We use MobileIron with on-prem Exchange but are now looking to move some of our users to Office 365. I would like to avoid using a Sentry if possible (i.e. have the user devices go to Office 365 for email etc. directly rather than via the extra hop of a Sentry) but at the same time I want to restrict such access to just company managed devices. Via Conditional Access policies I see that one can set access to be only from devices marked as compliant, but from what I see this is a flag only Intune can set. Is there a way of setting a device as compliant via something like MobileIron?
I am interested in hearing any other suggestions or experiences from others who've had to do something similar. We have a mix of iOS and Android devices all currently managed via MobileIron on-prem. Even if the workaround for now is to manually mark devices as compliant via Graph API or PowerShell that'll do too.
Based on the Require device to be marked as compliant document, this option requires a device to be registered with Azure AD and also to be marked as compliant by:
So currently, iOS and Android devices are not supported.
BTW, Graph API or PowerShell configurations should be the same as what can be done in the Azure portal.
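As an added illustration (not part of the original question or answer), the following Microsoft Graph PowerShell snippet creates the Conditional Access policy discussed above: it scopes Exchange Online access for a pilot group on iOS and Android to devices carrying the compliant flag. The pilot group name and policy display name are assumptions for the example; the Exchange Online application ID is the well-known one for Office 365 Exchange Online. The policy only enforces the flag, it does not set it; whether a device is ever marked compliant still depends on the MDM registration the answer refers to.

```powershell
# Added example, not code from the original thread.
# Creates a Conditional Access policy via the Microsoft Graph PowerShell SDK that
# requires a device to be marked compliant before it can reach Exchange Online.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

# Scopes needed to read the group and write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Well-known application ID for Office 365 Exchange Online.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

# Assumed pilot group name for illustration; adjust to your tenant.
$pilotGroupId = (Get-MgGroup -Filter "displayName eq 'O365 Pilot Users'").Id
if (-not $pilotGroupId) { throw "Pilot group not found" }

$params = @{
    displayName = "Require compliant device for Exchange Online (pilot)"   # assumed name
    # Start in report-only mode so sign-in logs show who would be blocked
    # before any user is actually cut off; switch to "enabled" afterwards.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
        }
        applications = @{
            includeApplications = @($exchangeOnlineAppId)
        }
        # Cover browser, modern-auth clients and Exchange ActiveSync alike.
        clientAppTypes = @("all")
        platforms = @{
            includePlatforms = @("iOS", "android")
        }
    }
    grantControls = @{
        operator        = "OR"
        # The compliant flag is the only control here, so "OR" and "AND" behave the same.
        builtInControls = @("compliantDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs confirm that managed devices in the pilot group are in fact evaluated as compliant; a device that Azure AD has not registered, or that no supported MDM has marked compliant, will fail the grant control as soon as the state is changed to enabled.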