Deploying Qlik Sense Mobile with Microsoft Azure and Intune

The Qlik Sense Mobile app can be deployed using Microsoft Azure and Intune. Some configuration changes are required in the Microsoft Azure portal to enable Single Sign On (SSO) and Intune management of Qlik Sense Mobile.

Before you begin:

  • Azure AD Connect must be configured to replicate between your primary domain (Active Directory) and the Azure portal (Azure Active Directory).
  • Azure AD Application Proxy Connector must be installed and configured.

To deploy the app using Microsoft Azure and Intune:

  • Set up a Qlik Sense Enterprise virtual proxy
  • Set up Kerberos constrained delegation in Active Directory
  • Add an Azure enterprise application for Qlik Sense Enterprise virtual proxy
  • Add an Azure app registration for Qlik Sense Mobile
  • Add the Qlik Sense Mobile app to the Intune Company Portal
  • Define a Qlik Sense Mobile app protection policy
  • Define a Qlik Sense Mobile configuration policy
  • Deploy the Qlik Sense Mobile app

Set up a Qlik Sense Enterprise virtual proxy

  1. Open the Qlik Management Console on the Qlik Sense Enterprise server.
  2. Go to Proxies > Central Proxy.
  3. Enable Kerberos Authentication.
  4. From the Qlik Management Console home page, go to Virtual Proxies.
  5. Click Create new Virtual Proxy.
  6. Enter the following information:
    • Identification
    • Authentication
    • Load Balancing
    • Host white list sections
    Note: Record the prefix you use; it is needed later in the Azure portal configuration (https://sense_server_fqdn/prefix).
    Note: The Windows Authentication pattern must be set to Mozilla.
  7. Click Save.

Set up Kerberos constrained delegation in Active Directory

  1. Log in to a server that has access to Active Directory in your primary domain.
  2. Open Windows PowerShell as an administrator.
  3. Create a Service Principal Name (SPN) for the Qlik Sense Enterprise installation using the following command: 
    setspn.exe -U -S HTTP/sense_server_fqdn domain\sense_server_service_account
  4. Open Active Directory Users and Computers.
  5. Find the computer that hosts the Azure AD App Proxy and open its machine properties.
  6. Go to the Delegation tab and choose Trust this computer for delegation to specified services only.
  7. Select Use any authentication protocol and add the SPN created.
  8. Open ADSI and confirm that the Azure AD app proxy host is set to delegate to the Qlik Sense server.
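
The confirmation in step 8 can also be scripted. The following PowerShell is an added example, not part of the original Qlik procedure; it assumes the RSAT ActiveDirectory module is installed, and the SPN, service account and connector host name are placeholders to replace with your own values.

```powershell
# Added example: check the SPN and the constrained-delegation settings.
Import-Module ActiveDirectory   # RSAT Active Directory module

$Spn           = 'HTTP/sense_server_fqdn'         # SPN created with setspn.exe (placeholder)
$ServiceAcct   = 'sense_server_service_account'   # sAMAccountName of the service account (placeholder)
$ConnectorHost = 'app_proxy_connector_host'       # hypothetical name of the App Proxy connector computer

$findings = @()

# The SPN must be registered on exactly one account, and it must be the service account.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
if ($owners.Count -ne 1) {
    $findings += "SPN $Spn is registered on $($owners.Count) accounts (expected 1)."
} elseif ($owners[0].sAMAccountName -ne $ServiceAcct) {
    $findings += "SPN $Spn is registered on $($owners[0].sAMAccountName), not $ServiceAcct."
}

# Read the delegation settings of the connector computer account.
$computer = Get-ADComputer -Identity $ConnectorHost -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
$allowed = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# "Use any authentication protocol" corresponds to TrustedToAuthForDelegation.
if (-not $computer.TrustedToAuthForDelegation) {
    $findings += "$ConnectorHost is not set to 'Use any authentication protocol'."
}
# "Specified services only" means unconstrained delegation must stay off.
if ($computer.TrustedForDelegation) {
    $findings += "$ConnectorHost is trusted for delegation to any service; the procedure calls for specified services only."
}
# The delegation list must contain the Qlik Sense SPN; anything else deserves a review.
if ($allowed -notcontains $Spn) {
    $findings += "$ConnectorHost is not allowed to delegate to $Spn."
}
$extra = @($allowed | Where-Object { $_ -ne $Spn })
if ($extra.Count -gt 0) {
    $findings += "Review additional delegation targets: $($extra -join ', ')"
}

if ($findings.Count -eq 0) { 'Delegation settings match the procedure.' } else { $findings }
```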

Add an Azure enterprise application for Qlik Sense Enterprise virtual proxy

  1. Log in to the Azure portal and select Azure Active Directory Service.
  2. Select Application Proxy and confirm there is at least one active application proxy.
  3. Select Enterprise Applications.
  4. Click New application.
  5. Select On-premises application.
  6. Enter a name for the new application.
  7. Enter the URL for the server where Qlik Sense Enterprise is installed.
    Note: Include the QSE virtual proxy prefix in the URL path.
    For example: https://sense_server_fqdn/prefix
  8. Set up the External URL.
    Note: This will be used later for the App Registration for Microsoft Intune. For example, https://sensekcd-qlikemmnet.msappproxy.net/prefix/.
    Note: The URL consists of a prefix (sensekcd-) followed by your tenant name followed by msappproxy.net followed by the QSE virtual proxy prefix.
  9. Ensure that the application is using Azure Active Directory for its Pre-Authentication method.
  10. Ensure that a valid Connector Group is selected to direct traffic to the application proxy.
  11. Select Single sign-on properties for the Enterprise Application.
  12. Choose Integrated Windows Authentication for Single Sign-on Mode.
  13. Enter the SPN you created earlier.
  14. Choose On-premises user principal name for Delegated Login Identity.
  15. Click Save.
  16. Select the enterprise application you added and click Properties.
  17. Set User assignment required to Yes, and click Save.

Add an Azure app registration for Qlik Sense Mobile

  1. Log in to the Azure portal and select Azure Active Directory Service.
  2. Select App registrations.
  3. Click New Application Registration.
  4. Enter a Name.
  5. Enter an App registration type of native.
  6. Enter a Redirect URL of msauth://com.qlik.qliksense.mobile/17PV4mdIRAc%2F3SeFXILsSWg1aDU%3D.
  7. For the App Registration click Settings and select Redirect URLs.
  8. Add an additional redirect URL of qliksense-intune://com.qlik.qliksense.mobile and click Save.
  9. Take note of this app registration's Application ID.
  10. Add and grant the following delegated permissions:
    • Microsoft Mobile Application Management - Read and Write the User's App Management data
    • The Web app / API defined above - Access <Web App / API name>
    • Microsoft Graph - Read Directory Data
    • Windows Azure Active Directory - Sign in and read user profile
    Note: Some of these permissions require Admin permissions. The first person to log in to Qlik Sense Mobile must be a user with tenant administration capabilities such that they can consent to the necessary permissions.

Add the Qlik Sense Mobile app to the Intune Company Portal

  1. Log in to the Azure portal and select the Intune service.
  2. Select Client Apps.
  3. Select Apps.
  4. Click Add.
  5. Select an App type of Android Store App for Android, or iOS Store App for iOS.
  6. Click Select a file and browse to the Qlik Sense Mobile apk file for Android, or ipa file for iOS, and save it.
  7. Click Configure and enter the following:
    • Name
    • Description
    • Minimum operating system
  8. Click OK.
  9. Once the app is uploaded, click Assignments and ensure that the appropriate users and devices are assigned to the app.
  10. Refresh the list of apps. You should see the new app of type Managed Android Store App for Android, or Managed iOS Store App for iOS, with an Assigned value of YES.

Define a Qlik Sense Mobile app protection policy

  1. Log in to the Azure portal and select the Intune service.
  2. Select Client Apps.
  3. Select App protection policies.
  4. Click Create Policy.
  5. Enter a Name and Description.
  6. Enter a Platform of Android or iOS.
  7. Set Target to all app types to Yes.
  8. Click on Select Required Apps and select the Qlik Sense Mobile for Android or iOS app added above.
    Note: For iOS you must add the Qlik Sense Mobile app via its bundle id com.qlik.qliksense.mobile.
    For Android you add the Qlik Sense Mobile app via its package id com.qlik.qliksense.mobile.
  9. Click Settings and configure the various settings, then click Save.
  10. If the protection policy is configured to limit data transfer from Qlik Sense Mobile, set the limitation to policy managed apps so that Qlik Sense Mobile can send diagnostic emails.
    Note: For Android, use a browser to display help and use a PDF viewer to display the Qlik Sense Mobile Terms and Conditions document.
    Note: For an iOS protection policy, a similar setting is required to allow Qlik Sense Mobile to send diagnostic emails. Help and terms and conditions are displayed within the iOS Qlik Sense Mobile app itself.

Define a Qlik Sense Mobile configuration policy

  1. Log in to the Azure portal and select the Intune service.
  2. Select Client Apps.
  3. Select App configuration policies.
  4. Click Add.
  5. Enter a Name and Description.
  6. Select an enrollment type of Managed Apps for Android or Managed Devices for iOS.
  7. Click Assignments and assign the appropriate users or user groups.
  8. Click Select the required app and select the Qlik Sense Mobile app added to the Company Portal.
  9. Click Configuration settings and enter a name of mdm.
  10. For Value, enter the following JSON document: { "Accounts" : [ {"name":"Your server name","url":"<external URL>", "config": { "AADAppId" : "<the Application Id noted above>"} } ] }
  11. Click Save.
  12. Ensure that the app configuration shows as assigned with an enrollment type of Managed apps for Android, or Managed devices for iOS.
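
A mistake in the mdm value only shows up later as a missing server on the device, so it is worth checking the JSON before saving it. The following PowerShell is an added example, not part of the original Qlik procedure; Test-QlikMdmConfig is a hypothetical helper name, the sample value is constructed, and the checks assume the External URL format described earlier on this page.

```powershell
# Added example: lint the "mdm" configuration value before saving it in Intune.
function Test-QlikMdmConfig {
    param([Parameter(Mandatory = $true)][string]$Json)

    try   { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "Not valid JSON: $($_.Exception.Message)" }

    $accounts = @($doc.Accounts | Where-Object { $_ })
    if ($accounts.Count -eq 0) { return '"Accounts" is missing or empty.' }

    foreach ($a in $accounts) {
        $label = "Account '$($a.name)'"
        if ([string]::IsNullOrWhiteSpace($a.name)) { 'An account has no name.' }

        # The url must be the https External URL, including the virtual proxy prefix.
        $uri = $null
        if (-not [uri]::TryCreate([string]$a.url, [System.UriKind]::Absolute, [ref]$uri)) {
            "${label}: url is not an absolute URL."
        } else {
            if ($uri.Scheme -ne 'https') { "${label}: url must use https." }
            if ($uri.Host -notlike '*.msappproxy.net') {
                "${label}: host '$($uri.Host)' is not an msappproxy.net address; confirm it is the External URL."
            }
            if ($uri.AbsolutePath -eq '/') { "${label}: url has no virtual proxy prefix in its path." }
        }

        # The Application ID of the app registration is a GUID.
        $id = [guid]::Empty
        if (-not [guid]::TryParse([string]$a.config.AADAppId, [ref]$id)) {
            "${label}: config.AADAppId is not a GUID."
        }
    }
}

# Constructed sample: the example External URL from this page, with the
# AADAppId placeholder deliberately left unreplaced so that one problem is reported.
$sample = @'
{ "Accounts" : [ {"name":"Sense KCD","url":"https://sensekcd-qlikemmnet.msappproxy.net/prefix/",
  "config": { "AADAppId" : "<the Application Id noted above>"} } ] }
'@
@(Test-QlikMdmConfig -Json $sample)
```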

Deploy the Qlik Sense Mobile app to Android devices

  1. On an Intune enrolled Android device open the Company Portal and install Qlik Sense Mobile.
  2. Launch Qlik Sense Mobile.
  3. You should be prompted to indicate that the app is being managed. If you are not, then there is likely a configuration issue with the App protection policy.
  4. You should see your Qlik Sense Mobile deployment in the Qlik Sense Mobile server list. If you don't then there is likely a configuration or a user assignment issue.
  5. Logging in to the Qlik Sense Mobile deployment should follow the Azure SSO login flow.

Deploy the Qlik Sense Mobile app to iOS devices

  1. On an Intune enrolled iOS device open the Company Portal and install Qlik Sense Mobile.
    Intune will present a dialog asking to manage Qlik Sense Mobile.
  2. Click Yes or Manage.
  3. Launch Qlik Sense Mobile.
    You should see the Qlik Sense Mobile server you defined above. If you don't then there is likely a configuration or a user assignment issue.
  4. Click on the server and log in using SSO if required.
  5. You will see an Intune dialog indicating that the App data is managed. Click OK. Qlik Sense Mobile will exit.
  6. Logging in to the Qlik Sense Mobile deployment should follow the Azure SSO login flow.