MAM configuration for Qlik Analytics mobile app with Intune

Andrew_Kruger — Mon, 01 Jun 2026 11:37:59 GMT

This article documents an example of how to configure MAM control of the Qlik Analytics Mobile app.

The example is provided as is. Qlik does not offer guidance on configuring Entra Conditional Access policies or broader Intune deployments. For those details, see Learn about Conditional Access and Intune in the Microsoft documentation.

As per Securing and configuring the Qlik Analytics mobile app with Microsoft Intune and the section titled Conditional Access scope considerations, the authentication flow for the mobile app follows the Qlik Cloud IDP OIDC progression.

The pattern and steps outlined in this article are the working example Qlik used in verification testing of the Conditional Access control for the Qlik Analytics mobile app policy deployment. Your own policy and configuration definitions may vary, and Microsoft documentation or support should be contacted for further help that is specific to your Entra and Intune environments.

Identify the IDP App Registration:
1. Navigate to Entra ID → App registrations
2. Locate the OIDC IDP app registration and note the Application (client) ID
3. Confirm this is the client ID presenting itself during the OIDC browser redirect
Modify Existing All Cloud Apps Policy
1. Navigate to Protection → Conditional Access → Policies
2. Open the existing All Cloud Apps policy
3. Go to Cloud apps or actions → Exclude and add the IDP app registration client ID
4. In Conditions → Device platforms: Any device
5. In Conditions → Client apps: Browser + Mobile apps and desktop clients
6. Grant access: Require device to be marked as compliant
7. Save and set to Report-only at first
Create a new Targeted Policy for IDP Registration
1. Create a new CA policy
2. Set Users to the same scope as the existing policy
3. Set Cloud apps to include IDP app registration only
4. In Conditions → Device platforms: iOS, Android, macOS, Linux
5. In Conditions → Client apps: Browser + Mobile apps and desktop clients
6. Grant access: Require multifactor authentication (MFA)
7. Set to Report-only at first
Validate in Report-Only before enabling
1. Navigate to Sign-in logs
2. Attempt the auth flow on a test device
3. Check the sign-in log entry for the OIDC redirect leg
4. Confirm report-only shows that the existing policy (Step 2) would have passed for a compliant device excluded
5. Confirm report-only shows that the new policy (Step 3) would have passed for MFA on Authentication via Authenticator
6. Once both are confirmed, switch both policies to enabled

On the test device:

Clear app session state and OIDC tokens
Re-attempt the full auth flow end-to-end
Confirm OIDC leg completes → local token issued -> on Authentication via Authenticator
Confirm MSAL leg completes → MAM policy on device confirmed
Confirm Qlik Analytics loads successfully

Environment

Qlik Cloud
Qlik Analytics mobile with Intune

article MAM configuration for Qlik Analytics mobile app with Intune in Official Support Articles

MAM configuration for Qlik Analytics mobile app with Intune

Environment