Configure Microsoft Intune Mobile Application Management (MAM)

Available on Entry, Enterprise, and Enterprise Advanced plans (not available on Professional)

You can configure the Mattermost Mobile App on iOS to enforce Microsoft Intune App Protection Policies (MAM) so organizational data remains protected on Bring Your Own Device (BYOD) and mixed-use devices without requiring device enrollment (MDM).

This guide documents the required configuration to enable Intune MAM successfully on iOS.

Read This First

Intune MAM enforcement in Mattermost is identity-based and applies only to the sign-in method selected as the enforced Auth Provider in System Console > Environment > Mobile Security.

  • The enforced authentication provider must resolve users using Azure AD objectId (IdAttribute = objectId).

  • MSAL access tokens must include the oid claim, and it must match the same Azure AD objectId (confirm identity alignment: objectId ↔ oid).

Important

If Intune MAM enrollment fails due to a technical error, the affected Mattermost server is removed from the mobile app and cached data for that server is wiped from the device.

Unsupported Scenarios

This guide doesn’t apply when:

  • You require Intune MAM on Android devices.

  • You want Intune MAM enforcement for a sign-in method not backed by Microsoft Entra ID.

  • The enforced authentication provider cannot resolve users to Azure AD objectId.

  • You require a rollout model where users can bypass or defer Intune MAM for the enforced sign-in method.

Other authentication methods, such as guest access, may still be enabled separately, but they aren’t evaluated by Intune MAM.

Prerequisites

Confirm the following before continuing:

  • Microsoft Entra ID is used for authentication.

  • You can commit to Azure AD objectId as the authoritative identity.

  • Mattermost Enterprise Advanced licensing is available for the server.

  • Target users are licensed for Microsoft Intune.

  • You can register applications and grant tenant-wide admin consent in Microsoft Entra.

  • If enforcing Intune MAM on SAML, users already exist in Mattermost (mobile sign-in does not create users for SAML).

Note

In this guide, OpenID Connect (OIDC) refers to the Microsoft Entra sign-in method used by the Mattermost Mobile App via MSAL.

Configuration Overview

Successful Intune MAM enforcement requires coordinated configuration across:

  • Microsoft Entra ID – app registration, scope, API permissions, admin consent

  • Microsoft Intune – iOS App Protection Policies

  • Mattermost Server – MAM enablement and provider selection

  • Mattermost Mobile App (iOS) – enrollment and enforcement

Complete the steps below in order.

Setup Summary

  1. Confirm identity requirements and alignment (objectId ↔ oid).

  2. Configure Microsoft Entra (server-referenced application).

  3. Configure Intune App Protection Policies.

  4. Enable Intune MAM in Mattermost and select the enforced provider.

  5. Deploy the official Mattermost iOS app.

  6. Validate enrollment and enforcement.

Values You’ll Need Later

Capture these during setup:

  • Directory (tenant) ID: from the Entra app registration overview; used in the Mattermost System Console.

  • Application (client) ID: from the Entra app registration overview; used in the Mattermost System Console.

  • Application ID URI: from Entra app > Expose an API; used to form the api://<APPLICATION-ID>/login.mattermost scope reference in Authorized client applications.

  • login.mattermost scope: from Entra app > Expose an API; used in Authorized client applications.

  • Mobile client application ID: provided by Mattermost; used in Entra app > Authorized client applications.

  • iOS bundle IDs (prod/beta): listed in this guide; used in Intune App Protection Policies.

Step 1: Identity Configuration for Intune MAM

This step defines the required identity model for the authentication provider selected for Intune MAM enforcement.

Required Identity Model

Microsoft Intune MAM for Mattermost requires Azure AD objectId as the authoritative user identifier. The following requirements are non-negotiable:

  • IdAttribute must equal objectId for the enforced provider.

  • MSAL access tokens must include the oid claim.

  • Confirm identity alignment (objectId ↔ oid) before enabling Intune MAM.

Confirm Identity Alignment (objectId ↔ oid)

For the same user, the following values must match:

  • Azure AD objectId

  • MSAL access token oid claim

  • SAML objectidentifier (if applicable)

  • LDAP msDS-aadObjectId (if applicable)

Any mismatch prevents enrollment.

Identity Enforcement by Authentication Method

OIDC (Mobile sign-in via MSAL)

  • Mattermost uses the MSAL access token for identity and enrollment.

  • Confirm identity alignment (objectId ↔ oid).

SAML (Entra-backed)

  • SamlSettings.IdAttribute must map to objectidentifier.

  • Email, UPN, and immutableID aren’t supported.

  • Users must already exist in Mattermost before mobile sign-in.

LDAP (Entra ID Domain Services)

  • Use msDS-aadObjectId.

  • Do not use objectGUID.

Runtime Enforcement Behavior

When Intune MAM is enabled for a provider:

  • Enforcement occurs during active sessions, not only at login.

  • If Intune MAM becomes newly required due to policy, licensing, or configuration changes, enrollment may be triggered immediately.

  • Users can’t bypass enforcement for the enforced provider.

Pre-flight Checklist

  • Licensed Intune test user available

  • Ability to grant tenant-wide admin consent

  • Enforced provider identified (OIDC or SAML)

  • IdAttribute = objectId configured

  • Identity alignment verified (objectId ↔ oid)

  • Official Mattermost iOS app deployed

  • Target bundle IDs known: com.mattermost.rn (Production), com.mattermost.rnbeta (Beta)

Step 2: Microsoft Entra Configuration for Intune MAM

You register a single-tenant Microsoft Entra application that is referenced by Mattermost Server. This application validates MSAL access tokens and supports Intune MAM enrollment.

You don’t register the Mattermost Mobile app itself. Redirect URI configuration isn’t required.

Entra Application Registration

  1. Go to Identity > Applications > App registrations.

  2. Select New registration.

  3. Configure:

    • Name: Mattermost Mobile (Intune MAM)

    • Supported account types: Single tenant

  4. Register the app.

  5. Copy:

    • Application (client) ID

    • Directory (tenant) ID

Expose the API and Create the Scope

  1. Go to Expose an API.

  2. Confirm Application ID URI is set (for example, api://<APPLICATION-ID>).

  3. Add a scope named login.mattermost.

  4. Save your changes.

Authorize the Official Mobile Client

Authorize the official Mattermost Mobile client application ID (provided by Mattermost) to request the login.mattermost scope.

  1. In the Entra app registration, go to Expose an API.

  2. Under Authorized client applications, select Add a client application.

  3. Add the official Mattermost Beta Mobile client application ID provided by Mattermost: 64e9952b-20eb-46dc-92ad-99089ed24903.

  4. Authorize the api://<APPLICATION-ID>/login.mattermost scope.

  5. Save your changes.

Configure MSAL tokens and required claims

Before enabling Intune MAM, ensure the Entra app registration issues access tokens with the claims Mattermost expects during mobile sign-in.

  1. In the Entra app registration, go to Token configuration.

  2. Select Add optional claim.

  3. Under Token type, select Access.

  4. Add the following optional claims:

    • email

    • family_name

    • given_name

    • preferred_username

    • upn

  5. Save your changes.

Note

Mattermost Intune MAM enforcement uses the MSAL access token. If required claims are missing, sign-in and/or enrollment may fail.

Enable MSAL v2 access tokens

  1. Open the app Manifest.

  2. Set the token version to 2:

    • If your manifest shows api.requestedAccessTokenVersion, set it to 2.

    • Otherwise set accessTokenAcceptedVersion to 2.

  3. Save your changes.
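The objectId ↔ oid alignment check from Step 1 and the claim and token-version requirements above can be verified offline against an access token captured from a licensed test user. The script below is an added example, not part of this guide or of the Mattermost code base; the tenant ID, client ID, objectId and the sample tokens it builds are constructed placeholders, and it assumes the token audience is either the Application (Client) ID or its api:// URI.

```python
import base64
import json

# Optional claims this guide says must be added to the Access token.
REQUIRED_OPTIONAL_CLAIMS = ("email", "family_name", "given_name", "preferred_username", "upn")

# Constructed placeholder values (not real tenant, app, or user identifiers).
SAMPLE_TENANT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_APP_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_OBJECT_ID = "33333333-3333-3333-3333-333333333333"

def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT (alg 'none') purely for offline testing."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}."

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature:
    an admin-side pre-flight look at a test user's token, not the server's validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_alignment(claims: dict, tenant_id: str, app_id: str, expected_object_id: str) -> list:
    """Compare a token's claims with the identity model this guide requires.
    Each finding names the matching troubleshooting condition; an empty list means pass."""
    findings = []
    if claims.get("ver") != "2.0":
        findings.append("not a v2 token: set accessTokenAcceptedVersion to 2")
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the configured Tenant ID (invalid_tenant_id)")
    # Assumption: aud is the Application (Client) ID or the api://<client-id> URI.
    if claims.get("aud") not in (app_id, f"api://{app_id}"):
        findings.append("aud does not match the Application (Client) ID")
    oid = claims.get("oid")
    if oid is None:
        findings.append("oid claim missing (missing_claims)")
    elif oid != expected_object_id:
        findings.append("oid does not match the Azure AD objectId (identity mismatch)")
    missing = [c for c in REQUIRED_OPTIONAL_CLAIMS if c not in claims]
    if missing:
        findings.append("optional claims missing from the access token: " + ", ".join(missing))
    return findings

# Constructed tokens: one that satisfies the guide, one with typical misconfigurations.
GOOD_CLAIMS = {"ver": "2.0", "tid": SAMPLE_TENANT_ID, "aud": SAMPLE_APP_ID, "oid": SAMPLE_OBJECT_ID,
               "email": "user@example.com", "family_name": "User", "given_name": "Test",
               "preferred_username": "user@example.com", "upn": "user@example.com"}
BAD_CLAIMS = {"ver": "1.0", "tid": SAMPLE_TENANT_ID, "aud": SAMPLE_APP_ID,
              "email": "user@example.com", "upn": "user@example.com"}

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        result = check_alignment(decode_claims(make_sample_token(claims)),
                                 SAMPLE_TENANT_ID, SAMPLE_APP_ID, SAMPLE_OBJECT_ID)
        print(label, "->", result or ["OK"])
```

To inspect a real token, paste it in place of the constructed one; the script only reads claims and never sends the token anywhere.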

Step 3: Configure Intune App Protection Policies

  1. Go to Intune admin center > Apps > App protection policies.

  2. Create a policy:

    • Platform: iOS/iPadOS

    • Targeted app: Managed apps

  3. Add the Mattermost app by bundle ID:

    • com.mattermost.rn (Production)

    • com.mattermost.rnbeta (Beta)

  4. Configure protection settings.

  5. Assign to Entra ID user groups.

  6. Save your changes.

Separate policies are required for Production and Beta apps.

Step 4: Configure Mattermost Server for Intune MAM

  1. Go to System Console > Environment > Mobile Security.

  2. Set Enable Microsoft Intune MAM to True.

  3. Select Auth Provider:

    • OpenID Connect (Entra-backed)

    • SAML 2.0 (Entra-backed)

  4. Enter:

    • Tenant ID

    • Application (Client) ID

  5. Save your changes.

The enforced provider must resolve identity using IdAttribute = objectId.

Step 5: Deploy the Mattermost iOS App

Download and install the official Mattermost iOS app using:

  • Apple App Store (Production)

  • TestFlight (Beta)

Wrapped, re-signed, or privately distributed apps aren’t supported.

Step 6: Validate Enrollment

Validate with a licensed test user on iOS.

Confirm:

  • Enrollment completes successfully

  • Enforcement applies at sign-in and mid-session

  • Identity alignment is correct (objectId ↔ oid)

Expected Behavior During Mobile Sign-In

  1. User signs in via MSAL.

  2. Mattermost validates the access token.

  3. Intune MAM enrollment is triggered.

  4. App Protection Policies are applied.

If enrollment is required but cannot complete, access is blocked until enrollment succeeds.

Troubleshooting

Most failures are caused by:

  • Identity mismatch (objectId ↔ oid)

  • IdAttribute not set to objectId

  • Missing Entra API permissions or admin consent

  • App Protection Policy not targeting the user or app

  • Unsupported client or platform

Quick Diagnostics

  1. Confirm identity alignment (objectId ↔ oid).

  2. Confirm IdAttribute = objectId.

  3. Confirm Entra permissions and admin consent.

  4. Confirm Auth Provider selection.

  5. Confirm Intune policy targeting.

If the user declines enrollment, retry is allowed.

Intune MAM Errors

The errors below may occur during mobile sign-in or when Intune MAM enforcement is triggered mid-session. Some errors are shown in the Mattermost Mobile App, while others are silent and must be diagnosed using Mattermost server logs.

Note

In the table below, Fallback: Web SSO means the mobile app uses the non-Intune version of the configured sign-in method (SAML or OpenID Connect) as if Intune MAM were not enabled.

Each entry below gives the error as it appears to the user (or "(silent)"), its meaning, and the admin cause and next step.

Enrollment Failed
  • Error ID: (varies)
  • HTTP: (varies)
  • Scenario: Enrollment failed (technical)
  • User message: "Enrollment Failed"
  • Retry: No
  • Fallback: None
  • Meaning: Intune MAM enrollment failed due to a technical error.
  • Cause: Enrollment could not be completed due to a technical failure (MSAL error, Intune enrollment API failure, identity mismatch, or missing Entra permissions).
  • Behavior: The server is removed immediately and there is no retry option; cached data for that server is wiped.
  • Next step: Fix the underlying issue, then have the user re-add the server in the mobile app.
  • Admin checks: Verify IdAttribute = objectId; confirm identity alignment (objectId ↔ oid); confirm tenant-wide admin consent; confirm the App Protection Policy targets the user and the correct iOS bundle ID.

Enrollment Declined
  • Error ID: (varies)
  • HTTP: (varies)
  • Scenario: User declined enrollment
  • User message: "Enrollment Declined"
  • Retry: Yes
  • Fallback: None
  • Meaning: The user declined Intune MAM enrollment.
  • Cause: The user canceled the enrollment prompt.
  • Behavior: A Retry option is shown; no server data is removed unless a later technical enrollment failure occurs.
  • Next step: Instruct the user to retry enrollment when ready.

Consent Denied
  • Error ID: (varies)
  • HTTP: (varies)
  • Scenario: Admin consent missing (first login)
  • User message: "You denied consent for Intune management. The affected accounts have been unenrolled and signed out."
  • Retry: Yes (after admin consent)
  • Fallback: None
  • Meaning: Enrollment cannot complete because required Entra app permissions don’t have tenant-wide admin consent.
  • Cause: Tenant-wide admin consent has not been granted for the required delegated permissions on the Entra app registration configured in Mattermost Server.
  • Behavior: The message may appear as if the user denied consent, but the underlying issue is missing admin consent.
  • Next step: In Microsoft Entra, grant tenant-wide admin consent for Microsoft Graph delegated permissions email and profile on the same Entra app registration configured in Mattermost, then have the user retry mobile sign-in.

(silent): api.user.login_by_intune.not_available.app_error
  • Error ID: api.user.login_by_intune.not_available.app_error
  • HTTP: 501
  • Scenario: Enterprise not compiled
  • User message: (silent)
  • Retry: No
  • Fallback: Standard SSO (non-Intune)
  • Meaning: Intune MAM login is not available on this server.
  • Cause: The server does not support Intune MAM (feature not available in this build or not enabled for the deployment).
  • Next step: Confirm the server build includes Intune MAM support and the deployment is licensed for Enterprise Advanced.
  • User guidance: Have the user sign in via web/desktop using the standard (non-Intune) SSO flow for their provider (SAML or OpenID Connect) while the server is updated or configuration is corrected.

(silent): api.user.login_by_intune.not_configured.app_error
  • Error ID: api.user.login_by_intune.not_configured.app_error
  • HTTP: 400
  • Scenario: Intune not configured
  • User message: (silent)
  • Retry: No
  • Fallback: Standard SSO (non-Intune)
  • Meaning: Intune MAM is enabled for the org but not configured on the server.
  • Cause: Intune MAM isn't fully configured in System Console > Environment > Mobile Security.
  • Next step: Enable Microsoft Intune MAM and ensure Tenant ID, Application (Client) ID, and Auth Provider are set correctly.
  • Admin checks: Confirm the selected auth provider is Entra-backed and required permissions/admin consent have been granted for the Entra app registration.
  • User guidance: Have the user sign in via web/desktop using the standard (non-Intune) SSO flow for their provider (SAML or OpenID Connect) while the server is updated or configuration is corrected.

Bot accounts cannot sign in using this method.
  • Error ID: api.user.login_by_intune.bot_login_forbidden.app_error
  • HTTP: 403
  • Scenario: Bot tried to log in
  • User message: "Bot accounts cannot sign in using this method."
  • Retry: No
  • Fallback: None
  • Meaning: The account cannot use Intune MAM sign-in.
  • Cause: Bot accounts are not allowed to authenticate via Intune MAM.
  • Next step: Use a human user account for Intune MAM enrollment and access.

Your account has been deactivated. Please contact your administrator.
  • Error ID: api.user.login_by_intune.account_locked.app_error
  • HTTP: 409
  • Scenario: User deleted/disabled
  • User message: "Your account has been deactivated. Please contact your administrator."
  • Retry: No
  • Fallback: None
  • Meaning: The account is not permitted to sign in.
  • Cause: The user is deleted, disabled, or locked in Mattermost.
  • Next step: Re-enable or restore the user account in Mattermost, then retry sign-in and enrollment.

(silent): ent.intune.login.not_configured.app_error
  • Error ID: ent.intune.login.not_configured.app_error
  • HTTP: 403
  • Scenario: IsConfigured() = false
  • User message: (silent)
  • Retry: No
  • Fallback: Standard SSO (non-Intune)
  • Meaning: Intune MAM is not configured for the current sign-in path.
  • Cause: Intune MAM isn't configured for the requested authentication path (configuration incomplete or mismatched provider selection).
  • Next step: Confirm Intune MAM is enabled and configured, and the selected Auth Provider matches how users authenticate (OIDC vs SAML).
  • User guidance: Have the user sign in via web/desktop using the standard (non-Intune) SSO flow for their provider (SAML or OpenID Connect) while the server is updated or configuration is corrected.

We couldn't complete your sign in. Please try again.
  • Error ID: ent.intune.login.extract_auth_data.app_error
  • HTTP: 400
  • Scenario: IdAttribute mapping failed
  • User message: "We couldn't complete your sign in. Please try again."
  • Retry: Yes (1x)
  • Fallback: None
  • Meaning: Identity mapping failed during sign-in.
  • Cause: The server couldn’t extract or map the identity attribute required for Intune MAM (commonly IdAttribute is misconfigured or the token isn't MSAL v2).
  • Next step: Ensure IdAttribute = objectId, then confirm identity alignment (objectId ↔ oid). Verify the Entra app issues v2 tokens (accessTokenAcceptedVersion = 2).

Your account isn't fully set up yet. Please sign in to Mattermost via the web or desktop app first.
  • Error ID: ent.intune.login.account_not_found.app_error
  • HTTP: 428
  • Scenario: SAML user account not found
  • User message: "Your account isn't fully set up yet. Please sign in to Mattermost via the web or desktop app first."
  • Retry: No
  • Fallback: None
  • Meaning: The user does not exist in Mattermost for SAML-based sign-in.
  • Cause: When SAML is the selected provider for Intune MAM enforcement, mobile sign-in cannot create a new user.
  • Next step: Have the user sign in once via the web or desktop app to provision the account, then retry mobile sign-in.
  • Admin checks: Ensure provisioning is in place (web/desktop first sign-in, LDAP sync, or another provisioning method).

We couldn't verify your sign in. Please try again.
  • Error ID: ent.intune.validate_token.invalid_token.app_error
  • HTTP: 400
  • Scenario: Token validation failed
  • User message: "We couldn't verify your sign in. Please try again."
  • Retry: Yes (1x)
  • Fallback: None
  • Meaning: The access token could not be validated.
  • Cause: Token validation failed (token malformed, wrong issuer/audience, missing permissions, or Entra configuration mismatch).
  • Next step: Verify the configured Tenant ID and Application (Client) ID match the Entra app registration referenced by Mattermost Server. Confirm tenant-wide admin consent has been granted for Microsoft Graph delegated permissions email and profile on that same app registration. Then confirm identity alignment (objectId ↔ oid) for the affected user.
  • Admin checks: Confirm v2 tokens (accessTokenAcceptedVersion = 2) and that Microsoft Graph delegated permissions email and profile have tenant-wide admin consent.

Your sign in session has expired. Please try signing in again.
  • Error ID: ent.intune.validate_token.token_expired.app_error
  • HTTP: 400
  • Scenario: Token expired
  • User message: "Your sign in session has expired. Please try signing in again."
  • Retry: Yes (1x)
  • Fallback: None
  • Meaning: The authentication session expired before enrollment completed.
  • Cause: The access token or interactive session expired during sign-in/enrollment.
  • Next step: Have the user sign in again and complete enrollment promptly.
  • Admin checks: If repeated, confirm the device can reach Entra/Intune endpoints during enrollment and prompts aren't being blocked.

We couldn't complete your sign in. Please contact your IT administrator.
  • Error ID: ent.intune.validate_token.missing_claims.app_error
  • HTTP: 400
  • Scenario: Required claims missing
  • User message: "We couldn't complete your sign in. Please contact your IT administrator."
  • Retry: No
  • Fallback: None
  • Meaning: The access token is missing required claims for sign-in and enrollment.
  • Cause: Required claims are missing from the MSAL access token (most commonly oid, or optional claims required by Mattermost).
  • Next step: Confirm MSAL v2 access tokens are issued (accessTokenAcceptedVersion = 2) and the token includes oid. In the Entra app registration, go to Token configuration and ensure optional claims are added for the Access token: email, family_name, given_name, preferred_username, and upn. Confirm the enforced provider uses IdAttribute = objectId, then verify identity alignment (objectId ↔ oid).

There was a configuration issue. Please contact your IT administrator.
  • Error ID: ent.intune.validate_token.invalid_tenant_id.app_error
  • HTTP: 400
  • Scenario: Token tenant ≠ configured tenant
  • User message: "There was a configuration issue. Please contact your IT administrator."
  • Retry: No
  • Fallback: None
  • Meaning: The token tenant does not match the configured tenant.
  • Cause: The token was issued by a different tenant than the one configured in Mattermost.
  • Next step: Verify the Tenant ID configured in System Console > Environment > Mobile Security matches the Entra tenant issuing MSAL tokens for the user.

AADSTS650057 (invalid_resource)
  • Error ID: (AADSTS650057)
  • HTTP: (varies)
  • Scenario: invalid_resource
  • User message: (MSAL/Entra error)
  • Retry: No (until fixed)
  • Fallback: None
  • Meaning: The Entra app configuration is missing required permissions and/or admin consent.
  • Cause: Required Intune MAM API permissions are missing or do not have tenant-wide admin consent.
  • Next step: In the Microsoft Entra admin center, go to Enterprise applications (not App registrations), search for Mattermost Mobile / Mattermost Mobile Beta, then open Permissions and add/grant admin consent for the Intune MAM permissions (for example, https://msmamservice.api.application/.default and the user_impersonation (Delegated) permission of Microsoft Mobile Application Management). Then have the user retry sign-in.

NotLicensed
  • Error ID: (NotLicensed)
  • HTTP: (varies)
  • Scenario: License missing or inactive
  • User message: (varies)
  • Retry: No
  • Fallback: None
  • Meaning: The server is not licensed for Intune MAM enforcement.
  • Cause: Enterprise Advanced licensing is missing or not applied to the server.
  • Next step: Apply an Enterprise Advanced license to the server and confirm the license is active, then retry.

HTTP 403 Forbidden
  • Error ID: (HTTP 403)
  • HTTP: 403
  • Scenario: Server-side access blocked
  • User message: (varies)
  • Retry: No
  • Fallback: None
  • Meaning: Server-side access is blocked by a gating condition.
  • Cause: A server gating condition is preventing enrollment (not an Intune service failure).
  • Next step: Verify Enterprise Advanced licensing, Intune MAM is enabled, Auth Provider selection matches how users authenticate, configured Tenant ID and Application (Client) ID are correct, and tenant-wide admin consent is granted. Then confirm identity alignment (objectId ↔ oid) and Intune App Protection Policy targeting for the correct iOS bundle ID.

Rollout and Recovery Guidance

  • Pilot with a small group first

  • Validate identity alignment before broad rollout

  • Expect enforcement to occur mid-session if requirements change