diff --git a/source/deployment-guide/mobile/configure-microsoft-intune-mam.rst b/source/deployment-guide/mobile/configure-microsoft-intune-mam.rst new file mode 100644 index 00000000000..2a87ff1eaeb --- /dev/null +++ b/source/deployment-guide/mobile/configure-microsoft-intune-mam.rst 
@@ -0,0 +1,468 @@ +Configure Microsoft Intune Mobile Application Management (MAM) +============================================================== + +.. include:: ../../_static/badges/entry-adv.rst + :start-after: :nosearch: + +You can configure the Mattermost Mobile App to enforce Microsoft Intune App Protection Policies (MAM) on iOS devices so organizational data remains protected on Bring Your Own Device (BYOD) and mixed-use devices without requiring device enrollment (MDM). This guide provides the required configuration to activate Intune MAM successfully on iOS. + +Getting Started +--------------- + +This configuration spans identity, mobile enforcement, and licensing systems. The guide is intentionally explicit to prevent misconfiguration and destructive enrollment failures. It's organized to help you validate fit first, then configure Intune MAM correctly. + +* Initial sections help you determine whether Intune MAM is compatible with your deployment. +* `Identity <#identity-configuration-for-intune-mam>`__ sections explain the required identity model and enforcement behavior. +* Configuration sections provide a prescriptive order of operations. +* `Validation <#validation-checklist>`__ and `Troubleshooting <#troubleshooting>`__ describe expected runtime behavior and failure modes. + +When Not to Use This Guide +--------------------------- + +If any of the following apply, stop. This configuration will fail. + +* You require Android Intune MAM support (not yet available). +* Your deployment can't use Microsoft Entra ID (Azure AD). +* The authentication method you plan to protect with Intune MAM can't use Azure AD ``objectId`` as the authoritative user identifier. +* You need a rollout model where users can defer or bypass Intune enrollment. + +Before You Continue +------------------- + +Before proceeding, confirm the following are true: + +* You use Microsoft Entra ID for authentication. +* You can commit to Azure AD ``objectId`` as the authoritative identity. 
+* You have (or can obtain) a Mattermost Enterprise Advanced license. +* Target users are licensed for Microsoft Intune. +* You can register applications and grant admin consent in Microsoft Entra. +* If using SAML for Intune MAM enforcement, users must already exist in Mattermost before signing in on mobile. Mobile sign-in doesn’t create users for SAML. + +If any of the above are not true, do not proceed. + +.. note:: + + In this guide, OpenID Connect (OIDC) refers to the Microsoft Entra sign-in method used by the Mattermost Mobile App via MSAL. + +Configuration Overview +---------------------- + +Configuring Intune MAM for the Mattermost Mobile App requires coordinated setup across the following 4 systems: + +* **Microsoft Entra ID (Azure AD)** – identity, app registration, API permissions +* **Microsoft Intune** – app protection policies and user targeting +* **Mattermost Server** – MAM enablement and identity alignment +* **Mattermost Mobile App (iOS)** – enrollment and enforcement + +If any system is misconfigured, Intune MAM enrollment will fail. + +Before beginning configuration, review the `Identity Configuration <#identity-configuration-for-intune-mam>`__ section to confirm your deployment meets the required identity model. + +Setup Order +~~~~~~~~~~~ + +.. important:: + + Intune MAM enforcement is evaluated only for the authentication provider selected in **System Console > Environment > Mobile Security**. Before you enable Intune MAM, confirm all of the following for the selected provider: + + * Mattermost resolves user identity to Azure AD objectId (``IdAttribute`` = ``objectId``). + * MSAL access tokens include the ``oid`` claim. + * Required Intune MAM API permissions have tenant-wide admin consent. + +Follow this setup order exactly to avoid enrollment failures and rework. + +Step 1: Confirm Identity Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Commit to Azure AD ``objectId`` as the authoritative identity. 
+* Ensure the authentication provider selected for Intune MAM enforcement (OIDC or SAML) is backed by Microsoft Entra ID and resolves users to Azure AD ``objectId``. +* If LDAP is used to provision those users, LDAP must also resolve the same Azure AD ``objectId``. +* Confirm MSAL access tokens include the ``oid`` claim. + +These conditions are enforced through Microsoft Entra configuration. If they are not met, Intune MAM enrollment will fail even if all other steps are completed correctly. + +Step 2: Configure Microsoft Entra for Mattermost Mobile Authentication +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Register a Microsoft Entra application used by Mattermost Server to validate MSAL access tokens and support Intune MAM enrollment. +* Grant required Intune MAM API permissions and tenant-wide admin consent. +* Configure the Microsoft Entra application to issue MSAL v2 access tokens that include the ``oid`` claim. + +See the detailed Entra configuration steps for execution details. + +Step 3: Configure Mattermost Server for Intune MAM +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Enable Intune MAM in the System Console. +* Set ``IdAttribute = objectId``. +* Verify Enterprise Advanced licensing. + +Step 4: Configure Intune App Protection Policies +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Create an iOS App Protection Policy. +* Add the Mattermost bundle ID based on the app you deploy: + + * **Mattermost Mobile (Production)**: ``com.mattermost.rn`` + * **Mattermost Mobile Beta**: ``com.mattermost.rnbeta`` + +* Assign the policy using Microsoft Entra groups. + +Step 5: Validate Using the Mobile App +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Ensure test users are assigned in Intune and properly licensed, and perform the first validation login using a Microsoft Entra administrator account that can grant tenant-wide admin consent. +* Test enrollment from an iOS device. +* Confirm enforcement behaviors. 
+* Verify mid-session enforcement behavior. + +If enrollment doesn't complete as expected, see the `Troubleshooting <#troubleshooting>`__ section for guidance. + +Identity Configuration for Intune MAM +-------------------------------------- + +This section defines the identity requirements, constraints, and runtime behavior for the authentication method selected for Microsoft Intune MAM enforcement. + +.. important:: + + - Mattermost can support multiple authentication methods at the same time. Intune MAM enforcement applies only to the authentication method selected in the Intune MAM configuration in the Mattermost System Console. That authentication method must resolve users by Azure AD ``objectId``. Other authentication methods are not evaluated by Intune MAM. + - Intune MAM enforcement is identity-based and policy-driven. Mattermost roles and permissions don't affect whether Intune MAM is required or which protections apply. + +All identity prerequisites for the authentication method selected for Intune MAM enforcement must be met before enabling Intune MAM or enrolling users. + +Required Identity Model +~~~~~~~~~~~~~~~~~~~~~~~~ + +Microsoft Intune MAM for Mattermost requires Azure AD ``objectId`` as the authoritative user identifier. + +* No alternative identifiers are supported. +* If identity is misconfigured, Intune MAM enrollment will fail, even if all other configuration steps are correct. +* There is no fallback or partial enforcement mode. +* This requirement applies regardless of authentication method. 
+ +Identity Consistency Requirements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Azure AD ``objectId`` must be resolved consistently across all sign-in paths used by the authentication method selected for Intune MAM, including any of the following that apply to that authentication method and user population: + +* Mobile (OIDC via MSAL) +* Web (SAML), if the same IdP is used +* LDAP sync (if you use LDAP to provision those users) + +``IdAttribute`` is the Mattermost Server configuration that specifies which user attribute contains the Azure AD ``objectId``. + +The following rules apply: + +* ``IdAttribute`` must equal Azure AD ``objectId``. +* MSAL access tokens must include the ``oid`` claim. +* Any mobile, web, or directory sign-in flows used by the authentication method selected for Intune MAM must resolve to the same Azure AD ``objectId``. + +If any authentication path resolves a different identifier, enrollment will fail. + +Supported Identity Attributes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Only the identity attributes listed below are supported for Intune MAM. 
+ ++-------------------+------------------+------------------------------+ +| Attribute | Supported | Result | ++===================+==================+==============================+ +| objectId | Required | Works | ++-------------------+------------------+------------------------------+ +| email | Not supported | Enrollment fails | ++-------------------+------------------+------------------------------+ +| preferred_username| Not supported | Identity mismatch | ++-------------------+------------------+------------------------------+ +| objectGUID | Not supported | Breaks mobile authentication | ++-------------------+------------------+------------------------------+ +| Custom attributes | Not supported | Unsupported by Intune | ++-------------------+------------------+------------------------------+ + +Attribute Synchronization and Access Enforcement +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When Intune MAM is enabled, some users may authenticate exclusively through the Mattermost Mobile App. If your deployment uses SAML or OIDC, note the following behavior: + +* User attributes synchronize only at login. +* Changes made in the identity provider do not apply until the next login. +* Mobile-only users may not trigger attribute synchronization. + +As a result, attribute-based access control (ABAC) may not apply immediately. + +If proactive enforcement of attribute-based access changes is required, we recommend LDAP (including Entra ID Domain Services). This behavior affects access enforcement, not Intune MAM enrollment. + +Runtime Enforcement Behavior +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Mattermost Mobile App enforces Intune MAM requirements during active sessions, not only at login. + +If Intune MAM becomes newly required due to policy, licensing, or configuration changes: + +* Enrollment is triggered immediately. +* Access to sensitive content is restricted until enrollment succeeds. +* Users can't bypass enforcement. 
+ +Plan rollouts assuming enforcement can occur instantly. + +Once your identity model and enforcement behavior are understood and aligned, ensure the following prerequisites are in place before beginning configuration. + +Microsoft Entra Configuration for Intune MAM +-------------------------------------------- + +This section provides the detailed Microsoft Entra configuration required to support Mattermost Mobile App authentication and Intune MAM enforcement. Complete this section before +`configuring the Mattermost server <#configure-mattermost-server>`__ or `Intune App Protection Policies <#configure-intune-app-protection-policies>`__. + +The steps below require changes in App registrations (manifest + API permissions) and Enterprise applications (admin consent). + +Entra Application Registration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Register an application in Microsoft Entra that will be used by the Mattermost Mobile App for authentication and Intune MAM enrollment. This application represents the Mattermost Mobile client and is used to acquire MSAL access tokens during mobile sign-in. + +This Entra application is referenced by the Mattermost server when Intune MAM is enabled to validate MSAL access tokens issued during mobile sign-in. Redirect URI configuration isn't required for Intune MAM enforcement. + +Access Token Requirements +~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Mattermost Mobile App relies on the MSAL access token for identity resolution and Intune MAM enforcement. + +The following requirements must be met: + +* Access tokens must include the ``oid`` claim. +* The application must issue tokens compatible with MSAL v2. +* ``accessTokenAcceptedVersion`` must be set to ``2`` in the app manifest. 
+ +Detailed Prerequisites +---------------------- + +Microsoft Requirements +~~~~~~~~~~~~~~~~~~~~~~~ + +* Microsoft Entra tenant +* Permissions to register applications and grant admin consent in Microsoft Entra +* Microsoft Intune App Protection Policies enabled +* Microsoft Entra–backed sign-in functions for web and mobile +* Targeted users are licensed for Microsoft Intune + +.. note:: + + Microsoft Entra uses both App registrations and Enterprise Applications to represent the same application. You may need access to both areas to complete registration, permission assignment, and admin consent. + +Mattermost Requirements +~~~~~~~~~~~~~~~~~~~~~~~ + +* Mattermost Enterprise Advanced license +* An authentication method backed by Microsoft Entra is configured (OIDC or SAML) +* Intune enabled +* The authentication method selected for Intune MAM enforcement in the System Console must be backed by Microsoft Entra + +User Requirements +~~~~~~~~~~~~~~~~~ + +* Users authenticate via Microsoft Entra +* Users exist in Mattermost + +With prerequisites in place, the next sections describe how identity requirements are enforced across each authentication method and the Microsoft Entra permissions required for Intune MAM enrollment and validation. + +Identity Enforcement by Authentication Method +--------------------------------------------- + +Only the authentication method selected for Intune MAM enforcement must meet these requirements. Apply the same identity rule consistently for that selected method. + +OIDC (Mobile sign-in via MSAL) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Only the access token is used. +* The ``oid`` claim is required. + +SAML (Web Login) +~~~~~~~~~~~~~~~~~ + +* ``SamlSettings.IdAttribute`` must map to ``objectidentifier``. +* Email, UPN, and ``immutableID`` are not supported. + +.. important:: + + When SAML is selected as the authentication method for Intune MAM enforcement, users must already exist in Mattermost before signing in on mobile. 
Users who haven't yet been provisioned must first sign in using the Mattermost web or desktop application. Mobile sign-in doesn't create new users for SAML-based authentication. If a user attempts to sign in on mobile before being provisioned, the user will be prompted to sign in using web or desktop. + +LDAP (Entra ID Domain Services) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Use ``msDS-aadObjectId`` as the identity attribute. +* Do not use ``objectGUID``. + +With prerequisites met and identity requirements understood, proceed to the configuration steps in the next section. + +Configure Mattermost Server +---------------------------- + +1. Go to **System Console > Environment > Mobile Security**. +2. Enable **Microsoft Intune App Protection Policies**. +3. Configure the following fields using values from the Microsoft Entra application created earlier: + + * **Application (Client) ID** + * **Directory (Tenant) ID** + * **Authentication Provider**: + * OIDC (Microsoft Entra-backed), or + * SAML (backed by Microsoft Entra) + +4. Set ``IdAttribute`` to ``objectId``. +5. Save your changes. + +.. important:: + + If you select **SAML** as the authentication provider for Intune MAM enforcement, the SAML identity provider must be backed by Microsoft Entra ID. Mattermost doesn't validate whether a SAML IdP is Entra-backed. Using a non-Entra SAML identity provider with Intune MAM will result in enrollment failures. + +Validation Checklist +-------------------- + +Before rolling out to production, validate the configuration using a test user account. This checklist validates identity alignment, which is the most common cause of Intune MAM enrollment failure. 
Confirm the following values match for the same user (using Entra, Mattermost logs, or directory sync data as applicable): + +* Azure AD ``objectId`` +* MSAL access token ``oid`` claim +* SAML ``objectidentifier`` (if applicable) +* LDAP ``msDS-aadObjectId`` (if applicable) + +Any mismatch will cause Intune MAM enrollment to fail. + +Deploy or Update Mattermost Mobile Apps +--------------------------------------- + +Install the Mattermost iOS mobile app using one of the following supported methods: + +* Apple App Store (production) +* TestFlight (beta) + +Other distribution methods, including Intune-wrapped apps, re-signed binaries, or private IPA deployments, aren't supported for Intune MAM enforcement and won't work. + +.. note:: + + - Mattermost Beta (``com.mattermost.rnbeta``) and Production (``com.mattermost.rn``) apps can share the same Microsoft Entra app registration when using an exposed API configuration. Separate app registrations are optional and only required if you intentionally isolate environments or scopes. + - MDM device enrollment isn't required. Intune App Protection Policies are enforced at the app level and require the official Mattermost iOS app from the App Store or TestFlight. + +Configure Intune App Protection Policies +---------------------------------------- + +1. Go to the **Microsoft Intune Admin Center**. +2. Create an iOS App Protection Policy. +3. Add the appropriate Mattermost iOS bundle ID: + + * **Mattermost Mobile (Production)**: ``com.mattermost.rn`` + * **Mattermost Mobile Beta**: ``com.mattermost.rnbeta`` + +4. Assign the policy using Microsoft Entra groups. + +.. note:: + + - You must create separate Intune App Protection Policies for each Mattermost iOS app you deploy. Policies applied to one bundle ID do not apply to the other. + - Intune App Protection Policies are assigned using Microsoft Entra groups, not Mattermost teams, channels, or roles. 
+ +Expected Mobile Login & Enrollment Flow +--------------------------------------- + +When Intune MAM is enabled: + +1. The mobile app checks: + * Platform is iOS + * Intune MAM is enabled + * Authentication service matches + * License is **Enterprise Advanced** + +2. The user taps **Sign in**. +3. MSAL authenticates the user. +4. Mattermost validates the access token. +5. Intune MAM enrollment is triggered. +6. App protection policies are applied. + +Troubleshooting +--------------- + +Most Intune MAM enrollment failures are caused by: + +* Incorrect ``IdAttribute`` +* Missing Microsoft Entra API permissions +* Access token missing the ``oid`` claim +* The authentication method selected for Intune MAM resolves a different identifier than expected (not Azure AD ``objectId``) +* Android device usage + +Always fix identity alignment first. + +Intune MAM Errors +~~~~~~~~~~~~~~~~~~ + +The following errors are displayed in the Mattermost Mobile App during user login or when enrollment is triggered mid-session. Errors aren't displayed in the Mattermost System Console. + ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| Error | Meaning | Cause & Next Step | ++===============================+=============================================+==================================================================================================================================+ +| Enrollment Failed | Intune MAM enrollment failed due to a | Technical enrollment failure (MSAL error, enrollment API failure, identity mismatch, or missing required Entra permissions). | +| | technical error | | +| | | The server is removed immediately with **no retry option**. Fix the underlying issue before re-adding the server. 
| ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| Enrollment Declined | User declined Intune MAM enrollment | User canceled the enrollment prompt. A **Retry** option is presented to the user. | +| | | | +| | | Instruct the user to retry enrollment when ready. No server data is removed unless enrollment later fails technically. | ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| AADSTS650057 | Required Intune MAM API permission is | This error appears during MSAL authentication or token validation. | +| (invalid_resource) | missing | | +| | | The ``https://msmamservice.api.application/.default`` permission is missing or lacks admin consent. | +| | | | +| | | Add the permission in Microsoft Entra and grant admin consent. | ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| MissingAuthAccountError | Access token doesn't contain the identity | MSAL error indicating the access token doesn't contain the identity claim Mattermost expects. | +| | claim Mattermost expects | | +| | | Unsupported or custom ``IdAttribute`` used, or required claim missing from the access token. | +| | | | +| | | Use only supported ``IdAttributes`` (``objectId``) and ensure the ``oid`` claim is present. 
| ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| User mismatch | Mobile identity doesn't match the | Mutable identifiers (email, ``preferred_username``) used, or user email/UPN changed. | +| | server-side user | | +| | | Reconfigure identity to use Azure AD ``objectId`` exclusively. | ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| NotLicensed | Server isn't licensed for Intune MAM | Enterprise Advanced license missing or not applied to the server. | +| | | | +| | | Verify license tier and server coverage. | ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ +| HTTP 403 Forbidden | Server-side access is blocked | Server gating condition, not an Intune failure. | +| | | | +| | | Verify Enterprise Advanced license, Intune is enabled in the System Console, valid Tenant ID and Client ID, authentication | +| | | provider is configured, admin consent is granted, and ``IntuneScope`` is set. | ++-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ + +Enrollment Failure Session Behavior +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If Intune MAM enrollment fails due to a **technical error**, the following occurs: + +* The user is logged out of the affected Mattermost server. +* The server is removed from the Mattermost Mobile App. +* All cached data for that server is wiped from the device. 
+ +If a user has multiple Mattermost servers configured in the app, **only the failing server is removed**. Other servers remain accessible and unaffected. + +If the user **declines enrollment**, retry is allowed and no server data is removed unless enrollment later fails due to a technical error. + +Consent Required During First Login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In some cases, a user’s first mobile sign-in may succeed, but Intune MAM enrollment doesn't complete. Authentication can succeed even when required Intune MAM permissions are missing, which can make this issue non-obvious during initial rollout or testing. + +This issue occurs when required Microsoft Entra permissions for Intune MAM haven't yet been granted with tenant-wide admin consent. This issue is most commonly encountered during initial rollout or testing, before admin consent has been granted for the tenant. + +If users are prompted for Microsoft Entra consent during first login, this is expected behavior when tenant-wide admin consent hasn't yet been granted. A Microsoft Entra administrator with permission to grant tenant-wide admin consent must approve the request on behalf of the organization before Intune MAM enrollment can complete. + +Verify that the following permissions have been granted with admin consent in Microsoft Entra: + +* Microsoft Mobile Application Management → ``user_impersonation`` (Delegated) +* ``https://msmamservice.api.application/.default`` + +If admin consent is missing, Intune MAM enrollment can't complete, even if authentication succeeds. + +To resolve this: + +1. Go to **Microsoft Entra Admin Center > Enterprise applications**. +2. Locate the Mattermost Mobile enterprise application (service principal). +3. Grant **tenant-wide admin consent** for all required Intune MAM permissions. +4. Have the affected user **retry mobile sign-in**. + +Once admin consent is granted, enrollment should complete successfully on retry. \ No newline at end of file 
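Review bot: In the Troubleshooting table, the ``HTTP 403 Forbidden`` row asks the reader to verify that ``IntuneScope`` is set, but no step in "Configure Mattermost Server" (the fields listed are Application (Client) ID, Directory (Tenant) ID, Authentication Provider and ``IdAttribute``) mentions such a setting; either add it to step 3 or drop it from the 403 row. Related naming point: step 4 says "Set ``IdAttribute`` to ``objectId``", while the SAML section says ``SamlSettings.IdAttribute`` must map to ``objectidentifier`` and the LDAP section uses ``msDS-aadObjectId``; state once that ``objectId`` is the Azure AD value being resolved and that the attribute name entered differs per provider, so readers don't type the literal ``objectId`` into a SAML mapping. Minor: "Intune enabled" under Mattermost Requirements is ambiguous (Intune licensed in the tenant, or the System Console toggle); the Microsoft Requirements list already covers the former, so this bullet probably means the toggle.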
diff --git a/source/deployment-guide/mobile/mobile-app-deployment.rst b/source/deployment-guide/mobile/mobile-app-deployment.rst index e982c7a43f5..31912dd5f11 100644 --- a/source/deployment-guide/mobile/mobile-app-deployment.rst +++ b/source/deployment-guide/mobile/mobile-app-deployment.rst @@ -25,6 +25,7 @@ Learn what’s required to build and deploy Mattermost mobile apps. :hidden: :titlesonly: + /deployment-guide/mobile/configure-microsoft-intune-mam.rst /deployment-guide/mobile/deploy-mobile-apps-using-emm-provider.rst /deployment-guide/mobile/distribute-custom-mobile-apps.rst /deployment-guide/mobile/host-your-own-push-proxy-service.rst @@ -33,6 +34,7 @@ Learn what’s required to build and deploy Mattermost mobile apps. /deployment-guide/mobile/secure-mobile-file-storage.rst /deployment-guide/mobile/mobile-faq.rst +* :doc:`Configure Microsoft Intune MAM for Mattermost ` * :doc:`Distribute custom mobile apps ` * :doc:`Host your own push proxy service ` * :doc:`Mobile VPN options ` diff --git a/source/deployment-guide/mobile/mobile-security-features.rst b/source/deployment-guide/mobile/mobile-security-features.rst index 6ab27fb4db1..15ac79fa701 100644 --- a/source/deployment-guide/mobile/mobile-security-features.rst +++ b/source/deployment-guide/mobile/mobile-security-features.rst 
@@ -53,6 +53,29 @@ Preventing file downloads protects sensitive information from being inadvertentl See the :ref:`secure file preview ` and :ref:`managing PDF link navigation ` configuration settings documentation for details on enabling these features. +Microsoft Intune Mobile Application Management (MAM) +---------------------------------------------------- + +Mattermost supports Microsoft Intune MAM to enforce identity-based, app-level data protection on iOS devices without requiring full device enrollment in a mobile device management (MDM) solution. + +Intune MAM applies security policies directly to the Mattermost mobile app using Microsoft Entra ID as the identity authority. This enables organizations to protect corporate or mission-sensitive data on Bring Your Own Device (BYOD) and mixed-use devices while preserving user privacy. + +Key security capabilities enabled through Intune MAM include: + +* **Mandatory enrollment** before accessing Mattermost on mobile +* **Identity-based enforcement** using Microsoft Entra ID +* **Selective wipe** of Mattermost work data without affecting personal apps or device data +* **Clipboard, file sharing, and data transfer restrictions** +* **Screenshot and screen recording prevention** +* **Managed browser enforcement** and controlled link handling +* **Immediate enforcement** when policies or licensing change, including during active sessions + +Intune MAM enforcement is applied **per Mattermost workspace** and evaluated continuously at runtime. If a device becomes non-compliant, enrollment fails, or required policies are not met, access to protected content is blocked automatically. + +This approach allows organizations to extend zero-trust and data loss prevention (DLP) controls to mobile users without assuming ownership or management of the underlying device. + +See the :doc:`Microsoft Intune MAM configuration guide ` for deployment and configuration details. + Mobile data isolation ------------------------ 
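Review bot: This overview omits the two prerequisites the linked configuration guide treats as blocking: a Mattermost Enterprise Advanced license and the lack of Android support. "on iOS devices" can be read as "iOS first" rather than "iOS only"; suggest an explicit sentence next to the capabilities list, e.g. "Intune MAM is currently supported on iOS only and requires a Mattermost Enterprise Advanced license.", so admins evaluating the feature here are not surprised by the "When Not to Use This Guide" section of the configuration page.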
diff --git a/source/end-user-guide/access/access-your-workspace.rst b/source/end-user-guide/access/access-your-workspace.rst index 7a5c3c553fc..415e0cdcd78 100644 --- a/source/end-user-guide/access/access-your-workspace.rst +++ b/source/end-user-guide/access/access-your-workspace.rst 
@@ -53,6 +53,107 @@ Access your Mattermost instance with your credentials using a web browser, the d 3. Enter your user credentials to log into Mattermost. 4. The team that displays first in the team sidebar opens. If you're not a member of a team yet, you're prompted to select a team to join. +.. tab:: Mobile via Microsoft Intune + :parse-titles: + + When your organization uses Microsoft Intune App Protection to secure Mattermost on iOS mobile devices, you must enroll to access Mattermost on mobile. Enrollment adds extra protection to work data while keeping your personal device and apps private. + + What to Expect + --------------- + + Enrollment is mandatory and cannot be bypassed. It happens during sign-in and is typically a quick process. Access to Mattermost content is blocked until enrollment completes. + + After enrolling, your Mattermost experience generally stays the same, but some restrictions are enforced. + + Intune protections apply **per Mattermost workspace** (the Mattermost server you sign in to). If you have access to multiple Mattermost workspaces, each workspace may have different protections and requirements in place. This guide explains what to expect when the workspace you are connecting to is protected by Intune. + + .. note:: + + * Intune protections are based on your **user account**, not your Mattermost role or permissions. + * Intune policies are controlled by your organization, not by Mattermost. + * If you have questions about protections, contact your IT support team. + + Sign In to Enroll + ----------------- + + You only need to complete enrollment once per account. + + 1. Open the Mattermost mobile app on your iOS device. + 2. Sign in with Microsoft (your organization’s sign-in option). + 3. Enter your credentials. + + During enrollment, you may be asked to confirm your Microsoft sign-in again. This is normal and usually takes only a few seconds. + + 5. When enrollment completes, you are notified. + 6. 
If your organization’s Intune App Protection Policy requires it, you’ll be prompted to set a PIN to protect your work data. + + Once the PIN is confirmed, the Mattermost Mobile App unlocks access to your workspace. + + If you dismiss enrollment during sign-in, return to the sign-in flow and complete enrollment to continue using Mattermost on that device. + + Mid-Session Enrollment + ---------------------- + + If enrollment is triggered while you're already signed in and you tap **Cancel**, you won’t be able to continue using Mattermost on that device until enrollment succeeds. You can retry immediately, or `log out <#what-happens-when-i-log-out-manually>`__ and retry later. + + What Changes After Enrollment? + ------------------------------ + + Your organization’s Intune App Protection Policy may restrict how you copy, capture, save, and share data from Mattermost. The exact behavior depends on the specific policy settings your organization has configured. + + Screenshot and Screen Recording Restrictions + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Depending on your organization’s policy, you may not be able to take screenshots or record your screen while using Mattermost. If screenshot or screen recording is blocked, your device may still show the screenshot or recording UI, but the content may not be captured. + + File Save Restrictions + ~~~~~~~~~~~~~~~~~~~~~~ + + Depending on policy, you may not be able to save files from Mattermost to personal or unmanaged locations. Files may be limited to locations approved by your organization. + + Browser and Sharing Restrictions + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Depending on policy, links may open only in an approved browser and sharing may be restricted to managed apps. If you try to open a link in an unapproved browser or share content to an unmanaged app, the action may be blocked. + + Frequently Asked Questions + -------------------------- + + What Happens If I Leave the Organization or Lose My Device? 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you leave the organization, or your device is lost or compromised, your IT support team can wipe Mattermost work data from your iOS device. This is called a **selective wipe**. + + A selective wipe means that: + + * Only Mattermost work data is removed from your device. + * Personal apps, photos, and files are untouched. + * You are logged out of the affected Mattermost workspace. + * Other Mattermost workspaces on your device remain unaffected. + + Why Can’t I Access Mattermost After Enrollment? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Mattermost may restrict access after enrollment if Intune detects a risk, such as: + + * Your device operating system is out of date + * The device is too old to meet security requirements + * A jailbroken device is detected + * Malware is detected + * Re-authentication is required + + If this occurs, Intune blocks access and displays an error message in the Mattermost mobile app explaining what action is required. Contact your IT support team for help. + + What Happens When I Log Out Manually? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + When you log out of Mattermost: + + * All workspace data is securely removed from the device. + * Intune protection for that workspace is removed. + + You can sign back in with Microsoft if you need access again. + Reset your password -------------------- diff --git a/source/end-user-guide/access/log-out.rst b/source/end-user-guide/access/log-out.rst index 3a1dcb3811c..980534efca4 100644 --- a/source/end-user-guide/access/log-out.rst +++ b/source/end-user-guide/access/log-out.rst 
@@ -34,3 +34,10 @@ When you log out, the following additional data is also deleted: - All files saved in the cache directory for that server. - All thumbnails and data saved to the clipboard for all servers (not just the server you've logged out of). - The ``image_cache`` cache directory (Android mobile app) + +If you have multiple Mattermost accounts on the same server, logging out of one account will not log you out of the other accounts. + +What happens if I log out while my device is enrolled in Intune MAM? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If your device is enrolled in Intune MAM (Mobile Application Management), logging out of Mattermost will remove all workspace data and Intune protection for that workspace from your iOS device. You can sign back in with Microsoft if you need access again. Learn more about `accessing your workspace with Intune MAM `_. \ No newline at end of file diff --git a/source/security-guide/mobile-security.rst b/source/security-guide/mobile-security.rst index 24c07ba45fc..e3a6f8785e0 100644 --- a/source/security-guide/mobile-security.rst +++ b/source/security-guide/mobile-security.rst 
@@ -25,6 +25,15 @@ Mobile access platforms Mattermost mobile applications can be operated under the protection of mobile access platforms like `Hypori `_. These platforms provide an additional layer of security by creating a virtualized environment for mobile applications, ensuring that sensitive data is isolated from the device's operating system. This approach enhances data protection and minimizes the risk of data leakage or unauthorized access. +Microsoft Intune Mobile Application Management (MAM) +---------------------------------------------------- + +Mattermost supports Microsoft Intune MAM to enforce app-level data protection on iOS devices without requiring full device enrollment in a mobile device management (MDM) solution. Intune MAM applies security policies directly to the Mattermost mobile app based on user identity, enabling organizations to protect corporate or mission-sensitive data on Bring Your Own Device (BYOD) and mixed-use devices while preserving user privacy. + +Intune MAM enforcement is applied per Mattermost workspace and is evaluated continuously at runtime. If a device becomes non-compliant or enrollment fails, access to protected content is blocked automatically. This approach allows organizations to extend zero-trust and data loss prevention (DLP) controls to mobile users without assuming ownership of the underlying device. + +Learn more about the :ref:`security capabilities enabled through Intune MAM `. + Jailbreak and root detection -----------------------------
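Review bot: In the log-in.rst hunk (the ``Mobile via Microsoft Intune`` tab, "Sign In to Enroll"), the enumerated list skips step 4 and is interrupted by an unindented paragraph ("During enrollment, you may be asked to confirm your Microsoft sign-in again..."), so docutils will close the list after step 3 and then warn that "5. When enrollment completes" starts a list with a non-ordinal-1 value, rendering two separate lists. Either indent that paragraph under step 3 and renumber 5/6 to 4/5, or make the re-confirmation prompt step 4 itself. The text for step 6 ("If your organization's Intune App Protection Policy requires it, you'll be prompted to set a PIN...") also appears separated from its "6." marker; keep marker and text on the same line so the item renders. Separately, the FAQ answer "What Happens When I Log Out Manually?" states that logging out removes workspace data and Intune protection for that workspace; keep that wording in sync with the log-out.rst text in this same change so the two pages do not drift.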
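Review bot: In the log-out.rst hunk, the new heading "What happens if I log out while my device is enrolled in Intune MAM?" describes device enrollment, but the mobile-security.rst hunk in this same change states that Intune MAM protects the app based on user identity without requiring device enrollment; suggest "What happens if I log out while Mattermost is protected by Intune MAM?" so readers do not conflate MAM with MDM. The closing link, ``accessing your workspace with Intune MAM `_``, shows no target in the hunk; if it is meant to point at the new tab in log-in.rst, use a ``:ref:`` or ``:doc:`` cross-reference rather than an external-style link so Sphinx validates it. The file is also left without a trailing newline ("\ No newline at end of file"); add one.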
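Review bot: In the mobile-security.rst hunk, the final ``:ref:`security capabilities enabled through Intune MAM `` carries no label target as shown; confirm the new ``configure-microsoft-intune-mam.rst`` page defines a matching ``.. _label:`` anchor, otherwise Sphinx will emit an undefined-label warning and the link renders as plain text. The section names iOS only; state explicitly that Android is out of scope so readers do not assume parity with the other platform-neutral sections of this page. Where the text says access "is blocked automatically" on non-compliance or enrollment failure, it would help operators to add what the user sees (the log-in.rst hunk says the app displays an error explaining the required action), since that is what support staff will be asked about.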