Hi @merakitrucker!
I suspect it's due to Apple Captive Network Assistant (CNA). I can't find great documentation on Apple's side to explain the full process, but when a client connects to a wireless network, the CNA launches and sends a request to captive.apple.com. If it's successful, the device assumes it has network connectivity, and no action is taken. If it can't reach this website, the device will attempt to redirect you to a captive portal.
I tested this in my lab and found the same behavior you explained, except if I select cancel and "Use Without Internet," I can still reach the internal IPs I am allowing and no longer receive this pop-up unless I "Forget This Network."
To circumvent this, you can add a rule to allow access to 17.0.0.0/8, which will disable CNA. We cover some of this in our documentation for Device Posturing using Cisco ISE / Disable CNA.
