CCM is integrated with Active Directory, passwords of CCMadministrator and CCMsysuser are syncronized.
When users try to login into extension mobility service they receive error  which is:
Proxy Authentication Not Allowed: the appID that is specified does not have rights to log in or log out other users.
I guess that appID is CCMSysUser here, so where could these right could possibly be turned on? I've tried looking in the attributes of CCMSysuser in Active Directory - no luck, nothing like proxy rights/auth found.