Author: Jeroen J.V Lebon 1

Citrix Endpoint Management Onboarding Handbook

Citrix Systems Netherlands BV

Spaces Zuidas, 5th floor

Barbara Strozzilaan 201

1083 HN

Amsterdam

Phone: +31 (0)20 302 3400

E-mail: [email protected]

Web: http://www.citrix.nl

Customer Name


Table of Contents

Versioning
Terminology
Introduction
References
Why Endpoint Management from Citrix Cloud?
Endpoint Management Benefits
Endpoint Management Features
Endpoint Management compared to Workspace Premium
Endpoint Management High Level Architecture
Endpoint Management Traffic Flow
Endpoint Management Cloud Connector Traffic Flow
Citrix Cloud Trial Request for Endpoint Management and Content Collaboration
    Sign up for Citrix Cloud with an existing Citrix Account
    Sign up for Citrix Cloud if you don't have a Citrix Account
        Fill in the required information and accept the Terms of Service to create a Citrix Cloud account.
    Select a Home Region that best suits your Performance and Business needs
    Request an Endpoint Management Trial
    Endpoint Management Trial Sales Engineer engagement
        We need more information about how to setup your Endpoint Management Cloud site.
Citrix Content Collaboration Trial Request
Start your Endpoint Management Trial by specifying your Site details
    Configure MDM
    Site Name
    Cloud data center region
    OPTIONAL – Limit access to the Endpoint Management console to this IP address:
    Completing the Request
Preparing the Citrix Endpoint Management and Citrix Content Collaboration Prerequisites
    Citrix Cloud Connector Requirements
        Server Requirements
        Platform Requirements
Citrix Cloud Resource Location Setup
    Setting Up the default Resource Location
Citrix Cloud Connector Setup
    Download Citrix Cloud Connector
    Installation Requirements
    The following occurs during installation
    Complete the Citrix Cloud Connector Setup
Citrix Gateway Requirements
    Citrix Gateway Requirements
    Citrix Gateway Platform Requirements
    Citrix Gateway MAM Requirements
    Citrix Gateway Requirements for Citrix Content Collaboration
Citrix Content Collaboration Requirements
    Content Collaboration StorageZones Controller Requirements
    Content Collaboration StorageZones Controller Server Role Requirements
    Content Collaboration Platform Requirements
Customer Infrastructure Components
    Infrastructure Components Reference Table
Network and Firewall Requirements
    Open ports from Internal Network to Citrix Cloud
    Open ports from Internet to DMZ
    Open ports from DMZ to Internal
    Open ports from Internal to DMZ
    Open ports from DMZ to Internet
    Open ports from Internal to Internet
    Open ports from Corporate WIFI to Internet
    Port requirement for AutoDiscovery Service connectivity
    Certificate Pinning Prerequisites
Google/Apple/Microsoft Requirements
    Apple
    Google
    Microsoft
Deployment Use Cases
Deployment Scenarios
Endpoint Management MDM Pilot Test Cases Example
    Pilot MDM Test Matrix
Citrix mobile productivity apps/MDX Pilot Test Cases Example
    Pilot Citrix mobile productivity apps/MDX Test Matrix


Versioning

Version | Date             | Description | Author
1.0     | 26 December 2017 |             | Jeroen J.V Lebon
1.1     | 5 February 2018  | Update      | Jeroen J.V Lebon
1.2     | 4 April 2018     | Update      | Jeroen J.V Lebon
1.3     | 20 July 2018     | Update      | Jeroen J.V Lebon
1.4     | 10 October 2018  | Update      | Jeroen J.V Lebon

Name                                             | Title                                          | Role
Jeroen J.V Lebon                                 | Senior Sales Engineer – Mobility Specialist    | Author
Christopher Friend                               | Field Readiness Manager, EMEA Field Readiness  | Contributor / Reviewer
Jaromir Kirson                                   | Lead Sales Engineer, Key Account Managers      | Contributor / Use cases
Justin Maeder                                    | Product Manager, Endpoint Management           | Contributor / Reviewer
Kathy Paxton                                     | Content Developer                              | Contributor / Reviewer
Citrix Endpoint Management Rapid Deployment Team |                                                | Contributor / Reviewer

Terminology

Term     | Definition
Customer | Refers to (customer name) and its representatives
Citrix   | Refers to Citrix Systems and its representatives
MDM      | Mobile Device Management
MAM      | Mobile Application Management
APNS     | Apple Push Notification Service
MDX      | Mobile Device Experience
ADS      | AutoDiscovery Service
UEM      | Unified Endpoint Management
SNIP     | Subnet IP: the address the Citrix Gateway uses to reach back-end servers
NSIP     | NetScaler IP: the management address of the Citrix Gateway appliance
VIP      | Virtual IP: the address a Citrix Gateway virtual server listens on
NSG      | Citrix Gateway (formerly NetScaler Gateway)


Introduction Citrix Endpoint Management delivered via Citrix Cloud provides industry leading Enterprise Mobility Management (EMM) and Unified Endpoint Management (UEM) capabilities for all business types who are looking to embrace the cloud and reduce TCO for their mobile infrastructure. Endpoint Management is an elastic pay-as-you-go SaaS subscription which allows IT to easily secure and manage mobile devices and applications while giving users the freedom to experience work and life their way. As part of a Bring Your Own Device (BYOD) program, Endpoint Management even allows end-users to use their own personal device for access to critical corporate resources. An assisted web-based onboarding process can have Endpoint Management up and running in a matter of hours, saving IT the time and resources required to build out the infrastructure themselves. As part of the onboarding process, Endpoint Management easily integrates with on-premises enterprise systems allowing IT to quickly gain control over mobile devices and applications.

References

This document is created with the intention of consolidating all the available information around Citrix Endpoint Management and providing you with what you need for a smooth enablement and onboarding. The table below gives reference links to detailed information online. Please read this information, or contact your Citrix Sales Engineer if you need more information or have questions. In addition, you can use this document to record changes for your internal processes and to document the service for internal reference in high-level and functional designs.

Endpoint Management General Information: https://docs.citrix.com/en-us/citrix-endpoint-management/citrix-endpoint-management.html
Endpoint Management Use Cases: https://support.citrix.com/article/CTX223709
Cloud Connector: https://docs.citrix.com/en-us/endpoint-management/system-requirements.html#cloud-connector-requirements
Citrix Cloud: https://citrix.cloud.com/
Endpoint Management How to: https://support.citrix.com/pages/xenmobile-how
Citrix Software Downloads: https://www.citrix.nl/downloads/
Citrix Content Collaboration Firewall Configuration and IP Address: https://support.citrix.com/article/CTX208318
AutoDiscovery Service: https://docs.citrix.com/en-us/citrix-endpoint-management/device-management.html#endpoint-management-autodiscovery-service

Why Endpoint Management from Citrix Cloud?

1. Faster deployment. Hours instead of days.
2. No upfront cost. Minimal to no infrastructure.
3. Access to new features and bug fixes before the on-premises releases.
4. Peace of mind. 99.9% uptime.
5. No co-mingling of customer data with dedicated instances.
6. Predictable budget.
7. OpEx. Pay and get value as you go.


Endpoint Management Benefits

1. Citrix Cloud Connector technology provides a secure channel for communications between Citrix Cloud and your Resource Locations. This enables cloud management without requiring any complex networking or infrastructure configurations such as VPNs or IPsec tunnels.
2. Fully secure and redundant channel connecting Citrix Cloud to corporate resource locations.
3. Easy deployment without complex infrastructure configurations.
4. Consistency with other Citrix Cloud services: all Citrix Cloud services, including virtualized apps and desktops, have standardized on the Citrix Cloud Connector for enterprise connectivity, delivered with a single consistent experience.
5. Enterprise connectivity for customers with strict corporate security requirements that do not allow IPsec connectivity to cloud services.
6. Citrix Endpoint Management MDX security specifics include FIPS-compliant SSL/TLS encryption for all MDX application data at rest and in transit (a FIPS Citrix Gateway on-premises is required).
7. Highly available architecture including redundant database resources and disaster recovery options for every data center.
8. Enterprise integration with LDAP, PKI and certificate services to meet security and identity requirements.

Endpoint Management Features

- Device and OS management including iOS, Android, Android Enterprise, Windows 10, macOS, Chrome OS, Citrix Ready workspace hub, and IoT
- Application management including MDX, Android Enterprise, Intune App Protection, Samsung KNOX, App Configuration, and more
- Business class mobile productivity apps including Secure Mail, Secure Web, Citrix Files, ShareConnect, QuickEdit
- BYOD solution including MDM-independent MAM with no device agent requirements
- Workspace Environment Management (WEM) for optimized desktop application performance
- Micro VPN for complete application data encryption and isolation
- Mobile SaaS for transparent access to all managed apps
- Microsoft Intune/EMS app protection policies integrated with the Citrix Cloud console for simple Office 365 management


Endpoint Management compared to Workspace Premium

This information is current as of October 1, 2018. For the latest offerings, see https://www.citrix.com/products/citrix-workspace/.

Feature                                                                                                                   | Citrix Endpoint Management | Citrix Workspace Premium | Citrix Workspace Premium Plus*
Access via Workspace app                                                                                                  | ✓                          | ✓                        | ✓
Workspace Environment Management service                                                                                  | ✓                          | ✓                        | ✓
Secure Unified Endpoint Management                                                                                        | ✓                          | ✓                        | ✓
Enterprise App Store                                                                                                      | ✓                          | ✓                        | ✓
Mobile Device Management                                                                                                  | ✓                          | ✓                        | ✓
Mobile Application Management                                                                                             | ✓                          | ✓                        | ✓
Micro-VPN                                                                                                                 | ✓                          | ✓                        | ✓
Citrix mobile productivity apps (Secure Mail, Secure Web, Secure Hub, QuickEdit)                                          | ✓                          | ✓                        | ✓
Integration with Microsoft EMS/Intune                                                                                     | ✓                          | ✓                        | ✓
Citrix Content Collaboration (ShareFile Premium - 1 TB/user*)                                                             | -                          | ✓                        | ✓
Citrix Access Control (SSO, Citrix Gateway, Cloud App Control for SaaS & Web Apps, Secure Browser, web filtering)         | -                          | ✓                        | ✓
Citrix Analytics Advanced for Access Control (performance and security analytics)                                         | -                          | ✓                        | ✓
Citrix Analytics Advanced for Workspace (performance and security analytics)                                              | -                          | ✓                        | ✓

* Includes Citrix Virtual Apps and Desktops, not covered in this handbook.

Endpoint Management High Level Architecture

(diagram)

Endpoint Management Traffic Flow

(diagram)

Endpoint Management Cloud Connector Traffic Flow

(diagram)


Citrix Cloud Trial Request for Endpoint Management and Content Collaboration

Sign up for Citrix Cloud with an existing Citrix Account

Open a browser and go to http://citrix.cloud.com. Customers with an existing Citrix.com account can use it to get started with Citrix Endpoint Management: just enter your existing username and password.

Sign up for Citrix Cloud if you don't have a Citrix Account

Open a browser and go to http://citrix.cloud.com. Customers with no Citrix.com account click "Don't have an account? Sign up and try it free". This link redirects you to http://onboarding.cloud.com.


Fill in the required information and accept the Terms of Service to create a Citrix Cloud account.


Select a Home Region that best suits your Performance and Business needs

When your organization is onboarded to Citrix Cloud and you sign in for the first time, you are asked to choose a region, currently the US or EMEA. Pick a region that maps to where the majority of your users and resources will be located.

Important: You can choose a region only once, when your organization is onboarded. You cannot change your region later.

NOTE: The selected region is for services hosted by the Citrix Cloud platform and NOT the region where the Endpoint Management instances are located. For more information visit: https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/geographical-considerations.html


Request an Endpoint Management Trial After you log in with your Citrix Cloud account, a screen similar to the following appears. In the Endpoint Management tile, click Request Trial.

After you click Request Trial, a pop-up notification appears. Read the information and click Close to continue.

Contact your local Sales Representative to arrange the Kick-off Meeting.


The button then changes to View trial status. You receive an email notification when your trial is available.

Endpoint Management Trial Sales Engineer engagement

After you request a trial, a Citrix Sales Engineer follows up on the trial request by completing a Podio form. Provide your Citrix Sales Engineer with the following required information:

- Site Name: [customer's choice].xm.cloud.com
- Customer Organization Name
- Customer Contact Name
- Customer Email
- Region: US East, US West, West Europe, SE Asia or Sydney
- Request Type: Pilot for Endpoint Management Cloud purchase, or Endpoint Management Cloud Production
- Tunnel Options: Cloud Connector, or None (local users)
- Citrix Sales Engineer Email
- Kick-off Meeting Date & Time

The Kick-off meeting introduces Sales and the Customer to the Rapid Deploy and Cloud Ops teams. We cover the entire process, expectations, requirements, and Citrix Cloud account creation. Please give us at least 24 hours' notice for this Kick-off meeting. The Kick-off meeting can only take place when all the prerequisites are in place.


We need more information about how to setup your Endpoint Management Cloud site. After you click Manage, the following prompt indicates that the rapid deployment team hasn't selected an enterprise connectivity type.

Citrix Content Collaboration Trial Request Note: ShareFile is offered within Citrix Workspace under the name Content Collaboration. After you log in with your (existing or newly created) Citrix Cloud account, a screen similar to the following appears. In the Content Collaboration tile, select the drop-down box and click Request Trial.


If you are already a ShareFile customer, you can link your current ShareFile Account.

Enter your subdomain in the required field and then click Request Trial.


Start your Endpoint Management Trial by specifying your Site details

When you receive the email from the Endpoint Management Rapid Deployment Team indicating that your Site is approved, you next set up the Site Details to complete the provisioning of your Endpoint Management Cloud Service. Follow the steps below to provide the information necessary to provision your site. After providing this information, you can start implementing the prerequisites in this document.

Log in to Citrix Cloud and click Get Started to specify your Endpoint Management Site Details

Configure MDM

Click Configure MDM


To complete this step, make sure that you have two machines running Windows Server 2012 R2 or Windows Server 2016 ready for the Cloud Connector installation. For help, click the book icon on the right to open the Guidance pane.

Site Name

The site name is used to create the URL for your Endpoint Management Cloud site and is used for device enrollment. Up to 16 characters are supported. For example: https://yoursitename.xm.cloud.com (the same [customer's choice].xm.cloud.com form that the Sales Engineer records on the trial form).

Cloud data center region

Choose the geographic region closest to your primary resource location (data center). The chosen region identifies the physical location where each of the Endpoint Management cloud instances will reside.


OPTIONAL – Limit access to the Endpoint Management console to this IP address:

Provide the public IP address from which your administrators reach the internet; the Endpoint Management console then accepts administrative sessions only from that source address. Before submitting it, confirm the egress address your admin workstations actually use (for example, the address seen on the outside of your corporate proxy or NAT), because a wrong address locks your own administrators out of the console.

Click Next to complete the request.

Completing the Request

Click Request Site to complete the web form and request your Endpoint Management site.

The Endpoint Management Rapid Deployment team then begins provisioning the customer site. An email is sent to the account holder once the site provisioning is completed.


Preparing the Citrix Endpoint Management and Citrix Content Collaboration Prerequisites

While waiting for Endpoint Management to be provisioned, prepare for your deployment by installing the Cloud Connector. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port requirements still apply on your side: that setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory.

Citrix Cloud Connector Requirements

Citrix uses the Cloud Connector to integrate the Endpoint Management architecture into your existing infrastructure. For Endpoint Management in production, a minimum of two Cloud Connectors is required so that the channel to Citrix Cloud stays available if one of them fails; in a pilot, one Cloud Connector is sufficient. The Cloud Connector supports all Endpoint Management authentication types.

Server Requirements

A dedicated physical or virtual machine ☐

Windows Server 2012 R2 or Windows Server 2016 ☐

2 vCPUs ☐

4 GB RAM ☐

50 GB Hard Disk Space ☐

Active Directory Domain-Joined ☐

Domain/Forest Functional Level – 2008 R2 or Higher ☐

Platform Requirements

.NET: .NET 4.5.1 or later ☐

Internet Connectivity ☐

Clock set to the correct UTC time ☐


Citrix Cloud Resource Location Setup Resource Locations contain the resources required to deliver services to your subscribers. You manage these resources from Citrix Cloud.

Setting Up the default Resource Location

Select the default resource location My Resource Location (Name can be changed later) or choose to create a new one by selecting New Resource Location.

When you choose a new resource location, the web form prompts you to enter a new name for the new resource location.


Citrix Cloud Connector Setup The Cloud Connector server serves as a channel that authenticates and encrypts all communication between Citrix Cloud and your resources such as Active Directory, DNS, and PKI.

Download Citrix Cloud Connector

To begin, click Download Cloud Connector to download the installation file needed for the setup.

Installation Requirements

- You can only install the Connector on a domain-joined machine. The installer refuses to run on a machine that is not domain-joined.
- The machine where you install the Connector must be in sync with UTC time for proper installation and operation.
- Switch Internet Explorer Enhanced Security Configuration (IE ESC) off during installation, and turn it back on once the installer has completed.
- Check that the required .NET version is installed. If it isn't, install the version listed in the Citrix Cloud Connector Requirements table in this document.
- Copy the installer (CWCConnector.exe) to the server and run it. Make sure your browser allows the download of executable files.
- Do not install the Connector on a machine template that is then cloned across multiple machines. Run the installer separately on every machine.
- Have outbound access to the internet through TCP port 443 (HTTPS).

The following occurs during installation

An initial connectivity check to Citrix Cloud

Prompts for Citrix Cloud administrator user name and password

If you are an administrator for more than one customer, you are prompted to choose the customer with which to associate the Connector installation.


If the customer for which you are installing the Connector has more than one resource location, you are prompted to choose the resource location with which to associate the Connector installation.

A final connectivity check to ensure Connector-to-cloud communication

Complete the Citrix Cloud Connector Setup

After installation completes, click Test Connection to test the connection between Cloud Connector and Citrix Cloud.

Click Save & Exit when completed. Click Finish to complete the device management portion of the deployment process.

For detailed technical information about Cloud Connector servers, see: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector.html.
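The requirements and installation steps above can be verified before CWCConnector.exe is run. The following pre-flight script is an added example, not code from the handbook or from Citrix: it is run in an elevated Windows PowerShell session on the candidate server and checks domain membership, clock skew, IE ESC, the .NET Framework release and outbound TCP 443. The .NET release threshold, the NTP source, the 5-second skew limit and the concrete test host are assumptions of this example; take the real values from the Requirements table and the port tables in this document.

```powershell
# Added example, not from the Citrix handbook: pre-flight checks for a Cloud Connector
# candidate. Run in an elevated Windows PowerShell session on the server itself.
# Assumptions (mine, not the handbook's): the .NET release threshold, the NTP source
# used for the clock check, the 5-second skew limit and the concrete test host.
$MinDotNetRelease = 461808                                   # .NET Framework 4.7.2; take the value from the Requirements table
$TimeSource       = 'time.windows.com'                       # any NTP server this host can reach on UDP 123
$MaxSkewSeconds   = 5
$CloudTestHosts   = 'cwsproduction.blob.core.windows.net'    # listed in the port table; wildcard names need a concrete host

$checks = [ordered]@{}

# 1. Domain membership: the installer refuses a machine that is not domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$checks['Domain joined'] = [bool]$cs.PartOfDomain

# 2. Clock skew. w32tm prints one sample per line as "HH:mm:ss, +00.0116284s".
$offsets = & w32tm.exe /stripchart "/computer:$TimeSource" /samples:3 /dataonly 2>$null |
    ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } }
$worst = ($offsets | Measure-Object -Maximum).Maximum
$checks["Clock within $MaxSkewSeconds s of $TimeSource"] = ($null -ne $worst) -and ($worst -lt $MaxSkewSeconds)

# 3. IE Enhanced Security Configuration off for both administrators and users.
#    The two Active Setup components hold IsInstalled = 1 while IE ESC is on.
$escBase = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escOff  = $true
foreach ($guid in '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}', '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}') {
    $key = Join-Path $escBase $guid
    if ((Test-Path $key) -and ((Get-ItemProperty -Path $key).IsInstalled -eq 1)) { $escOff = $false }
}
$checks['IE ESC disabled'] = $escOff

# 4. .NET Framework 4.x release number from the registry.
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = if (Test-Path $ndp) { [int](Get-ItemProperty -Path $ndp).Release } else { 0 }
$checks[".NET release >= $MinDotNetRelease (found $release)"] = ($release -ge $MinDotNetRelease)

# 5. Outbound TCP 443. Test-NetConnection opens a raw socket, so it bypasses any
#    WinHTTP proxy; if the Connector has to go through a proxy, configure that
#    separately and re-test with the proxy in place.
foreach ($h in $CloudTestHosts) {
    $checks["TCP 443 to $h"] = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
}

# 6. Report; any False is a blocker to fix before running CWCConnector.exe.
$checks.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } | Format-Table -AutoSize
"Ready to install Cloud Connector: $(-not ($checks.Values -contains $false))"
```

The script reports rather than remediates on purpose: switching IE ESC off or installing .NET on a server is a change that belongs in the customer's change process, and the "cloned template" requirement cannot be detected after the fact, so it stays a manual check.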

Citrix Gateway Requirements

A Citrix Gateway is required in your resource location if you require a micro VPN for either or both of the following scenarios:

Access to internal network resources for line-of-business applications wrapped with MDX technology and connecting to internal back-end infrastructure.

The use of Citrix mobile productivity apps, such as Citrix Secure Mail, to make email securely available to your users.

Many Endpoint Management production licenses entitle you to two VPX 3000 Citrix Gateways. Depending on your deployment scenario, user personas, and functional requirements, a different Citrix Gateway might be required. Contact your sales representative for additional information.

Citrix Gateway Requirements

New deployment: VPX 3000 series or greater

Existing Citrix Gateway deployments are supported, but a new Citrix Gateway virtual server is required

2 - 4 vCPUs ☐

Recommended 4 GB per vCPU ☐

20 GB Hard Disk Space ☐

Citrix Gateway Platform Requirements

Citrix Gateway Subnet IP Address (SNIP) ☐

Citrix Gateway Management IP Address (NSIP) ☐

Citrix Gateway Internal FQDN ☐

LDAP (Active Directory) Service Account ☐

Citrix Gateway MAM Requirements

Citrix Gateway Public IP Address (VIP) ☐

Public DNS Name (a host name, not a URL) – Example: mam.company.com ☐

Public SSL certificate 2048-bit key ☐

Proxy Load Balancer IP (internally non-routable RFC 1918 address) ☐

Citrix Gateway Requirements for Citrix Content Collaboration

Citrix Gateway Public IP Address (VIP) ☐

Public DNS Name (a host name, not a URL) – Example: sharefile.company.com ☐

Public SSL certificate 2048-bit key ☐


Citrix Content Collaboration Public FQDN (Example: mycompany.sharefile.com), requested in the Citrix Content Collaboration trial ☐

Citrix Content Collaboration StorageZones Controller Internal IP Address ☐

Citrix Content Collaboration Requirements

Citrix Content Collaboration is a cloud-based file sharing service that enables users to easily and securely exchange documents. Content Collaboration enables users to send large documents by email, securely handle document transfers to third parties, and access a collaboration space from desktops or mobile devices. Content Collaboration provides users with a variety of ways to work, including a web-based interface, mobile clients, desktop tools, and integration with Microsoft Outlook. The Content Collaboration StorageZones Controller extends the Content Collaboration software as a service (SaaS) cloud storage by providing your Content Collaboration account with private data storage.

Content Collaboration StorageZones Controller Requirements

A dedicated physical or virtual machine ☐

Windows Server 2012 R2 or Windows Server 2016 ☐

2 vCPUs ☐

4 GB ☐

50 GB Hard Disk Space ☐

Content Collaboration StorageZones Controller Server Role Requirements

Web Server (IIS) ☐

Application Development: ASP.NET 4.5.2 ☐

Security: Basic Authentication ☐

Security: Windows Authentication ☐
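The operating system and role requirements above translate directly into a server build step. The script below is an added example, not code from the handbook or from Citrix: run elevated on the StorageZones Controller candidate, it rejects an unsupported OS, installs the four role services listed in the tables and reports anything still missing. The feature names are the standard Windows Server names for those role services; Web-Asp-Net45 installs the ASP.NET 4.x build that ships with the OS, so the 4.5.2 runtime itself is not something this script can guarantee.

```powershell
# Added example, not part of the handbook: check the OS and install the IIS role
# services the StorageZones Controller needs. Run elevated on the controller.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
# ProductType 1 = workstation; build 9600 = Windows Server 2012 R2, 14393 = Windows Server 2016
if ($os.ProductType -eq 1 -or $os.BuildNumber -notin @('9600', '14393')) {
    throw "Unsupported OS for a StorageZones Controller: $($os.Caption) (build $($os.BuildNumber))"
}

# Feature names for the roles in the table: Web Server (IIS), ASP.NET 4.x application
# development, Basic Authentication and Windows Authentication.
$features = 'Web-Server', 'Web-Asp-Net45', 'Web-Basic-Auth', 'Web-Windows-Auth'
$result   = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw "Role installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -ne 'No') { 'A restart is required before the StorageZones Controller installer is run.' }

# Verify; expected output is the "all installed" line.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { "Still missing: $($missing.Name -join ', ')" }
else          { 'All StorageZones Controller role services are installed.' }
```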

Content Collaboration Platform Requirements

The Citrix Files app installer requires administrative privileges on the Windows Server

Content Collaboration Admin Username ☐

Customer Infrastructure Components

When implementing an Endpoint Management infrastructure with secure connectivity to your internal network, the on-premises Citrix Gateway and Endpoint Management in Citrix Cloud need to communicate with the internal network resources listed in the table below. Record your information in the table for reference during the preparation, onboarding, and pilot phases.

Infrastructure Components Reference Table

DNS Server IP Address ☐

DNS Server FQDN ☐

Proxy Server for Outgoing Traffic ☐

Proxy Authentication needed? Yes/No ☐

Proxy Server for Incoming Traffic ☐

Proxy Authentication needed? Yes/No ☐

Active Directory Server Internal IP Address ☐

Active Directory Server Internal FQDN ☐

Active Directory Server Port ☐


AD Server SSL Certificate – max 2048-bit key ☐

Active Directory Domain Name ☐

Active Directory User Base DN ☐

Active Directory Search User ID ☐

Active Directory Search User Password is known and tested ☐

SMTP Server External IP ☐

SMTP Server External FQDN ☐

SMTP Server Port ☐

SMTP Relay User Name (if needed) ☐

SMTP Relay User Password is known and tested (if needed) ☐

Exchange Internal IP Address ☐

Exchange Internal FQDN ☐

Exchange Server Port ☐

Exchange Server SSL Certificate – max 2048-bit key ☐

SharePoint Server Internal IP (if needed) ☐

SharePoint Server Internal FQDN ☐

SharePoint Server Port ☐

All FQDNs are tested, including reverse lookup: Yes/No ☐
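Two rows of the reference table ("Search User Password is known and tested" and "All FQDNs are tested, including reverse lookup") are worth scripting rather than ticking by hand. The following is an added example, not code from the handbook or from Citrix: it resolves every FQDN forward and back, then binds to Active Directory over LDAPS with the search account and looks that account up under the base DN. All hostnames, the base DN, the DNS names and the account are placeholders (assumptions); substitute the values recorded in the table. The certificate callback also reports the AD server's key size, which is the "max 2048-bit key" row.

```powershell
# Added example, not part of the handbook: exercise the entries from the reference
# table before onboarding. Every hostname, the base DN and the account below are
# placeholders (assumptions); substitute the values you recorded in the table.
$Fqdns      = 'dc01.corp.example.com', 'mail.corp.example.com', 'sp01.corp.example.com'
$LdapHost   = 'dc01.corp.example.com'
$LdapPort   = 636                                  # LDAPS, so the simple bind is not sent in the clear
$BaseDn     = 'DC=corp,DC=example,DC=com'
$SearchUser = 'CORP\svc-cem-ldap'
$Cred       = Get-Credential -UserName $SearchUser -Message 'Active Directory search account'

# Forward lookup, then reverse lookup of every returned address: the table asks that
# each FQDN resolve both ways.
foreach ($fqdn in $Fqdns) {
    try {
        $aRecords = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        foreach ($rec in $aRecords) {
            $ptr   = (Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction Stop).NameHost
            $state = if ($ptr -eq $fqdn) { 'OK' } else { "MISMATCH (PTR says $ptr)" }
            '{0} -> {1} -> {2}' -f $fqdn, $rec.IPAddress, $state
        }
    } catch { '{0}: lookup failed: {1}' -f $fqdn, $_.Exception.Message }
}

# LDAPS bind with the search account. The server certificate must chain to a CA this
# host trusts (Citrix Gateway will have to trust it as well); the callback also
# reports subject, expiry and RSA key size for the "max 2048-bit key" row.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapHost, $LdapPort, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $c   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    $bits = if ($rsa) { $rsa.KeySize } else { 'n/a (not RSA)' }
    Write-Host ('AD server certificate: {0}, expires {1}, RSA key {2} bits' -f $c.Subject, $c.NotAfter, $bits)
    return $c.Verify()        # chain validation against the local trust store
}
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $Cred.GetNetworkCredential()
try {
    $conn.Bind()
    # Look the search account itself up under the base DN: one round trip proves the
    # bind, the base DN and read access.
    $sam  = $Cred.GetNetworkCredential().UserName
    $req  = [System.DirectoryServices.Protocols.SearchRequest]::new($BaseDn, "(sAMAccountName=$sam)", 'Subtree', 'distinguishedName')
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 1) { "LDAPS bind and search OK: $($resp.Entries[0].DistinguishedName)" }
    else { "Bind OK, but $sam was not found under $BaseDn; check the base DN" }
} catch { "LDAP check failed: $($_.Exception.Message)" }
finally { $conn.Dispose() }
```

If the bind fails inside the certificate callback, the AD server's certificate is not trusted by this host; fix that (or record the issuing CA for the Gateway configuration) before treating the LDAP rows of the table as done.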

Network and Firewall Requirements

To enable devices and apps to communicate with Endpoint Management, you open specific ports in your firewalls. The following tables list the ports that must be open.

Open ports from Internal Network to Citrix Cloud

TCP port | Description | Source IP | Destination | Destination IP
443 | Cloud Connector | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.sharefile.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net | 
4443 | Administrative Console | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.citrix.com, https://*.blob.core.windows.net | 

Open ports from Internet to DMZ

TCP port | Description | Source IP | Destination | Destination IP
443 | Endpoint Management client device | | Citrix Gateway IP | ☐
443 | Endpoint Management client device | | Citrix Gateway VIP for Content Collaboration | ☐
443 | Content Collaboration public IP addresses | Content Collaboration control plane (addresses listed in CTX208318) | Citrix Gateway VIP for Content Collaboration | 
443 | StoreFront | | Citrix Gateway IP | ☐


Open ports from DMZ to Internal

Port (protocol) | Description | Source IP | Destination | Destination IP
389 or 636 (TCP) | LDAP (389) or LDAPS (636); use 636 so that bind credentials are not sent in clear text | Citrix Gateway NSIP (or, if using a load balancer, SNIP) | LDAP/Active Directory IP | ☐
53 (UDP) | DNS | Citrix Gateway SNIP | DNS server IP | ☐
443 (TCP) | Exchange ActiveSync | Citrix Gateway SNIP | Exchange (EAS) server IP | ☐
80/443 (TCP) | Internal web apps and services | Citrix Gateway SNIP | Internal web apps/services | ☐
443 (TCP) | StorageZones Controller | Citrix Gateway SNIP | Content Collaboration StorageZones Controller IP | 
123 (UDP) | NTP | Citrix Gateway SNIP | NTP server | ☐
1494 (TCP) | ICA | Citrix Gateway SNIP | Virtual Apps and Desktops | ☐
1812 (UDP) | RADIUS authentication | Citrix Gateway NSIP | RADIUS authentication server | 
2598 (TCP) | ICA with Session Reliability (CGP) | Citrix Gateway SNIP | Virtual Apps and Desktops | ☐
3268 (TCP) | Global Catalog (LDAP) | Citrix Gateway NSIP | Global Catalog server | ☐
3269 (TCP) | Global Catalog over SSL (LDAPS) | Citrix Gateway NSIP | Global Catalog server | ☐

Open ports from Internal to DMZ

TCP port | Description | Source IP | Destination | Destination IP
443 | Admin client | | Citrix Gateway NSIP | ☐

Open ports from DMZ to Internet

TCP port | Description | Source IP | Destination | Destination IP
8443 | Endpoint Management cloud | Citrix Gateway SNIP | Endpoint Management cloud | 
443 | LaunchDarkly | Citrix Gateway | LaunchDarkly | ☐

Open ports from Internal to Internet

TCP port | Description | Source IP | Destination | Destination IP
443 | Endpoint Management push notification listener | Exchange (EAS) server IP | us-east-1.mailboxlistener.xm.citrix.com, eu-west-1.mailboxlistener.xm.citrix.com, ap-southeast-1.mailboxlistener.xm.citrix.com | 
443 | Content Collaboration control plane | Content Collaboration StorageZones Controller IP | Content Collaboration control plane (addresses listed in CTX208318) | ☐

Open ports from Corporate Wi-Fi to Internet

TCP port | Description | Source IP | Destination | Destination IP
5223 | Apple APNs | Endpoint Management client device | Apple APNs servers | 17.0.0.0/8 ☐
5228 | Firebase Cloud Messaging | Endpoint Management client device | android.apis.google.com | ☐
5229 | Firebase Cloud Messaging | Endpoint Management client device | android.apis.google.com | ☐
5230 | Firebase Cloud Messaging | Endpoint Management client device | android.apis.google.com | ☐


443 | Windows Push Notification Service | Endpoint Management client device | *.notify.windows.com | ☐
443 | Apple iTunes App Store | Endpoint Management client device | ax.itunes.apple.com, *.mzstatic.com, vpp.itunes.apple.com | 
443 | Google Play | Endpoint Management client device | play.google.com | ☐
443 / 80 | Microsoft App Store | Endpoint Management client device | login.live.com, *.notify.windows.com | 
443 | Endpoint Management AutoDiscovery Service | Endpoint Management client device | ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 
8443 / 443 | Endpoint Management | Endpoint Management client device | Endpoint Management | ☐
443 | Content Collaboration control plane | Content Collaboration StorageZones Controller IP | Content Collaboration control plane (addresses listed in CTX208318) | ☐

Port requirement for AutoDiscovery Service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can reach the Citrix AutoDiscovery Service (ADS) from within the internal network. Reaching the ADS matters because any security updates made available through the ADS are downloaded from it.

Note: ADS connections might not work through your proxy server. In that case, allow the ADS connection to bypass the proxy server.
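The port tables above are usually handed to a firewall team as a change request and then never re-checked from the source side. The following script is an added example, not code from the handbook or from Citrix: run on a Windows host that stands in for one of the source roles (a laptop on the corporate Wi-Fi for the client-device rows, the Exchange server for the push-listener row, the Cloud Connector server for the Citrix Cloud rows), it probes each TCP destination and prints the rows that are still blocked. Hostnames are taken from the tables where the tables give one; the entries tagged "assumption" (citrix.cloud.com for *.cloud.com, 1-courier.push.apple.com for the APNs 17.0.0.0/8 block, the DNS server address and the role the host plays) are placeholders of this example. Rows whose source is the Citrix Gateway SNIP or NSIP have to be tested from the ADC itself and are not included.

```powershell
# Added example, not from the handbook: drive the port tables above from a Windows host
# that plays one of the source roles. Entries marked "assumption" are my placeholders
# for wildcard or unnamed destinations; the rest come from the tables.
function New-Rule([string]$Role, [string]$Target, [int]$Port, [string]$What) {
    [pscustomobject]@{ Role = $Role; Target = $Target; Port = $Port; What = $What }
}
$Rules = @(
    New-Rule 'InternalToCloud' 'cwsproduction.blob.core.windows.net'     443  'Cloud Connector download'
    New-Rule 'InternalToCloud' 'citrix.cloud.com'                         443  '*.cloud.com (assumption: concrete host)'
    New-Rule 'Exchange'        'eu-west-1.mailboxlistener.xm.citrix.com'  443  'Endpoint Management push notification listener'
    New-Rule 'Device'          'ads.xm.cloud.com'                         443  'AutoDiscovery Service; must bypass the proxy'
    New-Rule 'Device'          'play.google.com'                          443  'Google Play'
    New-Rule 'Device'          'android.apis.google.com'                 5228  'Firebase Cloud Messaging'
    New-Rule 'Device'          'android.apis.google.com'                 5229  'Firebase Cloud Messaging'
    New-Rule 'Device'          'android.apis.google.com'                 5230  'Firebase Cloud Messaging'
    New-Rule 'Device'          '1-courier.push.apple.com'                5223  'Apple APNs, 17.0.0.0/8 (assumption: concrete host)'
    New-Rule 'Device'          'vpp.itunes.apple.com'                     443  'Apple App Store / VPP'
    New-Rule 'Device'          'login.live.com'                           443  'Microsoft Store sign-in'
)

function Test-Rule {
    param([pscustomobject]$Rule)
    # Raw TCP connect, no proxy. A proxy-only path shows up as a failure here, which is
    # the right verdict for ADS (it must be direct) but may be a false alarm for store traffic.
    $ok = Test-NetConnection -ComputerName $Rule.Target -Port $Rule.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $Rule.Role; Target = $Rule.Target; Port = $Rule.Port; Reachable = $ok; What = $Rule.What }
}

$MyRole = 'Device'          # assumption: run on a laptop on the corporate Wi-Fi
$report = $Rules | Where-Object Role -eq $MyRole | ForEach-Object { Test-Rule -Rule $_ }
$report | Format-Table -AutoSize

# UDP 53 cannot be probed with Test-NetConnection, so query the DNS server from the
# reference table instead.
$DnsServer = '10.0.0.10'    # assumption
try   { Resolve-DnsName -Name 'ads.xm.cloud.com' -Server $DnsServer -ErrorAction Stop | Out-Null; "DNS via $DnsServer OK" }
catch { "DNS via $DnsServer failed: $($_.Exception.Message)" }

# Every unreachable row is a firewall change to request before the pilot starts.
$report | Where-Object { -not $_.Reachable } |
    ForEach-Object { 'OPEN: {0} -> {1}:{2} ({3})' -f $_.Role, $_.Target, $_.Port, $_.What }
```

The UDP rows for NTP (123) and RADIUS (1812) are deliberately absent: a TCP probe says nothing about them, and a "reachable" line for a port the script never tested would be worse than no line at all.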

Certificate Pinning Prerequisites

If you want to enable certificate pinning, complete the following prerequisites:

Collect the Endpoint Management server and Citrix Gateway certificates. The certificates must be in PEM format and must be the public certificate only, never the private key.

Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to the ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must be able to reach the ADS. Therefore, opening ADS access from within the internal network is critical to enabling devices to enroll.
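The safest way to collect the certificates for the Support request is to take them from the live TLS handshake rather than exporting from a certificate store, because a store export is where a private key can slip into the file by accident. The script below is an added example, not code from the handbook or from Citrix: for each FQDN it records the leaf certificate the server presents on TCP 443, writes it as PEM, checks that the result contains a certificate and no private key, and reports the RSA key size, expiry and SHA-256 fingerprint. The two target hostnames and the output directory are assumptions of this example.

```powershell
# Added example, not from the handbook: collect the public certificate that the Citrix
# Gateway and Endpoint Management FQDNs present on TCP 443, write it as PEM, and
# sanity-check the file before it goes to Citrix Support. Hostnames are placeholders
# (assumption); no private key is ever read or written.
$Targets = 'mam.company.com', 'cem.company.com'
$OutDir  = Join-Path $env:USERPROFILE 'pinning'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-LeafCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # The callback returns $true only so the handshake completes and the leaf can be
        # read; this function collects a certificate, it does not decide trust.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)              # sends SNI = $HostName
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function ConvertTo-PemCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # RawData is the DER-encoded certificate only; a private key cannot end up here.
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
    "-----BEGIN CERTIFICATE-----`n$($lines -join "`n")`n-----END CERTIFICATE-----`n"
}

function Test-PemIsPublicOnly {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    ($text -match '-----BEGIN CERTIFICATE-----') -and ($text -notmatch 'PRIVATE KEY')
}

foreach ($fqdn in $Targets) {
    $cert   = Get-LeafCertificate -HostName $fqdn
    $rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
               ForEach-Object { $_.ToString('x2') }) -join ''
    $path   = Join-Path $OutDir "$fqdn.pem"
    Set-Content -Path $path -Value (ConvertTo-PemCertificate -Cert $cert) -Encoding Ascii -NoNewline
    [pscustomobject]@{
        Host        = $fqdn
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter            # a renewed certificate no longer matches the pin
        RsaKeyBits  = if ($rsa) { $rsa.KeySize } else { 'not RSA' }
        HasPrivKey  = $cert.HasPrivateKey       # must be False
        PemIsPublic = Test-PemIsPublicOnly -Path $path
        Sha256      = $sha256
        File        = $path
    }
}
```

Run it from a network position that reaches the public VIPs, so the certificate captured is the one devices will actually see. Keep the NotAfter date next to the Support ticket: once the certificate is replaced it no longer matches what was pinned, so the renewal has to be planned together with an updated pinning request.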


To allow access to the ADS for Secure Hub for Android, open port 443 to the following FQDN and IP addresses:

Port requirement for AutoDiscovery Service connectivity

FQDN | IP address | Port | IP and port usage
ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.5.138.94 | 443 | Secure Hub - ADS communication
ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.1.30.122 | 443 | Secure Hub - ADS communication
ads.xm.cloud.com | 34.194.83.188 | 443 | Secure Hub - ADS communication
ads.xm.cloud.com | 34.193.202.23 | 443 | Secure Hub - ADS communication

Google/Apple/Microsoft Requirements

Apple

Apple Push Certificate https://identity.apple.com ☐

Google

Google Play Account https://accounts.google.com/signup ☐

Google Play Device ID

http://docs.citrix.com/en-us/endpoint-management/provision-devices/google-play-credentials.html On a device with no SIM (dial pad), install the Device ID app: https://play.google.com/store/apps/details?id=com.redphx.deviceid

Microsoft

Windows Store developer account

https://msdn.microsoft.com/en-us/library/windows/apps/jj863494.aspx ☐

Windows Store Publisher ID https://msdn.microsoft.com/en-us/library/windows/apps/hh967786.aspx ☐

Enterprise certificate from Symantec https://msdn.microsoft.com/library/windows/apps/jj206943.aspx ☐

Public SSL certificate for AutoDiscovery

http://docs.citrix.com/en-us/endpoint-management/provision-devices/autodiscovery.html

Application Enrollment Token (AET)

https://msdn.microsoft.com/en-us/library/windows/apps/jj735576%28v=vs.105%29.aspx

For more detailed information on the supported mobile platforms for Endpoint Management, see https://docs.citrix.com/en-us/endpoint-management/system-requirements/support-device-platforms.html.


Deployment Use Cases

The following deployment use cases are feasible with Endpoint Management.

Citrix Endpoint Management and Citrix Gateway on Enterprise

Citrix Endpoint Management and Citrix Gateway on Enterprise for Mobile App Management

Citrix Endpoint Management and Citrix Gateway on Enterprise for Mobile App Management with Citrix Content Collaboration for Enterprise File Sharing

Citrix Endpoint Management for Mobile Device Management

For more detailed information on the deployment use cases, see the Citrix Support article https://support.citrix.com/article/CTX223709 or this white paper: https://citrix.sharefile.com/d-sba63ccb1290430ca.

Deployment Scenarios

Scenario | Use case example
Citrix Endpoint Management | BYOD or company issued; medium security/privacy requirements; native or Secure email; view/edit email attachments; already have a solution for EFSS; need secure off-the-shelf apps; looking into developing own mobile apps. Or: company-owned, shared device ("kiosk"), for example an iPad used by warehouse workers for inventory.
Workspace Premium | BYOD or company issued; high security/privacy requirements; Secure email; view/edit email attachments; need to solve EFSS; need secure off-the-shelf apps; need to secure several internally developed mobile apps; cannot store any data on the mobile device.


Endpoint Management MDM Pilot Test Cases Example

This section lists example test cases and categories specific to device management. The test results should be recorded here for future reference and audit purposes.

Pilot MDM Test Matrix

Secure Hub Version: iOS = ____  Android = ____  Windows = ____

Endpoint Management Version: 10.x

Citrix Gateway Version: 10.x

Columns: Test cases | Category | Expected result | Result (☐ ☐)

Category: Enrollment
Test cases:
From Secure Hub, enroll using an enrollment URL invitation and a one-time PIN
From Secure Hub, enroll to the XM Service using Active Directory credentials
Expected results:
The ability to use a unique URL to enroll into the system without requiring AD credentials ☐ ☐
The ability to enroll into Endpoint Management and have policies and profiles sent down automatically ☐ ☐
The ability to use a single app on each platform to enroll and subsequently control MDM policies ☐ ☐

Category: Security Policies
Test case:
Via the XM Service administration console, define and deploy policies that will secure the device
Expected results:
The ability to provision security policies, such as enforcing a passcode and setting restrictions ☐ ☐

Category: Provisioning Policies
Test case:
Via the XM Service administration console, define and deploy policies that will aid the user and simplify the configuration of the device
Expected results:
The ability to provision Wi-Fi, VPN, email and proxy policies ☐ ☐
The ability to issue certificates to the device, including user-based certificates that can be used as credentials ☐ ☐
The ability to deliver apps (in-house or from a public app store) to the device ☐ ☐

Category: Operational Supportability / Administration
Test case:
Via the XM Service administration console, understand the current state of a device
Expected results:
The ability to determine device status, inventory, software inventory and MDM policy deployment status ☐ ☐
The ability to locate devices ☐ ☐

Category: Support
Test case:
Test the support functionality within Secure Hub
Expected results:
The ability to use Secure Hub to determine why the device might be out of compliance ☐ ☐
The ability to automatically collect logs from the device and send them to the helpdesk ☐ ☐
The ability to initiate a live chat session with a helpdesk operator ☐ ☐

Category: De-provisioning
Test case:
Via the XM Service administration console, remotely de-provision devices
Expected results:
The ability to perform a selective wipe remotely and to remove the provisioned policies, apps and data from the device ☐ ☐
The ability to perform a full wipe (factory reset) ☐ ☐
The ability to revoke a device, removing the provisioned profiles, apps and data and preventing the device from being enrolled again ☐ ☐


Citrix mobile productivity apps/MDX Pilot Test Cases Example

This section lists example test cases and categories specific to the Citrix mobile productivity apps and MDX-wrapped apps. The test results should be recorded here for future reference and audit purposes.

Pilot Citrix mobile productivity apps / MDX Test Matrix

Secure Hub Version: iOS = ____  Android = ____  Windows = ____

Endpoint Management Version: 10.x

Citrix Gateway Version: 10.x

Columns: Test | Success criteria | iOS | Android | Win10

Post-enrollment Gateway logon
When Secure Hub "flips" from enrollment to Citrix Gateway, the user should not need to re-enter credentials.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

Citrix PIN creation
The user should be prompted to create a 6-digit Citrix PIN.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

Endpoint Management app store
The user can access the Endpoint Management app store from within Secure Hub and is entitled to Secure Web, Secure Mail, Secure Tasks, Secure Edit, Secure Notes and Citrix Files.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

Secure app installs
Secure Web, Secure Mail, Secure Tasks, Secure Edit, Secure Notes and Citrix Files can all be installed.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

Collect Secure Hub logs
Swipe right within Secure Hub to the Support page and then tap Secure Hub.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

Inactivity timer, less than 15 minutes (assumes the inactivity timer policy is set to 15 minutes)
Launch Secure Web and authenticate if required. Leave the device unattended for 10 minutes, then attempt to access Secure Web. Secure Web should open without requiring the Citrix PIN.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

Inactivity timer, more than 15 minutes (same policy setting)
Launch Secure Web and authenticate if required. Leave the device unattended for 18 minutes, then attempt to access Secure Web. Secure Web should prompt for the Citrix PIN before opening.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A

MDX app wipe
After the admin sends an MDX App Wipe command from the console, user data is removed from all Citrix mobile productivity apps.
iOS ☐ ☐ | Android ☐ ☐ | Win10 N/A N/A