Category Archives: Mobile Application Performance Management

XenMobile 10.0 PoC Considerations

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile 10.0 prior to deploying in a PoC which will eventually mature to a Pilot, UAT then finally into an Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
FEDERAL INFORMATION PROCESSING STANDARDs – fips
NETSCALER GATEWAY – nsg
MICROVPN – mVPN
FIREWALL – f/w
CERTIFICATE – cert
ACTIVE DIRECTORY – ad
INFRASTRUCTURE-AS-A-SERVICE – iaas
ENTERPRISE MOBILITY MANAGEMENT – emm
MOBILE CONTENT/INFORMATION MANAGEMENT – mc/im
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam

Preparation & Pre-requisites (DRAFT & MAY CONTAIN ERROR(S))
1: XenMobile 10 is completely different from XenMobile 9 as it is now a single harden Linux V/A and the communication paths between the NSG and the XMS V/A are also now differently likewise setting and configuring XM 10 is different from XM 9 and its substantially more quicker and easier.
2: Never use a production NSG for a customer PoC why? When you upload the trial licenses it will require the NSG V/A to reboot which cannot be completed in a production environment without a scheduled and carefully planned maintenance window.
3: You may want to use the latest NS(G) firmware for the XM PoC to achieve the best possible outcome, result and of course to have the best optimal performance.
4: XenMobile has the ability to integration of a number of the Citrix products to form an end-2-end EMM solution that encompasses MDM, MAM, MC/IM.
5: Identify and visually understand where potentially all the components/products sit within the whole overall mobility solution. Here is a great visual reference that is clean and clear to understand – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html for XenMobile 10.
6: Review the pre-requites and checklists if available for each product that you wish to deploy within XenMobile. I have listed a few here for you starting with all the required ports:

Architecture – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html
System Requirements – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-system-requirements.html
Ports – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-deploy-component-port-reqs-con.html
Pre-Installation Checklist – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-xenmobile-install-checklist.html

7: Now that you have an understanding of the requirements I would strongly advise that you also read through the XenMobile security whitepaper available at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf. Although you may not actually want to read through this whitepaper even just a brief glance at the MDX technology sections will provide you with a greater understanding of mVPN’s and the MDX framework that powers all of Citrix’s Worx App’s – http://www.citrix.com/products/xenmobile/tech-info/worx-mobile-apps.html.

Pre & Post Discovery Meetings (DRAFT & MAY CONTAIN ERROR(S))
1: Ensure that you educate the organisation as to what XenMobile is and it’s capabilities surrounding enterprise mobility management commonly referred to EMM. I often find that individuals still today don’t have a very clear and defined understanding of what is MDM and MAM are so its worth educating your customer.
2: I would suggest that you setup 2-3 GoToMeeting sessions a minimum. This is to ensure and allow the organisation to ask any questions surrounding the pre-requites and system requirements of XenMobile including supporting any and all external dependencies e.g iOS Enterprise Developer Account for signing Worx’s apps. The second reason is to ensure that all the pre-requites have been completed successfully prior to you arriving onsite to complete a PoC implementation and to answer any further Q&A the organisation has. If the organisation has not completed the pre-requites then proceed with the third GoToMeeting and if the pre-requites have still not being completed successfully I would strongly advise escalating to managers on both organisations and rescheduling your PoC deployment date to an alternative date as the chances of your PoC being successfully will be less likely and as for example the required ports may not be opened correctly, certificates for securing communication are completed etc. If you do choose to proceed you’ll more than likely spend a great deal of time troubleshooting in order to successfully complete your XenMobile 10 PoC deployment.
3: Decide on a database platform note that Postgres SQL is built-in to the XMS V/A and it is recommended PoC deployments only, where as a remote MS SQL database is best utilised for production deployments.
4: Decide upon the MDM management addr for mobile devices which should be a FQDN e.g mdm.axendatacentre.com. If you intend to manage devices both in and outside of your organisation I would recommended implementing SplitDNS ref – http://en.wikipedia.org/wiki/Split-horizon_DNS.

Example of SplitDNS
///////////////////
Internal 10.10.1.1 resolves to mdm.axendatacentre.com over the corporate trusted Wi-Fi or wired ethernet
External 8.8.8.100 resolves to mdm.axendatacentre.com over 3/4G

5: Login to your Citrix My Account at – http://www.citrix.com/ locate and click Partner Central (Opens a new tab) then once the web page loads click Sales in the navigation menu bar and click on SalesIQ (Opens a new tab) then once loaded click on PoC Central scroll down and download the XenMobile PoC kit. Note only valid Citrix Partners may download content from Citrix SalesIQ.

How-to resolve – Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile
1: The following error message Profile Installation Failed The server certificate for ‘https://XM-FQDN:8443″ is invalid is received when enrolling iOS 7.x.n + with XenMobile 10.
2: The issues is related to the private key within the exported *.p12/pfx certificate when exported from a Windows machine with either Certificate Manager or IIS Manager on Windows Server.
3: I would suggest that you download and run DigiCert Certificate Utility for Windows from – https://www.digicert.com/util/ on the server that originated the CSR that was used to generate a wildcard certificate. Once the tool is open find your wildcard cert and follow the steps at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to export the certificate BUT before you proceed with the export please highlight the intended wildcard certificate and select “Test Key” once its completed successfully select “Export Certificate” option.
4: Upload the exported DigiCert p12/pfx cert to the XMS V/A for both the server and the SSL listener and restart the XMS V/A.
5: Once the XMS V/A is online login to both the SFP and the Admin WebUI to validate that the XMS V/A is active and responding as normal/expected.
6: Begin enrolling your iOS device and the following error message Profile Installation FailedThe server certificate for “https://” is invalid should no longer appear and you should be able to successfully enroll your iOS device.

PoC Notes & Tips
1: Deploy your first few XenMobile 10.0 PoC as single entities without the complexity of clustering, load-balancing e.t.c
2: Stick with 2 devices during a PoC to maximise your success and remember a PoC is designed to prove a concept or that a technology works as described.
3: If your deploying ShareFile On-Prem SZ remember to backup the SZKeys.txt in the root of your ShareFile Data CIFS share.
4: Support NetScaler Gateway (Builds + Versions) for XM 10.0 currently include – 10.5.55.8 MR5, 10.5.54.9 MR4, 10.5.53.9 MR3, 10.1.130 MR and 10.1.129 MR ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html. Please review the following CTX article entitled “FAQ: XenMobile 10 and NetScaler 10.5 Integration” available at – http://support.citrix.com/article/CTX200430 which is a great and resourceful CTX article.
5: Although this is typically not considered during a PoC Citrix provides detailed overview of scaling XenMobile 10.0 from 1000 up to 100,000 devices fronted by both VPX and MPX NS appliances – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-scaling-xm.html.

XenMobile AppController 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile AppController 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

New & Existing XenMobile AppController (XAC) Admin & User Consoles
1: The NEWEST console is a troubleshooting one which is accessible at https://XAC-FQDN:4443/ControlPoint/support which allows troubleshooting of NetScaler Gateway, XenMobile Device Manager
2: Control Point Admin console – https://XAC-FQDN:4443/ControlPoint/
3: Hidden Admin console – https://XAC-FQDN:4443/admin.
4: Receiver for Web (RfW) provides user access to SaaS, Web-links – https://XAC-FQDN:4443/Citrix/StoreWeb/ natively. You can integrate XAC with StoreFront to enumerate published Windows apps, Sever and Desktop VDI’s from XenApp, XenDesktop 7.x.

What’s New
0: XenMobile Security PDF document – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf and XenMobile security microsite is also available at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
1: Support for Windows Phone 8.1 MDX Policy’s for WorxMail and WorxWeb only – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-worx-about-wrapper.html. You can learn how to wrap Worx apps for Windows Phone 8.1 using this useful CTX article entitled “FAQ: Windows Phone 8.1 and XenMobile 9” – http://support.citrix.com/article/CTX200105 and also watching the following video below from Citrix TV.

2: New troubleshooting and support console that can download logs, perform connectivity tests and upload logs to http://taas.citrix.com. The console is available at – https://XAC-FQDN:4443/ControlPoint/support once you have successful authenticated at https://XAC-FQDN:4443/ControlPoint/. You will need to know the admin access details for NSG, XAC and XDM in order to effectively use this console.

3: Wrapping iOS Worx Apps Video.

4: Wrapping Andriod Worx Apps including covering off how-to sign multiple *.APK files using a BASH script. Refer to the XenMobile 9.0 MDX Toolkit Documentation
– http://support.citrix.com/article/CTX140458 for more information once you have watched this video.

5: XenMobile 9.0 MDX Toolkit Documentation – http://support.citrix.com/article/CTX140458

Installing & Deploying XAC 9.0
1: Review and understand the systems & networking pre-requites of the XAC virtual appliance at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-sysreqs-wrapper-con.html and http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-prepare-xenmobile-checklist-con.html.
2: Deploy the XAC virtual appliance on your chosen hypervisor and boot it and follow the onscreen instructions to apply the IP addr, DNS e.t.c and reboot upon completion connect to the Web Admin UI to compete the initialisation wizard thereafter you can begin to setup and configure your XAC virtual appliance and upload your MDX signed Worx apps and configure the MDX policies as required per app per supported platform. Don’t forget to generate and sign a CSR for the XAC and optionally sign it with your Enterprise CA (PoC/Demo environments) or a Public CA (PROD environments) and apply your own SSL certificate(s) to the XAC refer to – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-appc-cert-install-con.html or for a video demonstration watch – http://www.citrix.com/tv/#videos/9501.
3: Configuring MDX policies for Windows Phone 8.1 – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html, iOS – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html. Finally checkout how-to configure encryption policies – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-encryption-con.html.
5: Once you have setup and configured your XAC appliance you can setup high-availability – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-ha-wrapper-con.html.
6: If you are looking for the XenMobile Reference Architecture please refer to http://support.citrix.com/article/CTX140433.

XenMobile Enterprise 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Enterprise 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE ENTERPRISE – xme
XENMOBILE CLOUD – xc
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns
PUBLIC KEY INFRASTRUCTURE – pki

XenMobile Security
1: Citrix have published a Whitepaper in PDF format covering the security within XenMobile which can be downloaded directly at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf there is also a new security web page within the XenMobile microsite on Citrix.com at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
2: Security harden your XDM implementation leveraging Microsoft’s leading best practises I have listed below are a few (starter) useful resources. I always believe that you should challenge the way you are manage your infrastructure periodically from the services, ports, packages running on servers to the ACL at the edge of your network to ensure that you are using the latest leading best practises for monitoring, managing and supporting your environment(s) end-2-end and often this will require input from a Server, DBA SysAdmin & network engineer.

Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/gg236605.aspx
http://technet.microsoft.com/en-us/library/dd548350(v=ws.10).aspx

Windows Server 2012
http://technet.microsoft.com/en-us/library/jj898542.aspx
http://technet.microsoft.com/en-us/library/hh831360.aspx.

What’s New & Fixed
1: Support for Windows Phone 8.1 MDM API’s which include but not limited to software inventory, disabling of the camera, encryption e.t.c and for a complete list checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-config-win-81.html.
2: New MDX policies for Windows Phone 8.1 e.g Document exchange (Open In), App restrictions, iOS e.g AirDrop, Social media integration and others.

For a full list of MDX policies for iOS checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html and for Windows Phone 8.1 checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html.

3: Cloud enabled Enterprise Mobility Management (EMM) powered by with XenMobile Cloud – http://www.citrix.com/products/xenmobile/tech-info/cloud.html.

4: New RBAC options within XDM to optionally ring or disown devices.
5: IPv6 licensing is now supported for XDM 9.0 check out – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-xenmobile-licenses-con.html in addition checkout this Citrix Blog article for a set by step how-to – http://blogs.citrix.com/2014/07/02/install-license-server-for-xenmobile-device-manager-in-xenmobile-9-0/.
6: XDM clustering for multiple geographic sites so that the device management service is resilient to outages at individual sites – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-ha-wrapper-con.html.
7: FIPS Compliance – http://support.citrix.com/proddocs/topic/xenmobile-90/clg-appwrap-fips-con.html
8: Secret Vault for iOS and Android- http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-secret-vault-ios-andr.html.
9: Penetration tested by Veracode and Gotham who are specialists in digital science and research.
10: Full a complete and full list of Whats new in XenMobile 9.0 please take a look at – http://support.citrix.com/proddocs/topic/xenmobile/xmob-understand-whats-new.html.
11: XenMobile 9.0 – Issues Fixed in This Release – http://support.citrix.com/article/CTX140926.
12: Always check in with the XenMobile data sheet for the most up to date and accurate features and details for XenMobile vs. editions at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf?accessmode=direct.

Citrix Support Forums for XenMobile 9.0
You can access the latest online Citrix Discussions focused on XenMobile 9 at – discussions.citrix.com/forum/1487-xenmobile-9x/ and previous discussions can be found at – discussions.citrix.com/forum/302-xenmobile/, including ZenPrise 7.x.

Wrapping & Deploying Worx Mobile Apps for Windows Phone 8.1
1: This CTX article provides a lot of detailed pre-requites & FAQ – http://support.citrix.com/article/CTX200105.
2: http://blogs.citrix.com/2014/07/11/deploying-worx-home-and-worx-apps-to-windows-phone-8-1-with-xenmobile/.

Xenmobile 9 Basic Upgrade Video Demonstration

XME Supported Mobile OS/Hardware Platforms
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-device-platforms.html

XenMobile 9.0 MDM Policies by OS Platform
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-device-platform-matrix.html

XenMobile 9.0 Compatibility Matrix
Currently the following NetScaler (Gateway) builds are supported for XenMobile 8.6 and 8.7 is 10.1.124.1308.e and for XenMobile 9.0 the following are supported 10.1.126.1203.e, 10.1.124.1308.e and 10.5 reference – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-compatibilitymatrix-con.html.

Worx features by Platform
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-worx-feature-platform-matrix-con.html

XenMobile Public Key Infrastructure (PKI) Integration
Prior to implementing with XME I would suggest that you review and read through the PKI section in eDocs for XenMobile Enterprise 9.0 at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-security-pki-overview-con.html so that you are aware and familiar with the supported PKI capabilities supported by XenMobile 9.0. The below embedded videos are from Citrix TV and covering the Symantec PKI integration for XenMobile 9.0.


http://www.citrix.com/tv/#videos/10866XenMobile Symantec PKI Integration Part1


http://www.citrix.com/tv/#videos/10867XenMobile Symantec PKI Integration Part2

Deploying & Hardening XenMobile 9.0
1: Here is a really good blog article to help you understand XenMobile Bandwith requirements and considerations – http://blogs.citrix.com/2014/07/10/xenmobile-bandwidth/ .
2. How-to restrict the XDM admin console from the Internet when using SSL Offloading – http://blogs.citrix.com/2014/07/14/mobility-experts-restrict-xenmobile-device-manager-admin-web-console-access-from-internet-when-deployed-in-ssl-offload-mode/.