Tag Archives: MDX

How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

Author Note
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.

This is going to be one of the longest posts that I am about to write so come back from the moment its published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – https://citrix.cloud.com/ in due course.

What is XenMobile?
XenMobile is a complete UEM or MEM via https://twitter.com/JJVLebon (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on there own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. Its Fen 2018 and its still equally a tough exam to pass even though the XDM + XAC where merged into a virtual appliance now called the XenMobile Server (XMS).

If you have not deployed a mobility solution in the past or your an expert you’ll agree most likely that mobility or UEM/MEM is complex and is consistency changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly through-out your organisations Wi-Fi network and so the list continues on and on….

In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount important to be successfully. The below is list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploy a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf. This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaviour and so much more, that is definitely worth your time!
Configure the XMS with a public routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if your enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC’s (up to 100 devices) however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high-avaiability. NOTE: Do not pre-create a MS SQL database allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC’s but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You’ll need to active your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of CSRs for all of your mobility + XMS + NS certs is quiet important not just for the initial PoC but thinking 12 months out when the cert begin to expire where did I generate those certs from now to begin the re-signing process hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your choosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore this applies to ANY MDM vendor to be 100% clear!
– Dont assume that one individual should be deploying the XenMobile (any mobility) PoC themselves as in my experience unless your 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often its 3 people from within the IT team for high security organisation its double I find. Typically the 3 people are the Citrix Admin whom will require help & support from a networking (f/w dude:-)) or netscaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against there use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmx <-> tru).
– DO NOT USE A PROD NetScaler deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premsies vs. your chosen resource location.
If you are intending to MDX wrap or enlighten your iOS – https://developer.apple.com/programs/enterprise/ and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if your not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c is was that the mistake occurred.
– If your not going to utilise a public CA signed certificates (Strongly Preferred) as your deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports you’ll need to make sure they are available over your corporate wifi including the over air enrolment port especially for Apple iOS devices otherwise your MDM enrolment will fail so you’ll be defaulted to only been able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security harden purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it most likely is your connecting connection on https://XMS-vip:4443 via the VIP owned by the NetScaler but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g “Invalid user for SSO” when users attempt to sign-on.

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n which is where these system requirements have been obtained from dated Feb 2018 – https://docs.citrix.com/en-us/xenmobile/server/system-requirements.html.

Trial Licensing for On-Premsies Only
Citrix Customer Evaluation licenses can be obtained at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 if you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices

– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https

– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will required extra certs for this configuration and its well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)

1x private static IP addr that is used for the NetScalers IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to a the NetScalers Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g uem.axendatacentre.com with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g mam.axendatacentre.com with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.

Internet DMZ – NetScaler + XMS TRU
nug01 (NetScaler V/A) <-> NSIP
uem.axendatacentre.com <-> 81.x.x.1 <-> UEM Listener on XMS
mam.axendatacentre.com <-> 81.x.x.2 + * <-> MAM Listener on XMS
uem.axendatacentre.com (XMS V/A) <->

Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FGM) with Android for Mobile Notification Service Capabilities

Apple’s APNs Certificates portal is accessible at – https://identity.apple.com/pushcert, if you like a technical overview of how APNs works check out Apples developer documentation on the subject at – https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1 its quiet extensive and in-depth.

1. Create an organisation Apple ID at – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId
2. Generate your a CSR on NetScaler – https://support.citrix.com/article/CTX211887 or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to https://xenmobiletools.citrix.com/ and sign in where prompted with your Citrix.com partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – https://identity.apple.com/pushcert/ by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specfic a friendly name. NOTE: Optional Import Apples Certificates (*.cer, *.crl) from – http://www.apple.com/certificateauthority/ also see http://support.apple.com/kb/ht5012
8. Export the imported certifcate as a *.pfx and specifiying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI rememeber to enter the your chosen password and import it’s a keystore -> pfx format and select aPNS as the cert type.

Citrix provides a more detailed how-to and overview at – https://docs.citrix.com/en-us/xenmobile/server/authentication/apns.html.

Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM https://firebase.google.com/docs/cloud-messaging/ is the natural evolution of GCM platform, so think FireBase first for Android :-).

1. Create a organisation Google Developer account at – https://console.firebase.google.com/?pli=1, if your keen to understand how it works visit the XenMobile eDocs web page for Firebase at – https://docs.citrix.com/en-us/xenmobile/server/provision-devices/google-cloud-messaging.html.
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important well these ports will beed to made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.

Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – *https://docs.citrix.com/en-us/xenmobile/server/install-configure.html which contains a Preinstallation checklist and deployment flowchart. My goal in this section to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from – https://www.citrix.com/downloads/.
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required computed requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as its all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected.
3. Start the XMS v/a via XenCenter it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster this is so that you select the correct options during there FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter in a strong suitable passwd
6. Next you are promoted for network settings the IP addr will be e.g as per my text diagram above.
7. Next your asked about an “Encrypting Phrase” most people select “y” to randomise it however you’ll never know what it is, nor can you obtain file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create there own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will differ to https://docs.citrix.com/en-us/xenmobile/server/install-configure/fips.html#par_anchortitle_8dcb for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next your asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise is was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.


9.1 – Let the first XMS v/a that you configure as part of the your XMS cluster create the required XM database itself DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g uem.axendatacentre.com, what does this mean? It means that if your where to type in uem.axendatacentre.com on your device that you reading this blog post inside the corporate file or at home it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for uem.axendatacentre.com to xms01 this will NOT work properly and devices will NOT enrolling you have been warned! If you do this you will beed to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfecting fine to accept the defaults ports here unless you a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself however remember the most complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as its a PoC
13. Next we get to the Public Key Infrastructure (PKI) which I’d prefer to configure configure all the certs with the same passwd or pass phrase or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +. Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team maybe the hypervisor admin whom does all the CLI stuff aswell while the Mobility admin handles all the logical configuration via the Web UI administrator account.


14.1 – Make both admin, administrator passwords random and securely store them BUT separately from one another. Setup and assign AD domain admins security group as FULL Administrators of the XMS v/a via RBAC – https://docs.citrix.com/en-us/xenmobile/server/users/rbac-roles-and-permissions.html.

15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release please select “n” which is also the default! The XMS v/a will stop and start the app and once its completed the you see a FQDN e.g this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependant upon how much vCPU, RAM that you assigned to the v/a and if your on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins makes with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for uem.axendatacentre.com <-> 81.x.x.1 <-> when they should be accessing the direct IP addr of the XMS v/a <-> Most individual do this to test there NetScaler setup, please DO NOT setup the NetScaler do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g https://uem.axendatacentre.com:4443 either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> IP addr on Once your at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if its your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to https://docs.citrix.com/en-us/xenmobile/server/system-requirements/licensing.html. I would also suggest to test from each XMS v/a(s) within your cluster that you can successful connect to the remote v6 lic server which is available under the Wrench icon -> Licensing.
18. Next its cert mgmt. and a word of caution as this catches everyone out is that after uploading any certs reboot the XMS v/a(s) is required in order for the new certs to bound to the SSL listener interfaces and the existing ones to be unbind! You’ll need at this point your APNs and SSL certs for e.g uem.axendatacentre.com to upload the XMS v/a when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on Cert types and how-to’s for XenMobile check out – https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html which includes guides on configuring PKI Entities, certificate-based authentication for SecureMai and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL: https://mam.axendatacentre.com
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: (See text diagram above in HTML table format)

^ These settings are optional.

20. Next your promoted to setup your AD binding I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t otherwise a lot of things in your environment will break.

AD Binding
FQDN: ldap.axendatacentre.com
Port: 389 (Leave defaults unless changed within high security environments)
Domain name: axendatacentre.com
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g xms@axendatacentre.com
Password: *****
Domain Alias: axendatacentre.com (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)

21. Final configuration you’ll need to do is to setup XMS notifications – https://docs.citrix.com/en-us/xenmobile/server/users/notifications.html which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart and once it is successfully rebooted navigate to the XMS v/a direct FQDN https://uem.axendatacentre.com or IP addr and check that the HTTPS cert status in your internet browser to ensure that it is no longer self-assigned by the XMS v/a but matches your uploaded SSL cert bound the SSL Listener.

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with https://docs.citrix.com/en-us/xenmobile/server/authentication/netscaler-gateway-and-xenmobile.html.

Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – https://xenmobiletools.citrix.com and also be sure to please refer to XenMobile compatibility documentation – https://docs.citrix.com/en-us/xenmobile/server/system-requirements/compatibility.html for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I have personally have not seen this issue occur again for quiet some time but I thought its worth including encase it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – https://www.digicert.com/util/ on the originating windows server that you generated your CSR on for tier XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling there iOS devices.

My 30 Days of Citrix SecureNotes

The views expressed here are my own and do not necessarily reflect the views of Citrix.

The past 30 days I thought I’d try a XenMobile secure app I’d honestly never really used before as I store my notes within a secure app which is only accessible from my Citrite Windows 7-10 virtual desktop. This blog is a summary of my views about using Citrix Secure Notes why I am now going to switch to Secure notes from my primary note taking app and its NOT a traditional noting taking app at all!. It is also worth mentioning that before I begin discussing Secure Notes I personally have never really found a note taking app that meets my personal requirements vs. DEMANDS maybe that is because I been doing personal/business web development with languages such as PHP, HTML(5), CSS, Javascript in my personal time since I was a teenage so prehaps I’m looking for something that looks vs. feels like something i’d develop one day? Who knows! For now I’ll leave this thought as it stands and back to Secure Notes!

I thought i first start off with a tour of Secure Notes followed on by my personal views and thoughts of using Citrix’s Secure Notes thereafter.

Tour of Secure Notes

1. You can login from a web browser at http://securenotes.citrix.com and if you want to sign-in via your organisations IdP select “Log in with my company credentials
2.Enter in your organisations ShareFile subdomain e.g MyOrgName
3. It will redirect you to you’re organisations IdP login where you will be prompted for a username + password and potentially another form of authentication like a receiving a telephone call, virtual token or asked to verify yourself using your biometric authentication.
4. Once you are signed in your can begin creating a note (secure website version of Secure Notes) by providing it a heading and then in the body text your notes or drag and drop pictures, tag your notes and assign it to a notebook (collection of notes perhaps by project vs. organisation vs. team meetings e.t.c), delete unwanted or irrelevant notes, set a reminder against a note, favourite the note or search of other notes that you’ve created.
5. Now you can see in this image that I have been using for sometime now its still less than 30 days but I’m using notebooks to assign my notes by partner, customer vs. major events and i’ve tagged selective notes that require a follow-up and then I remove tags once its completed.
6. I have switched to the Notebooks view from theAll Notes which organises your notes based upon your created notebooks in my case by customer, partner & events and then I assign my notes to these notebooks so i can easily navigate notes for example by a partner or just use the search filter (whats right vs. relevant to you).
7. All your notes are stored securely within your ShareFile personal folder, and if your using Drive Mapper with your Citrix virtual apps & desktops the path to see your notes is at – “S:\Personal Folders\WorxNotes.root” and it does not matter whether your creating your notes using the website version of Secure Notes at – http://securenotes.citrix.com or even if you create your notes using the secure XenMobile enabled app called “Secure Notes” which is available from the public app store for iOS – https://itunes.apple.com/us/app/citrix-secure-notes/id1157570015?mt=8 and Android – https://play.google.com/store/apps/details?id=com.citrix.note.droid&hl=en_GB and controlled by XenMobile MDX technology to stop cut, copy and paste. You can learn more about MDX by reading the XenMobile security white paper available at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf.
8. If I now switch to a mobile world and I mean using a smart phone or tablet and for convenience sake I’ll be using the Secure Notes app I can see that I have the similar same capabilities and functionality vs. the secure website versions.
9. I can insert a picture, tag it, favourite it, set a reminder e.t.c but now I can record audio.
10. I can create my notes offline and when your back online it will sync your note(s) back up to ShareFile and you’ll notice the red cloud icon disappear.
11. Send your notes as an embedded message within Secure Mail body vs. PDF file attachment by selecting your preferred choice.

My Personal Views

Lite Tech Overview of Secure Notes
Review all the features and caveat at – https://docs.citrix.com/en-us/xenmobile-apps/10/secure-notes.html

1. Currently only iOS 9-10, Android 5-8 phones BUT its not supported on Tablets!*
2. Selecting a storage location for your notes upon setting up the app your asked if your prefer to store your notes in Microsoft Exchange Server or for your Secure Notes + within a ShareFile StorageZone. You can provide users with a choice of both upon on-boarding within the Secure Notes app.
3. Once users have been setup the XenMobile Secure Hub agent can handle SSO or push the app to users whom have enrolled into XenMobile’s MDM.
4. Supported file formats include – *.M4A, *.JPEG, *.PNG, *.BMP, *.GIF, *.WebP for rich editing experience.

XenMobile 10.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile 10.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names

What’s New
1: XenMobile is now a single unified hardened Linux virtual appliance.
2: Complete overhaul of the Web UI which dramatically simplifies policy setup & configuration of MDM + MAM policies and it allows for the management of multiple platforms within a single policy.
3: Built-in V6 Citrix Licensing server provides a 30 day trial/evaluation and also support for remote V6 CTX licensing server.
4: Built-in PostgreSQL database recommended for PoC’s and there’s also support for remote MS SQL database which is recommended for production deployments.
4: XMS V/A includes IPtables which is a Linux firewall – http://en.wikipedia.org/wiki/Iptables.
5: XMS placement is in the DMZ. The V/A is hardened and is FIPS 140-2 compliant and remember you data is actually stored in a MS SQL database unless your utilising PostgreSQL database within the XMS V/A.
6: Traffic flow and ports between NetScaler Gateway and the XenMobile Server (XMS) have changed please refer to eDocs for an architecture overview of the changes at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html.
7: The Admin Web UI is now on https://XMS-FQDN:4443/. This port is not configured as part of the XenMobile 10 wizard on NetScaler Gateway build 10.5-55.8 which means that you will not be able to access the mgmt. Admin Web UI from the internet it will only be accessible from the DMZ and the TRU network dependant upon your firewall(s) ACL list.
8: New WorxHome build which is also backwards compatible from XenMobile 10.x.n
9: The XenMobile NetScaler Connector (XNC) currently is still a separate Windows Server.
9: You can find our more by watching the following Mobility Master Class: What’s New in XenMobile 10 available from Citrix TV.

Mobility Master Class: What’s New in XenMobile 10

Mobility Master Class: Citrix XenMobile 10 Clustering & MDM Migrations

Deploying XenMobile 10
1: Review the system requirements for XMS at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-system-requirements.html to understand the supported hypervisors, computing requirements. You should also make sure that you review the latest XM architecture as it has changed between XenMobile 9.0 vs. 10.0 and it can be viewed at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html. You’ll notice that the traffic between NSG and the XMS V/A has changed however all traffic externally still occurs on there traditional ports (443, 8443, 2195, 2196, 5223).
2: Review and understand the NetScaler Gateway compatible requirements at – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html.
3: Make sure that you print out and fill-in all the pre-requitses for the XMS V/A ref – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-xenmobile-install-checklist.html prior to deploying your XMS V/A on your chosen hypervisor.
4: Once you have uploaded the V/A to the hypervisor and booted it complete the onscreen instructions ref – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-install.html. Once you are finished login into the Admin WebUI replacing the IP Addr with your XMS V/A ip addr from this example https://XMS-IPADDR:4443/ and login with Administrator account your specified during the deployment and NOT admin which is used to access the XMS V/A CLI from your hypervisor only.
5: Once you’ve logged in you’ll need to have the following listed below available to successfully complete the second part of the initial XenMobile 10 deployment. There is also a pre-requites check list available at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-xenmobile-install-checklist.html.

– Citrix v6 licensing file for either local or remote. Remote is recommended for H/A purposes.*
– Microsoft Active Directory (AD) ip addr or FQDN, base DN, domain, search service account with read-only permissions.
– Certificate in *.p12 or *.pfx format for the SSL_Listener which is used for two way secure HTTPS communication to the XMS V/A.
– APNS certificate.
– Separate MDM and MAM+ FQDN’s correctly setup in DNS with fwd and reserve lookup’s configured and each configured with its own static IP addr for external resolution.
– 3x VIP for configuring XenMobile 10 with NetScaler Gateway +. You can find a compatible NSG V/A version and builds at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-10-understand-compatibilitymatrix-con.html.
– MS SQL Database server configured to accept traffic and with write/read privileges to create and manage the remote XMS database.
– Mail server configuration which enables and provides workflow email messages, notifications to users e.t.c

6: Follow the onscreen prompts and once completed the web UI deployment wizard then you have successfully deployed a XMS V/A. Please not reboot the XMS V/A so that the existing SSL certificates for HTTPS can be unbound and the newly uploaded SSL cert(s) can be bound to HTTPS.
7: You may now setup a XMS cluster and configure H/A with a NSG and thereafter begin configuring your XenMobile 10.0 environment. See the H/A section for a how-to.
8: Logon to one of the XMS v/a direct IP addr e.g https://XMS:4443/ if in H/A fronted by the NSG as the XenMobile 10 wizard will not configure 4443 which means that you cannot access the mgmt interface via the VIP owned by the NSG. This means that the mgmt interface is not accessible either internally or externally on the FQDN that resolves the VIP owned by the NSG.
9: Scaling XenMobile 10.0 from 1000 up to 100,000 devices – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-scaling-xm.html.

XMS V/A High-Availability (H/A)
1: Prior to understanding how-to setup a XMS H/A or clustering you need to understand that the minimum requirements are for a remote CTX v6 licensing server and MS SQL database as the XMS V/A do not hold any user/cfg information this is all held in the remote database.
2: Once your have setup XMS follow the prompts in the CLI to enable clustering and configure the IPtables firewall ACL and then finally shut it down and clone it.
3: Rename the cloned XMS V/S to your required naming convention and then boot up the cloned XMS V/A login to the CLI and changed the IP addr and ensure that the IPtables firewall ACL ports are correctly enabled then shutdown the V/A.
4: Boot the first XMS V/A and then 60 seconds later boot the cloned XMS V/A and login to the CLI to very the cluster is enabled and then login into the XMS admin WebUI to verify that the cluster is up and functioning as expected. The original XMS V/A will be the oldest in the cluster.
5: You can now proceed to setting up the load-balancing for the XMS V/A’s with NSG to service MDM + MAM requests.

Supported NetScaler Gateway (Builds & Versions) for XM 10
1: MR5; MR4; MR3; 10.1.130 MR & 10.1.129 MR ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html.

Deploying XM 10 with NetScaler Gateway 10.5.x.n (Draft)
1: Before beginning its worth mentioning that the way I will be describing how-to deploy XenMobile 10 in this blog article will be to utilise to external static IP addr’s + FQDN’s that are NATed to DMZ IP addr’s and I will utilising SplitDNS for device mgmt. in/outside of my TRU network. I will also be implementing the described XenMobile 10 environment below utilising an SSL Bridge although offloading includes a few more minor steps the intention of this section is aimed at helping you front your XenMobile 10.0 deployment with a NSG 10.5.x.n V/A.
2: Please review the following CTX article entitled “FAQ: XenMobile 10 and NetScaler 10.5 Integration” – http://support.citrix.com/article/CTX200430 which will aid you in been able to setup and configure load-balancing for XMS V/A’s, mVPN for Worx’s apps for XenMobile 10 with NetScaler Gateway 10.5.x.n.
3: You’ll require the following prior to be beginning:

– Correct NetScaler (Gateway) build +_ version the NSG version + build I’ll be discussing here is NetScaler Gateway MR5 but you can check the latest supported version + builds at – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html
– 1x FQDN for MDM e.g. mdm.axendatacentre.com * that resolves to both external internet routable static IP addr and your internal assigned static IP. Please note that this should match exactly the FQDN entered in at the time of the deployment of your XMS V/A during the first phase in the CLI the text your looking for is/was “XenMobile Server FQDN:” and its highlighted in yellow. It is also worth/noting that if you have utilised an internal domain e.g xms.abc.local as the FQDN this will only manage devices internally as that FQDN is not routable on the internet so you’ll only be able to manage devices INSIDE of the trusted network to its recommended to a FQDN that is internet routable and you can utilise SplitDNS to manage traffic requests to the NSG VIP’s for XenMobile.
– 1x FQDN for MAM (Worx’s Apps) e.g. mobileapps.axendatacentre.com * that resolves to both external internet routable static IP addr and your internal assigned static IP
– 2x External routable internet IP addr’s * e.g which most IT Pro’s utilise to ping to check internet connectivity
– 3x Internal IP addr’s owned by the NSG as VIP
|- 1x for MDM
|- 1x for MAM Gateway
|- 1x for Load-balancing IP
– Wildcard certificate for your domain e.g *.domain.com
– If your implementing SSL Offloading (HTTP) of your XenMobile traffic for MAM then you’ll require the devices cert from the XMS V/A which can be downloaded from the XMS Web AdminUI at https://xms:4443/

4: Setup the NetScaler Gateway configuration within the Admin WebUI of the XMS V/A following the process outlined at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-netscaler-gateway.html its fairly straight forward and simple.
5: Login into the NSG Admin WebUI interface and click the XenMobile Wizard in the bottom left-hand corner and then you’ll be prompted to setup either XenMobile 9.0 or XenMobile 10.0 please selected XenMobile 10.0 and click “Get Started” to continue.
6: Ensure that “Access through NetScaler Gateway” which is for MAM, “Load Balance XenMobile Servers” which is for MAM are checked they should be by default, however you know have the opportunity to deselect either if one depending upon your deployment scenario/use case and obviously your acquired license. The current XenMobile 10 datasheet is available at –
7: Enter in your first VIP for the MAM Gateway then port should be 443 and provide a suitable name.
8: Select your previously uploaded SSL certificate (I am utilising a wildcard cert for my domain *.axendatacentre.com) or upload your SSL cert.
9: Create your (s)LDAP binding you will need to provide the following:

– LDAP IP addr
– LDAP Port default is 389
– Base DN e.g Cn=Users,dc=axendatacentre,dc=com
– Service account username & password
– Timeout default is 3 seconds
– Server Login sAMAccountName or UserPrincipalName (SuGgEsTeD)

10: Now enter in your MDM FQDN and then the Load-balancing IP addr beneath and accept the default port of 8443. You can now also choose to select HTTPS (SSL Bridge) vs. HTTP (SSL Offload) and you can choose your DNS mode including split tunnelling.
11: Select your previously uploaded SSL certificate (I am utilising a wildcard cert for my domain *.axendatacentre.com) or upload your SSL cert.
12: Enter in your MDM VIP and you’ll notice the default ports are 443, 8443 for communication to the XMS V/A(s). You’ll notice that you cannot change the SSL traffic configuration as I specified to not to perform any SSL offloading in set 10 above or its under section “Load Balancing IP address for MAM” within the NSG XenMobile 10 wizard.
13: Next add in the XMS ip addr’s of each V/A in your XMS cluster and provide an appropriate name and ports are automated defaulted to 443, 8443.
14: Click continue to finish and then click done and you have now setup and configured all your traffic for XenMobile to route through your NSG V/A and we are performing SSL Bridging in the above scenario.

Worx Features by Platform
1:The following eDocs web page lists the features by Worx app which includes WorxHome, WorxMail, WorxWeb, WorxEdit, WorxNotes, WorxTasks & WorxDesktop ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-worx-feature-platform-matrix.html.
2: Be sure to also checkout the known issues list at – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-worx-knownissues-con.html and it is also worth noting that as of writing this blogging entry WorxTask’s is in Tech Preview (TP) ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-worx-tasks.html.

You should follow the XenMobile team on twitter at – https://twitter.com/xenmobile for the very latest on Worx’s apps, updates, upgrades and so much more.

1: The XenMobile security web page is available at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
2: The XenMobile Security whitepaper is available at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf and I would strongly advise that you read/review it to get a better understanding of how XenMobile can help and assist any organisations EMM (Mobility) requirements.
3: The Mobile Application Management with XenMobile and the Worx App SDK –
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/mobile-containers-with-citrix-mdx.pdf, this is well worth reading.

XenMobile AppController 2.10

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile AppController 2.10 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
GoToMeeting – gtm
GoToAssist – gta

Understanding MDX Technologies
1: Citrix MDX technologies provides and enable IT to wrap enhanced security, traffic around mobile apps for Android and iOS. The technologies can be segregated into 3 tiers called MDX ACCESS, MDX INTERAPP & MDX VAULT when determining what policy(s) to enforce. I will not look into the capabilities of each tier at a high level.
2: MDX VAULT enables encryption of the private data storage of MDX wrapped mobile apps. Check out – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-mobile-apps-encryption-con.html.
3: MDX INTERAPP allows IT to control the application fabric of MDX wrapped mobile apps e.g restricting what apps it can open in (Document Open In); opening a service of the mobile platform e.g maps when a user clicks on an address in WorxMail.
4: MDX ACCESS enables and allows IT to set a MDX wrapped mobile apps traffic to be tunnelled via a mVPN, blocked or to the internet. The mVPN can be configured with either SecureBrowse (Only internal traffic traverses up the mVPN and anything bound for the internet does not) or FullVPN (All traffic flows up the mVPN).
5: You can find more surrounding the MDX policies at these two links one for iOS at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-mobile-apps-policies-andr-con-1.html.

Wrapping native *.APK, *.IPA mobile apps to become MDX enabled
1: Take a look at the following documentation in eDocs at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appwrap-toolkit-wrapper.html then the MDX Toolkit Documentation –http://support.citrix.com/servlet/KbServlet/download/37081-102-709208/MDXToolkit%20Documentation%20v1.0.pdf and video available at showing how to wrap Android mobile apps – http://www.citrix.com/tv/#videos/9465. I have embedded the video below from Citrix.com/TV:

Pre-requisites, Understanding & Installing The XenMobile 8.7 Components End-2-End for a PoC or a Demo Environment (DRAFT & MAY CONTAIN ERROR(S))
Coming soon!

XenMobile Enterprise 8.7

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Enterprise 8.7 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
GoToMeeting – gtm
GoToAssist – gta

What’s New The Highlights
0: XenMobile Datasheet by edition – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf.
1: Enrol and manage Windows 8.1 including support for Windows 8.1 RT devices – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-understand-device-platforms.html.
2: Worx Home supports pin history & pin cycle checking.
3: Configure and deploy VPN cfgs to Amazon devices.
4: Shared Device Management support allows for multiple individuals to leverage MDM capabilities once the device has been enrolled.
5: ShareFile Single Sign-On (SSO) support from Worx apps to ShareFile.
6: Samsung SAFE devices support with the ability to now install Worx Home on Samsung SAFE devices running Android 4.3 and later from Google Play Store.
7: Support for Android 4.4.
8: Battery retention has improved by approximately 15% please see point 11 below for further details re the Tests performed.
9: IBM notes support for iOS in WorxMail.
10: Geo-fencing on Android.
11: A full and complete list of what’s new check out – http://support.citrix.com/proddocs/topic/xenmobile/xmob-understand-whats-new.html.
12: For a list of the new features in NetScaler Gateway 10.1 and NetScaler Gateway 10.1, Build 120.1316.e check out – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-whats-new-con.html.

XenMobile Compatibility Matrix
1: http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-understand-compatibilitymatrix-con.html

Supported Device Platforms
1: http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-understand-device-platforms.html

Pre-requisites, Understanding & Installing The XenMobile 8.7 Components End-2-End for a PoC or a Demo Environment (DRAFT & MAY CONTAIN ERROR(S))
1: I would suggest starting with this really good XenMobile Architectural XenMobile Diagram to help you understand where the individual components are placed between the DMZ and TRUSTED network, so check out – http://www.citrix.com/content/dam/citrix/en_us/images/info-graphics/xenmobile_architecture_86.png.
2: Understanding how-to deploy the components of XenMobile Enterprise – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-understand-deploy-architecture-wrapper-n-con.html and I would also recommend reading and understanding what ports are required to be enabled at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-deploy-component-port-reqs-n-con.html and the review the XenMobile and NetScaler Gateway checklists which are available at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-prepare-xenmobile-checklist-con.html & http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-checklist-10-1-con.html#ng-checklist-10-1-con followed understanding the Server & SAML certificate types/ requirements of XenMobile at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-deploy-certificates-con.html.
3: Sizing & System requirements for XenMobile 8.7 – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-deploy-netscaler-gateway-reqs-con.html.
4: How-to Install XenMobile 8.7 – . If your looking to install XDM at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-deploy-device-manager-install-steps-tsk.html for a basic visual overview and instructions. To deploy the XAC use the following to pre-configure the XenMobile AppControllers IP addr, DNS e.t.c at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-change-ipaddress-tsk.html followed by configuring the XAC using the initial web UI wizard at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-setup-wizard-tsk.html. To configure your NetScaler Gateway for the first time use – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-vpx-configure-basic-settings-wrapper-con.html, http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-config-ng-with-wizards-con.html followed by the initial NSG wizard accessible via the Web UI upon your initial login – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-config-first-time-new-install-con.html thereafter you can use the built-in NSG wizard to setup and configure remote access to the XAC for XenMobile Enterprise 8.7 at – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-install-simplified-config-tsk.html.

Enrolling by OS Platform
0: Prior to enrolling any devices you may want to consider configuring enrolment options – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-dm-connect-config-enroll-mode-con.html.
1: iOS – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-ios-user-enroll-device-tsk.html.
2: Android – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-android-user-enroll-device-tsk.html.
3: Windows – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-dm-enroll-users-devices-wrapper-con.html.
4: Symbian – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-symbian-user-enroll-device-tsk.html.

Performing In-place Upgrades from XenMobile 8.6 to 8.7
I performed in-place upgrade within my XenMobile Enterprise demo environment running Hyper-v on Microsoft Windows Server 2012 from 8.6 to 8.7 without any issues or errors.
2: Note: As I focus on PoC’s and Training the upgrade methods used below will be different for production environments and you should follow – http://support.citrix.com/article/CTX140444 for steps and guidance.
3: My current setup consisted of a XDM cluster on 8.6 l/b by NetScaler using a MS SQL database. I first performed a snapshot of both XDM servers and the SQL database then proceeded to shutdown the second XDM server and executed the XDM 8.7 software package on the primary XDM server which detected a XDM installation and performed a in-place upgrade following the onscreen steps. Once the software update completed I rebooted the VM and then proceeded to connect to XDM mgmt. Web UI locally via https://localhost/zdm on the primary XDM server desktop (Note: SSL error is normal as the FQDN your connected to is not for localhost but your organisations FQDN) and then logged in as a XDM admin then as domain user to verify that the SHP works as expected. Next shutdown the primary XDM server and boot the secondary XDM server and repeat the process above and once verified shutdown the secondary XDM server and boot the primary XDM server wait a few minute then boot the secondary XDM server and what a few minutes and then login to https://XDM-FQDN/Instance/helper.jsp e.g https://mdm.citrix.lab/zdm/helper.jsp and verify that the XDM cluster is active and working, next login to https://XDM-FQDN/Instance/ as a domain user and then a XDM admin to verify that everything works as expected e.g send a notification to an iOS device or enrol a new device using a custom deployment policies to verify your XDM is functioning as expected.

1: XenMobile FIPS 140-2 Compliance – http://support.citrix.com/proddocs/topic/xenmobile-87/clg-appwrap-fips-con.html.
2: XDM supports internal and external PKI’s – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-dm-manage-security-pki-overview-con.html; SAML – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-dm-manage-securityid-saml-con.html.
3: Network Access Control (NAC) – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-dm-manage-securityid-configurenac-con.html.
4: Client certificate based authentication using Configuring Device Manager with Microsoft Active Directory Certificate Services – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-dm-manage-securityid-configdm-mscertificatesvs-con.html.

Synergy SYN308: Citrix Mobility & Desktop Integration

XenMobile Enterprise 8.5, 8.6, 8.7, 9.0 PoC Considerations

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Enterprise 8.5, 8.6, 8.7 and 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names

Preparation & Pre-requisites (DRAFT & MAY CONTAIN ERROR(S))
0: Never use a production NetScaler or NetScaler Gateway for PoC why? When you upload the trial licenses it will require a reboot which cannot be completed in a production environment without a planned maintenance window. Also you may want to use the latest NS(G) during the PoC for best results & optimal performance likewise some versions require a e release of NS(G) which will mean a firmware upgrade to your production NS(G) eventually.
1: If you don’t understand all the components of XenMobile Enterprise then I would suggest researching and reading (Data sheets of each) to understand what the XenMobile Device Manager, XenMobile AppController, XenMobile NetScaler Connector, XenMobile Mail Manager, NetScaler (Gateway) and finally what ShareFile StorageZone Connectors are all capable of individually as integrated as part of a Mobility Solution. XenMobile Enterprise can also include the delivery of hosted shared and VDI desktops, hosted published Windows apps delivered from XenApp, XenDesktop as part of the overall EMM Solution.
2: XenMobile Enterprise is an integration of a number of the Citrix products mentioned above deployed together to form a complete EMM solution.
3: Identify and visually understand where potentially all the components/products sit within the whole overall mobility solution. Here is a great visual reference that is clean and clear to understand – http://www.citrix.com/content/dam/citrix/en_us/images/info-graphics/xenmobile_architecture_86.png?accessmode=direct.
4: Review the pre-requites and checklists if available for each product that you wish to deploy within XenMobile. I have listed a few here for you starting with all the required ports – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-component-port-reqs-n-con.html, for the checklist – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-prepare-xenmobile-checklist-con-.html, for or XDM – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-device-manager-sys-reqs-con.html, for XAC – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-appc-sysreqs-wrapper-con.html, for NSG – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-netscaler-gateway-reqs-con.html, for SF – http://support.citrix.com/proddocs/topic/sharefile-storagezones-22/sf-storage-center-sys-reqs.html and for XD – http://support.citrix.com/proddocs/topic/xendesktop-71/cds-system-requirements-71.html.
5: Now that you have an understanding of the requirements for each and you should by now know and understand each product a little more read through the XenMobile 8.6 Reference Architecture – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-reference-architecture-for-xenmobile-86.pdf.
6: Deploying the XenMobile Solution – http://support.citrix.com/article/CTX139235 as well as download a copy of the XenMobile MDXToolKit Documentation v1.0 – http://support.citrix.com/article/CTX140458.

Pre & Post Discovery Meeting (DRAFT & MAY CONTAIN ERROR(S))
1: Ensure that you educate the organisation as to what XenMobile is and is capable of doing re MDM, MAM and MIM.
2: Setup 2-3 GoToMeeting sessions. The first is to answer any Q&A that the organisation has for you re the pre-requites and ensure that they have started to prepare any external dependencies e.g iOS Enterprise Developer Account. The second is to ensure that all the pre-requites have been completed prior to the installation onsite for the PoC and to answer any further Q&A the organisation has. If the organisation has not completed the pre-requites then proceed with the third GoToMeeting and if the pre-requites have not being completed I would strongly advise escalating to managers on both that your PoC will more than likely be unsuccessful as your need ports opened, servers build, software downloaded, certificates e.t.c and you will need to focus on installing and then configuring the products to be integrated together and into mgmt infrastructure e.g (s)LDAP and finally configure policies and if applicable wrapping Worx, ShareFile *.ipa and *.apk files to become *.mdx to provide secure sandboxed, internet and intranet browsing (WorxWeb) + e-mail (WorxMail) and data sharing (ShareFile).
3: Decide on a database platform note that Postgres SQL is built-in to the XDM software package and is great for PoC’s or alternatively you can use MS SQL.
4: Decide upon the XDM management addr for mobile devices you can use either an IP Addr for FQDN e.g mdm.axendatacentre.com, however I would recommend a FQDN. Why? When you install and configure the XDM your creating and configuring a CA if use used an IP addr and you decided to move the XDM server from one subnet to another and could not provide the exact IP or you move from one ISP to another you’ll get a new IP addr range you will break the CA and all enrolled devices will become unmanaged so install using an FQDN and you can always adjust the underlying IP addr of the XDM’s serves FQDN this not compromising/breaking the XDM’s CA and all devices will remain managed and connected to the XDM. Remember changing an IP addr of an external FQDN does and will require 24 hours for DNS to propagate through out the internet.
5: Login to your Citrix My Account at – http://www.citrix.com/ locate and click Partner Central (Opens a new tab) then once the web page loads click Sales in the navigation menu bar and click on SalesIQ (Opens a new tab) then once loaded click on PoC Central scroll down and download the XenMobile PoC kit. Note only valid Citrix Partners may download content from Citrix SalesIQ.

PoC Notes & Tips
1: Deploy your first few XenMobile 8.7 PoC’s using single NIC’s.
2: Stick with 2-3 devices during a PoC to maximise your PoC success and remember a PoC is designed to prove a concept or a technology.
3: If your deploying ShareFile On-Prem SZ remember to back SZKeys.txt in the root of your ShareFile data CIFS share.
4: Your PoC should run smoothly provided that you can confirm that all the perquisites for XenMobile Enterprise are successfully completed prior to arriving onsite and this should also potentially include having a basic customer defined MDM, MDX policy agreement so that you can setup and configure these policies post successfully deploying the XenMobile components so that you can begin your initial testing to check that everything is operating as expected thereafter you demonstrate that the deployment is active and working as expected. At this stage you can either define what MDM, MDX policies you wish to trial or test during the PoC however hopefully this has too also been previously agreed and you can begin defining the policies by platform and for any Worx or 3rd party signed MDX mobiles apps.
5: XDM clustering for high-availability in XenMobile 9.0 has changed so please refer to this blog article – which will help your understand what Tomcat configuration changes are required prior to performing an in place upgrade from XenMobile Device Manager 8.7 to 9.0. This changes also means that your XDM cluster can now reside in alternatively data centres ref – .

Support NetScaler Gateway (Builds + Versions) for XM 9.0
1:;;;;;;;;; ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html.