This blog is based on my presentation at Citrix Synergy, XenAppBlog.com and CUGtech. In this presentation I spoke about my personal XenMobile and ShareFile experiences from the field. You can download this presentation here: https://pqr.sharefile.eu/d/s93ebaedc2f64eadb
Citrix XenMobile is available in 3 editions.
XenMobile MDM Edition: mostly used for Corporate Owned Personally Enabled (COPE) devices. While the user makes use of the device, IT is able to manage it.
XenMobile App Edition: used for both Bring Your Own Devices (BYOD) and COPE devices. This allows the user to make use of corporate applications on any device.
XenMobile Enterprise Edition: This is the combination of the MDM Edition and App Edition and includes ShareFile Enterprise.
XenMobile MDM Edition
To get started with XenMobile MDM Edition you need at least the following:
- XenMobile Device Manager server installed on a Windows Server 2008 / 2012 (R2).
- Public IP, Content Switching on NetScaler is hard to set up because of the client certificates
- FQDN like mdm.antonvanpelt.com
- Public SSL certificate
- XenMobile MDM Edition license
- When using Apple devices you need an APNs certificate (See APNs section)
- Firewall ports from External -> MDM server port 8443 and 443
- Firewall ports from MDM server -> Apple 2195 and 2196
XenMobile App Edition
To get started with XenMobile App Edition you need at least the following:
- App Controller VM imported in Microsoft Hyper-V, Citrix XenServer or VMware vSphere
- Public IP, at the moment Content Switching on NetScaler is not possible because of the NetScaler Gateway limitations
- FQDN like apps.antonvanpelt.com, or reuse the existing NetScaler Gateway configuration in your organization
- Public SSL certificate
- XenMobile MAM Edition license
- Developer Accounts for MDX wrapping (See MDX wrapping section)
- Firewall ports from External -> NetScaler Gateway port 443
- Firewall ports from NetScaler -> Intranet server port 80,443 or 25 to allow WorxWeb and WorxMail communication
XenMobile Enterprise Edition
To get started with XenMobile Enterprise Edition both the MDM and App Edition requirements are applicable. However, with XenMobile Enterprise you will also get ShareFile Enterprise, which means on-premises writable StorageZones. In addition to the above editions, for XenMobile Enterprise you need at least the following:
- ShareFile StorageZone Controller installed on a Windows server 2008 / 2012 (R2)
- Public IP, Content Switching on NetScaler is possible
- FQDN like sharefile.antonvanpelt.com to let ShareFile ControlPlane connect to the on-premises environment
- Public SSL certificate
- XenMobile Enterprise Edition license
- Citrix XenMobile AppController or Microsoft AD FS server as SAML identity provider
- Firewall ports from External -> NetScaler port 443
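The firewall items from the three requirement lists above can be turned into an allow-list audit of a rule set. This is an added example, not part of the original presentation; the zone names (external, mdm, apple, gateway, netscaler, intranet), the use of TCP and the one-line rule format are assumptions made for the example.

```python
import re

# Flows from the requirement lists above; zone names are assumptions of this example.
REQUIRED = {
    "MDM": {("external", "mdm", 8443), ("external", "mdm", 443),
            ("mdm", "apple", 2195), ("mdm", "apple", 2196)},
    "App": {("external", "gateway", 443)},
}
REQUIRED["Enterprise"] = REQUIRED["MDM"] | REQUIRED["App"] | {("external", "netscaler", 443)}
# Gateway -> intranet ports are only needed for the WorxWeb/WorxMail backends in use.
OPTIONAL = {("gateway", "intranet", p) for p in (80, 443, 25)}

# Assumed rule format: "allow <src> -> <dst> tcp <ports>"
RULE = re.compile(r"allow (\w+) -> (\w+) tcp ([\d,\-]+)$")

def expand(spec):
    """Turn '443,8443' or '2195-2196' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(edition, rule_lines):
    """Return (missing required flows, rules that open more than the lists call for)."""
    required = REQUIRED[edition]
    allowed = required | (OPTIONAL if edition != "MDM" else set())
    opened, excess = set(), []
    for line in rule_lines:
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        src, dst, spec = m.groups()
        flows = {(src, dst, p) for p in expand(spec)}
        opened |= flows
        extra = flows - allowed
        if extra:
            excess.append((line.strip(), len(extra)))
    return sorted(required - opened), excess

# Constructed sample rule set for an MDM Edition deployment (not from a real firewall).
SAMPLE = [
    "allow external -> mdm tcp 443,8443",
    "allow mdm -> apple tcp 2195",
    "allow external -> mdm tcp 3389",
]

if __name__ == "__main__":
    missing, excess = audit("MDM", SAMPLE)
    print("missing:", missing)
    print("excess:", excess)
```

Each entry in the second list is a rule together with the number of ports it opens beyond the listed ones, so a broad range shows up as a large count.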
An Apple device can’t communicate with a provider directly. The device first needs to be notified by the APNs network before it will connect to the provider. More information on the Apple Push Notification Service can be found here: https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html
Because of this, XenMobile needs an APNs certificate to enable management of Apple devices. This certificate needs to be signed by Citrix and Apple. Citrix has built a self-service portal to sign the APNs certificate: https://xenmobiletools.citrix.com. More information on the APNs certificate can be found here: http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-config-requesting-apns-con.html
Before an application can be offered via the Citrix AppController a mobile application first needs to be wrapped. Actually this means reprogramming the application and adding the Citrix code / policies to the application itself. More information on MDX wrapping can be found here: http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appwrap-toolkit-wrapper.html
To wrap iOS applications you will need to order an Apple Developer account. Please pay attention to the different types of Apple Developer Account: the iOS Developer Standard Program is limited to only 100 devices and needs all the UDIDs first. It is better to join the iOS Developer Enterprise Program, which has no limitations at all.
To wrap Windows Mobile applications you will need to order a Microsoft Windows Store Developer Account. More information on this developer program can be found here: http://msdn.microsoft.com/en-us/library/windows/apps/jj863494.aspx
iOS and Android applications need to be wrapped on an Apple Mac device. Windows applications need to be wrapped on a Windows device.
Citrix NetScaler Gateway is only required for the XenMobile App Edition. The other editions can do without it; however, if you don’t want to deploy your XenMobile MDM and ShareFile server in the DMZ, you can make use of NetScaler ADC as a reverse proxy. NetScaler ADC includes NetScaler Gateway, which is required for the XenMobile App Edition.
At the moment NetScaler ADC is only able to act as a reverse proxy for XenMobile MDM Edition. The NetScaler AAA module is not compatible with XenMobile Device Manager, which means that unauthenticated traffic is still able to reach the backend server in your secure environment. If corporate policy requires eliminating unauthenticated traffic in the secure environment, it is better to deploy the XenMobile MDM server in the DMZ.
Last but not least: AWARENESS!
Before you start implementing, please make sure to involve the users in the process. Inform them what they can expect after you have implemented all this kind of mobility. IMHO this is the only way to get success out of your mobility solution. If you don’t inform them, they won’t use it and will continue to work with all the native tools, which you can’t control like you can with a mobility solution.