Slack Mac App Proxy

If you never want your Mac to use a proxy, even if one is detected with WPAD, leave this box unchecked. To use an automatic proxy configuration script, also known as a.PAC file, enable the “Automatic Proxy Configuration” checkbox. Enter the address of the script in the URL box. Your network administrator or proxy provider will provide you with the address to the proxy configuration script, if you need one.



Edge for iOS and Android is designed to enable users to browse the web and supports multi-identity. Users can add a work account, as well as a personal account, for browsing. There is complete separation between the two identities, which is like what is offered in other Microsoft mobile apps.

Edge for iOS is supported on iOS 12.0 and later. Edge for Android is supported on Android 5 and later.

Note

Edge for iOS and Android doesn't consume settings that users set for the native browser on their devices, because Edge for iOS and Android can't access these settings.

The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that only allows connectivity to Edge for iOS and Android from mobile devices and an Intune app protection policy that ensures the browsing experience is protected.

Note

New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser when required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in Edge for iOS and Android rather than the Managed Browser.

Apply Conditional Access

Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or school content using Edge for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. Details on creating this policy can be found in Require app protection policy for cloud app access with Conditional Access.

  1. Follow Scenario 2: Browser apps require approved apps with app protection policies, which allows Edge for iOS and Android, but blocks other mobile device web browsers from connecting to Office 365 endpoints.

    Note

    This policy ensures mobile users can access all Microsoft 365 endpoints from within Edge for iOS and Android. This policy also prevents users from using InPrivate to access Microsoft 365 endpoints.

With Conditional Access, you can also target on-premises sites that you have exposed to external users via the Azure AD Application Proxy.

Create Intune app protection policies

App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.


Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app protection policy needs to be created for both the iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a minimum, must meet the following conditions:

  1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can access and manipulate work or school data within any Microsoft app in a secure fashion.

  2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Edge for iOS or Android.

  3. Determine which framework level meets your requirements. Most organizations should implement the settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.

Single sign-on to Azure AD-connected web apps in policy-protected browsers

Edge for iOS and Android can take advantage of single sign-on (SSO) to all web apps (SaaS and on-premises) that are Azure AD-connected. SSO allows users to access Azure AD-connected web apps through Edge for iOS and Android, without having to re-enter their credentials.

SSO requires your device to be registered by either the Microsoft Authenticator app for iOS devices, or the Intune Company Portal on Android. When users have either of these, they are prompted to register their device when they go to an Azure AD-connected web app in a policy-protected browser (this is only true if their device hasn't already been registered). After the device is registered with the user's account managed by Intune, that account has SSO enabled for Azure AD-connected web apps.

Note

Device registration is a simple check-in with the Azure AD service. It doesn't require full device enrollment, and doesn't give IT any additional privileges on the device.

Utilize app configuration to manage the browsing experience

Edge for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators, for example those using Microsoft Endpoint Manager, to customize the behavior of the app.

App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Intune App Protection Policy (APP) channel. Edge for iOS and Android supports the following configuration scenarios:

  • Only allow work or school accounts
  • General app configuration settings
  • Data protection settings

Important

For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Edge for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of Android Enterprise work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario requires device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

Note

With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to as a Managed Apps App Configuration Policy.

Only allow work or school accounts

Respecting the data security and compliance policies of our largest and most highly regulated customers is a key pillar of the Microsoft 365 value. Some companies have a requirement to capture all communications within their corporate environment, as well as to ensure that devices are only used for corporate communications. To support these requirements, Edge for iOS and Android on enrolled devices can be configured to allow only a single corporate account to be provisioned within the app.

You can learn more about configuring the org allowed accounts mode setting here:

This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are not using Microsoft Endpoint Manager, you need to consult with your UEM documentation on how to deploy these configuration keys.

General app configuration scenarios

Edge for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is currently only offered when Edge for iOS and Android has an Intune App Protection Policy applied to the work or school account that is signed into the app and the policy settings are delivered only through a managed apps App Configuration Policy.

Important

Edge for Android does not support Chromium settings that are available in Managed Google Play.

Edge supports the following settings for configuration:

  • New Tab Page experiences
  • Bookmark experiences
  • App behavior experiences
  • Kiosk mode experiences

These settings can be deployed to the app regardless of device enrollment status.

New Tab Page experiences

Edge for iOS and Android offers organizations several options for adjusting the New Tab Page experience.

Organization logo and brand color

These settings allow you to customize the New Tab Page for Edge for iOS and Android to display your organization's logo and brand color as the page background.

To upload your organization's logo and color, first complete the following steps:

  1. Within Microsoft Endpoint Manager, navigate to Tenant Administration -> Customization -> Company Identity Branding.
  2. To set your brand's logo, next to Show in header, choose 'Organization logo only'. Transparent background logos are recommended.
  3. To set your brand's background color, select a Theme color. Edge for iOS and Android applies a lighter shade of the color on the New Tab Page, which ensures the page has high readability.

Next, utilize the following key/value pairs to pull your organization's branding into Edge for iOS and Android:

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandLogo
Value: true shows the organization's brand logo; false (default) will not expose a logo

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandColor
Value: true shows the organization's brand color; false (default) will not expose a color

Homepage shortcut

This setting allows you to configure a homepage shortcut for Edge for iOS and Android. The homepage shortcut you configure appears as the first icon beneath the search bar when the user opens a new tab in Edge for iOS and Android. The user can't edit or delete this shortcut in their managed context. The homepage shortcut displays your organization's name to distinguish it.

Key: com.microsoft.intune.mam.managedbrowser.homepage
Value: Specify a valid URL. Incorrect URLs are blocked as a security measure.
For example: https://www.bing.com

Multiple top site shortcuts

Similarly to configuring a homepage shortcut, you can configure multiple top site shortcuts on new tab pages in Edge for iOS and Android. The user can't edit or delete these shortcuts in a managed context. Note: you can configure a total of 8 shortcuts, including a homepage shortcut. If you have configured a homepage shortcut, that will override the first top site configured.

Key: com.microsoft.intune.mam.managedbrowser.managedTopSites
Value: Specify a set of URLs. Each top site shortcut consists of a title and a URL. Separate the title and URL with the | character, and separate shortcuts from each other with ||.
For example: GitHub|https://github.com/||LinkedIn|https://www.linkedin.com

Industry news

You can configure the New Tab Page experience within Edge for iOS and Android to display industry news that is relevant to your organization. When you enable this feature, Edge for iOS and Android uses your organization's domain name to aggregate news from the web about your organization, organization's industry, and competitors, so your users can find relevant external news all from the centralized new tab pages within Edge for iOS and Android. Industry News is off by default.

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.IndustryNews
Value: true shows Industry News on the New Tab Page; false (default) hides Industry News from the New Tab Page

Bookmark experiences

Edge for iOS and Android offers organizations several options for managing bookmarks.

Managed bookmarks

For ease of access, you can configure bookmarks that you'd like your users to have available when they are using Edge for iOS and Android.

  • Bookmarks only appear in the work or school account and are not exposed to personal accounts.
  • Bookmarks can't be deleted or modified by users.
  • Bookmarks appear at the top of the list. Any bookmarks that users create appear below these bookmarks.
  • If you have enabled Application Proxy redirection, you can add Application Proxy web apps by using either their internal or external URL.
  • Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
  • Bookmarks are created in a folder named after the organization's name which is defined in Azure Active Directory.

Key: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the | character.
For example: Microsoft Bing|https://www.bing.com

To configure multiple bookmarks, separate each pair with the double character ||.
For example:
Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com
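The homepage shortcut, multiple top site shortcuts and managed bookmarks sections above all use the same small value grammar, and the New Tab Page sections add a limit of 8 shortcuts with the homepage overriding the first top site. The following Python is an added example, not code from Microsoft or from the Intune documentation: it builds those policy values from plain (title, URL) pairs, decodes a value already in a policy for review, and rejects URLs without an http:// or https:// prefix before they reach the policy. The key names come from the page; the "(organization name)" placeholder title is an assumption, since the page says the homepage shortcut displays the organization's name but does not say how.

```python
"""Build and check the New Tab Page and bookmark values for Edge for iOS and Android.

Added example, not Microsoft's code. It follows the formats stated on the page:
a homepage shortcut is a single URL; top sites and bookmarks are "title|URL"
entries separated by "||"; every URL must start with http:// or https://; and
the New Tab Page shows at most 8 shortcuts, with the homepage shortcut taking
the place of the first configured top site.
"""
from urllib.parse import urlsplit

# Key names as given on the page.
HOMEPAGE_KEY = "com.microsoft.intune.mam.managedbrowser.homepage"
TOP_SITES_KEY = "com.microsoft.intune.mam.managedbrowser.managedTopSites"
BOOKMARKS_KEY = "com.microsoft.intune.mam.managedbrowser.bookmarks"
MAX_SHORTCUTS = 8
# The homepage shortcut shows the organization's name; this placeholder stands
# in for it here (assumption: the real title is taken from Azure AD).
HOMEPAGE_TITLE = "(organization name)"


def check_url(url):
    """Reject URLs the policy would block: wrong or missing scheme, or no host."""
    if not url.startswith(("http://", "https://")):
        raise ValueError(f"{url!r} must be prefixed with http:// or https://")
    if not urlsplit(url).netloc:
        raise ValueError(f"{url!r} has no hostname")
    return url


def encode_pairs(pairs):
    """Encode [(title, url), ...] as 'title|url||title|url' for the policy value."""
    entries = []
    for title, url in pairs:
        if "|" in title or not title.strip():
            raise ValueError(f"title {title!r} is empty or contains the '|' separator")
        entries.append(f"{title}|{check_url(url)}")
    return "||".join(entries)


def decode_pairs(value):
    """Inverse of encode_pairs, for reviewing a value already set in a policy."""
    pairs = []
    for entry in value.split("||"):
        title, sep, url = entry.partition("|")
        if not sep:
            raise ValueError(f"entry {entry!r} is missing the '|' separator")
        pairs.append((title, check_url(url)))
    return pairs


def new_tab_shortcuts(homepage, top_sites):
    """Return the shortcuts a user will see on a new tab, enforcing the limit of 8."""
    shortcuts = list(top_sites)
    if homepage:
        # The homepage shortcut overrides the first configured top site.
        shortcuts = [(HOMEPAGE_TITLE, check_url(homepage))] + shortcuts[1:]
    if len(shortcuts) > MAX_SHORTCUTS:
        raise ValueError(f"at most {MAX_SHORTCUTS} shortcuts, including the homepage, are allowed")
    return shortcuts


def build_config(homepage=None, top_sites=(), bookmarks=()):
    """Produce the key/value pairs to enter in a managed apps App Configuration Policy."""
    new_tab_shortcuts(homepage, top_sites)  # validates URLs and the shortcut limit
    config = {}
    if homepage:
        config[HOMEPAGE_KEY] = check_url(homepage)
    if top_sites:
        config[TOP_SITES_KEY] = encode_pairs(top_sites)
    if bookmarks:
        config[BOOKMARKS_KEY] = encode_pairs(bookmarks)
    return config


if __name__ == "__main__":
    # Constructed sample values, taken from the examples on the page.
    for key, value in build_config(
        homepage="https://www.bing.com",
        top_sites=[("GitHub", "https://github.com/"), ("LinkedIn", "https://www.linkedin.com")],
        bookmarks=[("Microsoft Bing", "https://www.bing.com"), ("Contoso", "https://www.contoso.com")],
    ).items():
        print(f"{key} = {value}")
```

Because titles are separated from URLs by a single pipe, a title containing "|" would be parsed as a URL by the app, so the encoder refuses it rather than producing a value that silently breaks the list.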

My Apps bookmark

By default, users have the My Apps bookmark configured within the organization folder inside Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.MyApps
Value: true (default) shows My Apps within the Edge for iOS and Android bookmarks; false hides My Apps within Edge for iOS and Android

App behavior experiences

Edge for iOS and Android offers organizations several options for managing the app's behavior.

Default protocol handler

By default, Edge for iOS and Android uses the HTTPS protocol handler when the user doesn't specify the protocol in the URL. Generally, this is considered a best practice, but can be disabled.

Key: com.microsoft.intune.mam.managedbrowser.defaultHTTPS
Value: true (default) the default protocol handler is HTTPS; false the default protocol handler is HTTP

Disable data sharing for personalization

By default, Edge for iOS and Android prompts users for usage data collection and sharing browsing history to personalize their browsing experience. Organizations can disable this data sharing by preventing this prompt from being shown to end users.

Key: com.microsoft.intune.mam.managedbrowser.disableShareUsageData
Value: true disables this prompt from displaying to end users; false (default) users are prompted to share usage data

Key: com.microsoft.intune.mam.managedbrowser.disableShareBrowsingHistory
Value: true disables this prompt from displaying to end users; false (default) users are prompted to share browsing history


Disable specific features

Edge for iOS and Android allows organizations to disable certain features that are enabled by default. To disable these features, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disabledFeatures
Value: password disables prompts that offer to save passwords for the end user; inprivate disables InPrivate browsing

To disable multiple features, separate the values with |. For example, inprivate|password disables both InPrivate and password storage.

Note

Edge for Android does not support disabling the password manager.

Disable extensions

You can disable the extension framework within Edge for Android to prevent users from installing any app extensions. To do this, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disableExtensionFramework
Value: true disables the extension framework; false (default) enables the extension framework

Kiosk mode experiences on Android devices

Edge for Android can be enabled as a kiosk app with the following settings:

Key: com.microsoft.intune.mam.managedbrowser.enableKioskMode
Value: true enables kiosk mode for Edge for Android; false (default) disables kiosk mode

Key: com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode
Value: true shows the address bar in kiosk mode; false (default) hides the address bar when kiosk mode is enabled

Key: com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode
Value: true shows the bottom action bar in kiosk mode; false (default) hides the bottom bar when kiosk mode is enabled

Data protection app configuration scenarios

Edge for iOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied to the work or school account that is signed into the app and the policy settings are delivered only through a managed apps App Configuration Policy:

  • Manage account synchronization
  • Manage restricted web sites
  • Manage proxy configuration
  • Manage NTLM single sign-on sites

These settings can be deployed to the app regardless of device enrollment status.

Manage account synchronization

By default, Microsoft Edge sync enables users to access their browsing data across all their signed-in devices. The data supported by sync includes:

  • Favorites
  • Passwords
  • Addresses and more (autofill form entry)

Sync functionality is enabled via user consent and users can turn sync on or off for each of the data types listed above. For more information see Microsoft Edge Sync.

Organizations have the capability to disable Edge sync on iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.account.syncDisabled
Value: true (default) disables Edge sync; false allows Edge sync

Manage restricted web sites

Organizations can define which sites users can access within the work or school account context in Edge for iOS and Android. If you use an allowed list, your users are only able to access the sites explicitly listed. If you use a blocked list, users can access all sites except those explicitly blocked. You should impose only one of an allowed list or a blocked list, not both. If you impose both, only the allowed list is honored.

Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. If the organization allows it, restricted web sites can be opened in the personal account context or in the Azure AD account's InPrivate context; alternatively, the site can be blocked entirely. For more information on the various scenarios that are supported, see Restricted website transitions in Microsoft Edge mobile. By allowing transitioning experiences, the organization's users stay protected while corporate resources are kept safe.

Note

Edge for iOS and Android can block access to sites only when they are accessed directly. It doesn't block access when users use intermediate services (such as a translation service) to access the site.

Use the following key/value pairs to configure either an allowed or blocked site list for Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe character.
Examples:
URL1|URL2|URL3
http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.BlockListURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe character.
Examples:
URL1|URL2|URL3
http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock
Value: true (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts are not disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
false prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked.

Key: com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked
Value: true allows restricted sites to be opened in the Azure AD account's InPrivate context. If the Azure AD account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switching to the personal account.
false (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true.

Key: com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar
Value: Enter the number of seconds that users will see the snack bar notification 'Link opened with InPrivate mode. Your organization requires the use of InPrivate mode for this content.' By default, the snack bar notification is shown for 7 seconds.

The following sites are always allowed regardless of the defined allow list or block list settings:

  • https://*.microsoft.com/*
  • http://*.microsoft.com/*
  • https://microsoft.com/*
  • http://microsoft.com/*
  • https://*.windowsazure.com/*
  • https://*.microsoftonline.com/*
  • https://*.microsoftonline-p.com/*

URL formats for allowed and blocked site list

You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table.

  • Ensure that you prefix all URLs with http:// or https:// when entering them into the list.

  • You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.

  • A wildcard can only match a portion (e.g., news-contoso.com) or entire component of the hostname (e.g., host.contoso.com) or entire parts of the path when separated by forward slashes (www.contoso.com/images).

  • You can specify port numbers in the address. If you do not specify a port number, the values used are:

    • Port 80 for http
    • Port 443 for https
  • Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and http://www.contoso.com:*/ are not supported.

    URL: http://www.contoso.com
    Details: Matches a single page
    Matches: www.contoso.com
    Does not match: host.contoso.com, www.contoso.com/images, contoso.com/

    URL: http://contoso.com
    Details: Matches a single page
    Matches: contoso.com/
    Does not match: host.contoso.com, www.contoso.com/images, www.contoso.com

    URL: http://www.contoso.com/*
    Details: Matches all URLs that begin with www.contoso.com
    Matches: www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows
    Does not match: host.contoso.com, host.contoso.com/images

    URL: http://*.contoso.com/*
    Details: Matches all subdomains under contoso.com
    Matches: developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos
    Does not match: contoso.host.com, news-contoso.com

    URL: http://*contoso.com/*
    Details: Matches all subdomains ending with contoso.com/
    Matches: news-contoso.com, news-contoso.com.com/daily
    Does not match: news-contoso.host.com, news.contoso.com

    URL: http://www.contoso.com/images
    Details: Matches a single folder
    Matches: www.contoso.com/images
    Does not match: www.contoso.com/images/dogs

    URL: http://www.contoso.com:80
    Details: Matches a single page, by using a port number
    Matches: www.contoso.com:80
    Does not match: (none listed)

    URL: https://www.contoso.com
    Details: Matches a single, secure page
    Matches: www.contoso.com (over https)
    Does not match: www.contoso.com (over http)

    URL: http://www.contoso.com/images/*
    Details: Matches a single folder and all subfolders
    Matches: www.contoso.com/images/dogs, www.contoso.com/images/cats
    Does not match: www.contoso.com/videos

  • The following are examples of some of the inputs that you can't specify:

    • *.com
    • *.contoso/*
    • www.contoso.com/*images
    • www.contoso.com/*images*pigs
    • www.contoso.com/page*
    • IP addresses
    • https://*
    • http://*
    • http://www.contoso.com:*
    • http://www.contoso.com: /*
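The pattern rules above are easy to get wrong when writing an allowed or blocked list by hand, and the precedence rules (always-allowed Microsoft sites, allowed list winning over a blocked list) matter when you test a policy. The following Python is an added example, not code from Microsoft or from Edge: it validates patterns against the stated rules, matches URLs on scheme, host, port and path the way the table shows, and applies the page's precedence in is_allowed. The exact hostname-label rules it enforces (a wildcard may be a whole label or the leading portion of one, and the last two labels may not be bare wildcards) are my reading of the rules above, not a published specification, and the always-allowed list is copied from the page.

```python
"""Allowed/blocked URL list validator and matcher for Edge for iOS and Android.

Added example, not Microsoft's code. Rules encoded from the page: an http:// or
https:// prefix is required; a wildcard matches a portion or a whole hostname
label, or a whole path segment; ports default to 80/443 and cannot be
wildcards; IP addresses are not supported; when both lists are set only the
allowed list is honored; a fixed set of Microsoft sites is always allowed.
The label rules below are my interpretation of those statements.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Copied from the page: always allowed regardless of the configured lists.
ALWAYS_ALLOWED = [
    "https://*.microsoft.com/*", "http://*.microsoft.com/*",
    "https://microsoft.com/*", "http://microsoft.com/*",
    "https://*.windowsazure.com/*", "https://*.microsoftonline.com/*",
    "https://*.microsoftonline-p.com/*",
]
DEFAULT_PORT = {"http": 80, "https": 443}
LABEL_RE = re.compile(r"^\*?[a-z0-9-]+$|^\*$")  # "contoso", "*contoso" or "*"


def _split(url):
    """Return (scheme, host, port, [path segments]) for a URL or a pattern."""
    parts = urlsplit(url.strip())
    netloc = parts.netloc.lower()
    host, port = (netloc.rsplit(":", 1) if ":" in netloc else (netloc, ""))
    segments = [s for s in parts.path.split("/") if s]
    return parts.scheme.lower(), host, port, segments


def validate_pattern(pattern):
    """Return None if the pattern is permitted, otherwise the reason it is not."""
    scheme, host, port, segments = _split(pattern)
    if scheme not in DEFAULT_PORT:
        return "pattern must start with http:// or https://"
    if port and not port.isdigit():
        return "port must be a number; a wildcard port is not supported"
    try:
        ipaddress.ip_address(host)
        return "IP addresses are not supported"
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return "hostname needs two or more labels; a wildcard may only be a whole label or its leading portion"
    if any(l == "*" for l in labels[-2:]):
        return "the last two hostname labels cannot be bare wildcards (e.g. *.com)"
    for seg in segments:
        if "*" in seg and seg != "*":
            return "a wildcard must be a whole path segment (e.g. /*images is not allowed)"
    return None


def parse_url_list(value):
    """Split the single pipe-separated policy value into patterns, rejecting bad ones."""
    patterns = [p.strip() for p in value.split("|") if p.strip()]
    bad = {p: validate_pattern(p) for p in patterns if validate_pattern(p)}
    if bad:
        raise ValueError(f"rejected patterns: {bad}")
    return patterns


def _host_regex(pattern_host):
    parts = []
    for label in pattern_host.split("."):
        if label == "*":
            parts.append(r"[^.]+")                       # whole label
        elif label.startswith("*"):
            parts.append(r"[^.]*" + re.escape(label[1:]))  # leading portion
        else:
            parts.append(re.escape(label))
    return re.compile("^" + r"\.".join(parts) + "$")


def _path_matches(pattern_segs, url_segs):
    if pattern_segs and pattern_segs[-1] == "*":  # trailing * covers any depth
        head = pattern_segs[:-1]
        return len(url_segs) >= len(head) and all(
            p == "*" or p == u for p, u in zip(head, url_segs))
    return len(pattern_segs) == len(url_segs) and all(
        p == "*" or p == u for p, u in zip(pattern_segs, url_segs))


def matches(pattern, url):
    """True if url is matched by pattern: scheme, port, host and path all agree."""
    p_scheme, p_host, p_port, p_segs = _split(pattern)
    u_scheme, u_host, u_port, u_segs = _split(url)
    if p_scheme != u_scheme:
        return False
    if int(p_port or DEFAULT_PORT[p_scheme]) != int(u_port or DEFAULT_PORT[u_scheme]):
        return False
    return bool(_host_regex(p_host).match(u_host)) and _path_matches(p_segs, u_segs)


def is_allowed(url, allow_list=(), block_list=()):
    """Page precedence: always-allowed sites, then the allowed list (which wins
    over a blocked list when both are set), then the blocked list."""
    if any(matches(p, url) for p in ALWAYS_ALLOWED):
        return True
    if allow_list:
        return any(matches(p, url) for p in allow_list)
    if block_list:
        return not any(matches(p, url) for p in block_list)
    return True
```

Running validate_pattern over a list before deploying it catches the unsupported inputs (a bare wildcard TLD, a wildcard inside a path segment, an IP address, a wildcard port) that the app would otherwise silently ignore or block; is_allowed over a handful of known-good and known-bad URLs then shows what the policy will actually do.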

Manage proxy configuration

You can use Edge for iOS and Android and Azure AD Application Proxy together to give users access to intranet sites on their mobile devices. For example:


  • A user is using the Outlook mobile app, which is protected by Intune. They then click a link to an intranet site in an email, and Edge for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is automatically routed through Application Proxy, to authenticate with any applicable multi-factor authentication and Conditional Access, before reaching the intranet site. The user is now able to access internal sites, even on their mobile devices, and the link in Outlook works as expected.
  • A user opens Edge for iOS and Android on their iOS or Android device. If Edge for iOS and Android is protected with Intune, and Application Proxy is enabled, the user can go to an intranet site by using the internal URL they are used to. Edge for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is automatically routed through Application Proxy, to authenticate before reaching the intranet site.

Before you start:

  • Set up your internal applications through Azure AD Application Proxy.
    • To configure Application Proxy and publish applications, see the setup documentation.
  • The Edge for iOS and Android app must have an Intune app protection policy assigned.
  • Microsoft apps must have an app protection policy that has Restrict web content transfer with other apps data transfer setting set to Microsoft Edge.

Note

Edge for iOS and Android updates the Application Proxy redirection data based on the last successful refresh event. An update is attempted whenever more than one hour has passed since the last successful refresh.

Target Edge for iOS with the following key/value pair, to enable Application Proxy:

Key: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value: true enables Azure AD App Proxy redirection scenarios; false (default) prevents Azure AD App Proxy scenarios

Note

Edge for Android does not consume this key. Instead, Edge for Android consumes Azure AD Application Proxy configuration automatically as long as the signed-in Azure AD account has an App Protection Policy applied.

For more information about how to use Edge for iOS and Android and Azure AD Application Proxy in tandem for seamless (and protected) access to on-premises web apps, see Better together: Intune and Azure Active Directory team up to improve user access. This blog post references the Intune Managed Browser, but the content applies to Edge for iOS and Android as well.

Manage NTLM single sign-on sites

Organizations may require users to authenticate with NTLM to access intranet web sites. By default, users are prompted to enter credentials each time they access a web site that requires NTLM authentication as NTLM credential caching is disabled.

Organizations can enable NTLM credential caching for particular web sites. For these sites, after the user enters credentials and successfully authenticates, the credentials are cached by default for 30 days.

Key: com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe character.
Examples:
URL1|URL2
http://app.contoso.com/|https://expenses.contoso.com
For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

Key: com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO
Value: Number of hours to cache credentials; the default is 720 hours (30 days)

Deploy app configuration scenarios with Microsoft Endpoint Manager

If you are using Microsoft Endpoint Manager as your mobile app management provider, the following steps allow you to create a managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.

  1. Sign into Microsoft Endpoint Manager.

  2. Select Apps and then select App configuration policies.

  3. On the App Configuration policies blade, choose Add and select Managed apps.

  4. On the Basics section, enter a Name and an optional Description for the app configuration settings.

  5. For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Edge for iOS and Android by selecting both the iOS and Android platform apps. Click Select to save the selected public apps.

  6. Click Next to complete the basic settings of the app configuration policy.

  7. On the Settings section, expand the Edge configuration settings.

  8. If you want to manage the data protection settings, configure the desired settings accordingly:

    • For Application proxy redirection, choose from the available options: Enable, Disable (default).

    • For Homepage shortcut URL, specify a valid URL that includes the prefix of either http:// or https://. Incorrect URLs are blocked as a security measure.

    • For Managed bookmarks, specify the title and a valid URL that includes the prefix of either http:// or https://.

    • For Allowed URLs, specify a valid URL (only these URLs are allowed; no other sites can be accessed). For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

    • For Blocked URLs, specify a valid URL (only these URLs are blocked). For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

    • For Redirect restricted sites to personal context, choose from the available options: Enable (default), Disable.

    Note

    When both Allowed URLs and Blocked URLs are defined in the policy, only the allowed list is honored.

  9. If you want to add app configuration settings not exposed in the above policy, expand the General configuration settings node and enter the key/value pairs accordingly.

  10. When you are finished configuring the settings, choose Next.

  11. On the Assignments section, choose Select groups to include. Select the Azure AD group to which you want to assign the app configuration policy, and then choose Select.

  12. When you are finished with the assignments, choose Next.

  13. On the Create app configuration policy Review + Create blade, review the settings configured and choose Create.

The newly created configuration policy is displayed on the App configuration blade.

Use Edge for iOS and Android to access managed app logs

Users with Edge for iOS and Android installed on their iOS or Android device can view the management status of all Microsoft-published apps. They can send logs for troubleshooting their managed iOS or Android apps by using the following steps:

  1. Open Edge for iOS and Android on your device.
  2. Type about:intunehelp in the address box.
  3. Edge for iOS and Android launches troubleshooting mode.

For a list of the settings stored in the app logs, see Review client app protection logs.

To see how to view logs on Android devices, see Send logs to your IT admin by email.

Today we’ve just shipped a new version of the Slack Desktop application for macOS. We built it with Electron, and, as a result, it’s faster, sports a frameless look, and has a number of behind-the-scenes improvements to make for a much better Slack experience.

There are, of course, different ways to build desktop applications with web technologies. Unlike a 100% in-box approach that some other apps take, Slack takes a hybrid approach where we ship some of the assets as part of the app, but most of the assets and code are loaded remotely. Since there isn’t much information out there about how to do this with Electron, we wanted to dive into a bit more detail about how our hybrid application works.

First, Some History

Originally, the Slack desktop application was written using the MacGap v1 framework, which internally used WebView to host web content inside of a native app frame. While that served us well for a long time (including the retrofitting of multiple-team support), this architecture was starting to show its age. New features such as HTTP/2 are only coming to Apple’s new WKWebView view, and moving to this would effectively require a complete rewrite of the application. Furthermore, WebView was tied to the operating system’s version of Safari, meaning that we didn’t have many options when older versions of macOS had an issue in Safari that affected our app.

Separately, when we created the Slack Windows application, we couldn’t use the existing codebase, so we decided to bet on a brand new platform called Electron.

We’ve written about Electron before, but to summarize, Electron is a platform that combines the rendering engine from Chromium and the Node.js runtime and module system.

Since very early in the development of the Slack Electron app, we’ve had a working macOS version (albeit with many missing features). It was useful for us to be able to share our app with coworkers using macOS, for things like design feedback. So, when we looked into how to modernize the Mac app, moving to a unified codebase across Mac, Windows, and Linux was an easy choice.

Technology Stack

Despite being the first production Electron application outside of Atom, the Slack Desktop application has been kept fairly up-to-date with regards to web technologies. Our app has migrated from a CoffeeScript application written with vanilla DOM APIs to a modern ES6 + async/await React application, and we’re currently incrementally moving our app to TypeScript.

The Chromium Multi-process Model

Electron inherits Chromium’s multi-process model — the main application as well as every Slack team that you’re signed into live in a separate process with its own memory space. For us, this means that we can restart individual teams that crash or have other issues without affecting the rest of the app, as well as protection from GPU driver issues via a separate GPU process.

On macOS, these renderer processes are labeled “Slack Helper;” you’ll see one for every team, plus three extra for crash reporting, the GPU, and the process that hosts the team switcher.

The WebView Tag

While we generally trust the local Slack application to run with full access to the desktop and Node.js, allowing remote content to directly access desktop features and Node.js is insecure — if someone were to Man-In-The-Middle Slack, they would have full control over user computers! To prevent this, we use a feature of Electron ported from Chrome Apps called the WebView element (unrelated to Apple’s WebView view mentioned above). Conceptually, this HTML element is similar to an iframe, in that it includes another site inline as a block element. However, it actually creates a separate Chromium renderer process and delegates rendering of content for its hosting renderer, similar to how the Flash plugin host framework works.

Before any navigation occurs, we get a chance to run custom code with Node.js integration enabled, called a “preload script.” This script runs before the DOM is created and before the page has an origin, but gives us access to Electron and Node.js APIs.

One thing that we can do in our preload script is set a key on the window object. This allows us to expose an API to the webapp side of Slack. Since we define this API, we can set up a Security Boundary that only grants the webapp certain methods.

There are a few things that you must do in order for this approach to be secure:

  1. You must ensure that you don’t leak Node.js modules into your API surface.
  2. You should be thoughtful about your APIs, especially ones involving file paths. Make sure that a malicious caller of your API can’t access data on a user’s file-system.
  3. You only have to worry about access to JS objects via JavaScript itself; being able to see Node.js objects via the DevTools console tab is generally safe. DevTools has access to hidden V8 internals that JavaScript doesn’t, so being able to reach Node.js objects through, for example, the “closure” pseudovariable is not a concern.

Communicating between processes

Communicating between all of these different processes is Tricky Business. On top of Chromium’s low-level IPC module which lets you send messages between processes, we’ve built a library called electron-remote.

electron-remote is a pared-down, faster version of Electron’s remote module, using ES6 Proxy Objects. Using proxies, we create an object which represents the window on a remote renderer, and all method calls get sent as messages to that remote. This lets you accomplish the same things as the traditional remote module, but without the pitfalls of remote event handlers and synchronous IPC.

First, set up the API you want to create in the main window. To make our example easier to understand, we’ll use a global variable:

Next, in our preload script, we’ll actually wire it up:

Now, your web application has access to a new object desktopIntegration which has a bounceDock method:
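The three steps above, as an added example that is not Slack's own preload or electron-remote code: a Proxy on the preload side turns method calls into messages, and an allow-listed dispatcher on the main-window side is the security boundary. It assumes an in-memory `dispatch` function standing in for Electron IPC (so it runs in plain Node.js), and `setBadgeCount` and `ALLOWED_METHODS` are constructed names.

```javascript
// Added example (not Slack's electron-remote or preload code): a minimal model of
// the preload-side proxy and an allow-listed dispatcher. An in-memory dispatch
// call stands in for Electron IPC so the whole thing runs in plain Node.js.
const ALLOWED_METHODS = new Set(["bounceDock", "setBadgeCount"]); // constructed

// Main-window side: the real implementation lives here with Node/desktop access.
const dockState = { bounces: 0, badge: "" };
const mainWindowApi = {
  bounceDock() { dockState.bounces += 1; return dockState.bounces; },
  setBadgeCount(n) { dockState.badge = String(n); return dockState.badge; },
};

// Dispatcher: only names on the allow-list are reachable, so property tricks such
// as "constructor" or "require" never reach the real object or Node.js modules.
function dispatch(message) {
  // Round-tripping through JSON keeps args data-only (no functions, no prototypes).
  const { method, args } = JSON.parse(message);
  if (!ALLOWED_METHODS.has(method)) {
    throw new Error(`method not exposed: ${method}`);
  }
  return mainWindowApi[method](...args);
}

// Preload side: an ES6 Proxy that turns each property access into a function that
// serialises the call as a message, the way electron-remote forwards method calls.
function createRemoteProxy(send) {
  return new Proxy({}, {
    get(_target, prop) {
      if (typeof prop !== "string") return undefined; // ignore symbol lookups
      return (...args) => send(JSON.stringify({ method: prop, args }));
    },
  });
}

// What the preload script would set on window: only this wrapper, never `require`.
const desktopIntegration = createRemoteProxy(dispatch);
```

Every call the webapp makes, including ones that try to reach methods outside the allow-list, goes through `dispatch`, which is the single place to audit.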

Being able to access remote objects efficiently makes implementing your webapp’s API much easier. In our case, it allows us to easily send Redux App Actions to update our app’s state and by proxy, the UI that depends on that state, to render updates to the badges on the Dock icon, or to update the unreads state on the team switcher items.

You must be careful when using electron-remote to audit your remote objects the same way that you audit your other preload objects — being able to ask another process to do something malicious is just as bad as doing it in-process!

Open Source Libraries

As part of writing the Slack Desktop application, we’ve developed a number of libraries and tools that we’ve open-sourced:

We’ve also spent some time contributing to the Electron project itself, to help improve the framework for developers.

As you can see, the new Slack Desktop app helps our development team have the best of both worlds — the rapid iteration and ecosystem of web development, and the ability (with a bit of C++ and elbow grease!) to access the underlying Mac operating system in ways that websites can’t reach. We’re excited for the future of our Desktop apps, especially all the things we can do to bring your team’s work together.

If you want to help us make Slack a little better each day, check out our Careers site and apply today.