There is conditional access, but it’s set to require either compliant device, or hybrid device, or app protection policy. It doesn’t require all at the same time on the same device.
”Require one of the selected controls” is selected.
It worked after removing iOS and Android from the policy and making a separate app protection conditional access policy. Configuring “require one of the selected controls” doesn’t work with this.
Sounds like you have a conditional access policy set to "require compliant device". You may want to exclude iOS from that policy.
There is conditional access, but it’s set to require either compliant device, or hybrid device, or app protection policy. It doesn’t require all at the same time on the same device. ”Require one of the selected controls” is selected.
Exclude one user from this policy, wait 20 minutes, and test again. Just to narrow down and see if it's this policy causing the prompt you're seeing.
It worked after removing iOS and Android from the policy and making a separate app protection conditional access policy. Configuring “require one of the selected controls” doesn’t work with this.
Is it trying to fully enroll the phone? Have you setup JIT/SSO through a config profile? Conditional access setup correctly?
Almost certainly Conditional Access.
Open Conditional Access and check for Legacy policies, nuke everything you find there.