MS Intune Mobile App Support config, setup, troubleshooting, and end user workflows #8599
Conversation
cwarnermm
requested review from
DSchalla,
enahum,
iyampaul,
roberson-io and
yasserfaraazkhan
cwarnermm
added
1: Dev Review
|
Newest code from mattermost has been published to preview environment for Git SHA 599a914 |
|
@cwarnermm I glanced at it and I spotted a few things that are incorrect.. going to take my time to |
|
|
||
| * Commit to Azure AD ``objectId`` as the authoritative identity. | ||
| * Ensure all authentication methods (OAuth, SAML, LDAP) resolve to the same value. | ||
| * Confirm access tokens include the ``oid`` claim. |
There was a problem hiding this comment.
this will be part of the configuration steps when configuring in Entra, not sure this is needed here.
There was a problem hiding this comment.
Is it accurate to say that Entra configuration enforces these conditions, or should we phrase this as "must be validated by the admin during Entra setup"?
There was a problem hiding this comment.
I mean, this is something that they will HAVE to configure in Entra when they register the application (This is not registering the mobile application, just an Entra application, then during the configuration of that Application they will need to add some claims the the access token, but the access token even without optional claims, will include the oid
Screenshot for reference
| * You require Android Intune MAM support (not yet available). | ||
| * Your deployment cannot use Microsoft Entra ID (Azure AD). | ||
| * Your identity strategy cannot use Azure AD ``objectId`` as the authoritative user identifier. | ||
| * You need a rollout model where users can defer or bypass Intune enrollment. |
There was a problem hiding this comment.
This point is interesting, cause they can have multiple login methods, only the login method selected in the Intune MAM configuration in the system console is subject to this.
There was a problem hiding this comment.
I think we need to make this clearer.. for example they can have users with another login method and this is then a false statement, guest users and again this is a false statement.
source/deployment-guide/mobile/configure-microsoft-intune-mam.rst
Outdated
Show resolved
Hide resolved
| * Register the Mattermost mobile app as a public/native Entra application. | ||
| * Copy the **Application (Client) ID**. | ||
|
|
||
| To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app | ||
|
|
||
| * Configure the iOS platform with the correct bundle ID and redirect URI. | ||
|
|
||
| For Entra portal steps, see: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-mobile-app-configuration | ||
|
|
||
| For redirect URI formatting details, see: https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-redirect-uri | ||
|
|
||
| * Grant required Intune MAM API permissions with admin consent. | ||
|
|
||
| To grant tenant-wide admin consent, see: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent |
There was a problem hiding this comment.
not at all.
Register an Application in Entra that will be use to authenticate the users.
this link works To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app and we can keep that, but probably best to direct them to configure this for Single tenant
The redirect URI should remain empty
Once the app is registered, they should Expose an API more info here: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis
The API to be exposed should be api://<APPLICATION-ID> normally filled automatically, then add a scope named login.mattermost
Once that is done, they need to Add a client application, add the Client Id as listed below and assign the Authorized scopes to api://<APPLICATION-ID>/login.mattermost
- Mattermost Mobile Beta:
64e9952b-20eb-46dc-92ad-99089ed24903 - Mattermost Mobile:
not yet created, we will need to update this document
in addition I will share a script once we have the Client Id for Mattermost Mobile so we can attach it here.
Then in Token configuration -> Add optional claim, Select Token type Access then select the claims
- family_name
- given_name
- preferred_username
- upn
There was a problem hiding this comment.
To finalize the documentation, I'll need:
- Production Mobile Client ID
- Confirmation that
login.mattermostis the final scope name - Confirmation that all listed access token claims are mandatory
- The script you mentioned (or guidance on where it will live)
There was a problem hiding this comment.
To finalize the documentation, I'll need:
- Production Mobile Client ID
- Confirmation that
login.mattermostis the final scope name- Confirmation that all listed access token claims are mandatory
- The script you mentioned (or guidance on where it will live)
- Production Mobile Client ID -> @iyampaul still needs to configure this, I need it too.
login.mattermostis the FINAL scope- Not all claims are mandatory, but let's act as if they are.
- The script I can provide once I have the Production Mobile Client ID, the Guidance should be in the document I shared in the section that describes the configuration for "Expose an API"
| 3. Enter your credentials. | ||
| 4. When prompted, tap **Enroll**. | ||
|
|
||
| During enrollment, you may see the Microsoft sign-in screen again. This is normal and usually takes only a few seconds. |
There was a problem hiding this comment.
this does not happen during sign-in only if Intune is enabled mid-session
| During enrollment, you may see the Microsoft sign-in screen again. This is normal and usually takes only a few seconds. | ||
|
|
||
| 5. When enrollment completes, you are notified. | ||
| 6. When prompted, enter a PIN to add an extra layer of protection for your work data. |
There was a problem hiding this comment.
this is only if the policy enforces a PIN
|
|
||
| .. note:: | ||
|
|
||
| If you tap **Cancel**, you will not be able to use Mattermost on mobile until enrollment succeeds. You can retry immediately or `log out <#what-happens-when-i-log-out-manually>`__ and retry later. |
There was a problem hiding this comment.
this is only in mid-session, not during signin
| If you try to copy content from Mattermost into another app, the paste will not work. | ||
|
|
||
| Screenshot & Screen Recording Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To prevent sensitive content from being captured, you will not be able to take screenshots or record your screen while using Mattermost. | ||
|
|
||
| If you try to take a screenshot or record your screen, the screenshot or recording will not be captured. | ||
|
|
||
| File Save Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To keep work files protected, you will not be able to save files to personal locations. | ||
|
|
||
| If you try to save a file from Mattermost to a personal location, the save will not work. Files can be saved only to locations approved by your organization. | ||
|
|
||
| Browser & Sharing Restrictions | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| To ensure data stays within protected apps, you will not be able to open links in unapproved browsers or share content to unmanaged apps. | ||
|
|
||
| If you tap a link in Mattermost, it opens only in an approved browser. If you try to share content to an unmanaged app, the share will not work. |
There was a problem hiding this comment.
All of these are enforced or not depending on the Intune policy, perhaps we should point to a microsoft documentation that explains each policy or we should try to be broad with the explanation.
Co-authored-by: Elias Nahum <[email protected]>
|
Newest code from mattermost has been published to preview environment for Git SHA 6334a30 |
|
Newest code from mattermost has been published to preview environment for Git SHA 3350638 |
|
Newest code from mattermost has been published to preview environment for Git SHA 0f31a06 |
Co-authored-by: Elias Nahum <[email protected]>
|
Newest code from mattermost has been published to preview environment for Git SHA f47ab17 |
|
Newest code from mattermost has been published to preview environment for Git SHA a2dfc71 |
|
Newest code from mattermost has been published to preview environment for Git SHA 90580db |
|
Newest code from mattermost has been published to preview environment for Git SHA 3af81d6 |
enahum
left a comment
enahum
left a comment
There was a problem hiding this comment.
@cwarnermm let me know if you would like us to have a sync session to go through all this.
| * You require Android Intune MAM support (not yet available). | ||
| * Your deployment cannot use Microsoft Entra ID (Azure AD). | ||
| * Your identity strategy cannot use Azure AD ``objectId`` as the authoritative user identifier. | ||
| * You need a rollout model where users can defer or bypass Intune enrollment. |
There was a problem hiding this comment.
I think we need to make this clearer.. for example they can have users with another login method and this is then a false statement, guest users and again this is a false statement.
| * You can register applications and grant admin consent in Microsoft Entra. | ||
| * If using SAML for Intune MAM enforcement, users must already exist in Mattermost before signing in on mobile. Mobile sign-in doesn’t create users for SAML. | ||
|
|
||
| If any of the above are not true, do not proceed. |
There was a problem hiding this comment.
they can proceed even if the users aren't created when logging in with SAML on the mobile app.
| * Commit to Azure AD ``objectId`` as the authoritative identity. | ||
| * Ensure the authentication provider selected for Intune MAM enforcement (OIDC or SAML) is backed by Microsoft Entra ID and resolves users to Azure AD ``objectId``. | ||
| * If LDAP is used to provision those users, LDAP must also resolve the same Azure AD ``objectId``. | ||
| * Confirm MSAL access tokens include the ``oid`` claim. |
There was a problem hiding this comment.
this looks like is part of Step 2
|
|
||
| * Enable Intune MAM in the System Console. | ||
| * Set ``IdAttribute = objectId``. | ||
| * Verify Enterprise Advanced licensing. |
| Step 5: Validate Using the Mobile App | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| * Ensure test users are assigned in Intune and properly licensed, and perform the first validation login using a Microsoft Entra administrator account that can grant tenant-wide admin consent. |
There was a problem hiding this comment.
and perform the first validation login using a Microsoft Entra administrator account that can grant tenant-wide admin consent
this part is only a recommendation
| * OIDC (Microsoft Entra-backed), or | ||
| * SAML (backed by Microsoft Entra) | ||
|
|
||
| 4. Set ``IdAttribute`` to ``objectId``. |
There was a problem hiding this comment.
this is not relevant in that section
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | Error | Meaning | Cause & Next Step | | ||
| +===============================+=============================================+==================================================================================================================================+ | ||
| | Enrollment Failed | Intune MAM enrollment failed due to a | Technical enrollment failure (MSAL error, enrollment API failure, identity mismatch, or missing required Entra permissions). | | ||
| | | technical error | | | ||
| | | | The server is removed immediately with **no retry option**. Fix the underlying issue before re-adding the server. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | Enrollment Declined | User declined Intune MAM enrollment | User canceled the enrollment prompt. A **Retry** option is presented to the user. | | ||
| | | | | | ||
| | | | Instruct the user to retry enrollment when ready. No server data is removed unless enrollment later fails technically. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | AADSTS650057 | Required Intune MAM API permission is | This error appears during MSAL authentication or token validation. | | ||
| | (invalid_resource) | missing | | | ||
| | | | The ``https://msmamservice.api.application/.default`` permission is missing or lacks admin consent. | | ||
| | | | | | ||
| | | | Add the permission in Microsoft Entra and grant admin consent. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | MissingAuthAccountError | Access token doesn't contain the identity | MSAL error indicating the access token doesn't contain the identity claim Mattermost expects. | | ||
| | | claim Mattermost expects | | | ||
| | | | Unsupported or custom ``IdAttribute`` used, or required claim missing from the access token. | | ||
| | | | | | ||
| | | | Use only supported ``IdAttributes`` (``objectId``) and ensure the ``oid`` claim is present. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | User mismatch | Mobile identity doesn't match the | Mutable identifiers (email, ``preferred_username``) used, or user email/UPN changed. | | ||
| | | server-side user | | | ||
| | | | Reconfigure identity to use Azure AD ``objectId`` exclusively. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | NotLicensed | Server isn't licensed for Intune MAM | Enterprise Advanced license missing or not applied to the server. | | ||
| | | | | | ||
| | | | Verify license tier and server coverage. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ | ||
| | HTTP 403 Forbidden | Server-side access is blocked | Server gating condition, not an Intune failure. | | ||
| | | | | | ||
| | | | Verify Enterprise Advanced license, Intune is enabled in the System Console, valid Tenant ID and Client ID, authentication | | ||
| | | | provider is configured, admin consent is granted, and ``IntuneScope`` is set. | | ||
| +-------------------------------+---------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+ |
There was a problem hiding this comment.
was this taken from the md files I shared earlier?
not sure if it is the same, but this is the "updated" one I have
| Error ID | HTTP | Scenario | User Message | Retry? | Fallback? |
|---|---|---|---|---|---|
api.user.login_by_intune.not_available.app_error |
501 | Enterprise not compiled | (silent) | No | ✅ Web SSO |
api.user.login_by_intune.not_configured.app_error |
400 | Intune not configured | (silent) | No | ✅ Web SSO |
api.user.login_by_intune.bot_login_forbidden.app_error |
403 | Bot tried to login | "Bot accounts cannot sign in using this method." | No | ❌ |
api.user.login_by_intune.account_locked.app_error |
409 | User deleted/disabled | "Your account has been deactivated. Please contact your administrator." | No | ❌ |
ent.intune.login.not_configured.app_error |
403 | IsConfigured() = false | (silent) | No | ✅ Web SSO |
ent.intune.login.extract_auth_data.app_error |
400 | IdAttribute mapping failed | "We couldn't complete your sign in. Please try again." | Yes (1x) | ❌ |
ent.intune.login.account_not_found.app_error |
428 | SAML user account not found | "Your account isn't fully set up yet. Please sign in to Mattermost via the web or desktop app first." | No | ❌ |
ent.intune.validate_token.invalid_token.app_error |
400 | Token validation failed | "We couldn't verify your sign in. Please try again." | Yes (1x) | ❌ |
ent.intune.validate_token.token_expired.app_error |
400 | Token expired | "Your sign in session has expired. Please try signing in again." | Yes (1x) | ❌ |
ent.intune.validate_token.missing_claims.app_error |
400 | Required claims missing | "We couldn't complete your sign in. Please contact your IT administrator." | No | ❌ |
ent.intune.validate_token.invalid_tenant_id.app_error |
400 | Token tenant ≠ config tenant | "There was a configuration issue. Please contact your IT administrator." | No | ❌ |
There was a problem hiding this comment.
I wonder if we should provide a Step by Step bullet point or something on how to actually configure this, I think this guide says a lot but if the person doing this do not have Entra / Intune experience they may not know what to do.
| Sign In to Enroll | ||
| ----------------- | ||
|
|
||
| You only need to complete enrollment once per account. |
There was a problem hiding this comment.
this is not really true, this happens each time you login
| 2. Sign in with Microsoft (your organization’s sign-in option). | ||
| 3. Enter your credentials. | ||
|
|
||
| During enrollment, you may be asked to confirm your Microsoft sign-in again. This is normal and usually takes only a few seconds. |
There was a problem hiding this comment.
absolutely DOES NOT happen, the only time you are asked to do this is if Intune is turned on mid-session
|
Newest code from mattermost has been published to preview environment for Git SHA 3ec94eb |
|
Newest code from mattermost has been published to preview environment for Git SHA 5147147 |
enahum
left a comment
enahum
left a comment
There was a problem hiding this comment.
sorry, the comments remain in a pending state
|
|
||
| * Commit to Azure AD ``objectId`` as the authoritative identity. | ||
| * Ensure all authentication methods (OAuth, SAML, LDAP) resolve to the same value. | ||
| * Confirm access tokens include the ``oid`` claim. |
There was a problem hiding this comment.
I mean, this is something that they will HAVE to configure in Entra when they register the application (This is not registering the mobile application, just an Entra application, then during the configuration of that Application they will need to add some claims the the access token, but the access token even without optional claims, will include the oid
Screenshot for reference
| * Register the Mattermost mobile app as a public/native Entra application. | ||
| * Copy the **Application (Client) ID**. | ||
|
|
||
| To register an application in Microsoft Entra, see: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app | ||
|
|
||
| * Configure the iOS platform with the correct bundle ID and redirect URI. | ||
|
|
||
| For Entra portal steps, see: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-mobile-app-configuration | ||
|
|
||
| For redirect URI formatting details, see: https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-redirect-uri | ||
|
|
||
| * Grant required Intune MAM API permissions with admin consent. | ||
|
|
||
| To grant tenant-wide admin consent, see: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent |
There was a problem hiding this comment.
To finalize the documentation, I'll need:
- Production Mobile Client ID
- Confirmation that
login.mattermostis the final scope name- Confirmation that all listed access token claims are mandatory
- The script you mentioned (or guidance on where it will live)
- Production Mobile Client ID -> @iyampaul still needs to configure this, I need it too.
login.mattermostis the FINAL scope- Not all claims are mandatory, but let's act as if they are.
- The script I can provide once I have the Production Mobile Client ID, the Guidance should be in the document I shared in the section that describes the configuration for "Expose an API"
| Step 5: Validate Using the Mobile App | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| * Ensure test users are assigned in Intune and properly licensed. |
There was a problem hiding this comment.
They'll get an alert saying
"Consent Denied"
"You denied consent for Intune management. The affected accounts have been unenrolled and signed out."
So of course, this is not true from the part of the user, but still the consent is missing.
| | Custom attributes | Not supported | Unsupported by Intune | | ||
| +-------------------+------------------+------------------------------+ | ||
|
|
||
| Attribute Synchronization & Access Enforcement |
There was a problem hiding this comment.
"Your account isn't fully set up yet. Please sign in to Mattermost via the web or desktop app first."
Documentation for:
Docs Previews Shortcuts for Reviewers:
Decision Makers & Risk Assessors
System Administrators
End Users