Hi,
You can't use roles as conditional parameters within a Role Mapping policy.
The [Machine authenticated] role is computed as part of an implicit mapping before your own role mapping rules.
If your authentication source is Active Directory there are two attributes that let you determine if the account is a computer:
- (sAMAccountType=805306369)
- (objectCategory=computer)
These are not part of the default attributes queried for AD auth sources, so you'll have to create a custom filter on your Authentication source to grab the value of one of these attributes and use them in role mappings.
Your role mappings would then become something like:
IF Endpoint:MDM Enabled = True ----> Role = Managed
IF ActiveDirectory:ObjectCategory = computer ----> Role = Managed
or
IF Endpoint:MDM Enabled = True ----> Role = Managed
IF ActiveDirectory:AccountType = 805306369 ----> Role = Managed
Cheers,
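
An added example, not part of the original post: a Python check for the two attributes named above, run over constructed directory entries. It handles one detail of reading these attributes back from AD: `objectCategory` is returned as a schema DN rather than the short name accepted in a search filter, and `sAMAccountType` usually arrives as a string. The `map_role` function and the sample entries are hypothetical stand-ins for the rules in the post, not ClearPass code.

```python
# Added example: entries below are constructed, not output from a real directory.
SAM_MACHINE_ACCOUNT = 805306369  # 0x30000001, the value quoted in the post

WORKSTATION = {  # constructed computer account
    "sAMAccountName": "PC-0142$",
    "sAMAccountType": "805306369",
    "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",
}
USER = {  # constructed user account
    "sAMAccountName": "jdoe",
    "sAMAccountType": "805306368",
    "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",
}


def first_rdn_value(dn):
    """Return the value of the first RDN of a DN, e.g. 'Computer'."""
    first = dn.split(",", 1)[0]
    _, _, value = first.partition("=")
    return value.strip()


def is_computer(entry):
    """True if either attribute from the post marks the entry as a computer."""
    sam = entry.get("sAMAccountType")
    try:
        if sam is not None and int(sam) == SAM_MACHINE_ACCOUNT:
            return True
    except ValueError:
        pass  # malformed value: fall through to objectCategory
    cat = entry.get("objectCategory", "")
    # AD returns objectCategory as a DN; accept the short filter form too.
    name = first_rdn_value(cat) if "=" in cat else cat
    return name.strip().lower() == "computer"


def map_role(entry, mdm_enabled):
    """Hypothetical stand-in for the two rules in the post."""
    if mdm_enabled or is_computer(entry):
        return "Managed"
    return None


if __name__ == "__main__":
    for e in (WORKSTATION, USER):
        print(e["sAMAccountName"], "->", map_role(e, mdm_enabled=False))
```
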