Entra ID F5 APM MDM Intune integration compliance check
Here it says the following: https://techdocs.f5.com/en-us/edge-client-7-1-8/big-ip-access-policy-manager-edge-client-and-application-configuration-7-1-8/configuring-access-policy-manager-for-mdm-applications.html
Only iOS devices and Android devices with VPN access to APM from specific mobile device apps that are being managed by MDM (F5 Access Client Apps) are supported. For example, if you connect to APM WebTop from a browser in a device, then APM will not get a device ID and cannot check for device compliance.
F5 Access for macOS and Windows are currently not supported.
For devices with iOS 12 and later, F5 Access client could not retrieve device ID from iOS due to Apple imposed constraints, and compliance check failed. Microsoft's Network Access Control (NAC) integration with Intune provides a new temporary NAC ID to identify the device. This ID is pushed to the F5 Access client through the F5 Access profile in Intune. For iOS devices, the device is always verified by the MDM server as the NAC ID is not stored in the local cache.
To use NAC on iOS devices, the Enable network access control (NAC) option must be selected when configuring the VPN profile for F5 Access in Microsoft Intune.
And here it says the following:
Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service
Intune ID in certificate-based compliance check
The Device ID is not provided in the VPN profile. Instead, a device certificate with the Intune device ID is pushed to the device during the enrollment process. F5 Access client presents this certificate to the APM during the SSL handshake. APM uses the Intune device ID obtained from the certificate to get the compliance status of the device. In Intune, there is a static interval of 4 hours to sync devices from the non-compliance endpoint for the new Compliance Retrieval service.