diff --git a/docs/identity/conditional-access/concept-conditional-access-grant.md b/docs/identity/conditional-access/concept-conditional-access-grant.md index beab9696f63..f67e303b558 100644 --- a/docs/identity/conditional-access/concept-conditional-access-grant.md +++ b/docs/identity/conditional-access/concept-conditional-access-grant.md 
@@ -69,6 +69,8 @@ The **Require device to be marked as compliant** control: > [!NOTE] > On Windows, iOS, Android, macOS, and some non-Microsoft web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser. +> +> For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug-in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug-in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug-in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) You can use the Microsoft Defender for Endpoint app with the approved client app policy in Intune to set the device compliance policy to Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while you're setting up Conditional Access. Although Microsoft Defender for Endpoint on Android and iOS (app ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access. 
@@ -235,4 +237,4 @@ Custom controls are a preview capability of Microsoft Entra ID. Using custom con - [Conditional Access common policies](concept-conditional-access-policy-common.md) -- [Report-only mode](concept-conditional-access-report-only.md) \ No newline at end of file +- [Report-only mode](concept-conditional-access-report-only.md)
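Review bot: in the first hunk, the added paragraph inside the `> [!NOTE]` block needs a comma after "For Apple devices" ("For Apple devices, as Microsoft Entra ID transitions ...") and a terminating period after the link at the end of the last sentence. The control names should follow the formatting the page already uses for them, so "such as Require device to be marked as compliant and Filter for devices condition" should read "such as **Require device to be marked as compliant** and the **Filter for devices** condition". The cross-reference hard-codes a locale-specific absolute URL (`https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage`); drop the `en-us` segment or, since the target lives in the same docset, use a repo-relative link to the apple-sso-plugin article with the `#device-identity-key-storage` anchor. Finally, it would help admins to state the consequence of not enabling the plug-in, i.e. that non-MSAL applications such as Safari cannot satisfy a policy that requires a compliant device or uses the device filter, rather than only that enabling it "ensures" participation.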
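Review bot: the second hunk only adds the missing newline at end of file after the "Report-only mode" link; that is a harmless whitespace-only fix, but since it is unrelated to the Apple Secure Enclave note it is worth a one-line mention in the PR description so reviewers do not look for a content change in it.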