Does Prisma Browser support device-based Conditional Access (device ID / compliance)?

Feedback from Palo Alto Support to this question (PAN Copilot):

The issue you are encountering with Prisma Browser on Android and iOS devices, where device attributes such as Device ID, Join Type, Managed, and Compliant are not being passed to Microsoft Entra Conditional Access, stems from specific architectural and feature limitations.

Root Cause

The primary root cause is that the "Microsoft Auto-SSO" feature, which includes the "Microsoft Single Sign On" Extension, is explicitly supported only on Microsoft Windows and macOS devices, and not on mobile operating systems like Android or iOS 1. Therefore, enabling this extension for mobile Prisma Browser users will not yield the desired device identity passthrough.

Additionally, when configuring the Cloud Identity Engine (CIE) as a mapping source for user and group information, the documentation explicitly advises to "Leave the Device Attributes as None" 2. This indicates that the current design of CIE, in this context, does not facilitate the passthrough of detailed device attributes to downstream systems like Microsoft Entra ID for granular conditional access evaluation.

While Prisma Browser Mobile performs its own device posture assessment and can integrate with Mobile Device Management (MDM) solutions, this is primarily for enforcing Prisma Browser's internal access policies rather than forwarding those specific device claims directly to Microsoft Entra Conditional Access for its evaluation.

Known Limitations and Answers to Your Questions

Is Prisma Browser on Android and iOS expected to support device-based Conditional Access (device ID, compliance, join type)?

Prisma Browser Mobile does perform its own device posture assessment. It can evaluate attributes such as root/jailbreak status, active screen lock, OS versions (iOS and Android), device type, and device manufacturer 3 4. This assessment ensures the browser runs in a secure environment and can restrict access if the device posture is non-compliant 4.

Furthermore, Prisma Access Browser Mobile can integrate with MDM solutions (like Microsoft Intune) to enforce sign-in policies based on device management status and can reuse existing MDM compliance rules for its own access control 5. This allows for secure access by ensuring only MDM-enrolled, compliant devices can sign in to PAB Mobile 5.

However, the direct passthrough of comprehensive device identity/claims (Device ID, Join Type, Managed, Compliant) from Prisma Browser on Android and iOS to Microsoft Entra Conditional Access for Entra's native evaluation is not explicitly supported by the current Microsoft Auto-SSO feature on these mobile platforms 1.

Does Prisma Browser integrate with Microsoft broker (Authenticator / Company Portal) for device identity?

Prisma Browser Mobile can leverage MDM integration (e.g., with Intune and Company Portal) for its own internal policy enforcement regarding device management status and compliance 5.

For iOS/iPad devices, in cases where authentication issues arise due to a missing device ID, the Authenticator app, if installed on the same device as Prisma Browser, can communicate and pass the "Entra ID that is needed for authentication" 6. This suggests a limited form of device identity passthrough for authentication purposes on iOS/iPad, but it does not encompass the full spectrum of device claims (Join Type, Managed, Compliant) required by Microsoft Entra Conditional Access policies for comprehensive device-based conditions.

Is there any configuration required to enable device claims passthrough?

Based on the available documentation, there is no specific configuration within Prisma Browser or Cloud Identity Engine that enables the comprehensive passthrough of device claims (Device ID, Join Type, Managed, Compliant) from Prisma Browser on Android and iOS directly to Microsoft Entra Conditional Access for its policy evaluation. The "Microsoft Auto-SSO" control is explicitly noted as having "No support" for mobile browsers 1.

The configuration for Cloud Identity Engine as a mapping source for user and group information specifically requires leaving "Device Attributes as None" 2, indicating that this component is not intended for device attribute forwarding in this manner.

Or is this a known limitation by design?

Yes, based on the documentation, the inability to pass detailed device identity/claims (Device ID, Join Type, Managed, Compliant) from Prisma Browser on Android and iOS directly to Microsoft Entra Conditional Access for evaluation appears to be a known limitation by design, particularly concerning the "Microsoft Auto-SSO" feature 1 and the current configuration scope of the Cloud Identity Engine for device attributes 2.

Remediation

Given these limitations, the recommended approach is to leverage the device posture assessment capabilities of Prisma Browser Mobile and its MDM integration for enforcing access policies, rather than relying on direct device claims passthrough to Microsoft Entra Conditional Access for mobile devices.

1. Utilize Prisma Browser Mobile's Device Posture Enforcement:
• Configure Prisma Browser Mobile device groups based on attributes such as root/jailbreak status, active screen lock, OS versions, device type, and manufacturer 3.
• Enforce sign-in rules for Prisma Browser Mobile that utilize these device groups to control access based on the device's posture 7.
• Ensure your MDM solution (Intune) is configured to enforce necessary compliance checks, which Prisma Browser Mobile can then leverage for its own access policies 5.
2. Review Conditional Access Policy for Mobile Devices:
• Since direct device claims passthrough for Entra Conditional Access is limited from Prisma Browser on mobile, consider if your Conditional Access policies can be adjusted to rely on other signals available from the authentication flow or user context, or if the device posture enforcement within Prisma Browser Mobile itself is sufficient for the target applications.
• The current workaround of using network-based exclusions, as you noted, weakens the Conditional Access model. By enforcing device posture directly within Prisma Browser Mobile, you can achieve a similar level of security for access through the browser.

Verification

To verify the configuration and behavior:

1. Monitor Prisma Browser Mobile Logs: Check Prisma Browser Mobile logs for device posture assessment results and policy enforcement actions 4.
2. Verify MDM Integration: Confirm that Prisma Browser Mobile is successfully deployed and managed by Intune, and that MDM compliance rules are being applied to the devices 5.
3. Test Access with Compliant and Non-Compliant Devices: Test access to the SaaS application protected by Entra Conditional Access using devices that meet and do not meet your defined Prisma Browser Mobile posture requirements. Observe if Prisma Browser Mobile correctly restricts access based on its internal policies.

Product Documentation

1 Configure Customization

2 Prisma Access User-Based Policy: Retrieving Group Mapping Using the Cloud Identity Engine

3 Configure Prisma Browser Mobile Device Posture Attributes

4 prisma-access-browser

5 Enforcing Prisma Access Browser Mobile Access on Managed Devices Using MDM App Configuration

6 Troubleshoot the Prisma Browser

7 Prisma Browser for Mobile

Nice that you are sharing this info with the community!

Maybe see LIVEcommunity - Prisma Browser for Mobile - LIVEcommunity - 1255306 as I mentioned SAA Secure Agentless Access  that could be an option as well.

Other than that if it is corporate device Globalprotect or Prisma Agent could be an option or to use something like MAM isolation for BYOD devices Mobile Application Management (MAM) for unenrolled devices in Microsoft Intune - Microsoft Intune | ...