Post on 24-Sep-2020
605: Secure Mobile Access with the New XenMobile
Hands-on Lab Exercise Guide
Walter Hofstetter, Christopher Friend, and
Frank Martinez
May 2015
Table of Contents
Overview
Scenario
Exercise 1: Initial Configuration of the XenMobile Server
Exercise 2: XenMobile Server Getting Started Wizard
Exercise 3: Configure Policies on XenMobile Server
Exercise 4: Adding Categories and Applications to XenMobile Server
Exercise 5: Assigning Applications to a Delivery Group
Exercise 6: Configure NetScaler Gateway for Enterprise Store
Exercise 7: Device Enrollment
Exercise 8: Verify Enrollment and Enterprise App Store
Exercise 9: Working with Device and MDX Policies
Optional Lab: PKI Integration - Certificate Based Authentication
Overview
Hands-on Training Module
Objective
This training will provide hands-on experience with the following:
Initial configuration of XenMobile Server 10.0 with FIPS mode enabled
Integrating XenMobile Server with NetScaler Gateway to terminate the MDM SSL traffic securely (SSL Offload) and allow access to the corporate network using mVPN
Working with device and app (MDX) policies to achieve a secure operating mode that prevents data leakage through apps, the OS, and devices taken off campus.
Prerequisites
Basic understanding of Web/SaaS/Mobile apps.
Familiarity with navigating the NetScaler Configuration Utility.
Basic understanding of http/https communication.
Basic understanding of networking concepts (i.e.: IP addressing and communication)
Audience
Citrix Partners, Customers, Sales Engineers, & Consultants.
Lab Environment Details
The lab environment for the exercises to come contains the following:
External access to common services (HTTP, SSL, SMTP, RDP, SSH, DNS) to simulate a customized, real production environment
1 Active Directory namespace
Pre-configured enterprise applications (Exchange & MSSQL)
XenMobile Enterprise components (XenMobile Server, NetScaler Gateway)
The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.
Lab Guide Conventions
This symbol indicates particular attention must be paid to this step
Special note to offer advice or background information
reboot Text the student enters or an item they select is printed like this
VMDemo Filename mentioned in text or lines added to files during editing
Start Bold text indicates reference to a button or object
Focuses attention on a particular part of the screen (R:255 G:20 B:147)
Shows where to click or select an item on a screen shot (R:255 G:102 B:0)
List of Virtual Machines Used
VM Name          IP Address                                                  Description / OS
AD.training.lab  192.168.10.11                                               Windows Server 2012 R2 Standard. Domain controller for training.lab, DNS, DHCP services, and license server.
DDC              192.168.10.40                                               Windows Server 2012 R2 Std. with XenDesktop 7.6 installed.
XMS              192.168.10.20                                               XenMobile Server 10.0. Students perform the initial XenMobile Server configuration and configure apps, policies, and delivery groups.
XMS MAM LB VIP   192.168.10.21                                               Load-balancing VIP for MAM (e.g. for clustering).
Exchange         192.168.10.15                                               Windows Server 2008 R2 with Exchange 2010 installed.
NS               NSIP=192.168.10.50, VIP=192.168.10.100, VIP=192.168.10.101  NS/AGEE 10.5. Students integrate NetScaler Gateway with Citrix StoreFront and XenMobile Server.
SQLServer        192.168.10.12                                               Windows Server 2012 Standard with SQL Server installed.
VDA              192.168.10.205                                              Windows 8.1 Professional with XenDesktop VDA installed.
Win81Client      192.168.10.201                                              Windows 8.1 Professional virtual machine.
Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises.
VM Name          Username       Password   Description
Win81Client      administrator  Citrix123  Domain admin
NS1              nsroot         nsroot     NetScaler admin
AD.training.lab  administrator  Citrix123  Domain admin
Scenario
You have been hired as a consultant to deploy XenMobile Enterprise Edition for MobileTeX, Inc. in order to provide management of devices along with access to internal applications and data resources from any mobile device. Your task is to use the guidelines outlined below to implement a solution that meets the business needs.
High-level guidelines:
MDM enrollment must ensure that device passcodes and restrictions can be enforced.
MAM enrollment may be used to secure company data; e-mail security in particular is a concern. MAM enrollment is also used for BYO scenarios.
All data has to be encrypted in transit and at rest, using FIPS-compliant cryptography.
Exercise 1
Initial Configuration of the XenMobile Server
Overview
Configuring the XenMobile Server is a two-part process. The initial configuration is done at the console of the server: you set the new password, network settings (IP address, subnet mask, default gateway), database location, and external FQDN. Once this is done, you connect to the Administration Console from a web browser to complete the basic configuration via the Getting Started wizard. In this lab, you will perform the initial configuration at the console of the XenMobile 10 server.
Step by step guidance
Estimated time to complete this lab: 20 minutes.
Step Action
1. Within XenCenter, select the SQLServer virtual machine and click the Console tab.
Login as:
Username training\administrator
Password Citrix123
Start the SQL Configuration Manager and verify that the SQL Server Service has been
started. If not, right click on the service and start it now.
2. Within XenCenter, select the XMS virtual machine and click the Console tab. You will notice that the XenMobile Server is in First Time Use mode.
Configure the following:
New Password Citrix123
Re-enter new password Citrix123
3. Configure the following settings:
IP Address 192.168.10.20
Netmask 255.255.255.0
Default gateway 192.168.10.1
Primary DNS server 192.168.10.11
Secondary DNS server [optional] Leave blank and hit Enter
Hit Enter to commit the settings.
4. The network settings are applied. Hit Enter to accept the default [y] to generate a random
password to secure server data.
5. You are given the option to enable FIPS mode. Press y and hit Enter to enable FIPS mode (the scenario requires FIPS-compliant cryptography).
6. Next we will configure the database.
You will be asked what remote Database you will be connecting to.
Hit Enter to accept the default [mi] for Microsoft SQL.
7. To enable a secure connection you must copy or import a root certificate.
Hit Enter to accept the default [y] to upload a root certificate.
Note: FIPS mode only supports an SSL-encrypted remote database connection, which is why the root CA certificate of the SQL Server's certificate is required here.
8. Hit Enter to accept the default [c] to copy (paste) the certificate.
9. In XenCenter, select the AD.training.lab virtual machine and click the Console tab.
Login with the following credentials:
Username training\administrator
Password Citrix123
Note: Ensure you log into the remote desktop. If not, you will not be able to paste the root certificate into the XMS server console.
10. Click on the Desktop tile if required
11. Browse to C:\Software\Certificates to locate the Root.pem certificate
12. Open the Root.pem certificate with Notepad, highlight and copy the contents.
13. In XenCenter, select the XMS virtual machine and click the Console tab. Right-click and
paste the certificate. Hit Enter twice.
14. Configure the database with the following settings:
Server sqlserver.training.lab
Port Hit Enter to accept the default [1433]
Username training\administrator
Password Citrix123
Database name Hit Enter to accept the default [DB_service]
Hit Enter to accept the default [y] to commit the settings.
15. You are prompted to enable clustering. Replace the default [y] with n and hit the Enter key.
16. You are prompted for the XenMobile hostname.
Enter <IP2 FQDN> from your portal page and hit the Enter key.
Note: Your IP2 FQDN is available on the portal page. Example only: 75-126-159-220.mycitrixtraining.net
17. Hit Enter to accept the default [y] to commit the settings.
18. Configure the following communication ports (port listeners):
HTTP [80]
HTTPS with certificate authentication [443]
HTTPS with no certificate authentication [8443]
HTTPS for management [4443]
Hit Enter to accept the default [y] to commit the settings.
19. You are asked to use the same password for all certificates of the PKI.
Hit Enter to accept the default [y].
Configure the following:
New Password: Citrix123
Re-enter new password: Citrix123
Hit Enter to accept the default [y] to commit the settings.
Note: This password protects all the Public Key Infrastructure (PKI) certificates. This step creates the device manager's certificate authorities. If you intend to cluster XenMobile Server nodes, you must provide identical passwords on subsequent nodes.
20. You are prompted to configure the XenMobile console administrator account.
Configure the account as follows:
Username: [administrator]
Password: Citrix123
Re-enter new password: Citrix123
Hit Enter to accept the default [y] to commit the settings.
21. You are asked if this is an upgrade from a previous release.
Hit Enter to accept the default [n].
The initial system configuration is complete.
Make a note of the URL given to complete the setup process.
Exercise Summary
In this exercise, the student performed the initial configuration of the XenMobile Server. During the
first time use, you configured the XenMobile Server networking information, FQDN, DNS Server,
and connection to a remote SQL database.
Exercise 2
XenMobile Server Getting Started Wizard
Overview
In this exercise we will go through the XenMobile Server Getting Started wizard to configure licensing, certificates, NetScaler Gateway and LDAP settings. Categories, applications, policies and delivery groups are configured in the exercises that follow.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
Step Action
1. In XenCenter, select the Win81Client virtual machine and click the Console tab.
Login with the following credentials:
Username: training\administrator
Password: Citrix123
2. Click on the Desktop tile.
3. Launch Internet Explorer and browse to https://192.168.10.20:4443
Click Continue to this website to accept the certificate warning. The warning is expected at this point: the console still presents the self-signed certificate generated during first-time setup. You replace it with the wildcard certificate later in this exercise (step 9); do not get into the habit of clicking through this warning on a production console.
Login with the following credentials:
Username administrator
Password Citrix123
Click Sign in.
4. The Get Started page is displayed. Click Start to begin the configuration wizard.
5. The Initial Configuration window is displayed.
Click Next to accept the use of the evaluation license.
6. On the SSL Certificate page, click Import.
7. Configure the following settings:
Import Keystore
Keystore type PKCS#12
Use as APNs
Keystore file APNS.pfx (Browse to \\Ad\Software\Certificates)
Password Citrix123
Click Import.
A confirmation window pops up.
Click OK.
8. Click Import again.
Configure the following settings:
Import Keystore
Keystore type PKCS#12
Use as Server
Keystore file MCTWildcard.pfx (Browse to \\Ad\Software\Certificates)
Password Citrix123
Click Import.
9. Click Import again.
Configure the following settings:
Import Keystore
Keystore type PKCS#12
Use as SSL Listener
Keystore file MCTWildcard.pfx (Browse to \\Ad\Software\Certificates)
Password Citrix123
Click Import.
10. You receive a prompt
Click OK.
11. Click Import again.
Configure the following settings:
Import Certificate
Use as Server
Certificate import* Root.cer (Browse to \\Ad\Software\Certificates)
Click Import.
12. The APNs, Server, Root and SSL Listener certificates are displayed.
Click Next.
13. Click Next. You are prompted to configure NetScaler Gateway.
Configure the following settings:
Name NSG
Alias Leave Blank
External URL https://<IP1 FQDN>
Logon Type Domain only
Password Required On
Click Next.
Note: Your IP1 FQDN is available on the portal page.
Example Only: 75-126-159-219.mycitrixtraining.net
14. The LDAP Configuration page is displayed.
Configure the following settings:
Primary Server 192.168.10.11
Port 389 (default; plain LDAP)
Domain name training.lab
User base DN dc=training,dc=lab (auto-filled in)
Group base DN dc=training,dc=lab (auto-filled in)
User ID: administrator@training.lab
Password Citrix123
Domain alias training.lab
Use search by sAMAccountName
Click Next.
Note: The lab binds over unencrypted LDAP (port 389) with the domain administrator account, which is acceptable only inside this isolated lab. In a production deployment select Use secure connection with port 636 so that the bind credentials and directory queries are encrypted, and bind with a dedicated read-only service account rather than a domain admin.
15. Click Next to skip the Notification Server configuration.
16. Click Finish on the Summary page.
17. The initial configuration is complete. Click Start Managing Apps and Devices.
18. In XenCenter, select the XMS virtual machine.
Click Reboot to reboot the server.
Click Yes on the popup window to reboot the vm.
19. Wait until the XMS server is back up before continuing with the next exercise.
Exercise Summary
The Getting Started wizard takes you through configuring licensing, certificates, NetScaler Gateway
& LDAP settings for the XenMobile Server.
Exercise 3
Configure Policies on XenMobile Server
Overview
XenMobile Server empowers enterprise organizations to apply device configurations, settings, and security parameters to multiple devices. In this exercise, students will configure policies on XenMobile Server to push to iOS or Android mobile devices.
Step by step guidance
Estimated time to complete this lab: 20 minutes.
Step Action
1. Select the Win81Client virtual machine.
If the vm screen is locked, login with the following credentials:
Username: training\administrator
Password: Citrix123
2. Open a browser and navigate to https://192.168.10.20:4443.
3. Login with the following credentials
Username: administrator
Password: Citrix123
Click Sign in.
4. In the XenMobile Server management console, select the Configure tab and click the
Device Policies node on the green ribbon.
5. On the Device Policies window, click Add.
6. Click Passcode
7. The Policy Information page is displayed. Configure the following:
Policy name Passcode
Click Next.
8. Clear the checkboxes next to the Samsung SAFE, Samsung KNOX, Windows Phone 8.1 and Windows 8.1 Tablet platforms. These platforms will be disabled, so the policy applies only to iOS and Android.
9. The Policy Information window is displayed for iOS devices.
Configure the following settings:
Passcode required On
Minimum length 6
Maximum failed sign-on attempts 4
Click Next.
10. The Policy Information window is displayed for Android devices.
Configure the following settings:
Passcode required On
Minimum length 6
Maximum failed sign-on attempts 4
Click Next
11. Apply policy to AllUsers and click Save.
12. The Passcode policy is displayed.
13. Click Add again.
14. The Add a New Policy window is displayed. Click More.
15. Under the Security column, select Credentials.
16. The Credentials Policy configuration is displayed.
Configure the following:
Policy Name* Root Certificate
17. On the left side of the Window, deselect the Windows 8.1 Tablet platform.
Click Next.
18. The Policy Information window for iOS devices is displayed.
Configure the following settings:
Credential Name* Root Certificate
The credential file path* Root.cer (Click browse and navigate to
\\AD\Software\Certificates)
Click Next.
19. The Policy Information window for Android devices is displayed.
Configure the following settings:
Credential File Path: Root.cer (Click browse and navigate to
\\AD\Software\Certificates)
Click Next.
20. Apply policy to AllUsers and click Save.
21. The Root Certificate policy is displayed.
22. Click Add again.
23. The Add a New Policy window is displayed. Click Restrictions.
24. The Restrictions Policy configuration is displayed.
Configure the following:
Policy Name* Device Restrictions
25. On the left side of the Window, deselect the Windows Phone 8.1, Windows 8.1 Tablet and
Amazon platforms.
Click Next.
26. The Policy Information window is displayed for iOS devices. Here you see the list of possible hardware restrictions for iOS devices, together with the iOS version and device mode required for each restriction to apply.
Scroll down and set AirDrop to OFF and click Next.
Note: The AirDrop restriction only applies to devices in Supervised Mode. Test it on your device.
Note: If you are using an iOS device, also deselect the Samsung SAFE platform (in Step 25) and skip to Step 28.
27. The Policy Information window is displayed for Samsung SAFE devices. Here you see the list of possible hardware restrictions for Samsung devices with SAFE mode enabled.
Scroll down and set NFC to OFF and click Next.
Note: The NFC restriction only applies on Samsung SAFE devices. Test it on your device.
28. Apply policy to AllUsers and click Save.
29. The Device Restrictions policy is displayed.
30. Click Add again.
31. The Add a New Policy window is displayed. Type Location in the search bar and click the Search button.
32. Select Location Services.
33. In the Policy Name field type Geofence Policy and click Next.
34. The Policy information window is displayed for iOS devices
Configure the following settings:
Report if Location Services are disabled On
Geofencing On
Radius 500 Meters
Center Point Latitude 36.1214
Center Point Longitude -115.1689
Warn on Perimeter breach On
Wipe Corporate data on perimeter breach On
Click Next.
35. The Policy information window is displayed for Android devices
Configure the following settings:
Report if Location Services are disabled On
Geofencing On
Radius 500 Meters
Center point latitude 36.1214
Center point longitude -115.1689
Warn user on perimeter breach On
Device connects to XenMobile for policy refresh Wipe corporate data
Delay on local wipe 60 seconds
Click Next.
36. Apply policy to AllUsers and click Save.
37. The Geofence Policy is displayed
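The geofence settings above define a 500 m circle around a centre point and two responses to leaving it. As an added illustration (this is not XenMobile's own code, which the guide does not show), the following Python models how such a policy is evaluated against one reported device location: the distance from the centre is computed with the haversine formula, a report inside the radius is compliant, a report with Location Services off is flagged, and a report outside the perimeter triggers the warning and, once the configured delay on local wipe has elapsed, the corporate-data wipe. The GeofencePolicy structure, the seconds_outside parameter and the action names are assumptions made for the example.

```python
"""Added example: evaluating a geofence policy like the lab's Geofence Policy (not XenMobile code)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class GeofencePolicy:
    """Assumed structure mirroring the Location Services policy fields set in steps 34-35."""
    center_lat: float
    center_lon: float
    radius_m: float
    report_if_location_disabled: bool = True
    warn_on_breach: bool = True
    wipe_on_breach: bool = True
    local_wipe_delay_s: int = 0  # 'Delay on local wipe' (Android variant)


# The lab policy: centre 36.1214, -115.1689, radius 500 m, 60 s delay on local wipe.
LAB_POLICY = GeofencePolicy(36.1214, -115.1689, 500.0, local_wipe_delay_s=60)


def evaluate(policy: GeofencePolicy,
             location: Optional[Tuple[float, float]],
             seconds_outside: int = 0) -> List[str]:
    """Return the actions the policy demands for one location report.

    location=None models a device whose Location Services are switched off.
    seconds_outside is how long the device has already been outside the
    perimeter; it is an assumption used to model the local-wipe delay.
    """
    if location is None:
        return ["report_location_services_disabled"] if policy.report_if_location_disabled else []
    lat, lon = location
    distance = haversine_m(policy.center_lat, policy.center_lon, lat, lon)
    if distance <= policy.radius_m:
        return ["in_perimeter"]
    actions: List[str] = []
    if policy.warn_on_breach:
        actions.append("warn_user")
    if policy.wipe_on_breach and seconds_outside >= policy.local_wipe_delay_s:
        actions.append("wipe_corporate_data")
    return actions


if __name__ == "__main__":
    # Constructed sample reports: at the centre, ~400 m north, ~956 m north (twice), GPS off.
    samples = [((36.1214, -115.1689), 0), ((36.1250, -115.1689), 0),
               ((36.1300, -115.1689), 0), ((36.1300, -115.1689), 60), (None, 0)]
    for loc, outside in samples:
        print(loc, outside, "->", evaluate(LAB_POLICY, loc, outside))
```

Note that the decision is only as good as the location the device reports; the "Report if Location Services are disabled" setting exists precisely because a user can simply switch positioning off, which is why the policy treats a missing location as a reportable condition rather than silently as compliant.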
38. Click Add again
39. The Add a New Policy window is displayed. Click More.
40. Under the Security column, select Samsung MDM License Key.
41. Enter Samsung SAFE in the policy name and uncheck Samsung KNOX.
Click Next.
42. Leave the default string in the ELM license key field.
Click Next and assign the policy to the AllUsers delivery group.
Click Save.
43. Click Add again
44. The Add a New Policy window is displayed. Type App Inventory in the search bar and
click the Search button. Click More
Choose App Inventory, enter App Inventory in the policy name and uncheck all but iOS and
Android in the platform section. The Policy will be enabled by default for iOS and Android.
Click Next three times and assign the policy to the AllUsers delivery group.
Click Save
45. The last policy to set up ensures that Android devices receive policy updates and new apps without user interaction. On iOS this is accomplished by APNS; for Android devices we set up a scheduler (interval or always connected).
Click Add again.
The Add a New Policy window is displayed. Select Scheduling and enable only the Android platform, to keep it connected to the XenMobile Server.
46. Enter Schedule as the policy name, disable the Symbian platform and select Always so the device stays permanently connected.
Click Next and assign the policy to the AllUsers delivery group.
47. You should have the following policies defined by now.
48. Click the Settings tab on the green ribbon.
Navigate to More> Client> Client Properties
49. The Client Properties are displayed.
Click the checkbox next to Enable Worx PIN Authentication then click Edit.
50. Change the Value parameter to true and click Save.
51. Configure the remaining Client Properties with the following settings:
Enable User Password Caching true
Encrypt secrets using Passcode true
Worx PIN Strength Requirement Strong
Enable FIPS Mode true
52. After all the changes your Client Properties should look like this:
Exercise Summary
You have now configured Passcode, Credentials and Device Restrictions policies. The root certificate is required to establish trust between WorxMail and Exchange. Check which device restrictions actually applied: not all of them can be enforced at device level without placing the device in supervised or SAFE mode. You have also configured secure client property settings so that strict security requirements are met. Now you are ready to add categories and applications to XenMobile Server.
Exercise 4
Adding Categories and Applications to XenMobile Server
Overview
In this exercise students will create Categories within the XenMobile Server. Students will then add
mobile, web, and SaaS applications and assign them to the appropriate category.
Step by step guidance
Estimated time to complete this lab: 25 minutes.
Step Action
1. On the green ribbon, click on the Apps tab.
2. Click Category.
3. The Categories Window pops up. In the Add new category text box, enter Sales Apps
and click the plus sign in the green box.
4. The Sales Apps category is added.
5. Repeat Steps 2-3 to add the following categories:
Engineering Apps, Office Apps, and Web Links.
6. The categories have been added.
Click the X on the top right corner to close the window.
7. Click Add.
8. In the Add App window, click the Web Link app type.
9. The Add Web App window is displayed. Configure the following settings:
App Name Citrix
App description Citrix Company site
URL http://www.citrix.com
App is hosted in internal network Off
App Category Web Links
Click Next.
10. Assign to AllUsers and click Save.
11. Click Add again.
12. This time select MDX.
13. Configure the application as follows:
Name* WorxMail
App category Office Apps
14. Deselect the Windows Phone platform options on the left.
Click Next.
15. In the iOS MDX App window, click Upload.
Select \\AD\Software\XenMobile MDX Apps\iOS\WorxMail.mdx file.
16. The iOS MDX App details and policy options appear.
17. Scroll down to the Network Access section and configure the following:
Network access Tunneled to the internal network
18. Scroll down to the Application Settings section and configure the following settings:
WorxMail Exchange Server exchange.training.lab
WorxMail user domain training
Background network services exchange.training.lab:443
Background network service gateway <IP1 FQDN>:443
Export Contacts ON
Click Next.
Note: Your IP1 FQDN is available on the portal page. Example only: 75-126-159-219.mycitrixtraining.net
19. In the Android MDX App window, click Upload.
Select \\AD\Software\XenMobile MDX Apps\Android\CitrixEmail.mdx file.
20. The Android MDX App details and policy options appear.
21. Scroll down to the Network Access section and configure the following:
Network access Tunneled to the internal network
22. Scroll down to the Application Settings section and configure the following settings:
WorxMail Exchange Server exchange.training.lab
WorxMail user domain training
Background network services exchange.training.lab:443
Background network service gateway <IP1 FQDN>:443
Export Contacts ON
Click Next.
Note: Your IP1 FQDN is available on the portal page. Example only: 75-126-159-219.mycitrixtraining.net
23. Click Next. The Approvals window is displayed.
24. Click Next to skip the Approvals window.
25. Assign to AllUsers and click Save to save the application and its settings.
26. WorxMail has been added to the App Store.
27. Repeat Steps 11-12 of this exercise to add WorxWeb.
28. Configure the application as follows:
Name WorxWeb
App category Office Apps
29. Deselect the Windows Phone platform option on the left.
Click Next.
30. In the iOS MDX App window, click Upload.
Select \\AD\Software\XenMobile MDX Apps\iOS\WorxWeb.mdx file.
31. The iOS MDX App details and policy options appear.
32. Scroll down to the Application Settings section and configure the following:
Preloaded bookmarks "Citrix",Edocs,http://support.citrix.com/proddocs
Home page URL http://www.citrix.com
Browser UI Read-only address bar
Click Next.
33. In the Android MDX App window, click Upload.
Select \\AD\Software\XenMobile MDX Apps\Android\CitrixBrowser.mdx file.
34. The Android MDX App details and policy options appear.
35. Scroll down to the Application Settings section and configure the following:
Preloaded bookmarks "Citrix",Edocs,http://support.citrix.com/proddocs
Home page URL http://www.citrix.com
Browser UI Read-only address bar
Click Next.
36. Click Next to skip the Approvals configuration.
37. Apply to AllUsers and click Save.
38. WorxWeb has been added to the App Store.
Note: If you are performing this lab with an iOS device,
go to Step 42.
39. Navigate to Configure > Settings and expand the More node.
40. Under the Server section, click on Google Play Credentials.
41. Enter your Google credentials and device id below.
User name:
Password:
Device ID:
Note: To obtain your device id, download the
Device ID application from the Google Play store.
42. Navigate to Configure -> Apps and click Add again.
43. Select Public App Store.
44. The App Information window is displayed.
Configure the following settings:
Name* GoToMeeting
App category Default
45. Windows Tablet and Windows Phone are disabled by default.
Click Next.
46. In the Search text box, enter GoToMeeting and click Search.
47. The Search results are displayed.
Click on GoToMeeting.
48. Scroll down and expand Worx Store Configuration.
Note: If you are performing this lab with an iOS device,
uncheck the Google Play platform.
49. App ratings and Allow app comments are enabled by default.
Click Next.
50. The iPad search results are displayed.
Click GoToMeeting.
51. Scroll down and expand Worx Store Configuration.
52. Allow App ratings and Allow app comments are enabled by default.
Click Next.
53. The Search results for Google Play are displayed.
Click GoToMeeting.
54. Scroll down and expand Worx Store Configuration.
55. App ratings and Allow app comments are enabled by default.
Click Next.
56. Click Next to skip the Approvals configuration.
Apply to the AllUsers group and click Save.
57. GoToMeeting has been added from the public app store.
58. Click Add again and select Public App Store.
Name* Citrix Receiver
App category Default
59. Windows Tablet and Windows Phone are disabled by default.
Click Next.
Note: If you are performing this lab with an iOS device,
uncheck the Google Play platform.
60. Name the application Citrix Receiver.
Click Next.
61. In the Search text box, enter Citrix Receiver and click Search.
62. The search results for iPhone are displayed.
Click on Citrix Receiver.
63. Scroll down and expand Worx Store Configuration.
64. Allow App ratings and Allow app comments are enabled by default.
Click Next.
65. The search results for iPads are displayed.
Click on Citrix Receiver.
66. Scroll down and expand Worx Store Configuration.
67. Allow App ratings and Allow app comments are enabled by default.
Click Next.
68. The search results for Google Play are displayed.
Click on Citrix Receiver.
69. Scroll down and expand Worx Store Configuration.
70. Allow App ratings and Allow app comments are enabled by default.
Click Next.
71. Click Next to skip the Approvals configuration.
Apply to the AllUsers group and click Save.
72. Citrix Receiver is added to the Enterprise App Store.
Exercise Summary
You have now added web links, mdx apps, and public store applications to XenMobile Server for
your iOS or Android devices. Now you are ready to add applications to delivery groups in order to
control the deployment of the apps
Exercise 5
Assigning Applications to a Delivery Group
Overview
In this exercise students will create Delivery Groups within the XenMobile Server, map Active Directory groups to those delivery groups, and assign applications to them.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Step Action
1. Select the Configure tab, and on the green ribbon, click Delivery Groups.
2. Click Add.
3. Name the Delivery Group Sales.
Click Next.
4. The Select User Groups window is displayed.
Type Sales in the Include user groups text box and click the Search button.
5. The Sales group is enumerated. Click the checkbox next to the Sales group.
Click Next.
6. The Policies window is displayed. Drag the App Inventory, Schedule, Root Certificate,
Samsung Safe, Device Restrictions and Passcode policies to the right to assign to the
delivery group.
Leave the Geofence Policy unassigned for right now.
Then click Next.
7. The Applications window is displayed.
8. Drag GoToMeeting, Citrix Receiver, WorxMail, and WorxWeb applications over to the
Required Applications box. Drag the Citrix web link over to the Optional Applications
box.
Click Next.
9. The Actions window is displayed.
Click Next to skip.
10. The Summary page is displayed.
Click Save.
11. The Sales delivery group is saved.
12. Click on the Sales delivery group.
13. The properties of the delivery group are displayed.
Click on Deploy.
14. Click Deploy again on the Deploy devices popup window.
15. Click the X to close the Sales delivery group properties window.
16. Repeat the steps with the same policies and apps for a new delivery group called
Engineering.
17. Verify the setting of the AllUsers delivery group and make sure only the Passcode policy
is set and all apps are defined as Optional Apps.
Exercise Summary
In this exercise you created delivery groups, mapped an AD group to each delivery group, and assigned policies and applications to them. This allows an administrator to easily assign applications to users based on their group membership.
Exercise 6
Configure NetScaler Gateway for Enterprise Store
Overview
In this exercise you will use the XenMobile Get Started wizard within the NetScaler Configuration
Utility to configure NetScaler Gateway for an Enterprise Store. The wizard will create the virtual
server, load balancing virtual server, policies, and profiles necessary to connect to the enterprise
store on the XenMobile Server.
Step by step guidance
Estimated time to complete this lab: 20 minutes.
Step Action
1. With SSL offload, the SSL session terminates on the NetScaler and the connection from the NetScaler to the XenMobile Server is plain HTTP on TCP port 80. The XenMobile Server firewall does not allow port 80 by default, so it has to be reconfigured.
Switch to XenCenter, go to the console of the XenMobile Server (XMS) and log on with the following credentials:
Username admin
Password Citrix123
2. Enable TCP port 80 traffic to the XenMobile Server. Because the traffic between the
NetScaler and XMS on port 80 is unencrypted, add the NetScaler Gateway SNIP to the
access white list so that only the NetScaler can reach the HTTP service. This is optional in
the lab (the white list is left empty below) but should be done in a production deployment.
-----------------------------------
Main Menu
-----------------------------------
[0] Configuration
[1] Clustering
[2] System
[3] Troubleshooting
[4] Help
[5] Log Out
-----------------------------------
Choice: [0 - 5] 0
-----------------------------------
Configuration Menu
-----------------------------------
[0] Back to Main Menu
[1] Network
[2] Firewall
[3] Database
[4] Listener Ports
-----------------------------------
Choice: [0 - 4] 2
Configure which services are enabled through the firewall.
Can optionally configure allow access white lists:
- comma separated list of hosts or networks
- e.g. 10.20.5.3, 10.20.6.0/24
- an empty value means no access restriction
- enter c as value to clear list
HTTP service
Port: 80
Enable access (y/n) [n]: y
Access white list []:
Management HTTPS service
Port: 4443
Enable access (y/n) [y]:
Access white list []:
SSH service
Port [22]: 22
Enable access (y/n) [n]:
Management API (for initial staging) HTTPS service
Port [30001]:
Enable access (y/n) [n]:
Remote support tunnel
Port [8081]:
Enable access (y/n) [n]:
Applying firewall settings ...
Writing iptables configuration...
Restarting iptables...
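As an added example (not part of the lab guide and not the code XMS itself runs), the following Python renders the console choices above into an equivalent iptables rule set and evaluates a source address against it, so the difference between the empty white list used in the lab and a white list containing only the NetScaler SNIP is visible. The rule shape and the SNIP value 192.168.10.51 are assumptions of this example; the lab does not state the SNIP and XMS writes its own rules.

```python
"""Added example: model the XMS console firewall settings from Exercise 6
step 2 as iptables rules and evaluate which sources reach which ports.
Not the lab's or Citrix's code; the rule shape is an assumption."""
import ipaddress

# (service, tcp port, enabled, access white list string) as typed into
# the console. The lab leaves the HTTP white list empty (open to all).
LAB_SETTINGS = [
    ("HTTP", 80, True, ""),
    ("Management HTTPS", 4443, True, ""),
    ("SSH", 22, False, ""),
    ("Management API", 30001, False, ""),
    ("Remote support tunnel", 8081, False, ""),
]

# Hardened variant: plain HTTP only from the NetScaler SNIP.
# 192.168.10.51 is an assumed SNIP; the lab does not state it.
NETSCALER_SNIP = "192.168.10.51"
HARDENED_SETTINGS = [("HTTP", 80, True, NETSCALER_SNIP)] + LAB_SETTINGS[1:]


def parse_whitelist(value):
    """Parse the console's comma separated host/network list.
    A bare host becomes a /32; an empty string means no restriction."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def iptables_rules(settings):
    """Render one INPUT chain: per service, ACCEPT from white listed
    sources (or from anywhere if the list is empty), otherwise DROP.
    The chain's default policy is assumed to be DROP."""
    rules = []
    for name, port, enabled, whitelist in settings:
        base = f"-A INPUT -p tcp --dport {port}"
        if not enabled:
            rules.append(f"{base} -j DROP  # {name}: disabled")
            continue
        nets = parse_whitelist(whitelist)
        if not nets:
            rules.append(f"{base} -j ACCEPT  # {name}: open to all sources")
            continue
        for net in nets:
            rules.append(f"{base} -s {net} -j ACCEPT  # {name}")
        rules.append(f"{base} -j DROP  # {name}: source not in white list")
    return rules


def evaluate(settings, port, source):
    """First-match evaluation of a TCP connection attempt, as the
    INPUT chain above would decide it. Returns 'ACCEPT' or 'DROP'."""
    addr = ipaddress.ip_address(source)
    for _name, svc_port, enabled, whitelist in settings:
        if svc_port != port:
            continue
        if not enabled:
            return "DROP"
        nets = parse_whitelist(whitelist)
        if not nets:
            return "ACCEPT"
        return "ACCEPT" if any(addr in net for net in nets) else "DROP"
    return "DROP"  # no service on that port: default policy


if __name__ == "__main__":
    for label, settings in (("lab", LAB_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"--- {label} ---")
        print("\n".join(iptables_rules(settings)))
        print("port 80 from another host:", evaluate(settings, 80, "192.168.10.200"))
```

With the lab settings any host on the network can reach the plain-HTTP service that now carries the offloaded MDM traffic; with the SNIP in the white list only the NetScaler can.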
3. Select the Win81Client virtual machine in XenCenter.
4. In IE, open another tab and navigate to http://192.168.10.50 and log on with the
following credentials:
Username nsroot
Password nsroot
5. In the NetScaler Gateway Configuration Utility, scroll down to the Integrate with Citrix
Products section and click XenMobile.
Click Get Started.
6. Scroll down to the bottom of the window and click Continue.
7. Configure the following settings:
IP Address 192.168.10.100
Port 443
Virtual Server Name XenMobileGateway
Click Continue.
8. The wildcard.mycitrixtraining.net certificate is selected by default.
Click Continue.
9. Configure the following Authentication Settings:
IP Address 192.168.10.11
Port 389
Base DN dc=training,dc=lab
Service account administrator@training.lab
Password Citrix123
Confirm Password Citrix123
Server Logon Name Attribute sAMAccountName
Click Continue.
Note: A best practice is to use a dedicated, least-privileged service account for the LDAP bind rather than the domain administrator; for this lab environment and exercise, the administrator account is used. Port 389 is unencrypted LDAP, so the bind credentials and user passwords cross the network in clear text. In production, use LDAPS (port 636) with the CA certificate installed on the NetScaler.
10. Configure the MAM controller FQDN, the load balancing VIP address and port number,
select HTTP communication to the XenMobile Server, and click Continue:
Load Balancing FQDN for MAM IP2FQDN
Load Balancing IP address for MAM 192.168.10.21
Port 8443
Note: Your IP2 FQDN is available on the portal page.
Example Only: 75-126-27-196.mycitrixtraining.net
11. The wildcard.citrixtraining.lab certificate is selected by default for the load
balancer SSL communication.
Click Continue.
12. Add the XenMobile Server to the load balancer and click Continue.
13. Click Load Balance Device Manager Servers.
14. The Load Balancing Virtual Server Configuration window comes up.
Configure the following settings:
IP Address* 192.168.10.101
Name*: XenMobileMDM
Click Continue.
15. Select the existing certificate wildcard.mycitrixtraining.net and click
Continue.
16. For SSL Offload, the NetScaler needs the XenMobile device CA certificate, which can be
exported from the XenMobile Server.
Open a new tab in your browser, connect to https://192.168.10.20:4443 and log in as
administrator.
Navigate to Configure -> Settings -> Certificates and select cacerts.pem.
17. Click on Export and save the file.
18. Back on the NetScaler GUI tab, choose Install Certificate and click Browse.
Navigate to the .pem file you exported in the previous step and select it.
Click Continue.
19. The XenMobile Server should already be known from the first part of the wizard, when the
MAM load balancer was configured.
If not, use the Add Server button and add XMS (192.168.10.20).
Click Continue.
20. You can review / edit the configuration before exiting the wizard.
Click Done.
21. NetScaler Gateway and XenMobile Server Load Balancing should be reported as “up”.
22. Navigate to NetScaler Gateway > Virtual Servers and double-click the
_XM_XenMobileGateway virtual server.
23. Scroll down to the Policies section. Click on Session Policies.
24. Notice that the wizard has created all session policies and profiles.
25. Select the PL_OS_192.168.10.100 policy and click Edit > Edit Action.
26. Select the Published Applications tab and configure the following settings:
Web Interface address Unchecked (The field should be blank)
Single Sign-on Domain Unchecked (The field should be blank)
27. Select the Client Experience tab and configure the following settings:
Split Tunnel* On
Clientless Access* On
Clientless Access URL Encoding* Clear
Single Sign-on to Web Applications Checked
28. Scroll down and click OK to close the session profile.
29. Click Close, then click Back to close the Policy Binding window.
30. Navigate to NetScaler Gateway > Resources > Intranet Applications and click Add.
31. Enter the following Intranet Application settings:
Name* Mobility
Mode* Transparent
Protocol* TCP (Accept the default)
Destination Type IP Address and Netmask (Accept the default)
IP Address* 192.168.10.0
Netmask 255.255.255.0
Click Create.
Because Split Tunnel was set to On in the session profile, only traffic to the networks
defined as intranet applications (here 192.168.10.0/24) is sent through the mVPN; all other
device traffic bypasses the gateway.
32. Navigate to NetScaler Gateway > Virtual Servers and double-click the
_XM_XenMobileGateway virtual server.
33. Under the Advanced section on the right, click the “+” next to Intranet Applications.
34. Scroll down to the Intranet Applications section.
Click No Intranet Application.
35. Click the “>”.
36. Click the radio button next to the Mobility intranet application.
Click OK.
37. Click Bind.
38. The Mobility intranet application is now bound to the _XM_XenMobileGateway virtual
server.
Exercise Summary
In this exercise, you used the wizard to configure NetScaler Gateway to connect to an enterprise
store. The wizard created the virtual server as well as the authentication and session policies. The
wizard is designed to simplify configuration for the administrator so that manual configuration of the
policies is avoided.
Note: A best practice is to save the running configuration after making
changes. This prevents loss of configuration in the event the NetScaler is
rebooted.
Exercise 7
Device Enrollment
Overview
In order for XenMobile Server to manage mobile devices, the WorxHome client must be installed
and configured on the endpoint device. In this exercise, you will install WorxHome and configure
the XenMobile Server IP address that the device should connect to for enrollment.
Step by step guidance
Estimated time to complete this lab: 8 minutes.
Step iOS Android
1. iOS: Download and install WorxHome from the Apple App Store.
Android: Download and install WorxHome from the Google Play Store.
2. Both: After installation is complete, launch the WorxHome application.
Note: If your device is enrolled with another MDM solution, the enrollment will fail. To continue, you must un-enroll from your existing MDM solution.
3. Both: You are prompted for the server URL, UPN or e-mail address.
Enter the IP2 FQDN. Your IP2 FQDN is available from the portal page.
Example Only: 75-126-27-196.mycitrixtraining.net
Tap Next.
4. Both: Tap Yes to enroll your device.
5. iOS: Enter the user credentials.
Username: sales1
Password: Citrix123
Tap Sign On.
Android: You are prompted to activate the Device Administrator. Tap Activate.
6. iOS: A browser message "Enroll Your iPhone/iPad" will appear.
Android: Enter the user credentials.
Username: sales1
Password: Citrix123
Tap Sign On.
7. iOS: In the following steps the device is prepared for corporate usage. You will go
through the tasks to install the following profiles:
XenMobile CA
XenMobile Profile Service
MDM Configuration
For each of these you need to confirm the installation, enter the device PIN and confirm
that you trust the management.
Android: WorxHome has enrolled your device against the MDM service and will SSO to the
MAM instance (Authenticating).
If you are using a Samsung SAFE capable device, you will be asked to accept the terms and
conditions and to enter your current PIN code to confirm.
If your PIN code does not meet the new requirements, enter and confirm a 6-digit PIN code.
WorxHome then asks for a Worx PIN code, whose requirements were defined as Client
Properties in the XenMobile Server configuration.
Note: Your PIN cannot be consecutive numbers (e.g. 123456).
8. iOS: WorxHome has enrolled your device against the MDM service and will SSO to the MAM
instance (Authenticating).
WorxHome then asks for a Worx PIN code, whose requirements were defined as Client
Properties in the XenMobile Server configuration. Enter and confirm your 6-digit PIN code.
Android: Tap OK to install the CA certificate.
9. Both: Confirm that WorxHome is allowed to use the device's location service.
If you do not have a screen lock configured, you are prompted to configure your screen
lock settings. Specify a PIN in the settings.
Note: Your PIN cannot be consecutive numbers (e.g. 123456).
10. iOS: Depending on your current settings and installed apps you will be requested to:
Enter a passcode (passcode policy)
Confirm app install (mandatory apps)
Enter the App Store password (public apps)
Android: Some Android devices require you to allow installation of apps from unknown
sources before WorxWeb and WorxMail can be installed. This is done in Settings > Security >
Unknown Sources.
11. Both: Tap on the + Worx Store icon to access the enterprise store.
Mandatory MDX apps will be pushed automatically after you confirm.
12. Android: You are taken to the Google Play store to install public app store apps such as
Citrix Receiver.
Tap Install > Accept.
13. Both: All installed applications are accessible on your home screen (springboard on iOS).
Exercise Summary
In this exercise, you have now enrolled your iOS or Android device. You also successfully pushed
mobile applications to your mobile device. Only after the device is successfully enrolled can it be
managed by policies on the XenMobile Server.
Note: Order of application installs
may vary. You may have to
logoff/login in order for applications
to download.
Exercise 8
Verify Enrollment and Enterprise App Store
Overview
Before working more closely with security policies, we will verify which policies and apps have
been installed. You may find pending or failed deployments in the current setup; the console
should reveal the likely causes. You will also review an app in your Enterprise app store.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
Step iOS Android
1. Both: Launch WorxHome and tap on the menu button. Here you can find information about
your mobility status. Tap Device Info.
2. iOS: Verify your login name (sales1) and device information (XMS server, WorxHome
version and location).
Android: Verify your login name (sales1) and device information (XMS server, WorxHome
version).
3. Open IE on your Windows 8 VM, connect to the XMS console on
https://192.168.10.20:4443 and log in as administrator.
We will verify the communication and enrollment status from the XenMobile Server side.
Navigate to Manage > Devices.
Your device should appear in the list, with both MDM and MAM mode shown in green.
4. Clicking on a device displays a pop-up with options to show device details or to perform
actions against it.
Click on Notify to send a test message to your device.
Note: The device is assigned to 2 delivery groups, which
provide 4 policies and 5 applications.
5. Enter "Test message from XMS" in the message box and deselect the SMTP and SMS
checkboxes.
Click on Notify.
6. Check your device for the message.
7. Switch to your XMS console screen, click on the Secure button and use the Locate
function.
8. After a short while you should see your location in the device details (click on Show
more >). To speed this up, launch WorxHome on your device.
9. You can verify the status of the deployment in the device details. Click on your device in
the device list and select Show More >.
10. Click 4 Assigned Policies under the Device details section on the left.
You should quickly see if any of the policies or apps could not be deployed. Deployment
errors can have various reasons, and sometimes it just needs a bit more time until the
deployment is finished and XMS is aware of that.
11. Deployment failures are also visible in the device list.
In the screenshot, this Android device reported a deployment error. Clicking on Show more
again displays the following screen:
The Samsung SAFE policy, which enables additional management capabilities, could not
be deployed: the device is a Samsung device but does not support the SAFE features.
12. Selecting 7 Delivery Groups typically provides more details on the deployment operation.
13. In this step we are going to observe the changes applied to the device during the
enrollment process.
14. iOS: Navigate to Settings > General -> Profiles & Device Management. There should be
2 profiles: MDM Configuration and XenMobile CA.
In MDM Configuration you will find the restrictions and managed apps.
In XenMobile CA you will find details about the certificates installed.
Android: Navigate to Settings > Security -> Device Administrator. Worx Home is listed
and checked as Device Administrator.
Navigate to Settings > Security -> Trusted Credentials -> User.
The only certificate exposed to the user is the Root.cer from the credential policy.
15. Both: Close Settings and switch to Worx Home.
Note (iOS): Removal of the profiles renders the device unmanaged and company access is denied. Only devices in "Supervised Mode" prevent the user from removing the profiles.
Note (Android): Disabling Worx Home as device administrator renders the device unmanaged and company access is denied.
16. The company app store can be accessed from Worx Home by tapping on the + sign.
17. The store offers the links, apps from the public App Store and MDX-enabled apps. When
you added apps in the XenMobile Server console, you allowed App Store rating and
reviewing in the app policy.
18. Tap on the GoToMeeting icon, rate the app and write some text in the review.
19. Switch to IE on your Windows 8 VM, connect to the XMS console
https://192.168.10.20:4443 and log in as administrator.
Navigate to Configure > Apps and click on GoToMeeting > Show more.
The deployment information shows how many times the app has been installed, against
failed or pending deployments.
Verify the rating you gave in the Worx Store on your mobile device in the previous step.
Exercise Summary
In this exercise, you have verified the enrollment of a mobile device in your lab. The device is
confirmed and operating in MDM and MAM mode. The device is able to receive notifications, either
through APNS or scheduling. Common policies such as password policies were enforced.
Exercise 9
Working with Device and MDX Policies
Overview
In the previous exercise you verified that the XenMobile Server manages your device and that
policies have been applied. This exercise shows some of the limitations of MDM and how XenMobile
Enterprise (XME) closes the gap with the MDX technology. You will go through steps to apply tighter
security policies and verify the effect for the user.
The guide assumes that your Android device is not SAFE capable; otherwise the MDM and/or MDX
policies may be used. Due to the diversity of Android products, some steps may not work or
software might not be available for testing some advanced policies (e.g. NFC blocking).
Step by step guidance
Estimated time to complete this lab: 30 minutes.
Step Action
1. Review the MDM policies currently configured on XMS.
Delete the Samsung SAFE policy to ensure NFC is enabled on your device.
The Geofence policy is the only policy NOT yet assigned to any delivery group.
2. iOS: You may verify that only the passcode, root cert and app inventory policies are
relevant and successfully deployed.
The device restriction policy for iOS is configured to disallow AirDrop, but this policy
only applies to devices enrolled in supervised mode.
Android: This exercise requires a device which has NFC (Near Field Communication)
hardware built in. http://www.nfcworld.com/nfc-phones-list/ provides a list of NFC
equipped devices, or check for the NFC logo on the device.
3. iOS: Verify AirDrop operation with a second device if available, or ask a colleague to
work together on this lab.
Android: Verify NFC operation with a second device if available, or ask a colleague to
work together on this lab.
4. iOS: Make sure your device has AirDrop enabled and activated in the Control Center.
Android: Make sure your device has NFC enabled. Go to Settings > Wireless & Networks >
More.
5. iOS: Open a picture or take a picture with your camera app and tap on the share icon.
Android: Use your favorite tool to exchange files (Beam file) or read / write an NFC tag.
6. iOS: AirDrop is still working as expected. Android: NFC is still working as expected.
Note: If you do not have a second device or a colleague/student to verify that AirDrop or NFC is functional, go to Step 7.
7. We will add a new MDX app and go through some security policies to ensure data can only
be shared in a controlled manner.
No data may be shared outside the policy enforced by MDX.
Switch to your XMS Console (https://192.168.10.20:4443) and navigate to Configure ->
Apps and add a new app by clicking on the add icon:
8. We will add Worx Edit to the Enterprise App Store, to work with office documents in a
secure sandboxed environment on the mobile device. Click MDX.
Configure Worx Edit for iOS and Android as follows:
App Name Worx Edit
App Category Office Apps
iOS binary \\ad\Software\XenMobile MDX Apps\iOS\WorxEdit.mdx
Android binary \\ad\Software\XenMobile MDX Apps\Android\WorxEdit.mdx
The policies we are going to set aim to allow inbound document exchange only from Worx
Mail and to limit the clipboard cut and copy functions.
Verify the following settings in the app policies:
Erase app data on lock ON
Cut/Copy Restricted
Paste Unrestricted
Document Exchange (Open In) Restricted
Inbound document exchange (Open In) Restricted
Block AirDrop (iOS) ON
Block NFC (Android) ON
Assign Worx Edit to the Sales and Engineering groups and click Save.
9. We also want to verify the security policy of the Worx Mail application.
Click on the Edit button.
10. Change / verify that the following values are set in the policies for iOS and Android.
App Passcode ON
This setting forces the user to enter the configured PIN when launching / switching to the
app. This policy works in conjunction with the inactivity timer (default 60 min).
Maximum offline period 24
The app must connect to XMS for app entitlement / policy changes at least once a day.
App update grace period 72
An app update cannot be postponed for longer than 3 days.
Erase app data on lock ON
Whenever a lock is issued, e.g. because of a lost device, app entitlement removal or Worx
Home removal, all app data is deleted.
Cut and copy Restricted
Paste Unrestricted
Document Exchange (Open In) Restricted
Inbound document Exchange (Open In) Restricted
Block AirDrop (iOS) / Block NFC (Android) ON
After you have finished with the changes, click on the Save button.
11. Open a new tab in the browser and connect to Outlook Web App on your Exchange server,
https://exchange.training.lab/owa, and log in as training\user1 with password Citrix123. Click
OK to accept the time zone.
12. Create a new message and attach the citrix-secure-email-deployment-guide.pdf located
at C:\.
Send it to salesone@training.lab.
13. Conduct the next steps on the mobile device which is enrolled to the training lab you
configured during the class.
14. Launch Worx Home and open the Worx Store. Swipe down on the screen to refresh the
store if Worx Edit isn’t listed yet.
15. Install Worx Edit by tapping on the respective icon / plus sign. A confirmation for the app
install will be requested from the user. The process is the same for both iOS and Android,
though screens might slightly differ.
16. Both: Launch Worx Mail on your device. The Exchange server and user ID have already
been populated by the configuration. Submit your password (Citrix123).
17. Both: You will find the message from UserOne in your inbox.
18. Both: Open the e-mail, tap on the attached PDF and try to share it with other apps
(open in).
As you see, MDX does not allow any app except Worx Edit to handle the attachment from
Worx Mail: Worx Edit is the only app which the MDX policy allows to receive documents
from Worx Mail.
19. Both: Create a new message or reply to UserOne and add a picture you just took in your
classroom.
Note: Using security groups allows creating different domains of data sharing between MDX apps.
20. Both: By default the camera is not blocked by the MDX policy.
Turn Block Camera on in the App Restrictions of Worx Mail.
Terminate ("kill") Worx Mail, sign out of and sign in to Worx Home. Refresh the store and
start Worx Mail again from the home screen.
Create a new message to UserOne and try to attach a picture from your camera.
The policy change does not allow camera usage while the Worx Mail app is active. The
camera can still be used in other apps.
21. Both: The last MDX policies for Worx Mail we want to test are the clipboard restrictions
(App Interaction).
The result of this policy is that data can be pasted into Worx Mail, but no data copied
from Worx Mail may leave it via the clipboard.
22. Both: Open a web page in your mobile browser, copy some text to the clipboard and paste
it into a new message to UserOne.
The text is pasted as expected.
23. iOS: Open the message from UserOne in Worx Mail, copy the body text to the clipboard and
try to paste it into a local Notes or Memo app.
Did you notice the missing paste function?
Android: Open the message from UserOne in Worx Mail, copy the body text to the clipboard
and try to paste it into the local Gmail app.
You may see the paste button, but no data is pasted.
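The behaviour observed in steps 18 to 23 follows from the four app interaction policies set in steps 8 and 10. As an added example (not Citrix code and not part of the lab guide), the Python below models those policy levels and the MDX security group, and reproduces the lab's results: an unmanaged browser can paste into Worx Mail, Worx Mail cannot be copied out to Notes or Gmail, and Worx Edit is the only Open In target for a Worx Mail attachment. The decision rules are this example's reading of the levels (Restricted means between MDX apps of the same security group), and the second security group "finance" is a constructed addition.

```python
"""Added example: a model of the MDX app interaction policies set in
steps 8 and 10 (cut/copy, paste, document exchange, security group) and
of the behaviour observed in steps 18 to 23. Not Citrix code; the
decision rules are this example's reading of the policy levels."""
from dataclasses import dataclass

LEVELS = ("Unrestricted", "Restricted", "Blocked")


@dataclass(frozen=True)
class App:
    name: str
    mdx: bool = False            # True for MDX-wrapped apps managed by Worx Home
    security_group: str = ""     # MDX security group; apps without one share the default
    cut_copy: str = "Unrestricted"      # data leaving the app via the clipboard
    paste: str = "Unrestricted"         # data entering the app via the clipboard
    open_in_out: str = "Unrestricted"   # Document Exchange (Open In)
    open_in_in: str = "Unrestricted"    # Inbound document exchange (Open In)


def same_domain(src, dst):
    """Restricted interactions stay between MDX apps of one security group."""
    return src.mdx and dst.mdx and src.security_group == dst.security_group


def allows(level, src, dst):
    """Evaluate one policy level for a transfer from src to dst."""
    if level not in LEVELS:
        raise ValueError(f"unknown MDX policy level: {level}")
    if level == "Unrestricted":
        return True
    if level == "Restricted":
        return same_domain(src, dst)
    return False  # Blocked


def can_paste(src, dst):
    """Clipboard transfer needs the source's cut/copy policy and the
    destination's paste policy to both allow it."""
    return allows(src.cut_copy, src, dst) and allows(dst.paste, src, dst)


def can_open_in(src, dst):
    """Open In needs the source's outbound and the destination's inbound
    document exchange policy to both allow it."""
    return allows(src.open_in_out, src, dst) and allows(dst.open_in_in, src, dst)


def open_in_targets(src, installed):
    """Apps that would appear in the Open In sheet for a document from src."""
    return [a.name for a in installed if a is not src and can_open_in(src, a)]


# Constructed sample inventory mirroring the lab: unmanaged apps have no
# MDX policy, so their defaults are Unrestricted. The "finance" security
# group is an assumed second group, not part of the lab.
WORX_MAIL = App("Worx Mail", mdx=True, cut_copy="Restricted", paste="Unrestricted",
                open_in_out="Restricted", open_in_in="Restricted")
WORX_EDIT = App("Worx Edit", mdx=True, cut_copy="Restricted", paste="Unrestricted",
                open_in_out="Restricted", open_in_in="Restricted")
FINANCE_APP = App("Finance MDX app", mdx=True, security_group="finance",
                  open_in_in="Restricted")
SAFARI = App("Safari")
NOTES = App("Notes")
ADOBE_READER = App("Adobe Reader")
INSTALLED = [WORX_MAIL, WORX_EDIT, FINANCE_APP, SAFARI, NOTES, ADOBE_READER]

if __name__ == "__main__":
    print("browser -> Worx Mail paste:", can_paste(SAFARI, WORX_MAIL))   # True
    print("Worx Mail -> Notes paste:", can_paste(WORX_MAIL, NOTES))       # False
    print("Open In targets from Worx Mail:", open_in_targets(WORX_MAIL, INSTALLED))
```

Both ends of a transfer are checked, which is why the unmanaged Notes app's unrestricted paste does not help: the Restricted cut/copy policy on Worx Mail already keeps the data inside the MDX domain.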
24. We have implemented measures against data leakage: all data is encrypted in transit and at
rest, and communication to the datacenter and between apps is defined by policy.
For this setup we also want to lock down the devices further, to restrict the installation of
mobile apps and to ensure the device cannot be taken outside the campus with our data.
25. In our environment we don’t allow the Skype app for security reasons.
Switch to your XMS Console (https://192.168.10.20:4443) and navigate to Configure ->
Device Policies and add a new policy by clicking on the add icon:
Enter App A and click on Search.
Choose App Access. Then click More and App Access again.
26. Enter the following data into the App Access Policy:
Policy Name Blacklist Skype
Access Policy Forbidden
App name Skype
App identifier (iOS) com.skype.skype
App identifier (Android) com.skype.raider
Assignment (Delivery Group) Sales
Click Save to close.
The following policy has been created.
27. We will create a notification template which can be used to warn users in case Skype is
detected on the managed device.
Navigate to Settings -> Notification Templates and add a new template by clicking on the
add icon:
28. You can ignore the warning about the SMS / SMTP server, as we will use the Worx Home
messaging channel.
Click No, set up later to continue.
29. Enter the following data into the Notification Template:
Name Skype Install Detected
Type Device noncompliant of B/W app policy
Worx Home Activated
Message Company policy doesn't allow
installations of the Skype app.
Please remove Skype to avoid blocked
access to corporate resources.
For assistance please call Phone No.
1234
Click Activate on Worx Home channel, then click Add to save and continue.
30. Now, we’re ready to configure an Action based on the event of B/W App triggered and tell
XMS to send a custom notification to the user.
Navigate to Configure -> Actions and add a new action by clicking on the add icon:
Enter the following data into the Actions:
Name Skype Action
Trigger Type Event
Event The device is noncompliant with
the App Access policy
Action Send notification
Notification Template Skype Install Detected
Timing After 1 Min, every 5 Minutes
Assign the Action to the Sales delivery group; click Next and Save and Deploy.
31. You can check the status by navigating to Configure -> Actions, highlight the
Skype Action and click on Show more >
32. If you don’t have the Skype app installed yet, please do so, in order to test the policy /
action we just configured.
33. Your device should play the configured sound and display the notification.
(Refresh the policy in Worx Home if necessary.)
34. Remove the Skype Action from the Sales delivery group, to avoid getting the
notification every 5 minutes.
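As an added example (not XMS code and not part of the lab guide), the Python below evaluates a device's reported app inventory against the App Access policy from step 26 and computes when the Skype Action from step 30 fires ("After 1 Min, every 5 Minutes") while the device stays non-compliant. The lab only uses the Forbidden mode; the handling of the Required and Whitelist modes is this example's reading of those options, and the inventories are constructed.

```python
"""Added example: evaluate a device's app inventory against the App
Access policy from step 26 and compute when the Skype Action of step 30
fires. Not XMS code; the evaluation rules and the inventories are
constructed for this example."""

# Policy as entered in step 26. The lab only uses "Forbidden"; the
# handling of "Required" and "Whitelist" below is this example's reading.
BLACKLIST_SKYPE = {
    "name": "Blacklist Skype",
    "access": "Forbidden",
    "apps": {"ios": {"com.skype.skype"}, "android": {"com.skype.raider"}},
}

# Action from step 30: first notification after 1 minute, then every 5.
SKYPE_ACTION = {"after_min": 1, "every_min": 5, "template": "Skype Install Detected"}


def violations(policy, platform, inventory):
    """Return the app identifiers that make the device non-compliant."""
    installed = set(inventory)
    policy_apps = policy["apps"][platform]
    mode = policy["access"]
    if mode == "Forbidden":
        return sorted(installed & policy_apps)      # listed app is present
    if mode == "Required":
        return sorted(policy_apps - installed)      # listed app is missing
    if mode == "Whitelist":
        return sorted(installed - policy_apps)      # unlisted app is present
    raise ValueError(f"unknown access policy: {mode}")


def notification_offsets(action, resolved_after_min):
    """Minute offsets from detection at which the notification is sent
    while the device is still non-compliant: after_min first, then every
    every_min, stopping once the violation is resolved."""
    offsets = []
    t = action["after_min"]
    while t < resolved_after_min:
        offsets.append(t)
        t += action["every_min"]
    return offsets


# Constructed inventories, as Worx Home's app inventory would report them.
IOS_INVENTORY = ["com.example.browser", "com.example.notes", "com.skype.skype"]
ANDROID_INVENTORY = ["com.example.browser", "com.example.notes"]

if __name__ == "__main__":
    print("iOS violations:", violations(BLACKLIST_SKYPE, "ios", IOS_INVENTORY))
    print("Android violations:", violations(BLACKLIST_SKYPE, "android", ANDROID_INVENTORY))
    # Device stays non-compliant for 12 minutes after detection.
    for minute in notification_offsets(SKYPE_ACTION, 12):
        print(f"+{minute} min: send '{SKYPE_ACTION['template']}' via Worx Home")
```

The schedule is why step 34 removes the action from the delivery group: as long as Skype stays installed, the notification repeats every 5 minutes.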
35. The second device policy we are going to apply aims to prevent any device carrying
corporate data from leaving a defined perimeter.
We already created a geofence policy but did not assign it to a delivery group. First we
need to verify / define the correct location.
Navigate to Manage -> Devices, highlight your device, click on Show more -> and
click on 2. Properties. Location information can be obtained here.
Copy the data into your clipboard / an empty WordPad document.
Note: In a real deployment we would
probably issue a selective wipe after a grace
period or deny access to corporate resources.
36. Navigate to Configure -> Policies and edit the Geofence Policy.
Enter the following data into the policy:
Policy Name Geofence Policy
Report if location services are disabled ON
Geofencing ON
Radius 500 Meters
Latitude Enter current latitude
Longitude Enter current longitude
Warn user on perimeter breach ON
Wipe corporate data on perimeter breach OFF
Assign the policy to the Sales delivery group; click Next and Save.
37. Check whether your mobile device has received the new policy.
Navigate to Manage -> Devices, highlight your device, click on Show more -> and
click on 4. Assigned Policies. The Geofence Policy should appear here.
Note: If this is the last exercise you are doing in this lab,
consider turning on "Wipe corporate data on perimeter
breach" to see the data being deleted from the device.
38. If the policy is listed in the Pending tab, you may refresh the policy from Worx Home ->
Device Info.
39. To verify the Geofence Policy, you may either go for a walk (remember, we defined a 500
meter radius) or change the geofence data (latitude / longitude).
Save and deploy the changed policy.
40. You may have to refresh the policy on your mobile device again or wait until the policy has
been refreshed.
You should get a notification which tells you that the device is no longer in the
geofence area.
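As an added example (not XMS code and not part of the lab guide), the Python below evaluates the Geofence Policy from step 36 against a device location report: it computes the great-circle distance to the fence centre, compares it with the 500 metre radius, and returns the actions the policy enables (warn, wipe, and the report for disabled location services). It also reproduces the shortcut of step 39, moving the fence instead of the device. The centre coordinates and the location reports are constructed; in the lab you enter your own device's position.

```python
"""Added example: evaluate the Geofence Policy of step 36 for a device
location report and decide which actions apply. Not XMS code; the
great-circle check and the constructed coordinates are this example's."""
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Policy as entered in step 36. Centre coordinates are constructed; the
# lab has you enter your own device's current position.
GEOFENCE_POLICY = {
    "name": "Geofence Policy",
    "report_if_location_disabled": True,
    "geofencing": True,
    "radius_m": 500,
    "latitude": 47.3769,
    "longitude": 8.5417,
    "warn_on_breach": True,
    "wipe_on_breach": False,
}


def evaluate_geofence(policy, report):
    """report: {'location_enabled': bool, 'latitude': float, 'longitude': float}
    Returns (distance_m or None, list of actions XMS would take)."""
    actions = []
    if not report.get("location_enabled", False):
        if policy["report_if_location_disabled"]:
            actions.append("report_location_disabled")
        return None, actions          # no position: nothing else can be decided
    if not policy["geofencing"]:
        return None, actions
    distance = haversine_m(policy["latitude"], policy["longitude"],
                           report["latitude"], report["longitude"])
    if distance > policy["radius_m"]:
        if policy["warn_on_breach"]:
            actions.append("warn_user")
        if policy["wipe_on_breach"]:
            actions.append("wipe_corporate_data")
    return distance, actions


# Constructed location reports: about 110 m and about 1.1 km north of the centre.
INSIDE_REPORT = {"location_enabled": True, "latitude": 47.3779, "longitude": 8.5417}
OUTSIDE_REPORT = {"location_enabled": True, "latitude": 47.3869, "longitude": 8.5417}

if __name__ == "__main__":
    print("inside:", evaluate_geofence(GEOFENCE_POLICY, INSIDE_REPORT))
    print("outside:", evaluate_geofence(GEOFENCE_POLICY, OUTSIDE_REPORT))
    # Step 39 shortcut: move the fence rather than the device.
    moved_fence = dict(GEOFENCE_POLICY, latitude=48.0)
    print("fence moved:", evaluate_geofence(moved_fence, INSIDE_REPORT))
```

A device with location services switched off yields no distance at all, which is why the policy's "Report if location services are disabled" option matters: without it a user could defeat the fence simply by disabling location.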
Exercise Summary
In this exercise, you applied tightened security policies for MDX apps to ensure data cannot be
shared outside defined areas. Additionally you added MDM policies to make sure unwanted apps are
not tolerated on the devices and that data may be wiped if the device leaves the company's
campus.
Optional Lab
PKI Integration - Certificate Based Authentication
Overview
Certificate based authentication is a key requirement for many organizations to avoid issues around
password management.
In this exercise we’re going to connect the XenMobile server to a Microsoft CA PKI and configure
the system to issue user certificates and deploy these during the enrollment phase.
Step by step guidance
Estimated time to complete this lab: 30 minutes.
Step Action
1. Within XenCenter, select the AD.training.lab virtual machine and click the Console tab.
Log in as training\administrator using password Citrix123.
Before we add an additional role to our AD server, we need to add the administrator to the
IIS_IUSRS group.
Open Active Directory Users and Computers and add the training\administrator user to
the IIS_IUSRS group.
Note: Best practice is to create a service account
which has explicit rights on the CA, but no other
privileges.
2. The Microsoft AD Certificate Service is already installed, but we need to add the web
enrollment service to allow the XenMobile Server to remotely request user certificates.
Open Server Manager, click on Add roles and features and add the
Certificate Enrollment Web Service.
3. Complete the AD CS configuration with the following data:
Credential TRAINING\Administrator
Role Service Certificate Enrollment Web Service
CA for CES CA Name
Authentication Type Client certificate Auth
Service Account TRAINING\administrator
Server Certificate AD.training.lab
Close the Server Manager once the configuration has completed.
4. On the AD server launch mmc (Microsoft Management Console) and add the certificate
Snap-in.
5. Right click on Personal and Request new Certificate.
6. Request a User certificate for the current user (training\administrator)
7. Export the newly created certificate and save it as
c:\Software\Certificates\CertAdmin.pfx.
Include the private key in the export and use Citrix123 as the password to protect the key.
8. While still on the mmc, load the Certificate Template snap-in, right click on the User
template and select Duplicate Template.
9. Enter the following data into the copied User cert template:
Compatibility Windows Server 2003
Template name XMCert
Subject Name Supply in the request
Cryptography – Key Size 2048
Click Apply to save the data into the template.
10. Load the Certificate Authority snap-in, right click on Certificate Template and select
New -> Certificate Template to Issue.
11. Choose the XMCert we just created from the copied User template.
12. Verify that XMCert is available in the list of templates for the CA.
13. In Internet Information Services (IIS) Manager, configure the CertSrv web site to accept
client certificates.
14. Switch to your Windows 8.1 VM and navigate to \\ad\software\certificates.
Double click on the CertAdmin.pfx file.
Use all default values of the import process and save it in the user certificate store.
| 131 |
15. Open IE on the Windows 8.1 VM and navigate to
https://ad.training.lab/certsrv
Because you imported the CertAdmin certificate and configured IIS to allow certificate based authentication, you should see the following login screen.
16. This is the landing page of the MS CA server.
17. Select Request a certificate -> Advanced certificate request -> Submit Certificate…
to verify the availability of the XMCert template.
18. Switch to your XMS Console (https://192.168.10.20:4443), navigate to Configure -> Settings -> Certificate and import the \\ad\software\certificates\CertAdmin.pfx certificate.
Import Keystore
Keystore Type PKCS#12
Use as Server
Keystore file CertAdmin.pfx
Password Citrix123
If the keystore import doesn't work (depending on the build), you may try to convert the file using OpenSSL. Consider copying the pfx to the NetScaler using scp and converting it by issuing:
openssl pkcs12 -in CertAdmin.pfx -out CertAdmin.pem
19. Navigate to Configure -> Settings -> Certificate Management and select PKI
Entities.
20. Click on Add and select Microsoft Certificate Services Entity.
21. Enter the following data to configure the Certificate Services Entity:
Name MS CA
Web enrollment URL https://ad.training.lab/
certnew.cer page name certnew.cer
certfnsh.asp certfnsh.asp
Authentication type Client Certificate
SSL Client Certificate Administrator
Template (Case Sensitive) XMCert
CA Certificate training-AD-CA
22. Click Save to continue. You should now have a PKI entity listed.
23. Navigate to Configure -> Settings -> Certificate Management and select
Credential Providers.
24. Enter the following data to configure the Credential Provider:
Name MS CA
Issuing Entity MS CA
Issuing method SIGN
Templates XMCert
Key Algorithm RSA
Key size 2048
Signature Algorithm SHA256
Subject name CN=$user.username
Subject Alternate Name – UPN $user.userprincipalname
Distribution – Issuing CA Cert training-AD-CA
Distribution – Distribution mode Prefer Centralized
Renewal = ON Renew within 30 days of exp.
Click Save to continue. You should now have a Credential Provider listed.
25. Two more steps are required to leverage the certificate based authentication.
On the Windows 8.1 host open IE and connect to the NetScaler
http://192.168.10.50
Login as:
Username training\administrator
Password Citrix123
26. Navigate to Configuration -> NetScaler Gateway -> Virtual Server and double click on
_XM_XenMobileGateway.
Click on No CA Certificate and then on the > sign to add our root certificate, which is already installed on the NetScaler.
27. Select Training_root from the list of installed certificates. Click OK to bind the root certificate to the vServer.
28. Click on the plus sign next to SSL Parameters in the right panel.
29. Enable Client Authentication and set Client Certificate to Mandatory.
30. Click Done and add the required authentication policy by clicking on the plus sign. Select the CERTIFICATE policy and choose the Primary type.
Note: You may also consider removing support for the SSL v3 protocol here, due to vulnerability concerns (it is not needed by XME).
31. Add a new authentication policy by clicking on the plus sign.
32. Enter the following data to configure the Authentication CERT Server:
Name CertAuthPol
Server Name AD_Training
Expression ns_true
User Name Field SubjectAltName:PrincipalName
Click Create to continue.
Ensure the CertAuthPol policy has a higher priority (lower number) than the LDAP Policy.
33. Depending on the NetScaler version, the XenMobile Wizard is known to create the LDAP Policy with a priority of 0. Verify and correct this if necessary. Click on the LDAP Policy. If its priority is < 90, select Edit Binding and assign a priority of 100.
34. The last step is to configure the XenMobile Enterprise Server for user certificate delivery
for authentication.
Switch to your XMS Console (https://192.168.10.20:4443) and navigate to
Configure -> Settings -> NetScaler Gateway.
Enable Deliver user certificate for authentication, select MS CA as Credential provider
and click the Save button.
35. This concludes the backend configuration of the PKI integration for certificate based user authentication. Users might have to re-enroll to leverage the certificate authentication.
Exercise Summary
In this exercise, you enabled the XenMobile Enterprise to communicate with the MS Cert Server in the lab. Together with the NetScaler Gateway, the backend system will request a user certificate from the MS Cert Server and deliver it to Worx Home during the enrollment process.
Note: CertAuth may not behave as expected on early XMS builds (unable to enroll). Please consult eDocs for updates and the supported NetScaler Gateway versions once the product is released.
Revision   Change Description   Updated By   Date
1.0   Original Version   Walter Hofstetter, Christopher Friend and Frank Martinez   May 2015
About Citrix
Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to
work and collaborate from anywhere, securely accessing apps and data on any of the latest
devices, as easily as they would in their own office. Citrix solutions help IT and service providers
build clouds, leveraging virtualization and networking technologies to deliver high-performance,
elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop
virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations
of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world.
Citrix products are in use at more than 330,000 organizations and by over 100 million users
globally. Annual revenue in 2012 was $2.59 billion. Learn more at http://www.citrix.com.