Monday, 25 July 2016

Supported Device Platforms in XenMobile



XenMobile 10.x supports devices running the following platforms for enterprise mobility management, including app and device management. Due to platform restrictions and security features, not all functionality is supported on all platforms. To support older versions of mobile operating systems, such as Android 4.1 and iOS 7, see in the Citrix Support Knowledge Center.

Android


XenMobile 10.3

Operating systems supported for all modes: Android 4.4.x, 5.x, 6.x
Operating systems supported for MDM-only mode: Android 4.1.x, 4.2.x, 4.3

Worx Home is supported on x86-based Android devices for MDM capabilities. App management is available only on ARM-based Android devices. With the MDX Toolkit 10.3, MDX-wrapped enterprise apps are supported on Android x86-based devices. MDX-wrapped applications are not supported on Android x64-based devices.

Some Android devices used for testing with XenMobile 10.3 on the operating systems listed above are:

a. Nexus 10, 7, 5, 9
b. Samsung Galaxy S4 and Note 3, 4, 5
c. Galaxy Tablet 2, S3, S4, S5
d. HTC One
e. Samsung Tablet P750
f. Samsung S6 and S6 Edge
g. OnePlus X

XenMobile 10 and 10.1

Operating systems supported for all modes: 4.4.x, 5.x, 6.x
Operating systems supported for MDM-only mode: 4.1.x

Android 4.2 and 4.3 are not supported.

Worx Home is supported on x86-based Android devices for MDM capabilities. App management is only available on Android devices with ARM-based processors. MDX-wrapped applications are not supported on Android x86-based devices.

Some Android devices used for testing with XenMobile 10 and 10.1 on the operating systems listed above are:

a. Nexus 10, 7, 5, 9
b. Galaxy S4 and Note 2, 3
c. Galaxy Tablet 2, S3, S4, S5
d. Moto X
e. HTC One
f. HTC Desire, LG
g. Samsung Tablet P750

These devices are supported for device management only:

a. Android 3.0–3.2
b. Android 2.3

SAFE and KNOX


On compatible Samsung devices, XenMobile 10.x supports and extends both Samsung for Enterprise (SAFE) and Samsung KNOX policies. You must enable the SAFE APIs by deploying the built-in Samsung Enterprise License Management (ELM) key to a device before you can deploy SAFE policies and restrictions. To enable the Samsung KNOX API, you also need to purchase a Samsung KNOX license by using the Samsung KNOX License Management System (KLMS) in addition to deploying the Samsung ELM key.

XenMobile supports Amazon Kindle devices running Fire OS 3.0 and earlier versions running proprietary operating systems based on Android. For HTC-specific policies, XenMobile supports HTC API version 0.5.0. In the case of Sony-specific policies, XenMobile supports Sony Enterprise SDK 2.0.

iOS


XenMobile 10.3
iOS 9.x
iOS 8.4.x

Some iOS devices that XenMobile 10.3 supports:
iPhone 5, 5s, 5c, 6, 6+
iPad 2, 3
Mac OS X
MacBook, Air, Mini, Mini Retina 10.9.5, 10.10, 10.11

XenMobile 10 and 10.1
iOS 9.x
iOS 8.4.x

Some iOS devices that XenMobile 10 and 10.1 support:
iPhone 5, 5s, 5c, 6, 6+
iPad 2, 3, Mini, Air, Air2, Mini Retina

Windows Phone and Tablet


XenMobile 10.3

a. Windows 10 tablet:
Windows 10 tablet is not supported when XenMobile is in MAM-only mode.
b. Windows Phone 8.1/10:
For Windows Phone 10, you must install a patch from the .
Windows Phone 8.1 and 10 are not supported when XenMobile is in MAM-only mode.
c. Windows Phone 8.1 compatibility with Worx Home:
Worx Home 10.0 when XenMobile is in Enterprise mode.
Worx Home 9.1.0 when XenMobile is in MDM-only mode.
d. Windows 8.1 Pro and Enterprise editions (32-bit and 64-bit)
e. Windows RT 8.1
f. Windows Mobile/CE:
Windows CE is not supported when XenMobile is in MAM-only mode.

Some Windows devices that XenMobile 10.3 supports:

a. Windows Tablet 10, 8.1
b. Windows Phone 10, 8.1
c. HTC (Windows Phone 8.1)
d. Nokia 920, 925, 1020, 1520 (Windows Phone 8.1)
e. Windows Tablet Surface Pro 3
f. Windows Tablet Surface 2
g. Windows Tablet RT

XenMobile 10 and 10.1

a. Windows 10 tablet
b. Windows Phone 8.1 / 10:
Windows Phone 8.1 is not supported when XenMobile is in MAM-only mode.
Windows Phone 10 is not supported on XenMobile 10.1.
c. Windows Phone 8.1 compatibility with Worx Home:
Worx Home 10.0 when XenMobile is in Enterprise mode
Worx Home 9.0.3 when XenMobile is in MDM-only mode
d. Windows 8.1 Pro and Enterprise editions (32-bit and 64-bit)
e. Windows RT 8.1
f. Windows Mobile: XenMobile 10.1 does not support Windows Mobile devices. Users with devices running Windows Mobile or Windows CE must continue to use XenMobile 9.

Some Windows devices that XenMobile 10 and 10.1 support:

a. Windows Tablet 8.1
b. HTC (Windows Phone 8.1)
c. Nokia 920, 925, 1020, 1520 (Windows Phone 8.1)
d. Windows Tablet Surface Pro 3
e. Windows Tablet Surface 2
f. Windows Tablet RT

Saturday, 23 July 2016

Downloading XenMobile Product Software



You can download product software from the Citrix web site. You need to log on to the site and then click the Downloads link on the Citrix web page. You can then select the product and type you want to download. For example, the following figure shows the XenMobile product software drop-down list:



When you click Find, a page listing the available downloads appears with the most recent version at the top of the list:



You can select your software from the available list of options. For example, if you select XenMobile 8.6 Enterprise Edition, you can download the software for Device Manager, App Controller, NetScaler Gateway, and other XenMobile components as shown in the following figure:


To download the software for NetScaler Gateway


You can use this procedure to download the NetScaler Gateway virtual appliance or software upgrades to your existing NetScaler Gateway appliance.

1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select NetScaler Gateway.
5. In Select Download Type, select Product Software and then click Find. You can also select Virtual Appliances to download NetScaler VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.
6. On the NetScaler Gateway page, expand NetScaler Gateway or Access Gateway.
7. Click the appliance software version you want to download.
8. On the appliance software page for the version you want to download, select the virtual appliance and then click Download.
9. Follow the instructions on your screen to download the software.

To download the software for Device Manager


1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 MDM Edition.
7. Under XenMobile Device Manager, click Download next to XenMobile Device Manager 8.6.
8. Follow the instructions on your screen to download the software.

To download the software for App Controller


1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 App Edition.
7. On the XenMobile 8.6 App Edition page, click the appropriate App Controller virtual image in order to install App Controller on XenServer, VMware, or Hyper-V.
8. Follow the instructions on your screen to download the software.

To download the MDX Toolkit


You can run the MDX Toolkit for wrapping iOS and Android apps on Mac OS X Versions 10.7 (Lion), 10.8 (Mountain Lion), or 10.9 (Mavericks).

1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 App Edition.
7. On the XenMobile 8.6 App Edition page, expand Worx Mobile Apps.
8. Locate MDX Toolkit & SDK for iOS and Android Build <number> where <number> is the toolkit build number, such as 324.
9. Click Download.
10. Follow the instructions on your screen to download the software.

Friday, 22 July 2016

Sign the CSR



Before you can submit the certificate to Apple, it needs to be signed by Citrix so it can be used with XenMobile.

1. In your browser, go to the website.
2. Click Upload the CSR.
3. Browse to and select the certificate.
4. On the XenMobile APNs CSR Signing page, click Sign. The CSR is signed and automatically saved to your configured download folder.

To submit the signed CSR to Apple to obtain the APNs certificate


After receiving your signed Certificate Signing Request (CSR) from Citrix, you need to submit it to Apple to obtain the APNs certificate.

1. Click Create a Certificate.
2. If this is the first time you are creating a certificate with Apple, select the I have read and agree to these terms and conditions check box and then click Accept.
3. Click Choose File, browse to the signed CSR on your computer and then click Upload. A confirmation message should appear stating that the upload is successful.
4. Click Download to retrieve the .pem certificate.

To create a .pfx APNs certificate by using Microsoft IIS


To use the APNs certificate from Apple with XenMobile, you need to complete the certificate request in Microsoft IIS, export the certificate as a PKCS #12 (.pfx) file and then import the APNs certificate into XenMobile.

Important: You need to use the same IIS server for this task as the server you used to generate the CSR.

1. Open Microsoft IIS.
2. Click the Server Certificates icon.
3. In the Server Certificates window, click Complete Certificate Request.
4. Browse to the Certificate.pem file from Apple. Then, type a friendly name or the certificate name and click OK.
5. Select the certificate that you identified in Step 4 and then click Export.
6. Specify a location and file name for the .pfx certificate and a password and then click OK.
7. Copy the .pfx certificate to the server on which XenMobile will be installed.
8. Sign on to the XenMobile console as an administrator or as a user with access to the About tab.
9. Click the About tab and then click Update APNs Certificate.
10. In the Update APNs Certificate dialog box, browse to the APNs certificate .pfx file on your computer and then enter a new password.
11. Click Load APNs Certificate.
12. Click Update.

To create a .pfx APNs certificate on a Mac computer


1. On the same Mac computer running Mac OS X that you used to generate the CSR, locate the Production identity (.pem) certificate that you received from Apple.
2. Double-click the certificate file to import the file into the keychain.
3. If you are prompted to add the certificate to a specific keychain, keep the default login keychain selected and then click OK. The newly added certificate will appear in your list of certificates.
4. Click the certificate and then on the File menu, click Export to begin exporting the certificate into a PKCS #12 (.pfx) certificate.
5. Give the certificate file a unique name for use with the XenMobile server, choose a folder location for the saved certificate, select the .pfx file format and then click Save.
6. Enter a password for exporting the certificate. Citrix recommends that you use a unique, strong password. Also, be sure to keep the certificate and password safe for later use and reference.
7. The Keychain Access application will prompt you for the login password or selected keychain. Enter the password and then click OK. The saved certificate is now ready for use with the XenMobile server.

To create a .pfx APNs certificate by using OpenSSL


After you use OpenSSL to create a Certificate Signing Request (CSR), you can also use OpenSSL to create a .pfx APNs certificate.

1. At a command prompt or shell, execute the following command.
openssl pkcs12 -export -in MDM_Zenprise_Certificate.pem -inkey Customer.key.pem -out apns_identity.p12
2. Enter a password for the .pfx certificate file. Remember this password because you need to use the password again when you upload the certificate to XenMobile.
3. Note the location for the .pfx certificate file and then copy the file to the XenMobile server, so you can use the XenMobile console to upload the file.
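A pre-flight check for the OpenSSL procedure above, as an added example that is not part of the original page: it confirms that the private key belongs to the certificate before exporting, which is the reason the IIS and Mac procedures insist on the machine that generated the CSR, and then confirms that the PKCS #12 file opens with the chosen password. The file names follow the command above; the function names, the password, the unencrypted key, and the self-signed certificate standing in for the one Apple returns are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check that the private key
# belongs to the certificate, export the PKCS #12 file, then confirm it opens.

# SHA-256 of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from an unencrypted private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# make_apns_p12 CERT KEY OUT PASSWORD
# Returns 1 if an input cannot be parsed, 2 if the key does not belong to the
# certificate, 3 if the export itself fails, 0 on success.
make_apns_p12() {
    local cert=$1 key=$2 out=$3
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    openssl pkey -in "$key" -noout 2>/dev/null || return 1
    [ "$(cert_pubkey_fp "$cert")" = "$(key_pubkey_fp "$key")" ] || return 2
    # Hand the password over in the environment so it stays off the command line.
    P12_PASS=$4 openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -out "$out" -passout env:P12_PASS 2>/dev/null || return 3
    chmod 600 "$out"    # the file contains the private key
}

# p12_not_after FILE PASSWORD
# Prints the notAfter date of the certificate inside the file; fails when the
# password is wrong or the file is not a PKCS #12 container.
p12_not_after() {
    local pem
    pem=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS \
            -nokeys -clcerts 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -enddate
}

# Constructed inputs: a self-signed certificate stands in for the one Apple
# returns, and Other.key.pem is an unrelated key, as found on another server.
make_demo_inputs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=constructed-apns-stand-in" \
        -keyout "$1/Customer.key.pem" \
        -out "$1/MDM_Zenprise_Certificate.pem" 2>/dev/null &&
    openssl genrsa -out "$1/Other.key.pem" 2048 2>/dev/null
}

DEMO_PASS='constructed-demo-password'

demo() {
    local dir rc
    dir=$(mktemp -d) || return 1
    make_demo_inputs "$dir" || { rm -rf "$dir"; return 1; }
    rc=0
    make_apns_p12 "$dir/MDM_Zenprise_Certificate.pem" "$dir/Other.key.pem" \
        "$dir/wrong.p12" "$DEMO_PASS" || rc=$?
    echo "export with unrelated key: exit $rc"
    rc=0
    make_apns_p12 "$dir/MDM_Zenprise_Certificate.pem" "$dir/Customer.key.pem" \
        "$dir/apns_identity.p12" "$DEMO_PASS" || rc=$?
    echo "export with matching key:  exit $rc"
    p12_not_after "$dir/apns_identity.p12" "$DEMO_PASS"
    rm -rf "$dir"
}

demo
```

The notAfter date printed at the end is the date to track for the renewal procedure.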

To import an APNs certificate into XenMobile


After you have requested and received a new APNs certificate, you import the APNs certificate into XenMobile to either add the certificate for the first time or to replace an existing certificate.

1. Sign on to the XenMobile console as an administrator.
2. Click Configure > Settings > Certificates.
3. On the Certificates page, click Import. The Import dialog box appears.
4. Browse to the .p12 file on your computer.
5. Enter a password and then click Import.

For more information about certificates in XenMobile, see the Certificate section.

To renew an APNs certificate


To renew an APNs certificate, you need to perform the same steps you would if you were creating a new certificate. Then, you visit the and upload the new certificate. After logging on, you see your existing certificate or you may see a certificate that was imported from your previous Apple Developers account. On the Certificates Portal, the only difference when renewing the certificate is that you click Renew. You must have a developer account with the Certificates Portal in order to access the site.

Certificates. If the certificate is expired, however, do not revoke the certificate.

1. Generate a CSR using Microsoft Internet Information Services (IIS).
2. Click Renew.
3. Generate a PKCS #12 (.pfx) APNs certificate using Microsoft IIS.
4. Update the new APNs certificate to XenMobile in Configure > Settings > Certificates.
5. In the Import dialog box, import the new certificate.

Wednesday, 20 July 2016

Configuring Roles with RBAC



The Role-Based Access Control (RBAC) feature in XenMobile lets you assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions.

XenMobile implements four default user roles to logically separate access to system functions:

1. Administrator. Grants full system access.
2. Provisioning. Used by administrators to provision all Windows Mobile/CE devices as a group using the Device Provisioning Tool.
3. Support. Grants access to remote support.
4. User. Used by users who can enroll devices and access the Self Help Portal.

You can also create new user roles with permissions to access specific system functions beyond the functions defined by these default roles by using the default roles as templates that you customize.

Roles can be assigned to local users (at the user level) or to Active Directory groups (all users in that group have the same permissions). If a user belongs to several Active Directory groups, all the permissions are merged together to define the permissions for that user. For example, if ADGroupA users can locate manager devices, and ADGroupB users can wipe employee devices, then a user who belongs to both groups can locate and wipe devices of managers and employees.
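The merge rule above means a user in two groups can end up with action and target combinations that neither group granted. The following added example, which is not part of the original page, lists every merged permission and marks the ones no single group grants. The "group action scope" and "user group" file layouts, the function names and the sample users are assumptions for illustration, not a XenMobile export format.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): list merged RBAC permissions
# per user and mark the ones that no single group grants.

# rbac_effective GRANTS MEMBERS
#   GRANTS  lines: group action scope
#   MEMBERS lines: user group
# Prints "user action scope direct|merged", sorted.
rbac_effective() {
    awk '
        NR == FNR {                         # first file: grants per group
            grant[$1, $2, $3] = 1
            acts[$1] = acts[$1] " " $2
            scopes[$1] = scopes[$1] " " $3
            next
        }
        { groups[$1] = groups[$1] " " $2 }  # second file: memberships
        END {
            for (u in groups) {
                n = split(groups[u], g, " ")
                split("", A); split("", S)  # clear the per-user sets
                for (i = 1; i <= n; i++) {
                    na = split(acts[g[i]], a, " ")
                    for (j = 1; j <= na; j++) A[a[j]] = 1
                    ns = split(scopes[g[i]], s, " ")
                    for (j = 1; j <= ns; j++) S[s[j]] = 1
                }
                # Merged result: every action on every scope the user holds.
                for (x in A) for (y in S) {
                    src = "merged"
                    for (i = 1; i <= n; i++)
                        if ((g[i], x, y) in grant) src = "direct"
                    print u, x, y, src
                }
            }
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# rbac_escalations GRANTS MEMBERS
# Prints only the "user action scope" triples that exist because of the merge.
rbac_escalations() {
    rbac_effective "$1" "$2" | awk '$4 == "merged" { print $1, $2, $3 }'
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    # Constructed sample data modelled on the ADGroupA/ADGroupB case above.
    printf '%s\n' 'ADGroupA locate managers' \
                  'ADGroupB wipe employees' > "$dir/grants"
    printf '%s\n' 'alice ADGroupA' 'bob ADGroupA' \
                  'bob ADGroupB' 'carol ADGroupB' > "$dir/members"
    echo "All effective permissions:"
    rbac_effective "$dir/grants" "$dir/members"
    echo "Permissions that exist only because of group merging:"
    rbac_escalations "$dir/grants" "$dir/members"
    rm -rf "$dir"
}

demo
```

Reviewing the merged rows before adding a user to a second Active Directory group shows what that membership adds beyond the new group's own permissions.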

You can use the RBAC feature in XenMobile to do the following:

1. Create a new role.
2. Add groups to a role.
3. Associate local users to roles.

1. In the XenMobile console, click Configure > Settings > Role-Based Access Control.



The Role page appears, which displays the four default user roles, plus any roles you have previously added.




2. Click Add to add a new user role, click the pen icon to the right of an existing role to edit the role, or click the trash can icon to the right of a role you previously defined to delete the role. You cannot delete the default user roles.

a. When you click Add or the pen icon, the Add Role or the Edit Role page appears.


b. When you click the trash can icon, a confirmation dialog appears. Click Delete to remove the selected role.

3. Enter the following information to create a new user role or to edit an existing user role:

a. RBAC name: Enter a descriptive name for the new user role. You cannot change the name of an existing role.
b. RBAC template: Click a template as the starting point for the new role or click a new template for an existing role.


Using a template is optional; you can directly select the options you want to assign to a role in the Authorized Access and Console Features fields.

a. Click Apply to populate the Authorized access and Console features check boxes with the predefined access and feature permissions for the selected template.
b. Select and clear the check boxes in Authorized access and Console features to customize the role.


c. Apply permissions: Select the groups to which you want to apply the selected permissions.



If you click To specific user groups, a list of groups appears from which you can select one or more groups.

4. Click Next. The Assignment page appears.


5. Enter the following information to assign the role to user groups and then click Save.

a. Select domain: In the list, click a domain.
b. Include user groups: Click Search to see a list of all available groups, or type a full or partial group name to limit the list to only groups with that name.
c. In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in a list of selected groups to the right of the search box.



To remove a user group from the Selected user groups list, do one of the following:

a. Click Search to see a list of all user groups in the selected domain.
b. Type a full or partial group name in the search box, and then click Search to limit the list of user groups.

User groups in the list have check marks next to their name in the resulting list. Scroll through the list and clear the check box next to each group you want to remove.

Tuesday, 19 July 2016

Samsung browser device policies



You can create Samsung browser device policies for Samsung SAFE and Samsung KNOX devices to define whether users' devices can use the browser or to limit which browser functions users' devices can use. You can completely disable the browser, or you can enable or disable pop-ups, Javascript, cookies, autofill, and whether to force fraud warnings.

1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.



2. Click Add to add a new policy. The Add New Policy dialog box appears.



3. Click More, and then under Apps, click Samsung Browser. The Samsung Browser Policy information page appears.



4. In the Policy Information pane, enter the following information:
a. Policy Name: Type a descriptive name for the policy.
b. Description: Type an optional description of the policy.

5. Click Next. The Policy Platforms page appears.



6. Deployment Rules.

7. Under Platforms, select Samsung platforms you want to add. If you are only configuring for one platform, clear the other, then configure the following settings:

a. Disable browser: Select whether to completely disable the Samsung browser on users' devices. The default is OFF, which lets users use the browser. When you disable the browser, the following options disappear.
b. Disable pop-up: Select whether to allow pop-up messages on the browser.
c. Disable Javascript: Select whether to allow Javascript to run on the browser.
d. Disable cookies: Select whether to allow cookies.
e. Disable autofill: Select whether to allow users to turn on the browser's autofill function. 
f. Force fraud warning: Select whether to display a warning when users visit a fraudulent or compromised website.

8. Expand Deployment Rules and then configure the following settings: The Base tab appears by default.



a. In the lists, click options to determine when the policy should be deployed.
i. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
ii. Click New Rule to define the conditions.
iii. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
iv. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.

b. Click the Advanced tab to combine the rules with Boolean options.


The conditions you chose on the Base tab appear.

c. You can use more advanced Boolean logic to combine, edit, or add rules.
i. Click AND, OR, or NOT.
ii. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.
At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.
iii. Click New Rule again if you want to add more conditions.



In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

9. Click Next. The Samsung Browser Device Policy page appears.

10. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.



11. Expand Deployment Schedule and then configure the following settings:

a. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
b. Next to Deployment schedule, click Now or Later. The default option is Now.
c. If you click Later, click the calendar icon and then select the date and time for deployment.
d. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
e. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.



12. Click Save to save the policy.

Sunday, 17 July 2016

XenMobile Deployment Prerequisites



Before you deploy the XenMobile solution and install the components, make sure you have the right prerequisites and system requirements. This effort will prepare you to configure the network settings, open ports in your firewall, install certificates and licenses, and configure authentication.

This section details the deployment information you need to gather and includes the XenMobile Solution Pre-Installation Checklist to guide you through the recommended settings.

Gathering Information Before You Deploy XenMobile Components


Before you install XenMobile components in your network, you need the right prerequisites. These prerequisites include:

1. Network settings. These settings include IP addresses, ports, DNS, Network Time Protocol (NTP) and SMTP servers, and the IP address or fully qualified domain name (FQDN) of a load balancer.

2. Hardware and sizing requirements. These include Windows Servers, hypervisors, and NetScaler Gateway requirements. The NetScaler Gateway appliance you select (VPX, MPX, or SDX) determines the maximum number of user connections to your XenMobile deployment.

3. Certificates. These include server, root, intermediate, Apple Push Notification Service (APNS), and certificates for wrapping mobile apps with the MDX Toolkit.

4. Licenses. Licenses are required for XenMobile MDM Edition and NetScaler Gateway.

5. Active Directory settings. These settings are required for XenMobile MDM Edition and for XenMobile App Edition.

6. Authentication method. Before deploying XenMobile components, it's important to decide on an authentication method. For example, you should decide if you are implementing the Worx PIN that you configure in App Controller. The Worx PIN caches Active Directory credentials and works with client certificate authentication. Authentication settings can enable LDAP, RADIUS, one-time passwords, client certificate authentication, and two-factor authentication. If users connect to internal web sites, you need to configure authentication for NetScaler Gateway and SharePoint to allow single sign-on (SSO) to work.

7. Load balancers. Load balancers manage connections to your XenMobile deployment. You might also need to plan for packet inspection appliances to monitor network traffic entering your internal network.

8. Email server and data synchronization settings. These settings include Exchange Server and ActiveSync configurations for XenMobile MDM Edition and WorxMail.

9. Databases. These databases include either Microsoft SQL Server or Postgres for XenMobile MDM Edition. The Postgres database comes with XenMobile MDM Edition and installs when you install Device Manager.

Gathering Network Information


You need to identify the following network settings and configure appropriate server settings before you install the XenMobile components in your network:

1. IP addresses for each XenMobile component. For example, for NetScaler Gateway, you need the system IP (NSIP) and the subnet IP (SNIP) addresses.

2. Opening the appropriate ports in your firewall to allow network traffic to communicate with each component.

3. Domain Name Servers (DNS) for name resolution with users inside your network and users who connect from remote locations. You might need different IP addresses for each DNS server.

4. Network Time Protocol (NTP) server. The NTP server synchronizes the time between all of your network components. Citrix recommends that you use an NTP server for your XenMobile deployment.

5. SMTP server for email. When you configure an SMTP server, you need the fully qualified domain name (FQDN) of the email server, such as mail.mycompany.com. You also need to identify the port, the email addresses used for the send function, and user email addresses and passwords.

The XenMobile Pre-Installation checklist includes a section where you can write down all of your network settings. You might need to coordinate with other team members to configure the ports and servers you need for the XenMobile deployment.

Obtaining and Installing Certificates 


Certificates are used to create secure connections and authenticate users. XenMobile MDM requires a certificate from the Apple Push Notification Service (APNS). XenMobile MDM also uses its own PKI service or obtains certificates from the Microsoft Certificate Authority (CA) for client certificates.

All Citrix products support wildcard and SAN certificates. For most deployments, you only need two wildcard or SAN certificates. You can use the following formats:

1. External - *.mycompany.com
2. Internal - *.myinternaldomain.net

For NetScaler Gateway and App Controller, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway configuration utility or the App Controller management console. After you create the CSR, submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or App Controller.

For more information about installing certificates, see the following topics in Citrix eDocs:

1. NetScaler Gateway: Installing and Managing Certificates
2. App Controller: Configuring Certificates in App Controller
3. Device Manager: Requesting an APNS Certificate

Configuring Client Certificates for Authentication

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to a NetScaler Gateway virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

When users log on to the NetScaler Gateway virtual server, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.
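The accept and reject cases described in this section can be reproduced offline with OpenSSL before client certificates are rolled out. This is an added example, not NetScaler Gateway code or configuration; it assumes the user name field is Subject:CN, and the function names, file names and subjects are constructed test data.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the accept/reject decision for
# certificate-based logon, reproduced offline with OpenSSL.

# cert_logon_name ROOT_CA CLIENT_CERT
# Prints the user name taken from Subject:CN.
# Returns 1 if the certificate does not chain to the given root (or is
# expired or unparseable), 2 if it chains but carries no CN to extract.
cert_logon_name() {
    local cn
    # Trust only the root passed in, as with the root bound to the virtual
    # server; -no-CApath leaves the system CA directory out of the decision.
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p' | head -n 1)
    [ -n "$cn" ] || return 2
    printf '%s\n' "$cn"
}

# make_ca DIR NAME: constructed self-signed root, test data only.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT CA_NAME: constructed client certificate.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# build_samples DIR: one trusted root, one unrelated root, three client certs.
build_samples() {
    make_ca "$1" root &&
    make_ca "$1" other &&
    issue_cert "$1" alice   "/CN=alice/O=Example Corp" root &&
    issue_cert "$1" nocn    "/O=Example Corp"          root &&
    issue_cert "$1" foreign "/CN=alice"                other
}

demo() {
    local dir name rc who
    dir=$(mktemp -d) || return 1
    build_samples "$dir" || { rm -rf "$dir"; return 1; }
    for name in alice nocn foreign; do
        rc=0
        who=$(cert_logon_name "$dir/root.pem" "$dir/$name.pem") || rc=$?
        case $rc in
            0) echo "$name.pem: authenticated as '$who'" ;;
            1) echo "$name.pem: rejected, not issued by the bound root" ;;
            2) echo "$name.pem: rejected, no user name in Subject:CN" ;;
        esac
    done
    rm -rf "$dir"
}

demo
```

The third sample carries CN=alice but is signed by an unrelated root, which shows why the CN is only meaningful after the chain to the bound root has been verified.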

Determining Your Hardware, Hypervisor, and Sizing Requirements


Each XenMobile component has specific hardware, hypervisor, or sizing requirements:

1. User devices. This hardware requirement includes the number and types of devices that enroll when you deploy Device Manager, such as iPads or Android phones.

2. Hardware or hypervisor. These requirements include the hardware resources to support your number of users and devices. You install App Controller and NetScaler VPX on a hypervisor, such as XenServer. You can also deploy the physical NetScaler or NetScaler Gateway appliance. The number of users who connect determines the NetScaler Gateway appliance model you select, or the number of App Controller instances you install on the hypervisor. 

Your hypervisor, such as XenServer, must contain enough disk space and memory to support multiple instances of App Controller or NetScaler VPX.

3. Sizing. The number of devices that connect to XenMobile components. For example, if Device Manager supports 5,000 devices, the Device Manager server needs from 2 through 4 CPUs, a minimum of 4 gigabytes (GB) of memory, and 24 GB of disk space.

This section describes detailed hardware or hypervisor requirements for each XenMobile component.

NetScaler Gateway Requirements

To determine which of the following NetScaler Gateway models suit the needs of your organization, you need to consider how many users will connect. You can use the following guidelines:

1. NetScaler SDX - a hardware platform on which virtual instances on NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.

2. NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.

3. NetScaler Gateway VPX - a virtual machine that can handle up to 875 user connections.


Saturday, 16 July 2016

XenMobile Configuration Tests and Troubleshooting



After you install and configure each component in your XenMobile deployment, you can test your configuration:

1. You can test your NetScaler Gateway settings by connecting to the appliance.
2. You can install applications that connect to each XenMobile component. For example, you can deploy Worx Enroll to register user devices with Device Manager.
3. You can configure Device Manager and App Controller to communicate with each other and then test the connection.
4. You can also test to make sure users can use Worx Home to connect from their mobile devices through NetScaler Gateway by using Micro VPN, and then open and install mobile apps from App Controller.

This section describes the configuration tests you can carry out, and what to do if you experience problems.

Testing Your NetScaler Gateway Configuration


After you configure the initial settings on NetScaler Gateway, you can test your settings by connecting to the appliance.

To test the NetScaler Gateway settings, open a Web browser and type the web address. For example, in the address bar, type https://my.company.com or https://192.168.96.183.

At the logon screen, enter the test user name and password from Active Directory. When you log on, Receiver for Web appears and displays your applications and virtual desktops. NetScaler Gateway passes the user name and password on to Receiver for Web with single sign-on.

Configuring GoToAssist Settings for Worx Apps


App Controller and Citrix GoToAssist integrate to provide continuous technical support for mobile device users who are using WorxMail or WorxWeb. When you configure settings, you can add an email address, phone number, chat information, and ticket information. If the user needs assistance, they can tap a chat button on their mobile device and the GoToAssist web page opens.

To get started, you need to do the following:

1. After you purchase XenMobile, you receive a promotion code for GoToAssist.
2. Log on to the GoToAssist web site.
3. Create a new service for integrating GoToAssist with XenMobile.

When you do these steps, GoToAssist generates the email address that users can use to create a support ticket. This also creates an integration key that you enter in the App Controller management console.

When users start GoToAssist from their mobile device, the Worx app provisions XenMobile App Edition and GoToAssist accounts. GoToAssist sends an account key (token) to XenMobile App Edition which is then sent to the Worx app. Users can use GoToAssist to receive technical support in the following ways:

a. Enter a valid email address to allow support personnel to contact them.
b. Use chat to contact support personnel.
c. Create an incident form by clicking Create Incident. If support personnel are not available through chat, GoToAssist redirects users to the incident form automatically.

When you configure GoToAssist in App Controller, the settings appear on the Support Options page in Settings. On this page you can view the settings for phone, chat, and ticket options. In Support Options, you can do the following:

a. Edit existing GoToAssist settings for phone, chat, or the ticket.
b. Add email or key support options.
c. Delete an option.

On the Support Options page, you can add the following support information. However, Citrix recommends using the GoToAssist page in Settings to configure support settings.

a. Phone numbers
b. Email addresses
c. Chat settings
d. Ticket settings
e. Custom key settings

To configure GoToAssist settings in App Controller


1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, under System Configuration, click GoToAssist.
3. In the details pane, next to GoToAssist Configuration, click Edit.
4. In Support email, enter the email address for support personnel.
Users can choose to use the email address to contact support personnel instead of GoToAssist.
5. In Support phone, enter the phone number for users to use to contact support personnel.
6. In GoToAssist chat, leave the default token number or enter one of your own. When users request a chat session, this token is sent to the Worx app.
7. In GoToAssist ticket, enter the email address that you can use to differentiate GoToAssist support requests and then click Save.

To edit support settings

1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Support Options.
3. In the details pane, next to an item, under Actions, click the pencil icon.
4. In the Add Property dialog box, do the following:
a. In Value, change the value for the support option type.
For example, if you are editing the chat option, enter the new key in this field.
b. In Name, change the name of the value.
c. In Description, add a description for the option.
5. Click Save.
The changes appear in the Support Options details pane.

To add support information by using Support Options

You can add a support email address or a custom key.

1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Support Options.
3. In the details pane, click Add.
4. In the Add Property dialog box, do the following:
a. In Key, select either SUPPORT_EMAIL or Custom Key.
b. If you select Custom Key, enter a name of the custom key you want to add in the blank field that appears. Keys have two parts: key name and the value, such as GTA_PHONE=5551212.
c. In Value, add the value for the support option type.
For example, if you are editing the chat option, enter the new chat key in this field.
d. In Name, add a name of the value.
e. In Description, add a description for the option and then click Save.

To remove a support option

1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Support Options.
3. In the details pane, click an option and then under Actions click the X icon.
4. To confirm, click Yes.

Friday, 15 July 2016

To add a SCEP device policy for iOS


This policy allows you to configure iOS devices to retrieve a certificate using Simple Certificate Enrollment Protocol (SCEP) from an external SCEP server. If you want to deliver a certificate to the device using SCEP from a PKI that is connected to XenMobile, you should create a PKI entity and a PKI provider in distributed mode. For details, see PKI Entities.

1. In the XenMobile console, click Configure > Device Policies.

The Device Policies page appears.



2. Click Add.

The Add a New Policy page appears.



3. On the Add a New Policy page, click More and then under Security, click SCEP.

The SCEP Policy information page appears.



4. In the Policy Information pane, enter the following information:

a. Policy Name: Type a descriptive name for the policy.
b. Description: Optionally, type a description for the policy.

5. Click Next.

The iOS Platform Information page appears.



6. On the iOS Platform Information page, enter the following information:

a. URL base: Type the address of the SCEP server to define where SCEP requests are sent, over HTTP or HTTPS. The private key isn’t sent with the Certificate Signing Request (CSR), so it may be safe to send the request unencrypted. If, however, the one-time password is allowed to be reused, you should use HTTPS to protect the password. This step is required.
b. Instance name: Type any string that the SCEP server recognizes. For example, it could be a domain name like example.org. If a CA has multiple CA certificates, you can use this field to distinguish the required domain. This step is required.
c. Subject X.500 name (RFC 2253): Type the X.500 name, represented as an array of Object Identifier (OID) and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which would translate to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["1.2.5.3", "bar" ] ] ]. You can represent OIDs as dotted numbers with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
d. Subject alternative names type: In the list, click an alternative name type. The SCEP policy can specify an optional alternative name type that provides values required by the CA for issuing a certificate. You can specify None, RFC 822 name, DNS name, or URI.
e. Maximum retries: Type the number of retries allowed when a user enters an incorrect password. The default is 3.
f. Retry delay: Type a time interval after which users exceed the maximum number of retries and a lockout is enforced. The default is 10.
g. Challenge password: Enter a pre-shared secret. This step is required.
h. Key size (bits): In the list, click the key size in bits, either 1024 or 2048. The default is 1024.
i. Use as digital signature: Specify whether you want the certificate to be used as a digital signature. If someone is using the certificate to verify a digital signature, such as verifying whether a certificate was issued by a CA, the SCEP server would verify that the certificate can be used in this manner prior to using the public key to decrypt the hash.
j. Use for key encipherment: Specify whether you want the certificate to be used for key encipherment. If a server is using the public key in a certificate provided by a client to verify that a piece of data was encrypted using the private key, the server would first check to see whether the certificate can be used for key encipherment. If not, the operation fails.
k. SHA1/MD5 fingerprint (hexadecimal string): If your CA uses HTTP, use this field to provide the fingerprint of the CA certificate, which the device uses to confirm authenticity of the CA response during enrollment. You can enter a SHA1 or MD5 fingerprint, or you can select a certificate to import its signature.

7. Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in days).

8. If you click Select date, click the calendar to select the specific date for removal.

9. In the Allow user to remove policy list, click Always, Password required, or Never.

10. If you click Password required, next to Removal password, type the necessary password.



11. Expand Deployment Rules and then configure the following settings: The Base tab appears by default.



a. In the lists, click options to determine when the policy should be deployed.
i. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
ii. Click New Rule to define the conditions.
iii. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
iv. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.

b. Click the Advanced tab to combine the rules with Boolean options.


 The conditions you chose on the Base tab appear.

c. You can use more advanced Boolean logic to combine, edit, or add rules.
i. Click AND, OR, or NOT.
ii. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.
At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.
iii. Click New Rule again if you want to add more conditions.
In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.



12. Click Next. The SCEP Policy assignment page appears.

13. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.



14. Expand Deployment Schedule and then configure the following settings:

a. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
b. Next to Deployment schedule, click Now or Later. The default option is Now.
c. If you click Later, click the calendar icon and then select the date and time for deployment.
d. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
e. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.



15. Click Save to save the policy.
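The step 6 fields can be checked before the policy is saved. The following is an added example, not Citrix or XenMobile code: it converts the Subject string from step 6c into the nested array shown there, assembles the values into a dictionary, and flags the combinations that steps 6a, 6h and 6k call out. It assumes the console fields map onto the key names of Apple's SCEP configuration profile payload (URL, Name, Subject, Challenge, Keysize, Key Usage, CAFingerprint); the form field names, finding labels and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}   # shortcuts named in step 6c
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")


def parse_subject(subject):
    """'/C=US/CN=foo' -> [[["C", "US"]], [["CN", "foo"]]] (one attribute per RDN)."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = []
    # Split on '/' unless it is escaped as '\/' inside a value.
    for part in re.split(r"(?<!\\)/", subject[1:]):
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError("component %r is not key=value" % part)
        if key not in SHORTCUTS and not DOTTED_OID.match(key):
            raise ValueError("unknown attribute type %r" % key)
        rdns.append([[key, value.replace("\\/", "/")]])
    return rdns


def parse_fingerprint(hex_string):
    """Accept 'AA:BB:..' or 'aabb..'; return raw bytes (20 = SHA1, 16 = MD5)."""
    raw = bytes.fromhex(re.sub(r"[:\s]", "", hex_string))
    if len(raw) not in (16, 20):
        raise ValueError("fingerprint is neither MD5 (16 bytes) nor SHA1 (20 bytes)")
    return raw


def key_usage(digital_signature, key_encipherment):
    """Bitmask used by Apple's SCEP payload: 1 = signing, 4 = encryption."""
    return (1 if digital_signature else 0) | (4 if key_encipherment else 0)


def build_payload(form):
    """Map the (hypothetical) form field names onto SCEP payload keys."""
    payload = {
        "URL": form["url_base"],
        "Name": form["instance_name"],
        "Subject": parse_subject(form["subject"]),
        "Challenge": form["challenge"],
        "Keysize": form.get("key_size", 1024),      # console default, step 6h
        "Retries": form.get("max_retries", 3),      # console default, step 6e
        "RetryDelay": form.get("retry_delay", 10),  # console default, step 6f
        "Key Usage": key_usage(form.get("digital_signature", False),
                               form.get("key_encipherment", False)),
    }
    if form.get("ca_fingerprint"):
        payload["CAFingerprint"] = parse_fingerprint(form["ca_fingerprint"])
    return payload


def audit(payload):
    """Return labels for settings that weaken enrollment (labels are made up here)."""
    findings = []
    plain_http = urlsplit(payload["URL"]).scheme.lower() != "https"
    fingerprint = payload.get("CAFingerprint")
    if plain_http and fingerprint is None:
        # Step 6k: over HTTP the device needs the CA fingerprint to
        # confirm the authenticity of the CA response.
        findings.append("http-without-ca-fingerprint")
    if plain_http and payload.get("Challenge"):
        # Step 6a: acceptable only if the challenge cannot be reused.
        findings.append("challenge-over-http")
    if fingerprint is not None and len(fingerprint) == 16:
        findings.append("md5-ca-fingerprint")
    if payload["Keysize"] < 2048:
        findings.append("keysize-below-2048")
    return findings


# Constructed sample input: the console defaults, then a tightened variant.
DEFAULTS_FORM = {
    "url_base": "http://scep.example.org/scep",
    "instance_name": "example.org",
    "subject": "/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar",  # string from step 6c
    "challenge": "constructed-shared-secret",
    "digital_signature": True,
    "key_encipherment": True,
}
HARDENED_FORM = dict(DEFAULTS_FORM,
                     url_base="https://scep.example.org/scep", key_size=2048)

if __name__ == "__main__":
    for label, form in (("defaults", DEFAULTS_FORM), ("hardened", HARDENED_FORM)):
        print(label, audit(build_payload(form)))
```
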

Sunday, 10 July 2016

Downloading and Installing the MDX Toolkit



The Citrix MDX Toolkit is available from the Citrix web site. The MDX Toolkit runs on a computer running Mac OS X Versions 10.7 (Lion), 10.8 (Mountain Lion), and 10.9 (Mavericks). The tool is not supported on a Windows-based computer.

Important: You must update to the latest version of Worx Home 8.6 on Android and iOS devices before you wrap apps with the 2.2.321 version of the MDX Toolkit. If not, when you try to open the apps in earlier versions of Worx Home, an incompatibility error message appears.

After you download the tool from the Citrix web site, you install the tool on your computer. When you install the tool, you are prompted for licensing, the location where you want to install the tool, and installation information.

The installation package includes a small utility for removing the MDX Toolkit. You can find the utility at the following location on your computer: /Applications/Citrix/CGAppPrepTool/Uninstaller.app/Contents. Double-click the utility to start the uninstaller app and then follow the prompts. When you remove the tool, you receive a message prompting you for your user name and password.

To install the MDX Toolkit


1. Click the installation package that you downloaded to your computer to start the installation and then click Continue.
2. Read and accept the End User License Agreement and then click Continue.
3. Follow the prompts to install the MDX Toolkit.

Upgrading the MDX Toolkit


To upgrade the MDX Toolkit, you must first remove earlier versions of the tool from your computer. Then, you can install the latest version.

To remove the App Preparation Tool

1. On your Mac OS X computer, navigate to the directory Go > Application > Citrix > CGAppPrepTool > Uninstaller.app.
2. Double-click the Uninstaller icon. A message prompts you to confirm the removal of the MDX Toolkit.
3. Click Continue.
4. Enter your user name and password, click OK and then click Done.

After you remove the earlier version of the tool, you can then install the new version of the tool.

Wrapping Android and iOS Mobile Apps


Citrix provides the MDX Toolkit so that you can wrap a mobile app for iOS or Android with Citrix logic and policies. The tool can securely wrap an app that was created within your organization or a mobile app made outside the company. When you install the MDX Toolkit, the Worx SDK libraries also install and appear in the MDX SDK folders on your computer in the tool and data directories. The MDX SDK folders are required for the integration of wrapped iOS mobile apps with Citrix Worx. When you wrap iOS apps that include the Worx SDK libraries, you can publish the apps in the Apple App Store and the Citrix Worx Store. After the app is wrapped, you can then upload the app to XenMobile App Edition. For more information about the Worx App SDK, such as an overview for ISVs, and to download the SDK, see Worx App SDK on the Citrix web site.

Prerequisites

Before you wrap an iOS app, download and install the iOS Distribution Provisioning Profile and Distribution Certificate to your computer. The provisioning profile signs the app for distribution.

Wrapping Android Mobile Apps

For Android apps, you need to follow these basic steps:

1. Specify an Android mobile app APK file. When you click Next, the MDX Toolkit validates the Android SDK path. If the tool cannot validate the path, you can browse to the SDK on your computer.
2. Choose the Java Development Kit (JDK) on your computer for wrapping Android mobile apps. If the JDK is not installed on your computer, the tool prompts you to install it. When you click Install, the tool locates the JDK on the Web and then installs it on your computer.
3. Choose the Android Software Development Kit (SDK) on your computer for wrapping Android mobile apps and choose the Android APK tool.
4. Choose the keystore for signing Android mobile apps. When you wrap the app, you must provide the keystore that was created when the app was developed. The Android operating system requires that all installed mobile apps be digitally signed with a certificate with a private key that is held by the developer. The certificate does not need to be signed by a Certificate Authority. Android mobile apps can use self-signed certificates. For more information about signing Android mobile apps, see the Android developers web site.

When you wrap the mobile app with the MDX Toolkit, you can select the option Use debug keystore. This option allows you to sign the mobile app if the release keystore is not available during development. To create an Android app that users install on their devices, you must create a retail build of the app and disable Use debug keystore so you can sign the package with a real key. A keystore can contain multiple private keys, although in most cases it will be only one key. If the keystore contains multiple private keys, when you wrap the app, you can select the key alias.

When the MDX Toolkit finishes wrapping the app, the app file name includes _andr. The file type is .mdx.

Wrapping iOS Mobile Apps


For iOS apps, you need to follow these basic steps:

1. Specify an iOS mobile app IPA file.
2. In the MDX Toolkit wizard, choose the option to deploy the app from XenMobile or to deploy the app from the Apple App Store.
3. Choose the iOS Distribution Provisioning Profile and Distribution Certificate to sign the app for distribution.

When the MDX Toolkit finishes wrapping the app, the app file name includes _iOS. The file type is .mdx.

When you run the MDX Toolkit, the app determines the application type and version. You can select the minimum and maximum operating system versions.

Uploading the Wrapped App and Configuring Policies

After you complete wrapping the app, you then upload the MDX file to App Controller. You use the App Controller management console to configure specific app details and policy settings that Citrix Receiver or the Worx Store enforces. When users log on, the app appears in the store. Users can then subscribe, download, and install the app on their device. For more information about configuring the app details and policy settings in App Controller, see Adding Apps.

Saturday, 9 July 2016

Building Your XenMobile Solution



The XenMobile components you deploy are based on the device or app management requirements of your organization. The components of XenMobile are modular and build on each other. For example, you want to give users in your organization remote access to mobile apps and you need to track the device types with which users connect. In this scenario, you would deploy NetScaler Gateway, XenMobile Device Manager, and App Controller.

This section discusses this and additional scenarios for deploying the XenMobile components in your network, as well as for the NetScaler appliance. The topics include architectural diagrams, information about the Citrix products you can integrate into your deployment, a recommended order in which to deploy the components, and the ways users connect depending on the deployment scenario you implement.

Deploying XenMobile Components


You can deploy XenMobile components to enable users to connect to resources in your internal network in the following ways:

1. Connections to the internal network. If your users are remote, they can connect by using a VPN or Micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network.
2. Device enrollment in Device Manager. Users can enroll mobile devices in Device Manager so you can manage the devices that connect to network resources.
3. Web, SaaS, and mobile apps from App Controller. Users can access their web, SaaS, and mobile apps from App Controller by using Worx Home or Receiver.
4. Windows-based apps and virtual desktops. Users can connect with Citrix Receiver or a web browser to access Windows-based apps and virtual desktops from StoreFront or the Web Interface.

To achieve some or all of these capabilities, Citrix recommends deploying XenMobile components in the following order:

1. NetScaler Gateway. You can configure settings in NetScaler Gateway to enable communication with App Controller, StoreFront, or the Web Interface by using the Quick Configuration wizard. You must install App Controller, StoreFront, or the Web Interface before using the Quick Configuration wizard in NetScaler Gateway.
2. Device Manager. After you install Device Manager, you can configure policies and settings that allow users to enroll their mobile devices.
3. App Controller. After you install App Controller, you can configure mobile, web, and SaaS apps. Mobile apps can include apps from the Apple App Store or Google Play. Users can also connect to mobile apps you wrap with the MDX Toolkit and upload to App Controller.
4. MDX Toolkit. You can wrap .ipa or .apk apps and Worx apps with the MDX Toolkit. After you wrap the apps, you can upload the apps to App Controller.
5. StoreFront (optional). You can provide access to Windows-based apps and virtual desktops from StoreFront through connections with Receiver.
6. ShareFile Enterprise (optional). If you deploy ShareFile, you enable enterprise directory integration through App Controller or Security Assertion Markup Language (SAML). For more information about ShareFile, see ShareFile Enterprise in Citrix eDocs.

If you install all of the XenMobile components in your network, the deployment may look like the following figure:



The topics in this section detail the possible deployment scenarios in your network for the XenMobile components, as well as for the NetScaler appliance. The topics include architectural diagrams, information about the Citrix products you can integrate into your deployment, and the ways users connect depending on the deployment scenario you implement.

Deploying NetScaler Gateway with App Controller and StoreFront


You can deploy NetScaler Gateway at the perimeter of your organization's internal network (or intranet) to provide a secure single point of access to the servers, applications, and other network resources that reside in the internal network. In this deployment, all remote users must connect to NetScaler Gateway before they can access any resources in the internal network.

You can deploy NetScaler Gateway with the following Citrix products:

- XenMobile App Edition
- StoreFront
- XenDesktop
- Web Interface

Users can connect to resources in your internal network by using the following methods:

1. Worx Home for users who connect with mobile devices and need access to MDX mobile apps. Users must connect with Worx Home on the mobile device to access MDX apps.
2. Receiver so users can access Windows-based applications and desktops hosted by XenApp or XenDesktop. To allow users access to their Windows-based apps, you must deploy StoreFront or the Web Interface. If users connect with Receiver on a Windows or Mac computer, MDX apps are not available to users.
3. Optionally, users can also connect with the NetScaler Gateway Plug-in for full VPN access to the internal network. Users can access email servers, file shares, and web servers with the NetScaler Gateway Plug-in for Windows or the NetScaler Gateway Plug-in for Mac.

The way you deploy App Controller in your internal network depends on how users connect: with Worx Home or with Receiver. In either scenario, you install NetScaler Gateway in the DMZ.

You can deploy the App Controller virtual machine (VM) on XenServer, VMware ESXi, or Microsoft Hyper-V located in your internal network. Users can connect to App Controller from an external connection (the Internet) or from the internal network. If users connect from the Internet or a remote location, the connection must route through NetScaler Gateway. App Controller resides in the internal network behind the firewall.

Allowing Access to MDX Apps Through NetScaler Gateway


If users connect with Worx Home and you have MDX mobile apps installed on App Controller, you place StoreFront behind App Controller in your internal network. Users can connect to App Controller through NetScaler Gateway in the DMZ to obtain their web, SaaS, Android and iOS mobile apps, along with documents from ShareFile. StoreFront resides behind App Controller to deliver Windows-based apps and virtual desktops as shown in the following figure:



Deploying Device Manager


In order to get your users' devices under management, users need to enroll their devices into Device Manager. To get started, you install Device Manager in your network. Next, you connect to Active Directory to import users by using the LDAP wizard. Then, you configure the following settings in Device Manager:

- Policies
- Apps

When you finish configuring Device Manager, you can send enrollment invitations to your users. The invitation contains a link that allows users to download Worx Enroll, which then allows users to enroll their devices in Device Manager. When users log on, Device Manager authenticates the user's identity and enrolls the device.

Citrix recommends that you deploy NetScaler or NetScaler Gateway for security. You deploy NetScaler or NetScaler Gateway in the DMZ with Device Manager, as shown in the following figure. When you deploy NetScaler or NetScaler Gateway, you can use the XenMobile NetScaler Connector (XNC) to control access to email, calendar, and contacts from mobile devices. In this deployment, after enrollment, user devices connect to NetScaler or NetScaler Gateway to access resources.

If users enroll their iOS devices, the devices and Device Manager must communicate with the Apple Push Notification Service (APNS).



The preceding figure also shows the ports you need to open to enable the connections. You must open all of the ports behind the firewall for each identified service. For details about the ports, see Opening Ports for the XenMobile Solution. For details about the APNS server, also shown in the preceding figure, see Requesting an APNS Certificate in the Device Manager documentation in Citrix eDocs.

Deploying the MDX Toolkit


Mobile app management allows you to securely manage and deliver mobile apps to users. With the Citrix MDX Toolkit, you can wrap iOS and Android apps to secure access and enforce policies. After you wrap the app, you can upload the app to XenMobile App Edition and configure MDX policies. Users can then download and install the app from Citrix Receiver. They can subsequently open and work with the app from an icon on the home screen, on the mobile device, or from the Receiver home page.

For more information about MDX policies for Android and iOS mobile apps in App Controller 2.8, see the following topics in Citrix eDocs:

- Configuring MDX Policies for Android Apps in App Controller
- Configuring MDX Policies for iOS Apps in App Controller

Deploying the Entire XenMobile Solution


If you deploy all of the components of the XenMobile solution, you have successfully completed the following tasks:

- Opened the required ports for communication between each component.
- Installed each component in your network.
- Successfully tested connections from user devices.

The next section discusses the deployment prerequisites and includes a checklist for you to use to get ready for your deployment. The subsequent sections contain component installation steps, and configuration tests you can carry out.

The following figure shows the complete solution: