MS Intune Mobile App Support config, setup, troubleshooting, and end user workflows #8599
Conversation
cwarnermm
requested review from
DSchalla,
enahum,
iyampaul,
roberson-io and
yasserfaraazkhan
cwarnermm
added
1: Dev Review
|
Newest code from mattermost has been published to preview environment for Git SHA 599a914 |
|
@cwarnermm I glanced at it and I spotted a few things that are incorrect.. going to take my time to |
| * **Microsoft Entra ID (Azure AD)** – identity, app registration, API permissions | ||
| * **Microsoft Intune** – app protection policies and user targeting | ||
| * **Mattermost Server** – MAM enablement and identity alignment | ||
| * **Mattermost Mobile App (iOS)** – enrollment and enforcement |
There was a problem hiding this comment.
there is nothing to configure on the mobile app
There was a problem hiding this comment.
This section is intended to give admins a broad overview of the work ahead across multiple systems. This bulleted list is introduced "coordinated setup across the following systems", and the mobile app setup is enrollment and enforcement.
Let me know if you'd like changes made to this area.
|
|
||
| * Commit to Azure AD ``objectId`` as the authoritative identity. | ||
| * Ensure all authentication methods (OAuth, SAML, LDAP) resolve to the same value. | ||
| * Confirm access tokens include the ``oid`` claim. |
There was a problem hiding this comment.
this will be part of the configuration steps when configuring in Entra, not sure this is needed here.
There was a problem hiding this comment.
Is it accurate to say that Entra configuration enforces these conditions, or should we phrase this as "must be validated by the admin during Entra setup"?
| * You require Android Intune MAM support (not yet available). | ||
| * Your deployment cannot use Microsoft Entra ID (Azure AD). | ||
| * Your identity strategy cannot use Azure AD ``objectId`` as the authoritative user identifier. | ||
| * You need a rollout model where users can defer or bypass Intune enrollment. |
There was a problem hiding this comment.
This point is interesting, cause they can have multiple login methods, only the login method selected in the Intune MAM configuration in the system console is subject to this.
source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
Outdated
Show resolved
Hide resolved
| * Register the Mattermost mobile app as a public/native Entra application. | ||
| * Copy the **Application (Client) ID**. | ||
|
|
||
| To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app | ||
|
|
||
| * Configure the iOS platform with the correct bundle ID and redirect URI. | ||
|
|
||
| For Entra portal steps, see: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-mobile-app-configuration | ||
|
|
||
| For redirect URI formatting details, see: https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-redirect-uri | ||
|
|
||
| * Grant required Intune MAM API permissions with admin consent. | ||
|
|
||
| To grant tenant-wide admin consent, see: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent |
There was a problem hiding this comment.
not at all.
Register an Application in Entra that will be use to authenticate the users.
this link works To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app and we can keep that, but probably best to direct them to configure this for Single tenant
The redirect URI should remain empty
Once the app is registered, they should Expose an API more info here: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis
The API to be exposed should be api://<APPLICATION-ID> normally filled automatically, then add a scope named login.mattermost
Once that is done, they need to Add a client application, add the Client Id as listed below and assign the Authorized scopes to api://<APPLICATION-ID>/login.mattermost
- Mattermost Mobile Beta:
64e9952b-20eb-46dc-92ad-99089ed24903 - Mattermost Mobile:
not yet created, we will need to update this document
in addition I will share a script once we have the Client Id for Mattermost Mobile so we can attach it here.
Then in Token configuration -> Add optional claim, Select Token type Access then select the claims
- family_name
- given_name
- preferred_username
- upn
There was a problem hiding this comment.
To finalize the documentation, I'll need:
- Production Mobile Client ID
- Confirmation that
login.mattermostis the final scope name - Confirmation that all listed access token claims are mandatory
- The script you mentioned (or guidance on where it will live)
| 3. Enter your credentials. | ||
| 4. When prompted, tap **Enroll**. | ||
|
|
||
| During enrollment, you may see the Microsoft sign-in screen again. This is normal and usually takes only a few seconds. |
There was a problem hiding this comment.
this does not happen during sign-in only if Intune is enabled mid-session
| During enrollment, you may see the Microsoft sign-in screen again. This is normal and usually takes only a few seconds. | ||
|
|
||
| 5. When enrollment completes, you are notified. | ||
| 6. When prompted, enter a PIN to add an extra layer of protection for your work data. |
There was a problem hiding this comment.
this is only if the policy enforces a PIN
|
|
||
| .. note:: | ||
|
|
||
| If you tap **Cancel**, you will not be able to use Mattermost on mobile until enrollment succeeds. You can retry immediately or `log out <#what-happens-when-i-log-out-manually>`__ and retry later. |
There was a problem hiding this comment.
this is only in mid-session, not during signin
| If you try to copy content from Mattermost into another app, the paste will not work. | ||
|
|
||
| Screenshot & Screen Recording Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To prevent sensitive content from being captured, you will not be able to take screenshots or record your screen while using Mattermost. | ||
|
|
||
| If you try to take a screenshot or record your screen, the screenshot or recording will not be captured. | ||
|
|
||
| File Save Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To keep work files protected, you will not be able to save files to personal locations. | ||
|
|
||
| If you try to save a file from Mattermost to a personal location, the save will not work. Files can be saved only to locations approved by your organization. | ||
|
|
||
| Browser & Sharing Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To ensure data stays within protected apps, you will not be able to open links in unapproved browsers or share content to unmanaged apps. | ||
|
|
||
| If you tap a link in Mattermost, it opens only in an approved browser. If you try to share content to an unmanaged app, the share will not work. |
There was a problem hiding this comment.
All of these are enforced or not depending on the Intune policy, perhaps we should point to a microsoft documentation that explains each policy or we should try to be broad with the explanation.
Co-authored-by: Elias Nahum <[email protected]>
|
Newest code from mattermost has been published to preview environment for Git SHA 6334a30 |
|
Newest code from mattermost has been published to preview environment for Git SHA 3350638 |
|
Newest code from mattermost has been published to preview environment for Git SHA 0f31a06 |
Co-authored-by: Elias Nahum <[email protected]>
|
Newest code from mattermost has been published to preview environment for Git SHA f47ab17 |
|
Newest code from mattermost has been published to preview environment for Git SHA a2dfc71 |
|
Newest code from mattermost has been published to preview environment for Git SHA 90580db |
|
Newest code from mattermost has been published to preview environment for Git SHA 3af81d6 |
Documentation for:
Docs Previews Shortcuts for Reviewers:
Decision Makers & Risk Assessors
System Administrators
End Users