468 changes: 468 additions & 0 deletions source/deployment-guide/mobile/configure-microsoft-intune-mam.rst

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions source/deployment-guide/mobile/mobile-app-deployment.rst
Expand Up @@ -25,6 +25,7 @@ Learn what’s required to build and deploy Mattermost mobile apps.
:hidden:
:titlesonly:

/deployment-guide/mobile/configure-microsoft-intune-mam.rst
/deployment-guide/mobile/deploy-mobile-apps-using-emm-provider.rst
/deployment-guide/mobile/distribute-custom-mobile-apps.rst
/deployment-guide/mobile/host-your-own-push-proxy-service.rst
Expand All @@ -33,6 +34,7 @@ Learn what’s required to build and deploy Mattermost mobile apps.
/deployment-guide/mobile/secure-mobile-file-storage.rst
/deployment-guide/mobile/mobile-faq.rst

* :doc:`Configure Microsoft Intune MAM for Mattermost </deployment-guide/mobile/configure-microsoft-intune-mam>`
* :doc:`Distribute custom mobile apps </deployment-guide/mobile/distribute-custom-mobile-apps>`
* :doc:`Host your own push proxy service </deployment-guide/mobile/host-your-own-push-proxy-service>`
* :doc:`Mobile VPN options </deployment-guide/mobile/consider-mobile-vpn-options>`
23 changes: 23 additions & 0 deletions source/deployment-guide/mobile/mobile-security-features.rst
Expand Up @@ -53,6 +53,29 @@ Preventing file downloads protects sensitive information from being inadvertentl

See the :ref:`secure file preview <administration-guide/configure/environment-configuration-settings:enable secure file preview on mobile>` and :ref:`managing PDF link navigation <administration-guide/configure/environment-configuration-settings:allow pdf link navigation on mobile>` configuration settings documentation for details on enabling these features.

Microsoft Intune Mobile Application Management (MAM)
----------------------------------------------------

Mattermost supports Microsoft Intune MAM to enforce identity-based, app-level data protection on iOS devices without requiring full device enrollment in a mobile device management (MDM) solution.

Intune MAM applies security policies directly to the Mattermost mobile app using Microsoft Entra ID as the identity authority. This enables organizations to protect corporate or mission-sensitive data on Bring Your Own Device (BYOD) and mixed-use devices while preserving user privacy.

Key security capabilities enabled through Intune MAM include:

* **Mandatory enrollment** before accessing Mattermost on mobile
* **Identity-based enforcement** using Microsoft Entra ID
* **Selective wipe** of Mattermost work data without affecting personal apps or device data
* **Clipboard, file sharing, and data transfer restrictions**
* **Screenshot and screen recording prevention**
* **Managed browser enforcement** and controlled link handling
* **Immediate enforcement** when policies or licensing change, including during active sessions

Intune MAM enforcement is applied **per Mattermost workspace** and evaluated continuously at runtime. If a device becomes non-compliant, enrollment fails, or required policies are not met, access to protected content is blocked automatically.

This approach allows organizations to extend zero-trust and data loss prevention (DLP) controls to mobile users without assuming ownership or management of the underlying device.

See the :doc:`Microsoft Intune MAM configuration guide </deployment-guide/mobile/configure-microsoft-intune-mam>` for deployment and configuration details.

Mobile data isolation
------------------------

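Review bot: The capability list says "Mandatory enrollment before accessing Mattermost on mobile", but the opening paragraph of this section scopes Intune MAM support to iOS devices, so the section never states what happens to Android users on an Intune-protected workspace. State explicitly whether Android clients are blocked or connect without MAM protection, since that decides whether the DLP controls listed here hold for the whole workspace. It would also help to define "licensing" in the "Immediate enforcement" bullet and to say whether data already stored on the device is removed or only made inaccessible when access is blocked.
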
101 changes: 101 additions & 0 deletions source/end-user-guide/access/access-your-workspace.rst
Expand Up @@ -53,6 +53,107 @@ Access your Mattermost instance with your credentials using a web browser, the d
3. Enter your user credentials to log into Mattermost.
4. The team that displays first in the team sidebar opens. If you're not a member of a team yet, you're prompted to select a team to join.

.. tab:: Mobile via Microsoft Intune
:parse-titles:

When your organization uses Microsoft Intune App Protection to secure Mattermost on iOS mobile devices, you must enroll to access Mattermost on mobile. Enrollment adds extra protection to work data while keeping your personal device and apps private.

What to Expect
---------------

Enrollment is mandatory and cannot be bypassed. It happens during sign-in and is typically a quick process. Access to Mattermost content is blocked until enrollment completes.

After enrolling, your Mattermost experience generally stays the same, but some restrictions are enforced.

Intune protections apply **per Mattermost workspace** (the Mattermost server you sign in to). If you have access to multiple Mattermost workspaces, each workspace may have different protections and requirements in place. This guide explains what to expect when the workspace you are connecting to is protected by Intune.

.. note::

* Intune protections are based on your **user account**, not your Mattermost role or permissions.
* Intune policies are controlled by your organization, not by Mattermost.
* If you have questions about protections, contact your IT support team.

Sign In to Enroll
-----------------

You only need to complete enrollment once per account.

1. Open the Mattermost mobile app on your iOS device.
2. Sign in with Microsoft (your organization’s sign-in option).
3. Enter your credentials.

During enrollment, you may be asked to confirm your Microsoft sign-in again. This is normal and usually takes only a few seconds.

5. When enrollment completes, you are notified.
6. If your organization’s Intune App Protection Policy requires it, you’ll be prompted to set a PIN to protect your work data.

Once the PIN is confirmed, the Mattermost Mobile App unlocks access to your workspace.

If you dismiss enrollment during sign-in, return to the sign-in flow and complete enrollment to continue using Mattermost on that device.

Mid-Session Enrollment
----------------------

If enrollment is triggered while you're already signed in and you tap **Cancel**, you won’t be able to continue using Mattermost on that device until enrollment succeeds. You can retry immediately, or `log out <#what-happens-when-i-log-out-manually>`__ and retry later.

What Changes After Enrollment?
------------------------------

Your organization’s Intune App Protection Policy may restrict how you copy, capture, save, and share data from Mattermost. The exact behavior depends on the specific policy settings your organization has configured.

Screenshot and Screen Recording Restrictions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Depending on your organization’s policy, you may not be able to take screenshots or record your screen while using Mattermost. If screenshot or screen recording is blocked, your device may still show the screenshot or recording UI, but the content may not be captured.

File Save Restrictions
~~~~~~~~~~~~~~~~~~~~~~

Depending on policy, you may not be able to save files from Mattermost to personal or unmanaged locations. Files may be limited to locations approved by your organization.

Browser and Sharing Restrictions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Depending on policy, links may open only in an approved browser and sharing may be restricted to managed apps. If you try to open a link in an unapproved browser or share content to an unmanaged app, the action may be blocked.

Frequently Asked Questions
--------------------------

What Happens If I Leave the Organization or Lose My Device?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you leave the organization, or your device is lost or compromised, your IT support team can wipe Mattermost work data from your iOS device. This is called a **selective wipe**.

A selective wipe means that:

* Only Mattermost work data is removed from your device.
* Personal apps, photos, and files are untouched.
* You are logged out of the affected Mattermost workspace.
* Other Mattermost workspaces on your device remain unaffected.

Why Can’t I Access Mattermost After Enrollment?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mattermost may restrict access after enrollment if Intune detects a risk, such as:

* Your device operating system is out of date
* The device is too old to meet security requirements
* A jailbroken device is detected
* Malware is detected
* Re-authentication is required

If this occurs, Intune blocks access and displays an error message in the Mattermost mobile app explaining what action is required. Contact your IT support team for help.

What Happens When I Log Out Manually?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you log out of Mattermost:

* All workspace data is securely removed from the device.
* Intune protection for that workspace is removed.

You can sign back in with Microsoft if you need access again.

Reset your password
--------------------

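Review bot: The numbered steps under "Sign In to Enroll" jump from 3 to 5, with the paragraph "During enrollment, you may be asked to confirm your Microsoft sign-in again" sitting where step 4 should be; either make that paragraph step 4 or nest it under step 3 and renumber so the list renders as one sequence. The same section says "You only need to complete enrollment once per account", while the logout FAQ further down says Intune protection for the workspace is removed on logout, so clarify whether signing back in triggers enrollment again. The new headings use title case where the neighbouring "Reset your password" heading is sentence case, and the "log out" link relies on a raw "#what-happens-when-i-log-out-manually" fragment that will break silently if the heading is renamed.
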
7 changes: 7 additions & 0 deletions source/end-user-guide/access/log-out.rst
Expand Up @@ -34,3 +34,10 @@ When you log out, the following additional data is also deleted:
- All files saved in the cache directory for that server.
- All thumbnails and data saved to the clipboard for all servers (not just the server you've logged out of).
- The ``image_cache`` cache directory (Android mobile app)

If you have multiple Mattermost accounts on the same server, logging out of one account will not log you out of the other accounts.

What happens if I log out while my device is enrolled in Intune MAM?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If your device is enrolled in Intune MAM (Mobile Application Management), logging out of Mattermost will remove all workspace data and Intune protection for that workspace from your iOS device. You can sign back in with Microsoft if you need access again. Learn more about `accessing your workspace with Intune MAM <https://docs.mattermost.com/end-user-guide/access/access-your-workspace.html#itab--Mobile-via-Microsoft-Intune-MaM--0_1-Mobile-via-Microsoft-Intune-MaM>`_.
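
Review bot: The link in the last paragraph hard-codes https://docs.mattermost.com and a generated tab fragment ending in "Mobile-via-Microsoft-Intune-MaM", but the tab added in access-your-workspace.rst is titled "Mobile via Microsoft Intune", so the fragment is unlikely to resolve; link the page with a :doc: role, or a :ref: label placed on the tab content, instead of the absolute URL. The heading and first sentence also describe the device as "enrolled in Intune MAM", while the rest of this change presents MAM as app-level protection that avoids device enrollment, so wording such as "if your account is enrolled" would be more consistent.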
9 changes: 9 additions & 0 deletions source/security-guide/mobile-security.rst
Expand Up @@ -25,6 +25,15 @@ Mobile access platforms

Mattermost mobile applications can be operated under the protection of mobile access platforms like `Hypori <https://www.hypori.com/>`_. These platforms provide an additional layer of security by creating a virtualized environment for mobile applications, ensuring that sensitive data is isolated from the device's operating system. This approach enhances data protection and minimizes the risk of data leakage or unauthorized access.

Microsoft Intune Mobile Application Management (MAM)
----------------------------------------------------

Mattermost supports Microsoft Intune MAM to enforce app-level data protection on iOS devices without requiring full device enrollment in a mobile device management (MDM) solution. Intune MAM applies security policies directly to the Mattermost mobile app based on user identity, enabling organizations to protect corporate or mission-sensitive data on Bring Your Own Device (BYOD) and mixed-use devices while preserving user privacy.

Intune MAM enforcement is applied per Mattermost workspace and is evaluated continuously at runtime. If a device becomes non-compliant or enrollment fails, access to protected content is blocked automatically. This approach allows organizations to extend zero-trust and data loss prevention (DLP) controls to mobile users without assuming ownership of the underlying device.

Learn more about the :ref:`security capabilities enabled through Intune MAM <deployment-guide/mobile/mobile-security-features:microsoft intune mobile application management (mam)>`.

Jailbreak and root detection
-----------------------------

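Review bot: This section repeats the Intune MAM overview added to mobile-security-features.rst almost sentence for sentence, and the two copies already differ: this one blocks access when "a device becomes non-compliant or enrollment fails", while the other also lists "required policies are not met". Keep one authoritative description and reduce this section to a short summary plus the existing :ref: link, so the blocking conditions cannot drift apart.
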