Deploying Qlik Sense Mobile Client Managed with Microsoft Azure and Intune

The Qlik Sense Mobile Client Managed app can be deployed using Microsoft Azure and Intune. Some configuration changes are required in the Microsoft Azure portal to enable Single Sign On (SSO) and Intune management of Qlik Sense Mobile Client Managed.

Before you begin:

  • Azure AD Connect must be configured to replicate your primary domain (Active Directory) and the Azure Portal (Azure Active Directory).
  • Azure AD Application Proxy Connector must be installed and configured.

To deploy the app using Microsoft Azure and Intune:

  • Set up a Qlik Sense Enterprise on Windows virtual proxy
  • Set up Kerberos constrained delegation in Active Directory
  • Add an Azure enterprise application for Qlik Sense Enterprise on Windows virtual proxy
  • Add an Azure app registration for Qlik Sense Mobile Client Managed
  • Add the Qlik Sense Mobile Client Managed app to the Intune Company Portal
  • Define a Qlik Sense Mobile Client Managed app protection policy
  • Define a Qlik Sense Mobile Client Managed configuration policy
  • Deploy the Qlik Sense Mobile Client Managed app

Set up a Qlik Sense Enterprise virtual proxy

  1. Open the Qlik Management Console (QMC) on the Qlik Sense Enterprise on Windows server by entering the QMC address in your browser.
    By default, the QMC address is https://<QPS server name>/qmc.
  2. Go to Proxies > Central Proxy.
  3. Enable Kerberos Authentication.
  4. From the QMC home page, go to Virtual Proxies.
  5. Click Create new Virtual Proxy.
  6. Enter the following information:
    • Identification
    • Authentication
    • Load Balancing
    • Host allow list sections
    Note: Make a note of the prefix you use. It is needed later in the Azure portal configuration (https://sense_server_fqdn/prefix).
    Note: The Windows Authentication pattern must be set to Mozilla.
  7. Click Save.

Set up Kerberos constrained delegation in Active Directory

  1. Log in to a server that has access to Active Directory in your primary domain.
  2. Open Windows PowerShell as an administrator.
  3. Create a Service Principal Name (SPN) for the Qlik Sense Enterprise on Windows installation using the following command: 
    setspn.exe -U -S HTTP/sense_server_fqdn domain\sense_server_service_account
  4. Open Active Directory Users and Computers.
  5. Find the computer that hosts the Azure AD App Proxy and open its properties.
  6. Go to the Delegation tab and choose Trust this computer for delegation to specified services only.
  7. Select Use any authentication protocol and add the SPN you created in step 3.
  8. Open ADSI and confirm that the Azure AD app proxy host is set to delegate to the Qlik Sense server.
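
The confirmation in step 8 can also be scripted. The following read-only check is an added example, not part of the Qlik documentation. It assumes the ActiveDirectory PowerShell module is installed, and the connector computer name is a hypothetical placeholder, as are the SPN and account values carried over from step 3.

```powershell
# Added example: read-only check of the SPN and delegation configured above.
# Requires the ActiveDirectory module (RSAT). All three values are placeholders.
Import-Module ActiveDirectory

$Spn           = 'HTTP/sense_server_fqdn'        # SPN created in step 3
$ServiceSam    = 'sense_server_service_account'  # service account name, without the domain prefix
$ConnectorHost = 'app_proxy_connector_host'      # hypothetical name of the connector computer

$findings = New-Object System.Collections.Generic.List[string]

# The SPN must be registered on exactly one object: the Qlik Sense service account.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
if ($owners.Count -ne 1) {
    $findings.Add("SPN $Spn is registered on $($owners.Count) objects; expected exactly 1.")
} elseif ($owners[0].sAMAccountName -ne $ServiceSam) {
    $findings.Add("SPN $Spn is registered on $($owners[0].sAMAccountName), not $ServiceSam.")
}

# Read the delegation settings of the computer that hosts the connector.
$computer = Get-ADComputer -Identity $ConnectorHost -Properties 'msDS-AllowedToDelegateTo',
    TrustedForDelegation, TrustedToAuthForDelegation
$allowed = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# Unconstrained delegation would let the host act as users toward any service.
if ($computer.TrustedForDelegation) {
    $findings.Add("$ConnectorHost is trusted for unconstrained delegation.")
}
# "Use any authentication protocol" (step 7) sets the protocol transition flag.
if (-not $computer.TrustedToAuthForDelegation) {
    $findings.Add("$ConnectorHost is not set to 'Use any authentication protocol'.")
}
# The Qlik Sense SPN must be in the delegation list.
if ($allowed -notcontains $Spn) {
    $findings.Add("$ConnectorHost is not allowed to delegate to $Spn.")
}
# Any other entry widens what the connector host can impersonate users to; review it.
$allowed | Where-Object { $_ -ne $Spn } | ForEach-Object {
    $findings.Add("Review additional delegation target: $_")
}

if ($findings.Count -eq 0) { 'Delegation matches the documented setup.' } else { $findings }
```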

Add an Azure enterprise application for Qlik Sense Enterprise on Windows virtual proxy

  1. Log in to the Azure portal and select Azure Active Directory Service.
  2. Select Application Proxy and confirm there is at least one active application proxy.
  3. Select Enterprise Applications.
  4. Click New application.
  5. Select On-premises application.
  6. Enter a name for the new application.
  7. Enter the URL for the server where Qlik Sense Enterprise on Windows is installed.
    Note: Include the QSE virtual proxy prefix in the URL path.
    For example: https://sense_server_fqdn/prefix
  8. Set up the External URL.
    Note: This URL is used later for the App Registration for Microsoft Intune. For example, https://sensekcd-qlikemmnet.msappproxy.net/prefix/.
    Note: The URL consists of a prefix (sensekcd-), followed by your tenant name, followed by msappproxy.net, followed by the QSE virtual proxy prefix.
  9. Ensure that the application is using Azure Active Directory for its Pre-Authentication method.
  10. Ensure that a valid Connector Group is selected to direct traffic to the application proxy.
  11. Select Single sign-on properties for the Enterprise Application.
  12. Choose Integrated Windows Authentication for Single Sign-on Mode.
  13. Enter the SPN you created earlier.
  14. Choose On-premises user principal name for Delegated Login Identity.
  15. Click Save.
  16. Select the enterprise application you added and click Properties.
  17. Set User assignment required to Yes, and click Save.

Add an Azure app registration for Qlik Sense Mobile Client Managed

  1. Log in to the Azure portal and select Azure Active Directory Service.
  2. Select App registrations.
  3. Click New Application Registration.
  4. Enter a Name.
  5. Enter a Redirect URI of type Public client/native (mobile & desktop) with a URI of qliksense-intune://com.qlik.qliksense.mobile.
  6. Click Register to continue.

  7. Take note of this app registration's Application ID.
  8. On the left-hand panel, click Authentication.

  9. Click Add a platform and add an Android platform.

    Enter Package Name com.qlik.qliksense.mobile.

    Enter Signature hash 17PV4mdIRAc/3SeFXILsSWg1aDU=.

    Click Configure and then click Done.

  10. Add and grant the following delegated permissions:
    • Microsoft Mobile Application Management – Read and Write the User's App Management data.
      This permission is found under the APIs my organization uses tab.
    • The Web app / API defined above – Access <Web App / API name>
    • Microsoft Graph – Read Directory Data
    • Windows Azure Active Directory – Sign in and read user profile
    Note: Some of these permissions require Admin consent.

Add the Qlik Sense Mobile Client Managed app to the Intune Company Portal

  1. Log in to the Microsoft Endpoint Manager Admin Center.
  2. Select Apps.
  3. Select All Apps.
  4. Click Add.
  5. Select an App type of Android Store App for Android, or iOS Store App for iOS.
  6. Click Select and then Search the App Store.

    Search for and select Qlik Sense Mobile Client Managed.

  7. Click Next and review/change Assignments ensuring that the appropriate users and devices are assigned to the app.
  8. Click Next and then click Create.
Note: Perform these same steps for both Android and iOS versions of Qlik Sense Mobile Client Managed.

Define a Qlik Sense Mobile Client Managed app protection policy

  1. Log in to the Microsoft Endpoint Manager Admin Center.
  2. Select Apps.
  3. Select App protection policies.
  4. Click Create Policy and select iOS/iPadOS or Android.
  5. Enter a Name and Description.
  6. Click Next.
  7. Set Target to all app types to Yes.
  8. Add a public app of Qlik Sense Mobile Client Managed for Android or iOS as defined above and click Next.

  9. Click on Select Required Apps and select the Qlik Sense Mobile Client Managed for Android or iOS app added above.
  10. If applicable, configure the data protection, access requirements and conditional launch values.
  11. Click Create.
  12. If the protection policy is configured to limit data transfer from Qlik Sense Mobile Client Managed, set the limitation to policy managed apps so that Qlik Sense Mobile Client Managed can send diagnostic emails.
    Note: For Android, use a browser to display help and use a PDF viewer to display the Qlik Sense Mobile Client Managed Terms and Conditions document.
    Note: For an iOS protection policy, a similar setting is required to allow Qlik Sense Mobile Client Managed to send diagnostic emails. Help and terms and conditions are displayed within the iOS Qlik Sense Mobile Client Managed app itself.
Note: Perform these same steps for both Android and iOS versions of Qlik Sense Mobile Client Managed.

Define a Qlik Sense Mobile Client Managed configuration policy

  1. Log in to the Microsoft Endpoint Manager Admin Center.
  2. Select Apps.
  3. Select App configuration policies.
  4. Click Add.
  5. Select an enrollment type of Managed Apps for Android or Managed Devices for iOS.
  6. Enter a Name and Description.
  7. Add a public app of the Qlik Sense Mobile Client Managed app previously added to the Company Portal. Click Next.

  8. Under the General configuration settings, enter mdm as the name and the following JSON document as the value:

    {
      "Accounts": [
        {
          "name": "Your server name",
          "url": "<external URL>",
          "config": {
            "AADAppId": "<the Application Id noted above>"
          }
        }
      ]
    }

  9. Click Next and assign the appropriate users or user groups.

  10. Click Next and then click Create.

  11. Ensure that the app configuration shows as assigned with an enrollment type of Managed apps for Android, or Managed devices for iOS.
Note: Perform these same steps for both Android and iOS versions of Qlik Sense Mobile Client Managed.
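
A malformed mdm value is one way to end up with the server missing from the app's server list. The following lint for the JSON document in step 8 is an added example, not part of the Qlik documentation. The function name Test-QlikMdmConfig is hypothetical and the sample document is constructed.

```powershell
# Added example: lint the "mdm" JSON value before saving the configuration policy.
function Test-QlikMdmConfig {
    param([Parameter(Mandatory)][string]$Json)

    $problems = New-Object System.Collections.Generic.List[string]
    try   { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("Not valid JSON: $($_.Exception.Message)"); return $problems }

    $accounts = @($doc.Accounts | Where-Object { $_ })
    if ($accounts.Count -eq 0) { $problems.Add('"Accounts" is missing or empty.') }

    foreach ($account in $accounts) {
        $label = "Account '$($account.name)'"
        if ([string]::IsNullOrWhiteSpace($account.name)) {
            $problems.Add("${label}: name is missing.")
        }
        # The url is the External URL of the enterprise application, including the prefix.
        $uri = $null
        if (-not [Uri]::TryCreate([string]$account.url, [UriKind]::Absolute, [ref]$uri)) {
            $problems.Add("${label}: url is not an absolute URL (placeholder left in?).")
        } elseif ($uri.Scheme -ne 'https') {
            $problems.Add("${label}: url should use https.")
        }
        # AADAppId is the Application ID of the app registration, which is a GUID.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse([string]$account.config.AADAppId, [ref]$guid)) {
            $problems.Add("${label}: config.AADAppId is not a GUID.")
        }
    }
    return $problems
}

# Constructed sample: the url placeholder was never replaced, the GUID is a dummy value.
$sample = @'
{ "Accounts": [ {
    "name": "Your server name",
    "url": "<external URL>",
    "config": { "AADAppId": "00000000-0000-0000-0000-000000000000" }
} ] }
'@
Test-QlikMdmConfig -Json $sample
```

For the constructed sample, the function reports only the url problem. A document with no problems returns nothing.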

Deploy the Qlik Sense Mobile Client Managed app to Android devices

  1. On an Intune-enrolled Android device, open the Company Portal and install Qlik Sense Mobile Client Managed.
  2. Launch Qlik Sense Mobile Client Managed.
  3. You should be prompted to indicate that the app is being managed. If you aren't, there is likely a configuration issue with the App protection policy.
  4. You should see your Qlik Sense Mobile Client Managed deployment in the Qlik Sense Mobile Client Managed server list. If you don't, there is likely a configuration or a user assignment issue.
  5. Logging in to the Qlik Sense Mobile Client Managed deployment should follow the Azure SSO login flow.

Deploy the Qlik Sense Mobile Client Managed app to iOS devices

  1. On an Intune-enrolled iOS device, open the Company Portal and install Qlik Sense Mobile Client Managed.
    Intune will present a dialog asking to manage Qlik Sense Mobile Client Managed.
  2. Click Yes or Manage.
  3. Launch Qlik Sense Mobile Client Managed.
    You should see the Qlik Sense Mobile Client Managed server you defined above. If you don't, there is likely a configuration or a user assignment issue.
  4. Click on the server and log in using SSO if required.
  5. You will see an Intune dialog indicating that the App data is managed. Click OK. Qlik Sense Mobile Client Managed will exit.
  6. Logging in to the Qlik Sense Mobile Client Managed deployment should follow the Azure SSO login flow.