Monthly Archives: October 2015

Creating and renewing an APNs Certificate for XenMobile

The following content is a brief and unofficial prerequisites guide to creating and renewing an Apple APNs certificate prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
INTERNET INFORMATION SERVICES – iis
CERTIFICATE AUTHORITY – ca
APPLE PUSH NOTIFICATION SERVICE – apns
CERTIFICATE SIGNING REQUEST – csr

What is an Apple Push Notification service (APNs) Certificate and how does it work?
APNs certificates enable the safe, secure propagation of information/notifications to iOS and OS X devices, where the source of those notifications is a XenMobile Server holding an APNs certificate trusted and signed by Apple and Citrix. In this particular overview I am referring to MDM/Mobility vendors, e.g. Citrix, AirWatch by VMware, MobileIron etc.

APNs certificates allow any end-user to enroll his/her iOS device (iPhone, iPad), whether it be corporate or personally owned (BYO), against a XenMobile Server in order to obtain organisation-specific configurations, e.g. Wi-Fi configurations, and of course security-leading best practice policies, e.g. the user's PIN must be alphanumeric, 6 characters in length and must be changed once every 90 days to meet organisation password policy guidelines etc.

I won't attempt to explain how APNs certificates work technically. I do understand it, but I believe Apple's documentation is simple and very clear to understand and provides a great overview of how APNs works and functions, so please visit the following link – https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9.

Creating and renewing an APNS Certificate with IIS (SuGgEsTeD for PoC Environments + Draft)
0: You will require a valid Citrix partner account to access your Citrix My Account – http://www.citrix.com/account.html and you will require a valid Apple ID to log in to the APNs Portal to complete your APNs signing request and for on-going APNs maintenance, i.e. renewing or revoking your APNs certs. If you do not have a valid Apple ID you can create one at the following link – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId.
1: Prior to creating your APNs cert you should consider the following: will your customer's PoC ever move to a pilot or even to production? If it may, then you/they should carefully consider exactly where you will generate your Certificate Signing Request (CSR) for the APNs certificate to be used with XenMobile.
2: Open up IIS on your chosen Windows Server, click Server Certificates and select “Create Certificate Request”. Enter the following information into the “Distinguished Name Properties” pop-up window which appears and, once completed, click next. On the “Cryptographic Service Provider Properties” window select the “Microsoft RSA SChannel Cryptographic Provider” as the Cryptographic service provider and a Bit length of “2048” from the dropdown lists. Then save the CSR on your desktop, providing it with a name e.g. XM_APNS-CSR.txt

IIS Request – Your Response
Common Name – e.g. myMDM-for-xm-anps.axendatacentre.com
Organization
Organizational Unit
City/locality
State/province
Country/region

3: Next navigate to https://xenmobiletools.citrix.com/ from the IIS Windows server that you generated this XenMobile APNs CSR from and sign in with your Citrix partner access details.
4: Upload your CSR as described on-screen at https://xenmobiletools.citrix.com/ which will then return a *.plist file to download (save it).
5: Next navigate to Apple’s Push Certificates Portal at – https://identity.apple.com/pushcert/ and log in with your Apple ID. Next click “Create a Certificate” and, following the on-screen instructions, upload the *.plist file that you downloaded from the XenMobile Tools portal in step 4 above. It will then prompt you to download a *.pem file (ignore the filename, e.g. MDM_Zenprise.pem).
6: Import the *.pem file downloaded from the APNs portal in step 5 above into IIS by completing the certificate request, and specify a friendly name (use the same common name you specified in step 2 above). Optional: if your cert import fails then be sure to import Apple's intermediate and root certificates from – http://www.apple.com/certificateauthority/ and repeat the import process once more. Also check out – http://support.apple.com/kb/ht5012 entitled “Lists of available trusted root certificates in iOS” for further help & guidance.
7: Export the imported APNs certificate via IIS and specify the path to save the cert, which will be in *.pfx format. Also specify a strong password to protect your APNs cert and finally, note to self, DO NOT FORGET the password.
8: When prompted during the XMS Admin WebUI configuration, after completing the XMS CLI setup, follow the import process in the table below.

Import – Keystore
Keystore Type – PKCS #12
Use as – APNs
Keystore file – The path to your completed XM APNs cert which will be in *.pfx
Password – The password you typed in at step 7 above
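
A check worth running on the *.pfx from step 7 before the step 8 import, as an added example (not from the original post or from Citrix): it confirms that the export carries the private key, that the key matches the 2048-bit length chosen in step 2, and how many days remain before a renewal is due. The function name Test-ApnsPfx, the file name in the sample call and the 30-day warning window are assumptions.

```powershell
function Test-ApnsPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password,
        [int] $ExpectedKeyBits = 2048,  # bit length selected in step 2
        [int] $WarnDays = 30            # assumed renewal warning window
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

    # Opens the PKCS #12 file without adding it to a certificate store.
    # A wrong password throws here, so this also confirms the step 7 password.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $Password, $flags

    try {
        $keyBits  = $cert.PublicKey.Key.KeySize
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        $problems = @()
        if (-not $cert.HasPrivateKey) {
            $problems += 'No private key in the export: export from the server that generated the CSR.'
        }
        if ($keyBits -ne $ExpectedKeyBits) {
            $problems += "Key is $keyBits bits, expected $ExpectedKeyBits."
        }
        if ($daysLeft -lt 0) {
            $problems += "Certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))."
        }
        elseif ($daysLeft -le $WarnDays) {
            $problems += "Certificate expires in $daysLeft days: start the renewal."
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            KeyBits       = $keyBits
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            Problems      = $problems
        }
    }
    finally {
        $cert.Reset()   # release the certificate and key handles
    }
}

# Sample call; the file name is a placeholder for your own export.
# Test-ApnsPfx -Path .\XM_APNS.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

An empty Problems list means the file is ready for the keystore import; the same function can be scheduled against the stored *.pfx to flag an approaching expiry.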

Creating and renewing an APNS Certificate with NetScaler (SuGgEsTeD + Draft)
Coming soon…

What’s new with XenApp/XenDesktop 7.6 Feature Pack (FP3)

The following content is a brief and unofficial prerequisites guide to set up, configure and test XenApp, XenDesktop FP3 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
EXPERIENCE 1st – x1
STOREFRONT SERVER – sfs
FEATURE PACK – fp
THINWIRE PLUS – thinwire +
THINWIRE COMPATIBLE – thinwire c
USER EXPERIENCE – ux

What is new in FP3?
0: ++An absolute MUST read entitled “HDX Graphics Modes – Which Policies Apply to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.6 FP3” which is available at – http://support.citrix.com/article/CTX202687 prior to implementing any of the new graphics mode/encoder(s) within XAD 7.6 FP3.
1: Support for Windows 10 Enterprise Edition, in the Standard VDA for Windows Desktop OSes.
2: HDX Broadcast updates include the following:

Framehawk (Admin guide – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Framehawk%20Administration%20Guide.pdf) virtual display channel is integrated into the standalone VDA package.
Thinwire Compatible Mode (http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-hdx-landing/thinwire-compatibility-mode.html), also referred to as Thinwire +/Plus, is the very latest encoder to deliver a fantastic and rich X1 UX for virtual apps and desktops delivered from Windows Server 2012 R2, Windows 8.1 and 10 powered by XAD 7.6 FP3. To learn more, check out – https://www.citrix.com/blogs/2015/10/09/a-big-leap-in-ica-protocol-innovation-for-citrix/. Set the “Use video codec for compression” policy to “Do not use”, which will force the use of Thinwire Compatibility Mode by default for user ICA/HDX sessions on XAD 7.6 FP3.

HDX Framehawk Performance in XenApp and XenDesktop 7.6 FP3

3: ++Updated Studio built-in policies ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-templates.html which include the following:

– Very High Definition User Experience+
– High Server Scalability *+
– High Server Scalability-Legacy OS **
– Optimized for WAN *+
– Optimized for WAN-Legacy OS **
– Security and Control

+ New or adjusted to meet today’s new requirements
* Windows 8.1-10, Windows Server 2012 R2
** Windows 7, Windows Server 2008 R2

4: Support for signature devices (Wacom) and drawing tablets which can be applied by adding the following USB device policy settings ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-settings-wrapper/xad-policies-settings-ica/xad-policies-settings-usb.html.
5: The HDX 3D Pro VDA used to deliver HDX Rich Graphical apps now supports full-screen apps including 3D and gaming apps within single monitor for ICA sessions.
x: For a full and complete list with accurate descriptions and overviews please check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-whats-new.html.

What’s new with StoreFront 3.0.1?
This release contains a number of fixed issues ref – http://docs.citrix.com/en-us/storefront/3/sf-about-30/fixed-issues.html including support for TLS 1.0-1. Please be aware that SSL 3.0 is NOT supported and Citrix strongly recommends that you do not use it.