Tulip Player: Allow updates without requiring broad access to s3.amazonaws.com (Enterprise / Air‑gapped environments)

Context & Problem description:
In our factory environment, Tulip Player is running on Android tablets deployed in a highly restricted OT network (almost air‑gapped).
Outbound internet access is limited and strictly controlled by domain allow‑listing.
We currently whitelist and trust the following Tulip-controlled domains:

  • *.tulip.co (including our instance domain)
  • download.tulip.co
  • *.tulip-custom-widgets.com

This allows normal Player operation.

However, Tulip Player updates are distributed via Amazon S3 under the shared domain:

s3.amazonaws.com (e.g. https://s3.amazonaws.com/co.tulip.cdn/)

From a security standpoint, it is not reasonable for us (or most industrial IT/OT teams) to whitelist the entire s3.amazonaws.com domain, as it is a multi‑tenant global storage endpoint well outside Tulip’s control.
As a result:

  • Player auto‑updates are blocked in our OT network
  • Tablets periodically get stuck requiring an update
  • Our current workaround is to manually move tablets to a separate “office” network to perform updates, which is operationally painful and error‑prone

Requested Feature / Improvements:
We would like to request an enterprise‑friendly update distribution mechanism that does not require allowing access to s3.amazonaws.com.
Examples of possible solutions (any of these would solve the problem):

  1. Host Player update artifacts on a Tulip‑controlled domain
    For example:
    updates.tulip.co or reuse download.tulip.co
    This would allow customers to safely whitelist a Tulip‑owned domain only.

  2. Support a configurable update endpoint (advanced / enterprise option)
    Allow the Player to be configured with a custom update base URL (via configuration file, environment variable, managed setting…)
    This would allow customers to place a reverse proxy under their control in front of Tulip’s S3 backend.
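
The difference between allowing the whole of s3.amazonaws.com and allowing only the co.tulip.cdn bucket path, as an added example that is not part of the original post and not Tulip's code. It assumes an egress proxy that sees the full URL (a hostname-only filter cannot make this distinction); `is_allowed`, `host_matches` and the sample URLs are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Domains the post says are already trusted; "*." means subdomains only.
ALLOWED_HOSTS = ["*.tulip.co", "download.tulip.co", "*.tulip-custom-widgets.com"]
# Shared host, permitted only under the bucket prefix quoted in the post.
SCOPED_PATHS = {"s3.amazonaws.com": "/co.tulip.cdn/"}


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or a label-boundary suffix match for "*." patterns."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".tulip.co": the dot stops "eviltulip.co"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(url: str) -> bool:
    """Decide whether an egress proxy should forward this URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:  # assumption: HTTPS only
        return False
    host = parts.hostname.lower().rstrip(".")
    if any(host_matches(host, p) for p in ALLOWED_HOSTS):
        return True
    prefix = SCOPED_PATHS.get(host)
    if prefix is None:
        return False  # includes other-bucket.s3.amazonaws.com and look-alikes
    # Decode and normalise first so "../" or "%2e%2e" cannot leave the prefix.
    path = posixpath.normpath(unquote(parts.path))
    return (path + "/").startswith(prefix)


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://s3.amazonaws.com/co.tulip.cdn/player-update.apk",
        "https://s3.amazonaws.com/some-other-bucket/payload.bin",
        "https://s3.amazonaws.com/co.tulip.cdn/../some-other-bucket/payload.bin",
    ):
        print(is_allowed(sample), sample)
```
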

Could you investigate an MDM solution or possibly have the tablets connect to a VM that’s within your factory network?

Hi jasonh,
Thanks for your response, and sorry for the late reply.
I’m slightly worried about the effort required to implement an MDM solution on our side. Do you have any pointers or documentation you could share, in case we explore that path?

Thanks

Yes, I’ve looked into MDM for air gapped environments. I haven’t looked too deep, but I focused on 2 different companies:

Ivanti (Offers cloud based and on-premise solutions)
Ivanti MDM for Classified & Air-Gapped Networks

Plane (Didn’t look into specific solution offers, but I believe they offer both cloud and on-premise options)
Air-Gapped Project Management for Secure Environments | Plane

Ultimately, we shifted to other devices and put wireless devices on the backburner. Hopefully this helps!