Slides from my Citrix XenMobile session at the MobilityDay 2016 conference.

1. 29.09.2016.
Zagreb
Hotel Antunović

2. Zagreb, 29.09.2016.
XenMobile: Enterprise
mobile management
solution
Tomica Kaniški
tomica@kaniski.eu | http://blog.kaniski.eu/

3. POKROVITELJI
AKADEMSKI PARTNERI DIGITALNI PARTNER PRIJATELJI KONFERENCIJE
GENERALNI SPONZOR GENERALNI MEDIJSKI SPONZOR GLAVNI SPONZORI
MEDIJSKI PARTNERI
SPONZORI

4. Agenda
 XenMobile
 editions
 scenarios
 features
 WorxApps
 NetScaler
 integration
 deployment
 tips
 resources

5. XenMobile provides...
 unified management of devices & applications
 corporate app store
 mobile device and app management
 unified access getaway & SSO
 workflow-driven productivity apps
 military-grade (FIPS) security
 mobile content management
 broad platform support

6. Editions...
 XenMobile MDM
 mobile device management (MDM)
 allow IT Administrators to enroll and enforce restriction
policies to corporate-owned or BYO devices
 XenMobile Advanced
 mobile device and application management (MDM + MAM)
 adds support for IT Admins to create enterprise app store for
mobile, web/SaaS and Windows apps with MDX capabilities
(securing data and network resources)
 XenMobile Enterprise
 enterprise mobile management (EMM) solution
 adds ShareFile capability for data mobility management

7. Scenarios: XenMobile MDM
 mobile device management
 jailbreak detection
 selective or full wipe
 geolocation tracking
 passcode enforcement
 pushing applications
 native mail client access control
 Wi-Fi & VPN access control
 access to local documents/files for editing

8. Scenarios: XenMobile Advanced
 all MDM edition use scenarios
 federated single sign-on (SSO)
 secure email
 secure browsing
 automated account provisioning
 workflows
 policy-based interapp security
 app specific microVPN tunnels
 unified corporate app store
 access to local documents/files for editing

9. Scenarios: XenMobile Enterprise
 all XenMobile Advanced edition use scenarios
 secure document sharing,
syncing & editing (ShareFile
Enterprise)

10. Features
 single administrative experience with RBAC
 unified XenMobile server (Linux appliance)
 simplified deployment and configuration
 designed for 100,000 user environments (with 150,000+
devices)
 integrated enterprise store with ratings, screenshots and
app reviews
 cross-platform app & policy definitions
 single sign-on for MDX apps
 FIPS 140-2 support
 connectivity checks & support bundle
 integrated Worx productivity apps

11. The „big picture”

12. Worx apps (1)
 WorxHome
 authenticates users (AD with certificates, tokens and other
second factors)
 permits lock/wipe of corporate data/apps on selected devices
 SSO for all managed apps (hosted (HDX) apps and desktops,
web/SaaS apps, MDX managed mobile apps)
 access to the MDX apps (determines policies and app
entitlements and controls data exchange)
 provides gateway tickets for microVPN access, certificates for
protected websites, SAML tokens for ShareFile access, ...

13. Worx apps (2)
 WorxWeb
 HTML5-compatible browser
 whitelist/blacklist URLs, set bookmarks and home page
 leverages microVPN (full tunnel) or SecureBrowse (client-side
rewrite)
 https://bramwolfs.com/2012/08/24/cloud-gateway-a-wrap-up-so-far-
part-2/
 WorxMail
 ActiveSync mail/calendar/contacts client
 microVPN or STA to sync email from Exchange or Office 365

14. Worx apps (3)
 WorxEdit
 open, view, create or edit Microsoft Office documents
 view PDF files
 track changes from multiple reviewers
 local storage for offline copy editing
 WorxNotes
 create, sync and share notes
 create notes from WorxMail messages
 ShareFile integration for storage and sync
 integrated with Exchange server (email and calendar)

15. Worx apps (4)
 WorxTasks
 securely manage tasks
 integration with Outlook tasks and WorxMail
 WorxDesktop
 secure „VDI like” access to physical desktop
 access work files and apps
 ShareFile
 secure enterprise file share and sync
 mobile content editing
 SharePoint & network files integration

16. Zagreb, 29.09.2016.
DEMO
Worx apps

17. NetScaler
 hardware (MPX, SDX) or software appliance (VPX)
 provides content switching and load balancing for
MDM, MAM or EMM
 manages the complete lifecycle of the
request/response transaction
 supports connection reuse (reduces TCP overhead on
web servers)
 communicates with XenMobile (better together)
 built-in monitor for XenMobile
 built-in diagnostic tools for XenMobile
 supports microVPN (MDX) technology in XenMobile

18. NetScaler addresses
 NSIP
 NetScaler IP (IP of the appliance)
 management IP
 SNIP
 subnet IP
 communication to backend services like XenMobile, AD,
database, ... („points of presence” in different subnets)
 VIP
 virtual IP
 IP address of a virtual server (client-side access)

19. The „big picture”

20. Deployment of EMM (1)
 prerequisites:
 firewall ports
 http://docs.citrix.com/en-us/xenmobile/10-3/xmob-system-
requirements/xmob-deploy-component-port-reqs-con.html
 hypervisor of choice
 SQL Server 2012+
 XenMobile license
 service accounts (DB creator, AD reader)
 4 free IP Addresses in the DMZ
 2 free public IP addresses
 2 SSL certificates (or a wildcard certificate)
 Apple Push Notification Services certificate (APNS)
 for managing Apple devices
 NetScaler Gateway
 NetScaler Standard or higher supports Load Balancing
 SMTP server (optional)

21. Deployment of EMM (2)
 steps:
 XenMobile
 import the XenMobile appliance(s)
 initial configuration from CLI (IP, database, NTP, ...)
 additional configuration from console (SSL, NSGW, LDAP, ...)
 create additional appliance(s)/enable clustering
 update the environment (for WM10)
 integration with NetScaler
 import the NetScaler appliance(s)
 initial configuration from CLI (NSIP)
 additional configuration from console (license, SSL, ...)
 XenMobile integration wizard
 create additional appliance(s)/enable HA mode

22. Zagreb, 29.09.2016.
DEMO
XenMobile Enterprise deployment and NetScaler integration

23. Tips...
 XenMobile
 don’t install and upgrade the first node and later try to add another
one (hint: database schema upgrades... sometimes )
 use VM cloning for multiplication of nodes
 RBAC – can’t add a group to Support role
 create another role, tailored to your wishes
 restart appliances to pick up certificates & updates
 NetScaler
 4K certificates limitation on VPX
 only hardware appliances support 4K certificates
 vCPU limitation on Hyper-V (intentional!)
 limited to two vCPUs (use VMware instead )
 bug with AD authentication in GUI
 if you password contains special characters, beware... 

24. Conclusion
 complete enterprise mobility management solution
 three „flavours” – MDM, MDM+MAM, EMM
 end-to-end security, easy deployment and great user
experience
 integration with NetScaler appliance is easy and
preferred
 nice built-in productivity apps
 fast deployment

25. Resources
 https://www.citrix.com/products/xenmobile/
 http://docs.citrix.com/en-us/xenmobile/10/xmob-about.html
 https://www.citrix.com/downloads/xenmobile.html
 https://www.citrix.com/content/dam/citrix/en_us/documents/pr
oducts-solutions/xenmobile-security-understanding-the-
technology-used-by-xenmobile.pdf
 http://www.robinhobo.com/how-to-setup-citrix-xenmobile-10-
including-configuring-netscaler/
 http://www.carlstalhood.com/netscaler-gateway-11-ldap-
authentication/
 http://www.ingmarverheij.com/one-content-switch-to-rule-
them-all/

26. Ankete
Popunite ankete i osvojite vrijedne
nagrade!
Ankete su dostupne na:
a) Mobilnim uređajima (Android, Apple, Windows)
b) Web-u http://www.mobilityday.com
PIN za pristup se nalazi na poleđini akreditacije i u vašem
on-line profilu.

27. Zagreb, 29.09.2016.
HVALA!