Open
28 commits
599a914
MS Intune Mobile App Support config, setup, troubleshooting, and end …
cwarnermm Dec 22, 2025
6334a30
Update source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
cwarnermm Dec 23, 2025
3350638
Update source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
cwarnermm Dec 23, 2025
7c305b7
Incorporating technical review feedback
cwarnermm Dec 23, 2025
0f31a06
Merge branch 'intune-mam' of https://github.com/mattermost/docs into …
cwarnermm Dec 23, 2025
f47ab17
Incorporated technical reviewer feedback
cwarnermm Dec 23, 2025
a2dfc71
Update source/end-user-guide/access/access-your-workspace.rst
cwarnermm Dec 23, 2025
9171afa
Incorporated technical reviewer updates
cwarnermm Dec 23, 2025
90580db
Merge branch 'intune-mam' of https://github.com/mattermost/docs into …
cwarnermm Dec 23, 2025
3af81d6
Fixed build warnings
cwarnermm Dec 23, 2025
3ec94eb
Merge branch 'master' into intune-mam
cwarnermm Jan 7, 2026
657b758
Incorporated reviewer feedback, round 2
cwarnermm Jan 7, 2026
5147147
Merge branch 'intune-mam' of https://github.com/mattermost/docs into …
cwarnermm Jan 7, 2026
3240e43
Incorporated reviewer feedback, round 3
cwarnermm Jan 8, 2026
9a770d3
Merge branch 'master' into intune-mam
cwarnermm Jan 9, 2026
7ab7103
Admin config simplification overhaul
cwarnermm Jan 9, 2026
bf6a4e8
Merge branch 'intune-mam' of https://github.com/mattermost/docs into …
cwarnermm Jan 9, 2026
31d650e
draft complete updates minus 3rd party config steps
cwarnermm Jan 9, 2026
dceacd5
Table formatting fix
cwarnermm Jan 9, 2026
f1eea82
Incorporated reviewer feedback
cwarnermm Jan 12, 2026
8aec224
Update source/end-user-guide/access/access-your-workspace.rst
cwarnermm Jan 12, 2026
7f36db7
Merge branch 'master' into intune-mam
cwarnermm Jan 12, 2026
844e7bc
Update source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
cwarnermm Jan 12, 2026
234c173
Incorporated reviewer feedback
cwarnermm Jan 13, 2026
ab7b602
Updated SKU badge
cwarnermm Jan 13, 2026
2774107
Merge branch 'master' into intune-mam
amyblais Jan 15, 2026
52a5724
Merge branch 'master' into intune-mam
cwarnermm Jan 15, 2026
a8e4088
Merge branch 'master' into intune-mam
amyblais Jan 16, 2026
868 changes: 868 additions & 0 deletions source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
Contributor

I wonder if we should provide a step-by-step bullet point or something on how to actually configure this. I think this guide says a lot, but if the person doing this does not have Entra / Intune experience, they may not know what to do.

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions source/deployment-guide/mobile/mobile-app-deployment.rst
Expand Up @@ -25,6 +25,7 @@ Learn what’s required to build and deploy Mattermost mobile apps.
:hidden:
:titlesonly:

/deployment-guide/mobile/configure-microsoft-intune-mam.rst
/deployment-guide/mobile/deploy-mobile-apps-using-emm-provider.rst
/deployment-guide/mobile/distribute-custom-mobile-apps.rst
/deployment-guide/mobile/host-your-own-push-proxy-service.rst
Expand All @@ -33,6 +34,7 @@ Learn what’s required to build and deploy Mattermost mobile apps.
/deployment-guide/mobile/secure-mobile-file-storage.rst
/deployment-guide/mobile/mobile-faq.rst

* :doc:`Configure Microsoft Intune MAM for Mattermost </deployment-guide/mobile/configure-microsoft-intune-mam>`
* :doc:`Distribute custom mobile apps </deployment-guide/mobile/distribute-custom-mobile-apps>`
* :doc:`Host your own push proxy service </deployment-guide/mobile/host-your-own-push-proxy-service>`
* :doc:`Mobile VPN options </deployment-guide/mobile/consider-mobile-vpn-options>`
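
Review bot: The new bullet "Configure Microsoft Intune MAM for Mattermost" does not say the feature is iOS only, while the sections this PR adds to mobile-security-features.rst and mobile-security.rst state that Intune MAM for Mattermost is currently supported on iOS only. Consider a short qualifier in the link text, for example "(iOS)", so an admin planning an Android rollout does not assume coverage from this index page.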
27 changes: 27 additions & 0 deletions source/deployment-guide/mobile/mobile-security-features.rst
Expand Up @@ -53,6 +53,33 @@ Preventing file downloads protects sensitive information from being inadvertentl

See the :ref:`secure file preview <administration-guide/configure/environment-configuration-settings:enable secure file preview on mobile>` and :ref:`managing PDF link navigation <administration-guide/configure/environment-configuration-settings:allow pdf link navigation on mobile>` configuration settings documentation for details on enabling these features.

Microsoft Intune Mobile Application Management (MAM)
----------------------------------------------------

Mattermost supports Microsoft Intune MAM to enforce identity-based, app-level data protection on iOS devices without requiring full device enrollment in a mobile device management (MDM) solution.
Member

We speak below about only supporting iOS today, should we also clarify it in this section?


.. important::

Microsoft Intune MAM enforcement for Mattermost is currently supported on **iOS** only. We recommend using Android for Work profiles until Android Intune support is available.

Intune MAM applies security policies directly to the Mattermost mobile app using Microsoft Entra ID as the identity authority. This enables organizations to protect corporate or mission-sensitive data on Bring Your Own Device (BYOD) and mixed-use devices while preserving user privacy.

Key security capabilities enabled through Intune MAM include:

* **Mandatory enrollment** before accessing Mattermost on mobile
* **Identity-based enforcement** using Microsoft Entra ID
* **Selective wipe** of Mattermost work data without affecting personal apps or device data
* **Clipboard, file sharing, and data transfer restrictions**
* **Screenshot and screen recording prevention**
* **Managed browser enforcement** and controlled link handling
* **Immediate enforcement** when policies or licensing change, including during active sessions

Intune MAM enforcement is applied **per Mattermost workspace** and evaluated continuously at runtime. If a device becomes non-compliant, enrollment fails, or required policies are not met, access to protected content is blocked automatically.

This approach allows organizations to extend zero-trust and data loss prevention (DLP) controls to mobile users without assuming ownership or management of the underlying device.

See the :doc:`Microsoft Intune MAM configuration guide </deployment-guide/mobile/configure-microsoft-intune-mam>` for deployment and configuration details.

Mobile data isolation
------------------------
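
Review bot: The capability list promises "Mandatory enrollment before accessing Mattermost on mobile", but the end-user page added in this same PR states that enrollment applies only when the user signs in with Microsoft/Entra ID and that Intune App Protection "may not be applied" for email/password or another SSO provider. State here that the guarantee holds only for Entra ID sign-in and say what an admin must do about the other sign-in methods; otherwise a workspace that still allows them reads as covered when it is not. The same applies to "access to protected content is blocked automatically" in the paragraph after the list.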

97 changes: 97 additions & 0 deletions source/end-user-guide/access/access-your-workspace.rst
Expand Up @@ -52,6 +52,103 @@ Access your Mattermost instance with your credentials using a web browser, the d
3. Enter your user credentials to log into Mattermost.
4. The team that displays first in the team sidebar opens. If you're not a member of a team yet, you're prompted to select a team to join.

.. tab:: Mobile via Microsoft Intune
:parse-titles:

When your organization uses Microsoft Intune App Protection to secure Mattermost on iOS mobile devices, you must enroll to access Mattermost on mobile. Enrollment adds extra protection to work data while keeping your personal device and apps private.

What to Expect
---------------

Each time you sign in, Mattermost checks the Intune App Protection Policy applied to your account and automatically enroll your account before you can access your workspace. After enrollment, your Mattermost experience generally stays the same, but some restrictions may be enforced.

Intune protections apply **per Mattermost workspace** (the Mattermost server you sign in to). If you have access to multiple Mattermost workspaces, each workspace may have different protections and requirements in place. This guide explains what to expect when the workspace you are connecting to is protected by Intune.

.. note::

* Intune protections are based on your **user account**, not your Mattermost role or permissions.
* Intune policies are controlled by your organization, not by Mattermost.
* Intune enrollment applies only when you sign in using your organization’s **Microsoft/Entra ID** sign-in method (for example, **Sign in with Microsoft**). If you sign in using a different method (such as email/password or another SSO provider), Intune App Protection may not be applied for that workspace.
* If you’re unsure which sign-in option to use, contact your IT support team.

Sign In to Enroll
-----------------

To sign in and enroll your iOS device:

1. Open the Mattermost mobile app on your iOS device.
2. Sign in with Microsoft (your organization’s sign-in option).
3. Enter your credentials.
4. When enrollment completes, you are notified.
5. If your organization’s Intune App Protection Policy requires it, you’ll be prompted to set a PIN to protect your work data. Once the PIN is confirmed, the Mattermost Mobile App unlocks access to your workspace.

Enrollment happens automatically during sign-in. If you cancel the sign-in flow before it completes, return to the sign-in flow and finish signing in to continue using Mattermost on that device.

Mid-Session Enrollment
----------------------

If enrollment is triggered while you're already signed in, you may be prompted to confirm your Microsoft sign-in again. This is expected and typically takes only a few seconds.

If you tap **Cancel**, you won’t be able to continue using Mattermost on that device until enrollment succeeds. You can retry immediately, or `log out <#what-happens-when-i-log-out-manually>`__ and retry later.

What Changes After Enrollment?
------------------------------

Your organization’s Intune App Protection Policy may restrict how you copy, capture, save, and share data from Mattermost. The exact behavior depends on the specific policy settings your organization has configured.

Screenshot and Screen Recording Restrictions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Depending on your organization’s policy, you may not be able to take screenshots or record your screen while using Mattermost. If screenshot or screen recording is blocked, your device may still show the screenshot or recording UI, but the content may not be captured.

File Save Restrictions
~~~~~~~~~~~~~~~~~~~~~~

Depending on policy, you may not be able to save files from Mattermost to personal or unmanaged locations. Files may be limited to locations approved by your organization.

Browser and Sharing Restrictions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Depending on policy, links may open only in an approved browser and sharing may be restricted to managed apps. If you try to open a link in an unapproved browser or share content to an unmanaged app, the action may be blocked.

Frequently Asked Questions
--------------------------

What Happens If I Leave the Organization or Lose My Device?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you leave the organization, or your device is lost or compromised, your IT support team can wipe Mattermost work data from your iOS device. This is called a **selective wipe**.

A selective wipe means that:

* Only Mattermost work data is removed from your device.
* Personal apps, photos, and files are untouched.
* You are logged out of the affected Mattermost workspace.
* Other Mattermost workspaces on your device remain unaffected.

Why Can’t I Access Mattermost After Enrollment?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mattermost may restrict access after enrollment if Intune detects a risk, such as:

* Your device operating system is out of date
* The device is too old to meet security requirements
* A jailbroken device is detected
* Malware is detected
* Re-authentication is required

If this occurs, Intune blocks access and displays an error message in the Mattermost mobile app explaining what action is required. Contact your IT support team for help.

What Happens When I Log Out Manually?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you log out of Mattermost:

* All workspace data is securely removed from the device.
* Intune protection for that workspace is removed.

You can sign back in with Microsoft if you need access again.
Member

Should we add a note on what happens if using a non-Microsoft authentication method, which likely means the feature will not be functional? (Just to make it explicit.)


Reset your password
--------------------
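
Review bot: In "What to Expect", the sentence "Mattermost checks the Intune App Protection Policy applied to your account and automatically enroll your account" needs "enrolls". In the FAQ entry "Why Can't I Access Mattermost After Enrollment?", the opening sentence says Mattermost restricts access and the closing sentence says Intune blocks access; name one actor so users know where the error message comes from. The note bullet on sign-in methods says protection "may not be applied" for email/password or another SSO provider; say definitively whether it is applied, since a user reading this cannot tell whether their work data is protected in that case.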

7 changes: 7 additions & 0 deletions source/end-user-guide/access/log-out.rst
Expand Up @@ -34,3 +34,10 @@ When you log out, the following additional data is also deleted:
- All files saved in the cache directory for that server.
- All thumbnails and data saved to the clipboard for all servers (not just the server you've logged out of).
- The ``image_cache`` cache directory (Android mobile app)

If you have multiple Mattermost accounts on the same server, logging out of one account will not log you out of the other accounts.

What happens if I log out while my device is enrolled in Intune MAM?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If your device is enrolled in Intune MAM (Mobile Application Management), logging out of Mattermost will remove all workspace data and Intune protection for that workspace from your iOS device. You can sign back in with Microsoft if you need access again. Learn more about `accessing your workspace with Intune MAM <https://docs.mattermost.com/end-user-guide/access/access-your-workspace.html#itab--Mobile-via-Microsoft-Intune-MaM--0_1-Mobile-via-Microsoft-Intune-MaM>`_.
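
Review bot: The "accessing your workspace with Intune MAM" link is a hard-coded https://docs.mattermost.com URL whose fragment names a tab "Mobile-via-Microsoft-Intune-MaM", while the tab added in access-your-workspace.rst is labelled "Mobile via Microsoft Intune". Check that the fragment resolves in the built site, and prefer a :doc: or :ref: target so the build flags it if the tab is renamed. The heading and first sentence also say the device is enrolled, whereas the rest of this PR describes Intune MAM as enrolling the account without device enrollment; "while your account is enrolled" would match.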
Binary file added source/images/intune-mam-system-console.png
Expand Up @@ -6,7 +6,7 @@ Connect Microsoft 365, Teams, and Outlook with Mattermost

Mattermost Mission Collaboration for Microsoft extends Microsoft for mission-critical coordination, command and control, incident response, and DevSecOps workflows in demanding environments, including air-gapped and classified networks by embedding Mattermost inside Teams. Use data-sovereign tools like secure chat, Playbooks, and Calls directly within M365, Teams, and Outlook.

This app is designed to work with Microsoft 365, Teams, and Outlook and is currently in :ref:`Beta <administration-guide/manage/feature-labels:beta>`. From Mattermost v10.9, this integration supports third-party Single Sign-On (SSO). See the :doc:`user provisioning </administration-guide/manage/admin/user-provisioning>` product documentation for details on setting up SSO.
This app is designed to work with Microsoft 365, Teams, and Outlook and is currently in :ref:`Beta <administration-guide/manage/feature-labels:beta>`. From Mattermost v10.7.1, this integration supports Entra ID-based Single Sign-On (SSO) for automatic authentication. Users must exist in both Mattermost and Microsoft with matching email addresses; the integration handles authentication but does not automatically provision new users. See the :doc:`user provisioning </administration-guide/manage/admin/user-provisioning>` product documentation for details on setting up SSO.

.. image:: ../images/mattermost-in-msteams-2.png
:alt: Mattermost embedded as a Microsoft Teams app.
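
Review bot: The minimum version in the SSO sentence moves backwards, from "From Mattermost v10.9" to "From Mattermost v10.7.1", in the same edit that narrows "third-party Single Sign-On (SSO)" to "Entra ID-based Single Sign-On (SSO)". Confirm v10.7.1 against the release notes and say whether non-Entra SSO remains supported. The sentence now states that the integration does not provision users, yet the next sentence still sends readers to the user provisioning page "for details on setting up SSO"; reword that pointer so it says what the page is for.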
Expand Down Expand Up @@ -95,7 +95,7 @@ A Microsoft Teams app is installed into Microsoft Teams. This app facilitates co

2. Go to **System Console > Plugins > Plugin Management > Upload Plugin**, and upload the plugin binary you downloaded in the previous step.

3. Go to **System Console > Plugins > Plugin Management**. In the **Installed Plugins** section, scroll to **MSTeams DevSecOps**.
3. Go to **System Console > Plugins > Plugin Management**. In the **Installed Plugins** section, scroll to **Mattermost Mission Collaboration for Microsoft**.

4. Enter an **Application Version**. You can start with ``1.0.0``.

Expand Down Expand Up @@ -155,11 +155,36 @@ Authentication

This plugin supports automatic authentication when logged into Microsoft Teams. Teams authentication automatically logs users into Mattermost if the email addresses in both platforms match exactly. Regular authentication methods (LDAP, SAML, email/password, OpenID) can additionally be used for Mattermost.

The integration automatically configures Content Security Policy (CSP) and Frame Ancestors settings to ensure secure embedding of Mattermost within Microsoft Teams, Outlook, and other Microsoft 365 applications. Deep linking is supported, allowing users to select links in Teams notifications and navigate directly to specific Mattermost posts or conversations.

In air-gapped environments or during business continuity disruptions, users who can't join Microsoft Teams, can continue to access Mattermost using their Mattermost credentials by opening Mattermost in a separate app (e.g., in a new browser window). Alternatively, a Mattermost admin can pre-distribute the Mattermost desktop app using Windows MSI or the mobile app via EMM.

.. image:: ../images/mattermost-in-msteams.png
:alt: Mattermost embedded in a Microsoft Teams tab.

Activity Feed notifications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you're mentioned in Mattermost while working in Microsoft Teams, you'll receive notifications directly in your Teams Activity Feed. This keeps you connected to important Mattermost conversations without switching applications.

**What triggers notifications:**

- Direct mentions using @username
- Channel-wide mentions using @channel, @all, or @here
- Direct messages sent to you

**How it works:**

When someone mentions you in Mattermost, a notification appears in your Microsoft Teams Activity Feed. Select the notification to open Mattermost and view the full context of the message. This feature uses the ``TeamsActivity.Send`` permission configured during the Azure app registration setup.

**Disable notifications:**

System admins can disable Activity Feed notifications for specific users or across your organization by configuring the ``disable_user_activity_notifications`` setting in the plugin configuration. This setting is useful if you want to reduce notification noise or if users prefer to check Mattermost manually.

.. note::

Activity Feed notifications require the ``TeamsActivity.Send`` application permission to be configured in Azure (step 6 of the `Register an MS Teams app in Azure <#register-an-ms-teams-app-in-azure>`__ section).

Get Help
---------
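
Review bot: The new sentence "The integration automatically configures Content Security Policy (CSP) and Frame Ancestors settings" does not list which origins are added to frame-ancestors, or whether a value the admin has already set is overwritten or merged. Document both so the change can be audited, since this setting controls which sites may embed Mattermost. Under "Disable notifications", a single setting, disable_user_activity_notifications, is described as working "for specific users or across your organization"; explain how per-user scoping is expressed or drop that claim. The closing note's reference to "step 6" will go stale if the Azure registration steps are renumbered.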

11 changes: 11 additions & 0 deletions source/security-guide/mobile-security.rst
Expand Up @@ -25,6 +25,17 @@ Mobile access platforms

Mattermost mobile applications can be operated under the protection of mobile access platforms like `Hypori <https://www.hypori.com/>`_. These platforms provide an additional layer of security by creating a virtualized environment for mobile applications, ensuring that sensitive data is isolated from the device's operating system. This approach enhances data protection and minimizes the risk of data leakage or unauthorized access.

Microsoft Intune Mobile Application Management (MAM)
----------------------------------------------------

Mattermost supports Microsoft Intune Mobile Application Management (MAM) to enforce app-level data protection on **iOS** devices without requiring full device enrollment in a mobile device management (MDM) solution. Intune MAM applies security policies directly to the Mattermost mobile app based on user identity, enabling organizations to protect corporate or mission-sensitive data on Bring Your Own Device (BYOD) and mixed-use devices while preserving user privacy.

Intune MAM for Mattermost is currently supported on iOS only. For Android deployments, we recommend using **Android Enterprise work profiles** as an alternative approach until Mattermost adds support for Intune MAM on Android.

Intune MAM enforcement is applied per Mattermost workspace and is evaluated continuously at runtime. If a device becomes non-compliant or enrollment fails, access to protected content is blocked automatically. This approach allows organizations to extend zero-trust and data loss prevention (DLP) controls to mobile users without assuming ownership of the underlying device.
Member

Should we add a note that we advise using Android for Work profiles until we ship support for MAM on Android?


Learn more about the :ref:`security capabilities enabled through Intune MAM <deployment-guide/mobile/mobile-security-features:microsoft intune mobile application management (mam)>`.

Jailbreak and root detection
-----------------------------
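
Review bot: The Android recommendation here says "Android Enterprise work profiles", while the important box added to deployment-guide/mobile/mobile-security-features.rst says "Android for Work profiles". Use one term in both files; Android Enterprise is the current name. The first paragraph already bolds iOS and the second repeats "currently supported on iOS only", so the two could be folded into one statement, and the third paragraph repeats the per-workspace and runtime-evaluation wording from mobile-security-features.rst almost verbatim; a one-sentence summary plus the existing "Learn more" link would avoid the two copies drifting apart.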
