To mark a device as a Managed Device without the Client Connector, the IdP should add a Device Trust attribute, but in the Zscaler Azure AD guide I just don't see this option, so is it supported?
The idea is that even without a Zscaler Client Connector, Azure AD will check with Conditional Access whether the device is Intune compliant and then allow access, and if this SAML attribute is added then the Zscaler IdP proxy CASB feature will allow access to Salesforce from the device that is Intune compliant.
From what I checked, Azure Conditional Access can filter the access to ZIA/ZPA when Azure is the SAML IdP that Zscaler uses, but maybe in the future there will also be a day when the Azure Conditional Access checks are triggered in Zscaler not for the Zscaler application but when the user opens an internal ZPA app or an external cloud app like Salesforce, and Azure Conditional Access will check whether the user is Intune compliant or not. As Zscaler and Microsoft have great integration together, who knows, as now Zscaler DLP can attach the Microsoft Azure Information Protection (AIP) labels on documents and not just match on them, as I saw at Zenith 2022, or the Zscaler and Microsoft Defender for Endpoint and Azure Sentinel integration.
Until the Zscaler and Azure AD integration, I found that Azure AD can return an optional SAML claim 'ismanaged' or 'iscompliant', and they can do the job in Zscaler ZPA by matching them in the Access Policy. Need to test it.
Maybe this can also be done with Azure AD SCIM; I did not find an article about that.
Also, a strange idea could be to route the ZIA traffic through ZPA with Source IP for cloud applications like Salesforce etc., and in this way to try to check the SAML attributes and claims with ZPA Access Policies like it is done for Office 365!
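To make the device-trust idea from the post concrete, here is an added example (not from the original post, Zscaler, or Microsoft) showing how a relying party would read the 'ismanaged' and 'iscompliant' values out of a SAML AttributeStatement and turn them into an allow/deny decision that fails closed when the claims are absent. The assertion below is constructed for the example, and it is an assumption that the claims arrive as ordinary SAML attributes with those exact names; the helper assumes the assertion's signature has already been verified by a proper SAML library before this check runs.

```python
# Added example: evaluate device-trust SAML claims ('ismanaged' / 'iscompliant')
# the way an access policy would. Not Zscaler's or Azure AD's own code.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Azure AD response). Assumption:
# the device claims are delivered as plain SAML attributes named exactly
# 'ismanaged' and 'iscompliant', as the post describes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ismanaged"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="iscompliant"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.

    Assumes the assertion was already signature-checked upstream; parsing
    unsigned assertions here would let a client assert its own device state.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def _is_true(values):
    # Claim values are strings; only a literal "true" counts as asserted.
    return any(v.strip().lower() == "true" for v in values)


def device_trust_decision(attrs, require_compliant=True):
    """Access-policy style decision on the device claims.

    Fail closed: a missing claim is treated as "not managed" / "not compliant",
    so a device that never presents the attributes is denied.
    """
    managed = _is_true(attrs.get("ismanaged", []))
    compliant = _is_true(attrs.get("iscompliant", []))
    if require_compliant:
        return "allow" if (managed and compliant) else "deny"
    return "allow" if managed else "deny"


if __name__ == "__main__":
    claims = extract_attributes(SAMPLE_ASSERTION)
    print(claims)
    print("compliance required:", device_trust_decision(claims))
    print("managed only:", device_trust_decision(claims, require_compliant=False))
```

The sample device is managed but not compliant, so a policy that requires Intune compliance denies it while a managed-only policy allows it; an assertion carrying neither claim is denied under both policies, which is the behaviour you want from a device-trust gate.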