Article ID: CTX331615
Description
The Intune NAC check performed by the Citrix SSO app does not work with Citrix Gateway on Android 9.0+ devices.
Resolution
The fix is to enable Intune NAC v2.0 check support (also called the Compliance Retrieval Service) on Citrix Gateway. Unlike the original NAC check, which looked the device up in Intune by its Wi-Fi MAC address, the v2.0 check identifies the device by the Intune Device ID carried in the client certificate.
To resolve the issue, carry out the following steps.
- Upgrade Citrix Gateway (ADC) to release 13.0-84.10/84.11 or 13.1-12.50/12.51 or later.
- Enable client certificate based authentication for users connecting to Citrix Gateway through the Android Citrix SSO app:
  - Enable client authentication in the SSL parameters or the SSL profile bound to the VPN vserver.
  - Set client authentication to Mandatory or Optional. Use Optional if other VPN clients (iOS/macOS/Windows) also connect through the same VPN vserver and certificate authentication is not required for them; use Mandatory if every client on the vserver must present a certificate.
- Deploy new client certificates to the Android devices that contain the Intune Device ID in a URI (Uniform Resource Identifier) type SAN (Subject Alternative Name) field. When configuring the SCEP or PKCS certificate profile in Intune, set the URI SAN value to "IntuneDeviceId://{{DeviceId}}", as specified in the referenced Microsoft document. Existing client certificates that do not carry the IntuneDeviceId URI SAN cannot be used for Intune NAC check integration with Citrix Gateway. An existing certificate profile can be updated to add the URI type SAN field with the Intune Device ID; this triggers certificate renewal the next time the device checks in with Intune. The following image shows an example of the SAN field configuration in the Microsoft Endpoint Management portal.
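As an added check (an example script, not part of the Citrix article, the Citrix SSO app or Intune), the shell script below uses openssl to confirm that a deployed client certificate actually carries the URI-type SAN the NAC v2.0 lookup depends on, and extracts the Intune device ID from it. This is the first thing to verify when a device is still reported as not enrolled after the steps above, because a certificate issued from an old profile without the URI SAN looks valid in every other respect. It assumes openssl 1.1.1 or later is on PATH; the device ID, certificate subject and file names are constructed for the example, and `make_test_cert` exists only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Citrix article): verify that a client certificate
# carries the URI-type SAN "IntuneDeviceId://<Intune device id>" that the
# Intune NAC v2.0 (Compliance Retrieval Service) lookup on Citrix Gateway needs.
# Assumes openssl 1.1.1+ on PATH (needed for "x509 -ext" and "req -addext").

HEX='[0-9A-Fa-f]'
# Intune device IDs are GUIDs: 8-4-4-4-12 hex digits.
GUID="$HEX\{8\}-$HEX\{4\}-$HEX\{4\}-$HEX\{4\}-$HEX\{12\}"

# Print the Intune device ID found in the certificate's URI SAN and return 0.
# Return 1 (print nothing) when the cert has no URI SAN with the IntuneDeviceId
# scheme, or the value is not a GUID; such certs cannot be used for the NAC check.
intune_device_id_from_cert() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n "s/^[[:space:]]*URI:IntuneDeviceId:\/\/\($GUID\)[[:space:]]*$/\1/p" \
        | head -n 1 \
        | grep .
}

# Create a self-signed test certificate at $1 with the SAN list given in $2
# (empty $2 = no SAN at all, like a legacy client certificate). Constructed
# purely so the check can be exercised offline; real certs come from Intune.
make_test_cert() {
    out="$1"; san="$2"
    keyfile="${out%.pem}.key"
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-device" \
            -keyout "$keyfile" -out "$out" -addext "subjectAltName=$san" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-device" \
            -keyout "$keyfile" -out "$out" >/dev/null 2>&1
    fi
}

# Stand-alone use: sh check_intune_san.sh <client-cert.pem>
if [ $# -gt 0 ]; then
    if id=$(intune_device_id_from_cert "$1"); then
        echo "OK: Intune device id $id"
    else
        echo "FAIL: no URI SAN IntuneDeviceId://<guid> in $1; reissue the certificate" >&2
        exit 1
    fi
fi
```

Export the client certificate from the Android device (or from the Intune certificate connector's issuing CA) as PEM and run the script against it. A certificate that prints FAIL was issued from a profile without the URI SAN and must be reissued; no Citrix Gateway setting can make the NAC v2.0 lookup succeed for it. The GUID pattern deliberately rejects an `IntuneDeviceId://` URI with any other payload, which is what you get if the SAN value was typed without the `{{DeviceId}}` token.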
Problem Cause
Google has removed third-party app access to the device MAC address on both Android Enterprise BYOD devices (formerly known as "Work Profile") and devices managed with device administrator. In October, ahead of Google's November 2021 deadline, the Microsoft Company Portal app was updated to target Android API level 30 instead of 29; when an app targets API level 30, Android prevents it from reading the MAC address used by the device. The Android Citrix SSO app used the device MAC address to perform the NAC check with Microsoft Intune, so for any Android 9+ device the MAC address lookup in Intune fails. Citrix Gateway therefore cannot complete the NAC check and the device is reported as not enrolled in Intune.
Additional Information
Note from Microsoft
Microsoft Intune will no longer collect Wi-Fi MAC address for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above. Google is requiring all app updates to target API 30 by November 2021. With this change, Android prevents apps from collecting the MAC address used by the device. For related information, see Hardware device details.
Network access control with certain NAC providers and third-party VPN providers may be affected. This may impact the ability of enrolled devices to connect to a corporate network. More information can be found here: Support Tip: Android 12 upgrade can affect NAC-enabled network access.