Managing Mobile Endpoint


Infoblox Mobile Endpoint is a lightweight mobile cloud service that sends DNS queries over an encrypted channel using DNS over Transport Layer Security (DoT). It provides visibility into infected and compromised devices detected on the network (including Android, iOS, and ChromeOS devices), prevents DNS-based data exfiltration and DNS tunneling, and blocks device communication with botnets and their command-and-control infrastructure. Note that Mobile Endpoint is not a VPN client.

By default, the Mobile Endpoint client uses an on-device VPN to intercept DNS traffic. For iOS devices, administrators can also configure the Extension Type as a DNS Proxy. (See the Installing Mobile Endpoint section below for more details.)

Supported Devices

Mobile Endpoint supports the following devices:

  • Android 11+

  • iOS 14+

  • ChromeOS

To enable end users to connect to Infoblox Platform services, the Mobile Endpoint client must be downloaded and installed on all supported devices. The client enforces security policies applied to remote networks, regardless of where end users are located or which networks they are connected to.

You will also need to download the MDM configuration file for your device. For more details, see

Deploying Infoblox Mobile Endpoint Without MDM

As an alternative to deploying Mobile Endpoint with an MDM configuration file, you can use the MDM-less option to deploy Mobile Endpoint on iOS and Android devices. This method uses a QR code to register the app.
For details, see Deployment of MDM-less Mobile Endpoint Using QR Code (no MDM feature).

Domain Management

Mobile Endpoint routes DNS queries directly to Infoblox Threat Defense. If your network setup includes internally hosted domains, you should add them to the bypassed internal domains list to ensure uninterrupted access to local resources (e.g., servers, printers, and computers). Once added, DNS requests for internal domains are sent to local DNS servers for resolution.

Mobile Endpoint supports dual-stack IPv4/IPv6 as well as IPv6 DNS configurations. This enables it to protect devices in various network environments, including roaming clients.

When Mobile Endpoint is connected to a network, the endpoint can communicate with Infoblox Platform by using either IP protocol (IPv4 or IPv6). In dual-stack environments, Mobile Endpoint can proxy IPv6 DNS queries and forward them to Infoblox Platform over IPv4.

For information on how to add domains to the bypass list, see Configuring Internal Domains.
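
Because bypassed domains are resolved by local DNS servers rather than Infoblox Threat Defense, the bypass list is worth auditing before it is rolled out. The following is an added example, not Infoblox code: it assumes a bypass entry covers the listed domain and its subdomains (confirm the product's actual matching rule), and the helper names and domain names are constructed for illustration.

```python
# Added example (not Infoblox code). Assumption: a bypass entry covers the
# listed domain and all of its subdomains, matched on DNS label boundaries.

def normalize(name):
    """Lower-case, drop the trailing root dot, split into a tuple of labels."""
    return tuple(name.strip().lower().rstrip(".").split("."))

def is_bypassed(qname, bypass_list):
    """True if qname equals a bypass entry or is a subdomain of one."""
    q = normalize(qname)
    for entry in bypass_list:
        e = normalize(entry)
        # Compare whole labels from the right, so "notcorp.example" does not
        # match the entry "corp.example" the way a plain endswith() would.
        if len(q) >= len(e) and q[-len(e):] == e:
            return True
    return False

def route(qname, bypass_list):
    """Name the resolver path a query would take under the assumed rule."""
    return "local-dns" if is_bypassed(qname, bypass_list) else "threat-defense-dot"

def audit(bypass_list):
    """Return (entry, reason) pairs for entries that deserve a second look."""
    findings = []
    for entry in bypass_list:
        labels = normalize(entry)
        if len(labels) < 2:
            findings.append((entry, "single label: exempts an entire top-level zone"))
        others = [o for o in bypass_list if normalize(o) != labels]
        if is_bypassed(entry, others):
            findings.append((entry, "redundant: already covered by a broader entry"))
    return findings

# Constructed sample data using reserved example names.
BYPASS = ["corp.example", "printers.corp.example", "internal"]
QUERIES = ["fileserver.corp.example", "notcorp.example",
           "www.example.org", "Host.Internal."]

if __name__ == "__main__":
    for q in QUERIES:
        print(f"{q:28} -> {route(q, BYPASS)}")
    for entry, reason in audit(BYPASS):
        print(f"review {entry}: {reason}")
```

Every name routed to `local-dns` here is one that Threat Defense policy would not see, so the flagged entries are the ones to justify or narrow first.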

Additional Features

Mobile Endpoint includes the following support features to assist in managing devices with MDM:

  1. Integration with Logs

    • Allows log files to be sent directly to the Infoblox Platform.

    • Users can also choose to email logs to designated recipients, in addition to or instead of sending them to the Platform.

  2. Multiple Anycast IP Support

    • If the primary server fails, the health check redirects IP requests to the next available Anycast server. This condition persists until the primary Anycast server is operational again.

    • Once the primary Anycast server resumes operation, traffic automatically reverts to the primary server.

  3. Automatic Reestablishment of Protection

    • If a user disables Mobile Endpoint protection and does not manually re-enable it, the protection is automatically reestablished after 30 minutes of non-use.

For additional information on installing and using Mobile Endpoint, see the following: