Intune conditional access

Question

We have IOS devices, working and they are not enrolled in any MDM. Now we want to enroll in Intune and we want to use a conditional access rule (CA), so that users when they are going to use mail in the native app are blocked and ask them to enroll the device in INtune, so be sure that all Devices enroll in Intune.

We have created a Conditional Access rule, which “require the device to be marked as compliant” for enrollment, but the rule is not working and the devices continue to access the email exchange online from their native applications and do not request enrollment.

We would like to know how to establish the rules for this scenario.

solved 1
David Lopez 5 months 6 Answers 81 views Beginner 0

Answers ( 6 )

  1. Create a separate CA to block Active Sync.

    Best answer
  2. Hello – The best troubleshooting option is “WHAT IF”

    Have you tried to understand whether you are missing some config in CA – https://snipboard.io/SzHjvD.jpg

  3. Hi tkm8803,

    I have confirmed, the group that is assigned is the correct one and the user that it affects is checked and the correct application that affects it is in this case Exchange Online and the condition is for IOS devices only.

    I don’t know where to look anymore, everything is correct.

  4. First, You should make sure that the groups are properly assigned.
    Are you select ExO or any application correctly at [Cloud apps or actions] blade?
    Also you must check iOS selected at [Conditions] > [Device Platfoms] blade.

    The easiest way is to use the What If feature to see if it works as expected.
    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool

    • Hello,
      I have confirmed, the group that is assigned is the correct one and the user that it affects is checked and the correct application that affects it is in this case Exchange Online and the condition is for IOS devices only.

      I don’t know where to look anymore, everything is correct.

Leave an answer

Sorry, you do not have a permission to answer to this question .