Ownership Variable as Posture Check - what's that?

Would you be so kind as to explain what this Posture Check is and how it can be set in the Intune environment? Can it be used to distinguish corporate-owned and personally owned devices? Azure CAP cannot distinguish corporate from personal devices as both are marked as compliant.

The device posture profile is a set of criteria that a user’s device must meet in order to access applications with ZPA. You configure the posture profile from the mobile portal (ZCC portal). ZCC on end users' devices will be used to check whether the device meets the criteria or not. Currently, the posture check is used for ZPA only, so you can configure ZPA to deny access if ZCC on end user machines fails to verify the criteria. You can distinguish between personal and corporate devices if the corporate device can meet a criterion where the personal one would fail. For example, you can push a certificate to corporate devices that can be used as a criterion to evaluate. There is an enhancement request to integrate posture checks with ZIA policies as well.
For more info about Posture Profile:
https://help.zscaler.com/z-app/about-device-posture
https://help.zscaler.com/z-app/configuring-device-posture-profiles-zpa

@jalomari thank you for your response, but I am not sure it got me anywhere near :) There’s a posture condition that can only be applied to iOS and Android devices. It’s called Ownership Variable. So, I am trying to understand what it is, and how it can be set via Intune.

Best regards

MDM Configuration Profile -> Key name “Ownership”

You might need to get more information from the MDM vendor on how to push that key to mobile devices. Once the mobile devices have it, you can use our KB article to configure it as a criterion for ZPA.

Hi - has anyone managed to get this running with Intune? We have the Ownership key configured as in the screenshot (in addition to our Zscaler config - same profile) and the profile is applied to the phone. But the device posture is not recognized.

I would recommend reporting the issue to our support team to investigate.