Control security with flexible mobile app settings (Override IP allowlists)

In coming weeks, admins will gain the flexibility to override IP allowlists 
for the Atlassian Cloud Mobile Apps. This is applicable to both managed and 
external users, and is offered to Atlassian Access Subscribers.

Hey Admins!
Get ready to soon override your IP allowlists for the Atlassian Cloud Mobile Apps

In an effort to secure content, many admins and organisations choose to specify the IP addresses that users must access content from, which can lead to highly restrictive working environments. IP allowlist controls who gets in and this is extended to both web and mobile platforms. For full details on the IP allowlists setting: https://support.atlassian.com/security-and-access-policies/docs/specify-ip-addresses-for-product-access/

However, in the coming weeks, you will receive greater control and flexibility over the IP allowlists setting. You will soon be able to override the previously specified IP allowlists for the Atlassian Cloud Mobile Apps; yet continue to maintain security as we run a series of checks to verify the authenticity of the mobile app to ensure it was downloaded from a genuine app store and is not modified.

This setting will be configurable via the Mobile App Management (MAM) Policy. Read more about Mobile Policy https://support.atlassian.com/security-and-access-policies/docs/mobile-app-management-mam-for-atlassian-mobile-apps/ and https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/

What is the Override IP allowlists setting?

When you use the “Override IP allowlists” setting you can apply security controls on Atlassian mobile apps Jira and Confluence without restricting users to specific IP addresses. This means that mobile app users can access the products even if they are not on the company VPN or within the allowed IP range. This setting can be applied to both managed and external users.

Even though you’re overriding IP allowlists, you can have the confidence that the mobile app is secure. This is because the mobile app runs a series of checks including App Attestation, through which the authenticity of the App itself is verified, ensuring that it was downloaded from a genuine App Store. Hence providing a high level of assurance that the app is running on a genuine device and has not been modified or tampered with. It is recommended to also enable “Block compromised devices” in conjunction for added security.

How to Configure

1. Go to admin.atlassian.com . Select your organisation if you have more than one.

2. Select Security → Mobile Apps

3. Edit Mobile Policy or Setup a new policy if you have not done so previously)

4. Select the checkbox “Override any IP allowlists to allow access from Jira and Confluence mobile apps” and Update Policy

5. Select Security → IP allowlists and see the updated policy

The image above showcases, that once the Override IP allowlist setting is enabled, Mobile apps are exempt from the previously configured IP allowlist policy. This setting is not configurable from the IP allowlist screen. Follow the steps provided above to configure this setting.

Coming Soon!

Override IP allowlists will be generally available over the coming weeks as it rolls out.

We welcome any feedback about this particular setting, and your suggestions for any other Mobile Security related functionality you would like to see.

Please feel free to use the comments below, however be mindful to never share any personal identifiable information as this is a public forum.