/
Best Practices for Mobile Endpoint
Document toolboxDocument toolbox

Best Practices for Mobile Endpoint

Owned by Gary Leicht
Last updated: Jan 27, 2025
2 min read

Advisory: Compatibility and Deployment Requirements for Infoblox Mobile Endpoint

To enhance compatibility with VPN solutions, including on-demand VPN, Infoblox Mobile Endpoint for iOS can use the native iOS DNS proxy framework to intercept all DNS traffic.

Requirements:

  • Operating System: iOS/iPadOS 14.x or later

  • Deployment Method: Managed via an MDM (Mobile Device Management) solution

Compatibility Notes:

  • VPN Compatibility:
    Infoblox does not support any VPN clients running on the same mobile device (iOS/Android) along with Infoblox Mobile Endpoint, except when the device uses the iOS native DNS proxy framework to intercept all DNS traffic on iOS/iPadOS 14.x and later and is deployed via an MDM.

Pre-Installation Checklist

Before installing Infoblox Mobile Endpoint, ensure the following conditions are met to avoid functionality issues:

  1. Disable Local DNS Services:

    • Ensure the local device is not running any DNS service.

  2. Firewall Configuration for TCP Port 443:

    • Do not block TCP port 443, as Mobile Endpoint must access the following global IPv4 DNS Anycast addresses:

      • 52.119.41.100

      • 103.80.6.100

      • 52.119.40.100

      • 103.80.5.100

    • Mobile Endpoint must also be able to access the following domains using TCP port 443:

      • csp.infoblox.com

      • threatdefense.infoblox.com and its subdomains

  3. Firewall Configuration for UDP Port 53:

    • Do not apply any firewall rules or otherwise block UDP port 53, as Mobile Endpoint uses it to:

      • Identify the public IP address of the endpoint.

      • Determine the AWS region to which the endpoint is connected.

    • Access requirements (on UDP port 53). The UDP port 53 query is used to identify (1) the public IP address of the mobile endpoint and (2) the AWS region to which mobile endpoint is connected.:

      • 52.119.40.100

      • 103.80.5.100

  4. Restricting User Control Over the Endpoint Application:

    • Set the allowServiceControl parameter to False in the MDM application configuration to prevent users from disabling the endpoint application on their devices.

  5. Ensuring Unique Usernames:

    • Verify that the userId parameter in the MDM application configuration is properly configured and not set to its default value as per the application configuration that Infoblox provides. This ensures each device has a unique username in the Infoblox Portal.

  6. Locking VPN Configuration:

    • Add the device configuration in the MDM and push it to the devices to:

      • Prevent users from disabling or deleting the VPN configuration.

      • Enable automatic VPN configuration without requiring user action.

    • For additional information, see the MDM Enrollment Documentation.

Reinstallation and Device Restoration:

If a device is deactivated or deleted, Mobile Endpoint can be reinstalled, and the device can be restored and reconfigured.