Citrix XenMobile getting started shopping list


This blog is based on my presentation at Citrix Synergy, and CUGtech. In this presentation I spoke about my personal XenMobile and ShareFile experiences from the field. You can download this presentation here:

Citrix XenMobile is available in 3 editions.

XenMobile MDM Edition: mostly used for Corporate Owned Personally Enabled (COPE) devices. While the user makes use of the device, IT is able to manage it.

XenMobile App Edition: used for both Bring Your Own Devices (BYOD) and COPE devices. This allows the user to make use of corporate applications on any device.

XenMobile Enterprise Edition: This is the combination of the MDM Edition and App Edition and includes ShareFile Enterprise.

XenMobile MDM Edition

To get started with XenMobile MDM Edition you need at least the following:

  1. XenMobile Device Manager server installed on a Windows Server 2008 / 2012 (R2).
  2. Public IP; Content Switching on NetScaler is hard to set up because of the client certificates
  3. FQDN like
  4. Public SSL certificate
  5. XenMobile MDM Edition license
  6. When using Apple devices you need an APNs certificate (see APNs section)
  7. Firewall ports from External -> MDM server port 8443 and 443
  8. Firewall ports from MDM server -> Apple 2195 and 2196

XenMobile App Edition

To get started with XenMobile App Edition you need at least the following:

  1. App Controller VM imported in Microsoft Hyper-V, Citrix XenServer or VMware vSphere
  2. Public IP, at the moment Content Switching on NetScaler is not possible because of the NetScaler Gateway limitations
  3. FQDN like, or reuse the existing NetScaler Gateway configuration in your organization
  4. Public SSL certificate
  5. XenMobile MAM Edition license
  6. Developer Accounts for MDX wrapping (See MDX wrapping section)
  7. Firewall ports from External -> NetScaler Gateway port 443
  8. Firewall ports from NetScaler -> Intranet server port 80,443 or 25 to allow WorxWeb and WorxMail communication

XenMobile Enterprise Edition

To get started with XenMobile Enterprise Edition, both the MDM and App Edition requirements apply. However, with XenMobile Enterprise you also get ShareFile Enterprise, which means on-premises writable StorageZones. In addition to the requirements of the editions above, for XenMobile Enterprise you need at least the following:

  1. ShareFile StorageZone Controller installed on a Windows server 2008 / 2012 (R2)
  2. Public IP, Content Switching on NetScaler is possible
  3. FQDN like to let ShareFile ControlPlane connect to the on-premises environment
  4. Public SSL certificate
  5. XenMobile Enterprise Edition license
  6. Citrix XenMobile AppController or Microsoft AD FS server as SAML identity provider
  7. Firewall ports from External -> NetScaler port 443
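
The firewall rules from the three lists above can be checked before go-live with a small preflight script. This is an added example, not part of the original presentation or any Citrix tooling: the example.com hostnames are hypothetical placeholders (the page's own FQDNs are not given), and the two Apple hostnames are the legacy binary APNs endpoints that used ports 2195 and 2196.

```python
import socket

# Firewall rules from the three edition checklists: (edition, vantage, target role, port).
RULES = [
    ("MDM", "external", "mdm", 8443),
    ("MDM", "external", "mdm", 443),
    ("MDM", "mdm-server", "apns-gateway", 2195),
    ("MDM", "mdm-server", "apns-feedback", 2196),
    ("App", "external", "gateway", 443),
    ("App", "netscaler", "intranet", 80),
    ("App", "netscaler", "intranet", 443),
    ("App", "netscaler", "intranet", 25),
    ("Enterprise", "external", "netscaler", 443),
]

# Hypothetical placeholder hostnames (assumptions); replace with your own FQDNs.
HOSTS = {
    "mdm": "mdm.example.com",
    "gateway": "gateway.example.com",
    "intranet": "intranet.example.local",
    "netscaler": "sf.example.com",
    "apns-gateway": "gateway.push.apple.com",
    "apns-feedback": "feedback.push.apple.com",
}

def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name not resolvable
        return False

def rules_for(edition, vantage):
    """Rules to test from one vantage point; Enterprise includes MDM and App."""
    wanted = {"MDM", "App", "Enterprise"} if edition == "Enterprise" else {edition}
    return [r for r in RULES if r[0] in wanted and r[1] == vantage]

def preflight(edition, vantage, hosts=HOSTS, probe=tcp_open):
    """Probe every applicable rule; return (role, host, port, reachable) tuples."""
    return [(role, hosts[role], port, probe(hosts[role], port))
            for _, _, role, port in rules_for(edition, vantage)]

def blocked(results):
    """Rules whose port did not answer: the firewall changes still to request."""
    return [(host, port) for _, host, port, ok in results if not ok]

if __name__ == "__main__":
    for role, host, port, ok in preflight("Enterprise", "external"):
        print(f"{'open   ' if ok else 'BLOCKED'} {role:12} {host}:{port}")
```

Run it once from each vantage point (an external network, the MDM server, the NetScaler side); an open port only proves the firewall path, not that the right service or certificate is behind it.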

Apple Push Notification service (APNs)

An Apple device can’t communicate with a provider directly. The device first needs to be notified by the APNs network before it will connect to the provider. More information on the Apple Push Notification Service can be found here:

Because of this, XenMobile needs an APNs certificate to enable management of Apple devices. This certificate needs to be signed by Citrix and Apple. Citrix has built a self-service portal to sign the APNs certificate. More information on the APNs certificate can be found here:

MDX Wrapping

Before an application can be offered via the Citrix AppController a mobile application first needs to be wrapped. Actually this means reprogramming the application and adding the Citrix code / policies to the application itself. More information on MDX wrapping can be found here:

To wrap iOS applications you will need to order an Apple Developer account. Pay attention to the different types of Apple Developer account: the iOS Developer Standard Program is limited to only 100 devices and needs all the UDIDs first. It is better to join the iOS Developer Enterprise Program, which has no limitations at all.

To wrap Windows Mobile applications you will need to order a Microsoft Windows Store Developer Account. More information on this developer program can be found here:

iOS and Android applications need to be wrapped on an Apple Mac device. Windows applications need to be wrapped on a Windows device.

Citrix NetScaler

Citrix NetScaler Gateway is only required for the XenMobile App Edition. Other editions can do without it; however, if you don’t want to deploy your XenMobile MDM and ShareFile servers in the DMZ, you can use NetScaler ADC as a reverse proxy. NetScaler ADC includes NetScaler Gateway, which is required for the XenMobile App Edition.

At the moment NetScaler ADC is only able to act as a reverse proxy for the XenMobile MDM Edition. The NetScaler AAA module is not compatible with XenMobile Device Manager, which means that unauthenticated traffic is still able to reach the backend server in your secure environment. If corporate policy requires eliminating unauthenticated traffic in the secure environment, you are better off deploying the XenMobile MDM server in the DMZ.

Last but not least: AWARENESS!

Before you start implementing, please make sure to involve the users in the process. Inform them what they can expect after you have implemented all this mobility. IMHO this is the only way to make your mobility solution a success. If you don’t inform them, they won’t use it and will continue to work with all the native tools, which you can’t control like you can with a mobility solution.

6 thoughts on “Citrix XenMobile getting started shopping list”

  1. Mark, Dec 4, 2014 3:03 pm

    Very brief and informative. One confusion around wrapping I have is: I downloaded WorxMail-Release-9.0.2-49.ipa from the Citrix website; do I still have to wrap it using MDX Toolkit if I want to deliver it using AppController?

    • Anton, Dec 8, 2014 2:44 pm

      Hi Mark,

      Yes, if you want to be able to manage the app and specify policies rather than just offering the app, you need to wrap the application.


  2. Mark, Dec 8, 2014 2:48 pm

    Thanks for your reply. Right now I am getting an “Unable to download apps” error on all the iPad devices. Could this be because I haven’t wrapped the apps?

    • Anton, Dec 8, 2014 2:54 pm

      Try to add a link to a public App Store to push an app like Citrix Receiver.

      • Mark, Dec 8, 2014 4:11 pm

        Added Citrix Receiver and ShareFile links to Public App Store. But now I am getting a different error: “Access to your company network is not currently available”. Creates the profiles on the iPad devices but now does not even initiate the app download process.
