I want to implement a CA policy to only allow Intune enrolled, compliant mobile devices to access company resources.
I created the CA policy, applying to the test devices, applying to Office 365 cloud apps, condition is iOS and Android and on all types of client apps.
Access and granted when device is compliant AND approved client apps. Session uses app enforced restrictions.
Now the Problem: If I try to log in with a PW on a non-compliant device, the CA policy correctly denies me access.
If I however have a compliant device that has Outlook and other apps already open, and the device becomes non-compliant, I can still access and use Outlook, Teams etc. It appears CA is not checked every time I open an app.
How can I make it so CA is checked every time I open an app?