Intune conditional access
Question
We have iOS devices that are working but are not enrolled in any MDM. Now we want to enroll them in Intune and use a Conditional Access (CA) rule so that users are blocked when they go to use mail in the native app and are asked to enroll the device in Intune, to be sure that all devices enroll in Intune.
We have created a Conditional Access rule which “requires the device to be marked as compliant” for enrollment, but the rule is not working: the devices continue to access Exchange Online email from their native applications and are not asked to enroll.
We would like to know how to establish the rules for this scenario.
Answers (6)
Create a separate CA to block ActiveSync.
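The two-policy setup this answer implies (require a compliant device for modern-auth clients, block ActiveSync and other legacy clients separately), as an added example using the Microsoft Graph PowerShell SDK rather than anything from the thread. The group and break-glass object IDs are placeholders, and both policies are created in report-only state so the result can be checked with What If and the sign-in logs before enforcement.

```powershell
# Added example (not from the thread): two report-only Conditional Access policies
# built with the Microsoft Graph PowerShell SDK. IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'  # Office 365 Exchange Online
$pilotGroupId        = '<pilot-group-object-id>'               # placeholder
$breakGlassUserId    = '<break-glass-account-object-id>'       # placeholder

# Policy 1: modern-auth iOS clients (browser, mobile/desktop apps) must present a
# compliant (Intune-enrolled) device before they can reach Exchange Online.
$requireCompliant = @{
    displayName = 'iOS - Exchange Online - require compliant device'
    state       = 'enabledForReportingButNotEnforced'   # validate in sign-in logs first
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @('iOS') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

# Policy 2: Exchange ActiveSync and other legacy-auth clients are not covered by the
# modern-auth client types above, so an unenrolled native Mail app could still use
# them; block them outright. No platform condition here: blocking legacy auth for
# every platform is the usual baseline. (Graph only accepts exchangeActiveSync when
# Exchange Online is the policy's sole target application.)
$blockLegacy = @{
    displayName = 'Exchange Online - block ActiveSync and legacy auth'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($requireCompliant, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Once report-only sign-in logs show unenrolled iOS devices being flagged and the enrolled pilot devices passing, switch each policy's state to enabled.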
Hello – The best troubleshooting option is “What If”.
Have you tried to check whether you are missing some config in CA? – https://snipboard.io/SzHjvD.jpg
Hi tkm8803,
I have confirmed that the assigned group is the correct one, the affected user is checked, the correct application is targeted (in this case Exchange Online), and the condition is for iOS devices only.
I don’t know where to look anymore; everything is correct.
First, you should make sure that the groups are properly assigned.
Did you select ExO or the relevant application correctly in the [Cloud apps or actions] blade?
Also check that iOS is selected in the [Conditions] > [Device platforms] blade.
The easiest way is to use the What If tool to see if it works as expected.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool
Hello,
I have confirmed that the assigned group is the correct one, the affected user is checked, the correct application is targeted (in this case Exchange Online), and the condition is for iOS devices only.
I don’t know where to look anymore; everything is correct.