Discussions
Start typing to search…

Discussions

Ask a Question
Back to all

Parametrize Android/iOS apps for MDM.

3 days ago

Hi people,

I have recently been rolling out ControlD in our organization. Mac/Windows/Linux deployment went smoothly, however, I had problems with deploying en masse to mobile devices. Note that I have already sent an email about this to customer support, but I would like to duplicate it here.

The problem with iOS is less severe -- I can just deploy a single endpoint for all iOS devices using an MDM profile, however with Android you're stuck with one of the two methods:

  1. Manually type the DoT endpoint into Android's Private DNS. This has the following downsides:
    1. Uses a non-standard port (853/tcp) -- many public hotspots block this one, preventing the device from using the hotspot until you disable Private DNS
    2. Not scalable -- unfortunately Android doesn't have a way to specify Private DNS in an MDM policy.
  2. Give out provision links to users, to use ControlD Quick Setup app
    1. ControlD app installs itself as a VPN overlay -- I think this will prevent users from using another (e.g. corporate) VPN together with ControlD.
    2. Again, not scalable.
  3. Push ControlD Quick Setup app through MDM
    1. Can use DoH on Android, so not blocked by hotspots
    2. Again, uses up VPN overlay on Android (and presumably iOS -- but on iOS you can just use DoH profiles)
    3. Can be done, but there's no way to personalize the app at scale, even if using a single profile for all devices

However, for point 3, there is a way to solve this. Mobile apps can be parametrized by including the necessary parameters in the app manifests.

For Android, here's a doc on developer.android.com on how you can include parameters (such as profile name, or other stuff) into the app manifest so that corporate MDM could manage them.

For iOS, there's something called Total App Setup by iMazing Profile Editor which I use to generate profiles -- but it again requires those parameters to be exposed (I didn't research on how to do this on iOS.

PS. Dear ControlD team -- I see you have some managed payloads for Intune in your documentation, but I'm not sure if this can be translated for Jumpcloud. Again, Jumpcloud relies on managed parameters on Android (notably, Slack supports this). Would be very cool if you added this to your app.

Thank you!

Log in to add a comment.