We have set up IP address restrictions on our network so no one outside the firm can access NetDocuments unless they authenticate through VPN or Citrix. We have discovered this does not apply to the mobile apps for Android and iOS. Any idea why this is the case? Do the mobile apps connect a certain way, or have a special way to lock them down?
First, verify whether the users are first authenticating inside the IP restrictions and then using their refresh token outside the IP range.
Once you create a valid OAuth token inside the IP range, that OAuth token will work wherever the user is. This applies to mobile, ndSync, ndOffice, and ndMail - anything using the OAuth authentication protocol.
The way our OAuth tokens work is that they act as though the conditions from the time the OAuth token was created still apply. So if you log in from inside the IP address range and create the token then, when you access the mobile app from outside the IP address range later, it acts as if you are inside the IP address range.
Users will not be able to create a refresh token (first-time login, or when renewing expired tokens) outside the IP restrictions. Only if the user has already created the token while inside the restriction will it work anywhere they go after that. If the tokens expire, the user will have to return to a secure IP address to create a new token; otherwise, they will not be able to log in outside the network.
In the future, we may implement a way to fix it so that OAuth is managed within the context of the IP restrictions. But this would need to support offline work too.
Additionally, customers may want to look into using an MDM or EMM solution to further secure their users' mobile access.
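To make the behaviour in this answer concrete, here is an added Python model (not NetDocuments code; the service class, the office IP range and the token fields are assumptions) that issues a refresh token only from an allowed IP, then contrasts checking the IP once at issuance with re-checking it on every refresh.

```python
"""Toy model of the answer above: an OAuth-style issuer that evaluates the
IP allow-list only when a refresh token is created, beside a variant that
re-evaluates it on every refresh. Constructed example; names are hypothetical."""
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed "inside the firm" range (TEST-NET-3, not a real customer range).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def ip_allowed(client_ip: str) -> bool:
    """True if the client address falls inside the IP restriction."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS)


@dataclass
class RefreshToken:
    value: str
    user: str
    issued_from: str  # IP recorded at issuance; the lenient service trusts it forever


class TokenService:
    def __init__(self, enforce_on_refresh: bool):
        self.enforce_on_refresh = enforce_on_refresh
        self._tokens: dict[str, RefreshToken] = {}

    def login(self, user: str, client_ip: str) -> RefreshToken:
        """First-time login: the IP check applies here in both variants."""
        if not ip_allowed(client_ip):
            raise PermissionError("login blocked: outside IP restrictions")
        tok = RefreshToken(secrets.token_urlsafe(16), user, client_ip)
        self._tokens[tok.value] = tok
        return tok

    def refresh(self, refresh_value: str, client_ip: str) -> str:
        """Exchange a refresh token for a new access token."""
        tok = self._tokens.get(refresh_value)
        if tok is None:
            raise PermissionError("unknown or expired refresh token")
        # Lenient variant: skip the check, so a token minted inside the range
        # keeps working from any network, exactly as the answer describes.
        if self.enforce_on_refresh and not ip_allowed(client_ip):
            raise PermissionError("refresh blocked: outside IP restrictions")
        return "access-" + secrets.token_urlsafe(8)


def can_refresh_from(service: TokenService, refresh_value: str, client_ip: str) -> bool:
    try:
        service.refresh(refresh_value, client_ip)
        return True
    except PermissionError:
        return False
```

Re-checking at refresh time rather than on every API call keeps the access token usable for its lifetime, which is the kind of trade-off the answer alludes to when it mentions offline work.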