About MDM and in-app registration
Use Mobile Device Management (MDM) and in-app registration together to securely deliver Connected Experiences apps to a large number of devices. MDM lets you scale app delivery, secure content access, and manage data on mobile devices. With MDM and in-app registration, users can register their devices themselves from within the mobile app. They don't need direct access to Splunk Secure Gateway or a Splunk platform instance.
MDM and in-app registration are currently available for the following Connected Experiences apps:
- Splunk Mobile for iOS
- Splunk Mobile for Android
- Splunk AR for iOS
The Connected Experiences apps support MRM providers that are part of the AppConfig community. See https://www.appconfig.org/members/ to learn more about the different AppConfig member tiers. This includes, but isn't limited to, Microsoft InTune, MobileIron, VMware AirWatch, IBM, and Citrix.
See the AppConfig website for the iOS and Android standards and check with your MDM provider to see if they follow these standards:
Distributing a Connected Experiences app with MDM
As an admin, you can deploy a supported Connected Experiences app to a large number of devices using a compatible MDM provider. MDM providers that are a part of the AppConfig community are supported.
MDM offers secure app distribution within your organization so you can scale your mobile app deployment. MDM provides the following features:
- Enforce data loss prevention.
- Receive app-specific configuration information.
- Apply MDM security policies to protect your data.
- Tunnel network connections to servers behind an enterprise firewall so device users don't need to set up VPN access.
After deploying a supported Connected Experiences app with your MDM provider, configure the app for in-app registration.
In-app registration with MDM
With MDM and in-app registration, users can register their devices in the mobile app themselves. Users don't need access to Splunk Secure Gateway or a Splunk platform instance.
Generate an instance ID file to allow the mobile app to locate and connect to your Splunk platform instance. Multistep encryption ensures that your data is secure when deploying the mobile apps at scale with MDM and in-app registration.
Generate instance ID files
Generate an instance ID file from Splunk Secure Gateway on the Splunk platform instances that you want your users to register to. The instance ID file contains the Splunk Secure Gateway public key, Secure Gateway ID, deployment ID, and an MDM private signing key. The instance ID file allows the mobile device to locate and connect to the Splunk platform instances.
If you're providing users access to more than one Splunk instance, upload the instance ID files to Splunk Secure Gateway to combine them. Splunk Secure Gateway runs a concatenation script that places information from all instance ID files in a single JSON file.
Use your MDM provider to deploy a compatible Connected Experiences mobile app to user devices. The steps to do this depend on the MDM provider you're using, but generally the steps look like this:
- Load the mobile app from the Apple App Store or Google Play Store into the MDM provider portal.
- Load the instance ID file into an app configuration, conforming to the AppConfig protocol.
- Push the mobile app and the app configuration to your users' mobile devices. The Connected Experiences mobile app can then use the contents of the app configuration to allow users to register within the mobile app.
To learn more about the AppConfig protocol, see the Manage App Configuration for App Deverlops documentation at https://storage.googleapis.com/appconfig-media/appconfig-content/uploads/2017/01/ManagedAppConfig.pdf.
Sending a registration request
When a user launches the mobile app, the app presents the list of Splunk platform instances pushed in the app configuration. The user selects an instance and enters their Splunk platform credentials. The mobile app sends an encrypted and digitally signed registration request payload that contains the user's Splunk platform credentials, a version identifier, and the Splunk Secure Gateway Deployment ID to Splunk Secure Gateway.
Authenticating the device
Spacebridge routes the encrypted credentials to the Splunk instance to authenticate the registration request. Splunk Secure Gateway decrypts the payload, and if the user's credentials are authorized, Splunk Secure Gateway generates a Splunk access token and returns it to the mobile app in an encrypted bundle. Once the mobile app verifies the signature and decrypts the bundle using the device's private key, the user can access their Splunk platform data within the Connected Experiences mobile app.
Troubleshoot SAML Authentication with the Connected Experiences apps
Set up MDM and in-app registration for iOS devices
This documentation applies to the following versions of Splunk® Secure Gateway: 2.4.0, 2.0.2, 2.5.6, 2.6.3, 2.7.3