Mobile server: PWA + authentication options

Hi,

We’ve been trying to set up the Milestone XProtect Mobile server component over the last few months, and ran into some issues, which led me to write the following feature requests.

Feature 1: Support for disabling authentication options, and only allowing EntraID authentication through the web client and smart client.

Rationale: If companies expose their mobile server publicly, in the current setup, this would allow anyone to hammer the login page with credentials (basic or AD), potentially locking out AD users after a few failed attempts (or: guessing a correct login in the worst case).

When using EntraID for authentication and authorization, we get much more granular control on the login process, and added protection from this.

This is also requested by other people.

Feature 2: Modify the mobile app to allow it to reach a Mobile server behind a reverse proxy which requires extra authentication.

Rationale: We’ve got XProtect Mobile Server set up behind a reverse proxy which requires EntraID authentication before reaching the Web Client login page. This works perfectly fine using a (mobile or desktop) browser. However, when using the XProtect Mobile App, we immediately get an ‘Invalid Server Certificate’ error. All used certificates are publicly trusted and valid.

Rationale for the reverse proxy setup with extra authentication policy: Only authorized users can reach the mobile server, which effectively protects the mobile server from exploits like these.

Feature 3: PWA on the XProtect web client

Include a web app manifest in the current web client. More info here:

Web app manifests - Progressive web apps | MDN

Rationale: This way, the mobile server can be consulted from a mobile device without having to install the XProtect Mobile app. The page would behave like a (fullscreen!) native app on the device, while using the Edge or Chrome browser engine, without displaying the tabs/status bars/navigation.

This would effectively solve all of our issues (1 and 2) as well, because the web client app behaves correctly inside a browser, with the XProtect mobile server behind the reverse proxy as described above, unlike the XProtect Mobile app itself.

While these issues are not solved, we cannot publicly expose the Mobile server, which renders it more or less useless to us. A workaround could be a VPN (even: a per-app VPN solution), but we feel like there should be better options nowadays.

Thank you for the feature requests. We have added them to our backlogs for further investigation and prioritization.