Ability to use setup keys with Android / IPhone #1193

Open
opened 2025-11-20 05:25:42 -05:00 by saavagebueno · 17 comments

Originally created by @Silex on GitHub (Aug 30, 2024).

Is your feature request related to a problem? Please describe.

Setup keys are awesome. We want to be able to use them on android/iphone ;-)

Especially because it makes configuration in the right groups simple, client just installs netbird and it works immediately.

Describe the solution you'd like

Ability to use setup keys :-)

Describe alternatives you've considered

For the moment we use a generic user.

saavagebueno added the feature-request, mobile, ios, Android labels 2025-11-20 05:25:43 -05:00

@remotoservicos commented on GitHub (Dec 27, 2024):

+1


@mad73923 commented on GitHub (Jan 17, 2025):

+1


@srinfvald commented on GitHub (Jan 28, 2025):

+1


@Jackquattrassi commented on GitHub (Jan 28, 2025):

+1

I suggest adding the ability to directly include server url and the key via a QR code. This would enhance professionalism and improve usability.


@mad73923 commented on GitHub (Jan 30, 2025):

I just found out reading the source code of the mobile clients: Using Setup Keys for iOS is already supported! BUT only for selfhosted netbirds!

Image

Prerequisites:

  • Selfhosted management server

Steps:

  1. Backup your management.json
  2. Delete the complete blocks `DeviceAuthorizationFlow` and `PKCEAuthorizationFlow` in management.json
  3. Restart the management server
  4. Connect your mobile devices via Setup Key (Menu - Change Server - type in your server URL - hit change and the textfield for setup key will appear)

Downsides:

  • You can't choose or switch between the authorization flows without adapting the JSON
  • All clients (whether mobile or not) need to use setup keys. SSO will be completely disabled.
  • This is only available for selfhosted instances
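
Steps 1 and 2 of the procedure in the comment above, as an added example that is not part of the original thread or NetBird's own code: the script backs up management.json, deletes the two flow blocks and replaces the file atomically. It assumes both blocks are top-level keys of the file; the sample configuration is constructed, and step 3 (restarting the management server) depends on how the server is deployed.

```python
import json
import os
import shutil
import tempfile
import time

# The two block names given in step 2 of the comment above.
FLOW_BLOCKS = ("DeviceAuthorizationFlow", "PKCEAuthorizationFlow")


def strip_auth_flows(path):
    """Back up management.json, then delete the two flow blocks from it.

    Returns (backup_path, removed_names); (None, []) if nothing was changed.
    Assumption: both blocks are top-level keys of the JSON document.
    """
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)  # malformed JSON fails here, before any write
    if not isinstance(config, dict):
        raise ValueError("management.json must contain a JSON object")

    removed = [name for name in FLOW_BLOCKS if name in config]
    if not removed:
        return None, []  # already stripped: keep the earlier backup untouched

    # Step 1: timestamped backup, so SSO for peers can be restored later.
    backup = f"{path}.{time.strftime('%Y%m%dT%H%M%S')}.bak"
    shutil.copy2(path, backup)

    # Step 2: drop the blocks and replace the file atomically.
    for name in removed:
        del config[name]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=4)
            fh.write("\n")
        shutil.copymode(path, tmp)  # keep the original permission bits
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return backup, removed


def demo():
    """Run against a constructed sample (not a real NetBird configuration)."""
    sample = {
        "Datadir": "/var/lib/example",
        "DeviceAuthorizationFlow": {"Provider": "example"},
        "PKCEAuthorizationFlow": {"ProviderConfig": {"ClientID": "example"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "management.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        backup, removed = strip_auth_flows(path)
        with open(path, encoding="utf-8") as fh:
            remaining = sorted(json.load(fh))
        with open(backup, encoding="utf-8") as fh:
            backup_intact = json.load(fh) == sample
        second_run = strip_auth_flows(path)
    return removed, remaining, backup_intact, second_run


if __name__ == "__main__":
    print(demo())
```

Copying the `.bak` file back over management.json and restarting the server restores the previous authorization flows.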

@Silex commented on GitHub (Feb 28, 2025):

@mad73923 nice finding, but when you say "SSO will be completely disabled", how does login work for the dashboard UI? or is SSO only disabled for peers?


@mad73923 commented on GitHub (Feb 28, 2025):

Hi @Silex
no worries, this only applies to the device authorization flow. SSO for the dashboard still works.
BR


@William-BCLabs commented on GitHub (May 13, 2025):

@mad73923 Feature not shown on android.


@nutzlichsein commented on GitHub (May 25, 2025):

+1 for this feature on both iOS and Android

my workaround for now is setting up a generic user used for my employee devices (so they can't tamper with admin page of my netbird.io).


@nazarewk commented on GitHub (Aug 22, 2025):

Hello, as a part of answering the customer, I have synced with the team about the state of the feature.

The general consensus was that Setup Keys is not a feature intended for user-owned devices (which mobile devices almost exclusively are) due to:

  • they're not tied to User identity in any way
  • they reduce security due to the above and the fact that they do not expire
  • using Setup Keys on user-devices wouldn't pass even the most basic of security certifications

We are willing to revisit the decision when we gather enough valid use cases for the feature to exist. Please describe your use cases in addition to/instead of giving thumbs up/+1 on this feature request. We would expect the use cases to be generally unfit for periodical (or permanent/non-expiring) user logins.

I have so far seen/came up with those use cases to give you some idea:

  • persistently streaming proprietary CCTV system results through a set of iPad devices, simply because there was no other client application available/allowed to be used for this purpose,
  • managing a large fleet of devices through MDM, automatically logging them in (this requires much more than simply allowing the Setup Key to be passed through the UI),

@pierrechapuis commented on GitHub (Aug 22, 2025):

Hello there,

Thanks for considering the possibility of bringing this feature to Android.

In my team’s opinion, setting devices up using a Serial key is a more user-friendly/peace of mind.

Regular users do not need to manage user accounts, which can be prone to forgetting credentials.
Instead, they can simply obtain a Serial key from their administrator to add their new device to the NetBird network (either computer or iPhone/iPad).

Generating Serial keys with associated tags is a convenient way for administrators to predefine communication boundaries, ensuring each newly added device automatically inherits the correct access policies and knows which peers it’s allowed to interact with.

So indeed, bringing Setup Key support to Android —just like on iOS— would be very helpful for us.


@shujiepan commented on GitHub (Aug 30, 2025):

> Hello, as a part of answering the customer, I have synced with the team about the state of the feature.
>
> The general consensus was that Setup Keys is not a feature intended for user-owned devices (which mobile devices almost exclusively are) due to:
>
>   • they're not tied to User identity in any way
>   • they reduce security due to the above and the fact that they do not expire
>   • using Setup Keys on user-devices wouldn't pass even the most basic of security certifications
>
> We are willing to revisit the decision when we gather enough valid use cases for the feature to exist. Please describe your use cases in addition to/instead of giving thumbs up/+1 on this feature request. We would expect the use cases to be generally unfit for periodical (or permanent/non-expiring) user logins.
>
> I have so far seen/came up with those use cases to give you some idea:
>
>   • persistently streaming proprietary CCTV system results through a set of iPad devices, simply because there was no other client application available/allowed to be used for this purpose,
>   • managing a large fleet of devices through MDM, automatically logging them in (this requires much more than simply allowing the Setup Key to be passed through the UI),

"In Android, it is more convenient to introduce the setup-key for registration, and it is quite necessary. If security is considered, it would be a good idea to have the user confirm the phone permissions via fingerprint when connecting to NetBird."


@mulder999 commented on GitHub (Nov 6, 2025):

With organization without SSO in place or that need to cope with external visitors, setup key is actually more relevant and flexible to quickly setup any user device:

  • Setup key can be made to expire every day if needed
  • Setup key do not grant any access to any web console of any kind
  • Setup key can be turned into qr-code for quick enrollment of mobile devices

@markcst commented on GitHub (Nov 18, 2025):

Hi! I currently don't understand if we can use setup keys to completely avoid SSO login on Android.

Of course there is the Add a pre-shared key field in the Advanced menu, but even when one (apparently correctly?) has added the key (after entering, the selfhosted domain name of the server, naturally), it doesn't seem to work, cause clicking on the Netbird symbol in the home page then brings to the SSO login page, but that should have been skipped and the client registered using the key itself, exactly like it happens, for instance, on Linux.

Does this happen especially, or only, in cases when one already has an IdP currently implemented and working in the Netbird setup, like @mad73923, for what I've understood, was trying to say?

And in any case: is it the intended behavior? If so, why? Isn't the pre-shared key there, even on the Android client, to avoid this very case?

EDIT-1: Ok, I was likely wrong. The key field to fill in the Android app is not the pre-shared key one under Advanced, but the Setup key under Change Server, after inserting the domain name.
Unfortunately, what happens is that when I tap on Change Server, after typing the selfhosted domain, the confirmation modal (Server was changed) towers over everything, one can only press Ok. But after that I'm taken back to the home, and going back to the Change Server menu resets the procedure at the point of asking for the server changing.
TLDR; It is impossible to insert the Setup key in the correct field, cause the field is never reachable

Image

> Hello, as a part of answering the customer, I have synced with the team about the state of the feature.
>
> The general consensus was that Setup Keys is not a feature intended for user-owned devices (which mobile devices almost exclusively are) due to:
>
>   • they're not tied to User identity in any way
>   • they reduce security due to the above and the fact that they do not expire
>   • using Setup Keys on user-devices wouldn't pass even the most basic of security certifications
>
> We are willing to revisit the decision when we gather enough valid use cases for the feature to exist. Please describe your use cases in addition to/instead of giving thumbs up/+1 on this feature request. We would expect the use cases to be generally unfit for periodical (or permanent/non-expiring) user logins.
>
> I have so far seen/came up with those use cases to give you some idea:
>
>   • persistently streaming proprietary CCTV system results through a set of iPad devices, simply because there was no other client application available/allowed to be used for this purpose,
>   • managing a large fleet of devices through MDM, automatically logging them in (this requires much more than simply allowing the Setup Key to be passed through the UI),

@mad73923 commented on GitHub (Nov 19, 2025):

Hi @markcst

pre-shared key is related to wireguard
setup key is related to netbird

BR
Matthias


@markcst commented on GitHub (Nov 19, 2025):

> Hi @markcst
>
> pre-shared key is related to wireguard
> setup key is related to netbird
>
> BR
> Matthias

Thanks for the clarification!

As for the setup key usage on the Android app, where are we so far?

I don't understand whether it can be used (like on Linux, for instance) without going through an SSO/IdP login screen, to register/login clients.

If not, I'm not sure whether this is a bug or intended behavior.

I'd like to work on a solution and submit a PR, in that case


@markcst commented on GitHub (Nov 19, 2025):

> We are willing to revisit the decision when we gather enough valid use cases for the feature to exist. Please describe your use cases

@nazarewk some use cases could be
a. Eliminating dependency on third-party service to free resources: Some low-power devices or devices with limited RAM/ROM may not efficiently support IDP-based login. Allowing direct setup key usage removes this dependency and simplifies onboarding
b. Automation and mass provisioning: In enterprise scenarios with many devices, using an IDP for each device can be complex and require manual steps. The setup key enables automatic client registration, speeding up provisioning

Furthermore, please, consider these points

  1. Cross-platform consistency: Setup key is already supported on Linux, Windows, etc. Adding it to Android ensures a uniform experience across all platforms, simplifying support and documentation
  2. Reduced points of failure: Relying solely on an IDP introduces a critical failure point: if the external service is down, clients cannot log in. A setup key provides a resilient alternative
Reference: SVI/netbird#1193