Important
This feature is in Public Preview.
This page is for IT and security teams preparing to roll out the Azure Databricks Genie mobile app in their organization. It covers the security model, recommended configuration, and deployment process.
How the Genie mobile app keeps data secure
The Genie mobile app does not bypass existing Azure Databricks governance. Users inherit the same data permissions and access controls as in the web version of Azure Databricks.
Identity and access
- Access to Genie One is workspace-scoped and data is governed by Unity Catalog. Users see only workspaces where they have at least Consumer access. Row-level and column-level security continues to apply. See What is consumer access?.
- Enabling the preview at the account level does not grant any user access. It only allows the official app to authenticate against your account. Membership and entitlements still come from your existing user-management process.
- The app uses the same OAuth client and flow as a browser. You do not need a separate IdP application registration. See Authentication and access control.
- The app uses the same authentication flow as the web experience. It is a first-party OAuth client that signs in through login.databricks.com with Microsoft Entra ID. Existing MFA, conditional-access, and device-posture policies all continue to apply.
Device safeguards
- Tokens are encrypted with automatic rotation. Only the authenticated device can access Genie One.
- Authentication uses Microsoft Entra ID, including SSO and factors such as biometrics (face or fingerprint).
Network and infrastructure
The Genie app does not use a separate mobile data plane:
- The app uses HTTPS to reach the same workspace and account URLs as a browser. There are no mobile-only endpoints and no unauthenticated APIs.
- Existing network and DLP controls still apply, including IP access lists, context-based ingress, Private Link, mobile VPN, and on-device DLP.
- Genie Mobile supports workspaces with the compliance security profile enabled. Data in compliance security profile workspaces does not move or leave the region, consistent with web browser access.
Baseline configuration recommendations
Apply the following baseline security controls when deploying the Genie app. If your organization's mobile strategy is more restrictive, implement the stricter controls.
| Control | Recommended baseline |
|---|---|
| Identity | SSO with MFA |
| Network ingress | IP access lists enabled on the workspace. A configured method, such as VPN, for devices to connect from an allowed IP address. |
| Workspace controls | Genie mobile enabled at the account level. If using a VPN, ensure the VPN IPs are allowed in each workspace. |
| Device posture | Implement device posture checks consistent with your mobile strategy. |
| App distribution | Public store install (App Store or Google Play). |
Note
Per-app VPN provides the strongest network control because only traffic from the Genie app reaches the workspace. The VPN must cover both login.databricks.com and your workspace host.
Account-level IP access lists are not currently supported. Use workspace-level IP access lists to control mobile access.
Understand your environment
Workspace configuration
Before enabling the Genie mobile app, check the following workspace settings:
- Feature enablement: Confirm the preview is enabled before rolling out to users. See Enable the app.
- IP access lists: If your workspace uses IP access lists, mobile users' IP addresses must be in the list. This typically requires a VPN.
Network access
If your workspace has an IP access list, mobile devices must connect from an allowed IP address. A VPN is the most common solution.
Per-app VPN provides the strongest isolation: only traffic from the Genie app routes through the VPN. The per-app VPN must cover both login.databricks.com and your workspace host.
If your workspace is accessible only through Private Link with public ingress blocked, mobile devices need a network path that terminates inside the private network. Common patterns include:
- A mobile VPN that terminates on-premises or in a VPC peered to the workspace network.
- ExpressRoute, Direct Connect, or Interconnect with mobile-network breakout through a corporate gateway and Private Link.
For more information, see Users to Azure Databricks networking.
iOS: Universal Links and the AASA file
On iOS, the Genie app uses Apple Universal Links to intercept links to /one/* on workspace hosts and /mobile-redirect on login.databricks.com. Apple validates this by fetching https://<host>/.well-known/apple-app-site-association from each host the first time the app sees that domain.
If your network blocks this path (for example, at a proxy that strips unauthenticated requests), Universal Link interception silently falls back to opening the workspace URL in Safari instead of in the app, and the OAuth callback to /mobile-redirect does not return the user to the app. Make sure this path is reachable from the device's active network the first time the app launches.
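A reachability check for the AASA path described above, as an added example (not part of the original page or a Databricks tool). It fetches the file exactly as a device would (plain HTTPS GET, no credentials) and then verifies that the body is JSON and declares the path patterns the app intercepts; the workspace hostname is a constructed placeholder, and the parser accepts both the older `paths` and the newer `components` AASA layouts.

```python
import json
import ssl
import urllib.error
import urllib.request

# Hosts and path patterns the app intercepts (from the page). The workspace
# host below is a constructed placeholder: replace it with your own.
EXPECTED = {
    "login.databricks.com": ["/mobile-redirect"],
    "adb-0000000000000000.0.azuredatabricks.net": ["/one/*"],  # placeholder
}
AASA_PATH = "/.well-known/apple-app-site-association"


def aasa_problems(body: bytes, required_paths: list[str]) -> list[str]:
    """Return the problems found in an AASA document (empty list means OK)."""
    try:
        doc = json.loads(body)
    except ValueError:
        # A proxy login page or HTML error page is the usual cause here.
        return ["body is not JSON (proxy or captive portal interfering?)"]
    details = doc.get("applinks", {}).get("details", [])
    if not details:
        return ["no applinks.details section"]
    declared = set()
    for entry in details:
        declared.update(entry.get("paths", []))           # older layout
        for comp in entry.get("components", []):          # newer layout
            declared.add(comp.get("/", ""))
    return [f"required path pattern {p!r} not declared"
            for p in required_paths if p not in declared]


def fetch_aasa(host: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """Fetch the AASA file the way a device would: unauthenticated HTTPS GET."""
    req = urllib.request.Request(f"https://{host}{AASA_PATH}",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


if __name__ == "__main__":
    # Run this from the device's network (for example, through the mobile VPN).
    for host, paths in EXPECTED.items():
        status, body = fetch_aasa(host)
        probs = aasa_problems(body, paths) if status == 200 else [f"HTTP {status}"]
        print(f"{host}: {'OK' if not probs else '; '.join(probs)}")
```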
Per-app VPN on iOS
The login redirect on iOS opens in the system browser, not inside the app. A per-app VPN scoped only to the Genie app will not cover the sign-in window. To avoid sign-in failures:
- Cover login.databricks.com in the device-wide VPN, or in the per-app VPN of both the system browser and the Genie app.
- Use a ZTNA or device-tunnel posture that always covers login.databricks.com and workspace hosts regardless of which app initiated the flow.
Not supported
- Context-based ingress: The Genie One mobile path does not currently honor account-level context-based ingress policies. If you rely on context-based ingress as an IP/VPN alternative, gate mobile users at the workspace IP access list instead.
- TLS inspection: The app does not pin certificates. TLS inspection proxies that present a corporate root certificate trusted by the device will work, provided your MDM delivers the corporate root to the device through the standard mechanism (Apple Configuration Profile or Android device certificate store). Certificate pinning may be added before general availability.
Deployment process
Use the following general steps to roll out the Genie mobile app:
- Prepare your workspace. Confirm Genie Mobile is enabled at the account level. Identify the workspaces whose users you want to allow on mobile. Update workspace IP access lists with VPN egress IPs if you use a VPN.
- Decide the network posture. For most enterprises, this is a per-app VPN or device tunnel. Update it to include login.databricks.com and your workspace domains. Validate that mobile devices can access the workspace.
- Update Microsoft Entra ID policies. Ensure your mobile policy allows authentication to your workspace and enforces device posture requirements.
- Deploy the app. The app is available from the Apple App Store and Google Play. If you use an MDM, add com.databricks.one.mobile to your MDM catalog as a managed iOS Store App or managed Google Play app, and assign it to target device groups.
- Pilot with a small group of users. Walk users through app installation, VPN setup, sign-in, and opening a Genie space. Document any errors to seed helpdesk documentation.
- Roll out broadly. Communicate the installation process and any VPN requirements to users through your IT communication channels.
IP access lists
Add the egress IPs of the network mobile devices will use to the workspace-level IP access list. Account-level IP access lists are not currently enforced on the mobile sign-in path.
See Configure IP access lists for workspaces.
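A preflight check for the workspace-level IP access list step, as an added example (not part of the original page or a Databricks tool). It classifies each VPN egress address against the lists a workspace returns from `GET /api/2.0/ip-access-lists`; the list data and egress addresses below are constructed samples, and the evaluation order (enabled BLOCK lists win, an address must then appear in an enabled ALLOW list if any exists) is this example's assumption about how the lists are applied.

```python
import ipaddress
import json
import urllib.request

# Constructed sample in the shape of GET /api/2.0/ip-access-lists output.
SAMPLE_LISTS = json.loads("""
{"ip_access_lists": [
  {"label": "corp-vpn-egress", "list_type": "ALLOW", "enabled": true,
   "ip_addresses": ["203.0.113.0/24", "198.51.100.7"]},
  {"label": "old-office",      "list_type": "ALLOW", "enabled": false,
   "ip_addresses": ["192.0.2.0/24"]},
  {"label": "quarantine",      "list_type": "BLOCK", "enabled": true,
   "ip_addresses": ["203.0.113.250"]}
]}""")

# Constructed: addresses the mobile VPN or device tunnel egresses from.
VPN_EGRESS = ["203.0.113.10", "203.0.113.250", "192.0.2.5"]


def _matches(ip: str, entries: list[str]) -> bool:
    """True if ip falls inside any address or CIDR in entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def evaluate(lists_response: dict, egress_ips: list[str]) -> dict[str, str]:
    """Map each egress IP to 'allowed', 'blocked' or 'not-allowed'.
    Assumed order: enabled BLOCK lists win; if any enabled ALLOW list exists,
    only its members pass; with no enabled ALLOW list, unblocked IPs pass.
    """
    enabled = [acl for acl in lists_response["ip_access_lists"] if acl["enabled"]]
    block = [acl["ip_addresses"] for acl in enabled if acl["list_type"] == "BLOCK"]
    allow = [acl["ip_addresses"] for acl in enabled if acl["list_type"] == "ALLOW"]
    verdict = {}
    for ip in egress_ips:
        if any(_matches(ip, entries) for entries in block):
            verdict[ip] = "blocked"
        elif not allow or any(_matches(ip, entries) for entries in allow):
            verdict[ip] = "allowed"
        else:
            verdict[ip] = "not-allowed"   # needs adding before mobile rollout
    return verdict


def fetch_lists(workspace_host: str, token: str) -> dict:
    """Live variant: read the workspace lists with a bearer token."""
    req = urllib.request.Request(f"https://{workspace_host}/api/2.0/ip-access-lists",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as r:
        return json.load(r)


if __name__ == "__main__":
    for ip, result in evaluate(SAMPLE_LISTS, VPN_EGRESS).items():
        print(f"{ip:16} {result}")
```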
VPN and network reachability
If your workspace is only reachable through Private Link, PrivateLink, or Private Service Connect, configure a mobile VPN that covers both login.databricks.com and the workspace host.
Identity provider policy
Add the Genie mobile app as an allowed client in Microsoft Entra ID with SSO, conditional access, MFA, and device posture rules that align with your mobile strategy.
App distribution
The app is available from the Apple App Store and Google Play Store.
To deploy through MDM, see your MDM provider's documentation:
- Intune: Add apps to Microsoft Intune
- Jamf: Deploy a mobile device app from Jamf Pro using Self Service
- BlackBerry: Managing apps
- Google Workspace MDM: Manage mobile apps for your organization
Mobile Device Management (MDM) compatibility
The Genie app supports the following MDMs: