
XenMobile MDM Edition

Mobile Device Management


Adolfo Montoya
July 2013

XenMobile MDM Architecture


XenMobile MDM Deployment
XenMobile Device Management

2013 Citrix | Confidential Do Not Distribute

XenMobile Architecture
Components

MDM Edition
Use case

Mobile device management

Jailbreak detection

Selective or full wipe

Geo location tracking

Passcode enforcement

Pushing applications

Native mail client access control

Wi-Fi & VPN access control

Access to SharePoint & network drives


Diagram: XenMobile architecture components. Client side: Worx Enroll, Worx Home. Server side: XenMobile Device Manager (XDM), ShareFile. MDM Only deployment: XDM in the DMZ, reached by Worx Enroll and Worx Home.

XenMobile MDM Only Architecture

Diagram: Worx Enroll and Worx Home devices reach XDM through NetScaler in the DMZ; an ActiveSync filter on NetScaler consults XNC before email traffic is passed on.

XenMobile MDM HA Architecture

Diagram: an XDM cluster behind a load balancer (active-passive), sharing one SQL database; NetScaler in the DMZ fronts the cluster for Worx Enroll and Worx Home.

XenMobile MDM Components

Client: Worx Enroll, Worx Home
Server: Device Manager

XenMobile MDM
Worx Enroll

(Enrollment walkthrough screenshots.)

Supported device platforms:
iOS
Android
Windows 8 Phone
Windows 8 Tablet
Windows Mobile
Symbian

XenMobile MDM
Server Requirements

Device Manager
Physical or virtual
Quad core processor
6 GB memory
20 GB disk space

XenMobile MDM
Software Requirements

Device Manager

Windows Server
2012
2008 R2 SP1

Database
MS SQL 2008 R2 and 2012
PostgreSQL 8.3

DNS Record
Public DNS

APNS Certificate

XenMobile MDM
Software Requirements

Device Manager

Apache Tomcat
Java Development Kit (JDK) Version 7
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
local_policy.jar
US_export_policy.jar
These replace the default copies in the JRE's lib/security directory. Without them Java caps symmetric keys at 128 bits and the stronger TLS cipher suites are unavailable. A quick post-install check: Cipher.getMaxAllowedKeyLength("AES") should return Integer.MAX_VALUE, not 128.

APNS Apple Push Notification Service

Diagram: an iOS device enrolls with XDM; for each MDM enrollment or policy update XDM sends a push notification through APNS, and the device then checks in with XDM over HTTPS to fetch the pending commands. APNS only wakes the device; the MDM payload itself never travels through Apple.

XenMobile Device Manager Ports

Enrollment: 8443 (iOS), 80 / 443
Device Traffic: 443
Support: 8081
Management: 80 / 443
APNS, outbound from XDM: gateway.push.apple.com 2195, feedback.push.apple.com 2196
APNS, outbound from iOS devices: *.push.apple.com 5223

XenMobile MDM
Ports
Complete list of ports used by
XenMobile MDM


Diagram: XenMobile 8.5 reference architecture, Internet Zone | FIREWALL | DMZ Zone | FIREWALL | Corporate LAN Zone. Labels recovered from the figure:
NetScaler (NSIP, SNIP, Access Gateway VIP, LB VIP): 443 from devices; 80/443 and 8443 towards XDM; 9080 towards XNC; 1494/2598 towards XenApp/XenDesktop; 80/443 towards StoreFront; 443 for form-fill authentication
XDM: 1433 to MS SQL; 389/636 to Active Directory; 2195 and 2196 to APNS
iOS devices: 5223 to APNS
Google Play / Apple App Store: 80/443
Web & SaaS apps: 80/443 (app specific)
StorageZone Controller: 445 CIFS to network drives; 443 to SharePoint
Also shown: AppController, Exchange, XNC, StoreFront, XenApp/XenDesktop (XA/XD), Active Directory, SharePoint
DNS 53 and NTP 123 in every zone

XenMobile 8.5 Reference Architecture


Go to http://support.citrix.com/article/CTX138635

XenMobile overview
XenMobile edition comparison
Best practices on deployment
Scalability
Communication ports


ActiveSync Security
XenMobile NetScaler Connector and
Secure Mobile Gateway

Why ActiveSync filtering?

Customers might want to filter certain clients based on:
Device UUID
Username
Mobile OS version
GPS location
Mail client type
Many others

Use cases:
If a user installs malware, block mail
If a user leaves the allowed zone (based on GPS location), block mail

Challenges
ActiveSync components might have a single point of failure
Front-ending an Exchange deployment with NetScaler alone only allows basic filtering based on the User-Agent header, a value the client chooses and can set to anything

NetScaler value-add
The ADC and the policy manager service exchange the information needed for intelligent filtering (device state known to XDM, not just what the client claims)

ActiveSync Security

Diagram sequence: a device (Worx Enroll / Worx Home) on 3G / 4G LTE sends ActiveSync traffic to NetScaler in the DMZ. (1) The ActiveSync filter on NetScaler calls out to XNC; (2) XNC answers from the device state held by XDM; allowed requests reach the email server. A rooted device, or one running a blocked ("bad") app, is denied.

XenMobile NetScaler Connector

Self-contained installer, no dependencies
Can be installed on XDM or on an intermediary server
Uses a RESTful API; no IIS required (the service listens through HTTP.sys, which is why the trace below answers with Server: Microsoft-HTTPAPI/2.0)
Ports required:
9080 for the HTTP web service
9443 for the SSL web service
Multiple XNCs can be clustered for added resiliency
Caveat: every callout carries the username, client IP and DeviceId in the query string, so either use 9443 or keep the 9080 path on an internal network that only the NetScaler SNIP can reach.

ActiveSync Filter Callout

NetScaler queries the XNC (Zenprise REST server) via an HTTP callout
Configure the callout policy to send the REST call
Set the request attributes:
GET request
Host expression: callout.asfilter.internal
Configure the request parameters:
User
Agent
IP
URL
Result-type

ActiveSync Filter Callout

Evaluate the HTTP response
The result returned is TEXT
The first 20 bytes are enough
ALLOW or DENY in the response

Use Responder to Filter Connections

Responder policy to evaluate:
Request PATH
Request HOSTNAME
CALLOUT Boolean value
Use the following expression:

HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") &&
HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT &&
SYS.HTTP_CALLOUT(active_sync_filter).CONTAINS("deny")

The second clause excludes the callout request itself, which also traverses the NetScaler, so a callout never triggers another callout.

Caching Callout response

Why are there two caching policies?
Cache_req_with_DeviceId
Uses a DeviceId_match selector
Stores objects in a separate content group: Req_with_DeviceId

Cache_req_without_DeviceId
Uses a URL_match selector only
Stores objects in a separate content group: Req_without_DeviceId

Cache responses for a reasonable amount of time:
Not too long, as we want to evaluate the policy conditions often
Not too short, so we do not swamp the XNC with callout requests
The NetScaler wizard sets the caching to 60 seconds

Bind the caching policies to the ActiveSync Filter vserver used for the callout

XenMobile NetScaler Connector

Sample trace
HTTP Callout request from NetScaler to XNC
GET /services/ActiveSync/Authorize?user=amc%5Camontoya&agent=Android/4.3EAS1.3&ip=10.252.56.97&url=aHR0cHM6Ly9tYWlsLmFtYy5jdHgvTWljcm9zb2Z0LVNlcnZlci1BY3RpdmVTeW5jP0NtZD1Gb2xkZXJTeW5jJlVzZXI9YW1jXGFtb250b3lhJkRldmljZUlkPWFuZHJvaWRjMTU5NDI3MDUxNiZEZXZpY2VUeXBlPUFuZHJvaWQ=&resultType=json&DeviceId=androidc1594270516 HTTP/1.1
Host: callout.asfilter.internal

The url parameter is the original ActiveSync request URL, base64-encoded; here it decodes to https://mail.amc.ctx/Microsoft-Server-ActiveSync?Cmd=FolderSync&User=amc\amontoya&DeviceId=androidc1594270516&DeviceType=Android

XenMobile NetScaler Connector

Sample trace
HTTP Response from XNC to NetScaler
HTTP/1.1 200 OK
Content-Length: 6
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 31 Jul 2013 12:30:46 GMT
"deny"

Content-Length 6 is the JSON string "deny" including its quotes; the responder's CONTAINS("deny") matches it within the first 20 bytes.

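The callout request, the TEXT-result check, the responder condition and the per-DeviceId cache from the slides above, put together in one runnable simulation. This is an added example written for this page, not Citrix or NetScaler code: the XNC is replaced by an in-memory stub that answers "allow" or "deny", the cache is a dict with a fake clock, and the only real data is the request line from the trace, which the code decodes.

```python
"""NetScaler side of the ActiveSync filter, simulated (added example, not Citrix code).
Callout request as in the trace, TEXT-result check, responder condition, and the
60 s cache split into a DeviceId group and a URL group. The XNC is a stub."""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

CALLOUT_HOST = "callout.asfilter.internal"
CACHE_TTL_SECONDS = 60   # what the NetScaler wizard configures
RESULT_BYTES = 20        # "first 20 bytes are enough"

# Request line from the slide's trace (wrapped there over three lines).
TRACED_CALLOUT = (
    "/services/ActiveSync/Authorize?user=amc%5Camontoya&agent=Android/4.3EAS1.3"
    "&ip=10.252.56.97&url=aHR0cHM6Ly9tYWlsLmFtYy5jdHgvTWljcm9zb2Z0LVNlcnZlci1B"
    "Y3RpdmVTeW5jP0NtZD1Gb2xkZXJTeW5jJlVzZXI9YW1jXGFtb250b3lhJkRldmljZUlkPWF"
    "uZHJvaWRjMTU5NDI3MDUxNiZEZXZpY2VUeXBlPUFuZHJvaWQ=&resultType=json"
    "&DeviceId=androidc1594270516"
)

def device_id_from_url(eas_url):
    """DeviceId query parameter of an ActiveSync request URL, or None."""
    return parse_qs(urlparse(eas_url).query).get("DeviceId", [None])[0]

def build_callout(user, agent, ip, eas_url):
    """(path+query, headers) of the GET that NetScaler sends to the XNC."""
    params = {"user": user, "agent": agent, "ip": ip,
              "url": base64.b64encode(eas_url.encode()).decode(), "resultType": "json"}
    device_id = device_id_from_url(eas_url)
    if device_id:
        params["DeviceId"] = device_id
    # safe="/=" keeps the agent's slash and the base64 padding literal, as in the trace
    return "/services/ActiveSync/Authorize?" + urlencode(params, safe="/="), {"Host": CALLOUT_HOST}

def decode_callout(callout_path):
    """Inverse of build_callout: the parameters, with url base64-decoded."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callout_path).query).items()}
    params["url"] = base64.b64decode(params["url"]).decode()
    return params

def callout_denies(body):
    """SYS.HTTP_CALLOUT(...).CONTAINS("deny"): case-sensitive, first RESULT_BYTES only."""
    return b"deny" in body[:RESULT_BYTES]

class CalloutCache:
    """Req_with_DeviceId keyed by DeviceId; Req_without_DeviceId keyed by full URL."""
    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.req_with_deviceid, self.req_without_deviceid = {}, {}
    def _slot(self, device_id, eas_url):
        return (self.req_with_deviceid, device_id) if device_id else (self.req_without_deviceid, eas_url)
    def get(self, device_id, eas_url):
        group, key = self._slot(device_id, eas_url)
        entry = group.get(key)
        if entry and self.clock() - entry[1] < self.ttl:
            return entry[0]
        group.pop(key, None)           # expired: the policy must be evaluated again
        return None
    def put(self, device_id, eas_url, body):
        group, key = self._slot(device_id, eas_url)
        group[key] = (body, self.clock())

def responder_blocks(host, path_and_query, user, agent, ip, xnc, cache):
    """The responder expression from the slide: ActiveSync path, not the callout
    host itself, and a callout result containing "deny". True means drop."""
    if not path_and_query.startswith("/Microsoft-Server-ActiveSync"):
        return False
    if host == CALLOUT_HOST:           # a callout must never trigger another callout
        return False
    eas_url = f"https://{host}{path_and_query}"
    device_id = device_id_from_url(eas_url)
    body = cache.get(device_id, eas_url)
    if body is None:
        callout_path, headers = build_callout(user, agent, ip, eas_url)
        body = xnc(callout_path, headers)
        cache.put(device_id, eas_url, body)
    return callout_denies(body)

def xnc_stub(denied_device_ids):
    """Stand-in for the XNC REST service (assumption): replies with the JSON string
    "deny" (6 bytes, as in the traced response) or "allow"."""
    calls = []
    def handle(callout_path, headers):
        q = parse_qs(urlparse(callout_path).query)
        calls.append(q)
        denied = headers.get("Host") == CALLOUT_HOST and q.get("DeviceId", [""])[0] in denied_device_ids
        return json.dumps("deny" if denied else "allow").encode()
    handle.calls = calls
    return handle
```

Run decode_callout(TRACED_CALLOUT) to see the traced request's parameters in clear, including the decoded ActiveSync URL. The cache split matters for load: every FolderSync or Ping from a known device is answered from the DeviceId group for 60 seconds, while requests that carry no DeviceId (an OPTIONS probe, for instance) are cached per URL only, so they never pollute a device's entry.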

Secure Mobile Gateway

Diagram: devices (Worx Enroll / Worx Home) on 3G / 4G LTE connect to Exchange, where the Secure Mobile Gateway (SMG) filter sits in front of the Client Access Server (CAS) and queries XDM for device state.

Secure Mobile Gateway Models

Permissive: allows all devices unless they fail a policy rule.
Restrictive: allows no devices unless they meet all policy rules.

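An added illustration of the two models (not Citrix code): a small rule engine over constructed device records, using the filter inputs listed earlier (OS version, GPS location, mail client type) together with the rooted-device and blocked-app conditions from the diagrams. How an unevaluable rule (no GPS fix) is treated is this example's own reading of the two definitions, not documented SMG behaviour; the zone centre, radius and package name are made up.

```python
"""Permissive vs restrictive policy models, added example (not Citrix code).
Permissive: allow unless the device fails a rule. Restrictive: deny unless the
device meets every rule. A rule returns True (met), False (failed) or None
(cannot be evaluated); None does not fail a device in permissive mode but does
count as "not met" in restrictive mode. That handling is this example's choice."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Device:                      # constructed record of what XDM knows about a device
    device_id: str
    user: str
    os_version: str                # "4.3", "6.1.3", "4.10"
    mail_client: str               # User-Agent family, e.g. "Android/4.3EAS1.3"
    rooted: bool = False
    apps: frozenset = frozenset()
    location: tuple = None         # (lat, lon) in degrees, or None when unknown


def version_tuple(v):
    """Numeric comparison, so "4.10" ranks above "4.3" (string order gets it wrong)."""
    return tuple(int(p) for p in v.split("."))


def km_between(a, b):
    """Great-circle distance in km (haversine) between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


# Rule factories: each returns callable(device) -> True | False | None
def not_rooted():
    return lambda d: not d.rooted

def min_os(minimum):
    return lambda d: version_tuple(d.os_version) >= version_tuple(minimum)

def no_blocked_app(blocklist):
    return lambda d: not (d.apps & frozenset(blocklist))

def inside_zone(center, radius_km):
    return lambda d: None if d.location is None else km_between(d.location, center) <= radius_km

def allowed_mail_client(prefixes):
    return lambda d: d.mail_client.startswith(tuple(prefixes))


def decide(device, rules, model):
    """Return ("allow" | "deny", names of the rules that caused the denial)."""
    results = {name: rule(device) for name, rule in rules.items()}
    if model == "permissive":
        failed = [n for n, r in results.items() if r is False]
        return ("deny" if failed else "allow"), failed
    if model == "restrictive":
        unmet = [n for n, r in results.items() if r is not True]
        return ("deny" if unmet else "allow"), unmet
    raise ValueError(f"unknown model {model!r}")


RULES = {
    "not_rooted": not_rooted(),
    "min_os": min_os("4.3"),
    "no_blocked_app": no_blocked_app({"com.example.badapp"}),   # constructed package name
    "inside_zone": inside_zone((26.12, -80.14), 50.0),          # constructed 50 km zone
    "mail_client": allowed_mail_client(["Android/", "Apple-iPhone/"]),
}
```

The version and distance helpers are where real deployments go wrong: comparing "4.10" with "4.3" as strings lets an old build through, and a device with no GPS fix is exactly the case where the two models give different answers, which is why decide() reports the rule names rather than only the verdict.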

Secure Mobile Gateway Requirements

Windows Server 2008 R2 / 2008 SP2

Exchange 2007 / 2010 CAS

Forefront TMG 2010 Service Pack 1

IIS 7.0 / 7.5


XenMobile MDM Deployment


Installation and Configuration

XenMobile MDM Install Steps

Device Manager (XDM):
Java Development Kit 7 (JDK)
Java Cryptography Extensions 7: replace the .jar files
XenMobile Device Manager

What does XenMobile MDM Install?

Device Manager (XDM):
Apache Tomcat
Database
XenMobile Web Console

What is configured during install?

Device Manager (XDM):
Database
License
Server Connectors
iOS usage
http / https
RootCA / APNS certs
FQDN
Ports

XenMobile MDM
Device Manager 8.5
Getting Started wizard
3 easy steps to configure XenMobile DM:
Build a package for mobile devices
iOS
Android

Test enrollment
Download Enroll client

Manage devices
Ready to set new policies!


XenMobile MDM
Device Manager 8.5
Is XenMobile App Controller deployed?
MDX or native apps can be deployed by XM App Controller
Supported only with XM App Controller 2.8
Device registration will be handled by XenMobile DM


XenMobile MDM
Device Manager 8.5
Build a mobile device package
Supported only for iOS/Android mobile
devices
What would you like to include in the
Base Package?
WiFi
Passcode
Jailbroken Detection
Example
- Set device as out of compliance
- Notify users


XenMobile MDM
Device Manager 8.5
Configure Active Directory or local users
For Active Directory, select LDAP or LDAPS (prefer LDAPS on 636: with plain LDAP on 389 the bind credentials and user lookups cross the network in clear text)
Enter your Active Directory information
Define the groups that will hold XenMobile roles
Done!

XenMobile MDM
Device Manager 8.5
Test enrollment for iOS or Android mobile devices
Download Citrix Mobile Enroll (iOS) or Citrix Mobile Connect (Android)
Support for QR barcode
Download the app directly from the App Store or Google Play
Log in with domain credentials to finish the device enrollment

XenMobile MDM
Device Manager 8.5
Discovering mobile devices
Once devices have Citrix Mobile Connect or Enroll installed, XenMobile DM will discover them

XenMobile MDM
Device Manager 8.5
You are done!
Go to Device Manager to customize
your deployment and policies


XenMobile Device Management


Policies

XenMobile Device Management


Packages

Name
Groups / Users
Resources
Schedule
Rules


MDM Policies

Device Specific
Automated Actions
App Access
SharePoint


Popular policies


XenMobile Enrollment Invitation

(Invitation screenshots.) Each invitation selects an enrollment mode and an installation link.

Enrollment modes:
Username + Password
High Security
URL
URL + Password
URL + PIN
Two Factor
Username + PIN
Mobile Device Security

Lock / Unlock
Full Wipe (factory reset of the whole device)
Selective Wipe (removes only the MDM profile and the corporate data, apps and policies it delivered; personal data stays)
Locate / Enable Tracking
Revoke Access

Location Services / Tracking

Location Services: Locate / Enable Tracking