Question

Cisco Secure Client - Azure Conditional Access (DeviceID)

  • June 16, 2026
  • 2 replies
  • 43 views

xEpicFail_O_o

Cisco Secure Client (CSC): Version 5.1.12.146
MacOS: Tahoe 26.5

The current issue we are facing is that when enrolling new MacBooks into our environment, we are seeing that Cisco Secure Client is no longer passing through deviceID to Azure to pass through conditional access policies.

Previously our environment was running JAMF conditional access, and our devices were enrolling without a problem. All applications were passing deviceID and going through conditional access policies (CAPs) without any blockers. 

Recently we have shifted over to platform SSO as per many people’s recommendation as the old method was being deprecated. Since then, we have noticed that most applications are still working without issues, but unfortunately Cisco Secure Client is failing to pass deviceID and is now being blocked by our Azure CAPs. 

The main difference that I'm seeing is that the previously enrolled devices also received a WPJ certificate, while the new enrollment method no longer utilizes this check.

We originally believed the issue to be CSC’s configuration and utilizing an embedded browser rather than an external browser, so we enforced external browser through Secure Access Admin Portal. We thought this might be a surefire win, but we are still not receiving deviceID to Azure even with SSO App Extension config profile being applied to the systems.

Based on what I’ve found with the assistance of ChatGPT/Claude, this was a decision made by Microsoft to deprecate WPJ certs.

 

Any assistance or guidance would be appreciated, thank you! 

2 replies

dlbrabb
  • Contributor
  • June 22, 2026

We are also seeing this same thing. Have you figured out a solution?


xEpicFail_O_o
  • Author
  • Contributor
  • June 22, 2026

@dlbrabb - unfortunately no solution on our end 😭. Currently in progress with opening a ticket with Microsoft to see if they have any guidance for us since it was their decision to move away from WPJ certificates. Will update if I hear any additional news. 

 

Thankfully our environment has a backup solution for connecting to our VMs, but it’s not even close to being a bandaid at the moment.