

Unfortunately, this only fixed the issue for Android devices. iOS has gone back to the same state, where it is still picking the other policy for required client app. Is there any way to find out why Android is working and not iOS?

An hour after marking this comment, Android also stopped working.

Looks like the initial Conditional Access policy (where Adobe is exempted) is blocking this again. The exemption seems not to be effective here. Any suggestion to enforce the Adobe exemption rule on this policy?

Users get the screen below; also, they don't have an account in Adobe. How can I include/exclude the Adobe application from the Conditional Access policy?

[Screenshot: capture1.png]

I created a separate Conditional Access policy without the required approved app, but I am again stuck with the error below. Adobe being a free app from the Apple store & Google account, what permission does it require, and how do I permit this?

[Screenshot: capture2.png]

The Intune admin doesn't have rights, it seems; I tried using my ID with Intune admin rights. I also requested my Azure admin to try this too; he reported this is going in loops there.

I managed to get the app working for the corporate iOS category, but the same changes are not helping when it comes to BYOD devices. It appeared the app protection policy is not getting applied on BYOD devices. Is there any method to enforce this on devices?

This is targeted to a dynamic device group.

This is the issue: I have deployed the apps as required, and they install fine. But when checking on Company Portal on iOS or the badged Google store, they are empty. I have ensured that while creating the iStore app I enabled displaying the app as a featured app in Company Portal. Still nothing comes up on either device.

I am already deploying these apps as required apps & they install fine. So do I have to configure it to be made available again to see this in Company Portal?

  1. Pre-requisite met
    - Initially had a single deployment to get Outlook, Word, Excel, OneNote, Teams and PowerPoint installed, which was not working
    - Then I created an individual package for Teams, another one for Outlook, and then the remaining things in another pack; this worked partially with no proper status
    - For each of these the status was always inconsistent; at times it says installed, after an hour it would change and say 'pending', then 'failed', pending, and the loop continues
    - This is not reliable, how can I fix it? I only want to deploy one single app to get this all installed in one go

  2. Yes, this gets created, but it is not working well. Sometimes Teams alone gets installed, sometimes nothing else






Attaching screens as asked, and yes, "Require all the selected controls" is enabled. However, when a user tries installing the Teams app, it allows them to configure this. Can this be because of some misconfiguration from Teams?

[Screenshots: capture1.png, capture.png, capture2.png]

This was attached, but not picked up in the previous comment. Also, it is only on the Teams app that I have this issue. Are there any restriction policies from the Teams app to prevent this, maybe?

[Screenshots: capture.png, capture2.png]

No, devices are not getting Hybrid joined. As I understand from the AD team, they have configured to use firstname.lastname@domain.com as their Azure login, and it means the UPN of the user does not match the primary SMTP of the user. We tried syncing the UPN attribute for the test user to Azure, which did not help.
Again, we tried adding the work account manually at Settings > Accounts > Access school or work > Connect and entering the Azure username and password. This does not finish the Azure AD join process and leaves the device in just the 'Azure AD Registered' state.

Do you have any recommendation/guidance to help fix this?

Note: It was mentioned that bringing in the UPN of the user account to Azure would require reinstallation of Azure AD Connect.

Thank you for the support!

The issue stands resolved now. The Azure AD team redid the AD Connect setup to fix the UPN part, and there was also some sync issue due to nested groups. They helped to get the device synced and it resolved!!

@LuDaiMSFT-0289 Thank you for the response! It helps a lot. Please help me if I have summed up the below correctly for my infra.

For the iOS scenario, if I understand the shared details above,
a) The ADE enrollment profile should not be the default in my infra, as I also have BYOD iOS devices which I don't want to be converted to corporate devices
b) For the ADE enrollment profile, how do I define the dynamic group? Will devices imported from ABM be identified as corporate, and can this be utilised here to create dynamic groups?

For Android devices, it is only BYOD devices, so I am assuming creating an Android enrollment with work profile should suffice. But could you guide me on how I should target the deployment? Should this be via dynamic groups, and if so, what rules should be created for this?