Cloud Secure Edge (CSE) Mobile App

Description

The mobile app is a cross-platform endpoint client, installed on end users’ mobile devices. The app is used to register and authenticate end users’ devices with the Cloud Command Center. Note that the mobile app is optional on MDM-managed devices, on which you can install a Device Certificate via your device manager.

Key features of the mobile app

The mobile app provides the following features:

  • Device Registration for device authentication
  • Device Trust Scoring for device posture checks
  • Auto-update capability so an end user can upgrade with a single click
  • List of Service Tunnels an end user can access
  • List of Hosted Websites an end user can access

Register the Mobile App & Supported OSs

The mobile app allows your end users to register their device with Cloud Secure Edge (CSE) and access CSE-secured services.

Supported OSs

Detailed installation instructions for your users to install the CSE apps can be found in the Support Portal.

The mobile app can be installed on the following platforms:

Platform    Operating System Versions
iOS         iOS 15+
Android     Android 12+

Installation

The mobile app can be downloaded from the Apple App Store or the Google Play Store.

Registration

The mobile app securely registers an end user’s device, allowing organizations to roll out a zero-trust security model whereby corporate applications are only accessed by registered devices. By default, CSE’s device registration flow is designed for a zero-trust security model and requires end users to complete the following steps:

  1. Provide the Invite Code needed to register a device to an organization;
  2. Authenticate with the organization’s Identity Provider;
  3. Set device ownership type; and
  4. Install certificates.

Once the end user has completed these steps, a Trusted Device Certificate will be issued for the device and placed in the application keychain.

Accessing Services and Networks via the Mobile App

Overview

Using the mobile app, end users can access Hosted Websites and Service Tunnels.

Accessing Hosted Websites

Once registered, end users can access any Hosted Websites assigned to them via the Services tab.

Tapping on the Open button will navigate end users to the relevant website in their default browser.

Note on Root Certificates

The Trusted Root and Device Certificates for registered mobile devices are stored in the application keychain. In order for end users to access Hosted Websites on mobile devices, the device must be able to pass TLS validation. There are two options for accomplishing this:

  • Protect your Hosted Website with Let’s Encrypt Certificates. Both iOS and Android devices implicitly trust Let’s Encrypt certificates. No additional configuration is required.
  • Leverage a Device Manager to push a Private PKI certificate. If your website is protected by your own Custom Certificate or the Cloud Secure Edge (formerly Banyan) PKI, you can leverage a Device Manager to push that certificate to the mobile device for TLS validation.
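
The private PKI case, shown as an added example (not CSE tooling and not code from this page): a certificate issued by a private root fails TLS validation against built-in roots and passes once that root is trusted. The hostname app.example.internal, the function names and the throwaway CA are constructed, and the local OpenSSL default trust store is assumed as a stand-in for the device's built-in roots.

```shell
#!/bin/sh
# Added example. Every name, hostname and certificate here is constructed.

# Build a throwaway private root CA and a leaf certificate for a hypothetical
# Hosted Website, standing in for a Custom Certificate from a private PKI.
make_demo_pki() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Private Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/leaf.csr" -days 1 \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Print "trusted" when the certificate chains to a trusted root and matches
# the hostname, otherwise "untrusted". Without a third argument only the local
# default trust store is consulted (assumed stand-in for the device's built-in
# roots). A third argument adds one root, as a Device Manager push would.
tls_validation() {
  cert=$1; host=$2; extra_root=$3
  if openssl verify -verify_hostname "$host" \
       ${extra_root:+-CAfile "$extra_root"} "$cert" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# Demo on the constructed PKI.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" app.example.internal
echo "built-in roots only: $(tls_validation "$demo_dir/leaf.pem" app.example.internal)"
echo "private root pushed: $(tls_validation "$demo_dir/leaf.pem" app.example.internal "$demo_dir/root.pem")"
rm -rf "$demo_dir"
```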

Accessing Service Tunnels

End users can access Service Tunnels assigned to them via the Tunnel tab.

The Tunnel tab shows the last-accessed Service Tunnel for the end user. The user can connect and disconnect from the tunnel by tapping the large Connect button.

Note: When connecting to a tunnel for the first time, the end user must grant the mobile app permission to configure the VPN on the device.

End users can choose which Service Tunnel to connect to by tapping the Change Tunnel button. They will then be presented with a list of Service Tunnels that are assigned to them, and they can pick which tunnel to connect to by tapping on that tunnel.

Note on Android VPN settings

Android devices have a Block connections without VPN setting which, when turned on, drops all traffic that does not go through a VPN. Because Service Tunnels on mobile tunnel only select traffic, turning this setting on causes the device to drop network traffic and not work properly. Do NOT turn on the Block connections without VPN Android setting when using Service Tunnels on mobile.
