November, 2013 XenMobile 8.6 MDM Edition Mobile Device Management Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford Lead Support Readiness Specialist



© 2013 Citrix | Confidential – Do Not Distribute

Ground Rules

• Introduce yourself

• Expect FULL participation!

• We will use Polls on GoToTraining

• Please raise your hand for questions or comments on GoToTraining

• Type comments and questions in Chat window

• I will check your work by making you presenter… be ready!

• I will call you by name


Objectives

At the end of this course, you will be able to:

• Module 1: Verify iOS 7 MDM Policies
  ᵒ Configure and test some of the new iOS 7 restrictions policies

• Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
  ᵒ Install XenMobile Mail Manager
  ᵒ Configure and test XenMobile Mail Manager to filter ActiveSync traffic against Exchange Server 2010

• Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
  ᵒ Configure SSL Offload on NetScaler to load balance HTTP connections to the Device Manager server
  ᵒ Verify that mobile devices (e.g. iOS/Android) can enroll successfully


• Module 4: Integrate XenMobile Device Manager with Microsoft PKI
  ᵒ Set up Client Certificate authentication on Windows
  ᵒ Configure Client Certificate authentication with XenMobile Device Manager
  ᵒ Configure Exchange Server 2010 for Client Certificate authentication
  ᵒ Verify that mobile devices can enroll, and test Client Certificate authentication and access to their mailbox

• Module 5: Learn Samsung KNOX and Amazon MDM Policies
  ᵒ Learn and configure the new Samsung KNOX and Amazon MDM restriction policies


Assessment

There will be an assessment at the end of the course, covering the following modules:

• Module 1: Verify iOS 7 MDM Policies

• Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering

• Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload

• Module 4: Integrate XenMobile Device Manager with Microsoft PKI

• Module 5: Learn Samsung KNOX and Amazon MDM Policies


Module 1: Verify iOS 7 MDM Policies


iOS7 Highlights

• Per App VPN: Managed apps can initiate a per-app VPN tunnel.

• OpenIn Document Control: Restrict opening of documents in managed apps and accounts.

• Enterprise SSO: Single Sign-On experience for enterprise resources that require Kerberos authentication.

• Silent Install/UnInstall: Only applicable to supervised iOS devices.

• New Volume Purchase Program (VPP) service
  ᵒ Workflow-based VPP registration
  ᵒ Revoke and re-issue VPP licenses

• Auto Configure Apps: Push and auto-configure iOS7 apps.

• Restrictions
  ᵒ Prevent device unlock via biometric scanning
  ᵒ Prevent document transfer via AirDrop
  ᵒ Prevent password syncing via iCloud
  ᵒ … (many others)

• Prevent App UnInstall: Only applicable to supervised iOS devices.


iOS7 Policies in XenMobile 8.6


Per App VPN


OpenIn Doc. Control


Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering


Introduction

The XenMobile Mail Manager (XMM) allows you to use XDM to gain dynamic access control over Exchange ActiveSync (EAS) devices.

Here are some of the features:

• Access EAS device partnership information provided by Exchange.

• Perform an EAS wipe on a mobile device.

• Access information about BlackBerry devices.

• Perform control operations such as Wipe and Password Reset.


XMM Components

The XenMobile Mail Manager (XMM) consists of three main components:

• Exchange ActiveSync (EAS) Access Control Management: Communicates with Device Manager to retrieve EAS policies, then merges those policies with any locally defined policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies extend the policy rules to allow access control by AD Group, User, Device Type, or Device User Agent.

• Remote PowerShell Management: Responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by EAS Access Control Management.

• Mobile Service Provider: Provides a web service interface so that Device Manager can query EAS and/or BlackBerry devices and issue control operations such as Wipe against them.


System and Software Requirements

• Server Software
  ᵒ MS SQL or MS SQL Express 2008/2012
  ᵒ Microsoft .NET Framework 4.5
  ᵒ Exchange Server 2010 SP2 or higher, OR Exchange 2013
  ᵒ MS Office 365
  ᵒ BlackBerry Enterprise Service v5 (optional)

• Server Machine Requirements
  ᵒ Windows Management Framework must be installed
  ᵒ PowerShell V2 supported
  ᵒ The PowerShell execution policy must be set to RemoteSigned by running “Set-ExecutionPolicy RemoteSigned” from the PowerShell command prompt.

• Memory: 1 GB

• HDD: NTFS-formatted with 150 MB disk space


Permissions

If you are using XMM with an on-site Exchange Server, you will need to ensure that the account has at least the minimum permissions specified in the Exchange Configuration Management Console, so that it is allowed to execute the following Exchange-specific PowerShell commands:

• Get-CASMailbox

• Set-CASMailbox

• Get-Mailbox

• Get-ActiveSyncDevice

• Get-ActiveSyncDeviceStatistics

• Clear-ActiveSyncDevice


Before Installation…

Ensure that the following conditions are met:

• .NET Framework 4.5

• SQL Server (one of the following):
  ᵒ MS SQL 2008
  ᵒ MS SQL 2008 Express
  ᵒ MS SQL 2012
  ᵒ MS SQL 2012 Express
  ᵒ MS SQL 2012 Express\LocalDB

• XMM “one LDAP per domain” caveat
  ᵒ XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain and a sub-domain), you will need to install XMM for each domain.


Installation



Configuring XMM

You can use the XMM Configuration utility to extend the capabilities of XDM and perform the following configuration:

• Create access control rules that either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services.

• Build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation.

• Perform an EAS wipe of out-of-compliance devices.


To configure the Exchange Server



To configure the Database Properties



To configure the Mobile Service Provider (MSP)


To configure the Mobile Service Provider (MSP) hostname in Device Manager


XMM and Exchange ‘Quarantine’ Mode

• XMM, when configured in conjunction with MS Exchange ‘Quarantine’ mode, allows the Exchange Admin to quarantine a user’s device until that device can be determined to be compliant.

• In Exchange quarantine mode, a user’s email inbox is blocked, but the user can still see their calendar, appointments, and contacts.


Understanding XMM Access Rules

XenMobile Mail Manager allows you to configure three types of rules:

• Default

• Local

• XDM (rules from Device Manager)


XMM Access Rules – Default Rules

The Default access control rule serves as a “catch-all” that can be set to allow or deny any device that does not meet the criteria of either the XDM rules or the Local rules.

The Default Rule’s desired state may be set to Allow, Block, or Unchanged.

If “Unchanged” is selected, the effect will be that XMM will not modify the state of any devices that are not matched explicitly by a Local or XDM rule.


To configure Default access rules


XMM Access Rules – Local Rules

Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:

• ActiveSync Device Id – Uniquely identifies a specific device.

• Device Type – A set of devices, such as “iPad”, “WP8”, or “Touchdown”.

• User Agent – A set of devices identified by platform version, such as “iOS/6.1.2”.

• User – A specific user.


To configure Local rules


XMM Access Rules – XDM rules

XDM rules are defined within XenMobile Device Manager. These rules are delivered to XenMobile Mail Manager and continuously updated. XDM rules can identify devices by properties known to XDM, such as:

• Enrolled in Device Manager

• Jailbroken (iOS) or rooted (Android) devices

• Forbidden Apps are installed (blacklisted apps)

• Non-suggested apps are installed

• Unmanaged

• Out Of Compliance

• Non-Compliant Password

• Revoked status

• Inactive Device

• Anonymous status
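To make the three-tier evaluation concrete, here is an added Python model (not Citrix code) that combines Local, XDM and Default rules into a per-mailbox Set-CASMailbox change of the kind XMM enacts over remote PowerShell. The precedence order (Local over XDM over Default), first-match-wins within a tier, prefix matching for User Agent rules, and every device and rule in the sample are assumptions, not facts from the deck.

```python
"""Model of XMM access-rule evaluation (added example, not Citrix code).

Local rules (defined in XMM), XDM rules (pushed from Device Manager) and one
Default catch-all (Allow / Block / Unchanged) are combined into a per-device
decision, which XMM then enacts through Set-CASMailbox over remote PowerShell.
Assumed here, not stated in the training deck: Local rules win over XDM rules,
XDM rules win over the Default rule, and the first match within a tier wins.
"""
from dataclasses import dataclass

ALLOW, BLOCK, UNCHANGED = "Allow", "Block", "Unchanged"


@dataclass
class EasDevice:
    device_id: str                       # ActiveSync Device Id, unique per device
    device_type: str                     # e.g. "iPad", "WP8", "Touchdown"
    user_agent: str                      # e.g. "iOS/6.1.2"
    user: str                            # mailbox owner
    xdm_flags: frozenset = frozenset()   # properties XDM reports for the device


@dataclass
class LocalRule:
    prop: str      # "device_id" | "device_type" | "user_agent" | "user"
    value: str
    state: str     # ALLOW or BLOCK


@dataclass
class XdmRule:
    flag: str      # e.g. "jailbroken", "blacklisted_app", "enrolled"
    state: str     # ALLOW or BLOCK


def local_match(rule, dev):
    """User Agent rules name a platform version, so they are matched as a
    prefix; the other three properties must match exactly (assumption)."""
    if rule.prop == "user_agent":
        return dev.user_agent.startswith(rule.value)
    return getattr(dev, rule.prop) == rule.value


def decide(dev, local_rules, xdm_rules, default_state):
    """Return (state, reason) for a single device."""
    for r in local_rules:
        if local_match(r, dev):
            return r.state, f"local:{r.prop}={r.value}"
    for r in xdm_rules:
        if r.flag in dev.xdm_flags:
            return r.state, f"xdm:{r.flag}"
    return default_state, "default"


def compile_cas_changes(devices, local_rules, xdm_rules, default_state):
    """Group decisions per mailbox into allowed/blocked device-id lists.
    Devices that resolve to Unchanged are left out, which is what makes
    Default=Unchanged safe against a mailbox population XDM only partly knows."""
    per_user = {}
    for d in devices:
        state, _ = decide(d, local_rules, xdm_rules, default_state)
        if state == UNCHANGED:
            continue
        entry = per_user.setdefault(d.user, {"allowed": [], "blocked": []})
        entry["allowed" if state == ALLOW else "blocked"].append(d.device_id)
    return per_user


def render_powershell(per_user):
    """One Set-CASMailbox line per mailbox, using the Exchange 2010 parameters."""
    lines = []
    for user, e in sorted(per_user.items()):
        parts = [f"Set-CASMailbox -Identity '{user}'"]
        if e["allowed"]:
            parts.append("-ActiveSyncAllowedDeviceIDs " + ",".join(f"'{i}'" for i in e["allowed"]))
        if e["blocked"]:
            parts.append("-ActiveSyncBlockedDeviceIDs " + ",".join(f"'{i}'" for i in e["blocked"]))
        lines.append(" ".join(parts))
    return lines


# Constructed sample data (not from any real deployment).
LOCAL_RULES = [
    LocalRule("device_type", "Touchdown", BLOCK),   # third-party EAS client banned
    LocalRule("user", "ceo@example.com", ALLOW),    # per-user exemption
]
XDM_RULES = [
    XdmRule("jailbroken", BLOCK),
    XdmRule("blacklisted_app", BLOCK),
    XdmRule("enrolled", ALLOW),
]
SAMPLE_DEVICES = [
    EasDevice("TD001", "Touchdown", "TouchDown/7.3", "alice@example.com", frozenset({"enrolled"})),
    EasDevice("IPAD01", "iPad", "iOS/7.0.3", "bob@example.com", frozenset({"enrolled", "jailbroken"})),
    EasDevice("IPH01", "iPhone", "iOS/7.0.3", "carol@example.com", frozenset({"enrolled"})),
    EasDevice("WP8001", "WP8", "MSFT-WP/8.0", "dave@example.com"),   # not known to XDM
    EasDevice("IPH02", "iPhone", "iOS/6.1.2", "ceo@example.com"),    # not known to XDM
]


def run_sample(default_state=BLOCK):
    """Compile the sample rule sets against the sample devices."""
    return compile_cas_changes(SAMPLE_DEVICES, LOCAL_RULES, XDM_RULES, default_state)


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.device_id, *decide(d, LOCAL_RULES, XDM_RULES, BLOCK))
    print(*render_powershell(run_sample(BLOCK)), sep="\n")
```

Running it with Default=Block versus Default=Unchanged shows the practical difference: the WP8 device that XDM has never seen is explicitly blocked in the first case and simply left alone in the second.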


To configure XDM rules


Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload


Pre Nike Deployment – SSL Bridge

[Diagram: devices connect over SSL to NetScaler on 443 and 8443; the SSL sessions are bridged through unchanged to XM DM on 443 and 8443. DMZ boundary shown.]


Nike Deployment – SSL Offload

[Diagram: devices connect over SSL to NetScaler on 443 and 8443; NetScaler terminates SSL and forwards to XM DM over port 80. DMZ boundary shown.]


NetScaler SSL Offload setup

[Diagram: two SSL Offload vServers on NetScaler in front of XDM. SSL Offload vServer 1 (HTTPS 443) has Client Cert Auth enabled and inserts the client certificate in the HTTP header; SSL Offload vServer 2 (HTTPS 8443) has no client auth. Both forward to XDM over HTTP (80). DMZ boundary shown.]


What’s needed?

• Two virtual servers
  ᵒ 443
  ᵒ 8443

• Bind one or more XDM services on HTTP (80)

• Steps required for the SSL Offload (HTTPS – 443) virtual server
  ᵒ Bind both the Devices and Root CA certificates on the virtual server. This is important for iOS enrollment to work!
  ᵒ Create an SSL Policy that only gets executed when a Client Cert is detected
  ᵒ Configure NetScaler to insert the NSClientCert header. This is important for iOS enrollment to work!


NetScaler SSL Offload patch for XDM

• Copy the a_patch_860_9998.jar file to \XenMobile Device Manager\tomcat\webapps\[instance_name]\WEB-INF\lib (on all cluster nodes, in a clustered ZDM config)

• Restart the XDM service

• Browse to http://XDMURL/instance/help-patches.jsp and confirm the patch shows up under the 'in use' column of the resulting page


Module 4: Integrate XenMobile Device Manager with Microsoft PKI


Create a Certificate Service Account

• XDM will use a certificate to authenticate its connection to the MS Certificate Authority

• The certificate used will be tied to a user, which in this case will be the service account

• This protects the XDM connection from account deletion/disabling
  ᵒ e.g. if the user account were to be disabled
  ᵒ or deleted in Active Directory if the Admin leaves the company, etc.

• This account needs no special rights. A standard AD user is sufficient.


Install Microsoft Certification Services

• Sign in as the service account that will be running the CA

• Ensure the service account is a local administrator

• CA Type – Enterprise

• Configure IIS for CA installation
  ᵒ Ensure both Client Cert Mapping and IIS Client Cert Mapping are checked


CA Configuration for Client Certificate

• Create a certificate for the IIS https binding

• IIS Authentication mode
  ᵒ Enable Cert Based Authentication

• /CertSrv home
  ᵒ Configure the SSL settings to accept Certificates

• Create a certificate for the Service Account user
  ᵒ Create a User Template
  ᵒ Security tab – grant the Service Account user full control
  ᵒ Request an SSL certificate for the Service Account user

• Install the requested certificate

• Export the certificate and private key


Disable Windows Auth to Test CA Connection

• Uncheck Enable Integrated Windows Authentication.

• Close and relaunch your browser

• This tests the certificate that was created to authenticate with the CA

• Test on the certificate server with the service account

• You should be prompted to select a certificate

• Do not proceed with configuration until this part works


Setup XDM CA Options: Import the User Certificate for the Service Account


Setup XDM CA Options

Service root URL – a trailing “/” at the end is required


Configure Available Templates

Click New Template, then enter the name of the template created for this.

Note: The Template name is case sensitive


• If the wrong template is specified, the following error is seen in the zdm.log file:

2013-11-13 05:37:03,736 [http-nio-443-exec-7] DEBUG com.sparus.nps.pki.connector.CertSrvResponseParser [UID=28,[email protected],dev=9] - Parsed CrtSrv response, found: error=true ReqId=null Message=Your request was denied. The disposition message is: "Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: XDM User Template."


• The same error is also recorded in the Event Viewer of the server running the Certificate Authority.


Select the Server cert you recently uploaded. In this case, administrator-user-cert.pfx


Define a Credential Provider

Name the provider.

Issuing Entity: the one created in the previous step.

Select SIGN and select the template you entered earlier.


Define key size: Must be 2048

Subject Name: $user.username

Fill in the username and UPN. The UPN is used by Exchange, for example, to determine rights to a user’s mailbox.


Determine Distribution Method


Create an iOS/Android Credential

Select credential provider and MS CA provider you created.


Caveats

• When creating a certificate template, Windows 2003 must be selected as the certificate template type.
  ᵒ This is needed because Windows 2008 templates are not exposed via web enrollment, due to changes in the MS CA.
  ᵒ There is potentially a workaround by pointing to another enrollment .dll on the MS side, but that hasn't been explored.


Set CAS to Accept Certificates

Verify in the Exchange Management Console.

The Basic authentication box should be checked if you want to allow both certificate-based and Windows-based authentication.


Verify AD Client Certificates Is Enabled

Connect to the CAS IIS Admin console and enable Client Certificate Authentication.


ActiveSync configured to accept Client Cert


Ensure Windows Authentication is Enabled


Access Configuration Editor


Select system.webServer->Security->authentication->ClientCertificateMappingAuthentication


Enable CertificateMappingAuthentication


Configure iOS ActiveSync Profile


Configure iOS Deployment Package


Module 5: Learn Samsung KNOX and Amazon MDM Policies


What is Samsung KNOX

• Dual persona approach for device, app, and data security

• Samsung markets it as the most comprehensive mobile solution for work and play

• KNOX compatible devices include:
  ᵒ Samsung S4
  ᵒ Samsung Note3
  ᵒ Samsung Note 10.1 (2014 Edition)


XenMobile 8.6 KNOX Policies

• Exchange ActiveSync for KNOX: Provision an EAS profile to the container

• Browser Restrictions: Disable popups, cookies, auto-fill and JavaScript

• Silent App. UnInstall: Uninstalls apps that are provisioned to the container

• Container Passcode: Protect apps in the container using a PIN code

• App. Blacklisting: Blacklist apps and prevent users from launching them

• Enterprise VPN: IPSec VPN policy for apps provisioned to the container

• Lock Container: Admin can lock the container in case the device is lost or stolen

• Unlock and Reset Passcode: Admin can unlock the container and reset the container passcode

• Container Wipe: Admin can selectively wipe the KNOX container from the device


KNOX Icon on Device Home Screen

KNOX is an app on the device: log in to the container to access corporate apps.


Amazon/XenMobile Integration

• Silent Install/Uninstall: Install and uninstall apps without user intervention

• Prevent App Uninstall: Prevent the user from uninstalling apps

• Device Restrictions: Prevent use of
  ᵒ Location Services
  ᵒ Factory Reset
  ᵒ Bluetooth
  ᵒ Turn Off Wi-Fi
  ᵒ App. install from a non-Amazon app store


Prevent ShareFile Uninstall


Device Restrictions


Review

• Module 1: Verify iOS 7 MDM Policies
  ᵒ Configure and test some of the new iOS 7 restrictions policies

• Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
  ᵒ Install XenMobile Mail Manager
  ᵒ Configure and test XenMobile Mail Manager to filter ActiveSync traffic against Exchange Server 2010

• Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
  ᵒ Configure SSL Offload on NetScaler to load balance HTTP connections to the Device Manager server
  ᵒ Verify that mobile devices (e.g. iOS/Android) can enroll successfully


• Module 4: Integrate XenMobile Device Manager with Microsoft PKI
  ᵒ Set up Client Certificate authentication on Windows
  ᵒ Configure Client Certificate authentication with XenMobile Device Manager
  ᵒ Configure Exchange Server 2010 for Client Certificate authentication
  ᵒ Verify that mobile devices can enroll, and test Client Certificate authentication and access to their mailbox

• Module 5: Learn Samsung KNOX and Amazon MDM Policies
  ᵒ Learn and configure the new Samsung KNOX and Amazon MDM restriction policies


Work better. Live better.