We have a similar issue to "When Intune-MAM integration is enabled, do not enforce Edge as the sole Managed Browser", but the problem is NOT having a managed browser as default.
We use App Protection Policies on personal employee mobile devices since we do not have fully managed mobile devices. Because of that, we don’t/can’t enforce the default browser on the device. Our conditional access policies require the use of compliant devices to access company resources, including Asana. On Android, Chrome does not support compliance reporting (nor do most other browsers except Edge).
Since the Asana app uses a webview to log in, it opens in the default browser. Since the default browser is never Edge, the login fails because the device “isn’t compliant” and users get an error telling them to register with Intune. They already have, and the device is compliant, so users get very confused.
Our workaround is to have users temporarily set their default browser to Edge, log into the Asana app, and then change their default browser back to their preferred choice. Not ideal. They can also wait for the login window to open, copy/paste the URL into Edge and proceed that way.
Note 1: iOS doesn’t have this problem. Not sure what the app does differently.
Note 2: Yes, we could change Conditional Access policies to allow Asana access from Chrome on Android only. The problem is CA policies rely on user agent strings to detect OS and browser on unmanaged devices… that is trivial to fake. I could make any browser on any platform send the Chrome Android user agent, and I’d be in. I understand our users likely wouldn’t do this, but we have seen bad actors spoofing the least-protected user agents to get around weak CA policies… it’s akin to geolocation blocking – trivial to circumvent.
I don’t know the easiest path forward, but one idea: after the user enters their email address, Asana could detect their home tenant, check the company’s security settings, and offer a way to open in the managed or company-preferred browser. Since it’s just a URL, it would work fine with one extra click. (That’s assuming it would be too difficult to switch away from browser-based login for the app.)
Thanks for the consideration.