
Configuring Intune App Protection (MAM) for the Halo Mobile applications
<style>p { margin: 0 0 10px; }h1, h2, h3 { margin: 20px 0 10px; }h4, h5, h6 { margin: 10px 0 10px; }</style><blockquote> <p><strong>Halo version:</strong> v2.244+</p> </blockquote> <blockquote> <p><strong>Halo Mobile version:</strong> Halo mobile app (iOS &amp; Android) - v1.5+</p> </blockquote> <blockquote> <p><strong>Audience:</strong> Halo administrators configuring Microsoft Intune protection for their organisation.</p> </blockquote> <blockquote> <p><strong>Last updated:</strong> 03/07/2026</p> </blockquote> <hr /> <h2 id="introduction">1. Introduction</h2> <p>The Halo mobile app lets your agents connect to your Halo instance from a phone or tablet.</p> <p>By default, sign-in uses the same method as the Halo web application, but can optionally be protected with <strong>Microsoft Intune App Protection</strong> so that Halo data on the device is PIN-gated and remotely wipeable.</p> <p>There are two sign-in modes, chosen automatically based on your Halo settings:</p> <table> <thead> <tr> <th>Mode</th> <th>When</th> <th>What the user gets</th> </tr> </thead> <tbody> <tr> <td><strong>Standard SSO</strong></td> <td>Default. Intune App Protection not enabled.</td> <td>Normal Halo or Entra (if web app SSO is configured) sign-in. 
Halo tokens stored securely on device.</td> </tr> <tr> <td><strong>Intune-protected</strong></td> <td>You enable Intune App Protection (MAM).</td> <td>Entra sign-in via the Microsoft broker app, Intune enrolment, then Halo access - with App Protection policy applied.</td> </tr> </tbody> </table> <hr /> <p>This guide covers everything needed to set up <strong>Intune-protected</strong> sign-in.</p> <h3 id="prerequisites-checklist">Prerequisites checklist</h3> <ul class="contains-task-list"> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> Halo web app on version 2.244 or later.</li> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> Halo mobile applications (iOS or Android) on version 1.5 or later.</li> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> Halo mobile application enabled in your Halo instance.</li> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> Microsoft Entra ID (Azure AD) tenant with an SSO app registration already configured for Halo. This must be configured in the &quot;Single Sign-on&quot; module.</li> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> Halo Agents are synced with Microsoft Entra ID (Azure AD).</li> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> For Intune features only: an Intune subscription (Plan 1 or a suite that includes it) and the appropriate admin roles.</li> <li class="task-list-item"><input disabled="disabled" type="checkbox" /> Admin who can grant tenant admin consent in Entra.</li> </ul> <hr /> <h2 id="how-it-all-fits-together">2. How it all fits together</h2> <p>Configuration happens in up to three places. The first two are required to enable sign-in with a Microsoft broker app. Intune configuration is optional, but MAM policies are recommended to allow enrolment with Intune.</p> <pre><code>1. Microsoft Entra ID (your Halo SSO app registration)
   - Expose an API
   - access_as_user
   - Authorise Halo Mobile
   - Grant admin consent
        ↓
2. Halo Configuration
   - Activate &quot;Enable Intune App Protection (MAM) for the Mobile App&quot; in Advanced Settings.
   - Pick a &quot;Single Sign-On Configuration&quot; record for the Mobile app to use for authentication in Advanced Settings.
   - Choose an Intune enrolment mode (required or optional) in Advanced Settings.
        ↓
3. Microsoft Intune (Optional)
   - MAM / App Protection Policies
   - Conditional Access
   - MDM
   - Managed Configuration
</code></pre> <p>At sign-in, the app reads your instance's settings, and if Intune is enabled, it authenticates against your SSO app registration through the Microsoft broker, enrols the app with Intune, then exchanges that token for a Halo session.</p> <p>If no broker app (Intune Company Portal on Android, Microsoft Authenticator on iOS) is installed on the device, sign-in can still be completed, but Intune enrolment cannot.</p> <hr /> <h2 id="choose-what-you-need">3. Choose what you need</h2> <table> <thead> <tr> <th>Your goal</th> <th>Configure</th> </tr> </thead> <tbody> <tr> <td>Entra sign-in via the Microsoft broker app</td> <td><strong>Entra SSO</strong> (§4) + <strong>Halo settings</strong> (§5)</td> </tr> <tr> <td>Protect Halo data on personal/BYOD devices</td> <td><strong>MAM</strong> - App Protection Policy (§7). 
Requires Entra steps §4 + Halo settings §5.</td> </tr> <tr> <td>Force a device to be managed before access</td> <td><strong>MDM</strong> device enrolment + (optionally) <strong>Conditional Access</strong> (§8, §9).</td> </tr> <tr> <td>Auto-connect the app to a fixed Halo URL on managed devices</td> <td><strong>MDM</strong> managed config <code>halo_url</code> (§8.3).</td> </tr> <tr> <td>Guarantee protection is enforced, not just attempted</td> <td><strong>Conditional Access</strong> &quot;Require app protection policy&quot; (§9).</td> </tr> </tbody> </table> <hr /> <blockquote> <p><strong>Recommendation:</strong> use <strong>Conditional Access</strong> to enforce protection. Halo's &quot;Intune enrolment mode = Required&quot; (§5.3) is a convenient in-app fallback, but Intune Conditional Access is the robust, Microsoft-native enforcement point.</p> </blockquote> <hr /> <h2 id="microsoft-entra-id-azure-configuration">4. Microsoft Entra ID (Azure) configuration</h2> <p>These steps let the Halo mobile app use a native Microsoft broker app to request a token scoped to <strong>your</strong> SSO application, which Halo then validates and exchanges for a Halo session.</p> <p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImU4NGVhMmI5LTMzYjctNGI0Yy05NmQxLTQwNmVhYmYxMjI5NyJ9.5OVUbrC-LgNfMy7l0saLZRUe9dkSX27wqht9EVfz6RE" alt="Entra ID Expose an API" /></p> <h3 id="prerequisite-azure-sso-already-set-up-in-halo">4.1 Prerequisite - Azure SSO already set up in Halo</h3> <p>Standard Entra SSO for Halo must already be working. 
The steps below modify that same SSO app registration.</p> <p>To configure Single Sign-On with Entra in Halo, see the following guide:</p> <ul> <li><a href="https://usehalo.com/guides/2667">Single Sign-On (SSO) in Halo</a></li> </ul> <p><em>Note that SSO must be configured in the Single Sign-on module - not the legacy Entra SSO settings</em>.</p> <h3 id="expose-an-api-on-your-sso-app-registration">4.2 Expose an API on your SSO app registration</h3> <ol> <li>In the <strong>Microsoft Entra admin center</strong> → <strong>Entra ID → App registrations</strong>, open your Halo <strong>SSO application</strong>.</li> <li>Go to <strong>Manage → Expose an API</strong>.</li> <li>Confirm the <strong>Application ID URI</strong>. By default, Entra proposes <code>api://{your-sso-app-client-id}</code>. Keep the default unless you have a reason to use a custom URI or you already have a custom URI configured (see §4.6).</li> <li>Select <strong>Add a scope</strong> and create: <ul> <li><strong>Scope name:</strong> <code>access_as_user</code></li> <li><strong>Who can consent:</strong> Admins and users (or Admins only, per your policy)</li> <li><strong>Display name/description:</strong> e.g. &quot;Access Halo as a user&quot;</li> <li><strong>State:</strong> Enabled</li> </ul> </li> <li>Save. 
The full scope string is the Application ID URI + <code>/access_as_user</code>.</li> </ol> <blockquote> <p>If you changed the Application ID URI from the default, you must also set the matching value in Halo (§5.4).</p> </blockquote> <h3 id="authorise-the-halo-mobile-app-as-a-client">4.3 Authorise the Halo Mobile app as a client</h3> <p>Still under <strong>Expose an API</strong>, in <strong>Authorized client applications</strong>:</p> <ol> <li>Select <strong>Add a client application</strong>.</li> <li><strong>Client ID:</strong> <code>65d704f3-fff1-42e0-a7bb-cec47b215837</code> (the <strong>Halo Mobile</strong> app - a multi-tenant app published in Halo's own tenant).</li> <li>Tick the <code>access_as_user</code> scope you created.</li> <li><strong>Add application.</strong></li> </ol> <p>This pre-authorises the mobile app so your users aren't prompted to consent to the scope individually.</p> <h3 id="set-requestedaccesstokenversionaccesstokenacceptedversion-to-2">4.4 Set requestedAccessTokenVersion/accessTokenAcceptedVersion to 2</h3> <ol> <li>In the SSO application, open <strong>Manifest</strong>.</li> <li>In the Microsoft Graph App Manifest, ensure the <strong>requestedAccessTokenVersion</strong> is set to <em>2</em>. This may not show, and you may only have access to the AAD Graph App Manifest; in which case proceed to step 3.</li> <li>In the Microsoft Graph App Manifest, ensure the <strong>accessTokenAcceptedVersion</strong> is set to <em>2</em>. This may not show, and you may only have access to the Microsoft Graph App Manifest.</li> <li>Save.</li> </ol> <h3 id="grant-admin-consent">4.5 Grant admin consent</h3> <p>The Halo Mobile app requests the delegated permissions <code>User.Read</code> and <code>DeviceManagementManagedApps.ReadWrite</code> (the latter allows the app to enrol itself for Intune App Protection). 
These typically require <strong>tenant admin consent</strong>.</p> <ul> <li>Grant consent from <strong>Entra ID → Enterprise applications → Halo Mobile → Permissions → Grant admin consent</strong>, <strong>or</strong></li> <li>Use the consent link Halo provides on the Advanced Settings page in the &quot;Mobile App&quot; section.</li> </ul> <h3 id="application-id-uri-default-vs-custom">4.6 Application ID URI - default vs custom</h3> <ul> <li><strong>Default</strong> (<code>api://{client-id}</code>): nothing extra to do.</li> <li><strong>Custom</strong> (e.g. a verified-domain URI): whatever you set here must match what Halo validates against. Set the matching <strong>Application ID URI</strong> value in the Single Sign-On record in Halo.</li> </ul> <h3 id="reference-halo-mobile-app-identifiers">4.7 Reference - Halo Mobile app identifiers</h3> <table> <thead> <tr> <th>Item</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Halo Mobile app (client id)</td> <td><code>65d704f3-fff1-42e0-a7bb-cec47b215837</code></td> </tr> <tr> <td>App bundle / package id</td> <td><code>com.haloservicesolutions</code></td> </tr> <tr> <td>Delegated permissions</td> <td><code>User.Read</code>, <code>DeviceManagementManagedApps.ReadWrite</code></td> </tr> </tbody> </table> <hr /> <h2 id="halo-configuration">5. Halo configuration</h2> <p>All under <strong>Config → Advanced Settings</strong> except §5.4.</p> <p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjE0ZGJkY2M4LTE4MzMtNDdkMC1hNTQ3LWJmODNkYjczZmIxYyJ9.amgp6iq-vWFFlgEsnVGATgm4N7bVoZzKEB8IfQLNVSA" alt="Halo mobile settings in Advanced Settings" /></p> <h3 id="enable-intune-app-protection-mam-for-the-mobile-app">5.1 Enable Intune App Protection (MAM) for the Mobile App</h3> <p>Turns on the Intune-protected sign-in flow for your instance. 
When enabled (and an SSO record is selected, §5.2), the app stops using the standard authorization-code flow and routes through Intune.</p> <blockquote> <p><strong>Note:</strong> enabling this locks out older app versions that don't support the new flow.</p> </blockquote> <h3 id="mobile-app-single-sign-on-configuration">5.2 Mobile app single sign-on configuration</h3> <p>Select which Entra <strong>Single Sign-on</strong> record the mobile app should use for its MSAL sign-in. The app takes the <strong>client id</strong> and <strong>tenant id</strong> from this record.</p> <h3 id="intune-enrolment-mode">5.3 Intune enrolment mode</h3> <ul> <li><strong>Required</strong> - in-app gate: users cannot sign in until Intune enrolment succeeds.</li> <li><strong>Optional</strong> - enrolment is attempted; if it fails, the user is still allowed in (with messages shown in some cases).</li> </ul> <p>Conditional Access (§9), if configured, overrides this and makes enrolment mandatory regardless. Use this setting as a fallback where CA isn't in place.</p> <p><strong>Note that a MAM policy targeting the agents who use the mobile app will need to be configured if the enrolment mode is set to Required</strong>.</p> <h3 id="application-id-uri-only-if-you-customised-it-in-4.6">5.4 Application ID URI (only if you customised it in §4.6)</h3> <p>Set this to match the custom Application ID URI on your SSO app registration. Leave blank to use the Entra default (<code>api://{client-id}</code>). 
This is found on the Single Sign-On configuration record in &quot;Config &gt; Integrations &gt; Single Sign-On&quot;.</p> <p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjMyN2FkNmNjLTVhMTctNDY1ZC1hYzNmLWNhYTlkMGMzYTFkOCJ9.bTGK5EGphczzs7naKDFsZw-n5GGzDmegLb0V4y89f1w" alt="Halo Application ID URI setting in Single Sign-on configuration" /></p> <h3 id="what-the-app-reads">5.5 What the app reads</h3> <p>For reference, <code>/api/InstanceInfo</code> exposes the resulting settings to the app: <code>mobileapp_enable_mam</code>, <code>mobileapp_azure_tenant_id</code>, <code>mobileapp_api_scope</code> (<code>api://.../access_as_user</code>), and <code>mobileapp_intune_enrollment_mode</code>.</p> <hr /> <h2 id="mdm-vs-mam-what-they-are">6. MDM vs MAM (what they are)</h2> <ul> <li><strong>MAM (Mobile Application Management) / App Protection Policies (APP)</strong> protects <em>the app's data only</em> - PIN, copy/paste and screenshot controls, selective wipe - <strong>without managing the device</strong>. Ideal for BYOD. This is the primary Intune feature for the Halo app.</li> <li><strong>MDM (Mobile Device Management)</strong> manages <em>the whole device</em> (device enrolment via Company Portal). Needed only if you want device-wide control, managed-config auto-connect, or device-compliance Conditional Access.</li> </ul> <p>You can use MAM alone, MDM alone, or both. Most organisations protecting Halo on personal devices want <strong>MAM</strong>.</p> <hr /> <h2 id="intune-app-protection-mam-setup">7. Intune App Protection (MAM) setup</h2> <h3 id="prerequisites">7.1 Prerequisites</h3> <ul> <li><strong>Licensing:</strong> Intune Plan 1 (or a suite that includes it) with MAM capability. Device-only licences do not support App Protection Policies. 
Your Halo agents that log into the Mobile app will require an Intune licence.</li> <li><strong>Admin role:</strong> Intune Administrator / Global Administrator (or an Application Manager RBAC role with Managed-apps permissions).</li> <li><strong>Broker app</strong> on the device (see §10): Company Portal (Android) / Microsoft Authenticator (iOS). Enrolment requires the broker.</li> </ul> <h3 id="create-app-protection-policies">7.2 Create App Protection Policies</h3> <p>Create <strong>one policy per platform</strong>:</p> <ol> <li>In the <strong>Microsoft Intune admin center</strong> → <strong>Apps → Protection</strong> (a.k.a. App protection policies) → <strong>Create policy</strong> → choose <strong>iOS/iPadOS</strong> or <strong>Android</strong>.</li> <li><strong>Basics:</strong> name (e.g. <code>Halo - iOS - APP</code>) and description.</li> <li><strong>Apps:</strong> select the Halo app. You can add the Halo app to Intune by following §8.1 (required if you plan on using MDM) or add it as a <strong>custom app</strong> by bundle id/package name (<code>com.haloservicesolutions</code>).</li> <li><strong>Data protection:</strong> configure DLP controls (cut/copy/paste, save-as, &quot;send org data to other apps&quot;, etc.).</li> <li><strong>Access requirements:</strong> PIN, biometrics, credentials.</li> <li><strong>Conditional launch:</strong> min OS/app/SDK version, jailbreak/root checks, and the action on failure (block/wipe).</li> <li><strong>Assignments:</strong> assign to the relevant <strong>user groups</strong>.</li> <li><strong>Create.</strong></li> </ol> <blockquote> <p>App protection policies take time to apply and are delivered/refreshed on app check-in, so newly-set controls (clipboard, screenshots, PIN) may not be active immediately after first sign-in.</p> </blockquote> <hr /> <h2 id="intune-mdm-setup-optional">8. 
Intune MDM setup (optional)</h2> <p>Only needed for device-level management, managed-config auto-connect, or device-compliance CA.</p> <h3 id="add-the-halo-app-to-intune">8.1 Add the Halo app to Intune</h3> <p>Add the Halo app in Intune &gt; Apps:</p> <ul> <li><strong>iOS:</strong> add the App Store app (and assign it); the Halo bundle id is <code>com.haloservicesolutions</code>.</li> <li><strong>Android:</strong> add via Managed Google Play; app id <code>com.haloservicesolutions</code>.</li> </ul> <h3 id="device-enrolment">8.2 Device enrolment</h3> <p>Enrol devices via Company Portal (Android Enterprise / iOS Automated or Device Enrolment). See Microsoft documentation on how to configure this.</p> <h3 id="auto-connect-via-managed-config-halo_url">8.3 Auto-connect via managed config (<code>halo_url</code>)</h3> <p>You can pre-set and lock the Halo URL so the app skips the &quot;enter your Halo URL&quot; screen.</p> <ul> <li><strong>Important:</strong> this uses the <strong>Managed devices</strong> app configuration channel, which requires an <strong>MDM-enrolled device</strong>. It does <strong>not</strong> work through the MAM-only channel. BYOD/MAM-only users type the URL as normal.</li> <li><strong>Console:</strong> <strong>Apps → Configuration → Create → Managed devices</strong>, one policy per platform, targeting the Halo app, with key <strong><code>halo_url</code></strong> = your Halo URL (e.g. <code>https://mycompany.haloitsm.com</code>).</li> </ul> <p>When this is set, the &quot;Enter your Halo URL&quot; screen will not show, and it will instead show a &quot;Connecting to Halo&quot; screen and auto-connect to the Halo instance specified.</p> <hr /> <h2 id="conditional-access-optional-recommended">9. 
Conditional Access (optional, recommended)</h2> <p>Conditional Access (CA) is the Microsoft-native way to <strong>enforce</strong> that the app is protected before it can obtain a token.</p> <h3 id="what-it-does-here">9.1 What it does here</h3> <p>With a &quot;Require app protection policy&quot; CA policy in place, Entra will not issue a token to the app until it is enrolled and protected. The app detects this and drives the user through Intune enrolment automatically, then completes sign-in.</p> <h3 id="create-the-policy">9.2 Create the policy</h3> <ol> <li><strong>Microsoft Intune admin center → Endpoint security → Conditional access → Create new policy</strong> (or via <strong>Entra ID → Conditional Access</strong>).</li> <li><strong>Users:</strong> target the relevant users/groups.</li> <li><strong>Target resources:</strong> the cloud app(s) the policy protects. The target for this is <strong>your Halo SSO app</strong> (not the Halo Mobile application).</li> <li><strong>Conditions:</strong> set <strong>Device platforms</strong> (iOS, Android).</li> <li><strong>Grant → Require app protection policy</strong>.</li> <li>Enable and create.</li> </ol> <blockquote> <p>App Protection Policies (§7) must exist and be assigned <strong>before</strong> turning this on, or users will be blocked. App Protection Policies take time to apply.</p> </blockquote> <h3 id="device-compliance-ca-caveat">9.3 Device-compliance CA - caveat</h3> <p>A CA policy that requires a <strong>compliant / managed device</strong> (&quot;Require device to be marked as compliant&quot; / hybrid-joined) <strong>cannot</strong> be satisfied by MAM app protection - the device itself must be <strong>MDM-enrolled</strong> via Company Portal. The Halo app detects this case and tells the user to enrol their device; it cannot do it for them. 
Only use device-compliance CA if you're running full MDM.</p> <h3 id="conditional-access-vs-halo-enrolment-mode">9.4 Conditional Access vs Halo enrolment mode</h3> <table> <thead> <tr> <th>Setting</th> <th>Enforcement point</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><strong>CA &quot;Require app protection policy&quot;</strong></td> <td>Microsoft Entra</td> <td>Recommended. Robust; overrides Halo enrolment mode.</td> </tr> <tr> <td><strong>Halo enrolment mode = Required</strong></td> <td>Halo app</td> <td>Fallback where CA isn't configured.</td> </tr> <tr> <td><strong>Halo enrolment mode = Optional</strong></td> <td>Halo app</td> <td>Attempts enrolment; allows access if it fails.</td> </tr> </tbody> </table> <hr /> <h2 id="broker-apps-company-portal-microsoft-authenticator">10. Broker apps (Company Portal / Microsoft Authenticator)</h2> <p>Intune enrolment and CA remediation require a Microsoft <strong>broker</strong> app on the device:</p> <ul> <li><strong>Android:</strong> Intune <strong>Company Portal</strong>.</li> <li><strong>iOS:</strong> <strong>Microsoft Authenticator</strong>.</li> </ul> <p>Without the broker, sign-in may fall back to the browser but <strong>enrolment cannot complete</strong>. If a user is missing it, the app prompts them to install the correct one from the store. Consider deploying the broker to users in advance.</p> <hr /> <h2 id="troubleshooting-admin-facing">11. 
Troubleshooting (admin-facing)</h2> <table oid=""> <thead> <tr> <th>User sees</th> <th>Likely cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>&quot;Needs admin approval&quot; at sign-in</td> <td>Admin consent not granted (§4.5).</td> <td>Grant tenant admin consent for Halo Mobile.</td> </tr> <tr> <td>&quot;Install Company Portal / Microsoft Authenticator&quot;</td> <td>Broker app missing.</td> <td>Install the correct broker (§10).</td> </tr> <tr> <td>No Intune licence / not licensed</td> <td>User has no Intune licence, or no APP assigned.</td> <td>Assign an Intune licence and an App Protection Policy.</td> </tr> <tr> <td>Enrolment/setup not completed by your organisation</td> <td>&quot;Expose an API&quot; / client authorisation/consent incomplete (§4).</td> <td>Recheck §4.2–4.5.</td> </tr> <tr> <td>Device must be enrolled (compliance)</td> <td>Device-compliance CA in place; device not MDM-enrolled.</td> <td>User enrols device via Company Portal, or relax the CA (§9.3).</td> </tr> <tr> <td>&quot;Sign in again - new policies&quot;</td> <td>Halo MAM/SSO settings changed since last sign-in.</td> <td>Expected after config changes; user re-signs in.</td> </tr> <tr> <td>Tenant mismatch error</td> <td>Signed-in account isn't in the SSO tenant configured in Halo.</td> <td>Confirm the SSO record/tenant (§5.2).</td> </tr> <tr> <td>Unable to validate token</td> <td>Token exchange failed, likely configuration not completed or Application ID URI doesn't match between Halo and Entra</td> <td>Recheck §4.2–4.6.</td> </tr> <tr> <td>Agent not found with Azure OID </td> <td>The Entra user/tenant combo does not exist in Halo as an Agent account</td> <td>Run an Entra sync for the tenant, and sync Entra users to Halo agent accounts. Verify the agent can log into the Web application with Entra SSO.</td> </tr> </tbody> </table> <hr /> <h2 id="appendix">12. 
Appendix</h2> <h3 id="glossary">Glossary</h3> <ul> <li><strong>MDM</strong> - Mobile Device Management (whole-device management).</li> <li><strong>MAM / APP</strong> - Mobile Application Management / App Protection Policy (app-data protection, no device enrolment).</li> <li><strong>Conditional Access (CA)</strong> - Entra rules gating token issuance.</li> <li><strong>Broker</strong> - Company Portal (Android) / Microsoft Authenticator (iOS).</li> <li><strong>UPN / OID / Tenant ID</strong> - user principal name / Entra object id / directory id. User matching for the Halo exchange is by <strong>OID + tenant</strong> (UPN matching is disabled for multi-tenant security).</li> <li><strong>Token exchange</strong> - the grant Halo uses to swap the Entra-issued token for a Halo session token.</li> </ul> <h3 id="reference">Reference</h3> <table> <thead> <tr> <th>Item</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Halo Mobile app (client id)</td> <td><code>65d704f3-fff1-42e0-a7bb-cec47b215837</code></td> </tr> <tr> <td>App id (bundle/package)</td> <td><code>com.haloservicesolutions</code></td> </tr> <tr> <td>Delegated permissions</td> <td><code>User.Read</code>, <code>DeviceManagementManagedApps.ReadWrite</code></td> </tr> <tr> <td>Scope to expose</td> <td><code>{Application ID URI}/access_as_user</code></td> </tr> <tr> <td>Managed config key</td> <td><code>halo_url</code></td> </tr> </tbody> </table>
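<p>Added example (not part of the original guide and not Halo's code): a pre-flight audit of the SSO app registration against §4.2–4.4 and the scope string from §5.5, which covers the misconfigurations behind the &quot;Enrolment/setup not completed&quot; and &quot;Unable to validate token&quot; rows in §11. It assumes you have the registration as a Microsoft Graph application object (JSON) and that <code>/api/InstanceInfo</code> returns a flat JSON object with the keys listed in §5.5; the function name and the sample GUIDs are constructed.</p>

```python
import json

HALO_MOBILE_CLIENT_ID = "65d704f3-fff1-42e0-a7bb-cec47b215837"  # section 4.3
SCOPE_NAME = "access_as_user"                                   # section 4.2


def audit_registration(app, instance_info=None):
    """Return a list of findings; an empty list means every check passed.

    app: Microsoft Graph application object of the Halo SSO app registration.
    instance_info: parsed /api/InstanceInfo response (assumed to be a flat
    JSON object carrying the keys named in section 5.5), or None to skip.
    """
    findings = []
    api = app.get("api") or {}

    # Section 4.4: the registration must be set to v2 access tokens.
    if api.get("requestedAccessTokenVersion") != 2:
        findings.append("requestedAccessTokenVersion is not 2 (section 4.4)")

    # Section 4.2: an Application ID URI and an enabled access_as_user scope.
    uris = app.get("identifierUris") or []
    if not uris:
        findings.append("no Application ID URI is set (section 4.2)")
    scopes = api.get("oauth2PermissionScopes") or []
    scope = next((s for s in scopes if s.get("value") == SCOPE_NAME), None)
    if scope is None:
        findings.append("scope access_as_user is missing (section 4.2)")
    elif not scope.get("isEnabled"):
        findings.append("scope access_as_user is disabled (section 4.2)")

    # Section 4.3: Halo Mobile must be pre-authorised for that scope's id.
    if scope is not None:
        clients = api.get("preAuthorizedApplications") or []
        client = next((c for c in clients
                       if str(c.get("appId", "")).lower() == HALO_MOBILE_CLIENT_ID), None)
        if client is None:
            findings.append("Halo Mobile is not an authorised client (section 4.3)")
        elif scope.get("id") not in (client.get("delegatedPermissionIds") or []):
            findings.append("Halo Mobile is not authorised for access_as_user (section 4.3)")

    # Sections 4.6 and 5.4: the scope Halo hands to the app must be built
    # from an Application ID URI that exists on the registration.
    if instance_info is not None and uris:
        expected = {u.rstrip("/") + "/" + SCOPE_NAME for u in uris}
        advertised = instance_info.get("mobileapp_api_scope")
        if advertised not in expected:
            findings.append(
                f"mobileapp_api_scope {advertised!r} does not match the "
                "registration's Application ID URI (sections 4.6, 5.4)")
    return findings


# Constructed sample data: the tenant-side GUIDs below are placeholders.
SAMPLE_APP = json.loads("""
{
  "appId": "11111111-1111-1111-1111-111111111111",
  "identifierUris": ["api://11111111-1111-1111-1111-111111111111"],
  "api": {
    "requestedAccessTokenVersion": 2,
    "oauth2PermissionScopes": [
      {"id": "22222222-2222-2222-2222-222222222222",
       "value": "access_as_user", "isEnabled": true, "type": "User"}
    ],
    "preAuthorizedApplications": [
      {"appId": "65d704f3-fff1-42e0-a7bb-cec47b215837",
       "delegatedPermissionIds": ["22222222-2222-2222-2222-222222222222"]}
    ]
  }
}
""")
SAMPLE_INFO = {
    "mobileapp_enable_mam": True,
    "mobileapp_api_scope": "api://11111111-1111-1111-1111-111111111111/access_as_user",
}

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_APP, SAMPLE_INFO) or ["all checks passed"]:
        print(finding)
```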