Managed configuration for ZeroTier iOS/iPadOS app

  1. Is the ZeroTier VPN configuration a subtype of the iOS/iPadOS “Custom SSL” VPN type? Is it possible to pre-configure the ZeroTier network id using a KVP on the “Custom VPN” configuration profile payload, created either via Configurator or using the MDM/UEM configuration payload?

  2. If mobileconfig isn’t possible, can the ZeroTier app be hosted as a managed app in an MDM/UEM catalog and delivered to the device with a managed app configuration (i.e. appconfig plist or KVPs)?

At this time, the answer to both is no.

If the Authorized flag is toggled programmatically from a linked UEM based on the device’s compliance posture using the POST /api/network/{networkId}/member/{nodeId} API call, is de-authorization a “kick” or will existing connections persist? If connections persist de-authorization, is there a re-auth timer? Is the timer global, per-policy, or per-device?

A deauth is effectively a “kick”.

I must be missing something to test this in the UI. I can uncheck Auth? but nothing happens either in the UI (the device retains the ONLINE label) or on the device ([VPN] remains in the status bar). Is there a hidden Apply I’m missing in the portal?

The “ONLINE” label is just based on the last time the node talked to the network controller. It does not signify whether it is able to access the network itself.

On the device itself, “ONLINE” signifies if it can connect to other ZeroTier nodes. Again, it does not signify whether it is able to access a network itself.

The app itself will show Access Denied for the network shortly after being deauthorized.

TY. Confirmed same. Next I’ll try programmatically using the ZeroTierController PS Module.

Note that the module you’re referring to was not developed here at ZeroTier and as such we can’t really help with support if you run into any issues with it.

Understood. I actually plan to review the .psm1 directly from the repo instead of installing the .nupkg as a quickstart to writing my own client. Basically I just need a microservice to sink compliance events from the UEM and translate them into Auth toggles.
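
Added example, not part of the thread and not ZeroTier's or the PS module's code: a sketch of the compliance-event-to-Auth-toggle translation discussed above, which fails closed on ambiguous events and validates IDs before they reach the URL path. The base URL, the `token` header scheme, the `{"config": {"authorized": ...}}` body and the event fields `nodeId` / `compliant` are assumptions; only the `POST /api/network/{networkId}/member/{nodeId}` path comes from the thread.

```python
import json
import re
import urllib.request

# Assumptions (not from the thread): base URL, token header scheme, the JSON
# body shape, and the UEM event fields "nodeId" / "compliant".
API_BASE = "https://controller.example.invalid"
NETWORK_ID_RE = re.compile(r"[0-9a-f]{16}")  # ZeroTier network IDs: 16 hex digits
NODE_ID_RE = re.compile(r"[0-9a-f]{10}")     # ZeroTier node addresses: 10 hex digits


def desired_authorization(event: dict) -> bool:
    """Fail closed: only an explicit boolean True keeps the member authorized."""
    return event.get("compliant") is True


def build_member_update(network_id: str, event: dict, token: str) -> urllib.request.Request:
    """Translate one UEM compliance event into the member-update POST."""
    node_id = str(event.get("nodeId", "")).lower()
    network_id = network_id.lower()
    # IDs arrive from an external system and end up in a URL path, so reject
    # anything that is not exactly the expected hex string.
    if not NETWORK_ID_RE.fullmatch(network_id):
        raise ValueError("invalid network id")
    if not NODE_ID_RE.fullmatch(node_id):
        raise ValueError("invalid node id")
    body = {"config": {"authorized": desired_authorization(event)}}
    return urllib.request.Request(
        url=f"{API_BASE}/api/network/{network_id}/member/{node_id}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
    )


def send(req: urllib.request.Request) -> int:
    """Send the request and return the HTTP status (raises on HTTP errors)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample event; the IDs are made-up placeholders.
    sample = {"nodeId": "0123456789", "compliant": False}
    req = build_member_update("0123456789abcdef", sample, token="PLACEHOLDER")
    print(req.get_method(), req.full_url, req.data.decode())
```
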
