question

Conditional Access is the easiest way (in my opinion) to force users to have their device managed and enrolled to allow them to get access to resources like email, teams etc.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

If you are using Apple Business Manager and ADE (Automated device enrollment) I think there's a setting you can configure to block unenrollment as well.

@TimmyAndersson I have the policy in place. Would you mind advising what is wrong with my policy:

Policy Configuration:

Name: Enforce MFA for all users

Users or workload identities: assigned to a group that include all users "Not the services account" - No Excludes.

Cloud apps or actions: Selected Apps: Office 365, Microsoft Intune Enrollment

Conditions:
Device platforms: Not configured
Locations: Any location - Exclude 2: MFA Trusted IPs & Company HO "which is our LAN"
Client apps: Not configured
Device state (Preview): Not configured
Filter for devices: Not configured

Access controls:
Grant access: the only selected one is: Require multi-factor authentication
Session: 0 controls selected

Enable policy: On

@TimmyAndersson Any Idea?

Hi @JanNuaman-2253

The conditional access policy configured will not force users to have Company Portal installed on their mobile device. If you want to achieve that, you have to use app protection policies which will require the user to also install the company portal app. You can then also configure conditional access policies to require the app protection policy on these devices. Users will then be forced to install the company portal app.

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy