Tag Archives: PFX

XenMobile Device Manager 8.5

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 8.5 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – ldap
CERTIFICATE – cert
STORAGEZONE CONNECTOR – szc
XENMOBILE APPCONTROLLER – xac

Apple iOS 7 Support
You will need to apply Citrix’s iOS7 patch for XenMobile Device Manager 8.5 otherwise users attempting to enroll there BYO or Corporate iOS devices will receive the following Server ErrorCould Not Connect 500 reference – http://support.citrix.com/article/CTX139106. The patch and how-to apply it can be downloaded at – http://support.citrix.com/article/CTX139052.

Apple APNS
1: If you do not have a Apple ID for your organisation click here to create one – Apple ID https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId?localang=en_US. I would suggest creating an external e-mail addr that is bound to the XenMobile or XDM domain service so that multiple SysAdmins within your organisation have access to the APNS portal to issue and or renew your APNS certificates which expire annually upon the date that they where issued. I would also suggest that if your ticketing system support auto generation of a support ticket annually to utilise this feature to generate a new ticket annually to notify support and have the ticket assigned to be actioned to eventually be renewed and uploaded to the XDM web ui console at http://FQDN/zdm.
2: Once you have created your Apple ID generate a CSR on the intended XDM server via IIS
3: Submit to Citrix to sign and they will return a *.plist file as a response.
3: Login with your newly created Apple ID to Apple APNS Portal – https://identity.apple.com/pushcert/.
4: Upload your signed CSR from Citrix (*.plist response) which then generate a *.pem certificate file.
5: Import the *.pem certificate response from APNS into IIS using complete certificate request then export from IIS filling in the password fields.
6: Delete the certificate in IIS.
7: Remove the IIS role and restart your XDM. The XDM installation installs Tomcat which clashes with IIS which is why we uninstall the IIS role prior to the XDM installation.

TCP Ports
1: The following TCP ports are required to enable the XDM to achieve device enrollment, retrieve mobile apps from external App Stores e.g Apple iTunes – https://itunes.apple.com/gb/genre/ios/id36?mt=8, Google Play Store – https://play.google.com/store?hl=en_GB and Samsung Apps – http://apps.samsung.com/venus/main/getMain.as?COUNTRY_CODE=GBR and much more.

80 – HTTP
443 – HTTPS
8443 – Secure
2159 – Apple APNS
2156 – Apple APNS
5223 – Apple Over the air WiFi enrollment
2: Troubleshooting Apple APNS – http://support.apple.com/kb/TS4264, http://support.apple.com/kb/HT3576

FQDN or Public Static IP Address
1: When installing the XDM which is the better option to use? A FQDN e.g http://axendatacentre.com/zdm or an IP addr: http://127.0.0.1/zdm? A FQDN provides the flexibility to move the XDM server between ISP’s as you always lose your IP addr range when moving from one ISP to another as all you need to do is adjust the DNS records to point to the new IP addr provided by your new ISP and the Tomcat CA remains unaffected and can still issue device certificates during enrollment.
2: If you did choose an IP addr over an FQDN and you moved the XDM to another static IP addr you would need to reinstall the XDM as the Tomcat CA would no longer be valid and able to issue device certificates.

Adding An iOS Public App
1: Search for iTunes WordPress as an example
2: Click on the first link in your search results which will typically direct you to the iTunes web page preview of the iOS mobile app e.g – https://itunes.apple.com/gb/app/wordpress/id335703880?mt=8.
3: Now make sure it’s that mobile app that you wish to add to the XDM software repository and copy the link.
TIP: You know the URL is valid as it always ends in ?mt=8
4: Login to the XDM admin console e.g https://FQDN/zdm and click the Applications tab.
5: Click new External iOS app
6: Copy and paste the URL and click GO thereafter it will contact the iTunes web page and collect an image, product name and description.
7: Select or Deselect any of the available check boxes , then click Create.
8: Navigate to the Deployment tab
9: Click the iOS base package or create an apps package for external apps give it a name, select the users then under resources select push apps and select WordPress now click finish.
10: You can click to deploy that updated deployment package or wait for iOS devices to connect back to the XDM whereby they will be notified of an update to external app package and imitate the trigger to prompt the user to download the WordPress iOS mobile app from iTunes (Remember the user will put in there iTunes password prior to it downloading).

Configuring An External Enterprise CA
Coming soon! In the meantime check out – http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-securityid-configcert-ssl-tsk.html

XenMobile 8.5 Support Articles
General Support – http://support.citrix.com/product/xm/v8.5/
XenMobile Device Manager 8.5 Release Notes – http://support.citrix.com/article/CTX138116
XenMobile Device Manager 8.5.0 Patch for iOS 7 Compatibility – http://support.citrix.com/article/CTX139052
FAQ – Worx Home for Mobile Devices and MicroVPN Technology – http://support.citrix.com/article/CTX136914
Device Manager Web Services – http://support.citrix.com/article/CTX138803
XenMobile Enterprise Reference Architecture for XDM8.5, XAC2.8, SCZ 2.0 – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/reference-architecture-for-mobile-device-and-app-management.pdf

More coming soon!
In the mean time check out the Admin Guide at – http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-intro-wrapper-con-85.html and download the software package at – http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-85-mdm-edition.html

XenMobile Device Manger 8.0.1

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 8.0.1 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – ldap

Apple APNS
1: Generate a CSR on the intended XDM server via IIS
2: Create an Apple ID – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId?localang=en_US
3: Login with your newly created Apple ID to Apple APNS Portal – https://identity.apple.com/pushcert/
4: Upload your signed CSR from Citrix which then be generated into an *.pem certificate file.
5: Import your *.pem certificate file from APNS into IIS using complete certificate request then export from IIS filling in the password fields.

XenMobile Device Manager Version 8.0.1
1: You’ll need a license file which can be downloaded from www.citrix.com.
2: APNS *.pem certificate file converted into a *.pfx12 certificate file.
3: External FQDN e.g xdm.yourdomain.co.uk or devicemanager.yourdomain.co.za
4: Server requirements check out – http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-sys-reqs-con.html
5: Test that your external FQDN resolves to the intended xdm server using a trace or ping then apply the following changes to your f/w to allow the following networking ports access – http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-sys-reqs-other-prereqs-con.html
6: Install XDM using the default postgres DB for 100x users or less alternatively then utilise the documented best practises for alternatively SQL DB engines.
7: Once installed navigate to http://xdm.yourdomain.co.uk/zdm to access the console. Note you can also access the following resources aswell after the FQDN of the xdm server /zdm/enroll which provides links to the current enrolment agents for xdm.

User Provisioning
1: You can optionally create users manually within the xdm console this approach is time consuming and a manual task for a SysAdmin.
2: You can upload a *.csv file containing all the required user information to provision users this approach is far more favourable but its a manual approach to user provisioning.
3: Provision users using your organisations AD environment is the best approach and less time consuming for SysAdmins. The xdm supports LDAP and LDAPS* and performs a real-time query to your AD server instead of caching a local dataset copy and then periodically updating this cache at a predefined intervals.

* LDAPS is a secure connection of LDAP between the xdm server and your organisations AD server.

Troubleshooting Tips
1: Setup a reoccurring calendar invite using your support ticketing system or group exchange invite to renew your APNS certificate which expires annually and needs to be renewed and uploaded to the xdm server otherwise iOS devices will become unresponsive as they reply on the APNS network.
2: Always deploy the xdm server using a FQDN over a Static IP as it is easier to adjust DNS records if and when moving your xdm server is needs be to another IP address range e.g changing ISPs. It is also easier to remember a FQDN over a IP address.
3: OS harden the server no matter if the xdm server is placed in the DMZ or a TRUSTED network it prevents and limits exposing the xdm server to network related threats or attacks.
4: Place the xdm server behind a networking appliance e.g NetScaler to load-balance the HTTP, HTTPS traffic, scale-out more xdm servers.
5: Read through the Citrix Reference Architecture for MDM and MAM.