Wednesday, 12 October 2016

XenMobile 10 MDM Upgrade Tool


You use the XenMobile 10 MDM Upgrade Tool to upgrade from XenMobile 9.0 to XenMobile 10. The tool is supported for upgrades from XenMobile MDM edition deployments.

Important: Using the tool to upgrade from XenMobile App Edition or XenMobile Enterprise Edition is not supported. Likewise, you cannot use the tool to upgrade from XenMobile 8.6 or 8.7 to XenMobile 10. In addition, if the Multi-Tenant Console (MTC) is enabled on XenMobile 9.0, the MTC cannot be migrated to XenMobile 10.

If your XenMobile 9.0 setup is based on named SQL instances, you need to follow steps specific to this situation. For details see, .

The Upgrade Tool is built within the XenMobile 10 virtual machine. You enable the one-time only wizard through the command-line console during the initial installation of XenMobile 10.

What the Upgrade Tool does

The XenMobile 10 MDM Upgrade Tool migrates configuration and user data from the XenMobile 9.0 server to a new instance of XenMobile 10 with the same fully qualified domain name (FQDN).

You can choose to test drive the upgrade or to do a full production upgrade. When you choose Test Drive in the tool, only configuration data is migrated to XenMobile 10; no device or user data is migrated. This option lets you compare XenMobile 9.0 and XenMobile 10 without affecting your production environment.

When you choose Production Upgrade in the tool, all configuration, device, and user data is migrated. When you log on to the XenMobile 10 console after the upgrade, you see all the user and device data that was migrated from XenMobile 9.

Note: This is not an in-place migration; all data is copied during migration, not moved, to XenMobile 10. Everything in XenMobile 9.0 remains intact until you move the XenMobile 10 server into production. When users connect to XenMobile 10 in production, if for some reason you want to revert to XenMobile 9.0, those users must re-enroll in XenMobile 9.0.

After a successful production upgrade, to move XenMobile 10 to live production, you must do the following:

1. Update the DNS entry to map the XenMobile 9.0 FQDN to the new XenMobile 10 server IP.
2. If NetScaler is load balancing XenMobile Device Manager servers, you need to switch the XenMobile 9.0 service to the XenMobile 10 service.

What the Upgrade Tool Does Not Do
The following information is not migrated to XenMobile 10 when you use the Upgrade Tool:


  • Licensing information.
  • Reports data.
  • Automated actions.
  • Server group policies and associated deployments.
  • MSP group.
  • Policies and packages related to Windows CE and Windows 8.0.
  • Deployment packages not in use; for example, when no users or groups are assigned to a deployment package.
  • Any other configuration or user data as described in the migration.log file.
  • CXM Web (replaced by Citrix WorxWeb).
  • DLP policies (replaced by Citrix ShareFile).
  • Custom Active Directory attributes.
  • If you have configured multiple branding policies, the branding policy is not migrated. XenMobile 10 supports one branding policy; you have to leave one branding policy in XenMobile 9.0 to successfully migrate to XenMobile 10.
  • Any settings in the auth.jsp file in XenMobile 9.0 that are used to restrict access to the console. Console access restrictions in XenMobile 10 are firewall settings that you can configure in the command line interface.

Also note the following changes with XenMobile 10:
  • XenMobile 10 does not support Active Directory users who are assigned to local groups.
  • The local groups hierarchy is flattened.

Terminology Change with XenMobile 10
Note that after you upgrade, deployment packages in Device Manager are now referred to as delivery groups, as shown in the following figure. For more information, see.

Inside the delivery group, you can view the MDM policies, actions, and apps required for the group of users who require the resources.

Device Enrollment After Upgrade
Users do not need to re-enroll their devices after you upgrade to XenMobile 10. The devices should connect automatically to the XenMobile 10 server based on the heartbeat interval.

If you want to connect a device to XenMobile 10 immediately, on the device, use WorxHome > Device Info > Refresh Policy.

After the user devices connect, check to make sure you see the devices in the XenMobile console, as shown in the following figure.

Saturday, 8 October 2016

Importing Certificates

The following procedure describes how to configure FIPS on XenMobile by importing the certificate, which is required when you use a VMware hypervisor.

SQL Prerequisites
1. The connection to the SQL instance from XenMobile needs to be secure, and the instance must be SQL Server 2012 or SQL Server 2014. To secure the connection, see Microsoft Management Console.

2. If the service does not restart properly, check the following: Open Services.msc.
a. Copy the logon account information used for the SQL Server service.

b. Open MMC.exe on the SQL Server.

c. Go to File > Add/Remove Snap-in and then double-click the certificates item to add the certificates snap-in. Select the computer account and local computer in the two pages on the wizard.

d. Click OK.

e. Expand Certificates (Local Computer) > Personal > Certificates and find the imported SSL certificate.

f. Right-click the imported certificate (selected in the SQL Server Configuration Manager) and then click All Tasks > Manage Private Keys.

g. Under Group or User names, click Add.

h. Enter the SQL service account name you copied in the earlier step.

i. Clear the Allow Full Control option. By default the service account will be given both Full control and Read permissions, but it only needs to be able to read the private key.

j. Close MMC and start the SQL service.

3. Ensure the SQL service is started correctly.

Internet Information Services (IIS) Prerequisites
1. Download the rootcert (base 64).

2. Copy the rootcert to the default site on the IIS server, C:\inetpub\wwwroot.

3. Check the Authentication check box for the default site.

4. Set Anonymous to enabled.

5. Select the Failed Request Tracking rules check box.

6. Ensure that .cer is not blocked.

7. Browse to the location of the .cer in an Internet Explorer browser from the local server, http://localhost/certname.cer. The root cert text should appear in the browser.

8. If the root cert does not appear in the Internet Explorer browser, make sure that ASP is enabled on the IIS server as follows.
a. Open Server Manager.
b. Navigate to the wizard in Manage > Add Roles and Features.
c. In the server roles, expand Web Server (IIS), expand Web Server, expand Application Development and then select ASP.
d. Click Next until the install completes.

9. Open Internet Explorer and browse to http://localhost/cert.cer.
Note: You can use the IIS instance of the CA for this procedure.

Importing the Root Certificate During Initial FIPS Configuration
When you complete the steps to configure XenMobile for the first time in the command-line console, you must complete these settings to import the root certificate. For details on the installation steps,

Enable FIPS: Yes
Upload Root Certificate: Yes
Copy(c) or Import(i): i
Enter HTTP URL to import: http://FQDN of IIS server/cert.cer
Server: FQDN of SQL Server
Port: 1433
User name: Service account which has the ability to create the database (domain\username).
Password: The password for the service account.
Database Name: This is a name you choose.

Tuesday, 4 October 2016

Configuring XenMobile in a Web Browser


After completing the initial portion of the XenMobile configuration in your hypervisor Command Prompt window, complete the process in your web browser.

1. In your web browser, navigate to the location provided at the conclusion of the Command Prompt window configuration.

2. Type the XenMobile console administrator account user name and password you created in the Command Prompt window.

3. On the Get Started page, click Start. The Licensing page appears.

4. Configure the license. XenMobile comes with an evaluation license valid for 30 days. For details on adding and configuring licenses and configuring expiration notifications, see .
Important: If you intend to cluster nodes, or instances, of XenMobile, you need to use the Citrix Licensing on a remote server.

5. On the Certificate page, click Import. The Import dialog box appears.
6. Import your APNs and SSL Listener certificate. For details on working with certificates, see. 
Note: The SSL Listener certificate requires restarting the server.

7. If appropriate to the environment, configure NetScaler Gateway. For details on configuring NetScaler Gateway, see.

Note: You can deploy NetScaler Gateway at the perimeter of your organization's internal network (or intranet) to provide a secure single point of access to the servers, applications, and other network resources that reside in the internal network. In this deployment, all remote users must connect to NetScaler Gateway before they can access any resources in the internal network.

Note: Although NetScaler Gateway is an optional setting, after you enter data on the page, you must clear or complete the required fields before you can leave the page.

8. Complete the LDAP configuration to access users and groups from Active Directory. For details on configuring the LDAP connection, see.

9. Configure the notification server to be able to send messages to users. For details on notification server configuration, see.

Configuring FIPS with XenMobile
Federal Information Processing Standards (FIPS) mode in XenMobile supports U.S. federal government customers by configuring the server to use only FIPS 140-2 certified libraries for all encryption operations. Installing your XenMobile server with FIPS mode ensures that all data at rest and data in transit for both the XenMobile client and server are fully compliant with FIPS 140-2.

Before installing a XenMobile Server in FIPS mode, you need to complete the following prerequisites.

  • You must use an external SQL Server 2012 or SQL Server 2014 for the XenMobile database. The SQL Server also must be configured for secure SSL communication. For instructions on configuring secure SSL communication to SQL Server, see the SQL Server Books Online.

  • Secure SSL communication requires that an SSL certificate be installed on your SQL Server. The SSL certificate can either be a public certificate from a commercial CA or a self-signed certificate from an internal CA. Note that SQL Server 2014 cannot accept a wildcard certificate. Citrix recommends, therefore, that you request an SSL certificate with the FQDN of the SQL Server.

  • If you use a self-signed certificate for SQL Server, you will need a copy of the root CA certificate that issued your self-signed certificate. The root CA certificate must be imported to the XenMobile server during installation.

Configuring FIPS mode
You can enable FIPS mode only during the initial setup of XenMobile server. It is not possible to enable FIPS after installation is complete. Therefore, if you plan on using FIPS mode, you must install the XenMobile server with FIPS mode from the start. In addition, if you have a XenMobile cluster, all cluster nodes must have FIPS enabled; you cannot have a mix of FIPS and non-FIPS XenMobile servers in the same cluster.

There is a Toggle FIPS mode option in the XenMobile command-line interface that is not for production use. This option is intended for non-production, diagnostic use and is not supported on a production XenMobile server.

1. During initial setup, enable FIPS mode.

2. Upload the root CA certificate for your SQL Server. If you used a self-signed SSL certificate rather than a public certificate on your SQL Server, choose Yes for this option and then do one of the following:

a. Copy and paste the CA certificate.
b. Import the CA certificate. To import the CA certificate, you must post the certificate to a website that is accessible from the XenMobile server via an HTTP URL. For details, see the section later in this article.

3. Specify the server name and port of your SQL Server, the credentials for logging into SQL Server, and the database name to create for XenMobile.

Note: You can use either a SQL logon or an Active Directory account to access SQL Server, but the logon you use must have the DBcreator role.

4. To use an Active Directory account, enter the credentials in the format domain\username.

5. Once these steps are complete, proceed with the XenMobile initial setup.
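
An added example, not part of the Citrix procedure or tooling: the Import option in step 2b, like the "Enter HTTP URL to import" setting in the Importing Certificates procedure, fetches the root CA certificate over plain HTTP, so nothing in transit protects it from substitution. This Python check compares what the URL serves against a SHA-256 fingerprint read directly on the CA; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import sys
import urllib.request

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def cert_fingerprint(data: bytes) -> str:
    """SHA-256 (lowercase hex) over the DER bytes of exactly one certificate.

    Accepts the base-64 (PEM) text the IIS site serves, or raw DER.
    """
    bodies = PEM_BLOCK.findall(data.decode("latin-1"))
    if len(bodies) > 1:
        raise ValueError("expected one certificate, found %d" % len(bodies))
    if bodies:
        # validate=True rejects stray characters instead of skipping them
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
        return hashlib.sha256(der).hexdigest()
    return hashlib.sha256(data).hexdigest()


def matches_pinned(data: bytes, pinned: str) -> bool:
    """Compare against a fingerprint read on the CA ('AA:BB:..' or plain hex)."""
    wanted = re.sub(r"[\s:]", "", pinned).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", wanted):
        raise ValueError("pinned value is not a SHA-256 fingerprint")
    return hmac.compare_digest(cert_fingerprint(data), wanted)


if __name__ == "__main__":
    # Usage: python check_rootcert.py http://<IIS FQDN>/cert.cer <fingerprint>
    url, pinned = sys.argv[1], sys.argv[2]
    with urllib.request.urlopen(url, timeout=10) as resp:
        served = resp.read()
    ok = matches_pinned(served, pinned)
    print("MATCH" if ok else "MISMATCH: do not import", cert_fingerprint(served))
    sys.exit(0 if ok else 1)
```

Run it from a host that reaches the IIS site the same way the XenMobile server does, and take the pinned fingerprint from the certificate as viewed on the CA, not from the copy that was downloaded.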

To confirm that the configuration of FIPS mode is successful, log on to the XenMobile command-line interface. The phrase In FIPS Compliant Mode appears in the logon banner.