Set up Slack for Intune mobile apps

This guide outlines the steps required to configure and deploy the Slack for Intune mobile apps for your org. You’ll find references to Microsoft’s documentation throughout with additional details about the Intune service.

What to expect

  • Setup requires admin permissions in Intune, Azure, and Slack.
  • Once the initial setup is complete, you can set App Protection Policies and App Configuration Policies.
  • When using Slack for Intune, members will need to download the Slack for Intune app from their mobile app store, or the Microsoft App Partner store.

Initial Slack for Intune setup

To get started, an Intune and Azure admin will need to configure the required settings. The steps below are the minimum requirements to set up the Slack for Intune apps. Admins can set up Configuration Policies and Conditional Access Policies later on.

Step 1: Add the Slack for Intune apps to your Microsoft Endpoint Manager

  1. In the Apps tab of the Microsoft Endpoint Manager, click Add and select the appropriate App type.
  2. Search for “Slack for Intune”, select the app and assign it to the people and/or groups you want to target.

For additional support for adding an app to your Microsoft Endpoint Manager, check out Microsoft’s Intune Quickstart Guide.

Step 2: Add an App Protection Policy

Members can only register and sign in once an App Protection Policy is applied. This ensures that no one can access the Slack for Intune apps without the security settings provided by Microsoft Intune.

  1. In the Apps tab of the Microsoft Endpoint Manager, click App Protection Policies and create a new policy for the appropriate mobile platform. If you’re deploying to both iOS and Android devices, you’ll need to create two separate policies.
  2. Add the Slack for Intune app to your policy.
  3. Configure the security settings.
  4. Assign the policy to the people or group you want to target and click Save.

Note: It can take some time for a new App Protection Policy to reach individual devices. To validate that your new policy is set up and working correctly, follow this guidance from Microsoft’s Intune documentation.

Step 3: Grant admin consent via the Azure AD admin center

Members can only successfully register to the Intune service once admin consent is granted. 

  1. Navigate to the Enterprise applications tab in the Azure AD admin center.
  2. Search for “Slack for Intune.”
  3. Click Permissions.
  4. Click Grant admin consent for Slack for Intune.

For additional support for application management settings, you can refer to the Microsoft documentation.


Deploying the Slack for Intune apps to mobile devices

If you’re deploying to Android devices, you’ll need to download the Company Portal app from the Play Store, as well as the Slack for Intune app.

iOS devices only require the Slack for Intune app.

Both platforms can use the Microsoft Authenticator to assist with signing in, if it's installed.


Troubleshoot your members’ device registration

Members registering their device for Slack for Intune may experience an error message, a stuck loading page, or an app crash. To address these issues, have an Intune or Azure admin confirm the following configurations on the Microsoft side:

If the device registration continues to fail, feel free to contact us so that we can troubleshoot with you.

 

App Protection Policies

Before members can authenticate and sign into Slack, they will need to successfully register their Slack for Intune app. Doing so requires you to configure App Protection Policies on the Microsoft side.

Tip: The Slack for Intune apps defer to the Intune supported settings for App Protection Policies. To understand the expected behavior of your particular configuration, refer to Microsoft’s documentation for iOS or Android.

App Protection Policy Settings

These settings allow you to specify how your members can interact with Slack on their mobile devices. The expected behaviors for the available policies are outlined below.

Restrict web content transfer with other apps

If this setting is configured to Microsoft Edge, members will be required to be signed into Edge with their corporate Azure AD account for the content to transfer successfully.

Intune allows admins to specify an unmanaged browser to open links. Slack supports Blackberry Access:

  • Unmanaged browser ID: access://open?url=http
  • Unmanaged browser name: Blackberry Access

Save copies of org data

Currently, we only support Local Storage and Photo Library for “Allow users to save copies to selected services.” When this setting is configured to Block:

  • Android: The download button is hidden if all save locations are blocked. If any of the save locations are permitted, the download button is visible to the end user.
  • iOS: Files will be downloaded in an encrypted format. Download buttons will still be shown in the app and if clicked, files will appear to be downloading, but the content will be downloaded as encrypted and unreadable.

Allow user to save copies to selected services

In order for the camera to function as expected and take photos from within the Slack for Intune app, this setting needs to be set to local storage if the parent setting, “Save copies of org data,” is set to Block (Android only).

Select managed universal links

We do not currently support external links redirecting back to the Slack for Intune app. Even if admins add URLs for the Slack for Intune app to the universal link list, the redirects will fail to open the Slack for Intune app.

 

App Configuration Policies

Slack for Intune supports App Configuration Policies for both managed apps and managed devices. On Android, there are some distinctions when creating the App Configuration policy and the settings will differ slightly for managed apps vs. managed devices.

If you have an App Configuration Policy that is applied to both platforms (Android and iOS) and/or both managed and unmanaged devices, you can add all of these settings in the same policy. The different platforms will consume and execute the relevant keys.

You can safely ignore any additional keys that may appear in the Microsoft Intune admin center when creating or editing an App Configuration Policy. These will have no impact on Slack for Intune app functionality.

 

Supported keys

allowed_intune_domain

  • Description: Can be a list of domains that users should be allowed to access. Members will be fast-forwarded through the workspace-URL page if only one domain is listed. Members will need to enter the workspace URL during sign in if more than one domain is listed.
  • Device: Unmanaged iOS or Android devices
  • Example: allowed_intune_domain = acme, acmecorp (will not fast-forward)
  • Example: allowed_intune_domain = acme (will fast-forward to acme.slack.com)

WhitelistedDomains

  • Description: Controls which domains users can access. Members will be fast-forwarded through the workspace-URL page if only one domain is listed. Members will need to enter the workspace URL during sign in if more than one domain is listed.
  • Device: Managed Android devices
  • Example: WhitelistedDomains = acme, acmecorp

IntuneMAMUPN*

  • Description: Enables specific data transfer settings in the App Protection Policy to function correctly on managed devices. IntuneMAMUPN is required if the device is managed and using an Intune MAM managed app.
  • Device: Managed iOS devices

* See the Microsoft instructions for details on which settings require this configuration.
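
A shared App Configuration Policy can be checked against the supported keys before it is assigned. The following is an added example, not Slack's or Microsoft's code: it reports, per device class, the sign-in behaviour a set of key/value pairs produces and flags keys that are not in the supported list. The dict policy format, the device-class labels and the function names are assumptions.

```python
# Added example. Key names and sign-in behaviour come from the supported-keys
# list; the dict policy format and every function name are assumptions.

SUPPORTED = {"allowed_intune_domain", "WhitelistedDomains", "IntuneMAMUPN"}

# Domain key each device class consumes, per the supported-keys list.
DOMAIN_KEY = {
    "unmanaged_ios": "allowed_intune_domain",
    "unmanaged_android": "allowed_intune_domain",
    "managed_android": "WhitelistedDomains",
    "managed_ios": None,  # the list names no domain key for this class
}


def parse_domains(value):
    """Split 'acme, acmecorp' into a list, dropping blanks and duplicates."""
    names = [part.strip() for part in value.split(",")]
    return list(dict.fromkeys(n for n in names if n))


def review_policy(settings, device_class):
    """Return (sign_in_behaviour, findings) for one device class."""
    findings = [f"'{k}' is not a supported key and has no effect"
                for k in settings if k not in SUPPORTED]
    if device_class == "managed_ios" and not settings.get("IntuneMAMUPN", "").strip():
        findings.append("IntuneMAMUPN is required on managed iOS devices")
    key = DOMAIN_KEY[device_class]
    if key is None:
        return "no domain key listed for this device class", findings
    domains = parse_domains(settings.get(key, ""))
    if not domains:
        findings.append(f"'{key}' is unset or empty for {device_class}")
        return "no domain list applied", findings
    if len(domains) == 1:
        return f"fast-forward to {domains[0]}.slack.com", findings
    return "member enters workspace URL: " + ", ".join(domains), findings


# Constructed sample: one policy shared by all platforms, with a misspelled key.
SAMPLE = {
    "allowed_intune_domain": "acme",
    "WhitelistedDomains": "acme, acmecorp",
    "allowed_intune_domains": "acmecorp",  # constructed typo (extra "s")
}

if __name__ == "__main__":
    for device in DOMAIN_KEY:
        print(device, review_policy(SAMPLE, device))
```
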

Access Control

In addition to the policies on the Microsoft side, you can configure Access Control in Slack. When enabled, members and guests will only be able to access your org from the Slack for Intune apps. If you’d like to enable this setting, please reach out to us at feedback@slack.com.

Note: App-based Conditional Access via Azure AD and device-based Conditional Access policies are not currently supported.

Who can use this feature?
  • Org Owners
  • Available on the Enterprise Grid plan