White Paper
citrix.com

Protecting Mobile Apps with Citrix XenMobile and MDX


Mobility is a top priority for organizations as more employees demand access to the apps and data that will make them productive. Employees want access from any mobile device, including their own personal devices. In addition, the apps that people need to get their jobs done have expanded beyond mobile email to include Windows, web and native mobile apps, both in the cloud and in the datacenter. Often, these apps are broadly distributed across different locations. However, allowing users to access all of their apps and data from untrusted devices raises significant security and network scalability concerns.

Depending upon their level of mobile adoption, enterprises have traditionally turned to mobile device management (MDM) solutions to manage devices. However, with the adoption of BYOD, most companies now also require Mobile Application Management (MAM) to protect application data. Enterprise Mobility Management (EMM) is the combination of MDM and MAM.

While there are many Enterprise Mobility Management (EMM) providers that offer MAM capabilities, vendors take different approaches to protecting application data. Some require device enrolment. This approach is very intrusive, particularly for BYO users, because it requires the use of a device passcode.

Citrix’s EMM solution, XenMobile, offers comprehensive MAM capabilities that no other EMM vendor can match in terms of features and scalability. As an example, some vendors offer only a subset of XenMobile’s Mobile Application Management (MAM) policies, or require such extensive re-writing of an application that their solutions become difficult to implement and maintain. In addition, unlike many EMM vendors, XenMobile does not require that the device be under management to protect application data. Citrix’s MDX technology powers XenMobile’s MAM.

This paper will provide more details related to Citrix XenMobile and MDX.


XenMobile and Multilayered Protection

In order to deliver secure, optimized, high-performance apps to any user at any location, EMM solutions also require the right network infrastructure. EMM solutions must take data protection into account at every layer: data at rest on the device, data in transit over public networks, and data residing on servers behind the firewall.

Only Citrix XenMobile combined with NetScaler, the world’s leading application delivery solution, provides a comprehensive, multi-layered mobile security solution that allows IT to deliver apps and data to any device with a secure, high-performance user experience.

XenMobile includes and tightly integrates with many industry-leading technologies, such as ShareFile for enterprise file share and sync and NetScaler for connectivity. XenMobile leverages NetScaler not only to connect securely to resources behind the firewall but also to provide enterprise-ready features like GSLB and SSL offloading. These free up resources on the XenMobile server, which translates directly into higher scalability, and allow for easy intra-site HA and multi-site DR. Finally, XenMobile is controlled from a single console that gives easy access to MDM and MAM policies, apps and reporting.

Figure 1: Multiple Layers of Protection


Figure 2: End-to-End Data Protection

How XenMobile protects data at rest

The mobile application management (MAM) capabilities in Citrix XenMobile enable complete management, security and control over native mobile apps and their associated data. The Worx App SDK, a simple and powerful SDK that “Worx-enables” any mobile app, leverages Citrix MDX app container technology to separate corporate apps and data from personal apps and data on the user’s mobile device. This allows IT to secure any custom developed, third-party or BYO mobile app with comprehensive policy-based controls, including mobile DLP and the ability to remote lock, wipe and encrypt apps and data.

Unlike many of the competitors in this space, XenMobile not only includes an extensive policy library (over 60 policies—see Appendix) but also includes app-level encryption. Other vendors force the use of device level encryption to protect data at rest, which requires the device PIN code to be set. XenMobile can separately encrypt data stored within any MDX enabled app without requiring a device PIN code or the device being under management to enforce the policy.

Using the Worx App SDK, IT can:

• Separate business and personal apps and data in a secure mobile container, where they can be secured with encryption and other mobile DLP technologies and can be remotely locked and wiped by IT

• Enable seamless integration between “Worx-enabled” apps while also controlling all communication so IT can enforce policies, such as ensuring that data only is accessible by Worx-enabled apps


• Provide granular, policy-based controls and management over all HTML5 and native mobile apps, including an application-specific micro VPN for accessing an organization’s internal network, preventing the need for a device-wide VPN that can compromise security

Figure 3: Example MDX App Restriction Policies

Beyond device and application policy control, the best way to safeguard data at rest is encryption. While most EMM vendors choose to simply enable the device’s default encryption mechanism, Citrix has taken an extra step and added an additional layer of encryption to any data stored in a “Worx-enabled” app. The MDX App SDK utilizes FIPS 140-2 compliant AES 256-bit encryption with keys stored in a protected Citrix Secret Vault.
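As an added illustration (not Citrix code; the page does not describe how MDX or the Secret Vault are implemented), the following Go program models the app-level encryption described above: each Worx-enabled app gets its own AES-256 key held in an in-memory stand-in for the vault, records are sealed with AES-256-GCM, and a remote wipe is simply the destruction of the key. The `Vault` type, the app IDs and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sync"
)

// Vault is a hypothetical in-memory stand-in for the protected key store the paper
// calls the Citrix Secret Vault. Keys are per app and come from the OS CSPRNG, so
// they never depend on a device passcode and one app's key cannot open another's data.
type Vault struct {
	mu   sync.Mutex
	keys map[string][]byte
}

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// KeyFor returns the app's 256-bit data-encryption key, creating it on first use.
func (v *Vault) KeyFor(appID string) ([]byte, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if k, ok := v.keys[appID]; ok {
		return k, nil
	}
	k := make([]byte, 32) // a 32-byte key selects AES-256 in aes.NewCipher
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[appID] = k
	return k, nil
}

// Wipe models a remote wipe of one app: with its key zeroed and discarded, every
// record sealed under it is unrecoverable without touching the files themselves.
func (v *Vault) Wipe(appID string) {
	v.mu.Lock()
	defer v.mu.Unlock()
	for i := range v.keys[appID] {
		v.keys[appID][i] = 0
	}
	delete(v.keys, appID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM, random nonce prefixed. The app ID is
// bound as associated data, so a ciphertext copied into another app's container
// fails authentication even if a key were ever shared.
func Seal(key []byte, appID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(appID)), nil
}

// Open reverses Seal; a wrong key, a wrong app ID or any tampering is an error.
func Open(key []byte, appID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(appID))
}

// Demo walks the lifecycle: store a record, read it back, try to read it from another
// app's container, wipe the app, try again. App IDs and the record are made up.
func Demo() (roundTrip, crossAppBlocked, wipedBlocked bool) {
	vault := NewVault()
	const mail, notes = "com.example.worxmail", "com.example.personalnotes"
	record := []byte("constructed sample record: PO 4711 (not real data)")
	keyMail, _ := vault.KeyFor(mail) // a failure here surfaces below as a false result
	sealed, err := Seal(keyMail, mail, record)
	got, err2 := Open(keyMail, mail, sealed)
	roundTrip = err == nil && err2 == nil && string(got) == string(record)
	keyNotes, _ := vault.KeyFor(notes)
	_, err = Open(keyNotes, notes, sealed)
	crossAppBlocked = err != nil
	vault.Wipe(mail)
	keyAfter, _ := vault.KeyFor(mail) // a fresh key; the old one is gone
	_, err = Open(keyAfter, mail, sealed)
	wipedBlocked = err != nil
	return
}
```

Three properties the paragraph claims fall out directly: the key never derives from a device passcode, an app cannot read another app's container (a wrong key and a wrong associated-data value both fail the GCM tag check), and destroying the key is enough to make the stored records unrecoverable.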

MDX enables IT to require strong authentication and endpoint analysis before even permitting users to download and install applications on their devices. Once these apps are installed, Worx Home, a mobile app that provides access to desktops, apps and data, ensures that the desired policies are continuously enforced, always keeping IT in control of the enterprise content on users’ devices.


How XenMobile protects data in transit

MDX provides application-specific VPN access to a company’s internal network via the Citrix NetScaler Gateway feature. When a user tries to access a company’s internal network remotely, an app-specific VPN tunnel is created for each of the enterprise mobile apps in use.

Consider the situation where an employee wants to access the following resources within the secure enterprise network from a mobile device: the corporate email server, an SSL-enabled web application hosted on the corporate intranet and documents stored on a file server or Microsoft® SharePoint®. MDX enables access to all these enterprise resources from any device through an application-specific MicroVPN. Each app has its own dedicated MicroVPN tunnel.

MicroVPN functionality does not require a device-wide VPN that can compromise security on untrusted mobile devices. As a result, the internal network is not exposed to malware or attacks that could infect the entire corporate system, and corporate mobile apps and personal mobile apps are able to co-exist on one device. MDX with MicroVPN technology fills a significant gap left by traditional secure remote access technologies.

In-transit encryption methods and capabilities are defined on NetScaler and are typically configured as SSL 3 or TLS connections utilizing FIPS 140-2 compliant AES 256-bit encryption. NetScaler can also be configured to provide SSL off-loading for the final destination server for greater scalability.
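To show what the in-transit policy looks like from the app's side of the tunnel, here is an added Go example (not Citrix code; NetScaler's actual configuration syntax is not on the page) that builds a micro VPN client's TLS settings and exercises them against an in-process gateway on loopback. The gateway hostname and its self-signed certificate are constructed for the example. One caveat the paragraph's wording glosses over: SSL 3 is listed as an option, but a current stack should set TLS 1.2 as the floor, which is what `MinVersion` does here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// ClientTLSConfig is the tunnel policy a Worx-enabled app's micro VPN client could
// apply (my reading of the paper, not Citrix code). MinVersion TLS 1.2 rules out the
// SSL 3 option the paper lists (Go's crypto/tls never offered SSL 3 at all); TLS 1.2
// is limited to AES-256-GCM suites with forward secrecy, and the TLS 1.3 suites,
// which Go fixes itself, are all AEAD.
func ClientTLSConfig(gatewayName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: gatewayName, // hostname check against the gateway certificate
		RootCAs:    roots,       // trust the enterprise CA only, not the device store
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// selfSignedGateway makes a throwaway certificate for the in-process gateway.
func selfSignedGateway(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // Go verifies hostnames against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Tunnel starts a gateway on 127.0.0.1 whose certificate names certName, then opens
// one app tunnel to it expecting expectName. It returns the negotiated protocol
// version and cipher suite; a name mismatch fails the handshake, which is the
// hostname check doing its job.
func Tunnel(certName, expectName string) (version, suite uint16, err error) {
	cert, pool, err := selfSignedGateway(certName)
	if err != nil {
		return 0, 0, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	go func() { // gateway side: accept, handshake on first read, wait for the client to hang up
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		io.Copy(io.Discard, c)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), ClientTLSConfig(expectName, pool))
	if err != nil {
		return 0, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

Note that `CipherSuites` only governs TLS 1.2; when both sides support TLS 1.3 the handshake lands there and Go picks among its fixed AEAD suites, so the assertion a practitioner should make is on the negotiated version floor and on certificate and hostname verification, not on a suite name.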

While all EMM vendors offer some capability for moving packets to and from behind the firewall, none can compete with XenMobile and NetScaler in terms of speed, scalability and enterprise readiness. Other EMM vendors utilize simple, non-scalable Windows- or Linux-based applications to route mobile packets and to terminate “per-app VPN” connections. NetScaler is the most scalable, offering hundreds of thousands of simultaneous FIPS 140-encrypted sessions, and can easily scale further by simply adding appliances. None of the other EMM vendors offer enterprise-level features like load balancing or SSL off-loading, so additional appliances must be purchased for these capabilities.

To offer even stronger levels of security, IT can configure MDX enabled apps with an “Alternate NetScaler Gateway.” This alternate gateway may require different levels of authentication depending on where the user and app are connecting. For example, if the user is running the app from a non-corporate WiFi connection, the app can be configured to utilize this alternate gateway. The gateway can be configured to require the user to utilize a two-factor token in addition to their normal AD username/password. This flexibility in connection allows IT to configure apps to require stronger authentication mechanisms when connecting from non-corporate networks.

In addition to security features, the MicroVPN also offers data optimization techniques, including compression algorithms, to ensure that only minimal data is transferred and that the transfer completes as quickly as possible. This improves the user experience, a key factor in mobile project success.


Figure 4: Example MDX Policies for Authentication and Access

How XenMobile protects the infrastructure behind the firewall

Security inside the company network is just as critical if not more so than on the mobile device. Citrix takes a number of measures to protect the mobile management infrastructure. The primary components of a XenMobile solution include NetScaler and the XenMobile Server (XMS).

Citrix has an independent security team that is not part of the XenMobile product group. This group continually performs penetration tests, evaluates the product source code (much like an external entity would) and flags security concerns. Concerns are prioritized with severity levels of critical, high, medium and low, and the product engineering teams address them according to fix schedules before the product is certified ready for release.

NetScaler provides a secure application firewall. NetScaler Gateway serves as the primary edge ingress/egress point, and a vast number of security checks are performed there. For example, all logon input fields are protected against standard security threats such as XSS or SQL injection.

The XenMobile Server leverages a hardened Tomcat web server deployment customized for MDM and MAM management. XMS can be either deployed in the DMZ or behind the firewall, inside the secured company network.


Database services are provided by Microsoft SQL Server or Postgres (eval/testing only). XMS is logically separated from the database, which can reside anywhere. Best practice is to install the database behind the firewall, inside the secured company network. Thus, critical data, regardless of its state, never sits in the DMZ.

Competitors’ on-premises solutions require deployment of their servers in the corporate DMZ. While somewhat secure, most security-minded people would rather have those servers and databases in a secure zone, behind the corporate firewall. XenMobile can sit completely behind all corporate firewalls, leaving only the security-hardened NetScaler appliance in the DMZ to route traffic. This protects the XenMobile server and its configuration data; in addition, using NetScaler to provide SSL off-loading and load balancing for other data sources such as Exchange or SharePoint protects those servers from being attacked directly from the internet.

By placing the XenMobile server completely behind the firewall, access to other enterprise resources like Active Directory or the highly available SQL cluster makes the deployment much easier and more secure. In addition, XenMobile uses real-time lookups of AD information rather than “synchronizing” it, thereby storing less critical information.

How to add XenMobile data protection to apps

To manage native mobile applications, over-the-air distribution files (.ipa files for iOS or .apk files for Android) must be “Worx-enabled” using the Worx App SDK. With a single line of code or using a wrapper, any developer or administrator can easily add enterprise capabilities to a mobile app. Once complete, security and usage policies are applied to each individual mobile app.

Unlike many competitors, where wrapping or SDK integration yields a different set of features, or where SDK implementation requires hundreds of lines of code, XenMobile offers exactly the same set of features whether wrapping or integrating via the SDK. The wrapping process is so easy that it can become an IT roll-out process rather than a burden on the app development team, freeing those resources to develop apps and features. The wrapping process is all done “in house”, keeping your unique developer and deployment certificates safe rather than requiring you to upload them to a “service” where the safeguarding of your critical development and deployment certificates falls upon a third party.

In preparation for app distribution to mobile devices, the Worx-enabled applications are uploaded to the XenMobile Server. These Worx-enabled apps are then containerized with MDX. To prevent unauthorized usage, access rights to each application are managed by assigning user groups from Microsoft® Active Directory® to the application. Applications will not be visible to any user who is not part of the Active Directory user group(s) authorized within XenMobile to use the specified application. Additionally, as some apps could cost money, approval workflows can be added to allow multiple levels of management to approve a user’s request for the app.
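The alternate-gateway rule described under “How XenMobile protects data in transit” and the Active Directory group and approval controls described above are each a small policy decision, so here is one added Go example (not Citrix code) that evaluates them together on constructed data: app visibility by AD group with deny as the default, gateway and authentication-factor selection by network, and multi-level approval before install. The type names, group names, gateway hostnames and the `corporate-wifi` network label are assumptions for the example.

```go
package main

import (
	"sort"
	"strings"
)

// Added illustration of the paper's access rules; all names and layouts are assumed.

// AppPolicy is the slice of an app's MDX policy that this example evaluates.
type AppPolicy struct {
	ID               string
	AllowedGroups    []string // AD groups entitled to see and install the app
	PrimaryGateway   string
	AlternateGateway string   // used off the corporate network; "" means none configured
	ApprovalLevels   []string // roles that must all sign off on a request
}

type User struct {
	Name   string
	Groups []string // AD group memberships, looked up at request time
}

type Access struct {
	Gateway string
	Factors []string // authentication factors the gateway will demand
}

// VisibleApps returns, sorted, the IDs of the apps the user is entitled to. Matching
// is case-insensitive because AD group names are; a user in no allowed group sees nothing.
func VisibleApps(policies []AppPolicy, u User) []string {
	member := map[string]bool{}
	for _, g := range u.Groups {
		member[strings.ToLower(g)] = true
	}
	var out []string
	for _, p := range policies {
		for _, g := range p.AllowedGroups {
			if member[strings.ToLower(g)] {
				out = append(out, p.ID)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// SelectGateway applies the alternate-gateway rule: on the corporate network the primary
// gateway with AD credentials suffices; any other network (an unknown one included) goes
// to the alternate gateway, which adds a second factor. With no alternate configured the
// primary gateway is used but the second factor is still demanded.
func SelectGateway(p AppPolicy, network string) Access {
	if strings.EqualFold(network, "corporate-wifi") {
		return Access{Gateway: p.PrimaryGateway, Factors: []string{"ad-password"}}
	}
	gw := p.AlternateGateway
	if gw == "" {
		gw = p.PrimaryGateway
	}
	return Access{Gateway: gw, Factors: []string{"ad-password", "two-factor-token"}}
}

// Approvals maps an approver role to whether it has signed off on a request.
type Approvals map[string]bool

// Granted is true only when every level on the policy has signed off; no levels, no approval needed.
func Granted(p AppPolicy, a Approvals) bool {
	for _, level := range p.ApprovalLevels {
		if !a[level] {
			return false
		}
	}
	return true
}

// CanInstall is the combined check: entitled by group and fully approved, else denied.
func CanInstall(policies []AppPolicy, u User, appID string, a Approvals) bool {
	visible := false
	for _, id := range VisibleApps(policies, u) {
		visible = visible || id == appID
	}
	for _, p := range policies {
		if p.ID == appID {
			return visible && Granted(p, a)
		}
	}
	return false
}

// SamplePolicies is constructed test data, not a real deployment.
func SamplePolicies() []AppPolicy {
	return []AppPolicy{
		{ID: "WorxMail", AllowedGroups: []string{"All-Employees"}, PrimaryGateway: "gw.corp.example", AlternateGateway: "gw-mfa.corp.example"},
		{ID: "ExpenseApp", AllowedGroups: []string{"Sales", "Finance"}, PrimaryGateway: "gw.corp.example", ApprovalLevels: []string{"manager", "finance"}},
		{ID: "FinanceDashboard", AllowedGroups: []string{"Finance"}, PrimaryGateway: "gw.corp.example", AlternateGateway: "gw-mfa.corp.example"},
	}
}
```

The order of the checks is the point: entitlement is decided from live group membership before any gateway is chosen, an unrecognised network is treated as untrusted rather than as corporate, and a paid app stays uninstallable until every approval level has signed off.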

Conclusion

Only Citrix delivers a comprehensive, highly scalable solution with multi-layered protection that allows mobile users to have access from any device at any location. XenMobile with the Worx App SDK and MDX technology gives IT the power to separate business and personal applications inside a secure mobile container. In this container, employees are free to be productive while on the go. More importantly, the container prevents security from being compromised. MDX provides granular, policy-based management and access controls over all native and HTML5 mobile apps along with (separate from device) FIPS 140-2 compliant encryption. IT can centrally control and configure policies based on users’ identity, device, location and connectivity type to restrict malicious usage of corporate content. In the event a device is lost or stolen, business applications and data can be disabled, locked or wiped remotely. The overall result is a solution that increases employee satisfaction and productivity, while ensuring security and IT control.

Appendix

The following appendix sections list the MDX app policies for iOS, Android and Windows Phone and for the Worx apps.

https://docs.citrix.com/en-us/mdx-toolkit/10/xmob-mobile-app-policy-defaults.html

Corporate Headquarters: Fort Lauderdale, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
EMEA Headquarters: Schaffhausen, Switzerland
India Development Center: Bangalore, India
Online Division Headquarters: Santa Barbara, CA, USA
Pacific Headquarters: Hong Kong, China
Latin America Headquarters: Coral Gables, FL, USA
UK Development Center: Chalfont, United Kingdom

About Citrix

Citrix (NASDAQ:CTXS) is leading the transition to software-defining the workplace, uniting virtualization, mobility management, networking and SaaS solutions to enable new ways for businesses and people to work better. Citrix solutions power business mobility through secure, mobile workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. With annual revenue in 2014 of $3.14 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

Copyright © 2015 Citrix Systems, Inc. All rights reserved. Citrix and XenMobile are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

0915/PDF