Difference between revisions of "Mobile App Installation"

From TMS Support Wiki
(SSL stuff)
Line 61: Line 61:


=== Overview of the SSL issue ===
=== Overview of the SSL issue ===
iOS and Android are not easily able to resolve hostnames on an internal network. They are hard-coded at the OS level to use specific, remote DNS servers, even if you manually specify one in settings. Disabling this requires jailbreaking/rooting the device which is not something most IT departments will consider. Using the IP address in the path instead of the hostname is usually the simple way of side-stepping this issue, however that causes problems when the server requires an SSL connection, as the certificate will likely be based on the hostname and not the IP address.
iOS and Android are not easily able to resolve hostnames on an internal network. They are hard-coded at the OS level to use specific, remote DNS servers (namely Google's server), even if you manually specify your own in network settings. Disabling this requires jailbreaking/rooting the device which is not something most IT departments will consider. Using the IP address in the path instead of the hostname is usually the simple way of side-stepping this issue, however that causes problems when the server requires an SSL connection, as the certificate will likely be based on the hostname and not the IP address.


=== Solution ===
=== Solution ===
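Review bot: The revised Overview paragraph now reads "specific, remote DNS servers (namely Google's server)", which pairs a plural with a singular and attributes the resolver behaviour of both iOS and Android to one vendor with no source given on the page. Either cite where that comes from or keep the earlier neutral wording, since IT staff will base DNS and firewall troubleshooting on this sentence. The edit summary "(SSL stuff)" also gives no hint that a factual claim about DNS changed; a summary naming the DNS wording would make the revision easier to audit.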

Revision as of 12:07, 7 March 2022

Overview

The PTS 5 mobile app's primary purpose is to facilitate the recording of collection and delivery of prescriptions, either from the dispensary to the ward, or from the hospital to a patient's home address. This is known as delivery tracking and was formerly the sole purpose of the app; however, new features are being added all the time.

Installation

The PTS 5 App is available for both Android and iOS devices. If you have yet to purchase a device it is important to consult with IT as more often than not the choice between iOS or Android will be dictated by them, and in most cases devices not purchased through IT will not be able to connect to the internal network correctly.

Android

  1. The latest version of the app is always made available on Google Play (search “PTS 5”). It is preferable to install the app via Google Play as this will ensure that you get any software updates automatically and free of charge. An internet connection is required.
  2. Your IT department should have an MDM (mobile device management) solution in place for deploying and managing apps on your Trust’s devices. If this is the case it would be a good idea to consult with your IT department about the best way to proceed. A centralised solution like this is usually preferable to ad-hoc, unmanaged installations.
  3. Alternatively, the apk file is available for download from tmsinsight.com. If you have no other option you may download the installer to your computer and then transfer the file to your device for installation.
  4. Once the application is installed it is critical that the device is connected to the internal wireless network. The app will not function if it cannot connect to your PTS application server.
  5. The app will attempt to verify your software licence with each login attempt. Licences are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.

iOS

Firstly, it is even more important that you involve Trust IT in the purchasing, setup and deployment of iOS devices and apps. Unless you follow Trust IT procedures, you will be unable to connect a device to your internal wireless network and you will not be able to download the app to your device. It’s not possible to circumvent Trust IT iOS policies.

  1. The iOS version of the app is what’s known as a Custom app for Private Distribution (previously known as a B2B app). The difference between this and a normal app is the way it is listed; the app does not appear on the normal app store and instead only appears in Apple Business Manager once we have approved your Organisation ID.
  2. In Apple Business Manager, sign in with an account that has privileges to manage system-wide settings.
  3. Click Settings at the bottom of the sidebar, click Enrolment Information below Organisation Settings, then enable Custom Apps.
  4. Let us know your Organisation ID so we can add your organisation to the approval list for PTS Delivery. To locate your Organisation ID, go to Settings, then select Device Management Settings below Organisation Settings.
  5. You can now purchase the PTS 5 app from the Custom Apps section.
  6. Once licences have been purchased, you must then turn to your MDM (mobile device management) solution to roll the app out to users’ devices. You should refer to the instructions supplied by the MDM vendor for the correct procedure.
  7. Once the application is installed it is critical that the device is connected to the internal wireless network. The app will not function if it cannot connect to your PTS application server.
  8. The app will attempt to verify your software licence with each login attempt. Licences are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.

Further iOS Purchasing Notes

  1. Instructions for how to use Apple Business Manager are subject to change without notice.
  2. Even though Apple’s directions don’t mention it, we also sometimes seem to need your Organisation Name that corresponds with the Organisation ID. The organisation name field is case-sensitive and requires matching punctuation.
  3. For the time being we can still support organisations that are enrolled with the older VPP program. The process is much the same; we simply need the APP Apple ID (which takes the form of an email address) as opposed to the newer Organisation ID. We do not know for how much longer the VPP program will be supported.

App Settings

Once the app is installed there are a few settings that need to be set before you can use it.

  • PTS Server IP Address
    Enter the IP address of your PTS application server, e.g. 192.168.0.1. If you don’t know what it is, IT will be able to find it out for you if you send them the URL you normally use to access PTS. Alternatively you can enter the direct path to the PTS API directory, e.g. https://192.168.0.1/PTSWeb/api/
  • Auto-Upload
    If enabled the app will attempt to automatically upload data after every collection or delivery. This is usually desirable but can get annoying if network conditions mean that each upload takes a long time.
  • Domain Username
    Sometimes, a network will insist that you provide domain credentials (AKA Windows credentials or Active Desktop credentials) before it will allow the app to access an internal server such as your PTS server. If this is the case, enter a valid username here. This account is ONLY used to let the app connect to your network; nothing you do within the app is necessarily assigned to this user.
  • Domain Password
    If you are providing domain credentials enter the corresponding password here. If you have a generic login for pharmacy that you use to log in to your PCs we recommend that you use those credentials.
  • Require bag scan on delivery
    If enabled, attempting to deliver a bag will prompt the user to confirm the correct bag is being delivered by scanning it again.
  • Skip user scan on collection
    The app needs to know who is performing collection and whether they have permission to do it. The app can either prompt for a user's barcode to be scanned and attribute the collection to them, or skip the user scan prompt and attribute collection to the currently logged in user. Typically the user scan on collection is skipped, assuming delivery personnel can authorise their own collections.
  • Skip user scan on delivery
    The app needs to know who is performing delivery and whether they have permission to do it. The app can either prompt for a user's barcode to be scanned and attribute the delivery to them, or skip the user scan prompt and attribute delivery to the currently logged in user. Typically the user scan on delivery is not skipped, and delivery personnel should be made to authorise deliveries by scanning a valid recipient's barcode.
  • Minimum Delivery Proximity
    If a delivery address is specified on the item then the app assumes that the delivery is off-site, such as to a patient's home address. For convenience - and as a safeguard - the app will not allow delivery if it deems the destination to be too far away, and will instead suggest GPS navigation beyond a certain distance from the destination address. The minimum distance is defined here, in metres. This feature can be effectively disabled by entering a very high value.

SSL

Attempting to use an SSL (HTTPS) connection to the PTS server is likely to fail without some changes to the certificate.

Overview of the SSL issue

iOS and Android are not easily able to resolve hostnames on an internal network. They are hard-coded at the OS level to use specific, remote DNS servers (namely Google's server), even if you manually specify your own in network settings. Disabling this requires jailbreaking/rooting the device, which is not something most IT departments will consider. Using the IP address in the path instead of the hostname is usually the simple way of side-stepping this issue; however, that causes problems when the server requires an SSL connection, as the certificate will likely be based on the hostname and not the IP address.

Solution

iOS Only

It may be possible to override the remote DNS server lookup by adding .local to the hostname in the PTS Server IP Address field. For example:

https://PTSServer.local/PTSWeb/api/

However, this may require that Apple's Bonjour service is installed on the server, and it's possible that the .local version of the hostname may need to be added to the certificate (see below).

All Device Types

The better solution is to generate a new SSL certificate that references the IP address of the server as a Subject Alternative Name (SAN).

SANs are normally used when multiple hostnames are routed to the same server and the SSL certificate should accept them all. A little-known feature is that it's possible to add an IP address as a SAN too. The process for adding SANs to a certificate is beyond the scope of this guide, but suffice it to say that the IP address of the PTS server should be added to the SAN list.

For example:

SAN 1: DNS Name=pts

SAN 2: DNS Name=ptsserver

SAN 3: DNS Name=pts.local

SAN 4: IP Address=93.184.216.34

SAN 5: IP Address=2606:2800:220:1:248:1893:25c8:1946

Note the difference between the "DNS Name" and "IP Address" headers. It's conceivable that adding the IP address as a DNS Name may help too in certain edge cases.
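The following is an added example, not part of the original wiki page or the PTS product: a small checker that takes a value as it would be typed into the PTS Server IP Address setting and reports whether a certificate's SAN list covers it, treating "DNS Name" and "IP Address" entries separately as a strict TLS client does. The function names and the tuple layout (borrowed from Python's `ssl.SSLSocket.getpeercert()`) are assumptions made for illustration, and the SAN list is constructed from the example above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list mirroring the example above, shaped like the
# "subjectAltName" entry returned by ssl.SSLSocket.getpeercert().
EXAMPLE_SANS = (
    ("DNS", "pts"),
    ("DNS", "ptsserver"),
    ("DNS", "pts.local"),
    ("IP Address", "93.184.216.34"),
    ("IP Address", "2606:2800:220:1:248:1893:25c8:1946"),
)

def _as_ip(text):
    """Return an ipaddress object for an IP literal, or None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def host_from_setting(value):
    """Pull the host out of the server setting (bare host/IP or full URL)."""
    value = value.strip()
    if _as_ip(value) is not None:
        return value
    if "://" not in value:
        value = "https://" + value
    return urlsplit(value).hostname or ""

def san_covers(setting, sans=EXAMPLE_SANS):
    """Return (covered, san_type) for the host a strict TLS client would verify."""
    host = host_from_setting(setting)
    ip = _as_ip(host)
    if ip is not None:
        # IP literals are matched only against "IP Address" entries;
        # comparing parsed addresses ignores IPv6 case and zero compression.
        hit = any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
        return hit, "IP Address"
    # Hostnames: case-insensitive exact match on "DNS" entries (no wildcards here).
    hit = any(k == "DNS" and v.lower() == host.lower() for k, v in sans)
    return hit, "DNS"

if __name__ == "__main__":
    for s in ("93.184.216.34", "https://192.168.0.1/PTSWeb/api/",
              "https://PTSServer.local/PTSWeb/api/"):
        print(s, san_covers(s))
```

With the example SAN list, `https://PTSServer.local/PTSWeb/api/` is reported as not covered because only `pts.local` and `ptsserver` are listed, which is the case the iOS note describes when it says the .local name may need adding to the certificate.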