Category Archives: XenMobile Device Manager

Creating and renewing an APNs Certificate for XenMobile

The following content is a brief and unofficial prerequisites guide to creating and renewing an Apple APNS certificate prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
INTERNET INFORMATION SERVICES – iis
CERTIFICATE AUTHORITY – ca
APPLE PUSH NOTIFICATION SERVICE – apns
CERTIFICATE SERVICE REQUEST – csr

What is an Apple Push Notification service (APNs)Certificate and how does it work?
APNs certificates allow and enable for the safe, secure propagation of information/notifications to iOS and OS X devices with source of information/notifications originating from a XenMobile Server with a trusted and signed APNs certificate by Apple and Citrix. In this particular overview I am referring to MDM/Mobility vendor’s e.g Citrix, Airwatch by VMware, MobileIron etc.

APNs certificates allows any end-user to enroll his/her iOS device (iPhone, iPad) weather it be corporate or personally owned (BYO) against a XenMobile Server in order to obtain organisation specific configurations e.g Wi-Fi configurations and of course security leading best practise policies e.g the users PIN must be alphanumeric, 6 characters in length and must be changed once every 90 days to meet organisation password policy guidelines etc.

I wont attempt to explain how APNs certificates work technically I do understand it but I believe Apple’s documentation is simple very clear to understanding and provides a great overview of how APNS works and functions so please visit the following links – https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9.

Creating and renewing an APNS Certificate with IIS (SuGgEsTeD for PoC Environments + Draft)
0: You will require a valid Citrix partner account to access your Citix My Account – http://www.citrix.com/account.html and you will require a valid Apple ID to login into the APNs Portal to complete your APNs signing request and for on-going APNs maintenance i.e. renewing, revoking your APNs certs. If you do not have a valid Apple ID you can create one at the following link – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId.
1: Prior to creating your APNs cert you should consider the following which is will your customers PoC ever move to a pilot or event to production? If it may then you/they should carefully consider exactly where you will generate your Certificate Signing Request (CSR) for your APNs certificate to be used with the XenMobile.
2: Open up IIS on your chosen Windows Server and click Server Certificates and select “Create Certificate Request” and enter in the following information when requested into the “Distinguished Name Properties” pop-up window which appears and once completed click next and on the “Cryptographic Service Provider Properties” window select the “Microsoft RSA SChannel Cryptographic Provider” from the Cryptographic service provider and the Bit length of”2048″ from the dropdown lists. Then save the CSR on your desktop providing it with a name e.g XM_APNS-CSR.txt

IIS Request Your Response
Common Name e.g myMDM-for-xm-anps.axendatacentre.com
Organization
Organizational Unit
City/locality
State/province
Country/region

3: Next navigate to https://xenmobiletools.citrix.com/ from the IIS Windows server that you generated this XenMobile APNs CSR from and sign-in with your Citrix partner access details.
4: Upload your CSR as described on-screen at https://xenmobiletools.citrix.com/ which then return a *.plist file to download (Save it).
5: Next navigate to Apple’s Push Certificates Portal at – https://identity.apple.com/pushcert/ and login with your Apple ID. Next click “Create a Certificate” and upload your *.plist file that you downloaded from the XenMobile Tools portal as per step 4 above where instructed following the on-screen instructions. It will then prompt you to download a *.pem file ignore the filename e.g MDM_Zenprise.pem.
6: Import the *.pem file from the download APNs portal from step 5 above into IIS using the complete a CSR response and specific a friendly name (use the same common name you specified in step 2 above. Optional if your cert import fails the be sure to import Apples intermediate and root certificates from – http://www.apple.com/certificateauthority/ and repeat the import process once more. Also check out – http://support.apple.com/kb/ht5012 entitled “Lists of available trusted root certificates in iOS” for further help & guidance.
7: Export the imported APNs certificate via IIS and specify the path to save the cert which will be in *.pfx format and also specific a strong password to protect your APNs cert and finally note to self DO NOT FORGET the password.
8: When prompted during the XMS Admin WebUI configuration post completing the XMS CLI setup, follow the below import process in table format.

Import Keystore
Keystore Type PKCS #12
Use as APNs
Keystore file The path to your completed XM APNs cert which will be in *.pfx
Password The password you typed in at step 7 above

Creating and renewing an APNS Certificate with NetScaler (SuGgEsTeD + Draft)
Coming soon…

XenMobile Device Manager 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
APPLE PUSH NOTIFICATION SERVICE – apns
ROLE BASED ACCESS CONTROL – rbac
LIGHT WEIGHT DIRECTORY PROTOCOL – ldap
ACTIVE DIRECTORY – ad
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

Self-paced Online (SPO) XenMobile Device Manager Training
1: Course # CXM-200 entitled “Deploying Citrix XenMobile Device Manager Server” at – http://training.citrix.com/mod/ctxcatalog/course.php?id=834. Note at the time of writing this blog entry Thursday 17/07/2014 this SPO was freely available with a valid Citrix.com account.
2: Course # CXM-201
Administering and Managing Devices with Citrix XenMobile 9.0 – http://training.citrix.com/mod/ctxcatalog/course.php?id=923. Login to view the price at http://training.citrix.com.

XenMobile APNS Signing Portal
This service requires a valid Citrix.com partner access details to sign-in and sign your APNS CSR – https://xenmobiletools.citrix.com/. Please review the documented APNS process for XenMobile Device Manager at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-config-requesting-apns-con.html.

Handset Security
1: How do you know a handset is secure outside of MDM or EMM providers? Well I typically search for a security Whitepaper or security micro sites that covers off the h/w and or software security hardening of these mobile handsets and I have listed a few below enjoy. Note the resources are not listed in any particular order.

Samsung Knox – https://www.samsungknox.com/en/support/knox/white-paper

Windows Phone 8.1 Security Overview – http://download.microsoft.com/download/B/9/A/B9A00269-28D5-4ACA-9E8E-E2E722B35A7D/Windows-Phone-8-1-Security-Overview.pdf

iOS Security – http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

Android Security Overview – https://source.android.com/devices/tech/security/

XenMobile Enterprise 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Enterprise 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE ENTERPRISE – xme
XENMOBILE CLOUD – xc
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns
PUBLIC KEY INFRASTRUCTURE – pki

XenMobile Security
1: Citrix have published a Whitepaper in PDF format covering the security within XenMobile which can be downloaded directly at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf there is also a new security web page within the XenMobile microsite on Citrix.com at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
2: Security harden your XDM implementation leveraging Microsoft’s leading best practises I have listed below are a few (starter) useful resources. I always believe that you should challenge the way you are manage your infrastructure periodically from the services, ports, packages running on servers to the ACL at the edge of your network to ensure that you are using the latest leading best practises for monitoring, managing and supporting your environment(s) end-2-end and often this will require input from a Server, DBA SysAdmin & network engineer.

Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/gg236605.aspx
http://technet.microsoft.com/en-us/library/dd548350(v=ws.10).aspx

Windows Server 2012
http://technet.microsoft.com/en-us/library/jj898542.aspx
http://technet.microsoft.com/en-us/library/hh831360.aspx.

What’s New & Fixed
1: Support for Windows Phone 8.1 MDM API’s which include but not limited to software inventory, disabling of the camera, encryption e.t.c and for a complete list checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-config-win-81.html.
2: New MDX policies for Windows Phone 8.1 e.g Document exchange (Open In), App restrictions, iOS e.g AirDrop, Social media integration and others.

For a full list of MDX policies for iOS checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html and for Windows Phone 8.1 checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html.

3: Cloud enabled Enterprise Mobility Management (EMM) powered by with XenMobile Cloud – http://www.citrix.com/products/xenmobile/tech-info/cloud.html.

4: New RBAC options within XDM to optionally ring or disown devices.
5: IPv6 licensing is now supported for XDM 9.0 check out – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-xenmobile-licenses-con.html in addition checkout this Citrix Blog article for a set by step how-to – http://blogs.citrix.com/2014/07/02/install-license-server-for-xenmobile-device-manager-in-xenmobile-9-0/.
6: XDM clustering for multiple geographic sites so that the device management service is resilient to outages at individual sites – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-ha-wrapper-con.html.
7: FIPS Compliance – http://support.citrix.com/proddocs/topic/xenmobile-90/clg-appwrap-fips-con.html
8: Secret Vault for iOS and Android- http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-secret-vault-ios-andr.html.
9: Penetration tested by Veracode and Gotham who are specialists in digital science and research.
10: Full a complete and full list of Whats new in XenMobile 9.0 please take a look at – http://support.citrix.com/proddocs/topic/xenmobile/xmob-understand-whats-new.html.
11: XenMobile 9.0 – Issues Fixed in This Release – http://support.citrix.com/article/CTX140926.
12: Always check in with the XenMobile data sheet for the most up to date and accurate features and details for XenMobile vs. editions at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf?accessmode=direct.

Citrix Support Forums for XenMobile 9.0
You can access the latest online Citrix Discussions focused on XenMobile 9 at – discussions.citrix.com/forum/1487-xenmobile-9x/ and previous discussions can be found at – discussions.citrix.com/forum/302-xenmobile/, including ZenPrise 7.x.

Wrapping & Deploying Worx Mobile Apps for Windows Phone 8.1
1: This CTX article provides a lot of detailed pre-requites & FAQ – http://support.citrix.com/article/CTX200105.
2: http://blogs.citrix.com/2014/07/11/deploying-worx-home-and-worx-apps-to-windows-phone-8-1-with-xenmobile/.

Xenmobile 9 Basic Upgrade Video Demonstration

XME Supported Mobile OS/Hardware Platforms
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-device-platforms.html

XenMobile 9.0 MDM Policies by OS Platform
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-device-platform-matrix.html

XenMobile 9.0 Compatibility Matrix
Currently the following NetScaler (Gateway) builds are supported for XenMobile 8.6 and 8.7 is 10.1.124.1308.e and for XenMobile 9.0 the following are supported 10.1.126.1203.e, 10.1.124.1308.e and 10.5 reference – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-compatibilitymatrix-con.html.

Worx features by Platform
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-worx-feature-platform-matrix-con.html

XenMobile Public Key Infrastructure (PKI) Integration
Prior to implementing with XME I would suggest that you review and read through the PKI section in eDocs for XenMobile Enterprise 9.0 at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-security-pki-overview-con.html so that you are aware and familiar with the supported PKI capabilities supported by XenMobile 9.0. The below embedded videos are from Citrix TV and covering the Symantec PKI integration for XenMobile 9.0.


http://www.citrix.com/tv/#videos/10866XenMobile Symantec PKI Integration Part1


http://www.citrix.com/tv/#videos/10867XenMobile Symantec PKI Integration Part2

Deploying & Hardening XenMobile 9.0
1: Here is a really good blog article to help you understand XenMobile Bandwith requirements and considerations – http://blogs.citrix.com/2014/07/10/xenmobile-bandwidth/ .
2. How-to restrict the XDM admin console from the Internet when using SSL Offloading – http://blogs.citrix.com/2014/07/14/mobility-experts-restrict-xenmobile-device-manager-admin-web-console-access-from-internet-when-deployed-in-ssl-offload-mode/.