Harvey Mobile Intune Setup Guide (iOS and Android)
This document walks through how to set up Microsoft Intune management for the Harvey iOS and Harvey Android applications.
Last updated: May 28, 2026
We are constantly updating and improving our Intune integration. Please make sure you have the latest versions of the Harvey apps before proceeding.
MDM vs MAM
There are two ways to configure Intune for Harvey. One is MDM (mobile device management), where an organization has an installed certificate on a device and manages that device fully. The other is MAM (mobile app management), where the user brings their own device (BYOD) and apps are individually managed without control over the device itself. The App Protection Policies are the same in both cases, but the choice changes what you can do with App Configuration Policies in Intune. MDM inherently has more control and offers a smoother login experience than MAM.
Adding Intune Protection in your Harvey Workspace
IMPORTANT: if you use MAM you must enable this toggle for Intune to function
A workspace admin will need to enable Intune protection under Settings > Ecosystem. This will apply Intune protection for all users in your workspace, and is the field that our mobile application checks in order to register a user with the Intune SDK.

Entra Details
iOS Application ID: 9c6a05ad-a415-43ef-8db8-5099a482201d
Android Application ID: 60500a7f-38fa-4aad-bc8b-9829bbacded3
Required permissions:
- Microsoft Graph: User.Read
- Microsoft Mobile Application Management: DeviceManagementManagedApps.ReadWrite
How Enrollment Works
Intune enrollment happens after the user has successfully authenticated with Harvey using Auth0. The flow is as follows:
First, the user is prompted to log in to Harvey through Auth0 (the same as the web). Our mobile apps use the same SSO configuration that the web uses, so no changes are typically needed here.
Once the user successfully logs in, we check if we need to enroll in Intune protections. There are 2 ways that can happen:
- First we check if there is an MDM policy installed on the device by looking for the IntuneMAMUPN (iOS) or upn (Android) value in the App Configuration Policy. If this is present, we proceed with enrollment.
- If the device is not under MDM, we then check the Harvey workspace setting enabled by the toggle discussed in the previous step. If this toggle is enabled, we proceed with enrollment.
If neither of these two things is true, the app will not be protected and will allow the user to access the app without restriction. You must use MDM with IntuneMAMUPN (iOS) / upn (Android) set or the toggle to ensure Intune protections are applied.
The enrollment process is handed off to the Microsoft Intune SDK which will verify the user is licensed and assigned a policy. Once this verification is done, the app will say “This app is now being protected by your organization” and will prompt the user to close the app. Subsequent opens of the app will have Intune protections applied.
Adding an App Protection Policy
- Sign into intune.microsoft.com
- In the first blade click “Apps”
- In the second blade under Manage apps click “Protection”
- Click “+ Create” at the top and select iOS/iPadOS or Android. You will need to create separate policies for each platform.
- Create a name for your policy and click “Next”
- On the Apps tab:
  - For iOS: Click “+ Select public apps”. On the “Select apps to target” pane, search for “Harvey” and click on “Harvey AI” in the results. Click “Select” at the bottom of the pane.
  - For Android: Click “+ Select custom apps”. On the “Select apps to target” pane, enter ai.harvey.mobileandroid as the Package ID for the Harvey Android app and click “Add”. Make sure the correct Package ID shows up under “Selected Apps” at the bottom of the pane and click “Select” to save this.
- Click “Next”
- Under “Data Protection” update the configuration in compliance with your company's policies. When you are finished click “Next”
- Do the same thing for “Access requirements” and click “Next” when you are finished.
- And again for “Conditional launch”.
- On the “Assignments” tab, add groups under the “Included groups” section. Be very careful here to not accidentally add users to the “Excluded groups” section unless you specifically want to restrict access to those groups / users. Click “Next” when you are finished.
- Finally, review the policy and click “Create”
Note: You can also simply add Harvey AI as a targeted app to an existing App Protection Policy if you want to use the same settings as all other apps in your ecosystem.
Adding an App Configuration Policy
- Navigate back to Apps in the first blade and open “Configuration” under “Manage apps”
- Click “+ Create” at the top and select either “Managed devices” if you are using MDM, or “Managed apps” if you are using MAM without enrollment.
- Name the configuration policy and under “Target policy to” select “All apps” if you want this configuration to apply to all applications, or “Selected apps” if you want it to only apply to specific applications. For specific applications make sure you add the Harvey AI public app (iOS) or a custom app with Package ID ai.harvey.mobileandroid (Android).
App Configuration Properties
Important: Keys are case sensitive.
Every field is optional except IntuneMAMUPN (iOS) or upn (Android). If you use MDM, we highly recommend adding email as it provides a smoother login experience for your users. Note that when creating a configuration for Android, Intune has a JSON editor that exposes these values for you automatically.
| Key | Value Type | Values | Description |
|---|---|---|---|
| IntuneMAMUPN (iOS) / upn (Android) | String | Any, but likely {{userprincipalname}} | |
| email (iOS Only) | String | Any valid email, but likely {{mail}} when using MDM | The email address to pre-fill during login. For managed devices this should be {{mail}} |
| region | String | US, EU, AU | Sets the default region to be used at login. The default is US. MDM only. |
| auth_provider | String | microsoft_edge, default_browser, wkwebview | Sets the provider used for authentication. Leaving this blank will use the default Auth0 webview flow (recommended). MDM only. |
Recommended configuration
This is the configuration we recommend for the smoothest experience. This assumes you are using MDM with Microsoft Intune and Company Portal. Note that most fields are omitted entirely.
| Key | Value Type | Values |
|---|---|---|
| IntuneMAMUPN (iOS) / upn (Android) | String | {{userprincipalname}} |
| | String | {{mail}} |
| region | String | US - omit entirely, it is the default; AU or EU - include |
Deprecated configuration values
These configuration values appeared in previous versions of our mobile app, but have since been deprecated.
| Key | Alternative |
|---|---|
| disable_voice_input | Use the Harvey permission use:assistant_voice_input instead. |
| intune_policy_refresh_interval_minutes | We rely on Microsoft’s Intune SDK to perform check-ins regularly making this obsolete. |
| disable_file_upload | Use Intune’s native data protection policies instead. |
| disable_document_scanning | Use Intune’s native data protection policies instead. |
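The key rules from the tables above and the enrollment order from “How Enrollment Works” can be checked before a policy is deployed. The following is an added Python example, not Harvey's or Microsoft's code: lint_config and enrollment_path are hypothetical names, the input is a plain key/value mapping rather than Intune's own export format, and exact-match comparison of values is an assumption.

```python
# Added example (not Harvey's code): lint App Configuration keys from this guide.
REQUIRED_UPN = {"ios": "IntuneMAMUPN", "android": "upn"}
ALLOWED = {
    "region": {"US", "EU", "AU"},
    "auth_provider": {"microsoft_edge", "default_browser", "wkwebview"},
}
MDM_ONLY = {"region", "auth_provider"}
DEPRECATED = {
    "disable_voice_input": "use the Harvey permission use:assistant_voice_input",
    "intune_policy_refresh_interval_minutes": "obsolete, the Intune SDK checks in",
    "disable_file_upload": "use Intune's native data protection policies",
    "disable_document_scanning": "use Intune's native data protection policies",
}


def lint_config(settings, platform, mode):
    """Findings for one policy; platform is ios|android, mode is mdm|mam."""
    upn_key = REQUIRED_UPN[platform]
    known = {upn_key, *ALLOWED} | ({"email"} if platform == "ios" else set())
    by_lower = {k.lower(): k for k in known}
    findings = []
    if not settings.get(upn_key):
        findings.append(f"missing required key {upn_key}")
    for key, value in settings.items():
        if key in DEPRECATED:
            findings.append(f"deprecated key {key}: {DEPRECATED[key]}")
        elif key not in known:
            fix = by_lower.get(key.lower())  # keys are case sensitive
            findings.append(f"wrong case {key}, use {fix}" if fix else f"unknown key {key}")
        elif mode == "mam" and key in MDM_ONLY:
            findings.append(f"{key} is MDM only")
        elif value and key in ALLOWED and value not in ALLOWED[key]:
            # Exact-match comparison of values is an assumption of this example.
            findings.append(f"{key}={value} not in {sorted(ALLOWED[key])}")
    return findings


def enrollment_path(settings, platform, workspace_toggle):
    """Mirror 'How Enrollment Works': MDM UPN first, then the workspace toggle."""
    if settings.get(REQUIRED_UPN[platform]):
        return "mdm"
    return "toggle" if workspace_toggle else None  # None means unprotected


# Constructed sample: an iOS MDM policy with a mis-cased key and an old setting.
SAMPLE = {"intunemamupn": "{{userprincipalname}}", "email": "{{mail}}",
          "region": "EU", "disable_file_upload": "true"}
if __name__ == "__main__":
    print(lint_config(SAMPLE, "ios", "mdm"), enrollment_path(SAMPLE, "ios", False))
```

With the constructed sample, the mis-cased UPN key means neither enrollment condition holds while the workspace toggle is off, which is the unprotected case the guide describes.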
Conditional Access
If you have applied conditional access policies in Entra, please ensure you are only applying the policies to the Harvey iOS or Harvey Android target. Attempting to apply a conditional access policy to the Harvey Authentication target will prevent the user from being able to log in. If this is a requirement, you will need to use the Microsoft Edge authentication described above.
Conclusion and Troubleshooting
You should now be set up properly with Intune management for the Harvey iOS and Android applications. Verify that you can log in with the user accounts assigned in Entra, and also that when a user logs in, they are prompted to authenticate directly with Microsoft after logging into the Harvey account. You will see an alert pop up that says “Your organization is now protecting its data in this app. Restart the app to continue”. You can also verify your Intune restrictions are being applied (e.g. if you restrict Screen Capture, try to take a screenshot of the Harvey app and verify it will block you from doing so). Fully closing the app by swiping up on it in the app switcher and doing a cold restart may be necessary for all policies to be applied.
Please reach out to your customer support manager if you have any questions or issues.
