Control Authentication and Access for Tableau Mobile

Supported authentication methods

Tableau Server

Tableau Mobile supports the following authentication methods for Tableau Server.

Method	Considerations for Tableau Mobile
Local (basic) authentication
Kerberos	iOS only
SAML
NTLM
Mutual SSL	Requires Tableau Server version 2019.4 or later Proxy support for Android only Sign in with Device Browser must be enabled for iOS
OpenID Connect	Requires Tableau Server version 2019.4 or later Sign in with Device Browser must be enabled

For information about configuring these methods, see the Tableau Server Help for Windows(Link opens in a new window) and Linux(Link opens in a new window).

Tableau Cloud

Tableau Mobile supports all three authentication methods for Tableau Cloud.

Default Tableau method
Google via OpenID Connect (Sign in with Device Browser must be enabled)
SAML

For information about configuring these methods, see Authentication(Link opens in a new window) in the Tableau Cloud Help.

Authentication with the device browser

OpenID Connect (including Google) and mutual SSL authentication takes place using the mobile device’s browser (Safari, Chrome). The exchange between the browser and Tableau Mobile is secured by OAuth Proof Key for Code Exchange(Link opens in a new window) (PKCE).

For this authentication to take place, you must enable the Sign in with Device Browser setting, by following the instructions below. The one exception to this requirement is mutual SSL authentication on Android, which requires no configuration changes.

Tableau Server (version 2019.4 or later)

If you use an MDM or MAM system, set the AppConfig parameter, RequireSignInWithDeviceBrowser, to true. Alternatively, Tableau Server users can enable the "Sign in with Device Browser" setting on their individual devices. The AppConfig parameter overrides the user setting.

Tableau Cloud

Set the AppConfig parameter, RequireSignInWithDeviceBrowser, to true. To set AppConfig parameters, you need to deploy the app with an MDM or MAM system. The user setting has no effect for Tableau Cloud, so if you don’t use an MDM or MAM system, you won’t be able to allow Google authentication.

Override the default browser used for authentication

When you configure Tableau Mobile to use the browser for authentication, it uses the default browser for the device: Safari for iOS and Chrome for Android. To enable Conditional Access for Microsoft Intune, you must configure Tableau Mobile to use Microsoft Edge for authentication instead. This requires two AppConfig parameters:

Set RequireSignInWithDeviceBrowser to true, to make it so Tableau Mobile uses the browser for authentication.
Set OverrideDeviceBrowser to Edge, to change the browser used to authenticate from the device default to Microsoft Edge. If you change this parameter without requiring sign in with the browser, it will have no effect. For more information, see the AppConfig parameters for Tableau Mobile.

In addition to setting the AppConfig parameters for Tableau Mobile, configure your Microsoft Intune environment as follows:

If you use Azure App Proxy, it must use passthrough as its preauthentication method.
The authentication method must be SAML or OpenID.
The identity provider must be Azure Active Directory.

Temporarily keep users signed in

To temporarily keep Tableau Mobile users signed in, make sure that connected clients are enabled for Tableau Cloud or Tableau Server. If you disable this default setting, users will be required to sign in every time they connect to the server.

Verify the connected clients setting for Tableau Cloud

Sign in to Tableau Cloud as an administrator.
Select Settings, and then select the Authentication tab.
Under Connected Clients, note the Let clients automatically connect to this Tableau Cloud site setting.

For more information, see Access Sites from Connected Clients in Tableau Cloud Help.

Verify the connected clients setting for Tableau Server

Sign in to Tableau Server as an administrator.
In the site menu, select Manage All Sites, and then select Settings > General.
Under Connected Clients, note the Let clients automatically connect to Tableau Server setting.

For more information, see Disable Automatic Client Authentication in Tableau Server Help.

Change how long users remain signed in to Tableau Server

When the connected clients setting is not enabled, the length of a session on Tableau Mobile is controlled by Tableau Server limits. When the connected clients setting is enabled, Tableau Mobile uses OAuth tokens to re-establish the session and keep users signed in, as long as the tokens are valid.

Change token values for connected clients

To keep a user signed in, Tableau Mobile sends a refresh token to the authentication system, which then delivers a new access token to the mobile device. You can change how long users remain signed in by adjusting settings for refresh tokens.

In the command-line interface for Tableau Services Manager, set the following options:

refresh_token.idle_expiry_in_seconds: Sets the number of seconds a token can go unused before expiring. The default value of 1,209,600 equals 14 days. Enter a value of -1 to never expire idle tokens.
refresh_token.absolute_expiry_in_seconds: Sets the number of seconds before refresh tokens completely expire. The default value of 31,536,000 equals 365 days. Enter a value of -1 to never expire tokens.
refresh_token.max_count_per_user: Sets the maximum number of refresh tokens that can be issued to each user. The default value is 24. Enter a value of -1 to entirely remove token limits.

To set the options above, use this syntax in the command-line interface:

tsm configuration set -k <config.key> -v <config_value>.

For example, to limit the number of refresh tokens to 5 per user, you would enter the following:

tsm configuration set -k <refresh_token.max_count_per_user> -v <5>

For more information, see TSM configuration set Options(Link opens in a new window) in Tableau Server Help.

Change session limits for Tableau Server

If you disable connected clients, the session limits for Tableau Server determine the length of a session on Tableau Mobile. These limits don’t affect connected clients, because refresh tokens re-establish the session as long as the tokens are valid. For more information, see Verify session lifetime configuration in Tableau Server Help.

In the command-line interface for Tableau Services Manager, set the following option:

wgserver.session.idle_limit

Sets the number of minutes before a Tableau session expires, again requiring sign in. The default value is 240.

Enable app lock for added security

Long-lived authentication tokens allow users to remain signed in, giving them frictionless access to data. However, you might have concerns about this open access to data in Tableau Mobile. Rather than requiring users to sign in more frequently, you can enable app lock to give users a secure yet simple way to access content.

App lock for Tableau Mobile doesn’t authenticate users with Tableau Server or Tableau Cloud; instead, it provides a layer of security for users who are already signed in. When app lock is enabled, users must open the app using the security method they have configured for unlocking their devices. Supported biometric methods are Face ID or Touch ID (iOS) and fingerprint, face, or iris (Android). Supported alternative methods are passcode (iOS) and pattern, pin, or password (Android).

Before you enable app lock

Make sure that the Connected Clients setting for Tableau Server or Tableau Cloud is enabled. For more information, see Temporarily keep users signed in. If you don’t have this setting enabled, users will be required to sign in every time they connect to Tableau Server or Tableau Cloud, eliminating the need for an app lock.

For Tableau Server, you can control precisely how long users remain signed in by adjusting the expiration values for refresh tokens. For more information, see Change how long users remain signed in to Tableau Server. An app lock is intended for use with long-lived tokens, such as those that use the default expiration values.

Note: If your Tableau Server installation uses a reverse proxy server, be aware that your users may need to sign in upon unlocking the app. This is because their reverse proxy tokens expired, but their refresh tokens are still active.

Enable the app lock setting

For Tableau Cloud

Sign in to Tableau Cloud as an administrator.
Select Settings, and then select the Authentication tab.
Under App Lock for Tableau Mobile, check the Enable app lock setting.

For Tableau Server versions 2019.4 and later

Sign in to Tableau Server as an administrator.
Navigate to the site for which you want to enable app lock.
Select Settings.
Under Tableau Mobile, check the Enable app lock setting.

For Tableau Server versions 2019.3 and earlier

The setting to enable app lock is not available for Tableau Server versions 2019.3 and earlier; however, you can still enable app lock with an AppConfig parameter for MDM and MAM systems. See RequireAppLock in AppConfig keys.

User-enabled app lock

Users can also individually enable app lock for their devices via a setting within the app. However, users can’t disable app lock via this setting if it is enabled by their administrator.

Tableau Mobile settings screen

When app lock is enabled

After you enable app lock, users who are signed in will be required to unlock the app when they open it. If users haven’t set up a method to unlock their devices, they will be prompted to do so in order to unlock the app.

If users fail to unlock the app, they will have the option to either try again or log out of Tableau. If users fail to unlock the app after five attempts using a biometric method, or if their devices are not configured for biometrics, they will be prompted to unlock using an alternative method such as a passcode.

Repeated failures to unlock the app using a passcode will result in the user being locked out of the device as a whole, not just the app. The number of attempts before this occurs depends on the device. Further attempts to unlock the device are delayed by increasing amounts of time.

Single sign-on for Tableau Mobile

For single sign-on (SSO) authentication, Tableau Mobile supports SAML and OpenID Connect for all mobile platforms and Kerberos for iOS devices.

SAML

If Tableau Cloud or Tableau Server is configured to use SAML, users are automatically redirected to the identity provider (IdP) for sign-in within Tableau Mobile. However, SAML doesn't relay credentials to other mobile apps using SSO. SAML doesn't require special configuration for mobile devices, except in the case of devices using Microsoft Intune. To enable SAML for Microsoft Intune, see Override the default browser used for authentication.

OpenID Connect

If Tableau Server is configured to use OpenID Connect for authentication, or if Tableau Cloud is configured to use Google (via OpenID Connect), single sign on takes place with the external identity provider (IdP) using the mobile device’s browser. To enable SSO with the browser, see Authentication with the device browser. To enable OpenID Connect specifically for Microsoft Intune, see Override the default browser used for authentication.

Kerberos (iOS and Tableau Server only)

To use Kerberos authentication, devices must be specially configured for your organization. Kerberos configuration is beyond the scope of this document and Tableau Support, but here are some third-party resources to help get you started.

Kerberos Single Sign-on for iOS(Link opens in a new window) on the Sam's Tech Notes blog
Mobile Single Sign On from iOS to SAP NetWeaver(Link opens in a new window) on the SAP Community Network
The Configuration Profile Key Reference(Link opens in a new window) in the iOS Developer Library

When you set up a configuration profile, you'll need the URLs used to access your Tableau server. For the URLPrefixMatches key, if you decide to list the URL strings explicitly, include URLs with all protocol options and the appropriate port numbers.

If your servers use SSL, your URLs should use the https protocol and the server’s fully qualified domain name. One of the URLs also should specify port 443.

For example, enter https://fully.qualifed.domain.name:443/ and https://servername.fully.qualified.domain.name/
If your users access your Tableau server by specifying only the local server name, you should also include those variations.

For example, enter http://servername/ and http://servername:80/

Note: Signing out does not clear Kerberos tickets on a device. If stored Kerberos tickets are still valid, anyone using a device can access the server and site a user last signed in to, without providing credentials.

Thanks for your feedback!

Your feedback has been successfully submitted. Thank you!

Tableau Mobile Deployment Guide