Configure MDM Posture Checks for Prisma Access Agent
Connect your MDM tenant to Prisma Access and enable compliance enforcement to control which devices can establish a tunnel to Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access license with the Mobile User subscription
  • Minimum Prisma Access Agent version: 26.2
  • Windows 10 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate this feature
Mobile device management (MDM) posture checks require two configuration components in Strata Cloud Manager: an MDM integration that defines how Prisma® Access authenticates to your MDM tenant, and a compliance enforcement setting in your agent configuration that activates the compliance check for connecting devices. You must complete both before Prisma Access enforces MDM compliance at tunnel establishment. Devices that are not enrolled in your MDM tenant are treated as non-compliant and are blocked from establishing a tunnel.
  1. In Strata Cloud Manager, go to Access Agent Setup by selecting Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Setup.
  2. Set up an MDM integration.
    1. Edit the Global Agent Settings by selecting the gear icon.
    2. Select MDM Integration.
    3. Add an MDM integration or select an existing integration to edit.
      The Add MDM Integration panel opens.
    4. Enter a descriptive Name for the MDM integration profile.
    5. For Mobile Device Management (MDM), choose your MDM vendor, such as Microsoft Intune.
      MDM integration supports only Microsoft Intune with Windows devices at this time.
    6. Enter the Tenant DeviceID from your MDM vendor.
    7. Enter the Client DeviceID from your MDM vendor.
    8. Enter the Client Secret.
    9. For Confirm Client Secret, re-enter the client secret.
    10. Click Add.
    11. Click Save.
  3. Enable the compliance enforcement setting in your agent configuration.
    1. In Access Agent Setup, click Add Agent Settings or select an existing agent setting to edit.
    2. Scroll to the Authorization section and enable MDM Compliance Check. (Default: Disabled)
    3. Click Save and push the configuration to Prisma Access.
  4. (Optional) To verify that MDM compliance enforcement is active, run the pacli mdm command on an endpoint and check the Device MDM Compliant field.
    For example, on a device that fails the MDM compliance check, the Device MDM Compliant field returns Not Compliant, and the Prisma Access Agent displays a banner stating that the connection could not be established because the device is not compliant.
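The following PowerShell snippet is an added example for the verification step above; it is not part of the Prisma Access documentation or the agent itself. It assumes that pacli is on the endpoint's PATH and that pacli mdm prints the field as a "Device MDM Compliant: <value>" line, which is an assumption about output layout that this page does not specify.

```powershell
# Added example (not Palo Alto Networks code): read the Device MDM Compliant field
# from `pacli mdm` so the enforcement state can be checked before or after rollout.
# Assumptions: `pacli` is on PATH and the field is printed as "Device MDM Compliant: <value>".

$FieldPattern = '^\s*Device MDM Compliant\s*[:=]\s*(?<value>.+?)\s*$'

function Get-MdmComplianceState {
    param([Parameter(Mandatory)][string[]]$PacliOutput)
    # Return the field's value, or 'Unknown' if the field is absent
    # (for example, when the agent configuration has not been pushed yet).
    foreach ($line in $PacliOutput) {
        if ($line -match $FieldPattern) { return $Matches['value'] }
    }
    return 'Unknown'
}

function Test-MdmEnforcement {
    # Run pacli on the local endpoint and return a record for fleet reporting.
    $output = & pacli mdm 2>&1 | ForEach-Object { "$_" }
    $state  = Get-MdmComplianceState -PacliOutput $output
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Compliant = $state
        # Only an explicit 'Not Compliant' result means the tunnel is blocked.
        Blocked   = ($state -eq 'Not Compliant')
    }
}

# Constructed sample output (not captured from a real endpoint) to exercise the parser offline.
$sample = @(
    'Agent Version         : 26.2',
    'Device MDM Compliant  : Not Compliant'
)
Get-MdmComplianceState -PacliOutput $sample
```

Run Test-MdmEnforcement on one device you know is enrolled and one you know is not, and compare the results with the banner described above before rolling the setting out widely.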