Set up Slack for Intune mobile apps
This guide outlines the steps required to configure and deploy the Slack for Intune mobile apps for your org. You’ll find references to Microsoft’s documentation throughout with additional details about the Intune service.
What to expect
- Setup requires admin permissions in Intune, Azure and Slack.
- Once the initial setup is complete, you can set App Protection Policies and App Configuration Policies.
- When using Slack for Intune, members will need to download the Slack for Intune app from their mobile app store or the Microsoft App Partner store.
Initial Slack for Intune setup
To get started, an Intune and Azure admin will need to configure the required settings. The below steps are the minimum requirements to set up the Slack for Intune apps. Admins can set up Configuration Policies and Conditional Access Policies later on.
Step 1: Add the Slack for Intune apps to your Microsoft Endpoint Manager
- In the Apps tab of the Microsoft Endpoint Manager, click Add and select the appropriate App type.
- Search for ‘Slack for Intune’, select the app and assign it to the people and/or groups that you’d like to target.
For additional support for adding an app to your Microsoft Endpoint Manager, check out Microsoft’s Intune Quickstart Guide.
Step 2: Add an App Protection Policy
Members can only register and sign in once an App Protection Policy has been applied. This ensures that no one can access the Slack for Intune apps without the security settings provided by Microsoft Intune.
- In the Apps tab of the Microsoft Endpoint Manager, click App Protection Policies and create a new policy for the appropriate mobile platform. If you’re deploying to both iOS and Android devices, you’ll need to create two separate policies.
- Add the Slack for Intune app to your policy.
- Configure the security settings.
- Assign the policy to the people or group that you’d like to target and click Save.
Note: It can take some time for a new App Protection Policy to reach individual devices. To validate that your new policy is set up and working correctly, follow this guidance from Microsoft’s Intune documentation.
Step 3: Grant admin consent via the Azure AD admin centre
Members can only successfully register to the Intune service once admin consent has been granted.
- Navigate to the Enterprise applications tab in the Azure AD admin centre.
- Search for ‘Slack for Intune’.
- Click Permissions.
- Click Grant admin consent for Slack for Intune.
For additional support for application management settings, you can refer to the Microsoft documentation.
Deploying the Slack for Intune apps to mobile devices
If you’re deploying to Android devices, you’ll need to download the Company Portal app from the Play Store, as well as the Slack for Intune app.
iOS devices only require the Slack for Intune app.
Both platforms can use the Microsoft Authenticator to assist with signing in, if it's installed.
Troubleshoot your member’s device registration
Members registering their device for Slack for Intune may experience an error message, a stuck loading page or an app crash. To address these issues, have an Intune or Azure admin confirm the following configurations on the Microsoft side:
- Ensure that you’ve granted admin consent in Azure AD.
- Ensure that an App Protection Policy has been assigned to the member. If it was recently assigned, you may need to wait for the policy to reach the device.
- Ensure that your App Configuration Policy has the right keys and values
If the device registration continues to fail, feel free to contact us so that we can troubleshoot with you.
App Protection Policies
Before members can authenticate and sign into Slack, they will need to successfully register their Slack for Intune app. Doing so requires you to configure App Protection Policies on the Microsoft side.
Tip: The Slack for Intune apps defer to the Intune supported settings for App Protection Policies. To understand the expected behaviour of your particular configuration, refer to Microsoft’s documentation for iOS or Android.
App Protection Policy Settings
These settings allow you to specify how your members can interact with Slack on their mobile devices. The expected behaviours for the available policies are outlined below.
| Restrict web content transfer with other apps | If this setting is configured to Microsoft Edge, members will be required to be signed into Edge with their corporate Azure AD account for the content to transfer successfully. |
Intune allows admins to specify an unmanaged browser to open links. Slack supports Blackberry Access:
|
|
| Save copies of org data |
Currently, we only support Local Storage and Photo Library for ‘Allow users to save copies to selected services’. When this setting is configured to Block:
Android: The download button is hidden if all save locations are blocked. If any of the save locations are permitted, the download button is visible to the end user.
iOS: Files will be downloaded in an encrypted format. Download buttons will still be shown in the app and if clicked, files will appear to be downloading, but the content will be downloaded as encrypted and unreadable. |
| Allow user to save copies to selected services | In order for the camera to function as expected and take photos from within the Slack for Intune app, this setting needs to be set to local storage if the parent setting, ‘Save copies of org data’, is set to Block (Android only). |
| Select managed universal links |
We do not currently support external links redirecting back to the Slack for Intune app. Even if admins add URLs for the Slack for Intune app to the universal link list, the redirects will fail to open the Slack for Intune app. |
App Configuration Policies
Slack for Intune supports App Configuration Policies for both managed apps and managed devices. On Android, there are some distinctions when creating the App Configuration Policy and the settings will differ slightly for managed apps vs managed devices.
If you have an App Configuration Policy that is applied to both platforms (Android and iOS) and/or both managed and unmanaged devices, you can add all of these settings in the same policy. The different platforms will consume and execute the relevant keys.
You can safely ignore any additional keys that may appear in the Microsoft Intune admin centre when creating or editing an App Configuration Policy. These will have no impact on Slack for Intune app functionality.
Supported keys
| Key | Device | Example |
|
allowed_intune_domain Can be a list of domains that users should be allowed to access. Members will be fast-forwarded through the workspace-URL page if only one domain is listed. Members will need to enter the workspace URL during sign in if more than one domain is listed. |
Unmanaged iOS or Android devices |
allowed_intune_domain = acme, acmecorp (will not fast-forward) allowed_intune_domain = acme (will fast-forward to acme.slack.com) |
|
WhitelistedDomains Controls which domains users can access. Members will be fast-forwarded through the workspace-URL page if only one domain is listed. Members will need to enter the workspace URL during sign in if more than one domain is listed. |
Managed Android devices |
WhitelistedDomains = acme, acmecorp |
|
IntuneMAMUPN* IntuneMAMUPN is required if the device is managed and using an Intune MAM managed app. |
Managed iOS devices |
* See the Microsoft instructions for details on which settings require this configuration.
Access control
In addition to the policies on the Microsoft side, you can configure Access Control in Slack. When enabled, members and guests will only be able to access your org from the Slack for Intune apps. If you’d like to enable this setting, please contact us at feedback@slack.com.
Note: App-based Conditional Access via Azure AD and device-based Conditional Access policies are not currently supported.
- Org owners
- Available on the Enterprise Grid subscription