Goal: identify if a device is managed (Azure joined).
Approach: verify that the logged-in user's JWT has a claim `signin_state` with a flag `dvc_mngd`.
This works if the user signs in to Azure AD from a Windows system (Edge or Chrome), but if the user signs in to Azure AD from a Mac system (Safari or Chrome), then we find the flag is missing from their JWT.
1. Do we need to configure anything in Azure AD so that this claim gets added, or is that a restriction for Mac?
2. If that is a restriction, then is there any alternative way to know programmatically if the user has signed in to AAD from a managed device?
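The claim check the question describes, as an added example that is not part of the original post: it base64url-decodes the payload of a compact JWT, reads `signin_state`, and reports whether the `dvc_mngd` flag is present. The two tokens are constructed samples (unsigned, `alg=none`) standing in for what a Windows and a Mac sign-in would produce; a real deployment must first validate the token's signature against the tenant's published signing keys, which this helper deliberately leaves to the caller.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    """Inverse of _b64url_decode, used only to build the constructed samples."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT.

    This does NOT verify the signature. Call it only on a token whose
    signature has already been validated; it exists to inspect claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def is_managed_device(claims: dict) -> bool:
    """True when the signin_state claim carries the dvc_mngd flag.

    Azure AD emits signin_state as an array of strings; a single string is
    tolerated so a misconfigured issuer does not raise. A missing claim,
    as seen for the Mac sign-ins in the question, yields False.
    """
    state = claims.get("signin_state")
    if isinstance(state, str):
        state = [state]
    return isinstance(state, list) and "dvc_mngd" in state


def build_constructed_token(claims: dict) -> str:
    """Build an unsigned alg=none token for the demo. Constructed sample only;
    never accept alg=none tokens in production."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), ""])


# Constructed samples: one sign-in from a managed Windows device, one from a
# Mac where the flag is absent, as described in the question.
WINDOWS_TOKEN = build_constructed_token({
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "preferred_username": "user@example.com",
    "signin_state": ["kmsi", "dvc_mngd"],
})
MAC_TOKEN = build_constructed_token({
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "preferred_username": "user@example.com",
    "signin_state": ["kmsi"],
})


if __name__ == "__main__":
    for label, tok in (("windows", WINDOWS_TOKEN), ("mac", MAC_TOKEN)):
        print(label, "managed:", is_managed_device(decode_claims(tok)))
```

Because the check is purely claim-based, an absent `signin_state` is indistinguishable from an unmanaged device; log that distinction separately if the result feeds an access decision.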