November, 2013 XenMobile 8.6 App Edition Mobile Application Management Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford Lead Support Readiness

November, 2013

XenMobile 8.6 App EditionMobile Application Management

Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford

Lead Support Readiness Specialist

© 2013 Citrix | Confidential – Do Not Distribute3

Objectives

At the end of this course, you will be able to :

• Module 1: Deploy WorxMail 1.3 ᵒ Configure and test some of the new WorxMail 1.3 features on iOS or Android devices

• Module 2: Deploy WorxWeb 1.3 ᵒ Configure and verify ability to create blacklist/whitelist of URLsᵒ Configure and verify ability to set a Homepage for WorxWeb

• Module 3: Deploy Native iOS (.IPA) or Android (.APK) appsᵒ Configure and verify ability to upload .IPA or .APK files to XenMobile App Controllerᵒ Verify mobile users can access and download native apps from XenMobile App

Controller


Objectives

• Module 4: Deploy Public Stores apps to iOS and Android devicesᵒ Configure and verify ability to publish iOS free and paid apps available from the App

Storeᵒ Configure and verify ability to publish Android free and paid apps available from the

Google Play

• Module 5: Deploy XenMobile App Controller in a Multi-Windows Domain Environmentᵒ Configure XenMobile App Controller to authenticate users from two independent

Windows domainsᵒ Configure and test NetScaler Gateway 10.1.e to allow remote users access

resources from either domain


Objectives

• Module 6: Deploy XenMobile App Controller with Multiple NetScaler Gatewaysᵒ Configure and test XenMobile App Controller with multiple NetScaler Gateways (2)

to allow remote users access resources from either Gateway


Assessment

There would be an assessment at the end of the course, covering the following modules:

• Module 1: Deploy WorxMail 1.3

• Module 2: Deploy WorxWeb 1.3

• Module 3: Deploy Native iOS (.IPA) or Android (.APK) apps

• Module 4: Deploy Public Stores apps to iOS and Android devices

• Module 5: Deploy XenMobile App Controller in a Multi-Windows Domain Environment

• Module 6: Deploy XenMobile App Controller with Multiple NetScaler Gateways

Module 1:Deploy WorxMail 1.3

© 2013 Citrix | Confidential – Do Not Distribute

What is WorxMail?

Mail, calendar, contactsEnterprise class security

Beautiful native experienceFull inter-app integration

MDX-secured

• ActiveSync email client for iOS/Android• Secure email body and attachment• “Open in” control to provide data leak

protection• No Exchange server exposure to internet• Send email with ShareFile attachments• Integrated calendars and Exchange GAL


ActiveSync Policy Support

• Control Sync settings for WorxMailᵒ Limit email sizeᵒ Allow Direct Push when roamingᵒ Allow attachments to be downloadedᵒ Allow HTML-formatted emailsᵒ Define maximum attachment size


Fast Join and Fast Dial

• Join GoToMeeting sessions right from WorxMail

• Dial-in right from the event details

• Running late option to quickly notify attendees via email


Fast Join and Fast Dial


Out of Office

• Out of Office option

• Configure time period

• Configure inside/outside my organization


Secure Photo Sharing From WorxMail


Info Rights Management – Android WorxMail

Module 2:Deploy WorxWeb 1.3


WorxWeb

Secure browserInternal web app accessFull inter-app integration

Consumer experienceMDX-secured

• iOS and Android device intranet web

browsingo Easy access to SharePoint, Intranet Portal etc

• Similar look/ feel as native browsero Safari on iOS; Chrome on Android

• Single sign-on via NetScalero Respond to HTTP 401


Secure Mobile Web Browser

• Full-featured consumer-like browser

• Secure access to internal, external and HTML5 web apps

• URL whitelisting and blacklisting

• Access to enterprise resources with a Micro VPN

WorxWeb


What’s New in 1.3 ?

• iOS 7 Support

• New policies supportᵒ Homepageᵒ Hide function (URL, Toolbar, etc)ᵒ Web links filtering


Module 3:Deploy Native iOS (.IPA) or Android (.APK) apps


.IPA and .APK file support

• Support to publish both .ipa and .apk applications




• Applications are not in .mdx format, no policies are applied

• Only details tab available in “edit” properties of applicationᵒ Cannot be included as part of a workflow






• No distinction between .ipa/.apk files and .mdx files in Apps/Docs view






• No distinction between .ipa/.apk files and .mdx files in Apps/Docs view

• Available as part of Worx store

Module 4:Deploy Public Stores apps to iOS and Android devices


Features

• Publish iOS apps from App Store ᵒ FREE appsᵒ Paid apps

• Publish Android apps from Google Play store ᵒ FREE appsᵒ Paid apps


Public Store – iOS and Android apps


Public Store – iOS apps

• Publish iOS App Store links on XM App Controller

• XM App Controller will automatically determine if app is free or paid

• XM App Controller downloadsᵒ App nameᵒ Descriptionᵒ Icon


Public Store – iOS apps

• Publish iOS App Store links on XM App Controller

• XM App Controller will automatically determine if app is free or paid

• XM App Controller downloadsᵒ App nameᵒ Descriptionᵒ Icon


Public Store – Android apps

• Publish Android apps links from Google Play store on XM App Controller

• XM App Controller will not automatically determine if app is free or paid

• IT Admin needs to enter app infoᵒ App nameᵒ Descriptionᵒ Paid or freeᵒ Image (icon)

Module 5:Deploy XenMobile App Controller in a Multi-Windows Domain Environment


Multiple Domain Support

• First domain specified in initial configuration is default domainᵒ Default domain cannot be deleted

• The domains may belong to different forestsᵒ As long as service account can access base DN

• In forest deployment each domain will need to specified as separate instanceᵒ Internal relationship between domains will not be consideredᵒ Trusts between domains will not be considered

• Nested groups will not be supported ᵒ Only users in specified group will be included in roleᵒ Users in a group within a specified group will not be included in role


App Controller Configuration

• Modify Domain settingᵒ Configuration data can be edited by Administratorᵒ Changes to user/group DN will require AppC to re-syncᵒ No further configuration changes can be completed during a re-sync


App Controller Configuration

• Modify Domain settingᵒ Configuration data can be edited by Administratorᵒ Changes to user/group DN will require AppC to re-syncᵒ No further configuration changes can be completed during a re-sync

• When multiple domains are configured on AppCᵒ Direct login only allowed for default domain usersᵒ All other domain authentication only supported through NetScaler Gateway

• Group membership across domainsᵒ Global or Universal groups are not supported


Master User List

• Master user list may be used to confirm that the additional domains synchronized correctly


NetScaler Gateway Configuration

• To support authentication from multiple domains, users need to gain access through NetScaler Gateway

• Add LDAP policy for each additional domain to Authentication tab within Enterprise gateway configuration


NetScaler Gateway Configuration

• To support authentication from multiple domains, users need to gain access through NetScaler Gateway

• Add LDAP policy for each additional domain to Authentication tab within Enterprise gateway configuration

• Same priority can be given to all the LDAP policies configured

• Within each LDAP policy, Server Logon Name is configured to UserPrincipalName

Module 6:Deploy XenMobile App Controller with Multiple NetScaler Gateways


Problem with XenMobile 8.5

• For XenDesktop deployment in multiple sites, one NSG is involved in each site

• App Controller supported only a single NSG to be configured

• App Controller needs to handle when all the NSGs use the same FQDN in GSLB case


How it worked previouslyAppController 2.8 and lower

Enable• Gateway in front of AppC

Callback URL

External URL• VIP on the NetScaler

Logon type• Domain only• Security token only• Domain & Security token


Approach

• ControlPoint allows multiple NSGs to be configured

• Each NSG has its own configurationsᵒ FQDN (for Account Service Record)ᵒ Callback URL (for AGESSO)

• App Controller AuthService uses two headers to reach back to the right NSGᵒ X-Citrix-Via (indicating NSG FQDN)ᵒ X-Citrix-Via-VIP (indicating NSG VIP)


Multi-NSG

AppController

NetScaler GW 2

NetScaler GW 1

NetScaler GW 3

X-Citrix-Via: NSG1_FQDNX-Citrix-Via-VIP: NSG1_VIP



AGESSO Callback


Detail

• ControlPointᵒ NSG configuration table where each row represents one NSG

• For GSLB NSGs, only a single row is configured• Otherwise there could be multiple rows

• AuthServiceᵒ If X-Citrix-Via-VIP header is present in the request

• Use X-Citrix-Via value as the SSL endpoint (for certificate validation against FQDN)• Use X-Citrix-Via-VIP as TCP endpoint

ᵒ If X-Citrix-Via-VIP header is not present• Use current behaviour by doing callback to X-Citrix-Via value• If there is a static host entry for that NSG FQDN, use it instead of doing DNS lookup

(OPTIONAL but requested by customers)


Multiple Callback URLs

• Each NetScaler Gateway will support multiple callback URLs (compared to before, it supported only one)

• Can have zero, one, or many callback URLs for each NetScaler Gateway

• When there are one or more callback URLs defined, AppController will choose the first URL on the list and failover to the next only if the first try times out and so on


Piggy Back Features

• Internal Beacon configurationᵒ Currently App Controller uses its own FQDN as the internal beacon and it is not

modifiableᵒ Making this field modifiable makes it easier to enforce clients to always go through

NSG

• (Optional) External Beacon configurationᵒ Currently App Controller uses the NSG it is configured with for external beaconᵒ If possible, we should also make these modifiable


Review

• Module 1: Deploy WorxMail 1.3 ᵒ Configure and test some of the new WorxMail 1.3 features on iOS or Android devices

• Module 2: Deploy WorxWeb 1.3 ᵒ Configure and verify ability to create blacklist/whitelist of URLsᵒ Configure and verify ability to set a Homepage for WorxWeb

• Module 3: Deploy Native iOS (.IPA) or Android (.APK) appsᵒ Configure and verify ability to upload .IPA or .APK files to XenMobile App Controllerᵒ Verify mobile users can access and download native apps from XenMobile App

Controller


Review

• Module 4: Deploy Public Stores apps to iOS and Android devicesᵒ Configure and verify ability to publish iOS free and paid apps available from the App

Storeᵒ Configure and verify ability to publish Android free and paid apps available from the

Google Play

• Module 5: Deploy XenMobile App Controller in a Multi-Windows Domain Environmentᵒ Configure XenMobile App Controller to authenticate users from two independent

Windows domainsᵒ Configure and test NetScaler Gateway 10.1.e to allow remote users access

resources from either domain


Review

• Module 6: Deploy XenMobile App Controller with Multiple NetScaler Gatewaysᵒ Configure and test XenMobile App Controller with multiple NetScaler Gateways (2)

to allow remote users access resources from either Gateway

Work better. Live better.

Documents

November, 2013 XenMobile 8.6 App Edition Mobile Application Management Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford Lead Support Readiness