Tag Archives: Citrix

2017 UKI #CitrixPartnerLove Challenge #7 Stop the Difference

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://t.co/nqooPlWElw to print.

SAML Sign-in to Virtual Smartcard for Virtual Apps & Desktops

The following content is a brief and unofficial prerequisites guide to set up, configure and test access to virtual apps and desktops authenticated via a SAML IdP (Google OAuth), powered by XenApp & XenDesktop 7.14.1+ and NetScaler Unified Gateway 11.1, prior to deploying a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or leading best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
FEDERATED AUTHENTICATION SERVICE – fas
SECURITY ASSERTION MARKUP LANGUAGE – saml
IDENTITY PROVIDER – idp
SERVICE PROVIDER – sp
USER AGENT – ug
NETSCALER UNIFIED GATEWAY – nug or netscaler ug
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
STOREFRONT – sf

What is OAuth?
Wikipedia definition – https://en.wikipedia.org/wiki/OAuth and Google’s definition – https://developers.google.com/identity/protocols/OAuth2.

What is SAML?
Wikipedia definition – https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language.

Why this blog article?
For me, as organisations begin shifting to a Cloud native or Cloud First (I prefer hybrid cloud) strategy they begin to embrace PaaS e.g. Citrix Cloud, Office 365, BUT a common major problem is where does the user’s identity live and do I need to replicate it (read-only, passwd hashes etc.), and secondly mobilising data repositories is another major requirement vs. problem. ShareFile can help in solving your data mobilisation problems, which I will expand upon in a separate blog article in the future, but for now back to SAML and Identity.

Utilising the Federated Authentication Service, or FAS for short, which is part of XenApp and XenDesktop (see feature matrix – https://www.citrix.co.uk/products/xenapp-xendesktop/feature-matrix.html), in line with NetScaler UG enables organisations to solve numerous problems about identity (where it lives vs. where it’s synced to, e.g. data centres A through C), enabling access to any type of app fronted by NetScaler Unified Gateway working inline with FAS.

NetScaler for me is your organisation’s front door (knock knock), e.g. https://go.axendec.com or, if you know me, #10 Downing Street, from any device, and it controls how users authenticate, e.g. AD, AAD, SAML vs. OAuth 2.0, Biometrics (e.g. VeridiumID watch – https://www.veridiumid.com/video-citrix-ready-partnerspeak-veridium/ which is Citrix Ready, and be sure to check out https://www.veridiumid.com/biometric-authentication-technology/biometric-connectors/); however in this scenario I’ll focus on access from devices that support a modern web browser (HTML5) to keep it simple. The table below depicts a user that has successfully logged on to NUG with SAML vs. OAuth 2.0 credentials; they can go left towards SaaS web apps or right towards virtual apps & desktops, where FAS + StoreFront + internal Windows CA will generate a virtual smart card from the SAML token passed from NetScaler to SSO onto the required resource, e.g. a Windows Server 2016 virtual desktop.

| SaaS | NetScaler Unified Gateway | Virtual Apps & Desktops |
| --- | --- | --- |
| | User logs in with SAML credentials e.g. AAD, Google OAuth 2.0 | |
| Office365 | ← SAML or OAuth 2.0 Token → | XenApp & XenDesktop, StoreFront, FAS & Internal Windows CA |

PoC SuGgEsTeD Architecture Diagram – BASIC
I have gone for a very simple diagram approach here to help those with little to no knowledge of SAML, OAuth 2.0, AD shadow accounts and virtual smart cards get up to speed.

User Login Flow (not step by step; it’s high level)
1. The user navigates to the SAML IdP logon webpage set up, configured and hosted by NetScaler UG.
2. The user is automatically redirected to the Google auth login web page to authenticate.
3. Once the user is successfully authenticated at Google they are redirected back to the NetScaler UG, auto signed in and auto redirected (Responder Policy) to the configured Unified Gateway (my use case here) or ICA Proxy vServer.
4. The user can then select from a choice of Full vs. Clientless VPN or Virtual Apps & Desktops (Selected). Note that the username will be user@domain while still on the NetScaler UG.
5. The user is SSO’d onto Receiver for Web hosted + powered by StoreFront and selects to launch their chosen HDX virtual app and/or desktop(s); you’ll now notice that the username is now first name, last name.
6. StoreFront generates an ICA/HDX file for the user while communicating with FAS + internal Windows CA to generate a virtual smart card for the user that will be used to SSO the user onto their requested resource(s) e.g. a Virtual Desktop.
7. The user receives the ICA/HDX file and Receiver automatically launches his/her virtual app and/or desktop.

Demonstration WhoamI?

PoC SuGgEsTeD Architecture Diagram – ADVANCED

The Actual Login Flow
Coming…*

Prerequisites & System Requirements – Google OAuth 2.0
1. Navigate to https://console.developers.google.com/projectselector/apis/credentials and sign in with your Google credentials.
2. Select “Credentials” under API Manager then select to “Create” a Project.
3. Enter in a new “Project Name” and read and review Google’s EULA and notification service about updates etc.
4. Google will create your Project.
5. Select “Create credentials” and from the drop down select “OAuth client ID”.
6. Configure “OAuth consent screen”; the bare minimum is to select “Product name shown to users” e.g. MYProJectName and then select “Save”. You can return later and complete …
7. Now you need to create a client ID; select the application type to be “Web Application”.
– Enter in a friendly name.
– For “Authorized JavaScript origins” enter in your FQDN with port “:4443”, e.g. https://YOUR-FQDN:4443
– For “Authorized redirect URIs” enter in your FQDN with port “:4443” and the path /oauth/login, e.g. https://YOUR-FQDN:4443/oauth/login
– Select “Create” twice.
Google will now create your OAuth credentials and a popup screen will appear with your “Client ID” e.g. xnxnxnxnxnxnxnxnxnxnx.apps.googleusercontent.com and “Client Secret” e.g. 123456789xnxnxn
8. Now store a copy of these in a safe place as you’ll need them for the NetScaler configuration later.
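The redirect that these values drive (login flow steps 2 and 3), shown as an added example that is not from the original post and is not NetScaler's own code: it checks the two step 7 values for consistency, builds the request to Google's authorization endpoint with a per-login `state`, and validates the callback on /oauth/login. The function names are hypothetical and the FQDN, client ID and authorization code are placeholders or constructed values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Placeholders taken from the steps above; substitute your own values.
AUTHORIZED_ORIGIN = "https://YOUR-FQDN:4443"
REDIRECT_URI = "https://YOUR-FQDN:4443/oauth/login"
CLIENT_ID = "xnxnxnxnxnxnxnxnxnxnx.apps.googleusercontent.com"


def check_registration(origin, redirect_uri):
    """Return a list of problems with the two values entered in step 7."""
    problems = []
    o, r = urlsplit(origin), urlsplit(redirect_uri)
    if o.scheme != "https" or r.scheme != "https":
        problems.append("both values must use https")
    if o.path or o.query or o.fragment:
        problems.append("an origin is scheme://host:port only, no path")
    if r.fragment:
        problems.append("redirect URI must not contain a fragment")
    # Consistency check for this setup, where both values point at the
    # same NetScaler listener on port 4443.
    if o.netloc.lower() != r.netloc.lower():
        problems.append("redirect URI host:port differs from the origin")
    return problems


def build_authorization_request(client_id, redirect_uri, scope="openid email"):
    """Return (url, state). The state is kept server-side for the callback."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the registered value exactly
        "response_type": "code",
        "scope": scope,
        "state": state,
    })
    return f"{GOOGLE_AUTH_ENDPOINT}?{query}", state


def validate_callback(callback_url, registered_redirect_uri, expected_state):
    """Return the authorization code from the callback or raise ValueError."""
    cb, reg = urlsplit(callback_url), urlsplit(registered_redirect_uri)
    if (cb.scheme, cb.netloc.lower(), cb.path) != (reg.scheme, reg.netloc.lower(), reg.path):
        raise ValueError("callback did not arrive on the registered redirect URI")
    params = parse_qs(cb.query)
    if "error" in params:
        raise ValueError(f"IdP returned an error: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response does not
    # belong to a login this service started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    print(check_registration(AUTHORIZED_ORIGIN, REDIRECT_URI))
    url, state = build_authorization_request(CLIENT_ID, REDIRECT_URI)
    print(url)
    # Constructed callback, as Google would send the browser back.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    print(validate_callback(callback, REDIRECT_URI, state))
```

The authorization code returned here is what gets exchanged, together with the Client Secret from step 7, for tokens on a back channel; the secret itself never appears in a browser URL.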

Prerequisites & System Requirements – Citrix
NetScaler
1. Review the deploying NetScaler guide for your chosen resource location at – http://docs.citrix.com/en-us/netscaler/12/deploying-vpx.html. If you’re wondering what a Resource Location is, see – http://docs.citrix.com/en-us/citrix-cloud/overview/about/what-are-resource-locations.html.
2. Download vs. deploy your NetScaler virtual appliance on your own terms e.g. upload and boot on a hypervisor vs. deployed via an IaaS market place.

– Traditional hypervisor configurations for PoC vs. Home purposes only: 2vCPU, 2-4GB of RAM
– Cloud hypervisors e.g. Azure, AWS for PoC vs. Home purposes only: 2vCPU, 3.5GB of RAM

3. Licensing Your NetScaler
3.1 You’ll need to license the appliance, so obtain a trial of e.g. VPX 1000 and/or 3000 from http://store.citrix.com/store/citrix/en_US/pd/productID.278306700/ThemeID.33753000 or search for Citrix Eval Store at Google.com.
3.2 The above link should redirect you to the NetScaler ADC part of the Eval Store.
3.4 Select model type of “VPX” then select variation e.g. “1000 vs. 3000 Platinum” and for duration select “30, 60 or 90 Days“.
3.5 Complete the onscreen steps and please note that you will require a valid Citrix.com account, or you need to create an account, in order to complete the trial request to obtain the eval license.
3.6 Once you’ve received your eval license via email navigate to https://www.citrix.com/account/toolbox/manage-licenses/allocate.html and select find and allocate your licenses, or look for the licensing button (link) and select it.
3.7 If your eval license is not visible, e.g. created by a Citrix rep or one of our partners – https://www.citrix.com/buy/partnerlocator/, select “Don’t see your product?” top right-hand side (small text!). A pop-up appears; now enter in the eval lic provided in the format of “NNNN-XXXXX-XXXXX-XXXXX-XXXXX” and select to continue.
3.8 You will need to enter in the Host Id of your NetScaler. It can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information”, then look under the heading “Hardware Information” and you’ll find “Host Id”. Copy and paste it into the required field and then download the license file.
3.9 In the NS Admin Web UI click the cog icon top right, then select licensing, upload the license and select to reboot the NS to apply the license.
3.10 Your NetScaler is now licensed; now simply enable the features that you need vs. require by right clicking a feature e.g. NetScaler Gateway and selecting “enable” etc.

4. If you’re in a Public Cloud, set up your (Network) Security Groups to allow external traffic to your NetScaler. I’d suggest that you disable SSH on port 22 from the world, only enable https 443, and use a Windows server + PuTTY within your Azure RG vs. EC2 VPC to interact with your NetScaler. Note: I am keeping it simple here re DMZ/Edge vs. TRU vs. Mgmt networks. Traditional rules apply for Private Cloud setups or WWW vs. DMZ vs. TRU vs. Mgmt networks.
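A check for the rule set suggested in step 4, as an added example that is not from the original post: it flags inbound allow rules that expose SSH, or any port other than the intended public ones, to every source address. The rule format is a simplified, constructed shape rather than the Azure or AWS API format, rule priority is not modelled, and all names are hypothetical.

```python
import ipaddress

# Constructed inbound rules in a simplified, provider-neutral shape.
SAMPLE_RULES = [
    {"name": "allow-https", "source": "0.0.0.0/0", "ports": "443", "action": "allow"},
    {"name": "allow-ssh-any", "source": "0.0.0.0/0", "ports": "22", "action": "allow"},
    {"name": "allow-mgmt-range", "source": "*", "ports": "20-25", "action": "allow"},
    {"name": "allow-8443-any", "source": "::/0", "ports": "8443", "action": "allow"},
    # SSH only from the jump host inside the same virtual network.
    {"name": "ssh-from-jumphost", "source": "10.0.1.4/32", "ports": "22", "action": "allow"},
    {"name": "deny-rest", "source": "*", "ports": "*", "action": "deny"},
]

# Source values that mean "any address" besides a /0 prefix.
WORLD_ALIASES = {"*", "any", "internet"}


def is_world(source):
    """True when the source matches every address (0.0.0.0/0, ::/0, '*')."""
    if source.lower() in WORLD_ALIASES:
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def port_span(ports):
    """Turn '443', '20-25' or '*' into an inclusive (low, high) pair."""
    if ports == "*":
        return 0, 65535
    low, _, high = ports.partition("-")
    return int(low), int(high or low)


def audit(rules, public_ports=(443,)):
    """Return (rule name, reason) for each allow rule that is open to the
    world on anything other than the ports meant to be public."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not is_world(rule["source"]):
            continue
        low, high = port_span(rule["ports"])
        if low <= 22 <= high:
            # A range such as 20-25 exposes SSH just as a bare 22 does.
            findings.append((rule["name"], "SSH (22) reachable from the world"))
        elif any(p not in public_ports for p in range(low, high + 1)):
            findings.append(
                (rule["name"], f"ports {rule['ports']} reachable from the world")
            )
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Pass a different `public_ports` tuple if more than one listener has to be reachable from outside.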

Federated Authentication Service (FAS)
1. Download the FAS software, which is part of the XAD 7.9+ ISO – https://www.citrix.co.uk/downloads/xenapp-and-xendesktop/ and select 7.15 LTSR
2. System Requirements – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html
3. Deploy GPO Policies – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_6ba9/
– List + Enable XAD Broker/Controller
– Enable in-session certificate support
4. Certificate Authority – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_27dd. You may require or choose an Internal Microsoft Windows CA 2012 R2 or 2016 (tested with in this PoC)
– Active Directory Certificate Services – https://technet.microsoft.com/en-us/library/hh831740.aspx
– Configuring Windows for Certificate Logon – http://support.citrix.com/article/CTX206156
– Setup Certificate Authority – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_8dfa
5. VERY IMPORTANT: when configuring User Rules for FAS, list all the required StoreFront Servers, VDAs and User(s) either by individual object or group e.g. AD Security group PoC SAML Users – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_6ba3
6. Enable FAS for the default or custom Store on StoreFront – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_32e2
7. A full AD Admin account for all components will help and save time during the PoC

Deploying @gmail login to NetScaler using OAuth 2.0 / SAML
Coming….

Recommended Reading
– Credit to Citrix *CTP Dave Brett – http://bretty.me.uk/citrix-xendesktop-7-9-google-accounts-and-fas-for-xendesktop/ and I’d strongly recommend you read his blog post! His approach vs. requirements differs slightly from that of my own requirements. He saved me a lot of time in testing + reading through eDocs so @dbretty thank you!
– Configure StoreFront with OKTA (CTX232042) – https://support.citrix.com/article/CTX232042
Integrating NetScaler with Microsoft Azure Active Directory
– Credit to Citrix CTP Aaron Parker – Integrating Citrix NetScaler with Azure AD and Conditional Access


#CitrixPartnerLove
However, in the *interim, if you’re a Citrix Partner and you want to learn more and how to deploy this today, you can access the following on-demand session entitled “SAML to Virtual Smartcard Sign-in for Virtual Apps & Desktops” at – http://enablement.citrix.com/library/items/1261 BUT you will require a valid Citrix partner login.

Top 10 Suggested Unified Experience Tips for Citrix Users 2016

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENDESKTOP – xd
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
EXPERIENCE 1st – x1
XENAPP – xa
VIRTUAL DESKTOP – vd
THINWIRE COMPATIBLE MODE – tcm also known as ecm or thinwire+
SELF-SERVICE PASSWORD RESET – sspr
VIRTUAL GPU – vgpu
PROOF OF CONCEPT – poc

Suggested Top 10 for 2016
This is numbered 1 through 10 but in reality is in no particular order!

1. E-mail discovery for Citrix Receiver using DNS SRV records – http://docs.citrix.com/en-us/receiver/windows/4-3/receiver-windows-install-wrapper/receiver-windows-cfg-command-line-42.html internally and externally on the Gateway – http://docs.citrix.com/en-us/netscaler-gateway/10-1/ng-xa-xd-integration-edocs-landing/ng-clg-integration-wrapper-con/ng-clg-session-policies-overview-con/ng-clg-storefront-policies-con/ng-clg-storefront-email-discovery-tsk.html.
2. Implement SplitDNS or more technically correct “split-horizon DNS” – https://en.m.wikipedia.org/wiki/Split-horizon_DNS my favourite personally over email based discovery :-)!
3. Brand your NetScaler (Unified) Gateway – http://docs.citrix.com/en-us/netscaler-gateway/11-1/vpn-user-config/custom-portal.html and App Store (StoreFront) – http://docs.citrix.com/en-us/storefront/3-7/manage-citrix-receiver-for-web-site/unified-receiver-experience.html to match and keep it clear, clean and simple!

4. Implement HDX Adaptive Display v2 available in 7.11+ – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/policies/reference/ica-policy-settings/graphics-policy-settings.html as your default Graphics Mode and if you can’t then Thinwire Compatible Mode – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/hdx/thinwire.html.

5. If using Skype for Business 2015 or 2016 implement the HDX RealTime Optimisation Pack 2.x.n http://docs.citrix.com/en-us/hdx-optimization/2-1/hdx-realtime-optimization-pack-overview.html to offload the video/audio to the local end-points (Windows, Mac and Linux) saving on backend compute and density loss for XenApp.*

6. Implement domain pass-through for internal users – http://docs.citrix.com/en-us/storefront/3-7/plan/user-authentication.html.
7. Deploy the (latest) HTML5 Receiver for remote access – http://docs.citrix.com/en-us/receiver/html5/2-2/user-experience.html.

8. When using Citrix Receiver for Windows (with HDX engine 14.4), the GPU can be used for H.264 decoding wherever it is available at the client – http://docs.citrix.com/en-us/receiver/windows/4-5/improve.html.
9. Deploy Self-Service Password Reset (SSPR) – http://docs.citrix.com/en-us/self-service-password-reset/1-0.html.

10. Probably the most difficult to justify re the cost(s), but assigning a low end vGPU GRID profile or utilising the Intel Iris Pro Graphics with XenServer 7 to provide enough/suitable GPU capacity to all virtual apps & desktops (oldish and modern) provides a much better experience, so set up a PoC to see and try it for yourself. Finally, NVidia now supports H.264 offloading onto their GRID Cards in 7.11 🙂 – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/whats-new.html#par_anchortitle_59c9.

HDX Thinwire “For actively changing regions” or HDX Adaptive Display v2

The following content is a brief and unofficial overview of the new HDX policy setting that enables HDX Adaptive Display v2. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENSERVER – xs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
HDX ADAPTIVE DISPLAY V2 – hdxadv2

Introduction
The following capability is also referred to as Selective use of H.264, Selective H.264, HDX Adaptive Display v2 and Hybrid mode – https://www.citrix.com/blogs/2016/09/28/hdx-graphics-gone-hybrid/. In this blog post it’s referred to as “HDX Adaptive Display v2”, but its technically accurate name from eDocs is “Selective use of a video codec (H.264) to compress graphics” as referred to here – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/whats-new.html#par_anchortitle_59c9.

Overview
In the release of XAD 7.11 (Seven11) a new Thinwire HDX policy option was released as part of the policy “Use video codec for compression”: selecting the option “For actively changing regions” enables HDX Adaptive Display v2 – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/whats-new.html#par_anchortitle_59c9. It blends the Citrix HDX Graphics modes H.264 & Thinwire Compatible Mode together to offer the best UX, and takes a balanced approach by applying the most relevant HDX graphics mode to offer a rich, HD or near local-like experience while balancing compute and network resources between the server and/or desktop VDA, over the organisational network or internet, to the user’s end-point.

The following CTX blog article – https://www.citrix.com/blogs/2016/09/28/lossless-compression-lowering-the-cost-of-pixel-perfection/ most accurately describes the what, the how and the why, so be sure to read it and watch the following YouTube video demonstration entitled “Citrix Desktop Master Class – Adaptive Display v2 Demo by Lee Bushen“.

Understanding Actively Changing Regions
If you take a look at the below example of a YouTube web page (rendered in HTML in Oct 2016), e.g. delivered as a virtual app published internet browser or within a virtual desktop, HDX Adaptive Display v2 will selectively utilise H.264, Thinwire and overlay lossless text when you access it.

To understand this in greater detail please refer first and foremost to this Citrix blog article – https://www.citrix.com/blogs/2016/09/28/lossless-compression-lowering-the-cost-of-pixel-perfection/ and then watch “Citrix Desktop Master Class – What’s New in XenApp/XenDesktop 7.11 – Sept 2016” available at – https://www.youtube.com/watch?v=rGHdTX202_U but scrub to 1:12:00 if you just want to understand HDX Adaptive Display v2 in greater detail.

[Example page layout: name of application e.g. an Internet Browser; organisation logo, banner of YouTube Channel; YouTube menu; YouTube video; title; description; YouTube Channels; organisation Videos Library; six YouTube video thumbnails, each with title and owner; Start menu, taskbar and notification centre]

What’s New and Understanding Citrix XenApp & XenDesktop 7.11 (Seven 11)

The following content is a brief and unofficial prerequisites guide to set up, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop 7.11 (Seven 11) prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
EXPERIENCE 1st – x1
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
THINWIRE COMPATIBLE MODE – tcm also known as ecm or thinwire+
UNIVERSAL WINDOWS PLATFORM – uwp
FEDERAL INFORMATION PROCESSING STANDARD – fips
SELF-SERVICE PASSWORD RESET – sspr
PROVISIONING SERVER – pvs
MACHINE CREATION SERVICES – mcs
AZURE RESOURCE MANAGER – arm

What’s New
1. XAD 7.11 infrastructure support on Windows Server 2016 for the Controller, StoreFront, Studio, Director, Server VDA, Session Recording Server & Agent, Universal Print Server.
2. Self-Service Password Reset 1.0 (SSPR) is now part of the StoreFront 3.7 & XAD 7.11 (Platinum feature) release and can be installed on Windows Server 2008 R2, 2012 R2 and 2016* and allows users to unlock or reset their AD passwords through a series of questions. For a detailed overview please read the CTX blog entitled “StoreFront 3.7 has been released!“- https://www.citrix.com/blogs/2016/09/14/storefront-3-7-has-been-released/

3. SQL Server 2014 Express is still installed by default when installing the XAD Controller, which became the default in the XAD 7.9 release ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/whats-new.html#par_anchortitle_ddbe so be aware of the installation behavioural changes for SQL. SQL Server 2016 is now supported ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/system-requirements.html#par_anchortitle_384a and for a full list of the supported databases for XAD please refer to http://support.citrix.com/article/CTX114501 which contains an up to date tabular view of XAD versions vs. SQL versions and which are and aren’t supported! Finally, DB sizing can be found by referring to the LTSR release of XAD 7.6 at – http://docs.citrix.com/en-us/categories/solution_content/implementation_guides/database-sizing-guidance-for-xendesktop-7-6.html which has great guidance on database sizing for XAD 7.6+.

4. Publishing URLs, documents and media files from network shares (WAHOO!) is now available as part of the XAD 7.11 release. It currently only supports publishing of content via PoSH cmdlets; all the examples and a detailed overview of the feature are available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/install-configure/publish-content.html*.

Example Publishing a Word Document from Citrix eDocs*
New-BrokerApplication -Name ReadMe -PublishedName "ReadMe Document" -ApplicationType PublishedContent -CommandLineExecutable \\MyFolderShare\Documents\ReadMe.doc -DesktopGroup Content

5. Use of System Center Virtual Machine Manager to provision VMs used to create AppDisks. If you are unfamiliar with AppDisks the following YouTube video from the Citrix channel demonstrates how to set up, create and assign your AppDisks to users’ virtual desktops. There is also a fantastic AppDisks FAQ available at – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-8/downloads/AppDisk%20FAQ.pdf

6. Installation behavioural changes for CIS programs entitled “Citrix Customer Experience Improvement Program (CEIP)” and “Citrix Call Home“. For more information please refer to and read – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/manage-deployment/cis.html.
7. New HDX enhancements include:

– A new HDX policy setting combining Thinwire Compatible Mode (ECM) and H.264 can be enabled by selecting the policy “Use video codec for compression” and choosing “For actively changing regions”. If you do not, then the default HDX graphics mode is used, which is “Use video codec for compression” set to “Use video codec when preferred”. For a more detailed overview please check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/policies/reference/ica-policy-settings/graphics-policy-settings.html.
– Up to 5% bandwidth reduction with the new behavioural enhancements for video content with Thinwire; requires XAD 7.11 with either Windows Receiver 4.5 or Linux 13.4.
– Support for USB generic mass storage devices for XenApp
– TWAIN 2.0 scanning protocol support with Windows Receiver 4.5+
– New behavioural changes for the optimisation of client USB devices – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/policies/reference/ica-policy-settings/usb-devices-policy-settings.html
– Support for publishing universal apps for Windows 10, Server 2016 using the Microsoft Universal Windows Platform (UWP).
– Support for H.264 hardware encoding with supported nVidia GPU cards (NVENC hardware encoding – https://developer.nvidia.com/nvidia-video-codec-sdk); also read the post entitled “Better Together: Citrix XenDesktop 7.11 + NVIDIA GRID” at – https://blogs.nvidia.com/blog/2016/09/14/citrix-xendesktop-nvidia-grid/!
– Default VDA policy settings for XAD 7.11 – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/policies/policies-default-settings.html

8. StoreFront 3.7 includes SSPR 1.0 as mentioned above in point 2, plus UI support for small form factor devices, improving the user’s overall experience when you configure the unified Citrix Receiver experience on StoreFront against your Store(s), which can be configured by referring to – http://docs.citrix.com/en-us/storefront/3-7/manage-citrix-receiver-for-web-site/unified-receiver-experience.html so when connecting from e.g. Safari on an iPhone your end-user’s experience is way better; try it for yourself! Finally, a great enhancement to Zones in StoreFront 3.7 & XAD 7.11 is that client location based zone preference now passes the zone information to the controller (required configuration – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/manage-deployment/zones.html#par_anchortitle_1db7), which in turn utilises this information to select the more appropriate workstation/server VDAs that are closest in proximity to the user, so when connecting to virtual apps & desktops they receive the best rich HD experience possible.
9. Windows Server 2016 analysis and reporting including Expanded security analysis with AppDNA 7.11 – http://docs.citrix.com/en-us/dna/7-11/whats-new.html.
10. Automate Director notifications with Citrix Octoblu – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/director/alerts-notifications.html#par_anchortitle_1d19. For a detailed overview and look at this integration be sure to read the blog post – http://horacegoesskiing.com/index.php/2016/09/16/using-xenappxendesktop-7-11-alert-policies-with-octoblu/.
11. Support for Windows Server 2016 as a server and a target platform for PVS 7.11 including an enhanced diagnostic model so much more so be sure to review the PVS 7.11 online documentation at – http://docs.citrix.com/en-us/provisioning/7-11.html.
12. Citrix XenApp and XenDesktop 7.6 FIPS 140-2 Sample Deployments (Technically NOT new but very useful for Citrix customers and partners alike) – http://docs.citrix.com/content/dam/docs/en-us/categories/public-sector/downloads/Citrix%20XenApp%207.6%20and%20XenDesktop%207.6%20FIPS%20140-2%20Sample%20Deployments.pdf
13. Provisioning Citrix workloads in Microsoft Azure using ARM is now available. For a detailed how-to read – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/install-configure/install-prepare/azure-rm.html but before deploying your VMs be sure to read the following whitepaper entitled “The scalability and economics of delivering Citrix XenApp services from Microsoft Azure” available from – https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/xa711-scalability-azure-rm.pdf. To get started with deploying and using XenApp 7.x in Azure take a look at deploying the XenApp Trial in the Azure Marketplace at – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/citrix-xacitrix-xa-trial/ which will give you a complete XA 7.x environment in Azure along with StoreFront, NetScaler and 2x VMs, one to deliver a server virtual desktop and the other for delivery of just virtual apps.
14. Citrix Receiver 7.1 is ready for iOS 10 – https://www.citrix.com/blogs/2016/09/15/citrix-receiver-ready-for-ios-10/.
15. Finally be sure to check out and be aware of the list of known issues with XAD 7.11 release at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/whats-new/known-issues.html

* Microsoft Windows Server 2016 is currently still in TP and is not officially released as of writing this blog post.

For a completely detailed summary of what is available in XAD 7.11 (Seven 11) check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/whats-new.html.

XenApp and XenDesktop 7.x.n (As of this blog post its 7.11) Features
https://www.citrix.com/go/products/xendesktop/feature-matrix.html

Quick upgrade guide to XenApp 7.11 and XenDesktop 7.11 by #Citrix #CTP @ervik
http://www.ervik.as/quick-upgrade-guide-to-xenapp-7-11-and-xendesktop-7-11/

Upgrading My Azure XAD 7.9 environment to XAD 7.11
Coming…

Installing a XAD 7.11 PoC environment on Azure
I have tested installing XAD 7.11 (Seven 11) onto Windows Server 2016 Technical Preview 5 or TP5 on Azure via the Azure Market Place – https://azure.microsoft.com/en-us/marketplace/?term=Windows+Server+2016+TP5. The CLEAN installation that I performed did not have any issues or errors; however, when creating the machine catalog for Windows Server 2016 TP5, even after installing the Server VDA 7.11, it will revert to the recommended VDA release of 7.8 only, so you have been warned!

Once Microsoft releases Windows Server 2016 officially I will follow-up with an overview of setting up and configuring XAD 7.11 on Windows Server 2016 hosted on Microsoft Azure.

Scheduled & Coming…

What’s new with XenApp/XenDesktop 7.6 Feature Pack (FP3)

The following content is a brief and unofficial prerequisites guide to set up, configure and test XenApp, XenDesktop FP3 prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
EXPERIENCE 1st – x1
STOREFRONT SERVER – sfs
FEATURE PACK – fp
THINWIRE PLUS – thinwire +
THINWIRE COMPATIBLE – thinwire c
USER EXPERIENCE – ux

What is new in FP3?
0: ++An absolute MUST read entitled “HDX Graphics Modes – Which Policies Apply to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.6 FP3” which is available at – http://support.citrix.com/article/CTX202687 prior to implementing any of the new graphics mode/encoder(s) within XAD 7.6 FP3.
1: Support for Windows 10 Enterprise Edition, in the Standard VDA for Windows Desktop OSes.
2: HDX Broadcast updates include the following:

– Framehawk (Admin guide – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Framehawk%20Administration%20Guide.pdf) virtual display channel is integrated into the standalone VDA package.
– Thinwire Compatible Mode – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-hdx-landing/thinwire-compatibility-mode.html also referred to as Thinwire +/Plus is the very latest encoder to deliver a fantastic and rich X1 UX for virtual apps and desktops delivered from Windows Server 2012 R2, Windows 8.1 and 10 powered by XAD 7.6 FP3. To learn more check out – https://www.citrix.com/blogs/2015/10/09/a-big-leap-in-ica-protocol-innovation-for-citrix/. Set the “Use video codec for compression” policy to “Do not use”, which will force the use of Thinwire Compatibility Mode by default for user ICA/HDX sessions on XAD 7.6 FP3.

HDX Framehawk Performance in XenApp and XenDesktop 7.6 FP3

3: ++Updated Studio built-in policies ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-templates.html which include the following:

– Very High Definition User Experience+
– High Server Scalability *+
– High Server Scalability-Legacy OS **
– Optimized for WAN *+
– Optimized for WAN-Legacy OS **
– Security and Control

+ New or adjusted to meet today’s new requirements
* Windows 8.1-10, Windows Server 2012 R2
** Windows 7, Windows Server 2008 R2

4: Support for signature devices (Wacom) and drawing tablets which can be applied by adding the following USB device policy settings ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-settings-wrapper/xad-policies-settings-ica/xad-policies-settings-usb.html.
5: The HDX 3D Pro VDA used to deliver HDX Rich Graphical apps now supports full-screen apps including 3D and gaming apps within single monitor for ICA sessions.
x: For a full and complete list with accurate descriptions and overviews please check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-whats-new.html.

What’s new with StoreFront 3.0.1?
This release contains a number of fixed issues ref – http://docs.citrix.com/en-us/storefront/3/sf-about-30/fixed-issues.html including support for TLS 1.0-1. Please beware that SSL 3.0 is NOT supported and Citrix strongly recommends that you do not use it.

XenApp 7.6 XenDesktop 7.6 including Feature Pack (FP) 1

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenApp 7.6, XenDesktop 7.6 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
VIRTUAL DELIVERY AGENT – vda
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – ldap
ACTIVE DIRECTORY – ad
CERTIFICATE SIGNING REQUEST – csr
CONNECTION LEASING – cl
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns
DYNAMIC HOST CONFIGURATION PROTOCOL – dhcp
FEATURE PACK – fp

What’s New now with Feature Pack 1 (FP1)
0: If you are new to XenDesktop 7.x, XenApp & XenDesktop 7.5, 7.6 then I would suggest that you begin by reading and reviewing the Technical Overview of XAD 7.6 – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-architecture-article.html and follow on by understanding the System Requirements for XAD 7.6 at – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-system-requirements-76.html.
1: XenApp – http://www.citrix.com/products/xenapp/whats-new.html.

2: XenDesktop – http://www.citrix.com/products/xendesktop/whats-new.html.
3: How to setup and configure session pre-launch and linger for XAD 7.6 – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-dg-manage-sessions.html#xad-dg-manage-sessions__prelaunch-linger, including a video from Citrix TV embedded below.
4: Connection Leasing (previously, or rather similar to, Local Host Cache (LHC) under XenApp 6.x and downwards) allows end-users within your organisation to continue to access Citrix published desktops and applications even if your MS SQL highly available database is offline, using the new feature in XAD 7.6. Please note that you should always still have a H/A SQL database environment in place, and connection leasing does require the 7.6 VDA. For more information please read and review – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-connection-leasing.html#xad-connection-leasing.
5: How-to perform a XenApp 6.5 migration – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-xamigrate.html#xad-xamigrate. Migrations from previous versions of XenApp 6.x and XenDesktop 4.x, 5.x are covered in the general eDocs node at – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-upgrade-existing-environment.html.
6: Overview & Understanding High Definition eXperience (HDX) under XAD 7.6 including Flash and USB/Drive redirection, GPU Sharing and Network traffic priorities – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-hdx-landing.html.
7: For a complete and full list of what’s new in XenApp 7.6 and XenDesktop 7.6 take a look at – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-whats-new.html.
8: What’s new in the XAD 7.6 FP1? Check out http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-whats-new-7-6fp1.html for a list of the full details. I’ve provided a summary below of what it includes:
– Session Recording, which was formerly Smart Auditor.
– Updated Citrix Licensing.
– Updated Director, which includes enable/disable session recording; for the detail check out http://support.citrix.com/article/CTX142260.
– HDX Real-Time Optimization Pack 1.7 for Microsoft Lync 2013; the details are at – http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-17/lync-realtime-optimization-pack-17.html.

Detailed How-to Upgrade to Citrix Receiver 4.2.x.n
1: Learn what is required in order to perform an upgrade of your existing Citrix Receiver 3.4 implementation to 4.2.100 by downloading this handy and useful PDF best practises guide at – http://docs.citrix.com/content/dam/en-us/receiver/windows/4-2/downloads/Receiver_for_Windows_4.2_Upgrade_Best_Practice_Guide.pdf.
2: It is also worth mentioning that the current new Citrix Receiver for Windows 4.2.x.n now supports TLS 1.1, 1.2, Start menu integration & shortcut management, USB 3.0 and so much more. Please check out – http://support.citrix.com/proddocs/topic/receiver-windows-42/receiver-windows-42-about.html#receiver-windows-42-about for more information, so upgrading does and will provide numerous useful benefits for CTX SysAdmins and their end-users.

Upgrading & Migration
1: XenApp 7.5 Migration Guide – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenapp-75-migration-guide.pdf.
2: Upgrading & Migration Microsite for XenApp 6.x to XenApp 7.5 – http://www.citrix.com/products/xenapp/tech-info/upgrade.html.
3: Introduction to XenApp 7.6 Upgrade Planning recorded GoToWebcast from 07/10/2014 available at – https://citrix.webcasts.com/viewer/event.jsp?ei=1040823. If you would like an overview please read the original events web page at – http://www.citrix.com/events/introduction-to-xenapp-76-upgrade-planning.html.

Citrix Education
1: CXA-104 Citrix XenApp 7.6: Overview – http://training.citrix.com/mod/ctxcatalog/course.php?id=925.
2: CXA-105 Getting Started with Citrix XenApp and XenDesktop 7.6 – http://training.citrix.com/mod/ctxcatalog/course.php?id=973.
3: CXA-208 Moving to XenApp 7.6 – http://training.citrix.com/mod/ctxcatalog/course.php?id=1096.
4: CXD-105 Citrix XenApp and XenDesktop Help Desk Support – http://training.citrix.com/mod/ctxcatalog/course.php?id=1011.

GUI Installation & Overview for XenApp 7.6, XenDesktop 7.6
1: XenApp 7.6 Reviewers Guide provides a simple installation overview which can be downloaded at https://www.citrix.com/content/dam/citrix/en_us/documents/oth/xenapp-reviewers-guide.pdf and the XenDesktop 7.6 equivalent can be found at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xendesktop-reviewers-guide.pdf.

Unattended Installation of XAD 7.6 Infrastructure Components & The VDA
1: The installation executable is located at x64\XenDesktop Setup\XenDesktopServerSetup.exe within the installation media path. The below is an example and simply replace x with mounted ISO, CD/DVD drive letter or the UNC path to the XAD7.5-6 installation media. If you do not include the /xenapp switch it will automatically install XenDesktop.

"x:\x64\XenDesktop Setup\XenDesktopServerSetup.exe" /xenapp /components controller,desktopstudio /configure_firewall

2: Sample installation code to insert into a batch script from Citrix eDocs that will install the VDA on Desktop OS as a master image and it will include Citrix Receiver.


"x:\x64\XenDesktop Setup\XenDesktopVdaSetup.exe" /quiet /components vda,plugins /controllers "Contr-Main.mydomain.local" /enable_hdx_ports /optimize /masterimage /baseimage /enable_remote_assistance

If you are looking for how-to install the VDA for groups of machines in AD then please check out this eDocs node for the batch script that will allow you to install/configure or even remove the VDA – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-install-vda-adscript.html.
3: For more detailed information check out – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-install-command.html.

High-Definition user eXperience (HDX)
1: So what is HDX? That’s a very good question; an introduction whitepaper answering your questions can be found at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-hdx-technologies.pdf.
2: Now that you’ve read through the whitepaper you will want to begin configuring and testing some of the HDX policies in Studio to test out HDX capabilities. Start with reading through the HDX eDocs node at – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-hdx-landing.html. If you’re more interested in HDX 3D Pro, which leverages GPU cards installed on workstations and servers within the data centre, then I would suggest starting by reviewing – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-hdx3dpro-intro.html. For a visual aid on how GPU technologies work with XenApp & XenDesktop, take a look at how GPU pass-through works with XenApp at – http://www.nvidia.com/object/xenapp.html and how vGPU works for XenDesktop at – http://www.nvidia.com/object/virtual-gpus.html.
3: High Definition User Experience template policy in Studio explained and feedback requested – http://blogs.citrix.com/2014/11/13/citrix-studio-templates-help-needed-out-of-the-box-configuration-for-xendesktop-and-xenapp/.

Citrix Unveils New Version of Market Leading Third-Generation Unified Platform for Application and Desktop Virtualization
http://www.citrix.com/news/announcements/aug-2014/citrix-unveils-new-version-of-market-leading-third-generation-un.html

Citrix Offers Technology Preview of Linux Virtual Apps and Desktops Delivered from XenApp and XenDesktop
http://www.citrix.com/news/announcements/aug-2014/citrix-offers-technology-preview-of-linux-virtual-apps-and-deskt.html

Deploying Unified Communications (UC) Lync 2010/2013
1: Lync Feature Matrix is available at – http://support.citrix.com/article/CTX200279 which is very useful for understanding what is and what isn’t supported and whether you need to deploy either the HDX Optimisation Pack or the Microsoft VDI Plug-in.
2: Delivery options for deploying Microsoft Lync for XenApp 7.6 or XenDesktop 7.6 explained in detail at – http://blogs.citrix.com/2014/10/23/delivering-lync-from-xenapp-and-xendesktop/. I’ve summarised your options below:
– Generic HDX Realtime
* Pure ICA/HDX between two end-points and the infrastructure.
– HDX RealTime Optimization Pack for Lync®
* Optimised softphone with offloading of the media engine by Citrix. Note: 1.6 is for Lync 2010 and 1.7 is for Lync 2013; check out 1.7 – http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-17/hdx-realtime-optimization-pack-about-17.html which is compatible with Lync Server 2013, Lync Server 2010, and Lync Online (Office 365).
– Microsoft® Lync® VDI Plug-in
* Optimised softphone with offloading of the media engine by Microsoft; check out the CTX article for a how-to at – http://support.citrix.com/article/CTX138408.
– Local App Access utilises a * XAD policy applied to users to utilise the locally installed Lync app over the published Lync app from XenApp. If you want to understand more about how-to enable this XAD feature please review – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-laa-intro.html.
* Please refer to eDocs or CTX200279
3: UC with XenApp and XenDesktop Solutions Brief – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/unified-communications-with-xendesktop-solutions-overview.pdf.

XenMobile Device Manager 8.5

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 8.5 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – ldap
CERTIFICATE – cert
STORAGEZONE CONNECTOR – szc
XENMOBILE APPCONTROLLER – xac

Apple iOS 7 Support
You will need to apply Citrix’s iOS7 patch for XenMobile Device Manager 8.5, otherwise users attempting to enroll their BYO or Corporate iOS devices will receive the following Server Error: Could Not Connect 500, reference – http://support.citrix.com/article/CTX139106. The patch, and how to apply it, can be downloaded at – http://support.citrix.com/article/CTX139052.

Apple APNS
1: If you do not have an Apple ID for your organisation click here to create one – Apple ID https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId?localang=en_US. I would suggest creating an external e-mail addr that is bound to the XenMobile or XDM domain service so that multiple SysAdmins within your organisation have access to the APNS portal to issue and/or renew your APNS certificates, which expire annually on the date that they were issued. I would also suggest that, if your ticketing system supports auto generation of a support ticket annually, you utilise this feature to generate a new ticket each year to notify support, so that the ticket is assigned and actioned and the certificate is renewed and uploaded to the XDM web ui console at http://FQDN/zdm.
2: Once you have created your Apple ID generate a CSR on the intended XDM server via IIS.
3: Submit to Citrix to sign and they will return a *.plist file as a response.
4: Login with your newly created Apple ID to Apple APNS Portal – https://identity.apple.com/pushcert/.
5: Upload your signed CSR from Citrix (*.plist response) which then generates a *.pem certificate file.
6: Import the *.pem certificate response from APNS into IIS using complete certificate request then export from IIS filling in the password fields.
7: Delete the certificate in IIS.
8: Remove the IIS role and restart your XDM. The XDM installation installs Tomcat which clashes with IIS which is why we uninstall the IIS role prior to the XDM installation.
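
The annual expiry mentioned in step 1 can also be checked directly against the *.pem file that the APNS portal returns, alongside the ticketing reminder. The PowerShell below is an added example, not part of the original guide or of any Citrix or Apple tooling; the file path, the 30-day warning window and the helper name Get-CertExpiryStatus are assumptions.

```powershell
# Added example: report how long the APNS push certificate has left.
# Assumptions: $PemPath and the 30-day $WarnDays window are placeholders;
# Get-CertExpiryStatus is a helper defined here, not a Citrix or Apple cmdlet.
param(
    [string]$PemPath  = 'C:\certs\apns-response.pem',
    [int]   $WarnDays = 30
)

function Get-CertExpiryStatus {
    param(
        [Parameter(Mandatory = $true)] [datetime]$NotAfter,
        [Parameter(Mandatory = $true)] [datetime]$Now,
        [int]$WarnDays = 30
    )
    # Whole days remaining; negative once the certificate has expired.
    $daysLeft = [int][math]::Floor(($NotAfter - $Now).TotalDays)
    if     ($daysLeft -lt 0)         { $state = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $state = 'RENEW' }
    else                             { $state = 'OK' }
    [pscustomobject]@{ DaysLeft = $daysLeft; State = $state }
}

# Constructed dates (not taken from a real certificate) showing the three
# outcomes for a certificate issued on 2014-01-15 and valid for one year.
$expires = ([datetime]'2014-01-15').AddYears(1)
foreach ($today in '2014-06-01', '2015-01-01', '2015-02-01') {
    $r = Get-CertExpiryStatus -NotAfter $expires -Now ([datetime]$today) -WarnDays $WarnDays
    '{0}: {1} ({2} days left)' -f $today, $r.State, $r.DaysLeft
}

# Real check: only runs when the certificate file is present.
if (Test-Path -LiteralPath $PemPath) {
    try {
        # X509Certificate2 reads a Base64 (PEM) encoded certificate file directly.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PemPath
    } catch {
        Write-Error "Could not read a certificate from $PemPath : $($_.Exception.Message)"
        exit 2
    }
    $r = Get-CertExpiryStatus -NotAfter $cert.NotAfter -Now (Get-Date) -WarnDays $WarnDays
    '{0} expires {1:yyyy-MM-dd}: {2} ({3} days left)' -f $cert.Subject, $cert.NotAfter, $r.State, $r.DaysLeft
    if ($r.State -ne 'OK') {
        Write-Warning 'Renew the APNS certificate and upload it to the XDM console.'
        exit 1   # non-zero exit lets a scheduled task or monitor raise the ticket
    }
}
```

Run as a scheduled task, the non-zero exit code marks the task as failed once the certificate enters the warning window.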

TCP Ports
1: The following TCP ports are required to enable the XDM to achieve device enrollment, retrieve mobile apps from external App Stores e.g Apple iTunes – https://itunes.apple.com/gb/genre/ios/id36?mt=8, Google Play Store – https://play.google.com/store?hl=en_GB and Samsung Apps – http://apps.samsung.com/venus/main/getMain.as?COUNTRY_CODE=GBR and much more.

80 – HTTP
443 – HTTPS
8443 – Secure
2159 – Apple APNS
2156 – Apple APNS
5223 – Apple Over the air WiFi enrollment
2: Troubleshooting Apple APNS – http://support.apple.com/kb/TS4264, http://support.apple.com/kb/HT3576

FQDN or Public Static IP Address
1: When installing the XDM, which is the better option to use: an FQDN e.g http://axendatacentre.com/zdm or an IP addr e.g http://127.0.0.1/zdm? An FQDN provides the flexibility to move the XDM server between ISPs, as you always lose your IP addr range when moving from one ISP to another. All you need to do is adjust the DNS records to point to the new IP addr provided by your new ISP, and the Tomcat CA remains unaffected and can still issue device certificates during enrollment.
2: If you did choose an IP addr over an FQDN and you moved the XDM to another static IP addr you would need to reinstall the XDM as the Tomcat CA would no longer be valid and able to issue device certificates.

Adding An iOS Public App
1: Search for iTunes WordPress as an example
2: Click on the first link in your search results which will typically direct you to the iTunes web page preview of the iOS mobile app e.g – https://itunes.apple.com/gb/app/wordpress/id335703880?mt=8.
3: Now make sure it’s that mobile app that you wish to add to the XDM software repository and copy the link.
TIP: You know the URL is valid as it always ends in ?mt=8
4: Login to the XDM admin console e.g https://FQDN/zdm and click the Applications tab.
5: Click new External iOS app
6: Copy and paste the URL and click GO thereafter it will contact the iTunes web page and collect an image, product name and description.
7: Select or Deselect any of the available check boxes, then click Create.
8: Navigate to the Deployment tab
9: Click the iOS base package or create an apps package for external apps. Give it a name, select the users, then under resources select push apps and select WordPress. Now click finish.
10: You can click to deploy that updated deployment package or wait for iOS devices to connect back to the XDM, whereby they will be notified of an update to the external app package and initiate the trigger to prompt the user to download the WordPress iOS mobile app from iTunes (Remember the user will put in their iTunes password prior to it downloading).

Configuring An External Enterprise CA
Coming soon! In the meantime check out – http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-securityid-configcert-ssl-tsk.html

XenMobile 8.5 Support Articles
General Support – http://support.citrix.com/product/xm/v8.5/
XenMobile Device Manager 8.5 Release Notes – http://support.citrix.com/article/CTX138116
XenMobile Device Manager 8.5.0 Patch for iOS 7 Compatibility – http://support.citrix.com/article/CTX139052
FAQ – Worx Home for Mobile Devices and MicroVPN Technology – http://support.citrix.com/article/CTX136914
Device Manager Web Services – http://support.citrix.com/article/CTX138803
XenMobile Enterprise Reference Architecture for XDM8.5, XAC2.8, SCZ 2.0 – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/reference-architecture-for-mobile-device-and-app-management.pdf

More coming soon!
In the meantime check out the Admin Guide at – http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-intro-wrapper-con-85.html and download the software package at – http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-85-mdm-edition.html