Web Access and Native client with two factor authentication

I used to use Web Access with two factor authentication (vWorkspace 8.5 and Defender 5.7) without a problem, but I need to now support two factor authentication on the native iPad client as well.

Looks like the 8.5 admin guide says this is supported by turning on two factor authentication both at the farm level and the web access level, but that I'll need to only use advanced targets for application assignment to users.

I checked two factor authentication for the farm level and made advanced targets that target a domain group and require two factor authentication, but now I don't get my application when I either log in via the web access site or the native iPad client. Furthermore, I enabled logging for the vWorkspace broker and see that my session is not being flagged as two factor even though the Defender security server says that I'm successfully using my token. 

Short question is, what is actually supported with web access and the native clients? Did I break everything by enabling two factor at the farm level?