Monthly Archives: November 2013

XenMobile Device Manager 8.6

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 8.6 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
CERTIFICATE – cert
VOLUME PURCHASE PROGRAM – vpp
XENMOBILE APPCONTROLLER – xac

APNS IIS Chaining Error
If your experiencing a chaining error when completing your APNS cert response in IIS then please navigate to http://www.apple.com/certificateauthority/ and download the Apple Root Certificate + CRL and the Apple Integration Certificate + CRL and install these appropriately into trusted root ca authority, intermediate stores of the IIS server that you are intended to complete the APNS certificate response on.

You can register/create an Apple ID at – http://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId?localang=en_US and the APNS portal is available at – http://identity.apple.com/ to submit your signed APNS CSR to be signed.

Installing XDM 8.6 (DRAFT & MAY CONTAIN ERROR(S))
0: I would recommend downloading and reading through the current Citrix Reference Architecture for XenMobile 8.6 at –
http://support.citrix.com/article/CTX13981
1: Review the system requirements –
http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-device-manager-sys-reqs-con.html and remember to consider if you are ever going to intend managing your mobile, smart devices inside and outside of your organisations trusted network. I use split DNS so the same FQDN is accessible both in/outside of my demo environment. I FQDN is typically best over a IP addr as you can always adjust the underlying IP Address of the XDM FQDN in DNS (Internal and Externally) to move it (a) from one subnet to another with different IP addressing (b) from ISP to ISP (You will always get a new allocated IP range as ISP are allocated IPv4, IPv6 address blocks) without having to reinstall the XDM. Your probably asking your why would I need to reinstall the XDM? When you install the XDM you will also configure a CA as the XDM will push certs to the devices being enrolled to restrict the devices capabilities based upon the MDM policies that you have applied within the XDM web UI so if the IP addr changes you need to reinstall and re-enrol every device so using a FQDN means that your adjust your DNS records both internally and externally with the new IP addr for your FQDN and there is no need to reinstall the XDM as the FQDN has not changed and devices will still be managed.
2: Network TCP Ports Source vs. Destination – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-component-port-reqs-n-con.html.
3: Generate an APNS certificate or use your existing APNS certificate – http://support.citrix.com/proddocs/topic/xenmobile-connect-users/xmob-dm-config-requesting-apns-con.html. If you have any chaining error(s) please refer to the APNS process in the beginning of this WordPress blog article/entry.
4: Download and install the latest STABLE versions of the Oracle Java JDK and JCE files at – http://www.oracle.com/technetwork/java/javase/downloads/index.html. You should never use BETA or builds known to be unstable or insecure. Remember to extract and copy the *.jar files to the following paths – once the Java JDK has been installed on the XDM 8.6 server.
5: Liaise with networking team(s) to ensure that your internal and external firewalls ACL are correctly configured for your XDM deployment. Take a look at the Architecture Diagram – http://www.citrix.com/content/dam/citrix/en_us/images/info-graphics/xenmobile_architecture_86.png and the read through the latest Reference Architecture documentation for XM8.6 – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-reference-architecture-for-xenmobile-86.pdf.
6: I would once again recommended downloading and reading through the Deploying the XenMobile Solution ( Currently based off 8.5 at the time of writing this blog entry) – http://support.citrix.com/article/CTX139235, alternatively continue.
7: Navigate to this eDoc’s link to begin the installation of the XDM 8.6 – http://support.citrix.com/proddocs/topic/xmob-install-dm-86/xmob-deploy-device-manager-install-steps-tsk.html

Creating A Valid Chained Certificate For Your XDM’s FQDN
There are various different methods for achieving or generating a *.pfx12 certificate you can always choose to disagree with my approach and use your own method(s) and or approach(s).

Microsoft Enterprise CA ( WaRniNg – (DRAFT & MAY CONTAIN ERROR(S)) )
1: Create a CSR for your XDM FQDN on your Enterprise CA or another server that is domain joined and has the Enterprise CA root certificate installed and valid. Please also be sure to ensure your select 2048Bit encryption when competing the wizard and save the CSR request to your desktop for convenience.
2: Open up the text document to retrieve CSR code by selecting all and copying.
3: Navigate to your Microsoft Enterprise CA CSR signing website e.g http://FQDN/certsrv
4: Request a certificate
5: Click Or, submit an advanced certificate request
6: Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
7: Enter in the CSR generated code from the XAC or XDM into the Saved Request input box then change the “Certificate Template” to Web Server
8: Click Submit
9: Download the certificate response in Base 64 format and save as certname-base64.* and then prior to closing the web page save the cert in DER format if required in the following format certname-DER.*. Tip download the *.p7b formats for each aswell. NOTE: Upon completion of importing and activating your cert on the XDM server(s) you should delete any unsecured or unused XDM certs on your file servers and desktop for security purposes.
10: Now complete the SSL signing request certificate in IIS on the Enterprise CA using the Base64 format signed SSL certificate and then export the cert and enter in a strong password and please do not forget the password. Save the exported cert on your desktop and copy onto a file share or to your file server and then copy the *.pfx12 cert you’ve just generated on your XDM’s desktop for simplicity as the next steps will require you to edit two files in notepad and create directory to put the the SSL certificate in.
10: Follow the steps in the following CTX article at – http://support.citrix.com/article/CTX136952 or http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-manage-securityid-configcert-ssl-tsk.html to apply your Enterprise CA signed *.pfx12 SSL certificate to your XDM’s FQDN.

Checkout these Microsoft certificates resources for further help and guidance.

1: http://support.microsoft.com/kb/295281 – How To Renew or Create New Certificate Signing Request While Another Certificate Is Currently Installed
2: http://technet.microsoft.com/en-us/library/cc754490.aspx – Request Certificates by Using the Certificate Request Wizard
3: http://technet.microsoft.com/en-us/library/bb727098.aspx – Chapter 6 – Managing Microsoft Certificate Services and SSL

OpenSSL
1: You will require a clean, fresh installation of XDM without any devices enrolled as I have not tested this process POST devices being enrolled.
2: Download OpenSSL for Windows at – http://www.openssl.org/related/binaries.html, alternatively if the link is dead or moved locate the download at – http://www.openssl.org/.
3: Install OpenSSL by following the onscreen instructions and remember to check the pre-requites prior to installation of OpenSSL.
4: Now that you have installed OpenSSL following the steps in this Citrix blog article at – http://blogs.citrix.com/2013/11/05/creating-a-private-key-and-csr-for-xdm/.

Deploying and Load Balancing a XDM cluster
1: These two videos available on the Citrix Blog available at – http://blogs.citrix.com/2014/03/05/configuring-xenmobile-device-manager-ha-clustering-in-less-than-15-minutes-part-1/, http://blogs.citrix.com/2014/03/05/configuring-xenmobile-device-manager-ha-clustering-in-less-than-15-minutes-part-2/ that show you how to implement a XDM cluster for high availability referenced from the following eDocs node – http://support.citrix.com/proddocs/topic/xmob-dm-config-86/xmob-dm-manage-ha-wrapper-con.html.
2: Once your NetScaler (Gateway) has been deployed and the initial configuration completed and the appropriate NS(G) licenses uploaded then please watch this video on Citrix TV – http://www.citrix.com/tv/#videos/9294 which shows you how-to L/B the XDM using the XenMobile wizard in the NS(G).

Deploying Strong Authentication
1: Client Certificate Authentication in XenMobile 8.6 – http://support.citrix.com/article/CTX139857.

XenMobile Enterprise 8.6

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Enterprise 8.6 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
SHAREFILE STORAGEZONE CONNECTOR – szc
XENMOBILE APPCONTROLLER – xac
RECEIVER FOR WEB – RfW
OUT OF OFFICE – ooo
GoToMeeting – gtm
VOLUME PURCHASE PROGRAM – vpp

What’s New The Highlights
0: XenMobile Datasheet by edition – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf.
1: Single Agent for enrolment and MDM, MDX policy control.
2: WorxMail supports OOO, GoToMeeting Fast join with telephone number and pin auto-dialled from your calendar, Office 365 Exchange.
3: Additional support for Amazon KindleFire MDM API, Samsung KNOX API and iOS 7 MDM API’s.
4: Support for Kerberos authentication along with secure pin-based authentication to validate a user’s access to a organisation delivered, signed and secured MDX mobile app.
5: Support for Apples new VPP.
6: XenMobile Cloud based offering is available.
7: Uploading of native unsigned IPA, APK files to the XAC 2.9 along with Multi-domain support,
8: Redirection of HTTP, HTTPS network traffic from WorxWeb via a NSG to proxy servers within your organisation.
9: Auto-based discovery to enrol now supports email based discovery and UPN.
10: A full and complete list is available at http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-understand-whats-new-n-con.html, http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/whats-new-in-xenmobile-86.pdf.
11: NetScaler Gateway 10.1.120.1316.e is required – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-understand-whats-new-n-con.html. You can find out more about this new enhanced release at – http://blogs.citrix.com/2013/11/28/whats-new-with-the-citrix-netscaler-gateway-release-10-1-120-1316-e/.

Single Agent for Enrolment, Self-serve Store and MDM, MDX Policy Enforcement
The latest release of Worx Home now provides organisations with much simplified approach to enrol and to manages employee BYO, Corporate smart phones and tablets. When users launch the app the either enter in the XDM server addr or enter in there organisations email addr which is simpler for the user and automatically resolves the organisations XDM servers addr either a IP addr or FQDN. Next they input there user credentials typically AD as there are alternative enrolment options check out – .

Once there access credentials are validated it will open up Safari (iOS) or Chrome (Andriod) and create a secure session back to the XDM server to download the company/organisational and MDM certificates. This process historically required the user to take steps 1 through 3 in the browser now it will automatically take the user between the Settings area and the browser to install the company/organisational and MDM certificates (NOTE: Above is based of an iOS device).

Once the user has completed the certificate installation on their smart phone, tablet is successfully. The final step will see the browser automatically re-directing the user to Worx Home to validate the enrolment and allow for any signed MDX or public apps to be prompted to the user to install.

The users device(s) have now been enrolled successfully and are being safely and securely managed by the organisations IT, Infrastructure or IS department.

Worx Home now manages the MDM certificates which can restrict the users ability to use Siri, Safari and it also managed MDX policies enforced against *.MDX files pushed from the XAC which can restrict the MDX mobile app from leveraging the iCloud API and restrict the copy and pasting of text outside of the MDX mobile app(s) to public delivered mobile apps e.g Facebook, LinkedIn, Twitter from iTunes.

How-to Deploy
MORE coming soon but take a look at these initial resources below in the coming soon section. There will more in-depth content for XDM 8.6, XAC 2.9 in separate blog articles. This entry will cover XenMobile Enterprise as a MDM, MAM and MIM solution for your organisation.

Coming Soon!
The mean time check out these links.
1: Getting started with XenMobile eDocs – http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-con.html
2: What’s new with XenMobile Enterprise 8.6 Video and PDFed slide deck – http://www.citrix.com/products/xenmobile/whats-new.html
3: XenMobile Enterprise 8.6 Product Videos – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-product-videos-con.html

Mobile Device, Application and Information Management

The following content is a brief and unofficial article about Mobile Device, Application and Information Management. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE INFORMATION MANAGEMENT – mim
MOBILE APPLICATION PERFORMANCE MANAGEMENT – mapn
ACTIVE DIRECTORY – ad

What is MDM?
It’s the capability to restrict the services and mobile applications provided by a mobile platform only e.g disabling of Siri on iOS, Chrome on Android via MDM API’s provided by the mobile OS. To achieve these capabilities and many more a MDM server e.g XenMobile Device Manager will request a mobile device to securely authenticate via a agent installed on the mobile OS e.g Citrix Enrol with a users organisational access details which will then present or rather enable the user to proceed with the MDM enrolment process i.e securely
downloading (HTTPS) and installing a secure organisation profile and MDM policies enforced by IT which effectively will restrict the devices capabilities to access mobile applications of the mobile OS or disable services e.g Disable Siri from been available when a iPhone or iPad is locked but when the user of the iOS device safely unlocks the iPhone or iPad with a pin code they can use Siri.

What is MAM?
It allows and enables your organisation to deliver safe and secure applications from your organisations data centre. This applications can be native mobile apps (iOS, Android), SaaS and Windows published applications which can now be repurposed with the Windows Mobile SDK – https://www.citrix.com/go/mobile-sdk-for-windows-apps.html and http://www.citrix.com/mobilitysdk/docs/videos/RapidStarts.htm to improve the users experience on a mobile device (iOS). As these are logical resources published or delivered and installed on an mobile device you can only lock the resources, perform a selective wipe or perform an erase of the data within the mobile apps (Published apps you simple disable that surest access via AD).

What is MApM?
It’s an acronym for essentially describing the ability to provide intelligent reporting against mobile apps via an agent on smart devices.

What is MIM?
It provides organisations the ability to take their trusted data held within internally only accessed Shared Areas, SharePoint sites e.t.c and allows organisational employees or 3rd parties i.e contractors the ability to download and potential edit office based documents, watch videos on corporate issued or BYO devices on or offline in a safe and secured environment with the ability to perform a wipe, lock or configure a poison pill against the organisational trusted data that is stored on the users device(s).