Mobile App vulnerability

Mobile App vulnerability

Adding to the vulnerability reported in 
https://pitstop.manageengine.com/portal/en/community/topic/adssp-mobile-app-does-not-follow-the-mfa-for-reset-unlock 

The enabled setting:
Self-Service > Multi-factor Authentication > MFA for Reset/Unlock > MFA for ADSelfService Plus Login


When using Change Password on the Web-browser of a laptop/desktop, this bring a MFA option to go through which is good and needed. 

However, when performing Change Password from the mobile app, there is No MFA requested.. After login it takes you straight to Change password page... this is a vulnerability when ADSSP is made available on the Public network... 
              New to ADManager Plus?

                New to ADSelfService Plus?