Currently Domino Mobile Apps doesn't work with the on-demand VPN feature of iOS, which basically auto-connects VPN based on a list of configured domains. Most organizations will not expose their Domino servers via NRPC to the internet, so a VPN connection is often a requirement for DMA to work.
In iOS, features like on-demand VPN can only be used if the app interacts with the networking APIs correctly: https://developer.apple.com/library/archive/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/CommonPitfalls/CommonPitfalls.html
Specifically:
- "In iOS, using sockets directly using POSIX functions or CFSocket does not automatically activate the device’s cellular modem or on-demand VPN."
- "If the server is on the other side of an on-demand VPN that becomes available only when the user tries to access a whitelisted host, connecting by IP does not activate that VPN, which means that the host will never become reachable."
- "In iOS, NSFileHandle does not automatically activate the device’s cellular modem or on-demand VPN."
According to HCL support, DMA currently uses these network APIs in a way that doesn't support on-demand VPN.
Desired situation:
- user opens DMA
- VPN connects automatically (based on the Domino server FQDN), everything works
- user stops using DMA
- VPN disconnects automatically after 1 minute idle timeout
Current situation:
- user opens DMA, gets a connection failure message
- user opens VPN client, navigates to profiles, switches from "on-demand" (which is used for everything else) to "manual for DMA" and connects
- user opens DMA again, now everything works
- user stops using DMA
- user opens VPN client again and terminates the VPN connection
- user tries to work with other apps, gets connection failures
- user remembers (with a hint from the help desk) that he/she forgot to switch the VPN profile back to "on-demand" after using DMA
- user opens VPN client (again), navigates to profiles, switches from "manual for DMA" back to "on-demand"
- user can continue working normally, until he/she wants to use DMA again
Please ask Apple to support on-demand VPNs when software is using POSIX for networking.
We are unable to fix this as it's a limitation in iOS, not Nomad. As Nomad uses NRPC (Notes Remote Procedure Call) through a Web Secure Sockets layer (WSS), this is only available on iOS by using POSIX for networking.
Apple's own documentation states that iOS does not support enacting an on-demand VPN from a POSIX connection. Therefore we are unable to effect a change that would enable this function.
The user will have to enable the VPN if outside a corporate connected network.
https://developer.apple.com/library/archive/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/CommonPitfalls/CommonPitfalls.html#//apple_ref/doc/uid/TP40010220-CH4-SW2
Is this still a limitation? https://help.hcltechsw.com/nomad/1.0/hcln_limitations.html
I agree with this idea. In my company, we are using VM-Airwatch as MDM/MAM. I want to use Nomad Apps, but I cannot connect to the Domino server from a mobile device. Adding support for iOS on-demand VPN is very important for the development of Domino and Nomad.
Necessary implementation (doesn't work on VMware WS1)
I support the idea. Also keep in mind that you can solve that problem today by deploying a Domino passthru server in the DMZ and configure your Nomad clients via MarvelClient to use Domino passthru as the gateway to your "real" Domino servers.
I support the demand for an expansion of VPN support. Without on-demand VPN the app is useless.
For us this missing feature is also a reason why we haven't rolled out the DMA/Nomad Client.
We have long worked with HCL and MobileIron on this issue.
Our users want their data on the road and not to manually activate VPN each time.
In our current situation that is a severe issue, because our executives want to switch to Exchange-based services, because "they are better".
This should be up and working fast in the mobile app, so that we can score a point to stay with Domino.
That is the reason why we have not yet deployed DMA to our 15.000 iOS devices.
Besides iOS On-Demand VPN, Per App VPN using MobileIron or Airwatch App tunnel should be supported too.
iOS On-Demand VPN is used by many customers I'm working with. They would expect that VPN on demand can be used like any other app will do. Apple provides easy to use network APIs to support on-demand VPN.
Why is it that complicated to add it to Nomad?
Without this feature DMA is nearly useless for users on the road. They will find it too bothersome to do all the manual steps.