Which quarantine group requirement is needed to downgrade a user to ICA Proxy Only when Endpoint Analysis requirements are not met?

Endpoint Analysis checks determine device posture, and if the checks aren’t met, the gateway can place you in a quarantine group to restrict access. To ensure you’re downgraded to ICA Proxy Only, the quarantine group must enforce a controlled authentication path. Using an nFactor authentication flow within that quarantine group provides the right level of control: you can verify identity with multiple factors while still limiting access to ICA Proxy rather than granting full VPN or internal resource access. This setup ensures the user is authenticated but remains in a restricted posture until EA requirements are satisfied or remediation occurs. A quarantine group with no AD membership, or one relying on regular AD membership, or one that uses LDAP-based two-factor authentication, wouldn’t by itself guarantee the specific ICA Proxy Only restriction that nFactor can reliably implement.