
User must register their mobile device to log in to mobile apps (Android and iOS)


Hello friends!


I ran a device management test on Intune with limited management on a group consisting of 1 laptop device and 1 user with an Office 365 E3 license, called user A.
My device was successfully managed by Intune and picked up the compliance policy configurations. User A logs in to the laptop device and uses it normally.
We only have a computer device management policy and have not implemented any policies related to mobile devices.
Note that before user A logged in to the managed computer, he could log in and use apps like Outlook and Teams normally on his phone. However, after user A became a member of a group managed by MDM, he could no longer log in to the apps on his phone as before; it requires him to register the device with the organization to be able to use those apps on the phone. The error code is 530003.

This ruined our plan, since we originally intended to manage only devices that are company computers, with users added to a group managed by MDM to perform auto-enrollment.
I checked the conditional access configurations: they only require MFA for devices and do not require an approved client app or an app protection policy.
So why does user A, in a group managed by MDM, have to register mobile devices?
It happens both to a user in the group managed by MDM and to another user who is not in that group but logged into the enrolled laptop; the same thing happens to him on his personal mobile device.
Currently on Intune we also do not block Android or iOS devices.
I can show you my access policies if you need to.


Please help me: how can users avoid having to register their mobile devices with the organization when they log into computers that are managed by Intune?


Thank you!

Is your CA policy for requiring compliant devices applying to all OS platforms? If yes, then that is your problem. Just set it to Windows if you don’t want to enforce it on mobile OS platforms.

@rahuljindal-MVP

Our CA policies do not require a compliant device. That's why I'm quite confused when checking this error; you can see my analysis report below.

[Screenshot attached]

Have you also checked the Entra ID sign-in logs? The behaviour does appear to be due to enforcement of a CA policy and sign-in logs should provide you details in relation to the failed sign-in attempts.

@rahuljindal-MVP 

You can see my sign-in log below: it requires the device to register with the organization, but my enabled CA policies are all not applied. Will report-only CA policies affect this?

[Three screenshots attached]

Interesting. Can you also run the What If tool in CA just to be sure the UPN is not targeted by any CA policies? Entra ID sign-in logs can sometimes take time to display all the details.

@rahuljindal-MVP 

I used the What If tool some time before, but no CA policy applied, as you can see in the pictures below.

[Three screenshots attached]

Can you remove the device platform, client apps and device ownership and then run the What If tool?

@rahuljindal-MVP 

Yes, I did, but the result for "CA policies that will apply" is "No policies".

Thanks, maybe share a screenshot so that we are on the same page.
Thanks. Is the message/behaviour the same if the user tries to use the Outlook app on the mobile phone?
For Android or iOS, are you using App Protection Policies for unmanaged devices?

Hi @JeroenBurgerhout!

Currently no! We just have compliance policies, no App Protection Policies, and for security policy just some conditional access policies.

Hello Friends! 

My problem is solved: it was in my classic conditional access policy, which was configured by a previous admin.

[Screenshot attached]
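As an added example (not from this thread, and not a Microsoft tool), the Python script below triages exported Entra ID sign-in records the way the sign-in-log advice earlier in the thread suggests: it picks out sign-ins that failed with error code 530003 and reports which Conditional Access policies were actually in enforce mode for them, keeping report-only results separate because report-only policies are only evaluated and logged, never enforced. A 530003 failure with no enforcing policy in the applied list is the pattern the thread ran into, and is the cue to look for a policy outside the modern Conditional Access list, such as the classic policy found in the final reply. Field names follow the Microsoft Graph `signIn` resource (`status.errorCode`, `appliedConditionalAccessPolicies[].result`, `deviceDetail`); the three records are constructed samples, not data from any tenant.

```python
"""Triage Entra ID sign-in records for the 'device must be managed' failure
(error code 530003) and show which Conditional Access policies enforced it.

The records below are constructed samples shaped like the Microsoft Graph
signIn resource; they are not real tenant data.
"""
import json

DEVICE_MANAGEMENT_REQUIRED = 530003  # AADSTS530003: device must be managed/registered

# appliedConditionalAccessPolicies[].result values meaning the policy was
# evaluated in enforce mode for this sign-in (so it could block or allow).
ENFORCING_RESULTS = {"success", "failure"}
# Report-only results are logged for evaluation only and never block.
REPORT_ONLY_RESULTS = {
    "reportOnlySuccess", "reportOnlyFailure",
    "reportOnlyNotApplied", "reportOnlyInterrupted",
}

# Constructed sample export: one unexplained mobile block, one normal
# Windows sign-in, one mobile block explained by a listed policy.
SAMPLE_SIGNINS = json.loads(r"""
[
  {
    "userPrincipalName": "usera@example.com",
    "appDisplayName": "Microsoft Outlook",
    "deviceDetail": {"operatingSystem": "Android", "isManaged": false, "isCompliant": false},
    "status": {"errorCode": 530003},
    "appliedConditionalAccessPolicies": [
      {"displayName": "Require MFA for all users", "result": "notApplied"},
      {"displayName": "Report-only: require compliant device", "result": "reportOnlyFailure"}
    ]
  },
  {
    "userPrincipalName": "userb@example.com",
    "appDisplayName": "Microsoft Teams",
    "deviceDetail": {"operatingSystem": "Windows10", "isManaged": true, "isCompliant": true},
    "status": {"errorCode": 0},
    "appliedConditionalAccessPolicies": [
      {"displayName": "Require MFA for all users", "result": "success"}
    ]
  },
  {
    "userPrincipalName": "userc@example.com",
    "appDisplayName": "Microsoft Outlook",
    "deviceDetail": {"operatingSystem": "iOS", "isManaged": false, "isCompliant": false},
    "status": {"errorCode": 530003},
    "appliedConditionalAccessPolicies": [
      {"displayName": "Require compliant device (iOS/Android)", "result": "failure"}
    ]
  }
]
""")


def triage(signins):
    """Return one finding per sign-in that failed with error code 530003."""
    findings = []
    for s in signins:
        if (s.get("status") or {}).get("errorCode") != DEVICE_MANAGEMENT_REQUIRED:
            continue
        policies = s.get("appliedConditionalAccessPolicies") or []
        enforcing = [p["displayName"] for p in policies if p.get("result") in ENFORCING_RESULTS]
        report_only = [p["displayName"] for p in policies if p.get("result") in REPORT_ONLY_RESULTS]
        device = s.get("deviceDetail") or {}
        findings.append({
            "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"),
            "os": device.get("operatingSystem"),
            "is_managed": bool(device.get("isManaged")),
            "enforcing_policies": enforcing,
            "report_only_policies": report_only,
            # No listed policy in enforce mode: the block was not caused by any
            # policy shown here, so look beyond the modern CA policy list.
            "explained_by_listed_policy": bool(enforcing),
        })
    return findings


def unexplained(findings):
    """Findings where no listed policy enforced the device-management block."""
    return [f for f in findings if not f["explained_by_listed_policy"]]


def platforms_blocked(findings):
    """Count 530003 failures per device OS, to spot a policy meant for
    Windows that is actually hitting mobile platforms."""
    counts = {}
    for f in findings:
        counts[f["os"]] = counts.get(f["os"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_SIGNINS)
    for f in results:
        print(f"{f['user']} on {f['os']} via {f['app']}: "
              f"enforcing={f['enforcing_policies']} report_only={f['report_only_policies']}")
    print("unexplained blocks:", [f["user"] for f in unexplained(results)])
    print("blocked per platform:", platforms_blocked(results))
```

Run it against a JSON export of the tenant's sign-in logs (for example the `value` array returned by the Graph sign-ins endpoint) in place of `SAMPLE_SIGNINS`; any user listed under "unexplained blocks" is being blocked by something that does not appear in the applied-policies list, which is where the What If tool and a review of legacy/classic policies come in.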