millenium7
Long time Member
Topic Author
Posts: 539
Joined: Wed Mar 16, 2016 6:12 am

Improving hotspot/captive portal detection?

Mon Nov 26, 2018 3:40 am

From what I understand the MikroTik implementation intercepts HTTP requests (and optionally HTTPS) and redirects them internally to the hotspot setup running on the router. But it's not very graceful and especially with HTTPS it either doesn't work or it will throw a certificate warning, and it doesn't always work anyway with some users' devices not being notified in any way that they need to log in. I've seen much better hotspot implementations out there that do actually work with HTTPS. I've been reading up on it and essentially it's up to the browser but there are common methods: most will try a well-known DNS name or access a specific site to look for redirect requests and if it doesn't respond exactly as expected then gracefully show the user that they need to log in, rather than simply alerting them that their information is about to be stolen...

https://success.tanaza.com/s/article/Ho ... rtal-works
https://thinkincredible.intraway.com/bl ... ve-portals

Is there a way to improve the MikroTik system? i.e. firewall rules, static DNS entries etc to comply with the way these browsers operate
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Improving hotspot/captive portal detection?

Mon Nov 26, 2018 4:58 pm

There is no system that works with HTTPS*. This is by design, if you could intercept a secure page to show your portal, so could anyone else.

The only thing you need to do is redirect ALL requests to your hotspot page, even those without a valid hostname (eg http://sdfnsdgnsseg). When a phone / browser detects a new network, it will check a random or preconfigured host for connectivity, and if it sees a redirect, it will open the hotspot login page. That is the best you can do. Ignore any advice to add exceptions for gstatic.com etc as these actually hinder the portal detection.

*unless you control all the client devices and can install a MITM root certificate.
 
millenium7
Long time Member
Topic Author
Posts: 539
Joined: Wed Mar 16, 2016 6:12 am

Re: Improving hotspot/captive portal detection?

Tue Nov 27, 2018 2:30 am

> There is no system that works with HTTPS*. This is by design, if you could intercept a secure page to show your portal, so could anyone else.

You misunderstand me

There are much better captive portal systems out there that don't intercept HTTPS, but they work when a user tries to go to an HTTPS URL because they have detection mechanisms in place. They get a graceful interruption which is prompted on the browser or on the OS saying something along the lines of "you need to go here to sign on first". Whereas with MikroTik it either flat out fails, or if you enable HTTPS intercept gives a certificate warning about the user's data being stolen; both are very bad.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Improving hotspot/captive portal detection?

Thu Nov 29, 2018 11:58 pm

Those systems work by seeing an HTTPS error, then trying to access a normal HTTP URL. If the HTTP request is redirected, they assume a portal is in use. As long as you're redirecting everything, you should see the same behavior with the MikroTik hotspot.
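
The probe behaviour described in this thread, as an added example that is not part of any post: an offline model of a hotspot gateway and of the plain-HTTP connectivity checks clients make, showing why an exception for gstatic.com suppresses the login prompt. The Android and Apple probe URLs are the commonly documented ones; the gateway model, `LOGIN_URL` and all function names are assumptions for illustration, not RouterOS code or behaviour.

```python
from typing import NamedTuple, Optional

class Response(NamedTuple):
    status: int
    location: Optional[str]
    body: str

LOGIN_URL = "http://hotspot.example/login"  # constructed placeholder

# Plain-HTTP connectivity probes: host, path, expected status, expected body text.
PROBES = {
    "android": ("connectivitycheck.gstatic.com", "/generate_204", 204, ""),
    "apple": ("captive.apple.com", "/hotspot-detect.html", 200, "Success"),
}

def gateway(host, path, authenticated=False, walled_garden=()):
    """Simplified model of a hotspot gateway answering one plain-HTTP request."""
    exempt = any(host == d or host.endswith("." + d) for d in walled_garden)
    if authenticated or exempt:
        # Traffic passes through, so a probe gets its genuine origin answer.
        for p_host, p_path, status, body in PROBES.values():
            if (host, path) == (p_host, p_path):
                return Response(status, None, body)
        return Response(200, None, "origin content")
    # Everything else is redirected, including hostnames that do not exist.
    return Response(302, LOGIN_URL, "")

def classify(os_name, resp):
    """Conclusion the client draws from its probe response (simplified)."""
    _, _, want_status, want_body = PROBES[os_name]
    if resp.status in (301, 302, 303, 307, 308) and resp.location:
        return "portal"   # the OS opens its sign-in window at resp.location
    if resp.status == want_status and want_body in resp.body:
        return "online"   # expected answer: no sign-in prompt is shown
    return "portal"       # any other answer is treated as a portal here

def login_prompt_shown(os_name, walled_garden=()):
    """True if an unauthenticated client of this OS would be prompted to log in."""
    host, path, _, _ = PROBES[os_name]
    return classify(os_name, gateway(host, path, walled_garden=walled_garden)) == "portal"

if __name__ == "__main__":
    for garden in ((), ("gstatic.com",)):
        for os_name in PROBES:
            print(f"exceptions={garden} {os_name}: prompt={login_prompt_shown(os_name, garden)}")
```

With the gstatic.com exception the Android probe receives its expected 204, so the device reports the network as online while every other request is still being redirected.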
