Difference between revisions of "Mobile App Installation"

From TMS Support Wiki
(SSL stuff)
 
(58 intermediate revisions by the same user not shown)
Line 1: Line 1:
<h2>Overview</h2>
The PTS 5 mobile app's primary purpose is to facilitate the recording of collection and delivery of prescriptions, either from the dispensary to the ward, or from the pharmacy to a patient's home address. This is known as delivery tracking and was formerly the sole purpose of the app, however new features are being added all the time.
The PTS 5 mobile app's primary purpose is to facilitate the recording of collection and delivery of prescriptions, either from the dispensary to the ward, or from the hospital to a patient's home address. This is known as delivery tracking and was formerly the sole purpose of the app, however new features are being added all the time.


<h2>Installation</h2>
=Hardware Requirements=
<ul>
<li>The current minimum supported Android OS version is Android 6.0 "Marshmallow".</li>
<li>The current minimum supported iOS version is iOS 14 (iOS 12 for v1.86 and older).</li>
<li>The device must have a camera and the app must have permission to use it.</li>
<li>The device must be connected to the internal wireless network and/or be able to access your PTS application server over HTTP or HTTPS (as appropriate).</li>
</ul>
 
=Installation=
The PTS 5 App is available for both Android and iOS devices. If you have yet to purchase a device it is important to consult with IT as more often than not the choice between iOS or Android will be dictated by them, and in most cases devices not purchased through IT will not be able to connect to the internal network correctly.
The PTS 5 App is available for both Android and iOS devices. If you have yet to purchase a device it is important to consult with IT as more often than not the choice between iOS or Android will be dictated by them, and in most cases devices not purchased through IT will not be able to connect to the internal network correctly.


<h3>Android</h3>
==Android==
<ol><li>The latest version of the app is always made available on Google Play (search “PTS 5”). It is preferable to install the app via Google Play as this will ensure that you get any software updates automatically and free of charge. Internet connection is required.</li>
<ol><li>The latest version of the app is always made available on Google Play (search “PTS 5”). It is preferable to install the app via Google Play as this will ensure that you get any software updates automatically and free of charge. Internet connection is required for this.</li>
<li>Your IT department should have an MDM (mobile device management) solution in place for deploying and managing apps on your Trust’s devices. If this is the case it would be a good idea to consult with your IT department about the best way to proceed. A centralised solution like this is usually preferable to ad-hoc, unmanaged installations.</li>
<li>Your IT department should have an MDM (mobile device management) solution in place for deploying and managing apps on your Trust’s devices. If this is the case it would be a good idea to consult with your IT department about the best way to proceed. A centralised solution like this is usually preferable to ad-hoc, unmanaged installations.</li>
<li>Alternatively, the apk file is available for download from tmsinsight.com. If you have no other option you may download the installer to your computer and then transfer the file to your device for installation.</li>
<li>Alternatively, we can provide the latest apk file for manual installation. If you have no other option you may download the apk file to your computer and then transfer the file to your device for installation.</li>
<li>Once the application is installed it is critical that the device is connected to the internal wireless network. The app will not function if it cannot connect to your PTS application server.</li>
<li>The app will attempt to verify your software license with each login attempt. Licenses are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.</li></ol>
<li>The app will attempt to verify your software license with each login attempt. Licenses are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.</li></ol>


<h3>iOS</h3>
==iOS==
Firstly, it is even more important that you involve Trust IT in the purchasing, setup and deployment of iOS devices and apps. Unless you follow Trust IT procedures, you will be unable to connect a device to your internal wireless network and you will not be able to download the app to your device. It’s not possible to circumvent Trust IT iOS policies.
Firstly, it is even more important that you involve Trust IT in the purchasing, setup and deployment of iOS devices and apps. Unless you follow Trust IT procurement procedures, you will be unable to connect a device to your internal wireless network and you will not be able to download the app to your device.


<ol><li>The iOS version of the app is what’s known as a Custom app for Private Distribution (previously known as a B2B app). The difference between this and a normal app is the way it is listed; the app does not appear on the normal app store and instead only appears in Apple Business Manager once we have approved your Organisation ID.</li>
<ol><li>The iOS version of the app is what’s known as a Custom app for Private Distribution (previously known as a B2B app). The difference between this and a normal app is the way it is listed; the app does not appear on the normal app store and instead only appears in Apple Business Manager once we have approved your Organisation ID.</li>
<li>In Apple Business Manager, sign in with an account that has privileges to manage system-wide settings.</li>
<li>In Apple Business Manager, sign in with an account that has privileges to manage system-wide settings.</li>
<li>Click Settings at the bottom of the sidebar, click Enrolment Information below Organisation Settings, then enable Custom Apps.</li>
<li>Click Settings at the bottom of the sidebar, click Enrolment Information below Organisation Settings, then enable Custom Apps.</li>
<li>Let us know your Organisation ID so we can add your organisation to the approval list for PTS Delivery. To locate your Organisation ID, go to Settings, then select Device Management Settings below Organisation Settings.</li>
<li>Go to Settings, then select Device Management Settings below Organisation Settings. Make a note of your Organisation ID and Organisation Name.</li>
<li>You can now purchase the PTS 5 app from the Custom Apps section.</li>
<li>Let us know the Organisation ID and corresponding Organisation Name so we can add your organisation to the list for PTS 5 app distribution. Bear in mind that the Organisation Name must match exactly, including punctuation and case sensitivity.</li>
<li>We'll let you know your organisation is registered. You can now "purchase" the PTS 5 app from the Custom Apps section.</li>
<li>Once licenses have been purchased, you must then turn to your MDM (mobile device management) solution to roll the app out to user’s devices. You should refer to the instructions supplied by the MDM vendor for the correct procedure.</li>
<li>Once licenses have been purchased, you must then turn to your MDM (mobile device management) solution to roll the app out to user’s devices. You should refer to the instructions supplied by the MDM vendor for the correct procedure.</li>
<li>Once the application is installed it is critical that the device is connected to the internal wireless network. The app will not function if it cannot connect to your PTS application server.</li>
<li>The app will attempt to verify your software license with each login attempt. Licenses are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.</li></ol>
<li>The app will attempt to verify your software license with each login attempt. Licenses are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.</li></ol>


<h4>Further iOS Purchasing Notes</h4>
===Further iOS purchasing notes===
<ol><li>Instructions for how to use Apple Business Manager are subject to change without notice.</li>
<ol><li>Instructions for how to use Apple Business Manager are subject to change without notice.</li>
<li>Even though Apple’s directions don’t mention it, we also sometimes seem to need your Organisation Name that corresponds with the Organisation ID. The organisation name field is case-sensitive and requires matching punctuation.</li>
<li>Again even though Apple’s directions don’t mention it, we also need your Organisation Name that corresponds with the Organisation ID. The organisation name field is case-sensitive and requires matching punctuation.</li>
<li>For the time being we can still support organisations that are enrolled with the older VPP program. The process is much the same, we simply need the APP Apple ID (which takes the form of an email address) as opposed to the newer Organisation ID. We do not know for how much longer the VPP program will be supported.</li>
<li>For the time being we can still support organisations that are enrolled with the older VPP program. The process is much the same, we simply need the VPP Apple ID (which takes the form of an email address) as opposed to the newer Organisation ID. We do not know for how much longer the VPP program will be supported.</li>
</ol>
</ol>


<h2>App Settings</h2>
As much as we'd like to also list the app on the normal app store for simplicities sake, Apple will not allow a business to business app to be listed on the public app store.
 
=App settings=
Once the app is installed there are a few settings that need to be set before you can use it.
Once the app is installed there are a few settings that need to be set before you can use it.


<ul><li><strong>PTS Server IP Address</strong><br/>
<ul><li><strong>PTS Server Details</strong><br/>
Enter the IP address of your PTS application server, e.g. 192.168.0.1. If you don’t know what it is, IT will be able to find it out for you if you send them the URL you normally use to access PTS. Alternatively you can enter the direct path to the PTS API directory, e.g. <nowiki>https://192.168.0.1/PTSWeb/api/</nowiki></li>
Enter the path to your PTS application <strong>using the IP address, e.g. <i><nowiki>https://192.168.0.1/PTSWeb</nowiki></i>, or the fully qualified domain name, e.g. <i><nowiki>https://server.domain.nhs.uk/PTSWeb</nowiki></i></strong>. Unfortunately the hostname alone is very unlikely to work on Android or iOS. Pharmacy IT will be able to find out the IP address or FQDN for you if you send them the URL you normally use to access PTS on your PCs. Be sure to review the SSL section below if using https.</li>


<li><strong>Auto-Upload</strong><br/>
<li><strong>Auto-Upload</strong><br/>
If enabled the app will attempt to automatically upload data after every collection or delivery. This is usually desirable but can get annoying if network conditions mean that each upload takes a long time.</li>
If enabled the app will attempt to automatically upload data after every collection or delivery. This is usually desirable but can get annoying if network conditions mean that each upload takes a long time.</li>
<li><strong>Auto-Refresh</strong><br/>
If enabled the app will attempt to re-download prescription data from PTS after every successful upload (automatic and manual uploads alike). This is usually for the best, but again, poor network conditions can sometimes mean this causes too many interruptions.</li>


<li><strong>Domain Username</strong><br/>
<li><strong>Domain Username</strong><br/>
Sometimes, a network will insist that you provide domain credentials (AKA Windows credentials or Active Desktop credentials) before it will allow the app to access an internal server such as your PTS server. If this is the case, enter a valid username here. This account is ONLY used to let the app connect to your network; nothing you do within the app is necessarily assigned to this user.</li>
Sometimes, a network will insist that you provide domain credentials (AKA Windows credentials or Active Desktop credentials) before it will allow the app to access an internal server such as your PTS server. If this is the case, enter a valid username here. This account is ONLY used to let the app connect to your network; nothing you do within the app is assigned to this user based on this setting.</li>


<li><strong>Domain Password</strong><br/>
<li><strong>Domain Password</strong><br/>
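Review bot: the manual-install step ("we can provide the latest apk file for manual installation") does not say how the file is supplied and gives no way to confirm it is the genuine build before it is copied to a device. Suggest stating the delivery route and adding a step to compare a published checksum or signing certificate fingerprint before installing, and noting that a manually installed copy will not get the automatic updates described in the Google Play step.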
Line 57: Line 68:
If a delivery address is specified on the item then the app assumes that the delivery is off-site, such as to a patient's home address. For convenience - and as a safeguard - the app will not allow delivery if it deems the destination to be too far away, and will instead suggest GPS navigation beyond a certain distance from the destination address. The minimum distance is defined here, in metres. This feature can be effectively disabled by entering a very high value.</li>
If a delivery address is specified on the item then the app assumes that the delivery is off-site, such as to a patient's home address. For convenience - and as a safeguard - the app will not allow delivery if it deems the destination to be too far away, and will instead suggest GPS navigation beyond a certain distance from the destination address. The minimum distance is defined here, in metres. This feature can be effectively disabled by entering a very high value.</li>
</ul>
</ul>
=Configuring the PTS application=
There are three fundamental steps to take to get PTS ready to use the mobile app:
<ol>
<li>Input the provided Device License Key into Application Settings.</li>
<li>Configure the relevant [[Prescription Types|prescription types]] to [[Prescription_Types#Type_details_tab|record collection and record delivery]].</li>
<li>Configure the Porter (or similar) [[Roles|role]] to include one or more [[Setting_Up_User_Views|Mobile App Screen]] user views.<br/>
<i>We suggest two (or more) different user views; one with a "waiting for collection" status filter and another with a "waiting for delivery" status filter, grouped by either bag or current ward (but not both).</i>
</li>
</ol>
Please see the linked pages for more detailed information.
=SSL=
=SSL=
Attempting to use an SSL (HTTPS) connection to the PTS server is likely to fail without some changes to the certificate.
Attempting to use an SSL (HTTPS) connection to the PTS server is likely to fail without some changes.


=== Overview of the SSL issue ===
==SSL certificate is expired==
iOS and Android are not easily able to resolve hostnames on an internal network. They are hard-coded at the OS level to use specific, remote DNS servers, even if you manually specify one in settings. Disabling this requires jailbreaking/rooting the device which is not something most IT departments will consider. Using the IP address in the path instead of the hostname is usually the simple way of side-stepping this issue, however that causes problems when the server requires an SSL connection, as the certificate will likely be based on the hostname and not the IP address.
First of all, it may go without saying, but it is always worth verifying that the server certificate is genuinely in good order before investigating further. Windows based devices and browsers are more likely to display a simple warning when accessing an insecure website, and since they can just bypass it, users may not have reported this behaviour yet. It's not impossible that the certificate has been expired for some time.
 
==Devices unable to resolve server hostname==
iOS and Android are not easily able to resolve hostnames on an internal network. They are hard-coded at the OS level to use specific, remote DNS servers, even if you manually specify your own in network settings. "Fixing" this requires jailbreaking/rooting the device which is not something IT departments will consider.
 
Using the IP address or the FQDN in the path instead of the hostname is usually the simple way of side-stepping this issue, however that causes problems when the server requires an SSL connection, as the certificate will likely be based on the simple hostname, and not the IP address or FQDN.
 
=== iOS only workaround ===
It may be possible to override the remote DNS server lookup by adding .local to the hostname in the PTS Server IP Address field. For example:<blockquote><nowiki>https://PTSServer.local/PTSWeb</nowiki></blockquote>However, this may require that Apple's Bonjour service is installed on the server, and it's possible that the .local version of the hostname may need to be added to the certificate (see below).


=== Solution ===
=== Solution ===
The better solution is to generate a new SSL certificate that implements the IP address and the FQDN as Subject Alternative Names (SAN).


==== iOS Only ====
SANs are normally used when multiple hostnames are routed to the same server and the SSL certificate needs to be configured to accept them all. A little known feature is that it's possible to add an IP address as a SAN too. The process for adding SANs to a certificate is beyond the scope of this guide, but suffice to say that the IP address and the FQDN of the PTS server should be added to the SAN list.
It may be possible to override the remote DNS server lookup by adding .local to the hostname in the PTS Server IP Address field. For example:<blockquote><nowiki>https://PTSServer.local/PTSWeb/api/</nowiki></blockquote>However, this may require that Apple's Bonjour service is installed on the server, and it's possible that the .local version of the hostname may need to be added to the certificate (see below).


==== All Device Types ====
For example (e.g. where hostname is "PTS"):<blockquote>SAN 1: DNS Name=PTS
The better solution is to generate a new SSL certificate that references the IP address of the server as a Subject Alternative Name (SAN).


SANs are normally used when multiple hostnames are routed to the same server and the SSL certificate should accept them all. A little known feature is that it's possible to add an IP address as a SAN too. The process for adding SANs to a certificate is beyond the scope of this guide, but suffice to say that the IP address of the PTS server should be added to the SAN list.
SAN 2: DNS Name=PTS.local


For example:<blockquote>SAN 1: DNS Name=pts
SAN 3: DNS Name=PTS.domain.nhs.uk


SAN 2: DNS Name=ptsserver
SAN 4: IP Address=93.184.216.34


SAN 3: DNS Name=pts.local
SAN 5: IP Address=2606:2800:220:1:248:1893:25c8:1946</blockquote>Note the difference between the "DNS Name" and "IP Address" headers.  


SAN 4: IP Address=93.184.216.34
While it's not strictly a valid configuration it's conceivable that adding the IP address as a DNS Name may help too in certain edge cases.
 
== The certificate is self-signed and the mobile device does not trust it ==
Self signed certificates are common within the NHS. Devices and apps that have to support an SSL certificate from an unknown certificate authority typically white list the CA in the device or app configuration itself. As a nationally used mobile app installed in hundreds of different network configurations, the PTS app is in the somewhat unique position of having to support multiple unknown certificate authorities, and unfortunately maintaining a list of all of our customers CAs within the app is not plausible.
 
===Solution===
IT should be able to manually install and trust certificates on the device itself, if not through the MDM.


SAN 5: IP Address=2606:2800:220:1:248:1893:25c8:1946</blockquote>Note the difference between the "DNS Name" and "IP Address" headers. It's conceivable that adding the IP address as a DNS Name may help too in certain edge cases.
Alternatively, some Trusts have found success by installing a wildcard certificate, signed by a trusted certificate authority, to the PTS web server. Reports suggest this may mean that the FQDN will have to be used to access the system throughout the trust (i.e. not just for the mobile app).
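Review bot: the self-signed section uses "self-signed" and "unknown certificate authority" interchangeably, so the Solution line "manually install and trust certificates on the device itself" does not say which certificate IT should install. Suggest naming it (the issuing CA's root certificate where an internal CA signed the server certificate, or the server certificate itself where it is truly self-signed) and stating the MDM route first. The remark that adding the IP address as a DNS Name "may help" while "not strictly a valid configuration" would also be better marked as a last resort, to be tried only after the IP Address SAN is in place.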

Latest revision as of 14:04, 13 June 2024

The PTS 5 mobile app's primary purpose is to facilitate the recording of collection and delivery of prescriptions, either from the dispensary to the ward, or from the pharmacy to a patient's home address. This is known as delivery tracking and was formerly the sole purpose of the app; however, new features are being added all the time.

Hardware Requirements

  • The current minimum supported Android OS version is Android 6.0 "Marshmallow".
  • The current minimum supported iOS version is iOS 14 (iOS 12 for v1.86 and older).
  • The device must have a camera and the app must have permission to use it.
  • The device must be connected to the internal wireless network and/or be able to access your PTS application server over HTTP or HTTPS (as appropriate).

Installation

The PTS 5 App is available for both Android and iOS devices. If you have yet to purchase a device it is important to consult with IT as more often than not the choice between iOS or Android will be dictated by them, and in most cases devices not purchased through IT will not be able to connect to the internal network correctly.

Android

  1. The latest version of the app is always made available on Google Play (search “PTS 5”). It is preferable to install the app via Google Play as this will ensure that you get any software updates automatically and free of charge. Internet connection is required for this.
  2. Your IT department should have an MDM (mobile device management) solution in place for deploying and managing apps on your Trust’s devices. If this is the case it would be a good idea to consult with your IT department about the best way to proceed. A centralised solution like this is usually preferable to ad-hoc, unmanaged installations.
  3. Alternatively, we can provide the latest apk file for manual installation. If you have no other option you may download the apk file to your computer and then transfer the file to your device for installation.
  4. The app will attempt to verify your software licence with each login attempt. Licences are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.

iOS

Firstly, it is even more important that you involve Trust IT in the purchasing, setup and deployment of iOS devices and apps. Unless you follow Trust IT procurement procedures, you will be unable to connect a device to your internal wireless network and you will not be able to download the app to your device.

  1. The iOS version of the app is what’s known as a Custom app for Private Distribution (previously known as a B2B app). The difference between this and a normal app is the way it is listed; the app does not appear on the normal app store and instead only appears in Apple Business Manager once we have approved your Organisation ID.
  2. In Apple Business Manager, sign in with an account that has privileges to manage system-wide settings.
  3. Click Settings at the bottom of the sidebar, click Enrolment Information below Organisation Settings, then enable Custom Apps.
  4. Go to Settings, then select Device Management Settings below Organisation Settings. Make a note of your Organisation ID and Organisation Name.
  5. Let us know the Organisation ID and corresponding Organisation Name so we can add your organisation to the list for PTS 5 app distribution. Bear in mind that the Organisation Name must match exactly, including punctuation and case sensitivity.
  6. We'll let you know your organisation is registered. You can now "purchase" the PTS 5 app from the Custom Apps section.
  7. Once licences have been purchased, you must then turn to your MDM (mobile device management) solution to roll the app out to users’ devices. You should refer to the instructions supplied by the MDM vendor for the correct procedure.
  8. The app will attempt to verify your software licence with each login attempt. Licences are based on concurrent users. The correct licence key will be provided to you upon purchase and should be entered by a PTS system administrator into Setup > Application Settings > Devices Licence Key.

Further iOS purchasing notes

  1. Instructions for how to use Apple Business Manager are subject to change without notice.
  2. Again, even though Apple’s directions don’t mention it, we also need your Organisation Name that corresponds with the Organisation ID. The organisation name field is case-sensitive and requires matching punctuation.
  3. For the time being we can still support organisations that are enrolled with the older VPP program. The process is much the same; we simply need the VPP Apple ID (which takes the form of an email address) as opposed to the newer Organisation ID. We do not know for how much longer the VPP program will be supported.

As much as we'd like to also list the app on the normal app store for simplicity's sake, Apple will not allow a business-to-business app to be listed on the public app store.

App settings

Once the app is installed there are a few settings that need to be set before you can use it.

  • PTS Server Details
    Enter the path to your PTS application using the IP address, e.g. https://192.168.0.1/PTSWeb, or the fully qualified domain name, e.g. https://server.domain.nhs.uk/PTSWeb. Unfortunately the hostname alone is very unlikely to work on Android or iOS. Pharmacy IT will be able to find out the IP address or FQDN for you if you send them the URL you normally use to access PTS on your PCs. Be sure to review the SSL section below if using https.
  • Auto-Upload
    If enabled the app will attempt to automatically upload data after every collection or delivery. This is usually desirable but can get annoying if network conditions mean that each upload takes a long time.
  • Auto-Refresh
    If enabled the app will attempt to re-download prescription data from PTS after every successful upload (automatic and manual uploads alike). This is usually for the best, but again, poor network conditions can sometimes mean this causes too many interruptions.
  • Domain Username
    Sometimes, a network will insist that you provide domain credentials (AKA Windows credentials or Active Desktop credentials) before it will allow the app to access an internal server such as your PTS server. If this is the case, enter a valid username here. This account is ONLY used to let the app connect to your network; nothing you do within the app is assigned to this user based on this setting.
  • Domain Password
    If you are providing domain credentials enter the corresponding password here. If you have a generic login for pharmacy that you use to log in to your PCs we recommend that you use those credentials.
  • Require bag scan on delivery
    If enabled, attempting to deliver a bag will prompt the user to confirm the correct bag is being delivered by scanning it again.
  • Skip user scan on collection
    The app needs to know who is performing collection and whether they have permission to do it. The app can either prompt for a user's barcode to be scanned and attribute the collection to them, or skip the user scan prompt and attribute collection to the currently logged in user. Typically the user scan on collection is skipped, assuming delivery personnel can authorise their own collections.
  • Skip user scan on delivery
    The app needs to know who is performing delivery and whether they have permission to do it. The app can either prompt for a user's barcode to be scanned and attribute the delivery to them, or skip the user scan prompt and attribute delivery to the currently logged in user. Typically the user scan on delivery is not skipped, and delivery personnel should be made to authorise deliveries by scanning a valid recipient's barcode.
  • Minimum Delivery Proximity
    If a delivery address is specified on the item then the app assumes that the delivery is off-site, such as to a patient's home address. For convenience - and as a safeguard - the app will not allow delivery if it deems the destination to be too far away, and will instead suggest GPS navigation beyond a certain distance from the destination address. The minimum distance is defined here, in metres. This feature can be effectively disabled by entering a very high value.

Configuring the PTS application

There are three fundamental steps to take to get PTS ready to use the mobile app:

  1. Input the provided Device License Key into Application Settings.
  2. Configure the relevant prescription types to record collection and record delivery.
  3. Configure the Porter (or similar) role to include one or more Mobile App Screen user views.
    We suggest two (or more) different user views; one with a "waiting for collection" status filter and another with a "waiting for delivery" status filter, grouped by either bag or current ward (but not both).

Please see the linked pages for more detailed information.

SSL

Attempting to use an SSL (HTTPS) connection to the PTS server is likely to fail without some changes.

SSL certificate is expired

First of all, it may go without saying, but it is always worth verifying that the server certificate is genuinely in good order before investigating further. Windows-based devices and browsers are more likely to display a simple warning when accessing an insecure website, and since users can just bypass it, they may not have reported this behaviour yet. It's not impossible that the certificate has been expired for some time.

Devices unable to resolve server hostname

iOS and Android are not easily able to resolve hostnames on an internal network. They are hard-coded at the OS level to use specific, remote DNS servers, even if you manually specify your own in network settings. "Fixing" this requires jailbreaking/rooting the device, which is not something IT departments will consider.

Using the IP address or the FQDN in the path instead of the hostname is usually the simple way of side-stepping this issue. However, that causes problems when the server requires an SSL connection, as the certificate will likely be based on the simple hostname, and not the IP address or FQDN.

iOS only workaround

It may be possible to override the remote DNS server lookup by adding .local to the hostname in the PTS Server Details field. For example:

https://PTSServer.local/PTSWeb

However, this may require that Apple's Bonjour service is installed on the server, and it's possible that the .local version of the hostname may need to be added to the certificate (see below).

Solution

The better solution is to generate a new SSL certificate that includes the IP address and the FQDN as Subject Alternative Names (SANs).

SANs are normally used when multiple hostnames are routed to the same server and the SSL certificate needs to be configured to accept them all. A little-known feature is that it's possible to add an IP address as a SAN too. The process for adding SANs to a certificate is beyond the scope of this guide, but suffice it to say that the IP address and the FQDN of the PTS server should be added to the SAN list.

For example, where the hostname is "PTS":

SAN 1: DNS Name=PTS

SAN 2: DNS Name=PTS.local

SAN 3: DNS Name=PTS.domain.nhs.uk

SAN 4: IP Address=93.184.216.34

SAN 5: IP Address=2606:2800:220:1:248:1893:25c8:1946

Note the difference between the "DNS Name" and "IP Address" headers.

While it's not strictly a valid configuration, it's conceivable that adding the IP address as a DNS Name may help too in certain edge cases.

The certificate is self-signed and the mobile device does not trust it

Self-signed certificates are common within the NHS. Devices and apps that have to support an SSL certificate from an unknown certificate authority typically whitelist the CA in the device or app configuration itself. As a nationally used mobile app installed in hundreds of different network configurations, the PTS app is in the somewhat unique position of having to support multiple unknown certificate authorities, and unfortunately maintaining a list of all of our customers' CAs within the app is not feasible.

Solution

IT should be able to manually install and trust certificates on the device itself, if not through the MDM.

Alternatively, some Trusts have found success by installing a wildcard certificate, signed by a trusted certificate authority, to the PTS web server. Reports suggest this may mean that the FQDN will have to be used to access the system throughout the trust (i.e. not just for the mobile app).
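
The SSL checks described above (expiry, SAN coverage of the IP address or FQDN, and the wildcard case) can be rehearsed before a device is involved. The following is an added example, not part of the original wiki page or the PTS app: it applies standard strict name matching to certificate data in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The certificates are constructed samples that reuse the SAN values from the list above, and all function names are hypothetical.

```python
import ipaddress
import ssl
import time
from urllib.parse import urlsplit

# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns.
# SAN values come from the example list above; the expiry dates are made up.
FULL_SAN_CERT = {
    "notAfter": "Jun 13 14:04:00 2030 GMT",
    "subjectAltName": (
        ("DNS", "PTS"),
        ("DNS", "PTS.local"),
        ("DNS", "PTS.domain.nhs.uk"),
        ("IP Address", "93.184.216.34"),
        ("IP Address", "2606:2800:220:1:248:1893:25c8:1946"),
    ),
}
# Certificate issued for the simple hostname only (the failing case).
HOSTNAME_ONLY_CERT = dict(FULL_SAN_CERT, subjectAltName=(("DNS", "PTS"),))
# IP address entered under the "DNS Name" header instead of "IP Address".
IP_AS_DNS_CERT = dict(
    FULL_SAN_CERT, subjectAltName=(("DNS", "PTS"), ("DNS", "93.184.216.34"))
)
# Wildcard certificate for the domain.
WILDCARD_CERT = dict(FULL_SAN_CERT, subjectAltName=(("DNS", "*.domain.nhs.uk"),))
# Same SANs as FULL_SAN_CERT but past its notAfter date.
EXPIRED_CERT = dict(FULL_SAN_CERT, notAfter="Jan 15 00:00:00 2020 GMT")


def dns_match(pattern, host):
    """Case-insensitive DNS name match; '*' may only be the whole first label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_first, _, p_rest = pattern.partition(".")
    h_first, _, h_rest = host.partition(".")
    # A wildcard covers exactly one label, so a bare hostname never matches.
    return p_first == "*" and bool(h_first) and bool(p_rest) and p_rest == h_rest


def san_covers(cert, host):
    """True if the SAN list covers host under strict matching rules."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # An IP in the URL is compared with "IP Address" entries only.
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value.strip()) == ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and dns_match(value, host):
            return True
    return False


def check_url(cert, url, now=None):
    """Return 'expired', 'name mismatch' or 'ok' for a PTS Server Details URL."""
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "expired"
    host = urlsplit(url).hostname
    if not host or not san_covers(cert, host):
        return "name mismatch"
    return "ok"


if __name__ == "__main__":
    urls = [
        "https://PTS/PTSWeb",
        "https://PTS.domain.nhs.uk/PTSWeb",
        "https://93.184.216.34/PTSWeb",
        "https://[2606:2800:220:1:248:1893:25c8:1946]/PTSWeb",
    ]
    certs = {
        "full SAN list": FULL_SAN_CERT,
        "hostname only": HOSTNAME_ONLY_CERT,
        "IP as DNS Name": IP_AS_DNS_CERT,
        "wildcard": WILDCARD_CERT,
        "expired": EXPIRED_CERT,
    }
    for label, cert in certs.items():
        for url in urls:
            print(f"{label:15} {url:55} {check_url(cert, url)}")
```

To check a live server instead of the samples, pass the dict from getpeercert() on a verified connection to check_url together with the URL entered in PTS Server Details.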