Thank you for the very quick answer. So I am guessing the issue applies to both the current and beta versions, as I am having difficulty making it work:
Those are the versions I am testing on:
a) Tableau app (19.402.1795)
b) Tableau Beta app (19.506.1876)
But it would work seamlessly if we used the Edge browser on an iOS device managed by Intune, right? As this is the supported architecture, with conditional access.
One more question from our security team: is the app native or just a layer on top of "Apple WebKit", and would it be seen as a browser on our end?
You are correct, it applies to all versions of the Tableau Mobile app at this time. I have never had an opportunity to test on a mobile browser but it could work. Browsers have different access on mobile devices than does an app. I'd be interested to hear if it is working with a browser. Ironically, the mobile version of Edge is not supported for Tableau Server (see All Technical Specifications | Tableau Software and click on "Server" at the top, then scroll down to "Web Browsers"). I would recommend Safari for iOS and Chrome for Android.
Your question about the app being native is a good one! I've never had anyone ask before. Can you please create a Support Case so we can forward it to our Security team as a formal inquiry? You can open a case by navigating to Support Case | Tableau Software. Feel free to use my name and a link to this discussion in the case!
Nabil, this was an artifact of having the Integrated Windows Authentication not passing correctly from the Azure Application Proxy to the Tableau Server.
We have since resolved those issues and now have a single login to our on-prem Tableau Server via Azure Application Proxy.
We leverage Intune for MDM, but the Tableau Mobile app does not support the conditional access check for Intune compliance.
I am curious as to what exactly you had to do to make this work?
We use Kerberos authn internally for our Tableau servers and our Azure AD application proxies are set up to delegate user credentials with Kerberos Constrained Delegation. This works intermittently. We have tried both the Tableau Mobile App GA and Beta apps. The apps are exempted from conditional access.
Tableau has an article about publishing Tableau Server behind a load balancer or proxy. Did you have to do any of those steps to make this work?
In short, anything you did to your setup for this to work consistently would be of interest!
We didn't add any of the app proxies to the load balancer settings in Tableau.
From what I can tell, Microsoft and Tableau have been making various changes to the authentication in the last few months.
Does it work consistently internally for you, Kerberos without going through the app proxy? Do you have multiple application proxies?
Are you using the mobile app or mobile browser?
I've found Kerberos via Application Proxy to be a little clunky when you use various clients (Safari, Chrome, Edge, Internet Explorer, installed app) and then the OS.
Also, I can't believe I forgot we had an intermittent issue we just fixed.
It turned out to be reverse DNS lookups. It took us 1-2 weeks to resolve, but Bridget figured it out.
How many PTR records do you have for the name you are using to access Tableau?
Has there been any progress on the issue, the ability to use Conditional Access when connecting to Tableau Server using the Tableau Mobile app?
Do you suggest/recommend any alternate approach to make the mobile app work in these kinds of architectures?
Our Mobile Development team is currently looking into all the steps necessary to build in the ability to use Conditional Access but we have no commitment on the timeline for release. My understanding is that the change is quite comprehensive and will take quite a bit of code change... and therefore, time.
The current workarounds, that I'm aware of, are to allow traffic from the Tableau Mobile app to bypass or to use a mobile browser.
I wonder if there is any update on conditional access support in Tableau Mobile?
Understood that much time is required to implement the change.
Conditional access is really important to companies using Azure AD:
- Users cannot enjoy Tableau Mobile if the company enforces conditional access (e.g. Intune check) to maintain data loss prevention on mobile devices. (security)
- Without conditional access, MFA cannot be bypassed even if the device is Intune-enrolled (user friendliness)
Thank you very much!
We should have a Beta for the Intune SDK in the next week or so. However, this may or may not work for you if you require Conditional Access. Long story short:
1. If Conditional access is needed, can you configure Azure App proxy in “pass-through” mode? If so, you will be able to use the upcoming Beta and eventually the final release down the road (in a couple of months).
2. If Conditional access is needed, and you cannot configure Azure App proxy in “pass-through” mode, then we don’t have a solution for now. We're working on alternatives but have no timeline for now.
Feel free to message me directly if you want to be added to the upcoming Beta program. I'll need your name, organization name, Apple ID (we use Apple's Beta program, TestFlight) and an email address.
Hope this information helps!