Update end-user-mam-apps-ios.md

Added a section for required approved client app

Author: msbemba

memdocs/intune/fundamentals/end-user-mam-apps-ios.md

@@ -42,6 +42,14 @@ If the device is **not enrolled in Intune**, the user is asked to restart the ap
 
 For devices that are **enrolled for management in Intune**, the user sees a message that their app is now managed.
 
+
+### Require approved client app
+
+Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
+
+In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app.
+
+
 ## Use apps with multi-identity support
 
 Apps that support multi-identity let you use different work and personal accounts to access the same apps. App protection policies, like entering a device PIN, are activated when users access these apps in a work or school context.