Overview
ChatGPT for Intune is a separate iOS app for ChatGPT Enterprise organizations that manage mobile access management (MAM) through Microsoft Intune and Microsoft Entra. It lets IT teams apply Microsoft app protection policies and Conditional Access policies to the ChatGPT mobile experience.
Availability
ChatGPT for Intune is available for iOS and iPadOS, for Enterprise accounts only.
Login requires enterprise Microsoft authentication only - ChatGPT for Intune does not support personal accounts.
Admin setup and organization onboarding with OpenAI are required.
Before you begin
ChatGPT for Intune requires organizational onboarding with OpenAI. To begin onboarding, reach out to your OpenAI account director, or contact OpenAI sales.
Additionally, check that:
You have Microsoft Intune admin access and Microsoft Entra admin access.
Intended users have the appropriate Intune and Microsoft Entra licensing.
Intended users can access the relevant ChatGPT Enterprise workspace.
Microsoft Authenticator is available on test devices if your tenant uses brokered Microsoft authentication or Conditional Access.
You have shared your Microsoft Entra tenant ID with OpenAI.
Review the app details
Use these details when reviewing the Microsoft Entra enterprise application and configuring Intune:
| App name | ChatGPT iOS Intune |
| Application ID / client ID | 9e8e8f66-e7c1-4682-a6dc-1b0d1534a132 |
| iOS bundle ID | com.openai.chat.intune |
Note: The ChatGPT iOS Intune enterprise application is separate from the standard ChatGPT iOS app. If your organization uses another enterprise application for browser or desktop ChatGPT Enterprise single sign-on, do not assume the same mobile permissions apply to ChatGPT for Intune.
Required API permissions
The ChatGPT iOS Intune enterprise application uses these delegated permissions:
User.Read— Lets the Microsoft sign-in flow read the signed-in user's basic profile.DeviceManagementManagedApps.ReadWrite— Lets the app enroll with MAM and receive or enforce the assigned app protection policy for the signed-in managed user.
Admin consent
Customer Entra admins may need to review the enterprise application and grant admin consent.
If ChatGPT for Intune does not appear in Microsoft search, inspect recent sign-in or approval attempts in Entra or Intune, approve the app, and then create or target the Intune policy around the iOS bundle ID com.openai.chat.intune.
Set up ChatGPT for Intune
Make ChatGPT for Intune available to the intended iOS users through your organization's normal app deployment process.
Make sure Microsoft Authenticator is installed and up to date on iOS test devices if your tenant uses brokered Microsoft authentication or Conditional Access.
Review the ChatGPT iOS Intune enterprise application in Microsoft Entra and grant admin consent if prompted.
Create an Intune App Protection Policy for iOS and iPadOS.
Target the intended users or groups.
Include the ChatGPT for Intune iOS app.
If ChatGPT for Intune does not appear in Microsoft search, add it as a custom iOS app with bundle ID
com.openai.chat.intune.
Confirm that the intended users are in scope for the Intune App Protection Policy.
Assign any required Conditional Access policies, or confirm that the intended test device, broker, and compliance state are allowed by your existing Conditional Access rules.
Have test users sign in and validate Microsoft authentication, MFA, policy enrollment, workspace landing, and the data loss prevention scenarios your organization needs.
App configuration policy
An App Configuration Policy is not required for the minimum iOS setup today. Use one only if your organization has a specific Intune app-configuration requirement.
You do not need to provide a workspace ID managed app configuration key for the minimum iOS setup today.
What end users should do
Install ChatGPT for Intune.
Install Microsoft Authenticator if needed.
Select Sign in with Microsoft.
Complete Microsoft authentication and MFA.
Confirm that you land in the expected enterprise environment.
Validate the specific policy scenarios your IT team cares about.
Test the setup
Ask test users to validate:
They can install and open ChatGPT for Intune.
They can select Sign in with Microsoft, complete Microsoft authentication, and satisfy MFA and Conditional Access requirements.
They are targeted by an Intune App Protection Policy that includes
com.openai.chat.intune.They land in the expected ChatGPT Enterprise account and workspace.
The assigned app protection policies apply as expected.
Current data protection behavior comes from the Microsoft Intune SDK defaults plus your organization's assigned policies.
Ask users to report crashes, authentication loops, repeated broker prompts, wrong-account landing, or policy enrollment failures with screenshots and timestamps.
Your required data loss prevention scenarios behave as expected, such as copy and paste restrictions, file transfer controls, save-as behavior, screenshot or screen-capture controls, link opening, and remote wipe behavior where supported by Microsoft Intune and the app.
Common Setup Issues
Consent or approval errors
Review the ChatGPT iOS Intune enterprise application in Microsoft Entra and grant admin consent if needed.
Check recent sign-in or consent attempts for the affected user and application ID
9e8e8f66-e7c1-4682-a6dc-1b0d1534a132.
Users are licensed for Intune but cannot sign in
Confirm that the affected users are assigned to the Intune App Protection Policy that includes
com.openai.chat.intune.Allow time for Microsoft policy propagation, then have the users fully quit and reopen the app before retrying.
Sign-in works, but app protection does not apply
Confirm that Microsoft Authenticator is installed and up to date if brokered Microsoft authentication is expected.
Confirm that the affected users are targeted by the correct Intune App Protection Policy.
Confirm that the policy includes the ChatGPT for Intune iOS bundle ID
com.openai.chat.intune.Confirm that users are testing ChatGPT for Intune, not the standard ChatGPT iOS app.
Blocked on an unmanaged or non-compliant device
Ask your Microsoft admin whether unmanaged iOS devices are allowed for the assigned Conditional Access or Intune policies.
If your policy requires device enrollment or managed-device compliance, testing on a personal unmanaged device may fail even if ChatGPT for Intune is configured correctly.
Repeated Microsoft broker prompt or MFA / Conditional Access loop
Install or update Microsoft Authenticator.
Confirm that the user can satisfy the organization's MFA and Conditional Access requirements outside ChatGPT for Intune.
Ask your Microsoft admin to check Entra sign-in logs for the affected user and the ChatGPT iOS Intune app.
Wrong workspace or account landing
If users land in the wrong workspace or account after sign-in, contact OpenAI Support with the affected user's email, Microsoft Entra tenant ID, expected workspace, and approximate timestamp with timezone.
Additional Admin Notes
ChatGPT for Intune is a separate iOS app from the standard ChatGPT app available in the Apple iOS App store - once you have completed the admin setup guidelines listed in this article, end users must download and use the ChatGPT for Intune app, and not the standard ChatGPT app.
Intune licensing alone is not sufficient. Users must also be targeted by the relevant Intune App Protection Policy.
ChatGPT for Intune supports enterprise Microsoft authentication only and does not support personal accounts.
App protection behavior depends on the policies your organization assigns and the controls supported by Microsoft Intune and the app. Validate the specific scenarios your organization needs before broad rollout.
Need More Help?
Reach out to your OpenAI account director, or contact OpenAI sales with questions. You can also contact support. It will be helpful to provide a detailed description of the problem, and important data that might help in troubleshooting, including any of the relevant info below:
the affected user's email
ChatGPT workspace
Microsoft Entra tenant ID
approximate timestamp with timezone
iOS version
ChatGPT for Intune build or version
a screenshot of the error
whether Microsoft Authenticator is installed
whether the device is enrolled, managed, or unmanaged
and whether the user is assigned to the intended Intune App Protection Policy.