Devices enrolled but not allowed in Conditional Exchange Access

We have Desktop Central on premise with Mobile Device Management. We have devices enrolled (both Android and iOS) that, when we enable Conditional Exchange Access for the users, are put in the "In grace period" or "Restricted" group. What criteria does it use to determine if the device is allowed other than being enrolled in MDM? Or is there something that could be keeping the MDM device from linking up with what is in Exchange?
