How to handle web apps requiring secure context in intranets?

I have a web application that will be used by customers in intranets. It uses features that require a secure context, such as getUserMedia. What is the best practice for this these days?

Customers will have little technical knowledge and the app may be used by people just passing by, so creating and installing a certificate authority on the browsers is too cumbersome. There is no guarantee that there will be an internet connection all the time, although it's acceptable to require it during installation. A warning message for the TLS certificate is acceptable (not ideal, but it could be explained), but self-signed certificates do not solve the problem, as they're still considered insecure contexts. I'll have no control over the intranet, and the device running the service may be accessed by IP only, without a hostname or a local DNS server.

What alternatives are there to get a secure context that are as frictionless as possible?

Randolf answered 18/7, 2019 at 17:56 Comment(1)
I ended up implementing a custom DNS server on a custom domain with wildcards. Code is at github.com/Corollarium/localtls - Randolf

Solution based on Chrome 88; no guarantees for earlier and later versions.

Server: Nothing special; it must be accessible by IP or DNS.

Client side:

  1. A batch file that will be a shortcut on the user's desktop and starts the web app in Chrome as an application, in a separate window.

The use of `start "WEB APP" /MAX ...` is to make sure that the cmd window of the batch file will disappear as fast as possible.

```bat
@echo off
REM URL of the web app (IP address or DNS name)
set WEB_APP_URL=http://app.ip.or.dns

REM Start Chrome in app mode and treat the origin above as a secure context
start "WEB APP" /MAX "C:\Program Files\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=%WEB_APP_URL% --allow-running-insecure-content --app=%WEB_APP_URL%
```

If you want this application to have a totally different Chrome profile, add this:

```bat
REM Profile directory used only by this application
set COMMON_USER_DATA_DIR=C:\Users\Public\YOUR_APP\

REM Append these flags to the chrome.exe command line above
--user-data-dir=%COMMON_USER_DATA_DIR% --profile-directory=Default --allow-profiles-outside-user-dir
```

Geraldina answered 15/2, 2021 at 21:17 Comment(2)
This works for devs, but is too complicated for deployment with any number of users accessing an application. Besides, they can access from all kinds of devices and browsers, not just Chrome. - Randolf
@Randolf - Agreed. This is all true. This is not a full or really good solution. Also this is something... - Geraldina
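
Added example, not code from the question or from either poster: a JavaScript sketch of the origin rules browsers apply when deciding whether a page is a secure context, plus a guard to run before calling getUserMedia. The function names `classifyOrigin` and `cameraSupport` and the sample URLs are constructed for illustration; the check looks at the URL only and cannot see certificate state or browser flags.

```javascript
// Approximates the "potentially trustworthy origin" test from the
// W3C Secure Contexts spec for the URL forms an intranet app is reached by.
function classifyOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { secure: false, reason: "not a valid absolute URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol === "https:" || url.protocol === "wss:") {
    return { secure: true, reason: "TLS scheme" };
  }
  // The URL parser normalizes IPv4 forms such as 0x7f.1 to dotted decimal.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) || host === "[::1]") {
    return { secure: true, reason: "loopback address" };
  }
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { secure: true, reason: "localhost name" };
  }
  return { secure: false, reason: "plain " + url.protocol + " to a non-loopback host" };
}

// Guard to run in the page before touching the camera. The environment is
// passed in (use `window` in a browser) so the function can be tested offline.
function cameraSupport(env) {
  if (!env.isSecureContext) return "insecure-context";
  const md = env.navigator && env.navigator.mediaDevices;
  if (!md || typeof md.getUserMedia !== "function") return "unsupported";
  return "ok";
}

// Constructed sample URLs: a device reached by LAN IP, by name, and locally.
const samples = [
  "http://192.168.1.10:8080/",
  "https://192.168.1.10/",
  "http://kiosk.lan/",
  "http://localhost:3000/",
  "http://[::1]:8080/",
];
for (const s of samples) {
  const r = classifyOrigin(s);
  console.log(s, "->", r.secure ? "secure" : "NOT secure", "(" + r.reason + ")");
}
```

In the page itself, call `cameraSupport(window)` and show an explanatory message when it returns `"insecure-context"` instead of letting the getUserMedia call fail.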
