Author: Jeroen J.V Lebon 1
Citrix Endpoint Management Onboarding Handbook
Citrix Systems Netherlands BV
Spaces Zuidas, 5th floor
Barbara Strozzilaan 201
1083 HN
Amsterdam
Phone: +31 (0)20 302 3400
E-mail: [email protected]
Web: http://www.citrix.nl
Customer Name
Table of Contents

Versioning
Terminology
Introduction
References
Why Endpoint Management from Citrix Cloud?
Endpoint Management Benefits
Endpoint Management Features
Endpoint Management compared to Workspace Premium
Endpoint Management High Level Architecture
Endpoint Management Traffic Flow
Endpoint Management Cloud Connector Traffic Flow
Citrix Cloud Trial Request for Endpoint Management and Content Collaboration
  Sign up for Citrix Cloud with an existing Citrix Account
  Sign up for Citrix Cloud if you don't have a Citrix Account
    Fill in the required information and accept the Terms of Service to create a Citrix Cloud account.
  Select a Home Region that best suits your Performance and Business needs
  Request an Endpoint Management Trial
  Endpoint Management Trial Sales Engineer engagement
    We need more information about how to set up your Endpoint Management Cloud site.
Citrix Content Collaboration Trial Request
Start your Endpoint Management Trial by specifying your Site details
  Configure MDM
  Site Name
  Cloud data center region
  OPTIONAL – Limit access to the Endpoint Management console to this IP address:
  Completing the Request
Preparing the Citrix Endpoint Management and Citrix Content Collaboration Prerequisites
  Citrix Cloud Connector Requirements
    Server Requirements
    Platform Requirements
Citrix Cloud Resource Location Setup
  Setting Up the default Resource Location
Citrix Cloud Connector Setup
  Download Citrix Cloud Connector
  Installation Requirements
  The following occurs during installation
  Complete the Citrix Cloud Connector Setup
Citrix Gateway Requirements
  Citrix Gateway Requirements
  Citrix Gateway Platform Requirements
  Citrix Gateway MAM Requirements
  Citrix Gateway Requirements for Citrix Content Collaboration
Citrix Content Collaboration Requirements
  Content Collaboration StorageZones Controller Requirements
  Content Collaboration StorageZones Controller Server Role Requirements
  Content Collaboration Platform Requirements
Customer Infrastructure Components
  Infrastructure Components Reference Table
Network and Firewall Requirements
  Open ports from Internal Network to Citrix Cloud
  Open ports from Internet to DMZ
  Open ports from DMZ to Internal
  Open ports from Internal to DMZ
  Open ports from DMZ to Internet
  Open ports from Internal to Internet
  Open ports from Corporate WIFI to Internet
  Port requirement for AutoDiscovery Service connectivity
  Certificate Pinning Prerequisites
Google/Apple/Microsoft Requirements
  Apple
  Google
  Microsoft
Deployment Use Cases
Deployment Scenarios
Endpoint Management MDM Pilot Test Cases Example
  Pilot MDM Test Matrix
Citrix mobile productivity apps/MDX Pilot Test Cases Example
  Pilot Citrix mobile productivity apps/MDX Test Matrix
Versioning

Version   Date               Description   Author
1.0       26 December 2017                 Jeroen J.V Lebon
1.1       5 February 2018    Update        Jeroen J.V Lebon
1.2       4 April 2018       Update        Jeroen J.V Lebon
1.3       20 July 2018       Update        Jeroen J.V Lebon
1.4       10 October 2018    Update        Jeroen J.V Lebon

Name                 Title                                                   Role
Jeroen J.V Lebon     Senior Sales Engineer – Mobility Specialist             Author
Christopher Friend   Field Readiness Manager, EMEA Field Readiness           Contributor / Reviewer
Jaromir Kirson       Lead Sales Engineer, Key Account Managers               Contributor / Use cases
Justin Maeder        Product Manager, Endpoint Management                    Contributor / Reviewer
Kathy Paxton         Content Developer                                       Contributor / Reviewer
Team                 Citrix Endpoint Management Rapid Deployment             Contributor / Reviewer
Terminology

Term       Definition
Customer   Refers to (customer name) and its representatives
Citrix     Refers to Citrix Systems and its representatives
MDM        Mobile Device Management
MAM        Mobile Application Management
APNS       Apple Push Notification Service
MDX        Mobile Device Experience
ADS        AutoDiscovery Service
UEM        Unified Endpoint Management
SNIP       Subnet IP
NSIP       Citrix Gateway IP
VIP        Virtual IP
NSG        Citrix Gateway
Introduction

Citrix Endpoint Management delivered via Citrix Cloud provides industry-leading Enterprise Mobility Management (EMM) and Unified Endpoint Management (UEM) capabilities for businesses of all types that want to embrace the cloud and reduce the TCO of their mobile infrastructure. Endpoint Management is an elastic pay-as-you-go SaaS subscription that allows IT to easily secure and manage mobile devices and applications while giving users the freedom to experience work and life their way. As part of a Bring Your Own Device (BYOD) program, Endpoint Management even allows end users to use their own personal device to access critical corporate resources. An assisted web-based onboarding process can have Endpoint Management up and running in a matter of hours, saving IT the time and resources required to build out the infrastructure themselves. As part of the onboarding process, Endpoint Management integrates easily with on-premises enterprise systems, allowing IT to quickly gain control over mobile devices and applications.

References

This document was created with the intention of consolidating all the available information about Citrix Endpoint Management and giving you the information you need for a smooth enablement and onboarding to Endpoint Management. The table below lists reference links to detailed information online. Please read this information, or contact your Citrix Sales Engineer if you need more information or have questions. In addition, you can use this document to record changes for your internal processes and to document the service for internal reference in high-level and functional designs.
Endpoint Management General Information: https://docs.citrix.com/en-us/citrix-endpoint-management/citrix-endpoint-management.html
Endpoint Management Use Cases: https://support.citrix.com/article/CTX223709
Cloud Connector: https://docs.citrix.com/en-us/endpoint-management/system-requirements.html#cloud-connector-requirements
Citrix Cloud: https://citrix.cloud.com/
Endpoint Management How to: https://support.citrix.com/pages/xenmobile-how
Citrix Software Downloads: https://www.citrix.nl/downloads/
Citrix Content Collaboration Firewall Configuration and IP Address: https://support.citrix.com/article/CTX208318
AutoDiscovery Service: https://docs.citrix.com/en-us/citrix-endpoint-management/device-management.html#endpoint-management-autodiscovery-service

Why Endpoint Management from Citrix Cloud?

1. Faster deployment. Hours instead of days.
2. No upfront cost. Minimal to no infrastructure.
3. Access to new features and bug fixes before the on-premises releases.
4. Peace of mind. 99.9% uptime.
5. No co-mingling of customer data with dedicated instances.
6. Predictable budget.
7. OpEx. Pay and get value as you go.
Endpoint Management Benefits

1. Citrix Cloud Connector technology provides a secure channel for communications between Citrix Cloud and your Resource Locations. This enables cloud management without requiring any complex networking or infrastructure configurations such as VPNs or IPSec tunnels.
2. Fully secure and redundant channel connecting Citrix Cloud to corporate resource locations.
3. Easy deployment without complex infrastructure configurations.
4. Consistency with other Citrix Cloud services: all Citrix Cloud services, including virtualized apps and desktops, have standardized on Citrix Cloud Connector for enterprise connectivity delivered with a single consistent experience.
5. Provide enterprise connectivity to customers with strict corporate security requirements that do not allow for IPSec connectivity to cloud services.
6. Citrix Endpoint Management MDX security specifics include FIPS-compliant SSL encryption for all MDX application data at rest and in transit (FIPS Citrix Gateway on-premises required).
7. Highly available architecture including redundant database resources and disaster recovery options for every data center.
8. Enterprise integration with LDAP, PKI and certificate services to meet security and identity requirements.

Endpoint Management Features

- Device and OS management including iOS, Android, Android Enterprise, Windows 10, macOS, Chrome OS, Citrix Ready workspace hub, and IoT
- Application management including MDX, Android Enterprise, Intune App Protection, Samsung KNOX, App Configuration, and more
- Business class mobile productivity apps including Secure Mail, Secure Web, Citrix Files, ShareConnect, QuickEdit
- BYOD solution including MDM-independent MAM with no device agent requirements
- Workspace Environment Management (WEM) for optimized desktop application performance
- Micro VPN for complete application data encryption and isolation
- Mobile SaaS for transparent access to all managed apps
- Microsoft Intune/EMS app protection policies integrated with Citrix Cloud console for simple Office 365 management
Endpoint Management compared to Workspace Premium

This information is current as of October 1, 2018. For the latest offerings, see https://www.citrix.com/products/citrix-workspace/.

Columns: CEM = Citrix Endpoint Management, WSP = Citrix Workspace Premium, WSP+ = Citrix Workspace Premium Plus*

Feature                                                                                              CEM   WSP   WSP+
Access via Workspace app                                                                              ✓     ✓     ✓
Workspace Environment Management service                                                              ✓     ✓     ✓
Secure Unified Endpoint Management                                                                    ✓     ✓     ✓
Enterprise App Store                                                                                  ✓     ✓     ✓
Mobile Device Management                                                                              ✓     ✓     ✓
Mobile Application Management                                                                         ✓     ✓     ✓
Micro-VPN                                                                                             ✓     ✓     ✓
Citrix mobile productivity apps (Secure Mail, Secure Web, Secure Hub, QuickEdit)                      ✓     ✓     ✓
Integration with Microsoft EMS/Intune                                                                 ✓     ✓     ✓
Citrix Content Collaboration (ShareFile Premium - 1 TB/user*)                                         -     ✓     ✓
Citrix Access Control (SSO, Citrix Gateway, Cloud App Control for SaaS & Web Apps, Secure Browser,
web filtering)                                                                                        -     ✓     ✓
Citrix Analytics Advanced for Access Control (performance and security analytics)                     -     ✓     ✓
Citrix Analytics Advanced for Workspace (performance and security analytics)                          -     ✓     ✓

* Includes Citrix Virtual Apps and Desktops, not covered in this handbook.
Endpoint Management High Level Architecture
Endpoint Management Traffic Flow
Endpoint Management Cloud Connector Traffic Flow
Citrix Cloud Trial Request for Endpoint Management and Content Collaboration

Sign up for Citrix Cloud with an existing Citrix Account

Open a browser and go to the http://citrix.cloud.com webpage. Customers with an existing Citrix.com account can use this to get started with Citrix Endpoint Management. Just enter your existing username and password.

Sign up for Citrix Cloud if you don't have a Citrix Account

Open a browser and go to the http://citrix.cloud.com webpage. Customers with no Citrix.com account click Don't have an account? Sign up and try it free. This link redirects you to the http://onboarding.cloud.com webpage.
Fill in the required information and accept the Terms of Service to create a Citrix Cloud account.
Select a Home Region that best suits your Performance and Business needs

When your organization is onboarded to Citrix Cloud and you sign in for the first time, you are asked to choose a region, currently the US or EMEA. Pick a region that maps to where the majority of your users and resources will be located.

Important: You can choose a region only once, when your organization is onboarded. You cannot change your region later.

NOTE: The selected region is for services hosted by the Citrix Cloud platform and NOT the region where the Endpoint Management instances are located. For more information visit: https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/geographical-considerations.html
Request an Endpoint Management Trial

After you log in with your Citrix Cloud account, a screen similar to the following appears. In the Endpoint Management tile, click Request Trial.
After you click Request Trial, a pop-up notification appears. Read the information and click Close to continue.
Contact your local Sales Representative to arrange the Kick-off Meeting.
The button then changes to View trial status. You receive an email notification when your trial is available.
Endpoint Management Trial Sales Engineer engagement

After you request a trial, a Citrix Sales Engineer follows up on the trial request by completing a Podio form. Provide your Citrix Sales Engineer with the required information below.

Site Name: [customer's choice].xm.cloud.com
Customer Organization Name:
Customer Contact Name:
Customer Email:
Region: US East, US West, West Europe, SE Asia & Sydney
Request Type: Pilot for Endpoint Management Cloud purchase / Endpoint Management Cloud Production
Tunnel Options: Cloud Connector / None – Local users
Citrix Sales Engineer Email:
Kick-off Meeting Date & Time:

The Kick-off meeting introduces Sales and the Customer to the Rapid Deploy and Cloud Ops teams. We will cover the entire process, expectations, requirements, and Citrix Cloud account creation. Please give us at least 24 hours' notice for this Kick-off meeting. The Kick-off meeting can only take place when all the prerequisites are in place.
We need more information about how to set up your Endpoint Management Cloud site.

After you click Manage, the following prompt indicates that the rapid deployment team has not yet selected an enterprise connectivity type.

Citrix Content Collaboration Trial Request

Note: ShareFile is offered within Citrix Workspace under the name Content Collaboration. After you log in with your (existing or newly created) Citrix Cloud account, a screen similar to the following appears. In the Content Collaboration tile, select the drop-down box and click Request Trial.
If you are already a ShareFile customer, you can link your current ShareFile Account.
Enter your subdomain in the required field and then click Request Trial.
Start your Endpoint Management Trial by specifying your Site details

When you receive the email from the Endpoint Management Rapid Deployment Team indicating that your Site is approved, you next set up the Site Details to complete the provisioning of your Endpoint Management Cloud Service. Follow the steps below to provide the information necessary to provision your site. After providing this information, you can start implementing the prerequisites in this document.

Log in to Citrix Cloud and click Get Started to specify your Endpoint Management Site Details.

Configure MDM

Click Configure MDM.
To complete this step, make sure that you have two machines running Windows 2012 R2 or Windows 2016 Server ready to install the Cloud Connector. For help, click the book icon on the right to open the Guidance pane.
Site Name
The site name is used to create the URL for your Endpoint Management Cloud site and used for device enrollment. Up to 16 characters are supported. For example: http://yoursitename.xm.citrix.com.
Cloud data center region
Choose a geographic region that is closest to your primary resource location (data center). The chosen region will identify the physical location where each of the Endpoint Management cloud instances will reside.
OPTIONAL – Limit access to the Endpoint Management console to this IP address:
Provide a publicly accessible URL to limit who has access to the Endpoint Management console.
Click Next to complete the request.
Completing the Request
Click Request Site to complete the web form and request your Endpoint Management site.
The Endpoint Management Rapid Deployment team will now begin provisioning the customer site. An email
is sent to the account holder once the site provisioning is completed.
Preparing the Citrix Endpoint Management and Citrix Content Collaboration Prerequisites

While waiting for Endpoint Management to be provisioned, be sure to prepare for your Endpoint Management deployment by installing Cloud Connector. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port requirements still apply. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory.

Citrix Cloud Connector Requirements

Citrix uses Cloud Connector to integrate the Endpoint Management architecture into your existing infrastructure. For Endpoint Management in production, a minimum of 2 cloud connectors is required for availability. In a pilot of Endpoint Management, 1 cloud connector is sufficient. Cloud Connector supports all Endpoint Management authentication types.
Server Requirements
A dedicated physical or virtual machine ☐
Windows Server 2012 R2 or Windows Server 2016 ☐
2 vCPUs ☐
4 GB RAM ☐
50 GB Hard Disk Space ☐
Active Directory Domain-Joined ☐
Domain/Forest Functional Level – 2008 R2 or Higher ☐
Platform Requirements
.NET: .NET 4.5.1 or later ☐
Internet Connectivity ☐
Clock set to the correct UTC time ☐
Citrix Cloud Resource Location Setup

Resource Locations contain the resources required to deliver services to your subscribers. You manage these resources from Citrix Cloud.
Setting Up the default Resource Location
Select the default resource location My Resource Location (Name can be changed later) or choose to create a new one by selecting New Resource Location.
When you choose a new resource location, the web form prompts you to enter a new name for the new resource location.
Citrix Cloud Connector Setup

The Cloud Connector server serves as a channel that authenticates and encrypts all communication between Citrix Cloud and your resources such as Active Directory, DNS, and PKI.
Download Citrix Cloud Connector
To begin, click Download Cloud Connector to download the installation file needed for the setup.
Installation Requirements
You can only install the Connector onto a domain-joined machine. The installer will not allow the install to occur if it is not on a domain-joined machine.
The machine where you are installing the connector needs to be in sync with UTC time for proper installation and operation.
Switch Enhanced Security Configuration (ESC) off during installation.
Check if the required .NET version is installed. If it isn't, install the required version as described in the Citrix Cloud Connector Requirements table in this document.
Copy the installer (CWCConnector.exe) to the server and run it. Make sure your browser allows the download of executable files.
You cannot install the Connector on machine templates cloned across multiple machines. Do a separate install of the Connector onto all machines.
Have outbound access to the internet through TCP port 443 (https).
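The installation requirements above can be verified before running the installer. The following script is an added example, not part of the handbook or of Citrix's tooling; it is meant to be run in an elevated PowerShell session on the candidate Cloud Connector server and probes two concrete hosts from the handbook's destination list because wildcard destinations cannot be tested directly.

```powershell
# Added example, not part of the handbook: pre-flight check for a candidate
# Cloud Connector host, run in an elevated PowerShell session on that server.
# It covers the handbook's installation requirements: domain membership, a
# supported Windows Server version, .NET 4.5.1 or later, a synchronising time
# service, IE Enhanced Security Configuration switched off, and outbound TCP 443.

$results = @()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Domain membership: the installer refuses to run on a workgroup machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Check -Name 'Domain-joined' -Passed $cs.PartOfDomain -Detail "Domain: $($cs.Domain)"

# 2. Supported operating system (the handbook lists Windows Server 2012 R2 and 2016).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Check -Name 'Supported OS' -Passed ($os.Caption -match 'Windows Server (2012 R2|2016)') -Detail $os.Caption

# 3. .NET Framework 4.5.1 or later. The Release value under the NDP\v4\Full key
#    identifies the installed version; 378675 is the lowest value meaning 4.5.1.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check -Name '.NET 4.5.1 or later' -Passed (($null -ne $ndp) -and ($ndp.Release -ge 378675)) -Detail "Release: $($ndp.Release)"

# 4. Clock: the connector needs UTC-accurate time, so the Windows Time service
#    must be running and reporting a sync source (w32tm exits non-zero otherwise).
$w32 = & w32tm.exe /query /status 2>&1
$source = ($w32 | Select-String -Pattern 'Source:' | ForEach-Object { $_.Line }) -join ''
Add-Check -Name 'Time service synchronising' -Passed ($LASTEXITCODE -eq 0) -Detail $source

# 5. IE Enhanced Security Configuration for administrators must be off while
#    CWCConnector.exe runs; the Active Setup component records its state.
$escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc = Get-ItemProperty -Path $escKey -ErrorAction SilentlyContinue
Add-Check -Name 'IE ESC off (administrators)' -Passed (($null -eq $esc) -or ($esc.IsInstalled -eq 0)) -Detail "IsInstalled: $($esc.IsInstalled)"

# 6. Outbound TCP 443. Wildcard destinations such as *.cloud.com cannot be probed
#    directly, so test concrete hosts taken from the handbook's destination list.
foreach ($h in @('citrix.cloud.com', 'cwsproduction.blob.core.windows.net')) {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Check -Name "Outbound TCP 443 to $h" -Passed ([bool]$tnc.TcpTestSucceeded) -Detail "Resolved to $($tnc.RemoteAddress)"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'At least one prerequisite failed; fix it before running CWCConnector.exe.'
}
```

If an outbound proxy is in use, the port probe reflects direct connectivity only; record the proxy details in the Infrastructure Components Reference Table and test through it separately.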
The following occurs during installation
An initial connectivity check to Citrix Cloud
Prompts for Citrix Cloud administrator user name and password
If you are an administrator to more than 1 customer: You are prompted to choose the customer for whom you wish to associate the Connector installation.
If the customer for which you're installing the Connector has more than 1 resource location: You are prompted to choose the resource location to associate with the Connector installation.
A final connectivity check to ensure Connector-to-cloud communication
Complete the Citrix Cloud Connector Setup
After installation completes, click Test Connection to test the connection between Cloud Connector and Citrix Cloud.
Click Save & Exit when completed. Click Finish to complete the device management portion of the deployment process.
For detailed technical information about Cloud Connector servers, see: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector.html.

Citrix Gateway Requirements

A Citrix Gateway is required in your resource location if you require a micro VPN for either or both of the following scenarios:

- Access to internal network resources for line-of-business applications wrapped with our MDX technology and connecting to internal backend infrastructures.
- The use of Citrix mobile productivity apps, such as Citrix Secure Mail, for making email securely available to your users.

Many Endpoint Management production licenses entitle you to 2 VPX 3000 Citrix Gateways. Depending on your deployment scenario, user personas, and functional requirements, a different Citrix Gateway might be required. Contact your sales rep for additional information.
Citrix Gateway Requirements
New Deployment – VPX 3000 series or greater ☐
Existing Citrix Gateway deployments are supported – with a new Citrix Gateway virtual server required ☐
2 - 4 vCPUs ☐
Recommended 4 GB per vCPU ☐
20 GB Hard Disk Space ☐
Citrix Gateway Platform Requirements
Citrix Gateway Subnet IP Address (SNIP) ☐
Citrix Gateway Management IP Address (NSIP) ☐
Citrix Gateway Internal FQDN ☐
LDAP (Active Directory) Service Account ☐
Citrix Gateway MAM Requirements
Citrix Gateway Public IP Address (VIP) ☐
Public DNS Name – Example: http://mam.company.com ☐
Public SSL certificate 2048-bit key ☐
Proxy Load Balance IP (Internally NOT Routable – RFC1918) ☐
Citrix Gateway Requirements for Citrix Content Collaboration
Citrix Gateway Public IP Address (VIP) ☐
Public DNS Name – Example: http://ShareFile.company.com ☐
Public SSL certificate 2048-bit key ☐
Citrix Content Collaboration Public FQDN (http://mycompany.sharefile.com) – requested in the Citrix Content Collaboration Trial ☐
Citrix Content Collaboration StorageZone Controller Internal IP Address ☐

Citrix Content Collaboration Requirements

Citrix Content Collaboration is a cloud-based file sharing service that enables users to easily and securely exchange documents. Content Collaboration enables users to send large documents by email, securely handle document transfers to third parties, and access a collaboration space from desktops or mobile devices. Content Collaboration provides users with a variety of ways to work, including a web-based interface, mobile clients, desktop tools, and integration with Microsoft Outlook. Content Collaboration StorageZones Controller extends the Content Collaboration software as a service (SaaS) cloud storage by providing your Content Collaboration account with private data storage.
Content Collaboration StorageZones Controller Requirements
A dedicated physical or virtual machine ☐
Windows Server 2012 R2 or Windows Server 2016 ☐
2 vCPUs ☐
4 GB RAM ☐
50 GB Hard Disk Space ☐
Content Collaboration StorageZones Controller Server Role Requirements
Web Server (IIS) ☐
Application Development: ASP.NET 4.5.2 ☐
Security: Basic Authentication ☐
Security: Windows Authentication ☐
Content Collaboration Platform Requirements
The Citrix Files app installer requires administrative privileges on the Windows Server ☐
Content Collaboration Admin Username ☐
Customer Infrastructure Components When implementing an Endpoint Management infrastructure with secure connectivity to your internal network: The Citrix Gateway on-premises and Endpoint Management in the Cloud need to communicate with the internal network resources listed in the below table. You can record your information in the following table for reference during the preparation, onboarding, and Pilot phases.
Infrastructure Components Reference Table
DNS Server IP Address ☐
DNS Server FQDN ☐
Proxy Server for Outgoing Traffic ☐
Proxy Authentication needed? Yes/No ☐
Proxy Server for Incoming Traffic ☐
Proxy Authentication needed? Yes/No ☐
Active Directory Server Internal IP Address ☐
Active Directory Server Internal FQDN ☐
Active Directory Server Port ☐
AD Server SSL Certificate – max 2048-bit key ☐
Active Directory Domain Name ☐
Active Directory User Base DN ☐
Active Directory Search User ID ☐
Active Directory Search User Password is known and tested ☐
SMTP Server External IP ☐
SMTP Server External FQDN ☐
SMTP Server Port ☐
SMTP Relay User name (if needed) ☐
SMTP Relay User Password is known and tested (if needed) ☐
Exchange Internal IP Address ☐
Exchange Internal FQDN ☐
Exchange Server Port ☐
Exchange Server SSL Cert – max 2048-bit key ☐
SharePoint Server Internal IP (if needed) ☐
SharePoint Server Internal FQDN ☐
SharePoint Server Port ☐
All FQDNs are tested, including reverse lookup Yes/No ☐
Network and Firewall Requirements
To enable devices and apps to communicate with Endpoint Management, you must open specific ports in your firewalls. The following tables list the ports that must be open.
Open ports from Internal Network to Citrix Cloud
TCP port | Description | Source IP | Destination | Destination IP
443 | Cloud Connector | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.sharefile.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net | ☐
4443 | Administrative Console | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.citrix.com, https://*.blob.core.windows.net | ☐
Open ports from Internet to DMZ
TCP port | Description | Source IP | Destination | Destination IP
443 | Endpoint Management Client Device | Citrix Gateway IP | ☐
443 | Endpoint Management Client Device | Citrix Gateway VIP Content Collaboration | ☐
443 | Content Collaboration Public IP (CTX208318) | Citrix Gateway VIP Content Collaboration | ☐
443 | StoreFront | Citrix Gateway IP | ☐
Open ports from DMZ to Internal
TCP port | Description | Source IP | Destination | Destination IP
389 or 636 | Citrix Gateway NSIP (or, if using a load balancer, SNIP) | LDAP/Active Directory IP | ☐
53 (UDP) | Citrix Gateway SNIP | DNS Server IP | ☐
443 | Citrix Gateway SNIP | Exchange (EAS) Server IP | ☐
80/443 | Citrix Gateway SNIP | Internal Web Apps/Services | ☐
443 | Citrix Gateway SNIP | Content Collaboration StorageZones Controller IP | ☐
123 | Citrix Gateway SNIP | NTP server | ☐
1494 | Citrix Gateway SNIP | Virtual Apps and Desktops | ☐
1812 | Citrix Gateway NSIP | RADIUS Authentication Server | ☐
2598 | Citrix Gateway SNIP | Virtual Apps and Desktops | ☐
3268 | Citrix Gateway NSIP | Secure Global Catalog Server | ☐
3269 | Citrix Gateway NSIP | Global Catalog Server | ☐
Open ports from Internal to DMZ
TCP port | Description | Source IP | Destination | Destination IP
443 | Admin Client | Citrix Gateway NSIP | ☐
Open ports from DMZ to Internet
TCP port | Description | Source IP | Destination | Destination IP
8443 | Citrix Gateway SNIP | Endpoint Management Cloud | ☐
443 | Citrix Gateway | Launch Darkly | ☐
Open ports from Internal to Internet
TCP port | Description | Source IP | Destination | Destination IP
443 | Exchange (EAS) Server IP | Endpoint Management Push Notification Listener (us-east-1.mailboxlistener.xm.citrix.com, eu-west-1.mailboxlistener.xm.citrix.com, ap-southeast-1.mailboxlistener.xm.citrix.com) | ☐
443 | Content Collaboration StorageZones Controller IP | Content Collaboration Control Plane (CTX208318) | ☐
Open ports from Corporate WIFI to Internet
TCP port | Description | Source IP | Destination | Destination IP
5223 | Endpoint Management Client Device | Apple APNS Servers 17.0.0.0/8 | ☐
5228 | Endpoint Management Client Device | Firebase Cloud Messaging android.apis.google.com | ☐
5229 | Endpoint Management Client Device | Firebase Cloud Messaging android.apis.google.com | ☐
5230 | Endpoint Management Client Device | Firebase Cloud Messaging android.apis.google.com | ☐
443 | Endpoint Management Client Device | Windows Push Notification Service *.notify.windows.com | ☐
443 | Endpoint Management Client Device | Apple iTunes App Store ax.itunes.apple.com, *.mzstatic.com, vpp.itunes.apple.com | ☐
443 | Endpoint Management Client Device | Google Play play.google.com | ☐
443 / 80 | Endpoint Management Client Device | Microsoft App Store login.live.com, *.notify.windows.com | ☐
443 | Endpoint Management Client Device | Endpoint Management AutoDiscovery Service: ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | ☐
8443 / 443 | Endpoint Management Client Device | Endpoint Management | ☐
443 | Content Collaboration StorageZones Controller IP | Content Collaboration Control Plane (CTX208318) | ☐
Port requirement for AutoDiscovery Service connectivity
This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix AutoDiscovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.
Note: ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.
Certificate Pinning Prerequisites
If you want to enable certificate pinning, complete the following prerequisites:
Collect Endpoint Management server and Citrix Gateway certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.
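A pre-flight check for the two certificate prerequisites above (PEM format, public certificate rather than private key), added here as an example and not part of the handbook or of Citrix's tooling; the sample PEM bodies are constructed placeholders, not real certificates:

```python
import base64
import re

# Constructed sample inputs: the base64 bodies are arbitrary bytes, not real
# DER certificates, so only the PEM framing is exercised here.
_FAKE_BODY = base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
SAMPLE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_BODY}-----END RSA PRIVATE KEY-----\n"
SAMPLE_MIXED_PEM = SAMPLE_CERT_PEM + SAMPLE_KEY_PEM  # certificate bundled with its key

# One PEM block: the BEGIN and END labels must match; the body is base64.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; ValueError on a bad block."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der:
            raise ValueError(f"empty {label} block")
        blocks.append((label, der))
    return blocks


def check_pinning_pem(text):
    """Check a file prepared for the certificate pinning request; returns (ok, reason).

    Accepts only CERTIFICATE blocks in PEM format and rejects private keys (even
    when bundled with the certificate), other block types, and non-PEM input
    such as DER or PFX files.
    """
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"invalid PEM block: {exc}"
    if not blocks:
        return False, "no PEM blocks found (DER/PFX files are not accepted)"
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        return False, "file contains a private key; send only the public certificate"
    if any(label != "CERTIFICATE" for label in labels):
        return False, f"unexpected PEM block types: {labels}"
    return True, f"{len(blocks)} certificate block(s) in PEM format"
```

Run it over the exported Endpoint Management server and Citrix Gateway certificate files before sending them to Citrix Support; a bundle that also carries the private key is rejected outright.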
To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:
Port requirement for AutoDiscovery Service connectivity
FQDN | IP Address | Port | IP and Port Usage
ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.5.138.94 | 443 | Secure Hub - ADS Communication
ads.xm.cloud.com (Secure Hub versions supported as of January 1, 2019); discovery.mdm.zenprise.com (Secure Hub 10.6.15 and older) | 52.1.30.122 | 443 | Secure Hub - ADS Communication
ads.xm.cloud.com | 34.194.83.188 | 443 | Secure Hub - ADS Communication
ads.xm.cloud.com | 34.193.202.23 | 443 | Secure Hub - ADS Communication
Google/Apple/Microsoft Requirements
Apple
Apple Push Certificate http://identity.apple.com ☐
Google Play Account https://accounts.google.com/signup ☐
Google Play Device ID http://docs.citrix.com/en-us/endpoint-management/provision-devices/google-play-credentials.html (on a device with no SIM, from the dial pad, install the Device ID app: https://play.google.com/store/apps/details?id=com.redphx.deviceid) ☐
Microsoft
Windows Store developer account https://msdn.microsoft.com/en-us/library/windows/apps/jj863494.aspx ☐
Windows Store Publisher ID https://msdn.microsoft.com/en-us/library/windows/apps/hh967786.aspx ☐
Enterprise certificate from Symantec https://msdn.microsoft.com/library/windows/apps/jj206943.aspx ☐
Public SSL certificate for AutoDiscovery http://docs.citrix.com/en-us/endpoint-management/provision-devices/autodiscovery.html ☐
Application Enrollment Token (AET) https://msdn.microsoft.com/en-us/library/windows/apps/jj735576%28v=vs.105%29.aspx ☐
For more detailed information on the supported mobile platforms for Endpoint Management, see
https://docs.citrix.com/en-us/endpoint-management/system-requirements/support-device-platforms.html.
Deployment Use Cases
Below are the various deployment use cases that are feasible with Endpoint Management.
Citrix Endpoint Management and Citrix Gateway on Enterprise
Citrix Endpoint Management and Citrix Gateway on Enterprise for Mobile App Management
Citrix Endpoint Management and Citrix Gateway on Enterprise for Mobile App Management with Citrix Content Collaboration for Enterprise File Sharing
Citrix Endpoint Management for Mobile Device Management
For more detailed information on the deployment use cases, see the Citrix Support Article
https://support.citrix.com/article/CTX223709 or this white paper:
https://citrix.sharefile.com/d-sba63ccb1290430ca.
Deployment Scenarios
Scenario Use Case Example
Citrix Endpoint Management
BYOD or company issued
Medium security/privacy requirements
Native or Secure email
View/edit email attachments
Already have a solution for EFSS
Need secure off-the-shelf apps
Looking into developing own mobile apps
-or-
Company owned, shared device “Kiosk,” for example, an iPad used by warehouse workers for inventory
Workspace Premium
BYOD or company issued
High security/privacy requirements
Secure email
View/edit email attachments
Need to solve EFSS
Need secure off-the-shelf apps
Need to secure several internally developed mobile apps
Can’t store any data on mobile device
Endpoint Management MDM Pilot Test Cases Example
This section lists example test cases and categories specific to device management. The test results should be recorded here for future reference and audit purposes.
Pilot MDM Test Matrix
Secure Hub Version: iOS = , Android = , Windows =
Endpoint Management Version 10.x
Citrix Gateway Version 10.x
Test Cases | Category | Expected Result | Result
From Secure Hub, enroll using an Enrollment URL Invitation and a one-time PIN number
From Secure Hub, enroll to the XM Service using Active Directory credentials
Enrollment
The ability to use a unique URL to enroll into the system without requiring AD credentials ☐ ☐
The ability to enroll into Endpoint Management and have policies and profiles sent down automatically ☐ ☐
The ability to use a single app on each platform to enroll and subsequently control MDM policies ☐ ☐
Via the XM Service Administration console, define and deploy policies that will secure the device
Security Policies
The ability to provision security policies, such as enforcing a passcode and setting restrictions ☐ ☐
Via the XM Service Administration console, define and deploy policies that will aid the user and simplify the configuration of the device
Provisioning Policies
The ability to provision Wi-Fi, VPN, Email and Proxy policies ☐ ☐
The ability to issue certificates to the device, including user-based certificates that can be used as credentials ☐ ☐
The ability to deliver apps (in-house or from a public App Store) to the device ☐ ☐
Via the XM Service Administration console, understand the current state of a device
Operational Supportability/Administration
The ability to determine device status, inventory, software inventory and MDM policy deployment status ☐ ☐
The ability to locate devices ☐ ☐
Test the support functionality within Secure Hub
Support
The ability to use Secure Hub to determine why the device might be out of compliance ☐ ☐
The ability to automatically collect logs from the device and send to the helpdesk ☐ ☐
The ability to initiate a live chat session with a helpdesk operator ☐ ☐
Via the XM Service Administration console, remotely de-provision devices
De-provisioning
The ability to perform a selective wipe remotely and to remove from the device the provisioned policies, apps and data ☐ ☐
The ability to perform a full wipe (factory reset) ☐ ☐
The ability to revoke a device to remove the provisioned profiles, apps and data and prevent the device from being enrolled again ☐ ☐
Citrix mobile productivity apps/MDX Pilot Test Cases Example
This section lists example test cases and categories specific to device management. The test results should be recorded here for future reference and audit purposes.
Pilot Citrix mobile productivity apps/MDX Test Matrix
Secure Hub Version: iOS = , Android = , Windows =
Endpoint Management Version 10.x
Citrix Gateway Version 10.x
Test | Success Criteria | iOS | Android | Win10
Post Enrollment Gateway Logon | When Secure Hub ‘flips’ from enrollment to Citrix Gateway, the user should not need to re-enter credentials | ☐ ☐ ☐ ☐ N/A N/A
Citrix PIN Creation | User should be prompted to create a 6-digit Citrix PIN | ☐ ☐ ☐ ☐ N/A N/A
Endpoint Management app store | User can access Endpoint Management app store from within Secure Hub and is entitled to Secure Web, Secure Mail, Secure Tasks, Secure Edit, Secure Notes and Citrix Files | ☐ ☐ ☐ ☐ N/A N/A
Secure App Installs | Secure Web, Secure Mail, Secure Tasks, Secure Edit, Secure Notes and Citrix Files can all be installed | ☐ ☐ ☐ ☐ N/A N/A
Collect Secure Hub Logs | Swipe right within Secure Hub to the Support Page and then tap Secure Hub | ☐ ☐ ☐ ☐ N/A N/A
Inactivity Timer <15 Minutes | Launch Secure Web and authenticate if required. Leave device unattended for 10 minutes, then attempt to access Secure Web. Secure Web should open without requiring Citrix PIN | ☐ ☐ ☐ ☐ N/A N/A
Inactivity Timer >15 Minutes | Launch Secure Web and authenticate if required. Leave device unattended for 18 minutes, then attempt to access Secure Web. Secure Web should prompt for Citrix PIN before opening. | ☐ ☐ ☐ ☐ N/A N/A
MDX App Wipe | After admin sends an MDX App Wipe command via the console, user data is removed from all Citrix mobile productivity apps | ☐ ☐ ☐ ☐ N/A N/A