Tag Archives: Mobile Device Enrollment

Creating and renewing an APNs Certificate for XenMobile

The following content is a brief and unofficial prerequisites guide to creating and renewing an Apple APNS certificate prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
INTERNET INFORMATION SERVICES – iis
CERTIFICATE AUTHORITY – ca
APPLE PUSH NOTIFICATION SERVICE – apns
CERTIFICATE SERVICE REQUEST – csr

What is an Apple Push Notification service (APNs)Certificate and how does it work?
APNs certificates allow and enable for the safe, secure propagation of information/notifications to iOS and OS X devices with source of information/notifications originating from a XenMobile Server with a trusted and signed APNs certificate by Apple and Citrix. In this particular overview I am referring to MDM/Mobility vendor’s e.g Citrix, Airwatch by VMware, MobileIron etc.

APNs certificates allows any end-user to enroll his/her iOS device (iPhone, iPad) weather it be corporate or personally owned (BYO) against a XenMobile Server in order to obtain organisation specific configurations e.g Wi-Fi configurations and of course security leading best practise policies e.g the users PIN must be alphanumeric, 6 characters in length and must be changed once every 90 days to meet organisation password policy guidelines etc.

I wont attempt to explain how APNs certificates work technically I do understand it but I believe Apple’s documentation is simple very clear to understanding and provides a great overview of how APNS works and functions so please visit the following links – https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9.

Creating and renewing an APNS Certificate with IIS (SuGgEsTeD for PoC Environments + Draft)
0: You will require a valid Citrix partner account to access your Citix My Account – http://www.citrix.com/account.html and you will require a valid Apple ID to login into the APNs Portal to complete your APNs signing request and for on-going APNs maintenance i.e. renewing, revoking your APNs certs. If you do not have a valid Apple ID you can create one at the following link – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId.
1: Prior to creating your APNs cert you should consider the following which is will your customers PoC ever move to a pilot or event to production? If it may then you/they should carefully consider exactly where you will generate your Certificate Signing Request (CSR) for your APNs certificate to be used with the XenMobile.
2: Open up IIS on your chosen Windows Server and click Server Certificates and select “Create Certificate Request” and enter in the following information when requested into the “Distinguished Name Properties” pop-up window which appears and once completed click next and on the “Cryptographic Service Provider Properties” window select the “Microsoft RSA SChannel Cryptographic Provider” from the Cryptographic service provider and the Bit length of”2048″ from the dropdown lists. Then save the CSR on your desktop providing it with a name e.g XM_APNS-CSR.txt

IIS Request Your Response
Common Name e.g myMDM-for-xm-anps.axendatacentre.com
Organization
Organizational Unit
City/locality
State/province
Country/region

3: Next navigate to https://xenmobiletools.citrix.com/ from the IIS Windows server that you generated this XenMobile APNs CSR from and sign-in with your Citrix partner access details.
4: Upload your CSR as described on-screen at https://xenmobiletools.citrix.com/ which then return a *.plist file to download (Save it).
5: Next navigate to Apple’s Push Certificates Portal at – https://identity.apple.com/pushcert/ and login with your Apple ID. Next click “Create a Certificate” and upload your *.plist file that you downloaded from the XenMobile Tools portal as per step 4 above where instructed following the on-screen instructions. It will then prompt you to download a *.pem file ignore the filename e.g MDM_Zenprise.pem.
6: Import the *.pem file from the download APNs portal from step 5 above into IIS using the complete a CSR response and specific a friendly name (use the same common name you specified in step 2 above. Optional if your cert import fails the be sure to import Apples intermediate and root certificates from – http://www.apple.com/certificateauthority/ and repeat the import process once more. Also check out – http://support.apple.com/kb/ht5012 entitled “Lists of available trusted root certificates in iOS” for further help & guidance.
7: Export the imported APNs certificate via IIS and specify the path to save the cert which will be in *.pfx format and also specific a strong password to protect your APNs cert and finally note to self DO NOT FORGET the password.
8: When prompted during the XMS Admin WebUI configuration post completing the XMS CLI setup, follow the below import process in table format.

Import Keystore
Keystore Type PKCS #12
Use as APNs
Keystore file The path to your completed XM APNs cert which will be in *.pfx
Password The password you typed in at step 7 above

Creating and renewing an APNS Certificate with NetScaler (SuGgEsTeD + Draft)
Coming soon…

Mobile Device, Application and Information Management

The following content is a brief and unofficial article about Mobile Device, Application and Information Management. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE INFORMATION MANAGEMENT – mim
MOBILE APPLICATION PERFORMANCE MANAGEMENT – mapn
ACTIVE DIRECTORY – ad

What is MDM?
It’s the capability to restrict the services and mobile applications provided by a mobile platform only e.g disabling of Siri on iOS, Chrome on Android via MDM API’s provided by the mobile OS. To achieve these capabilities and many more a MDM server e.g XenMobile Device Manager will request a mobile device to securely authenticate via a agent installed on the mobile OS e.g Citrix Enrol with a users organisational access details which will then present or rather enable the user to proceed with the MDM enrolment process i.e securely
downloading (HTTPS) and installing a secure organisation profile and MDM policies enforced by IT which effectively will restrict the devices capabilities to access mobile applications of the mobile OS or disable services e.g Disable Siri from been available when a iPhone or iPad is locked but when the user of the iOS device safely unlocks the iPhone or iPad with a pin code they can use Siri.

What is MAM?
It allows and enables your organisation to deliver safe and secure applications from your organisations data centre. This applications can be native mobile apps (iOS, Android), SaaS and Windows published applications which can now be repurposed with the Windows Mobile SDK – https://www.citrix.com/go/mobile-sdk-for-windows-apps.html and http://www.citrix.com/mobilitysdk/docs/videos/RapidStarts.htm to improve the users experience on a mobile device (iOS). As these are logical resources published or delivered and installed on an mobile device you can only lock the resources, perform a selective wipe or perform an erase of the data within the mobile apps (Published apps you simple disable that surest access via AD).

What is MApM?
It’s an acronym for essentially describing the ability to provide intelligent reporting against mobile apps via an agent on smart devices.

What is MIM?
It provides organisations the ability to take their trusted data held within internally only accessed Shared Areas, SharePoint sites e.t.c and allows organisational employees or 3rd parties i.e contractors the ability to download and potential edit office based documents, watch videos on corporate issued or BYO devices on or offline in a safe and secured environment with the ability to perform a wipe, lock or configure a poison pill against the organisational trusted data that is stored on the users device(s).