Securing and configuring the Qlik Analytics mobile app with Microsoft Intune

The Qlik Analytics mobile app gives field teams secure access to Qlik Cloud analytics on their mobile devices. You can use Microsoft Intune and Microsoft Entra ID to control access, protect company data, and provide the settings users need to connect to your Qlik Cloud tenant.

This topic covers how to configure Intune app protection policies, app configuration policies, and Qlik Cloud access controls to manage and secure the Qlik Analytics mobile app on Android and iOS devices.

Setting up Microsoft Intune for the Qlik Analytics mobile app in Microsoft Entra ID

This section outlines the main steps to register and manage the Qlik Analytics mobile app in Entra ID and Intune. Configure Entra ID and Intune according to your organization's requirements. For detailed instructions on application registration, see the Microsoft Intune documentation.

Registering the Qlik Analytics app in Microsoft Entra ID

Register the Qlik Analytics mobile app in Microsoft Entra ID to use it with Microsoft Intune.

Do the following:

1. In Entra ID, go to App registrations and select New registration.

2. Select the link to Enterprise applications, since you are integrating a globally registered application.

3. Search for the application ID: 53dfc2c0-8711-4bb3-a48f-b384ff663ab9. This is the Qlik global app registration.

4. If required, the Intune administrator can initiate registration by signing in and visiting:

   https://login.microsoftonline.com/common/adminconsent?client_id=53dfc2c0-8711-4bb3-a48f-b384ff663ab9

5. Once the Qlik Analytics mobile app is added and appears under Enterprise applications, complete the following:

   • Assign users and groups if you want to limit who can access the app.

   • Under Permissions, grant admin consent for your domain.

Conditional Access policy guidance

The Qlik Analytics mobile app is globally registered in Microsoft Entra ID with application ID 53dfc2c0-8711-4bb3-a48f-b384ff663ab9. This registration appears as a cloud application in your tenant. Any Conditional Access policy scoped to All cloud apps applies to this app registration.

Conditional Access and authentication flow

The Allowed with Intune authentication flow includes two sign-in steps:

1. App authentication (MSAL sign-in)

   The Qlik Analytics mobile app uses MSAL to authenticate the user with Entra. Intune MAM policies are evaluated during this step.

2. Browser-based Qlik Cloud sign-in

   The app opens an external browser on the device to complete Qlik Cloud authentication. For Intune flows, Microsoft Edge is enforced.

In this second step, Entra evaluates the browser—not the Qlik Analytics mobile app—as the client application when applying Conditional Access policies for the app registration. Any grant control applied to the app registration must be supported by the browser used in this step.

Conditional Access scope considerations

Because the Qlik Analytics app registration is visible as a cloud application in your tenant, Conditional Access policies scoped to All cloud apps also apply to the browser sign-in step.

If a policy uses Require app protection policy as the grant control, the browser used in the Qlik sign-in step must satisfy this requirement independently. This requires Microsoft Edge to have an Intune app protection policy deployed for your users. If Edge is not covered by an app protection policy, the browser sign-in step may be blocked.

Before deployment

Before deploying the Qlik Analytics mobile app with Intune MAM enforcement, verify with your Microsoft Entra or Intune administrator how your existing Conditional Access policies apply to the browser used in the Qlik sign-in step.

Qlik does not provide guidance on configuring Entra Conditional Access policies or broader Intune deployment configurations. For guidance, see Learn about Conditional Access and Intune in the Microsoft documentation.

Configuring mobile access with MAM in Qlik Cloud

Intune (MAM) enforcement is controlled by the mobile access permission assigned to users and groups in the Qlik Cloud Administration activity center. This is the main configuration step on the Qlik side and must be completed alongside your Intune and Entra configuration.

Mobile access permissions

You configure mobile access permissions in the Administration activity center > Manage users > Permissions.

Open the permission settings for the User Default or a custom role, expand Features and actions and locate Mobile > Native mobile app.

For more information about the permission settings, see Setting access to the Qlik Analytics mobile app.

Permission assignment guidance for Intune-governed tenants

For tenants that use Intune app protection, assign Allowed with Intune to all users and groups that require mobile access, regardless of device management state.

Why Allowed is not sufficient for Intune-governed users

The mobile access permission applies to the user, not the device. If a user is assigned Allowed on their corporate, MDM-enrolled device, they carry the same access permission when they sign in on a personal, unmanaged device.

That personal device has no MDM enrollment and no Intune broker. With the user's access permission set to Allowed, the Qlik Analyticsmobile app does not require Intune enrollment, and access is granted without app protection policies being applied. The user can access the tenant from an unmanaged device with no Intune protection, bypassing your organization's Intune policies.

Recommended assignment pattern for Intune-governed tenants

Use Allowed only for tenants or groups where Intune app protection is not required, such as internal non-Intune tenants or specific service accounts.

Identity provider compatibility

Enforcement of Intune MAM requires Microsoft Entra ID as the identity provider (IdP) for your Qlik Cloud tenant. The following table summarizes mobile app support across identity provider configurations.

Important considerations

App protection policies control which apps can share data with each other.

• If users need to send diagnostic emails from the Qlik Analytics mobile app, the policy must allow data transfer between apps.

• The Qlik Analytics mobile app requires access to the device browser to complete sign-in. Your app protection policy must permit this.

• Key Intune app policy settings to review:

  • Data protection > Send org data to other apps

  • Data protection > Select apps to exempt (com.qlik.qsm)

  • Functionality > Restrict web content transfer with other apps—when configured to open URLs in Microsoft Edge, the Qlik Cloud sign-in page is opened in Edge. Edge then performs its own Microsoft authentication before rendering the page. If your Conditional Access policies apply a grant control to All cloud apps or to your IdP app registration, that grant control is evaluated against Edge at this point. See Conditional Access policy guidance for the implications of different grant controls at that evaluation point.

{
  "policyName": "<policy name>",
  "Accounts": [
    {
      "name": "<tenant name>",
      "url": "<tenant URL>"
    },
    {
      "name": "<tenant name>",
      "url": "<tenant URL>"
    }
  ]
}

{
  "policyName": "<policy name>",
  "Accounts": [
    {
      "name": "<tenant name>",
      "url": "<tenant URL>"
    },
    {
      "name": "<tenant name>",
      "url": "<tenant URL>"
    }
  ]
}

{
  "policyName": "<policy name>",
  "Accounts": [
    {
      "name": "<tenant name>",
      "url": "<tenant URL>"
    },
    {
      "name": "<tenant name>",
      "url": "<tenant URL>"
    }
  ]
}