MS Intune Mobile App Support config, setup, troubleshooting, and end user workflows #8599
base: master
Conversation
Newest code from mattermost has been published to preview environment for Git SHA 599a914
@cwarnermm I glanced at it and I spotted a few things that are incorrect.. going to take my time to
enahum
left a comment
Check this file to see if it helps.
The implementation plan has more info about the error codes. (I'll share over DM)
|
|
||
| * Commit to Azure AD ``objectId`` as the authoritative identity. | ||
| * Ensure all authentication methods (OAuth, SAML, LDAP) resolve to the same value. | ||
| * Confirm access tokens include the ``oid`` claim. |
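Review bot: the second bullet requires that OAuth, SAML and LDAP all "resolve to the same value" but does not say which attribute carries the Azure AD objectId for the SAML and LDAP cases, so an admin cannot act on it; name the attribute to map for each method (or link to the attribute synchronization section of this guide) rather than leaving it as a bare requirement.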
this will be part of the configuration steps when configuring in Entra, not sure this is needed here.
Is it accurate to say that Entra configuration enforces these conditions, or should we phrase this as "must be validated by the admin during Entra setup"?
I mean, this is something that they will HAVE to configure in Entra when they register the application (this is not registering the mobile application, just an Entra application). Then, during the configuration of that application, they will need to add some claims to the access token, but the access token, even without optional claims, will include the oid.
Screenshot for reference
| * You require Android Intune MAM support (not yet available). | ||
| * Your deployment cannot use Microsoft Entra ID (Azure AD). | ||
| * Your identity strategy cannot use Azure AD ``objectId`` as the authoritative user identifier. | ||
| * You need a rollout model where users can defer or bypass Intune enrollment. |
This point is interesting, cause they can have multiple login methods, only the login method selected in the Intune MAM configuration in the system console is subject to this.
I think we need to make this clearer.. for example they can have users with another login method and this is then a false statement, guest users and again this is a false statement.
source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
| * Register the Mattermost mobile app as a public/native Entra application. | ||
| * Copy the **Application (Client) ID**. | ||
|
|
||
| To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app | ||
|
|
||
| * Configure the iOS platform with the correct bundle ID and redirect URI. | ||
|
|
||
| For Entra portal steps, see: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-mobile-app-configuration | ||
|
|
||
| For redirect URI formatting details, see: https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-redirect-uri | ||
|
|
||
| * Grant required Intune MAM API permissions with admin consent. | ||
|
|
||
| To grant tenant-wide admin consent, see: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent |
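Review bot: "Grant required Intune MAM API permissions with admin consent" names no permission, so the admin-consent link that follows it is not actionable; list the specific API permissions the app needs (or link to where this guide enumerates them) in that bullet, and make the "Copy the **Application (Client) ID**" bullet say where the ID is used later, since the later steps reference it as ``api://<APPLICATION-ID>``.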
Not at all.
Register an Application in Entra that will be used to authenticate the users.
This link works ("To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app") and we can keep that, but probably best to direct them to configure this for Single tenant.
The redirect URI should remain empty
Once the app is registered, they should Expose an API more info here: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis
The API to be exposed should be api://<APPLICATION-ID> normally filled automatically, then add a scope named login.mattermost
Once that is done, they need to Add a client application, add the Client Id as listed below and assign the Authorized scopes to api://<APPLICATION-ID>/login.mattermost
- Mattermost Mobile Beta: 64e9952b-20eb-46dc-92ad-99089ed24903
- Mattermost Mobile: not yet created, we will need to update this document
in addition I will share a script once we have the Client Id for Mattermost Mobile so we can attach it here.
Then in Token configuration -> Add optional claim, select Token type "Access", then select the claims:
- family_name
- given_name
- preferred_username
- upn
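The checks an admin would run against a real access token after finishing the steps above (the ``api://<APPLICATION-ID>`` audience, the ``login.mattermost`` scope, the always-present ``oid`` claim, and the four optional claims), written as an added example that is not part of this PR, the Mattermost project, or the script mentioned in the thread. The application and tenant IDs are placeholders, the sample tokens are constructed and unsigned so the script runs offline, and the script deliberately does not verify the signature: it is a configuration sanity check for the admin, not the validation the Mattermost server performs.

```python
"""Inspect an Entra access token for the claims the Intune MAM setup relies on.

Added example, not the project's code.  Assumptions (not from the thread):
APPLICATION_ID and EXPECTED_TENANT_ID are placeholders, and the sample tokens
below are constructed (alg=none, unsigned).  No signature verification is done.
"""
import base64
import json

# Placeholders for the registered Entra application and its single tenant.
APPLICATION_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_TENANT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_AUDIENCE = f"api://{APPLICATION_ID}"
EXPECTED_SCOPE = "login.mattermost"          # scope name from the thread
OPTIONAL_CLAIMS = ("family_name", "given_name", "preferred_username", "upn")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict.  Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(payload: dict) -> dict:
    """Compare the payload against the Entra configuration the doc describes."""
    problems = []
    if "oid" not in payload:
        problems.append("missing oid claim (should be present on every access token)")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        problems.append(f"aud is {payload.get('aud')!r}, expected {EXPECTED_AUDIENCE!r}")
    if payload.get("tid") != EXPECTED_TENANT_ID:
        problems.append(f"tid is {payload.get('tid')!r}; app should be single tenant")
    # Entra carries delegated scopes as a space-separated string in 'scp'.
    scopes = set(payload.get("scp", "").split())
    if EXPECTED_SCOPE not in scopes:
        problems.append(f"scope {EXPECTED_SCOPE!r} not granted (scp={sorted(scopes)})")
    missing = [c for c in OPTIONAL_CLAIMS if c not in payload]
    return {
        "ok": not problems,
        "problems": problems,
        "missing_optional_claims": missing,
        "oid": payload.get("oid"),
    }


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: a token that matches the configuration in the thread.
GOOD_TOKEN = make_unsigned_token({
    "aud": EXPECTED_AUDIENCE, "tid": EXPECTED_TENANT_ID,
    "oid": "22222222-2222-2222-2222-222222222222",
    "scp": "login.mattermost",
    "family_name": "Doe", "given_name": "Jane",
    "preferred_username": "jane@example.com", "upn": "jane@example.com",
})

# Constructed sample: scope never authorized, 'upn' optional claim not added.
BAD_TOKEN = make_unsigned_token({
    "aud": EXPECTED_AUDIENCE, "tid": EXPECTED_TENANT_ID,
    "oid": "22222222-2222-2222-2222-222222222222",
    "family_name": "Doe", "given_name": "Jane",
    "preferred_username": "jane@example.com",
})


if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, json.dumps(check_token(decode_payload(tok)), indent=2))
```

Paste a token captured from a test sign-in into ``decode_payload`` to see which of the Expose-an-API, client-application and optional-claim steps was skipped; a missing ``upn`` or ``preferred_username`` points at the Token configuration step, a missing scope at the client-application authorization step.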
To finalize the documentation, I'll need:
- Production Mobile Client ID
- Confirmation that `login.mattermost` is the final scope name
- Confirmation that all listed access token claims are mandatory
- The script you mentioned (or guidance on where it will live)
To finalize the documentation, I'll need:
- Production Mobile Client ID
- Confirmation that `login.mattermost` is the final scope name
- Confirmation that all listed access token claims are mandatory
- The script you mentioned (or guidance on where it will live)

- Production Mobile Client ID -> @iyampaul still needs to configure this, I need it too.
- `login.mattermost` is the FINAL scope
- Not all claims are mandatory, but let's act as if they are.
- The script I can provide once I have the Production Mobile Client ID; the guidance should be in the document I shared, in the section that describes the configuration for "Expose an API"
| 3. Enter your credentials. | ||
| 4. When prompted, tap **Enroll**. | ||
|
|
||
| During enrollment, you may see the Microsoft sign-in screen again. This is normal and usually takes only a few seconds. |
This does not happen during sign-in, only if Intune is enabled mid-session.
| During enrollment, you may see the Microsoft sign-in screen again. This is normal and usually takes only a few seconds. | ||
|
|
||
| 5. When enrollment completes, you are notified. | ||
| 6. When prompted, enter a PIN to add an extra layer of protection for your work data. |
this is only if the policy enforces a PIN
|
|
||
| .. note:: | ||
|
|
||
| If you tap **Cancel**, you will not be able to use Mattermost on mobile until enrollment succeeds. You can retry immediately or `log out <#what-happens-when-i-log-out-manually>`__ and retry later. |
This is only in mid-session, not during sign-in.
| If you try to copy content from Mattermost into another app, the paste will not work. | ||
|
|
||
| Screenshot & Screen Recording Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To prevent sensitive content from being captured, you will not be able to take screenshots or record your screen while using Mattermost. | ||
|
|
||
| If you try to take a screenshot or record your screen, the screenshot or recording will not be captured. | ||
|
|
||
| File Save Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To keep work files protected, you will not be able to save files to personal locations. | ||
|
|
||
| If you try to save a file from Mattermost to a personal location, the save will not work. Files can be saved only to locations approved by your organization. | ||
|
|
||
| Browser & Sharing Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To ensure data stays within protected apps, you will not be able to open links in unapproved browsers or share content to unmanaged apps. | ||
|
|
||
| If you tap a link in Mattermost, it opens only in an approved browser. If you try to share content to an unmanaged app, the share will not work. |
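Review bot: every restriction in this section is stated unconditionally ("you will not be able to take screenshots", "the save will not work"), yet the sign-in section's step 5 already uses the conditional form "If your organization's Intune App Protection Policy requires it"; apply the same conditional phrasing to each restriction here, or add one lead-in sentence saying which restrictions apply depends on the policy the organization assigned, so end users are not told a control exists that their policy may not enforce.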
All of these are enforced or not depending on the Intune policy, perhaps we should point to a microsoft documentation that explains each policy or we should try to be broad with the explanation.
Co-authored-by: Elias Nahum <[email protected]>
Newest code from mattermost has been published to preview environment for Git SHA 6334a30
Newest code from mattermost has been published to preview environment for Git SHA 3350638
Newest code from mattermost has been published to preview environment for Git SHA 0f31a06
Co-authored-by: Elias Nahum <[email protected]>
Newest code from mattermost has been published to preview environment for Git SHA f47ab17
Newest code from mattermost has been published to preview environment for Git SHA a2dfc71
Newest code from mattermost has been published to preview environment for Git SHA 90580db
Newest code from mattermost has been published to preview environment for Git SHA 3af81d6
Newest code from mattermost has been published to preview environment for Git SHA 5147147
enahum
left a comment
sorry, the comments remain in a pending state
| Step 5: Validate Using the Mobile App | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| * Ensure test users are assigned in Intune and properly licensed. |
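Review bot: the validation step states the precondition (test users assigned in Intune and licensed) but not what a failed check looks like to the tester, so it cannot be verified from the app; add the symptom an unassigned or unlicensed user sees (the "Consent Denied" alert quoted in the comment below) next to this bullet, and point at the Intune assignment page as the fix.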
They'll get an alert saying:
"Consent Denied"
"You denied consent for Intune management. The affected accounts have been unenrolled and signed out."
So of course, this is not true on the part of the user, but still the consent is missing.
| | Custom attributes | Not supported | Unsupported by Intune | | ||
| +-------------------+------------------+------------------------------+ | ||
|
|
||
| Attribute Synchronization & Access Enforcement |
"Your account isn't fully set up yet. Please sign in to Mattermost via the web or desktop app first."
Newest code from mattermost has been published to preview environment for Git SHA 3240e43
Newest code from mattermost has been published to preview environment for Git SHA 9a770d3
Newest code from mattermost has been published to preview environment for Git SHA bf6a4e8
Newest code from mattermost has been published to preview environment for Git SHA 31d650e
Newest code from mattermost has been published to preview environment for Git SHA dceacd5
| 4. Authorize the ``api://<APPLICATION-ID>/login.mattermost`` scope. | ||
| 5. Save your changes. | ||
|
|
||
| If the official client application ID isn't yet available, complete the remaining steps and return here once Mattermost provides it. |
We have the one for the beta app. I already shared it, but here it is again just in case: 64e9952b-20eb-46dc-92ad-99089ed24903. We can add this one, and once we have the id for the production app we can update this doc.
| 4. When enrollment completes, you are notified. | ||
| 5. If your organization’s Intune App Protection Policy requires it, you’ll be prompted to set a PIN to protect your work data. Once the PIN is confirmed, the Mattermost Mobile App unlocks access to your workspace. | ||
|
|
||
| If you dismiss enrollment during sign-in, return to the sign-in flow and complete enrollment to continue using Mattermost on that device. |
Enrollment cannot be dismissed; this happens automatically on sign-in. What they dismiss/cancel is the login flow.
In the event that Intune is enabled mid-session, they could dismiss the prompt to enroll, but this seems to belong in the next section.
Newest code from mattermost has been published to preview environment for Git SHA f1eea82
Newest code from mattermost has been published to preview environment for Git SHA 7f36db7
Newest code from mattermost has been published to preview environment for Git SHA 8aec224
enahum
left a comment
almost there
Co-authored-by: Elias Nahum <[email protected]>
Newest code from mattermost has been published to preview environment for Git SHA 844e7bc
Documentation for:
Docs preview shortcuts for reviewers:
- Decision Makers & Risk Assessors
- System Administrators
- End Users