Expand Up @@ -4384,6 +4384,100 @@ Prevent screen capture

Changing this configuration setting takes effect when mobile users restart their Mattermost mobile app or log out and log back in.

Mobile ephemeral mode
~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../../_static/badges/ent-adv.rst
:start-after: :nosearch:

See :ref:`Mobile Ephemeral Mode in mobile security features <deployment-guide/mobile/mobile-security-features:mobile ephemeral mode>` for a full description of how the timers and operations interact.

These settings apply globally to all mobile users. Changes are delivered to connected devices in real time; offline devices continue operating under their last-known configuration until they reconnect. Timer state persists across app and device restarts.

When a timer expires, active cached content such as posts and file previews is purged, and the app notifies the user that data was removed due to policy enforcement. After a purge, users re-sync from the server on reconnection — server URLs are recoverable from keychain entries so server access is not lost.

.. config:setting:: mobile-enable-ephemeral-mode
:displayname: Enable Mobile Ephemeral Mode (Mobile Security)
:systemconsole: Environment > Mobile Security
:configjson: .NativeAppSettings.MobileEnableEphemeralMode
:environment: MM_NATIVEAPPSETTINGS_MOBILEENABLEEPHEMERALMODE
:description: Controls whether mobile clients enforce server-configured ephemeral data policies. Default is **true**.

- **true**: **(Default)** Mobile clients enforce the server-configured ephemeral data policies.
- **false**: Ephemeral data policies are not enforced on mobile clients.

Enable Mobile Ephemeral Mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

+------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Controls whether mobile clients enforce the | - System Config path: **Environment > Mobile Security** |
| server-configured ephemeral data policies. | - ``config.json`` setting: ``NativeAppSettings`` > ``MobileEnableEphemeralMode`` > ``true`` |
| | - Environment variable: ``MM_NATIVEAPPSETTINGS_MOBILEENABLEEPHEMERALMODE`` |
| - **true**: **(Default)** Ephemeral data policies | |
| are enforced. | |
| - **false**: Ephemeral data policies are not | |
| enforced on mobile clients. | |
+------------------------------------------------------+--------------------------------------------------------------------------------------------------+

.. config:setting:: mobile-disconnection-timeout-seconds
:displayname: Disconnection Timeout (Mobile Security)
:systemconsole: Environment > Mobile Security
:configjson: .NativeAppSettings.MobileDisconnectionTimeoutSeconds
:environment: MM_NATIVEAPPSETTINGS_MOBILEDISCONNECTIONTIMEOUTSECONDS

Grace period after the WebSocket drops before the device is considered offline. Default is **60** seconds. Values below 5 are not recommended.

Disconnection timeout
^^^^^^^^^^^^^^^^^^^^^

+------------------------------------------------------+------------------------------------------------------------------------------------------------------------------+
| Grace period in seconds after the WebSocket drops | - System Config path: **Environment > Mobile Security** |
| before the device is considered offline. Once | - ``config.json`` setting: ``NativeAppSettings`` > ``MobileDisconnectionTimeoutSeconds`` > ``60`` |
| elapsed, the Offline Persistence Timer begins | - Environment variable: ``MM_NATIVEAPPSETTINGS_MOBILEDISCONNECTIONTIMEOUTSECONDS`` |
| counting down. | |
| | |
| Numerical input in seconds. Default is **60**. | |
| Values below 5 are not recommended. | |
+------------------------------------------------------+------------------------------------------------------------------------------------------------------------------+

.. config:setting:: mobile-offline-persistence-timer-hours
:displayname: Offline Persistence Timer (Mobile Security)
:systemconsole: Environment > Mobile Security
:configjson: .NativeAppSettings.MobileOfflinePersistenceTimerHours
:environment: MM_NATIVEAPPSETTINGS_MOBILEOFFLINEPERSISTENCETIMERHOURS

How long cached content is retained after the device goes offline. Default is **2** hours. Set to **0** for immediate purge when the Disconnection Timeout elapses.

Offline persistence timer
^^^^^^^^^^^^^^^^^^^^^^^^^

+------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| How long cached content is retained after the | - System Config path: **Environment > Mobile Security** |
| device is considered offline, in hours. | - ``config.json`` setting: ``NativeAppSettings`` > ``MobileOfflinePersistenceTimerHours`` > ``2`` |
| | - Environment variable: ``MM_NATIVEAPPSETTINGS_MOBILEOFFLINEPERSISTENCETIMERHOURS`` |
| Numerical input in hours. Default is **2**. | |
| Set to **0** for immediate purge on disconnect. | |
+------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+

.. config:setting:: mobile-auto-cache-cleanup-days
:displayname: Auto Cache Cleanup (Mobile Security)
:systemconsole: Environment > Mobile Security
:configjson: .NativeAppSettings.MobileAutoCacheCleanupDays
:environment: MM_NATIVEAPPSETTINGS_MOBILEAUTOCACHECLEANUPDAYS

Maximum age for content cached on the device, regardless of connection status. Default is **7** days. Set to **0** for zero-persistence mode.

Auto cache cleanup
^^^^^^^^^^^^^^^^^^

+------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| Maximum age in days for content cached on the | - System Config path: **Environment > Mobile Security** |
| device, regardless of connection status. | - ``config.json`` setting: ``NativeAppSettings`` > ``MobileAutoCacheCleanupDays`` > ``7`` |
| | - Environment variable: ``MM_NATIVEAPPSETTINGS_MOBILEAUTOCACHECLEANUPDAYS`` |
| Numerical input in days. Default is **7**. | |
| Set to **0** for zero-persistence mode. | |
+------------------------------------------------------+----------------------------------------------------------------------------------------------------------+

.. config:setting:: mobile-enable-secure-file-preview
:displayname: Enable secure file preview on mobile (File sharing)
:systemconsole: Site Configuration > File sharing and downloads
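Review bot: the Offline Persistence Timer table row "Set to **0** for immediate purge on disconnect" contradicts the paragraph above it, which says a value of 0 purges when the Disconnection Timeout elapses; since the grace period still applies at 0, change the table text to "immediate purge once the Disconnection Timeout elapses" so readers do not expect a purge on the first WebSocket drop. Two smaller points in the same hunk: the three timer directives carry their description as a free paragraph while ``mobile-enable-ephemeral-mode`` uses the ``:description:`` field, so the generated settings index will be inconsistent; and "Values below 5 are not recommended" should say whether a lower value is rejected or merely discouraged, and why (a short grace period lets a transient network drop start the purge countdown). It would also help to state whether the three timer settings are ignored when ``MobileEnableEphemeralMode`` is ``false``.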
39 changes: 39 additions & 0 deletions source/deployment-guide/mobile/mobile-security-features.rst
Expand Up @@ -80,6 +80,45 @@ This approach allows organizations to extend zero-trust and data loss prevention

See the :doc:`Microsoft Intune MAM configuration guide </deployment-guide/mobile/configure-microsoft-intune-mam>` for deployment and configuration details.

Mobile Ephemeral Mode
---------------------

Mobile applications typically cache messages, files, and attachments on-device indefinitely. Two security concerns drive the need for administrator-controlled data lifecycle management on mobile devices:

- **Unbounded sensitive data accumulation.** Without data-age controls, weeks or months of sensitive content can accumulate on any device a user has logged into — well beyond what operational need justifies.
- **Offline exposure after device loss.** Remotely wiping a device requires it to be reachable — the condition least likely to hold when a device is lost, stolen, or in an adversarial environment. Unmanaged or personally-owned devices may not be enrolled in MDM at all, leaving cached content with no remote deletion path.

Mobile Ephemeral Mode addresses both concerns by giving administrators direct, server-side control over how long data persists on mobile devices. The app enforces this policy locally — including while offline and across app and device restarts — so data is removed based on elapsed time, not device reachability.

Mobile Ephemeral Mode defines three distinct data operations, each triggered independently:

.. list-table::
:header-rows: 1
:widths: 15 35 50

* - Operation
- Trigger
- What happens
* - **Delete**
- Auto Cache Cleanup expiry
- Data older than the configured age threshold is removed. Authentication credentials and tokens are preserved. Users do not need to re-authenticate.
* - **Purge**
- Offline Persistence Timer expiry
- All persisted content, metadata, and files are removed. Authentication credentials and tokens are preserved in secure storage, so users can reconnect without re-authenticating.
* - **Wipe**
- Server-initiated revocation event
- All persisted data is removed, including authentication credentials and tokens. Users must re-authenticate after a wipe.

The Disconnection Timeout is a grace period before the device is considered offline, preventing brief network interruptions from triggering a purge. Once it elapses without reconnecting, the Offline Persistence Timer begins counting down.

**Timer state persists across app and device restarts.** If a device is powered back on after a threshold has passed, the purge or delete executes before any content is displayed.

Setting **Auto Cache Cleanup** to ``0`` activates zero-persistence mode: no content is ever written to disk. In this mode the Offline Persistence Timer is irrelevant — there is no local cached data written to disk to purge.

Mobile Ephemeral Mode generates an :ref:`audit log <administration-guide/manage/logging:audit logging>` event for each delete, purge, and wipe operation. Because these operations can execute on a device that is unreachable — where no administrator has direct visibility — audit logging provides verifiable proof that ephemeral policies were enforced. This supports compliance requirements for data lifecycle management and destruction accountability. Events that occur while the device is offline are reported to the server on reconnection.

See the :ref:`Mobile Ephemeral Mode configuration settings <administration-guide/configure/environment-configuration-settings:mobile ephemeral mode>` to configure these controls.

Mobile data isolation
------------------------

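Review bot: the audit-logging paragraph says events that occur offline are reported on reconnection, but the Purge row says all persisted content and metadata are removed; state explicitly that the pending audit event (and the timer state mentioned two paragraphs earlier) is held outside the purged store, so a purge cannot destroy its own evidence before the device reconnects. Also, the Wipe row's trigger is a server-initiated event, so unlike Delete and Purge it only executes once the device is reachable; one sentence saying so would keep the introduction's "not device reachability" claim accurate for all three operations rather than only for the two timer-driven ones.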
7 changes: 7 additions & 0 deletions source/security-guide/mobile-security.rst
Expand Up @@ -94,4 +94,11 @@ Burn-on-read messages reduce the window of exposure for sensitive content by aut

Administrators can enable burn-on-read messaging and set the burn-on-read duration to align with organizational policies. Learn more about :ref:`sending burn-on-read messages <end-user-guide/collaborate/send-messages:send burn-on-read messages>` and :ref:`enabling burn-on-read messages <administration-guide/configure/site-configuration-settings:enable burn-on-read messages>`.

Mobile Ephemeral Mode
---------------------

Mobile applications typically cache messages, files, and attachments indefinitely. Without data-age controls or a device-side deletion mechanism, a lost or stolen device retains all cached content — and MDM remote wipe cannot help when the device is offline. Mobile Ephemeral Mode addresses this by giving administrators timer-based controls that run on-device, independently of server connectivity, ensuring data is removed based on elapsed time rather than device reachability.

Administrators can configure the maximum age of cached content and how long data persists after a device goes offline. A server-initiated wipe triggered by access revocation removes all data, including credentials, as soon as the device receives the command. Learn more about :ref:`Mobile Ephemeral Mode <deployment-guide/mobile/mobile-security-features:mobile ephemeral mode>`.

`Book a live demo <https://mattermost.com/request-demo/>`_ or `talk to a Mattermost expert <https://mattermost.com/contact-sales/>`_ to explore tailored solutions for your organization's secure collaboration needs. Or try Mattermost yourself with a `1-hour preview <https://mattermost.com/sign-up/>`_ for instant access to a live sandbox environment.
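Review bot: the second paragraph says a server-initiated wipe removes data "as soon as the device receives the command", which has the same reachability dependency the first paragraph criticises in MDM remote wipe; make it explicit that the offline case is covered by the on-device timers (purge on Offline Persistence Timer expiry, delete on Auto Cache Cleanup expiry) and that the wipe adds credential removal once the device reconnects, so the security guide does not read as if access revocation alone protects a lost offline device.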
5 changes: 3 additions & 2 deletions source/use-case-guide/mission-ready-mobile.rst
Expand Up @@ -5,7 +5,7 @@ Mission environments demand secure, reliable mobile collaboration, from intellig

Mattermost provides a secure, mission-ready mobile platform built for defense, law enforcement, and public sector operations. Optimized for low-bandwidth and disconnected conditions, Mattermost ensures secure communication on government-issued devices while enabling compliant collaboration on personal phones—without reliance on consumer apps or invasive controls.

With protections including ID-only push notifications, biometric authentication, jailbreak detection, and full MDM/EMM support, Mattermost delivers control, compliance, and usability across a range of challenging field conditions.
With protections including ID-only push notifications, biometric authentication, jailbreak detection, ephemeral data lifecycle controls, and full MDM/EMM support, Mattermost delivers control, compliance, and usability across a range of challenging field conditions.

.. image:: /images/mission-ready-mobile.png
:alt: An infographic illustrating "Security-Optimized Mobility" with two devices side-by-side: A Mattermost server (on the left) and a mobile device (on the right). The Mattermost server displays a list of security features, including "Zero Trust Security (Channel ABAC, Files ABAC)," "Secure File Viewer," "TLS Data in Transit (Post Quantum)," "Authentication and Access Control (MFA, SSO)," "Data Spillage Handling," and more, with asterisks (*) indicating functionality scheduled for release later in 2025. On the right, the mobile device mirrors corresponding security features, such as "Secure File Viewer," "TLS," "Burn on Read," "End-to-End Encryption," "Biometric Authentication," and others, with blue arrows connecting the related features on the server and the mobile device, signifying seamless integration and support for advanced security across these endpoints.
Expand All @@ -32,7 +32,7 @@ When personal devices are the only available channel—whether in partner nation

**Benefits**

- **Enable trusted communications on BYOD** using lightweight AppConfig policies with :doc:`EMM optionality </deployment-guide/mobile/deploy-mobile-apps-using-emm-provider>` that avoids intrusive control while ensuring essential security baselines.
- **Enable trusted communications on BYOD** using lightweight AppConfig policies with :doc:`EMM optionality </deployment-guide/mobile/deploy-mobile-apps-using-emm-provider>` that avoids intrusive control while ensuring essential security baselines. Pair with :ref:`Mobile Ephemeral Mode <deployment-guide/mobile/mobile-security-features:mobile ephemeral mode>` to enforce admin-controlled data lifecycle — automatically purging cached messages without requiring MDM connectivity.
- **Prevent unauthorized data sharing**: Mitigate leakage with :ref:`screenshot and screen recording prevention <deployment-guide/mobile/mobile-security-features:screenshot and screen recording prevention>` and :ref:`jailbreak/root detection <deployment-guide/mobile/mobile-security-features:jailbreak and root detection>` that block high-risk mobile behaviors.
- **Secure access without cloud dependency** via :ref:`self-hosted deployments <deployment-guide/server/server-deployment-planning:deployment options>` or :doc:`air-gapped infrastructures </deployment-guide/reference-architecture/deployment-scenarios/air-gapped-deployment>` that prevent sensitive data from touching public networks.
- **Deliver rapid alerts with low bandwidth impact** using :ref:`ID-only push notifications <administration-guide/configure/environment-configuration-settings:id-only push notifications>`, ideal for DDIL (disconnected, intermittent, low-bandwidth) conditions.
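Review bot: "without requiring MDM connectivity" in the BYOD bullet understates the property; the timers run without any server connectivity, MDM or otherwise, so "independently of server or MDM connectivity" is more accurate. "Automatically purging cached messages" also names only one of the two timer-driven operations; the Auto Cache Cleanup delete removes files and attachments by age as well, so "purging cached messages and files" (or "cached content") matches the deployment guide's wording.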
Expand All @@ -48,6 +48,7 @@ Mattermost on mobile is hardened to operate under mission-grade security expecta
- **Zero Trust security architecture** with channel- and file-level :doc:`attribute-based access control (ABAC) </administration-guide/manage/admin/attribute-based-access-control>`.
- **TLS with post-quantum readiness** and end-to-end* :doc:`encryption options </security-guide/security-guide-index>` for high-assurance deployments.
- **Burn-on-read messaging**: Use :ref:`secure file viewers <security-guide/mobile-security:secure file preview>`, :ref:`burn on read messaging <end-user-guide/collaborate/send-messages:send burn-on-read messages>`, and advanced data spillage controls* to protect sensitive information and minimize persistent data exposure.
- **Ephemeral data lifecycle controls**: :ref:`Mobile Ephemeral Mode <deployment-guide/mobile/mobile-security-features:mobile ephemeral mode>` enforces admin-defined retention limits on approved personal devices — automatically deleting cached content by data age and time offline, with audit logging of deletion events reported to the server on reconnection.
- **DoD STIG container support** with FIPS 140-3 validation*, and :ref:`audit logging <administration-guide/manage/logging:audit logging>` to ensure deployment compliance in regulated missions.
- **Isolated mobile sessions** from host operating systems by partnering with platforms like Hypori in high-assurance BYOD scenarios.

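Review bot: "on approved personal devices" narrows the scope incorrectly; the configuration settings apply globally to all mobile users, so managed and government-issued devices are covered too, and the bullet should say "on mobile devices" or drop the qualifier. Also check whether this bullet needs the asterisk the neighbouring items use for functionality scheduled for later release, since it is the only new feature in the list without one.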