Skip to content

Creating and Deploying Mobile Profiles for ntkMobile

Mobile profiles are now authored as independent mobile vault definitions. They are not derived from desktop sources and are not merged from desktop settings at build time.

Prerequisites

  • Create or open a profile with Target Platform set to Mobile or Both.
  • Have at least one mobile-compatible provider type available: S3-family, OneDrive, DropBox, or Google Drive.
  • Optional: create reusable provider instances on the Providers page before authoring the profile.

1. Create or Open a Mobile-Capable Profile

  1. Open Profiles.
  2. Create a new profile or edit an existing one.
  3. Set Target Platform to Mobile or Both.

Target platform controls the editor tabs:

  • Desktop shows Desktop Sources only.
  • Mobile shows Mobile Vaults and Policy.
  • Both shows Desktop Sources, Mobile Vaults, and Policy.

2. Open the Mobile Vaults Tab

  1. Switch to Mobile Vaults.
  2. Enter an optional Conductor Address if this profile should carry a profile-specific endpoint.
  3. Use Add Vault to create one or more mobile vault definitions.

The live preview updates as you edit, so you can inspect the mobile payload before saving.

New vaults default Encryption to on. In the preview and built payload this appears as encryptionType: "Enabled" unless you turn it off before saving.

3. Configure Each Vault

Each vault is edited independently and saved directly into mobileSettings.vaults on the profile.

For each vault, configure:

  • Name
  • Provider — chosen in the vault form
  • Description when needed
  • Encryption toggle — new vaults default this to on; the built payload stores "Enabled" when on and "Disabled" when off
  • Settings such as strict mode, sync deletions, compress on upload, and zero trust options

Provider connection details (endpoint, bucket, credentials, or OAuth extras) are not entered manually. They come from the provider instances you assign in the picker. ABAC attributes for mobile vaults are configured on the Policy tab, not on the Mobile Vaults tab.

4. Assign Provider Instances

Provider instances are created and managed on the Providers page. For S3 and S3_COMPATIBLE vaults, at least one provider assignment is required. Other compatible vault types can also use assignments to resolve provider-specific configuration at build time.

  1. In a vault card, locate the Provider Assignments section.
  2. Click Add Provider. A picker dialog opens showing available provider instances grouped by type.
  3. Select the compatible provider instance.
  4. For S3-family providers (S3, S3_COMPATIBLE), select an Assigned Bucket from the dropdown that appears on the assignment.
  5. Repeat for additional provider assignments if needed.

ntkDeploy resolves the full provider configuration — endpoint, region, credentials, or OAuth extras — from the assigned provider instance at build time. The vault stores only the assignment references, not raw credential fields.

To manage the provider inventory used by mobile vaults, see Using Providers.

5. Save and Reopen the Profile

  1. Click Save Profile or Save Changes.
  2. Reopen the profile.
  3. Return to Mobile Vaults and confirm the vault list, provider assignments, settings, and conductor address persisted correctly.

This verifies the mobile profile state is stored directly with the profile, not recomputed from desktop data.

6. Use Both Mode When You Need Desktop and Mobile Output

Profiles with Target Platform = Both support both deployment flows at once:

  • Desktop Sources defines the desktop appconfig JSON body that is previewed in the editor and encrypted into appconfig.ntkd at deployment time.
  • Mobile Vaults defines the ntkMobile .ntkprofile artifact.
  • Policy lets you assign ABAC data to desktop sources and mobile vaults in one place, and shows previews for both target formats.

The desktop and mobile configurations are edited separately. Changing desktop sources does not rewrite the mobile vault list.

The Policy tab right pane shows a target-aware JSON preview: - Mobile profiles show the mobile payload preview. - Desktop profiles show the desktop appconfig preview. - Both profiles show both previews side by side.

7. Assign Mobile Vault ABAC in the Policy Tab

ABAC attributes for mobile vaults are managed exclusively on the Policy tab. They no longer appear on the Mobile Vaults tab.

When the profile target includes mobile output, the Policy tab exposes vault-level ABAC editing.

Use it to:

  • choose a mobile vault,
  • edit its ABAC groups,
  • verify configured vaults at a glance,
  • manage Desktop Sources and Mobile Vaults together in Both mode.

8. Deploy or Export the Mobile Profile

Open the deployment flow and select the mobile-capable profile.

Deployment behavior depends on the selected target platform:

  1. Mobile profiles use the mobile flow: review the preview, enter and confirm the profile password, choose a delivery method, then deploy or export.
  2. Both profiles stay on the standard desktop wizard. You still select device groups and review preflight, but the same deployment password encrypts both appconfig.ntkd and .ntkprofile.

Password rules are the same in both cases:

  • minimum 8 characters,
  • confirmation must match,
  • the password is never stored.

The exported mobile artifact is an encrypted .ntkprofile envelope that ntkMobile can import directly. Desktop appconfig.ntkd uses the same NtkProfileCrypto envelope format.

9. What Gets Embedded in the Mobile Artifact

The mobile artifact is built from the profile's saved mobile settings:

  • mobileSettings.conductorAddress when present
  • mobileSettings.vaults
  • vault-specific provider assignments (resolved to full config at build time), settings, and ABAC data (from the Policy tab)

If a profile-specific conductor address is not set, ntkDeploy can still fall back to the global Settings conductor value during build.

Troubleshooting

  • Invalid conductorAddress values must use host:port format.
  • A mobile profile must contain at least one valid vault.
  • S3 and S3_COMPATIBLE vaults require at least one provider instance assignment. Other vault types can still be saved without assignments, but the generated payload will contain an empty providerConfig until a compatible provider instance is assigned.
  • Unsupported desktop-only providers still surface compatibility warnings in the mobile preview and deployment flow.
  • Password validation blocks export until both password fields match and satisfy policy.

Next Steps