
Installing XenMobile Components

2013-12-19 18:22:26 UTC

© 2013 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement

Contents

Installing XenMobile Components
  Downloading XenMobile Product Software
  Installing NetScaler Gateway 10.1 in Your Network
  Installing XenMobile MDM Edition
    Installing Device Manager
      Device Manager 8.6
        Installing Patches for Device Manager
        Choosing Device Manager Components to Install
        Installing Device Manager
        Configuring Active Directory on Device Manager
      Upgrading Device Manager to Version 8.6
      Backing Up and Restoring Device Manager
        To perform a full manual backup of Device Manager server
        To perform a directory and native SQL backup of Device Manager server
    XenMobile NetScaler Connector
      XenMobile NetScaler Connector
        XenMobile NetScaler Connector 8.5
          About This Release
            Key Features
          XenMobile NetScaler Connector System Requirements
          Deploying XenMobile NetScaler Connector
            To set up listening addresses for the XNC web service
            To configure device access control policies
            To configure communication with the Device Manager server
            Deploying XNC for Redundancy and Scalability
          Installing XenMobile NetScaler Connector
            To install XenMobile NetScaler Connector
            To uninstall XenMobile NetScaler Connector
          Managing XenMobile NetScaler Connector
            Configuring XenMobile NetScaler Connector
              Choosing a Security Model for XenMobile NetScaler Connector
              Configuring XenMobile NetScaler Connector Policy Modes
                To configure static rules
                To configure dynamic rules
                To configure custom policies by editing the XenMobile NetScaler Connector XML file
              Configuring the XenMobile NetScaler Connector XML File
                To import a policy from Device Manager
                To configure a connection to XenMobile NetScaler Connector
              Choosing Filters for XenMobile NetScaler Connector
                To simulate ActiveSync traffic
            Monitoring XenMobile NetScaler Connector
    XenMobile Mail Manager
      XenMobile Mail Manager
        XenMobile Mail Manager
          XenMobile Mail Manager 8.5
            XenMobile Mail Manager Components
            XenMobile Mail Manager System and Software Requirements
              Onsite Exchange Requirements
              Office 365 Exchange Requirements
            Installing XenMobile Mail Manager
            Configuring XenMobile Mail Manager
              To configure the Exchange Server
              To configure database properties
              To configure a Mobile Service Provider
              To configure the Mobile Service Provider hostname in Device Manager
              To configure Blackberry BES servers (optional)
            XenMobile Mail Manager and Exchange 'Quarantine' Mode
            Understanding XenMobile Mail Manager Access Rules
              To configure Default access control rules
              To configure XDM (Device Manager) rules
              To configure local rules
            Simulation vs Powershell Mode
            Monitoring XenMobile Mail Manager
              To monitor ActiveSync devices
              To monitor BlackBerry devices
              To view snapshot history
  Installing App Controller
    Installing App Controller 2.9
      Getting Ready to Install App Controller
        Installing App Controller on XenServer
        Installing App Controller by Using VMware ESXi
        Installing App Controller on Microsoft Hyper-V
        Setting the App Controller IP Address for the First Time
        Configuring App Controller for the First Time
          Icons in the AppController Management Console
        Adding Active Directory Domains to App Controller
          Adding and Synchronizing Active Directory Domains
  Installing the MDX Toolkit


Installing XenMobile Components

Citrix recommends that you install XenMobile components in the following order:

• NetScaler or NetScaler Gateway.

• Device Manager.

• XenMobile NetScaler Connector (XNC).

• App Controller.

• StoreFront (optional). For details, see the StoreFront documentation in eDocs.

• ShareFile (optional) For details, see the ShareFile documentation in eDocs.

After you install the XenMobile components, you can use the MDX Toolkit to wrap .ipa and .apk files. Then you can upload the MDX files to App Controller for users to download and install.

This section includes installation information about the following:

• NetScaler Gateway

• Device Manager

• XNC

• Mobile Mail Manager

• App Controller

• MDX Toolkit

Downloading XenMobile Product Software

You can download product software from the Citrix web site. Log on to the site and then click the Downloads link on the Citrix web page. You can then select the product and type you want to download. For example, the following figure shows the XenMobile product software drop-down list:

When you click Find, a page listing the available downloads appears with the most recent version at the top of the list:

You can select your software from the available list of options. For example, if you select XenMobile 8.6 Enterprise Edition, you can download the software for Device Manager, App Controller, NetScaler Gateway, and other XenMobile components, as shown in the following figure:

To download the software for NetScaler Gateway

You can use this procedure to download the NetScaler Gateway virtual appliance or software upgrades to your existing NetScaler Gateway appliance.

1. Go to the Citrix web site.

2. Click My Account and log on.

3. Click Downloads.

4. Under Find Downloads, select NetScaler Gateway.


5. In Select Download Type, select Product Software and then click Find.

You can also select Virtual Appliances to download NetScaler VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.

6. On the NetScaler Gateway page, expand NetScaler Gateway or Access Gateway.

7. Click the appliance software version you want to download.

8. On the appliance software page for the version you want to download, select the virtualappliance and then click Download.

9. Follow the instructions on your screen to download the software.

To download the software for Device Manager

1. Go to the Citrix web site.

2. Click My Account and log on.

3. Click Downloads.

4. Under Find Downloads, select XenMobile.

5. In Select Download Type, select Product Software and then click Find.

6. On the XenMobile Product Software page, click XenMobile 8.6 MDM Edition.

7. Under XenMobile Device Manager, click Download next to XenMobile Device Manager 8.6.

8. Follow the instructions on your screen to download the software.

To download the software for App Controller

1. Go to the Citrix web site.

2. Click My Account and log on.

3. Click Downloads.

4. Under Find Downloads, select XenMobile.

5. In Select Download Type, select Product Software and then click Find.

6. On the XenMobile Product Software page, click XenMobile 8.6 App Edition.

7. On the XenMobile 8.6 App Edition page, click the appropriate App Controller virtual image in order to install App Controller on XenServer, VMware, or Hyper-V.

8. Follow the instructions on your screen to download the software.

To download the MDX Toolkit

You can run the MDX Toolkit for wrapping iOS and Android apps on Mac OS X Version 10.7 (Lion), Version 10.8 (Mountain Lion), or Version 10.9 (Mavericks).

1. Go to the Citrix web site.

2. Click My Account and log on.

3. Click Downloads.

4. Under Find Downloads, select XenMobile.

5. In Select Download Type, select Product Software and then click Find.

6. On the XenMobile Product Software page, click XenMobile 8.6 Enterprise Edition.

7. On the XenMobile 8.6 Enterprise Edition page, expand Worx Mobile Apps.

8. Locate MDX Toolkit & SDK for iOS and Android Build 2.2.321.

9. Click Download.

10. Follow the instructions on your screen to download the software.

Installing NetScaler Gateway 10.1 in Your Network

NetScaler Gateway allows remote users to securely access internal network resources. Users can connect with any device to access their applications, email, and file shares in the internal network. You can deploy the following models in your network:

• NetScaler SDX - a hardware platform on which virtual instances of NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.

• NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.

• NetScaler VPX - a virtual machine that can handle up to 875 user connections.

Before you install either the physical appliance or the virtual appliance, complete the NetScaler information in the XenMobile Solution Pre-Installation Checklist. After you install the physical appliance by following the instructions in Installing the Model MPX Appliance, you turn on the appliance and perform the initial configuration. This includes configuring:

• NetScaler Gateway IP address (NSIP)

• Subnet IP address (SNIP)

• Default gateway

• DNS servers

• Host name

• Licenses

• Certificates that include the fully qualified domain name (FQDN)

For more information about NetScaler Gateway, see the following topics in Citrix eDocs:

• About the NetScaler Gateway MPX Appliance

• NetScaler Gateway Virtual Appliances

• Performing the Initial Configuration of the MPX Appliance

• Configuring NetScaler VPX for the First Time

• NetScaler Gateway 10.1

Installing XenMobile MDM Edition

XenMobile MDM is a robust mobile device management solution that delivers role-based management, configuration, and security for both corporate and employee-owned devices. Upon user device enrollment, IT can provision policies and apps to devices automatically, blacklist or whitelist apps, detect and protect against jailbroken or rooted devices, and wipe or selectively wipe a device that is lost, stolen, or out of compliance. Users can use any device they choose, while IT can ensure compliance of corporate assets and secure corporate content on the device. With XenMobile MDM, you can do the following:

• Configure device settings, email and applications, policies, and device and application restrictions.

• Distribute internally built and externally available apps to users' iOS, Android, Samsung, Samsung Knox, HTC, Windows Phone 8, and Windows 8 devices.

• Provision devices simply and rapidly by enabling user self-service enrollment and by distributing configuration, policy, and application packages in an automated, role-based manner over the air.

• Secure devices, applications, and data by setting authentication and access policies, blacklisting and whitelisting applications, enabling application tunnels, and enforcing security policies at the gateway.

• Support users by remotely locating, locking, and wiping devices in the event of loss or theft, as well as remotely troubleshooting device and service issues.

• Monitor devices, infrastructure, service, and telecom expenses.

• Decommission devices by identifying inactive devices and wiping or selectively wiping devices upon employee departure.

• Run reports on user and device actions.

XenMobile MDM contains the following products:

• XenMobile Device Manager allows you to manage mobile devices, set mobile policies and compliance rules, gain visibility into the mobile network, provide control over mobile apps and data, and shield your network from mobile threats. With a "one-click" dashboard, simple administrative console, and real-time integration with Microsoft Active Directory and other enterprise infrastructure like PKI and Security Information and Event Management (SIEM) systems, Device Manager simplifies the management of mobile devices.

• The Secure Mobile Gateway provides access control for email and calendar services. You can configure Secure Mobile Gateway to allow or block connection requests from devices based on device status, app blacklists or whitelists, and a host of other compliance conditions. The status of requests blocked by Secure Mobile Gateway can be viewed immediately on the Device Manager dashboard so that you can take appropriate action.

• XenMobile Multi-Tenant Console is a web console that enables service providers and organizations to administer several physical servers running Device Manager from a single site.

• XenMobile Remote Support application provides several tools to assist in the inspection, troubleshooting, and modification of remotely controlled handheld devices.

• XenMobile ZSM Lite is a component that enables access to query Blackberry and ActiveSync environments and provides the device and user information to Device Manager through the XenMobile Mobile Service Provider.

Installing Device Manager

You can install Device Manager 8.6 on Windows Server. Before you install Device Manager, you must install the Java components, which include:

• Oracle Java SE 7 JDK (JDK Download Edition) update 11 and later

• Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7

For more information about the Java requirements for Device Manager, see System Requirements.

After you download Device Manager to the Windows Server, you run the installation program. This section describes the selections available in the installation program and how to configure the settings.

Installing Patches for Device Manager

If a patch has been issued to resolve a problem that applies to your situation and Device Manager implementation, you can download the appropriate patch(es) for your system.

Patches follow the naming convention 'a_patch_###_xxxx.jar', where ### is the version release number for Device Manager and xxxx is the patch number.

To install the patch, copy the file 'a_patch_###_xxxx.jar' to the directory %SystemDrive%\Program Files (x86)\Zenprise\ZenpriseDeviceManager\tomcat\webapps\zdm\WEB-INF\lib, or to the corresponding directory under the location in which you installed Device Manager.

After you copy the file to the directory, restart the Device Manager service so that the web application loads the new jar.
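A scripted version of this patch step, added here as an example (it is not Citrix code): it enforces the naming convention before copying, refuses to stage a jar that is already present in WEB-INF\lib, records the file's SHA-256 for your change log, and confirms that the service came back. The service name 'XenMobile Device Manager' and the library path are assumptions; take both from your own installation (Get-Service lists the real service name).

```powershell
# Added example, not Citrix code. Assumptions: the service name and the WEB-INF\lib path
# are placeholders for the values on your own Device Manager server.
function Install-DmPatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$PatchPath,
        [string]$LibDir = "${env:ProgramFiles(x86)}\Zenprise\ZenpriseDeviceManager\tomcat\webapps\zdm\WEB-INF\lib",
        [string]$ServiceName = 'XenMobile Device Manager'   # assumed; confirm with Get-Service
    )
    $name = Split-Path -Leaf $PatchPath
    # Only files that follow a_patch_<release>_<patch>.jar are accepted; anything else is not a patch.
    if (-not ($name -match '^a_patch_(?<release>\d+)_(?<patch>\d+)\.jar$')) {
        throw "Not a Device Manager patch file name: $name"
    }
    $release = $Matches['release']; $patch = $Matches['patch']
    if (-not (Test-Path -LiteralPath $LibDir -PathType Container)) {
        throw "Library directory not found: $LibDir"
    }
    # A second copy of the same jar in WEB-INF\lib would be loaded alongside the first.
    if (Test-Path -LiteralPath (Join-Path $LibDir $name)) {
        throw "Patch $name is already present in $LibDir"
    }
    # Record the hash of what was deployed; compare it with the value Citrix published for the patch.
    $sha256 = (Get-FileHash -LiteralPath $PatchPath -Algorithm SHA256).Hash

    if ($PSCmdlet.ShouldProcess("$LibDir\$name", 'Copy patch and restart Device Manager service')) {
        Copy-Item -LiteralPath $PatchPath -Destination $LibDir
        # The new jar is only picked up when the web application restarts.
        Restart-Service -Name $ServiceName -ErrorAction Stop
        $svc = Get-Service -Name $ServiceName
        if ($svc.Status -ne 'Running') {
            throw "$ServiceName did not return to Running after the restart; check the Tomcat logs"
        }
    }
    [pscustomobject]@{ Patch = $name; Release = $release; PatchNumber = $patch; SHA256 = $sha256 }
}

# Usage (add -WhatIf to see what would happen without touching the server):
# Install-DmPatch -PatchPath C:\Temp\a_patch_###_xxxx.jar
```

Run it with -WhatIf first; the function refuses to proceed on a wrong file name or a duplicate jar before anything is copied, so the only state change is the copy plus the restart.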


Choosing Device Manager Components to Install

If you are installing Device Manager on your computer for the first time, select Full install,which installs:

• The Device Manager server

• The Device Manager repository database (PostgreSQL), including automatic creation of the database and requisite tables

• The integrated web application server hosting the Device Manager server

Note: If you installed an Application Server before installing Device Manager, remove the Application Server before installing Device Manager.

Installing Databases

Device Manager includes the PostgreSQL database server installation. If you have installed a SQL database server on your computer or on another server, clear the PostgreSQL check box in the list of components during the installation wizard. The install type switches automatically to Custom. When using Microsoft SQL Server, refer to the installation instructions provided by Microsoft for the SQL Server installation. If you do not clear the check box, the PostgreSQL installation wizard appears with configuration instructions.

If you install PostgreSQL, an installation wizard appears. The installation program automatically selects all the default PostgreSQL options required to install a Device Manager server. However, you can check any additional options you want to install. You can also change the installation location with the Browse button.

During installation of PostgreSQL, define the service account that runs the PostgreSQL server. The Service name, Account name, and Account domain fields are already completed. You need to enter a password for the service account.

If the user account does not exist, you receive a prompt to confirm creation of the account. In addition, if the password you chose is not a strong password, you are prompted to replace it with a random strong password. Click No in the message dialog box to keep the password you originally entered.

Installing License Files

After you configure the PostgreSQL database, you can then install licenses. If you are using a different SQL database and did not install PostgreSQL, you install the licenses after choosing the initial components and installation location.


Installing Device Manager

Before you install Device Manager, make sure you do the following:

• Disable TCP/IPv6 on the network adapter and in the registry. For more information, see How to disable IP version 6 or its specific components in Windows on the Microsoft web site.

• Disable the User Account Control setting in Control Panel.

Caution: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

The setup wizard includes several discrete tasks. You need to complete all of the tasks in this topic in consecutive order to complete the entire wizard. The installation tasks include:

• Device Manager components

• Installation location

• Microsoft SQL Server database installation

• Database cluster settings

• Licenses

• Device Manager and database communication

• Crystal Reports keycode

• HTTP and HTTPS connectors

• Root and server certificates

• Apple Push Notification Service (APNS) certificates

• Remote support settings

• Active Directory service account for managing users

To select Device Manager components

After you download the software package to your computer, navigate to the folder and then double-click the Device Manager executable installation file to start the Setup Wizard.

When the wizard starts, you set the language and then read and accept the End User License Agreement. After these two steps, on the Choose Components page, click to clear Database server to disable installation of the PostgreSQL database.

Important: Citrix recommends that you use Microsoft SQL Server instead of the PostgreSQL database that comes with Device Manager. The PostgreSQL database should be used for demonstration purposes only.

After you select your components, on the Choose Install Location page, leave the default install location and then click Install. Citrix recommends that you use the default location to install Device Manager.

To install the license on Device Manager

Device Manager requires a license. For more information about licenses for Device Manager, see Obtaining and Installing Licenses. You upload the .crt license file from your computer. When the upload is complete, the license details appear in the XenMobile Device Manager License dialog box.

To test the connection to the database from Device Manager

You need to configure the Device Manager settings to connect to your database. In the Configure database connection dialog box, you select the SQL Server database. You provide the database name or use the default value. You need to complete the following information, as shown in the following figure:

• In Host name or IP address, enter the fully qualified domain name (FQDN) or IP address of SQL Server.

• In Port, enter the port number. The default port number for SQL Server is 1433.

• In User name, enter a user name for the database.

• In Password, enter the password to connect to the SQL Server database.

• In Database name, enter the database name or leave the default value.
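Before you type these values into the wizard, it is worth proving from the Device Manager server that the SQL login works with the same host, port, user and database, over an encrypted connection. The following PowerShell function is an added example and not part of the Citrix installer; it uses the .NET SqlClient that ships with Windows. The database name 'XenMobileDM' is an assumed placeholder, and the db_owner membership it reports is informational only (the page does not state which database role the installer needs).

```powershell
# Added example, not Citrix code: check the SQL Server login from the Device Manager host with the
# same values you will enter in the wizard. The database name is an assumed placeholder.
function Test-DmSqlConnection {
    param(
        [Parameter(Mandatory = $true)][string]$SqlHost,
        [int]$Port = 1433,
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][securestring]$Password,
        [string]$Database = 'XenMobileDM'
    )
    # The builder quotes each value, so a host or user string cannot smuggle extra keys into the connection string.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']            = "$SqlHost,$Port"      # host,port: no SQL Browser (UDP 1434) lookup needed
    $b['Initial Catalog']        = $Database
    $b['User ID']                = $User
    $b['Password']               = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $b['Encrypt']                = $true                 # TLS to SQL Server ...
    $b['TrustServerCertificate'] = $false                # ... with the server certificate actually validated
    $b['Connect Timeout']        = 10

    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # What the login resolved to, which database it landed in, and whether it owns that database.
        $cmd.CommandText = "SELECT SERVERPROPERTY('ProductVersion'), DB_NAME(), SUSER_SNAME(), IS_MEMBER('db_owner')"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $result = [pscustomobject]@{
            ServerVersion = [string]$r.GetValue(0)
            Database      = $r.GetString(1)
            Login         = $r.GetString(2)
            IsDbOwner     = (-not $r.IsDBNull(3)) -and ([int]$r.GetValue(3) -eq 1)
        }
        $r.Close()
        return $result
    }
    finally { $conn.Dispose() }
}

# Usage:
# Test-DmSqlConnection -SqlHost sql01.example.com -User xdm_svc -Password (Read-Host -AsSecureString 'SQL password')
```

If SQL Server presents a self-signed certificate, Open() fails on the certificate check by design; fix the certificate on the SQL Server side rather than switching TrustServerCertificate on, because the same check protects the Device Manager connection string you are about to save.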

After you configure the database connection, you then enter the keycode for Crystal Reports.

To configure and register Crystal Reports

With Crystal Reports, you can process the mobile device connection and session logs to generate activity reports online by using the Device Manager web console, or offline from the Device Manager repository database. The reports include a watermark with registration information. To remove the watermark, you need a Crystal Reports Developer Edition license and a keycode for the product. If you did not enter a license serial number during installation, you can define it later by following these steps:

1. Open the crconfig.xml configuration file in the Device Manager setup folder, which is typically %SystemDrive%\Program Files\Xenmobile\tomcat\webapps\DeviceManager\WEB-INF\classes\crconfig.xml on a Windows Server.

2. Add your serial number by editing the <keycode></keycode> element. For example, if your serial number is XXXX-YYYY-ZZZZ, modify the line as follows:

<keycode>XXXX-YYYY-ZZZZ</keycode>

On the Crystal Report Java Reporting Components configuration page, to leave a watermark on the reports, leave the keycode blank. Or, to remove the watermark, enter your keycode for the product.

To configure the server connectors

When you configure the connection between the Device Manager agent and the Device Manager server, you can configure the following connectors, which require the same information but serve different purposes:

• If you manage iOS devices, select Enable iOS. When you select the check box, the authentication code appears automatically. In Authentication code for applications/tunnels, enter a prefix that Device Manager uses to create the authentication keys used by the software. Use a simple alphanumeric word or passphrase with mixed case, numbers, and letters only. Record this value for use later when you configure the system.

Important: You can only select Enable iOS during installation. If you do not select this option and you want to enable the mode in the future, you must reinstall the application server.

• HTTP connector that allows unsecure connections over port 80. You can configure this connector if NetScaler Gateway is installed between the Device Manager server and mobile devices.

• HTTPS connector for secure connections over port 443 with a certificate.

• HTTPS connector that allows secure connections over port 8443 for device enrollment.

When you configure connectors, you set the following parameters:

• Protocol for secure and unsecure connections (HTTP or HTTPS).

• IP addresses.

• Port settings for the connector. For HTTPS connections that use certificates for authentication, use port 443. For secure connections without certificates, use port 8443. For unsecure connections, use port 80.

• Maximum concurrent connections defines the total number of user connections that are allowed for each connector.

To configure root and server certificates in Device Manager

Device Manager supports root, server, and APNS certificates. Root certificates enable Device Manager to communicate with other XenMobile components. Server certificates enable secure communication between Device Manager and devices.

The installation wizard prompts you to install a root certificate from a Certificate Authority (CA) first and then the server certificate. For each certificate, you provide the following information:

• Keystore file path is the certificate location on your computer. Do not change the default path. The server configuration provides the file path automatically.

• Keystore password and Confirm keystore password protect the private key. Enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, Citrix recommends using separate passwords for the root, server, device, and Web Service certificates. Passwords must have at least eight characters and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.

• Organizational unit is an optional parameter. Enter a value typically given to the entity or group that has management authority over the certificate.

• Organization is an optional parameter. Enter a value typically given to the entity or organization that is the parent that owns the certificate and its rights.

For root certificates, you need to provide the common name for the CA that issued the root certificate. Leave the default name to associate it with the creation of the CA component and certificate. If you change this field, your devices may not receive the proper chain of certificates and will not be able to enroll.

Note: The root certificate is used to issue and sign certificates for intermediate server and client-device certificates. The root certificate is also used to regenerate intermediate certificates in the event of compromise. You can install root certificates in the operating system as a trusted CA root certificate.
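To produce the four distinct keystore passwords recommended above, and to check that each one meets the stated rule, here is an added PowerShell example (not part of the Citrix installer). It draws characters from a cryptographic RNG over the printable ASCII range, which is what "alphanumeric and ASCII symbol values" permits; whether the installer also accepts a space character is not stated, so the alphabet excludes it.

```powershell
# Added example, not Citrix code: keystore passwords that satisfy the rule above
# (at least eight characters; alphanumeric and ASCII symbols; case sensitive), one per keystore.
function Test-DmKeystorePassword {
    param([Parameter(Mandatory = $true)][string]$Password)
    # Every character must be printable non-space ASCII (0x21-0x7E); -cmatch keeps the check case-sensitive.
    return ($Password.Length -ge 8) -and ($Password -cmatch '^[\x21-\x7E]+$')
}

function New-DmKeystorePassword {
    param([int]$Length = 20)
    if ($Length -lt 8) { throw 'Keystore passwords must be at least eight characters' }
    $alphabet = [char[]](33..126)                       # '!' .. '~': letters, digits and ASCII symbols
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    # Largest multiple of the alphabet size that fits in a uint32; draws at or above it are
    # rejected so that the modulo below does not bias the result toward the low characters.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)
    $chars = foreach ($i in 1..$Length) {
        do {
            $rng.GetBytes($buf)
            $n = [BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        $alphabet[$n % $alphabet.Length]
    }
    $rng.Dispose()
    return -join $chars
}

function New-DmKeystorePasswordSet {
    # One password for each keystore the wizard asks for; all four must differ.
    do {
        $set = [ordered]@{}
        foreach ($k in 'root', 'server', 'device', 'webservice') { $set[$k] = New-DmKeystorePassword }
    } while (@($set.Values | Select-Object -Unique).Count -ne 4)
    foreach ($k in @($set.Keys)) {
        if (-not (Test-DmKeystorePassword -Password $set[$k])) { throw "Generated $k password failed the policy check" }
    }
    return $set
}

# Usage: $pw = New-DmKeystorePasswordSet; $pw.root; $pw.server; $pw.device; $pw.webservice
```

Store the four values in your password vault before running the wizard; the installer does not show them again, and the server keystore password is needed whenever the server certificate is replaced later.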

For server certificates, the certificate must include the IP address or FQDN that users connect to. Users connect by using the IP address or FQDN contained within the certificate.
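Once the connectors are up, a useful check before enrolling the first device is to connect to the 443 and 8443 connectors, capture the certificate each presents, and confirm that it actually carries the FQDN or IP address users will type. This is an added PowerShell example, not Citrix code; the host name is a placeholder. The name check reads the Subject Alternative Name extension through the Windows formatter, whose English output lines look like 'DNS Name=host' and 'IP Address=a.b.c.d' (an assumption about the locale), and falls back to the subject CN only when there is no SAN. The callback deliberately accepts whatever certificate is offered so that the result can be inspected; that is fine for a diagnostic and wrong for anything else.

```powershell
# Added example, not Citrix code. Probes the HTTPS connectors and checks the certificate name.
function Get-DmConnectorCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [Parameter(Mandatory = $true)][int]$Port)
    $script:DmLastCert = $null
    # Capture the leaf certificate during the handshake and let the handshake continue. The 443
    # connector may demand a client certificate and abort afterwards, but the server certificate
    # has been seen by then, which is all this diagnostic needs.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:DmLastCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $proto = $null; $handshakeError = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try   { $ssl.AuthenticateAsClient($HostName); $proto = $ssl.SslProtocol }
        catch { $handshakeError = $_.Exception.GetBaseException().Message }
    }
    finally { $client.Dispose() }
    [pscustomobject]@{ Port = $Port; Protocol = $proto; Certificate = $script:DmLastCert; HandshakeError = $handshakeError }
}

function Test-DmCertificateName {
    param(
        [Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$Name
    )
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^(DNS Name|IP Address)=(.+)$') { $names += $Matches[2].Trim() }
        }
    } else {
        # No SAN: only the subject CN is left to match (modern clients ignore the CN when a SAN exists).
        $names += $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    foreach ($n in $names) {
        if ($n -eq $Name) { return $true }      # -eq on strings is case-insensitive, as DNS names are
        # A wildcard entry covers exactly one label: *.example.com matches xdm.example.com, not a.b.example.com.
        if ($n.StartsWith('*.') -and ($Name -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$'))) { return $true }
    }
    return $false
}

function Test-DmConnectors {
    param([Parameter(Mandatory = $true)][string]$HostName, [int[]]$Ports = @(443, 8443))
    foreach ($p in $Ports) {
        $r = Get-DmConnectorCertificate -HostName $HostName -Port $p
        $cert = $r.Certificate
        $nameOk = $false
        if ($cert) { $nameOk = Test-DmCertificateName -Certificate $cert -Name $HostName }
        [pscustomobject]@{
            Port           = $p
            Protocol       = $r.Protocol
            Subject        = $(if ($cert) { $cert.Subject } else { $null })
            NotAfter       = $(if ($cert) { $cert.NotAfter } else { $null })
            NameMatches    = $nameOk
            HandshakeError = $r.HandshakeError
        }
    }
}

# Usage: Test-DmConnectors -HostName xdm.example.com | Format-Table -AutoSize
```

A row with NameMatches false on the name users will use means enrollment will fail with a trust error on the device even though the connector is listening; a HandshakeError on port 443 alone, with the certificate still captured, is consistent with that connector requiring a client certificate.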

To install an APNS certificate in Device Manager

To allow users to connect from iOS devices, you must install an APNS certificate from Apple. When you install the certificate on Device Manager, in Private key password you enter the password of the private key that was used to generate the original Certificate Signing Request (CSR).

In Certificate file path, specify the file system location of a pre-authenticated APNS certificate file that you download and convert to PKCS#12 format from the Apple iOS Developer for Enterprise portal.

Note: APNS certificates are provisioned by Apple, Inc. To obtain an APNS certificate, sign in to the Apple Push Certificates Portal. When you log on, you can compare the information on the Apple web site with the values shown in the following figure:

Allowing Remote Support to Connect to Mobile Devices

On the Configure tunnel port(s) used by remote support page, define the port range used by remote support for Android and Windows Mobile devices. The default is port 8081.

To designate the Device Manager administrator

To connect to the Device Manager web console, you need to configure an account with the administrator role.

On the Extended management of the users page, you enter the administrator's name and password. After you enter the values, you can check the user name in Active Directory.

Installing Device Manager

29

Page 30: En.cloudgateway.xmob Install Config Xenmobile n Wrapper Con

After you configure the administrator user and password, you can finish the installationwizard.

After you finish the wizard, you should do the following:

• Log on to the administration console at https://serverfqdn/zdm to configure DeviceManager.

• On the console, use the first-time-use wizard to configure LDAP and your first deployment package.

Note: If you want to add your own server certificate instead of the self-signed server certificate that is issued during the installation, follow the steps in the topic Configuring an External Certificate Authority by Using SSL.


Configuring Active Directory on Device Manager

You use Active Directory with Device Manager to manage groups of users, not individual user accounts. Device Manager supports the following sources of user account information:

• LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory, to import groups, user accounts, and related properties.

• Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.

• Provisioning file. You can develop a file outside of Device Manager containing user accounts and properties and then import the file. Device Manager automatically creates objects and sets property values.

You can perform the following actions in Device Manager for LDAP connections:

• Create a new LDAP connection.

• Edit an existing connection.

• Set the default LDAP connection.

• Activate or deactivate an LDAP connection.

When you create a new LDAP connection, you configure the LDAP directory settings and then you import a signed secure certificate. When you define the connection parameters, you need to grant the following rights to the Search User service account:

READALLUSERINFORMATION

READALLNETWORKPERSON

Note: In the Lockout Limit field, the default is set to zero. However, Citrix recommends using a higher value, and one that is slightly lower than the lockout limit set on your LDAP server. For example, if your LDAP server is configured to a limit of five attempts before lockout, Citrix suggests that you enter 3 or 4 in this field. Keeping the Device Manager limit below the directory limit means Device Manager stops forwarding failed attempts before the directory locks the account, so a run of bad logons through the mobile endpoint does not lock the user out of the directory itself.

You can also map the LDAP directory attributes to the Device Manager Repository database. If you do not modify the default settings, Device Manager binds automatically to the LDAP directory. You can specify the base DN that defines the LDAP directory groups that are imported to Device Manager.


Upgrading Device Manager to Version 8.6

Upgrading the Device Manager server is a simple, in-place upgrade process. The automated Setup Wizard updates your existing Device Manager installation and database in one step. As a best practice, back up the database and the Device Manager core application directories and save them to a separate location as a roll-back plan.

Supported Upgrade Paths:

• 7.1.0 -> 8.5.0 -> 8.6.0

• 8.0.1 -> 8.6.0

• 8.5.0 -> 8.6.0

Note:

If you are running Device Manager version 8.0.1, you should already have the correct version of Java on your server. If you do not, make sure that you are running Oracle Java SE 7 JDK (JDK Download Edition) update 11 or later and Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7. For more information, see Device Manager System Requirements.

Before you upgrade: make sure that you perform a backup of your Device Manager database and application directory as described in To perform a full manual backup of Device Manager server.

To upgrade Device Manager to version 8.6

1. As Administrator, run the Device Manager executable installation file.

2. Follow the directions in the Setup Wizard.


Backing Up and Restoring Device Manager

Backing up your Device Manager server installation and core application file system directory is crucial to a good disaster recovery or business continuity plan. This section describes backing up and restoring Device Manager.

You can back up Device Manager by using the following methods:

• Stop all services and then make a copy of the entire application directory on the server.

• Copy the application directories required for restoration and also perform a native SQL database server backup by using the PostgreSQL utility pgAdmin. You can also use Microsoft SQL Server Management Studio for your version of Microsoft SQL Server.

If you want to restore Device Manager, you also use pgAdmin or Microsoft SQL Server Management Studio.


To perform a full manual backup of Device Manager server

A very simple method for backing up a default installation of the Device Manager server is to stop all services and make a copy of the entire application directory on the server.

1. From the Services utility on the Device Manager server, stop the XenMobile Device Manager and the XenMobile Device Manager Database - PostgreSQL 8.3 services. MS SQL database installations should follow the best practices used for the particular type of SQL Server installation. Online and offline backups are acceptable as long as the backup database and transaction logs are maintained together for restoration.

2. Back up the XenMobile Device Manager database and application environment. This is accomplished by making a full directory copy of the Device Manager application directory, typically located at: C:\Program Files (x86)\Citrix\XenMobile Device Manager

3. Save the full directory copy to a safe external location such as a tape backup or external media storage system. This full directory backup contains the database, application, PKI configuration and certificates, and all configuration and log files. Because it includes the PKI material and the database, protect the copy at least as carefully as the server itself.


To perform a directory and native SQL backup of Device Manager server

Another method of backup for Device Manager server is to copy the application directories required for restoration and also perform a native SQL database server backup using the default PostgreSQL utility pgAdmin. If you use a Microsoft SQL Server database installation, use the Microsoft SQL Server Management Studio utility instead. The following steps guide you through the process using the default PostgreSQL pgAdmin III utility only.

1. From the Services utility on the Device Manager server, stop the XenMobile DeviceManager service.

2. Start the pgAdmin III utility from Start > All Programs > PostgreSQL 8.3. Database backup is performed using the pgAdmin III utility if you use the default PostgreSQL database. For a Microsoft SQL Server database installation, use the Microsoft SQL Server Management Studio application and follow the instructions provided by Microsoft or your database administrator to back up your database according to your needs.

3. Enter the password for the default postgres administrator account for the database. This was recorded during installation.

4. Expand the Databases branch of the servers tree in the pgAdmin utility, right-click the xdm database object, and then select Backup.

5. Enter a directory location and a new file name for the backup file, then click OK.

6. When the backup completes, the backup process shows a completion message window. Click Done. The resulting backup file is saved to your predetermined location for archival and retrieval when a database restore is necessary.

7. Next, while the Device Manager service is stopped, back up at least the following directories within the main application folder:

• C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf

• C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF

8. Verify that the backed-up directory has a complete copy of the Tomcat configuration and PKI certificates. These files are located under the parent directory: C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf

9. Verify that the backup directory also contains the license file, normally found at: C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF

10. The Device Manager application and database environment is now fully backed up and can be restored to the same or a different host.
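A check for the backup set produced by the steps above, as an added example in Python (not Citrix code): it builds the pg_dump command line equivalent to the pgAdmin Backup step, confirms that the copied tree contains tomcat\conf and tomcat\webapps\zdm\WEB-INF, and records a SHA-256 manifest so that a restore copy can be verified against it later. The PostgreSQL bin path, the backup destination and the file names created in demo() are assumptions; the required directories are the ones listed in steps 7 to 9.

```python
"""Backup-set check for a Device Manager server (added example, not Citrix code)."""
import hashlib
import os
from typing import Dict, List

# Directories that steps 7-9 above require in every backup copy.
REQUIRED_DIRS = (
    os.path.join("tomcat", "conf"),                       # Tomcat config and PKI certificates
    os.path.join("tomcat", "webapps", "zdm", "WEB-INF"),  # license file
)


def pg_dump_command(pg_bin: str, out_file: str, database: str = "xdm",
                    user: str = "postgres", host: str = "localhost", port: int = 5432) -> List[str]:
    """Command line for a native dump of the xdm database (what pgAdmin's Backup runs).

    The password is deliberately not on the command line, where it would be visible in
    process listings; supply it through PGPASSWORD or a pgpass file when you run this.
    """
    return [os.path.join(pg_bin, "pg_dump"), "-h", host, "-p", str(port), "-U", user,
            "--format=custom", "--file", out_file, database]


def missing_required(backup_root: str) -> List[str]:
    """Required directories that are absent from the backup copy."""
    return [d for d in REQUIRED_DIRS if not os.path.isdir(os.path.join(backup_root, d))]


def manifest(backup_root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file in the backup copy."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(backup_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, backup_root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def verify(backup_root: str, expected: Dict[str, str]) -> List[str]:
    """Files whose content changed or went missing since the manifest was taken."""
    current = manifest(backup_root)
    return sorted(path for path, digest in expected.items() if current.get(path) != digest)


def demo() -> Dict[str, object]:
    """Builds a constructed backup tree in a temp folder and exercises the checks."""
    import tempfile
    root = tempfile.mkdtemp()
    before = missing_required(root)                       # nothing copied yet
    conf = os.path.join(root, "tomcat", "conf")
    webinf = os.path.join(root, "tomcat", "webapps", "zdm", "WEB-INF")
    os.makedirs(conf)
    os.makedirs(webinf)
    with open(os.path.join(conf, "server.xml"), "w") as fh:      # constructed content
        fh.write("<Server/>")
    with open(os.path.join(webinf, "license.xml"), "w") as fh:   # constructed file name
        fh.write("<license/>")
    snapshot = manifest(root)
    with open(os.path.join(conf, "server.xml"), "w") as fh:      # simulate a tampered restore copy
        fh.write("<Server port='9999'/>")
    return {
        "missing_before_copy": before,
        "missing_after_copy": missing_required(root),
        "manifest_size": len(snapshot),
        "changed": verify(root, snapshot),
        # Assumed PostgreSQL 8.3 bin path and backup destination.
        "pg_dump": pg_dump_command(r"C:\Program Files (x86)\PostgreSQL\8.3\bin", r"D:\backups\xdm.dump"),
    }
```

Run manifest() against the copy right after step 9 and keep the result with the backup; verify() on the restore source then tells you whether the certificates, Tomcat configuration or license file were altered between backup and restore.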


XenMobile NetScaler Connector

Citrix is introducing a new solution for controlling access to corporate email, calendar and contacts from mobile devices: the XenMobile NetScaler Connector (XNC). XNC allows customers to send a list of compliant devices from the XenMobile Device Manager to NetScaler, which in turn controls which mobile devices are allowed to synch with the corporate Exchange server.

XenMobile MDM provides protection for your mobile applications, network, and data, and helps ensure end-to-end security and compliance; NetScaler optimizes, secures, and controls the delivery of enterprise and cloud services. Together, these two products provide the ability to scale, ensure high availability for apps, and maintain security while reducing mobility deployment and management costs.

XenMobile NetScaler Connector (XNC)

The XenMobile NetScaler Connector (XNC) provides a device-level authorization service for ActiveSync clients to NetScaler, which acts as a reverse proxy for the Exchange ActiveSync protocol. Authorization is controlled by a combination of policies defined within the XenMobile Device Manager and rules defined locally in XNC.

XenMobile Device Manager provides whitelisting (approved) and blacklisting (forbidden) of devices based on compliance with high-level policies, such as detection of jailbroken devices or detection of specific apps. The XNC local rules are typically used to augment the XDM rules in cases where specific overrides are required; for example, to block all devices using a specific operating system version.

NetScaler

NetScaler delivers an extensive portfolio of essential datacenter security capabilities that are significant for mobile users, their apps and data. NetScaler provides application security, network/infrastructure security, and identity and access management, which when combined with XenMobile MDM delivers a tightly coupled solution that enables IT to support the security needs of mobile users and the enterprise.


XenMobile NetScaler Connector 8.5

The XenMobile NetScaler Connector (XNC) provides a device-level authorization service for ActiveSync clients to NetScaler, which acts as a reverse proxy for the Exchange ActiveSync protocol. Authorization is controlled by a combination of policies defined within the XenMobile Device Manager and rules defined locally by XenMobile NetScaler Connector.

Note: For information and documentation on how to deploy and configure the NetScaler for the XNC, contact your Citrix sales representative and request the document named 'NetScaler and XenMobile Solution for Enterprise Mobility Deployment Guide'.



About This Release

XenMobile NetScaler Connector 8.5 provides the following capabilities:

• Filter-based rules to allow or block access. XenMobile NetScaler Connector evaluates a particular client request routed through NetScaler against the organization's rules. The end result is a binary state: allowed, in which the client is permitted to contact the Microsoft Exchange 2010 Client Access Server (CAS), or blocked, in which the client request is dropped and access to the Exchange CAS is not permitted. Paired with settings in the Device Manager console, you can prevent Exchange ActiveSync email access for device users based on compliance criteria, such as when a blacklisted app is installed on the device, if the device is jailbroken, and so on.

• A two-tiered filter model. The first tier parses the incoming HTTP requests based on path-specific information. The second tier filters based on user- or device-specific information. You can configure both tiers.

• Filter rules stored in configuration files. Specific filter rules pertaining to the user accounts and devices in your organization are stored in the gateway's XML configuration files.

About This Release: Contains information about this release, including XenMobile NetScaler Connector features, components, what's new, and known issues.

System Requirements: Provides system requirements for XenMobile NetScaler Connector and for the XenMobile NetScaler Connector Console.

Deploy: Provides deployment information for XenMobile NetScaler Connector.

Install and Setup: Provides information about how to install XenMobile NetScaler Connector on either its own server or on the same server as Device Manager.

Manage: Provides information on choosing a security model for your organization, creating block or allow policies, setting static or dynamic filters, and connecting to Device Manager. This section also provides information about enabling and understanding email attachment encryption.

Monitor: Provides information about enabling XenMobile NetScaler Connector logging.


Key Features

The key features of XenMobile NetScaler Connector are:

• Access control of HTTP ActiveSync requests. XenMobile NetScaler Connector can control the HTTP ActiveSync requests that mobile devices make of Exchange servers. You can build filters in XenMobile NetScaler Connector that enable you to allow or block user devices based on rules and criteria that you specify. When you set the rules in XenMobile NetScaler Connector, you can turn the rules on and off in XenMobile Device Manager, which then manages the ability of devices to access email within the organization.

• Remote configuration. Device Manager controls the baseline and delta intervals used by XenMobile NetScaler Connector.

• Logging. On the Log tab of the XenMobile NetScaler Connector configuration utility, you can view when encryption is enabled for a given user device at the request level, in addition to which devices are allowed or blocked.


XenMobile NetScaler Connector System Requirements

The XenMobile NetScaler Connector communicates with NetScaler over an SSL bridge configured on the NetScaler appliance, which enables the appliance to bridge all secure traffic directly to XenMobile Device Manager.

XenMobile NetScaler Connector can be installed on its own server, or on the same server as the XenMobile Device Manager, and requires the following minimum system configuration:

Component: Requirement

Computer and processor: 733 MHz Pentium III or higher processor (2.0 GHz Pentium III or higher recommended)

NetScaler: NetScaler appliance with software version 10

Memory: 1 gigabyte (GB)

Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space

Operating system: Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 SP2 (recommended)

Other devices: Network adapter compatible with the host operating system for communication with the internal network

Display: VGA or higher-resolution monitor

The host computer for XenMobile NetScaler Connector requires the following minimum available hard disk space:

• Application. 10 -15 MB (100 MB recommended)

• Logging. 1 GB (20 GB recommended)


Deploying XenMobile NetScaler Connector

XenMobile NetScaler Connector allows you to use NetScaler to proxy and load balance Device Manager communication with XenMobile managed devices. XenMobile NetScaler Connector communicates periodically with Device Manager to synchronize policies. XenMobile NetScaler Connector and Device Manager may be clustered, together or independently, and load balanced by NetScaler.

Figure 1. XenMobile NetScaler Connector Deployment

XenMobile NetScaler Connector Components

XenMobile NetScaler Connector consists of the following four components:

• XenMobile NetScaler Connector Service. This provides a REST web service interface that can be invoked by NetScaler to determine whether an ActiveSync request from a device is authorized.

• XenMobile Configuration Service. This service communicates with Device Manager to synchronize Device Manager policy changes with XenMobile NetScaler Connector.

• XenMobile Notification Service. This service sends notifications of unauthorized device access to Device Manager so that Device Manager can take appropriate measures, such as notifying the user why the device was blocked.

• XenMobile NetScaler Configuration. This application allows the administrator to configure and monitor XenMobile NetScaler Connector.


Figure 2. XenMobile NetScaler Connector Components


To set up listening addresses for the XNC web service

In order for the XenMobile NetScaler Connector to be able to receive requests from NetScaler to authorize ActiveSync traffic, you need to specify the port on which the XenMobile NetScaler Connector listens for NetScaler web service calls.

1. From the Start menu, select the XenMobile NetScaler Configuration utility.

2. Select the Web Service tab and type the listening addresses for the XenMobile NetScaler Connector web service. You may select HTTP and/or HTTPS; prefer HTTPS, because the authorization calls from NetScaler carry user and device identifiers. If XenMobile NetScaler Connector is co-resident with Device Manager (installed on the same server), select port values that do not conflict with Device Manager.

3. Once the values are configured, click Save, and then click Start Service to start the web service.


To configure device access control policies

In this task, you configure the access control policy you want to apply to your managed devices.

1. In the XenMobile NetScaler Configuration utility, select the Path Filters tab.

2. Select the first row ("Microsoft-Server-ActiveSync" is for ActiveSync) and click Edit.

3. From the Policy list, select the desired policy. For a policy that is inclusive of Device Manager policies, select "Static + ZDM: Permit Mode" or "Static + ZDM: Block Mode". These policies combine local (static) rules with those from Device Manager. Permit Mode means that all devices not explicitly identified by the rules are permitted access to ActiveSync. Block Mode means that such devices are blocked.

4. When you have set the policies, click Save.


To configure communication with the Device Manager server

In this task, you specify the name and properties of the XenMobile Device Manager server (also known as a 'Config Provider') that you want to use with XenMobile NetScaler Connector and NetScaler.

Note: This deployment task assumes you have already installed and configured the Device Manager server.

1. In the XenMobile NetScaler Configuration utility, select the Config Providers tab.

2. Click Add.

3. Enter the name and URL of the Device Manager server you are using in this deployment. If you have multiple XenMobile Device Manager servers deployed in a multi-tenant deployment, this Name must be unique for each server instance. For example, for Name, you could type XDM.

4. In Url, enter the web address of the Device Manager GCP (Global Config Provider), typically in the format https://DeviceManagerHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.

5. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server. Basic authorization sends the credential in clear text inside the request, so the URL should use HTTPS, as in the format above.

6. In Managing Host, enter the server name where you installed the XenMobile NetScaler Connector.

7. In Baseline Interval, specify how often a new, refreshed dynamic ruleset is pulled from Device Manager.

8. In Request Timeout, specify the server request timeout interval.

9. In Config Provider, select whether this config provider server instance is providing the policy configuration.

10. In Events Enabled, enable this option if you want XenMobile NetScaler Connector to notify Device Manager when a device is blocked. This option is required if you are using Secure Mobile Gateway rules in any of your Device Manager Automated Actions.

11. Once the server is configured, click Test Connectivity to test the connection to theDevice Manager server.

12. When Connectivity has been established, click Save.


Deploying XNC for Redundancy and Scalability

If you want to scale your XNC and Device Manager deployment, you can install XNC instances on multiple Windows servers, all pointing to the same XDM instance, and then load balance them using Citrix NetScaler.

There are two modes for XNC configuration: non-shared and shared.

• In non-shared mode, each XNC instance communicates with an XDM server and keeps its own private copy of the resulting policy. For example, if you had a cluster of Device Manager servers, you could run an XNC instance on each XDM server and XNC would get policy from the local XDM.

• In shared mode, one XNC node is designated the master and it communicates with Device Manager. The resulting configuration is shared among the other nodes either by Windows network share or by Windows (or third-party) replication.

The entire XNC configuration is in a single folder (a few XML files). The XNC Connector process detects changes to any file in this folder and automatically reloads the configuration. There is no failover for the master in shared mode, but the system can tolerate the master being down for minutes (for example, to reboot) because the last known good configuration is cached in the XNC Connector process. Because that folder is the access policy, restrict write access to it, and to the share or replication path that feeds it, to the account that runs the master.
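The reload-with-fallback behaviour described above, as an added example in Python that is not part of the Citrix product: a small model of a process watching a configuration folder, reloading when any XML file changes and keeping the last known good configuration when a file cannot be parsed (for example, a network-share or replication copy caught mid-write). The file name config.xml and the XML layout in demo() are constructed for the example.

```python
"""Hot-reload of a configuration folder with last-known-good fallback (added example, not Citrix code)."""
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import Dict, Optional


class ConfigFolder:
    """Watches one folder of XML files, the way the connector process watches its config folder."""

    def __init__(self, folder: str) -> None:
        self.folder = folder
        self._fingerprint: Dict[str, str] = {}               # file name -> SHA-256 of contents
        self.config: Optional[Dict[str, ET.Element]] = None  # last known good, parsed
        self.reload_failures = 0

    def _snapshot(self) -> Dict[str, str]:
        """Fingerprint every .xml file. Hashing contents catches edits that keep size and mtime."""
        result: Dict[str, str] = {}
        for name in sorted(os.listdir(self.folder)):
            if name.lower().endswith(".xml"):
                with open(os.path.join(self.folder, name), "rb") as fh:
                    result[name] = hashlib.sha256(fh.read()).hexdigest()
        return result

    @property
    def ready(self) -> bool:
        """False until a first valid configuration has loaded; callers should fail closed before then."""
        return self.config is not None

    def refresh(self) -> bool:
        """Reload when any file changed. Returns True only when a new configuration was activated.

        A truncated or corrupt file leaves self.config untouched, so requests keep being
        evaluated against the last known good policy instead of an empty or partial one.
        """
        snap = self._snapshot()
        if self.config is not None and snap == self._fingerprint:
            return False
        try:
            parsed = {name: ET.parse(os.path.join(self.folder, name)).getroot() for name in snap}
        except ET.ParseError:
            self.reload_failures += 1
            return False
        self.config, self._fingerprint = parsed, snap
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario: valid file, no change, truncated file, repaired file."""
    import tempfile
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "config.xml")   # file name and layout are constructed

    def write(text: str) -> None:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    def active_policy(cf: ConfigFolder) -> str:
        return cf.config["config.xml"].find("policy").get("name")

    cf = ConfigFolder(folder)
    out: Dict[str, object] = {"ready_before_first_load": cf.ready}
    write("<policies><policy name='v1' action='block'/></policies>")
    out["first_load"] = cf.refresh()
    out["unchanged"] = cf.refresh()
    write("<policies><policy name='v2' action='al")      # copy interrupted mid-write
    out["corrupt_load"] = cf.refresh()
    out["active_after_corrupt"] = active_policy(cf)
    write("<policies><policy name='v2' action='allow'/></policies>")
    out["repaired_load"] = cf.refresh()
    out["active_after_repair"] = active_policy(cf)
    out["failures"] = cf.reload_failures
    return out
```

The reload_failures counter is the thing to alert on: a master that keeps writing unparsable files means every node is silently serving a stale policy, which the "minutes of tolerance" design above hides until someone looks.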


Installing XenMobile NetScaler Connector

You can install the XenMobile NetScaler Connector on its own server, or on the same server where you installed XenMobile Device Manager.

You might consider installing the XenMobile NetScaler Connector on its own server (separate from Device Manager) for the following reasons:

• If your Device Manager server is hosted remotely in the cloud (physical location).

• If you do not want your XenMobile NetScaler Connector to be affected by reboots of the Device Manager server (availability).

• If you want a server's system resources to be devoted entirely to the XenMobile NetScaler Connector (performance).

The CPU load that XNC puts on a server depends on how many devices are managed, but a general rule of thumb is to provision one additional CPU core if XNC is deployed on the same server as XDM. For large numbers of devices (over 50 thousand), you may need to provision additional cores if you do not have a clustered environment. The memory footprint of XNC is not significant enough to warrant additional memory.


To install XenMobile NetScaler Connector

1. Run XncInstaller.exe under an administrator account. This installs XenMobile NetScaler Connector, or lets you upgrade or remove an existing XNC.

2. Follow the onscreen instructions to complete the installation.

After the XNC install, the two services XenMobile Configuration Service and XenMobile Notification Service must be restarted manually.


To uninstall XenMobile NetScaler Connector

1. Run XncInstaller.exe under an administrator account.

2. Follow the onscreen instructions to complete the uninstallation.


Managing XenMobile NetScaler Connector

You can use XenMobile NetScaler Connector to build access control rules that either allow or block ActiveSync connection requests from managed devices based on device status, app blacklists or whitelists and a host of other compliance conditions. Using the XenMobile NetScaler Connector utility, you can build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also set up email attachment encryption so that all attachments that pass through your Exchange server to managed devices are encrypted and only viewable on managed devices by authorized users.


Configuring XenMobile NetScaler Connector

You can configure XenMobile NetScaler Connector to selectively block or allow ActiveSync requests based on the following properties: ActiveSync Service ID, Device type, User Agent (device operating system), Authorized user, and ActiveSync Command.

The default configuration supports a combination of static and dynamic groups. You maintain static groups by using the SMG Controller Configuration utility. The static groups may consist of known categories of devices, such as all devices using a given user agent. Dynamic groups are maintained by an external source called a Gateway Configuration Provider and collected by XenMobile NetScaler Connector on a periodic basis. XenMobile Device Manager is a Gateway Configuration Provider and can export groups of allowed and blocked devices and users to XenMobile NetScaler Connector.

A policy is an ordered list of groups where each group has an associated action (allow or block) and a list of group members. A policy may have any number of groups. Group ordering within a policy is important because when a match is found the action of that group is taken, and subsequent groups are not evaluated.

A member defines a way to match the properties of a request. It can match a single property (such as device ID), or multiple properties (such as device type and user agent).


Choosing a Security Model for XenMobile NetScaler Connector

Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to allow access to a user, computer, or device by default, using some form of protected or quarantined network control, it is not always a good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices.

The same logic applies to mobile device security. The vast number of mobile devices and device types, the quantity of mobile devices per user, and the array of operating system platforms and applications available make a permissive model a weak choice: anything the rules do not name, including unenrolled or unknown devices, gets mail. In most organizations the restrictive model will be the most logical choice. However, rolling out the XenMobile NetScaler Connector security model successfully requires some planning, because in that model every device must be matched by an allow rule before it can synchronize.

Citrix supports the following configuration scenarios for integrating XenMobile NetScaler Connector with XenMobile Device Manager:

Permissive Model (Permit Mode)

The permissive security model operates on the premise that everything is allowed or granted access by default. Only where a rule or filter matches is something blocked and a restriction applied. The permissive security model suits organizations that have a relatively loose security concern about mobile devices and only apply restrictive controls to deny access where appropriate (when a policy rule is failed).

Restrictive Model (Block Mode)

The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security checkpoint is filtered and inspected, and is denied access unless the rules allowing access are passed. The restrictive security model suits organizations that have a relatively tight security criterion for mobile devices. The mode only grants access to the network services when all rules to allow access have passed.


Configuring XenMobile NetScaler Connector Policy Modes

XenMobile NetScaler Connector can run in the following six modes:

• Allow All. This policy mode grants access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.

• Deny All. This policy mode blocks access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.

• Static Rules: Block Mode. This policy mode executes static rules with an implicit deny or block statement at the end. Devices that are not allowed or permitted by other filter rules are blocked by XenMobile NetScaler Connector.

• Static Rules: Permit Mode. This policy mode executes static rules with an implicit permit or allow statement at the end. Devices that are not blocked or denied by other filter rules are allowed through XenMobile NetScaler Connector.

• Static + ZDM Rules: Block Mode. This policy mode executes static rules first, followed by dynamic rules from Device Manager, with an implicit deny or block statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match the defined filters and rules are blocked.

• Static + ZDM Rules: Permit Mode. This policy mode executes static rules first, followed by dynamic rules from XenMobile Device Manager, with an implicit permit or allow statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match the defined filters and rules are allowed.

The XenMobile NetScaler Connector process permits or blocks for dynamic rules based on unique ActiveSync IDs for iOS and Windows-based mobile devices received from Device Manager. Android devices differ in their behavior based on the manufacturer, and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all of them are allowed, since Android devices cannot be definitively differentiated; a non-compliant second Android device therefore rides on the compliance of the first. The gateway can still be configured to statically block such devices by ActiveSyncID, if they are known, and can also be configured to block based on device type or user agent.

To specify the policy mode, in the SMG Controller Configuration utility, do the following:

1. Click the Path Filters tab and then click Add.

2. In the Path Properties dialog box, select a policy mode from the Policy drop-down list and then click Save.


You can review rules on the Policies tab of the configuration utility. The rules are processed on XenMobile NetScaler Connector from top to bottom. The active policy is displayed with a green checkmark, while the rules that are not active show a red circle with a line through it. To refresh the screen and see the most recent rules, click Refresh. The ordering of rules can be modified in the config.xml file.

To test rules, click the Simulator tab. Specify values in the fields. These can also be obtained from the logs. Click Simulate. A result message will appear specifying Allow or Block.

To configure static rules

You must enter static rules with values that are read by the ISAPI filtering of the ActiveSync connection HTTP request. Static rules enable XenMobile NetScaler Connector to permit or block traffic by the following criteria:

• User. XenMobile NetScaler Connector uses the authorized user value and name structure that was captured during device enrollment. This is commonly found as domain\username as referenced by the server running XenMobile Device Manager connected to Active Directory via LDAP. The Log tab within the XenMobile NetScaler Connector configuration utility will show the values that are passed through XenMobile NetScaler Connector if the value structure needs to be determined or is different.

• Deviceid (ActiveSyncID). Also known as the ActiveSyncID of the connected device. This value is commonly found within the specific device properties page in the Device Manager web console. This value can also be screened from the Log tab in the XenMobile NetScaler Connector configuration utility.

• DeviceType. XenMobile NetScaler Connector can determine if a device is an iPhone, iPad or other device type and permit or block based on that criteria. As with other values, the XenMobile NetScaler Connector utility can reveal all connected device types being processed for the ActiveSync connection.

• UserAgent. Contains information on the ActiveSync client that is utilized. In most cases, the value specified corresponds to a specific operating system build and version for the mobile device platform.

The XenMobile NetScaler Connector utility running on the server always manages the static rules.

1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.

2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, you can allow access for a user by entering the user name (for example, AllowedUser) and clearing the Disabled check box.

3. Click Save. The static rule is now in effect. Additionally, you can use regular expressions to define values, but you must enable the rule processing mode in the config.xml file.

To configure dynamic rules

Dynamic rules are defined by device policies and properties in XenMobile Device Manager and can trigger a dynamic XenMobile NetScaler Connector filter based on the presence of a policy violation or property setting. The XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting and, if the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following configuration options enable you to define whether you want to allow or deny the devices in the Device List by using XenMobile NetScaler Connector.

Note: These dynamic rules must be configured on the Device Manager web console.

1. Open the Device Manager web console and then click Options from the console banner.

2. In the left-hand navigation, click Mobile Configuration and then click XenMobile NetScaler Connector.

3. In the Enable column, select the check boxes for the filters that you want to enable and then select either the Allow or Deny check box.
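As an added illustration (not Citrix code) of how the policy modes, the static rules and the dynamic rules described above combine, the following Python model evaluates an ActiveSync request in the same order the Connector does: static rules top to bottom, then the Device Lists pushed by Device Manager (keyed by ActiveSync ID for iOS and Windows, by user for Android), then the mode's implicit action. The class names, fields, the regex_mode flag and the sample users, ActiveSync IDs and user agents are assumptions of this example, not the product's config.xml schema.

```python
"""Model of XenMobile NetScaler Connector rule evaluation (added example, not
Citrix code): static rules, then Device Manager's dynamic rules, then the
policy mode's implicit action. Names, fields and sample values are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Request:
    """Values the ISAPI filter reads from the ActiveSync HTTP request."""
    user: str         # domain\username as captured at enrollment
    device_id: str    # ActiveSync ID; not reliably unique on Android
    device_type: str  # iPhone, iPad, Android, ...
    user_agent: str   # ActiveSync client / OS build string


@dataclass
class StaticRule:
    """One entry from the Static Rules tab; unset criteria match anything."""
    action: str                        # "Allow" or "Block"
    user: Optional[str] = None
    device_id: Optional[str] = None
    device_type: Optional[str] = None
    user_agent: Optional[str] = None
    disabled: bool = False             # the Disabled check box

    def matches(self, req: Request, regex_mode: bool) -> bool:
        if self.disabled:
            return False
        criteria = [(self.user, req.user), (self.device_id, req.device_id),
                    (self.device_type, req.device_type),
                    (self.user_agent, req.user_agent)]
        for want, have in criteria:
            if want is None:
                continue
            if regex_mode and not re.fullmatch(want, have, re.IGNORECASE):
                return False
            if not regex_mode and want.lower() != have.lower():
                return False
        return True


@dataclass
class DynamicRule:
    """Device List from Device Manager; iOS/Windows keyed by ID, Android by user."""
    name: str
    action: str                                  # "Allow" or "Block"
    device_ids: FrozenSet[str] = frozenset()
    android_users: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    mode: str                                    # "block" or "permit"
    regex_mode: bool = False                     # rule processing mode flag
    static_rules: List[StaticRule] = field(default_factory=list)
    dynamic_rules: List[DynamicRule] = field(default_factory=list)
    # Enrolled Android devices per user, as reported by Device Manager.
    android_device_count: Dict[str, int] = field(default_factory=dict)


def evaluate(policy: Policy, req: Request) -> Tuple[str, str]:
    """Return (decision, reason) the way the Simulator tab reports it."""
    # 1. Static rules first, top to bottom; the first match decides.
    for index, rule in enumerate(policy.static_rules):
        if rule.matches(req, policy.regex_mode):
            return rule.action, f"static rule #{index}"
    # 2. Dynamic rules. A user's several Android devices cannot be told
    #    apart by ID, so in that case all of them are allowed.
    is_android = req.device_type.lower() == "android"
    if is_android and policy.android_device_count.get(req.user, 0) > 1:
        return "Allow", "multiple Android devices for user; dynamic rules skipped"
    for rule in policy.dynamic_rules:
        in_list = (req.user in rule.android_users if is_android
                   else req.device_id in rule.device_ids)
        if in_list:
            return rule.action, f"dynamic rule {rule.name}"
    # 3. Implicit action of the policy mode.
    if policy.mode == "block":
        return "Block", "implicit deny (Static + ZDM Rules: Block Mode)"
    return "Allow", "implicit permit (Static + ZDM Rules: Permit Mode)"


# Constructed sample policy: users, ActiveSync IDs and user agents are made up.
SAMPLE_POLICY = Policy(
    mode="block", regex_mode=True,
    static_rules=[
        StaticRule("Allow", user=r"corp\\alloweduser"),
        StaticRule("Block", device_type="Android", user_agent=r"Android/2\..*"),
    ],
    dynamic_rules=[
        DynamicRule("RootedOrJailbroken", "Block",
                    device_ids=frozenset({"ApplDN6FG0001"}),
                    android_users=frozenset({r"corp\bob"})),
        DynamicRule("ManagedDevices", "Allow", device_ids=frozenset({"ApplDN6FG0002"})),
    ],
    android_device_count={r"corp\alice": 2, r"corp\bob": 1},
)
```

Calling evaluate(SAMPLE_POLICY, Request(...)) returns the decision together with the rule that produced it, which is what you would compare against the Simulator tab; note that an Android request from corp\alice is allowed even though a Block list exists, because that user has two enrolled Android devices.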

To configure custom policies by editing the XenMobile NetScaler Connector XML file

You can view the basic policies in the default configuration on the Policies tab of the configuration tool. If you want to create custom policies, you can edit the XML configuration file (config\config.xml).

1. Find the PolicyList section in the file and add a new Policy element.

2. If a new Group is also required, such as an additional static group or to support an additional GCP, add the new Group element to the GroupList section.

3. Optionally, you can change the ordering of Groups within an existing Policy by rearranging the GroupRef elements.

Configuring the XenMobile NetScaler Connector XML File

XenMobile NetScaler Connector uses an XML configuration file to guide its actions. Among other entries, the file specifies the group files and associated actions the filter will take when evaluating HTTP requests. By default, the file is named config.xml and can be found at the following location: ..\Program Files\Citrix\XenMobile NetScaler Connector\config\.

GroupRef Nodes

The GroupRef nodes define the logical group names - by default, the AllowGroup and the DenyGroup.

Note: The order of the GroupRef nodes as they appear in the GroupRefList node is significant.

The id value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attribute specifies how the filter will treat a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set will "pass" (be allowed to access the Exchange CAS), while a user account or device that matches a rule in the DenyGroup set will be "rejected" (not allowed to access the Exchange CAS).

When a particular user account/device or combination meets rules in both groups, a precedence convention is used to direct the request's outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top to bottom. The GroupRef nodes are ranked in priority order. Thus, the nodes shown in the figure above (which depicts the default order) are such that rules for a given condition in the Allow group will always take precedence over rules for the same condition in the Deny group.

Group Nodes

Additionally, the config.xml defines Group nodes. These nodes link the logical containers AllowGroup and DenyGroup to external XML files. Entries stored in the external files form the basis of the filter rules.

Note: In this release, only external XML files are supported.

The default installation implements two XML files in the configuration - allow.xml and deny.xml.

To import a policy from Device Manager

1. In the XenMobile NetScaler Configuration utility, click the Config Providers tab and then click Add.

2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and that has administrative privileges.

3. In Url, enter the Web address of the XenMobile Device Manager Gateway Configuration Service (GCP), typically in the format https://xdmHost/xdm/services/MagConfigService. The MagConfigService name is case sensitive.

4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.

5. Click Test Connectivity to test gateway to configuration provider connectivity. If the connection fails, check that your local firewall settings allow the connection, or check with your administrator.

6. When a connection is successfully made, clear the Disabled check box and then click Save.

7. In Managing Host, leave the default DNS name of the local host computer. This setting is used to coordinate communication with Device Manager when multiple Forefront Threat Management Gateway (TMG) servers are configured in an array.

After you save the settings, open the GCS.

To configure a connection to XenMobile NetScaler Connector

XenMobile NetScaler Connector communicates with XenMobile Device Manager and other remote configuration providers through secure web services.

1. In the XenMobile NetScaler Connector utility, click the Config Providers tab and then click Add.

2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and has administrative privileges.

3. In Url, enter the Web address of the Device Manager GCP, typically in the format https://ZdmHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.

4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.

5. In Managing Host, enter the XenMobile NetScaler Connector server name.

6. In Baseline Interval, specify a time period for when a new refreshed dynamic ruleset is pulled from Device Manager.

7. In Delta interval, specify a time period for when an update of dynamic rules is pulled.

8. In Request Timeout, specify the server request timeout interval.

9. In Config Provider, select if the config provider server instance is providing the policy configuration.

10. In Events Enabled, enable this option if you want XenMobile NetScaler Connector to notify Device Manager when a device is blocked. This option is required if you are using XenMobile NetScaler Connector rules in any of your Device Manager Automated Actions.

11. Click Save and then click Test Connectivity to test gateway to configuration provider connectivity. If the connection fails, check that the local firewall settings allow the connection or contact the Device Manager administrator.

12. When the connection succeeds, clear the Disabled check box and then click Save.

When you add a new configuration provider, XenMobile NetScaler Connector automatically creates one or more policies associated with the provider. These policies are defined by a template definition contained in config\policyTemplates.xml in the NewPolicyTemplate section. For each Policy element defined within this section, a new policy is created. The operator may add, remove, or modify policy elements provided that the policy element conforms to the schema definition, and that the standard substitution strings (enclosed in braces) are not modified. Next, add new groups for the provider and update the policy to include the new groups.

Choosing Filters for XenMobile NetScaler Connector

XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following filters are available for XenMobile NetScaler Connector within XenMobile Device Manager.

• Blacklisted Apps. Allows or denies devices based on the Device List defined by Blacklist policies and the presence of blacklisted apps.

• Whitelisted Apps only. Allows or denies devices based on the Device List defined by Whitelist policies and the presence of non-whitelisted apps.

• Unmanaged Devices. Creates a Device List of all devices in the Device Manager database. The Mobile Application Gateway needs to be deployed in a Block Mode.

• Rooted Android / Jailbroken iOS Devices. Creates a Device List of all devices flagged as rooted and allows or denies based on rooted status.

• Out of Compliance Devices. Allows you to deny or allow devices that meet your own internal IT compliance criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, which is a Boolean flag that can be either True or False. (You can create this property manually and set the value, or you can use Automated Actions to create this property on a device if the device does or does not meet specific criteria.)

• Out of Compliance = True. If a device does not meet the compliance standards and policy definitions set by your IT department, the device is out of compliance.

• Out of Compliance = False. If a device does meet the compliance standards and policy definitions set by your IT department, the device is compliant.

• Noncompliant password. Creates a Device List of all devices that do not have a passcode on the device.

• Revoked Status. Creates a Device List of all revoked devices and allows or denies based on revoked status.

• Inactive devices. Creates a Device List of devices that have not communicated with Device Manager within a specified period of time and are thus considered inactive, and allows or denies the devices accordingly.

• Anonymous Devices. Allows or denies those devices that are enrolled in Device Manager but the user's identity is unknown. For example, this could be a user who was enrolled but whose Active Directory password is expired, or a user who enrolled with unknown credentials.

• Implicit Allow / Deny. Creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies based on that list. The Implicit Allow/Deny option ensures that the XenMobile NetScaler Connector status in the Devices tab is enabled and shows XenMobile NetScaler Connector status for your devices. The Implicit Allow/Deny option also controls all of the other XenMobile NetScaler Connector filters that have not been selected. For example, Blacklisted Apps will be denied (blocked) by XenMobile NetScaler Connector, whereas all other filters will be allowed because the Implicit Allow/Deny option is selected to Allow.

To simulate ActiveSync traffic

You can use the XenMobile NetScaler Connector to simulate what ActiveSync traffic will look like in conjunction with your policies to test your configurations.

1. In the XenMobile NetScaler Configuration utility, select the Simulations tab.

• The results show you how your policies will apply according to the rules you have configured.

Monitoring XenMobile NetScaler Connector

The XenMobile NetScaler Connector utility provides detailed logging that you can use to view all traffic passing through your Exchange server that is either allowed or blocked by Secure Mobile Gateway.

Use the Log tab to view the history of the ActiveSync requests forwarded to XenMobile NetScaler Connector by NetScaler for authorization.

Also, to make sure the XNC web service is running, you can load the following URL into a browser on the XNC server: http://<host:port>/services/ActiveSync/Version. If this returns the product version as a string, the web service is responsive.

XenMobile Mail Manager

The XenMobile Mail Manager (XMM) allows you to utilize XenMobile Device Manager (XDM) to gain Dynamic Access Control for Exchange Active Sync (EAS) devices, to access EAS device partnership information provided by Exchange, to perform an EAS Wipe on a mobile device, to access information about Blackberry devices, and to perform control operations such as Wipe and ResetPassword.

XenMobile Mail Manager 8.5

The XenMobile Mail Manager (XMM) provides the functionality that extends the capabilities of the XenMobile Device Manager (Device Manager) in the following ways:

• Dynamic Access Control for Exchange Active Sync (EAS) devices. Based on rules defined by XenMobile Device Manager and/or XenMobile Mail Manager, EAS devices can be automatically allowed or blocked access to Exchange services.

• Provides the ability for Device Manager to access EAS device partnership information provided by Exchange. This allows Device Manager to view and manage EAS devices that have never been enrolled in Device Manager.

• Provides the ability for Device Manager to perform an EAS Wipe on a mobile device.

• Provides the ability for Device Manager to access information about Blackberry devices, and to perform control operations such as Wipe and ResetPassword.

XenMobile Mail Manager Components

The XenMobile Mail Manager consists of three main components:

• Exchange ActiveSync (EAS) Access Control Management. This component communicates with Device Manager to retrieve EAS policies from Device Manager, and then merges this policy with any locally defined policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies allow extending the policy rules to allow access control by AD Group, User, Device Type, or Device User Agent (generally the mobile platform version).

• Remote PowerShell Management. This component is responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by EAS Access Control Management. It periodically snapshots the EAS database to detect new or changed EAS devices.

• Mobile Service Provider. This component provides a web service interface so that Device Manager can query EAS and/or Blackberry devices, and issue control operations such as Wipe against them. This capability was previously provided by the ZsmLite\ZMSP products.

Figure 1. XenMobile Mail Manager Components

XenMobile Mail Manager System and Software Requirements

The XenMobile Mail Manager (XMM) requires the following minimum system configuration:

Component: Requirement

Computer and processor: Pentium III 733 MHz or higher processor; 2.0 GHz Pentium III or higher processor (recommended).

Operating system: Windows Server 2008 R2 or 2012.

Server software:

• Microsoft SQL Server 2008 or 2012, or Microsoft SQL Server Express 2008 or 2012, or Microsoft SQL Server 2012 Express LocalDB

• Microsoft .NET Framework 4.5

• Exchange Server 2010 SP2 or later

• Microsoft Office 365

• Blackberry Enterprise Service, version 5 (optional, if managing BlackBerry devices)

Server machine requirements:

• Windows Management Framework must be installed

• PowerShell V2 supported

• The PowerShell execution policy must be set to RemoteSigned by running Set-ExecutionPolicy RemoteSigned from the PowerShell command prompt

Memory: 1 gigabyte (GB).

Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space.

Other devices: Network adapter compatible with the host operating system for communication with the internal network.

Display: VGA or higher-resolution monitor.

Onsite Exchange Requirements

If you are using XenMobile Mail Manager (XMM) with an onsite instance of Microsoft Exchange, you will need to ensure your deployment meets the following requirements.

Permissions

Exchange’s Role-Based Access Control (RBAC) is beyond the scope of this help topic; however, at a minimum the credentials specified in the Exchange Configuration Management Console must be able to connect to the Exchange Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:

• Get-CASMailbox

• Set-CASMailbox

• Get-Mailbox

• Get-ActiveSyncDevice

• Get-ActiveSyncDeviceStatistics

• Clear-ActiveSyncDevice

As documented by Microsoft here, in order to establish a remote connection and run remote commands, the credentials must correspond to a user that is an administrator on the remote machine.

Additionally, the Exchange server must be configured to support remote PowerShell requests via HTTP. Typically, an administrator running the following PowerShell command on the Exchange server is all that is required: WinRM QuickConfig.

Throttling Policy Considerations

Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is 18 on Exchange 2010. Once the connection limit is reached, XMM will not be able to connect to the Exchange server.

While there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends that you investigate Exchange’s throttling policies as related to remote management with PowerShell that best suit the demands of your Exchange environment.

Office 365 Exchange Requirements

If you are using XenMobile Mail Manager (XMM) with an instance of Microsoft Exchange hosted through Office 365, you will need to ensure your deployment meets the following requirements.

Permissions

Exchange’s Role-Based Access Control (RBAC) is beyond the scope of this help topic; however, at a minimum the credentials specified in the Exchange Configuration Management Console must be able to connect to the Exchange Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:

• Get-CASMailbox

• Set-CASMailbox

• Get-Mailbox

• Get-ActiveSyncDevice

• Get-ActiveSyncDeviceStatistics

• Clear-ActiveSyncDevice

The supplied credentials must have been granted the right to connect to the Office 365 server through the remote Shell. By default, the Office 365 online admin has the requisite privileges.

Throttling Policy Considerations

Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is three on Office 365. Once the connection limit is reached, XMM will not be able to connect to the Exchange server.

While there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends that you investigate Exchange’s throttling policies as related to remote management with PowerShell that best suit the demands of your Exchange environment.

Installing XenMobile Mail Manager

The following conditions must be met before installing XenMobile Mail Manager:

• If .NET Framework 4.5 is not installed, download and install from www.Microsoft.com.

• If a Microsoft SQL Server is not installed or available remotely, install one of the following:

• Microsoft SQL Server 2008

• Microsoft SQL Server 2008 SqlExpress

• Microsoft SQL Server 2012

• Microsoft SQL Server 2012 SqlExpress

• Microsoft SQL Server 2012 SqlExpress\LocalDB

XMM 'One LDAP Per Domain' Caveat

XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain, sub domain, and so on), you will need to install XMM for each domain.

You can set LDAP connection properties to use the Global Catalog Server, which will give you access to global groups across domains. To do this, you modify the connection string from "LDAP:" to "GC:".

For example, instead of "LDAP://dc=citrix, dc=com", use "GC://dc=citrix, dc=com".

To install the XenMobile Mail Manager:

Once the above conditions have been met, install the XenMobile Mail Manager by clicking the XmmSetup.msi file and following the onscreen instructions.

Configuring XenMobile Mail Manager

You can use the XenMobile Mail Manager Configuration utility to extend the capabilities of XenMobile Device Manager to create access control rules that can either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services. You can build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also use the utility to perform an EAS wipe on out of compliance devices.

The XenMobile Mail Manager also provides the ability to access information about Blackberry devices and to perform control operations such as Wipe and ResetPassword.

To configure the Exchange Server

1. From the Start menu, launch XenMobile Mail Manager.

2. In the XenMobile Mail Manager utility, click the Configure > Exchange tab.

3. Select the type of Exchange server environment, either On premise or Office 365. If you select On-premise, enter the name of the Exchange CAS server that will be used for Remote PowerShell commands.

4. Enter the User name of a Windows identity that has sufficient rights on the Exchange server. For more information on permissions required for XMM to access the Exchange server, see Onsite Exchange Requirements and Office 365 Exchange Requirements.

5. Enter the Password for the User.

6. Select the schedule for running Major snapshots. A major snapshot detects every EAS partnership.

7. Select the schedule for running Minor snapshots. A minor snapshot detects newly created EAS partnerships.

8. Next, select whether you want the XenMobile Mail Manager to take Deep or Shallow snapshots. Shallow snapshots are faster and are sufficient to perform all the EAS Access Control functions of XenMobile Mail Manager. Deep snapshots may take significantly longer and are only needed if the Mobile Service Provider is enabled for ActiveSync (which allows Device Manager to query for unmanaged devices). If you are configuring XenMobile Mail Manager with a Mobile Service Provider (MSP) ActiveSync interface, for example, to apply access control rules to unmanaged BlackBerry devices from a BES server, you must choose Deep snapshots. If MSP ActiveSync capability is not required, Citrix recommends using shallow snapshots for better performance.

9. Click Test Connectivity to check that a connection can be made to the Exchange server.

10. Click Save. When prompted by a message asking if you would like to restart the service, click Yes.

To configure database properties

The first task in configuring the XenMobile Mail Manager requires configuring a connection to the database it will be using to store data.

1. From the Start menu, launch XenMobile Mail Manager.

2. In the XenMobile Mail Manager utility, click the Configure > Database tab.

3. Enter the Server name of the SQL Server (defaults to localhost).

4. Let the Database name be set to the default (CitrixXmm).

5. In the Authentication field, from the drop-down, select the Authentication mode used for SQL:

a. SQL. If you choose this authentication, then enter the username and password of a valid SQL user.

b. Windows Integrated. If you choose this option, then the Logon credential of the XenMobile Mail Manager Service must be changed to a Windows account that is compatible. To do this, launch Control Panel > Administrative Tools > Services, right-click on the XenMobile Mail Manager Service entry and select the Log On tab.

6. Click Test Connectivity to check that a connection can be made to the SQL server.

7. Click Save. When prompted by a dialog asking if you would like to restart the service, click Yes.

To configure a Mobile Service Provider

Configuring a Mobile Service Provider (MSP) is optional and needed only if the Device Manager server is also configured to use the Mobile Service Provider interface to query unmanaged devices; for example: BlackBerry devices from a BlackBerry Enterprise Server (BES).

Note: XMM manages BlackBerry devices from BES 4.1 and BES 5 servers, BB Z10 devices and other ActiveSync devices from Exchange 2010. The http/https protocols used should be consistent between XMM and XDM.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Configure > MSP tab.

3. Set the Service Transport type (HTTP or HTTPS) for the MSP service.

4. Set the Service port (typically 80 or 443) for the MSP service.

5. Set the Authorization Group or User. This sets the user or set of users that will be able to connect to the MSP service from the Device Manager server.

6. Select Enable ActiveSync if you want to enable ActiveSync queries. Note: If ActiveSync queries are enabled for the Device Manager server then the Snapshot type for the Exchange server(s) must be set to Deep. Be aware that this could have significant performance costs for performing snapshots.

7. Click Save.

To configure the Mobile Service Provider hostname in Device Manager

Once you have configured the XMM to use the Mobile Service Provider web service interface to query unmanaged devices (if you want to manage ActiveSync traffic of BlackBerry devices from the BES 5 server), then you need to configure the Device Manager server to connect to the XMM server.

1. Log in to the Device Manager web console.

2. Click Options.

3. In the Options dialog, select Modules Configuration > Mobile Service Provider.

4. Enter the following information:

a. Web service URL. This is the hostname of the XMM server. For example: http://XmmServer/services/zdmservice.

b. Username. Username of the administrator account on the XMM server. For example: domain\admin.

c. Password. Password for the administrator account on the XMM server.

d. Enable automatic update of BlackBerry and ActiveSync devices connections. Select this option.

5. Click Check Connection to test the communication between XMM and Device Manager.

6. Click Close.

To configure Blackberry BES servers (optional)

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Configure > MSP tab

3. Under BlackBerry Configuration, click Add.

4. In the BES Properties dialog box, type the Server name of the BES SQL server.

5. Type the database name of the BES Management database.

6. Next, select the Authentication mode for server access. If Windows Integrated authentication is selected, the user account of the XenMobile Mail Manager service is the account that is used to connect to the BES SQL Server. If SQL authentication is selected, enter the user name and password.

7. Set the Sync Schedule. This is the schedule used to connect to the BES SQL server and check for any device updates.

8. Click Test Connectivity to check connectivity to the SQL server.

Note: If Windows Integrated is selected, this test uses the current logged in user and not the XenMobile Mail Manager Service user and therefore does not accurately test SQL authentication.

9. If you want to support remote Wipe and/or ResetPassword of BlackBerry devices from Device Manager, select Enabled. In the fields, enter the following information:

a. The BAS Server FQDN.

b. The BAS Server port used for the Admin web service.

c. The fully qualified User and Password required by the BES service.

10. Click Test Connectivity to test the connection to the BES server.

11. Click Save.
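The note on the Windows Integrated test above is the gap a practitioner will want to close: the utility's test runs as whoever is logged in, not as the service. The following PowerShell function is an added example, not part of the Citrix documentation or of XenMobile Mail Manager. It opens the same kind of connection the service would open and asks SQL Server which login it actually authenticated, so the check can be run under the service account itself. The server name BESSQL01, the database name BESMgmt and the account CORP\svc-xmm are assumed example values; substitute the ones from your BES Properties dialog.

```powershell
# Added example, not part of the Citrix documentation. Opens a connection to the
# BES management database the way XenMobile Mail Manager would and reports which
# login SQL Server actually sees, so the Windows Integrated case can be verified
# under the service account rather than under the logged-in administrator.
function Test-BesSqlConnection {
    param(
        [Parameter(Mandatory)] [string] $ServerName,     # BES SQL Server, e.g. BESSQL01\BESMGMT (assumed)
        [Parameter(Mandatory)] [string] $DatabaseName,   # BES management database name (assumed: BESMgmt)
        [System.Management.Automation.PSCredential] $SqlCredential   # omit for Windows Integrated
    )

    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder.DataSource     = $ServerName
    $builder.InitialCatalog = $DatabaseName
    $builder.ConnectTimeout = 15
    if ($SqlCredential) {
        $authMode = 'SQL'
        $builder.IntegratedSecurity = $false
        $builder.UserID   = $SqlCredential.UserName
        $builder.Password = $SqlCredential.GetNetworkCredential().Password
    } else {
        $authMode = 'Windows Integrated'
        $builder.IntegratedSecurity = $true
    }

    $result = [ordered]@{
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        AuthMode  = $authMode
        Connected = $false
        SqlLogin  = $null      # login as authenticated by SQL Server
        Database  = $null
        Error     = $null
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # SUSER_SNAME() is the login SQL Server authenticated. Under Windows
        # Integrated it must be the Mail Manager service account for the
        # configured connection to work, whatever the GUI test reported.
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS SqlLogin, DB_NAME() AS Db'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.SqlLogin = $reader['SqlLogin']
            $result.Database = $reader['Db']
        }
        $reader.Close()
        $result.Connected = $true
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Windows Integrated: run this script under the Mail Manager service account, e.g.
#   runas /user:CORP\svc-xmm "powershell.exe -File .\Test-BesSql.ps1"
# RunningAs and SqlLogin should then both show the service account.
Test-BesSqlConnection -ServerName 'BESSQL01' -DatabaseName 'BESMgmt'

# SQL authentication: supply the SQL login entered in the BES Properties dialog.
# Test-BesSqlConnection -ServerName 'BESSQL01' -DatabaseName 'BESMgmt' -SqlCredential (Get-Credential)
```

When the function is started with runas under the service account, a Connected value of $true together with a SqlLogin equal to that account is the evidence the utility's own test cannot give you; an Error such as a login failure for the service account means the database permissions, not the administrator's, need fixing.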

XenMobile Mail Manager and Exchange "Quarantine" Mode

XenMobile Mail Manager can be indispensable when configured in conjunction with Microsoft Exchange's "Quarantine" mode, which allows an Exchange administrator to quarantine a user's device until that device can be determined to be compliant. (In Exchange quarantine mode, a user's email inbox is blocked, but the user can still see their calendar, appointments, and contacts.)

For example, when a user configures a corporate email account on a personal device, as soon as the user connects to the Exchange server, the user's new device is placed into quarantine mode. Exchange allows the administrator to have a mail sent to the user telling them they need to enroll their new device in XenMobile Device Manager.

When the new device is then enrolled in Device Manager, Device Manager notifies XenMobile Mail Manager to un-quarantine (Allow) the device, provided the device is compliant with Device Manager policy. This policy is defined in Device Manager's SMG Options dialog box.

Understanding XenMobile Mail Manager Access Rules

XenMobile Mail Manager allows you to configure three types of rules:

• Local

• XDM (from Device Manager)

• Default

Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The matching criteria may match a particular device or a set of devices.

Local Rules

Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:

• ActiveSync Device Id. Uniquely identifies a specific device.

• Device Type. A set of devices, such as “iPad”, “WP8”, or “Touchdown”.

• User Agent. A set of devices identified by platform version, such as “iOS/6.1.2”.

• User. A specific user.

XDM (Device Manager) Rules

XDM rules are defined within XenMobile Device Manager. The output of these rules is delivered to XenMobile Mail Manager and continuously updated in the background. XDM rules can identify devices by properties known to XDM, such as:

• Enrolled in Device Manager

• Jailbroken (iOS) or rooted (Android) devices

• Forbidden Apps are installed (blacklisted apps)

• Non-suggested apps are installed

• Unmanaged

• Out Of Compliance

• Non-Compliant Password

• Revoked status

• Inactive Device

• Anonymous status

Default Rules

The Default Rule matches the set of all devices. The Default Rule's desired state may be set to Allow, Block, or Unchanged. If Unchanged is selected, XenMobile Mail Manager will not modify the state of any device that is not matched explicitly by a Local or XDM rule.

Rule Evaluation

For each ActiveSync device known to the Exchange server, the rules are evaluated in order: first Local Rules, then XDM Rules, then the Default Rule. If a match is found in any rule, that rule's desired state is enacted for the device and no further rules are evaluated for the device.

Rule enactment results in a PowerShell command being sent by XenMobile Mail Manager to Exchange to change the access state. However, if the current known access state of the device is already equal to the desired state, no action is taken.

Whenever the rules, or the set of known devices, change, the rules are re-evaluated.

Additionally, XenMobile Mail Manager can be configured in Simulation mode. In this mode, PowerShell commands are not issued to modify the access state. Instead, XenMobile Mail Manager records in its database that such an action was simulated.

Note: The order in which Local and XDM rules are evaluated can be configured so that XDM rules are evaluated before Local rules (this requires manual editing of config.xml).

To configure Default access control rules

The Default access control rule serves as a catch-all that can be set to allow or block any device that does not meet the criteria of either XDM rules or Local rules. For example, if you set the Default rule to Allow, then any device that is not matched by a Block rule in either the XDM or Local rules will be allowed to connect to Exchange.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Configure > Access Rules tab.

3. Select the Default Access, either Allow or Block. This setting controls how all devices other than those identified by explicit Device Manager or Local rules will be treated.

4. Select the ActiveSync Command Mode, either PowerShell or Simulation. In PowerShell mode, XenMobile Mail Manager issues PowerShell commands to enact the desired access control. In Simulation mode, XenMobile Mail Manager does not issue PowerShell commands, but logs the intended command and intended outcome to the database; you can then use the Monitor tab to see what would have occurred if PowerShell mode had been enabled.

5. Click Save.

To configure XDM (Device Manager) rules

You can use XDM (from Device Manager) rules in XenMobile Mail Manager in combination with Local and Default rules. Device Manager rules provide control over devices that do not meet your corporate device compliance standards, such as the ability to block devices that have blacklisted apps, devices that have been rooted or jailbroken, or devices that meet some other condition.

Device Manager rules are configured in the Device Manager web console, in the Options dialog box.

Device Manager rules are evaluated by XenMobile Mail Manager after Local rules and before the Default rule.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Configure > Access Rules tab.

3. Click the XDM Rules tab.

4. Click Add.

5. Type a name for the XenMobile Device Manager (XDM) rules, such as "XDM".

6. Modify the URL string to refer to the Device Manager server. For example, if the Device Manager server name is "Xdm01", enter http://Xdm01/zdm/services/MagConfigService. The credentials entered in the next two steps are sent to this URL, so use https:// if the Device Manager server is configured for TLS.

7. Enter an authorized user on the Device Manager server.

8. Enter the password of the user.

9. Leave the Baseline Interval, Delta Interval, and Timeout values at the default settings.

10. Click Test Connectivity to check the connection to the Device Manager server.

11. Click OK.

To configure local rules

Local rules are those you create in, and that are specific to, the XenMobile Mail Manager utility. They provide an extra layer of filtering and control over your company email access policies. Used in combination with Default access rules and Device Manager Secure Mobile Gateway rules (XDM rules), they let you build combinations of filters that enforce email access according to company policy.

You can build local rules to allow or block access by device ID, Device Type (all Android devices, for example), specific user, Active Directory group, or even agent version (device platform version).

In XenMobile Mail Manager, local rules are evaluated first, followed by XDM rules, and then by Default rules, from top to bottom as they are listed in the user interface.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Configure > Access Rules tab.

3. Click the Local Rules tab.

4. If you want to build local rules that operate on AD groups, click Configure LDAP and configure the LDAP connection properties.

5. From the drop-down list, select the type of local rule to add: ActiveSync Device ID, Device Type, AD Group, User, or device UserAgent.

6. Type text or text fragments in the text box. Optionally, click the query button to view the entities that match the fragment. Note that for all types other than Group, the system relies on the devices that have been found in a snapshot, so if you are just starting and have not completed a snapshot, no entities will be available.

7. Select a text value in the results and then click Allow or Deny to add it to the Rule List on the right side.

8. You can change the order of rules or remove them using the buttons to the right of the Rule List. The order is significant: for a given user and device, rules are evaluated in the order shown, and a match on a higher rule (nearer the top) causes subsequent rules to have no effect. For example, if you have a rule allowing all iPad devices and a subsequent rule blocking user "Matt", then Matt's iPad will still be allowed because the "iPad" rule has a higher effective priority than the "Matt" rule. Place narrow Block rules above broad Allow rules when the Block is meant to win.

9. To determine the effects of multiple rules with groups that have overlapping members, click View Expanded. This shows the net result of the combination of groups.

10. Click Save.

Simulation vs PowerShell Mode

Before you implement and activate your access control rules with XenMobile Mail Manager, you can use Simulation mode to test the rules, as opposed to PowerShell mode, which actually executes the rules in your live environment. The difference between the two modes is as follows:

• In Simulation mode, XenMobile Mail Manager does not issue PowerShell commands, but logs the intended command and intended outcome to the database. You can then use the Monitor tab to see what would have occurred if PowerShell mode had been enabled.

• In PowerShell mode, XenMobile Mail Manager issues PowerShell commands to enact the desired access control.

To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under ActiveSync Access Control Rules on the Default Rule tab, select either Simulation or PowerShell from the ActiveSync Command Mode drop-down list.
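The evaluation described in the Rule Evaluation section (Local rules, then XDM rules, then the Default rule; first match wins; no command when Exchange already holds the desired state), the ordering trap from the local rules procedure (a broad iPad Allow above a "Matt" Block), and the Simulation versus PowerShell command modes, worked through as one added PowerShell model. This is example code, not XenMobile Mail Manager's own implementation: the devices, device IDs and rules are constructed for the example, and the Set-CASMailbox command shape is an assumption, since the page does not document the exact cmdlets Mail Manager issues.

```powershell
# Added example, not XenMobile Mail Manager's own code: a model of the access-rule
# evaluation described on this page. Devices, rules and device IDs are constructed.

# Sample devices as seen after an Exchange snapshot, with the properties Device
# Manager (XDM) reports for each and the access state Exchange currently holds.
$devices = @(
    [pscustomobject]@{ User='matt';  DeviceId='APPL1A2B3C'; DeviceType='iPad';
                       UserAgent='Apple-iPad3C1/1002.329';  Jailbroken=$false; Enrolled=$true;  Current='Allow' }
    [pscustomobject]@{ User='matt';  DeviceId='ANDR4D5E6F'; DeviceType='Android';
                       UserAgent='Android/4.1';              Jailbroken=$true;  Enrolled=$true;  Current='Allow' }
    [pscustomobject]@{ User='priya'; DeviceId='WP87G8H9I0'; DeviceType='WP8';
                       UserAgent='MSFT-WP/8.0';              Jailbroken=$false; Enrolled=$false; Current='Block' }
    [pscustomobject]@{ User='sam';   DeviceId='APPL9Z8Y7X'; DeviceType='iPhone';
                       UserAgent='Apple-iPhone5C2/1002.329'; Jailbroken=$false; Enrolled=$true;  Current='Block' }
)

# Local rules in the order shown in the Rule List (top first). The broad iPad
# Allow sits above the "matt" Block, so Matt's iPad stays allowed.
$localRules = @(
    @{ Property='DeviceType'; Value='iPad'; Access='Allow' }
    @{ Property='User';       Value='matt'; Access='Block' }
)

# XDM rules: predicates over properties only Device Manager knows.
$xdmRules = @(
    @{ Name='Jailbroken or rooted'; Test={ param($d) $d.Jailbroken };   Access='Block' }
    @{ Name='Unmanaged';            Test={ param($d) -not $d.Enrolled }; Access='Block' }
    @{ Name='Enrolled';             Test={ param($d) $d.Enrolled };     Access='Allow' }
)

function Test-LocalRule {
    param($Rule, $Device)
    $actual = $Device.($Rule.Property)
    # A User Agent value such as "iOS/6.1.2" is a platform-version prefix.
    if ($Rule.Property -eq 'UserAgent') { return $actual -like "$($Rule.Value)*" }
    return $actual -eq $Rule.Value
}

function Resolve-DesiredAccess {
    param($Device, $LocalRules, $XdmRules, $DefaultAccess, [switch] $XdmFirst)
    # Default order is Local then XDM; config.xml can swap the two stages.
    $stages = if ($XdmFirst) { 'XDM', 'Local' } else { 'Local', 'XDM' }
    foreach ($stage in $stages) {
        if ($stage -eq 'Local') {
            foreach ($r in $LocalRules) {
                if (Test-LocalRule -Rule $r -Device $Device) {
                    return @{ Access=$r.Access; MatchedBy="Local: $($r.Property)=$($r.Value)" }
                }
            }
        } else {
            foreach ($r in $XdmRules) {
                if (& $r.Test $Device) { return @{ Access=$r.Access; MatchedBy="XDM: $($r.Name)" } }
            }
        }
    }
    return @{ Access=$DefaultAccess; MatchedBy='Default' }   # catch-all, may be Unchanged
}

function New-CasMailboxChange {
    param($Device, $Access)
    # Assumed Exchange command shape; the page does not document Mail Manager's
    # exact cmdlets. Parameters stay structured so they are splatted, never pasted
    # into a string and run with Invoke-Expression (device IDs come from Exchange).
    $id = $Device.DeviceId
    $p = @{ Identity = $Device.User }
    if ($Access -eq 'Allow') {
        $p.ActiveSyncAllowedDeviceIDs = @{ Add = $id };    $p.ActiveSyncBlockedDeviceIDs = @{ Remove = $id }
    } else {
        $p.ActiveSyncBlockedDeviceIDs = @{ Add = $id };    $p.ActiveSyncAllowedDeviceIDs = @{ Remove = $id }
    }
    @{ Cmdlet = 'Set-CASMailbox'; Parameters = $p
       Text   = "Set-CASMailbox -Identity $($Device.User) ($Access device $id)" }
}

function Invoke-AccessRules {
    param(
        $Devices, $LocalRules, $XdmRules,
        [ValidateSet('Allow','Block','Unchanged')] $DefaultAccess = 'Unchanged',
        [ValidateSet('Simulation','PowerShell')]   $Mode = 'Simulation',
        [switch] $XdmFirst
    )
    foreach ($d in $Devices) {
        $decision = Resolve-DesiredAccess -Device $d -LocalRules $LocalRules -XdmRules $XdmRules -DefaultAccess $DefaultAccess -XdmFirst:$XdmFirst
        $record = [pscustomobject]@{ User=$d.User; DeviceId=$d.DeviceId; Current=$d.Current
                                     Desired=$decision.Access; MatchedBy=$decision.MatchedBy
                                     Command=$null; Action='None' }
        # No command when the rule says Unchanged or Exchange already holds the desired state.
        if ($decision.Access -ne 'Unchanged' -and $decision.Access -ne $d.Current) {
            $change = New-CasMailboxChange -Device $d -Access $decision.Access
            $record.Command = $change.Text
            if ($Mode -eq 'PowerShell') {
                $params = $change.Parameters
                & $change.Cmdlet @params            # live change, needs an Exchange shell
                $record.Action = 'Executed'
            } else {
                $record.Action = 'Simulated'        # recorded only, as on the Monitor tab
            }
        }
        $record
    }
}

Invoke-AccessRules -Devices $devices -LocalRules $localRules -XdmRules $xdmRules -Mode Simulation |
    Format-Table User, DeviceId, Current, Desired, MatchedBy, Action -AutoSize
```

Run in Simulation mode the table shows which rule decided each device and whether a command would have been issued; Matt's Android device, for instance, is blocked by the Local "matt" rule before the XDM jailbroken rule is ever consulted, and the two devices already in their desired state get no command at all. Switching to -Mode PowerShell only makes sense from an Exchange Management Shell session where Set-CASMailbox exists, and -XdmFirst reproduces the config.xml ordering change mentioned in the note.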

Monitoring XenMobile Mail Manager

The Monitor tab in XenMobile Mail Manager allows browsing of the EAS and BlackBerry devices that have been detected, and displays the history of automated PowerShell commands that have been issued.

There are three tabs under the Monitor tab:

• ActiveSync Devices

• BlackBerry Devices

• Automation History

Also, the history of all snapshots is available under the Configure tab:

• In the Exchange tab, click the Info icon for the desired Exchange server.

• Under the MSP tab, click the Info icon for the desired BlackBerry server. Snapshot history shows when the snapshot took place, how long it took, how many devices were detected and any errors that occurred.

To monitor ActiveSync devices

From the Monitor tab, you can view all ActiveSync devices that have been detected and a history of PowerShell commands issued by XenMobile Mail Manager.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Monitor > ActiveSync Devices tab.

3. From this tab, you can view a list of all devices discovered by XenMobile Mail Manager. Using the drop-down list, you can filter the list to see which devices have been allowed and which have been blocked, and you can filter the commands by those issued in the last hour or the last day. You can also search the list by user or device ID.

4. To see more details on a specific command or device (or user), click the green (allowed) or red (blocked) icon next to the entry.

To monitor BlackBerry devices

From the Monitor tab, you can view all BlackBerry devices that have been detected and a history of PowerShell commands issued by XenMobile Mail Manager.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Monitor > BlackBerry Devices tab.

3. From this tab, you can view a list of all BlackBerry devices discovered by XenMobile Mail Manager. You can search the list for a specific user by typing the user's email address and then clicking Go.

4. To see more details on a specific command or device (or user), click the green (allowed) or red (blocked) icon next to the entry.

To view snapshot history

You can view the history of snapshots taken for your Exchange or BlackBerry servers by clicking the information icon (i) next to the server.

1. From the Start menu, launch XenMobile Mail Manager.

2. Click the Configure > Exchange tab.

3. Click the small blue information icon next to the Exchange server to see the history of snapshots taken of the server's ActiveSync traffic.

4. To view the history of snapshots taken of a configured BlackBerry server, click the Configure > MSP tab.

5. Click the small blue information icon next to the BlackBerry server to see the history of snapshots taken.

Installing App Controller

Citrix App Controller delivers access to web, SaaS, Android, and iOS apps, as well as integrated ShareFile data and documents. Users access their applications through Citrix Receiver, Receiver for Web, or Worx Home.

With App Controller, you can provide the following benefits for each application type:

• SaaS applications. Active Directory-based user identity creation and management, with SAML-based single sign-on (SSO).

• Intranet web applications. HTTP form-based SSO by using password storage.

• iOS and Android apps. Unified store to which you can install MDX apps for iOS and Android devices, and security management for MDX policies, encompassing WorxMail and WorxWeb. You can wrap iOS and Android apps with the MDX Toolkit to create MDX apps.

• ShareFile access. Delivery of files by configuring ShareFile settings and the ShareFile application that provides seamless SAML SSO, and Active Directory-based ShareFile service user account management.

In This Section

The topics in this section provide information about installing and configuring App Controller 2.9.

Getting Ready to Install App Controller

The App Controller virtual machine (VM) runs on Citrix XenServer, Microsoft Hyper-V, or VMware ESXi. You can use the XenCenter or vSphere management consoles to install App Controller 2.9.

Before installing App Controller, you must do the following:

• Install XenServer or VMware ESXi on a computer with adequate hardware resources.

• Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere connects to the XenServer or VMware ESXi host through the network.

• For Hyper-V, install Windows Server 2008 R2 or Windows Server 2012 with the Hyper-V role enabled on a computer with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host.

This section details the following steps for installing App Controller on XenServer, Hyper-V, or VMware:

• Installing the VM on XenServer and setting the properties for App Controller in XenCenter.

• Installing App Controller on VMware ESXi and using vSphere to allocate virtual hardware components to App Controller, such as memory and virtual CPUs.

• Installing App Controller on Hyper-V.

• Configuring the IP address and subnet mask, default gateway, DNS servers, and Network Time Protocol (NTP) servers for App Controller by using the XenCenter or vSphere command-line console.

When you finish configuring App Controller network settings by using the command-line console, you log on to the App Controller management console. Then, you configure the following settings:

• Active Directory configuration from which you obtain groups for App Controller

Note: After you complete the Configure wizard, you can configure settings for additional Active Directory servers in your network.

• Administrator settings

• Workflow email settings

Optionally, you can change in the wizard the settings you configured by using the command-line console. These settings include:

• App Controller system settings, such as IP address, subnet mask, and the default gateway

• NTP and DNS server settings and the time zone

After you configure App Controller system settings, to complete the configuration, App Controller retrieves the groups and members of the groups from the specified Base DN in Active Directory. When the retrieval is complete, App Controller logs off. You can log on again to continue configuring App Controller features.

Installing App Controller on XenServer

After you download the virtual image (.xva file) from the Citrix web site, install App Controller on XenServer. After installation, set the properties for App Controller in XenCenter.

To install App Controller on XenServer

1. Start XenCenter on your computer.

2. In the navigation pane, click the name of the XenServer on which you want to install App Controller and then connect.

3. On the File menu, click Import.

4. In the Import wizard, in Filename, browse to the location to which you saved the .xva image file and then click Open.

5. Follow the instructions in the wizard to import the App Controller image.

After you click Finish in the wizard, you can click the Logs tab to view the status of the import process. When the import process is complete, you configure the initial settings for App Controller by using the command-line console. For more information, see Setting the App Controller IP Address for the First Time.

To set the properties for App Controller

When you import App Controller, the number of virtual CPUs (VCPUs) is set to 2. You cannot change this setting. The default memory setting is 4096 MB. You can leave the memory setting or change it by using the Memory tab in XenCenter.

Note: If the App Controller virtual machine acts as the cluster head, configure 4 VCPUs.

Installing App Controller by Using VMware ESXi

To install App Controller on VMware ESXi, you must first install VMware ESXi on a computer with adequate hardware resources. To perform the App Controller installation, you use vSphere. You install vSphere on a remote computer that can connect to the VMware host through the network. After you install App Controller, you can create virtual hardware components on VMware and then use vSphere to allocate them to App Controller.

When you install App Controller on VMware ESXi, you use the vSphere client. You select the OVF template to start the Deploy OVF Wizard. Follow the directions in the wizard to import the App Controller OVA (.ova) file. You provide a name for App Controller and then configure additional settings to import the file to VMware ESXi.

After the import is complete, you set the App Controller properties in vSphere. These settings include:

• Allow the virtual machine to start and stop automatically with the system.

• Set the startup order for App Controller.

• Set the memory size to 4096 MB.

• Set the number of VCPUs to 2.

For more information about VMware ESXi and the vSphere client, see the manufacturer's documentation.

Installing App Controller on Microsoft Hyper-V

To install App Controller on Microsoft Hyper-V, you must first install Windows Server 2012 with Hyper-V enabled or Microsoft Hyper-V Server 2012 on a computer with adequate hardware resources. To perform the App Controller installation, you use Hyper-V Manager, which is a Microsoft Management Console (MMC) snap-in. Hyper-V Manager is installed automatically when you enable the Hyper-V role.

You download a compressed ZIP file to install App Controller on Microsoft Hyper-V. You extract the files and then use Hyper-V Manager to install App Controller.

Note: Make sure that you extract the files in the ZIP folder into a different folder before you specify the path to the folder.

After you import the virtual machine, you need to configure the virtual network adapter by associating the adapter with the virtual networks created by Hyper-V. App Controller requires one virtual network adapter.

In Hyper-V Manager, you select the server on which you want to install App Controller and then import the virtual machine. When the import starts, you are prompted to specify the path of the folder that contains the App Controller software files.

After the import is complete, you set the App Controller properties in Hyper-V Manager. These settings include:

• Allow the virtual machine to start and stop automatically with the system.

• Set the startup order for App Controller.

• Set the memory size to 4096 MB.

• Set the number of VCPUs to 2.

For more information about Microsoft Hyper-V and Hyper-V Manager, see the manufacturer's documentation.

Setting the App Controller IP Address for the First Time

After importing the App Controller image, you need to configure the IP address. The IP address is the management address at which you can access App Controller through a web browser or by using a Secure Shell (SSH) client, such as PuTTY. You can access the App Controller command-line interface through the XenCenter console to specify an IP address, subnet mask, default gateway, Domain Name Servers (DNS) and a Network Time Protocol (NTP) server. The default IP address for App Controller is 10.20.30.40.

To change the IP address for App Controller in XenCenter

1. In XenCenter, select the App Controller virtual machine and then click the Console tab.

2. At the console logon prompt, enter the administrator credentials.

The default user name for the console is admin and the default password is password. These defaults are published, so change the console password (and the management console password mentioned below) before the appliance is reachable from the network; both can be changed from Administrator settings on the Settings tab.

3. At a command prompt, type 0 to select Express Setup.

4. Select the appropriate number to change the IP address, subnet mask, default gateway, DNS servers, and NTP server.

Note: Citrix recommends using an NTP server to set the date and time on App Controller.

5. Press 5 to commit the changes.

When you commit the changes, you are prompted to restart App Controller. Review your settings and then type y to commit the changes. After App Controller restarts, you can access the management console by using the new IP address in a web browser. To open the management console, type https://<App Controller IP address>:4443/ControlPoint in the address bar of the web browser. For example, type https://10.20.30.40:4443/ControlPoint. The user name is administrator and the password is password.

When you connect to App Controller, you must use HTTPS. If you attempt to connect with HTTP, the connection fails.
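An added check, not from the Citrix documentation, for the two statements above: that the management address answers over TLS on port 4443, which server certificate it presents (compare the thumbprint with the certificate you install under Settings > Certificates, since until then the appliance serves whatever certificate it shipped with), and that a plain HTTP request to the same port is refused. It assumes the default address 10.20.30.40 and the /ControlPoint path from this page; the function and field names are the example's own.

```powershell
# Added example, not part of the Citrix documentation. Probes the App Controller
# management address: a TLS handshake on 4443 (reporting the certificate that is
# presented) and a plain-HTTP attempt that, per the page, must fail.
function Test-AppControllerConsole {
    param(
        [string] $Address = '10.20.30.40',   # default App Controller address on this page
        [int]    $Port    = 4443
    )
    $result = [ordered]@{
        Address = $Address; Port = $Port
        TlsReachable = $false; CertSubject = $null; CertThumbprint = $null; CertNotAfter = $null
        HttpRefused  = $false; TlsError = $null; HttpError = $null
    }

    # 1. TLS handshake. The validation callback accepts any certificate because the
    #    appliance may still carry its factory certificate; the point is to see it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Address, $Port)
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Address)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsReachable   = $true
        $result.CertSubject    = $cert.Subject
        $result.CertThumbprint = $cert.Thumbprint     # compare with the certificate you installed
        $result.CertNotAfter   = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $result.TlsError = $_.Exception.Message
    } finally {
        $client.Close()
    }

    # 2. Plain HTTP to the same port must not yield a console page.
    try {
        $null = Invoke-WebRequest -Uri "http://${Address}:${Port}/ControlPoint" -UseBasicParsing -TimeoutSec 10
    } catch {
        $result.HttpRefused = $true
        $result.HttpError   = $_.Exception.Message
    }
    [pscustomobject]$result
}

Test-AppControllerConsole -Address '10.20.30.40'
```

A healthy result has TlsReachable and HttpRefused both $true. If HttpRefused comes back $false, something on the path (a proxy or a load balancer in front of the appliance) is answering HTTP on that port, which is worth investigating before users are pointed at the console.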

Configuring App Controller for the First Time

After you install the App Controller virtual machine (VM) and configure the initial settings by using the command-line console, you can configure additional App Controller network settings in the App Controller management console. When you log on to the management console for the first time, the Configure wizard appears, prompting you to configure settings that include the following:

• Administrator password and email address

Note: Make sure that the email address is part of the base DN that you configure in the Active Directory settings.

• App Controller host name, IP address, subnet mask, and default gateway

Note: You can also configure an IP address for App Controller if you want a different IP address than the one you configured by using the command-line console.

• Active Directory settings for one server

• Certificates

Note: In the Configure wizard, you can add, create, or remove certificates on the Active Directory page. The option to configure certificates from the Active Directory page only appears when you configure App Controller for the first time in the management console. After you run the Configure wizard for the first time, you can then manage certificates from the Settings tab in the management console.

• Network Time Protocol (NTP) server and time zone

• DNS server settings

• Workflow email settings

Important: For workflows to work correctly, when you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, they receive a message that they are not authorized to use the app.

After you configure and save the remaining network settings in the management console, App Controller retrieves users from Active Directory and then logs off. If you changed the password, log on again with the new password.

Important: If you have a large number of users or groups, it might take a few hours for App Controller to retrieve users. You cannot make any changes to App Controller until this process is complete. If you close the browser, interrupt the synchronization and then restart the Configure wizard in another web browser, your settings are not saved. Citrix recommends that you allow the Active Directory synchronization to complete. When you configure the App Controller settings for the first time, you can enter a group distinguished name (DN) that speeds the synchronization of Active Directory membership with App Controller.

If you need to make changes to system settings at a later time, you can access the Settings tab. You can configure or reconfigure the following on the Settings tab:

• Active Directory settings, such as IP address, administrator email and password, and base DN

• Administrator settings, which let you change the password for the management console and the command-line console

• Support options, which let you configure GoToAssist user assistance settings

• Branding, which lets you upload your own Portable Network Graphics (.png) images to mobile devices

• Certificates, where you can install root, intermediate, and server certificates on App Controller

• Deployment settings for StoreFront or NetScaler Gateway

• Name server settings, such as a DNS or WINS server

• GoToAssist settings for email or phone support

• Log transfer, which sends logs to a server in your network

• Network connectivity, which contains the App Controller network settings

• NTP server, which contains the settings for a Network Time Protocol server

• Receiver email template, from which you can send emails to your users to download Receiver

• Receiver updates

• Release management, which lets you upload software upgrades, patches, and application connectors

• Store credentials, where you can save the user name, password, and device ID for the Google Play Store

• SysLog server settings

• Workflow email, which is the administrator email settings for workflows

• XenMobile MDM, where you configure connection settings to XenMobile Device Manager

To change App Controller settings

1. In the App Controller management console, click Settings at the top of the page.

2. In the left pane, under System Configuration, click one of the options to configure the settings.

After you complete App Controller configuration, you can configure roles, users, applications, and application categories for single sign-on (SSO). You can do the following:

• Refresh users from Active Directory.

• Add roles to map which Active Directory groups receive access to applications.

• Add web and SaaS applications to App Controller from the provided connector catalog.

• Upload mobile apps to App Controller.

• View a user device inventory in which you can erase and stop erasing application data and documents from a device, lock and unlock a device, or delete a device from the inventory.

• Retrieve mobile app information by configuring mobile links.

• Add links to commonly used web sites including Internet and intranet sites.

• Create access to applications that are not in the catalog for SSO by using either HTTP Federated Formfill or SAML connectors.

• Download certificates for use with some SAML applications.

• Create user accounts automatically based on Active Directory group membership.

• Assign users to applications based on their role within the organization.

• Add categories to which you can add applications.

• Connect StoreFront to App Controller. When users connect with Citrix Receiver, they can see the application list, subscribe to applications, and access applications seamlessly.

• Configure ShareFile settings for user data and documents.

• Download a CR (.cr) file that configures Receiver on the user device. You can send this file to users in an email. The .cr file contains all of the settings that Receiver needs to connect to App Controller.


Icons in the App Controller Management Console

The App Controller management console includes icons that users click to perform different tasks. The following table defines each icon (the icon images themselves are not reproduced in this text; each entry gives the icon name and its definition).

Enable: Indicates that an app is disabled. When clicked, enables the app.

Disable: Indicates that an app is enabled. When clicked, disables the app.

Edit: Used to edit a role or application.

Remove: Used to remove an application, remove an application from a role, or to remove a category, workflow, or user device.

Sync: Used to synchronize application users with Active Directory for accounts that are configured for user account management. Also opens a Storage Zone dialog box in Roles to enable you to find a particular storage zone and provide credentials.

Upgrade: Used to upgrade a mobile application with a new version.

Role details: In Roles, you can view the Active Directory groups that belong to a configured role or you can delete the role.

Lock: Used to lock a user device.

Unlock: Used to unlock a user device after you have locked it.

Erase: Used to erase data and documents from a device.

Stop erasing: Used to stop the process of erasing data and documents from the device.

Apps: In Workflows, shows the apps with which the workflow is associated, if any.

Workflow details: In Workflows, lets you view the levels of manager approval and additional approvers for a configured workflow.

User: In Roles, lets you view members of the Active Directory groups.


Adding Active Directory Domains to App Controller

App Controller uses Active Directory groups and users. You configure Active Directory in two ways:

• With the Configure wizard when you log on to the App Controller management console for the first time. This domain is considered the default domain.

• On the Settings tab where you can configure multiple Active Directory domains.

With Active Directory, you can:

• Create roles in App Controller that map to one or more Active Directory groups within multiple domains.

• Create and remove user application accounts based on their Active Directory group membership by using applications assigned to roles.

• Create workflows for manager approval of user accounts for applications.

Important: When you add users to Active Directory, you must enter the first name and last name in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app. The administrator account must be recognized by all corresponding Active Directory domains you configure in App Controller.

When App Controller synchronizes with Active Directory, either after the first time you configure Active Directory in App Controller or if you manually synchronize with Active Directory, the length of time it takes to synchronize depends on the size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this time, you cannot configure any other settings in Active Directory. If you enter a group DN when you first configure Active Directory, the synchronization occurs more quickly. For example, you enter cn=Users,dc=servername,dc=net, where cn=users is the group base DN and servername is the name of the Active Directory server. When the initial synchronization is finished, App Controller logs off from the management console and returns to the management console logon page.

Note: If you provide the root level base DN, such as dc=mycompany,dc=com, App Controller retrieves users in child domains. To prevent retrieval of child domain users, provide specific user base DN paths that relate to the parent domain.

Configuring Multiple Active Directory Domains

After you configure one Active Directory domain by using the Configure wizard, you can add additional Active Directory domains on the Settings > Active Directory tab in the App Controller management console.


When you configure Active Directory domains, you provide the server information including:

• IP address

• Port

• Domain name

• Service account

• Password

• User base DN

• Group base DN

• SSL support

You can configure Active Directory domains in the following ways:

• One Active Directory instance per domain. You can specify multiple base DNs in each domain. Separate each base DN with a semi-colon (;).

• Two domains that belong to different Windows Server trees.

• Two domains that belong to different Windows Server forests.

For each domain, the service account you specify must be able to access the base DN for each domain. App Controller does not maintain any internal relationship between managed domains. You can manage multiple Active Directory domains as separate instances. When you configure multiple Active Directory domains, Citrix recommends that you use the User Principal Name (UPN) so you can include the domain name.

If you configure multiple domains, keep the following in mind:

• Only users in the default domain can log on directly to App Controller.

• Logons by users in other domains must be authenticated by NetScaler Gateway.

• Domains configured in App Controller and NetScaler Gateway must match.

• Domains configured in App Controller and StoreFront must match when StoreFront is used as the authentication server.

If StoreFront is used as the authentication server, the domain information must be included in the token validation response from StoreFront. You can use sAMAccount (domain\username) or UPN (user@domain) for user logon.

Modifying and Deleting Active Directory Domains

You can modify and delete Active Directory domains in App Controller. App Controller retrieves users and groups when you add each domain. If you modify a domain by changing the user or group base DN, App Controller synchronizes with Active Directory again.


You can delete one domain at a time and you cannot delete the default domain. When you delete a domain, App Controller marks all of the users in the domain as terminated users. These users lose access to role-based apps. App Controller also deletes pending workflows and provisioning requests. User accounts reconciled to terminated users are processed according to the app configuration (ignore, disable, or delete).

Important: If you delete a domain, you cannot add the same domain to App Controller again.


Adding and Synchronizing Active Directory Domains

You can add multiple Active Directory domains to App Controller. After you add a domain, click the Sync icon to retrieve users and groups from the Active Directory domain.

To add Active Directory domains

1. In the App Controller management console, click Settings at the top of the page.

2. In the left pane, under System Configuration, click Active Directory.

3. In the details pane, click Add.

4. In Server and Port, enter the IP address and port number of the Active Directory server. The default port number is 389.

5. In Domain name, add the Active Directory domain, such as mycompany.net. When you add the domain name, User Base DN and Group Base DN populate automatically.

6. In User Base DN and Group Base DN enter any other parameters, such as cn=Users.

A warning appears if the base DN is a top-level domain.

7. In Service Account, add the email address of the administrator account. You can use either the sAMAccountName, in which users log on with domain\user, or the User Principal Name (UPN), in which users log on with [email protected].

Note: All Active Directory domains that you add to App Controller must recognize this service account.

8. In Password and Confirm Password, enter the password of the service account and then click Save.

When you configure settings and only configure the top-level domain, the Add Domain dialog box appears as in the following figure:


To remove the warning message, configure a subdomain as part of the base DN. For example, enter cn=Users, dc=mycompany,dc=net.
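The base DN, port, and service account rules described under "Configuring Multiple Active Directory Domains" and in the Add Domain procedure above, carried out as an added example (illustrative code, not App Controller's own): the domain name is turned into the auto-populated base DN, a base DN made only of dc= components is flagged as top-level (the case that triggers the warning and pulls in child-domain users), semicolon-separated base DNs are expanded and checked to lie under the domain, and the service account is classified as sAMAccountName or UPN. The function names, the form keys, and the sample values are assumptions.

```python
"""Added example: validating the fields of an App Controller 'Add Domain' form.

Illustrative code, not part of App Controller. It encodes the rules the page
states: the domain name yields the auto-populated base DN, a base DN consisting
only of dc= components is top-level (warning, and child-domain users are
retrieved), several base DNs are separated by ';', the default port is 389, and
the service account may be a sAMAccountName (domain\\user) or a UPN (user@domain).
"""
from typing import Dict, List, Tuple

DEFAULT_LDAP_PORT = 389  # default port number stated on the page


def domain_to_dn(domain: str) -> str:
    """mycompany.net -> dc=mycompany,dc=net (what the form auto-populates)."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain name is empty")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=Users, dc=mycompany,dc=net' into lower-cased (attr, value) pairs.
    Spaces after commas are tolerated, as in the page's own example."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    if not pairs:
        raise ValueError("DN is empty")
    return pairs


def is_top_level_dn(dn: str) -> bool:
    """True when every component is dc=, i.e. the DN is the root of the domain."""
    return all(attr == "dc" for attr, _ in parse_dn(dn))


def expand_base_dns(field: str, domain: str) -> List[str]:
    """Expand the ';'-separated base DN field; every DN must sit under the domain DN.
    An empty field keeps the auto-populated domain DN."""
    domain_pairs = parse_dn(domain_to_dn(domain))
    result = []
    for dn in field.split(";"):
        if not dn.strip():
            continue
        pairs = parse_dn(dn)
        if pairs[-len(domain_pairs):] != domain_pairs:
            raise ValueError(f"{dn.strip()!r} is not under domain {domain!r}")
        result.append(",".join(f"{a}={v}" for a, v in pairs))
    return result or [domain_to_dn(domain)]


def logon_name_format(account: str) -> str:
    """'upn' for user@domain, 'samaccountname' for domain\\user, else 'unknown'."""
    has_at, has_backslash = "@" in account, "\\" in account
    if has_at and not has_backslash:
        return "upn"
    if has_backslash and not has_at:
        return "samaccountname"
    return "unknown"


def validate_add_domain(form: Dict[str, str]) -> Dict[str, object]:
    """Return the normalized settings plus the warnings an administrator should see.
    Form keys (domain_name, port, user_base_dn, group_base_dn, service_account) are
    assumed names, not App Controller's."""
    domain = form["domain_name"]
    port = int(form.get("port") or DEFAULT_LDAP_PORT)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    user_dns = expand_base_dns(form.get("user_base_dn", ""), domain)
    group_dns = expand_base_dns(form.get("group_base_dn", ""), domain)
    warnings = []
    for label, dns in (("User Base DN", user_dns), ("Group Base DN", group_dns)):
        for dn in dns:
            if is_top_level_dn(dn):
                warnings.append(f"{label} {dn} is a top-level domain: synchronization "
                                "is slower and child-domain users are retrieved; "
                                "add a container such as cn=Users")
    fmt = logon_name_format(form["service_account"])
    if fmt == "unknown":
        warnings.append("Service Account must be domain\\user or user@domain")
    return {"domain_dn": domain_to_dn(domain), "port": port,
            "user_base_dns": user_dns, "group_base_dns": group_dns,
            "logon_format": fmt, "warnings": warnings}
```

Running validate_add_domain on a form whose base DNs are just the auto-populated dc=mycompany,dc=net yields the top-level warning for both base DNs; adding cn=Users in front, as the page recommends, clears it. The DN comparison is positional on the trailing dc= components, which is enough for the page's rule that every base DN belongs to the domain being added.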

To manually synchronize with Active Directory

App Controller supports the following three types of Active Directory synchronization:

• Initial synchronization. When you log on to the management console for the first time, you configure Active Directory settings in the initial wizard along with network and email settings. When you save the settings, App Controller synchronizes with Active Directory.

• Periodic synchronization. App Controller contacts Active Directory every five minutes to determine if there are any changes in Active Directory. App Controller looks for added, removed, and modified users in Active Directory. App Controller also looks for group membership changes and new and removed groups. This periodic synchronization starts for domains that have previously retrieved users and groups. The earlier synchronization must be successful for the periodic synchronization to run.

• Manual synchronization. You can synchronize with Active Directory at any time by using the synchronize icon next to the Active Directory domain in the App Controller management console. When you synchronize, App Controller updates all users from Active Directory for that domain and determines any changes to the user records. This synchronization can take as long as the initial synchronization and depends on the size of Active Directory. This synchronization also returns changes to users, including group membership. You can start synchronization for all managed domains. The App Controller synchronization process runs in the background, one domain after another. When you manually synchronize, App Controller displays a progress bar so you can track the progress.

1. In the App Controller management console, click Settings at the top of the page.

2. In the left pane, under System Configuration, click Active Directory.

3. In the details pane, under Actions, click the Sync icon for the domain with which you want to synchronize.
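The change detection that the periodic and manual synchronization types described above perform, written out as an added example over two constructed directory snapshots (illustrative code, not App Controller's own). It reports added, removed, and modified users, group membership changes, and new or removed groups, and it also flags users who lack a first name or last name, whom the page says App Controller cannot synchronize. The data model, function names, and sample users are assumptions.

```python
"""Added example: what a periodic Active Directory synchronization has to detect.

Illustrative code, not App Controller's. Two snapshots of one domain (the result
of two consecutive retrievals) are compared for added, removed and modified
users, group membership changes, and new or removed groups. Users without a
first and last name are reported separately because the page states that App
Controller cannot synchronize them.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    first_name: str
    last_name: str
    groups: FrozenSet[str]


@dataclass
class Snapshot:
    """One retrieval of a domain: users keyed by sAMAccountName, plus all groups."""
    users: Dict[str, AdUser]
    groups: Set[str]


def is_syncable(user: AdUser) -> bool:
    """The page: users lacking a first name or last name cannot be synchronized."""
    return bool(user.first_name.strip()) and bool(user.last_name.strip())


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, object]:
    """Compare two retrievals and return every category of change the page lists."""
    old_ids, new_ids = set(old.users), set(new.users)
    modified: List[str] = []
    membership: Dict[str, Dict[str, List[str]]] = {}
    for sam in sorted(old_ids & new_ids):
        before, after = old.users[sam], new.users[sam]
        if (before.first_name, before.last_name) != (after.first_name, after.last_name):
            modified.append(sam)
        if before.groups != after.groups:
            membership[sam] = {"joined": sorted(after.groups - before.groups),
                               "left": sorted(before.groups - after.groups)}
    return {
        "added_users": sorted(new_ids - old_ids),
        "removed_users": sorted(old_ids - new_ids),
        "modified_users": modified,
        "membership_changes": membership,
        "added_groups": sorted(new.groups - old.groups),
        "removed_groups": sorted(old.groups - new.groups),
        "not_syncable": sorted(sam for sam, u in new.users.items() if not is_syncable(u)),
    }


def _user(sam: str, first: str, last: str, *groups: str) -> AdUser:
    return AdUser(sam, first, last, frozenset(groups))


# Constructed sample data (not from the page): the same domain at two consecutive polls.
SNAPSHOT_T0 = Snapshot(
    users={
        "alice": _user("alice", "Alice", "Adams", "Sales"),
        "bob": _user("bob", "Bob", "Brown", "Sales", "Finance"),
        "carol": _user("carol", "Carol", "Cole", "Engineering"),
    },
    groups={"Sales", "Finance", "Engineering"},
)
SNAPSHOT_T1 = Snapshot(
    users={
        "alice": _user("alice", "Alice", "Adams-Lee", "Sales", "Finance"),  # renamed, joined Finance
        "bob": _user("bob", "Bob", "Brown", "Sales"),                       # left Finance
        "dave": _user("dave", "Dave", "", "Engineering"),                   # new, but no last name
    },                                                                      # carol is gone
    groups={"Sales", "Finance", "Engineering", "Support"},                  # Support is new
)


def example_diff() -> Dict[str, object]:
    """Diff of the two constructed snapshots above."""
    return diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)


if __name__ == "__main__":
    for key, value in example_diff().items():
        print(f"{key}: {value}")
```

In the sample, dave is reported both as an added user and as not syncable, which is the situation the Important note earlier on this page describes: the account exists in Active Directory, but without a first and last name App Controller does not synchronize it, and the user is told they are not authorized when starting an app.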


Installing the MDX Toolkit

The Citrix MDX Toolkit is available from the Citrix web site. The MDX Toolkit runs on a computer running Mac OS X Versions 10.7 (Lion), 10.8 (Mountain Lion), or 10.9 (Mavericks). The tool is not supported on a Windows-based computer.

Important: You must update to the latest version of Worx Home 8.6 on Android and iOS devices before you wrap apps with the 2.2.321 version of the MDX Toolkit. If not, when you try to open the apps in earlier versions of Worx Home, an incompatibility error message appears.

After you download the tool from the Citrix web site, you install the tool on your computer. When you install the tool, you are prompted for licensing, the location where you want to install the tool, and installation information.

The installation package includes a small utility for removing the MDX Toolkit. You can find the utility at the following location on your computer: /Applications/Citrix/CGAppPrepTool/Uninstaller.app/Contents. Double-click the utility to start the uninstaller app and then follow the prompts. When you remove the tool, you receive a message prompting you for your user name and password.