Salesforce Android Mobile App - Intune Compliance

Chris Fors 1 Reputation point
2020-07-30T17:13:35.683+00:00

I have been unable to create a configuration using Intune MDM where the Salesforce mobile App in the Android Work container is evaluated as compliant. The logs indicate that Salesforce, in their Android Mobile App, presents a browser agent string that isn't Edge, Chrome or the Intune Managed Browser. The agent string reflects Apache Cordova SDK. Thus, after enrolling the device and deploying the Salesforce App into the Android Work container, I can't use Azure Conditional Access rules to allow this Salesforce App based on device enrolment and compliance.

This is a bit of a showstopper as the Company doesn't want users to be able to use the app on devices or in a state where the mobile device policy is not applied.

I've also tried using Palo Alto GlobalProtect VPN, for a trusted IP address approach, but that runs into other significant issues including SSL errors during Azure authentication. But Intune and Salesforce have been around for years and they should have learned to play nicely by now.

Two possible solutions:

  • Microsoft provide methods to add additional browser agent strings in its Conditional Access / Intune software stack.
  • Salesforce revise their App to present a standard browser agent string.

Ideas welcome.


1 answer

  1. Peter Daalmans 16 Reputation points
    2020-08-13T12:09:07.003+00:00

    You are right that Salesforce need to revise their app to support MSAL libraries, or maybe use the solution of Workday, which allows an external browser for authentication, which works great for Workday.

    I don't know the Salesforce app that well, but is the mobile web experience via a browser not usable for the end users?