diff --git a/memdocs/intune/fundamentals/end-user-mam-apps-ios.md b/memdocs/intune/fundamentals/end-user-mam-apps-ios.md index fe3c98ae225..252d2e0986d 100644 --- a/memdocs/intune/fundamentals/end-user-mam-apps-ios.md +++ b/memdocs/intune/fundamentals/end-user-mam-apps-ios.md @@ -42,6 +42,14 @@ If the device is **not enrolled in Intune**, the user is asked to restart the ap For devices that are **enrolled for management in Intune**, the user sees a message that their app is now managed. + +### Approved client app requirement + +Organizations might require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile device management (MDM) solution. + +In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app could be the Microsoft Authenticator for iOS. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app. + + ## Use apps with multi-identity support Apps that support multi-identity let you use different work and personal accounts to access the same apps. App protection policies, like entering a device PIN, are activated when users access these apps in a work or school context.
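Review bot: In the second added paragraph under "### Approved client app requirement", the sentence "The broker app could be the Microsoft Authenticator for iOS" is hedged even though this file (end-user-mam-apps-ios.md) is iOS-specific. Name the broker the user must install outright, and replace "the appropriate app store" with the store an iOS user is actually sent to, so the redirect is something they can recognize and trust. The same paragraph says only what happens when the broker is missing. It should also say what the user sees when the access attempt comes from a client app that is not approved, since that is the control the heading names. Two smaller points: the link "/intune/app-protection-policy" is root-relative while the file lives under memdocs/intune/, so confirm it resolves in the published docset. The hunk also adds two consecutive blank lines before the new heading and before "## Use apps with multi-identity support", where the surrounding context uses single blank lines.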