citrix.com 1
XenMobile 8.6
http://docs.citrix.com/content/docs/en-us/xenmobile/8-6.html
Jul. 01, 2015
Docs.Citrix.com
XenMobile 8.6
About this release
XenMobile Product Videos
How Do I...
Known Issues
Deploying XenMobile Components
Deploying NetScaler Gateway with App Controller and StoreFront
Deploying Device Manager
Deploying Other Citrix Products with XenMobile
Deploying the MDX Toolkit
Providing Access to Mobile Apps
XenMobile FIPS 140 Compliance
Gathering Information Before you Deploy XenMobile Components
Opening Ports for the XenMobile Solution
Gathering Network Information
Determining Your Hardware, Hypervisor, and Sizing Requirements
XenMobile Solution Pre-Installation Checklist
Downloading XenMobile Product Software
Installing Netscaler Gateway in Your Network
Installing XenMobile MDM Edition
Device Manager
XenMobile NetScaler Connector 8.5
XenMobile Mail Manager 8.5
App Controller 2.9
Configuring App Controller for the First Time
Adding Active Directory Domains to App Controller
Installing the MDX Toolkit
Configuring Device Manager
Configuring Device Manager to Connect to App Controller
Configuring High Availability on Device Manager
Managing Devices with the Dashboard
Workflow for Managing a Device
Defining Users and Groups
Managing Devices
Working with Apps
Adding Files
Creating Device Manager Policies
Creating Deployment Packages
Configuring Automated Actions
Configuring Notifications
Configuring General Device Manager Options
Configuring Macros
Viewing Reports
Managing Security and Identity
Configuring App Controller
Preparing Mobile Apps with the MDX Toolkit
Adding Apps
Configuring MDX Policies for iOS Apps in App Controller
Configuring MDX Policies for Android Apps in App Controller
Configuring Encryption Policies for Apps Running on Mobile Devices
Configuring Encryption Policies for Android Apps
Changing App Settings
Configuring High Availability
Creating a Cluster
Configuring a Web Proxy Server
Installing Certificates
Overview of the Certificate Signing Request
Adding Roles
Configuring Connections to ShareFile
Locking and Erasing Apps and Data
Enabling Connections Between Device Manager and App Controller
Maintaining and Monitoring App Controller
Choosing Your Authentication Method
User Experience with Client Certificate Authentication
Steps to Configure XenMobile Client Certificate Authentication
Gathering XenMobile Logs and Support Bundles
Obtaining App Controller Logs and Support Bundles
Collecting Logs
Enrolling Users and Devices
Enrolling iOS and Android Users with Worx Home
Enrolling Client Devices for Windows and Symbian
Configuring Enrollment Modes
To send enrollment notifications to iOS or Android devices
To configure a Notifications SMTP Server
To configure an SMS Notifications Gateway
To configure a notification template
Enrolling User Names with Special Characters
To enable two step enrollment for iOS devices
To enable auto discovery for client enrollment
To create custom terms and conditions for enrollment
To configure Self Help Portal enrollment
To check sent notifications logs
Requesting an APNS Certificate
Providing Access to Worx and Mobile Apps
System Requirements for Worx Apps
Microsoft IRM Support for WorxMail
Worx Home
WorxMail and WorxWeb
Evaluating XenMobile Effects on Device Battery Life
Connecting Users to Citrix Receiver
Sending App Controller Application Lists to Citrix Receiver
Configuring Connections to Applications Through Netscaler Gateway
Configuring Applications and Trust Settings for NetScaler Gateway
Configuring App Controller to Provide STA Tickets for WorxMail
About this release
Citrix XenMobile is a comprehensive solution that allows you to manage mobile devices, apps, and data. Users can
access all of their mobile, SaaS, web, and Windows-based apps from a unified app store, including seamlessly
integrated email, browser, data sharing, and support apps. XenMobile allows you to control mobile devices with full
configuration, security, provisioning and support capabilities. In addition, XenMobile securely delivers Worx mobile apps
that are built for businesses by using the Worx App SDK and found through the Worx App Gallery. With XenMobile, you
can meet your compliance and control needs while giving users the freedom to experience work and life their way.
The XenMobile solution consists of the following components:
NetScaler Gateway. NetScaler Gateway allows remote users to securely access internal network resources.
Users can connect with any device to access their applications, email, and file shares in the internal
network.
XenMobile MDM Edition. XenMobile MDM includes Device Manager that allows you to manage mobile
devices, set mobile policies and compliance rules, gain visibility to the mobile network, provide control over
mobile apps and data, and shield your network from mobile threats. Device Manager simplifies the
management of mobile devices.
XenMobile App Edition. XenMobile App Edition includes App Controller 2.9, the industry's first unified
service broker that aggregates, controls, and securely delivers Windows, web, and SaaS applications, iOS
and Android apps, integrated ShareFile-based data, and virtual desktops to any device, anywhere.
XenMobile App Edition gives users an intuitive single point of access and self-service for all of their business
applications on any device anywhere.
MDX Toolkit. The MDX Toolkit is a software application that you can install on Mac OS X computers and use
to convert unsigned iOS or Android mobile apps (.ipa or .apk) into signed MDX files. In the process of this
conversion, Citrix embeds a policy framework and default set of policies that enable you to configure,
securely distribute, and manage each prepared application by using App Controller.
Worx apps. Mobile users can connect with Worx Home to enroll their devices and access their mobile apps
from App Controller. Users can connect to the Worx Store and download Worx Home, WorxMail, and
WorxWeb.
ShareFile. ShareFile is a cloud-based file sharing service that enables users to easily and securely
exchange documents. ShareFile enables users to send large documents by email, securely handle
document transfers to third parties, and access a collaboration space from desktops or mobile devices.
ShareFile provides users with a variety of ways to work, including a web-based interface, desktop tools, and
integration with Microsoft Outlook.
What's New in XenMobile 8.6.1
The 8.6.1 release includes updates and enhancements to the following components: Worx Home, WorxMail, WorxWeb,
and the MDX Toolkit. You can also install an update for Device Manager to enable SSL offloading on NetScaler.
To download the XenMobile 8.6.1 release, as well as the update for Device Manager, see the Citrix web site. To download
the latest MDX Toolkit and Worx apps, see the Citrix web site.
Worx Apps
Improvements and stability enhancements. This release fixes issues that users occasionally experienced on
Android 4.3 devices with WiFI configurations and WorxWeb, and with WorxMail synchronization, airplane
mode, and logon behavior on all device types. The release also includes new methods of detection to
determine if a device is jailbroken or rooted. The new methods decrease the number of false positive
reports.
Battery life improvements. Battery retention has improved by approximately 15% in tests that simulate active
WorxMail use for 24 hours on an iPhone 5 running iOS 7.04. In the test, the connection occurred for 9 hours
over 4G and 15 hours over WiFi. For more information about battery life in XenMobile, see
Evaluating XenMobile Effects on Battery Life.
ShareFile single sign-on (SSO) support. Users can now use SSO from Worx apps to access ShareFile.
Support for Android 4.4. XenMobile allows you to manage Android 4.4 devices.
Support for Samsung SAFE devices. You can now install Worx Home on Samsung SAFE devices running
Android 4.3 and later from Google Play.
Note:
It is a known issue that users cannot run CXM Web on a Samsung SAFE device that you manage
through Device Manager.
You need to deploy the built-in Samsung MDM license key (Samsung ELM key) policy to a device to
enable the Samsung SAFE APIs before deploying Samsung SAFE policies and restrictions.
Support for .wav and .mp3 attachments. Users can now open .wav and .mp3 audio attachments in WorxMail
on iOS devices. For details, see WorxMail Audio Formats.
Support for map images. Users can include map images in WorxMail, in email message body and contacts
on iOS devices.
Device Manager
SSL offloading. The update for XenMobile Device Manager allows the SSL connection to be offloaded from NetScaler to
Device Manager. SSL connections bound for Device Manager terminate on NetScaler. NetScaler then initiates a new HTTP
connection to the Device Manager server. The new connection between NetScaler and Device Manager can be either clear
text on port 80 or re-encrypted over SSL. Citrix recommends the latter, re-encrypted, method.
Note: To enable this capability, you need to install the update for Device Manager from the Citrix website.
MDX Toolkit
Users can now wrap apps for Android 4.4 and can wrap the following files:
iAnnotate .ipa for iOS 7
MicroStrategy.ipa file for iOS 7.0.3
Installation Post-Requisites
After you install the XenMobile 8.6.1 release, Citrix recommends the following post-requisite steps:
You should use the latest version of the MDX Toolkit (Version 2.3.371) to wrap the latest versions of WorxMail,
WorxWeb, and other third-party apps that you plan to provision to users. If users continue to run an older version of
Worx Home, they will see the following message prompting them to upgrade the app: Incompatible App, please check
for an update to Worx Home and apply it. If the problem persists, you will need to remove this app and reinstall it.
Citrix also recommends that users update Worx Home to Version 8.6.1.
For technical support from Citrix, you can create a support case with the Customer Center or call (888) 936-7747 and
reference XenMobile 8.6, MR1.
XenMobile Product Videos
The following product videos demonstrate how to use and understand some of the key features of XenMobile:
What's new and cool in WorxMail 1.3?
How to add apps to App Controller
How to add NetScaler Certificates
How to Wrap Android Apps using the MDX Toolkit and through the command line
Collecting Managed iOS App Logs using Unified Logging Feature of Worx Home
How to Upload App Controller Support Bundle to ShareFile FTP
Introduction to XenMobile Cloud Architecture
How to Collect XenMobile Device Manager Logs
How to Load Balance XenMobile Device Manager using the XenMobile Wizard on NetScaler
How Do I...
The following are links to topics that help you configure XenMobile components.
Device Manager
Gather logs from XenMobile components.
Know what to expect in terms of battery drain on a user device after deploying XenMobile.
Request an APNS certificate.
Create a credential provider using external PKI entities.
Create policies for Samsung SAFE devices.
Create and deploy MDM policies.
App Controller
Determine which apps support SSO through App Controller.
Configure high availability on App Controller.
Deploy StoreFront with App Controller to enable connections through Receiver or Worx Home.
Configure the Callback URL between NetScaler Gateway and App Controller.
Configure multiple Active Directory domains in App Controller.
MDX Toolkit
Prepare to wrap iOS and Android apps.
Collect log files for the MDX Toolkit from a Mac OS X computer.
Worx Apps
Configure STA for WorxMail.
NetScaler Gateway
Configure NetScaler Gateway to authenticate mobile device users.
Configure settings for connections from mobile users with the Quick Configuration wizard.
Understand the authentication types that are supported.
Learn about device certificates.
Know where to install device certificates.
Enroll users' iOS and Android devices in Device Manager.
Determine the prerequisites for deploying WorxMail.
Known Issues
The following are known issues for XenMobile in Version 8.6.1.
Worx Apps
When you configure a WiFi policy in Device Manager and users try to connect on a Samsung SAFE device, an
authentication error occurs unless users manually edit and save the setting. [#430721]
When split tunneling is enabled, single sign-on (SSO) through Secure Browse in WorxWeb is not supported on
Android devices. [#431158]
After users upgrade to Worx Home 8.6, the Worx Home app occasionally reports incorrectly that the Android device is
rooted. [#431611]
When users try to open Worx Home on an Android 2.3 device and are prompted for their Worx PIN, the keyboard
does not appear. [#433599]
The following are known issues for XenMobile in Version 8.6.
MDX Toolkit
On Android devices, the camera freezes while capturing video for upload and the user must tap the back button to exit
the frozen camera. To enable video capture from an MDX-wrapped app, set the Block mic record policy to Off.
[#539024]
To wrap apps for Android Version 4.3, you need to install the Java Development Kit (JDK) 1.7. You can download the
JDK from Java SE Development Kit 7 Downloads on the Oracle web site. The instructions for installing the JDK on
Mac OS X are on the ComputechTips web site.
If you upload a wrapped iOS app two times in App Controller with different file names, when users subscribe to both
apps and then delete one instance of the app from their device, the title shows as "GoogleGoogle." Do not upload the
same app with different names to App Controller. [#317912, #321386, #323986, #324436]
If you download an application from the Apple App Store, attempts to wrap the app fail. Wrapping apps from the App
Store is not permitted. [#320969]
When you upload a wrapped app to App Controller and set the Maximum OS version in the Mobile App Details dialog
box, App Controller still allows users with a newer OS version to start the app. You must set the maximum OS version when you
wrap the app. [#321389]
When you have a wrapped Office2HD app in App Controller with the same application ID as an unwrapped Office2HD
app, and you configure the Document exchange (Open In) policy for a WorxMail app as Restricted, when users open
a .docx attachment, an unwrapped Office2HD from the App Store appears as an Open In option when only wrapped
MDX apps should appear. [#328877]
For this release, using the MDX Toolkit for Microsoft Office Suite is not supported. [#341800]
The MDX Toolkit incorrectly allows the entry of the ampersand (&) character when completing the Minimum and
Maximum OS versions. As a result, if you enter an ampersand in the operating system versions for an app, no apps
appear in Receiver, including the app that you configured. [#342359]
If you set the block screen policy to On to prevent users from taking screen shots on their Android device, some
mobile apps continue to allow users to take screen shots. These apps use the Adobe AIR platform. Preventing screen
shots in these apps does not work. [#357240]
Some mobile apps require certificate checks when users start the app. If you wrap an app that requires a certificate
check, the app might not start on the user device. [#357368]
App wrapping technology is limited to standard Android applications that are written by using the Android Java SDK.
Wrapping, code interception, and data containment do not support or attempt to modify "native code" (low-level
code) within the application. Although it is possible that some applications make use of native code, not many do so.
This may impact the capability of being able to restrict certain application functionality by using data containment
policies. [#357811, #362211, #362749, #362750]
If a mobile app stores data or documents outside the application data area, when you erase the device, the data or
documents are not erased. [#358803]
App wrapping technology and data containment technology are limited to intercepting inside the main application's
Dalvik Executable (DEX) file. DEX files are compiled Android Java code that run on the Android operating system.
Code that resides outside the main DEX file is not intercepted during wrapping. This may limit the ability to restrict
certain application functionality by using data containment policies. [#361404]
On an Android device, when you configure the Initial VPN mode policy as Secure browse, when users start WorxWeb
and do not use the app for approximately 30 minutes or longer and the app times out, when they try to open the app
again, the home page does not load and a "page not available" error appears. [#428381]
When users try to log on to WorxWeb with an Android device and authenticate through NetScaler Gateway, when you
set a policy to require users to log on each time the app opens, the maximum number of attempts they can make is
the default of five and a message appears, regardless of the policy you set in App Controller. [#424846]
Occasionally, when users try to log on through Worx Home to a Worx-enabled app and the Android device uses a
client certificate for authentication, Worx Home fails. [#428489]
If you edit the Require internal network policy for Android apps to On, when the Android device is connected to the
network, if users log off from Worx Home and then change their device to Airplane mode or turn WiFi off, if they try to
open an app, users are prompted to log on to the network and the app does not open. [#428540]
App Controller
Important Notes
When you add users to Active Directory, you must enter the first and last name in the user properties. If you do not
configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When
users attempt to start an app, users receive a message that they are not authorized to use the app.
User account requests by using the workflow template with the App Controller workflow feature is not supported for
users who connect with Receiver for Web.
User account requests by using the subscription workflow template with the App Controller workflow feature is not
supported on Receiver for Mac 11.4. Users need to upgrade to Receiver for Mac 11.6 or 11.7.
The internal URL redirection feature, in which Receiver checks a keyword to determine if the URL requires a
connection with the NetScaler Gateway Plug-in, is not available with Receiver for Web. The feature is supported only
with Receiver for Windows Versions 3.1, 3.2, 3.3, or 3.4.
If you configure proxy servers to use both HTTP and HTTPS, App Controller uses the secure proxy server for all
application connectors. If you configure only HTTP, or only HTTPS, App Controller uses the configured proxy server
for all application connectors.
App Controller contains the management console. To open the management console, in a Web browser, enter
https://<FQDN>:4443/ControlPoint, where <FQDN> is the fully qualified domain name (FQDN)
or IP address of App Controller. The default user name is administrator and the password is password.
App Controller Known Issues
After you import a server certificate with the .pem format that contains the root certificates in the chain, only the server
certificate uploads successfully. The issue does not occur with the .pfx format. [#411328]
If you use the management console to configure App Controller log transfers instead of using the command-line
console, in Remote directory, you must specify the home directory of the user on the SSH server. [#412802]
When you take a snapshot of the App Controller configuration, if you configure a new instance of App Controller with a
different IP address and host name, and then if you import the snapshot and select the Configuring only restore check
box, after restarting App Controller, the host name from the snapshot is restored in error. To return to the original host
name, install the correct certificates. [#418002]
When users try to open Box through single sign-on (SSO) from Worx Home, SSO fails. To enable SSO to work in
subsequent logons, users must select the View Full Site option in the app. [#418547]
When users log on with Receiver for Web by using their user name and password and an invalid domain, such as
awswsws\ctx3, they can log on successfully. User authentication occurs with the configured domain and not the
user-provided domain. If you configure multiple Active Directory domains, you should allow users to log on by using the
user principal name (UPN) format, such as username@domain.com. [#418608]
When users log on with the NetScaler Gateway Plug-in and try to open the Office365_SAML app, SSO fails and users
must enter their credentials. [#419290]
When users upgrade to App Controller 2.9 and view Beacons on the Settings panel of the management console by using
Internet Explorer, the Default store view option does not appear. Citrix recommends logging off and then clearing the
browser cache. [#423495]
When users try to open CentralDesktop through SSO from Worx Home, SSO fails and users must enter their
credentials. To enable SSO work for subsequent logons, when users log on, they must select the Switch to Full Site
option in the account settings for the app. [#424338]
SSO for the Groupon app does not work when users try to open the app from Worx Home. The following error
appears: "Oops! That page doesn't exist." To enable SSO to work for subsequent logons, users must select Switch to
non-mobile version in the app. [#424341]
When users try to open ShareFile through SSO from Worx Home, SSO fails and users must close and then reopen
the app to enable SSO to work for future logons. [#424579]
After you upgrade to App Controller 2.9, in a high availability configuration, occasionally the secondary node restarts
and changes to recovery mode. Citrix recommends that you upgrade the primary node to App Controller 2.9, and then
install a new virtual image of App Controller 2.9 on your hypervisor and join the node to the primary node. [#428132]
Device Manager
Important Note
To increase security in Worx Home on Android devices, the end user password is no longer cached after
enrollment. Consequently, you should not use the %EWPASSWORD% macro in device policy definitions. If
you used that macro to prepopulate the password field of an ActiveSync configuration policy, for instance,
you should edit the policy and remove the password macro. You can replace this type of configuration with a
certificate-based authentication to Exchange.
There is a known issue in iOS7 related to launching iOS apps from a web app in full screen mode. If you are using
iOS7 and Apple's new Volume Purchase Program, do not configure the store webclip to be in full screen mode. To do
that, in XenMobile Device Manager, open the iOS Policy called "MyAppStore" and clear the Full Screen check box.
[#424876]
Amazon does not support "restrict profiles" in XenMobile 8.6. This affects the Amazon Kindle version of
Worx Home. [#424930]
If you are using Cisco AnyConnect with XenMobile, the following file has a security breach caused by a bug in Cisco's
code. For more information, contact Cisco. [#421038]
File name: com/cisco/anyconnect/vpn/android/service/helpers/uri/FileRetriever.java 384
The Super Admin in Device Manager Role Based Access Control (RBAC) will lose super admin status when
upgrading to XenMobile 8.6. There is no loss of functionality but the privileges checkbox for super admin becomes
cleared after upgrade. To fix this, in the Device Manager web console, click Options, and in the RBAC section, reassign
the privileges for the super admin role. [#428009]
XenMobile Mail Manager
XenMobile Mail Manager (XMM) can only allow or block by ActiveSyncDeviceId or by user. It is the responsibility of the
XenMobile Device Manager (XDM) device agent to detect the ActiveSyncDeviceId on a given device and to
report it to Device Manager, so that Device Manager can then deliver it to XMM as policy. There are some devices for
which the device agent cannot detect the ActiveSyncDeviceId. In that case, if the device is to be allowed, Device Manager
must send XMM a policy that allows the user, which allows all devices of that user. This can be mitigated by installing
Touchdown on the device, because the device agent can detect the ActiveSyncDeviceId of Touchdown.
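The fallback described above matters because a user-level allow is coarser than a device-level allow. The following Python model, added here as an illustration and not part of XenMobile or any Citrix code, shows how the decision degrades when the device agent reports no ActiveSyncDeviceId: a compliant device with an id gets a device-scoped allow, a compliant device without one forces a user-scoped allow, and the evaluator then admits any device that user presents. The record format, the policy-entry format, the precedence of device entries over user entries, and the default-block behaviour for unmatched requests are all assumptions made for this example; the device ids and user names are constructed.

```python
"""Model of the XMM allow/block fallback (added example, not Citrix code).

Assumptions (not from the XenMobile documentation):
  - Device Manager produces one policy entry per enrolled device.
  - A device-scoped entry takes precedence over a user-scoped entry.
  - A sync request matching no entry is blocked.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EnrolledDevice:
    user: str
    compliant: bool
    activesync_device_id: Optional[str]  # None when the agent cannot detect it


@dataclass
class XmmPolicyEntry:
    action: str   # "allow" or "block"
    scope: str    # "device" or "user"
    subject: str  # the ActiveSyncDeviceId (device scope) or user name (user scope)


def build_xmm_policy(devices: List[EnrolledDevice]) -> List[XmmPolicyEntry]:
    """Turn Device Manager's view of enrolled devices into XMM policy entries."""
    entries = []
    for d in devices:
        if d.activesync_device_id:
            # Normal path: the agent reported the id, so the decision is per device.
            action = "allow" if d.compliant else "block"
            entries.append(XmmPolicyEntry(action, "device", d.activesync_device_id))
        elif d.compliant:
            # Fallback path from the documentation: no id, so the only way to let
            # this device sync is to allow the user, which admits all of that
            # user's devices.
            entries.append(XmmPolicyEntry("allow", "user", d.user))
        # A non-compliant device with no id gets no entry; the assumed default
        # (block unmatched requests) covers it.
    return entries


def is_sync_allowed(entries: List[XmmPolicyEntry], user: str, device_id: str) -> bool:
    """Evaluate an ActiveSync request the way the modelled XMM would."""
    for e in entries:
        if e.scope == "device" and e.subject == device_id:
            return e.action == "allow"  # device entry wins (assumption)
    for e in entries:
        if e.scope == "user" and e.subject == user:
            return e.action == "allow"
    return False  # default block for unmatched requests (assumption)


def widened_users(entries: List[XmmPolicyEntry]) -> List[str]:
    """Users whose access was widened to every device by the fallback.

    This is the review list an administrator would want: each name here is a
    candidate for installing Touchdown so that the agent can report a device id
    and the allow can be narrowed back to a single device.
    """
    return sorted({e.subject for e in entries if e.scope == "user" and e.action == "allow"})


# Constructed sample inventory: one normal device, one device the agent could not
# identify, and one non-compliant device.
SAMPLE_DEVICES = [
    EnrolledDevice("alice", compliant=True, activesync_device_id="ASDEV-ALICE-1"),
    EnrolledDevice("bob", compliant=True, activesync_device_id=None),
    EnrolledDevice("carol", compliant=False, activesync_device_id="ASDEV-CAROL-1"),
]

if __name__ == "__main__":
    policy = build_xmm_policy(SAMPLE_DEVICES)
    for e in policy:
        print(f"{e.action:5} {e.scope:6} {e.subject}")
    print("users with device-wide allows:", widened_users(policy))
    # bob's unreported second device is admitted by the user-level allow.
    print("bob/UNKNOWN-DEVICE allowed:", is_sync_allowed(policy, "bob", "UNKNOWN-DEVICE"))
    # alice's allow is device-scoped, so an unknown device of hers is blocked.
    print("alice/UNKNOWN-DEVICE allowed:", is_sync_allowed(policy, "alice", "UNKNOWN-DEVICE"))
```

Running the block prints the three generated entries and then shows the asymmetry: bob's unreported device syncs because his allow is user-scoped, while an unreported device of alice's is blocked because her allow names a single ActiveSyncDeviceId.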
Worx Apps
In Worx Home on iOS, if you re-enroll, all of the Citrix MDM configuration profiles should be removed from the device.
This is a known issue in the XenMobile 8.6 release. To remove the profile on your iOS device, manually delete the
MDM configuration profile by going to Settings > General > Profiles. [#423535]
Devices running Android versions 4.3 and 4.4 are having some compatibility issues with Worx Home 8.6.
Deploying XenMobile Components
The XenMobile components you deploy are based on the device or app management requirements of your
organization. The components of XenMobile are modular and build on each other. For example, you want to give users
in your organization remote access to mobile apps and you need to track the device types with which users connect. In
this scenario, you would deploy NetScaler Gateway, XenMobile Device Manager, and App Controller.
This section discusses the different scenarios for deploying the XenMobile products in your network.
Deploying XenMobile Components
You can deploy XenMobile components to enable users to connect to resources in your internal network in the following
ways:
Connections to the internal network. If your users are remote, they can connect by using a VPN or Micro
VPN connection through NetScaler Gateway to access apps and desktops in the internal network.
Device enrollment in Device Manager. Users can enroll mobile devices in Device Manager so you can
manage the devices that connect to network resources.
Web, SaaS, and mobile apps from App Controller. Users can access their web, SaaS, and mobile apps from
App Controller by using Worx Home.
Windows-based apps and virtual desktops. Users can connect with Citrix Receiver or a web browser to
access Windows-based apps and virtual desktops from StoreFront or the Web Interface.
To achieve some or all of these capabilities, Citrix recommends deploying XenMobile components in the following order:
NetScaler Gateway. You can configure settings in NetScaler Gateway to enable communication with App
Controller, StoreFront, or the Web Interface by using the Quick Configuration wizard. You must install App
Controller, StoreFront, or the Web Interface before using the Quick Configuration wizard in NetScaler
Gateway.
Device Manager. After you install Device Manager, you can configure policies and settings that allow users
to enroll their mobile devices.
App Controller. After you install App Controller, you can configure mobile, web, and SaaS apps. Mobile apps
can include apps from the Apple App Store or Google Play. Users can also connect to mobile apps you wrap
with the MDX Toolkit and upload to App Controller.
MDX Toolkit. You can wrap .ipa or .apk apps and Worx apps with the MDX Toolkit. After you wrap the apps,
you can upload the apps to App Controller.
StoreFront (optional). You can provide access to Windows-based apps and virtual desktops from StoreFront
through connections with Receiver.
ShareFile Enterprise (optional). If you deploy ShareFile, you enable enterprise directory integration through
App Controller or Security Assertion Markup Language (SAML). For more information about configuring
identity providers for ShareFile, see the ShareFile support site.
If you install all of the XenMobile components in your network, the deployment may look like the following figure:
Figure 1. The XenMobile Solution
Deploying NetScaler Gateway with App Controller and StoreFront
You can deploy NetScaler Gateway at the perimeter of your organization's internal network (or intranet) to provide a
secure single point of access to the servers, applications, and other network resources that reside in the internal
network. In this deployment, all remote users must connect to NetScaler Gateway before they can access any
resources in the internal network.
You can deploy NetScaler Gateway with the following Citrix products:
XenMobile App Edition
StoreFront
XenApp
XenDesktop
Web Interface
Users can connect to resources in your internal network by using the following methods:
Worx Home for users who connect with mobile devices and need access to MDX mobile apps. Users must
connect with Worx Home on the mobile device to access MDX apps.
Receiver so users can access Windows-based applications and desktops hosted by XenApp or
XenDesktop. To allow users access to their Windows-based apps, you must deploy StoreFront or the Web
Interface. If users connect with Receiver on a Windows or Mac computer, MDX apps are not available to
users.
Optionally, users can also connect with the NetScaler Gateway Plug-in for full VPN access to the internal
network. Users can access email servers, file shares, and web servers with the NetScaler Gateway Plug-in
for Windows or the NetScaler Gateway Plug-in for Mac.
The way you deploy App Controller in your internal network depends on how users connect: with Worx Home or with
Receiver. In either scenario, you install NetScaler Gateway in the DMZ.
You can deploy the App Controller virtual machine (VM) on XenServer, VMware ESXi, or Microsoft Hyper-V located in
your internal network. Users can connect to App Controller from an external connection (the Internet) or from the
internal network. If users connect from the Internet or a remote location, the connection must route through NetScaler
Gateway. App Controller resides in the internal network behind the firewall.
Allowing Access to MDX Apps Through NetScaler Gateway
If users connect with Worx Home and you have MDX mobile apps installed on App Controller, you place StoreFront
behind App Controller in your internal network. Users can connect to App Controller through NetScaler Gateway in the
DMZ to obtain their web, SaaS, Android and iOS mobile apps, along with documents from ShareFile. StoreFront resides
behind App Controller to deliver Windows-based apps and virtual desktops as shown in the following figure:
Figure 1. Deploying NetScaler Gateway with MDX Apps
Deploying App Controller in a High Availability Configuration
You can deploy two App Controller virtual machines (VM) as a high availability pair. A high availability configuration
prevents downtime and ensures that the services provided by App Controller remain available, even if one App
Controller VM is not working.
The following figure shows a high availability deployment in which one App Controller VM is not receiving connections.
Figure 2. App Controller High Availability Deployment
Deploying Device Manager
In order to get your users' devices under management, users need to enroll their devices into Device Manager. To get
started, you install Device Manager in your network. Next, you connect to Active Directory to import users by using the
LDAP wizard. Then, you configure the following settings in Device Manager:
Enrollment
Policies
Apps
When you finish configuring Device Manager, you can send enrollment invitations to your users. The invitation contains
a link that allows users to download Worx Enroll, which then allows users to enroll their devices in Device Manager.
When users log on, Device Manager authenticates the user's identity and enrolls the device.
Citrix recommends that you deploy NetScaler or NetScaler Gateway for security. You deploy NetScaler or NetScaler
Gateway in the DMZ with Device Manager, as shown in the following figure. When you deploy NetScaler or NetScaler
Gateway, you can use the XenMobile NetScaler Connector (XNC) to control access to email, calendar, and contacts
from mobile devices. In this deployment, after enrollment, user devices connect to NetScaler or NetScaler Gateway to
access resources.
If users enroll their iOS devices, the devices and Device Manager must communicate with the Apple Push Notification
Service (APNS).
Figure 1. Deploying NetScaler or NetScaler Gateway and Device Manager
The preceding figure also shows the ports you need to open to enable the connections. You must open all of the ports behind the firewall for each identified service. For details about the ports, see Opening Ports for the XenMobile Solution.
For details about the APNS server, also shown in the preceding figure, see Requesting an APNS Certificate in the Device Manager documentation.
Deploying Other Citrix Products with XenMobile
XenMobile supports integration with other Citrix products, such as XenDesktop and Receiver. You can configure your
deployment solution to include the following:
- Citrix StoreFront with NetScaler Gateway and App Controller
- Citrix Receiver to allow access to HDX apps hosted in XenApp and XenDesktop
- XenMobile Multi-Tenant Console is a web console that enables service providers and organizations to administer several physical servers running XenMobile Device Manager from a single site.
- Remote Support is a software program installed on a Windows-based computer that allows support personnel to take remote control of Windows Mobile devices.
- XenMobile NetScaler Connector (XNC) allows customers to send a list of compliant devices from XenMobile Device Manager to NetScaler, which in turn controls which mobile devices are allowed to synchronize with Exchange server.
- XenMobile Mail Manager (XMM) allows you to utilize XenMobile Device Manager (XDM) to gain Dynamic Access Control for Exchange ActiveSync (EAS) devices.
Deploying the MDX Toolkit
Mobile app management allows you to securely manage and deliver mobile apps to users. With the Citrix MDX Toolkit,
you can wrap iOS and Android apps to secure access and enforce policies. After you wrap the app, you can upload the
app to App Controller and configure MDX policies. Users can then download and install the app from Citrix Receiver.
They can subsequently open and work with the app from an icon on the home screen, on the mobile device, or from the
Receiver home page.
For more information about MDX policies for Android and iOS mobile apps in App Controller 2.9, see the following:
Configuring MDX Policies for Android Apps in App Controller
Configuring MDX Policies for iOS Apps in App Controller
How the MDX Toolkit Works
Citrix provides the MDX Toolkit so that you can wrap a mobile app for iOS or Android with Citrix logic and policies. The
tool can securely wrap an app that was created within your organization or a mobile app made outside the company.
When you install the MDX Toolkit, the Worx SDK libraries also install and appear in the MDX SDK folders on your
computer in the tool and data directories. The MDX SDK folders are required for the integration of wrapped iOS mobile
apps with Citrix Worx. When you wrap iOS apps that include the Worx SDK libraries, you can publish the apps in the
Apple App Store and the Worx Store. After the app is wrapped, you can then upload the app to App Controller.
After you download the MDX Toolkit from My Citrix on the Citrix Web site, when you run the tool, the tool prompts you to
follow basic steps. For both types of app, use the following guidelines:
- Provide the app name and optional details about the app.
- Provide a list of devices to exclude. The devices in the list cannot run the app.
- Save the new MDX (.mdx) file that the tool creates to your computer. The MDX file is the wrapped app that contains Citrix logic and policies.
When you run the MDX Toolkit, the app determines the application type and version. You can select the minimum and
maximum operating system versions.
After you complete wrapping the app, you then upload the MDX file to App Controller. You use the management
console to configure specific application details and policy settings that Citrix Receiver enforces. When users log on by
using Receiver, the app appears in the store. Users can then subscribe, download, and install the app on their device.
Deploying iOS Mobile Apps
To deploy iOS apps, you need to follow these basic steps:
- Specify an iOS mobile app IPA file.
- In the MDX Toolkit wizard, choose the option to deploy the app from XenMobile or to deploy the app from the Apple App Store.
- Choose the iOS Distribution Provisioning Profile and Distribution Certificate to sign the app for distribution.
Deploying Android Mobile Apps
For Android apps, you need to follow these basic steps:
- Specify an Android mobile app APK file.
- Choose the Java Development Kit (JDK) 1.7 on your computer for wrapping Android mobile apps.
- Choose the Android Software Development Kit (SDK) on your computer for wrapping Android mobile apps.
- Choose the Android APK Tool.
- Choose the keystore for signing Android mobile apps.
Providing Access to Mobile Apps
You can provide access to iOS and Android mobile apps from Device Manager and App Controller.
In Device Manager, you can deploy apps to devices by using deployment packages for iOS and Android.
You can upload native, IPA, APK, and wrapped MDX files to App Controller 2.9 for publication to Worx Home and the
Worx Store. In addition, if users click an app in the Worx Store that requires payment, the Apple App Store or Google
Play store opens depending on the app type. Users can then pay for and then download and install the app to their
device.
Citrix provides the MDX Toolkit so that you can wrap a mobile app for iOS or Android with Citrix logic and policies. The
tool can securely wrap an app that was created within your organization or a mobile app made outside the company.
After you wrap the app, you can upload it to App Controller where you define settings and policies. You can also wrap
WorxMail and WorxWeb with the MDX Toolkit.
Users can access mobile apps from Citrix Receiver or Worx Home. If you deploy StoreFront in your network, you can
configure App Controller to send application lists to StoreFront. When users log on with Receiver, they can start,
download and install mobile apps onto the device.
Worx Home enables your users to enroll their devices into XenMobile for device management, and serves as both an
enterprise app delivery mechanism and a support tool (chat or email). When Worx Home is installed on the user device,
users have access to WorxMail, WorxWeb, and other mobile apps to which you provide access.
When you upload an app to App Controller, you can configure the following settings:
- Excluded devices. If you exclude devices, you enter the manufacturer's name and the model of the device. For example, you enter iPad, iPhone, or Samsung HTC Galaxy. You do not need to enter the version number of the device, such as iPad 3.
- Categories. When users log on by using Receiver, they receive a list of available applications. By using categories, you can sort applications so that users can access only the applications you want.
- Roles. When you configure the app, you can use Roles to define the list of users who can use the app.
- Workflows. When you enable a workflow for the app, you can select the individuals who need to approve the application account.
- MDX policies. You configure authentication, device security, encryption, app interaction and access, and network access policies for MDX mobile apps. You can configure a policy for an MDX app to specify that users authenticate through a particular NetScaler Gateway appliance before they open the app. In doing so, users are asked to enter additional credentials, such as a personal identification number from a token.
For more information, see the following:
Worx Mobile Apps
Enrolling iOS and Android Users with Worx Home
Mobile and MDX Apps
Configuring MDX Policies for iOS Apps in App Controller
Configuring MDX Policies for Android Apps in App Controller
XenMobile FIPS 140 Compliance
The Federal Information Processing Standard (FIPS), issued by the US National Institute of Standards and Technology, specifies the security requirements for a cryptographic module used in a security system. The MDX Toolkit technology complies with the second version of this standard, FIPS 140-2. All references to FIPS imply FIPS 140-2.
Citrix MDX Vault components and the associated MDX Toolkit are used for securing container-based data-at-rest on mobile devices. Both components leverage existing NIST Validated Cryptographic Modules from OpenSSL (Cert#1747) to achieve FIPS compliance. For more information regarding the NIST validated FIPS modules, see the National Institute of Standards and Technology web site.
Gathering Information Before You Deploy XenMobile Components
Before you install XenMobile components in your network, you need the right prerequisites. These prerequisites include:
- Network settings. These settings include IP addresses, ports, DNS, Network Time Protocol (NTP) and SMTP servers, and the IP address or fully qualified domain name (FQDN) of a load balancer.
- Hardware and sizing requirements. These include Windows Servers, hypervisors, and NetScaler Gateway requirements. The NetScaler Gateway appliance you select (VPX, MPX, or SDX) determines the maximum number of user connections to your XenMobile deployment.
- Certificates. These include server, root, intermediate, Apple Push Notification Service (APNS), and certificates for wrapping mobile apps with the MDX Toolkit.
- Licenses. Licenses are required for XenMobile MDM Edition and NetScaler Gateway.
- Active Directory settings. These settings are required for XenMobile MDM Edition and for XenMobile App Edition.
- Authentication method. Before deploying XenMobile components, it's important to decide on an authentication method. For example, you should decide if you are implementing the Worx PIN that you configure in App Controller. The Worx PIN caches Active Directory credentials and works with client certificate authentication. Authentication settings can enable LDAP, RADIUS, one-time passwords, client certificate authentication, and two-factor authentication. If users connect to internal web sites, you need to configure authentication for NetScaler Gateway and SharePoint to allow single sign-on (SSO) to work.
  Note: If you implement an authentication method for users and then change the method after users enroll, users will need to enroll again.
- Load balancers. Load balancers manage connections to your XenMobile deployment. You might also need to plan for packet inspection appliances to monitor network traffic entering your internal network.
- Email server and data synchronization settings. These settings include Exchange Server and ActiveSync configurations for XenMobile MDM Edition and WorxMail.
- Databases. These databases include either Microsoft SQL Server or Postgres for XenMobile MDM Edition. The Postgres database comes with XenMobile MDM Edition and installs when you install Device Manager.
  Note: Citrix recommends that you use Microsoft SQL Server. You should only use PostgreSQL in test deployments.
Opening Ports for the XenMobile Solution
To allow devices and apps to communicate with each XenMobile component, you need to open ports in your firewall.
The following tables define the ports you need to open.
Opening Ports for NetScaler Gateway and App Controller
You need to open the following ports to allow user connections from Worx Home, Receiver, or the NetScaler Gateway
Plug-in through NetScaler Gateway to App Controller, StoreFront, XenDesktop, the XenMobile NetScaler Connector
(XNC) and to other internal network resources, such as intranet web pages.
TCP port | Description | Source | Destination
21 | Open this port to send support bundles to an FTP server. | App Controller | FTP server
22 | Transfer logs from App Controller and a network server. | App Controller | Network server
53 | DNS. | NetScaler Gateway | DNS server
80 | NetScaler Gateway passes the VPN connection to the internal network resource through the second firewall. Typically occurs if users log on with the NetScaler Gateway Plug-in. | NetScaler Gateway | Intranet web sites
80, 8080, or 443 | The XML and STA port that does enumeration, ticketing, and authentication. Citrix recommends using port 443. | XML network traffic; STA - NetScaler Gateway | StoreFront or Web Interface; XenDesktop or XenApp
443 | Communication required for Callback URL. | App Controller | NetScaler Gateway
123 | Network Time Protocol (NTP) services. | NetScaler Gateway | NTP server
389 | Unsecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory
443 | Connections to StoreFront from Receiver or Receiver for Web that provides access to Windows-based applications and virtual desktops hosted in XenApp and XenDesktop. | Internet | NetScaler Gateway
443 | Connections to App Controller for web, mobile, and SaaS application delivery. | Internet | NetScaler Gateway
514 | Connection between App Controller and a syslog server. | App Controller | Syslog server
636 | Secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory
1494 | Connections to Windows-based applications in the internal network by using the ICA protocol. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop
1812 | RADIUS connection. | NetScaler Gateway | RADIUS authentication server
2598 | Connections to Windows-based applications in the internal network by using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop
3268 | Microsoft Global Catalog unsecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory
3269 | Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory
9080 | NetScaler communicates with the XNC. This port is for HTTP traffic. | NetScaler | XNC
9443 | NetScaler communicates with the XNC. This port is for HTTPS traffic. | NetScaler | XNC
9736 | Communication between two App Controller VMs deployed as a high availability pair. | App Controller | App Controller
Opening XenMobile MDM Ports
You need to open the following ports to allow XenMobile MDM to communicate in your network.
TCP port | Description | Source | Destination
25 | By default, the Device Manager SMTP configuration of the notification service uses this port. If your SMTP server uses a different port, make sure your firewall does not block that port. | XenMobile MDM | SMTP server
80 or 443 | MDM server Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com) or to Google Play. Used for publishing iTunes App Store or Google Play apps from the available app store from within the Device Manager web console and Citrix Mobile Self-Serve on the iOS device or Worx Home for Android. Citrix Mobile Self-Serve is available when iOS devices enroll in Device Manager. | XenMobile MDM | Apple iTunes App Store (ax.itunes.apple.com)
80 or 443 | XenMobile Device Manager Nexmo SMS Notification Relay outbound connection. | XenMobile MDM | Nexmo SMS Relay Server
389 | Unsecure LDAP connections. | XenMobile MDM | LDAP authentication server or Active Directory
443 | Enrollment and agent setup for Android and Windows Mobile. | Internet | XenMobile Device Manager Server
443 | Enrollment and agent setup for Android and Windows Mobile, the Device Manager web console, and MDM Remote Support Client. | Internal local area network (LAN) and Wi-Fi | XenMobile Device Manager Server
1433 | Remote database server connection to a separate SQL server (optional). | XenMobile MDM | SQL Server
2195 | Apple Push Notification Service (APNS) outbound connection to gateway.push.apple.com that is used for iOS device notifications and device policy push. | XenMobile MDM | Internet (Apple APNS Service Hosts using the public IP address 17.0.0.0/8)
2196 | APNS outbound connection to feedback.push.apple.com that is used for iOS device notification and device policy push. | XenMobile MDM | Internet (Apple APNS Service Hosts using the public IP address 17.0.0.0/8)
5223 | APNS outbound connection from iOS devices that connect through Wi-Fi networks to *.push.apple.com. | iOS device on Wi-Fi network | Internet (Apple APNS Service Hosts using the public IP address 17.0.0.0/8)
8443 | Enrollment for iOS devices only. | Internet, LAN and Wi-Fi | XenMobile MDM
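A pre-flight check for the Device Manager host, added here as an example and not Citrix code: it encodes the outbound rows of the XenMobile MDM ports table and probes each destination with a plain TCP handshake, so a firewall rule that is still closed shows up before the first enrollment fails. Hostnames ending in .example are constructed placeholders for your own SMTP, Active Directory and SQL servers; the Apple hostnames, the port numbers and the 17.0.0.0/8 APNS range come from the table.

```python
"""Pre-flight connectivity check for the XenMobile MDM outbound ports.

Each Rule is one row of the MDM ports table; .example hosts are placeholders.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    port: int
    host: str
    purpose: str
    required: bool = True  # optional rows are reported but never fail the check


# Outbound connections the Device Manager (XenMobile MDM) host must be able to make.
MDM_OUTBOUND: Sequence[Rule] = (
    Rule(25, "smtp.example", "Notification service SMTP"),
    Rule(443, "ax.itunes.apple.com", "Enterprise App Store connection to the iTunes App Store"),
    Rule(389, "dc.example", "LDAP to Active Directory (636 if you use secure LDAP)"),
    Rule(1433, "sql.example", "Remote SQL Server", required=False),
    Rule(2195, "gateway.push.apple.com", "APNS notifications and device policy push"),
    Rule(2196, "feedback.push.apple.com", "APNS feedback service"),
)

# The table scopes APNS egress to this block; use it to tighten the 2195/2196 rules.
APNS_NETWORK = ipaddress.ip_network("17.0.0.0/8")

Prober = Callable[[str, int, float], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def apns_egress_ok(address: str) -> bool:
    """True if a resolved APNS address falls inside the 17.0.0.0/8 block from the table."""
    return ipaddress.ip_address(address) in APNS_NETWORK


def check_rules(rules: Sequence[Rule], probe: Prober = tcp_probe,
                timeout: float = 3.0) -> Tuple[List[Rule], List[Rule]]:
    """Probe every rule once; return (blocked_required, blocked_optional)."""
    blocked_required: List[Rule] = []
    blocked_optional: List[Rule] = []
    for rule in rules:
        if probe(rule.host, rule.port, timeout):
            continue
        (blocked_required if rule.required else blocked_optional).append(rule)
    return blocked_required, blocked_optional


def format_report(blocked_required: Sequence[Rule], blocked_optional: Sequence[Rule]) -> str:
    """Human-readable summary; no BLOCKED lines means the host is ready to enroll devices."""
    lines = [f"BLOCKED  {r.host}:{r.port}  {r.purpose}" for r in blocked_required]
    lines += [f"optional {r.host}:{r.port}  {r.purpose}" for r in blocked_optional]
    if not blocked_required:
        lines.append("All required outbound ports reachable.")
    return "\n".join(lines)


if __name__ == "__main__":
    required, optional = check_rules(MDM_OUTBOUND)
    print(format_report(required, optional))
    raise SystemExit(1 if required else 0)
```

Run it on the Device Manager server itself, because the source column of the table is what matters: the same port open from an administrator's workstation proves nothing about the MDM host.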
Gathering Network Information
You need to identify the following network settings and configure appropriate server settings before you install the
XenMobile components in your network:
- IP addresses for each XenMobile component. For example, for NetScaler Gateway, you need the system IP (NSIP) and the subnet IP (SNIP) addresses.
- Opening the appropriate ports in your firewall to allow network traffic to communicate with each component.
- Domain Name Servers (DNS) for name resolution with users inside your network and users who connect from remote locations. You might need different IP addresses for each DNS server.
- Network Time Protocol (NTP) server. The NTP server synchronizes the time between all of your network components. Citrix recommends that you use an NTP server for your XenMobile deployment.
- SMTP server for email. When you configure an SMTP server, you need the fully qualified domain name (FQDN) of the email server, such as mail.mycompany.com. You also need to identify the port, the email addresses used for the send function, and user email addresses and passwords.
The XenMobile Pre-Installation checklist includes a section where you can write down all of your network settings. You
might need to coordinate with other team members to configure the ports and servers you need for the XenMobile
deployment. For more information about ports and to print the checklist, see:
XenMobile Solution Pre-Installation Checklist
Opening Ports for the XenMobile Solution
Obtaining and Installing Licenses
XenMobile MDM Edition and NetScaler Gateway require licenses. When you purchase a Citrix product, you receive an
email that contains a link for your licenses. You obtain your licenses by logging on to the Citrix web site and then
downloading your licenses.
Important: Citrix recommends that you retain a local copy of all license files you receive. When you save a backup copy of the
configuration file, all uploaded licenses files are included in the backup. If you need to reinstall XenMobile MDM Edition or
NetScaler Gateway appliance software and do not have a backup of the configuration, you will need the original license files.
For more information about NetScaler Gateway and Device Manager licenses, see XenMobile Licensing on the Citrix web site.
Determining Your Hardware, Hypervisor, and Sizing Requirements
Each XenMobile component has specific hardware, hypervisor, or sizing requirements:
- User devices. This hardware requirement includes the number and types of devices that enroll when you deploy Device Manager, such as iPads or Android phones.
- Hardware or hypervisor. These requirements include the hardware resources to support your number of users and devices. You install App Controller and NetScaler VPX on a hypervisor, such as XenServer. You can also deploy the physical NetScaler or NetScaler Gateway appliance. The number of users who connect determines the NetScaler Gateway appliance model you select, or the number of App Controller instances you install on the hypervisor. Your hypervisor, such as XenServer, must contain enough disk space and memory to support multiple instances of App Controller or NetScaler VPX.
- Sizing. The number of devices that connect to XenMobile components. For example, if Device Manager supports 5,000 devices, the Device Manager server needs from 2 through 4 CPUs, a minimum of 4 gigabytes (GB) of memory, and 24 GB of disk space.
This section describes detailed hardware or hypervisor requirements for each XenMobile component.
NetScaler Gateway Requirements
To determine which of the following NetScaler Gateway models suit the needs of your organization, you need to
consider how many users will connect. You can use the following guidelines:
- NetScaler SDX - a hardware platform on which virtual instances of NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.
- NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.
- NetScaler VPX - a virtual machine that can handle up to 875 user connections.
Device Manager System Requirements
You can refer to the following system requirements for installing Device Manager.
Windows Server
- Microsoft Windows Server 2012 64-bit Standard or Enterprise Edition
- Microsoft Windows Server 2008 R2 Standard or Enterprise Edition
Note: If you plan to use device certificate templates with Microsoft Certificate Services, the Windows Server running the
Active Directory Certificate Services must be running Microsoft Windows Server 2008 R2 SP1, Standard or Enterprise
Edition.
If you plan to use the SharePoint access management feature, you must have Microsoft Windows Server 2008 R2 Standard or Enterprise Edition with Service Pack 1 or with fix KB976217 installed on the server.
Java Requirements
- Oracle Java SE 7 JDK (JDK Download Edition) with a minimum of update 11
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
The Java Cryptography Extension (JCE) is an officially released Standard Extension to the Java Platform. JCE provides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. For more information, see Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 on the Oracle web site.
Note: Oracle Java components must all be downloaded separately from the Java SE Downloads web site. The JCE components must be installed in the JDK's Java Runtime Environment in order to properly support enrollment of iOS devices. Follow the installation Read Me instructions that accompany the Java JCE download package on the Oracle web site.
After you download and extract the JCE package, copy the files local_policy.jar and US_export_policy.jar to the \jre\lib\security folder and overwrite the existing files.
Server Hardware Requirements
- Physical or virtual server host environment
- Intel Xeon 3 GHz or AMD Opteron 1.8 GHz server class
- 4 GB RAM minimum recommended for 64-bit operating system
- 500 MB free disk space minimum
The Windows Server hardware needs to support the number of devices that connect. You can use the following table for guidance:
Number of devices | Windows Server | SQL Server
5,000 | 2 vCPU and 4 GB of memory | 2 vCPU and 6 GB memory
10,000 | 4 vCPU and 8 GB of memory | 4 vCPU and 16 GB memory
20,000 | 8 vCPU and 16 GB of memory | 16 vCPU and 24 GB memory
40,000 | 16 vCPU and 32 GB of memory | 32 vCPU and 64 GB memory
Device Manager Database Requirements
The Device Manager Server repository requires one of the following databases:
- Microsoft SQL Server 2005
- SQL Server 2008
- SQL Server 2008 R2
User Account Needed: For the database server, you will need a service account that has administrator rights to SQL
server, including the following access rights: Creator, Owner, and Read/Write permissions.
Windows Service Account Requirements
The Windows service accounts for the Device Manager Server and the database must be a Local Administrator of the
computer on which the Device Manager Server is installed.
Installation Requirements
When you install XenMobile, use the following guidelines:
Note: Domain membership is not required for the Device Manager server.
- Do not install a new version of IIS, and uninstall IIS if it exists on this server.
- Create an external DNS record for the Device Manager server, such as mobile.yourcompany.com.
App Controller System Requirements
You can install App Controller on the following:
- XenServer 6.2
- XenServer 6.0
- XenServer 6.1
- XenServer 5.6 with a minimum of Service Pack 1
- Microsoft Server 2012 with Hyper-V enabled
- Microsoft Hyper-V Server 2012
- VMware ESXi 5.0.1
- VMware ESXi 5.1
- VMware ESXi 4.x
XenServer, Hyper-V, and VMware ESXi must provide adequate virtual computing resources to App Controller as listed in the following tables.
XenServer and VMware ESXi Requirements
XenServer and VMware ESXi must provide adequate virtual computing resources to App Controller as listed in the
following table.
Memory | 4 GB
Virtual CPU (VCPU) | 2 VCPUs. Note: If App Controller is acting as the cluster head, Citrix recommends 4 VCPUs.
Virtual Network Interfaces | 1
Microsoft Hyper-V Requirements
Microsoft Hyper-V must provide adequate virtual computing resources to App Controller as listed in the following table.
Disk space (the maximum disk size to which the App Controller disk can increase) | 50 GB
Memory | 4 GB
VCPU | 2
Virtual Network Interfaces (available for each App Controller VM) | 1
Active Directory
When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If
you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals.
When users attempt to start an app, users receive a message that they are not authorized to use the app.
XenMobile Solution Pre-Installation Checklist
You can use this checklist to note the settings and prerequisites for installing NetScaler Gateway, Device Manager, and
App Controller. Each task or note includes a column indicating the component or components for which the requirement
applies. The checklist has an extra column that you can use to check off each task as you complete it and to record
information.
For installation instructions for each XenMobile component, see the following:
- Installing NetScaler Gateway 10.1 in Your Network
- Installing Device Manager
- Installing App Controller
Basic Network Connectivity
The following are the network settings you need for the XenMobile Solution.
Prerequisite description | Configure on component | Note the setting
Note the fully qualified domain name (FQDN) to which remote users connect. | NetScaler Gateway; Device Manager |
Note the public and local IP address. You need these IP addresses to configure the firewall to set up network address translation (NAT). | Device Manager; NetScaler Gateway; App Controller |
Note the subnet mask. | Device Manager; NetScaler Gateway; App Controller |
Note the DNS IP addresses. | Device Manager; NetScaler Gateway; App Controller |
Write down the WINS server IP addresses (if applicable). | NetScaler Gateway |
Identify and write down the NetScaler Gateway host name. Note: This is not the FQDN. The FQDN is contained in the signed server certificate that is bound to the virtual server and to which users connect. You can configure the host name by using the Setup Wizard in NetScaler Gateway. | NetScaler Gateway |
Note the App Controller FQDN. | App Controller |
Note the IP address of App Controller. Reserve one IP address if you install one instance of App Controller. Reserve three IP addresses if you configure high availability on App Controller. There is one virtual IP address and an IP address for each node. If you configure a cluster, note all of the IP addresses you need. | App Controller |
Note the IP address or FQDN of the Network Time Protocol (NTP) server. | NetScaler Gateway; App Controller |
One public IP address configured on NetScaler Gateway. One external DNS entry for NetScaler Gateway. | NetScaler Gateway |
Note the web proxy server IP address, port, proxy host list, and the administrator user name and password. These settings are optional if you deploy a proxy server in your network (if applicable). Note: You can use either the sAMAccountName or the User Principal Name (UPN) when configuring the user name for the web proxy. | App Controller; NetScaler Gateway |
Write down the default gateway IP address. | App Controller; NetScaler Gateway; Device Manager |
Write down the system IP (NSIP) address and subnet mask. | NetScaler Gateway |
Write down the subnet IP (SNIP) address and subnet mask. | NetScaler Gateway |
Write down the NetScaler Gateway virtual server IP address and FQDN from the certificate. If you need to configure multiple virtual servers, write down all of the virtual IP addresses and FQDNs from the certificates. | NetScaler Gateway |
Write down the internal networks that users can access through NetScaler Gateway. Example: 10.10.0.0/24. Enter all internal networks and network segments that users need access to when they connect with Worx Home or the NetScaler Gateway Plug-in when split tunneling is set to On. | NetScaler Gateway |
Licensing
XenMobile requires you to purchase licensing options for NetScaler Gateway and Device Manager. For more information about obtaining your license files, see The Citrix Licensing System.
Prerequisite description | Configure on component | Note the location
Obtain Universal licenses from the Citrix web site. For details about installing NetScaler Gateway licenses, see Installing NetScaler Gateway Licenses. | NetScaler Gateway |
Obtain perpetual, annual, or hosted cloud-based server licensing. For details about Device Manager licensing, see Installing Device Manager. | Device Manager |
Certificates
NetScaler Gateway, App Controller, and Device Manager require certificates to enable connections with other Citrix products and applications and from user devices. For more information about certificates, see the following topics:
- Installing and Managing Certificates for NetScaler Gateway
- Requesting an APNS Certificate for Device Manager
- Configuring Certificates in App Controller
Note: For Device Manager, you need to install the required Java components, as noted later in this checklist, before you install the APNS certificate.
Prerequisite description | Configure on component | Note the setting
Obtain and install required certificates. You can create Certificate Signing Requests (CSRs) by using Windows Server and Internet Information Services (IIS). You can also create CSRs in NetScaler Gateway and App Controller. | App Controller; Device Manager; NetScaler Gateway |
Ports
You need to open ports to allow communication with the XenMobile components. For a complete list of all ports you need to open for the XenMobile Solution, see Opening Ports for the XenMobile Solution.
Prerequisite description | Configure on component | Note the setting
Open ports for the XenMobile Solution. | App Controller; Device Manager; NetScaler Gateway |
Active Directory Settings
Important: When you add users in Active Directory for App Controller, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, they receive a message that they are not authorized to use the app.
Prerequisite description | Configure on component | Note the setting
Note the Active Directory IP address and port. If you use port 636, install a root certificate from a CA on Device Manager and on App Controller. | App Controller, Device Manager, NetScaler Gateway | ____
Note the Active Directory domain name. | App Controller, Device Manager, NetScaler Gateway | ____
Note the Active Directory service account. This is the account that App Controller and Device Manager use to query Active Directory. | App Controller, Device Manager, NetScaler Gateway | ____
Note the Base DN. This is the directory level under which users are located; for example, cn=users,dc=ace,dc=com. NetScaler Gateway, App Controller, and Device Manager use this to query Active Directory. Note: If your Active Directory database is large, you can configure multiple Base DNs to which App Controller or Device Manager binds and in which the server searches to find user objects; for example, ou=Finance,dc=ace,dc=com; ou=Sales,dc=ace,dc=com. | App Controller, Device Manager, NetScaler Gateway | ____
Note the Group Base DN. This is the directory level under which users are located. You can use the same value that you used for Base DN. NetScaler Gateway, App Controller, and Device Manager use this to query Active Directory. | App Controller, Device Manager, NetScaler Gateway | ____
Note a user account for testing. This is an Active Directory account that you can use to log on and test single sign-on (SSO). | App Controller, Device Manager, NetScaler Gateway | ____
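As an added check that is not part of the Citrix documentation, the following PowerShell script exercises the Active Directory values recorded in this table the way App Controller and Device Manager use them: it binds over LDAPS on port 636 with the service account (which only succeeds when the CA root certificate is trusted on the machine), searches the Base DN for user objects that lack the first name, last name, or email that App Controller requires, and confirms that the test account is found. The host, domain, account names, and Base DN are placeholders to replace with your recorded values.

```powershell
# Added example: validate the Active Directory checklist values before configuring
# App Controller and Device Manager. All values below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$AdHost      = 'dc01.ace.com'             # Active Directory IP address or FQDN (placeholder)
$AdPort      = 636                        # 636 = LDAPS; the CA root certificate must be trusted locally
$AdDomain    = 'ACE'                      # Active Directory domain name (placeholder)
$ServiceUser = 'svc-xenmobile'            # Active Directory service account (placeholder)
$BaseDn      = 'cn=users,dc=ace,dc=com'   # Base DN from the checklist
$TestUser    = 'jdoe'                     # sAMAccountName of the test account for SSO (placeholder)
$ServicePass = Read-Host -AsSecureString "Password for $AdDomain\$ServiceUser"

# Bind the way the XenMobile components do: LDAP v3, SSL when port 636 is used.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($AdHost, $AdPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = ($AdPort -eq 636)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = New-Object System.Net.NetworkCredential($ServiceUser, $ServicePass, $AdDomain)
try {
    $conn.Bind()
    Write-Host "Bind succeeded to ${AdHost}:$AdPort as $AdDomain\$ServiceUser"
} catch {
    # Typical causes: wrong address or port, an untrusted LDAPS certificate chain,
    # or a service account that cannot read the directory.
    throw "LDAP bind failed: $($_.Exception.Message)"
}

# Search the Base DN for user objects, requesting only the attributes App Controller needs.
$attrs  = 'sAMAccountName', 'givenName', 'sn', 'mail'
$filter = '(&(objectCategory=person)(objectClass=user))'
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$request  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, $scope, [string[]]$attrs)
$response = $conn.SendRequest($request)   # large directories need PageResultRequestControl paging

$incomplete = @()
$testFound  = $false
foreach ($entry in $response.Entries) {
    $sam = [string]$entry.Attributes['sAMAccountName'][0]
    if ($sam -eq $TestUser) { $testFound = $true }
    # First name, last name and email must all be set, or App Controller cannot synchronize the user.
    $missing = @('givenName', 'sn', 'mail') | Where-Object { -not $entry.Attributes.Contains($_) }
    if ($missing) { $incomplete += "$sam (missing: $($missing -join ', '))" }
}

Write-Host "$($response.Entries.Count) user objects found under $BaseDn"
if (-not $testFound) { Write-Warning "Test account $TestUser was not found under $BaseDn; check the Base DN" }
if ($incomplete) {
    Write-Warning 'Users that App Controller will not be able to synchronize:'
    $incomplete | ForEach-Object { Write-Warning "  $_" }
}
$conn.Dispose()
```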
Database Requirements for Device Manager
Prerequisite description | Configure on component | Note the setting
Note the SQL Server user accounts. Configure a service account with administrator rights to SQL Server, including the following access rights: Creator, Owner, and Read/Write permissions. | Device Manager | ____
Note the Windows Service Account. This account is for the Device Manager Server and the database. The account must be a Local Administrator of the computer on which you install Device Manager Server. | Device Manager | ____
Note the SQL Server FQDN or IP address. | Device Manager | ____
Connections Between App Controller, Device Manager, and NetScaler Gateway
You can configure Device Manager and App Controller to connect. Complete the following tasks that are indicated for Device Manager if you deploy App Controller in your internal network. If users connect to App Controller from an external network, such as the Internet, users must connect to NetScaler Gateway before accessing mobile, web, and SaaS apps. If that is the case, complete the following tasks that are indicated for NetScaler Gateway.
Note: Configure App Controller settings on Device Manager first. Then, you can configure Device Manager settings in App Controller.
Prerequisite description | Configure on component | Note the setting
Note the Device Manager host name. | App Controller | ____
Note the Device Manager port (80 or 443). | App Controller | ____
Note the shared key from Device Manager. Enter the same shared key in Device Manager and App Controller. | App Controller, Device Manager | ____
Note if you want mobile devices to enroll in Device Manager as a requirement before connecting to App Controller. | App Controller | ____
Note the App Controller host name. | Device Manager | ____
Write down the FQDN or IP address of App Controller. | NetScaler Gateway | ____
Identify web, SaaS, and mobile iOS or Android applications users can access. | NetScaler Gateway | ____
Note the Callback URL to allow communication between App Controller and NetScaler Gateway. | App Controller | ____
User Connections: Access to XenDesktop, XenApp, the Web Interface, or StoreFront
In NetScaler Gateway, you need to create two virtual servers. One virtual server allows user connections to App Controller from Worx Home. Citrix recommends that you use the Quick Configuration wizard in NetScaler Gateway to configure these settings.
You create a second virtual server to enable user connections from Receiver and web browsers to Windows-based applications and virtual desktops in XenApp and XenDesktop. Citrix recommends configuring the virtual server, session and clientless access policies by using the NetScaler Gateway Policy Manager. For more information, see Configuring Access to StoreFront Through NetScaler Gateway.
Prerequisite description | Configure on component | Note the setting
Note the NetScaler Gateway host name and external URL. The external URL is the web address with which users connect. | App Controller | ____
Note the NetScaler Gateway callback URL. | App Controller | ____
Note the IP addresses and subnet masks for the virtual servers. | NetScaler Gateway | ____
Note the path for Program Neighborhood Agent or a XenApp Services site. | NetScaler Gateway, App Controller | ____
Note the FQDN or IP address of the XenApp or XenDesktop server running the Secure Ticket Authority (STA) (for ICA connections only). | NetScaler Gateway | ____
Note the public FQDN for Device Manager. | NetScaler Gateway | ____
Note the public FQDN for Worx Home. | NetScaler Gateway | ____
Devices
XenMobile MDM supports the following device platforms: iOS, Android, Windows Phone 8 and Windows Tablet, Windows Mobile, and Symbian. For a list of platform versions and the Device Manager features supported for each platform, see Feature Support by Device Platform.
Prerequisite description | Configure on component | Note the devices
Note the mobile device platforms in your organization. | Device Manager | ____
Downloading XenMobile Product Software
You can download product software from the Citrix web site. You need to log on to the site and then click the Downloads link on the Citrix web page. You can then select the product and type you want to download. For example, the following figure shows the XenMobile product software drop-down list:
When you click Find, a page listing the available downloads appears with the most recent version at the top of the list:
You can select your software from the available list of options. For example, if you select XenMobile 8.6 Enterprise, you can download the software for Device Manager, App Controller, NetScaler Gateway, and other XenMobile Edition components as shown in the following figure:
To download the software for NetScaler Gateway
You can use this procedure to download the NetScaler Gateway virtual appliance or software upgrades to your existing NetScaler Gateway appliance.
1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select NetScaler Gateway.
5. In Select Download Type, select Product Software and then click Find. You can also select Virtual Appliances to download NetScaler VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.
6. On the NetScaler Gateway page, expand NetScaler Gateway or Access Gateway.
7. Click the appliance software version you want to download.
8. On the appliance software page for the version you want to download, select the virtual appliance and then click Download.
9. Follow the instructions on your screen to download the software.
To download the software for Device Manager
1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 MDM Edition.
7. Under XenMobile Device Manager, click Download next to XenMobile Device Manager 8.6.
8. Follow the instructions on your screen to download the software.
To download the software for App Controller
1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 App Edition.
7. On the XenMobile 8.6 App Edition page, click the appropriate App Controller virtual image in order to install App Controller on XenServer, VMware, or Hyper-V.
8. Follow the instructions on your screen to download the software.
To download the MDX Toolkit
You can run the MDX Toolkit for wrapping iOS and Android apps on Mac OS X Version 10.7 (Lion), Version 10.8 (Mountain Lion), or Version 10.9 (Mavericks).
1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 Enterprise Edition.
7. On the XenMobile 8.6 Enterprise Edition page, expand Worx Mobile Apps.
8. Locate MDX Toolkit & SDK for iOS and Android Build 2.2.321.
9. Click Download.
10. Follow the instructions on your screen to download the software.
Installing NetScaler Gateway 10.1 in Your Network
NetScaler Gateway allows remote users to securely access internal network resources. Users can connect with any device to access their applications, email, and file shares in the internal network. You can deploy the following models in your network:
NetScaler SDX - a hardware platform on which virtual instances of NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.
NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.
NetScaler VPX - a virtual machine that can handle up to 875 user connections.
Before you install either the physical appliance or the virtual appliance, complete the NetScaler information in the XenMobile Solution Pre-Installation Checklist. After you install the physical appliance by following the instructions in Installing the Model MPX Appliance, you turn on the appliance and perform the initial configuration. This includes configuring:
NetScaler Gateway IP address (NSIP)
Subnet IP address (SNIP)
Default gateway
DNS servers
Host name
Licenses
Certificates that include the fully qualified domain name (FQDN)
For more information about NetScaler Gateway, see the following topics in Citrix eDocs:
About the NetScaler Gateway MPX Appliance
NetScaler Gateway Virtual Appliances
Performing the Initial Configuration of the MPX Appliance
Configuring NetScaler VPX for the First Time
Installing XenMobile MDM Edition
XenMobile MDM is a robust mobile device management solution that delivers role-based management, configuration,
and security for both corporate and employee-owned devices. Upon user device enrollment, IT can provision policies
and apps to devices automatically, blacklist or whitelist apps, detect and protect against jailbroken or rooted devices,
and wipe or selectively wipe a device that is lost, stolen, or out of compliance. Users can use any device they choose,
while IT can ensure compliance of corporate assets and secure corporate content on the device. With XenMobile MDM,
you can do the following:
Configure device settings, email and applications, policies, and device and application restrictions.
Distribute internally built and externally available apps to users' iOS, Android, Samsung, Samsung Knox,
HTC, Windows Phone 8, and Windows 8 devices.
Provision devices simply and rapidly by enabling user self-service enrollment and by distributing
configuration, policy, and application packages in an automated, role-based manner over-the-air.
Secure devices, applications, and data by setting authentication and access policies, blacklisting and
whitelisting applications, enabling application tunnels, and enforcing security policies at the gateway.
Support users by remotely locating, locking, and wiping devices in the event of loss or theft, as well as
remotely troubleshooting device and service issues.
Monitor devices, infrastructure, service, and telecom expenses.
Decommission devices by identifying inactive devices and wiping or selectively wiping devices upon
employee departure.
Run reports on user and device actions.
XenMobile MDM contains the following products:
XenMobile Device Manager allows you to manage mobile devices, set mobile policies and compliance rules,
gain visibility to the mobile network, provide control over mobile apps and data, and shield your network from
mobile threats. With a "one-click" dashboard, simple administrative console, and real-time integration with
Microsoft Active Directory and other enterprise infrastructure like PKI and Security Information and Event
Management (SIEM) systems, Device Manager simplifies the management of mobile devices.
The Secure Mobile Gateway provides access control for email and calendar services. You can configure
Secure Mobile Gateway to allow or block access to connection requests from devices based on device
status, app blacklists or whitelists, and a host of other compliance conditions. The status of requests blocked
by Secure Mobile Gateway can be immediately viewed on the Device Manager dashboard so that you can
take appropriate action.
XenMobile Multi-Tenant Console is a web console that enables service providers and organizations to
administer several physical servers running Device Manager from a single site.
XenMobile Remote Support application provides several tools to assist in the inspection, troubleshooting,
and modification of remotely controlled handheld devices.
XenMobile ZSM Lite is a component that enables access to query Blackberry and ActiveSync environments
and provides the device and user information to Device Manager through the XenMobile Mobile Service
Provider.
Device Manager
You can install Device Manager 8.6 on Windows Server. Before you install Device Manager, you must install the Java
components, which include:
Oracle Java SE 7 JDK (JDK Download Edition) update 11 and later
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
After you download Device Manager to the Windows Server, you run the installation program. This section describes the
selections available in the installation program and how to configure the settings.
Installing Patches for Device Manager
If a patch has been issued to resolve a problem that applies to your situation and Device Manager implementation, you
may download one or more appropriate patches for your system.
Patches follow the naming convention 'a_patch_###_xxxx.jar', where ### is the version release number for Device Manager and xxxx refers to the patch number.
To install the patch, copy the file 'a_patch_###_xxxx.jar' to the directory %systemroot%\Program Files (x86)\Zenprise\ZenpriseDevice Manager\tomcat\webapps\zdm\WEB-INF\lib, or to the corresponding directory in which you installed Device Manager.
After you copy the file to the directory, restart the Device Manager service.
Choosing Device Manager Components to Install
If you are installing Device Manager on your computer for the first time, select Full install. When you select this option, the following components are installed:
The Device Manager server
The Device Manager repository database (PostgreSQL) as well as the database and requisite tables
The integrated web application server hosting the Device Manager server
Note: If you install an Application Server prior to installing Device Manager, remove the Application Server before installing
Device Manager.
Installing Databases
Device Manager includes the PostgreSQL database server installation. If you installed a SQL database server on your computer or another server, clear the PostgreSQL check box in the list of components during the installation wizard. The install type switches automatically to Custom. When using Microsoft SQL Server, refer to the Microsoft installation instructions. If you do not clear the check box, the PostgreSQL installation wizard appears with configuration instructions.
If you install PostgreSQL, an installation wizard appears. The installation program automatically selects all of the default PostgreSQL options required to install a Device Manager server. However, you can check additional options you want to install. You can also change the installation location with the Browse button.
During installation of PostgreSQL, define the service account that runs the PostgreSQL server. The Service name, Account name, and Account domain fields are already completed. You need to enter a password for the service account.
If the user account does not exist, you receive a prompt to confirm creation of the account. In addition, if the password you choose is not a strong password, you are prompted to replace the password with a strong password. Click No in the message dialog box to keep the password you originally entered.
Installing License Files
After you configure the PostgreSQL database, you can then install licenses. If you are using a different SQL database
and did not install PostgreSQL, after choosing the initial components and installation location, you install the licenses.
Installing Device Manager
Before you install Device Manager, make sure you do the following:
Disable TCP/IP6 on the network adapter and in the registry. For more information, see How to disable IP version 6 or its specific components in Windows on the Microsoft website.
Disable the User Account Control setting in Control Panel.
Caution: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating
system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry
Editor at your own risk.
The setup wizard includes several discrete tasks. You need to complete all of the tasks in this topic in consecutive order to complete the entire wizard. The installation tasks include:
Device Manager components
Installation location
Microsoft SQL Server database installation
Database cluster settings
Licenses
Device Manager and database communication
Crystal Reports keycode
HTTP and HTTPS connectors
Root and server certificates
Apple Push Notification Service (APNs) certificates
Remote support settings
Active Directory service account for managing users
To select Device Manager components
After you download the software package to your computer, navigate to the folder and then double-click the Device
Manager executable installation file to start the Setup Wizard.
When the wizard starts, you set the language and then read and accept the End User License Agreement. After these two steps, on the Choose Components page, click to clear Database server to disable installation of the PostgreSQL database.
Important: Citrix recommends that you use Microsoft SQL Server instead of the PostgreSQL database that comes with Device Manager. The PostgreSQL database should be used for demonstration purposes only.
After you select your components, on the Choose Install Location page, leave the default install location and then click Install. Citrix recommends that you use the default location to install Device Manager.
To install the license on Device Manager
Device Manager requires a license. For more information about licenses for Device Manager, see Obtaining and Installing Licenses. You upload the .crt license file from your computer. When the upload is complete, the license details appear in the XenMobile Device Manager License dialog box.
To test the connection to the database from Device Manager
You need to configure the Device Manager settings to connect to your database. In the Configure database connection dialog box, you select the SQL Server database. You provide the database name or use the default value. You need to complete the following information, as shown in the following figure:
In Host name or IP address, enter the fully qualified domain name (FQDN) or IP address of SQL Server.
In Port, enter the port number. The default port number for SQL Server is 1433.
In User name, enter a user name for the database.
In Password, enter the password to connect to the SQL Server database.
In Database name, enter the database name or leave the default value.
After you configure the database connection, you then enter the keycode for Crystal Reports.
To configure and register Crystal Reports
With Crystal Reports, you can process the mobile device connection and session logs to generate activity reports online by
using the Device Manager web console, or offline from the Device Manager repository database. The reports include a
watermark with registration information. To remove the watermark, you need a Crystal Reports Developer Edition license and
a keycode for the product. If you did not enter a license serial number during installation, you can define it later by following
these steps:
1. Open the crconfig.xml configuration file in the Device Manager setup folder, which is typically %systemroot%\Program Files\Xenmobile\tomcat\webapps\Device Manager\WEBINF\classes\crconfig.xml on a Windows Server.
2. Add your serial number by editing the element. For example, if your serial number is XXXX-YYYY-ZZZZ, modify the line so that it contains:
XXXX-YYYY-ZZZZ
On the configuration page, to leave a watermark on the reports, leave the Crystal Report Java Reporting Components keycode blank. Or, to remove the watermark, enter your keycode for the product.
To configure the server connectors
When you configure the connection between the Device Manager agent and the Device Manager server, you can
configure the following connectors, which require the same information but serve different purposes:
If you manage iOS devices, select Enable iOS. When you select the check box, the authentication code appears automatically. In Authentication code for applications/tunnels, enter a prefix that Device Manager uses to create authentication keys used by the software. Use a simple alphanumeric word or passphrase. Use mixed case, numbers, and letters only. Then, record this value for use later when you configure the system.
Important: You can only select Enable iOS during installation. If you do not select this option and you want to enable the mode in the future, you must reinstall the application server.
HTTP connector that allows unsecure connections over port 80. You can configure this connector if NetScaler Gateway is installed between the Device Manager server and mobile devices.
HTTPS connector for secure connections over port 443 with a certificate.
HTTPS connector that allows secure connections over port 8443 for device enrollment.
When you configure connectors, you set the following parameters:
Protocol for secure and unsecure connections (HTTP or HTTPS).
IP addresses.
Port settings for the connector. To allow connections over HTTPS and that use certificates for
authentication, you use port 443. For secure connections without certificates, use port 8443. For unsecure
connections use port 80.
Maximum concurrent connections defines the total amount of user connections that are allowed for each
connector.
To configure root and server certificates in Device Manager
Device Manager supports root, server, and APNs certificates. Root certificates enable Device Manager to communicate
with other XenMobile components. Server certificates enable secure communication between Device Manager and
devices.
The installation wizard prompts you to install a root certificate from a Certificate Authority (CA) first and then the server
certificate. For each certificate, you provide the following information:
Keystore file path is the certificate location on your computer. Do not change the default path. The server
configuration provides the file path automatically.
Keystore password and Confirm keystore password are for the private key. Enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, Citrix recommends using separate passwords for the root, server, device, and Web Service certificates. Passwords must have at least eight characters, and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.
Organizational unit is an optional parameter. Enter a value typically given to the entity or group that has
management authority over the certificate.
Organization is an optional parameter. Enter a value typically given to the entity or organization that is the
parent that owns the certificate and its rights.
For root certificates, you need to provide the common name for the CA that issued the root certificate. Leave the default
name to associate it with the creation of the CA component and certificate. If you change this field, your devices may
not receive the proper chain of certificates and will not be able to enroll.
Note: The root certificate is used to issue and sign certificates for intermediate server and client-device certificates. The root
certificate is also used to regenerate intermediate certificates in the event of compromise. You can install root certificates in
the operating system as a trusted CA root certificate.
For secure server certificates, you need to include the IP address or FQDN that is in the certificate. Users connect by
using the IP address or FQDN contained within the certificate.
To install an APNs certificate in Device Manager
To allow users to connect from iOS devices, you must install an APNs certificate from Apple. When you install the certificate on Device Manager, you enter the associated private key password used to generate the original Certificate Signing Request (CSR) in the Private key password field.
In Certificate file path, specify the file system location of a pre-authenticated APNs certificate file that you download and convert to PKCS#12 format from the Apple iOS Developer for Enterprise portal.
Note: APNs certificates are provisioned by Apple, Inc. To obtain an APNs certificate, sign in to the Apple Push Certificates Portal. When you log on, you can compare the information on the Apple web site with the values shown in the following figure:
Allowing Remote Support to Connect to Mobile Devices
On the Configure tunnel port(s) used by remote support page, define the port range used by remote support for Android and Windows Mobile devices. The default is port 8081.
To designate the Device Manager administrator
To connect to the Device Manager web console, you need to configure an account with the administrator role.
On the Extended management of the users page, you enter the administrator's name and password. After you enter the values, you can check the user name in Active Directory.
After you configure the administrator user and password, you can finish the installation wizard.
After you finish the wizard, you should do the following:
Log on to the administration console at https://serverfqdn/zdm to configure Device Manager.
On the console, use the first-time use wizard to configure LDAP and your first deployment package.
Note: If you want to add your own server certificate instead of the self-signed server certificate that is issued during the installation, follow the steps in the topic Configuring an External Certificate Authority by Using SSL.
Configuring Active Directory on Device Manager
You use Active Directory with Device Manager to manage groups of users, not individual user accounts. Device Manager supports the following sources of user account information:
LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory, to import groups, user accounts, and related properties.
Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.
Provisioning file. You can develop a file outside of Device Manager containing user accounts and properties and then import the file. Device Manager automatically creates objects and sets property values.
You can perform the following actions in Device Manager for LDAP connections:
Create a new LDAP connection.
Edit an existing connection.
Set the default LDAP connection.
Activate or deactivate an LDAP connection.
When you create a new LDAP connection, you configure the LDAP directory settings and then you import a signed
secure certificate. When you define the connection parameters, you need to grant the following rights to the Search
User service account:
READALLUSERINFORMATION
READALLNETWORKPERSON
Note: In the Lockout Limit field, the default is set to zero. However, Citrix recommends using a higher value, as well as a value that is slightly lower than the lockout limit set on your LDAP server. For example, if your LDAP server is configured to a limit of five attempts before lockout, Citrix suggests that you enter a 3 or 4 in this field.
You can also map the LDAP directory attributes to the Device Manager Repository database. If you do not modify the
default settings, Device Manager binds automatically to the LDAP directory. You can specify the base DN that defines
the LDAP directory groups that are imported to Device Manager.
Upgrading Device Manager
You upgrade the Device Manager server through an in-place upgrade process. The XenMobile Device Manager Setup
wizard updates your existing Device Manager installation and database in one step.
XenMobile 8.6 supports direct upgrades from XenMobile 8.5 and XenMobile 8.0.1. To upgrade from Zenprise 7.1, you
must first upgrade to XenMobile 8.5.
1. Before starting the upgrade, back up the Device Manager database and core application directories. For more information, see Backing Up and Restoring Device Manager.
2. Ensure that you are running Java SE Development Kit 7 Update 11 or later and Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 on your Device Manager server.
3. Run the Device Manager installation file as an administrator and follow the instructions in the XenMobile Device Manager Setup wizard.
4. If you plan to deploy Samsung for Enterprise (SAFE) and Samsung KNOX policies to compatible devices, you must manually create the configuration to generate the Samsung Enterprise License Management (ELM) key. For more information, see Managing Samsung Configurations.
Backing Up and Restoring Device Manager
Backing up your Device Manager server installation and core application file system directory is crucial to a good disaster recovery or business continuity plan. This section describes backing up and restoring Device Manager.
You can back up Device Manager by using the following methods:
Stop all services and then make a copy of the entire application directory on the server.
Copy the application directories required for restoration and also perform a native SQL database server backup by using the PostgreSQL utility called pgAdmin. You can also use Microsoft SQL Server Management Studio for your version of Microsoft SQL Server.
If you want to restore Device Manager, you also use pgAdmin or Microsoft SQL Server Management Studio.
To perform a full manual backup of Device Manager server
A very simple method for backing up a default installation of the Device Manager server is to stop all services and make
a copy of the entire application directory on the server.
1. From the Services utility on the Device Manager server, stop the XenMobile Device Manager and the XenMobile Device Manager Database - PostgreSQL 8.3 services. MS SQL database installations should follow the best practices used for the particular type of SQL server installation. Online and offline backups are acceptable as long as the backup database and transaction logs are maintained together for restoration.
2. Back up the XenMobile Device Manager database and application environment. This is accomplished by making a full directory copy of the Device Manager application directory, typically located at C:\Program Files (x86)\Citrix\XenMobile Device Manager.
3. Save the full directory copy to a safe external location such as a tape backup or external media storage system. This full directory backup contains the database, application, PKI configuration and certificates, and all configuration and log files.
To perform a directory and native SQL backup of Device Manager server
Another method of backup for Device Manager server is to copy the application directories required for restoration and
also perform a native SQL database server backup utilizing the default PostgreSQL utility pgAdmin. If utilizing a
Microsoft SQL Server database installation the Microsoft SQL Server Management Studio utility is used. The following
steps will guide you through the process using the default PostgreSQL pgAdmin III utility only.
1. From the Services utility on the Device Manager server, stop the XenMobile Device Manager service.
2. Start the pgAdmin III utility from Start > All Programs > PostgreSQL 8.3. The database backup is performed with the pgAdmin III utility if you are using the default PostgreSQL database. For a Microsoft SQL Server database installation, use the Microsoft SQL Server Management Studio application and follow the instructions provided by Microsoft or your database administrator to back up your database according to your needs.
3. Enter the password for the default postgres administrator account for the database. This was recorded during installation.
4. Expand the Databases branch of the servers tree in the pgAdmin utility, right-click the xdm database object, and then select Backup.
5. Enter a directory location and a new file name for the backup file, then click OK.
6. When the backup completes, a message window appears. Click Done. The resulting backup file is saved to your predetermined location for archival and retrieval when a database restore is necessary.
7. Next, while the Device Manager service is stopped, back up at least the following directories within the main application folder:
C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF
8. Verify that the backed-up directory has a complete copy of the Tomcat configuration and PKI certificates. These files are located under the parent directory C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf.
9. Verify that the backup directory also contains the license file, normally found at C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF.
10. The Device Manager application and database environment is now fully backed up and can be restored to the same or a different system host.
XenMobile NetScaler Connector 8.5
Citrix is introducing a new solution for controlling access to corporate email, calendar and contacts from mobile devices: the XenMobile NetScaler Connector (XNC). XNC allows customers to send a list of compliant devices from the XenMobile Device Manager to NetScaler, which in turn controls which mobile devices are allowed to sync with the corporate Exchange server.
XenMobile MDM provides complete protection for your mobile applications, network, and data, and ensures end-to-end security and compliance. NetScaler optimizes, secures, and controls the delivery of all enterprise and cloud services. Together, these two products provide the ability to scale, ensure high availability for apps, and maintain security while reducing mobility deployment and management costs.
XenMobile NetScaler Connector (XNC)
The XenMobile NetScaler Connector (XNC) provides a device level authorization service of ActiveSync clients to
NetScaler acting as a reverse proxy for the Exchange ActiveSync protocol. Authorization is controlled by a combination
of policies defined within the XenMobile Device Manager and by rules defined locally by XNC.
Note: For information and documentation on how to deploy and configure the NetScaler for the XNC, contact your Citrix sales
representative and request the document named 'NetScaler and XenMobile Solution for Enterprise Mobility Deployment
Guide'.
XenMobile Device Manager provides whitelisting (approved) and blacklisting (forbidden) of devices based on compliance with high-level policies such as detection of jailbroken devices or detection of specific apps. The XNC local rules are typically used to augment the XDM rules in cases where specific overrides are required, for example to block all devices using a specific operating system version.
NetScaler
NetScaler delivers an extensive portfolio of essential datacenter security capabilities that are significant for mobile
users, their apps and data. NetScaler provides critically important application security, network/infrastructure security,
and identity and access management, which when combined with XenMobile MDM delivers a tightly coupled solution
that enables IT to support the security needs of mobile users and the enterprise.
About This Release
XenMobile NetScaler Connector 8.5 provides the following capabilities:
Filter-based rules to allow or block access. XenMobile NetScaler Connector evaluates a particular client
request routed through NetScaler against the organization's rules. The end result is a binary state of
allowed, in which the client is permitted to contact the Microsoft Exchange 2010 Client Access Server (CAS),
or blocked, in which the client request is dropped and access to the Exchange CAS is not permitted. Paired
with settings in the Device Manager console, you can prevent Exchange ActiveSync email access to device
users based on compliance criteria, such as when a blacklisted app is installed on the device, if the device is
jailbroken, and so on.
A two-tiered filter model. The first tier parses the incoming HTTP requests based on path-specific
information. The second tier filters based on user or device specific information. You can configure both
tiers.
Filter rules stored in configuration files. Specific filter rules pertaining to the user accounts and devices in
your organization are stored in the gateway's XML configuration files.
System Requirements. Provides system requirements for XenMobile NetScaler Connector and for the XenMobile NetScaler Connector Console.
Deploy. Provides deployment information for XenMobile NetScaler Connector.
Install and Setup. Provides information about how to install XenMobile NetScaler Connector on either its own server or on the same server as Device Manager.
Manage. Provides information on choosing a security model for your organization, creating block or allow policies, setting static or dynamic filters, and connecting to Device Manager. This section also provides information about enabling and understanding email attachment encryption.
Monitor. Provides information about enabling XenMobile NetScaler Connector logging.
Key Features
The key features of XenMobile NetScaler Connector are:
Access Control of HTTP ActiveSync requests. XenMobile NetScaler Connector can control the HTTP ActiveSync requests that mobile devices make of Exchange servers. You can build filters in XenMobile NetScaler Connector that enable you to allow or block user devices based on rules and criteria that you specify. When you set the rules in XenMobile NetScaler Connector, you can turn the rules on and off in XenMobile Device Manager, which then manages the ability of devices to access email within the organization.
Remote configuration. Device Manager controls the baseline and delta intervals used by XenMobile NetScaler Connector.
Logging. On the Log tab of the XenMobile NetScaler Connector configuration utility, you can view when encryption is enabled for a given user device at the request level, in addition to devices that are allowed or blocked.
XenMobile NetScaler Connector System Requirements
The XenMobile NetScaler Connector communicates with NetScaler over an SSL bridge configured on the NetScaler
appliance that enables the appliance to bridge all secure traffic directly to XenMobile Device Manager.
XenMobile NetScaler Connector can be installed on its own server, or on the same server as the XenMobile Device
Manager and requires the following minimum system configuration:
Component: Requirement
Computer and processor: 733 MHz Pentium III or higher processor; 2.0 GHz Pentium III or higher processor recommended.
NetScaler: NetScaler appliance with software version 10.
Memory: 1 gigabyte (GB).
Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space.
Operating system: Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 SP2 (recommended).
Other devices: Network adapter compatible with the host operating system for communication with the internal network.
Display: VGA or higher-resolution monitor.
The host computer for XenMobile NetScaler Connector requires the following minimum available hard disk space:
Application. 10 -15 MB (100 MB recommended)
Logging. 1 GB (20 GB recommended)
Deploying XenMobile NetScaler Connector
XenMobile NetScaler Connector allows you to use NetScaler to proxy and load balance Device Manager communication with XenMobile managed devices. XenMobile NetScaler Connector communicates periodically with Device Manager to synchronize policies. XenMobile NetScaler Connector and Device Manager may be clustered, together or independently, and load balanced by NetScaler.
Figure 1. XenMobile NetScaler Connector Deployment
XenMobile NetScaler Connector Components
XenMobile NetScaler Connector consists of the following four components:
XenMobile NetScaler Connector Service. This provides a REST web service interface that can be invoked
by NetScaler to determine if an ActiveSync request from a device is authorized.
XenMobile Configuration Service. This service communicates with Device Manager to synchronize Device
Manager policy changes with XenMobile NetScaler Connector.
XenMobile Notification Service. This service sends notifications of unauthorized device access to Device Manager so that Device Manager can take appropriate measures, such as notifying the user why the device was blocked.
XenMobile NetScaler Configuration. This application allows the administrator to configure and monitor
XenMobile NetScaler Connector.
Figure 2. XenMobile NetScaler Connector Components
Setting up listening addresses for the XNC web service
In order for the XenMobile NetScaler Connector to be able to receive requests from NetScaler to authorize ActiveSync traffic,
you need to specify the port on which the XenMobile NetScaler Connector will listen to NetScaler web service calls.
1. From the Start menu, select the XenMobile NetScaler Configuration utility.
2. Select the Web Service tab and type the listening addresses for the XenMobile NetScaler Connector web service. You may select HTTP and/or HTTPS. If XenMobile NetScaler Connector is co-resident with Device Manager (installed on the same server), select port values that do not conflict with Device Manager.
3. Once the values are configured, click Save, then click Start Service to start the web service.
Configuring device access control policies
In this task, you will configure the access control policy you want to apply to your managed devices.
1. In the XenMobile NetScaler Configuration utility, select the Path Filters tab.
2. Select the first row ("Microsoft-Server-ActiveSync" is for ActiveSync) and click Edit.
3. From the Policy list, select the desired policy. For a policy that is inclusive of Device Manager policies, select "Static + ZDM: Permit Mode" or "Static + ZDM: Block Mode". These policies combine local (also called static) rules with those from Device Manager. Permit Mode means that all devices not explicitly identified by the rules will be permitted access to ActiveSync. Block Mode means that such devices will be blocked.
4. When you have set the policies, click Save.
Configuring communication with the Device Manager server
In this task, you will specify the name and properties of the XenMobile Device Manager server (also known as a 'Config
Provider') which you want to use with XenMobile NetScaler Connector and NetScaler.
Note: This deployment task assumes you have already installed and configured the Device Manager server.
1. In the XenMobile NetScaler Configuration utility, select the Config Providers tab.
2. Click Add.
3. Enter the name and URL of the Device Manager server you are using in this deployment. If you have multiple XenMobile Device Manager servers deployed in a multi-tenant deployment, this Name must be unique for each server instance. For example, for Name, you could type XDM.
4. In Url, enter the Web address of the Device Manager GCP (GlobalConfig Provider), typically in the format https://DeviceManagerHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.
5. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
6. In Managing Host, enter the server name where you installed the XenMobile NetScaler Connector.
7. In Baseline Interval, specify the time period after which a new, refreshed dynamic ruleset is pulled from Device Manager.
8. In Request Timeout, specify the server request timeout interval.
9. In Config Provider, select whether this config provider server instance is providing the policy configuration.
10. In Events Enabled, enable this option if you want XenMobile NetScaler Connector to notify Device Manager when a device is blocked. This option is required if you are using XenMobile NetScaler Connector rules in any of your Device Manager Automated Actions.
11. Once the server is configured, click Test Connectivity to test the connection to the Device Manager server.
12. When connectivity has been established, click Save.
Deploying XNC for Redundancy and Scalability
If you want to scale your XNC and Device Manager deployment, you can install XNC instances on multiple Windows
servers, all pointing to the same XDM instance, and then load balance them using Citrix NetScaler.
There are two modes for XNC configuration: non-shared and shared.
In non-shared mode, each XNC instance communicates with an XDM server and keeps its own private copy
of the resulting policy. For example, if you had a cluster of Device Manager servers, you could run an XNC
instance on each XDM server and XNC would get policy from the local XDM.
In shared mode, one XNC node is designated the master and it communicates with Device Manager. The resulting configuration is shared among the other nodes either by Windows network share or by Windows (or third-party) replication.
The entire XNC configuration is in a single folder (a few XML files). The XNC Connector process detects changes to any
file in this folder and automatically reloads the configuration. There is no failover for the master in shared mode. But the
system can tolerate the master being down for minutes (for example, to reboot) because the last known good config is
cached in the XNC Connector process.
Installing XenMobile NetScaler Connector
You can install the XenMobile NetScaler Connector on its own server, or on the same server where you installed
XenMobile Device Manager.
You might consider installing the XenMobile Netscaler Connector on its own server (separate from Device Manager) for the
following reasons:
If your Device Manager server is hosted remotely in the cloud (physical location).
If you do not want your XenMobile Netscaler Connector to be affected by reboots of the Device Manager
server (availability).
If you want a server's system resources to be devoted entirely to the XenMobile Netscaler Connector
(performance)
The CPU load that XNC puts on a server depends on how many devices are managed, but a general rule of thumb is to provision one additional CPU core if XNC is deployed on the same server as XDM. For large numbers of devices (over 50 thousand), you may need to provision additional cores if you do not have a clustered environment. The memory footprint of XNC is not significant enough to warrant additional memory.
To Install XenMobile NetScaler Connector
1. Run XncInstaller.exe under an administrator account. This installs XenMobile NetScaler Connector or allows you to upgrade or remove an existing XNC.
2. Follow the onscreen instructions to complete the installation.
After the XNC installation, you must manually restart the two services XenMobile Configuration Service and XenMobile Notification Service.
Uninstalling XenMobile NetScaler Connector
1. Run XncInstaller.exe under an administrator account.
2. Follow the onscreen instructions to complete the uninstallation.
Managing XenMobile NetScaler Connector
You can use XenMobile NetScaler Connector to build access control rules to either allow or block access to ActiveSync
connection requests from managed devices based on device status, app blacklists or whitelists and a host of other
compliance conditions. Using the XenMobile NetScaler Connector utility, you can build dynamic and static rules that
enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also
set up email attachment encryption so that all attachments that pass through your Exchange server to managed devices
are encrypted and only viewable on managed devices by authorized users.
Configuring XenMobile NetScaler Connector
You can configure XenMobile NetScaler Connector to selectively block or allow ActiveSync requests based on the
following properties: Active Sync Service ID, Device type, User Agent (device operating system), Authorized user, and
ActiveSync Command.
The default configuration supports a combination of static and dynamic groups. Static groups are maintained by using the SMG Controller Configuration utility. The static groups may consist of known categories of devices, such as all devices using a given user agent. Dynamic groups are maintained by an external source called a Gateway Configuration Provider and collected by XenMobile NetScaler Connector on a periodic basis. XenMobile Device Manager is a Gateway Configuration Provider and can export groups of allowed and blocked devices and users to XenMobile NetScaler Connector.
A policy is an ordered list of groups where each group has an associated action (allow or block) and a list of members. A policy may have any number of groups. Group ordering within a policy is important because when a match is found, the action of that group is taken and subsequent groups are not evaluated.
A member defines a way to match the properties of a request. It can match a single property (such as device ID), or multiple properties (such as device type and user agent).
Choosing a Security Model for XenMobile NetScaler Connector
Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to allow access to a user, computer, or device by default, using some form of protected or quarantined network control, it is not always a good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices.
The same logic applies to mobile device security. The vast numbers of mobile devices and types, the quantity of mobile devices per user, and the array of operating system platforms and applications available make the very idea of using a permissive model a weak choice. In most organizations the restrictive model will be the most logical choice. However, it will involve some thinking to successfully roll out the XenMobile NetScaler Connector security model.
The configuration scenarios that Citrix allows for integrating XenMobile NetScaler Connector with XenMobile Device Manager are as follows:
Permissive Model (Permit Mode)
The permissive security model operates on the premise that everything is either allowed or granted access by default.
Only in the case of rules and filtering will something be blocked and a restriction applied. The permissive security model
is good for organizations that have a relatively loose security concern about mobile devices and only applies restrictive
controls to deny access where appropriate (when a policy rule is failed).
The Restrictive Model (Block Mode)
The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything
passing through the security check point is filtered and inspected, and is denied access unless the rules allowing access
are passed. The restrictive security model is good for organizations that have a relatively tight security criterion about
mobile devices. The mode only grants access for use and functionality with the network services when all rules to allow
access have passed.
Configuring XenMobile NetScaler Connector Policy Modes
XenMobile NetScaler Connector can run in the following six modes:
Allow All. This policy mode grants access for all traffic passing through XenMobile NetScaler Connector. No
other filtering rules are used.
Deny All. This policy mode blocks access for all traffic passing through XenMobile NetScaler Connector. No
other filtering rules are used.
Static Rules: Block Mode. This policy mode executes static rules with an implicit deny or block statement at
the end. Devices that are not allowed or permitted via other filter rules are blocked by XenMobile NetScaler
Connector.
Static Rules: Permit Mode. This policy mode executes static rules with an implicit permit or allow statement
at the end. Devices that are not blocked or denied via other filter rules are allowed through XenMobile
NetScaler Connector.
Static + ZDM Rules: Block Mode. This policy mode executes static rules first, followed by dynamic rules
from Device Manager with an implicit deny or block statement at the end. Devices are permitted or denied
based on defined filters and Device Manager rules. Any devices that do not match on defined filters and
rules are blocked.
Static + ZDM Rules: Permit Mode. This policy mode executes static rules first, followed by dynamic rules
from Device Manager with an implicit permit or allow statement at the end. Devices are permitted or denied
based on defined filters and Device Manager rules. Any devices that do not match on defined filters and
rules are allowed.
The XenMobile NetScaler Connector process permits or blocks for dynamic rules based on unique ActiveSync IDs for
iOS and Windows-based mobile devices received from Device Manager. Android devices differ in their behavior based
on the manufacturer and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends
user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android
device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed
because Android devices cannot be definitively differentiated. The gateway can still be configured to statically block
these devices by ActiveSyncID, if they are known, and can also be configured to block based on device type or user
agent.
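The evaluation order just described (path filter first, then static rules, then the Device Manager dynamic groups, then the mode's implicit final action, with the first match deciding) as an added Python model. This is example code written for this page, not Citrix's connector code. The class and rule names, the sample device lists, and the assumption that a path with no filter is refused are constructed for the illustration; the six modes, first-match ordering, the static-rule criteria and the Android user-ID behaviour follow the text above.

```python
"""Model of the XenMobile NetScaler Connector decision described above.

Added illustration, not Citrix code. Classes, rule and group names and the
sample data are assumptions made for this example; the six policy modes,
first-match ordering (static rules before Device Manager dynamic groups),
the implicit final action and the Android user-ID caveat follow the text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ALLOW, BLOCK = "Allow", "Block"

# policy mode -> (evaluate static rules, evaluate ZDM dynamic groups, implicit final action)
MODES = {
    "Allow All": (False, False, ALLOW),
    "Deny All": (False, False, BLOCK),
    "Static Rules: Block Mode": (True, False, BLOCK),
    "Static Rules: Permit Mode": (True, False, ALLOW),
    "Static + ZDM Rules: Block Mode": (True, True, BLOCK),
    "Static + ZDM Rules: Permit Mode": (True, True, ALLOW),
}


@dataclass(frozen=True)
class Request:
    path: str         # tier 1: request path, for example /Microsoft-Server-ActiveSync
    user: str         # domain\username as captured at enrollment
    device_id: str    # ActiveSyncID
    device_type: str  # iPhone, iPad, Android, ...
    user_agent: str   # ActiveSync client / OS build string


@dataclass
class StaticRule:
    """One row of the Static Rules tab; criteria left as None match anything."""
    name: str
    action: str
    user: Optional[str] = None
    device_id: Optional[str] = None
    device_type: Optional[str] = None
    user_agent: Optional[str] = None
    regex: bool = False     # regular-expression values need the mode enabled in config.xml
    disabled: bool = False  # the Disabled check box

    def matches(self, r: Request) -> bool:
        if self.disabled:
            return False
        for want, have in ((self.user, r.user), (self.device_id, r.device_id),
                           (self.device_type, r.device_type), (self.user_agent, r.user_agent)):
            if want is None:
                continue
            if self.regex:
                if re.fullmatch(want, have, re.IGNORECASE) is None:
                    return False
            elif want.lower() != have.lower():
                return False
        return True


@dataclass
class DynamicGroup:
    """A Device List exported by Device Manager plus the Allow/Deny chosen for it."""
    name: str
    action: str
    device_ids: Set[str]     # iOS and Windows devices, keyed by ActiveSyncID
    android_users: Set[str]  # Android devices, keyed by user ID only


def evaluate(req: Request, path_filters: Dict[str, str], static_rules: List[StaticRule],
             dynamic_groups: List[DynamicGroup], android_per_user: Dict[str, int]) -> Tuple[str, str]:
    """Return (decision, reason). The first matching rule or group wins; nothing after it runs."""
    mode = path_filters.get(req.path)
    if mode is None:  # assumption: a path without a filter is not ActiveSync traffic, so refuse it
        return BLOCK, "no path filter for " + req.path
    use_static, use_dynamic, default = MODES[mode]
    if use_static:
        for rule in static_rules:
            if rule.matches(req):
                return rule.action, "static:" + rule.name
    if use_dynamic:
        for g in dynamic_groups:
            if req.device_type.lower() == "android":
                if req.user in g.android_users:
                    if android_per_user.get(req.user, 0) > 1:
                        # the user's Android devices cannot be told apart, so they are all allowed
                        return ALLOW, "dynamic:" + g.name + " (ambiguous Android)"
                    return g.action, "dynamic:" + g.name
            elif req.device_id in g.device_ids:
                return g.action, "dynamic:" + g.name
    return default, "implicit default of " + mode


# Constructed sample path filter, static rules and Device Manager exports.
PATH_FILTERS = {"/Microsoft-Server-ActiveSync": "Static + ZDM Rules: Block Mode"}
STATIC_RULES = [
    StaticRule("AllowHelpdesk", ALLOW, user="CORP\\helpdesk"),
    StaticRule("BlockOldAndroid", BLOCK, user_agent=r"Android/2\..*", regex=True),
]
DYNAMIC_GROUPS = [
    DynamicGroup("Jailbroken", BLOCK, {"Appl0000JAILBRK"}, {"CORP\\carol", "CORP\\gina"}),
    DynamicGroup("Compliant", ALLOW, {"Appl0000COMPLNT"}, {"CORP\\dave"}),
]
ANDROID_PER_USER = {"CORP\\carol": 2, "CORP\\gina": 1, "CORP\\dave": 1}


def decide(req: Request) -> Tuple[str, str]:
    return evaluate(req, PATH_FILTERS, STATIC_RULES, DYNAMIC_GROUPS, ANDROID_PER_USER)


if __name__ == "__main__":
    eas = "/Microsoft-Server-ActiveSync"
    for r in (Request(eas, "CORP\\bob", "Appl0000JAILBRK", "iPhone", "Apple-iPhone5C2/1104.257"),
              Request(eas, "CORP\\carol", "ANDR0001", "Android", "Android/4.4"),
              Request(eas, "CORP\\frank", "Appl0000UNKNOWN", "iPad", "Apple-iPad3C1/1104.257")):
        print(r.user, r.device_id, decide(r))
```

Switching the path filter to a Permit Mode policy changes only the last line of evaluate, which is why an unknown device ends up allowed there and blocked under a Block Mode policy; the static rule by user agent still blocks old Android clients before the ambiguous user-ID step is reached.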
To specify the policy mode, in the SMG Controller Configuration utility, do the following:
1. Click the Path Filters tab and then click Add.
2. In the Path Properties dialog box, select a policy mode from the Policy drop-down list and then click Save.
You can review rules on the Policies tab of the configuration utility. The rules are processed on XenMobile NetScaler Connector from top to bottom. The Allow policies are displayed with a green check mark. The Deny policies are shown as a red circle with a line through it. To refresh the screen and see the most up-to-date rules, click Refresh. You can also modify the ordering of rules in the config.xml file.
To test rules, click the Simulator tab. Specify values in the fields; these can also be obtained from the logs. A result message appears specifying Allow or Block.
Configuring static rules
You must enter static rules with values that are read by the ISAPI filtering of the ActiveSync connection HTTP request.
Static rules enable XenMobile NetScaler Connector to permit or block traffic by the following criteria:
User. XenMobile NetScaler Connector uses the authorized user value and name structure that was captured during device enrollment. This is commonly found as domain\username as referenced by the server running XenMobile Device Manager connected to Active Directory via LDAP. The Log tab within the XenMobile NetScaler Connector configuration utility shows the values that are passed through XenMobile NetScaler Connector if the value structure needs to be determined or is different.
Deviceid (ActiveSyncID). Also known as the ActiveSyncID of the connected device. This value is commonly found within the specific device properties page in the Device Manager web console. This value can also be screened from the Log tab in the XenMobile NetScaler Connector configuration utility.
DeviceType. XenMobile NetScaler Connector can determine if a device is an iPhone, iPad or other device
type and permit or block based on that criteria. As with other values, the XenMobile NetScaler Connector
utility can reveal all connected device types being processed for the ActiveSync connection.
UserAgent. Contains information on the ActiveSync client that is utilized. In most cases, the value specified
corresponds to a specific operating system build and version for the mobile device platform.
The XenMobile NetScaler Connector utility running on the server always manages the static rules.
1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.
2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, you can allow access for a user by entering the user name (for example, AllowedUser) and clearing the Disabled check box.
3. Click Save. The static rule is now in effect. Additionally, you can use regular expressions to define values, but you must enable the rule processing mode in the config.xml file.
Configuring dynamic rules
Dynamic rules are defined by device policies and properties in XenMobile Device Manager and can trigger a dynamic
XenMobile NetScaler Connector filter based on the presence of a policy violation or property setting. The XenMobile
NetScaler Connector filters work by analyzing a device for a given policy violation or property setting and if the device
meets the criteria, the device is placed in a Device List. This Device List is neither an allow list or a block list. It is a list of
devices that meet the criteria defined. The following configuration options enable you to define whether you want to
allow or deny the devices in the Device List by using XenMobile NetScaler Connector.
Note: These dynamic rules must be configured on the Device Manager web console.
1. Open the Device Manager web console and then click Options from the console banner.
2. In the left-hand navigation, click Mobile Configuration and then click XenMobile NetScaler Connector.
3. In the Enable column, select the check boxes for the filters that you want to enable and then select either the Allow or Deny check box.
Configuring custom policies by editing the XenMobile NetScaler Connector XML file
You can view the basic policies in the default configuration on the Policies tab of the configuration tool. If you want to create custom policies, you can edit the XML configuration file (config\config.xml).
1. Find the PolicyList section in the file and add a new Policy element.
2. If a new Group is also required, such as an additional static group or to support an additional GCP, add the new Group element to the GroupList section.
3. Optionally, you can change the ordering of Groups within an existing Policy by rearranging the GroupRef elements.
Configuring the XenMobile NetScaler Connector XML File
XenMobile NetScaler Connector uses an XML configuration file to guide its actions. Among other entries, the file
specifies the group files and associated actions the filter will take when evaluating HTTP requests. By default, the file is
named config.xml and can be found at the following location: ..\Program Files\Citrix\XenMobile NetScaler
Connector\config\.
GroupRef Nodes
The GroupRef nodes define the logical group names - by default, the AllowGroup and the DenyGroup.
Note: The order of the GroupRef nodes as they appear in the GroupRefList node is significant.
The id value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attribute specifies how the filter will treat a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set will "pass" (be allowed to access the Exchange CAS), while a user account or device that matches a rule in the DenyGroup set will be "rejected" (not allowed to access the Exchange CAS).
When a particular user account/device or combination meets rules in both groups, a precedence convention is used to
direct the request's outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top
to bottom. The GroupRef nodes are ranked in priority order. Thus, the nodes shown in the figure above (which depicts
the default order) are such that rules for a given condition in the Allow group will always take precedence over rules for
the same condition in the Deny group.
Group Nodes
Additionally, the config.xml defines Group nodes. These nodes link the logical containers AllowGroup and DenyGroup to
external XML files. Entries stored in the external files form the basis of the filter rules.
Note: In this release, only external XML files are supported.
The default installation implements two XML files in the configuration: allow.xml and deny.xml.
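A worked example of the file layout just described, added here and not taken from the product: a small loader that reads a config.xml whose GroupRef order fixes precedence, pulls the members in from the external allow.xml and deny.xml files, rejects a GroupRef that names no Group, and shows a device listed in both files passing or being rejected depending only on that order. The Config root element, the file attribute on Group, the default attribute on Policy, the Member element inside the group files and all sample entries are assumptions made for this example; only the element names named in the text are taken from it.

```python
"""Loading and checking a config.xml laid out as the text above describes.

Added illustration, not Citrix code. PolicyList, Policy, GroupRefList,
GroupRef (id, action), GroupList, Group and the external allow.xml/deny.xml
files come from the text; the Config root, the file attribute on Group, the
default attribute on Policy, the Member element and all sample contents are
assumptions for this example. Files go to a temporary folder so it runs offline.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence, Tuple

CONFIG_TEMPLATE = """<Config>
  <GroupList>
    <Group id="AllowGroup" file="allow.xml"/>
    <Group id="DenyGroup" file="deny.xml"/>
  </GroupList>
  <PolicyList>
    <Policy id="Static Rules: Block Mode" default="Block">
      <GroupRefList>
%s
      </GroupRefList>
    </Policy>
  </PolicyList>
</Config>
"""
# A Member lists the request properties it must match; when several are given, all must match.
ALLOW_XML = """<Members>
  <Member user="CORP\\alice"/>
  <Member deviceId="Appl0000SHARED1"/>
</Members>
"""
DENY_XML = """<Members>
  <Member deviceId="Appl0000SHARED1"/>
  <Member deviceType="Android" userAgent="Android/2.3"/>
</Members>
"""


def render_config(group_refs: Sequence[Tuple[str, str]]) -> str:
    """GroupRef order is the precedence order, so it is the one thing this example varies."""
    refs = "\n".join('        <GroupRef id="%s" action="%s"/>' % r for r in group_refs)
    return CONFIG_TEMPLATE % refs


def write_files(folder: str, config_text: str) -> None:
    for name, body in (("config.xml", config_text), ("allow.xml", ALLOW_XML), ("deny.xml", DENY_XML)):
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def load_config(folder: str) -> dict:
    """Parse config.xml, pull in the external group files and validate every GroupRef id."""
    root = ET.parse(os.path.join(folder, "config.xml")).getroot()
    groups: Dict[str, List[Dict[str, str]]] = {}
    for g in root.iter("Group"):
        members = ET.parse(os.path.join(folder, g.get("file"))).getroot()
        groups[g.get("id")] = [dict(m.attrib) for m in members.iter("Member")]
    policies: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {}
    for p in root.iter("Policy"):
        refs = [(ref.get("id"), ref.get("action")) for ref in p.iter("GroupRef")]
        for gid, _ in refs:
            if gid not in groups:  # a typo here would otherwise silently drop a whole group
                raise ValueError("policy %r references unknown group %r" % (p.get("id"), gid))
        policies[p.get("id")] = (p.get("default"), refs)
    return {"groups": groups, "policies": policies}


def decide(config: dict, policy_id: str, request: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Walk GroupRefs in file order; the first group with a matching member decides."""
    default, refs = config["policies"][policy_id]
    for gid, action in refs:
        for member in config["groups"][gid]:
            if all(request.get(k, "").lower() == v.lower() for k, v in member.items()):
                return action, gid
    return default, None


def folder_signature(folder: str) -> Tuple[Tuple[str, int, int], ...]:
    """Name, size and mtime of each file: the kind of change check that triggers a reload."""
    sig = []
    for name in sorted(os.listdir(folder)):
        st = os.stat(os.path.join(folder, name))
        sig.append((name, st.st_size, st.st_mtime_ns))
    return tuple(sig)


def demo() -> dict:
    policy = "Static Rules: Block Mode"
    shared = {"user": "CORP\\bob", "deviceId": "Appl0000SHARED1", "deviceType": "iPhone",
              "userAgent": "Apple-iPhone5C2/1104.257"}
    unknown = {"user": "CORP\\nobody", "deviceId": "Appl0000NOBODY0", "deviceType": "iPad",
               "userAgent": "Apple-iPad3C1/1104.257"}
    with tempfile.TemporaryDirectory() as folder:
        write_files(folder, render_config([("AllowGroup", "Allow"), ("DenyGroup", "Block")]))
        cfg = load_config(folder)
        before = folder_signature(folder)
        out = {"allow_first": decide(cfg, policy, shared),  # in both files; AllowGroup is first
               "unknown": decide(cfg, policy, unknown)}     # matches nothing; policy default
        # Reorder the GroupRefs on disk: the same device is now rejected, and the folder
        # signature changes, which is what a reload-on-change watcher keys on.
        write_files(folder, render_config([("DenyGroup", "Block"), ("AllowGroup", "Allow")])
                    + "<!-- reordered -->\n")
        out["changed"] = folder_signature(folder) != before
        out["deny_first"] = decide(load_config(folder), policy, shared)
        write_files(folder, render_config([("NoSuchGroup", "Allow")]))
        try:
            load_config(folder)
            out["bad_ref_rejected"] = False
        except ValueError:
            out["bad_ref_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The validation step matters in practice: the connector process reloads the folder on any change, so a mistyped GroupRef id in a hand-edited config.xml should fail loudly at load time rather than quietly remove an allow or deny group from the running policy.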
Importing a policy from Device Manager
1. In the XenMobile NetScaler Configuration utility, click the Config Providers tab and then click Add.
2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and that has administrative privileges.
3. In Url, enter the Web address of the XenMobile Device Manager Gateway Configuration Service (GCP), typically in the format https://xdmHost/xdm/services/MagConfigService. The MagConfigService name is case sensitive.
4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
5. Click Test Connectivity to test gateway to configuration provider connectivity. If the connection fails, check that your local firewall settings allow the connection, or check with your administrator.
6. When a connection is successfully made, clear the Disabled check box and then click Save.
7. In Managing Host, leave the default DNS name of the local host computer. This setting is used to coordinate communication with Device Manager when multiple Forefront Threat Management Gateway (TMG) servers are configured in an array.
After you save the settings, open the GCS.
Configuring a connection to XenMobile NetScaler Connector
XenMobile NetScaler Connector communicates with XenMobile Device Manager and other remote configuration providers through secure web services.
1. In the XenMobile NetScaler Connector utility, click the Config Providers tab and then click Add.
2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and has administrative privileges.
3. In Url, enter the Web address of the Device Manager GCP, typically in the format https://ZdmHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.
4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
5. In Managing Host, enter the XenMobile NetScaler Connector server name.
6. In Baseline Interval, specify the time period after which a new, refreshed dynamic ruleset is pulled from Device Manager.
7. In Delta Interval, specify the time period after which an update of dynamic rules is pulled.
8. In Request Timeout, specify the server request timeout interval.
9. In Config Provider, select whether this config provider server instance is providing the policy configuration.
10. In Events Enabled, enable this option if you want XenMobile NetScaler Connector to notify Device Manager when a device is blocked. This option is required if you are using XenMobile NetScaler Connector rules in any of your Device Manager Automated Actions.
11. Click Save and then click Test Connectivity to test gateway to configuration provider connectivity. If the connection fails, check that the local firewall settings allow the connection or contact the Device Manager administrator.
12. When the connection succeeds, clear the Disabled check box and then click Save.
When you add a new configuration provider, XenMobile NetScaler Connector automatically creates one or more policies
associated with the provider. These policies are defined by a template definition contained in config\policyTemplates.xml
in the NewPolicyTemplate section. For each Policy element defined within this section, a new policy is created. The
operator may add, remove, or modify policy elements provided that the policy element conforms to the schema
definition, and that the standard substitution strings (enclosed in braces) are not modified. Next, add new groups for the
provider and update the policy to include the new groups.
Choosing Filters for XenMobile NetScaler Connector
XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting. If the device
meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of
devices that meet the criteria defined. The following filters are available for XenMobile NetScaler Connector within XenMobile
Device Manager.
Blacklisted Apps. Allows or denies devices based on the Device List defined by Blacklist policies and the
presence of blacklisted apps.
Whitelisted Apps only. Allows or denies devices based on the Device List defined by Whitelist policies and
the presence of non-whitelisted apps.
Unmanaged Devices. Creates a Device List of all devices in the Device Manager database. The Mobile
Application Gateway needs to be deployed in a Block Mode.
Rooted Android /Jailbroken iOS Devices. Creates a Device List of all devices flagged as rooted and allows
or denies based on rooted status.
Out of Compliance Devices. Allows you to deny or allow devices that meet your own internal IT compliance
criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, which
is a Boolean flag that can be either True or False. (You can create this property manually and set the value,
or you can use Automated Actions to create this property on a device if the device does or does not meet
specific criteria.)
Out of Compliance = True. If a device does not meet the compliance standards and policy definitions set
by your IT department, the device is out of compliance.
Out of Compliance = False. If a device does meet the compliance standards and policy definitions set by
your IT department, the device is compliant.
Noncompliant password. Creates a Device List of all devices that do not have a passcode on the device.
Revoked Status. Creates a Device List of all revoked devices and allows or denies based on revoked status.
Inactive devices. Creates a Device List of devices that have not communicated with Device Manager within
a specified period of time and are thus considered inactive and allows or denies the devices accordingly.
Anonymous Devices. Allows or denies those devices that are enrolled in Device Manager but the user's
identity is unknown. For example, this could be a user who was enrolled but their Active Directory password
is expired, or a user who enrolled with unknown credentials.
Implicit Allow / Deny. Creates a Device List of all devices that do not meet any of the other filter rule criteria
and allows or denies based on that list. The Implicit Allow/Deny option ensures that the XenMobile
NetScaler Connector status in the Devices tab is enabled and shows XenMobile NetScaler Connector status
for your devices. The Implicit Allow/Deny option also controls all of the other XenMobile NetScaler
Connector filters that have not been selected. For example, Blacklisted Apps will be denied (blocked) by
XenMobile NetScaler Connector, whereas all other filters will be allowed because the Implicit Allow/Deny
option is set to Allow.
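As an added illustration (not code from the Citrix documentation or from the product), the following Python model shows how these filters produce Device Lists from device properties and how the selected Allow/Deny actions together with the Implicit Allow/Deny option turn those lists into a per-device verdict. The device record fields, the sample inventory and the 30-day inactivity window are constructed assumptions; the tie-break when a device lands in both a Deny list and an Allow list is also an assumption, since the page does not specify one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Device:
    """Constructed model of a Device Manager device record (assumed fields)."""
    device_id: str
    user: Optional[str]        # None = enrolled but the user's identity is unknown
    installed_apps: Set[str]
    rooted: bool               # rooted Android or jailbroken iOS
    has_passcode: bool
    out_of_compliance: bool    # the Boolean "Out of Compliance" device property
    revoked: bool
    last_seen: datetime        # last communication with Device Manager


# Shared context: the app lists, the clock and the inactivity window.
Context = Dict[str, object]

# One predicate per filter named on the page. "Unmanaged Devices" is omitted because
# it is built from the whole Device Manager database, not from a device's properties.
FILTERS: Dict[str, Callable[[Device, Context], bool]] = {
    "Blacklisted Apps": lambda d, c: bool(d.installed_apps & c["blacklist"]),
    "Whitelisted Apps only": lambda d, c: bool(d.installed_apps - c["whitelist"]),
    "Rooted Android /Jailbroken iOS Devices": lambda d, c: d.rooted,
    "Out of Compliance Devices": lambda d, c: d.out_of_compliance,
    "Noncompliant password": lambda d, c: not d.has_passcode,
    "Revoked Status": lambda d, c: d.revoked,
    "Inactive devices": lambda d, c: c["now"] - d.last_seen > c["inactive_after"],
    "Anonymous Devices": lambda d, c: d.user is None,
}


def build_device_lists(devices: List[Device], ctx: Context) -> Dict[str, Set[str]]:
    """Each filter yields a Device List: the ids of the devices meeting its criteria.
    The list itself is neither an allow list nor a block list."""
    return {name: {d.device_id for d in devices if pred(d, ctx)}
            for name, pred in FILTERS.items()}


def decide(devices: List[Device], ctx: Context,
           selected: Dict[str, str], implicit: str) -> Dict[str, str]:
    """selected maps a filter name to "Allow" or "Deny" for the filters the operator
    turned on; devices matched by no selected filter get the Implicit Allow/Deny action.
    Assumption (the page does not say): a device in both a Deny list and an Allow list is denied."""
    lists = build_device_lists(devices, ctx)
    verdict = {}
    for d in devices:
        hits = {action for name, action in selected.items() if d.device_id in lists[name]}
        if "Deny" in hits:
            verdict[d.device_id] = "Deny"
        elif "Allow" in hits:
            verdict[d.device_id] = "Allow"
        else:
            verdict[d.device_id] = implicit
    return verdict


def constructed_inventory():
    """A small constructed device inventory and context for the demonstration."""
    now = datetime(2015, 7, 1)
    ctx = {"blacklist": {"com.example.badapp"},
           "whitelist": {"com.example.mail", "com.example.ok"},
           "now": now, "inactive_after": timedelta(days=30)}
    devices = [
        Device("dev-alice-1", "alice", {"com.example.badapp"}, False, True, False, False, now - timedelta(days=1)),
        Device("dev-bob-1", "bob", set(), True, True, False, False, now - timedelta(days=2)),
        Device("dev-anon-1", None, set(), False, False, False, False, now - timedelta(days=60)),
        Device("dev-carol-1", "carol", {"com.example.ok"}, False, True, False, False, now),
    ]
    return devices, ctx


if __name__ == "__main__":
    devices, ctx = constructed_inventory()
    # The page's example: Blacklisted Apps set to Deny, Implicit Allow/Deny set to Allow.
    for dev_id, action in decide(devices, ctx, {"Blacklisted Apps": "Deny"}, "Allow").items():
        print(dev_id, action)
```

Running the model with only Blacklisted Apps selected (Deny) and Implicit Allow/Deny set to Allow reproduces the page's example: the device carrying a blacklisted app is denied and every other device, including the anonymous and inactive one, is allowed because its filters were not selected.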
Simulating ActiveSync traffic
You can use the XenMobile NetScaler Connector to simulate what ActiveSync traffic will look like in conjunction with your
policies to test your configurations.
In the XenMobile NetScaler Configuration utility, select the Simulations tab.
The results show you how your policies will apply according to the rules you have configured.
Monitoring XenMobile NetScaler Connector
The XenMobile NetScaler Connector utility provides detailed logging that you can use to view all traffic passing through
your Exchange server that is either allowed or blocked by Secure Mobile Gateway.
Use the Log tab to view the history of the ActiveSync requests forwarded to XenMobile NetScaler Connector by NetScaler
for authorization.
Also, to make sure the XNC web service is running, you can load the following URL into a browser on the XNC server:
http:///services/ActiveSync/Version. If this returns the product version as a string, the web service is
responsive.
XenMobile Mail Manager 8.5
The XenMobile Mail Manager (XMM) allows you to utilize XenMobile Device Manager (XDM) to gain Dynamic Access
Control for Exchange Active Sync (EAS) devices, to access EAS device partnership information provided by Exchange,
to perform an EAS Wipe on a mobile device, to access information about Blackberry devices, and to perform control
operations such as Wipe and ResetPassword.
The XenMobile Mail Manager (XMM) provides the functionality that extends the capabilities of the XenMobile Device
Manager (Device Manager) in the following ways:
Dynamic Access Control for Exchange Active Sync (EAS) devices. Based on rules defined by XenMobile
Device Manager and/or XenMobile Mail Manager, EAS devices can be automatically allowed or blocked
access to Exchange services.
Provides the ability for Device Manager to access EAS device partnership information provided by
Exchange. This allows Device Manager to view and manage EAS devices that have never been enrolled in
Device Manager.
Provides the ability for Device Manager to perform an EAS Wipe on a mobile device.
Provides the ability for Device Manager to access information about Blackberry devices, and to perform
control operations such as Wipe and ResetPassword.
XenMobile Mail Manager Components
The XenMobile Mail Manager consists of three main components:
Exchange ActiveSync (EAS) Access Control Management. This component communicates with Device
Manager to retrieve EAS policies from Device Manager, and then merges this policy with any locally defined
policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies
allow extending the policy rules to allow access control by AD Group, User, Device Type, or Device User
Agent (generally the mobile platform version).
Remote Powershell Management. This component is responsible for scheduling and invoking remote
PowerShell commands to enact the policy compiled by EAS Access Control Management. It periodically
snapshots the EAS database to detect new or changed EAS devices.
Mobile Service Provider. This component provides a web service interface so that Device Manager can
query EAS and/or Blackberry devices, and issue control operations such as Wipe against them. This
capability was previously provided by the ZsmLite\ZMSP products.
Figure 1. XenMobile Mail Manager Components
XenMobile Mail Manager System and Software Requirements
The XenMobile Mail Manager (XMM) requires the following minimum system configuration:
Component: Requirement
Computer and processor: Pentium III 733 MHz or higher processor. 2.0 GHz Pentium III or higher processor (recommended)
Operating system: Windows Server 2008 R2 or 2012
Server software: Microsoft SQL Server 2008 or 2012, or Microsoft SQL Server Express 2008 or 2012, or Microsoft SQL
Server 2012 Express LocalDB; Microsoft .NET Framework 4.5; Exchange Server 2010 SP2 or later; Microsoft Office 365;
Blackberry Enterprise Service, version 5 (optional, if managing BlackBerry devices)
Server machine requirements: Windows Management Framework must be installed; PowerShell V2 supported; the
PowerShell execution policy must be set to RemoteSigned by running Set-ExecutionPolicy RemoteSigned from the
PowerShell command prompt
Memory: 1 gigabyte (GB)
Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space
Other devices: Network adapter compatible with the host operating system for communication with the internal network
Display: VGA or higher-resolution monitor
Onsite Exchange Requirements
If you are using XenMobile Mail Manager with an onsite instance of Microsoft Exchange, you will need to ensure that
your deployment meets the following requirements:
Permissions
Exchange role-based access control (RBAC) is beyond the scope of this topic; however, at a minimum, the credentials
specified in the Exchange Configuration Management Console must be able to connect to Exchange Server and be
allowed to execute the following Exchange-specific PowerShell cmdlets:
Get-CASMailbox
Set-CASMailbox
Get-Mailbox
Get-ActiveSyncDevice
Get-ActiveSyncDeviceStatistics
Clear-ActiveSyncDevice
As documented by Microsoft, in order to establish a remote connection and run remote commands, the credentials must
correspond to a user who is an administrator on the remote machine.
Additionally, the Exchange Server must be configured to support remote PowerShell requests via HTTP. Typically, an
administrator running the following PowerShell command on the Exchange Server is all that is required: WinRM
QuickConfig.
Throttling Policy Considerations
Among the many Exchange throttling policies, one policy controls how many concurrent PowerShell connections are
allowed per user. The default number of simultaneous connections allowed for a user is 18 on Exchange 2010. When
the connection limit is reached, XenMobile Mail Manager cannot connect to Exchange Server.
Although there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends
that you investigate the Exchange throttling policies as related to remote management with PowerShell that best suit the
demands of your Exchange environment.
Office 365 Exchange Requirements
If you are using XenMobile Mail Manager (XMM) with an instance of Microsoft Exchange hosted through Office 365, you
will need to ensure that your deployment meets the following requirements.
Permissions
Exchange’s Role-Based Access Control (RBAC) is beyond the scope of this help topic; however, at a minimum the
credentials specified in the Exchange Configuration Management Console must be able to connect to the Exchange
Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:
Get-CASMailbox
Set-CASMailbox
Get-Mailbox
Get-ActiveSyncDevice
Get-ActiveSyncDeviceStatistics
Clear-ActiveSyncDevice
The supplied credentials must have been granted the right to connect to the Office 365 server through the remote Shell.
By default, Office 365 online admin has the requisite privileges.
Throttling Policy Considerations
Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed
per user. The default number of simultaneous connections allowed for a user is three on Office 365. Once the
connection limit is reached, XMM will not be able to connect to the Exchange server.
While there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends
that you investigate Exchange’s throttling policies as related to remote management with PowerShell that best suit
the demands of your Exchange environment.
Installing XenMobile Mail Manager
The following conditions must be met before installing XenMobile Mail Manager:
If .NET Framework 4.5 is not installed, download and install from www.Microsoft.com.
If a Microsoft SQL Server is not installed or available remotely, install one of the following:
Microsoft SQL Server 2008
Microsoft SQL Server 2008 SqlExpress
Microsoft SQL Server 2012
Microsoft SQL Server 2012 SqlExpress
Microsoft SQL Server 2012 SqlExpress\LocalDB
XMM 'One LDAP Per Domain' Caveat
XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP
configuration (such as the root domain, sub domain, and so on), you will need to install XMM for each domain.
You can set LDAP connection properties to use the Global Catalog Server, which will give you access to global groups
across domains. To do this, you modify the connection string from "LDAP:" to "GC:".
For example, instead of "LDAP://dc=citrix, dc=com", use "GC://dc=citrix, dc=com".
To install the XenMobile Mail Manager:
Once the above conditions have been met, install the XenMobile Mail Manager by clicking the XmmSetup.msi file and
following the onscreen instructions.
Configuring XenMobile Mail Manager
You can use the XenMobile Mail Manager Configuration utility to extend the capabilities of XenMobile Device Manager to
create access control rules that can either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange
services. You can build dynamic and static rules that enforce corporate email policies, allowing you to block those users
in violation of compliance standards. You can also use the utility to perform an EAS wipe on out of compliance devices.
The XenMobile Mail Manager also provides the ability to access information about Blackberry devices and to perform
control operations such as Wipe and ResetPassword.
Configuring the Exchange Server
From the Start menu, launch XenMobile Mail Manager.
In the XenMobile Mail Manager utility, click the Configure > Exchange tab.
Select the type of Exchange server environment, either On premise or Office 365. If you select On-premise, enter the
name of the Exchange CAS server that will be used for Remote Powershell commands.
Enter the User name of a Windows identity that has sufficient rights on the Exchange server. For more information on
permissions required for XMM to access the Exchange server, see Onsite Exchange Requirements and Office 365
Exchange Requirements.
Enter the Password for the User.
Select the schedule for running Major snapshots. A major snapshot detects every EAS partnership.
Select the schedule for running Minor snapshots. A minor snapshot detects newly created EAS partnerships.
Next, select whether you want the XenMobile Mail Manager to take Deep or Shallow snapshots. Shallow snapshots are
faster and are sufficient to perform all the EAS Access Control functions of XenMobile Mail Manager. Deep snapshots
may take significantly longer and are only needed if the Mobile Service Provider is enabled for ActiveSync (which
allows Device Manager to query for unmanaged devices). If you are configuring XenMobile Mail Manager with a
Mobile Service Provider (MSP) ActiveSync interface, for example, to apply access control rules to unmanaged
BlackBerry devices from a BES server, you must choose Deep snapshots. If MSP ActiveSync capability is not
required, Citrix recommends using shallow snapshots for better performance.
Click Test Connectivity to check that a connection can be made to the Exchange server.
Click Save. When prompted by a message asking if you would like to restart the service, click Yes.
Configuring database properties
The first task in configuring the XenMobile Mail Manager requires configuring a connection to the database it will be
using to store data.
From the Start menu, launch XenMobile Mail Manager.
In the XenMobile Mail Manager utility, click the Configure > Database tab.
Enter the Server name of the SQL Server (defaults to localhost).
Let the Database name be set to the default (CitrixXmm).
In the Authentication field, from the drop-down, select the Authentication mode used for SQL:
SQL. If you choose this authentication, then enter the username and password of a valid SQL user.
Windows Integrated. If you choose this option, then the Logon credential of the XenMobile Mail Manager
Service must be changed to a Windows account that is compatible. To do this, launch Control Panel >
Administrative Tools > Services, right-click the XenMobile Mail Manager Service entry and select the Log On
tab.
Click Test Connectivity to check that a connection can be made to the SQL server.
Click Save. When prompted by a dialog asking if you would like to restart the service, click Yes.
Configuring a Mobile Service Provider
Configuring a Mobile Service Provider (MSP) is optional and needed only if the Device Manager server is also
configured to use the Mobile Service Provider interface to query unmanaged devices; for example: BlackBerry devices
from a BlackBerry Enterprise Server (BES).
Note: XMM manages BlackBerry devices from BES 4.1 and BES 5 servers, BB Z10 devices and other ActiveSync devices
from Exchange 2010. http/https protocols used should be consistent between XMM and XDM.
From the Start menu, launch XenMobile Mail Manager.
Click the Configure > MSP tab.
Set the Service Transport type (HTTP or HTTPS) for the MSP service.
Set the Service port (typically 80 or 443) for the MSP service.
Set the Authorization Group or User. This sets the user or set of users that will be able to connect to the MSP service
from the Device Manager server.
Select Enable ActiveSync if you want to enable ActiveSync queries. Note: If ActiveSync queries are enabled for the
Device Manager server then the Snapshot type for the Exchange server(s) must be set to Deep. Be aware that this
could have significant performance costs for performing snapshots.
Click Save.
Configuring the Mobile Service Provider hostname in Device Manager
Once you have configured the XMM to use the Mobile Service Provider web service interface to query unmanaged
devices (if you want to manage ActiveSync traffic of BlackBerry devices from the BES 5 server), then you need to
configure the Device Manager server to connect to the XMM server.
Log in to the Device Manager web console.
Click Options.
In the Options dialog, select Modules Configuration > Mobile Service Provider.
Enter the following information:
Web service URL. This is the hostname of the XMM server. For example: http://XmmServer/services/zdmservice.
Username. Username of the administrator account on the XMM server. For example: domain\admin.
Password. Password for the administrator account on the XMM server.
Enable automatic update of BlackBerry and ActiveSync devices connections. Select this option.
Click Check Connection to test the communication between XMM and Device Manager.
Click Close.
Configuring Blackberry BES servers (optional)
From the Start menu, launch XenMobile Mail Manager.
Click the Configure > MSP tab.
Under BlackBerry Configuration, click Add.
In the BES Properties dialog box, type the Server name of the BES SQL server.
Type the database name of the BES Management database.
Next, select the Authentication mode for server access. If Windows Integrated authentication is selected, the user
account of the XenMobile Mail Manager service is the account that is used to connect to the BES SQL Server. If SQL
authentication is selected, enter the user name and password.
Set the Sync Schedule. This is the schedule used to connect to the BES SQL server and check for any device
updates.
Click Test Connectivity to check connectivity to the SQL server.
Note: If Windows Integrated is selected, this test uses the currently logged in user and not the XenMobile Mail
Manager Service user and therefore does not accurately test SQL authentication.
If you want to support remote Wipe and/or ResetPassword of BlackBerry devices from Device Manager, select
Enabled. In the fields, enter the following information:
The BAS Server FQDN.
The BAS Server port used for the Admin web service.
The fully qualified User and Password required by the BES service.
Click Test Connectivity to test the connection to the BES server.
Click Save.
XenMobile Mail Manager and Exchange 'Quarantine' Mode
The XenMobile Mail Manager can be indispensable when configured in conjunction with Microsoft Exchange's
"Quarantine" mode, which allows an Exchange admin to quarantine a user's device until that device can be
determined to be compliant. (In Exchange quarantine mode, a user's email inbox is blocked, but the user can still see
their calendar, appointments, and contacts.)
For example, when a user configures a corporate email account on their personal device, as soon as the user connects to
the Exchange server, the user's new device is placed into quarantine mode. Exchange allows the administrator to have
a mail sent to a new user telling them they need to enroll their new device in XenMobile Device Manager.
When the new device is then enrolled in Device Manager, the Device Manager will then notify the XenMobile Mail
Manager to un-quarantine (or Allow) the device, provided the device is compliant with Device Manager policy. This
policy is defined in Device Manager’s SMG Options dialog box.
Understanding XenMobile Mail Manager Access Rules
XenMobile Mail Manager allows you to configure three types of rules:
Local
XDM (from Device Manager)
Default
Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The
matching criteria may match a particular device or a set of devices.
Local Rules
Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the
following properties:
ActiveSync Device Id. Uniquely identifies a specific device.
Device Type. A set of devices, such as "iPad", "WP8", or "Touchdown".
User Agent. A set of devices identified by platform version, such as "iOS/6.1.2".
User. A specific user.
XDM (Device Manager) Rules
XDM rules are defined within XenMobile Device Manager. The product of these rules is delivered to XenMobile Mail
Manager and continuously updated in the background. XDM rules can identify devices by properties known to XDM, such as:
Enrolled in Device Manager
Jailbroken (iOS) or rooted (Android) devices
Forbidden Apps are installed (blacklisted apps)
Non-suggested apps are installed
Unmanaged
Out Of Compliance
Non-Compliant Password
Revoked status
Inactive Device
Anonymous status
Default Rules
The Default Rule matches the set of all devices. The Default Rule’s desired state may be set to Allow, Block, or
Unchanged. If the latter is selected, the effect will be that XenMobile Mail Manager will not modify the state of any
devices that are not matched explicitly by a Local or XDM rule.
Rule Evaluation
For each ActiveSync device known to the Exchange server, the rules are evaluated in order: first Local Rules, then XDM
Rules, then the Default Rule. If a match is found in any rule, the rule's desired state is then enacted for the device
and no further rules are evaluated for the device.
Rule enactment results in a Powershell command being sent by XenMobile Mail Manager to Exchange to change the
access state. However, if the current known access state of the device is already equal to the desired state, no action is
taken.
Whenever the rules, or the set of known devices changes, the rules are re-evaluated.
Additionally, the XenMobile Mail Manager can be configured in Simulation mode. In this mode, Powershell commands
are not issued to modify the access state. Instead, XenMobile Mail Manager records in its database that such an action
was simulated.
Note: the order in which Local and XDM rules are evaluated can be configured so that XDM rules are evaluated before Local
rules (this requires manual editing of config.xml).
Configuring Default access control rules
Default access control rules serve as 'catch-all' rules that can be set to allow or deny a device that does not meet the
criteria of either XDM rules or local rules. For example, if you set the Default rule to Allow, then any device that does
not meet the criteria set to block a device in either XDM or Local rules will be allowed to connect to Exchange.
From the Start menu, launch XenMobile Mail Manager.
Click the Configure > Access Rules tab.
Select the Default Access, either Allow or Block. This setting controls how all devices other than those identified by
explicit Device Manager or Local rules will be treated.
Next, select the ActiveSync Command Mode, either Powershell or Simulation. In Powershell mode, XenMobile Mail
Manager will issue Powershell commands to enact the desired access control. In Simulation mode, XenMobile Mail
Manager will not issue Powershell commands, but will log the intended command and intended outcomes to the
database. In Simulation mode, the user can then use the Monitor tab to see what would have occurred if Powershell
mode was enabled.
Click Save.
Configuring XDM (Device Manager) rules
You can use XDM (from Device Manager) rules in XenMobile Mail Manager to work in combination with Local and
Default rules. Device Manager rules provide control over devices that do not meet your corporate device compliance
standards, such as the ability to block devices that have blacklisted apps, device that have been rooted or jailbroken, or
that meet some other condition.
Device Manager rules are configured in the Device Manager web console, in the Options dialog box.
Device Manager rules are evaluated by XenMobile Device Manager after Local rules, and before Default rules.
From the Start menu, launch XenMobile Mail Manager.
Click the Configure > Access Rules tab.
Click the XDM Rules tab.
Click Add.
Type a name for the XenMobile Device Manager (XDM) rules, such as "XDM".
Modify the URL string to refer to the Device Manager server. For example, if the Device Manager server name is
"Xdm01" then you would enter http://Xdm01/zdm/services/MagConfigService.
Enter an authorized user on the Device Manager server.
Enter the password of the user.
Leave the Baseline Interval, Delta Interval, and Timeout values at the default settings.
Click Test Connectivity to check the connection to the Device Manager server.
Click OK.
Configuring local rules
Local rules are those you create from and that are specific to the XenMobile Mail Manager utility, and provide an extra
layer of filtering and control over your company email access policies. When used in combination with Default access
rules and Device Manager Secure Mobile Gateway Rules (XDM rules), you can create useful combinations of filters to
ensure that you have control over email access according to company policy.
You can build local rules to allow or block access by device ID, Device Type (all Android devices, for example), specific
user, Active Directory group, or even agent version (device platform version).
In XenMobile Mail Manager, local rules are evaluated first, followed by XDM rules, and then followed by Default rules,
from top to bottom as they are listed in the user interface.
From the Start menu, launch XenMobile Mail Manager.
Click the Configure > Access Rules tab.
Click the Local Rules tab.
If you want to build local rules that operate on AD Groups, click Configure LDAP and configure the LDAP connection
properties.
From the drop-down list, select local rules to add based on ActiveSync Device ID, Device Type, AD Group, User, or
device UserAgent.
Type text or text fragments in the text box. Optionally click the query button to view the entities that match the
fragment. Note that for all types other than Group, the system relies on the devices that have been found in a
snapshot. So, if you are just starting and haven't completed a snapshot, no entities will be available.
Select a text value in the results and then click Allow or Deny to add it to the Rule List on the right side.
You can change the order of rules or remove them using the buttons to the right of the Rule List. The order is
significant because for a given user and device, rules are evaluated in the order shown, and a match on a higher rule
(nearer the top) will cause subsequent rules to have no effect. For example, if you have a rule allowing all iPad
devices, and a subsequent rule blocking user "Matt", then Matt's iPad will still be allowed because the
"iPad" rule has a higher effective priority than the "Matt" rule.
To determine the effects of multiple rules with groups that have overlapping members, click View Expanded. This
shows the net result of the combination of groups.
Click Save.
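The evaluation order described under Rule Evaluation (Local rules, then XDM rules, then the Default rule, first match wins, no command when the device is already in the desired state), the ordering example above (the "iPad" rule outranking the "Matt" rule) and Simulation mode can all be modelled in a few lines. The following Python is an added example, not code from XenMobile Mail Manager: the device records, the rule builders and the constructed scenario are assumptions, and the PowerShell command XMM would send in Powershell mode is replaced by an update of the cached access state because the page does not show the cmdlet parameters.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

ALLOW, BLOCK, UNCHANGED = "Allow", "Block", "Unchanged"


@dataclass
class EasDevice:
    """One ActiveSync partnership as seen in an Exchange snapshot (constructed model)."""
    device_id: str
    user: str
    device_type: str          # e.g. "iPad", "WP8", "Touchdown"
    user_agent: str           # e.g. "iOS/6.1.2"
    access_state: str         # state known from the last snapshot: Allow or Block
    xdm_flags: Set[str] = field(default_factory=set)  # properties reported by Device Manager


@dataclass
class Rule:
    name: str
    desired: str                           # Allow or Block
    matches: Callable[[EasDevice], bool]


# Local rule builders, one per property the page lists (assumed match semantics:
# exact match for id, type and user; prefix match for the user agent).
def by_device_id(value: str, desired: str) -> Rule:
    return Rule("DeviceId=" + value, desired, lambda d: d.device_id == value)


def by_device_type(value: str, desired: str) -> Rule:
    return Rule("DeviceType=" + value, desired, lambda d: d.device_type == value)


def by_user_agent(value: str, desired: str) -> Rule:
    return Rule("UserAgent=" + value, desired, lambda d: d.user_agent.startswith(value))


def by_user(value: str, desired: str) -> Rule:
    return Rule("User=" + value, desired, lambda d: d.user == value)


def xdm_rule(flag: str, desired: str) -> Rule:
    """An XDM rule matches when Device Manager reports the named property (e.g. "Jailbroken")."""
    return Rule("XDM:" + flag, desired, lambda d: flag in d.xdm_flags)


@dataclass
class Action:
    device_id: str
    rule: str
    desired: str
    simulated: bool


def evaluate(device: EasDevice, local_rules: List[Rule], xdm_rules: List[Rule],
             default_state: str, xdm_first: bool = False) -> Tuple[str, str]:
    """First match wins: Local rules, then XDM rules, then the Default rule.
    xdm_first models the config.xml option that evaluates XDM rules before Local ones."""
    ordered = (xdm_rules + local_rules) if xdm_first else (local_rules + xdm_rules)
    for rule in ordered:
        if rule.matches(device):
            return rule.desired, rule.name
    return default_state, "Default"


def enact(devices: List[EasDevice], local_rules: List[Rule], xdm_rules: List[Rule],
          default_state: str, simulation: bool = True, xdm_first: bool = False) -> List[Action]:
    """Evaluate every known device. A desired state of Unchanged, or one equal to the
    current state, produces no action. In Simulation mode the action is only recorded;
    in Powershell mode XMM would send a PowerShell command to Exchange here, which this
    model stands in for by updating the cached state."""
    actions = []
    for device in devices:
        desired, rule = evaluate(device, local_rules, xdm_rules, default_state, xdm_first)
        if desired == UNCHANGED or desired == device.access_state:
            continue
        actions.append(Action(device.device_id, rule, desired, simulation))
        if not simulation:
            device.access_state = desired
    return actions


def constructed_scenario():
    """The page's ordering example: an 'allow all iPads' rule above a 'block user Matt' rule,
    plus one XDM rule blocking jailbroken devices (all data constructed)."""
    devices = [
        EasDevice("ipad-matt", "Matt", "iPad", "iOS/6.1.2", BLOCK),
        EasDevice("wp8-matt", "Matt", "WP8", "WP8/8.0", ALLOW),
        EasDevice("ipad-jane", "Jane", "iPad", "iOS/6.1.2", ALLOW),
        EasDevice("droid-sam", "Sam", "Android", "Android/4.4", ALLOW, {"Jailbroken"}),
        EasDevice("td-lee", "Lee", "Touchdown", "Android/4.1", ALLOW),
    ]
    local = [by_device_type("iPad", ALLOW), by_user("Matt", BLOCK)]
    xdm = [xdm_rule("Jailbroken", BLOCK)]
    return devices, local, xdm


if __name__ == "__main__":
    devices, local, xdm = constructed_scenario()
    for a in enact(devices, local, xdm, UNCHANGED, simulation=True):
        print(a.device_id, "->", a.desired, "by", a.rule, "(simulated)")
```

With the Default rule set to Unchanged, a first Simulation pass records three intended actions (Matt's iPad allowed by the iPad rule, Matt's WP8 blocked by the user rule, Sam's jailbroken Android blocked by the XDM rule) without touching any state; Jane's iPad matches the allow rule but is already allowed, and Lee's Touchdown matches nothing, so neither produces an action. A Powershell-mode pass applies the changes, and running it again yields no actions, which is the "already equal to the desired state" check on the page.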
Simulation vs Powershell Mode
Before you implement and activate your Access Control Rules with XenMobile Mail Manager, you can use 'Simulation' mode
to test the rules out, as opposed to Powershell mode, which actually executes the rules in your live environment. The
difference between the two modes is as follows:
In Simulation mode, XenMobile Mail Manager will not issue Powershell commands, but will log the intended
command and intended outcomes to the database. In Simulation mode, the user can then use the Monitor
tab to see what would have occurred if Powershell mode was enabled.
In Powershell mode, XenMobile Mail Manager will issue Powershell commands to enact the desired access
control.
To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under
ActiveSync Access Control Rules on the Default Rule tab, select either Simulation or Powershell from the ActiveSync
Command Mode drop-down list.
Monitoring XenMobile Mail Manager
The Monitor tab in the XenMobile Mail Manager allows for browsing of the EAS and BlackBerry devices that have been
detected, and displays the history of automated PowerShell commands that have been issued.
There are 3 tabs under the Monitor tab:
ActiveSync Devices
Blackberry Devices
Automation History
Also, the history of all snapshots is available under the Configure tab:
In the Exchange tab, click the Info icon for the desired Exchange server.
In the MSP tab, click the Info icon for the desired Blackberry server. Snapshot history shows when the MSP
snapshot took place, how long it took, how many devices were detected and any errors that occurred.
Monitoring ActiveSync devices
From the Monitor tab, you can view all ActiveSync devices that have been detected and a history of PowerShell
commands issued by XenMobile Mail Manager.
From the Start menu, launch XenMobile Mail Manager.
Click the Monitor > ActiveSync Devices tab.
From this tab, you can view a list of all devices discovered by the XenMobile Mail Manager. Using the drop-down
list, you can filter the list to see which devices have been allowed and which have been blocked, and you can filter
these commands according to those issued in the last hour or the last day. You can also search the list by user or
device ID.
To see more details on a specific command or device (or user), click the green (allowed) or red (blocked) icon next to
the entry.
Monitoring BlackBerry devices
From the Monitor tab, you can view all BlackBerry devices that have been detected and a history of PowerShell
commands issued by XenMobile Mail Manager.
From the Start menu, launch XenMobile Mail Manager.
Click the Monitor > BlackBerry Devices tab.
From this tab, you can view a list of all BlackBerry devices discovered by the XenMobile Mail Manager. You can
search the list for a specific user by typing the user's email address and then clicking Go.
To see more details on a specific command or device (or user), click the green (allowed) or red (blocked) icon next to
the entry.
Viewing snapshot history
You can view the history of snapshots taken for your Exchange or BlackBerry servers by clicking the information icon (I)
next to it.
From the Start menu, launch XenMobile Mail Manager.
Click the Configure > Exchange tab.
Click the small blue information icon next to the Exchange server to see the history of snapshots taken of the server's
ActiveSync traffic.
To view the history of snapshots taken of a configured BlackBerry server, click the Configure > MSP tab.
Click the small blue information icon next to the BlackBerry server to see the history of snapshots taken.
App Controller 2.9
Citrix App Controller delivers access to web, SaaS, Android, and iOS apps, as well as integrated ShareFile data and
documents. Users access their applications through Citrix Receiver, Receiver for Web, or Worx Home.
This topic provides information about installing and configuring App Controller 2.9.
With App Controller, you can provide the following benefits for each application type:
SaaS applications. Active Directory-based user identity creation and management, with SAML-based
single sign-on (SSO).
Intranet web applications. HTTP form-based SSO by using password storage.
iOS and Android apps. Unified store to which you can install MDX apps for iOS and Android devices, and
security management for MDX policies, encompassing WorxMail and WorxWeb. You can wrap iOS and
Android apps with the MDX Toolkit to create MDX apps.
ShareFile access. Delivery of files by configuring ShareFile settings and the ShareFile application that
provides seamless SAML SSO, and Active Directory-based ShareFile service user account management.
Installing App Controller
The App Controller virtual machine (VM) runs on Citrix XenServer, Microsoft Hyper-V, or VMware ESXi. You can use
XenCenter or vSphere management consoles to install App Controller 2.9.
Before installing App Controller, you must do the following:
Install XenServer or VMware ESXi on a computer with adequate hardware resources.
Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere
connects to XenServer or VMware ESXi host through the network.
Install Windows Server 2008 R2 or Windows Server 2012 with the Hyper-V role enabled, on a
computer with adequate system resources. While installing the Hyper-V role, be sure to specify the network
interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve
some NICs for the host.
This section details the following steps for installing App Controller on XenServer, Hyper-V, or VMware:
Installing the VM on XenServer and setting the properties for App Controller in XenCenter.
Installing App Controller on VMware ESXi and using vSphere to allocate virtual hardware components to
App Controller, such as memory and virtual CPUs.
Installing App Controller on Hyper-V.
Configuring the IP address and subnet mask, default gateway, DNS servers, and Network Time Protocol
(NTP) servers for App Controller by using the XenCenter or vSphere command-line console.
When you finish configuring App Controller network settings by using the command-line console, you log on to the App
Controller management console. Then, you configure the following network settings:
Active Directory configuration from which you obtain groups for App Controller
Note: After you complete the Configure wizard, you can configure settings for additional Active Directory
servers in your network.
Administrator settings
Workflow email settings
Optionally, you can change the settings you configured by using the command-line console in the wizard. These
settings include:
App Controller system settings, such as IP address, subnet mask, and the default gateway
NTP and DNS server settings and the time zone
After you configure App Controller system settings, to complete the configuration, App Controller retrieves the groups
and members of the groups from the specified Base DN in Active Directory. When the retrieval is complete, App
Controller logs off. You can log on again to continue configuring App Controller features.
Installing App Controller on XenServer
After you download the virtual image (VM) from the Citrix web site, install App Controller on XenServer. After
installation, set the properties for App Controller in XenCenter.
1. Start XenCenter on your computer.
2. In the navigation pane, click the name of the XenServer on which you want to install App Controller and then connect.
3. On the File menu, click Import.
4. In the Import wizard, in Filename, browse to the location to which you saved the .xva image file and then click Open.
5. Follow the instructions in the wizard to import the App Controller image.
After you click Finish in the wizard, you can click the Logs tab to view the status of the import process. When the import
process is complete, you configure the initial settings for App Controller by using the command-line console. For more
information, see .
Setting the properties for App Controller
When you import App Controller, the number of virtual CPUs (VCPUs) is set to 2. You cannot change this setting. The
default memory setting is 4096. You can leave the memory setting or change it by using the Memory tab in XenCenter.
Note: If the App Controller virtual machine acts as the cluster head, configure 4 VCPUs.
Installing App Controller by Using VMware ESXi
To install App Controller on VMware ESXi, you must first install VMware on a computer with adequate hardware
resources. To perform the App Controller installation, you use vSphere. You install vSphere on a remote computer that
can connect to the VMware host through the network. After you install App Controller, you can create virtual hardware
components on VMware and then use vSphere to allocate them to App Controller.
When you install App Controller on VMware ESXi, you use the vSphere client. You select the OVF template to start the
Deploy OVF Wizard. Follow the directions in the wizard to import the App Controller OVA (.ova) file. You provide a
name for App Controller and then configure additional settings to import the file to VMWare ESXi.
After the import is complete, you set the App Controller properties in vSphere. These settings include:
Allow the virtual machine to start and stop automatically with the system.
Set the startup order for App Controller.
Set the memory size to 4096.
Set the number of VCPUs to 2.
For more information about VMWare ESXi and the vSphere client, see the manufacturer's documentation.
Installing App Controller on Microsoft Hyper-V
To install App Controller on Microsoft Hyper-V, you must first install Microsoft Server 2012 with Hyper-V enabled or
Microsoft Hyper-V Server 2012 on a computer with adequate hardware resources. To perform the App Controller
installation, you use the Hyper-V Manager, which is a Microsoft Management Console (MMC) snap-in. Hyper-V
Manager is installed automatically when you enable the Hyper-V role.
You download a compressed ZIP file to install App Controller on Microsoft Hyper-V. You extract the files and then use
Hyper-V Manager to install App Controller.
Note: Make sure that you extract the files in the ZIP folder into a different folder before you specify the path to the folder.
After you import the virtual machine, you need to configure the virtual network adapter by associating the adapter to the
virtual networks created by Hyper-V. App Controller 2.8 requires one virtual network adapter.
In Hyper-V Manager, you select the server on which you want to install App Controller and then import the virtual
machine. When the import starts, you are prompted to specify the path of the folder that contains the App Controller
software files.
After the import is complete, you set the App Controller properties in Hyper-V Manager. These settings include:
Allow the virtual machine to start and stop automatically with the system.
Set the startup order for App Controller.
Set the memory size to 4096.
Set the number of VCPUs to 2.
For more information about Microsoft Hyper-V and the Hyper-V Manager, see the manufacturer's documentation.
Setting the App Controller IP Address for the First Time
After importing the App Controller image, you need to configure the IP address. The IP address is the management
address at which you can access App Controller through a web browser or by using a Secure Shell (SSH) client, such
as PuTTY. You can access the App Controller command-line interface through the XenCenter console to specify an IP
address, subnet mask, default gateway, Domain Name Servers (DNS) and a Network Time Protocol (NTP) server. The
default IP address for App Controller is 10.20.30.40.
To change the IP address for App Controller in XenCenter
1. In XenCenter, select the App Controller virtual machine and then click the Console tab.
2. At the console logon prompt, enter the administrator credentials.
The default user name for the console is admin and the default password is password.
3. At a command prompt, type 0 to select Express Setup.
4. Select the appropriate number to change the IP address, subnet mask, default gateway, DNS servers, and NTP
server.
Note: Citrix recommends using an NTP server to set the date and time on App Controller.
5. Press 5 to commit the changes.
When you commit the changes, you are prompted to restart App Controller. Review your settings and then type y to
commit the changes. After App Controller restarts, you can then access the management console by using the new IP
address in a web browser. To open the management console, type https://<AppControllerIPaddress>:4443/ControlPoint in
the address bar of the web browser. For example, type https://10.20.30.40:4443/ControlPoint. The user name is
administrator and the password is password.
When you connect to App Controller, you must use HTTPS. If you attempt to connect with HTTP, the connection fails.
Configuring App Controller for the First Time
After you install the App Controller virtual machine (VM) and configure the initial settings by using the command-line
console, you can configure additional App Controller network settings in the App Controller management console. To
open the management console, type https://<AppControllerIPaddress>:4443/ControlPoint in the address bar of the web
browser. For example, type https://10.20.30.40:4443/ControlPoint. The user name is administrator and the password is
password. When you log on to the management console for the first time, the Configure wizard appears prompting you
to configure settings that include the following:
Administrator password
Note: Make sure that the email address is part of the base DN that you configure in the Active Directory
settings.
App Controller host name, IP address, subnet mask, and default gateway
Note: You can also configure an IP address for App Controller if you want a different IP address than what
you configured by using the command-line console.
Active Directory settings
Certificates
Note: In the Configure wizard, you can add, create, or remove certificates on the Active Directory page. The
option to configure certificates from the Active Directory page only appears when you configure App
Controller for the first time in the management console. After you run the Configure wizard for the first time,
you can then manage certificates from the Settings tab in the management console.
Network Time Protocol (NTP) server and time zone
DNS server settings
Workflow email settings
Important: For workflows to work correctly, when you add users to Active Directory, you must enter the first
name, last name, and email in the user properties. If you do not configure users in Active Directory with this
information, App Controller cannot synchronize these individuals. When users attempt to start an app, users
receive a message that they are not authorized to use the app.
After you configure and save the remaining network settings in the management console, App Controller retrieves users
from Active Directory and then logs off. If you changed the password, log on again with the new password.
Important: If you have a large number of users or groups, it might take a few hours for App Controller to retrieve users. You
cannot make any changes to App Controller until this process is complete. If you close the browser, interrupt the
synchronization and then restart the Configure wizard in another web browser, your settings are not saved. Citrix
recommends that you allow the Active Directory synchronization to complete. When you configure the App Controller settings
for the first time, you can enter a group distinguished name (DN) that speeds the synchronization of Active Directory membership
with App Controller.
If you need to make changes to system settings at a later time, you can access the Settings tab. You can configure or
reconfigure the following on the Settings tab:
Active Directory settings, such as IP address, administrator email and password, and base DN
Administrator settings that allow you to change the password for the management console and the
command-line console
Support options that allow you to configure GoToAssist user assistance settings
Branding that allows you to upload your own Portable Network Graphics (png) to mobile devices
Certificates where you can install root, intermediate, and server certificates on App Controller
Deployment settings for StoreFront or NetScaler Gateway
Domain Name Server such as a DNS or WINS server
GoToAssist settings for email or phone support
Log transfer that sends logs to a server in your network
Network connectivity, which contains the App Controller network settings
NTP server that contains the settings for a Network Time Protocol server
Receiver email template where you can send emails to your users to download Receiver
Receiver updates
Release management that allows you to upload software upgrades, patches, and application connectors
Store credentials where you can save the user name, password, and device ID for the Google Play Store
SysLog server settings
Workflow email which is the administrator email settings for workflows
XenMobile MDM where you configure connection settings to XenMobile Device Manager
To change App Controller settings
1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click one of the options to configure the settings.
After you complete App Controller configuration, you can configure roles, users, applications, and application categories
for single sign-on (SSO). You can do the following:
Refresh users from Active Directory.
Add roles to map which Active Directory groups receive access to applications.
Add web and SaaS applications to App Controller from the provided connector catalog.
Upload mobile apps to App Controller.
View a user device inventory in which you can erase and stop erasing application data and documents from
a device, lock and unlock a device, or delete a device from the inventory.
Retrieve mobile app information by configuring mobile links.
Add links to commonly used web sites including Internet and intranet sites.
Create access to applications that are not in the catalog for SSO by using either HTTP Federated Formfill or
SAML connectors.
Download certificates for use with some SAML applications.
Create user accounts automatically based on Active Directory group membership.
Assign users to applications based on their role within the organization.
Add categories to which you can add applications.
Connect StoreFront to App Controller. When users connect with Citrix Receiver, they can see the application
list, subscribe to applications, and access applications seamlessly.
Configure ShareFile settings for user data and documents.
Download a CR (.cr) file that configures Receiver on the user device. You can send this file to users in an
email. The .cr file contains all of the settings that Receiver needs to connect to App Controller.
Icons in the AppController Management Console
The AppController management console includes icons that users click to perform different tasks. The following table defines
each icon.
Icon name and definition:
Enable: Indicates that an app is disabled. When clicked, enables the app.
Disable: Indicates that an app is enabled. When clicked, disables the app.
Edit: Used to edit a role or application.
Remove: Used to remove an application, remove an application from a role, or to remove a category, workflow, or user device.
Sync: Used to synchronize application users with Active Directory for accounts that are configured for user account management. Also, in Roles, opens a Storage Zone dialog box to enable you to find a particular storage zone and provide credentials.
Upgrade: Used to upgrade a mobile application with a new version.
Role details: In Roles, you can view the Active Directory groups that belong to a configured role or you can delete the role.
Lock: Used to lock a user device.
Unlock: Used to unlock a user device after you have locked it.
Erase: Used to erase data and documents from a device.
Stop erasing: Used to stop the process of erasing data and documents from the device.
Apps: In Workflows, shows the apps with which the workflow is associated, if any.
Workflow details: In Workflows, lets you view the levels of manager approval and additional approvers for a configured workflow.
User: In Roles, lets you view members of the Active Directory groups.
Adding Active Directory Domains to App Controller
App Controller uses Active Directory groups and users. You configure Active Directory in two ways:
With the Configure wizard when you log on to the App Controller management console for the first time. This
domain is considered the default domain.
On the Settings tab, where you can configure multiple Active Directory domains.
With Active Directory, you can:
Create roles in App Controller that map to one or more Active Directory groups within multiple domains.
Create and remove user application accounts based on their Active Directory group membership by using
applications assigned to roles.
Create workflows for manager approval of user accounts for applications.
Important: When you add users to Active Directory, you must enter the first name and last name in the user properties. If you
do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When
users attempt to start an app, users receive a message that they are not authorized to use the app. The administrator
account must be recognized by all corresponding Active Directory domains you configure in App Controller.
When App Controller synchronizes with Active Directory, either after the first time you configure Active Directory in App
Controller or if you manually synchronize with Active Directory, the length of time it takes to synchronize depends on the
size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this
time, you cannot configure any other settings in Active Directory. If you enter a group DN when you first configure Active
Directory, the synchronization occurs more quickly. For example, you enter cn=Users,dc=servername,dc=net,
where cn=users is the group base DN and servername is the name of the Active Directory server. When the initial
synchronization is finished, App Controller logs off from the management console and returns to the management
console logon page.
Note: If you provide the root level base DN, such as dc=mycompany,dc=com, App Controller retrieves users in child domains.
To prevent retrieval of child domain users, provide specific user base DN paths that relate to the parent domain.
Configuring Multiple Active Directory Domains
After you configure one Active Directory domain by using the Configure wizard, you can add additional Active Directory
domains on the Settings > Active Directory tab in the App Controller management console.
When you configure Active Directory domains, you provide the server information including:
IP address
Port
Domain name
Service account
Password
User base DN
Group base DN
SSL support
You can configure Active Directory domains in the following ways:
One Active Directory instance per domain. You can specify multiple base DNs in each domain. Separate
each base DN with a semi-colon (;).
Two domains that belong to different Windows Server trees.
Two domains that belong to different Windows Server forests.
For each domain, the service account you specify must be able to access the base DN for each domain. App Controller
does not maintain any internal relationship between managed domains. You can manage multiple Active Directory
domains as separate instances. When you configure multiple Active Directory domains, Citrix recommends that you use
the User Principal Name (UPN) so you can include the domain name.
If you configure multiple domains, keep the following in mind:
Only users in the default domain can log on directly to App Controller.
Logons from users in other domains must be authenticated by NetScaler Gateway.
Domains configured in App Controller and NetScaler Gateway must match.
Domains configured in App Controller and StoreFront must match when StoreFront is used as the
authentication server.
If StoreFront is used as the authentication server, the domain information must be included in the token validation
response from StoreFront. You can use sAMAccount (domain\user name) or UPN (user@domain) for user logon.
Modifying and Deleting Active Directory Domains
You can modify and delete Active Directory domains in App Controller. App Controller retrieves users and groups when
you add each domain. If you modify a domain, if you change the user or group base DN, App Controller synchronizes
with Active Directory.
You can delete one domain at a time and you cannot delete the default domain. When you delete a domain, App
Controller marks all of the users in the domain as terminated users. These users lose access to role-based apps. App
Controller also deletes pending workflows and provisioning requests. User accounts reconciled to terminated users are
processed according to the app configuration (ignore, disable, or delete).
Important: If you delete a domain, you cannot add the same domain to App Controller again.
Adding and Synchronizing Active Directory Domains
You can add multiple Active Directory domains to App Controller. After you add a domain, click the Sync icon to retrieve
users and groups from the Active Directory domain.
To add Active Directory domains
1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click Active Directory.
3. In the details pane, click Add.
4. In Server and Port, enter the IP address and port number of the Active Directory server. The default port number is
389.
5. In Domain name, add the Active Directory domain, such as mycompany.net. When you add the domain name, User
Base DN and Group Base DN populate automatically.
6. In User Base DN and Group Base DN, enter any other parameters, such as cn=Users.
A warning appears if the base DN is a top-level domain.
7. In Service Account, add the email address of the administrator account. You can use either the sAMAccountName, in
which users log on with domain\user, or the User Principal Name (UPN), in which users log on with
user@mycompany.com.
Note: All Active Directory domains that you add to App Controller must recognize this service account.
8. In Password and Confirm Password, enter the password of the service account and then click Save.
When you configure settings and only configure the top-level domain, the Add Domain dialog box appears as in the following
figure:
To remove the warning message, configure a subdomain as part of the base DN. For example, enter cn=Users,
dc=mycompany,dc=net.
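The base DN and logon-name rules described in this section and in Configuring Multiple Active Directory Domains (semicolon-separated base DNs, the warning for a top-level base DN that would also retrieve child-domain users, sAMAccountName versus UPN logons, and direct logon being limited to the default domain), worked through as an added Python example. This is not Citrix code; the configured domains, default domain and NetBIOS-to-DNS map it uses are constructed sample values.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample configuration (not from the Citrix documentation): the
# domains added under Settings > Active Directory, the domain configured first
# in the Configure wizard (the default domain), and a NetBIOS-to-DNS map that a
# real deployment would take from Active Directory itself.
CONFIGURED_DOMAINS = {"mycompany.net", "partner.local"}
DEFAULT_DOMAIN = "mycompany.net"
NETBIOS_NAMES = {"mycompany": "mycompany.net", "partner": "partner.local"}


@dataclass(frozen=True)
class Rdn:
    """One relative distinguished name component, e.g. cn=Users."""
    attr: str
    value: str


def parse_dn(dn: str) -> list[Rdn]:
    """Split a DN such as cn=Users,dc=mycompany,dc=net into RDNs, leftmost first.
    A comma escaped as \\, stays inside the value; attribute names are lower-cased."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append(Rdn(attr.strip().lower(), value.strip()))
    return rdns


def split_base_dns(field: str) -> list[str]:
    """A base DN field may hold several DNs separated by a semi-colon (;)."""
    return [d.strip() for d in field.split(";") if d.strip()]


def is_top_level(dn: str) -> bool:
    """True when the DN has only dc= components (dc=mycompany,dc=com): the root of
    the domain, from which App Controller also retrieves child-domain users."""
    rdns = parse_dn(dn)
    return bool(rdns) and all(r.attr == "dc" for r in rdns)


def check_base_dns(field: str) -> list[str]:
    """Return one warning per top-level base DN, as the Add Domain dialog does,
    and name the narrower form (a container such as cn=Users) that removes it."""
    warnings = []
    for dn in split_base_dns(field):
        if is_top_level(dn):
            warnings.append(
                f"{dn}: top-level base DN, child-domain users will be retrieved; "
                f"use a container such as cn=Users,{dn}"
            )
    return warnings


def logon_domain(logon: str) -> tuple[str, str]:
    """Return (dns_domain, user) for a sAMAccountName logon (MYCOMPANY\\alice) or
    a UPN logon (alice@mycompany.net). A bare user name yields an empty domain."""
    if "\\" in logon:
        netbios, user = logon.split("\\", 1)
        return NETBIOS_NAMES.get(netbios.lower(), netbios.lower()), user
    if "@" in logon:
        user, domain = logon.rsplit("@", 1)
        return domain.lower(), user
    return "", logon


def direct_logon_allowed(logon: str) -> bool:
    """Only default-domain users may log on to App Controller directly; logons from
    other domains must be authenticated by NetScaler Gateway."""
    domain, _ = logon_domain(logon)
    if not domain:
        domain = DEFAULT_DOMAIN  # an unqualified logon is taken as the default domain
    return domain == DEFAULT_DOMAIN


def domain_is_configured(logon: str) -> bool:
    """The domain in the logon must match one configured in App Controller (it must
    also match NetScaler Gateway or StoreFront, which this check cannot see)."""
    domain, _ = logon_domain(logon)
    return (domain or DEFAULT_DOMAIN) in CONFIGURED_DOMAINS


if __name__ == "__main__":
    for w in check_base_dns("dc=mycompany,dc=net; cn=Users,dc=mycompany,dc=net"):
        print("warning:", w)
    for logon in ("alice@mycompany.net", "PARTNER\\bob", "carol@unknown.org"):
        print(logon, "direct:", direct_logon_allowed(logon),
              "configured:", domain_is_configured(logon))
```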
To manually synchronize with Active Directory
App Controller supports the following three types of Active Directory synchronization:
Initial synchronization. When you log on to the management console for the first time, you configure Active
Directory settings in the initial wizard along with network and email settings. When you save the settings,
App Controller synchronizes with Active Directory.
Periodic synchronization. App Controller contacts Active Directory every five minutes to determine if there
are any changes in Active Directory. App Controller looks for added, removed, and modified users in Active
Directory. App Controller also looks for group membership changes and new and removed groups. This
periodic synchronization starts for domains that have previously retrieved users and groups. The earlier
synchronization must be successful for the periodic synchronization to run.
Manual synchronization. You can synchronize with Active Directory at any time by using the synchronize
icon next to the Active Directory domain in the App Controller management console. When you synchronize,
App Controller updates all users from Active Directory for that domain and determines any changes to the
user records. This synchronization can take as long as the initial synchronization and depends on the size of
Active Directory. This synchronization also returns changes to users, including group membership. You can
start synchronization for all managed domains. The App Controller synchronization process runs in the
background, one domain after another. When you manually synchronize, App Controller displays a progress
bar so you can track the progress.
1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click Active Directory.
3. In the details pane, under Actions, click the Sync icon for the domain with which you want to synchronize.
Installing the MDX Toolkit
The MDX Toolkit runs on a computer running Mac OS X Versions 10.7 (Lion), 10.8 (Mountain Lion), or 10.9 (Mavericks).
The tool is not supported on a Windows-based computer. To download the MDX Toolkit, do the following:
1. Go to the Citrix website.
2. Click My Account and then log on.
3. Point to Downloads, and then under Find Downloads, select XenMobile, select Product Software and then click Find.
4. Expand XenMobile 8.6 and then click XenMobile 8.6 Enterprise Edition.
5. Expand Worx Mobile Apps and then next to MDX Toolkit & SDK for iOS and Android Build 324, click Download.
Important: You must update to the latest version of Worx Home 8.6 on Android and iOS devices before you wrap apps with
the 2.2.321 version of the MDX Toolkit. If not, when you try to open the apps in earlier versions of Worx Home, an
incompatibility error message appears.
After you download the tool from the Citrix web site, you install the tool on your computer. When you install the tool, you
are prompted for licensing, the location where you want to install the tool, and installation information.
The installation package includes a small utility for removing the MDX Toolkit. You can find the utility at the following
location on your computer: /Applications/Citrix/CGAppPrepTool/Uninstaller.app/Contents. Double-click the utility to start
the uninstaller app and then follow the prompts. When you remove the tool, you receive a message prompting you for
your user name and password.
Configuring Device Manager
XenMobile Device Manager system administration includes such tasks as importing users into Device Manager, creating
users and groups, applying Role Based Access Controls (RBAC) to groups, creating and configuring device policies,
deploying policy packages, reporting, viewing the dashboard, and more.
Logging on to the Device Manager web console
1. Start a Device Manager administrative session by entering one of the following Web addresses in a Web browser
(replace the placeholders with the Device Manager server's host name and, for HTTPS, its port):
http://<Device Manager host name>/zdm
https://<Device Manager host name>:<port>/zdm
2. Enter the logon credentials of the administrative user account created during Device Manager installation.
Note: If you configured LDAP authentication for Device Manager, be sure to use the account credentials of a user who
is a member of the administrative group.
After Device Manager validates the account, the main Device Manager window appears.
Configuring Device Manager to Connect to App Controller
If you have purchased XenMobile Enterprise Edition and are using Device Manager with App Controller to provide apps
to your Worx Home users, you will need to configure the Device Manager server so it can communicate with the App
Controller server. Conversely, you also need to configure the App Controller server so it can communicate with the
Device Manager server.
For secure communication between the Device Manager and App Controller servers, as a best practice both servers
should use public trusted certificates. When App Controller initiates communication with Device Manager, it must
validate the server certificate from Device Manager, and when Device Manager initiates communication with App
Controller, it needs to validate the server certificate from App Controller. This handshake will fail if the issuer of the
certificate is not trusted on both systems.
If you select Allow Secure Communication in the App Controller web console interface, Device Manager communicates
with App Controller on a secure port (for example: 443). This secure communication requires public certificates on both
servers, and requires that the ports are open in both directions.
The communication between Device Manager and App Controller consists of RESTful API calls which, if the traffic is
over port 80, travel in the clear and can be fully inspected by anyone positioned between App Controller and Device
Manager. The typical communication is App Controller telling Device Manager that userX needs AppY because they
subscribed to it on Worx Home, or Device Manager calling App Controller to determine whether App Controller exists and
the user is registered on it, in order to determine whether the connecting device is in MDM-Only mode or MDM+MAM
(enterprise) mode.
For information about how to add a public certificate to the Device Manager server, see Configuring an SSL Certificate.
For information about how to upload a public certificate from an External Certificate Authority to the App Controller
server, see Installing Certificates.
Note: If you want device users to be able to access and install virtual desktops from Citrix XenDesktop or published apps
from Citrix XenApp, they must have Citrix Receiver installed on their devices.
Configure the Device Manager server to be able to communicate with the App Controller server.
1. Log in to the XenMobile Device Manager web console.
2. Click Options.
3. In the Options dialog box, select Modules Configuration > AppC Webservice API, enter the name of the App Controller
server, a shared key that you will use when you configure the App Controller web console for XenMobile and then select
Enable App Controller.
Note: Do not click Test Connectivity until you have configured the XenMobile server connection in the App Controller
management console.
4. Exit the Device Manager web console.
5. Log on to the App Controller management console.
6. Click Settings > XenMobile MDM and then configure the XenMobile Device Manager hostname and port.
7. Enter the same shared key that you entered in the XenMobile Device Manager web console and then select the
Require Device Manager Enrollment check box if you want to enforce enrollment (recommended), which requires
users to enroll into Device Manager.
8. Select Allow Secure Communication. Device Manager communicates with App Controller on a secure port (for
example: 443). This secure communication requires public certificates on both servers, and requires that the ports are
open in both directions.
9. Log out of the App Controller management console.
10. Log on to the XenMobile Device Manager console again.
11. In the Options dialog box, select Modules Configuration > AppC Webservice API and then click Check connection to
establish communication between Device Manager and App Controller.
12. When the connection has been established, click Close.
Configuring an SSL Certificate
Installing Certificates
Configuring High Availability on Device Manager
You can deploy up to three instances of Device Manager to create a high availability pair, which is also called a cluster.
You configure one Device Manager instance as the primary role in the cluster and the other Device Manager instances
as the secondary role in the cluster. In this deployment, the primary Device Manager listens for requests, and serves
user requests. The secondary Device Manager synchronizes its data with the data on the primary. The two instances of
Device Manager work as an active-passive pair, in which only one instance of Device Manager is active at a time.
If the current primary Device Manager stops responding for any reason, the current secondary Device Manager takes
over and becomes the primary. The new primary Device Manager begins to serve user requests.
Device Manager in a cluster configuration requires a network load balancer to create a high availability pair as well as to
distribute the load between Device Manager servers.
You need to configure the following:
Windows Server 2008 R2. Install each Device Manager instance on a separate Windows server.
Configure the Windows servers as a cluster.
Virtual IP address or host name on the load balancer. Device Manager uses this information to route user
requests.
SSL session persistence for ports 443 and 8443 on the load balancer.
SQL Server database accessible from the Device Manager node(s) and user credentials to connect to the
database. Each node connects to the same database.
Network Time Protocol (NTP) server to synchronize time for all nodes and SQL DB server.
After you install Device Manager and configure the initial settings, there are some additional configuration steps. These
include:
Editing an XML file to replicate session information on all cluster nodes in the Tomcat cluster.
Enabling clustering on Device Manager.
Configuring properties on the Tomcat server.
Copy certificates from cluster node 1 to cluster node 2.
Stopping and starting the Device Manager Windows service.
You can also use the PostgreSQL database for high availability. If you use this database, you need to run a utility to
import database information to Device Manager.
Installing Device Manager on cluster node 1
Clear the Database server check box if there is already a MS SQL server in your network.
On the Configure database connection screen, create a Device Manager database on your MS SQL server.
Install Device Manager on Cluster Node 1.
On the certificate creation screen, use the public virtual IP address or FQDN of the hostname configured in the virtual
server configuration.
After Device Manager is successfully installed, open a web browser from the same host; for example, Device Manager
cluster node 1. Then, open http://localhost/zdm and verify that the Device Manager web console appears. Then, stop
the Device Manager Windows service.
Installing Device Manager on cluster node 2
Install Device Manager on Cluster Node 2 and clear database install. Remember to use the same database name as
that of Cluster Node 1.
Copy the following files from Cluster Node 1 in \tomcat\conf to the same place on Cluster Node 2.
https.p12
pki-ca-devices.p12
pki-ca-root.p12
pki-ca-servers.p12
pki-ca-root.crt.pem
Import the certificates; do not create new certificates. The installer prompts you to enter the passwords with which the
certificates were created (during installation of cluster node 1). Only the Keystore password text box appears.
Enter the same keystore password that was used in 'cluster node 1' for the following screens.
After Device Manager is successfully installed, open a web browser from the same host (cluster node 2), go to
http://localhost/zdm and then verify that the Device Manager web console appears. Stop the Device Manager Windows
service.
Configuring a Device Manager Tomcat Cluster
Tomcat clustering is used to replicate session information on all cluster nodes. In the event of a Tomcat server being
unavailable on a cluster node, device connections can fail over to Tomcat servers on other cluster nodes because the state is
preserved across all nodes in the cluster.
Note: Make sure to update the configuration files/command to all cluster nodes.
Open the file \tomcat\conf\server.xml in WordPad and add the following section after the element:
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.8"
                port="45560"
                frequency="500"
                dropTime="3000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto"
              port="4000"
              autoBind="100"
              selectorTimeout="5000"
              minThreads="3"
              maxThreads="6"/>
    <!-- Sender, interceptor, valve and listener elements as in the standard Tomcat cluster template -->
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
  </Channel>
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
  <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
After copying the above contents, check for the following elements in server.xml:
Membership. Determines cluster membership.
address. 228.0.0.8 (multicast address)
port. 45560 (the multicast address and the port determine cluster membership)
frequency. 500 (broadcast ping send frequency; must be smaller than timeToExpiration)
dropTime. 3000
Receiver. Responsible for listening for Tomcat session replication messages.
address. auto (listening address)
port. 4000 (port number used to listen for session replication messages)
autoBind. 100 (number of ports to try: 13000 to 13099)
selectorTimeout. 5000 (select operation selector timeout)
minThreads. 3 (work thread pool configuration)
maxThreads. 6 (work thread pool configuration)
Configuring the Device Manager Server
Edit the ew-config.properties file (\tomcat\webapps\zdm\WEB-INF\classes).
Change the following line from false to true:
########################################################
#
# CLUSTERING
#
########################################################
cluster.everywan.enabled=false
to cluster.everywan.enabled=true
Add the following line: cluster.hibernate.cache-provider=com.opensymphony.oscache.hibernate.OSCacheProvider
Your cluster configuration should look like the following example:
########################################################
#
# CLUSTERING
#
########################################################
cluster.everywan.enabled=true
cluster.hibernate.cache-provider=com.opensymphony.oscache.hibernate.OSCacheProvider
For the DAO configuration, verify that the following properties exist. If not, add them.
For MS SQL: dao.configLocation=classpath:com/sparus/nps/dao/hibernate-native.cfg.xml
For MySQL database: dao.configLocation=classpath:com/sparus/nps/dao/hibernatemysql-hilo.cfg.xml
For other databases: dao.configLocation=classpath:com/sparus/nps/dao/hibernatelhilo.cfg.xm
Add the following properties in ew-config.properties:
# Everywan cluster shared secret for application connection
everywan.secret=everywan
# Everywan node name (used on load balancer front end)
cluster.everywan.nodeName=auto
# Everywan direct IP access (ex. used by remote support)
cluster.everywan.directAccess=auto
# Everywan broadcast
cluster.everywan.broadcast.address=228.0.0.8
cluster.everywan.broadcast.port=45561
Note: It is recommended that you change cluster.everywan.nodeName=auto to node1 and node2 rather than leaving
it as auto, as follows:
The following parameters are used:
cluster.everywan.nodeName. "node1" (or node2, node3. and so on).
cluster.everywan.directAccess. "auto" (search for the first IP address of the first network interface). If
you want to assign a specific IP address, use "ip:192.168.1.251".
cluster.everywan.broadcast.address. "228.0.0.8" (UDP broadcast address).
cluster.everywan.broadcast.port. "45561" (UDP broadcast port).
Important: This broadcast address, "228.0.0.8:45561", must be different from the one used by the
Tomcat server in server.xml.
For cluster.everywan.directAccess, you can use the following parameters:
Important: In order for Remote Support to work when the node has two or more NICs, you might need to put the node IP
here.
eth1. Use the first IP address of the eth1 interface.
ip:192.168.1.128. Use the specified IP address.
lo. Use the first IP address of the lo interface (127.0.0.1).
Configuring Tomcat oscache.properties
File oscache.properties is located under \tomcat\webapps\zdm\WEB-INF\classes.
Use WordPad to open the file. At the end of the file, look for the JGroups configuration. It looks like the following example:
cache.cluster.properties=UDP(mcast_addr=228.0.0.8;mcast_port=45566;diagnostics_addr=228.0.0.8;diagnostics_port=45567;mcast_send_buf_size=150000;mcast_recv_buf_size=80000):PING(timeout=1500;num_initial_members=2):MERGE2(min_interval=5000;max_interval=10000):FD_SOCK:VERIFY_SUSPECT(timeout=1000):pbcast.NAKACK(gc_lag=50;retransmit_timeout=300,600,1200,2400,4800;max_xmit_size=8192):UNICAST(timeout=300,600,1200,2400):pbcast.STABLE(desired_avg_gossip=20000):FRAG(frag_size=8096;down_thread=false;up_thread=false):pbcast.GMS(join_timeout=5000;join_retry_timeout=2000;shun=false;print_local_addr=true)
cache.cluster.multicast.ip=228.0.0.8
Check the following parameters:
mcast_addr=228.0.0.8
mcast_port=45566
diagnostics_addr=228.0.0.8
diagnostics_port=45567
cache.cluster.multicast.ip=228.0.0.8
mcast_addr and mcast_port, diagnostics_addr and diagnostics_port are used to check the
Hibernate cache consistency among the cluster nodes. They must have the same values on all
the cluster nodes.
cache.cluster.multicast.ip must have the same address as mcast_addr.
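As an added example (not part of the Citrix documentation), the following Python script applies the constraints stated in the server.xml, ew-config.properties and oscache.properties instructions above to the three files of each node and reports mismatches: identical multicast settings on every node, a node name other than auto, an ew-config broadcast address that differs from the Tomcat Membership address, and cache.cluster.multicast.ip equal to mcast_addr. The sample files are constructed inline, and the finding about everywan.secret is this editor's recommendation, not a statement from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (illustrative, not copied from a real deployment).
SERVER_XML = """<Server><Service><Engine name="Catalina" defaultHost="localhost">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Membership className="org.apache.catalina.tribes.membership.McastService"
                  address="228.0.0.8" port="45560" frequency="500" dropTime="3000"/>
    </Channel></Cluster></Engine></Service></Server>"""

# ew-config.properties fragment; placeholders are filled per node below.
EW_CONFIG = """cluster.everywan.enabled=true
# Everywan cluster shared secret for application connection
everywan.secret={secret}
cluster.everywan.nodeName={node}
cluster.everywan.broadcast.address=228.0.0.8
cluster.everywan.broadcast.port={port}
"""

# oscache.properties fragment (JGroups stack shortened to the protocols checked here).
OSCACHE = """cache.cluster.properties=UDP(mcast_addr=228.0.0.8;mcast_port=45566;diagnostics_addr=228.0.0.8;diagnostics_port=45567):PING(timeout=1500;num_initial_members=2):FD_SOCK:pbcast.NAKACK(gc_lag=50;retransmit_timeout=300,600,1200)
cache.cluster.multicast.ip=228.0.0.8
"""

def parse_properties(text):
    """Java-style key=value lines; '#' lines are comments, the first '=' splits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_jgroups_stack(stack):
    """'UDP(a=1;b=2):FD_SOCK' -> {'UDP': {'a': '1', 'b': '2'}, 'FD_SOCK': {}}."""
    protocols = {}
    for name, args in re.findall(r"([A-Za-z0-9_.]+)(?:\(([^)]*)\))?", stack):
        params = {}
        for item in filter(None, args.split(";")):
            key, _, value = item.partition("=")
            params[key.strip()] = value.strip()
        protocols[name] = params
    return protocols

def node_settings(server_xml, ew_config, oscache):
    """Collect the multicast-related settings of one node from its three files."""
    membership = ET.fromstring(server_xml).find(".//Membership")
    ew = parse_properties(ew_config)
    oc = parse_properties(oscache)
    udp = parse_jgroups_stack(oc.get("cache.cluster.properties", "")).get("UDP", {})
    return {
        "tomcat_addr": membership.get("address"),
        "tomcat_port": membership.get("port"),
        "node_name": ew.get("cluster.everywan.nodeName"),
        "secret": ew.get("everywan.secret"),
        "ew_addr": ew.get("cluster.everywan.broadcast.address"),
        "ew_port": ew.get("cluster.everywan.broadcast.port"),
        "mcast_addr": udp.get("mcast_addr"),
        "mcast_port": udp.get("mcast_port"),
        "diag_addr": udp.get("diagnostics_addr"),
        "diag_port": udp.get("diagnostics_port"),
        "cache_ip": oc.get("cache.cluster.multicast.ip"),
    }

def check_cluster(nodes):
    """Return findings; an empty list means the nodes satisfy the documented constraints."""
    findings = []
    # Multicast settings and the shared secret must be identical on every node.
    for key in ("tomcat_addr", "tomcat_port", "ew_addr", "ew_port", "secret",
                "mcast_addr", "mcast_port", "diag_addr", "diag_port"):
        values = {n[key] for n in nodes}
        if len(values) != 1:
            findings.append(f"{key} differs across nodes: {sorted(map(str, values))}")
    for i, n in enumerate(nodes, 1):
        if n["node_name"] in (None, "auto"):
            findings.append(f"node {i}: cluster.everywan.nodeName should be node1, node2, ... not auto")
        if (n["ew_addr"], n["ew_port"]) == (n["tomcat_addr"], n["tomcat_port"]):
            findings.append(f"node {i}: ew-config broadcast {n['ew_addr']}:{n['ew_port']} "
                            "collides with the Tomcat Membership address in server.xml")
        if n["cache_ip"] != n["mcast_addr"]:
            findings.append(f"node {i}: cache.cluster.multicast.ip differs from mcast_addr")
        if n["secret"] == "everywan":  # the docs' sample value; editor's recommendation
            findings.append(f"node {i}: everywan.secret still has the documented sample value")
    return findings

# Node 1 as documented; the bad node 2 reuses the Tomcat port and leaves nodeName=auto.
NODE1 = node_settings(SERVER_XML, EW_CONFIG.format(secret="site-secret", node="node1", port="45561"), OSCACHE)
NODE2_OK = node_settings(SERVER_XML, EW_CONFIG.format(secret="site-secret", node="node2", port="45561"), OSCACHE)
NODE2_BAD = node_settings(SERVER_XML, EW_CONFIG.format(secret="everywan", node="auto", port="45560"), OSCACHE)

if __name__ == "__main__":
    for finding in check_cluster([NODE1, NODE2_BAD]):
        print("-", finding)
```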
Configuring the Tomcat applicationcontext.xml file
Open the applicationContext.xml file under \tomcat\webapps\zdm\WEB-INF and verify the following
values:




Running update-hilo.sql on all databases besides MS-SQL
Only for the PostgreSQL database, run the PostgreSQL administrator utility pgadmin3.exe located under the installation directory in \postgres\bin.
Open File > Add Server and then connect to the postgres database name/instance.
Open the query tool, import update-hilo.sql located under \tomcat\webapps\zdm\sqlscripts\sql_update\PostgreSQL and then execute it.
Overwriting the .pem file
Back up the following files:
cacerts.pem
cacerts.pem.jks
certchain.pem
https.crt.pem
https.p12.pem
Copy and overwrite the files from 'Cluster node 1' \tomcat\conf to 'Cluster Node 2'
\tomcat\conf.
Starting the Device Manager Windows service
Start the Device Manager Windows service on both nodes.
Verify that individual instances are working. (For example, open browser with URL http://127.0.0.1/zdm).
Create a test user on any Device Manager instance.
Testing the cluster setup
The Virtual Server IP address (in this case, IP 172.30.1.221) should be reachable.
Verify that ports 80, 443, and 8443 are open on the virtual server IP address. You can telnet to the virtual server IP
address on ports 80, 443 and 8443 or use a port scanner utility.
Open a browser and go to URL http://172.30.1.221/zdm. This should redirect to one of the cluster nodes and
eventually open the Device Manager web console.
Open a browser and go to URL https://172.30.1.221/zdm. This should redirect to one of the cluster nodes and
eventually open the Device Manager web console.
Managing Devices with the Dashboard
The Device Manager Dashboard provides an interactive, high-level view of devices. Each section of the Dashboard
displays a unique view of the devices you manage. You can use the Dashboard to do the following:
Perform actions on devices. When you enable actions in a Dashboard widget, you can perform actions on
multiple devices represented in a chart; for example, sending notifications to a set of devices on a particular
platform.
View charts. Charts show representations of devices in your environment, enabling you to view different
groupings of the devices. For example, the Devices by Platform chart shows all of your managed devices by
platform type. When you click a section of the chart by platform, the chart changes to show different platform
versions for each operating system. If you want to view the devices that are running Android version 3.2 or
3, for example, you can click the slice that displays those operating system versions, and then the Devices
tab appears showing only those devices running that version. The chart types you can view are as follows:
Devices by platform. Displays managed and unmanaged device platforms.
Managed devices by platform. Displays device platforms for all devices that are managed by Device
Manager.
Unmanaged devices by platform. Displays devices that are not currently managed by Device Manager.
Unmanaged devices appear in this chart if, for example, you perform a revoke, wipe, or selective wipe on
the device; the device has an agent installed but is not enrolled; or the device has an agent installed on it
but the user profile or corporate certificate has been removed.
Device by Secure Mobile Gateway status. Displays the number of devices by Secure Mobile Gateway
status: Blocked, Allowed or Unknown. You can click the bars to break down the data by platform.
Devices blocked by reason. Displays the number of devices blocked by Secure Mobile Gateway,
grouped by reason for the block, such as devices that have blacklisted apps installed, devices that have
been rooted, and so on. You can click the bars to break down the data by platform.
Device ownership. Displays the number of devices according to ownership, such as corporate-owned,
employee-owned, or unknown ownership.
Android Touchdown license status. Displays the number of devices that possess a TouchDown
license.
Failed package deployments. Displays the total number of failed deployments per package. Only
packages with failed deployments appear.
Devices by carrier. Drilling down on the chart by clicking the bars provides a further breakdown by
platform.
To change the Dashboard chart type, click the gear icon on the lower-left of the report widget and then click
a view.
View Dashboard alerts. Alerts show you updates about the following device statuses:
New enrollments
Non-compliant devices
Inactive devices
Secure Mobile Gateway blocked devices
Number of full and selective device wipes in the last 24 hours
Pending wipes
Send notifications. For example, you may want to notify specific device users about an Internet virus that
could affect some Android users.
You can customize the Dashboard to show exactly the information that is most relevant to your needs. You can create
up to four different Dashboard views. Each dashboard configuration is saved on a per-user basis. To view the
Dashboard, click Dashboard on the Device Manager web console.
To create custom Dashboards
You can create up to four custom dashboards, in addition to the default dashboard provided by Device Manager. You
can choose specific layouts and select the types of widgets to display, depending on your needs.
On the Dashboard tab, click Dashboard Edit. The Dashboard Customization dialog box opens.
To create a new custom Dashboard layout, select a Dashboard.
Select a Layout Style.
Click a widget from the list of available widgets and then drag the widget to the left to add it to the Dashboard. You can edit
existing Dashboard configurations by using a drag-and-drop operation to move Dashboard widgets over existing ones,
thereby replacing the existing widget. You cannot remove widgets from a Dashboard; you can only add widgets.
Click Save and Apply.
To send notifications from the Dashboard
On a Dashboard widget, click Enable Actions. The Actions menu appears.
Click one of the bars in the graph to select the devices represented in the display. For example, if you want to send
notifications regarding a virus to all Android users, click the Android bar.
Click Send Notifications.
In the confirmation message, click OK.
In the notification dialog box, enter the message you want to send to users. To send quick notifications to select
groups of users, you can use the Ad Hoc template.
Click Send.
Workflow for Managing a Device
To use Device Manager to manage a device, the typical workflow is as follows:
Create an LDAP connection to a user directory. Use the LDAP configuration wizard to enable a connection to a
database of users, such as Active Directory, in order to import the users into Device Manager.
Define users and groups. You define users on the User tab. Organize your groups so that they match the
configuration deployments you define. For instance, if you want to define Exchange push email for mobile users, you
may want to define at least two groups:
The VIP group. Users who are allowed to download email attachments.
The Standard users group. Users who are not allowed to download the attachments.
Create policies. Define the policies to be pushed to the devices. You use the Servers, App tunnels, Registry, XML,
and Files tabs to define resources.
Create deployment packages and deploy the packages. Create the deployment packages that serve as the
containers of policies and apps.
Enroll users and devices. Enroll users so they can install the Device Manager agent software and MDM and user
profiles on their devices, to ensure secure communication between client and server.
Defining Users and Groups
User account objects represent the users of the mobile devices managed by Device Manager. User accounts are associated
to devices by Device Manager as part of the authentication process. Maintaining an accurate roster of users improves mobile
device and service management. Groups are logical collections of users that serve as targets for management tasks, such as
applying settings, implementing policies, and deploying software.
Note: Device Manager manages groups of users, not individual user accounts.
User Account Information
Device Manager supports the following sources of user account information:
LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active
Directory to import groups, user accounts, and related properties.
Note: Device Manager retains the source of user accounts. As a result, certain operations are not permitted
on user accounts that you source from LDAP directories.
Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.
Importing a provisioning file. You can develop a file outside of Device Manager containing user accounts
and properties and then import the file. Device Manager automatically creates objects and sets properties
values.
User accounts appear in the user table within the main display area of the Users tab. The table depicts each user
account associated with the group that you select in the Group pane. The User toolbar provides available tasks to
perform on user accounts. You can manipulate the table appearance.
The groups in which a user account is a member appear in the Groups column. Note that multiple groups appear as a
multi-line entry. User accounts also appear in the Devices table. The user associated with a particular device appears in
the User column. The user account shown in the User column represents the user that enrolled on that device.
Group Information
The group structure in Device Manager is flexible. Users may belong to multiple groups, groups may be nested inside of
other groups, and the number of groups is not limited. You can create permanent or ad-hoc groups to suit any purpose.
Device Manager supports the following sources of group information:
LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active
Directory to import groups, user accounts, and related properties.
Manual entry. You can use group maintenance forms in Device Manager to quickly create groups.
Groups appear in the Group pane, the area to the left on the Users tab. The pane depicts groups in a hierarchical
arrangement with the number of members in each group given as a number in parenthesis after each group name. A
default group is automatically created during Device Manager installation to serve as the top-level node for the group
hierarchy; all other groups appear as children of this node. Groups imported from LDAP-compliant directories also
appear in the group hierarchy, with the LDAP directory name as the primary node. The individual groups of the LDAP
directory appear as children of the primary node.
Groups may be nested in the hierarchy without limit. Fully-qualified group names use periods as delimiters. For example, a
group of name Corporate.Sales.SalesSupport.Admin implies a nesting model based on organizational structure.
Note: User accounts may exist at any level. Thus, on a parent node, the count of group members represents the user
accounts associated with that discrete node, and not the sum of the accounts associated with the node's children.
Groups also appear in the User table. The groups a user belongs to appear in the Groups column.
Creating an LDAP Connection to a User Directory
From the Options dialog box in Device Manager, you can perform the following actions for LDAP connections:
Create a new LDAP connection.
Edit an existing connection.
Set the default LDAP connection.
Activate or deactivate an LDAP connection.
To create a new LDAP connection, click New.
Select which type of directory (LDAP or LDAPS).
If you chose an LDAPS connection, enter the required parameters and then click Import.
After the SSL Certificate is successfully imported, click Next.
Define the connection parameters.
Make sure that the Search user Service Account has the following rights granted to it:
READALLUSERINFORMATION
READALLNETWORKPERSON
Note: In the lockout limit field, the default is set to zero. However, Citrix recommends using a higher value, as well as
a value that is slightly lower than the lockout limit set on your LDAP server. For example, if your LDAP server is
configured to a limit of five attempts before lockout, Citrix suggests that you enter a 4 or a 3 in this field.
Click Check to test the connection with the LDAP or LDAPS directory. If the connection check with the directory is
successful, the following message appears: LDAP directory binding successful.
Click OK and then click Next to map the directory attributes to the Device Manager Repository database. You can
leave that step as it is and Device Manager will automatically bind the default fields.
Click Next to define the mapping between the LDAP groups and Device Manager roles. To add a new group, press
Add a group. Select a group and define the role you want to give to that LDAP group.
Note: Unlike the process for creating groups within the web console in a standalone manner, in which roles are given
to users, here roles are given to an LDAP group.
Specify which LDAP or LDAPS directory groups are imported in the Device Manager Repository database and then
click Next. A window appears summarizing the directory connection configuration.
Click Finish to save the parameters in the Device Manager database.
Adding, editing, or deleting user accounts
You manage user accounts in Device Manager from the User table toolbar or the context menu.
To add a user account
In the group pane, select a group of which the user account will be a member.
Click New user from the toolbar or context menu. The Create a new user window appears.
Type a unique name for the user and a password.
Select an entry from the Role drop-down list. For more information about roles, see User Accounts and Roles.
Optionally, on the Properties tab, set user account attributes.
To edit a user account
In the group pane, select the group of which the user account is a member.
Click the user account to edit and then click Update. The Update a user window appears.
Revise the user account data, then click Update to save the changes.
Note: If you edit the properties of accounts that you source from an LDAP directory, you do not change data in the
directory.
To delete a user account
In the group pane, select the group of which the user account is a member.
Click the user account to delete and click Delete on the toolbar and then click Yes to confirm the deletion.
Important: You cannot undo this operation.
Note: If you delete an account that you sourced from an LDAP directory, you only remove the account from the Device
Manager database; you do not change the account information in the directory.
Adding or deleting groups
You manage groups from the Group pane toolbar or context menu. Device Manager does not have a group edit
command, because the only accessible property of a group object is its name.
To add a group
Select the parent node of the group.
Click New group. The Create a new group window appears.
Type a name for the group and then click Create. The group name must be unique relative to its peers in the group
hierarchy. In addition, groups may not be added to group nodes that you import from LDAP-compliant directories.
To delete a group
Deleting a group has no effect on user accounts. You can only remove user accounts by using the Delete User
command.
Select the group to delete.
Click Delete.
Click Yes to confirm the operation and remove the group.
Important: You cannot undo this operation.
User Accounts and Roles
You manage user accounts in Device Manager by using the following commands from the User table toolbar or context
menu:
New user. Add a user account to Device Manager.
Update. Edit a user account.
Manage. Maintain a user account's membership in Device Manager groups, subject to certain
limitations.
Delete. Remove a user account from Device Manager.
Import. Read a provisioning file containing user accounts or properties to automatically create user account
objects and update their attributes.
To search for a user account, on the Users tab, you use the Search tool. Type a search string into the Search field and then
click the search icon.
Note: Searches are not case-sensitive; search results display matching user accounts in a separate table that does not
include a "currently selected group" in the Group pane. (That is, no groups are selected.)
User Roles in Device Manager
Device Manager implements four default user roles to logically separate access to system functions, as shown in the
following table. The columns represent the roles and the rows represent the system functions.
Citrix recommends that you assign the Support role to Help desk staff who require the ability to implement remote
control sessions on mobile devices.
System function                      Administrator  Support  Provisioning  User
Log into administration console      X
Use remote support application       X              X
Use device provisioning application  X                       X
Use a mobile device                  X              X        X             X
You can use role-based access control (RBAC) to create new user roles with permissions to access specific system
functions beyond the functions defined by the default roles as shown in the preceding table. You can create new roles in
Device Manager and then select specific features to which you want administrators to access. For example, you may
want to create roles for the following purposes:
To prevent some administrators from viewing or wiping the devices of specific users.
To allow specific users to only run reports.
To enable super users to have access to everything, including the ability to create and limit other user roles.
You can view details about users and groups, such as the dates you created and modified a user or group, on the
Reporting tab.
Configuring Custom Roles with RBAC
You can use the Role-Based Access Control feature in Device Manager to do the following:
Create a new access control role (associate actions with roles)
Add groups to a role
Associate users with roles
To access the feature, in Device Manager, click Options in the upper-right corner, and then click Role Based Access
Control.
To create a new access control role
You need to create an access control role in order to enable role-based access control in Device Manager.
In the Role Based Access Control panel, click New.
In the Create an admin role dialog box, enter a name for the role.
Select the features you want to enable for the role and then click Create.
To add groups to a role
When you create a new role, you can also associate a user group with the role as part of the role definition.
In the Role Based Access Control panel, select a role and then click Edit.
In the Role dialog box, in the Permissions list, select the feature access you want to associate with the role.
Under Restrict Group Access, select the group you want to have access to the role, and then click Save. The group
you select and the users in the group receive access to the features you choose.
To associate users with a role
After you create a new role, you can associate users with the role.
In Device Manager, click the Users tab and then in the User table, double-click a user or click New User.
In the New User dialog box, enter the user name and password.
In the Role list, click the role you want to associate with a user and then click Create.
Role Based Access Controls (RBAC) Permissions
You can use role-based access control (RBAC) to create custom roles in Device Manager, beyond the default roles.
Custom roles grant permissions to user accounts to target specific functionality within Device Manager.
For example, you can create roles to allow the following capabilities:
To give limited access to devices for administrators whom you want to only perform basic device operations
and run reports. After the administrator logs on to Device Manager, only the Devices and Reports tabs
appear. When a user only has Report rights, the Device tab does not appear for that user, but the About
tab does display. The About tab also displays by default for users who have no other rights at all.
To allow an administrator to view, add, locate, edit, and lock a device.
You can associate both user and groups with roles. For example, if you import Active Directory groups into Device
Manager, you can apply fine-grained access control to the Active Directory groups.
The following table describes the list of features and accessibility you can associate with a role:
Role Functionality
Super Admin Access to all functionality within Device Manager (all functionality listed in
this table).
Authorised Access
Access to the Admin console and/or the Self Help Portal, as well as device access
for remote support and remote support access:
Admin Console Access
Self Help Portal Access
Device Access (when Remote Support is enabled)
Remote Support
Dashboard Access to view all of the Device Manager Dashboard and the ability to
customize the Dashboard. In order to perform actions in the Dashboard,
however, such as send notification, wipe/selective wipe, revoke, locate, and
so on, a user must be granted those specific permissions. Also, if a user is
restricted from viewing specific groups, the devices that belong to users in
those blocked groups will not appear in the Dashboard.
Devices Access to the Devices tab and the ability to perform general device
management tasks, such as connecting to iOS devices, importing devices,
editing device properties, locating, locking/unlocking, revoking, wiping, and
selectively wiping a device. Specific permissions include:
Full wipe device
Selective wipe device
View locations - when selected, users can see location and
locate/track device. Includes:
Locate device
Track device
Lock device
Unlock device
Deploy to a Device - allows you to push a deployment package to a
device.
Edit device properties
Notification to a device - gives you the ability to select a notification
template, send ad-hoc notifications to a device or group of devices
from the devices tab using email, SMS, or agent push notifications.
Add/Delete device
Devices import
Revoke device
View Software Inventory - when selected, user is allowed to view a
device software inventory.
Users
Ability to create users and groups. Includes the following permissions:
Add/delete groups
Add/delete users
Edit a user's property
Can manage admin users
Users import - ability to import list of users from a file
Enrollment
Access to the dialog all functionality related to enrollment, including Options
setting default enrollment modes, configuring enrollment notification servers
(SMTP/SMS Gateway), modifying and creating enrollment templates, and sending
enrollment notifications. Includes the following permissions:
Edit enrollment
Notify user
Policies
Access to the Policies tab and all features related to defining and implementing
policies, such as security and password policies, Exchange ActiveSync polies, app
tunneling (Windows and Android), server groups, registry configurations
(Windows), configurations, applications access (blacklist/whitelist), Sharepoint
policies, and more. Includes the following permissions:
Add/delete policy
Edit policy
Download policies
Apply policies (deploy polices in a deployment package)
Files
Access to the tab and adding, deleting, and downloading files. Includes the Files
following permissions:
Add/delete files
Edit files
Download files
Applications Allows access to the Applications tab, where you can upload and define
applications and create application categories to organize the apps you want to
deploy to users' devices. Includes the following permissions:
Add/delete applications
Edit applications
Application download
Manage category (create custom app categories for organization)
citrix.com 96
1.
2.
3.
Deployment
Access to the tab and all functionality related to device deployment, Deployment
such as the ability to create, edit, deploy, and delete packages. Includes the
following permissions:
Add/delete package
Edit package
Deploy packages
Reporting Access to the tab and the ability to run and view Device Manager Reporting
reports.
About
Access to the tab features:About
Edit and upload an APNS certificate
Edit XenMobile MDM license
Connections information - provides visibility into server related
information, such as security parameters, JVM information, and
system health.
Options The Options feature provides a user access to the dialog box and Options
the following features in the dialog box:Options
Role-Based Access Control
LDAP
Mobile Service Provider
ActiveSync Gateway
Network Access Control
AppC WebServices API
GoToAssist
PKI Entity
Scheduling
Security
General service parameters
Note: If you want this role to have access to the Remote-Based Access Control
feature, you need to specifically select the option in Remote-Based Access Control
the dialog box.
Restrict Group Access Allows you to associate groups with the current role. When a group is
associated with a role, users in that group can only see devices associated
with that group. If a user belongs to more than one group, and some of those
groups provide a range or permissions, all permissions related to all groups
are merged into the role.
Importing user accounts and properties from a file
You can import user accounts and properties from a specially formatted file called a provisioning file, which you create manually.
Note: If you are importing users from an LDAP directory, use the domain name along with the user name in the import file. For example, specify username@domain.com. This syntax prevents additional lookups that slow the import. If you are importing users into the Device Manager internal user directory, disable the default domain to speed up the import process. You can re-enable the default domain after the import of internal users completes.
After a provisioning file is prepared, use the Import icon on the toolbar to read the file by following this procedure:
1. From the Users tab toolbar, click Import. The Import a provisioning file window appears.
2. In Provisioning file type, click Users or User Properties. If you click User Properties, you do not create an account.
3. In Provisioning file location, browse to the location of the file and then click Import.
Provisioning File Formats
A provisioning file that you create manually and use to import user accounts and properties to Device Manager must have the following format:
For a user provisioning file of the .csv file type, the field separator is ';'. The fields are the following:
user;password;role;group1;group2
Note: Because ';' is used as the separator character, it must be escaped as '\;' if it is present in string values.
Note: The user provisioning file contains passwords in clear text. Protect it while it is in transit and delete it once the import completes.
An example of user provisioning file content is as follows:
user01;pwd\;01;USER;myGroup.users01;myGroup.users02;myGroup.users.users01
in which:
User: user01
Password: pwd;01
Role: USER
Note: Role can only be one of the following: USER, ADMIN, SUPPORT, or DEVICE_PROVISIONING.
Groups:
myGroup.users01
myGroup.users02
myGroup.users.users01
Note: The '.' character is used as a separator to create the group hierarchy, so this character is forbidden in a group name.
An example of the file format to provision user attributes is as follows:
user;propertyName1;propertyValue1;propertyName2;propertyValue2
Note: Because ';' is used as the separator character, it must be escaped as '\;' if it is present in string values.
An example of a user attributes provisioning file is as follows:
user01;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value
in which:
User: user01
Property 1:
name: propertyN
value: propertyV;test;1;2
Note: Property attributes must be lower case; the database is case-sensitive.
Property 2:
name: prop 2
value: prop2 value
Managing Devices
You can manage devices by using the following:
Tagging devices to identify ownership of the device. You can tag devices with a script or by using the Device Manager web console.
Adding devices to Device Manager either manually or by using the Device Provisioning tool.
Locking and unlocking devices by using the Device Manager web console.
Revoking device certificates to prevent devices from accessing Device Manager.
Wiping information from devices, which includes removing some or all data on the device.
Adding a device to Device Manager manually
The Device Manager server repository database stores a list of mobile devices. Each mobile device is defined by a unique serial number and/or IMEI. There are several methods to populate Device Manager with your devices:
Adding devices manually.
Importing a list of devices from a file by using the Device Provisioning tool (Windows Mobile and Symbian devices only) or Device Auto Discovery (only available with the Secure Device option).
To add a device manually:
1. Click New device.
2. Select the device type.
Importing a list of devices by using a file
Create a text file in the following format by using a utility such as a text editor, spreadsheet application, or note taker.
Element - Notes
Serial Number - Device serial number (required if IMEI is not given)
IMEI - Device IMEI identifier (required if serial number is not given)
Operating System Family - Required; must be WINDOWS, ANDROID, or iOS
Property name 1 - Optional
Property value 1 - Optional
Property name (n) - Optional
Property value (n) - Optional
Many mobile operators or device manufacturers provide lists of authorized mobile devices, and you can use these to avoid having to enter a long list of mobile devices manually. Device Manager supports an import file format that is common to all three of the supported device types.
Note the following:
The file charset must be UTF-8.
The semicolon (;) is used as the field delimiter, so it must be escaped if it is present in the data.
For iOS device import, Serial Number is mandatory; the serial number is the identifier for iOS devices.
For example:
1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value
2050BF3F517301081610065510590392;25244201625379902;ANDROID;propertyN;propertyV$*&&ééétest
3050BF3F517301081610065510590393;35244201625379903;iOS;test;
4050BF3F517301081610065510590393;;iOS;test;
;55244201625379903;ANDROID;test.testé;value;
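The user, user-property, and device import formats above share one tokenization: ';' separates fields and '\;' stands for a literal semicolon. The following Python is an added example, written for this page rather than taken from Citrix, that tokenizes such a file and applies the checks the text states before the file reaches the Import dialog: the allowed roles, non-empty group hierarchy levels, serial-or-IMEI presence, the allowed OS families, and the iOS serial-number requirement. Tolerating a single trailing ';' on a line and the wording of the error messages are this example's own assumptions; the sample records are constructed, modelled on the examples in the text.

```python
"""Pre-import validation for Device Manager provisioning and device import files.
Added example, not Citrix code: ';' separates fields, '\\;' is a literal ';',
'.' separates group hierarchy levels, and roles / OS families are limited to the
values the documentation lists. Assumption: a single trailing ';' is tolerated."""
FIELD_SEP = ";"
ESCAPE = "\\"
ALLOWED_ROLES = {"USER", "ADMIN", "SUPPORT", "DEVICE_PROVISIONING"}
ALLOWED_OS = {"WINDOWS", "ANDROID", "iOS"}


def split_fields(line):
    """Split one record on unescaped ';' and turn each '\\;' back into ';'."""
    fields, buf, i = [], [], 0
    while i < len(line):
        if line[i] == ESCAPE and i + 1 < len(line) and line[i + 1] == FIELD_SEP:
            buf.append(FIELD_SEP)  # escaped separator: keep the ';', skip both chars
            i += 2
            continue
        if line[i] == FIELD_SEP:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(line[i])
        i += 1
    fields.append("".join(buf))
    return fields


def escape_field(value):
    """Inverse of split_fields for one field, when writing a file: ';' -> '\\;'."""
    return value.replace(FIELD_SEP, ESCAPE + FIELD_SEP)


def _property_pairs(fields):
    """[name1, value1, name2, value2, ...] -> dict; names stay case-sensitive."""
    if len(fields) % 2 == 1 and fields[-1] == "":
        fields = fields[:-1]  # assumption: tolerate a trailing ';'
    if len(fields) % 2 == 1:
        raise ValueError("property name without a value")
    props = {}
    for name, value in zip(fields[0::2], fields[1::2]):
        if not name:
            raise ValueError("empty property name")
        props[name] = value  # no lower()/strip(): the database is case-sensitive
    return props


def parse_user_record(line):
    """user;password;role;group1;group2... -> dict, enforcing role and group rules."""
    fields = split_fields(line)
    if len(fields) < 3 or not fields[0]:
        raise ValueError(f"expected user;password;role[;groups...]: {line!r}")
    user, password, role, *groups = fields
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role {role!r} for {user!r} is not one of {sorted(ALLOWED_ROLES)}")
    for group in groups:  # '.' is the hierarchy separator, so no level may be empty
        if not group or "" in group.split("."):
            raise ValueError(f"malformed group path {group!r} for {user!r}")
    return {"user": user, "password": password, "role": role, "groups": groups}


def parse_property_record(line):
    """user;name1;value1;name2;value2... -> (user, {name: value})."""
    fields = split_fields(line)
    if len(fields) < 3 or not fields[0]:
        raise ValueError(f"expected user;name;value[;name;value...]: {line!r}")
    return fields[0], _property_pairs(fields[1:])


def parse_device_record(line):
    """serial;imei;os[;name;value...] -> dict, enforcing the identifier rules."""
    fields = split_fields(line)
    if len(fields) < 3:
        raise ValueError(f"expected serial;imei;os[;name;value...]: {line!r}")
    serial, imei, os_family, *props = fields
    if not serial and not imei:
        raise ValueError("a serial number or an IMEI is required")
    if os_family not in ALLOWED_OS:
        raise ValueError(f"OS family {os_family!r} is not one of {sorted(ALLOWED_OS)}")
    if os_family == "iOS" and not serial:
        raise ValueError("iOS devices are identified by serial number; IMEI alone is not enough")
    return {"serial": serial, "imei": imei, "os": os_family, "properties": _property_pairs(props)}


def validate_file(text, record_parser):
    """Parse every non-blank line; return (records, [(lineno, error), ...])."""
    records, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            records.append(record_parser(raw))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return records, errors


# Constructed sample device import file, modelled on the examples in the text.
SAMPLE_DEVICES = "\n".join([
    r"1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value",
    "4050BF3F517301081610065510590393;;iOS;test;",
    ";55244201625379903;iOS;test;",  # rejected: iOS without a serial number
    ";55244201625379903;ANDROID;test.testé;value;",
    ";;ANDROID;x;y",  # rejected: no identifier at all
])
```

validate_file(SAMPLE_DEVICES, parse_device_record) accepts three records and rejects lines 3 and 5 with the reason, so an operator can fix the file before the Import dialog sees it; pass parse_user_record or parse_property_record for the two user-side formats. escape_field is the counterpart for generating such a file from data that may itself contain semicolons.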
Importing a task file
1. Click the Import tab.
2. Browse to the corresponding provisioning file.
3. Click Import.
Viewing the Device Properties
When you click a device name in Device Manager and click Edit, you can view overview information for the device. The tabs that appear may differ slightly depending on the device type.
The main tabs that appear and the information they contain are as follows:
General. On this tab, you can view device properties, such as the software inventory, the device serial number, and IMEI, as well as the Strong ID if the option is available in the license installed on the Secure Device server. You can also display the status of the Device Lock and Device Wipe commands:
The statement No device lock/wipe, if no command was sent.
A description and the date and time at which the command was sent or carried out.
Properties. The hardware inventory appears on this tab. The list is updated automatically each time the device connects to Device Manager. For devices that use the Secure Device Option, additional tabs appear, such as Certificates and Master Keys.
Software. The software inventory appears on this tab. The list includes all applications and software packages installed on a device, with the package name, author, size, installation date, and version of the software. You must request an inventory if you want to display the applications deployed through Device Manager as well as user-installed apps. To request an inventory, configure a deployment from the Deployment tab. Under Resources to be deployed, select Software Inventory.
Note: For Windows Mobile devices exclusively, only software programs available in the Add/Delete program menu on the device appear on the Software tab.
iOS Profiles. You can view the profiles for an iOS device on the iOS Profiles tab. Profiles may include web clips, mobile device management (MDM) configurations, access permissions, and more.
Note: When working with iOS configuration profiles generated with Apple's iPhone Configuration Utility (IPCU), such as profiles for Exchange ActiveSync, WiFi, and VPN access with a certificate, Device Manager cannot prompt the device unless you include the certificate password in the profile when you create the certificate. You must include the certificate password in the IPCU steps, and then use Device Manager to import the profiles with the certificates.
Certificates.
Deployment. You can view a complete real-time view of package deployment, on a per-device basis, on the Deployment tab. You can view all packages assigned to a device and the status of the deployment.
Note: The status pending is the same as remaining. The status means that the package has not yet been deployed.
Connections. The Connections tab displays the users who have authenticated from a device. It lists the user name and the last two authentication times.
MDM Status. On this tab, you can review the mobile device management (MDM) status for iOS devices. The information that appears is as follows:
MDM status:
INACTIVE. The server does not expect the device to connect to it any time soon, nor does it consider it necessary.
ENQUEUED. The server is attempting to communicate with the device, but a push notification has yet to be sent to the Apple Push Notification service (APNs).
ACTIVE. The server is either currently handling a device request, or it expects the device to reply to a previously sent command.
PENDING. The server is waiting for a connection from the device.
Last push initiation. The time of the most recent push notification initiated by Device Manager.
Last notification completion. The time of the most recent completed push notification to the device.
Note: "Completion of a push notification attempt" means the notification payload was successfully sent to the APNs server and the server did not reply with an error (which would indicate syntax errors and so on).
Last reply device time. The time that the device connected to Device Manager following a push notification.
Viewing Device Management Status
For each device you manage, Device Manager provides information on device management status, whether or not the device has been jailbroken, device operating system and hardware information, serial number and IMEI/MEID number, the user of the device, the device phone number, and so on.
Three of the most commonly used and important statuses indicate whether or not a device is managed: Jailbroken/Rooted, SMG Status, and Managed.
The following table describes the status information and colored icons that you see on the Devices tab in Device Manager:
Status - Explanation
Jailbroken/Rooted
A green light means that the device is NOT jailbroken (iOS) or rooted (Android).
A red light means that the device has been jailbroken or rooted.
Secure Mobile Gateway Status
A green light means that Secure Mobile Gateway recognizes the device as legitimate and allows the device to access your Exchange email infrastructure.
A red light means that Secure Mobile Gateway recognizes the device as a potential threat to your Exchange email infrastructure and is blocking the device.
A gray light means that your instance of Device Manager does not have Secure Mobile Gateway installed and configured.
Device Managed
A green light means that the device is managed by Device Manager: the device has the XenMobile agent installed and is enrolled with (and can communicate with) the server running Device Manager.
Note: In some cases, a device appears as "managed" even though it does not have the XenMobile agent installed. This means that the device has likely been recognized by Device Manager through an ActiveSync connection. For example, if you import users into Device Manager who own a BlackBerry or Palm device, or if they connect to their email server through ActiveSync, their devices appear in Device Manager as "managed." Even though these devices cannot have a Device Manager agent installed, their communication with Device Manager is limited, and they cannot have policies deployed to them, it is possible to issue an ActiveSync or BlackBerry wipe to them.
A red light means that the device is not currently being managed by Device Manager, for the following possible reasons:
You performed a revoke, wipe, or selective wipe on the device.
The device has an agent installed on it, but it was never enrolled.
The device has an agent installed on it, but the user profile or corporate certificate has been removed.
Anonymous
Under the User column, a status of Anonymous can occur if user authentication fails (wrong credentials).
When this happens, Windows Mobile and Symbian devices switch to anonymous mode. It can also happen if the user account can no longer be used to authenticate from a device.
iOS and Android devices authenticate by using a client certificate, so those devices only become Anonymous if the user is deleted or disabled in Active Directory.
Searching for and editing device properties
From the Devices tab in the Device Manager web console, you can search for a device in the list. You can also edit the device properties to add additional properties.
Searching for a device
The Search option under the Devices tab is a free-form search field, in which you can search for a device by typing in information you know about the device; you can also narrow your search to certain criteria.
1. Click the search icon and then specify one or more of the following criteria:
The name of one of the device's users
The device serial number
The device IMEI
The model of the device
Device platform
Operating system version
Note: For each search criterion, you can enter the first letters or numbers of the item you are looking for.
2. To narrow the search to specific criteria, in the Search list, select one or more of the following check boxes:
IMEI/MEID
User
Model
Platform
OS version
Serial number
To restore the complete list of devices, click x next to the Search field.
Editing the device properties
After you have added one or more devices into the repository database, you can populate additional comprehensive device data into the repository database. This ability allows administrators to maintain a detailed hardware inventory of their field devices within Device Manager. This process mirrors that of adding additional user information, minimizing training requirements.
1. Click the Devices tab.
2. Highlight the device to which you want to add additional hardware information and then click Edit.
3. Click the Properties tab and then click New Property.
4. Select either one of the included fields, or select Other to create a custom data field. This field is free-form and can contain up to a maximum of 256 characters.
Showing or hiding device statuses
Under System Configuration in the Device Manager web console, you can change how the device status appears. On the Devices tab, you can also choose which columns to show or hide.
The following procedure describes how to show or hide the device status for jailbroken or rooted, Secure Mobile Gateway, and Device Manager management statuses.
1. In Device Manager, click Options.
2. In the Options dialog box, click General.
3. Under General Parameters, click to enable or disable the following statuses:
Highlight "Jailbroken/Rooted" column
Highlight "SMG Status" column
Highlight "Managed" column
Enable device triangulation
Enable WebEAS for iOS
Adding or removing device status columns
1. Click the Devices tab.
2. Click the arrow in a status column to show a list of the possible columns that you can display. Each selected item appears in the Devices table.
3. Clear a check box to hide a status column.
Locking a Device Remotely
If a device is lost, but you are not sure it was stolen, you can remotely "lock" the device. To do so, select the device in Device Manager and then, on the Security menu, click Lock.
For Android and Windows Mobile devices, the system then generates a PIN code that is set on the device if the user had not set a PIN code already. To access the device, the user has to type that PIN code.
When the device is found again, you can remove the lock by using the Cancel the lock option.
Selectively Wiping a Device
You can perform a selective wipe in Device Manager if you only want to clear corporate data from the device while retaining personal information and selected settings. A selective wipe removes the mobile device management (MDM) profiles. All packages pushed by Device Manager to the device are also removed. The device can be re-enrolled at a future time.
Select the Selective Wipe command from the Devices tab > Security menu. Select Cancel Selective Wipe to undo the operation request.
Selective Wipe for iOS and Android Devices
Perform a selective wipe if you only want to clear corporate data from the device while retaining personal information and selected settings. The MDM profiles and all packages pushed by Device Manager to the device are removed. The device can be re-enrolled at a future time.
Note: Selectively wiping an Android device does not completely disconnect the device from Device Manager and the user's corporate network. To break the connection between the device and the corporate network, you also need to revoke the Android device.
Selective Wipe for Windows 8 Devices
When you perform a selective wipe on a Windows 8 device from Device Manager, it removes all contents from the currently logged-on user's profile folder.
Selective Wipe for Windows Phone 8 Devices
When you selectively wipe a Windows Phone 8 device by using Device Manager, the following is removed from the device:
The enterprise token that allows apps to be installed on the device by Device Manager.
All Device Manager certificates.
All Device Manager configurations that have been deployed to the device.
Requesting a Full Wipe for a Device
If a device is stolen or lost, you can send a request to have all data on the device erased. For Android devices, this also includes the option to include any memory cards.
To fully wipe a device, from the Devices tab inside the XenMobile Device Manager web console, select Security > Full Wipe.
Note: Erasing a device may not complete in full if the "current holder" of the device has time to turn the device off before the content of the memory card is completely deleted. In that case, they may still have access to data on the device.
If the wipe of the device has not been carried out and the device is retrieved, you can cancel the wipe command by selecting the Cancel wipe menu item.
For Android devices, you can choose to wipe only the device, which removes any internally stored data, or to wipe the device plus any externally connected storage (memory cards).
For Windows Phone 8 devices, a full wipe removes all MDM information plus all user data, including all personal content such as apps, emails, contacts, and media files.
For Windows Mobile devices running a version earlier than Windows Mobile 6, after wiping, it may be necessary to send the device back to the manufacturer to reload the original operating system and/or software.
Tagging User Devices Automatically
You can tag your users' devices as either corporate-owned or employee-owned to keep track of your company's Bring Your Own Device (BYOD) program, either automatically with a script, or manually by using the Device Manager web console. To enable employee and corporate device tagging, you download a Windows build of PHP, add device IDs to a CSV file, and execute the supplied XenMobile script that automates the device tagging process. After setting up device tagging, you schedule the script as a repeating Windows task that runs every minute.
Note: For on-premise deployments, the tagDevice.php script is located at C:\Program Files (x86)\Citrix\XenMobile Device Manager\samples\WebServices.
Setting up device tagging
1. In a browser, go to the Windows PHP download site at http://windows.php.net/download/.
2. Download the installer package named PHP 5.3 (VC9 x86 Thread Safe, 2012-Feb-02 21:56:19).
3. Install the package on your local system at c:\php5.
4. Copy the two files named tagDevice.php and devices.csv to c:\temp (this PHP script is host, location, and platform agnostic).
5. Open the tagDevice.php file in a text editor and replace the default (highlighted) connection parameters with your own. Two corrections to the sample as originally printed: the 'location' value must carry a scheme (https://) and the full host name, and the PHP SoapClient option that names the service is 'uri', not 'url'.
For an on-site Device Manager implementation:
    // <server> is your Device Manager host; zdm is the Device Manager instance name
    $soap_url = "https://<server>/zdm/services/EveryWanDevice?wsdl";
    $client = new SoapClient(null, array(
        'location' => $soap_url,
        'uri'      => "https://<server>",
        'login'    => "demo",
        'password' => "XXXXX"));
For example:
    $soap_url = "https://mdm.zenprise.com/zdm/services/EveryWanDevice?wsdl";
    $client = new SoapClient(null, array(
        'location' => $soap_url,
        'uri'      => "https://mdm.zenprise.com",
        'login'    => "demo",
        'password' => "XXXXX"));
where mdm.zenprise.com is the name of the Device Manager server and zdm is the Device Manager instance name.
For a cloud deployment:
    // <tenant> is your cloud instance name; it appears as both the host prefix and the path prefix
    $soap_url = "https://<tenant>.zc.zenprise.com/<tenant>/services/EveryWanDevice?wsdl";
    $client = new SoapClient(null, array(
        'location' => $soap_url,
        'uri'      => "https://<tenant>.zc.zenprise.com",
        'login'    => "demo",
        'password' => "XXXXX"));
For example:
    $soap_url = "https://abc.zc.zenprise.com/abc/services/EveryWanDevice?wsdl";
    $client = new SoapClient(null, array(
        'location' => $soap_url,
        'uri'      => "https://abc.zc.zenprise.com",
        'login'    => "demo",
        'password' => "XXXXX"));
Note: 'login' and 'password' are the credentials of a Device Manager account able to edit device properties (see the Devices role permissions above), stored in clear text in this file. Use a dedicated account with only that permission, and restrict file system access to c:\temp to the account that runs the scheduled task.
6. Edit the devices.csv file and add the serial numbers of all corporate devices, one per line.
7. Open a command prompt, change to c:\temp, and run tagDevice.php as follows:
c:\temp>c:\php5\php.exe tagDevice.php
device:7R043870A4S is a personal asset
device:82835PLWY7K is a personal asset
device:88025X9PA4T is a personal asset
device:880277VSA4S is a personal asset
device:99000052027603 is a personal asset
device:A1000013555FD9 is a personal asset
device:A10000138B2613 is a personal asset
device:A1000017B0A311 is a personal asset
device:C329030326CC33E is a corporate asset
device:GB0262YCETV is a personal asset
device:GB0289L3ETV is a personal asset
c:\temp>
To configure the device tagging script to run as a repeating task
1. Create a file named tagDevice.cmd under c:\temp (where you previously copied tagDevice.php and devices.csv) and add the following line:
    cd c:\temp && c:\php5\php.exe tagDevice.php
2. Create a scheduled task that executes this command once every minute (/SC MINUTE /MO 1). For example:
    c:\> schtasks /create /TN tagDevice /TR c:\temp\tagDevice.cmd /SC MINUTE /MO 1
3. Query the tasks to verify that it exists:
    c:\> schtasks /query /TN tagDevice
4. To delete the task:
    c:\> schtasks /delete /TN tagDevice
Tagging User Devices Manually
There are three ways you can manually tag a device:
Tag the device during the invitation-based enrollment process (iOS only).
Tag the device during the Self Help Portal enrollment process.
Tag the device by adding device ownership as a device property (any device).
When you enroll an iOS device, you have the option of tagging the device as either corporate- or employee-owned.
When using the Self Help Portal to self-enroll a device, you can also tag the device as either corporate- or employee-owned. You can also tag a device manually by adding a property to the device from the Devices tab in Device Manager, creating the property named Device Ownership and choosing either Corporate or Employee.
Working with Apps
You can add apps and files to Device Manager that you want to deploy to iOS, Android, and Windows devices. You can add proprietary apps that you have developed internally for your users and then deploy those apps to the Worx Store in a deployment package. You can also add app definitions of publicly available apps, so your users can access them from the iTunes, Google Play, or Windows Phone app stores and install them on their devices.
Apps you deploy appear to iOS and Android device users in the Worx Store inside the Worx Home app. Windows Phone 8 users access their apps from the Worx Home app.
Adding iOS Apps
You can add iOS apps to Device Manager and make them available to your users. You can deploy apps to devices using a deployment package. You can make iOS apps available either through the Connect app in the Applications folder, or create a web clip application store to deploy to your iOS users' home screen.
You can add iOS apps in two ways:
Internally. Upload the application to the Device Manager database as an iOS .ipa file.
Externally. Create an application definition that references the app data through a URL to the Apple iTunes app store.
Adding an internal iOS app
If you have internally developed iOS apps (.ipa) or iOS apps that you are licensed to distribute, you can upload those apps directly to the Device Manager database and then deploy those apps to users' devices.
1. In the Device Manager web console, select the Applications tab.
2. Click New > New app.
3. In the Import an application into the XenMobile MDM database dialog box, click Choose File.
4. In the iOS app parameters section, enter the following information:
a. Select Remove App when MDM profile is removed (Application push only) if you want the app to be removed from any devices you deploy it to when the XenMobile MDM profile is removed from the iOS device.
b. Select Prevent backup App data (Application push only) if you want to prevent the device user from backing up the app to an external device or application.
5. Click Import.
Adding an external iOS app
For those iOS apps that are must-haves, or that you would like to recommend to your iOS users, you can create an iOS app definition and then push the app to your users' devices. When your users open the Connect app on their device and tap the Applications folder, they can download the app to their devices.
To add an external iOS app to Device Manager, you need the complete URL to the app in the iTunes app store.
1. In the Device Manager web console, select the Applications tab.
2. From the New menu, select New External iOS App.
3. In the Add an external iOS application dialog box, enter the following information:
a. Specify the URL with a link to the Apple App Store.
b. Click Go to validate the URL link and retrieve application information.
c. Optionally select one or both of these app security policies (under the app description):
Remove App When MDM Profile is Removed. To ensure that external apps (those not developed by your organization) are only installed on devices that are managed by your IT department, you can choose to remove a pushed app from an iOS device if the user removes their MDM profile.
Prevent App Data Backup. Before you push an iOS 5 app to an iOS device, you can select the Prevent Backup of App Data setting, which prevents the user from backing up the specified app either on their computer (via iTunes) or through iCloud.
4. If the app is licensed through the Apple Volume Purchase Program (VPP), you see a second tab in the dialog box labeled VPP Licenses. To import your VPP license file for this app, select the VPP Licenses tab. (If the app you are defining is not licensed through VPP, skip to step 10.)
5. Click Import a License File.
6. In the Import a License File dialog box, click Choose File to select your VPP license file for the app.
7. From the Country drop-down list, select the country code for the country where the app was developed or localized. For example, if the app was developed for a French audience, choose France.
8. Click Read a license file to import the file.
9. Click Confirm Import.
10. Click Add. The external iOS app definition is added to Device Manager. You can add as many apps or app definitions as you want to push to your users' devices. These apps are pushed to users' devices when you add them to a deployment package.
Updating new versions of custom iOS apps
A custom app is an app that is not available on iTunes. When a new version of a custom app is available, you can update the app by adding the new .ipa file on the Files tab in Device Manager. The next time the device connects to Device Manager, the app is updated to the new version.
1. On the Files tab, click the iOS app you want to update and then click Edit.
2. To upload an iOS application with a .ipa extension, click Choose File and then browse for the app.
3. Click Update. The new version of the app is pushed to the device the next time the device connects with Device Manager.
Citrix Worx Store for iOS Apps (MDM-only)
If you are using XenMobile MDM edition (not the Enterprise solution), you can deploy apps to your users' iOS devices using the Citrix Worx Store for iOS, preconfigured in XenMobile Device Manager as an iOS web clip, and included as part of the iOS base package that gets deployed when a user enrolls into Device Manager. For more information about the iOS base package, see How Base Packages Work.
When you install Device Manager for the first time, you need to add iOS apps to Device Manager, add apps to the Worx Store Deployment Package and then deploy the package to users.
Adding apps to Worx Store for iOS
To add apps to the Citrix Worx Store app store for iOS, you need to add iOS apps to Device Manager (see Adding iOS Apps), and then add those apps to a deployment package and deploy that package to iOS users.
1. In the Device Manager web console, click the Deployment tab, and then click New Package > New iOS Package.
2. In the Create New Package wizard, in the Package Name window, enter a name for the Self-service package and then click Next.
3. In the Groups of users window, select the group you created earlier and then click Next.
4. Under Enterprise Application Store, select the apps you want to add to the app store and then click the right arrow to add them.
5. Click Next.
6. In the Deployment schedule window, select the If not deployed Start Now option and then click Next.
7. In the Deployment rules page, click Next.
8. Click Finish.
9. To deploy the Citrix Worx Store app store for iOS, from the Deployment tab, click Deploy. To verify, check the device of an iOS user you deployed the package to and look for the Self-serve app on the device Home screen.
Branding the Worx Store for iOS
You can change the default image used for the Worx Store. You may want to provide a corporate image or branded logo, for example. You brand the Worx Store by creating a branding policy in which you upload your desired image and then deploy that policy to your users' devices.
Note: Before you begin, make sure you have your custom image ready and accessible.
Follow these image sizing guidelines to ensure best usability across devices:
For retina displays, the suggested logo size is 218x36 pixels.
For regular displays, the suggested logo size is 109x18 pixels.
1. From inside the Device Manager web console, select the Policies tab.
2. From the left side of the console, under MDM Policies, select Branding.
3. Click New Policy.
4. In the Enterprise App Store Branding dialog box, enter a name for the policy.
5. Click Browse to select an image to use for the branding.
6. Click Create.
7. To deploy this branding policy to users' iOS devices, you need to create a deployment package and deploy the package to users' devices. For more information, see To create and deploy a deployment package.
Creating a deployment policy for iOS apps
1. Select the Deployment tab, click New Package and then click New iOS Package.
2. In the Create New Package wizard, in the Package Name window, enter a name for the package, such as iOS App Store, and then click Next.
3. On the Groups of users window, select the group you created earlier and then click Next.
4. On the Resources to be deployed window, under Available Resources, scroll to the Enterprise Application Store, select the apps you want to add, click the right arrow button and then click Next.
5. On the Deployment schedule window, select the If not deployed Start Now option and then click Next.
6. On the Deployment rules page, click Next.
7. On the Package summary page, click Finish.
8. In the packages list, click Deploy.
To push applications to iOS devices
You can push both external Apple iOS apps and apps that you developed internally within your organization to devices from Device Manager. You select the apps you want to push from the Files tab and then deploy the apps in a package.
Device Manager provides two security policy settings that you can apply to applications before you push them:
Remove App When MDM Profile is Removed. To ensure that certain external apps are only installed on devices that you manage, you can choose to remove a pushed app from an iOS device if the user removes their Device Manager profile.
Prevent App Backup. Before you push an iOS 5 app to an iOS device, you can select the Prevent Backup of App Data setting, which prevents the user from backing up the specified app either on the user's computer (via iTunes) or through iCloud.
Note: Before you can push an iOS app to a device, the app file must already have been imported into Device Manager.
1. On the Files tab, select either an internal or external app and then click Edit or double-click the app.
2. In the app properties dialog box, select:
Remove App When MDM Profile is Removed if you want the app to be removed if the user deletes the device's Device Manager profile.
Prevent Backup of App Data if you want to prevent the app from being backed up by the user.
3. Click Update.
4. On the Deployment tab, on the New Package menu, click New iOS package.
5. On the Package Name page of the Create New Package wizard, enter a name for the iOS app and then click Next.
6. On the Groups of users page, select the users whom you want to receive the app on their devices when you push the app and then click Next.
7. On the Resources to be deployed page, in Available Resources, select the app you want to push, click the right arrow to add the app to the package and then click Next.
8. On the Deployment schedule page, configure to push the app Now or at a specified time in the future and then click Next.
9. On the Deployment rules page, specify any deployment rules you want to associate with the app and its deployment and then click Next.
10. On the Package summary page, review the package deployment configuration and then click Finish.
11. To deploy the package, select the package and then click Deploy. Connected devices receive the package as soon as scheduling rules are met. Reconnecting devices receive the package as they reconnect, subject to other rule criteria.
When you push external apps to a store, the user is prompted to enter the user's Apple ID credentials in order to install the app.
To remove an app from an iOS device
You can easily remove applications from iOS devices by creating an app removal policy and then deploying that policy to a device. An app removal policy is based upon specifying an application's app bundle ID in the policy. In order to determine an application's bundle ID, you must push a software inventory policy to the device. Or, you can use Apple's Xcode IDE application tool called Bundle identifier to find an app's bundle ID.
Note: Removing an application only works for applications distributed by Device Manager.
1. On the Policies tab, click iOS Configurations.
2. On the New Configuration menu, select Deletion Operations | Application Removal Operation.
3. In the App Removal dialog box, select an App bundle ID for the app you want to remove.
4. Click Create. You created the new app removal policy.
5. To deploy the policy as a package, click the Deployment tab.
6. On the Package Name page of the Create New Package wizard, enter a name for the app removal policy and then click Next.
7. On the Groups of users page, select the users from whose devices you want to remove the app and then click Next.
8. On the Resources to be deployed page, in Available Resources, select the app removal policy you want to use for the package, click the right arrow button to add the resource to the package and then click Next.
9. On the Deployment schedule page, configure to push the app removal Now or at a specified time in the future and then click Next.
10. On the Deployment rules page, specify any deployment rules you want to associate with the app and its deployment and then click Next.
11. On the Package summary page, review the app removal package configuration and then click Finish.
12. To deploy the package and remove the app, click the package and then click Deploy. Connected devices receive the package as soon as scheduling rules are met.
Distributing iOS Volume Purchase Program Apps
The Apple Volume Purchase Program allows you to purchase iOS apps and books in volume and distribute them to your employees, either as free apps or apps for purchase, by using Device Manager.
Distributing apps purchased through the Volume Purchase Program requires the following general steps:
Purchase apps by using your Volume Purchase Program account on the Apple Volume Purchase Program website.
Download the Volume Purchase Program app purchase license spreadsheet containing the app license redemption codes.
Add the app information and import the license spreadsheet into the Device Manager file repository.
Build an app package and deploy it to your users' devices.
Before you begin, make sure you have the following information about the Volume Purchase Program apps you want to distribute with Device Manager:
App Store Web address for each purchased Volume Purchase Program app you want to distribute.
iOS 6 and previous: Licensing spreadsheet with redemption codes for the Volume Purchase Program apps that you will import into Device Manager. You can import license spreadsheets one time, or multiple times if you purchase new licenses at a later date.
iOS 7: The license code for your Volume Purchase Program apps (one code). When you enter this code in the Device Manager Options dialog box, the purchased app definitions populate the Device Manager Apps tab, under iOS.
After you import Volume Purchase Program license codes, the codes are initially considered to be "Unused." Each code is reserved and switches to "Pending" status during deployment as it is sent to a device. The device can then determine the following:
The code is not necessary (for example, the app was already purchased by the specified iTunes account), in which case the code status is switched back to "Unused."
The code is invalid (for example, the code was already used for a purchase), in which case the status switches to "Invalid."
Note: If an app installation fails because the code was invalid, the code is not sent to the device until the next deployment.
The code is applied successfully to the purchase of the application, in which case the status goes to "Used."
Distributing Volume Purchase Program apps (iOS 6)
1. Click the Files tab and then, on the New menu, click New external iOS app.
2. In the new app dialog box, enter the Web address of the Volume Purchase Program iOS app. This is the Web address you used to purchase the app at the Apple app store.
3. Click Go. Device Manager locates the Web address for the app and then populates the dialog box with the app details.
4. Click the VPP Licenses tab and then click Import a license spreadsheet.
Note: You can also update Volume Purchase Program license redemption codes by adding a new license spreadsheet with new licenses at a later date. For example, if you first buy 100 licenses for an app and then eventually have more target devices to deploy to, you can purchase more licenses at the Apple Volume Purchase Program site and then add them to the existing Volume Purchase Program app definition in Device Manager.
5. Browse to the location on your system where you have saved the license spreadsheet and then click OK.
6. Click Add to complete the file configuration.
7. Next, you create a deployment package so you can push the Volume Purchase Program apps to your users' devices. Select the Deployment tab.
8. On the New Package menu, click New iOS package.
9. On the Package Name page of the Create New Package wizard, enter a name for the iOS Volume Purchase Program app and then click Next.
10. On the Groups of users page, select the users on whose devices you want to receive the Volume Purchase Program app when you push the app and then click Next.
11. On the Resources to be deployed page, in Available Resources, select the Volume Purchase Program app from the External iOS list, click the right arrow button to add the app to the package and then click Next.
Note: With Volume Purchase Program app deployments, you can only choose to push these apps as External iOS apps, and not as Enterprise App Store apps.
12. On the Deployment schedule page, configure to push the app Now or at a specified time in the future and then click Next.
13. On the Deployment rules page, specify any deployment rules you want to associate with the app and its deployment and then click Next.
14. On the Package summary page, review the iOS Volume Purchase Program app package deployment and then click Finish.
15. To deploy the iOS Volume Purchase Program app package, select the package and then click Deploy. Connected devices receive the package as soon as scheduling rules are met. Reconnecting devices receive the package as they reconnect, subject to other rule criteria. When you push external apps to a store, the device user is prompted to enter their Apple ID credentials in order to install the app. You will see a message after installation that the user account on the device will not be charged for the app.
After you deploy the app, the purchased app becomes the property of the iTunes account entered on the device. The owner of the account used to install the app on the device can later install the application on a device of their choosing without having to pay for it.
Running a code inventory report on Volume Purchase Program apps
The Apple Volume Purchase Program code inventory report in Device Manager provides a detailed list of all of your Volume Purchase Program app purchases, the number of purchased licenses for each app, whether or not each license is being used by a device, the associated device ID, and more.
Click the Reporting tab and then click AVPP code inventory to run the report.
The code summary report results appear in a new tab.
Adding Android Apps
You can add Android apps to Device Manager and make them available to your users. You can deploy apps to devices using a deployment package. You make Android apps available through the Connect app, in the Applications folder.
You can add Android apps in two ways:
Internally. Upload the application to the Device Manager database as an Android .apk file.
Externally. Create an application definition that references the app data through a URL to the Google Play or Amazon app store.
To add an internal Android app
If you have internally developed Android apps (.apk) or Android apps that you have licensed to distribute, you can upload those apps directly to the Device Manager database and then deploy those apps.
1. In the Device Manager web console, select the Applications tab.
2. Click New > New app.
3. In the Import an application into the XenMobile MDM database dialog box, click Choose File.
4. Select the file and click Open.
5. In the APK parameters section, enter the following information:
a. Select the Execute APK File option if you want the app to launch immediately after it is installed on the device.
b. Select After Installation if you want to prevent deleting the installation file from the device when the installation is done.
c. In the Destination folder section, select the folder where you want to upload the installation file. Only Flash Storage and Device Manager Installation folder are available as a path prefix for Android devices.
d. In the If the file already exists section, specify what to do if the file already exists: copy it if the files are different, or do not overwrite the existing one.
6. When you are finished, click Import. Once imported, the app can be added to deployment packages and pushed to Android devices.
To add an external Android app
For those Android apps that are must-haves, or that you would like to recommend to your Android users, you can create an Android app definition and then push the app to your users' devices. When your users open the Connect app on their device and tap the Applications folder, they can download the app to their devices. In order to add an external Android app to Device Manager, you need the complete URL to the app from the Google Play or Amazon app store.
1. In the Device Manager web console, select the Applications tab.
2. From the New menu, select New External APK App.
3. In the Add an external Android application dialog box, enter the following information:
a. In the Application store drop-down, select either Google Play or Amazon and then specify the URL with a link to the app store.
b. Click Go to validate the URL link and retrieve application information.
4. If for some reason the app URL is not recognized, you can click the Credentials button to authenticate with the Google Play store so your managed devices will be recognized and you can add external Android apps to Device Manager. You will need the device ID from an Android phone that is managed by XenMobile Device Manager.
a. To obtain an Android device ID from a managed Android phone, type *#*#8255#*#* on the Android device phone number pad.
b. In the Add an external Android application dialog box, click Credentials.
c. In the Android Market Access Credentials dialog box, enter your Google username and password. This can be the account ID from any valid Google account.
d. Enter the Android phone device ID you obtained in step a.
e. Select the Save in database option to store the authentication with Device Manager.
f. Click Save.
5. Click Add. The external Android app definition is added to Device Manager. You can add as many apps or app definitions as you want to push to your users' devices. These apps can be pushed to users' devices when you add them to a deployment package.
Citrix Worx Store for Android Apps (MDM-only)
You can provide your users a list of recommended or required apps on their Android devices. You can add external (free or paid) apps hosted on Google Play or the Amazon Application Store as well as internal, in-house apps that your team has developed. All apps appear inside the Citrix Worx Store for Android on your users' Android devices.
Populating the Citrix Worx Store (the Enterprise Application Store) for Android requires performing the following tasks:
Add the custom-made or external apps from the Google Play or Amazon app store to Device Manager.
Create and push a deployment package containing the apps to the device.
Brand the Citrix Worx Store with your company logo or image (optional).
Users view the apps you deploy on their Android devices by opening Citrix MDM Connect and then tapping the Apps icon.
To add Android apps to Device Manager
To add external apps to Device Manager, you need the app Web addresses. For example, you can distribute the following apps to your users:
Nitrodesk TouchDown For Smartphones (if you have a phone): https://play.google.com/store/apps/details?id=com.nitrodesk.droid20.nitroid&hl=en
Nitrodesk TouchDown HD for Tablets (if you have an Android tablet): https://play.google.com/store/apps/details?id=com.nitrodesk.honey.nitroid&hl=en
Project Viewer: https://play.google.com/store/apps/details?id=cintelic.project.pro&hl=en
To add internal Android apps, you only need to upload Android app files with the .apk extension.
1. In Device Manager, select the Files tab, click New and then click External APK App.
2. Click Credentials to add your Google Play Market access credentials. Device Manager uses the credentials to access the proper version of the app you will distribute to your employees.
3. Click Save.
4. In the Add an external APK application dialog box, in URL, enter the app Web address and then click the Go button to find the app data.
5. Click Add.
6. Repeat Steps 1 through 5 for the other apps. The apps appear on the Files tab in Device Manager.
7. To upload internal apps to Device Manager, click New and then select New App or File.
8. In the Import a file to the Device Manager database dialog box, click Choose File and then browse to select the Android app file (.apk) to import.
9. Select from the following options:
Execute APK file. Select this option to run the installation automatically when the file transfer is done.
After installation. Select this option to avoid deleting the installation file from the device when the installation is done.
Destination folder. Enter the folder where the file should be uploaded. Only Flash Storage and Device Manager Installation folder are available as a path prefix for Android devices.
If the file already exists. Copy it if the files are different, or do not overwrite the existing one. You can also register a comment if needed.
10. Click Import.
To brand the Worx Store for Android
You can change the default image used for the Worx Store, for example if you want to provide a corporate image or branded logo. You brand the Worx Store by creating a branding policy in which you upload your desired image, and then deploy that policy to your users' devices.
Note: Before you begin, make sure you have your custom image ready and accessible.
Follow these image sizing guidelines to ensure best usability across devices:
For retina displays, the suggested logo size is 218x36 pixels.
For regular displays, the suggested logo size is 109x18 pixels.
1. From inside the Device Manager web console, select the Policies tab.
2. From the left side of the console, under MDM Policies, select Branding.
3. Click New Policy.
4. In the Enterprise App Store Branding dialog box, enter a name for the policy.
5. Click Choose File to select an image to use for the branding.
6. Click Create.
7. To deploy this branding policy to your users' Android devices, you need to create a deployment package and deploy it to your users' devices. For more information, see To create and deploy a deployment package.
To create a deployment package for Android apps
1. Select the Deployment tab, click New Package and then click New Android Package.
2. In the Create New Package wizard, in the Package Name window, enter a name for the package, such as Android App Store, and then click Next.
3. On the Groups of users window, select the group you created earlier and then click Next.
4. On the Resources to be deployed window, under Available Resources, scroll to the Enterprise App Store, select the check boxes for the two external and two internal apps you want to add, click the right arrow button and then click Next.
5. On the Deployment schedule window, select the If not deployed Start Now option and then click Next.
6. On the Deployment rules page, click Next.
7. On the Package summary page, click Finish.
8. In the packages list, click Deploy.
Adding Windows Phone 8 Apps
You can add Windows Phone 8 apps to Device Manager and make them available to your users. You can deploy apps to devices using a deployment package.
Note: Make sure that, before you deploy apps to your users, the app has been signed by the Microsoft app signing tool (XapSignTool.exe) with a valid app certificate. For more information, see Configuring Apps for Windows Phone 8 Worx Home.
You can add Windows Phone 8 apps in two ways:
Internally. Upload the application to the Device Manager database as a Windows .xap file.
Externally. Create an application definition that references the app data through a URL to the Windows Phone app store.
To add an internal Windows Phone 8 app
If you have internally developed Windows Phone 8 apps (.xap) or Windows Phone 8 apps that you have licensed to distribute, you can upload those apps directly to the Device Manager database and then deploy those apps.
1. In the Device Manager web console, select the Applications tab.
2. Click New > New app.
3. In the Import an application into the XenMobile MDM database dialog box, click Choose File.
4. Select the file and click Open.
5. In the XAP parameters section, enter a description, and then click Import.
To add an external Windows Phone 8 app
For those Windows Phone 8 apps that are must-haves, or that you would like to recommend to your users, you can create a Windows Phone 8 app definition and then push the app to your users' devices. When your users open the Company Store on their device, they can install the app on their devices. In order to add an external Windows Phone 8 app to Device Manager, you need the complete URL to the app from the Windows Phone app store.
1. In the Device Manager web console, select the Applications tab.
2. From the New menu, select New External Windows Phone App.
3. In the Add an external Windows application dialog box, enter the URL to the app from the Windows Phone app store.
4. Click Go to validate the URL link and retrieve application information.
5. Click Add. The external Windows Phone app definition is added to Device Manager. You can add as many apps or app definitions as you want to push to your users' devices. These apps can be pushed to users' devices when you add them to a deployment package.
Configuring Apps for Windows Phone 8 Worx Home
Using Device Manager, you can deploy apps to your Windows Phone 8 users by creating an Enterprise Hub policy in Device Manager and then deploying it to your users. On their devices, this policy appears as the Windows Worx Home app. Once deployed, you can then provide Windows Phone 8 apps for your users using deployment packages.
In order to provide Windows Phone 8 apps from the Windows Mobile app store or from your own development teams, you need to perform the following setup tasks as described on the Microsoft Windows Phone 8 development center web site.
Note: Make sure that you follow these setup tasks in the order presented, and ensure that you build the Enterprise Hub and add it to the Windows Phone 8 Base Package in Device Manager before you enroll your Windows Phone 8 users, or they will not receive the Worx Home app store and will have to re-enroll to receive it.
The general setup tasks are as follows:
1. Register a company account on Windows Phone Dev Center and acquire an enterprise certificate from Symantec. Visit the Symantec Enterprise Mobile Code Signing Certificate Web site, and complete the required steps to acquire an enterprise mobile code signing certificate.
2. You will receive an application enrollment token (AET) with the .aetx extension. This file is used in the policy created in Device Manager that you deploy to your Windows Phone 8 devices.
3. Obtain the Citrix developed Worx Home app store app on the XenMobile Device Manager server at the following location: \Citrix\XenMobile Device Manager\tomcat\webapps\zdm\CitrixWorxHome.xap.
4. Sign the Citrix Enterprise Hub app (CitrixWorxHome.xap) as well as any internally developed apps you want to distribute, using the Microsoft app signing tool (XapSignTool.exe).
5. Using the Device Manager web console, create a Windows Phone 8 Enterprise Hub policy and add the package to the Windows Phone 8 base package located under the Deployment tab.
6. Enroll your Windows Phone 8 users.
7. Optionally, you can add Windows Phone 8 apps you want to distribute to the base package, or create a separate package to deploy the apps. Apps can be from the Windows app store, or internal apps you develop in-house. Note that all internal apps must be signed with the certificate before you deploy them.
Adding Windows Mobile Apps
If you select a Windows Mobile app (.cab) to be uploaded, several options appear, as described below.
Note: This is possible only with signed applications. The installation silently fails otherwise.
Execute CAB file: select this option to run the installation automatically when the file transfer is done.
Silent installation: select this option to silently install the application, without prompting the end user. Frequently, for reasons of code signatures, messages may be generated asking the device user to confirm installation of applications. Likewise, by default under Windows CE, messages ask where applications should be installed. Device Manager allows applications to be installed in silent mode without the device user having to reply to confirmation messages.
After installation: select this option to avoid deleting the installation file from the device when the installation is done.
Destination folder: enter the folder where the file should be uploaded.
Specify what to do if the file already exists: copy it if the files are different, or do not overwrite the existing one.
You can also register a comment if needed.
Configuring Applications Access Policies
When you deploy a software inventory package to a device, Device Manager maintains the list of apps installed on that device. You can work from those lists to configure Applications Access Policies, also known as application blacklists and whitelists, to manage your users' access to applications on their devices.
You can also use Applications Access Policies in the following ways:
As triggers for Automated Actions. For example, if Device Manager detects that a device has an unapproved app installed, you can configure an Automated Action that remotely wipes the device, or sends a notification to the user that the user's device is out of compliance with the organization's policy.
As device status flags for the Secure Mobile Gateway rules. For example, if Device Manager detects that a device has an unapproved app installed, you can configure the Secure Mobile Gateway rules to block the device from receiving email from the organization.
Applications Access Policies Types
You can create the following types of Applications Access Policies.
Forbidden (blacklist). A list of apps that users cannot install on their devices. If even one app on the device matches an app in the Forbidden list in Device Manager, the device is considered to be in violation of the policy.
Suggested (whitelist). A list of apps that you suggest to users. Users can have one or more of the apps from the list installed and still be in compliance with the policy. However, if users install an app that is not listed in the policy, the user's device is in violation of the policy.
Required (whitelist). A list of apps that must be installed on the device to be in compliance with the policy. Users must install all of the apps on the list. If any app in the list is not installed, the device is in violation of the policy.
App Definitions
You have the option in Device Manager of using the App bundle ID and App package name when you define iOS and Android apps in your policies. These values are optional, but Device Manager can identify apps more reliably when you use them.
In iOS, an App bundle ID is traditionally a reverse-domain-name style string assigned when a developer creates a new app. For example, for Angry Birds (www.rovio.com/), the App bundle ID on iOS is 'com.rovio.angrybirds'. On Android, the App package naming convention is similar to iOS, in which the developer identifies the app with a reverse-domain-name style string. The last part of the name is the name of the App package, often with the file extension appended to the end. For example, for Angry Birds, the App package name on Android is 'com.rovio.angrybirds.apk'.
To configure an Applications Access Policy
1. In the Device Manager web console, click the Policies tab.
2. On the left side of the console, under App Policies > Global, click Applications Access Policies.
3. Click New Applications Access Policy.
4. In the Add a new Applications Access Policy dialog box, enter a name for the policy, such as Forbidden iOS Apps, and then optionally enter a description.
5. In Access policy, click one of the following options:
Required (whitelist). Defines a list of apps that users are required to install on their device to be in compliance with the policy. If any of the apps is not installed, the device is in violation of the policy.
Suggested (whitelist). Defines a list of apps that are suggested to users. Users can have one or more of the apps from the list installed and still be in compliance with the policy. However, if the user installs any apps that are not listed in the policy, the device is in violation of the policy.
Forbidden (blacklist). Defines a list of apps that users should not install on their devices. If any app on the device matches an app in this list, the device is in violation of the policy.
6. In OS type, select the device platform you want to associate with the policy.
7. Click New app.
8. In the Add a new application dialog box, enter the name of an app that you would like to add to the Applications Access Policy list. When you add an app, you can optionally enter the app bundle ID and app package name for iOS and Android. If you configure these fields, Device Manager uses the values to identify the app.
9. Click Create. The app appears in the list in the Add a new application dialog box.
10. Click Create again to create the Applications Access Policy. Once created, you can add this policy to a deployment package and deploy it to the devices you want to manage.
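To make the Forbidden, Suggested and Required rules above and the App Definitions matching concrete, here is an added example (not Citrix code, and not how Device Manager itself is implemented) that evaluates a constructed software inventory against each policy type. The app names, bundle IDs, the "lookalike" entry and the inventory are constructed sample data; it shows why a configured bundle ID or package name identifies an app more reliably than the display name alone.

```python
"""Evaluate a device's software inventory against Applications Access Policies.

Added example, not Citrix code. Models the three policy types the text
describes (Forbidden, Suggested, Required) with constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AppDefinition:
    """An app entry in an Applications Access Policy.
    identifier is the optional iOS App bundle ID or Android App package name."""
    name: str
    identifier: Optional[str] = None


@dataclass
class AccessPolicy:
    name: str
    policy_type: str   # "Forbidden", "Suggested" or "Required"
    os_type: str       # "iOS" or "Android"
    apps: List[AppDefinition] = field(default_factory=list)


@dataclass(frozen=True)
class InventoryEntry:
    """One app as reported by a software inventory policy (constructed)."""
    name: str
    identifier: str
    os_type: str


def normalize_identifier(identifier: str) -> str:
    """Canonical form for comparison: case-insensitive, and the '.apk' suffix
    that Android package names often carry is stripped, so
    'com.rovio.angrybirds.apk' and 'com.rovio.angrybirds' compare equal."""
    ident = identifier.strip().lower()
    if ident.endswith(".apk"):
        ident = ident[: -len(".apk")]
    return ident


def app_matches(definition: AppDefinition, entry: InventoryEntry) -> bool:
    """Prefer the bundle ID / package name when the policy configured one;
    fall back to the display name, which is weaker because names are not unique."""
    if definition.identifier:
        return normalize_identifier(definition.identifier) == normalize_identifier(entry.identifier)
    return definition.name.strip().casefold() == entry.name.strip().casefold()


def evaluate_policy(policy: AccessPolicy, inventory: List[InventoryEntry]) -> Tuple[bool, List[str]]:
    """Return (compliant, details): details lists the offending installed
    identifiers (Forbidden, Suggested) or the missing apps (Required)."""
    installed = [e for e in inventory if e.os_type == policy.os_type]
    if policy.policy_type == "Forbidden":
        # a single match with the blacklist puts the device in violation
        hits = [e.identifier for e in installed if any(app_matches(d, e) for d in policy.apps)]
        return (not hits, hits)
    if policy.policy_type == "Suggested":
        # any installed app that is not on the whitelist is a violation
        extras = [e.identifier for e in installed if not any(app_matches(d, e) for d in policy.apps)]
        return (not extras, extras)
    if policy.policy_type == "Required":
        # every listed app must be present
        missing = [d.identifier or d.name for d in policy.apps
                   if not any(app_matches(d, e) for e in installed)]
        return (not missing, missing)
    raise ValueError(f"unknown policy type: {policy.policy_type}")


# Constructed sample inventory; the last entry is a hypothetical app that
# reuses the display name "Angry Birds" under a different bundle ID.
SAMPLE_INVENTORY = [
    InventoryEntry("Angry Birds", "com.rovio.angrybirds", "iOS"),
    InventoryEntry("Mail", "com.apple.mobilemail", "iOS"),
    InventoryEntry("Angry Birds", "com.rovio.angrybirds.apk", "Android"),
    InventoryEntry("TouchDown", "com.nitrodesk.droid20.nitroid.apk", "Android"),
    InventoryEntry("Angry Birds", "com.example.lookalike", "iOS"),
]

FORBIDDEN_IOS = AccessPolicy("Forbidden iOS Apps", "Forbidden", "iOS",
                             [AppDefinition("Angry Birds", "com.rovio.angrybirds")])
REQUIRED_ANDROID = AccessPolicy("Required Android Apps", "Required", "Android",
                                [AppDefinition("TouchDown", "com.nitrodesk.droid20.nitroid")])
SUGGESTED_ANDROID = AccessPolicy("Suggested Android Apps", "Suggested", "Android",
                                 [AppDefinition("TouchDown", "com.nitrodesk.droid20.nitroid")])
# Same policy as FORBIDDEN_IOS but without a bundle ID: name matching also
# flags the lookalike, which is why the text recommends configuring the ID.
FORBIDDEN_BY_NAME = AccessPolicy("Forbidden by name", "Forbidden", "iOS",
                                 [AppDefinition("angry birds")])

if __name__ == "__main__":
    for policy in (FORBIDDEN_IOS, REQUIRED_ANDROID, SUGGESTED_ANDROID, FORBIDDEN_BY_NAME):
        compliant, details = evaluate_policy(policy, SAMPLE_INVENTORY)
        print(f"{policy.name}: {'compliant' if compliant else 'VIOLATION'} {details}")
```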
Application Tunnels
Device Manager Application Tunnels (App Tunnels) are designed to increase service continuity and data transfer
reliability for your mobile apps. App Tunnels are used to define proxy parameters between the client component of any
mobile device app and the application server component.
Device Manager tunneling acts as a stream buffer to overcome inherent network issues, such as irregular latency or
network hopping. Tunneling also provides checkpoint restart capabilities, which is critical when bouncing between
cellular data points. Furthermore, Device Manager automatically applies on the fly data compression and AES
encryption to all data traffic transiting within each tunnel.
You can assign a tunnel channel dedicated to each mobile app and monitor the apps. For each App Tunnel you define,
Device Manager transmits and monitors the data streams in a separate tunnel.
App Tunnels provide the following benefits:
Security through encryption of data traffic.
Efficiency through compression of data traffic (can help reduce strain on your device data plan as well as
battery usage).
Reliability through buffering of data traffic. For example, if a device loses connectivity or switches from WiFi
to 3G, App Tunnels make sure data traffic is buffered until the connection is reestablished.
Note: Each application requires its own tunnel.
This section includes procedures for creating App Tunnels in Device Manager and for creating a remote support App
Tunnel specifically for the Remote Support help desk application.
To add an Application Tunnel
1. In the Device Manager web console, click the Policies tab and then, under MDM Policies, click the device type for which you want to add an Application Tunnel (App Tunnel).
2. Click Tunnels and then click New tunnel.
3. In the Create a tunnel dialog box, in Name, enter the tunnel name. Citrix recommends the format Application_Name.
4. Select the Remote Support check box if the tunnel will be used for the Remote Support application. If you select this option, some of the options in the dialog box become unavailable. To complete the remote support tunnel configuration, see To create a remote support App Tunnel.
5. Under Connection configuration, in Connection initiated by, click Device if the connection is client-initiated or click Server if the connection is server-initiated. With the exception of Remote Support, App Tunnels are typically client-initiated.
6. In Protocol, click Generic TCP or Active FTP as the tunnel protocol.
7. In Max. connections per device, set the maximum number of connections, per device, per tunnel. (1 is recommended.)
8. Optionally, set the connection timeout, in seconds. This option allows App Tunnels to be closed cleanly, even if the app fails.
9. Optionally, under Secure Connection, select Use SSL connection to use an SSL-encrypted connection between the server running Device Manager and the desktop running the Remote Support application.
10. Optionally, select the check box that blocks the traffic through the tunnel when the devices are in a roaming situation.
11. Under Application device parameters, click one of the following options to define how the mobile application traffic is redirected:
Through application settings. If you choose this option, you must set 127.0.0.1 in the application server field on the mobile device.
Using a local alias. The application on the mobile device will connect to the alias you enter; the alias will be resolved to localhost and intercepted by the Device Manager Client Agent. An alias can be any name; for example, my_crm application, exchange server, and so on.
An IP address range. Specify a range of target IP addresses for which the mobile application will try to connect in order to make Device Manager tunnel the connection. For example:
From 0.0.0.0 to 255.255.255.255. In that case, all the traffic from the mobile device is redirected through Device Manager.
From 88.10.10.10 to 88.10.10.10. In that case, only the traffic toward 88.10.10.10 is redirected through Device Manager.
12. In Client port, enter the port used by the application on the mobile device. This option is required.
13. In Application server parameters, enter the application IP address or server name, and the server port number. These options are required. In most cases, the server port is the same value as for Client port.
14. Click Create.
Note: To properly use an App Tunnel, you need to configure the device-based apps to connect to the Device Manager server rather than to their own server. Usually, 127.0.0.1 (localhost) is specified as the server address. However, some apps may not allow this type of configuration, or it may be preferable not to change the configuration of applications already deployed. In such cases, select the Specify a local alias check box and enter the server's name. This name will be redirected automatically to 127.0.0.1 on the mobile devices.
To update or delete an App Tunnel
You can change the configuration settings of an existing tunnel in Device Manager, but you cannot change the name of the tunnel.
1. In the Device Manager web console, click the Policies tab and then, under MDM Policies, click the device type for which you want to update or delete the app tunnel.
2. In the list of tunnels in the center pane, select the check box for the tunnel you want to edit or delete.
3. Click Edit to change the settings or click Delete to remove the App Tunnel.
4. In the Edit a tunnel dialog box, change the settings and then click Update.
To create a remote support App Tunnel
You need to create a remote support Application Tunnel (App Tunnel) to support the Remote Support help desk application, which allows for the remote control of mobile devices over the air through Device Manager.
1. In the Device Manager web console, click the Policies tab and then, under MDM Policies, click to expand the device type for which you want to configure a remote support App Tunnel.
2. Click Tunnels and then click New tunnel.
3. In the Create a tunnel dialog box, in Name, enter a name for the remote support app tunnel.
4. Select the Remote Support check box.
5. Optionally, under Connection configuration, in Connection time-out, select the Define check box and then enter a value in seconds to indicate the interval after which the connection to the Remote Support application should time out.
6. In Secure Connection, select the Use SSL connection check box if you want to configure a secure connection between the Device Manager server and the Remote Support application.
7. In While roaming, select the Block cellular connections check box if you want to block the tunnel while roaming.
Note: WiFi and USB connections are not blocked.
8. Click Create.
Adding Files
You can add script files to Device Manager that perform certain functions for your users, or you can add document files that you want your Android device users to be able to access on their devices. When you add the file, you can also specify the directory on the device where you want the file to be stored; for example, if you want your Android users to receive a company document or .pdf file, you can deploy the file to the device and let your users know where the file is located.
You can add the following file types on the Files tab in Device Manager:
Text-based files (.xml, .html, .py, and so on)
Any other file such as documents, pictures, spreadsheets, or presentations
Mortscript files (files with .mscr extension) on Windows Mobile devices
To add a file to Device Manager
To deploy a file to a device, you first need to upload the file into the Device Manager repository database. When you add the files to deployment packages, you can deploy the files to users' devices. You can add file types such as documents, images, videos, presentations, and .pdfs.
Note: You cannot add files to iOS devices.
1. In the Device Manager web console, click the Files tab and then click New file.
2. In the Import a file to the XenMobile MDM database dialog box, browse to the file on your computer, click Open and then click Import.
You can now deploy the file to a device in a deployment package.
Uploading Other Files
If you select a file type that has no ".cab" or ".mscr" extension, you will be presented with several options:
Macro must be replaced. Select this option if you want to search and replace the macros inside the scripts.
Destination folder. Enter the folder where the file should be uploaded.
Specify what to do if the file already exists. Copy it if the files are different, or do not overwrite the existing one.
Specify if you want to set the Read-Only option.
You can also decide to register a comment if needed.
Configuring Macro Substitution for Uploading Files
If you want to upload files and Mortscript script files, select the Macro must be replaced check box. When you select this check box, it indicates that the script file must be checked before deployment to substitute macros with dynamic values that depend on the user and device.
An example of a macro in a Mortscript script is as follows:
result = Question( "Hello world, mail = %{ user.mail? | protect('"', '"') | encode('UTF-8') }%!", "It's a start!", "YesNo")
The macro is located between the %{...}% tags. The server does not detect in advance the file format or its encoding. Instead, the files are analyzed in binary format. The "%", "{", ... characters are checked in ASCII format. Those are compatible with most character encodings (but not UTF-16).
The macros are made of several parts separated by the pipe character: xxx | yyy | zzz:
The first element indicates a property: user.xxx for a user property, or device.xxx for a device property. You can use the ? character to indicate that an empty string should be used if the property is not defined.
The next elements are filters used to encode, transform and, mostly, protect the string so that it can enter the file context.
In this example, the elements are: user.mail? | protect('"', '"') | encode('UTF-8')
user.mail?: insert the "mail" property of the user. Use an empty string if it is empty or not defined.
protect('"', '"'): protect the quote character by adding another quote before it. This protection is specific to Mortscript, which requires doubling that character when you want to include one in a string. For instance: "This is a quote "" in Mortscript".
encode('UTF-8'): encode the string in UTF-8.
The last part is important since only a binary element can be inserted by Device Manager:
user.mail?: gives a character string.
protect('"', '"'): takes a string as input and outputs a string.
encode('UTF-8'): takes a string as input and outputs a binary array.
Note: Use another encoding if necessary, such as CP1252 in France if you want to use accented characters.
The other available functions are:
S64Encode: [binary => text] encodes a binary in S64.
S64Decode: [text => binary] decodes an S64 string to binary.
B64Encode: [binary => text] encodes a binary in Base64.
B64Decode: [text => binary] decodes a Base64 string to binary.
encode(encoding): [text => binary] encodes a string with a specific encoding.
decode(encoding): [binary => text] decodes a binary array to a string.
protect(searched_character, protection_character): [text => text] inserts the protection_character before the searched_character.
transform(searched_string, replacement_string): [text => text] replaces searched_string by replacement_string.
You can use the following user properties in the scripts:
cn
company
companyname
property_country
department
description
displayname
distinguishedname
facsimiletelephonenumber
givenname
homecity
homecountry
homefax
homephone
homestate
homestreetaddress
homezip
ipphone
mail
middleinitial
mobile
officestreetaddress
pager
physicaldeliveryofficename
postalcode
postofficebox
telephonenumber
samaccountname
sn
st
streetaddress
title
userprincipalname
domainname
When users connect to an LDAP directory, most of these properties are completed automatically. You can also manually enter the properties in the user properties dialog box.
You can use the following device properties:
ew_version
ew_revision
cpu_clock_speed
sim_id
memory
freedisk
tel_number
system_oem
system_platform
cpu_type
system_os_version
system_os_build
memory_available
total_disk_space
system_language
user_language
screen_width
screen_height
screen_nb_colors
main_battery_percent
backup_battery_percent
battery_charging
external_storage1_name
external_storage1_total_space
external_storage1_free_space
external_storage2_name
external_storage2_total_space
external_storage2_free_space
user_defined_1
user_defined_2
user_defined_3
You can also use any custom property defined for the device or user.
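To make the pipeline rules concrete, the following Python block is an added example and not Citrix code: a small evaluator for the %{ property | filter | ... }% syntax described in this section, working on raw bytes as the page says the server does. The filter names and their [in => out] types, the ? empty-string rule, the requirement that the last element be binary, and the user/device property scopes all come from the text above; MacroError, the helper names, and the sample script and properties are constructed for the example. S64Encode/S64Decode are left out because the page does not define that alphabet.

```python
import base64
import re
from typing import Callable, Dict, List, Tuple, Union

Value = Union[str, bytes]


class MacroError(ValueError):
    """Raised when a macro cannot be evaluated (unknown property, bad filter, type mismatch)."""


# Delimiters are matched as raw ASCII bytes: this is why the scheme works with
# ASCII-compatible encodings (UTF-8, CP1252) but not with UTF-16.
MACRO_RE = re.compile(rb"%\{(.*?)\}%", re.DOTALL)
CALL_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*(?:\((.*)\))?\s*$", re.DOTALL)
ARG_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")  # single-quoted filter arguments


def _protect(text: str, searched: str, protection: str) -> str:
    # Insert protection_character before every searched_character.
    return text.replace(searched, protection + searched)


def _transform(text: str, searched: str, replacement: str) -> str:
    return text.replace(searched, replacement)


# Filter table: name -> (expected input type, implementation). Output types follow
# the [in => out] signatures on the page.
FILTERS: Dict[str, Tuple[type, Callable[..., Value]]] = {
    "protect":   (str,   _protect),
    "transform": (str,   _transform),
    "encode":    (str,   lambda t, enc: t.encode(enc)),
    "decode":    (bytes, lambda b, enc: b.decode(enc)),
    "B64Encode": (bytes, lambda b: base64.b64encode(b).decode("ascii")),
    "B64Decode": (str,   lambda t: base64.b64decode(t)),
}


def split_pipeline(body: str) -> List[str]:
    """Split on '|' outside single-quoted filter arguments."""
    parts, current, quoted = [], [], False
    for ch in body:
        if ch == "'":
            quoted = not quoted
        if ch == "|" and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def resolve_property(spec: str, user: Dict[str, str], device: Dict[str, str]) -> str:
    """user.xxx or device.xxx; a trailing '?' yields '' instead of an error when undefined."""
    spec = spec.strip()
    optional = spec.endswith("?")
    if optional:
        spec = spec[:-1].rstrip()
    scope, _, name = spec.partition(".")
    table = {"user": user, "device": device}.get(scope)
    if table is None or not name:
        raise MacroError(f"bad property reference {spec!r}")
    value = table.get(name)
    if value is None:
        if optional:
            return ""
        raise MacroError(f"property {spec!r} is not defined for this user/device")
    return value


def evaluate_macro(body: str, user: Dict[str, str], device: Dict[str, str]) -> bytes:
    """Evaluate 'property | filter | filter ...'; the last element must be binary."""
    stages = split_pipeline(body)
    value: Value = resolve_property(stages[0], user, device)
    for stage in stages[1:]:
        call = CALL_RE.match(stage)
        if not call or call.group(1) not in FILTERS:
            raise MacroError(f"unknown filter {stage.strip()!r}")
        expected, func = FILTERS[call.group(1)]
        if not isinstance(value, expected):
            raise MacroError(f"{call.group(1)} expects {expected.__name__}, got {type(value).__name__}")
        value = func(value, *ARG_RE.findall(call.group(2) or ""))
    if not isinstance(value, bytes):
        raise MacroError("macro must end with a binary element, e.g. encode('UTF-8')")
    return value


def substitute_macros(script: bytes, user: Dict[str, str], device: Dict[str, str]) -> bytes:
    """Replace every %{...}% in the raw script bytes; all other bytes pass through untouched."""
    def replace(match: "re.Match") -> bytes:
        return evaluate_macro(match.group(1).decode("latin-1"), user, device)
    return MACRO_RE.sub(replace, script)


# Constructed sample input (not from the page): a two-line MortScript file and the
# properties Device Manager would supply for one user and one device.
SAMPLE_SCRIPT = (
    b'result = Question( "Hello world, mail = '
    b'%{ user.mail? | protect(\'"\', \'"\') | encode(\'UTF-8\') }%!", "It is a start!", "YesNo")\r\n'
    b'Message("Platform: %{ device.system_platform | encode(\'UTF-8\') }%")\r\n'
)
SAMPLE_USER = {"mail": "alice@example.com", "displayname": 'Alice "Ally" Example'}
SAMPLE_DEVICE = {"system_platform": "Windows Mobile 6.5"}

if __name__ == "__main__":
    print(substitute_macros(SAMPLE_SCRIPT, SAMPLE_USER, SAMPLE_DEVICE).decode("utf-8"))
```

The type check at each stage is what the "only a binary element can be inserted" rule amounts to in practice: a macro that ends in protect() or B64Encode (text) is rejected rather than silently written into the script, and a property without ? that is missing for a given user fails the whole substitution instead of deploying a half-filled file.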
Examples of Simple Mortscripts
Ask for Reboot Script Example
Result=Question("Your device needs to be rebooted. Do you want to reboot now?", "Hello %{ user.name? | protect('"', '"') | encode('UTF-8') }%!", "YesNo")
If ( Result=YES)
Reset
EndIf
This script opens a dialog box with the Yes and No buttons. It asks the user to reboot now or later. If Yes is pressed, the device will reboot. If No is pressed, nothing happens except that the dialog box is closed.
The title of this dialog box displays the name of the user, as stored in a custom property of the user.
Data Upload Script
Here is an example of a Mortscript script used to upload a file to an FTP server:
FtpUpload("My Documents\test.zip", "incoming/file.zip", "ftp.mydomain.com", "test", "test", TRUE)
This simple script will upload the file test.zip, located in the "My Documents" directory of the device, to the server ftp.mydomain.com, in the "incoming" directory. The file will be renamed file.zip. It will use the login "test" and password "test", and use the passive mode of the FTP protocol.
The synopsis of the FtpUpload function is the following:
FtpUpload( source file, target file, server, [ user [, password [, passive? [, port] ] ] ] )
Note: In this Device Manager release, the FtpUpload function is not yet part of the standard Mortscript program but is only available in the Device Manager release of MortScript.
To upload a MortScript file
You can add MortScript (.mscr) files to Device Manager to deploy to Windows Mobile devices. MortScript is a batch scripting language that allows you to perform basic functions, such as opening or closing apps, running processes, creating directories, establishing or closing network connections, and other basic device functions.
1. Click the Files tab and then click New file.
2. In the Import a file to the XenMobile MDM database dialog box, browse to the MortScript file on your computer and then click Open.
3. Enter the following script parameters:
Execute script. Select this option to execute the script automatically when the file transfer is done.
Macro must be replaced. Select this option if you want to search and replace the macros inside the scripts.
Specify what to do if the file already exists. If the files are different, you can choose to make a copy or to not overwrite the existing one.
Note: You must encode MortScript files by using the ANSI character set if possible. Unicode is also supported with proper prefixes.
4. Click Import.
Creating Device Manager Policies
You create and configure Device Manager policies on the Policies tab in the web console; you can then push them or make them available to devices. You need to put the policies in a package for further deployment.
The way you configure the device policies depends on the device operating system. To create a policy, on the left-hand menu, select the desired configuration option for a given platform. Then, click New to create the new policies or configurations.
Scheduling Connections to Device Manager
Scheduling provides essential control over devices that are subject to compliance rules. The schedule feature directs the device to connect automatically to the server running Device Manager at predetermined intervals. During these connections, a policy audit occurs automatically and missing or modified policies are reapplied automatically. Additionally, scheduling ensures that Device Manager has the most up-to-date device information available.
Note: Flexible scheduling is available on Android and Windows Mobile devices only. iOS devices use a predetermined schedule defined by the iOS operating system.
The Scheduling Wizard is located in the Device Manager web console under the Policies tab. Scheduling provides registry keys for managing scheduled connections between a device and the server. This is useful for devices that require the ability to connect back for data synchronization with a Line-of-Business, ERP, or CRM-type system.
To define an hourly range in the scheduling table, you can either click in a square or you can drag and drop with your mouse to define a range. (First left-click on a square and then, keeping the button pressed, move the cursor over another square and release the button.)
Managing SharePoint Configurations
The Citrix data loss prevention (DLP) solution enables your mobile workforce to access your SharePoint content. You can apply access control rules to content to prevent unauthorized usage depending on document classification. In XenMobile, you use the DLP-SharePoint/Encrypted Email Attachment Viewing feature to manage SharePoint configurations. If the SharePoint configuration item is unavailable, your license does not include the SharePoint feature. To check your license features, view the About tab in the web console.
If you are planning to use the Device Manager SharePoint access management feature, make sure your deployment meets the following Windows requirements:
SharePoint 2010 or Office 365.
Windows 2008 R2: SharePoint 2010 SP1 or KB976127 is required.
Windows 2008: REST API calls will fail unless KB976217 is also installed.
Note: Make sure that your SharePoint folders on the SharePoint server do not use special characters such as commas (,), semicolons (;), or periods (.), or those folders will not appear on your users' devices.
To configure a SharePoint resource configuration site in Device Manager
When you configure a SharePoint resource configuration site, you define the SharePoint server settings and the specific directories (folders) that you want to expose to the device user.
Note: Make sure that your SharePoint folders on the SharePoint server do not use special characters such as a comma (,), semicolon (;), or period (.), or they will not appear on your users' devices.
1. In Device Manager, click the Policies tab.
2. Under App Policies, under SharePoint, click Resource Configurations.
3. Click New Configuration.
4. In the Create a resource configuration dialog box, on the Site/Folder Config tab, enter a name for the SharePoint site and then configure the following:
Name. The name of the resource definition.
Description. A free-text description of the resource.
Site. Enter the SharePoint site Web address.
Doc Library/Folder. Enter the list of paths, relative to the base site, that you want to publish.
Include Sub-folders. Enables access to sub-folders of the path defined above.
Document Control. Check all the document controls that are applied to the doc libraries.
5. In the Options dialog box, configure any extra options you would like to apply to the SharePoint document folder on your users' iOS devices, such as whether the documents should be wiped from the device if the device is jailbroken, encryption and annotation of documents, and so on, and then click Create.
To configure a SharePoint document control policy
You can enable your users to securely access corporate SharePoint content. You apply access control rules to the content in order to prevent unauthorized usage or actions, depending on your company policy and document sensitivity. Users can view this content in the Connect agent on a device, in the Documents -> Shared Docs folder. You create a SharePoint control policy to define explicitly what a device user can and cannot do with documents in the secure document container on their device, such as whether documents can be printed, whether a user can copy and paste to and from documents, whether document check in/check out is allowed, and so on.
1. Under XenMobile Policies, under SharePoint, click Control Policy.
2. Click New Control Policy.
3. In the New Control Policy dialog box, on the General tab, enter a name for the policy.
4. On the Document Control tab, set the control policies for all the documents in the folders specified in your SharePoint resource configuration. You define the following controls by selecting them; any option left unselected is not allowed for document users.
Allowed features
Document synchronization. Allow the document to be synchronized to the device. If not checked, the document is only accessible online.
Note: If you want to be able to annotate PDF files on your device, make sure this option is selected, since the PDF annotation tools only work with locally synced documents.
Copy/Paste of content. Allow copy/paste of document content.
Email link to document. Enable users to send a link to this document via email.
Email document. Allow users to send this document via email.
Print document. Allow users to print this document.
Document check in. Allow users to check in this document from SharePoint.
Document check out. Allow users to check out this document from SharePoint.
Open document in another application. Allow users to open this document in a third-party application on the device. If not checked, only the internal viewer can be used.
Time expiration
Expires on a date. Specify a date after which the document is no longer accessible. If it is on the device, it will be deleted.
Expires after x Days. Specify the duration of validity of the document. After the specified period, the document is not accessible.
Authentication expiration
Specify an authentication timeout. If the user does not authenticate regularly to SharePoint, the documents become inaccessible.
5. Click Create.
Configuring SharePoint on Android Devices
To configure a SharePoint data loss prevention (DLP) connection for Android, you need to do the following:
1. Create an application tunnel that the SharePoint server will use to communicate securely with the device; use a client port.
2. Create a SharePoint resource configuration that configures the SharePoint site server address; be sure to use the client port configured in the application tunnel.
3. Create a SharePoint policy to configure the security and access parameters for the SharePoint site.
4. Deploy the policy to the device.
To create the application tunnel
1. On the Policies tab, click Android, click Tunnels and then click New Tunnel.
2. In the Create a Tunnel dialog box, enter the following app tunnel parameters:
Name. Give the app tunnel a name that indicates it is going to be used for a SharePoint connection.
Application Device Parameters
Client Port. The port number that will be used by the XenMobile client application on the device.
Note: You will need to use this same port when you configure the SharePoint resource.
Application Server Parameters
IP address or server name. Address of the SharePoint server.
Server Port. SharePoint server port.
3. Click Create.
To create a new SharePoint control policy
A SharePoint control policy defines the set of actions that the user will be able to perform on documents. Document Control allows you to define all the features that will be applied to the documents:
1. On the lower-left, click Control Policies and then click New Control Policy.
2. In the Create new control policy dialog box, on the General tab, enter a name such as "Android Employee SharePoint Documents."
3. On the Document Control tab, configure the following settings:
Allowed features
Document synchronization. Allow the document to be synchronized to the device. If cleared, the document is only accessible online.
Note: If you want to be able to annotate PDF files on your device, make sure this option is selected, since the PDF annotation tools only work with locally synced documents.
Copy/Paste of content. Allow copy/paste of document content.
Email link to document. Enable the user to send a link to this document via email.
Email document. Allow the user to send this document via email.
Print document. Allow the user to print this document.
Document check in. Allow the user to check in this document from SharePoint.
Document check out. Allow the user to check out this document from SharePoint.
Open document in another application. Allow the user to open this document in a third-party application on the device. If not selected, only the internal viewer can be used.
Time expiration
Expires on a date. Specify a date after which the document is no longer accessible. If it is on the device, it will be deleted.
Expires after x Days. Specify the duration of validity of the document. After the specified period, the document is not accessible.
Authentication expiration
Specify an authentication timeout. If the user does not authenticate regularly to SharePoint, the documents become inaccessible.
4. Click the Tag Mapping tab to enable deeper integration with your SharePoint libraries by applying document controls based on tags already defined on your SharePoint documents.
5. Click Create.
To create a SharePoint resource configuration
A SharePoint resource configuration defines access to a SharePoint document library and the control policies that are tied to its documents.
1. Click the Policies tab and then, from the left side, click SharePoint Resource Configuration.
2. Click New Configuration.
3. In the Create a Resource Configuration dialog box, enter a name and description for the SharePoint server connection.
4. Enter the SharePoint server name plus the port number you configured in your application tunnel for the Client Port (2500, for example).
5. Under Document Control, select the Control Policy you created. Other options:
Include Sub-folders. Enables access to sub-folders of the path defined above.
Document Control. Check all the document controls that are applied to the doc libraries.
6. Click Create. The new SharePoint server appears as a resource in Device Manager. The SharePoint server and resource you configured are now ready to be accessed by users.
To deploy the SharePoint resource to your device
To enable your client users to access the content in this SharePoint site, you need to create a deployment package that contains the SharePoint resource and then push that deployment to your device. Once it is on your device, you can launch the client application and open the Documents folder to view the documents contained on the SharePoint server. Now, you will create a deployment package and push the new Android SharePoint resource to your Android device.
1. Click the Deployment tab, click New Package and then click New Android Package.
2. In the Create New Package wizard, in the Package Name window, enter a name for the SharePoint package (such as Android SharePoint Package) and then click Next.
3. In the Groups of users window, select the group to which you want to deploy the SharePoint package and then click Next.
4. In the Resources to be deployed window, under Available Resources, scroll to the SharePoint folder, select the SharePoint Configuration you created in the last step and then click the right arrow to add the resource to the deployment package.
5. Scroll in the Available Resources list and then, in the Tunnels folder, click the application tunnel you created for your Android SharePoint configuration.
6. Click the right arrow to add the resource to the deployment package and then click Next.
7. In the Deployment schedule window, select the If not deployed Start Now option and then click Next.
8. On the Deployment rules page, click Next.
9. On the Package summary page, click Finish.
10. From the Packages list, click Deploy.
When the deployment has finished, select the deployment package and then click Details to see information about the success of the package deployment. When the package shows as deployed, you can check the success of your deployment. Select the deployment package, open the Connect client on the Android device and then tap the Documents folder. From here, users can open documents from the SharePoint site.
Managing iOS Configurations
You can create a variety of policy types and configurations for your iOS devices to help manage user and company data
security, including passcode policies, general iOS restrictions policies, App Tunnel configuration policies so your users
can securely access your company intranet, email policies so your users can seamlessly connect to corporate email
accounts, app distribution policies so you can make useful apps available to your users, app removal policies to revoke
unauthorized or out of date apps, and much more.
To configure automatic profile removal on iOS devices
For iOS 6 and above devices, you can configure automatic profile removal in Device Manager. You can configure profiles to be removed automatically at a specified date, to be removed manually by the user with password authentication, or never to be removed.
In the iOS profile dialog box (for example, APN configuration creation), at the bottom of the General tab, you can configure the automatic profile removal settings:
1. Click New Configuration and then click Profiles and Settings.
2. Select a profile type; for example, APN.
3. In the iOS 6 profile dialog box, on the General tab, configure the automatic profile removal settings as follows:
a. In Allow profile removal operation, select one of the following options:
Always. Allows the profile to always be removable.
Authentication. Allows you to enter a required password that is used when the profile is removed. Requires a password.
Never. Prevents the profile from ever being removed.
b. Select the Automatic Removal Date check box if you want to select a specific date on which to remove the profile.
c. Select the Duration until removal (in days) check box to specify a period of time after which the profile will automatically be removed.
4. Click Create.
To create an iOS Restrictions policy
1. On the Policies tab, under iOS, click Configurations.
2. In the New Configuration > Profiles and Settings menu, click Restrictions.
3. In Restrictions Configuration Creation, on the General tab, enter a name for the policy.
4. On the Functionality tab, enter the following information:
Tip: Any option for which you select Allow means that the user can perform the operation or use the feature. For example:
Allow use of camera. If selected, the user is able to use the camera on their iOS device. If deselected, the user cannot use the camera on their iOS device.
Allow screenshots. If selected, the device user is able to take screenshots on the device. If deselected, the user cannot take screenshots on their iOS device.
Note: Some of the iOS restrictions options apply only to specific versions of iOS (indicated under the option label), and some options only apply if the device is placed in supervised mode. For example, the ability to allow or block AirDrop is only supported on iOS 7 devices, whereas the ability to allow or block PhotoStream is supported on devices running iOS 5 and above.
5. On the Functionality tab, enter the restrictions you would like to set for iOS devices.
6. On the iCloud tab, enter the restrictions you want to configure for Apple iCloud.
7. On the Security tab, enter any security restrictions.
8. On the Applications tab, enter settings for the types of apps you want to restrict.
9. On the Media Content tab, enter the settings for the types of media content you want to restrict.
10. Click Create. The new policy appears in the Policies list.
To create an iOS Passcode policy
The iOS passcode policy allows you to configure the device passcode policy for your managed iOS devices according to the standards of your IT department.
1. On the Policies tab, under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Passcode.
3. In Passcode, on the General tab, enter a name for the policy and then configure the policy removal settings.
4. On the Policy tab, configure your iOS passcode policy according to the standards of your IT department. The passcode policy options are as follows:
Require a code on the device. Enables passcode protection on the device. If cleared, the device does not require a passcode (unless the device user sets one manually).
Allow simple values. Allows the use of a simple passcode, which is defined as a passcode containing repeated characters, or increasing (bottom up) or decreasing (top down) characters (such as 123 or CBA).
Require alphanumeric values. Requires that at least one character of the passcode is a letter.
Minimum length codes. Sets the minimum overall length (in characters) required for the passcode.
Allowed minimum nonalphanumeric characters. Sets the minimum number of non-alphanumeric characters (such as & or %) that the passcode must contain.
Maximum passcode age (1-730 days, or none). Specifies the number of days for which the passcode can remain unchanged. After the set number of days, the user is forced to change the passcode before the device is unlocked.
Auto lock (1-5, 10 or 15 minutes, or none). Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it is locked by the system. When this limit is reached, the device is locked and the user must enter the passcode.
Codes History (1 to 50 codes, or none). Specifies that when the user changes the passcode, it must be unique within the last N entries in the history.
Grace period before device lock. Sets the maximum grace period, in minutes, during which the phone can be unlocked without entering a passcode. The default is 0 (no grace period), which requires a passcode immediately.
Maximum failed attempts. Specifies the number of failed attempts allowed to enter the passcode at the device's lock screen. When this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
5. Click Create. The new policy appears in the Policies list.
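The following is an added example, not Citrix code: it maps the console options above onto the keys of Apple's com.apple.mobiledevice.passwordpolicy payload and approximates the device-side check, so a proposed policy can be tested against sample passcodes before it is pushed to users. The key names follow Apple's Configuration Profile Reference; the sample policy values are constructed, and the "simple value" test is this example's reading of the definition given above (repeated characters, or a run of consecutive increasing or decreasing characters).

```python
"""Evaluate candidate passcodes against an iOS passcode policy."""
import string

# Console option (this section) -> Apple payload key.
CONSOLE_TO_KEY = {
    "Require a code on the device": "forcePIN",
    "Allow simple values": "allowSimple",
    "Require alphanumeric values": "requireAlphanumeric",
    "Minimum length codes": "minLength",
    "Allowed minimum nonalphanumeric characters": "minComplexChars",
    "Maximum passcode age": "maxPINAgeInDays",
    "Auto lock": "maxInactivity",
    "Codes History": "pinHistory",
    "Grace period before device lock": "maxGracePeriod",
    "Maximum failed attempts": "maxFailedAttempts",
}

# Constructed sample policy: 8+ chars, a letter, one symbol, no simple values.
SAMPLE_POLICY = {
    "forcePIN": True, "allowSimple": False, "requireAlphanumeric": True,
    "minLength": 8, "minComplexChars": 1, "maxPINAgeInDays": 90,
    "maxInactivity": 5, "pinHistory": 5, "maxGracePeriod": 0,
    "maxFailedAttempts": 10,
}


def is_simple(code):
    """True for repeated characters ('1111') or a strictly consecutive
    ascending/descending run ('123', 'CBA'); one character counts as simple."""
    if len(code) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return steps == {0} or steps == {1} or steps == {-1}


def check_passcode(code, policy):
    """Return the list of policy keys the passcode violates ([] = accepted)."""
    problems = []
    if not policy.get("forcePIN", False):
        return problems  # no passcode required, nothing to enforce
    if len(code) < policy.get("minLength", 0):
        problems.append("minLength")
    if not policy.get("allowSimple", True) and is_simple(code):
        problems.append("allowSimple")
    if policy.get("requireAlphanumeric", False) and not any(
            c in string.ascii_letters for c in code):
        problems.append("requireAlphanumeric")
    complex_chars = sum(1 for c in code if not c.isalnum())
    if complex_chars < policy.get("minComplexChars", 0):
        problems.append("minComplexChars")
    return problems


def passcode_in_history(code, history, policy):
    """True if the new code reuses one of the last pinHistory entries."""
    n = policy.get("pinHistory", 0)
    return n > 0 and code in history[-n:]


if __name__ == "__main__":
    for candidate in ("123456", "Tr0ub4dor&3"):
        print(candidate, "->", check_passcode(candidate, SAMPLE_POLICY) or "ok")
```

Running the script shows the weak candidate failing four rules at once and the second candidate passing; feeding your own policy dict through `check_passcode` is a quick way to confirm that the minimum-length and complexity settings actually reject the passcodes your helpdesk sees most.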
To create an iOS AirPlay policy
Apple's AirPlay feature allows a user to wirelessly stream content from an iOS device to a TV screen through Apple TV, or to mirror exactly what is on the device display to a TV screen or another Mac computer.
With this iOS policy, you can select specific AirPlay devices (such as an Apple TV or another Mac computer) to add to your users' devices. If the device you are deploying this policy to is supervised, you can also select the Whitelist option, which permits the device to connect only to the AirPlay devices you specify.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > AirPlay Mirroring.
3. In the dialog box, enter a name and description for the policy.
4. Select the AirPlay Destinations tab, and then click New AirPlay Destinations.
5. In the Create an AirPlay Destination dialog box, enter the AirPlay device name and its password. Click Create.
6. Click Create again to create the policy.
To create an iOS AirPrint policy
The iOS 7 AirPrint policy adds AirPrint printers to the device user's AirPrint printer list. This makes it easier to support environments where the printers and the devices are on different subnets.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > AirPrint.
3. Select the AirPrint Destinations tab, and then click New AirPrint Destinations.
4. In the Create an AirPrint Destination dialog box, enter the IP address of the AirPrint-compatible printer.
5. Next, enter the Resource Path associated with the printer. This corresponds to the rp parameter of the printer's _ipps._tcp Bonjour record. For example, printers/Canon_MG5300_series or printers/Xerox_Phaser_7600.
6. Click Create.
7. Click Create again to create the AirPrint policy.
To create an iOS Cellular policy
The iOS cellular policy allows you to configure cellular network settings on an iOS device.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Cellular.
3. In the Cellular dialog box, enter an Identifier, which is a unique string used to identify the profile in the console. It must be unique and not used for any other iOS policy. You can also enter a Display Name, which is how the policy name is displayed to the device user. All other settings here are optional, such as adding a description or setting automatic policy removal.
4. Next, select the Attach APN tab and enter the following information:
Name. A name for this configuration.
Authentication type. Either CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol). Defaults to PAP. Prefer CHAP where the carrier supports it, because PAP sends the password in the clear.
Username. A user name used for authentication.
Password. A password used for authentication.
5. Next, select the APN tab and enter the following information:
Name. A name for the APN (Access Point Name) configuration.
Authentication type. Either CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol). Defaults to PAP.
Username. A user name used for authentication.
Password. A password used for authentication.
Proxy Server. The proxy server's network address.
Proxy Server Port. The proxy server's port.
6. Click Create.
To create an iOS SCEP profile
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > SCEP.
3. In the SCEP Configuration Creation dialog box, enter the policy identifier (name), display name, company name, and an optional comment.
4. Next, select the SCEP tab and enter the following information:
URL Base. Enter the address of the SCEP server to define where SCEP requests are sent, over HTTP or HTTPS. Because the private key is not sent with the CSR, it may be safe to send the request unencrypted. However, if the one-time password is allowed to be reused, use HTTPS to protect the password.
Instance Name. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which one is required.
Subject X.500 Name. The representation of an X.500 name as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar translates to [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["1.2.5.3", "bar"] ] ]. OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
Subject Alternative Name Type. Select an alternative name type.
Subject Alternative Name Value. The SCEP policy can specify an optional alternative name value that provides the values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you are using, but might include DNS name, URL, or email values.
NT Principal Name. Used if the device is connecting to an NT network.
Retries. The number of times the device retries the request if the SCEP server returns a PENDING response.
Retry Delay. The number of seconds to wait between retries.
Challenge. A pre-shared secret (the SCEP challenge password).
Key Size. The key size in bits, either 1024 or 2048. Prefer 2048; 1024-bit RSA is no longer considered adequate.
Use as digital signature. Requests the digitalSignature key usage for the certificate, so the device can use the key to sign, for example to authenticate itself to a server. A relying party checks that the certificate permits this usage before it uses the public key to verify a signature.
Use for key encipherment. Requests the keyEncipherment key usage, so the certificate's public key can be used to encrypt keys sent to the device. A server checks that the certificate permits this usage before using the public key in that way; if not, it fails the operation.
SHA1/MD5 Fingerprint (hexadecimal string). If your CA uses HTTP, use this field to provide the fingerprint of the CA's certificate, which the device uses to confirm the authenticity of the CA's response during enrollment. You can enter a SHA1 or MD5 fingerprint, or select a certificate to import its fingerprint. Prefer SHA1, since MD5 is collision-prone; without a fingerprint over plain HTTP the device has no way to verify the CA.
5. Click Create.
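The following is an added example, not Citrix code: it converts the slash-separated subject string accepted in the Subject X.500 Name field into the nested-array form Apple's SCEP payload carries, computes the Key Usage bit field behind the two key-usage check boxes, and runs the pre-deployment checks a practitioner would want on the URL, key size and fingerprint fields. The key-usage bit values (1 = signing, 4 = encryption) follow Apple's Configuration Profile Reference; the sample URLs and fingerprints are constructed, and treating the fingerprint as a hex string is this example's assumption.

```python
"""Parse SCEP subject strings and sanity-check a SCEP payload before deployment."""
import re

SHORT_NAMES = {"C", "L", "ST", "O", "OU", "CN"}
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}")  # MD5 or SHA-1


def parse_subject(subject):
    """'/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' ->
    [[['C','US']], [['O','Apple Inc.']], [['CN','foo']], [['1.2.5.3','bar']]]

    Each '/'-separated element is one RDN; '+' joins attributes of a
    multi-valued RDN.  Values may not themselves contain '/' or '+'.
    """
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = []
    for rdn in subject[1:].split("/"):
        if not rdn:
            continue
        pairs = []
        for atv in rdn.split("+"):
            typ, sep, value = atv.partition("=")
            if not sep or not typ or not value:
                raise ValueError(f"malformed attribute {atv!r}")
            if typ not in SHORT_NAMES and not DOTTED_OID.match(typ):
                raise ValueError(f"unknown attribute type {typ!r}")
            pairs.append([typ, value])
        rdns.append(pairs)
    if not rdns:
        raise ValueError("empty subject")
    return rdns


def key_usage(digital_signature, key_encipherment):
    """Apple's SCEP 'Key Usage' bit field: 1 = signing, 4 = encryption."""
    return (1 if digital_signature else 0) | (4 if key_encipherment else 0)


def scep_payload_problems(payload):
    """Return warnings about a payload dict keyed like Apple's SCEP payload."""
    problems = []
    url = payload.get("URL", "")
    if not url.startswith(("http://", "https://")):
        problems.append("URL must be http or https")
    if url.startswith("http://") and not payload.get("CAFingerprint"):
        problems.append("plain HTTP without CAFingerprint: device cannot verify the CA response")
    size = payload.get("Keysize")
    if size not in (1024, 2048):
        problems.append("Keysize must be 1024 or 2048")
    elif size == 1024:
        problems.append("1024-bit RSA is weak; prefer 2048")
    fp = str(payload.get("CAFingerprint", "")).replace(":", "")
    if fp and not HEX_DIGEST.fullmatch(fp):
        problems.append("CAFingerprint must be an MD5 (32 hex) or SHA-1 (40 hex) digest")
    elif len(fp) == 32:
        problems.append("MD5 fingerprint is collision-prone; prefer SHA-1 or HTTPS")
    return problems


if __name__ == "__main__":
    print(parse_subject("/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar"))
    sample = {  # constructed sample payload
        "URL": "http://scep.example.com/scep", "Name": "example.org",
        "Subject": parse_subject("/O=Example/CN=device-0001"),
        "Keysize": 2048, "KeyUsage": key_usage(True, True),
    }
    print(scep_payload_problems(sample))
```

The sample run prints one warning: the URL is plain HTTP with no CA fingerprint, which is exactly the combination the URL Base and Fingerprint fields above warn against.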
To create an iOS Credential policy
You can create an iOS credential policy to enable integrated authentication with your PKI configuration in Device Manager, such as a PKI entity, a keystore, a credential provider, or a server certificate. For more information on configuring PKI integration with Device Manager, see About XenMobile PKI.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Credential.
3. In the Credential configuration creation dialog box, enter the attribute setting identifier (name), display name, company name, and an optional comment.
4. Next, select the Credential tab and enter the following information:
Credential Type. Select a credential type according to the PKI configuration you have set up for Device Manager, such as a certificate, a keystore, a server certificate, or a credential provider.
Credential name. Provide a unique name for the credential.
Credential file path, Server certificate, or Credential provider. Select the path or the name of the credential you are adding to the policy. If you are using a keystore file, you must also provide the keystore password.
5. Click Create.
To create an iOS Global HTTP Proxy profile
This profile allows you to specify global HTTP proxy settings for an iOS device. You can deploy only one of these policies per device.
Note: This profile is supported only on supervised iOS devices running iOS 6.0 and later.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Global HTTP Proxy.
3. In the Global HTTP proxy dialog box, enter an Identifier, which is a unique string used to identify the profile in the console. It must be unique and not used for any other iOS policy. You can also enter a Display Name, which is how the policy name is displayed to the device user. All other settings here are optional, such as adding a description or setting automatic policy removal.
4. Next, select the Proxy tab. Enter the following information to configure the HTTP proxy server to be used:
Proxy Configuration. If you choose the manual proxy type, you need the proxy server address including its port, and optionally a username and password for the proxy server. If you choose the auto proxy type, you can enter a proxy auto-configuration (PAC) URL.
Hostname/IP address for the proxy server. The proxy server's network address.
Port for the proxy server. The proxy server's port number.
Username. Optional. The username used to authenticate to the proxy server.
Password. Optional. The password used to authenticate to the proxy server.
Allow bypassing proxy to access captive networks (iOS 7 only). Select if you want to allow the device to bypass the proxy server in order to access captive networks.
5. Click Create.
To create an iOS VPN and Per-App VPN profile
The iOS per-app VPN allows you to use a VPN profile to configure add-on VPN software at the app level (based on an app attribute that you apply to the app). This profile is not to be confused with the standard iOS VPN profile. It allows you to configure iOS 7 apps to connect to the VPN automatically when they are launched. This policy ensures that data transmitted by managed apps travels through a VPN that you specify and control, and that other data, such as an employee's personal web browsing activity, does not.
When you create a per-app VPN policy, you must also create an App Attributes policy for the app that you want to use the per-app VPN. The App Attributes policy adds the per-app VPN attribute to the app and references the Identifier of the per-app VPN policy. Both policies must then be deployed to the device.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > VPN.
3. In the VPN dialog box, enter an Identifier, which is a unique string used to identify the profile in the console. It must be unique and not used for any other iOS policy. This Identifier is also used when you create the App Attributes policy that links this VPN configuration to the specified app. You can also enter a Display Name, which is how the policy name is displayed to the device user. All other settings here are optional, such as adding a description or setting automatic policy removal.
4. On the VPN tab, enter the following VPN settings:
Display Name on the Device. Enter the name of the VPN configuration as you want it to appear on the device in the iOS Network settings.
Connection Type. Select a connection type and then, according to the VPN connection, fill in the connection parameters (server name or IP address, username, group, password, and so on).
5. Next, click the Per-App VPN tab and enter the following information:
Enable Per-App VPN. Select to enable a per-app VPN for the app and device this policy is deployed to.
On demand app enabled. If selected, the per-app VPN connection starts automatically when apps linked to this per-app VPN service initiate network communication. If not selected, the user must start the per-app VPN connection manually before apps linked to this per-app VPN service can initiate network communication.
Safari Domains. Click New Safari Domain to add a domain for which Safari creates a secure per-app VPN connection.
6. Next, select the Proxy tab if you want this VPN connection to route through a proxy server, and enter the proxy server configuration there.
7. Click Create.
To create an iOS APN (Access Point Name) profile
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > APN.
3. In the APN Configuration Creation dialog box, enter the policy identifier (name), display name, company name, and an optional comment.
4. Next, select the APN tab and enter the following information:
Access Point Name. Enter the name of the access point.
Username. This string specifies the user name for this APN. If it is missing, the device prompts for it during profile installation.
Password. The password for the user for this APN. For obfuscation purposes, the password is encoded in the profile; encoding is not encryption, so treat the exported profile as sensitive. If it is missing from the payload, the device prompts for the password during profile installation.
Server proxy address. The IP address or URL of the APN proxy.
Server proxy port. The port number for the APN proxy.
5. Click Create.
To create an iOS App Attributes profile
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > App Attributes.
3. In the App Attributes Settings dialog box, enter the attribute setting identifier, display name, company name, and an optional comment.
4. Next, select the App Attributes tab and enter the app bundle ID (for example, com.bestapps.notetaker) of the app you want to add attributes to. You can add a maximum of 50 app IDs.
5. Then enter the per-app VPN identifier (if the apps you are adding attributes to have a per-app VPN profile). This must be the Identifier of the VPN policy you created for them.
6. Click Create.
To create an iOS App Configuration policy
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > App Configuration.
3. In the App Configuration Setting dialog box, enter the app setting identifier.
4. Next, select the App Configuration tab.
5. Enter the app bundle ID (for example, com.bestapps.notetaker) of the app you want to add configuration to. You can add a maximum of 50 app IDs.
6. Next, enter (or paste) the app configuration dictionary content.
7. Click Check Dictionary to validate the syntax.
8. Click Create.
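The following is an added example, not Citrix code, and serves both the App Attributes and App Configuration procedures above: it applies the bundle-ID rules they share (reverse-DNS form, at most 50 per policy, no duplicates), performs the kind of syntax check the Check Dictionary button does on a pasted plist dictionary, and additionally flags dictionary keys that look like secrets, because a managed app configuration is delivered to the app and stored on the device in the clear. Only plistlib from the standard library is used; the bundle-ID pattern and the secret-key heuristic are this example's own, and the sample dictionary is constructed.

```python
"""Validate bundle IDs and an app configuration dictionary before creating the policy."""
import plistlib
import re

MAX_APP_IDS = 50  # limit stated in the procedures above
BUNDLE_ID = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # assumed reverse-DNS form
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api_?key|credential", re.I)


def validate_bundle_ids(ids):
    """Return a list of problems with the bundle IDs ([] means acceptable)."""
    problems = []
    if len(ids) > MAX_APP_IDS:
        problems.append(f"{len(ids)} app IDs exceeds the limit of {MAX_APP_IDS}")
    seen = set()
    for bid in ids:
        if not BUNDLE_ID.match(bid):
            problems.append(f"not a bundle ID: {bid!r}")
        if bid in seen:
            problems.append(f"duplicate: {bid!r}")
        seen.add(bid)
    return problems


def check_dictionary(xml_text):
    """Parse an XML plist and require a non-empty top-level <dict>.

    Returns (ok, message).  plistlib already rejects values that are not
    plist types, so a successful parse means the dictionary is well-formed.
    """
    try:
        data = plistlib.loads(xml_text.encode())
    except Exception as exc:  # InvalidFileException, ExpatError, ValueError
        return False, f"invalid plist: {exc}"
    if not isinstance(data, dict):
        return False, "top-level element must be a <dict>"
    if not data:
        return False, "dictionary is empty"
    return True, f"ok: {len(data)} key(s)"


def suspicious_keys(config, prefix=""):
    """Dotted paths of keys whose names suggest a secret is being shipped."""
    found = []
    for key, value in config.items():
        path = f"{prefix}{key}"
        if SECRET_KEY.search(str(key)):
            found.append(path)
        if isinstance(value, dict):
            found.extend(suspicious_keys(value, path + "."))
    return found


# Constructed sample: what an admin might paste into the App Configuration tab.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<plist version="1.0"><dict>'
    '<key>serverURL</key><string>https://mdm.example.com</string>'
    '<key>apiToken</key><string>constructed-sample-value</string>'
    '</dict></plist>'
)

if __name__ == "__main__":
    print(validate_bundle_ids(["com.bestapps.notetaker", "bad id"]))
    ok, msg = check_dictionary(SAMPLE_XML)
    print(ok, msg)
    if ok:
        print("keys that look like secrets:",
              suspicious_keys(plistlib.loads(SAMPLE_XML.encode())))
```

In the sample run the dictionary parses, but `apiToken` is reported: a value like that belongs in a per-user credential policy or in the app's own authenticated fetch, not in a configuration pushed to every device.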
To create an iOS Organization Information profile
This profile allows you to specify your company's information for alert messages that are pushed from the Device Manager server to the device.
Note: This policy is supported only on devices running iOS 7.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Organization Info.
3. In the Organization Info dialog box, enter the Setting Identifier for the policy.
4. Next, select the Organization Info tab and enter the following information to identify your company on device messages:
Organization Name. Your company name.
Organization Address. Your company address.
Organization Phone. Your company phone number.
Organization Email. Your company email address.
Organization Magic. A string that uniquely identifies the various services managed by a single organization.
5. Click Create.
To create an iOS Web Content Filter policy
The Web Content Filter policy allows you to whitelist and blacklist specific web URLs.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Web Content Filter.
3. In the Create a Web Content Filter dialog box, enter the setting identifier (name) for the policy, a policy name (as it will appear in Device Manager), and an optional company name and description.
4. Next, select the Web Content Filter tab.
Select Auto Filter Enabled to enable the automatic web content filtering mechanism.
Under Permitted URLs, click New permitted URL to add a URL that you want device users to be able to visit. This option takes effect only when Auto Filter Enabled is selected. Each entry is a URL that is accessible whether or not the automatic filter would allow access.
Under Blacklisted URLs, click New blacklisted URL to enter the URLs you do not want the device user to be able to visit. Access to the specified URLs is blocked.
5. Next, click the Bookmark Whitelist tab. URLs that you create here are added to the browser's bookmarks, and the user is not allowed to visit any sites other than these.
6. Click New Whitelist.
7. In the Create Whitelist Bookmark dialog box, enter the URL, folder, and a name for the bookmark, and then click Create.
8. Click Create again to create the policy.
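The following is an added example, not Citrix code: it evaluates a requested URL against a Web Content Filter policy using the precedence this section describes (a bookmark whitelist, when present, allows only those sites; otherwise blacklisted URLs are blocked, permitted URLs bypass the automatic filter, and everything else is left to the automatic filter). The dictionary keys are named after Apple's com.apple.webcontent-filter payload; the matching rule (scheme and host compared after lower-casing and dropping a leading www., then the path matched on a path-segment boundary) is this example's own choice, and the sample policies are constructed.

```python
"""Decide how an iOS Web Content Filter policy treats a URL."""
from urllib.parse import urlsplit


def _normalize(url):
    """scheme://host/path with the host lower-cased, a leading 'www.'
    dropped and query/fragment ignored (this example's matching rule)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


def _matches(url, entries):
    """True if url equals an entry or lies below it on a path boundary,
    so an entry ending in /bad covers /bad/page but not /badger."""
    n = _normalize(url)
    for entry in entries:
        e = _normalize(entry)
        if n == e or n.startswith(e if e.endswith("/") else e + "/"):
            return True
    return False


def evaluate(url, policy):
    """Return 'allow', 'block' or 'autofilter' for url under the policy."""
    bookmarks = policy.get("WhitelistedBookmarks")
    if bookmarks:  # whitelist mode: only the bookmarked sites are reachable
        return "allow" if _matches(url, [b["URL"] for b in bookmarks]) else "block"
    if _matches(url, policy.get("BlacklistedURLs", [])):
        return "block"
    if policy.get("AutoFilterEnabled", False):
        if _matches(url, policy.get("PermittedURLs", [])):
            return "allow"  # exempt from the automatic filter
        return "autofilter"  # Apple's adult-content filter decides
    return "allow"


# Constructed sample policies.
FILTER_POLICY = {
    "AutoFilterEnabled": True,
    "PermittedURLs": ["https://intranet.example.com/"],
    "BlacklistedURLs": ["https://example.net/bad"],
}
WHITELIST_POLICY = {
    "WhitelistedBookmarks": [{"URL": "https://hr.example.com/", "Title": "HR"}],
}

if __name__ == "__main__":
    for u in ("https://www.intranet.example.com/wiki", "https://example.net/bad/page",
              "https://example.net/badger", "https://news.example.org/"):
        print(u, "->", evaluate(u, FILTER_POLICY))
```

The sample run shows why the three lists are not interchangeable: the blacklisted prefix blocks its sub-pages but not an unrelated path that merely starts with the same characters, the permitted intranet URL is reachable even though the automatic filter is on, and an unlisted site is handed to the automatic filter rather than blocked outright.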
To create an iOS Single Sign On (SSO) Account profile
This policy allows you to create a single sign-on account for your iOS 7 users so they only have to log in once in order to access XenMobile and your internal company resources from various apps, without storing any credentials on the device. The enterprise user credentials of this Single Sign-On (SSO) Account can be used across apps, including apps from the App Store. This iOS 7 policy is designed to work with a Kerberos authentication back end.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > SSO Account.
3. In the Create a Single Sign On Account dialog box, enter the attribute setting identifier (name), display name, company name, and an optional comment.
4. Next, select the SSO tab and enter the following information:
Account Name. The name for the Kerberos SSO account as it will appear to the user.
Kerberos Principal Name. The Kerberos principal name. If not entered here, the user is prompted for one during profile installation. This entry must be provided for the policy to be installed.
Kerberos Realm. The Kerberos realm name. This value should be properly capitalized; Kerberos realms are conventionally uppercase.
5. Next, click New Permitted URL and enter the URLs for which you want to require SSO when a user visits them in the Safari browser on the iOS device. For example, when a device user tries to browse to a site in Safari and the website issues a Kerberos challenge, if that site is not in the URL list configured by the administrator, iOS will not attempt SSO by presenting the Kerberos ticket it might have cached on the device from a previous Kerberos logon. The match must be exact on the host part of the URL; for example, http://shopping.apple.com is OK, but http://*.apple.com is not. Also, if Kerberos is not activated because the host did not match, the request still falls back to a standard HTTP call. The result could be almost anything, including a standard password challenge, or an HTTP error if the site is configured only for SSO using Kerberos.
6. Next, click the App Identifiers tab. Here, enter all app identifiers that are allowed to use this login. If this field is empty, this login matches all app identifiers.
7. Click Create.
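The following is an added example, not Citrix code: it decides whether iOS will offer the cached Kerberos ticket for a given request, following the rules this section states (the permitted URL must match the host exactly, wildcards are not accepted, and an empty app-identifier list matches every app), and lints the account fields for the mistakes that most often stop the profile from working. The policy dict is flattened for readability rather than nested the way Apple's com.apple.sso payload is; the realm and principal values are constructed, and matching the path as a prefix beyond the exact-host rule is this example's assumption.

```python
"""Predict Safari/Kerberos SSO behaviour for an iOS SSO Account policy."""
from urllib.parse import urlsplit


def valid_url_pattern(pattern):
    """A permitted URL needs http/https, a host, and no wildcard in the host."""
    p = urlsplit(pattern)
    return p.scheme in ("http", "https") and bool(p.hostname) and "*" not in p.netloc


def host_matches(pattern, url):
    """Exact scheme+host match (case-insensitive host), path matched as a prefix."""
    a, b = urlsplit(pattern), urlsplit(url)
    return bool(
        a.scheme == b.scheme
        and a.hostname and a.hostname.lower() == (b.hostname or "").lower()
        and (b.path or "/").startswith(a.path or "/")
    )


def will_attempt_sso(url, app_id, policy):
    """True if iOS would present the Kerberos ticket for this app and URL."""
    allowed_apps = policy.get("AppIdentifierMatches", [])
    if allowed_apps and app_id not in allowed_apps:
        return False  # a non-empty list restricts SSO to those apps
    return any(valid_url_pattern(p) and host_matches(p, url)
               for p in policy.get("URLPrefixMatches", []))


def policy_problems(policy):
    """Warnings about the realm, principal and URL list of an SSO policy."""
    problems = []
    realm = policy.get("Realm", "")
    if realm and realm != realm.upper():
        problems.append("Realm should be uppercase")
    principal = policy.get("PrincipalName", "")
    if "@" in principal and principal.rsplit("@", 1)[1] != realm:
        problems.append("PrincipalName realm does not match Realm")
    for p in policy.get("URLPrefixMatches", []):
        if not valid_url_pattern(p):
            problems.append(f"invalid URL pattern: {p}")
    return problems


# Constructed sample policy, using the page's own example URLs.
SAMPLE_POLICY = {
    "AccountName": "Corporate SSO",
    "PrincipalName": "user@EXAMPLE.COM",
    "Realm": "EXAMPLE.COM",
    "URLPrefixMatches": ["http://shopping.apple.com", "http://*.apple.com"],
    "AppIdentifierMatches": ["com.apple.mobilesafari"],
}

if __name__ == "__main__":
    print(policy_problems(SAMPLE_POLICY))
    for u in ("http://shopping.apple.com/cart", "http://store.apple.com/"):
        print(u, "->", will_attempt_sso(u, "com.apple.mobilesafari", SAMPLE_POLICY))
```

The wildcard entry from the section above is reported as invalid, and the request to store.apple.com falls through to a plain HTTP call because no exact host matches, which is the password-prompt-or-error case the text warns about.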
To create an iOS Font policy
This policy allows you to add additional fonts to an iOS device. The font you add here must be in TrueType (.ttf) or OpenType (.otf) format. Collection formats (.ttc or .otc) are not supported.
Note: This profile is supported only on iOS 7 devices.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Font.
3. In the Create a Font configuration dialog box, enter the attribute setting identifier (name) and an optional comment for the new policy.
4. Next, select the Font tab, and enter the name of the font as the user will see it on the device.
5. Next, click Choose File to select the font file, and then click Open.
6. Click Create.
To create an iOS Calendar (CalDAV) policy
This policy allows you to add a CalDAV account to an iOS device. This policy requires a Username when installed on a supervised device.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Calendar.
3. In the CalDAV account configuration creation dialog box, enter the attribute setting identifier (name), display name, company name, and an optional comment.
4. Next, click the CalDAV tab and enter the following information:
Account Description. Account name and description. For example, this might be a work calendar specific to a team or department.
Hostname. Calendar account host name.
Port. Port number used for the connection.
Principal URL. The base URL to the user's calendar.
Username. Calendar account user name.
Password. Calendar account password.
Use SSL. Select to secure the connection to this calendar with SSL.
5. Click Create.
To create an iOS Calendar Subscription policy
The calendar subscription policy adds a subscribed calendar to the user's calendar list.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Subscribed Calendars.
3. In the Creating a configuration of calendar subscription dialog box, enter the attribute setting identifier (name), display name, company name, and an optional comment.
4. Next, click the Calendar Subscription tab and enter the following information:
Description. Calendar name.
URL. The base URL to the calendar.
Username. Calendar account user name.
Password. Calendar account password.
Use SSL. Select to secure the connection to this calendar with SSL.
5. Click Create.
To create an iOS LDAP policy
The iOS LDAP policy provides information about an LDAP server to use, including account information if required, and a set of LDAP search settings to use when querying that LDAP server.
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > LDAP.
3. In the LDAP Configuration Creation dialog box, enter the policy identifier (name), display name, company name, and an optional comment.
4. Next, select the LDAP tab and enter the following information:
Account description. Description of the LDAP account.
Account username. The LDAP user name.
Account password. The LDAP password. Use only with encrypted profiles.
LDAP Hostname. The LDAP server host name.
Use SSL. Designates whether the LDAP server uses SSL.
5. Next, click the Search Settings tab. You can have several search settings for one account, and should have at least one for the account to be useful. Each search setting represents a node in the LDAP tree to start searching from, and tells what scope to search (the node, the node plus one level of children, or the node plus all levels of children).
6. Click New Search to create a new search setting.
7. In the Create a settings search dialog box, enter a description.
8. In the Scope field, enter the recursion to use in the search. It can be one of the following three values:
LDAPSearchSettingScopeBase: Just the immediate node pointed to by the search base.
LDAPSearchSettingScopeOneLevel: The node plus its immediate children.
LDAPSearchSettingScopeSubtree: The node plus all children, regardless of depth.
9. In the Search Base field, enter the path to the node at which to start the search.
10. Click Create.
11. Click Create again to create the profile.
To create an iOS Mail policy
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Mail.
3. In the Email Configuration Creation dialog box, enter the policy identifier (name), display name, company name, and an optional comment.
4. Next, select the Email tab and enter the following information:
Account description. A user-visible description of the email account, shown in the Mail and Settings applications.
Account type. Allowed values are POP and IMAP. Defines the protocol to be used for that account.
Path prefix. If you selected IMAP as the account type, enter INBOX or whatever the path prefix is for your IMAP mail account.
User display name. The full user name for the account. This is the user name shown in sent messages, and so on.
Email address. Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.
5. Next, click the Incoming Mail tab and enter the following information:
Email server hostname. The incoming mail server host name (or IP address).
Email server port. The incoming mail server port number. If no port number is specified, the default port for the given protocol is used.
Username. Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the policy, and the account is set up to require authentication for incoming email, the device prompts for this string during profile installation.
Authentication type. Select the authentication scheme for incoming mail.
Password. The incoming email server's account password.
Use SSL. Designates whether the incoming mail server uses SSL for authentication.
6. Next, select the Outgoing email tab and enter the following information:
Email server hostname. The outgoing mail server host name (or IP address).
Email server port. The outgoing mail server port number. If no port number is specified, the default port for the given protocol is used.
Username. Designates the user name for the outgoing mail server, usually the same as the email address up to the @ character. If not present in the policy, and the account is set up to require authentication for outgoing email, the device prompts for this string during profile installation.
Authentication type. Select the authentication scheme for outgoing mail.
Password. Password for the outgoing mail server. Use only with encrypted profiles.
Outgoing password same as incoming. Select if the incoming and outgoing email passwords are the same.
Use SSL. Designates whether the outgoing mail server uses SSL for authentication.
7. Next, click the Policy tab and select any of the following options:
Authorize email move between accounts. If not selected, messages may not be moved out of this email account into another account. This also prevents forwarding or replying from an account other than the one the message originated from.
Sending email only from Mail application. If selected, only the iOS Mail application can send email from this account.
Disable mail Recents syncing. If selected, this account is excluded from address Recents syncing.
Enable S/MIME. If selected, this account supports S/MIME.
8. Click Create.
To create an iOS Wi-Fi profile
1. In the Device Manager web console, on the Policies tab under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > WiFi.
3. In the Wi-Fi Configuration creation dialog box, enter an Identifier, which is a unique string used to identify the profile in the console. It must be unique and not used for any other iOS policy. You can also enter a Display Name, which is how the policy name is displayed to the device user. All other settings here are optional, such as adding a description or setting automatic policy removal.
4. Next, select the Wi-Fi tab and choose the following options:
Network Type. The type of Wi-Fi network.
Service Set Identifier (SSID). The name of the wireless network.
Hidden Network. Enable this option if the target network is not open or is not broadcasting.
AutoJoin. Automatically join the configured wireless network. Available in iOS 5.0 and later.
Security Type. Select a security type and then enter the authentication details (password).
5. Click Create.
To configure an iOS Exchange policy
Important: In this release of Device Manager, Citrix strongly recommends that you do not create and deploy more than one email attachment encryption policy, or conflicts will occur for users. If you deploy more than one policy and the policies are not identical, the rules of the policies will conflict for users to whom you have deployed either one of the policies.
To configure an Exchange ActiveSync policy
1. On the Policies tab, under iOS Configurations, click New Configuration.
2. In the New Configuration menu, click Profiles and Settings > Exchange ActiveSync.
3. On the General tab, enter a name and description for the policy.
4. On the Exchange ActiveSync tab, enter the Exchange ActiveSync configuration details for your organization as follows:
Exchange ActiveSync account name. Name of the Exchange account.
Exchange ActiveSync host. The Exchange server host name (or IP address).
Use SSL. Optional. Specifies whether the Exchange server uses Secure Sockets Layer (SSL) for authentication.
Domain. Domain under which the Exchange server resides.
User. The user name for the Exchange account.
Email address. Specifies the full email address for the account.
Note: For the preceding user name and email address, Citrix uses the Device Manager system macros ${user.username} and ${user.mail}, which automatically look up each user and their email account in the format listed.
Password. Optional. The password of the account. Use only with encrypted profiles.
Mail last days to synchronize. The time range in the past from which to synchronize the email account.
Identity credential (Keystore or PKI credential). Optional. An identity credential type.
5. On the Exchange ActiveSync Policy - Policy tab, enter the following information:
Authorize email move between accounts. Select if you want to authorize moving emails between two or more accounts. (Available only in iOS 5 and iOS 6.)
Sending email only from Mail application. Select if you want to enforce that emails from the account can be sent only from the Mail application (and no other mail clients). (Available only in iOS 5 and iOS 6.)
Disable mail Recents syncing. Select if you want to prevent recently used email addresses from being synced with other devices through iCloud. (Available only in iOS 6.)
Enable S/MIME. Select if you want this account to use S/MIME public key encryption.
6. Click Create.
To create an iOS App Lock ('Kiosk') policy
App lock, or Kiosk Mode, enables you to set an iOS device to run only a single application. When pushed to a device, the policy runs only the app that is specified, disables the home button, and returns the device to the specified application automatically upon wake or reboot.
Note: This feature works on devices running iOS 6 and above and requires that the device be placed into Supervised mode with the Apple Configurator.
1. On the General tab, enter the Identifier of the policy, the display name, and a description.
2. In Allow profile removal operation, click one of the following options:
Always: This option allows the profile to always be removable.
Authentication: Allows you to enter a required password that is used when the profile is removed. Requires a password.
Never: Prevents the profile from ever being removed.
3. Select the Allows you to select a specific date check box to specify a date on which you want to remove the profile.
4. Select the Duration until removal (in days) check box to set a period of time after which the profile will automatically be removed.
5. On the App Lock - Configuration tab, enter the app bundle identifier of the app you want to use and then click Create.
To create an iOS Profile Removal policy
If you want to remove an application profile for iOS from a user's device, you need to create a profile removal policy in Device Manager and then deploy the policy to the device.
1. On the Policies tab, click iOS > Configurations.
2. On the New Configuration menu, click New Configuration | Deletion Operations | Profile Removal.
3. In Add a profile removal operation, enter the Profile ID of the app profile. You can find the profile ID on the profile's General tab.
4. Click Create.
Deploy the policy to a device.
To configure an iOS Geo-tracking policy
If the iOS devices you manage in Device Manager have a location services policy applied and you configure geo-tracking, you can view the locations of the device over the time you configured in the location services policy. Geo-tracking enables you to track an iOS device over periods of up to six hours at a time. You can view the geographical location of a device and its movement, and you can view the device location on Google Maps. If you want to specify individual parameters for your GPS tracking (as opposed to just activating it), you need to deploy a geo-tracking policy. If you choose to keep the default values, you can enable tracking immediately.
1. Click the Policies tab and then click iOS > Configurations.
2. On the New Configuration menu, click Profiles and Settings and then click Location Services.
3. In the Locations Services - Configuration creation dialog box, enter the following information:
Name. Enter a name for the location services policy.
Description. Provide an optional description for the policy.
Location fix timeout. Enter the time Device Manager waits before timing out if the device location cannot be fixed. If nothing is set, Device Manager attempts to locate the device according to the Poll interval you specify.
Tracking duration. Enter the period of time that the device will be tracked after an Enable Tracking command is sent to the device. The maximum setting is six hours.
Poll interval. Enter a value for how often Device Manager will attempt to fix a location on the device. If the device cannot be located, the attempt to locate the device will time out according to the Location fix timeout setting.
Accuracy. Set the accuracy of the location point from the device.
Report if location services are disabled. Select to enable the device to report to Device Manager that GPS is disabled, and Device Manager will display the status of the device.
Note: You must enable this setting if you are using Automated Actions to trigger an action based upon a location-based trigger, such as Location Perimeter Breach or Location Services Disabled. Also, the device must be contacted for its location to trigger the action.
4. Click Create.
5. To enable tracking of the device according to this configuration, deploy the package containing the policy to the iOS devices of the users you want to track.
6. To track the device, do one of the following:
On the Devices tab, select the device, right-click, and select Security -> Enable Tracking.
Select the device and, from the Security button, click Enable Tracking.
To view a device's geo-tracking
1. On the Devices tab, select the device you want to view and then click Edit.
2. Click the Geo-tracking tab. Each point on the map indicates when Device Manager fixed the location of the device. A green point indicates the first location point when tracking started. A red point indicates the last device location point captured before tracking ended. You can mouse over each point to see more detailed geographical information. To see a longer range of tracking points, for example if the device was tracked several times, change the Display Points From date range and then click Filter.
To create an iOS Geo-fencing policy
Geo-fencing in Device Manager allows you to define a geographic perimeter for an iOS device. You can then perform a selective or full wipe upon the breach of the perimeter you set. The policy also notifies Device Manager and the device user when the device has moved beyond the defined radius of the policy. You have the option of setting a delay before the device is wiped, which can give the user time to return to the allowed GPS location perimeter.
1. On the Policies tab, under iOS, click Configurations.
2. In New Configuration, click Profiles and Settings, and then click Location Services.
3. In the Location Services - Configuration Creation dialog box, on the General tab, enter a name for the new profile configuration and configure the following settings:
Name. Enter a name for the location services policy.
Description. Provide an optional description for the policy.
Location fix timeout. Enter the time Device Manager will wait before timing out if the device location cannot be fixed. If nothing is set, Device Manager attempts to locate the device according to the defined Poll interval.
Tracking duration. The period of time that the device will be tracked once an Enable Tracking command has been sent to the device. Maximum is six hours.
Poll interval. Enter a value for how often Device Manager will attempt to fix a location on the device. If the device cannot be located, the attempt to locate will time out according to the Location fix timeout setting above.
Accuracy. Enter the accuracy of the location point from the device.
Report if location services are disabled. Select if you want the device to report to Device Manager that GPS is disabled; the server will show the status of the device.
4. Click the Geo-fencing tab and then set the following parameters:
Radius. Select this option to define the radius of the geo-fence. The default value represents the smallest allowable radius for this feature, which is approximately 164 feet, or 50 meters. Enter a small value; for example, 150 feet.
Center Point Latitude. For example, 37.787454.
Center Point Longitude. For example, 122.402952.
Device Notification on perimeter breach. Select this option so that the device user is notified when the device has breached (has gone outside of) the defined perimeter radius.
Delay on Wipe. Enter 2 minutes as the time allowed before the device is wiped of its corporate data and apps.
5. Click Create.
After you create the policy, you need to deploy it to your iOS devices. On the Devices tab, when you click Deploy, the following actions take place:
All deployment packages targeting the device are deployed.
Device inventory, properties, and usage data are refreshed.
To store iOS user password
If you want to ensure that iOS users have their passwords stored for ongoing authentication, even if they log out of the Connect agent, you can configure that setting in the Options dialog box in the Device Manager console.
When enabled, Device Manager securely stores a user's password, which may be used for ongoing authentication with the Device Manager server, such as when the user logs out of the agent.
When disabled, Device Manager does not store users' passwords and uses a certificate for all ongoing authentication with Device Manager. Note that when this setting is enabled, you may still allow users to register and authenticate with a domain password, since an enrollment invitation overrides this setting when other enrollment modes are configured.
1. In the Device Manager console, open the Options dialog box.
2. In the left pane, click iOS.
3. Click Store User password settings.
To place a device in supervised mode by using the Apple Configurator
In order to use the Apple Configurator, you need an Apple computer running OS X 10.7.2 or later.
Some iOS 6 features require that you place your iOS 6 device into supervised mode by using the Apple Configurator.
Important: Placing a device into supervised mode installs the selected version of iOS on the device, completely wiping the device of any previously stored user data or apps.
1. Install the Apple Configurator from iTunes.
2. Connect the iOS device to your Apple computer.
3. Start the Apple Configurator. The Configurator shows that you have a device to prepare for supervision.
4. To prepare the device for supervision:
a. Switch the Supervision control to On. Citrix recommends that you choose this setting if you intend to maintain control of the device on an ongoing basis by reapplying a configuration regularly.
b. Optionally, provide a name for the device.
c. In iOS, click Latest to install the latest version of iOS.
5. When you are ready to prepare the device for supervision, click Prepare.
After you prepare the device, you can enroll the device into Device Manager and start deploying policies to manage the iOS device.
Managing Android Configurations
You can create a variety of policy types and configurations for your Android devices to help manage user access and company data security, including App Tunnel configuration policies so your users can securely access your company intranet, TouchDown Exchange email configurations so users can seamlessly connect to corporate email accounts, app monitoring policies to block unauthorized apps that violate company policy, and a selection of Samsung SAFE device configurations.
Configuring Policies for Android Devices
You can configure various policies for Android devices in Device Manager so you can more easily manage and ensure
consistency across Android device deployments. You can configure the following settings:
Basic options
Agent uninstallation
Password policies (including Encryption for Android 3.0)
WiFi configurations
GPRS access point network configurations
TouchDown email policies
Security Certificates
Configurations specific to Samsung SAFE devices
HTC Exchange ActiveSync configurations
To manage the configuration settings for an Android device, click Configurations in the Policies > Android section of the Device Manager web console and then click New configuration to open the wizards menu. On the wizards menu, you can choose the setting you want to configure.
To configure basic options for Android devices
You can configure some of the agent parameters for Android devices in Device Manager.
1. Click XenMobile Options from the New Configurations menu.
2. In the XenMobile Options dialog box, enter a name for the configuration and optionally enter a comment.
3. Select or clear the Hide traybar icon check box to control whether the tray icon is visible in the traybar.
4. In Connection time-out, set the time-out for the device's connection to the Device Manager server, in seconds. If the device does not connect within this time, the connection attempt is cancelled.
5. In Keep-alive interval, set the frequency at which the device pings the server in order to keep the connection alive.
6. Specify the degree to which the device user will be notified of support actions initiated remotely.
7. Click Save.
To uninstall Device Manager on an Android device
1. On the New Configurations menu, click Uninstall XenMobile.
2. Enter a name for the configuration and optionally enter a comment.
3. Select the Uninstall XenMobile from devices check box and then click Save.
To create an Android credential policy
You can create an Android credential to enable integrated authentication with your PKI configuration in Device Manager, such as a PKI entity, a keystore, a credential provider, or a server certificate. For more information on configuring PKI integration with Device Manager, see About XenMobile PKI.
You can configure a security certificate policy to use for WiFi configurations, TouchDown email configurations, Samsung Exchange ActiveSync configurations, Samsung VPN configurations, and Android SharePoint configurations.
1. In the Device Manager web console, click the Policies tab, click to expand Android and then click Configurations.
2. In the Add a credential dialog box, enter the following information:
a. Credential name. Provide a unique name for the credential.
b. Description. Optionally, you can type a description for the credential.
c. Credential Type. Select a credential type according to the PKI configuration you have set up for Device Manager, such as a certificate, a keystore, a server certificate, or a credential provider.
d. Credential file path, Server certificate, or Credential provider. Select the path or the name of the credential you are adding to the policy. If you are using a keystore file, you also need to provide the keystore password.
3. Click Add. Now you can access this credential in Android WiFi configurations, TouchDown email configurations, Samsung Exchange ActiveSync configurations, Samsung VPN configurations, and Android SharePoint configurations.
To create an Android location services policy (geo-locate and geo-fence)
Geo-fencing in Device Manager allows you to define a geographic perimeter for an Android device. You can then perform a selective or full wipe upon the breach of the perimeter you set. The policy also notifies Device Manager and the device user when the device has moved beyond the defined radius ("geo-fence") of the policy. You have the option of setting a delay before the device is wiped, which can give the user time to return to the allowed GPS location perimeter.
1. On the Policies tab, under Android, click Configurations.
2. Click New Configuration > General > Location Services.
3. In the Location Services - Configuration Creation dialog box, on the General tab, enter a name for the new profile configuration and configure the following settings:
Name. Enter a name for the location services policy.
Description. Provide an optional description for the policy.
Poll interval. Enter a value for how often Device Manager will attempt to fix a location on the device.
Report if location services are disabled. Select if you want the device to report to Device Manager that GPS is disabled; the server will show the status of the device.
4. Click the Geo-fencing tab and then set the following parameters:
Radius. Select this option to define the radius of the geo-fence. The default value represents the smallest allowable radius for this feature, which is approximately 164 feet, or 50 meters. Enter a small value; for example, 150 feet.
Center Point Latitude. For example, 37.787454.
Center Point Longitude. For example, 122.402952.
Device Notification on perimeter breach. Select this option so that the device user is notified when the device has breached (has gone outside of) the defined perimeter radius.
Delay on Wipe. Enter 2 minutes as the time allowed before the device is wiped of its corporate data and apps.
5. Click Create.
After you create the policy, you need to deploy it to your Android devices. On the Devices tab, when you click Deploy, the following actions take place:
All deployment packages targeting the device are deployed.
Device inventory, properties, and usage data are refreshed.
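The perimeter-breach and delay-on-wipe behaviour described for both the iOS and the Android geo-fencing policies above, as an added example that is not Citrix code: it assumes a breach is a location fix farther than the radius from the centre point (measured with the haversine formula) and that the wipe is issued only once the device has stayed outside for the full delay; the device fixes are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points (degrees)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class GeoFencePolicy:
    """Mirrors the Geo-fencing tab: centre point, radius, breach notification, wipe delay.

    The breach rule (distance from centre > radius) and the wipe rule (outside for the
    whole delay without returning) are this example's assumptions, not a description
    of the Device Manager server's internals.
    """
    center_lat: float
    center_lon: float
    radius_m: float = 50.0            # default is the smallest allowed radius, ~50 m / 164 ft
    notify_on_breach: bool = True     # "Device Notification on perimeter breach"
    wipe_delay_s: float = 120.0       # the page's example "Delay on Wipe" of 2 minutes
    breach_started_at: Optional[float] = field(default=None, init=False)
    wiped: bool = field(default=False, init=False)

    def evaluate(self, lat: float, lon: float, now: float) -> str:
        """Process one location fix taken at time `now` (seconds on a monotonic clock).

        Returns the action for this fix:
          'inside'  - within the perimeter; any pending wipe is cancelled
          'breach'  - first fix outside the perimeter; user and server are notified
          'pending' - still outside, the wipe delay has not yet elapsed
          'wipe'    - outside for the full delay; the selective/full wipe is issued
        """
        if self.wiped:
            return "wipe"
        distance = haversine_m(self.center_lat, self.center_lon, lat, lon)
        if distance <= self.radius_m:
            self.breach_started_at = None   # returning in time cancels the wipe
            return "inside"
        if self.breach_started_at is None:
            self.breach_started_at = now
            return "breach" if self.notify_on_breach else "pending"
        if now - self.breach_started_at >= self.wipe_delay_s:
            self.wiped = True
            return "wipe"
        return "pending"


def run_scenario() -> List[str]:
    """Replay a constructed sequence of fixes against the page's example centre point."""
    fence = GeoFencePolicy(center_lat=37.787454, center_lon=122.402952)
    inside = (37.787554, 122.402952)    # ~11 m north of the centre (constructed)
    outside = (37.788454, 122.402952)   # ~111 m north of the centre (constructed)
    fixes: List[Tuple[float, float, float]] = [
        (*inside, 0),     # inside the perimeter
        (*outside, 60),   # breach: notification goes out
        (*outside, 120),  # 60 s outside, below the 120 s delay
        (*inside, 150),   # back inside: pending wipe cancelled
        (*outside, 200),  # a new breach
        (*outside, 320),  # 120 s outside: wipe
    ]
    return [fence.evaluate(lat, lon, t) for lat, lon, t in fixes]


if __name__ == "__main__":
    print(run_scenario())
```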
To create a Samsung Kiosk policy
The Samsung Kiosk policy allows you to specify that only a specific app or apps can be used on an Android device. This policy is useful for those corporate devices designed to run only a specific type or class of apps. This policy also allows you to choose the device wallpaper and home screen to be shown when the device is in Kiosk mode.
Note: For Kiosk mode to work, the apps you choose to enable in Kiosk mode must already be installed on the device.
1. In the Device Manager web console, select the Policies tab.
2. Under Android, click Configurations and then click New Configuration > Samsung Kiosk.
3. In the New Samsung Kiosk configuration dialog box, on the General tab, enter a name and description for the configuration.
4. Next, select Enable under Kiosk Mode, which activates Kiosk mode on the device.
5. If you want to use a custom launcher to enable the user to launch the Kiosk app or apps, enter the full name of the launcher application package next to Launcher Package. Unless you have developed your own, in-house launcher, Citrix recommends you leave this field blank.
6. Next, enter an optional emergency phone number, which can be used, for example, if someone finds the device after it has been lost.
7. You can also choose to allow (checked) or disallow (unchecked) the following UI features to be viewable and accessible by the device user when the device is in Kiosk mode:
a. Allow navigation bar
b. Allow Status Bar
c. Allow system bar
d. Allow task manager
8. If you have set a general passcode policy across all Samsung SAFE devices, then enter that password in the common SAFE passcode field. For more information, see Configuring Policies for Samsung SAFE Devices.
9. Next, select the Wallpapers tab. Here, you can choose to use a custom image for the desktop and lock screen.
10. Last, select the Applications tab. To add an app to the Kiosk mode, click New application.
11. In the New application to add dialog box, enter the full name of the application (such as com.android.calenda) or select an app from the drop-down list. Note that for Kiosk mode to work, the app must be installed on the device.
12. Click Create and then click Create again to create the policy. Now the policy is ready to be deployed to your managed Samsung devices.
To configure a policy to schedule connections for Android devices
1. In Device Manager, click the Policies tab and then, under MDM Policies, click Android.
2. Click Configurations, click New Configuration and then click Scheduling.
3. In the Scheduling dialog box, enter a name for the configuration and, optionally, a comment.
4. Under Scheduling configuration parameters, click one of the following options:
Do not define a connection schedule. The device does not reconnect unless the user clicks Connection in Device Manager.
Keep the connection permanently live. If the connection is permanent, Device Manager on the mobile device attempts to reconnect automatically to the server running Device Manager after a network connection loss. In addition, Device Manager monitors the connection by transmitting control packets at regular intervals.
Note: This configuration consumes more battery charge and generates more network traffic. However, the setting ensures that all commands are executed in real time and completed immediately when they are sent to the device. For more information, see How Scheduling Policies Affect Android Battery Usage.
Force a connection every. When you click this option, you also enter a value in minutes. Device Manager on the device forces a connection to the server running Device Manager at every interval you configure.
Define a permanent and/or occasional connection schedule within a given time range. Device Manager keeps the connection live during the time range that you configure by selecting one or both of the following check boxes:
Keep connection alive during this time period. Device Manager on the device attempts to reconnect to the server running Device Manager after a network connection loss and monitors the connection by transmitting control packets at regular intervals. In the time line, click to select either specific times or time ranges for each day of the week when you want the Device Manager server to connect to the device. Each time segment is in 30-minute increments according to a 24-hour clock. For example, if you want Device Manager to connect between 3 A.M. and 4 A.M. every night of the week, you click the two squares between 3 and 4 for each day of the week, Monday through Sunday.
Force one connection during the time range below. The connection automatically shuts down after updates have taken effect. This option forces a scheduled, one-time connection to the server, in particular to check for the availability of new deployments. To avoid a connection peak at the beginning of the selected range, the relevant devices connect randomly during the defined range. Device Manager on the device only reconnects after a network connection loss if an operation was in progress. The server running Device Manager will likewise terminate the connection after an inactive period.
Note: Each of the preceding options includes an option to synchronize the schedule to the local device clock time rather than to Coordinated Universal Time (UTC).
5. Click Create.
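The time line of 30-minute segments, the device-clock-versus-UTC option and the randomised "force one connection during the time range" behaviour described above, as an added example that is not Citrix code: the schedule grid, the function names and the UTC+2 device clock are this example's own assumptions, and the page's 3 A.M. to 4 A.M. window is used as the sample schedule.

```python
import random
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SLOTS_PER_DAY = 48  # the time line is made of 30-minute segments on a 24-hour clock
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def slot_index(hhmm: str) -> int:
    """Map "HH:MM" on a 30-minute boundary to a segment index in 0..48 (48 = end of day)."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    index = hours * 2 + minutes // 30
    if minutes not in (0, 30) or not 0 <= index <= SLOTS_PER_DAY:
        raise ValueError("segments are 30-minute increments on a 24-hour clock")
    return index


class ConnectionSchedule:
    """Keep-alive windows of a scheduling policy (this example's model).

    device_local_time=True stands for the option that synchronizes the schedule to
    the local device clock; False interprets the selected segments in UTC.
    """

    def __init__(self, device_local_time: bool = False) -> None:
        self.device_local_time = device_local_time
        self.grid = [[False] * SLOTS_PER_DAY for _ in DAY_NAMES]

    def keep_alive(self, days: List[int], start: str, end: str) -> None:
        """Select the segments from `start` up to, not including, `end` on each listed day."""
        first, last = slot_index(start), slot_index(end)
        if first >= last:
            raise ValueError("end must be after start within one day")
        for day in days:
            for slot in range(first, last):
                self.grid[day][slot] = True

    def is_keep_alive(self, when: datetime) -> bool:
        """True if the aware timestamp `when` falls inside a selected segment."""
        if when.tzinfo is None:
            raise ValueError("pass an aware datetime so UTC versus device time is explicit")
        # The zone attached to `when` is taken to be the device's local zone.
        clock = when if self.device_local_time else when.astimezone(timezone.utc)
        return self.grid[clock.weekday()][clock.hour * 2 + clock.minute // 30]


def forced_connection_time(range_start: datetime, range_end: datetime,
                           rng: random.Random) -> datetime:
    """'Force one connection during the time range': pick a random moment inside the
    range so that a fleet does not produce a connection peak at the start of the window."""
    if range_end <= range_start:
        raise ValueError("range_end must be after range_start")
    span = (range_end - range_start).total_seconds()
    return range_start + timedelta(seconds=rng.random() * span)


def nightly_schedule(device_local_time: bool) -> ConnectionSchedule:
    """The page's example: keep the connection alive between 3 A.M. and 4 A.M. every day."""
    schedule = ConnectionSchedule(device_local_time)
    schedule.keep_alive(list(range(len(DAY_NAMES))), "03:00", "04:00")
    return schedule


def example_results() -> Dict[str, bool]:
    """Constructed checks: a device on a UTC+2 clock reporting 03:15 local (01:15 UTC)."""
    utc = timezone.utc
    plus_two = timezone(timedelta(hours=2))
    at_0315_device = datetime(2015, 7, 1, 3, 15, tzinfo=plus_two)
    window_start = datetime(2015, 7, 1, 2, 0, tzinfo=utc)
    window_end = datetime(2015, 7, 1, 3, 0, tzinfo=utc)
    # Five devices, each seeded differently, spread their forced connection over the window.
    picks = [forced_connection_time(window_start, window_end, random.Random(seed))
             for seed in range(5)]
    return {
        "local_schedule_matches_0315_device_time": nightly_schedule(True).is_keep_alive(at_0315_device),
        "utc_schedule_matches_0315_device_time": nightly_schedule(False).is_keep_alive(at_0315_device),
        "utc_schedule_matches_0345_utc": nightly_schedule(False).is_keep_alive(
            datetime(2015, 7, 1, 3, 45, tzinfo=utc)),
        "utc_schedule_matches_0400_utc": nightly_schedule(False).is_keep_alive(
            datetime(2015, 7, 1, 4, 0, tzinfo=utc)),
        "forced_picks_inside_window": all(window_start <= p < window_end for p in picks),
        "forced_picks_spread_out": len(set(picks)) > 1,
    }


if __name__ == "__main__":
    for name, value in example_results().items():
        print(f"{name}: {value}")
```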
How Scheduling Policies Affect Android Battery Usage
When you create a scheduling policy in Device Manager for Android devices, the way you create the scheduling policy can affect battery usage. For example, compared to a device that does not have a XenMobile client agent running, the following may occur:
If you create a scheduling policy that is set to permanently alive, with app monitoring enabled and a basic MDM policy, tests reveal an additional 4 percent battery drain per hour.
If you create a scheduling policy that is set to permanently alive, without app monitoring but with basic MDM policies, tests reveal a 2.5 percent battery drain per hour.
Effect on Android device battery over time, by policy and connection conditions:
Policy and connection conditions: You do not configure an app control policy, but configure the following policies: password policy, TouchDown Email policy, and scheduling policy.
Effect on battery over time: 8-9 percent over 5 hours, equaling approximately 1.6 percent battery drain per hour.
Policy and connection conditions: You configure an app control policy, but do not configure a scheduling policy.
Effect on battery over time: 10-12 percent over 5 hours, equaling approximately 2.4 percent battery drain per hour.
Policy and connection conditions: You do not configure an app control policy, but you configure the following policies: password policy, software inventory policy, WiFi configuration policy, credentials policy, SharePoint configuration, TouchDown Email policy, and a scheduling policy of permanently alive with a default connection timer set.
Effect on battery over time: 10-13 percent over 5 hours, equaling approximately 2.6 percent battery drain per hour.
Policy and connection conditions: You configure the following policies: app control policy (a type of blacklist policy), password policy, software inventory policy, WiFi configuration policy, credentials policy, SharePoint configuration, TouchDown Email policy, and a scheduling policy of permanently alive with a default connection timer.
Effect on battery over time: 12-20 percent over 5 hours, equaling approximately 4 percent battery drain per hour.
For more information, see Configuring App Monitoring for Android Apps.
To define password requirements and enable encryption on Android devices
You define the requirements for Android device passwords and enable encryption on Android 3.0 devices in the Password Policy window in Device Manager.
1. On the New Configurations menu, click Password Policy.
2. In the Password policy configuration creation dialog box, enter a name for the policy and, optionally, a description.
3. To establish a password policy, click the Password policy tab.
4. Select Require a code on the device and then complete the configuration parameters.
5. To enable an encryption policy for Android 3.0 devices, click the Encryption tab.
6. Select Enable device storage encryption.
Note: This option is available for Android 3.0 and later. The Android 3.0 encryption operation prompts the user to accept the action. It also requires the device to be plugged in, and the device will not be usable for up to an hour while the encryption operation takes place. This is a function of the Android 3.0 encryption capability.
7. For Samsung SAFE devices, you have the option of setting a single password for multiple users on a device. Select the Use same password across all users check box to enable this option.
8. Click Create.
To configure WiFi settings for Android devices
You can use the WiFi configuration wizard in Device Manager to deploy Wi-Fi configurations to users. The users will not be aware of details such as the WEP encryption key. Fill in the required fields according to your configuration, and specifically the fields as follows.
1. On the Create a WiFi configuration page, in Configuration name, enter a name for the policy, and optionally enter a description.
2. In Authentication, click one of the following options:
Open
Shared
WPA
WPA-PSK
WPA2
WPA2-PSK
802.1x EAP (WPA Enterprise)
For the 802.1x EAP configuration, you can specify the user identity through the Device Manager macro named ${user.username} to auto-populate it in the configuration. Citrix recommends that you leave the password field blank, so the device user can enter the WiFi password from their device.
3. Click Create.
To declare a GPRS access point in an Android device
You can use the APN (Access Point Name) configuration creation wizard to declare a specific General Packet Radio Service (GPRS) access point for Android devices, such as an enterprise private APN.
1. On the General tab, enter a name and optionally a description.
2. Specify the APN resource, account credentials and type of authentication.
3. Optionally, specify proxy settings and then click Create.
Configuring App Monitoring for Android Apps
Android app monitoring in Device Manager provides a secure application-browsing environment on Android devices. You can define blacklisted or whitelisted applications and take action on applications, such as preventing the applications from opening or, in real time, selectively allowing applications to run.
You can define blacklisted or whitelisted applications in an XML file that you package and push to Android devices. Sample XML files are available for reference under <install directory>/XenMobile Device Manager/samples/appmon/. For example, the default Android app monitoring policy XML file is located at <install directory>/XenMobile Device Manager/samples/appmon/appControlPolicyConfiguration.xml. The configuration tags that you can include in the XML file are as follows:
and . These tags define applications to be blocked or allowed by package name. Some sample native application package names are as follows:
Camera. com.android.camera
Browser. com.android.browser
Email. com.android.email or com.htc.android.mail
. This tag allows a customized message to appear as part of the block screen to a user when a blacklisted or non-whitelisted application opens.
. This tag allows you to add a custom image to your app block display message when a user is prevented from installing an app. When this element is set to true, the custom logo appears. You must name the custom image appControlPolicyLogo.png, upload the file to Device Manager and then deploy the image file to the device on which you want to display the image.
and . These tags enforce applications through the blacklist or whitelist tags. In case both these tags are set to true, applications defined in a whitelist XML file take precedence, and the blacklisted applications are ignored.
. This tag allows you to block a user from uninstalling the Citrix Mobile Connect app from their device. When set to true, a user cannot uninstall the app from their device.
Note: If you set this option to true, you will not be able to uninstall any other apps from the device.
. This tag allows a device to access blacklisted or non-whitelisted applications by using an administrator-defined passcode. There are no restrictions on the length or type of characters in the passcode. You can choose to not include this tag as part of the XML file. In that case, the user cannot enter a passcode in a text box. Instead, a block screen appears with a custom company logo file (optional), the customized text that you define by using the block message tag, and a button that users tap to close the block screen.
. This tag defines whether the application control service should be running on the device. If set to false, the service does not run on the device.
Multiple Configuration Files
You can define multiple Android app monitoring policy files. For example, you can create a blacklist or a whitelist policy for different groups in your organization, such as a policy for your engineering group, a separate policy for your finance group, sales group, and so on. In order to create multiple app list configuration files, you need to retain the string appControlPolicyConfiguration in the file name. You can, however, modify the other part of the file name to help indicate the purpose of the file. For example:
appControlPolicyConfigurationOff.xml. An app monitoring policy in which certain apps cannot run on the device, such as the camera.
appControlPolicyConfigurationDisable.xml. An app monitoring policy in which certain apps are blacklisted and cannot be installed on the phone.
appControlPolicyConfigurationEnable.xml. An app monitoring policy in which certain apps are whitelisted and can run on the device.
Example XML Syntax for Blacklisting and Whitelisting Policies
The following code samples illustrate how to use App Monitoring to create application whitelists and blacklists for your Android devices.
Blacklisting app use case. Block a native email app on Android devices that are running operating system version 3.0 and earlier.




org.mozilla.firefox


com.android.email


This application has been blacklisted and blocked by your Mobile System Administrator. For further inquiries, please contact your IT department.
true
false
true
P@ssw0rd

Whitelisting app use case. Only allow a XenMobile app to run on the Android device, and block all other applications.




com.citrix
com.android.launcher
com.android.launcher2
com.htc.launcher


com.android.email


This application has been blacklisted and blocked by your Mobile System Administrator. For further inquiries, please contact your IT department.
true
false
true
P@ssw0rd

To add a logo to a customized block screen on an Android device
In Device Manager, you can customize the block screen that appears on an Android device by using the block message XML tag defined in an App Monitoring policy. The screen can also include a company logo.
1. Save the logo file as appControlPolicyLogo.png on your computer.
2. In the Import a file to the Device Manager database dialog box, import the logo file and then save the file to a destination folder on the device.
Note: Make sure the destination folder has the following format: %XenMobile folder%\files.
3. Add the following line to your appControlPolicyConfiguration.xml file (<install directory>/XenMobile Device Manager/samples/appmon/appControlPolicyConfiguration.xml) after the end of the tags:
true
4. Create a deployment package that includes the application monitoring policy XML file, as well as an optional company logo file.
Common Issues with the App Monitoring Policy Implementation
With the App Monitoring feature, you might encounter the following issues:
If you notice that XenMobile is not blacklisting an application you have defined as forbidden, you can try the following
tasks to remedy the situation:
Check the XML file name; it should be appControlPolicyConfiguration.xml.
Make sure the package containing the appControlPolicyConfiguration.xml policy is deployed to the device, and
the device is connected to the server.
Check the package name for the blacklisted application. Use XenMobile Remote Support to verify native
application package names under "Task Manager".
Validate the XML syntax of your appControlPolicyConfiguration.xml file with a validator, such as XML Validation.
If you can verify the preceding information, but the issue persists, open a support case and attach the XML file as well
as device logs. You can share device logs by using alogcat, a free Android marketplace application.
If you notice that your company logo is not included as part of the block screen, verify that the logo PNG file is saved as
appControlPolicyLogo.png under %XenMobile folder%\files.
If you need to reset an application passcode, modify the XML tag value to include the new passcode.
If you are not sure whether the App Mon service is running, note that the service is not running by default. You must
push the XML policy file (appControlPolicyConfiguration.xml) to the device.
If you need to revoke device access to blacklisted applications, you can modify the XML tag value to
include the new passcode. The user needs to obtain and enter the new passcode.
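The checks in the list above, as an added script that is not part of the Citrix documentation or of Device Manager. It verifies the policy file name, the logo file name, XML well-formedness and the shape of the package names; the element names in its constructed sample XML are assumptions, since the real layout comes from the sample file shipped with Device Manager.

```python
"""Pre-flight checks for an App Monitoring policy package.

Added example; it is not part of the Citrix documentation or of Device
Manager. It automates the checks from the "Common Issues" list: policy file
name, logo file name, XML well-formedness and plausible Android package
names. The element names in the constructed sample XML below are
assumptions; take the real layout from the sample file shipped under
/XenMobile Device Manager/samples/appmon/.
"""
import re
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

REQUIRED_NAME_PART = "appControlPolicyConfiguration"   # must survive any rename
LOGO_FILE_NAME = "appControlPolicyLogo.png"            # the only logo name Device Manager picks up
# Android package identifiers: dot-separated Java-style segments, no empty segment.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def candidate_package_names(root):
    """Collect element text that looks like a package name (dotted, no whitespace)."""
    names = []
    for el in root.iter():
        text = (el.text or "").strip()
        if text and "." in text and not any(ch.isspace() for ch in text):
            names.append(text)
    return names


def check_package(xml_file_name, xml_text, other_file_names=()):
    """Return a list of findings; an empty list means the package passed every check."""
    findings = []
    if REQUIRED_NAME_PART not in xml_file_name or not xml_file_name.endswith(".xml"):
        findings.append(f"policy file name must keep '{REQUIRED_NAME_PART}' and end in .xml: {xml_file_name}")
    for fname in other_file_names:
        if fname.lower().endswith(".png") and fname != LOGO_FILE_NAME:
            findings.append(f"logo must be saved as {LOGO_FILE_NAME}, found {fname}")
    try:
        root = ET.fromstring(xml_text)
    except ParseError as exc:
        # Same failure an XML validator would report; nothing else can be checked.
        findings.append(f"XML is not well-formed: {exc}")
        return findings
    for name in candidate_package_names(root):
        if not PACKAGE_RE.match(name):
            findings.append(f"'{name}' is not a valid Android package name; verify it with Remote Support")
    return findings


# Constructed samples (element names assumed, not the product's schema).
GOOD_POLICY = """<appControlPolicy>
  <blacklist>
    <package>com.android.email</package>
  </blacklist>
  <message>This application has been blacklisted and blocked by your Mobile System Administrator.</message>
</appControlPolicy>
"""

BAD_POLICY = """<appControlPolicy>
  <whitelist>
    <package>com.citrix</package>
    <package>com..android.launcher</package>
  </whitelist>
</appControlPolicy>
"""

if __name__ == "__main__":
    print(check_package("appControlPolicyConfigurationDisable.xml", GOOD_POLICY, ["appControlPolicyLogo.png"]))
    print(check_package("appControlPolicy.xml", BAD_POLICY, ["logo.png"]))
    print(check_package("appControlPolicyConfiguration.xml", "<a><b>x</a>", []))
```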
Configuring TouchDown for Android Devices
Device Manager leverages NitroDesk TouchDown technology to enable you to push Exchange email configurations and
security policies to Android devices using the ActiveSync protocol. It enables device administrators to install TouchDown
software on Android devices, configure device email settings, and apply corporate security policies to Android devices
managed by Device Manager. Before you configure policies, download the NitroDesk TouchDown binary from the
following locations:
http://nitrodesk.com/tddownloads/nitroid-droid.apk (Smart phones running Android 2.x or 4.x)
http://nitrodesk.com/tddownloads/nitroid-honey.apk (Tablets running Android 3.x)
You can download the TouchDown app from the Android Market or from the server running Device Manager. Before
downloading the TouchDown software to your Android device, ensure that you have either an internal or external SD
card. Then, enable the following setting before attempting the download: Settings > Applications > Unknown Sources.
Policy Combinations for TouchDown on Android Devices
The following policy combinations are common and useful ways to manage your Android devices with TouchDown.
License TouchDown App and Add Encryption Policy
License Key
RequireDeviceEncryption = true
RequireStorageCardEncryption = true
Require Passcode for TD App
DevicePasswordEnabled = true
MaxInactivityTimeDeviceLock =
MinDevicePasswordLength =
SuppressApplicationPIN = true
Prevent Attachments Download to SD Card
AllowStorageCard = false
Roaming and Custom Signature
RequireManualSyncWhenRoaming = true
SetSignature = Zenprise Protected Tablet
Update Device Type
DeviceTypeString = TouchDown
XenMobile-Certified TouchDown Policies
The following is a list of XenMobile-certified TouchDown policies that you can use with your Android device. Device
Manager provides several other policies that are available but not officially certified.
Email Data Encryption Policies
The following two TouchDown policies are required to enable secure email data encryption:
RequireStorageCardEncryption = true. If True, email attachments downloaded to an SD card will be
encrypted. Also, the policy disallows moving a TouchDown profile/database to the SD card. Note that
attachments downloaded prior to this policy will remain in plain text, and all attachments downloaded after this
policy is activated will be encrypted on the SD card.
RequireDeviceEncryption = true. If True, encrypts Contacts, Calendar and Email content, i.e., header
as well as body, but not attachments.
TouchDown License Policy
LicenseKey = . String value that specifies the license key for the TouchDown application.
Individual Security Policies
SuppressApplicationPIN = true. Set to True if you do not want the application to show a PIN prompt and you do not
want the Exchange ActiveSync PIN to be enforced by TouchDown. This is useful if Device Manager
decides to enforce a device level PIN. If set to False, then TouchDown will prompt for a pin/passcode
only once. To change that behavior, set this policy to false and add the policy named
MaxInactivityTimeDeviceLock, which prompts the user for a pin/passcode after a period of inactivity.
MaxInactivityTimeDeviceLock. Integer value (in seconds) that defines the maximum inactivity time period
before the device auto locks.
DevicePasswordEnabled = true. If this field is not present, TouchDown will honor the PIN policies that
Exchange ActiveSync sends. If this field is present, then True = Enable PIN prompting, and False =
TouchDown will not prompt for PIN (even if EAS policies require it). Please make sure to add the
policy named MinDevicePasswordLength along with this policy.
MinDevicePasswordLength = 1,2,3...14. Integer value that defines the minimum password length for
device passwords. Please make sure to add the policy DevicePasswordEnabled along with this policy.
AlphaNumericDevicePasswordRequired = true|false. True, if you want the TouchDown application to
enforce alphanumeric codes for device passwords. Make sure to add the policies
DevicePasswordEnabled and MinDevicePasswordLength along with this policy.
AllowSimpleDevicePassword = true|false. If True, allows simple device passwords. Make sure to add the
policies DevicePasswordEnabled and MinDevicePasswordLength along with this policy.
AllowStorageCard = true|false. If false, prevents downloading of attachments to the SD card. Also,
disallows moving of the TouchDown profile/database to the SD card.
AttachmentsEnabled = true|false. If True, enables the ability to send/receive email attachments via TouchDown.
RequireManualSyncWhenRoaming = true|false (to reduce data roaming charges). If True, email is synced
manually when the device is roaming, thereby limiting data roaming charges.
DisableCopyToPhoneBook = true (for data loss prevention purposes). If True, this will cause
TouchDown to never copy contacts to the device phone book.
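A lint for the pairing rules stated in the policy combinations and the individual security policies above, as an added example (not Citrix or NitroDesk code). The "Name = Value" input format and the sample values are this script's own assumptions; the rules themselves are the ones the policy descriptions give.

```python
"""Dependency lint for a TouchDown policy set before it goes into a Device Manager package.

Added example; it is not Citrix or NitroDesk code. The policy names and the
pairing rules come from the XenMobile-certified policy descriptions. The
"Name = Value" line format mirrors the policy combination tables; parsing
that format is this script's own assumption.
"""
from __future__ import annotations

# Policies that the documentation says must be combined with others.
REQUIRES: dict[str, tuple[str, ...]] = {
    "DevicePasswordEnabled": ("MinDevicePasswordLength",),
    "MinDevicePasswordLength": ("DevicePasswordEnabled",),
    "AlphaNumericDevicePasswordRequired": ("DevicePasswordEnabled", "MinDevicePasswordLength"),
    "AllowSimpleDevicePassword": ("DevicePasswordEnabled", "MinDevicePasswordLength"),
}
# Both are listed as required for secure email data encryption.
ENCRYPTION_PAIR = ("RequireDeviceEncryption", "RequireStorageCardEncryption")


def _coerce(value: str):
    """Turn the textual value into bool, int or str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    try:
        return int(value)
    except ValueError:
        return value


def parse_policy_lines(lines) -> dict:
    """Parse 'Name = Value' lines; 'License Key' and 'LicenseKey' both appear in the docs."""
    policies = {}
    for raw in lines:
        line = raw.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        policies[name.strip().replace(" ", "")] = _coerce(value.strip())
    return policies


def lint_policies(policies: dict) -> list[str]:
    """Return human-readable findings; an empty list means the set is consistent."""
    findings = []
    if not policies.get("LicenseKey"):
        findings.append("LicenseKey is missing or empty; TouchDown policies do not work without it")
    for name, deps in REQUIRES.items():
        if name in policies:
            for dep in deps:
                if dep not in policies:
                    findings.append(f"{name} must be combined with {dep}")
    length = policies.get("MinDevicePasswordLength")
    # bool is a subclass of int, so exclude it explicitly.
    if length is not None and (isinstance(length, bool) or not isinstance(length, int) or not 1 <= length <= 14):
        findings.append("MinDevicePasswordLength must be an integer from 1 to 14")
    if policies.get("SuppressApplicationPIN") is False and "MaxInactivityTimeDeviceLock" not in policies:
        findings.append("SuppressApplicationPIN = false prompts only once; add MaxInactivityTimeDeviceLock to re-prompt after inactivity")
    present = [p for p in ENCRYPTION_PAIR if policies.get(p) is True]
    if present and len(present) != len(ENCRYPTION_PAIR):
        findings.append("RequireDeviceEncryption and RequireStorageCardEncryption are both needed for email data encryption")
    return findings


# Constructed sample: the encryption and passcode combinations filled in with example values.
CONSISTENT_SET = """
License Key = LICENSE-KEY-PLACEHOLDER
RequireDeviceEncryption = true
RequireStorageCardEncryption = true
DevicePasswordEnabled = true
MaxInactivityTimeDeviceLock = 300
MinDevicePasswordLength = 6
SuppressApplicationPIN = true
AllowStorageCard = false
""".splitlines()

# Constructed sample with the mistakes the lint is meant to catch.
INCONSISTENT_SET = """
AlphaNumericDevicePasswordRequired = true
MinDevicePasswordLength = 20
SuppressApplicationPIN = false
RequireDeviceEncryption = true
""".splitlines()

if __name__ == "__main__":
    for label, lines in (("consistent", CONSISTENT_SET), ("inconsistent", INCONSISTENT_SET)):
        print(label, lint_policies(parse_policy_lines(lines)) or ["OK"])
```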
To configure a TouchDown policy to install and configure Exchange email accounts
You can use TouchDown in Device Manager to install and configure Exchange email accounts for your Android
device users.
Note: For each TouchDown policy that you create, be sure to add the TouchDown license key to the policy, or the policy will
not work.
Click the Policies tab and then, under Android, click Configurations.
Click New Configuration and then click TouchDown Email.
In the Add a TouchDown Email configuration dialog box, enter a configuration name for the policy (such as
TouchDown Email) and then enter your Exchange email parameters.
Important: While deploying this policy, XenMobile behaves as though the NitroDesk TouchDown application is already
installed from the Android Marketplace. You can leave the password field blank, which will prompt the user to enter
a password.
Add the license key to the policy, so you can be sure you are deploying valid software. Click the Policies and
Applications tab, click Settings and then click New Configuration Policy.
In the New Configuration dialog box, in Name, click LicenseKey and then, in Value, enter the TouchDown license
string.
Click Create and then click Add.
After you deploy the policy, the user needs to log in to the Android agent and authenticate the user's credentials in order
to activate the policy.
To create a deployment package for the TouchDown policy
In order to push the TouchDown email configuration policy to your Android devices, you need to create, configure, and run a
deployment package in Device Manager for the devices that you want to use the policy.
Click the Deployment tab, click New Package and then click New Android Package.
In the Create New Package wizard, define and deploy the TouchDown email package. On the Name page, enter a
name for the email policy, such as TouchDown Email.
On the Groups page, select a group or groups to be the recipient of this package. Or, you can choose to create an
anonymous deployment. Any users unable to authenticate themselves to the server can be connected in anonymous
mode and still receive packages.
On the Resources to be deployed page, in the Policies list, select the TouchDown Email policy you want to deploy and
then click the right arrow to add the policy to the package.
In Installation Files, select the appropriate Android and TouchDown software to add to the package, depending on whether
you are deploying to an Android tablet or a phone.
On the Deployment schedule page, choose a time to run the deployment, or click Now to run the deployment
immediately.
On the Deployment rules page,
When you have configured the deployment package and are ready to deploy, click Finish.
After you deploy the policy, the user needs to log in on the Android agent to authenticate the user's credentials in order
to activate the policy.
To initiate a selective wipe of email data by using a TouchDown API
You can initiate a selective wipe of email data (emails and attachments) on an Android device by using a TouchDown
application programming interface (API). You can initiate a selective wipe on the Security tab. Status updates are available
on a per-device basis on the General tab.
If a device user saved an email attachment to a location outside of the TouchDown default attachments folder,
TouchDown won't be able to detect the action. XenMobile won't, therefore, delete the data as part of the selective wipe.
This is a limitation with the use of the TouchDown API.
Configuring Deployment Rules for an Android Device Size
You can use Device Manager deployment rules to differentiate between a smartphone and a tablet based on the size of
the Android device, and then deploy the policies based on size of the target device. The screen size rules enable you to
apply specific policies based on whether the device is a tablet or a smartphone. Because some deployment
resources are tablet-specific, using the screen size property will ensure accurate deployments of tablet- or phone-specific policies.
You can create the rules, for example, if you want to deploy a TouchDown Android policy on all Android tablets except
the Amazon Kindle, and you want to ensure that these policies do not get deployed to any smartphones that may
happen to be running the same version of Android that the tablets are running. Conversely, you may want to deploy a
similar Android package, but for smartphones.
You set the rules in the Edit package wizard, in Deployment rules, on the Simple or Advanced tabs.
List of TouchDown Policies for Android Devices
AllowHTMLEmail
Type: Boolean
If True, TouchDown will allow the device to receive email that uses HTML format.
AllowSimpleDevicePassword
Type: Boolean
If True, allows simple device passwords.
Please be sure to add the following policies in combination with this policy:
DevicePasswordEnabled
MinDevicePasswordLength
AllowStorageCard
Type: Boolean
If False, prevents downloading of attachments to a device's SD card. Also, this policy disallows moving a
TouchDown profile/database to an SD card.
AlphaNumericDevicePasswordRequired
Type: Boolean
If True, TouchDown will enforce alphanumeric codes for device passwords. Please be sure to add the following
policies in combination with this policy:
DevicePasswordEnabled
MinDevicePasswordLength
AttachmentsEnabled
Type: Boolean
If True, allows you to send/receive email attachments via TouchDown.
DevicePasswordEnabled
Type: Boolean
If this field is not present, TouchDown will honor the PIN policies that EAS sends. If this field is present, and if
you set it to True, PIN prompting is enabled and a PIN will be required to access the device. If False, TouchDown
will not prompt for a PIN, even if Exchange ActiveSync (EAS) has policies set that require a PIN. Please be
sure to add the MinDevicePasswordLength policy along with this policy.
DevicePasswordExpirationDays
Type: Integer
Value that defines when a device's password is about to expire, measured in days. 0 = no expiration.
DevicePasswordHistoryCount
Type: Integer
Value that defines the device password history, where 0 = no history.
DisableCalendarWidget
Type: Boolean
If True, the Calendar widget will not show any data.
DisableChangeSignature
Type: Boolean
If True, TouchDown disallows the user from changing the email signature line.
DisableCleanup
Type: Boolean
If True, the user will be prevented from being able to wipe configuration settings on the device.
DisableCopyPaste
Type: Boolean
If True, users will not be able to copy data from email or paste data into email when composing messages.
DisableCopyToPhoneBook
Type: Boolean
If True, this will prevent the user from ever being able to copy contacts to the device phone book.
DisableDatabaseBackup
Type: Boolean
If True, the user cannot back up data to an SD card.
DisableEasyPINRecovery
Type: Boolean
If True, the user cannot use PIN Reset by entering a Microsoft Exchange account password.
DisableEmailWidget
Type: Boolean
If True, the email widget will not display any data.
DisableExportTo3rdPartyWidgets
Type: Boolean
If true, the device cannot export data to external content provider widgets.
DisableReconfiguration
Type: Boolean
Reconfiguration of the device is disabled except through the MDM client.
DisableSettigsBackup
Type: Boolean
If True, the user cannot back up device settings to an SD card.
DisableSpeecNotification
Type: Boolean
If True, notifications will not be read out loud.
DisableTaskWidget
Type: Boolean
If True, task widgets will not display any data.
DisableUniversalWidget
Type: Boolean
If True, the Universal widget will not display any data.
HideCalendarInfoOnNotificationBar
Type: Boolean
If True, notifications will not show calendar data indicating which appointment is scheduled.
HideEmailInfoOnNotificationBar
Type: Boolean
If True, notifications will not show Email data.
HideTaskInfoOnNotificationBar
Type: Boolean
If True, notifications will not show Task data.
hideWidgetDataWhenLocked
Type: Boolean
If True, PIN lock will hide data in widgets.
License Key
Type: String
String value that specifies the license key that enables running the TouchDown application.
Note: Configuring the LicenseKey policy is required in order to use TouchDown Android policies in Device Manager.
MaxAttachmentSize
Type: Integer
Integer value that defines the maximum size of attachments.
MaxCalendarAgeFilter
Type: Integer
Integer value specifying the maximum range of past events to sync.
Valid values are as follows:
0 = unlimited, 4 = 2 weeks, 5 = 1 month, 6 = 3 months, 7 = months
Note that this will not impact the values currently set by the user if the current values are more restrictive than
this value.
MaxDevicePasswordFailedAttempts
Type: Integer
Integer value that defines the maximum failed attempts to enter a correct device passcode before locking the user from
accessing the device.
MaxEmailAgeFilter
Type: Integer
Integer value specifying the maximum range of past emails to sync.
MaxEmailBodyTruncationSize
Type: Integer
Integer value that determines the maximum size of an email body before it is truncated.
Valid values:
0 - No body is fetched
1 - 4k
2 - 5k
3 - 7k
4 - 10k
5 - 20k
6 - 50k
7 - 100k
8 - unlimited
Raw integer values representing the size in bytes may also be used. For example, if you set the value to 3000 (above 8),
TouchDown will limit to the closest kilobyte unit shown above. Also note, this ONLY limits the upper limit the user
chooses, and does not enforce the exact value. For example, if you set the value to 7, the user can then choose
to limit to any value less than 100k.
MaxInactivityTimeDeviceLock
Type: Integer
Integer value (in seconds) that defines the maximum inactivity time period before the device auto locks.
MinDevicePasswordComplexCharacters
Type: Integer
Specifies the number of complex characters required in a device password.
MinDevicePasswordLength
Type: Integer
Defines the minimum password length for device passwords.
Please make sure to add the DevicePasswordEnabled policy along with this policy.
PhoneBookCopyFields
Type: Integer
Comma-separated list of fields that can be copied to the phone book.
The following fields can be entered in this string, delimited by commas, without any spaces:
org
photo
note
title
location
dept
wphone
wphone2
hphone
hphone2
mphone
ofax
hfax
assistantphone
radiophone
carphone
pager
compphone
email1
email2
email3
homeaddress
workaddress
otheraddress
RequireDeviceEncryption
Type: Boolean
If True, encrypts Contacts, Calendar and Email content, such as header as well as body, but not attachments.
RequireStorageCardEncryption
Type: Boolean
If True, email attachments downloaded to the SD card will be encrypted. Also, disallows moving of the
TouchDown profile/database to the SD card.
Please note that attachments downloaded prior to this policy will remain in plain text, and after this policy is
activated all attachments will be encrypted on the SD card.
SetPlainTextSignature
Type: String
String value that specifies the signature on the application to be used with plain text email.
SetSignature
Type: String
String value that sets the signature on the application.
SetSupressions
Type: String
String value that specifies a list of suppression codes to apply to TouchDown, to prevent TouchDown from
displaying certain options to the end user. The list of codes should be comma separated, with at least one
comma in the string.
SupressApplicationPIN
Type: Boolean
Set to True if you do not want the application to show a PIN prompt, and you do not want the Exchange
ActiveSync (EAS) PIN to be enforced by TouchDown. This is useful if the MDM decides to enforce a device level
PIN. If False, TouchDown will prompt for a pin/passcode only once.
To change that behavior, set this policy to False and add the policy named MaxInactivityTimeDeviceLock, which
prompts the user for a pin/passcode after a period of inactivity.
List of TouchDown Application Settings for Android Devices
AlwaysBCCSelf
Type: Boolean
If True, sends a copy (BCC) of all outgoing emails to the configured email address.
AppointmentRemindersAtNonPeakTime
Type: Boolean
If True, reminds the user of all appointments even if the appointment occurs during off hours or if the reminder is set to
occur during off hours.
CalendarAllDayInWidget
Type: Boolean
If True, this option will show all-day events in the TouchDown Calendar Widget.
CalendarCustomWeekView
Type: Boolean
This option gives two additional options:
Week starts on
Week ends on
Using these options the user can change the Week starts on and Week ends on options to select the start and
end dates for the week.
Selecting custom week start and end days will change the way the week view is shown. It will not affect the
month view unless your week start day is before the weekend day (Monday to Saturday).
CalendarDefaultPrivacy
Type: String
Automatically places the same privacy status for each new event unless otherwise specified by the user.
CalendarDefaultReminder
Type: Integer
Automatically places the same reminder length for each new event unless otherwise specified by the user.
CalendarDefaultStatus
Type: String
Automatically places the same availability status for each new event unless otherwise specified by the user.
CalendarEnableResources
Type: Boolean
If True, gives the ability to specify a resource field when creating new meetings. The user may use the resources field
to specify non-attendees such as conference room resources or equipment which are available using an email
address.
CalendarFirstWeekday
Type: Integer
Specifies the first day of the week to show in the calendar.
CalendarLastWeekday
Type: Integer
Specifies the last day of the week to show in the calendar, where 1 - 7 represents Sunday - Saturday. For example, 1
= Monday, 2 = Tuesday, and so on.
CalendarLightTheme
Type: Boolean
If True, the day and week views will be shown with a light theme.
CalendarOverdueTasksInAgenda
Type: Boolean
If True, shows overdue tasks in the agenda.
CalendarShowUpcomingOnly
Type: Boolean
If True, in the TouchDown Agenda view only current appointments that have not already passed for the current day
are shown.
CalendarSyncHistory
Defines date range of appointments to synchronize.
Values:
-1 = All
4 = 2 Weeks
5 = 1 Month
6 = 3 Months
7 = 6 Months
CalendarTasksInAgenda
Type: Boolean
If True, shows the calendar tasks in the agenda.
CalendarWorkEnd
Type: String
Specifies the end of the work day.
CalendarWorkStart
Type: String
Specifies the start of the work day.
CalnedarZoom
Type: Integer
Indicates zoom size for showing the day and week views in larger size and fonts. A good recommended zoom size for
high resolution devices is 150%.
CleanSDCardonRemoteWipe
Type: Boolean
Removes data from the SD card when a remote wipe command is issued.
If True, will delete the entire SD card on remote wipe.
If False, remote wipe will delete only the TouchDown folder.
CopyToPhoneNameFormat
Defines how to copy TouchDown Exchange contacts to the phone book as First Last name or as Last First name.
Values:
0 = First Middle Initial Last
1 = Last First Middle Initial
2 = File As
DeferServerUpdates
Type: Boolean
Selected changes are deferred and batched to the server. This is selected by default and improves the response time of
the application as well as reducing the number of server updates.
DeviceTypeString
Type: String
Default is Android. Once this value is set, it should not be changed.
DisableSmartreplies
Type: Boolean
If True, Smart Replies are turned off. This option should only be selected if the server does not allow SmartReplies
and SmartForwards. If forwards and replies are not working, then turn this option ON to determine if it works.
DisableTabletMode
Type: Boolean
If True, disables tablet mode even if it has detected that the user is working on a tablet. This option is specifically for
tablet users who prefer the classic TouchDown view.
EmailAfterDeleteGoto
This option lets the user select the behavior when viewing a message and selecting to delete the message. Options
include:
Email List. Go to the email list.
Next Email. Open the next email in the list. If none, go back to the email list view
Previous Email. Go to the previous email in the list. If none, go back to the email list view.
EmailAlwaysExpandFolders
Type: Boolean
If True, then when the user opens Choose Folders or taps the email folder bar to change folders, the folder tree will
always appear uncollapsed until the user manually collapses it.
EmailBodyStyle
Type: String
Specifies different fonts, sizes, colors and styles to be used when composing new messages in HTML mode.
EmailConfirmDeletes
Type: Boolean
If True, prompts the user with a message each time the user deletes an email to confirm that the email should be deleted.
EmailDownloadSize
Defines the download size of the email messages from the server during synchronization. Zimbra users should set this
to a value less than or equal to 10 KB.
1=4KB
2=5KB
3=7KB
4 =10KB
5 = 20 KB
6 = 50 KB
7 = 100 KB
8=Full
10 = No body
EmailFetchEmbeddedImages
Type: Boolean
If True, if using ActiveSync connection mode and HTML emails are enabled, embedded images within emails will
automatically be downloaded and displayed. Note that this may cause some refreshing of the email message after
each image is fetched and shown.
EmailHighlightSender
Type: Boolean
If True, makes the name of the email sender of any email item larger and bold (as opposed to the subject).
EmailHighlightUnread
Type: Boolean
If True, any read items in the email list will appear grey, without subject or sender in bold, leaving only unread emails
fully lit and bold.
EmailMoveToAny
Type: Boolean
If True, when the user selects to move email messages to other folders, the user is able to move messages to folders
that have not been selected for synchronization. If this is False, then the user can only move emails to folders that
have already synchronized.
EmailMultiSelectors
Type: Boolean
If True, each email message in the email list view will show a circle on the right side. The user can place a check mark
against each message by tapping the circle. Once selected, the user can perform operations like Delete, Mark as
Read, Mark as Unread and Move to Folder on all the selected items at once by tapping the Menu button on the device
and selecting the option from the menu that opens.
EmailPreviewAttachments
Type: Boolean
If True, view a sample thumbnail of email attachments after download but before attachments are opened with an
attachment viewer.
EmailSearchAsYouType
Type: Boolean
If True, when the user searches for messages using the Menu/Search option in the email list view, the messages are
filtered according to the search string as typed. If this is False, the user must tap the green arrow next to the search
string to perform the search.
EmailShowSummary
Type: Boolean
If True, displays an email summary.
EmailSyncHistory
Type: Integer
Defines a date range of emails to synchronize. Default is 14 days.
EmailTextViewSize
Select the text size to use when viewing email messages. This can be set to 1 of 5 levels: smallest, smaller, normal,
larger or largest.
EmailToolBarMode
Select how to display the toolbar. Values:
0 = Always show
1=Hide
2 = Toggle on shake
EnableHTMLEmail
Type: Boolean
If True, TouchDown will attempt to download and display emails in HTML format. If False, emails will be retrieved as
plain text.
Note: If using a server other than Exchange server, this option is not recommended.
ExcludeAttachmentsFromGallery
Type: Boolean
If True, ensures that media files are not scanned by the Android Gallery application when it scans the SD card for
media files.
FilteredTasksOnHomeScreenAndWidgets
Type: Boolean
If True, displays tasks on the home screen window and on the task widget when they are viewed on the TouchDown
Tasks Screen.
HonorBackgroundDataSetting
Type: Boolean
If True, honors the user's preference in the Android operating system if the user has decided to turn off Background Data
in device settings under the Accounts & Sync heading.
IncludePhoneContactsInPickList
Type: Boolean
If True, lists contacts from the Android Phone Book as contact options for new email or SMS items.
ManualSyncWhenRoaming
Type: Boolean
If True, suppresses push and polling when on a roaming network.
NoDeleteOnServer
Type: Boolean
If True, deleting emails on the device will not remove them from the server.
NoMarkReadOnServer
Type: Boolean
If True, reading emails or marking them as read/unread on the device will not mark them as read/unread on the
server.
NormalizePhoneNumbers
Type: Boolean
If True, changes contact phone numbers as follows:
X and x, and extension will be replaced by a ; (semicolon)
P and p will be replaced with a ; (semicolon)
W and w will be replaced with a , (comma)
NotifyAppointments
Type: Boolean
If True, shows a notification for reminders.
NotifyFailedPolling
Type: Boolean
If True, sends a notification when a periodic data refresh fails.
NotifyNewEmail
Type: Boolean
If True, sends a notification when new messages are received.
NotifyPasswordFailure
Type: Boolean
If True, sends a notification when an entered password is incorrect.
NotifySuccessfulPolling
Type: Boolean
If True, sends a notification when a successful data refresh is received.
OffPeakPollInterval
Type: Integer
Defines the off-peak polling interval. Any integer >= 0, which specifies the polling minutes if polling is enabled during
off-peak hours.
PollAtOffPeak
Type: Integer
If True, TouchDown will periodically poll for changes even during off-peak times.
PollingFrequency
Type: Integer
Defines the frequency to check for changes from the server. An ideal value is 15 minutes. Keep in mind that smaller
polling intervals can increase battery drain. (Note: This only applies if Push is not enabled.)
PushEnabled
Type: Boolean
If True, push email is enabled.
ReminderRepeat
Type: Integer
Allows you to set the interval of reminder repeats. Values:
0 = No repeat reminders
X>0 = repeat after X minutes
X<0 = Repeat X minutes before appointment
ShowEmailsOnStartup
Type: Boolean
If True, TouchDown will always open and display your email list.
Supressions
Type: Integer
Comma-separated codes which will specify which fields to suppress.
UpdateContactChangesToPhone
Type: Boolean
If True, updates contact information on the device when detected on the server.
To update a new version of a custom Android app
Before you can update a custom app to a new version, the app must meet the following requirements:
The new app package name must be the same as the previous version.
The app version number must be later than the previous version.
The app revision number must be higher than the previous version.
When a new version of a custom Android app (not available on Google Play) is available, you can update the app by adding
the new .apk file to the Files tab. The next time the device connects to the server running Device Manager, the app will be
updated to the new version.
Note: The app file name can be the same or different and doesn't affect the new version update.
On the Files tab, select the Android app you want to update and then click Edit.
To upload an Android application with a .apk extension, click Choose File and then browse for the app.
Click Update.
Configuring Exchange ActiveSync Policies for HTC devices
Device Manager supports Exchange ActiveSync policy configurations for Android HTC devices. Device Manager
supports HTC API version 0.5.0.
To access the HTC Exchange ActiveSync policy, in the Device Manager web console, select the Policies tab. Under
Android, click Configurations and then click New Configuration > HTC Exchange ActiveSync Configuration.
HTC Exchange ActiveSync Control Configuration
The HTC Exchange Active Sync configuration allows you to remotely configure Exchange Email settings, such as server
configuration and advanced mail server settings (SSL, synchronize contacts, synchronize calendar, make default email
account).
Note: In order to push an ActiveSync policy to an HTC device, you need to be running the Citrix Connect agent on the HTC
device.
In the Create an HTC Exchange ActiveSync configuration dialog box, you configure settings on the following tabs:
Configuration Name. Type a name for the Exchange ActiveSync email configuration policy so it is easily
identifiable in Device Manager.
Description. Type an optional description.
Configuration Display Name. Type a unique name for the email account configuration as it will appear on the
device.
Server Address name. Server address of the Exchange ActiveSync server.
User ID. Type the email account user name.
Password. Type the email account user password.
Domain. Type the domain for the Exchange ActiveSync server.
Email address. Type the user's email address.
Note: In this field, you can use Device Manager system macros ${user.username} and ${user.mail}, which
will automatically look up specific users and their email accounts based on the format listed.
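How the ${user.username} and ${user.mail} macro lookup behaves when a per-user email configuration is rendered, as an added example that is not part of the Citrix documentation and not Device Manager's own code. The user record, its attribute names, the template fields and the sample values are all constructed assumptions; the point it adds is that an unresolvable macro is reported rather than pushed to a device as a literal string.

```python
import re

# Constructed sample user record (not from the documentation); the attribute names
# "username" and "mail" are taken from the macro names, everything else is assumed.
SAMPLE_USER = {"username": "jdoe", "mail": "jdoe@example.com"}

# Constructed template of an ActiveSync configuration with macros in two fields.
EAS_TEMPLATE = {
    "user_id": "${user.username}",
    "email_address": "${user.mail}",
    "domain": "corp.example",
    "use_ssl": True,
}

# Matches ${user.<attribute>} and captures the attribute name.
MACRO_RE = re.compile(r"\$\{user\.([A-Za-z_]+)\}")


def unresolved_macros(template, user):
    """Return the attribute names referenced by macros that the user record lacks."""
    return [name for name in MACRO_RE.findall(template) if name not in user]


def expand_user_macros(template, user):
    """Replace every ${user.<attribute>} with the user's value.

    Raises KeyError if any macro cannot be resolved, so a configuration is never
    rendered with a literal, unexpanded macro in a mailbox or user name field.
    """
    missing = unresolved_macros(template, user)
    if missing:
        raise KeyError(f"unresolved user macros: {missing}")
    return MACRO_RE.sub(lambda m: user[m.group(1)], template)


def render_config(template_cfg, user):
    """Expand macros in every string field of a configuration template for one user."""
    return {
        key: expand_user_macros(value, user) if isinstance(value, str) else value
        for key, value in template_cfg.items()
    }


if __name__ == "__main__":
    print(render_config(EAS_TEMPLATE, SAMPLE_USER))
    print(unresolved_macros("${user.phone} ${user.mail}", SAMPLE_USER))
```

Non-string fields (such as the SSL flag) pass through untouched, and the check for unresolved macros runs before any substitution so a half-rendered configuration is never produced.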
Configuring Policies for Samsung SAFE Devices
Device Manager supports policy configurations for Samsung SAFE devices so that you can successfully manage your
Samsung Android devices. Device Manager Samsung SAFE configurations are compatible with Samsung API Levels
Version 2 and 3.
You can access all of the new Samsung configurations on the Policies tab. Under Android, click Configurations and then
click New Configuration.
Restrictions Configuration
The Android Restrictions policy allows you to Allow or Disallow the following on Samsung device configurations:
Common Apps/App Store. YouTube, Browser, Google Play Marketplace, Non-Google Play App Install
Hardware controls. Factory reset, backup, OTA, clipboard, camera, power off, screenshot capture, SD
card, and so on.
Network settings. Bluetooth, BT tethering, WiFi, WiFi tethering, cellular data, roaming, and so on.
USB settings. Debugging, mass storage, tethering, and so on.
In the New Samsung restriction configuration dialog box, you configure settings on the following tabs:
General. On this tab, you enter a name and description for the configuration.
Applications. This tab allows you to block or allow specific apps and app marketplaces. When you
select an option, the app or app store will be allowed on the device. You clear the option if you do not
want the device user to be able to access these apps or app stores.
Hardware controls. This tab allows you to block or allow user control of specific hardware settings on
the device. When you select an option, the device user will be able to change the hardware settings.
You clear the option if you do not want the device user to be able to change these settings.
Network. This tab allows you to block or allow user control of specific network settings on the device.
When you select an option, the device user will be able to change the network settings. You clear the
option if you do not want the device user to be able to change these settings.
USB. This tab allows you to block or allow user control of specific USB controls on the device. When
you select an option, the device user will be able to change the USB controls. You clear the option if
you do not want the device user to be able to change these settings.
Exchange ActiveSync Control Configuration
The Samsung Exchange Active Sync control configuration allows you to remotely configure Exchange Email settings,
such as server configuration and advanced mail server settings (SSL, synchronize contacts, synchronize calendar,
make default email account).
Note: In order to push an ActiveSync policy to a SAFE device, you need a SAFE device that is running the XenMobile
for Samsung agent.
In the Edit a Samsung Exchange ActiveSync configuration dialog box, you configure settings on the following
tabs:
General. On this tab, you can define your Exchange Active Sync configuration you want your
Samsung devices to use.
Advanced. On the Advanced tab, you can select or clear the following Exchange Active Sync settings:
Use SSL
Is default account
Synchronize contacts
Synchronize calendar
Firewall Configuration
The Samsung Firewall configuration allows you to remotely configure firewall settings for your Samsung devices.
In the Edit Samsung firewall configuration dialog box, you configure settings on the following tabs:
General. On this tab, you enter a name and description for the configuration.
Allow/Deny Hosts (Blacklisting/Whitelisting). The Allow/Deny Hosts tab allows you to enter IP
addresses or host names that you want to either allow (whitelist) or block (blacklist) the device
from accessing.
Proxy Configuration. Allows you to remotely configure proxy settings for the device.
Re-route Configuration. Allows you to configure proxy reroute configurations for your devices.
App Uninstall Configuration
The App uninstall configuration allows you to block or permit specific apps from being uninstalled from a Samsung
device. You can choose from a prepopulated list of apps derived from all software inventories taken from all managed
Samsung devices.
In the Edit Samsung App Uninstall Restriction dialog box, you configure settings on the following tabs:
General. On this tab, you enter a name and description for the configuration.
Application. The list of apps that you are blocking or allowing to be uninstalled from an Android
device. Click New Application to add a new app to the list.
Password Policy
The Password Policy configuration allows you to optionally enforce a single device to use the same password for any
user accessing the device, plus complex, flexible password parameters: numeric/alphanumeric restrictions, length
requirements, expiration, wipe device after X number of failed attempts, plus encryption for device storage.
In the Password policy configuration update dialog box, you configure settings on the following tabs:
General. On this tab, you enter a name and description for the configuration.
Password complexity. This tab gives you great flexibility in configuring password complexity
parameters for Android devices.
Encryption. You can choose to enable encryption on the Android devices storage.
Note: Available for Android 3.0 and later. The Android 3.0 encryption operation will prompt the user to
accept the action. It also requires the device to be plugged in and the device will not be usable for up
to an hour while the encryption operation takes place. This is a function of the Android 3.0 encryption
capability.
Samsung SAFE. This setting allows you to set a single password for multiple users on a device.
Silent App Un-Installation Configuration
The Silent App UnInstall configuration allows you to initiate software un-installation without requiring user
intervention. You can choose from the list of apps derived from all software inventory of all managed Samsung
devices in your network. When you deploy the policy, the apps selected will be uninstalled quietly and
seamlessly.
Selective Wipe for SAFE Devices
You can use Selective Wipe on Samsung SAFE devices to remove email data, document data, and application data.
Managing Samsung Configurations
XenMobile supports and extends both Samsung for Enterprise (SAFE) and Samsung KNOX policies. SAFE is a family
of solutions that provide security and feature enhancements for business use through integration with mobile device
management solutions. Samsung KNOX is a solution within the SAFE program that provides a more secure Android
platform for enterprise use.
You must enable the SAFE APIs by deploying the built-in Samsung Enterprise License Management (ELM) key to a
device before you can deploy SAFE policies and restrictions. To enable the Samsung KNOX API, you also need to
purchase a Samsung KNOX license using the Samsung KNOX License Management System (KLMS) in addition to
deploying the Samsung ELM key. The Samsung KLMS provisions valid licenses to mobile device management
solutions to enable them to activate Samsung KNOX APIs on mobile devices. These licenses must be obtained from
Samsung and are not provided by Citrix.
For devices running Android 4.3 and later, you must deploy Worx Home along with the Samsung ELM key to enable the
SAFE and Samsung KNOX APIs. Devices running Android 4.2 or earlier require Worx Home for Samsung to
successfully deploy SAFE policies. You can verify that the SAFE APIs are enabled by checking the device properties.
When the Samsung ELM key is deployed, the Samsung MDM API available setting has a value of True.
Note: With versions of XenMobile prior to XenMobile 8.6, SAFE policies can be deployed to devices running Android 4.2 or
earlier with Worx Home for Samsung without deploying the Samsung ELM key. However, the Samsung ELM key is required
for devices running Android 4.3 and later, and this key is only available with XenMobile 8.6 and later.
If you upgraded from a previous version of XenMobile, you must manually create the configuration to generate the
Samsung ELM key.
To create a Samsung MDM license key configuration
1. Using a web browser, navigate to http[s]://serveraddress[:port]/zdm, where serveraddress is the fully qualified domain
name (FQDN) or IP address of your Device Manager server and port is the optional port number if you changed the
default port setting. Log on to the Device Manager web console using an account with administrative permissions.
2. Click the Policies tab and, in the left pane under MDM Policies, click Android > Configurations.
3. In the results pane, click New Configuration > Samsung > MDM License Key.
4. Give the license key configuration a name that will help you to identify it and, optionally, a description.
5. In the MDM license key box, enter the following macro to generate the Samsung ELM key:
${elm.license.key}
To create a Samsung Knox Exchange ActiveSync configuration
The Samsung Knox Exchange ActiveSync configuration allows you to remotely configure Exchange Email settings,
such as server configuration and advanced mail server settings (SSL, synchronize contacts, synchronize calendar,
make default email account).
1. In the Device Manager web console, select the Policies tab.
2. Under Android, click Configurations and then click New Configuration > Samsung Exchange ActiveSync
Configuration (Available for Samsung Knox).
3. In the Create an HTC Exchange ActiveSync configuration dialog box, on the General tab, enter the following information:
a. Configuration Name. Type a name for the Exchange ActiveSync email configuration policy so it is easily
identifiable in Device Manager.
b. Comment. Type an optional comment for the policy.
c. Server Address name. Server address of the Exchange ActiveSync server.
d. User ID. Type the email account user name.
e. Password. Type the email account user password.
f. Domain. Type the domain for the Exchange ActiveSync server.
g. Email address. Type the user's email address. In this field, you can use Device Manager system macros
${user.username} and ${user.mail}, which will automatically look up specific users and their email accounts
based on the format listed.
h. Identity Credential. If an identity server has been configured with Device Manager, then you can select the
identity certificate or credential type here.
4. Next, select the Advanced tab and select the advanced settings you want to be activated for the policy: Use SSL, Is
default account, Synchronize contacts (between device client and server), Synchronize calendar.
5. Click Create.
To create a Samsung KNOX password policy
The Samsung KNOX password policy lets you configure a device passcode policy according to the standards of your IT
department.
1. In the Device Manager web console, click the Policies tab.
2. Under Android, click Configurations and then click New Configuration > Samsung > Samsung Knox Password Policy.
3. In the New Samsung Knox Password Policy Configuration dialog box, on the General tab, enter a name and optional
description for the policy.
4. On the Policies tab, select the password requirements you want to enforce. You can configure such settings as the
maximum number of characters allowed, maximum allowed failed attempts (before the user is locked out of their
Samsung device), minimum number of complex characters (non-alphanumeric), expiration (in days) before the password
expires, and so on. When an option is selected, the policy is enforced.
5. On the Forbidden Strings tab, click New and then, in the Forbidden String field, enter a string you want to
prohibit from being used in a password. For example, you may want to prevent common unsecure password strings
that are easy to guess, such as password or welcome or 123, and so on.
6. Click Create.
To create a Samsung Knox browser configuration
The Samsung Knox browser configuration allows you to control behavior of the Knox browser on the Samsung device,
such as blocking the browser from being used, enabling or disabling JavaScript, disabling cookies or pop-ups, disabling
auto-fill, and forcing the browser fraud warning.
1. In the Device Manager web console, select the Policies tab.
2. Under Android, click Configurations and then click New Configuration > Samsung Browser Configuration (Available
for Samsung Knox).
3. In the New Samsung Browser Configuration dialog box, select the security settings you want to enforce on the device
browser:
a. Disable Browser
b. Disable Popup
c. Disable JavaScript
d. Disable Cookies
e. Disable Autofill
f. Force Fraud Warning
4. Click Create.
To create a Samsung Knox enterprise VPN configuration
The Samsung Knox enterprise VPN configuration allows you to specify corporate VPN settings so that apps launched from inside
the Knox secure container (such as the browser) use a secure connection. The Samsung KNOX container includes an on-demand,
FIPS-certified VPN client called per-app VPN. Per-app VPN allows you to configure, provision, and manage the use of VPN
on a per-application basis, so you can create Samsung Knox VPN configurations with strong IPsec VPN encryption, including
support for Suite B cryptography.
1. In the Device Manager web console, select the Policies tab.
2. Under Android, click Configurations and then click New Configuration > Samsung Enterprise VPN.
3. In the New Samsung Knox Enterprise VPN configuration dialog box, on the General tab, enter a name and optional
description for the policy.
4. In the VPN tab, enter the following information:
a. Connection name
b. Hostname
c. Enable backup server. (If configured on the VPN server.) If a backup server is connected, then complete the
backup server configuration.
d. Backup VPN server name
e. Username
f. Password
g. Groupname
h. IPsec group Id type
i. IKE version
j. Authentication Method
k. Identity Credential
l. CA Certificate
5. Select the Others tab and select any additional VPN parameters you want to configure for the connection.
6. Select the Forward Routes tab and click Forward Routes to enter new forwarding routes if your corporate VPN
server supports multiple route tables.
7. Click Create.
To create a Samsung Knox app restriction policy
The Samsung Knox app restriction policy allows you to configure app blacklists of apps you want to block from being
installed in the Knox Container. You can also specify on a per-app basis those apps you want to allow users to install
(whitelist).
1. In the Device Manager web console, select the Policies tab.
2. Under Android, click Configurations and then click New Configuration > Samsung > Samsung Knox App Restriction.
3. In the New Samsung Knox App Restriction Policy dialog box, on the General tab, enter a name and optional description for
the policy.
4. Select the Applications tab, and then click New Application.
5. In the dialog box for adding an application to deny or allow, enter an application name, or from the drop-down list
select an app that has already been added to Device Manager.
6. Once you have selected an app, choose either Deny or Allow.
7. Click Create.
8. You can add as many apps as you wish. When you are done adding apps, click Create to create the policy.
To create a Samsung Knox app uninstall configuration
The Samsung Knox app uninstall configuration policy allows you to perform silent app removal from the Knox Container.
1. In the Device Manager web console, select the Policies tab.
2. Under Android, click Configurations and then click New Configuration > General > App UnInstall.
3. In the App UnInstall dialog box, enter a name for the configuration and an optional description.
4. In the Applications to be uninstalled section, enter or select the name of the app you want to uninstall.
5. Click OK.
To create a Samsung Knox Remote Support policy
You can create a Samsung Knox remote support policy if you have purchased and installed the XenMobile MDM Remote
Support product. You will need to perform the following setup in order to enable remote support for Samsung Knox devices:
Install XenMobile Remote Support application in your environment.
Configure a Remote Support app tunnel.
Configure a Samsung Knox remote support policy (this topic).
Deploy both the Remote Support app tunnel and the Samsung remote support policy to a user's device.
There are two kinds of remote support you can enable for a Samsung Knox device:
Basic Support. This allows you to view diagnostic information about the device such as system information,
processes that are running, task manager (memory and CPU usage), installed software folder contents, and
so forth.
Advanced Support. This option allows you remote control over the device’s screen, including control
with colors, in either the main window, or in a separate, floating window, establishment of a Voice-over-IP
session (VoIP) between the helpdesk and the user, configuration of settings, and establishment of a chat
session between the helpdesk and the user.
1. In the Device Manager web console, select the Policies tab.
2. Select Android > Configurations, and then click New Configuration > Samsung > Premium Remote Support
Configuration.
3. In the New Samsung Premium Remote Support configuration dialog box, enter a name for the policy.
4. Select either Basic Support or Advanced Support.
5. Click Create.
To perform a selective wipe on a Samsung Knox device
A selective wipe will remove all XenMobile policies and packages that have been deployed to the device (including the
Samsung Knox container), as well as any corporate data, while retaining personal information and selected settings. The
device can be re-enrolled at a future time.
Note: Selectively wiping an Android device does not completely disconnect the device from Device Manager and a user's
corporate network. In order to break the connection between the device and the corporate network, you also need to revoke
the Android device.
1. From inside the Device Manager web console, select the Devices tab.
2. From the Devices tab, select the Samsung Knox device you want to selectively wipe.
3. From the Security menu, select Selective Wipe.
4. Confirm that you want to selectively wipe the device.
Managing Amazon Kindle Configurations
In this release of XenMobile, you can now apply the following MDM policies for Worx Home on Amazon Kindle devices:
App Uninstall Restriction. This policy allows you to define a list of applications that you do not want a user to
be able to uninstall. You can also specify a list of apps that a user can uninstall.
Amazon Kindle Restrictions Policy. This policy allows you to apply certain security restrictions for your Worx
Home for Kindle users, such as the ability to allow or disallow non Amazon apps to be installed, device
factory reset, social networks, cellular networks, and more.
To create an Amazon App Uninstall Restriction policy
This policy allows you to determine a list of apps you do not want a user to be able to uninstall from an Amazon Kindle
device. You can also specify a list of apps that a user is able to uninstall.
1. In the Device Manager web console, on the Policies tab under Android, click Configurations.
2. In the menu, click New Configuration > Amazon App Uninstall Restriction.
3. In the New App Uninstall Restriction dialog box, enter a name and description for the policy.
4. Next, select the Applications tab.
5. Click New Application.
6. In the New application uninstallation to allow/deny dialog box, enter an application name or select one from the list.
7. For the app, select a rule that uninstallation is allowed or denied.
8. Click Create. Repeat for as many apps as you want to add to this policy.
9. Click Create to create the policy.
To create an Amazon Restrictions policy
This policy allows you to apply certain security restrictions for your Worx Home for Kindle users, such as the ability to
allow or disallow non Amazon apps to be installed, prevent device factory reset, block specific social networks or cellular
networks, and more.
1. In the Device Manager web console, on the Policies tab under Android, click Configurations.
2. In the menu, click New Configuration > Amazon Restrictions.
3. In the New Amazon restriction configuration dialog box, enter a name and description for the policy.
4. Next, select the Restrictions tab. Here, you can choose the restrictions you want to enforce on managed Amazon
Kindle devices. If an option is selected, then the function or setting is allowed. If an option is de-selected, then the
function or setting is not allowed.
5. When finished, click Create.
Managing Windows Phone 8 Configurations
You can create a variety of policy types and configurations for your Windows Phone 8 devices to help manage user and
company data, including Windows Phone app distribution through the Enterprise Hub Company store, storage policies
(to encrypt stored data and the ability to prevent storage card usage), password policies, Exchange ActiveSync email
policies so your users can seamlessly connect to corporate email accounts, as well as your own custom policies.
To create an Enterprise Hub policy for Windows Phone 8 devices
Before you create and deploy the Enterprise Hub policy for Windows Phone 8 devices, make sure you have obtained your
AET (.aetx file) signing certificate from Symantec and that you have obtained and signed the Citrix Company Hub app
(CitrixCompanyStore.xap) using the Microsoft app signing tool (XapSignTool.exe). For more information, see To add an
external Windows Phone 8 app.
Note: Before you deploy the Enterprise Hub policy to devices, ensure that your users have been enrolled into Device
Manager, or the policy will not work.
1. In the Device Manager web console, select the Policies tab.
2. Under MDM Policies on the left, select Windows Phone 8 > Configurations > New Configuration > Enterprise Hub.
3. In the Create an AET cert and/or enterprise app store configuration dialog box, enter a name for the policy.
4. Next, click the Choose file buttons to upload the AET file and the signed CitrixCompanyStore.xap to the
policy.
5. Click Create. To deploy the package to your Windows Phone 8 devices, you need to add this policy to a deployment
package and deploy it to a specified user group. For more information on creating and deploying policies in a
deployment package, see To create and deploy a deployment package.
To access apps on the Windows Phone 8 Work Home App Store
When apps have been deployed through XenMobile to a user's Windows Phone 8 device, the apps can be accessed
through the Windows Phone 8 Worx Home app store.
1. To access the app store, on your Windows Start Screen, tap the Worx Home tile.
2. In the Worx Home login screen, enter your Device Manager (or XenMobile) user name and password (the same
ones you used when you enrolled), and then tap the arrow button. (Authentication is only required once.)
3. In the Available Apps screen, scroll to the app you want to install. To install an app, tap it and install it.
To create a Windows Phone 8 app deployment package
In order for your Windows Phone 8 users to receive apps through the Company Store, you need to add those apps to
Device Manager and deploy them to your users. In addition, you need to make sure you deploy the Enterprise Hub
policy as well. You can deploy both the apps and the Enterprise Hub policy using a Device Manager deployment
package.
1. Select the Deployment tab, click New Package and then click New Windows Phone 8 Package.
2. In the Create New Package wizard, in the Package Name window, enter a name for the package, such as Android
App Store, and then click Next.
3. On the Groups of users window, select the group you created earlier and then click Next.
4. On the Resources to be deployed window, under Available Resources, scroll to the Enterprise App Store and select
the Windows Phone 8 apps you want to add, click the right arrow button and then click Next. If you haven't yet
deployed the Enterprise Hub policy, you can add it here.
5. On the Deployment schedule window, select the If not deployed, Start Now option and then click Next.
6. On the Deployment rules page, click Next.
7. On the Package summary page, click Finish.
8. In the packages list, click Deploy.
To perform a selective wipe on a Windows Phone 8 device
When you selectively wipe a Windows Phone 8 device using Device Manager, the following is removed from the device:
The enterprise token that allows apps to be installed on the device by Device Manager.
All Device Manager certificates.
All Device Manager configurations that have been deployed to the device.
1. From inside the Device Manager web console, select the Devices tab.
2. To find the Windows Phone 8 device you want to selectively wipe, sort the list using the OS filter.
3. Select the check mark next to the device you want to selectively wipe.
4. From the Security menu, choose Selective Wipe.
To configure Windows Phone 8 Exchange ActiveSync policies
You can use this policy to preconfigure and deploy your corporate Exchange ActiveSync configuration to Windows
Phone 8 device users. Note, however, that the policy does not allow you to set the user password. The device user will
need to set that parameter from the device after the policy is pushed.
1. On the Policies tab, under Windows Phone 8, click Configurations.
2. In the menu, click New Configuration > Exchange ActiveSync.
3. In the Create a new Exchange ActiveSync configuration dialog box, on the General tab, enter the following
information:
a. Configuration Name. Type a name for the policy.
b. Description. Type an optional description.
4. In the Email parameters section, enter the following information:
a. Account name. Enter the name of the Exchange ActiveSync account.
b. User name. Type the account user name.
c. Domain. Type the domain for the Exchange ActiveSync server.
d. Email address. Type the user's email address. In this field, you can use Device Manager system macros
${user.username} and ${user.mail}, which will automatically look up specific users and their email accounts
based on the format listed.
e. Server name. Type the name of the Exchange ActiveSync server.
5. Click the Advanced tab and enter the following information:
a. Synchronization Frequency. Select the frequency with which you want the email account on the device to sync
with the Exchange Server. This setting specifies how often any new data from the server will be sent to the
device.
b. Synchronization Items. Select the items you want to be synced, such as email, contacts, calendar, and so on.
c. Logging. Specify the level of detail for logging of Exchange activity (or no logging).
6. Click Create.
To configure Windows Phone 8 password policies
1. On the Policies tab, under Windows Phone 8, click Configurations.
2. In the menu, click New Configuration > Password Policy.
3. In the Create a password policy dialog box, on the General tab, enter a name for the policy and a brief description.
4. In the Policies section, configure your Windows Phone 8 password policy according to the standards of your IT
department. The password policy options are as follows:
Require a password on the device. Enables password protection on the device. If cleared, the device does not require a
password (unless the device user sets it manually).
Allow simple password. Allows the use of a simple password, which is one consisting only of repeated ("2222") or
sequential ("abcd") characters.
Password complexity. Alphanumeric: Requires that at least one character of the password is a letter. Alphanumeric or
Numeric: Requires that the password contain either at least one letter or one number (but not both). Alphanumeric,
Numeric, or none: Password can contain both alphanumeric and numeric characters.
Minimum password length. Allows you to set the minimum overall length (in characters) required for the password.
Minimum password complex characters. Allows you to set the number of character classes that are required to be present
in the password. The classes are: lower case alphabetical characters, upper case alphabetical characters, numbers, and
non-alphanumeric characters. For example, if the value is 2, a password with both upper case and lower case alphabetical
characters would be sufficient, as would a password with lower case alphabetical characters and numbers.
Password expiration (in days). Allows you to specify the number of days for which the password can remain unchanged.
After the set number of days, the user is forced to change the password before the device is unlocked.
Password history. Allows you to specify the number of previously used passwords to store. When a user creates a new
password, the user can't reuse a stored password that was previously used.
Inactivity before device lock (in minutes). Allows you to specify the length of time that the phone can be inactive before
the password is required to reactivate it. You can specify any interval between 30 seconds and 1 hour. The default is
15 minutes. The format of the setting is hh.mm:ss; for example, 15:00 = 15 minutes.
5. Click Create. The new policy appears in the Policies list.
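The password rules described above (simple password, minimum complex character classes, password history, expiration) together with the Forbidden Strings list from the Samsung Knox password policy earlier on this page, evaluated in code as an added example; this is not Citrix documentation code and not how Device Manager or the device OS implements enforcement. The policy values, the option names returned as violation labels and the sample passwords are constructed; the three Password complexity modes (Alphanumeric, Alphanumeric or Numeric, Alphanumeric, Numeric, or none) are not modeled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    """Mirrors the documented options; the default values are constructed for the example."""
    min_length: int = 8                  # Minimum password length
    min_complex_classes: int = 2         # Minimum password complex characters
    allow_simple: bool = False           # Allow simple password
    history: int = 3                     # Password history (0 disables the reuse check)
    expiration_days: int = 90            # Password expiration in days (0 disables)
    forbidden: list = field(default_factory=list)  # Knox Forbidden Strings


def is_simple(pw: str) -> bool:
    """A simple password is made only of repeated ("2222") or sequential ("abcd") characters."""
    if len(pw) < 2 or len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})  # strictly ascending or descending code points


def complexity_classes(pw: str) -> int:
    """Count the character classes present: lower, upper, digit, non-alphanumeric."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def check_password(pw: str, policy: PasswordPolicy, previous=()) -> list:
    """Return the names of the options the candidate violates; an empty list means compliant."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append("min_length")
    if complexity_classes(pw) < policy.min_complex_classes:
        violations.append("min_complex_characters")
    if not policy.allow_simple and is_simple(pw):
        violations.append("simple_password")
    # Forbidden strings match anywhere in the password, case-insensitively.
    if any(bad.lower() in pw.lower() for bad in policy.forbidden):
        violations.append("forbidden_string")
    # Only the most recent `history` passwords are stored for the reuse check.
    if policy.history and pw in list(previous)[-policy.history:]:
        violations.append("password_history")
    return violations


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True once the password has remained unchanged for the configured number of days."""
    return policy.expiration_days > 0 and today - last_changed >= timedelta(days=policy.expiration_days)


# Constructed policy using the forbidden strings the documentation gives as examples.
POLICY = PasswordPolicy(forbidden=["password", "welcome", "123"])

if __name__ == "__main__":
    for candidate in ("abcd", "Welcome2024!", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, POLICY))
```

The history check deliberately slices to the last `history` entries, so a password older than the stored window is again accepted, which is the behaviour the option describes; set `history` to 0 to disable the check without the slice degenerating to the whole list.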
To create Windows Phone 8 storage policies
1. In the Device Manager web console, click the Policies tab, click to expand Windows Phone 8 and then click
Configurations.
2. In the menu, click New Configuration > Storage Policy.
3. In the Create a storage policy configuration dialog box, General section, type a name for the policy.
4. Next, select one or both of the policy options:
a. Require Device Encryption. Select if you want all data stored on the device to be encrypted. Selecting this
option ensures that no one will be able to access the data without the PIN code, even if the device is cracked
open and the chip is removed.
b. Disable Storage Card. Select if you want to prevent a user from storing data on an external storage card.
5. Click Create.
To configure Windows Phone 8 custom policies
1. On the Policies tab, under Windows Phone 8, click Configurations.
2. In the menu, click New Configuration > Custom Policy.
3. Enter your own custom XML configuration for Windows Phone 8, and then click Validate.
Creating Windows 8 Tablet Registry Configurations
You can create Windows 8 Tablet registry configurations to allow for a single point for device registry management. A
set of registry keys can only exist in a configuration. You can create different settings and then deploy them selectively
to some or all of the mobile devices under management. Once you create the registry settings, you can then deploy
them to your Windows 8 devices using a Device Manager deployment package.
To create a Windows 8 tablet registry configuration
1. In the Device Manager web console, on the Policies tab, under Windows 8 Tablet, click Registry Configurations.
2. Click New Configuration.
3. In the New registry configuration dialog box, type a name and then click Create. This will create a default, blank
registry value set, for which you can create custom registry entries to suit your requirements.
4. To create a new registry key, select a registry folder and click New Key. Type a name for the new key and then click
Create.
5. To enter a registry key value, click New Value.
6. In the Create a new registry value dialog box, enter the following information:
a. Name. Type a name for the registry key.
b. Type. Choose the registry type, such as String, DWORD, Expandable String, or Executable.
c. Value. Type the data for the registry value.
7. Click Create.
Managing Windows Mobile Configurations
You can create several types of device management policies and configurations for your Windows Mobile devices, such
as App Tunnels for secure connections to your corporate network at the app level, registry setting configurations, server
settings policies, and custom XML configuration policies.
About the Windows Mobile Server Collection
The Servers collection in Device Manager is used both to administer existing servers and to add new servers to your Device
Manager deployment. A default server configuration is created during the Device Manager installation.
In the Server Groups collection for Windows Mobile, you can add new access points to the server and create backup
servers. You can also configure server groups. You can use server groups to do the following:
Create one or more backup servers (valid only if strong authentication is not enabled for the product).
Define several access points for connection to the server running Device Manager.
Provide logical grouping for multiple deployment locations.
To add a new server in the Windows Mobile server collection
To create other servers running Device Manager, you first need to create a new server group. To do so, click New group.
After you create at least one group, you can then create a new server.
If a device cannot connect to the selected server, the device attempts to connect through the other servers in the same group,
one after the other, in the defined order, through to the default server. To change the order in which servers are listed,
right-click a server and then click Options (or click Down).
1. Click New server.
2. Enter a display name for the server.
3. Enter the IP address or fully qualified domain name (FQDN) of the server.
4. Enter the host port.
5. Choose the optional settings: use SSL, use a proxy server, or use as the default server. Without SSL, the traffic between
the device and that server (including every registry and server setting it receives) is sent in cleartext, so select SSL for
any server that devices reach over an untrusted network.
To edit a server
1. Click the server whose settings you want to modify and then click Update.
2. Modify the settings and then click Update.
To delete a server
1. Click the server you want to delete and then click Delete.
2. When prompted, confirm the deletion.
To configure device IP address ranges
By design, devices connect to the default server running Device Manager at the provided host name or IP address. For
situations in which you have a LAN, WiFi, or USB connection, you can specify IP address ranges. If the Windows Mobile
device has an IP address within this range, the device connects to the server running Device Manager. Specifying IP
address ranges is useful when uploading new software because you can lower data charges.
1. Click an existing server or create a new server.
2. Click Update.
3. Click the Device IP ranges tab.
4. Click New IP address range.
5. Enter the starting and ending IP addresses and then click Create. When you select a server, you can also update the
server settings, such as the IP address, default server, and IP address ranges.
You must also deploy a server group to a user group on the Deployment tab.
About the Registry Collection for Windows Mobile
The Registry collection is used to configure the Windows Mobile or Windows CE registry base of the mobile devices,
thus allowing for a single point for device registry management. Device Manager includes a series of step-by-step
wizards, allowing for rapid setup and deployment of registry configurations.
In addition to configuring both new and existing registry values, either for the operating system or for installed third-party
applications, you can manage the Device Manager client configuration options. This allows for multiple client backup
settings and control over network connectivity, and is handled by a dedicated wizard.
A set of registry keys can only exist in a configuration. You can create different settings and then deploy them
selectively to some or all of the mobile devices in the fleet. You can create a new registry configuration either manually
or via the wizard. The configuration wizard includes pre-configured options for the following applications:
Device Manager options
Uninstall Device Manager client from a device
Scheduling
Connect on SMS reception / Connect on call
MS Exchange configuration for MS Outlook
Security rules
Note: This feature is available only with the Device Manager Secure Device option.
Configure devices when roaming
Configuring Registry Keys by Using the Device Manager Options Wizard
Device Manager uses registry keys to store its own data on each mobile device. You can configure these options by
using the Device Manager Options wizard.
Device Manager configuration backup. Device Manager client settings can be stored on the removable memory card in
the mobile device. If a mobile device has to be hard reset, it automatically retrieves the settings required to
reconstruct the configuration, such as the Device Manager agent, registry keys, Device Manager-related security
certificates, and network configuration. For devices with more than one memory card, you can also configure a backup
to a specific card. Because this backup includes the Device Manager security certificates, a removable card that leaves
the device carries those credentials with it; treat the card like any other copy of the device's credentials.
Connect to these networks. Device Manager is authorized, if necessary, to activate connections as defined in Network
Management on the mobile device:
User-defined Office
User-defined Internet
Built-in Office (My Work Network connection)
Built-in Internet (My ISP connection)
The operating mode depends on the status of the mobile device's current network connection at any given time:
Authorized and active connection. If the server running Device Manager is accessible through this network, the
Device Manager agent connects to the server running Device Manager.
Unauthorized but active connection. The mode is the same as for an authorized and active connection.
Authorized and inactive connection. The Device Manager agent activates the connection and then connects to the
server running Device Manager.
Unauthorized and inactive connection. The Device Manager agent does not attempt to activate the network connection.
Device Manager icon. This option hides or displays the Device Manager icon in the mobile device's tray bar.
Connection time-out. This option sets the time-out, in seconds, for the device's connection to the server
running Device Manager. If the device does not connect within that time, the connection attempt is cancelled.
Keep-alive interval. This option sets how often the device pings the server in order to keep the
connection alive.
Ask the user before allowing remote control. When a connection is established with the helpdesk, the
remote device prompts the user, through a confirmation dialog box, to allow the helpdesk to take remote control of the
mobile device.
Ask the user before allowing file transfer by the remote control tool. File transfers from a device to the server
can be configured on the Device Manager web console for anonymous mode, for user confirmation of the
request, or for only presenting a message to inform the user.
To uninstall Device Manager from a Windows Mobile device
It is preferable to create a special group, such as UninstallGroup, on the Users tab, and then create a package of
Device Manager option registry keys containing the uninstall option. You can then deploy this package to UninstallGroup
on the Deployment tab. Thereafter, you can add a user to UninstallGroup in order to uninstall Device Manager from
the remote device.
1. Select Uninstall XenMobile from devices.
2. On the Deployment tab, deploy this configuration to selected users.
Configuring a Connection to Device Manager on SMS Reception or Call
This feature allows Windows Mobile devices to be forced to connect back to the server running Device Manager
when the device receives either a call or an SMS message from a preconfigured number. To enhance security, a keyword must
be included in the SMS message. Because the sender number of an SMS message can be spoofed, the keyword, not the
number, is what stops a third party from triggering the connection, so keep it confidential. This is particularly useful if a
device is lost or stolen and needs to be remotely disabled or wiped.
To use this feature, in the Connect On SMS reception / Connect on Call dialog box, select whether to connect to the server
when receiving an SMS message or a phone call from a specific number.
Configuring Exchange Server for Windows Mobile Devices
Using the MS Exchange configuration for MS Outlook wizard in Device Manager, you can configure mobile email
settings easily and automatically across your entire fleet of devices. These settings generate the appropriate registry
keys to synchronize with an Exchange server:
Exchange server name
Settings for receiving emails and attachments
Calendar settings
Other settings
On the General tab, select the appropriate device operating system type, because different configuration options are
available depending on the operating system release. For instance, task synchronization is available for Windows
Mobile 6 devices but not for Windows Mobile 2003 or Windows Mobile 5.
If you create an Exchange tunnel and you specified an alias, the value you enter in Server address has to be the same as
the value you enter in Specify a local alias on the Tunnel tab. The server running Device Manager manages and
optimizes the data stream and communication between the Exchange server and the mobile device.
Configuring Windows Mobile Devices for Roaming Situations
The roaming settings in Device Manager for Windows Mobile devices generate the appropriate registry keys for better
control of wireless communication costs while traveling abroad and using mobile operator networks other than your
default mobile operator (that is, the mobile operator whose name is stored on the SIM card of the mobile device). In
roaming situations, when the device has a cellular connection set up, the device connects to the server running Device
Manager according to the following settings:
Note: You can select more than one setting.
Use on demand connection only. The device only connects to the Device Manager server if the user
manually triggers the connection from the Device Manager Agent screen on the device, or if a mobile
application requests a forced connection (such as a push mail request, if the Exchange server has been set up
accordingly). Note that this option temporarily disables the default device connection schedule policy as
defined in the Scheduling wizard within the Registry tab.
Block all cellular connections except the ones managed by Device Manager. Except for the data traffic
officially declared in a Device Manager application tunnel or other Device Manager device management
tasks, no other data is sent or received by the device. For example, this option disables all
connections to the Internet via the device web browser (Pocket IE).
Block all cellular connections managed by Device Manager. All "application" data transiting through a Device
Manager tunnel is blocked (including the Device Manager Remote Support application). However, the
data traffic related to pure "device management" (such as the deployment of a new Device Manager
package) is not blocked.
Block all cellular connections to the Device Manager Server. In this case, until the device is
reconnected via USB, Wi-Fi, or its default mobile operator's cellular network, no traffic
transits between the device and the Device Manager server.
On the Deployment tab, you can also configure a rule to avoid deploying a specific package (say "XYZ") when roaming. In
this case, if the Block all cellular connections managed by Device Manager option has been selected, all packages
except "XYZ" are still deployed even in roaming situations.
On the Tunnel tab, a given application tunnel can be forced to block all data traffic when roaming. For example, if the
Block all cellular connections except the ones managed by Device Manager option has been selected, the "CRM_App"
data traffic is still blocked although it is managed as a Device Manager tunnel.
To configure a new registry configuration manually
1. Click New configuration.
2. Enter a name. This creates a default, blank registry value set, in which you can create custom registry entries to
suit your requirements.
To delete a registry key configuration
1. Select the registry configuration to be deleted.
2. Click Delete.
3. When prompted, confirm the deletion.
To use the schedule wizard to configure connections for Windows Mobile devices
1. On the Policies tab, click Registry Configurations, and then on the Wizard menu, click Scheduling.
2. In Scheduling configuration parameters, select one of the following options:
Do not define connection policy. The device does not reconnect unless the user clicks Connection in
Device Manager.
Keep connection permanently live. If the connection is permanent, Device Manager on the mobile
device attempts to reconnect automatically to the server running Device Manager after a network
connection loss and monitors the connection by transmitting control packets at regular intervals.
(This configuration is not recommended because it consumes more battery charge and generates
more network traffic.)
Define a permanent and/or occasional connection schedule within a given time range. Keep the
connection live during the following time range:
Define a period in which the device stays connected to the server. Device Manager on the
device attempts to reconnect to the server running Device Manager after a network connection
loss and monitors the connection by transmitting control packets at regular intervals.
Force one connection during the time range below. The connection automatically shuts down
once updates have taken effect. This option forces a scheduled, one-time connection to the
server, in particular to check for the availability of new deployments. To avoid a connection peak at
the beginning of the selected range, the relevant devices connect at random times during the defined
range. Device Manager on the device only reconnects after a network connection loss if an
operation was in progress. The server running Device Manager likewise terminates the
connection after an inactive period.
Note: Both of the preceding options include an option to set the schedule to the local device clock
or to UTC time.
Creating Symbian Configuration Profiles
Symbian device configuration in Device Manager is done by sending OMA Device Management (OMA-DM) commands to the
devices. The list of supported commands can be found on the Nokia Developer web site. A search for the "OMA
Device Management" keywords in the document section of that web site returns a number of documents describing
the Device Description File (DDF) for features that can be controlled using OMA-DM.
OMA-DM allows control of Symbian devices by:
Defining WiFi or GPRS access points.
Defining Mail for Exchange parameters.
Encrypting the device and/or SD cards.
Customizing devices.
Configuring VoIP parameters.
That list is not an exhaustive list of what can be configured on Symbian devices, and features may depend on the
device model. For instance, device encryption was supported on S60 3.2 devices only on the E-Series devices.
Device Manager supports the , , and OMA-DM commands.
The following example displays the message "Management in progress..." on the user's device for 30 seconds (an
OMA-DM DISPLAY alert, code 1100, whose first item carries the minimum display time option and whose second item
carries the text):
<Alert>
  <CmdID>_cmdid_</CmdID>
  <Data>1100</Data>
  <Item>
    <Data>MINDT=30</Data>
  </Item>
  <Item>
    <Data>Management in progress...</Data>
  </Item>
</Alert>
The structure of an OMA-DM command must always contain a command ID. In this case, the command ID is interpreted
on the fly: you write the placeholder "_cmdid_", and Device Manager replaces it with the actual command ID when the
command is sent. The following example configures the Mail for Exchange client.
CmdID: _cmdid_
Item Target (LocURI)                          Item Data
./MailForExchange/Server                      webmail.mycompany.com
./MailForExchange/UseDefaultPort              True
./MailForExchange/UseSSL                      True
./MailForExchange/ToNapID                     BearerManagementSNAP/SNAP4097
./MailForExchange/Roaming                     2
./MailForExchange/UserName                    $user.samaccountname
./MailForExchange/Domain                      $user.domainname
./MailForExchange/Email/Addr                  $user.mail
./MailForExchange/Schedule/OffPeakSchedule    1
Note that this is just an example; many more options are available to configure in the Mail for Exchange client. As you
can see, several commands can be chained in the same command block. User attributes can be inserted with the
$user.attributename macro; these macros are replaced on the fly by the actual user data.
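The two examples above, generated the way Device Manager would send them, as an added example written for this page (not Citrix code): it assumes the OMA DM 1.2 SyncML layout for the Alert and Replace commands (the page shows the values but not the markup, and the choice of Replace for the Mail for Exchange items is an assumption), performs the two server-side substitutions the text describes, the `_cmdid_` placeholder and the `$user.attributename` macros, and fails loudly on a macro that names an attribute the user record does not have rather than sending an empty value to the device. The user record is constructed sample data.

```python
"""Build the OMA-DM block Device Manager sends to a Symbian device.

Added example, not Citrix code. It assumes the OMA DM 1.2 SyncML layout for
Alert and Replace commands (the page shows the values, not the markup) and
reproduces the two server-side substitutions the page describes: the
_cmdid_ placeholder becomes a running command ID, and $user.<attribute>
macros become the enrolling user's directory attributes.
"""
import re
import xml.etree.ElementTree as ET

CMDID_PLACEHOLDER = "_cmdid_"
MACRO = re.compile(r"\$user\.([A-Za-z]+)")

# Constructed sample user; the attribute names are the ones the page's macros use.
SAMPLE_USER = {
    "samaccountname": "jdoe",
    "domainname": "CORP",
    "mail": "jdoe@mycompany.com",
}

# The page's Mail for Exchange settings: management-tree node -> value.
MAIL_FOR_EXCHANGE = {
    "./MailForExchange/Server": "webmail.mycompany.com",
    "./MailForExchange/UseDefaultPort": "True",
    "./MailForExchange/UseSSL": "True",
    "./MailForExchange/ToNapID": "BearerManagementSNAP/SNAP4097",
    "./MailForExchange/Roaming": "2",
    "./MailForExchange/UserName": "$user.samaccountname",
    "./MailForExchange/Domain": "$user.domainname",
    "./MailForExchange/Email/Addr": "$user.mail",
    "./MailForExchange/Schedule/OffPeakSchedule": "1",
}


def display_alert(text: str, min_seconds: int) -> ET.Element:
    """DISPLAY alert (code 1100): first Item carries the MINDT option, second the text."""
    alert = ET.Element("Alert")
    ET.SubElement(alert, "CmdID").text = CMDID_PLACEHOLDER
    ET.SubElement(alert, "Data").text = "1100"
    ET.SubElement(ET.SubElement(alert, "Item"), "Data").text = f"MINDT={min_seconds}"
    ET.SubElement(ET.SubElement(alert, "Item"), "Data").text = text
    return alert


def replace_command(settings: dict) -> ET.Element:
    """One Replace command (assumed) with one Item per node, chained as the page shows."""
    rep = ET.Element("Replace")
    ET.SubElement(rep, "CmdID").text = CMDID_PLACEHOLDER
    for loc_uri, value in settings.items():
        item = ET.SubElement(rep, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = loc_uri
        ET.SubElement(item, "Data").text = value
    return rep


def expand_macros(value: str, user: dict) -> str:
    """Replace $user.<attribute>; an unknown attribute is an error, never a silent blank."""
    def lookup(m: re.Match) -> str:
        attr = m.group(1).lower()
        if attr not in user:
            raise KeyError(f"no user attribute for macro $user.{attr}")
        return user[attr]
    return MACRO.sub(lookup, value)


def render(commands: list, user: dict, first_cmdid: int = 1) -> str:
    """Number the commands, expand macros in every Data element, return the SyncBody text."""
    body = ET.Element("SyncBody")
    for cmdid, cmd in enumerate(commands, start=first_cmdid):
        cmd.find("CmdID").text = str(cmdid)
        for data in cmd.iter("Data"):
            if data.text:
                data.text = expand_macros(data.text, user)
        body.append(cmd)
    ET.SubElement(body, "Final")
    return ET.tostring(body, encoding="unicode")


def build_block(user: dict = SAMPLE_USER) -> str:
    """The page's two examples as one block: a 30 s banner, then the Exchange profile."""
    return render([display_alert("Management in progress...", 30),
                   replace_command(MAIL_FOR_EXCHANGE)], user)


if __name__ == "__main__":
    print(build_block())
```

Running the script prints the SyncBody with CmdID 1 for the alert and CmdID 2 for the Replace, and `$user.samaccountname` already rewritten to `jdoe`. The strict macro lookup matters operationally: a typo such as `$user.samaccountnme` would otherwise reach the device as an empty user name and the Mail for Exchange profile would fail to authenticate on every device in the fleet.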
Special configurations can be created to enforce policies on Symbian devices. Those configurations have the following
format.
_cmdid_
am_policy

The parameter can be set with the following values:
am_policy / am_policy_del: This will set or remove the application management policy enforcement to
control application installation and removal.
ap_policy / ap_policy_del: This will set or remove the Access Points policy management enforcement.
custo_policy / custo_policy_del: This will set or remove the device customization policy management
enforcement.
ds_policy / ds_policy_del: This will set or remove the Data Synchronization policy management
enforcement.
email_policy / email_policy_del: This will set or remove the Email policy management enforcement.
im_policy / im_policy_del: This will set or remove the Instant Messaging policy management enforcement.
wlan_policy / wlan_policy_del: This will set or remove the WLAN Access Points policy management
enforcement.
To create a new Symbian configuration profile, on the Policies tab, click New configuration in the Configurations section
of Symbian.
To use the schedule wizard to configure connections for Symbian devices
1. On the Policies tab, click Configurations, and then on the New Configuration menu, click Scheduling.
2. In the Scheduling dialog box in Device Manager, enter a name for the configuration and, optionally, a description.
3. In Scheduling configuration parameters, select one of the following options:
Do not define connection policy. The device does not reconnect unless the user clicks Connection in
Device Manager.
Keep connection permanently live. If the connection is permanent, Device Manager on the mobile
device attempts to reconnect automatically to the server running Device Manager after a network
connection loss and monitors the connection by transmitting control packets at regular intervals.
(This configuration is not recommended because it consumes more battery charge and generates
more network traffic.)
Define a permanent and/or occasional connection schedule within a given time range. Keep the
connection live during the following time range:
Define a period in which the device stays connected to the server. Device Manager on the
device attempts to reconnect to the server running Device Manager after a network connection
loss and monitors the connection by transmitting control packets at regular intervals.
Force one connection during the time range below. The connection automatically shuts down
once updates have taken effect. This option forces a scheduled, one-time connection to the
server, in particular to check for the availability of new deployments. To avoid a connection peak at
the beginning of the selected range, the relevant devices connect at random times during the defined
range. Device Manager on the device only reconnects after a network connection loss if an
operation was in progress. The server running Device Manager likewise terminates the
connection after an inactive period.
Note: Both of the preceding options include an option to set the schedule to the local device clock
or to UTC time.
Creating Deployment Packages
You can remotely deploy a package of settings to a mobile device from the Deployment tab in the web console. You can use
the Package building wizard to build packages from preconfigured objects. Connected devices receive the package
as soon as the scheduling rules are met. Reconnecting devices receive the package as they reconnect, subject to other rule
criteria.
Packages are compilations of previously created resources, prepared into configurations for the various user groups.
Packages include the following:
A package name
Groups of users
Resources, which, depending on the device operating system, are a combination of the following:
A server group
App tunnels
Registry configurations
XML configurations
Software inventory
Applications
Files
Deployment schedule
Deployment rules
How Base Packages Work
Device Manager contains preconfigured base deployment packages that automatically deploy to devices as soon as a
user enrolls the device in Device Manager. The base packages are important for enabling basic device management.
The base packages in Device Manager contain the following policy configurations, categorized by device platform:
iOS. Software inventory and MyAppStore (Citrix Worx Home web clip) policies, plus the following Citrix
apps:
Citrix ShareFile
Citrix Receiver
Citrix Podio
Citrix GoToMeeting
Android. Scheduling policies for connections to XenMobile, remote support tunnel, and software inventory
policies, plus the following Citrix apps:
Citrix Receiver
Citrix GoToMeeting
Windows Phone 8. Passcode policy.
Windows 8 Tablet. Software inventory policies.
Symbian. Passcode policy.
Windows Mobile. Remote Support tunnel, scheduling, passcode, and client config policies.
For more information about configuring policies, see Creating Device Manager Policies.
To create a software inventory package
A software inventory policy in Device Manager enables you to check the following apps and software packages installed on a
device:
iOS: All non-default apps
Android: All non-default apps
Windows: All apps installed by the XenMobile system
A software inventory policy exists inside a Device Manager package. You can deploy the policy to any user group for any
device platform.
1. Click the Deployment tab and then click New Package > New package.
2. On the Package Name page of the Create New Package wizard, enter a name for the policy and then click Next.
3. On the Groups of users page, select the users whose devices you want to inventory and then click Next.
4. On the Resources to be deployed page, in Available Resources, select Software Inventory, click the right arrow to
move Software Inventory into the Resources to Deploy column, and then click Next.
5. On the Deployment schedule page, configure the package to push Now or at a specified time in the future, and then
click Next.
6. On the Deployment rules page, specify any deployment rules you want to associate with the package and its
deployment, and then click Next.
7. On the Package summary page, review the configuration and then click Finish.
To deploy the package, select the package and then click Deploy. Connected devices receive the package as soon as
scheduling rules are met.
To create and deploy a deployment package
The following steps use an app removal policy as the resource being deployed.
1. In the Device Manager management console, click the Deployment tab.
2. On the New Package menu, select New package.
3. On the Package Name page of the Create New Package wizard, enter a name for the app removal policy, and then
click Next.
4. On the Groups of users page, select the users from whose devices you want to remove the app and then click Next.
5. On the Resources to be deployed page, in Available Resources, select the app removal policy you want to use for the
package, and then click the right arrow button to add the resource to the package.
6. Click Next.
7. On the Deployment schedule page, configure the package to push now or at a specified time in the future.
8. Click Next.
9. On the Deployment rules page, specify any deployment rules you want to associate with the app and its deployment.
For more detailed information, see Deployment Rules.
10. Click Next.
11. On the Package summary page, review the app removal package configuration and then click Finish.
12. Click Deploy in the toolbar.
All connected devices receive all configured packages as soon as scheduling rules are met. Reconnecting devices receive
the package when they connect, subject to other rule criteria.
Configuring Deployment Rules
You can set any number of parameters that affect the deployment outcome of a package.
For example, your package deployment could be based on a specific operating system version, on a particular
hardware platform, or on some other combination. In this wizard, you will find both a Simple and an Advanced rule editor,
with the Advanced view being a free-form editor.
Simple Deployment Rules
Simple deployment rules are composed of predefined tests and resulting actions. Wherever possible, the results are
prebuilt into the example tests. For example, when basing a package deployment on a hardware platform, all existing
known platforms are populated into the resulting test, drastically reducing your rule creation time and limiting possible
errors.
Click New rule to add a rule to the package.
Note: The rule builder includes further information, specific to each test.
To create a new rule, you select a rule template, select the condition type, and then customize the rule. Customizing the
rule includes modifying the description. When you finish configuring settings, you add the rule to the package.
You can add as many rules as you want. The package is deployed only when all of the rules match.
Advanced Deployment Rules
If you click the Advanced tab, the Advanced Rule Editor appears.
In this mode, you can specify the relationship between the rules. The operators AND, OR, and NOT are
available.
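The two editors' semantics, as an added example written for this page (not Citrix code): simple rules are property tests that must all match, and the advanced editor's AND, OR and NOT are modelled as a small expression tree evaluated against each device's reported properties. The property names (`platform`, `os_version`, `jailbroken`), the operators, and the device inventory are assumptions for illustration. It also shows the edge case a practitioner should check when writing a NOT rule: a property the device never reported satisfies no test, so NOT over it passes, which is why a security-relevant exclusion is better expressed as a positive test.

```python
"""Evaluate package deployment rules against a device inventory.

Added example, not Citrix code. Simple rules are the predefined tests the
page describes (the package deploys only when every rule matches); the
advanced editor's AND / OR / NOT relationships are modelled as a small
expression tree. The property names (platform, os_version, jailbroken) and
the sample devices are assumptions for illustration.
"""
from dataclasses import dataclass


def version(v) -> tuple:
    """'10.0' -> (10, 0) so that it sorts after '9.3'; plain string comparison would not."""
    return tuple(int(p) for p in str(v).split("."))


@dataclass(frozen=True)
class Rule:
    """One simple test: a device property compared with a value."""
    prop: str
    op: str        # eq, ne, gte, lt, in
    value: object

    def matches(self, device: dict) -> bool:
        actual = device.get(self.prop)
        if actual is None:
            return False          # a property the device never reported satisfies no test
        if self.op == "eq":
            return actual == self.value
        if self.op == "ne":
            return actual != self.value
        if self.op == "gte":
            return version(actual) >= version(self.value)
        if self.op == "lt":
            return version(actual) < version(self.value)
        if self.op == "in":
            return actual in self.value
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class And:
    parts: tuple


@dataclass(frozen=True)
class Or:
    parts: tuple


@dataclass(frozen=True)
class Not:
    part: object


def evaluate(expr, device: dict) -> bool:
    """Advanced editor semantics: combine rules with AND, OR and NOT."""
    if isinstance(expr, Rule):
        return expr.matches(device)
    if isinstance(expr, And):
        return all(evaluate(p, device) for p in expr.parts)
    if isinstance(expr, Or):
        return any(evaluate(p, device) for p in expr.parts)
    if isinstance(expr, Not):
        return not evaluate(expr.part, device)
    raise TypeError(f"not a rule expression: {expr!r}")


def simple_rules(rules) -> And:
    """Simple editor semantics: every rule must match."""
    return And(tuple(rules))


def targets(expr, devices: dict) -> list:
    """Names of the devices the package would be deployed to."""
    return sorted(name for name, props in devices.items() if evaluate(expr, props))


# Constructed inventory (not real data); wp8-03 never reported a jailbreak status.
DEVICES = {
    "ipad-01": {"platform": "iOS", "os_version": "7.1", "jailbroken": False},
    "nexus-02": {"platform": "Android", "os_version": "4.4.2", "jailbroken": True},
    "wp8-03": {"platform": "Windows Phone 8", "os_version": "8.0"},
    "ipad-04": {"platform": "iOS", "os_version": "6.1.3", "jailbroken": False},
}

# Deploy to iOS 7 or later, or any Android, but never to a jailbroken or rooted device.
POLICY = And((
    Or((And((Rule("platform", "eq", "iOS"), Rule("os_version", "gte", "7.0"))),
        Rule("platform", "eq", "Android"))),
    Not(Rule("jailbroken", "eq", True)),
))

# Two ways to say "not jailbroken": NOT passes a device with no report, the positive test does not.
NOT_JAILBROKEN = Not(Rule("jailbroken", "eq", True))
KNOWN_CLEAN = Rule("jailbroken", "eq", False)

if __name__ == "__main__":
    print(targets(POLICY, DEVICES))          # ['ipad-01']
    print(targets(NOT_JAILBROKEN, DEVICES))  # ['ipad-01', 'ipad-04', 'wp8-03']
    print(targets(KNOWN_CLEAN, DEVICES))     # ['ipad-01', 'ipad-04']
```

The version-tuple comparison is the other detail worth carrying over to the real editor: an OS-version test written as a string comparison puts "10.0" before "9.3", so a rule meant to exclude old releases silently lets them through.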
Configuring Deployment Schedules
The Deployment schedule allows you to define when to deploy a package.
You can schedule the deployment for:
A future time (Do not deploy).
A single deployment (one time).
A permanent deployment, to make sure that the devices always have the package content (On every
connection). This is designed to ensure that the devices initially comply, and continue to comply, with your application
policies.
The available options might change depending on the platform type.
You can configure the schedule to make sure that a package is deployed only one time. For example, if users change
deployment settings, the package does not deploy again.
The window differs by device type (the original documentation shows the window for Windows Mobile devices here).
Important: Some devices may not observe the schedule. When you select a precise date for the deployment, the targeted
devices receive the information to try to reconnect during that time frame, even if they do not have connection scheduling in
place during the specified time frame. However, if a device does not connect, or connects later than the configured time
frame, the device does not receive the package.
Configuring Package Hierarchy and Relationship Rules
Hierarchy rules apply to assignments between packages and sub-packages. The following table shows how user group
and package structures correspond.
User Group Structure          Package Structure
ABC (group parent)            XYZ (package parent)
  Marketing (group child)       Marketing (sub-package)
  R&D (group child)             RD (sub-package)
  Admin (group child)           Admin (sub-package)
Scenario 1: If no assignment was made at the parent package level, but assignments were made at the sub-package level,
the sub-packages inherit their parent package. The conditions are:
The XYZ package is not assigned to a specific group.
The Marketing, R&D and Admin sub-packages are assigned to the ABC.Marketing, ABC.RD, and ABC.Admin
subgroups, respectively.
The result is that the ABC.Marketing, ABC.RD, and ABC.Admin subgroups inherit from the XYZ package solely because
this package is not assigned.
Scenario 2: If the assignment was made at the parent package level as well as at that of the sub-package, the latter
retrieves its own assignments alone. The conditions are:
The XYZ package is assigned to the ABC group.
The Marketing, R&D and Admin sub-packages are assigned to the ABC.Marketing, ABC.RD, and ABC.Admin
subgroups, respectively.
The result is that the ABC.Marketing, ABC.RD, and ABC.Admin subgroups do not inherit from the XYZ package.
Note: You can restrict the deployment of a package to a subset of devices within the selected user group by defining rules.
Configuring Automated Actions
With Automated Actions, you can configure Device Manager to perform actions based on user or device properties,
events, or the existence of applications on devices.
For example, you can configure the following Automated Actions:
You can automatically notify users whose iOS or Android devices are jailbroken or rooted that they are in
violation of company policy and that the device will be selectively wiped if it is not brought into
compliance.
You can automatically enforce a geo-fencing policy whereby, if a user's device leaves a defined geographical
perimeter, the device is blocked from accessing your organization's email, is selectively wiped, or is
revoked.
You can alert users automatically when mobile devices are roaming domestically or internationally and that
they may be charged extra for the service.
You can wipe a user's device automatically when the user leaves the company, and can disable the user's
Active Directory account, so that the user can no longer access your organization's data.
You can place a user's device into an Out Of Compliance state automatically if the user installs a blacklisted
app, and you can send the user a notification informing them that they have broken the organization's
mobile app policy.
Note: Before you can use Automated Actions to send automated notifications, make sure you have configured notification
servers for SMTP and SMS so that Device Manager can send the message. For details, see Configuring SMTP Notification
Server and Configure SMS Notification Gateway.
How Automated Actions Work
You can configure Automated Actions in Device Manager to trigger an event when a user device is out of compliance.
You configure the following settings when you configure Automated Actions:
Trigger. The state that must exist to cause the event.
Condition. The setting that defines the trigger explicitly.
Action. The result that occurs if the trigger conditions are met.
Options. The ability to delay an action, to notify users of the policy violation and allow time for users to
remedy the condition.
Before you start using Automated Actions, consider the following:
If devices are shared between two users and you want to re-enroll the device to the second user, make sure
that you delete the device entry from the Device Manager Devices tab before enrolling the second user.
Automated Actions are only triggered when a device connects to Device Manager. For example, a
notification is not sent to a device until the device attempts a connection back to the server. Likewise, if any
of the managed devices are currently blocked by Secure Mobile Gateway, notifications are not sent to those
devices until users initiate ActiveSync activity, such as receiving email, or the device synchronizes with
Exchange. Because evaluation happens only at connection time, a device that stops connecting is never
evaluated, so do not rely on an automated action alone to contain a device that has gone silent.
You can deploy Automated Actions to anonymous devices if you deploy the package to anonymous users.
You cannot perform Notify (SMTP/SMS) Automated Actions on anonymous (unauthenticated) users.
The only Automated Actions you can perform on unmanaged devices, that is, on devices that are revoked,
have been selectively wiped, or are not enrolled, are the Notification and Set as Out Of Compliance actions.
The Set as Out Of Compliance action keeps a device in that state until another action explicitly changes the state
of the Out of Compliance property.
You cannot set the Secure Mobile Gateway block notification on a device that is not enrolled.
If you are using an Automated Action to detect when users disable location services on an iOS device
and you want to send a notification, wipe, or revoke the device, you must enable Report if location services
are disabled when you configure an iOS geo-tracking policy. For details, see To configure an iOS Geo-tracking
policy.
If you want to create an Automated Action based upon a user whose Active Directory account is disabled,
you can use the Event Trigger named 'AD Disabled User'.
If you create custom notification templates of the following types, Out of Compliance and AD Disabled User,
you cannot select the templates when you configure an Automated Notification.
There is a default one-hour waiting period for event-based triggers. Recurring notifications may be delayed
relative to the original event that causes the notification to be sent. For example, you might configure Device
Manager to send a recurring notification every hour, but users do not receive the notifications on that schedule.
The reason for the delay is that recurring notifications are not sent until the configured trigger occurs
again after the Repeated Wait time expires.
Choosing Automated Actions Trigger Types
Triggers are the states, events or properties that cause an automated action to occur. There are four categories of
triggers: Device Property, User Property, Applications, Event. Each trigger can contain multiple types.
The following table provides a few examples of triggers and trigger events.
Trigger Examples
Device Property Useful device properties you can use as triggers for automated actions:
Jailbroken or Rooted. If users jailbreak their device, you can set an action to notify
the user and if the user does not undo the jailbreak in a given amount of time,
selectively wipe the device.
Out Of Compliance. If a device is put into a state of being out of compliance, you
can block that device from the SMG (and thus corporate email) and notify the
user.
Passcode compliant. If this trigger's condition is false, then you can set the device
to Out Of Compliance or selectively wipe the device.
Perimeter Breach. If the device leaves the geo-perimeter defined in an iOS geo-fencing policy, this condition can be set and used to notify the user, wipe the device,
and so on.
Many more: Look in the Automated Actions dialog to view all device properties.
User Property Useful user properties you can use as triggers for automated actions:
Active Directory failed login attempts. If an Active Directory user attempts to log in
more times than allowed, you can notify the user that they will have to wait a
certain time period before they can try to log in again.
Applications This trigger allows you to specify whether or not an app is installed on a device, by name, and
then set an appropriate action such as notify or set the device as out of compliance.
Event The following system events can be used as triggers in automated actions:
Secure Mobile Gateway block. A user's device has been blocked by the Secure
Mobile Gateway and the device lost access to your organization's email.
Device unmanaged. The device lost its ability to connect to and communicate with
(and thus be managed by) the Device Manager server.
Device jailbroken. A user broke the iOS user agreement and warranty in order to
install unauthorized software.
Device not blacklist or whitelist app compliant. A user's device breaks an app
blacklist or whitelist policy; you can choose an action to perform.
Device revoked. The device has lost ability to connect to the Device Manager
server.
Device international roaming. A user's device is roaming internationally.
Device domestic roaming. A user's device is roaming domestically.
Location perimeter breach. A user's device has gone outside of a defined
perimeter.
Location services disabled. The location services on a user's device are disabled.
Active Directory disabled. If you disable a user's Active Directory account, such as
when an employee leaves a company.
Types of Automated Actions
The following list details the types of actions you can configure to occur automatically based on trigger type.
Selective Wipe. Clears organizational data from the device while retaining personal information and selected
settings. The MDM profiles and all packages pushed by Device Manager to the device are removed. The
device can, however, be re-enrolled at a future time.
Revoke. Revoking a device prohibits any further connection from the device. If the device attempts to
connect to Device Manager, the MDM profile and all packages deployed to the device are removed. The
device is barred from re-enrollment unless it is re-authorized by an administrator.
Set as Out Of Compliance. The device is given a property named Out of Compliance and the property is set to True. When a device is out of compliance (has this property set to True), it appears in the Out of Compliance Alerts widget on the Dashboard.
Configuring Location Services Triggers
1. In the Location Services - Configuration creation dialog box, select Report if location services are disabled.
2. Click Create.
3. In the New automated actions dialog box, do the following:
a. In Name, type a name for the automated action.
b. Under Trigger, in Trigger type, select Event and in Event, select Location services disabled.
4. Click Create.
Automated Actions Example: Notifications for Blacklisted Apps
This topic is an example procedure that illustrates using Device Manager Automated Actions to set up an automatic
notification to inform users when they install a forbidden (also known as "blacklisted") app on their device. You can
manage user devices to make sure that a work device installs the approved list of apps only, and that the device does
not have any forbidden apps installed.
This example shows the following tasks:
Configure the notification template you want to send.
Create an Applications Access policy to designate an iOS app named Words with Friends Free as forbidden (blacklisted).
Create an Automated Action that sends a notification when a device violates a forbidden Applications Access policy.
Deploy the Automated Action and Applications Access policy to your device in a deployment package.
Install Words with Friends Free on your iOS device.
Receive the notification.
To configure a notification template
When users install a forbidden app on their device, you can send the correct notification by using a template for the message that is sent when the Non Compliant Blacklist / Whitelist trigger is correctly configured.
By default, all notification templates are configured to use the ${user.mail} macro, which uses the email address of the device owner who receives the notification. If you want notification emails to be sent to an administrative user, for example to notify an administrator that a device has been jailbroken, you can enter the administrator email address in the To field.
1. In Device Manager, click Options.
2. In the Server Options dialog box, in the left pane, expand Notification Templates.
3. In the right pane, under Notification Templates, click Non Compliant Blacklist / Whitelist.
4. In the Edit a Notifications Template dialog box, on the Settings tab, in Channels, select the channels of communication you want to use.
5. Click the SMTP tab and do the following:
a. In From, enter the name or email address from whom the notification is sent. This is not a mandatory field; however, Citrix recommends adding the name or email address.
b. In To, leave the macro ${user.mail}. If you modify the To field, the email might not be sent correctly.
c. In Message, you can modify the message except for the macros ${firstnotnull(device.TEL_NUMBER, device.serialNumber)} and ${outofcompliance.reason(whitelist_blacklist_apps_name)}. If you modify or remove the macros, the email might not be sent correctly.
6. Click Update. When you click Update, the template is ready for the Automated Action.
Next you will create a blacklist for an app, so you can use the blacklisted app as a trigger for your automated action
later. This example uses the Words with Friends Free app.
To create an Applications Access policy for a forbidden app
1. In the Device Manager web console, click the Policies tab.
2. On the left side of the console, under App Policies > Global, click Applications Access Policies.
3. Click New Applications Access Policy.
4. In the Add a new Applications Access Policy dialog box, type Words with Friends Free.
5. In Access policy, click Forbidden (blacklist).
6. In OS type, select iOS.
7. Click New app.
8. In the Add a new application dialog box, enter the following:
a. In App Name, type the name of the app. For example, type Words with Friends Free.
b. In App bundle ID, type the bundle ID of the app. For example, type com.zynga.WordsWithFriendsFree.
9. Click Create. The app appears in the list in the Add a new application dialog box.
10. Click Create again to create the Applications Access Policy. Once created, you can add this policy to a deployment package and deploy it to the devices you want to manage.
Next, you create an Automated Action that sends a notification email to users when they install a blacklisted app on
their device.
To create an Automated Action
1. In Device Manager, click the Policies tab.
2. In the left pane, under Global, click Automated Actions and then in the right pane, click New.
3. In the New automated action dialog box, do the following:
a. In Name, enter Blacklist Notify.
b. Under Trigger, in Trigger Type, select Applications and in Name, select Installed.
c. Under Condition, in Condition, select Is and then in Value, enter WordsWithFriendsFree.
d. Under Action, in Action, select Notify.
e. Under Action, in Template, select Non Compliant Blacklist / Whitelist.
f. Under Options, select Delay and then configure 10 minutes.
g. Under Options, select Repeat wait and configure one hour. This option allows you to delay sending the notification message in the event that there is a communication failure between the device and Device Manager.
4. Click Create.
In the last task, you create a deployment package that contains the Automated Action and then push that deployment to user devices.
To deploy the Automated Action and Applications Access policy to devices
Once the package is on your device, you install the blacklisted app to trigger both the notification message that your device is out of compliance and the Secure Mobile Gateway block on the server.
Citrix recommends that you create separate deployment packages for your Automated Actions and deploy them separately from other packages. Additionally, make sure you configure Deploy to anonymous users in the Groups of users page of the package, to include those users who may have removed their agents, or who have had their Active Directory account disabled.
You run the Create New Package wizard to deploy packages. During the wizard, you select the following:
Groups to which the policy is deployed.
Resources that include the Automated Actions you created and the Software Inventory resource.
1. In Device Manager, click the Deployment tab, and then click New Package > New iOS Package.
2. In the Create New Package wizard, in the Package Name window, enter a name for the package and then click Next.
3. In the Groups of users window, select a group you want to deploy this policy to and then click Next.
4. In the Resources to be deployed window, under Available Resources, expand the Automated Actions section and select the Automated Action you created in the previous task. Then, click the right arrow to add the resource to the deployment package.
5. Next, in the Available Resources list, under Applications Access Policy, select the Forbidden policy you previously created and click the right arrow button to add it to the package. Click Next.
6. In the Deployment schedule window, select the If not deployed Start Now option. Click Next.
7. In the Deployment rules page, click Next.
8. In the Package summary page, click Finish.
9. When the wizard is complete, in Device Manager, click Deploy to deploy the packages.
When Device Manager finishes the deployment, select the deployment package, and then click the Details button to see information about the success of the package deployment. When the package shows as deployed, you can move on to the next step and install the blacklisted app on your iOS device.
When the users targeted in the deployment install the blacklisted app, Words with Friends Free, on their iOS device, they receive a notification message that the app is not allowed.
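As an added example (not Citrix code) of the timing rules described at the start of this topic, the following Python model replays a sequence of device check-ins against an Applications trigger configured like the Blacklist Notify action above (Delay 10 minutes, Repeat wait one hour). It assumes, as the page states, that triggers are evaluated only when the device connects. The precise Delay and Repeat wait semantics (delay measured from the check-in at which the app was first seen; a repeat suppressed until the wait has expired and the trigger is seen again at a later check-in) and the check-in data are this model's assumptions, labelled in the comments.

```python
"""Toy model of Automated Action timing: Delay and Repeat wait.

Added example, not Citrix code. Assumptions are labelled in comments.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AutomatedAction:
    """An Applications trigger: app with bundle_id is Installed -> perform action."""
    name: str
    bundle_id: str
    action: str = "Notify"
    delay_min: int = 0          # Options > Delay
    repeat_wait_min: int = 60   # Options > Repeat wait (the page's default is one hour)
    first_seen: Optional[int] = None   # check-in minute at which the app was first observed
    last_fired: Optional[int] = None   # check-in minute at which the action last ran


@dataclass
class CheckIn:
    """One connection from the device to Device Manager (constructed sample data)."""
    minute: int
    installed_apps: List[str] = field(default_factory=list)


def evaluate(rule: AutomatedAction, checkin: CheckIn) -> Optional[str]:
    """Evaluate the rule at one check-in; return the action name if it fires."""
    # Assumption: triggers are only evaluated when the device connects, so
    # nothing happens between check-ins even if the condition is already true.
    if rule.bundle_id not in checkin.installed_apps:
        rule.first_seen = None          # app removed: the condition no longer holds
        return None
    if rule.first_seen is None:
        rule.first_seen = checkin.minute
    # Assumption: Delay is measured from the check-in at which the app was first
    # seen, and the action runs at the first later check-in once it has elapsed.
    if checkin.minute - rule.first_seen < rule.delay_min:
        return None
    # Assumption: Repeat wait suppresses a second firing until the wait has
    # expired AND the trigger is observed again at a subsequent check-in.
    if rule.last_fired is not None and checkin.minute - rule.last_fired < rule.repeat_wait_min:
        return None
    rule.last_fired = checkin.minute
    return rule.action


def run(rule: AutomatedAction, checkins: List[CheckIn]) -> List[Tuple[int, str]]:
    """Replay check-ins in order; return (minute, action) for every firing."""
    fired = []
    for c in checkins:
        result = evaluate(rule, c)
        if result is not None:
            fired.append((c.minute, result))
    return fired


def blacklist_notify_example() -> List[Tuple[int, str]]:
    """The 'Blacklist Notify' action from the procedure above: Delay 10, Repeat wait 60."""
    app = "com.zynga.WordsWithFriendsFree"
    rule = AutomatedAction(name="Blacklist Notify", bundle_id=app,
                           delay_min=10, repeat_wait_min=60)
    checkins = [                       # constructed check-ins, minutes since deployment
        CheckIn(0, []),                # compliant
        CheckIn(5, [app]),             # app installed: first seen, Delay starts
        CheckIn(12, [app]),            # only 7 min since first seen: still within Delay
        CheckIn(30, [app]),            # Delay elapsed: notification sent
        CheckIn(70, [app]),            # 40 min since last firing: inside Repeat wait
        CheckIn(80, [app]),            # still inside Repeat wait
        CheckIn(95, [app]),            # wait expired and trigger seen again: second notification
        CheckIn(100, []),              # app removed: condition cleared
        CheckIn(101, [app]),           # reinstalled: Delay restarts, nothing fires yet
    ]
    return run(rule, checkins)


if __name__ == "__main__":
    for minute, action in blacklist_notify_example():
        print(f"t={minute:>3} min: {action}")
```

Note the gap between minute 90, when the one-hour Repeat wait expires, and minute 95, when the user is actually notified: the notification waits for the next connection at which the trigger is observed, which is the delay the page describes for recurring notifications.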
Changing Device Compliance with Automated Actions
Automated actions allow you to change the status of a device from a state of compliance to a state of non-compliance
based upon specific conditions. For example, you can set an Automated Action to change a device to a state of Out Of
Compliance=True if the device has been jailbroken or rooted, if the user disabled location services on the device, or if
the user installs a blacklisted application.
In cases where a user's device is put into an out of compliance state and the user then fixes the device so that it is in compliance, you need to configure a policy that deploys a package to reset the device to a compliant state.
For example, let's say you want to define the following three compliance policies in your organization by using Device
Manager Automated Actions:
Location Services Policy. This policy states that if a user disables location services on their device, then the
Automated Action should then set the device property Out of Compliance to True.
Blacklisted App Policy. This policy states that if a user installs a blacklisted app on their device, then the Automated
Action should then set the device property Out of Compliance to True.
Jailbreak Policy. This policy states that if a user jailbreaks their device, then the Automated Action should then set the
device property Out of Compliance to True.
Naming and Setting the Order of Deployment Packages
Device Manager deploys packages to target devices. When you create your Automated Action compliance policies, you need to name your policies in a very specific way, so that they run in the correct order.
Device Manager deploys packages according to their names, in alphanumeric order. Thus, you want to make sure that your Compliance Reset Automated Action package deploys first and that it does not reset any of the other Automated Action packages that are designed to track device compliance.
When you name your policies, make sure that the global compliance reset policies deploy first and then deploy your Automated Action compliance deployment packages.
In the example above, you might create three packages to track device compliance: the Geo-fence, Blacklist, and Jailbreak policies. Each Automated Action tracks the devices and sets a device to Out of Compliance=True when the user violates the policy. You also want to be able to reset the devices when the user brings the device back into compliance.
For example, you want a policy that resets the Out of Compliance device property, and you want this policy to run before any other policy. You can give it the name aaa-OOC-Reset so that it runs before the policies that can set a device out of compliance.
You can create an Automated Action that sets the device property to out of compliance if users disable location services on the device. If you want this policy to run after the reset policy, you can give the policy the name aab-location-services-disabled. You can then set the delay for a specific number of minutes so this policy runs after the compliance reset Automated Action that precedes it.
You can also create an Automated Action that sets the device property to out of compliance if users install a blacklisted app on their device. You can give the policy the name aac-blacklisted-app and set the delay to four minutes so it runs after the two policies preceding it.
You can create an Automated Action that sets the device property to out of compliance if users jailbreak or root their device. You can give the policy the name aad-jailbreak and set the delay to five minutes so it runs after the three policies preceding it.
Setting the Order of Compliance Packages
Your last step is to make sure that your compliance policies run in the correct order. To do so, create Deployment Packages and use the same names you used for the Automated Actions. You follow the same principles in naming that you use for Automated Actions. When you use this naming convention, you can make sure that the packages deploy in the same order as the Automated Actions.
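The following Python model is an added example, not Citrix code, of why the naming and delay convention above matters. It takes the page's rule that packages deploy in alphanumeric name order, adds the Delay on each Automated Action, and applies the four example policies to a constructed device record, once with the recommended names and once with the reset package misnamed so that it sorts last. The scheduling detail (actions run in order of Delay, ties broken by deployment order) and the rule bodies are this model's assumptions.

```python
"""Model of alphanumeric package ordering plus Delay for compliance packages.

Added example, not Citrix code. The page states that Device Manager deploys
packages in alphanumeric name order and that each Automated Action may carry a
Delay; that actions then execute in order of Delay with ties broken by
deployment order is this model's assumption.
"""
from typing import Callable, Dict, List, Optional, Tuple

Device = Dict[str, bool]
# A rule returns the new Out of Compliance value, or None to leave it untouched.
Rule = Callable[[Device], Optional[bool]]


def reset_rule(d: Device) -> Optional[bool]:
    return False                      # aaa-OOC-Reset: clear the flag before the checks run


def location_rule(d: Device) -> Optional[bool]:
    return True if not d["location_services"] else None


def blacklist_rule(d: Device) -> Optional[bool]:
    return True if d["blacklisted_app"] else None


def jailbreak_rule(d: Device) -> Optional[bool]:
    return True if d["jailbroken"] else None


# (package name, Delay in minutes, rule); names follow the page's convention.
# Listed deliberately out of order to show that the name, not list position, decides.
COMPLIANCE_PACKAGES: List[Tuple[str, int, Rule]] = [
    ("aad-jailbreak", 5, jailbreak_rule),
    ("aab-location-services-disabled", 3, location_rule),
    ("aaa-OOC-Reset", 0, reset_rule),
    ("aac-blacklisted-app", 4, blacklist_rule),
]


def execution_order(packages: List[Tuple[str, int, Rule]]) -> List[Tuple[str, int, Rule]]:
    """Deployment is alphanumeric by name; Delay then staggers when each action runs."""
    deployed = sorted(packages, key=lambda p: p[0])   # Device Manager's deployment order
    return sorted(deployed, key=lambda p: p[1])       # stable sort: equal delays keep name order


def reset_runs_first(packages: List[Tuple[str, int, Rule]]) -> bool:
    """Sanity check before deploying: the reset must be the first action to execute."""
    return execution_order(packages)[0][2] is reset_rule


def apply(packages: List[Tuple[str, int, Rule]], device: Device) -> Tuple[bool, List[str]]:
    """Run the actions in execution order; return final Out of Compliance and the trace."""
    ooc = device.get("out_of_compliance", False)
    trace = []
    for name, _delay, rule in execution_order(packages):
        new = rule(device)
        if new is not None:
            ooc = new
        trace.append(name)
    return ooc, trace


def good_and_bad_configs() -> Tuple[bool, List[str], bool, List[str]]:
    """Constructed device: flagged earlier, location on, no banned app, now jailbroken."""
    device: Device = {"out_of_compliance": True, "location_services": True,
                      "blacklisted_app": False, "jailbroken": True}
    good_ooc, good_trace = apply(COMPLIANCE_PACKAGES, device)
    # Misnamed reset with no delays anywhere: it sorts last and wipes the flag
    # that the jailbreak check just set, so the device ends up marked compliant.
    bad = [("zzz-OOC-Reset", 0, reset_rule)] + [
        (name, 0, rule) for name, _d, rule in COMPLIANCE_PACKAGES if rule is not reset_rule
    ]
    bad_ooc, bad_trace = apply(bad, device)
    return good_ooc, good_trace, bad_ooc, bad_trace


if __name__ == "__main__":
    good_ooc, good_trace, bad_ooc, bad_trace = good_and_bad_configs()
    print("recommended names:", good_trace, "-> Out of Compliance =", good_ooc)
    print("misnamed reset:   ", bad_trace, "-> Out of Compliance =", bad_ooc)
```

With the recommended names the jailbroken device finishes with Out of Compliance=True; with the reset package sorted last the same device finishes with Out of Compliance=False, which is exactly the silent failure the naming rule prevents. The reset_runs_first check is worth running against your package list before every deployment.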
Showing Automated Actions That Have Run
You can view all of the automated actions that have run from inside of Device Manager at any time.
1. In Device Manager, click the Policies tab and then select Show Executions.
Troubleshooting Automated Actions
To check whether or not an automated notification was sent to a user, you can try a few things:
Check the Deployment of the package that contained your Automated Action to make sure it is actually deployed.
Check the Device Manager Device Event Log to see which, if any, of the events specified in your automated actions have run.
Check the Device Manager Device Sent Notifications Log to see which notifications have been sent, which have failed, who received them, when they were sent, and more.
Configuring Notifications
You can use notifications in Device Manager to do the following:
Communicate easily with select groups of users from the Devices tab, such as all iOS device users, users whose devices are Out Of Compliance, all users with employee-owned devices, all users with unmanaged devices, and so on.
Enroll users and their devices into Device Manager.
Automatically notify your users (through Automated Actions) when certain conditions are met, such as when a user's device is about to be blocked from corporate access due to compliance policy violations, or when a user's device has been jailbroken or rooted.
Notifications are sent over three different channels: SMTP, SMS, and Agent Push (currently iOS only).
Before you can send notifications, you must configure a notification server, an SMS gateway, and a carrier SMS gateway. Also, you must select a notification channel in the notification template.
Note: Port 25 must be open from the Device Manager server located in your DMZ back to the SMTP server on your internal network for notifications to be sent successfully.
Sending Ad-Hoc Notifications
You can send one-time, ad hoc notifications in Device Manager to single or multiple users directly to their devices using SMTP (email), SMS, or Agent Push.
1. On the Devices tab, select a single device or select multiple devices. You can choose to filter the list of devices depending on your purpose. For example, you might want to send a message to all users who have jailbroken devices, or send a message to all users whose devices are listed as Out Of Compliance.
2. Select the devices to which you want to send notifications and then click Notification.
3. In the Notifications dialog box, enter the following information:
a. From. Enter who you want to be shown as the sender of the notification (optional).
b. To. The users associated with the devices you selected are automatically added to the notification recipient list. If you want to add other users beyond the list of devices you selected, you can enter the user's email address as known by Device Manager (case sensitive) and then click the plus icon to add the user.
c. Template. You can choose a template to fit the purpose of your notification. For example, if you want to notify users whose devices have been jailbroken and are out of compliance, you can select a custom ad hoc notification template built for this purpose.
d. Message. You can enter text, or if you choose a notification template, this field is populated with the text from the template.
e. Channel. Select the communication channel you want to use to send the message: SMTP (email), SMS, or Agent Push (iOS only).
4. Before you send the notification, if you are sending the message via SMS and you do not have a Nexmo subscription or SMS gateway server configured in Device Manager, click the Detailed Device List button to check if the recipients you have selected can be contacted through the notification mechanism.
5. In the Detailed Device List dialog box, you can troubleshoot any of the devices that show red lights, which indicate channels of communication that are not currently working to send the notification. The red lights indicate the recipients who may not receive the notification unless you add a carrier SMS gateway and address to use for sending the notification. The green lights in the SMTP column indicate that the SMTP server is functioning and will send the notification via email.
6. To manually enter an SMS carrier gateway and address, select the recipient and fill out the appropriate information.
7. When you are finished adding the SMS information, click Close.
8. Click Send to send the notification. Device Manager either delivers the message or queues it for sending. If the message is queued, the Sent Notification Log report indicates the results. Queuing occurs because either the system is busy (sending automated action notifications) or SMS sending has bandwidth restrictions. Only one SMS per second is supported.
To create a custom notification template in Device Manager
1. Click Options.
2. Click Notification Templates and then click New.
3. In the Create a Notification Template dialog box, on the Settings tab, enter the following information for your template:
Name. Enter a name for the template that indicates its use and purpose. For example, if this is a warning message regarding banned apps, you could name it Banned App Notification.
Description. Enter a brief description of this notification's purpose.
Notification Type. Determines the Automated Action event type the template is used with.
Channel. Select the channels through which you want to send the notification. Agent push is currently for iOS only.
4. Click the SMTP tab and then enter the following information:
From. (Optional) Name used in the email From field. Only enter a value here if you do not want to use the default value from the Notification Server definition.
To. An email address, system macro, or list (delimited by semicolons). System macros are used when sending automated action notifications. The system macro ${user.mail} is the default To field.
Subject. Enter a generic subject line for the message.
Message. Enter message text. If you want to use system macros in your custom notification template, open one of the predefined notification templates and borrow one of the commonly used macros, such as the macros used for users or devices.
5. Click the SMS tab and then enter the following information:
To. A system macro or mobile number. There are two system macros for use in enrollment templates and non-enrollment templates. For enrollment templates, use ${user.mobile}. For non-enrollment templates, use ${firstnotnull(device.TEL_NUMBER,user.mobile)}.
Message. Enter the message text that the user will see when the message is received.
6. Click the Agent tab and then enter the following information to be used for agent push notifications (iOS only):
To. Enter the variable ${device.TOKEN} for the device's token ID, which is used to identify and communicate with the device via agent push notification.
Message. Enter the message text that the user will see when the message is received.
Sound File. Select a sound file to be played when the user receives the push notification on their device.
7. When you are finished, click Create.
Using Notification Templates
You can use notification templates in Device Manager when you do the following:
Send enrollment invitations inviting users to enroll their devices.
Send ad hoc notifications, for example to notify users that their devices are jailbroken or to tell users important IT information (ad hoc notifications can also be sent without a template).
Configure Automated Actions to send notifications, such as an automatic notification when a user's device
has a blacklisted app or has moved beyond an organization-defined geo-fencing policy.
Device Manager comes with a set of predefined templates that reflect the capabilities of the Automated Actions feature.
Each template reflects a distinct type of event that Device Manager automatically responds to for each and every device
in the system.
You can modify a pre-defined notification template, but you cannot delete one. Citrix recommends that you do not edit
or modify the macros (for example, ${user.mail}) used inside of pre-defined templates, or they may not work.
The following table describes the predefined notification templates that come with Device Manager (template name, followed by its description):
Android Download Link. Provides a download link Web address for users who are enrolling their Android devices into Device Manager.
Enrollment. Provides a Web address to the Device Manager server that allows users to enroll their devices.
Enrollment URL. Provides a special enrollment Web address that allows users to enroll their devices securely, combined with other forms of authentication, depending on the chosen enrollment mode.
Enrollment PIN. Provides a one-time generated PIN that is used in PIN based enrollment modes.
iOS Download Link. Provides a download link Web address for users who are enrolling their iOS devices into Device Manager.
Jailbroken Device. Provides a message indicating that a specific device has been jailbroken.
Location Perimeter Breach. Provides a message informing a user that the device has gone outside of a predefined geo-fencing perimeter and thus could be blocked from corporate access.
Location Services Disabled. Provides a message informing a user that the device has had its location services turned off and thus could be blocked from corporate access.
Non-Compliant Blacklist/Whitelist. Provides a message informing a user that their device has an app installed that violates a corporate blacklist or whitelist policy.
Revoked Device. Provides a message informing a user that the device has been revoked and that any further connection from the device to Device Manager is prohibited. The device is barred from reenrollment unless it is reauthorized by an administrator.
Roaming Domestic. Provides notification when a device is roaming domestically across a carrier network, indicating both the device and the user name associated with the device.
Roaming International. Provides notification when a device is roaming internationally across a carrier network, indicating both the device and the user name associated with the device.
SMG Blocked. Provides a message stating that a specific user's device has been blocked because it has violated a specific compliance policy.
Unmanaged Device. Provides a message indicating that a specific user's device has become unmanaged (possibly due to uninstallation of the Device Manager agent or certificates) and must be reenrolled by a specific date or the device will no longer have access to corporate email.
System Macros in Device Manager Notification Templates
Notification templates in Device Manager use the following system macros when you use the Automated Actions feature for automated sending. Citrix recommends that you do not modify macros in templates, or else the notifications may not work.
Notifications are sent to the correct SMTP recipient address. For example, ${user.mail}.
Enrollment invitation Web addresses use the proper syntax to ensure secure authentication. For example, ${enrollment.url}.
Enrollment PINs can be generated. For example, ${enrollment.pin}.
The correct Device Manager server host name is used. For example, http://${zdmserver.hostPath}/enroll.
The correct user device (ID, name, and so on) is used when sending notifications. For example, ${firstnotnull(device.TEL_NUMBER,device.serialNumber)}.
The cause of an automated notification is given to the user. For example, ${outofcompliance.reason(smg_block)}.
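To make concrete why an edited or mistyped macro breaks a notification, here is an added example in Python (not Citrix code) of a small expander for the macro syntax used in these templates. The macro names are the ones listed on this page; the resolution rules (dotted lookup into a context dictionary, how firstnotnull and outofcompliance.reason are evaluated, failing hard on an unknown macro) and the sample context values are this example's assumptions. The macro_is_valid helper is the pre-save check a practitioner would want after editing a template.

```python
"""Expand Device Manager-style notification macros such as ${user.mail},
${firstnotnull(a,b)} and ${outofcompliance.reason(key)}.

Added example, not Citrix code. Macro names come from the page; the resolution
rules and the sample context are this example's assumptions.
"""
import re
from typing import Any, Dict, Optional

# ${name} or ${name(arg1,arg2)} where name is a dotted identifier
MACRO = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)(?:\((.*?)\))?\}")


def lookup(ctx: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve 'device.TEL_NUMBER' -> ctx['device']['TEL_NUMBER']; None if absent."""
    cur: Any = ctx
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render(template: str, ctx: Dict[str, Any]) -> str:
    """Expand every macro in template. Raises KeyError for a macro that cannot be
    resolved: an edited or mistyped macro must fail loudly, not send a broken mail."""
    def expand(m) -> str:
        name, args = m.group(1), m.group(2)
        if name == "firstnotnull":
            # first argument whose value is present and non-empty
            for arg in (a.strip() for a in (args or "").split(",")):
                value = lookup(ctx, arg)
                if value not in (None, ""):
                    return str(value)
            raise KeyError(f"all arguments of {m.group(0)} are null")
        if name == "outofcompliance.reason":
            reasons = lookup(ctx, "outofcompliance.reason") or {}
            key = (args or "").strip()
            if key not in reasons:
                raise KeyError(f"no reason recorded for {key}")
            return str(reasons[key])
        value = lookup(ctx, name)
        if value is None:
            raise KeyError(f"unresolved macro {m.group(0)}")
        return str(value)
    return MACRO.sub(expand, template)


# Constructed sample context standing in for the values Device Manager would supply.
SAMPLE_CONTEXT: Dict[str, Any] = {
    "user": {"mail": "alice@example.com", "mobile": "+15555550100"},
    "device": {"TEL_NUMBER": None, "serialNumber": "C02ABC123DEF"},   # no SIM: falls back to serial
    "zdmserver": {"hostPath": "mdm.example.com"},
    "enrollment": {"url": "https://mdm.example.com/enroll?token=sample", "pin": "482913"},
    "outofcompliance": {"reason": {
        "whitelist_blacklist_apps_name": "Words with Friends Free",
        "smg_block": "blocked by Secure Mobile Gateway",
    }},
}

# Shape of the Non Compliant Blacklist / Whitelist SMTP template from the example above.
BLACKLIST_TEMPLATE = (
    "To: ${user.mail}\n"
    "Device ${firstnotnull(device.TEL_NUMBER,device.serialNumber)} is out of compliance: "
    "${outofcompliance.reason(whitelist_blacklist_apps_name)}"
)


def render_blacklist_notice() -> str:
    return render(BLACKLIST_TEMPLATE, SAMPLE_CONTEXT)


def macro_is_valid(template: str) -> bool:
    """Dry-run check before saving an edited template: True if every macro resolves."""
    try:
        render(template, SAMPLE_CONTEXT)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print(render_blacklist_notice())
    print("edited To field ${user.email} valid:", macro_is_valid("${user.email}"))
```

Run against a template whose To field was changed from ${user.mail} to a macro the server does not know, macro_is_valid returns False, which is the failure the page warns about when it says a modified macro might stop the email from being sent.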
Configuring General Device Manager Options
You can use General Options to set general Device Manager device display settings, device access relative to number
of users per device, device triangulation enablement, and the Enterprise App Store availability for iOS.
Inactivity Days Threshold. Defines a time period in days within which a device must communicate back to the Device Manager server before its status changes to "inactive".
Note: If you are using Cisco ISE (or another NAC appliance) in conjunction with the Device Manager server to filter device access to your network, and the Inactivity Days Threshold value changes, restart the Device Manager service on the Device Manager server for the change to take effect.
Number of Devices per User. Maximum number of devices a user can enroll. If you want to prevent device
sharing, you can restrict the number of users per single mobile device, as well as restrict the number of
devices that a single user can register and enroll. If you set the value to zero that means a user can own any
number of devices. When a device or user limit is exceeded, the users receive an error that indicates that a
connection or license limit is reached, which prevents the additional user or device from enrolling.
Number of Users per Device. Maximum number of users that can share a single device. The default value is
zero, which means an unlimited amount of users can share the device.
Highlight Jailbroken or Rooted column, SMG Status column, Managed column. When enabled, these options provide status "lights" to indicate a device status. When disabled, the status lights (red or green) are not displayed and text is used to indicate status.
Enable Device Triangulation. Provides the ability to reconcile Android ActiveSync IDs with hardware
manufacturer identifiers to provide a common identity for Android devices.
Send Android Domain Users to Secure Mobile Gateway. When enabled, this option ensures that Device
Manager sends Android device information to Secure Mobile Gateway in the event that Device Manager
does not have the Android device user's ActiveSync identifier (ID).
Configuring Device Manager Security Options
The Security options dialog box allows you to customize the security features of the service. By default, when Secure Device is included in the license, it is automatically activated during installation with a strong level of security. If you need to change those parameters, use this dialog box.
Enforce SSL. Forces devices to communicate by using an SSL transport. All HTTP (unsecure) requests
from devices will be rejected.
Strong Authentication. Enables strong authentication by generating a Strong ID for devices that is then used
as a second method of authentication during the enrollment process.
Strong ID Valid Once. Allows Strong ID passcodes to only be used once. When the Strong ID is used once
to generate a device certificate, it cannot be reused. The device has to be revoked and re-authorized.
Certificate Renewal. Sets the renewal time for certificates used in Strong Authentication mode. A setting of
zero disables the certificate renewal process.
Always Add Device. Registers devices automatically into Device Manager even when Secure Device is
activated.
Block Rooted Android and iOS Enrollment. Enabling this function blocks rooted or jailbroken devices from
enrolling.
8 Char Strong ID. Enables a Strong ID character string that is limited to 8 characters.
Enable SHP Console for Users. Enables or disables the Self-Help Console for user management of devices.
XDM/SHP console max inactive interval. The time (in minutes) between client requests before the server
invalidates a log on session. If you set the value to zero, log on sessions do not timeout. For example, if the
console max timeout value is set to 1 (one minute) and a user logs on and does not interact with the UI for
over one minute, then the user is logged off. The console might still appear as if the user is logged on until
the user attempts to interact with the UI, but then the console will be refreshed and the user will see the log
on page.
iOS agent auto logout (minutes). Length of time before an iOS agent user is logged off due to inactivity.
Enable client cert authentication for iOS. If enabled, iOS enrollment agent uses certificate authentication. If
disabled, iOS enrollment agent uses session-based authentication.
To enable Strong ID
Strong ID is a form of two-factor authentication that provides an extra layer of security when enrolling a device.
Devices cannot enroll until the device's serial number or IMEI is known. When you enable Strong ID, Citrix recommends
enabling the 8-character Strong ID string.
In the Device Manager console, click Options > Security.
You can add the devices manually or import the devices from the Devices tab by using the serial number or IMEI,
which generates a Strong ID for the device.
When users are ready to enroll their device, they need to call support personnel and give the serial number or IMEI.
Support personnel can then provide the Strong ID from the device properties.
Configuring Role-Based Access Control
Updated: 2013-05-25
You can configure the following settings for role-based access control:
Access Role Based Access Control Settings
Create a New Access Control Role (Associate Actions with Roles)
Add Groups to a Role
Associate Users with Roles
To configure role-based access control
In the Device Manager console, in the left pane, expand Options > Access Control and then click Role Based Access
Control.
In the right pane, click New.
In the Create a Role dialog box, enter a name for the role, select the features you want to enable for the role, and then
click Create.
To add groups to a role
When you create a new role, you can also associate a user group with the role as part of the role definition.
In the Device Manager console, in the left pane, expand Options > Access Control and then click Role Based Access
Control.
In the right pane, select a role and then click Edit.
In the Edit a role dialog box, select the feature access you want to associate with the role, and then select the group you
want to have access to the role. Any group, and the group's users, that you select receives access to the selected
features.
Click Update to save the changes.
To associate users with a role
When you create a new role, you can associate users with the role.
Select the Users tab and double-click a user in the user table. Or, click New User.
In the New User dialog box, enter the user name and password, and then in Role, select the role you want to
associate with the user.
Click Create.
Configuring System Settings for iOS
The following systems settings apply to your iOS Devices only:
Store User Password. Provides the following options:
Enable. If you select Enable, a user's password on the iOS Connect app is securely stored and used for
ongoing authentication with the Device Manager. On the user's device Connect app, the logon/logout
button will be enabled, and the user will be required to log in again if the user manually logs out.
Disable. If you select Disable, Device Manager does not store a user's passwords and uses a certificate
for all ongoing authentication with Device Manager. On the user's device Connect app, the logon/logout
button will not display, and the user will never be logged out.
Note: When this setting is selected, you can still allow users to register and authenticate with a domain password,
because an enrollment invitation overrides this setting when other enrollment modes are configured.
User property for VPP country mapping. The mapping used to choose the property pool of the Apple Volume
Purchase Plan. This code allows a user to download apps from the app store specific to a country based on this
mapping. For example, if your user property is US, you will not be able to download the app if the VPP code
for the app is distributed in the UK.
VPP company token. This is the VPP service token generated when you buy an app on the Apple App Store
through your corporate account, and is used to validate your VPP license. After you log in to the iTunes
App Store using your company's corporate account login, purchase the app and then click Download to
obtain the token, and enter it here. It may take a few minutes for Device Manager to connect to the Apple VPP
server. Once validated, this populates the purchased apps in the Applications tab of the Device Manager,
which can then be deployed to managed devices.
Scheduling Option for Hardware and Software Inventory
The Scheduling option enables you to globally enforce hardware inventory and software deployments for those devices
that are always connected to Device Manager.
You may want your devices configured to always be connected to Device Manager ('Always On' or 'Permanently Alive');
for example, you may want a device to be always connected to Device Manager in the event you need to remotely wipe
the device in case of a data security breach. Using policies, you can configure your devices to always be connected to
Device Manager.
Using this option allows you to set the time interval (in minutes) that a hardware inventory and a software deployment
runs.
For more information, see Configuring Deployment Schedules.
Configuring Macros
Device Manager provides powerful macros that provide a method to populate user or device property data within the
text field of any profile or policy or notification/enrollment templates (for some automated actions), to name a few
usages. With macros, an administrator can configure a single policy and deploy it to a large user base and have
user-specific values appear for each targeted user. For example, an administrator could pre-populate the mailbox value for a
user in an Exchange profile across thousands of users.
This section provides an overview on the use of macros in Device Manager.
This feature is currently only available in the context of configurations and templates for iOS and Android devices.
Defining User Macros
The following user macros are always available:
loginname (username + domainname)
username (loginname minus the domain, if any)
domainname (domain name, or the default domain)
The following administrator-defined properties may be available:
c
cn
company
companyname
department
description
displayname
distinguishedname
facsimiletelephonenumber
givenname
homecity
homecountry
homefax
homephone
homestate
homestreetaddress
homezip
ipphone
l
mail
middleinitial
mobile
officestreetaddress
pager
physicaldeliveryofficename
postalcode
postofficebox
telephonenumber
samaccountname
sn
st
streetaddress
title
userprincipalname
domainname (overrides property described above)
Additionally, if the user is authenticated by using an authentication server, such as LDAP, all the properties associated
with the user in that store are available.
Macro Syntax
A macro can take the following form:
${type.PROPERTYNAME}
${type.PROPERTYNAME ['DEFAULT VALUE'] [ | FUNCTION [(ARGUMENT1, ARGUMENT2)]]}
As a general rule, all syntax following the dollar ($) sign must be enclosed in curly brackets ({ }).
Qualified property names reference either a user property, a device property or a custom property.
Qualified property names consist of a prefix, followed by the actual property name.
User properties take the form ${user.[PROPERTYNAME]} (prefix="user.").
Device properties take the form ${device.[PROPERTYNAME]} (prefix="device.").
For example, ${user.username} populates the username value in the text field of a policy. This is useful for
configuring Exchange ActiveSync profiles and other profiles used by multiple users.
For custom macros (properties that you define), the prefix is ${custom}. You can omit the prefix.
Note: Property names are case-sensitive.
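The macro syntax above, as an added example that is not Citrix code: a small Python expander for ${prefix.PROPERTY 'DEFAULT' | FUNCTION(args)} macros, reading the square brackets in the syntax line as marking optional parts. The functions upper, lower and left, the '@' join for loginname, and the device property serialnumber are constructed placeholders, since the page does not enumerate any of them.

```python
import re
from typing import Callable, Dict, Optional

# Syntax from the page: ${type.PROPERTYNAME ['DEFAULT VALUE'] [ | FUNCTION [(ARGUMENT1, ARGUMENT2)]]}
# The square brackets are read here as "optional part" notation, so a concrete macro looks like
#   ${user.mail 'nobody@example.invalid' | lower}
# (a literal pair of brackets around the default value is tolerated as well).
MACRO_RE = re.compile(
    r"\$\{\s*"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_.]*)"                 # qualified or bare property name
    r"(?:\s*\[?\s*'(?P<default>[^']*)'\s*\]?)?"          # optional 'DEFAULT VALUE'
    r"(?:\s*\|\s*(?P<func>[A-Za-z_]\w*)"                 # optional | FUNCTION
    r"(?:\s*\((?P<args>[^)]*)\))?)?"                     #   with optional (ARG1, ARG2)
    r"\s*\}"
)

# Placeholder functions: the page does not list which functions exist, so these are
# constructed here purely to show the pipe syntax.
FUNCTIONS: Dict[str, Callable[..., str]] = {
    "upper": lambda value: value.upper(),
    "lower": lambda value: value.lower(),
    "left": lambda value, n: value[: int(n)],
}


class MacroError(ValueError):
    """Unknown prefix, unknown function, or unresolved property without a default."""


def user_properties(username: str, domainname: str, **directory: str) -> Dict[str, str]:
    """Build the always-available user macros. Extra keyword arguments stand in for
    directory attributes (mail, sn, title, ...). The page says loginname is username +
    domainname but not how they are joined, so the '@' form is an assumption."""
    props = {"username": username, "domainname": domainname, "loginname": f"{username}@{domainname}"}
    props.update(directory)
    return props


def expand(template: str, user: Dict[str, str], device: Optional[Dict[str, str]] = None,
           custom: Optional[Dict[str, str]] = None) -> str:
    """Replace every ${...} macro in template. Property names are matched case-sensitively."""
    scopes = {"user": user, "device": device or {}, "custom": custom or {}}

    def resolve(match: "re.Match[str]") -> str:
        name = match.group("name")
        prefix, dot, prop = name.partition(".")
        if not dot:                       # no prefix: the custom prefix may be omitted
            prefix, prop = "custom", name
        if prefix not in scopes:
            raise MacroError(f"unknown prefix {prefix!r} in {match.group(0)}")
        value = scopes[prefix].get(prop)  # case-sensitive lookup, as the page notes
        if value is None:
            value = match.group("default")
            if value is None:
                raise MacroError(f"no value and no default for {match.group(0)}")
        func = match.group("func")
        if func:
            if func not in FUNCTIONS:
                raise MacroError(f"unknown function {func!r} in {match.group(0)}")
            args = [a.strip() for a in (match.group("args") or "").split(",") if a.strip()]
            value = FUNCTIONS[func](value, *args)
        return value

    return MACRO_RE.sub(resolve, template)


if __name__ == "__main__":
    # Constructed sample data standing in for directory, device and custom properties.
    jdoe = user_properties("jdoe", "corp.example", mail="JDoe@corp.example", sn="Doe")
    device = {"serialnumber": "CONSTRUCTED-0001"}   # device property name is an assumption
    custom = {"costcenter": "4711"}
    exchange_profile = "Mailbox: ${user.mail | lower}  Host: ${custom.exchangehost 'mail.corp.example'}"
    print(expand(exchange_profile, jdoe, device, custom))
```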
Viewing Reports
The Device Manager server repository database keeps a log of connections and data exchanges between each mobile
device and the Device Manager server (Logs). Device Manager reporting provides detailed information such as by
tunnel or by user. Device Manager reports are available through an integrated set of reports.
The Display a Report collection provides the following reports that assist you in understanding and managing your mobile
device asset base:
Session report (connection logs)
Administrator options
Groups, users and roles summary
Device Software Report
Hardware inventory
Deployment Rule Report per device
Deployment Rule Report per package
Jailbroken or rooted devices
Inactive devices
Device enrollment
Distribution of devices
Blacklist / Whitelist application compliance report
Device Events
Terms and Conditions
You can also export reports to a Microsoft Excel CSV file and delete reports from Device Manager by using the Manage
Historical Data Collection. When you export the report to a CSV file, Device Manager creates a text file containing all of
the activity report data for the specified range of dates.
The Delete option removes data logged before a specified date from Device Manager. Use this option carefully; it
cannot be undone.
Navigating Reports
Each report uses a navigation bar to aid in moving through the report and its sections. The navigation bar allows you to
export the report data, print the report, hide/reveal subsections of the report, page throughout the report, search for a
specific string, and set a zoom level for the rendered data.
Many Device Manager reports present data by using a summary page, followed by one or more subsections that
provides additional detailed information. You can use the Group Tree icon in the report navigation bar to view the
subsections and open that subsection's page.
Additionally, you can use the drop-down list in the navigation bar to go to a particular subsection.
Some Device Manager reports require parameters to run; parameters are supplied to a report from pop-up windows.
Report Types
You can view the following report types in Device Manager.
Session Reports (Connection Logs)
This report is a summary of mobile device activity. It includes total usage per user and overall data compression ratio.
The connection logs can contain a large amount of data. The data is created over a period of time by the Device
Manager server and stored in the Device Manager repository database. Citrix recommends that you limit the use of
connection logs to processing of small datasets to avoid impacting the performance of the Device Manager server.
Content reports, which are part of session reports, provide a summary of total data usage for a specified period of time.
You create this report by using a custom date range. The report includes:
List of users connected to the Device Manager server. You can view details of a specific user in the list.
Real volume passing through this Device Manager server.
Data traffic optimized by the Device Manager server.
Percentage of data compression achieved by the Device Manager server or Agent software for all data
streams (incoming raw data as opposed to actual data transmitted over-the-air).
Other Reports
In addition to session reports, you can also view the following reports:
Administrator operations. Summarizes administrator activity, including insertions, updates and deletions of
any resources in database.
Groups, users, and roles summary. Summarizes the list of groups, roles and users defined in the Device
Manager server, and reports the modification and creation dates of these elements. This report provides an
administrative overview of all users, roles and groups creation and modification data, and is meant to assist
in the administrative side of your mobile IT infrastructure.
Device software report. Provides a summary of the installed applications within the mobile device
environment.
Hardware inventory report. This report summarizes the mobile device asset base by hardware property such as operating system, operating system version, platform, or device type.
Deployment rule report per device. This report summarizes package deployments for each device. State
refers to the deployment state; specify All states, Pending, Successful, Failed, or Not applicable.
Deployment rule report per package. This report summarizes package deployments for each package. State
refers to the deployment state; specify All states, Pending, Successful, Failed, or Not applicable.
Jailbroken or rooted devices. Lists jailbroken iOS devices and rooted Windows, Android, and Symbian
devices.
Inactive devices. Lists devices that are inactive.
Device enrollment. Lists devices enrolled during a specified period of time.
Device distribution. List of devices owned by employees or by your organization.
Blacklist and whitelist application compliance report. This report provides three options for device
compliance reporting:
Blacklisted apps shows devices with apps that are not allowed and are installed on the user device.
Non-whitelisted apps shows devices with apps installed on the device that are not on the whitelist.
Missing whitelisted apps shows devices that do not have all the whitelisted apps present.
Adding User-Defined Reports
Reports must be in Crystal Reports format (a file with a .rpt extension).
When you configure the reports, the property fields can have the following values:
reportFilename. "My_report.rpt" is the personalized report in the Crystal Reports format.
name is the text that appears on the Device Manager Administration Console tab when you click the link
Click here for my report.
linkLabel is the hypertext used to generate the report.
description is the help text that appears below the hypertext.
The link for the new user-defined report appears under the User-defined reports section on the Reports tab in the Device
Manager web console.
To add user-defined reports
Stop the Device Manager Server service.
Open the WEB-INF/classes/external-reports.xml file with a text editor that can read and write UTF-8 files, such as
Notepad.
In the file, locate the tags and add the following parameters:






Save the file in UTF-8 format.
Add the custom reports (.rpt) to the following location on the Device Manager server: C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\reports
Restart the Device Manager server service.
Managing Security and Identity
In Device Manager, you use certificates to create secure connections and authenticate users.
To establish a secure connection, a server certificate is required at one end of the connection. A root certificate of the
Certificate Authority (CA) that issued the server certificate is required at the other end.
Server certificate. A server certificate certifies the identity of a server. Device Manager requires this type of
digital certificate.
Root certificate. A root certificate identifies the CA that signed the server certificate. The root certificate
belongs to the CA. The user device requires this type of digital certificate to verify the server certificate.
You can submit certificates for signing to a CA who signs the certificate and returns it to you.
In addition to certificates, you can configure security and identity in Device Manager in the following ways:
Configure Device Manager by using Microsoft Certificate Services to generate user certificates for certificate-based authentication with WIFI, VPN, and Exchange ActiveSync profiles. You can also configure Device
Manager as the CA to generate requests and to issue device identity certificates with Microsoft Certificate
Services.
Configure your own SAML service and identity provider in Device Manager. The SAML-based infrastructure
can authenticate users and their mobile devices.
Include Secure Device in your license that is activated automatically when you install Device Manager.
Secure Device provides a strong level of security for user devices.
Enable Strong ID that is a form of two-factor authentication. This provides extra security when enrolling
devices in Device Manager.
Configure filters in Device Manager that work with Network Access Control. Filters set users' devices to be
either compliant or not compliant. If a device is not compliant, the device is blocked from accessing the
internal network.
Server Certificates
Server certificates are certificates used functionally by the XenMobile server that are uploaded into the Device Manager
web console in the PKI integration section of the Options dialog box. They include CA (Certificate Authority) certificates,
RA (Registration Authority) certificates, and certificates for client authentication with other components of your infrastructure.
In addition, you may use the repository as storage for certificates you wish to deploy to devices. This especially applies to CAs
used to establish trust on the device.
XenMobile may or may not possess the private key for a given certificate. For some usages, XenMobile will
require the private key, whereas for others it will not. Each certificate you upload will be represented by an entry in the
Server Certificates table, summarizing its contents. Later on, when you configure PKI integration components that
require a certificate, you will be prompted to choose from a list of those Server Certificates that satisfy the context-dependent criteria.
For example, you might want to configure XenMobile to integrate with your Microsoft CA. The connection to the
Microsoft CA should be authenticated using a client certificate.
You can upload the CA certificate (without the private key) that the CA will use to sign requests, and an SSL client certificate
(with the private key) for client authentication. When configuring the Microsoft CA entity, you need to specify the CA
certificate, which you can then select from a drop-down list of all Server Certificates that are CA certificates (context-dependent criterion). Likewise, when configuring client authentication, you can select from a drop-down list of all the
Server Certificates for which XenMobile has the private key (context-dependent criterion).
About XenMobile PKI
The XenMobile Public Key Infrastructure (PKI) Integration feature allows you to manage the distribution and life-cycle of
security certificates used on your devices with great flexibility.
The main feature of the system is the PKI Entity. A PKI entity models a back-end component for PKI operations. That
component may be either local to XenMobile (internal) or a part of your corporate infrastructure (external, such as a
Microsoft, RSA, or OpenTrust PKI). The PKI entity handles the back-end certificate issuance and revocation. It is the
authoritative source for the certificate’s status. The XenMobile configuration will normally contain exactly one PKI
Entity per back-end PKI component.
The second feature is the Credential Provider. A Credential Provider is a particular configuration of certificate issuance
and life-cycle. It will control things like the certificate’s format (subject, key, algorithms) and the conditions for its
renewal or revocation, if any. The Credential Providers delegate operations to the PKI Entities. In other words, while
Credential Providers control when and with what data PKI operations are undertaken, PKI Entities control how those
operations are performed. The XenMobile configuration will normally contain many Credential Providers per PKI Entity.
The third feature of the system are Server Certificates. Server Certificates are X.509 certificates used functionally by the
PKI Entity or the Credential Provider configurations.
To import a server certificate
XenMobile supports the following input formats for certificates:
PEM or DER-encoded certificate files
PEM or DER-encoded certificate files with associated PEM or DER-encoded private key file
PKCS#12 key stores (P12; also known as PFX on Windows)
Java Key Store (JKS) and Extended Java Key Store (EJKS)
Key stores, by design, can contain multiple entries, so when you load from a key store, you will be prompted to
specify the entry alias identifying the entry you wish to load. If you do not specify an alias, the first entry from the store
will be loaded. Since PKCS#12 files usually contain only one entry, you should leave the alias empty for those files.
When importing a certificate, either from a file or a key store entry, XenMobile will attempt to construct a certificate chain
from the input, and will import all certificates in that chain (creating a Server Certificate entry for each). This will only
work if the certificates in the file or key store entry really do form a chain, that is, if each subsequent certificate in the
chain is the issuer of the previous one. You can add an optional description for the imported certificate. The description
will only be attached to the first certificate in the chain (you can update the description of the remaining certificates
later on).
From the Device Manager web console, click Options.
In the XenMobile Server Options dialog box, from the left side select PKI > Server Certificate.
Click Upload Certificate to import a certificate.
From the Certificate Type list, select either Certificate or Keystore.
Next, click Choose File to select a certificate.
Next, click Choose File to select a private key file for the certificate.
Enter an optional description, and then click Upload.
Updating a Certificate
XenMobile only allows one certificate per public key to exist in the system at any given time. If you attempt to import a
certificate for the same key pair as an already imported one, you will be presented with the option to either replace the
existing entry or to delete it.
To most effectively update your certificates, simply upload the new one in the Device Manager web console's Options
dialog box, under PKI > Certificates. When a Server Certificate entry is updated, components that were using the
previous one will automatically switch to using the new one. Likewise, if you have deployed the Server Certificate on
devices, it will automatically be updated on the next deployment.
PKI Entities
A XenMobile Public Key Infrastructure (PKI) Entity configuration represents a component performing actual PKI
operations (issuance, key escrow, revocation, status information). These components may either be internal to
XenMobile, in which case they are called discretionary, or external to it, if they are part of your corporate
infrastructure.
XenMobile supports the following three types of PKI entities:
Discretionary CAs
Generic PKIs (GPKI)
Microsoft Certificate Services
Common PKI Concepts
Regardless of its type, every PKI Entity is said to have a subset of the following capabilities:
sign Issuing a new certificate, based on a Certificate Signing Request.
fetch Recovering an existing certificate and key pair.
revoke Revoking a client certificate.
Table 1. PKI Capabilities
PKI Type        Capability
Discretionary   Sign
GPKI            The adapter is capable of taking Certificate Signing Requests, transmitting them to the PKI and returning newly signed certificates.
Microsoft       Sign
About CA Certificates
When configuring a PKI entity, you will have to inform XenMobile which CA certificate is going to be the signer of
certificates issued by (or recovered from) that entity. One and the same PKI entity may return (fetched or newly signed)
certificates signed by any number of different CAs; the certificate of each of these CAs will have to be provided as part
of the PKI entity configuration, by uploading it to the Server Certificates repository and then referencing them in the PKI
entity. For discretionary CAs, this will implicitly be the signing CA certificate, but for external entities, you will have to
specify it manually.
Note: XenMobile will verify that the actual issuer of a certificate newly obtained through a sign or fetch operation matches the
purported, configured issuer. An error will be raised if this is not the case.
Discretionary CAs
A Discretionary CA is created by providing XenMobile with a CA certificate and the associated private key. XenMobile
will handle certificate issuance, revocation, and status information internally, according to the parameters you specify.
However, XenMobile will never store the private keys of issued certificates, and so will not offer escrow services. Status
information for certificates issued by a discretionary CA.
When configuring a Discretionary CA, you will have the option to activate OCSP support for that CA. If, and only if,
OCSP support is enabled, the CA will add an id-pe-authorityInfoAccess extension to the certificates it issues, pointing to
XenMobile's internal OCSP Responder located at:
https://[server]/[instance]/ocsp
When configuring the OCSP service, you will have to specify an OCSP signing certificate for the Discretionary Entity in
question. You can use the CA certificate itself as the signer. If you wish to avoid the unnecessary exposure of your
CA’s private key (recommended), you will have to create a delegate OCSP signing certificate, signed by the CA
certificate and including an id-kp-OCSPSigning extendedKeyUsage extension.
The XenMobile OCSP Responder service supports Basic OCSP responses and the following hashing algorithms in requests:
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
Responses are signed with SHA-256 and the signing certificate’s key algorithm (DSA, RSA or ECDSA).
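The discretionary-CA arrangement just described, as an added example that is not XenMobile code, using the third-party Python cryptography package: a constructed CA, a delegate OCSP signer carrying id-kp-OCSPSigning, a device certificate whose AIA extension points at the responder (the host and instance in the URL are placeholders for https://[server]/[instance]/ocsp), the issuer check from the note above, and a SHA-256 request answered with a SHA-256-signed basic response.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID

# Placeholder for the page's https://[server]/[instance]/ocsp; host and instance are constructed.
OCSP_URL = "https://xdm.example.invalid/zdm/ocsp"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer_name, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))


def make_ca(cn="Constructed Discretionary CA"):
    """Self-signed CA: the CA certificate plus private key a discretionary CA is created from."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_ocsp_delegate(ca_key, ca_cert, cn="Constructed OCSP Signer"):
    """Delegate responder certificate: CA-signed, with id-kp-OCSPSigning, so the CA key is not exposed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), ca_cert.subject, key.public_key(), 365)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def issue_device_cert(ca_key, ca_cert, cn, ocsp_enabled=True):
    """Leaf issuance. The id-pe-authorityInfoAccess pointer is added only when OCSP support is enabled."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = _builder(_name(cn), ca_cert.subject, key.public_key(), 365)
    if ocsp_enabled:
        aia = x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
        builder = builder.add_extension(aia, critical=False)
    return key, builder.sign(ca_key, hashes.SHA256())


def issuer_matches(cert, ca_cert):
    """The check in the note above: the actual issuer must be the configured CA, by name and by signature."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def ocsp_url(cert):
    """Responder URL from the AIA extension, or None when the CA was configured without OCSP support."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    return None


def valid_ocsp_signer(signer_cert, ca_cert):
    """Accepted signers per the text: the CA itself, or a CA-signed delegate carrying id-kp-OCSPSigning."""
    if signer_cert == ca_cert:
        return True
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku and issuer_matches(signer_cert, ca_cert)


def answer_ocsp(cert, ca_cert, signer_key, signer_cert, revoked=False):
    """SHA-256 request (one of the accepted request hashes) answered by a SHA-256-signed basic response."""
    request = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA256()).build()
    now = datetime.datetime.now(datetime.timezone.utc)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=request.hash_algorithm, cert_status=status,
                          this_update=now, next_update=now + datetime.timedelta(hours=1),
                          revocation_time=now if revoked else None,
                          revocation_reason=x509.ReasonFlags.cessation_of_operation if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
            .sign(signer_key, hashes.SHA256()))


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    signer_key, signer_cert = make_ocsp_delegate(ca_key, ca_cert)
    _, device_cert = issue_device_cert(ca_key, ca_cert, "constructed-device-0001")
    response = answer_ocsp(device_cert, ca_cert, signer_key, signer_cert)
    print("AIA:", ocsp_url(device_cert), "status:", response.certificate_status.name)
```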
Generic PKI (GPKI)
The Generic PKI (GPKI) protocol is a proprietary XenMobile protocol running atop a SOAP Web Service layer for purposes of
uniform interfacing with various PKI solutions. The GPKI protocol defines three fundamental PKI operations:
sign The adapter is capable of taking Certificate Signing Requests (CSR), transmitting them to the PKI and
returning newly signed certificates.
fetch The adapter is capable of retrieving (recovering) existing certificates and key pairs (depending on input
parameters) from the PKI.
revoke The adapter is able to cause the PKI to revoke a given certificate.
The receiving end of the GPKI protocol is the GPKI Adapter. The adapter translates the fundamental operations to the
specific type of PKI for which it was built (in other words, there is a GPKI Adapter for RSA, another for OpenTrust, and
so on).
Figure 1. GPKI Communication Overview
The GPKI Adapter, being a SOAP Web Services endpoint, publishes a self-describing WSDL. Creating a GPKI PKI
Entity amounts to providing XenMobile with that WSDL, either through a URL or by uploading the file itself.
Support for each of the PKI operations in an adapter is optional. If an adapter supports a given operation, it is said to
have the corresponding capability (sign, fetch or revoke). Each of these capabilities may be associated with a set of
user parameters.
User parameters are parameters that are defined by the GPKI adapter for a specific operation and for which you need
to provide values to XenMobile. Which operations the adapter supports (which capabilities it has) and which parameters
it requires for each of them is determined by XenMobile by parsing the WSDL. The connection between XenMobile and
the GPKI Adapter may optionally be secured using SSL client authentication.
Microsoft Certificate Services
XenMobile interfaces with Microsoft Certificate Services through its web enrollment interface. It only supports issuing
new certificates through that interface (the equivalent of the GPKI sign capability).
To create a Microsoft CA PKI Entity in XenMobile, you must specify the base URL of the Certificate Services web
interface. The connection between XenMobile and the Certificate Services web interface may optionally be secured
using SSL client certificate authentication.
Note: This integration method is historical and limited. It will be migrated to the GPKI protocol in the future.
Migrating Previous PKI Configurations
Since the new XenMobile PKI integration capabilities have been significantly enhanced, migrating to the new system is
not automatic. If you had used PKI configurations in previous versions, you will be able to continue to use these in 8.0
without changes, but if you wish to make use of the new capabilities, you will have to manually upgrade existing PKI
entities.
Your pre-8.0.1 PKI entities (Microsoft CA or GPKI) will appear in the list of PKI entities, but will be marked as not ready
to be used, indicated by a red icon in the Valid column in the Options dialog box, under PKI > Entities.
To ready the entity for 8..10 usage, edit the entity and provide the missing settings (the system will indicate which
settings are missing when you try to save the configuration). This process requires providing the CA certificate(s) for the
entity.
Credential Providers
Credential Providers are the actual configurations you will use in the various parts of the XenMobile system. They define
the sources, parameters, and life-cycles of your certificates, whether these are part of device configurations or stand-alone, that is, pushed as is to the device.
Figure 1. Certificates Lifecycle
The certificates' life-cycle is constrained by the device enrollment. That is, no certificates are issued before
enrollment, although some may indeed be issued as part of enrollment, and all certificates issued within the context of
one enrollment are revoked when the enrollment is revoked; that is, no certificate remains valid after the management
relationship, the enrollment, has been terminated.
One Credential Provider configuration may be used in multiple places, to the effect that configuration may govern any
number of certificates at the same time. The unicity, then, is on the deployment resource and the deployment: if the
Credential Provider P is "deployed" to device D as part of the configuration C, then P's issuance settings will
determine the certificate that is deployed to D, its renewal settings will apply when C is updated, and its revocation
settings will apply when C is deleted or D is revoked.
With the aforementioned in mind, the Credential Provider configuration:
Determines the source of certificates — that is, which PKI Entity certificates will be obtained from
Determines the method using which certificates are obtained — signing a new certificate or fetching
(recovering) an existing certificate and key pair
Determines the parameters for the issuance or recovery (for example, CSR parameters such as key size,
key algorithm, distinguished name, certificate extensions, and so on)
Determines the manner in which certificates are delivered to the device
Determines revocation conditions. While all certificates are revoked when the management relationship is
severed, the configuration may specify an earlier revocation, for instance when the associated device
configuration is deleted. In addition, under some conditions the revocation of the associated certificate in
XenMobile may be sent to the back-end PKI; that is, its revocation in XenMobile may cause its revocation on
the PKI
Determines renewal settings. Certificates obtained through a given Credential Provider may be automatically
renewed when they near expiration, or, separately from that, notifications may be issued when that
expiration approaches.
To what extent various configuration options are available will mainly depend on which type of PKI Entity and issuance
method are selected for a Credential Provider.
Methods of Certificate Issuance
There are two fundamental methods of obtaining a certificate, which in this context shall be called methods of issuance:
SIGN. With this method, the issuance involves creating a new key pair, creating a Certificate Signing
Request (CSR) for the key pair, and submitting it to a CA for signature.
FETCH. With this method, the issuance (from the point of view of XenMobile) is in actuality a recovery of an
existing certificate and key pair.
A Credential Provider uses exactly one of these methods; which method is selected impacts which configuration options
are available. Notably, CSR configuration and distributed delivery are only available if the issuing method is sign. If the
certificate is fetched, it is always sent as a pkcs#12 to the device (equivalent to centralized delivery mode for the sign
method).
Which issuing methods are available for a Credential Provider will depend on the capabilities the PKI Entity it uses
supports.
Certificate Delivery
An important notion is the delivery mode of certificates. The delivery is independent of the issuance, although it only
applies when the issuing method is sign (newly issued), not fetch (recovered from the PKI).
Two modes of certificate delivery are available: centralized and distributed. Distributed mode uses the SCEP protocol
and is only available in situations where the client supports the protocol, and is even mandatory in some situations.
For a Credential Provider to support distributed (SCEP-assisted) delivery, a special configuration step is necessary:
setting up Registration Authority (RA) certificates. Those are required because when using the SCEP protocol,
XenMobile acts like a delegate (a registrar) to the actual CA, and must prove to the client that it has the authority to act
as such. That authority is established by providing XenMobile with the aforementioned certificates.
Two distinct certificate roles are required (although one and the same certificate can fulfill both): RA signature and RA
encryption. The constraints for these roles are as follows:
The RA signing certificate must have the X.509 key usage digital signature.
The RA encryption certificate must have the X.509 key usage key encipherment.
To configure the Credential Provider’s RA certificates, you must first upload them to the Server Certificates
repository, and then link to them in the Credential Provider.
A Credential Provider is considered to support distributed delivery if, and only if, it has a certificate configured for each
of the aforementioned roles. Each Credential Provider can be configured to either prefer centralized mode, to prefer
distributed mode, or to require distributed mode. The actual result will depend on the context: if the context does not
support distributed mode, but the Credential Provider requires it, deployment will fail. Likewise, if the context mandates
distributed mode, but the Credential Provider does not support it, deployment will fail. In all other cases, the preferred
setting will be honored.
Table 1. SCEP Distribution Availability
Context                        SCEP supported   SCEP required
iOS Profile Service            yes              yes
iOS MDM enrollment             yes              no
iOS configuration profiles     yes              no
SHTP enrollment                no               no
SHTP configuration             no               no
Windows Phone enrollment       no               no
Windows Phone configuration    no               no
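The delivery-mode rules and Table 1 above, worked through as an added Python example (not Citrix code): it validates the two RA certificate roles by X.509 key usage and predicts whether a deployment will use centralized or distributed delivery, or fail. The setting names, the ServerCertificate and CredentialProvider types, and the fallback to centralized delivery where a context cannot do SCEP are assumptions.

```python
"""Resolve the certificate delivery mode for a Credential Provider deployment.

Added example, not Citrix code. It encodes the "Certificate Delivery" rules
and Table 1 so a deployment failure can be predicted from the configuration.
Assumptions: the three delivery settings are named as in the text, and a
provider that prefers distributed delivery falls back to centralized delivery
where the context does not support SCEP.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Table 1: context -> (SCEP supported, SCEP required).
SCEP_AVAILABILITY = {
    "iOS Profile Service": (True, True),
    "iOS MDM enrollment": (True, False),
    "iOS configuration profiles": (True, False),
    "SHTP enrollment": (False, False),
    "SHTP configuration": (False, False),
    "Windows Phone enrollment": (False, False),
    "Windows Phone configuration": (False, False),
}

# X.509 KeyUsage bits the two RA roles must carry.
DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"

PREFER_CENTRALIZED = "prefer_centralized"
PREFER_DISTRIBUTED = "prefer_distributed"
REQUIRE_DISTRIBUTED = "require_distributed"


@dataclass(frozen=True)
class ServerCertificate:
    """An entry of the Server Certificates repository (constructed data)."""
    name: str
    key_usage: FrozenSet[str]


@dataclass
class CredentialProvider:
    name: str
    issuing_method: str                          # "sign" or "fetch"
    delivery_setting: str = PREFER_CENTRALIZED
    ra_signing: Optional[ServerCertificate] = None
    ra_encryption: Optional[ServerCertificate] = None


class DeploymentError(Exception):
    """Raised where the text says "deployment will fail"."""


def ra_certificate_problems(cp):
    """Check the RA role constraints; an empty list means the RA certificates are acceptable."""
    problems = []
    if cp.ra_signing and DIGITAL_SIGNATURE not in cp.ra_signing.key_usage:
        problems.append(f"RA signing certificate {cp.ra_signing.name} lacks key usage {DIGITAL_SIGNATURE}")
    if cp.ra_encryption and KEY_ENCIPHERMENT not in cp.ra_encryption.key_usage:
        problems.append(f"RA encryption certificate {cp.ra_encryption.name} lacks key usage {KEY_ENCIPHERMENT}")
    return problems


def supports_distributed(cp):
    """Distributed (SCEP) delivery is supported iff both RA roles hold a suitable certificate."""
    return bool(cp.ra_signing and cp.ra_encryption) and not ra_certificate_problems(cp)


def resolve_delivery_mode(cp, context):
    """Return "centralized" or "distributed", or raise DeploymentError."""
    if cp.issuing_method == "fetch":
        return "centralized"                      # fetched certificates always travel as PKCS#12
    supported, required = SCEP_AVAILABILITY[context]
    if cp.delivery_setting != PREFER_CENTRALIZED and not supports_distributed(cp):
        raise DeploymentError(f"{cp.name}: RA certificates are mandatory for {cp.delivery_setting}")
    if required and not supports_distributed(cp):
        raise DeploymentError(f"{context} mandates SCEP but {cp.name} does not support distributed delivery")
    if cp.delivery_setting == REQUIRE_DISTRIBUTED and not supported:
        raise DeploymentError(f"{context} does not support SCEP but {cp.name} requires distributed delivery")
    if cp.delivery_setting == PREFER_CENTRALIZED:
        return "distributed" if required else "centralized"
    return "distributed" if supported else "centralized"   # assumption: fall back where SCEP is unavailable


if __name__ == "__main__":
    ra = ServerCertificate("ra-cert", frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}))
    cp = CredentialProvider("wifi-user-cert", "sign", PREFER_DISTRIBUTED, ra, ra)
    for ctx in SCEP_AVAILABILITY:
        try:
            print(f"{ctx:30} -> {resolve_delivery_mode(cp, ctx)}")
        except DeploymentError as exc:
            print(f"{ctx:30} -> FAIL: {exc}")
```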
Certificate Revocation
There are three separate aspects to a certificate’s revocation, three types of revocation: internal revocation, externally
propagated revocation and externally induced revocation.
Internal revocation. Internal revocation affects the certificate’s status as maintained by XenMobile (in its
database). This status is taken into account when XenMobile evaluates a certificate presented to it, or when
it has to provide OCSP status information for some certificate. The Credential Provider configuration
determines how this status is affected under various conditions. For instance, the Credential Provider may
specify that certificates obtained through it should be (flagged as) revoked when they have been deleted
from the device.
Externally propagated revocation. Also known as "Revocation from XenMobile", this type of revocation
applies to certificates obtained from an external PKI, and means that the certificate will be revoked on the
PKI when it is internally revoked by XenMobile (under the conditions defined by the Credential Provider
configuration). The call to perform the revocation requires a revoke-capable GPKI Entity.
Externally induced revocation. Also known as "Revocation from PKI", this type of revocation also only
applies to certificates obtained from an external PKI, and means that whenever XenMobile evaluates a given
certificate’s status, it will query the PKI as to that status, and, if the PKI returns that the certificate is
revoked, will internally revoke it. This mechanism uses the OCSP protocol.
These three types are not exclusive, but rather apply together: the internal revocation is caused either by an external
revocation or by independent findings, and in turn it potentially effects an external revocation.
Certificate Renewal
A certificate renewal is the combination of a revocation (of the existing certificate) and an issuance (of another
certificate).
Note that XenMobile will first attempt to obtain the new certificate before revoking the previous one, in order to avoid
discontinuation of service if the issuance fails. If distributed (SCEP-supported) delivery is used, the revocation will also
only happen once the certificate has been successfully installed on the device; otherwise, the revocation will occur
before the new certificate is sent to the device and independently of the success or failure of its installation.
The revocation configuration requires that you specify a certain duration (in days); when the device connects, the server
verifies whether the certificate’s NotAfter date is later than the current date minus the specified duration. If it is, a
renewal is attempted.
To create a credential provider using discretionary CA entities
Configuring a Credential Provider varies mostly as a factor of which issuing entity and which issuing method are
selected for it. You can distinguish between Credential Providers using an internal entity, such as a discretionary entity,
and those using an external entity, such as a Microsoft CA or GPKI entity.
This task shows you how to create a Credential Provider that uses a discretionary entity. The issuing method for a
discretionary entity is always sign, meaning that with each issuing operation, Device Manager will sign a new key pair
with the CA certificate selected for the entity; whether the key pair is generated on the device or on the server will
depend on the selected distribution method.
1. In the Device Manager web console, click Options.
2. In the Options dialog box, select PKI > Credential Provider.
3. In the Define a new credential provider dialog box, on the General tab, enter the following information:
a. Credential Provider name. Type a unique name for the new provider configuration. This name will be used
subsequently to refer to the configuration in other parts of the administration console.
b. Description. An optional description for the configuration.
c. Issuing method. The method by which the system should obtain certificates from the configured entity. Select a
discretionary entity.
4. On the CSR tab, you configure the parameters for the key pair that will be created during issuance, as well as the
CSR parameters of the new certificate. Enter the following information:
a. Key algorithm. The key algorithm for the new key pair. Available values are RSA, DSA and ECDSA.
b. Key size. The size, in bits, of the key pair. Note that which values are permissible depends on the type of key
(for instance, the maximum size for DSA keys is 1024 bits). To avoid false negatives (which will be dependent
on the underlying hardware and software), Device Manager will not enforce key sizes. You should always test
Credential Provider configurations in a test environment before activating them in production.
c. Signature algorithm. The signature algorithm for the new certificate. Values are dependent on the key
algorithm; in this case, Device Manager will limit your choices to matching values.
d. Subject name. The Distinguished Name (DN) of the new certificate’s subject. For example:
CN=${user.username}, OU=${user.department}, O=${user.companyname}, C=${user.c}
e. Subject alternative names. X.509 subject alternative names. To create a new entry, click New alternative name
and then click on the first column to select the type of alternative name from those available. Last, enter
a value in the second column. Note that as for the subject DN, you can use Device Manager macros in the
value field.
5. Next, click the Distribution tab. Because the Credential Provider uses a Discretionary CA Entity, the CA certificate
for the Credential Provider will always be the CA certificate configured on the entity itself; it is presented here
merely for consistency with configurations that use external entities.
The second element on this tab is the configuration of certificate delivery. If you have defined RA certificates at
the entity level, they will be filled in by default here, but you can change them if you desire (note that the constraints
on RA certificates still apply).
You can then select the delivery mode for certificates obtained from this entity. If you select the Prefer
centralized delivery mode, RA certificates are optional; otherwise, they are mandatory.
6. Next, click the Revocation tab. On this tab, you can configure under what conditions Device Manager should
(internally) flag certificates issued through this provider configuration as revoked. You can also instruct the system to
send a notification when it flags a certificate as revoked. Do this by selecting a template for the event type Certificate
revoke (Device Manager will create a default template for that type, but you can edit it or create others). Note that the
revocation configured here will be what determines the responses from the Device Manager OCSP Responder for
certificates created with this configuration, if OCSP support is enabled for the PKI Entity.
7. Next, click the Renewal tab. On this tab, you can configure the renewal of certificates obtained through this
configuration. Two basic operations can be configured:
a. Renewing the certificate, optionally sending a notification when this is done (notification on renewal), and
optionally excluding already expired certificates from the operation. Note that "already expired" in this case
means that their NotAfter date is in the past, not that they have already been revoked. Device Manager will not
renew certificates once they have been internally revoked.
b. Issuing a notification for certificates that near expiration (notification before renewal).
To have notifications sent for either case, simply specify a Notification Template for the appropriate event
type. The event type for the former is Certificate is renewed; for the latter, Certificate will expire. Device
Manager will create default Notification Templates for both these event types, but you can modify them or
create new ones.
Note that renewal takes precedence over notification before renewal. That is, if at a given moment Device
Manager determines that a certificate must be renewed, it will not also send a notification before renewal
(instead, the notification on renewal, if one is configured, will be used). You should configure a greater
period for the notification before renewal if you imperatively need both to be sent. Notifications before
renewal will only be sent at most once for a given certificate.
8. Click Create.
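The renewal behaviour described in the Certificate Renewal section and on the Renewal tab of this procedure, as an added Python example (not Citrix code): it decides, per certificate and check-in, between renewing, sending the "will expire" notification, or doing nothing, and lists the order of issuance and revocation for each delivery mode. The type and setting names are assumptions, as is reading "due for renewal" as NotAfter falling within the configured number of days.

```python
"""Plan certificate renewal for a Credential Provider configuration.

Added example, not Citrix code. It models what the Certificate Renewal section
and the Renewal tab describe: renewal is an issuance followed by a revocation,
the order of those steps depends on the delivery mode, an internally revoked
certificate is never renewed, renewal takes precedence over the "will expire"
notification, and that notification goes out at most once per certificate.
Assumption: a certificate is due for renewal when its NotAfter date falls within
the configured number of days from the time of the check.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SAMPLE_NOW = datetime(2015, 7, 1, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class Certificate:
    serial: str
    not_after: datetime
    internally_revoked: bool = False
    expiry_notification_sent: bool = False


@dataclass
class RenewalConfig:
    renew_within_days: int                            # renew when NotAfter is this close
    exclude_expired: bool = False                     # skip certificates whose NotAfter is past
    notify_on_renewal: bool = True                    # event type "Certificate is renewed"
    notify_before_renewal_days: Optional[int] = None  # event type "Certificate will expire"


def make_cert(serial, days_to_expiry, now=SAMPLE_NOW, revoked=False):
    """Constructed certificate whose NotAfter lies days_to_expiry days from now (negative = expired)."""
    return Certificate(serial, now + timedelta(days=days_to_expiry), internally_revoked=revoked)


def decide(cert, cfg, now):
    """Outcome of one check-in for one certificate: "renew", "notify_will_expire" or "none"."""
    if cert.internally_revoked:
        return "none"                                 # revoked certificates are never renewed
    if cert.not_after <= now and cfg.exclude_expired:
        return "none"                                 # "already expired" means NotAfter is past
    if cert.not_after <= now + timedelta(days=cfg.renew_within_days):
        return "renew"                                # renewal wins over "will expire"
    if (cfg.notify_before_renewal_days is not None
            and not cert.expiry_notification_sent
            and cert.not_after <= now + timedelta(days=cfg.notify_before_renewal_days)):
        return "notify_will_expire"
    return "none"


def renewal_steps(delivery_mode, cfg):
    """Server-side steps of a renewal, in order, for the given delivery mode."""
    steps = ["issue new certificate"]                 # issuance first: a failed issuance leaves the old one in service
    if delivery_mode == "distributed":
        steps += ["send SCEP-assisted delivery to device",
                  "wait for successful installation",
                  "revoke old certificate"]           # only after the device has installed the new one
    else:
        steps += ["revoke old certificate",           # before delivery, regardless of installation result
                  "send PKCS#12 to device"]
    if cfg.notify_on_renewal:
        steps.append("send 'Certificate is renewed' notification")
    return steps


def run_checkin(certs, cfg, now):
    """Evaluate every certificate at a device check-in; returns {serial: outcome}."""
    outcomes: Dict[str, str] = {}
    for cert in certs:
        outcome = decide(cert, cfg, now)
        if outcome == "notify_will_expire":
            cert.expiry_notification_sent = True      # at most once per certificate
        outcomes[cert.serial] = outcome
    return outcomes


if __name__ == "__main__":
    cfg = RenewalConfig(renew_within_days=30, notify_before_renewal_days=60)
    certs = [make_cert("A", 10), make_cert("B", 45), make_cert("C", 90),
             make_cert("D", -5), make_cert("E", 10, revoked=True)]
    print(run_checkin(certs, cfg, SAMPLE_NOW))
    print(renewal_steps("distributed", cfg))
```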
To create a credential provider using external PKI entities
When you create a Credential Provider using an external (Microsoft or GPKI) entity, the main difference in configuring the two
is the issuing method for the provider; which methods are available depends on the capabilities of the selected PKI entity:
If you opt for using a Microsoft CA entity for your Credential Provider, your choice of issuing method will be
limited to sign. The sign method of issuance involves creating a new key pair, creating a Certificate Signing
Request (CSR) for the key pair, and submitting it to a CA for signature. (You will be prompted to select
which certificate template to use for issuance). You must choose a value from those you have defined during
the creation of the PKI entity. This is the template name that will be sent to the Microsoft CA along with the
Certificate Signing Request during issuance. A Credential Provider can only use one template. If you want to
issue certificates based on different templates, create a Credential Provider configuration for each of them.
If you opt for using a GPKI entity for your Credential Provider, your choice of issuing method will depend on
which capabilities are supported by the adapter. If the GPKI adapter defines user parameters for the
selected capability, you will be presented with an interface to specify values for each of those. The
parameters are specific to a capability; different capabilities have different sets of user parameters.
Note: For information on configuring Microsoft Certificate Services to work with Device Manager, see
Configuring Device Manager with Microsoft Certificate Services.
1. In the Device Manager web console, click Options.
2. In the Options dialog box, select PKI > Credential Provider.
3. In the Define a new credential provider dialog box, on the General tab, enter the following information:
a. Credential Provider name. Type a unique name for the new provider configuration. This name will be used
subsequently to refer to the configuration in other parts of the administration console.
b. Description. An optional description for the configuration.
c. Issuing method. The method by which the system should obtain certificates from the configured entity. Select a
Microsoft or GPKI entity.
4. On the CSR tab (sign method only), you can configure the parameters for the key pair that will be created during
issuance, as well as the parameters of the new certificate:
a. Key algorithm. The key algorithm for the new key pair. Available values are RSA, DSA and ECDSA.
b. Key size. The size, in bits, of the key pair. Note that which values are permissible depends on the type of key (for
instance, the maximum size for DSA keys is 1024 bits). To avoid false negatives (which will be dependent on
the underlying hardware or software), Device Manager will not enforce key sizes. You should always test
Credential Provider configurations in a test environment before activating them in production.
c. Signature algorithm. The signature algorithm for the new certificate. Values are dependent on the key
algorithm; in this case, Device Manager will limit your choices to matching values.
d. Subject name. The Distinguished Name (DN) of the new certificate’s subject. The format the system
expects is as described in [5]. Note that you can use Device Manager macros for the DN field values. For
example: CN=${user.username}, OU=${user.department}, O=${user.companyname},
C=${user.c}
e. Subject alternative names. X.509 subject alternative names. To create a new entry, click New
alternative name; then click on the first column to select the type of alternative name from those available;
and finally enter a value in the second column. Note that as for the subject DN, you can use Device Manager
macros in the value field.
5. Next, click the Distribution tab. Here, you are required to specify the issuer CA of the certificates returned by the PKI
entity in the configuration you have selected. You will be offered to choose one of the CA certificates defined on the
entity. If the issuing method for this Credential Provider is sign, you will also be able to configure the delivery method;
since the fetch method retrieves the key pair from the PKI server and hence there is no key generation involved at all,
distributed key generation is not available with that method.
6. Next, select the Revocation XenMobile tab. On this tab, you can configure the conditions and actions for the internal
revocation of certificates. You can opt to have certificates revoked under the following conditions:
a. When they are removed from the device, that is, either when the system detects that they have been removed
from the device without server interaction, or when the server has removed them subsequent to the scheduling
of a removal command.
b. When they are updated on the device, that is, when they are replaced with a newer certificate for the same
function.
c. When the enrollment is revoked by the administrator.
d. When the device is deleted.
e. Or any combination of these.
You can further opt to have a notification sent when the revocation action is undertaken; to do so, simply
configure a notification template for the appropriate event type ('Certificate revoke').
In addition to these conditions, since the certificates obtained through this configuration will have come from an
external source, you can opt to propagate the revocation status externally (the common case would be to
propagate it to the PKI that issued the certificates, but your choice is not restricted in that matter). The
propagation is achieved using a GPKI entity with the revoke capability; the interface will propose the list of
revoke-capable GPKI entities that exist in the system. If the selected entity defines user parameters for the
revoke operation, you will be prompted to enter values for them. You can use Device Manager macros for the
values.
7. Next, select the Revocation PKI tab.
On this tab, you can configure the system to perform external certificate status checks for certificates issued
through this Credential Provider configuration. The checks are performed using the OCSP protocol [1] and take
place when a deployment is initiated. For the checks to occur, the back-end PKI must insert corresponding
OCSP responder address extensions (ASN.1 OID: 1.3.6.1.5.5.7.1.1) in the certificates it issues. If that is not the
case, the setting will be silently ignored.
As part of the OCSP protocol, the initiator of the OCSP request (in this case, XenMobile) must be able to validate
the OCSP responder’s (likely your PKI server) signing certificate. To that effect, as part of the external
revocation check configuration, you must specify the CA certificate of your PKI’s OCSP Responder’s
signing certificate. The CA certificate must be uploaded to the Server Certificates repository so that you can
select it in the drop-down list. Its private key is not required for this purpose.
Note that OCSP Responder certificates are usually either the CA certificate itself (that is, the CA that signed the
certificate the status of which is queried), or a certificate signed directly by that CA. In that sense, specifying that
CA certificate in this section will usually be adequate.
You can further define what actions XenMobile should undertake in the event that the OCSP verification yields a
status indicating that the certificate in question was revoked. If that is the case, you can opt to:
Do nothing.
Remove the corresponding configuration from the device, that is, the configuration the certificate in
question was deployed as part of.
Revoke the enrollment and wipe the device.
In addition to the action you opt for, you can choose to have a notification sent in that case, by selecting a
notification template for the appropriate event type (Certificate revoked by PKI). The external revocation and the
internal revocation configured in the previous tab are complementary, in the sense that if the external revocation
check yields a revoked status and you have opted, for instance, to revoke the entire enrollment in that case, then
the settings you have specified in the Revocation XenMobile tab will apply to all other certificates present on the
device. The same thing goes for all certificates that were part of the same configuration if you have merely
chosen to remove the configuration the certificate was deployed as a part of.
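The Revocation PKI step above, as an added Python example (not Citrix code): it skips certificates without the OCSP responder (AIA) extension, applies the configured action when the responder reports a revoked status, and then lets the Revocation XenMobile conditions judge the other certificates affected by that action. The OCSP query and the validation of the responder's signing certificate are outside the example; the constant names, the constructed device and the responder URL are assumptions.

```python
"""Apply the configured action after an external (OCSP) revocation check.

Added example, not Citrix code. It models the "Revocation PKI" tab: the check is
silently ignored when the certificate carries no OCSP responder (AIA) extension,
a "revoked" status triggers the configured action, and the side effects of that
action are then judged by the "Revocation XenMobile" conditions for the other
certificates on the device. The OCSP exchange itself is not modelled; the
status is passed in as the responder's answer.
"""
from dataclasses import dataclass
from typing import Dict, List

AIA_OID = "1.3.6.1.5.5.7.1.1"   # authorityInfoAccess, where the OCSP responder address lives

# Actions offered on the Revocation PKI tab (names are assumptions).
DO_NOTHING = "do_nothing"
REMOVE_CONFIGURATION = "remove_configuration"
REVOKE_ENROLLMENT_AND_WIPE = "revoke_enrollment_and_wipe"

# Two of the conditions offered on the Revocation XenMobile tab (names are assumptions).
ON_REMOVED_FROM_DEVICE = "removed_from_device"
ON_ENROLLMENT_REVOKED = "enrollment_revoked"


@dataclass
class DeployedCertificate:
    serial: str
    configuration: str            # device configuration it was deployed as part of
    extensions: Dict[str, str]    # X.509 extension OID -> value (constructed)
    internally_revoked: bool = False
    on_device: bool = True


@dataclass
class Device:
    certificates: List[DeployedCertificate]
    enrolled: bool = True
    wiped: bool = False


def ocsp_check_applies(cert):
    """Without an AIA/OCSP extension from the PKI, the external check is skipped."""
    return AIA_OID in cert.extensions


def handle_ocsp_status(device, cert, status, pki_action, internal_conditions):
    """Apply the Revocation PKI action for one certificate; returns the events that occurred."""
    events = []
    if not ocsp_check_applies(cert) or status != "revoked":
        return events                                  # nothing to do for skipped, "good" or "unknown"
    cert.internally_revoked = True                     # externally induced revocation
    events.append(f"{cert.serial}: revoked by PKI")
    if pki_action == REMOVE_CONFIGURATION:
        # Remove every certificate deployed as part of the same configuration ...
        for other in device.certificates:
            if other.configuration == cert.configuration and other.on_device:
                other.on_device = False
                events.append(f"{other.serial}: removed with configuration {cert.configuration}")
                # ... and let the internal "removed from device" condition judge each removal.
                if ON_REMOVED_FROM_DEVICE in internal_conditions and not other.internally_revoked:
                    other.internally_revoked = True
                    events.append(f"{other.serial}: internally revoked (removed from device)")
    elif pki_action == REVOKE_ENROLLMENT_AND_WIPE:
        device.enrolled = False
        device.wiped = True
        events.append("enrollment revoked, device wiped")
        if ON_ENROLLMENT_REVOKED in internal_conditions:
            for other in device.certificates:          # applies to all other certificates on the device
                if not other.internally_revoked:
                    other.internally_revoked = True
                    events.append(f"{other.serial}: internally revoked (enrollment revoked)")
    return events


def build_sample_device():
    """Constructed sample: two certificates in a Wi-Fi configuration, one in a VPN configuration."""
    aia = {AIA_OID: "OCSP;URI:http://ocsp.pki.example.test"}   # constructed responder address
    return Device(certificates=[
        DeployedCertificate("01", "wifi-corp", dict(aia)),
        DeployedCertificate("02", "wifi-corp", dict(aia)),
        DeployedCertificate("03", "vpn-corp", {}),              # no AIA: never checked
    ])


if __name__ == "__main__":
    device = build_sample_device()
    for line in handle_ocsp_status(device, device.certificates[0], "revoked",
                                   REMOVE_CONFIGURATION, {ON_REMOVED_FROM_DEVICE}):
        print(line)
```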
8. Next, select the Renewal tab.
On this tab, you can configure the renewal of certificates obtained through this configuration. Two basic operations
can be configured:
Renewing the certificate, optionally sending a notification when this is done (notification on renewal),
and optionally excluding already expired certificates from the operation. Note that 'already expired' in
this case means that their NotAfter date is in the past, not that they have already been revoked.
XenMobile will not renew certificates once they have been internally revoked.
Issuing a notification for certificates that near expiration (notification before renewal).
To have notifications sent for either case, simply specify a Notification Template for the appropriate event type.
The event type for the former is Certificate is renewed; for the latter, Certificate will expire. XenMobile will create
default Notification Templates for both these event types, but you can modify them or create new ones.
It is important to note that renewal takes precedence over notification before renewal. That is, if at a given
moment XenMobile determines that a certificate must be renewed, it will not also send a notification before
renewal (instead, the notification on renewal, if one is configured, will be used). You should configure a greater
period for the notification before renewal if you imperatively need both to be sent. Notifications before renewal
will only be sent at most once for a given certificate.
9. Click Create.
Configuring a SAML Service Provider
Device Manager supports configuration of your own Security Assertion Markup Language (SAML) service and identity
provider and SAML-based infrastructure to authenticate users and their mobile devices. With your own SAML
configuration, you do not need to pre-provision user account information in Device Manager, such as user names, group
association, or other directory attributes. SAML implementations allow network administrators to provide single sign-on
access to servers, web sites, and apps.
SAML Use Cases
Initial Registration of Mobile Device
The Device Manager agent should be able to register the device with the Device Manager server using the SAML
token. No pre-provisioning of the user name, group association, or other directory attributes in the Device Manager
server should be required.
Ongoing Authentication and Authorization for Policy Updates and Device Controls
Once the mobile device manager (MDM) agent registers the device and receives the initial policy updates, the mobile
device must be able to re-authenticate with the IDP server each time the SAML token expires, in order to receive policy
updates and allow for security actions, such as lock, revoke, wipe devices, and so on, including knowing when the user
has changed groups in a way that might affect MDM policies or authorization.
Single Sign-On With Other SAML-Enabled Applications
After the mobile device registers with the SAML token, other SAML-enabled applications should be able to
authenticate the user without prompting for the corporate credential to provide a single sign-on user experience. It
needs to be determined whether all SAML-enabled applications, including popular ones, such as SF.com, Google
Apps, Microsoft365, Box.net, and so on can be supported or only applications that are managed by Device Manager
or written to the App SDK.
Decommissioning Devices and Removing Users
When a user is removed from the corporate directory (for example, because the user leaves the organization), there must
be a mechanism to deactivate users and decommission the devices in the Device Manager server.
SAML Test Requirements
Establish a "relying party trust" between the iDP server and the Device Manager Service Provider server,
including required certificates for the trust relationship.
Develop claim attribute mapping with User ID, Group Membership, Email Address, and other directory
attributes.
Device Manager agent requests the SAML token from the customer iDP server and redirects back to Device
Manager server for mobile device registration.
SAML token on mobile device is presented to Device Manager server for device registration; Device
Manager server validates the SAML token and extracts directory attributes; the device is registered and the
user identity is created properly.
Device configuration appears as expected in the Device Manager console; for example, as the software
inventory.
All reports list devices and inventory properly.
Lock and revoke device using the Device Manager console security commands.
Change the user's group association from Group A to Group B. Push out different Device Manager policy
updates to the devices for Group A and Group B. Verify that device gets the proper (Group B) policy
updates.
Access other SAML-enabled applications using HTML-based mobile apps to determine if user is prompted
for corporate directory credentials to issue a separate SAML token.
Access other SAML-enabled application using native mobile apps to determine if user is prompted for
corporate directory credentials to issue a separate SAML token.
Remove user from directory, ensure device state is changed to inactive, and user is removed automatically.
User is able to reactivate by re-registering the device using the same SAML-based process for initial
registration.
To add a SAML service provider
1. Click Edit.
2. In the Service Provider Configuration dialog box, click the General tab and then enter the following information:
Entity ID. Enter the SAML Service Provider's Entity ID (the globally unique name given to a
SAML entity). An entity ID is typically rooted in the organization's Primary DNS Domain.
Base URL. URL of the SAML Service Provider.
Organization name. The name of your company (optional).
Organization Description. Description of your company (optional).
Organization URL. The URL of your company (optional).
3. On the Main Parameters tab, select the following options:
Supported Bindings
SAML Redirect. Select if your SAML server has implemented a URL redirect binding.
General
Sent SAML Request must be signed.
Reserved Assertion must be signed.
Received assertion must be encrypted.
Passive mode enabled (anonymous connection).
4. On the Contacts tab, you can enter the email addresses for the technical, support, and administrative contacts in your
organization.
5. On the Certificates tab, you can upload a certificate for the SAML connection, as well as the Keystore password
for SAML server authentication.
6. Click Save.
To configure a SAML identity provider
1. In the Identity Providers tab, click New.
2. In the General dialog box for the SAML Identity Provider, enter the following information:
Metadata URL. Web address used to access the SAML service provider metadata.
User domain. Domain under which the SAML metadata URL resides.
3. Click Create.
To enable Entrust PKI as an external Credential Provider
After you deploy XenMobile Device Manager, you can enable Entrust PKI Credential Provider so your users can request user
identity and device identity certificates.
Note: Before you begin, ensure that you have obtained the Entrust.war file from your Citrix Sales Engineer.
To create and edit the Entrust PKI properties file
1. On the server where the Entrust adapter is installed, drop the Entrust.war file into the path where the Tomcat server has
been installed. For example:
C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps
2. The .war package will automatically unpack and create the following folder structure: C:\Program Files (x86)\Apache
Software Foundation\Tomcat 7.0\webapps\Entrust\...
3. Create the 'custom_entrust_adapter.properties' file in a known location, such as:
C:/zenprise/custom_entrust_adapter.properties
4. In the Entrust directory, edit the following file: C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0
\webapps\Entrust\WEB-INF\classes\entrust_adapter.properties
5. Make sure that the following value points to the location of the 'custom_entrust_adapter.properties' file. For example:
CustomProperties=c:/zenprise/custom_entrust_adapter.properties
6. Configure the rest of the values in custom_entrust_adapter.properties as needed according to your server setup.
To configure Entrust as an external PKI credential provider
To configure the Entrust PKI as an external PKI credential, see the following topic:
To create a credential provider using external PKI entities.
Configuring General Security Options
You can configure security in the Options dialog box to customize the security features of the service. By default, when
Secure Device is included in the license, it is automatically activated during installation, with a strong level of security. If
you need to change those parameters, use that dialog box.
Enforce SSL. Forces devices to communicate using an SSL transport. All HTTP requests from devices will be
rejected.
Strong Authentication. Enabling Strong Authentication generates a Strong ID for devices that is then used as
a second factor of authentication during the enrollment process.
Strong ID Valid Once. Allows Strong ID passcodes to only be used once. When the Strong ID is used once
to generate a device certificate, it cannot be reused. Device has to be revoked and re-authorized.
Certificate Renewal. Sets the renewal time frame for certificates used in Strong Authentication mode. '0'
disables the certificate renewal process.
Always Add Device. Allow to automatically register devices into Device Manager even when Secure Device
is activated.
Block Rooted Android and iOS Enrollment. Enabling this function will block rooted or jailbroken devices from
enrolling.
8 Char Strong ID. Enables a Strong ID character string that is limited to 8 characters.
SHP Console for Users. Enables or Disables the Self-Help Console for user management of devices.
XDM/SHP console max inactive interval. The time (in minutes) between client requests before the server will
invalidate a session. 0 means that a session will never time out.
iOS agent auto logout (minutes). Length of time before an iOS agent user is logged out due to inactivity.
Enable client cert authentication for iOS. If enabled, iOS enrollment agent will use certificate authentication.
If disabled, iOS enrollment agent uses session based authentication.
To enable Strong ID
Strong ID is a form of two-factor authentication used to provide an extra layer of security when enrolling a device.
1. Enable Strong ID from the Options menu on the Security tab in the Device Manager web console. Citrix also
recommends that you enable 8 Char Strong ID. At this point, no devices will be able to enroll until the device's serial
number or IMEI is known.
2. Add the devices manually (or import them) from the Devices tab using the device's serial number or IMEI, which will
generate a Strong ID for the device.
3. When a user is ready to enroll, the user needs to call their administrator and give their Serial/IMEI, so the
administrator can provide the Strong ID from the device properties.
Configuring Network Access Controls
If you have a Network Access Control (NAC) appliance set up in your network (such as a Cisco ISE), you can enable
filters to set devices as compliant or not compliant for NAC based on rules or properties. If a Device Manager managed
device does not meet the specified criteria, and thus is marked Not Compliant, the device will be blocked on your
network by the NAC appliance.
To set unmanaged devices as not compliant, enable the associated filter and set it to "Not Compliant". The "Implicit
Compliant / Not Compliant" filter sets the default value only on devices that are managed by XenMobile. For example,
any devices that have a blacklisted app installed and/or are anonymous (not enrolled) are marked as Not Compliant and
will be blocked from your network by the NAC appliance.
The NAC compliance filters are as follows:
Blacklisted Apps. Device has a blacklisted app installed.
Rooted Android/Jailbroken iOS Devices
Revoked Status. Device has been revoked.
Unmanaged Devices. Device is in an unmanaged state.
Suggested Apps Only. Device has "suggested" app installed.
Inactive Devices. Device is in an inactive state.
Anonymous Devices. Device is anonymous.
Out of Compliance Devices. Device has the property Out of Compliance set to True.
Encryption. The device has disk encryption enabled.
Implicit Compliant/Non-Compliant. Indicates that if none of the above filters match, return device to be
compliant or not (according to the option selected).
Configuring Device Manager with Microsoft Certificate Services
You can configure Device Manager with Microsoft Certificate Services to generate user certificates for certificate-based
authentication with WIFI, VPN, and Exchange ActiveSync profiles. You can also configure Device Manager as a
Registration Authority to generate requests and to issue device identity certificates with Microsoft Certificate Services.
In addition, you can configure Device Manager to use external SSL server certificates and digital signature certificates from
other PKI-trusted certificate authorities.
Caution: Changing the digital signature certificate or the SSL certificate authority will disable the management of currently
enrolled devices and require a re-enrollment across all devices.
Device Manager can make certificate requests to Microsoft Certificate Services through web enrollment to enable
certificate-based authentication for WIFI, VPN, and Exchange ActiveSync profiles. Device Manager does this by acting
as a client to Microsoft Certificate Services and requesting certificates on behalf of users with enrolled devices. This
section describes how to create a Microsoft Certificate Server entity and configure Device Manager to request
certificates for users enabling certificate-based authentication.
Prerequisites
Microsoft Certificate Services running on Microsoft Windows 2008 Server R2 Standard or Enterprise Edition SP1.
Port 443 (default) open from Device Manager to the Microsoft Certificate Services server.
Microsoft KB 980436 patch needs to be installed on the Microsoft Certificate Services server.
Microsoft KB 272175 - Guidelines for configuring client certificate authentication mode for IIS 6.
Microsoft KB 953461 patch needs to be installed on the Microsoft Certificate Services server on Windows 2008 Server Enterprise.
Web enrollment for Microsoft Certificate Services needs to be enabled.
SSL enabled on Microsoft Internet Information Services (IIS).
IIS configured to accept client certificate authentication.
The client certificate in .p12 format which is used to authenticate against Microsoft Certificate Services should be copied to the Device Manager server and made accessible.
To enable Web enrollment for Microsoft Certificate Services
1. In Administrative Tools, click Server Manager.
2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
3. Select Add Role Services to install Certificate Authority Web Enrollment, if needed.
4. Select Certificate Authority Web Enrollment and then click Next.
5. Click Close or Finish when the installation is complete.
To enable IIS Web services
1. Go to Administrative Tools and click Server Manager.
2. Select Server Roles on the left side.
3. Select the Active Directory Certificate Services role and the Web Server IIS role, and click Install.
4. Close the Server Manager.
To configure Microsoft Internet Information Services for self-signed or external certificates
1. Go to Administrative Tools and click Server Manager.
2. Under Web Server (IIS), under Internet Information Services (IIS), select the host or top of the root and then click Server Certificates.
3. Create a self-signed certificate or import an external certificate.
To configure Microsoft Internet Information Services
1. In Administrative Tools, select Server Manager.
2. Under Web Server (IIS), under Role Services, verify that Client Certificate Mapping Authentication and IIS Client Certificate Mapping Authentication are installed. If not, install these role services.
3. In Administrative Tools, click Internet Information Services (IIS) Manager.
4. In the left-hand pane of the IIS Manager window, select the server running the IIS instance for web enrollment and then click Authentication.
5. Make sure Active Directory Client Certificate Authentication is Enabled.
6. Click Sites and then in the right pane, click Bindings.
   a. Add an HTTPS binding if one does not exist.
7. Go to Web Server (IIS) > Sites > Default Web Site > CertSrv.
8. Click SSL Settings and then click Accept for Client Certificates.
To create a certificate template for XenMobile certificate requests
1. Open an MMC Console with a domain administrator account and then add a Snap-In for Certificate Templates.
2. Open Certificate Templates.
3. Right-click the User template and then click Duplicate Template.
4. Select Windows 2003 Server for the template type and then click OK.
5. In Template Display Name, enter a name for the certificate template. Note the actual Template Name because you will need it later in the configuration.
6. Optionally, select Publish certificate in Active Directory.
7. Click the Request Handling tab and then specify Signature and Encryption.
8. Enable or disable Allow private key to be exported.
9. Select Enroll subject without requiring any user input.
10. Select Supply in the request.
11. Click OK on the warning window.
12. Click the Security tab.
13. Grant Enroll permissions to the user account that will be making the certificate requests from Device Manager.
14. Open MMC and add a Snap-In for Certification Authority. Expand the CA server and right-click Certificate Templates.
15. Make sure that the User template exists within Certificate Templates; otherwise the server will be unable to issue a user certificate.
16. Click New and then click Certificate Template to Issue. Select the certificate template you created in the preceding steps.
To generate the XenMobile client certificate
You can request a certificate from any system in the domain; however, make sure to log on using domain service account credentials. The domain account must have local administrator rights on the system requesting a certificate from the Certificate Server.
1. Either Run As a Domain User or initiate a Remote Desktop session to a system using Domain User credentials.
2. Open a web browser and open the web enrollment page for Microsoft Certificate Services. This page is usually https://server.company.com/certsrv (certsrv is case-sensitive).
3. Click Request a Certificate.
4. Click User Certificate and then click Submit.
5. Click Install the Certificate.
To export the client certificate
The client certificate that you request must be exported as a .p12 or PKCS12 certificate and copied to the Device Manager server.
1. Export the certificate as a .p12 or PKCS12 certificate from the web browser used or from the Certificates console on the CA server.
2. Open an MMC Console and add the Certificates Snap-in.
3. Right-click the certificate that you requested and then click All Tasks and Export.
4. In the Certificate Export window, click Next.
5. Click Yes to export the private key.
6. Enter a password for the exported certificate. You will need to remember this password.
7. Enter a file name for the certificate export and then click Next.
Note: The file name cannot contain spaces.
8. Click Finish.
9. Copy the filename.pfx or filename.p12 to the Device Manager server and specify a location.
To configure a Microsoft certificate server entity
1. In the Device Manager web console, click Options.
2. In the Options dialog box, from the left side select PKI Entities.
3. Click New > New MsCertSrv entity.
4. In the Add a MsCertSrv entity dialog box, on the General tab enter the following information:
   a. Entity name. Type a name for your new entity, which you'll use later on to refer to that entity. Entity names must be unique.
   b. Service root URL. The base URL of your Microsoft CA's web enrollment service; for example, https://192.168.2.113/certsrv/ (the URL may use plain HTTP or HTTP-over-SSL).
   c. certnew.cer page name. The name of the certnew.cer page, if you have renamed it for some reason. If not, then you can leave this field empty.
   d. certfnsh.asp page name. The name of the certfnsh.asp page, if you have renamed it for some reason. If not, leave this field empty.
   e. Authentication type. Select No authentication, HTTP-Basic Authentication or SSL client certificate authentication. For the latter, you will have to upload the SSL client certificate to the repository (with its private key) and select it here.
5. Next, select the Templates tab. On this tab, you will need to list the certificate templates for your Microsoft CA. Note that those must be the internal names, not the display names.
6. Next, select the Custom HTTP parameters tab. On this tab, you can specify custom parameters that XenMobile should inject in the HTTP request to the Microsoft Web Enrollment interface. This will only be useful if you have customized scripts running on the CA.
7. Next, select the CA Certificates tab. On this tab, you will be required to inform XenMobile of the signers of the certificates the system will obtain through this entity. When your CA certificate is renewed, all you need to do is update it in the repository and then the change will be applied to the entity transparently.
8. Click Create.
To configure a Microsoft certificate services policy
Before you can configure a Microsoft certificate services policy, you need to configure a Microsoft CA credential provider in the Device Manager Options dialog box. Once the Microsoft CA credential provider has been configured, you can create the policy that references the provider. For instructions, see PKI entities.
1. Click the Policies tab in the Device Manager console.
2. On the left-hand pane, under iOS, click Configuration profiles.
3. Click New > Configuration Profiles and Settings > Credentials.
4. In the Credential configuration creation dialog box, on the General tab, enter the following information:
   a. Identifier. Type a name for the profile that identifies it uniquely to the user. This name must be unique and not in use by any other profile; if this name matches the name of another policy, the first policy will be overwritten.
   b. Display name. Type the name of the profile as it will appear in the Device Manager web console.
   c. Organization. Type your company or organization name.
   d. Description. Type an optional description of the policy.
   e. In the Allow Profile Removal section, choose one of the following:
      Always. Allows the profile to always be removable.
      Authentication. Allows you to enter a required password that is used when the profile is removed. Requires a password.
      Never. Prevents the profile from ever being removed.
   f. Select the Automatic Removal Date check box if you want to select a specific date on which to remove the profile.
   g. Select the Duration until removal (in days) check box to specify a period of time after which the profile will automatically be removed.
5. Next, select the Credential tab, and configure the following settings:
   a. Credential Type. Select Credential Provider.
   b. Credential Provider. Select the Microsoft CA credential provider you previously configured in the Device Manager Options dialog box.
6. Click Create.
This policy can now be deployed to iOS devices. For information, see Creating Deployment Packages.
To create a credential provider using external
Configuring an OpenTrust PKI Adapter for Device Manager
XenMobile OpenTrust Adapter was validated with OpenTrust PKI Version 4.7.1 (r131349).
The XenMobile OpenTrust Adapter is a web application running on Tomcat. It requires:
Windows 2008 R2
Java 1.6.0_29 or above, 32-bit version
Apache Tomcat 7.0.27
Note: You only need the Tomcat core features, not the manager or the documentation (unless you need them). After installation, you can also delete the directory /webapps/ROOT.
The XenMobile OpenTrust Adapter provides an interface that allows Device Manager to submit certificate requests for a signature to an OpenTrust Certificate Manager server. Device Manager submits a request to the OpenTrust adapter to sign a certificate. The OpenTrust Certificate Manager receives the request, signs the certificate and returns it to Device Manager. Device Manager makes these certificate requests in order to generate device identities for mobile device management mutual authentication, or user credential certificates to be used in conjunction with WiFi, VPN, and Exchange ActiveSync profiles for iOS devices. XenMobile recommends that the OpenTrust Adapter be installed on a separate server from the Device Manager host, using its own instance of Tomcat 7.0.
To install OpenTrust Adapter
1. Copy the provided WAR file to the Tomcat webapps directory. You can change the WAR file name to fit the usage of this adapter instance (wifi_certificate, exchange_certificate, and so on).
2. Start Tomcat. It will automatically expand and install the web application in its directory.
3. To check that the adapter is properly running, connect to http://<host>:<port>/<adapter name>/ (substitute the Tomcat host, its port and the name of the WAR file you deployed). The SOAP services page appears.
To obtain an authentication certificate from OpenTrust PKI
The authentication between the OpenTrust Adapter and the OpenTrust PKI server is secured by using a client certificate that needs to be generated from the OpenTrust PKI server.
1. Log in to the OpenTrust PKI server, browse to Enrollment Entity and then click Request a Certificate.
2. Select Other and then click Next.
3. Select Authentication and then click Next.
4. Enter the required parameters and then click Next.
5. You now need to validate the certificate request. Navigate to Registration Authority > Enrollment List > Certificate Requests.
6. Select your certificate request and then click Process selected requests.
7. Click Approve.
8. You now need to retrieve the certificate. Navigate to Enrollment Entity > Search for a Certificate > Enrollment.
9. Enter your search criteria and then click Search.
10. Find your certificate and then click the name.
11. Click Integrate this certificate into your browser (or smartcard).
12. Open the certificate store of your web browser. For example, with Firefox, navigate to Options, click the Encryption tab and then click View Certificates.
13. In the Certificate Manager, click the Your Certificates tab.
14. Select your certificate and then click Backup.
15. Enter the password and save the resulting p12 file. You will need the file and password when you configure the adapter.
To set up access rights on OpenTrust PKI
You need to provide the required access rights to the generated identity.
1. Navigate to Access Control.
2. Select your User.
3. If you already have a group defined to allow SOAP access to the Registration Authority, you can add this user to this group. Select the group and then click Save.
4. To give individual rights to that user, click the Rights on Modules tab.
5. Select the Execute check box to give access rights to the Registration Authority.
6. Click the Rights on Zones & Profiles tab.
7. For each profile you want the user to be able to control, next to Enrollment, select the Execute check box.
8. Click Save.
To configure the OpenTrust adapter
1. Open the file opentrust_adapter.properties in tomcat/webapps/<adapter name>/WEB-INF/classes (where <adapter name> is the name of the WAR file you deployed) and edit it accordingly:
Key Value
OpenTrust.RA.Url Web address used to access the SOAP interface of the OpenTrust PKI server
Enrollment.Profile OpenTrust Profile name used by this instance
KeyPair.FileName Path to the keypair used to authenticate to the OpenTrust PKI SOAP interface
KeyPair.Psw Password of the above mentioned keypair
To set the connection to the adapter
1. To configure Device Manager with your adapter, on the Options menu, click PKI Entity.
2. Click New and then enter the required information:
Parameter Value
Entity Name Name your adapter connection.
URL Enter the URL of the adapter web services interface: http://<host>:<port>/<adapter name>/GpkiAdapter?wsdl
Certificate path If you are using an authenticated HTTPS connection, select your client cert (p12).
Certificate password Enter the password for the above p12.
3. Click Load to initiate the connection with the adapter.
4. Click Ping to check the connectivity.
5. Click Create to save the adapter configuration.
To configure an iOS profile to deliver certificates to iOS devices
To deliver certificates to iOS devices, you need to configure an iOS profile in Device Manager. For more information on configuring PKI integration with Device Manager, see About XenMobile PKI.
1. Click the Policies tab.
2. On the left side, under iOS, click Configurations.
3. Create a new policy for the PKI authority that you installed by clicking New > Configuration Profiles and Settings > Credentials.
4. On the General tab, enter the following information:
   a. Identifier. Enter a unique identifier to distinguish the certificate policy.
   b. Display name. Enter a name that will be used to label the policy on the device.
   c. Organization. Enter your company name here.
   d. Description. Type an optional description.
5. In Allow profile removal operation, click one of the following options:
   Always: This option allows the profile to always be removable.
   Authentication: Allows you to enter a required password that is used when the profile is removed. Requires a password.
   Never: Prevents the profile from ever being removed.
6. Select the Allows you to select a specific date check box to specify a date on which you want to remove the profile.
7. Select the Duration until removal (in days) check box to set a period of time after which the profile will automatically be removed.
8. Next, on the Credential tab, enter the following information:
   a. Credential name. Provide a unique name for the credential.
   b. Description. Optionally, you can type a description for the credential.
   c. Credential Type. Select a credential type according to the PKI configuration you have set up for Device Manager, such as a certificate, a keystore, a server certificate, or a credential provider.
   d. Credential file path, Server certificate, or Credential provider. Select the path or the name of the credential you are adding to the policy. If you are using a Keystore file, then you need to provide the keystore password.
9. Click Create.
To configure an OpenTrust adapter to use HTTPS by using a self-signed certificate
If you want the adapter to be accessible using HTTPS, you need to configure the Tomcat connector accordingly. You can configure the adapter by using a self-signed certificate. This process uses openssl and the java keytool.
1. Create a directory called certs. In that directory, create another directory called ca.
2. Create a root CA. You need to adapt the subject name and passwords to fit your needs. In the certs directory, issue the following commands:
openssl genrsa -aes256 -passout pass:zenprise -out ca/ca.key 1024
openssl req -new -x509 -passin pass:zenprise -key ca/ca.key -out ca/ca.pem -days 3650 -subj "/C=US/ST=CA/L=RWC/O=Zenprise/OU=Zenprise/CN=ZenTestCA/emailAddress=none@zenprise.com"
openssl x509 -inform PEM -in ca/ca.pem -outform DER -out ca.crt
3. Create an HTTPS certificate using that CA. Change at least the CN to fit the XenMobile OpenTrust Adapter server name. For example:
openssl genrsa -aes256 -passout pass:zenprise -out server-key.pem 1024
openssl req -new -passin pass:zenprise -subj "/C=US/ST=CA/L=RWC/O=Zenprise/OU=Zenprise/CN=MyServerName.zenprise.com/emailAddress=none@zenprise.com" -days 3650 -key server-key.pem > server.csr
openssl x509 -req -passin pass:zenprise -in server.csr -out server-crt.pem -CA ca/ca.pem -CAkey ca/ca.key -CAcreateserial -CAserial ca.srl
4. Create a p12 containing your key and certificate.
openssl pkcs12 -export -in server-crt.pem -inkey server-key.pem -out MyServerName.p12 -name server
5. Create a java keystore containing that PKCS12 file.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore MyServerName.p12 -srcstoretype PKCS12 -alias server
6. Modify the Tomcat server.xml file to create the HTTPS connector. The file needs to reference the keystore previously created. For example (the port, protocol and SSLEnabled attributes are the standard Tomcat 7 HTTPS connector attributes and are an assumption here; adjust the port to your environment):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\Zenprise\Apache Software Foundation\Tomcat 7.0\conf\keystore.jks" keystorePass="changeit"/>
7. Import the root cert into the java keystore of Device Manager so that this server certificate can be trusted. On the Device Manager server, issue the following command:
keytool -import -trustcacerts -alias root -file ca.crt -keystore cacerts
The keystore file used by Java (cacerts) is usually located in: C:\Program Files\Java\jdk1.6.0_22\jre\lib\security
To configure Device Manager to generate identity certificates from the OpenTrust adapter
You will need to generate a certificate from OpenTrust with the following keyUsage:
keyEncipherment
digitalSignature
Furthermore, you will need an OpenTrust root certificate and a CA certificate.
Caution: This procedure will invalidate all certificates used previously by Device Manager. All devices using a certificate to authenticate, such as iOS, Android, Symbian, and Windows Mobile devices using Strong Authentication mode, will need to be re-enrolled.
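As an added example (not Citrix or OpenTrust code), a pre-flight check in Python for the requirements this section and the pki.xml sample comments place on the RA encryption and RA signing certificates: issued by the CA certificate named in caCertificate, and carrying keyUsage keyEncipherment (encryption cert) or digitalSignature (signing cert). It uses the third-party cryptography package; the CA and RA certificates it builds are constructed test data generated in memory, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _key_usage(digital_signature=False, key_encipherment=False, cert_sign=False):
    """Build a KeyUsage extension with only the bits this example cares about."""
    return x509.KeyUsage(
        digital_signature=digital_signature, content_commitment=False,
        key_encipherment=key_encipherment, data_encipherment=False,
        key_agreement=False, key_cert_sign=cert_sign, crl_sign=cert_sign,
        encipher_only=False, decipher_only=False)


def make_cert(subject_cn, public_key, issuer_cert, issuer_key, key_usage, is_ca=False):
    """Issue a certificate; issuer_cert=None produces a self-signed root."""
    now = datetime.now(timezone.utc)
    issuer = _name(subject_cn) if issuer_cert is None else issuer_cert.subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(key_usage, critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def check_ra_cert(ra_cert, ca_cert, role):
    """Check an RA certificate against the pki.xml requirements.

    role is "encryption" (needs keyEncipherment) or "signing" (needs
    digitalSignature). Returns a list of problems; empty means usable.
    """
    problems = []
    try:
        if not ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("caCertificate is not marked as a CA")
    except x509.ExtensionNotFound:
        problems.append("caCertificate has no basicConstraints extension")
    if ra_cert.issuer != ca_cert.subject:
        problems.append("issuer name does not match the CA certificate subject")
    try:
        # Verify the RA certificate was really signed with the CA's key (RSA PKCS#1 v1.5).
        ca_cert.public_key().verify(
            ra_cert.signature, ra_cert.tbs_certificate_bytes,
            padding.PKCS1v15(), ra_cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature was not made by the CA certificate's key")
    try:
        usage = ra_cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return problems + ["no keyUsage extension"]
    if role == "encryption" and not usage.key_encipherment:
        problems.append("keyUsage lacks keyEncipherment")
    if role == "signing" and not usage.digital_signature:
        problems.append("keyUsage lacks digitalSignature")
    return problems


def build_sample():
    """Constructed test data: a CA plus one good and two faulty RA certificates."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ra_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = make_cert("Sample OpenTrust CA", ca_key.public_key(), None, ca_key,
                   _key_usage(cert_sign=True), is_ca=True)
    good = make_cert("RA", ra_key.public_key(), ca, ca_key,
                     _key_usage(digital_signature=True, key_encipherment=True))
    sign_only = make_cert("RA sign-only", ra_key.public_key(), ca, ca_key,
                          _key_usage(digital_signature=True))
    # Same issuer name as the CA, but signed with a key that is not the CA's.
    wrong_signer = make_cert("RA", ra_key.public_key(), ca, other_key,
                             _key_usage(digital_signature=True, key_encipherment=True))
    return ca, good, sign_only, wrong_signer


if __name__ == "__main__":
    ca, good, sign_only, wrong_signer = build_sample()
    for label, cert, role in [("good/encryption", good, "encryption"),
                              ("sign-only/encryption", sign_only, "encryption"),
                              ("wrong-signer/signing", wrong_signer, "signing")]:
        print(label, check_ra_cert(cert, ca, role) or "OK")
```

Run the same checks against the real otroot.cer / otinter.cer and the RA PKCS12 before editing pki.xml, since a mismatch only surfaces later as a failed device enrollment.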
1. Modify pki.xml. This file is located in tomcat/webapps/zdm/WEB-INF/classes. Open it with a text editor and modify it as follows. Keep in mind the following considerations:
   Path to the certificates.
   keyUsage of the certs.
   Name of the OpenTrust connector in the console.
   The CSR template that has to match your profile definition on the OpenTrust PKI Server.

The sample below shows the attribute and comment lines of pki.xml; the bean element tags themselves (element names, ids and classes) are not reproduced.
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd
">

p:certificateFilePath="${ios.mdm.pki.ca-root.certificatefile}"
p:publiclyTrusted="false"
/>

p:keyStoreType="${ios.mdm.pki.ca-mdm.keystoretype}"
p:keyStorePath="${ios.mdm.pki.ca-mdm.certificatefile}"
p:entryAlias=""
p:keyStorePass="${ios.mdm.pki.ca-mdm.privatekey.password}"
p:publiclyTrusted="false"
p:issuerParams-ref="legacyRoot"
/>

p:keyStoreType="${secure.device.keystore.type}"
p:keyStorePath="${secure.device.certificate.file}"
p:entryAlias="${secure.device.alias}"
p:keyStorePass="${secure.device.private.key.password}"
p:publiclyTrusted="false"
p:issuerParams-ref="legacyRoot"
/>

p:keyStoreType="${ios.mdm.pki.ssl.keystoretype}"
p:keyStorePath="${ios.mdm.pki.ssl.certificatefile}"
p:entryAlias=""
p:keyStorePass="${ios.mdm.pki.ssl.privatekey.password}"
p:publiclyTrusted="false"
/>

p:certificateFilePath="C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\otroot.cer"
p:publiclyTrusted="false"
/>

p:certificateFilePath="C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\otinter.cer"
p:publiclyTrusted="false"
p:issuerParams-ref="OT_Root_cert"
/>

p:keyStoreType="PKCS12"
p:keyStorePath="C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\otadmin.p12"
p:entryAlias=""
p:keyStorePass="opentrust"
p:issuerParams-ref="OT_CA_cert"
/>

<!--
This CA's certificate.
WARNING! In order for tomcat to accept clients presenting identities
issued by this CA, tomcat's truststore has to be modified accordingly
(e.g. installing in it the certificate referred to here).
-->

<!-- This is the GPKI entity name as defined in the console. -->

<!--
If the adapter defines user parameters (i.e., non-injected parameters),
then they can be defined here. EMC adapter currently does not define
any parameters.
-->

<!--
RA encryption cert. MUST be issued by the certificate referred to
in property caCertificate, i.e. the CA certificate, i.e. the certificate
that will sign device identities.
This cert MUST have keyUsage: keyEncipherment.
RA encryption cert may be the same one as RA signing cert.
-->

<!--
RA signing cert. MUST be issued by the certificate referred to
in property caCertificate, i.e. the CA certificate, i.e. the certificate
that will sign device identities.
This cert MUST have keyUsage: digitalSignature.
RA signing cert may be the same one as RA encryption cert.
-->

<!--
Template for the CSR.
WARNING! Macros have to be specified using '%{...}', instead
of '${...}', in XML files.
-->

<!-- The following are samples. Remove or add others as you like. -->

<!-- The following are samples. Remove or add others as you like. -->

<!--
The ZdmCertificateFactory builds public key certificate objects
from either PublicCertFileParams, PrivateCertFileParams or
KeyStoreParams; and private key certificate objects (public
key + private) from PrivateCertFileParams and KeyStoreParams.
Factory method for the former is: buildPublic; for the latter: buildPrivate.
-->
To add certificates to the Device Manager keystore
You now need to add the intermediate and root CA certificates to the Device Manager keystore.
1. Use the java keytool command (adapt the path to your environment):
"C:\Program Files\Java\jdk1.6.0_23\jre\bin\keytool" -importcert -trustcacerts -alias "externalCA" -file "C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\mycert.cer" -keystore "C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\cacerts.pem.jks" -storepass notMeaningFul
2. Restart the Device Manager service to activate the new PKI usage.
To activate logging on Device Manager for the adapter
Logs from the adapter can be found in the tomcat/logs directory of the adapter.
1. Add a new logger in the log4j configuration to ensure proper error handling and auditing. In Internet Explorer, navigate to the following URL based on your installation: http://<host>:<port>/<webapp>/log.jsp (substitute the Device Manager host, its port and the web application name).
2. Navigate to the bottom of the table and in Add New Logger, add an entry for com.sparus.nps.pki.
3. Set the logging level to TRACE.
Configuring the XenMobile RSA Adapter
The XenMobile RSA Adapter provides an interface that allows Device Manager to submit certificate requests for a
signature to an RSA Certificate Manager server. Device Manager submits a request to sign a certificate to the RSA
adapter. The RSA Certificate Manager receives the request and uses the RSA Xuda Libraries to sign the certificate. The
Certificate Manager returns the signed certificate to Device Manager.
Device Manager makes the certificate requests in order to generate device identity for mobile device management
(MDM) mutual authentication, or to generate user credential certificates to be used in conjunction with WiFi, VPN, and
Exchange ActiveSync profiles for both iOS and Android devices.
Prerequisites
Citrix recommends the following prerequisites:
Install the RSA Adapter on its own server, separate from the server running Device Manager, and use a 32-bit instance of Tomcat 6.0.
Device Manager Versions 7.0, 7.1, or 8.0.1.
JAVA SDK 1.6 or later.
XenMobile RSA Adapter Certificate Manager Requirements
To install the XenMobile RSA Adapter, the following RSA Certificate Manager configurations are required. For the
proper settings, consult your RSA Certificate Manager Installation Guide.
RSA Certificate Manager Installable Elements
RSA CA Manager version 6.8 build 519 or later
RSA Certificate Authority Version 6.8 Build 519 or later
No special OSI-level privileges
RSA Certificate Manager Configurable Elements
Configuration of CRL publishing: N/A
Configuration of OCSP responder: N/A
Configuration of certificate publishing: N/A
Partner Product Installable Elements
Tomcat 6.0 or later, 32 bit
Java SDK 1.6 or later
Partner Product Configurable Elements
CRL checking mechanism: N/A
OCSP checking mechanism: N/A
Trust validation: N/A
Enrollment: N/A
General modifications to the partner product: N/A
Installing and Configuring the XenMobile RSA Adapter
The XenMobile RSA Adapter provides a mechanism for Device Manager to sign and revoke certificates against an RSA Certificate Authority Version 6.8. The RSA Adapter enables device identity for mobile device management (MDM) mutual authentication and user credential certificates for use in conjunction with WiFi, VPN, and Exchange ActiveSync profiles. You perform the following tasks to install the RSA Adapter:
1. Set the Java SDK path on the Windows-based computer where you will install the RSA Adapter.
2. Configure the correct port (80) on your Tomcat server.
3. Copy the RSA Adapter installation and configuration files into a target installation directory.
4. Edit the RSA Adapter properties file with values obtained from the RSA Certificate Authority Manager Console.
5. Copy the RSA Certificate Authority Manager .cert and .key files to the installation computer.
6. Execute the RSA Adapter installation executable to install the software.
7. Verify the installation in a browser.
You perform the following tasks to configure the RSA Adapter:
1. Create and configure a PKI entity profile in Device Manager to be able to connect to the RSA Web Services Description Language (WSDL).
2. Create an iOS profile to enable use of the Certificate Authority.
3. Add a new logger in the log4j configuration to ensure proper error handling and auditing.
4. Configure the new PKI profile so it can be deployed to an iOS device and validated.
To install the RSA Adapter on Windows Server
1. Make sure you have access to the zenadapter.war file that is included as part of the RSA Adapter product distribution.
2. On the Windows server where you are installing the RSA Adapter, set the path to include the JAVA SDK 1.6+. For example, \Program Files (x86)\Java\jdk1.6.0_29\bin.
3. Next, configure the Tomcat server to run on port 80, instead of the default port of 8080:
   a. Navigate to the %TOMCAT_HOME%/conf directory.
   b. Edit the server.xml file: change the port attribute of the non-SSL Connector from 8080 to 80.
4. On the installation computer, create a new directory named C:\zenprise.
5. Unzip and copy the entire contents of the RSA Adapter zip package to the directory named C:\zenprise.
6. Create a passphrase file that stores a passphrase that will be used by the RSA Adapter. Before you execute this command, make sure you are logged in as the Service Account user. The Service Account user you log in as must be the same Service Account that the Tomcat server runs as.
7. Open the Windows command prompt and change directories to the location of the C:\zenprise folder.
8. From this directory, execute the following command: java -jar WinDPHarness
Note: Note the file path name used in this command, because you will need it when you edit the prop.txt file in the following step.
9. Open the C:\zenprise\prop.txt file in a text editor and set the following attributes in the file, for example:
ldapport=636
ldaphost=rsa1.kqe.zenprise.com
camd5=a2064dd584c7025f03ceb0443ca0fe9e
keyfile=C:\\zenprise\\admin.key
certfile=C:\\zenprise\\admin.cert
protectFlag=0
juriID=fe109c4d64430faf6d614c08b75312b0b7e31226
passphrasefile=C:\\zenprise\\passcode.txt
profileflag=1
profileID=AC1E02D427C3D8
keepldapopen=1
Note: These properties are available in your RSA Certificate Authority Manager console. Refer to your RSA Certificate Authority Manager guide for instructions on where to access these properties.
10. From the RSA Certificate Authority Manager server, copy the two RSA CA Manager files (.cert and .key) to the C:\zenprise folder on the computer where you are installing the RSA Adapter.
11. Copy the zenadapter.war file to the %TOMCAT_HOME%\webapps folder.
12. From your command prompt, execute the following commands:
cd %TOMCAT_HOME%\webapps
jar xvf zenadapter.war
Stop Tomcat
Start Tomcat
13. Verify that the installation was successful. In Internet Explorer (8 or later), navigate to http://HOST_WITH_ADAPTER_TOMCATINSTANCE/zenadapter.war. A page with the adapter WSDL and link should appear.
To configure the RSA Adapter in the Device Manager web console
To configure the RSA adapter in the Device Manager web console, you first configure a new PKI entity. Next, you create a
new iOS profile to enable use of the Certificate Authority.
To configure a new PKI entity
Log on to the Device Manager web console and then click Options.
In the dialog box, under , click .XenMobile Server Options PKI Entities
In the screen, click and then click .PKI entities configuration New New generic PKI entity
Enter a name and then enter a URL for the WSDL that you installed when you finished the RSA Adapter installation.
For example: http://zdm.zenprise.com/gpki/sample.
If the adapter is available over HTTPS/SSL, upload the SSL client certificate. If you are not using SSL, skip to the next
step.
Click Load.
Test the connection to the adapter. Click the Capabilities tab and then click Ping. A "Ping Successful" message should appear.
To create a new iOS profile
Click the Policies tab and then expand iOS Configurations.
Create a new policy for the PKI authority that you installed by clicking New Profile.
On the same server running Device Manager, add a new logger in the log4j configuration to ensure proper error handling and auditing. In Internet Explorer, navigate to the following Web address based on your installation: http:////log.jsp
Navigate to the bottom of the table and add a new logger entry for com.sparus.nps.pki.
Set the logging level to TRACE.
Test the deployment profile on a new iOS device by moving the new PKI package into the Resources to Deploy
section so you can deploy the package to an iOS device.
Register a new device that is targeted with the package and verify that you see the new certificate on the iOS device.
If the package does not deploy, check the log file and then contact IT support.
Configuring an SSL Certificate from an External Certificate Authority
Before you configure an external Certificate Authority (CA) by using SSL, the following files should be on the Device
Manager server and accessible by the Device Manager server:
An external SSL certificate file in .p12 format issued by a trusted CA that includes the root and intermediate.
The file name, externalSsl.p12, is used as an example in this procedure.
A password for the .p12 certificate file should be known by the installing party.
You need to configure two XML files: The pki.xml file located in the \..\tomcat\webapps\zdm\WEB-INF\classes directory and
the server.xml file located in the \..\tomcat\conf directory.
Locate the pki.xml file in \..\tomcat\webapps\zdm\WEB-INF\classes.
To configure the external SSL certificate, add an "externalSslCert" bean to the file as shown in the following example. Modify the bold fields appropriately. The keyStorePath should reference the .p12 certificate file located on the server. The keyStorePass should contain the password for the .p12 file.
p:keyStoreType="PKCS12"
p:keyStorePath="C:\ExternalSSL_Cert\qamdm01\externalSsl.p12"
p:entryAlias=""
p:keyStorePass="xxxxxxx"
p:publiclyTrusted="true"
/>
Set externalSslCert as the sslCertificate property. Replace the highlighted line with the proper bean name you specified in the preceding step.
Locate the server.xml file in the \..\tomcat\conf directory.
Locate the Connector port="443" and modify the following two parameters for this connector to bind the external SSL certificate to this port. The keystoreFile should point to the .p12 certificate file located on the server. The keystorePass parameter should contain the password for the .p12 file.
Locate the Connector port="8443" as shown in the following example. The keystoreFile should point to the .p12 certificate file located on the server. The keystorePass parameter should contain the password for the .p12 file.
Restart the Device Manager server.
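The following fragments are an added illustration of the two edits this procedure describes; they are not taken from the Citrix documentation or from the shipped pki.xml and server.xml. They show an externalSslCert bean referenced from the sslCertificate property, and an HTTPS connector bound to the same PKCS#12 file. The bean's class attribute, the file path and the password are placeholders: keep the class attribute exactly as it appears in your shipped pki.xml, since the procedure above does not show it. The p: attribute shorthand requires the Spring p namespace declaration on the root beans element, which the shipped file already has because it uses the same shorthand.

```xml
<!-- pki.xml: external certificate bean. The class attribute is a
     placeholder; keep the value from the shipped file. -->
<bean id="externalSslCert" class="PLACEHOLDER_CLASS_FROM_SHIPPED_PKI_XML"
      p:keyStoreType="PKCS12"
      p:keyStorePath="C:\ExternalSSL_Cert\externalSsl.p12"
      p:entryAlias=""
      p:keyStorePass="PLACEHOLDER_P12_PASSWORD"
      p:publiclyTrusted="true" />

<!-- pki.xml: point the sslCertificate property of the owning bean at the
     bean above (shown as a property ref; the p: shorthand form of the
     same reference is p:sslCertificate-ref="externalSslCert"). -->
<property name="sslCertificate" ref="externalSslCert" />

<!-- server.xml: HTTPS connector on 443 bound to the same PKCS#12 file.
     keystoreFile, keystorePass and keystoreType are standard Tomcat
     connector attributes; repeat the same two edits on port 8443. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="C:\ExternalSSL_Cert\externalSsl.p12"
           keystorePass="PLACEHOLDER_P12_PASSWORD" />
```

Because the keystore password is stored in clear text in both files, restrict read access on pki.xml, server.xml and the .p12 file to the account that runs Tomcat, and verify the bound certificate after the restart by inspecting the chain that the server presents on port 443.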
Configuring a Certificate Services Entity by Using XML
Find the sample entity in the file. It will be located in a bean similar to the bold text in the following example.
…. QA-CertSrv-On-SCEP-ClientCertAuth
Rename the entity to a name for your organization (for example, Company-MS-CA). This name appears in Device Manager.
Uncomment the bean for the entity by deleting the comment characters before and after the bean: the opening <!-- (including the exclamation mark) and the ending -->.
Specify the serverBaseUrl value in the file, which should be the certificate server URL used to make a certificate request (for example, https://cert-server.company.com/certsrv).
certFinishPageName/certNewPageName: The default values may be used unless the Microsoft Certificate Server is configured to use non-default pages.
Specify the Client Certificate Authentication file, which is the certificate export file that you copied when you exported the client certificate. Modify the following values shown in bold.
C:\client-certificate-name.pfx
xxxxxxx
Specify a template name to be used for making user certificate requests from Device Manager. The name should match the certificate template name you created for certificate requests. Do not use the template display names. For example, the "iPhone Encryption" template for XenMobile certificate requests is the display name, whereas "iPhoneEncryption" is the template name. Use the template name without any spaces. The properties dialog box of the template should include both the display name and the actual template name.
CertificateTemplateName
Save the file and then restart the Device Manager server.
To create a certificate
Configuring App Controller
After you install and set up App Controller, you can configure the following features to enable you to manage apps,
users, and documents:
High availability
Clustering
Web proxy
Certificates
Roles from Active Directory groups
Categories to manage applications, stores, and web links
Applications, including MDX, mobile, Web & SaaS, and enterprise
Applications that require extra parameters
SAML or HTTP Federated Formfill connectors
Applications for user account creation and management, including workflows
Roles and categories
ShareFile for user data and documents, including Storage Zones
Lock and erase applications and data
Web links
Connections between Device Manager and App Controller
Preparing Mobile Apps with the MDX Toolkit
Citrix provides the MDX Toolkit so that you can wrap a mobile app for iOS or Android with Citrix logic and policies. The
tool can securely wrap an app that was created within your organization or a mobile app made outside the company.
The Worx App SDK libraries install in the Citrix/MDXToolkit/data/MDXSDK and MDXSDK_Android folders. The
MDXSDK folder is required for the integration of wrapped iOS mobile apps with Citrix Worx. When you wrap iOS apps
that include the Worx SDK libraries, you can publish the apps in the Apple App Store and the Citrix Worx Store. After
the app is wrapped, you can upload then the app to App Controller. For more information about the Worx App SDK,
such as an overview for ISVs, and to download the SDK, see Worx App SDK on the Citrix web site.
Prerequisites
The MDX Toolkit requires the Java Development Kit (JDK) 1.7. You can download the JDK 1.7 from Java SE Development Kit Downloads on the Oracle web site. The instructions for installing the JDK on Mac OS X are on the Computech Tips web site.
Before you wrap an iOS app, download and install the iOS Distribution Provisioning Profile and Distribution Certificate to
your computer. The provisioning profile signs the app for distribution.
Wrapping Android Mobile Apps
For Android apps, you need to follow these basic steps:
Specify an Android mobile app APK file. When you click Next, the MDX Toolkit validates the Android SDK path. If the tool cannot validate the path, you can browse to the SDK on your computer.
Choose the JDK on your computer for wrapping Android mobile apps. If the JDK is not installed on your computer, the tool prompts you to install it. When you click Install, the tool locates the JDK on the Web and then installs it on your computer. Make sure you install version 1.7.
Choose the Android Software Development Kit (SDK) on your computer for wrapping Android mobile apps
and choose the Android APK tool.
Choose the keystore for signing Android mobile apps. When you wrap the app, you must provide the
keystore that was created when the app was developed. The Android operating system requires that all
installed mobile apps be digitally signed with a certificate with a private key that is held by the developer.
The certificate does not need to be signed by a Certificate Authority. Android mobile apps can use self-signed certificates. For more information about signing Android mobile apps, see the Android developers web site.
When you wrap the mobile app with the MDX Toolkit, you can select the Use debug keystore option. This option allows you to sign the mobile app if the release keystore is not available during development. To create an Android app that users install on their devices, you must create a retail build of the app and disable Use debug keystore so you can sign the package with a real key. A keystore can contain multiple private keys; in most cases it will contain only one key. If the keystore contains multiple private keys, when you wrap the app, you can select the key alias. When the MDX Toolkit finishes wrapping the app, the app file name includes _andr. The file type is .mdx.
Wrapping iOS Mobile Apps
For iOS apps, you need to follow these basic steps:
Specify an iOS mobile app IPA file.
In the MDX Toolkit wizard, choose the option to deploy the app from XenMobile or to deploy the app from
the Apple App Store.
Choose the iOS Distribution Provisioning Profile and Distribution Certificate to sign the app for distribution.
When the MDX Toolkit finishes wrapping the app, the app file name includes _iOS. The file type is .mdx.
When you run the MDX Toolkit, the app determines the application type and version. You can select the minimum and
maximum operating system versions.
Uploading the Wrapped App and Configuring Policies
After you complete wrapping the app, you then upload the MDX file to App Controller. You use the App Controller
management console to configure specific app details and policy settings that Citrix Receiver or the Worx Store
enforces. When users log on, the app appears in the store. Users can then subscribe, download, and install the app on
their device. For more information about configuring the app details and policy settings in App Controller, see
Adding Apps.
System Requirements for Wrapping Mobile Apps
The following are system requirements for wrapping iOS and Android mobile apps.
The MDX Toolkit requires the Java Development Kit (JDK) 1.7. You can download the JDK 1.7 from Java SE Development Kit Downloads on the Oracle web site. The instructions for installing the JDK on Mac OS X are on the Computech Tips web site.
Operating System
You can run the MDX Toolkit for wrapping iOS and Android apps on Mac OS X Versions 10.7 (Lion), 10.8 (Mountain
Lion), or 10.9 (Mavericks).
Tools for Wrapping iOS Mobile Apps
You must obtain the iOS Distribution Provisioning Profile from Apple that allows Apple to sign the app. For more information about obtaining provisioning profiles, see the Apple Web site.
Any app that runs on a physical iOS device (other than apps in the Apple App Store) needs to be signed with a
provisioning profile and a corresponding certificate. There are two kinds of profiles: Enterprise and Ad Hoc.
The Enterprise profile allows you to run the app on unlimited devices
The Ad Hoc profile allows you to run the app on up to about 100 devices
To wrap apps, Citrix recommends using the Enterprise profile. You can purchase the profile from the Apple web site.
Note: If you are running Apple Xcode 4.5 or later versions, you also need to install the Xcode command-line tools from the Xcode Apple Developer web site. Mac OS X Mavericks 10.9, for example, does not install the command-line tools automatically. To install the tools, do the following:
In Applications > Utilities, click Terminal to use the Mac command-line interface.
Type the following command:
xcode-select --install
Be sure to include two hyphens before the word install in the command.
Tools for Wrapping Android Mobile Apps
To wrap Android mobile apps, you must install the following on your computer before running the MDX Toolkit:
Android Software Development Kit (SDK).
Digitally signed certificate whose private key is held by the application's developer. For more information about the certificate, see Signing Your Applications on the Android Developers web site.
You must sign your applications with a key that meets the following guidelines:
1024 bit keysize
DSA key algorithm (keyalg)
SHA1with DSA signing algorithm (sigalg)
You need to add the Android SDK path in the PATH environment variable on your computer. You can also provide the
PATH variable in the MDX Toolkit during the wrapping process. You also need to add the APK Tool installation path in
the PATH environment variable.
Integrating the Worx SDK into iOS Mobile Apps
The MDX Toolkit supports Apple App Store deployment by including the Worx SDK. When you install the MDX Toolkit,
the Worx framework files also install and appear in the MDX SDK folders on your computer in the tool and data
directories. The MDX SDK folders are required for the integration of wrapped iOS mobile apps with Citrix Worx. For
example, third-party Independent Software Vendors (ISVs) can use the MDX Toolkit to enable their apps with Worx
capabilities and deploy them directly from the Apple App Store. They can publish iOS apps that include the Worx
framework in the Apple App Store and the Citrix App Gallery. After users install these apps on their devices, IT
administrators can manage the apps in XenMobile App Edition.
When you send the files that include the Worx SDK to Citrix for approval, you can then upload the app to the Apple App
store and send the URL to Citrix. The app is updated with the final app URL and is added to the app catalog hosted by
the Citrix App Gallery.
Worx SDK Dual-Mode App Behavior
When you run the MDX Toolkit, the inclusion of the Worx SDK allows for the choice of the following two modes:
Unmanaged mode. Apps that are integrated with the Worx SDK can run independently of Worx. Apps that are not associated with a XenMobile store are considered to be running in unmanaged mode. These apps can transition to managed mode when certain conditions are met.
Managed mode. Apps that are integrated with the Worx SDK can run in managed mode when they are bound to the Worx Store. When the apps are in managed mode, the MDX policies set by the IT administrator for the apps are enforced. An app can transition from unmanaged to managed mode, as described in the following section.
Third-party developers can either develop two versions of an app, one that is unmanaged and one that is managed, or
they can develop a single app for both independent use and for inclusion in Worx.
Transitioning an App from Unmanaged to Managed Mode
An app can silently transition to managed mode if all of the following conditions are met:
Worx Home is installed on the user device.
A user logs on to Worx Home at least one time and has permissions to install the app.
The user subscribes to the app.
Note: An app cannot transition from managed mode back to unmanaged mode.
Wrapping Android Mobile Apps
Before you wrap an Android mobile app, download and install the following items:
Java Development Kit (JDK) Version 1.7
Android Software Development Kit (SDK)
Android APK Tool
If you do not install the JDK on your computer, when you attempt to wrap an app, you receive a message prompting you
to install or enable the JDK.
Note: If you upgrade the MDX Toolkit, ensure you save a copy of the android_settings.txt file to avoid reconfiguring after the
upgrade.
To wrap Android mobile apps
On your computer, open Applications > Citrix > MDXToolkit and then click the MDXToolkit icon to open the MDX Toolkit.
On the Deployment page, choose one of the following options and then click Next.
For IT administrators. Deploy from XenMobile to upload a .mdx file intended for IT administrators to
manage with XenMobile App Edition.
For Independent Software Vendors (ISVs). Deploy app from App Store to upload an .apk file intended
for inclusion as unmanaged apps in an app store.
If you chose to deploy the app from the app store, on the Deploy from App Store page, browse to a file on your computer depending on the following conditions and then click Next.
Browse to an .apk file if you want to deploy the app from Google Play Store.
Browse to an .mpx file if you are running the tool to change the app URL in the MDX package
metadata.
If you do not have the JDK and the Android SDK or APK tool installed, you are prompted to install or enable these
tools before the next screen appears.
On the User Settings page, under App Transition, choose one of the following options and then click Next.
MDX apps to automatically manage apps without notifying users.
App Store apps to prompt users before transitioning an unmanaged app to a managed app.
On the Verify Apps Details page, complete the following fields:
In App Name, type a name for the mobile app. This step is required.
(Optional) In Description, type a description.
(Optional) In Minimum OS version, view the minimum operating system version on which the app can run.
Important: Citrix recommends that you leave the value as it appears in the tool. If you change the value to a lower number, for example, the app may not function correctly.
(Optional) In Maximum OS version, type the maximum operating system version on which you want to allow the app to run.
(Optional) In Excluded devices, type the devices on which you do not want to allow the app to run. For Android devices, enter the manufacturer and model name, such as Samsung Galaxy Tab. The tool does not support version numbers for these devices. Separate device names by using a comma, such as Samsung Galaxy Tab, Motorola HTC.
Click Next.
On the Keystore selection page, do one of the following:
Select Use debug keystore and then click Create.
In Location, click Browse and then navigate to the keystore file on your computer.
On the Key alias selection page, in Alias, select the key and then click Create.
In Key password, enter the password for the keystore and then click Create.
In Save MDX, enter the name of the mobile app and in Where, select the location on your computer to save the wrapped app.
The MDX Toolkit appends the name of the app automatically with _andr. Citrix recommends that you leave this designation for the app.
Click Create and then click Finish when the app is wrapped successfully. A status bar appears that shows the tool is signing the app. The MDX Toolkit generates the wrapped MDX (.mdx) file. You can then upload the file to XenMobile App Edition and configure settings in the App Controller management console.
Important: If an error appears, you can identify the error by viewing the logs.
Wrapping iOS Mobile Apps
Before you wrap an iOS app, download and install the iOS Distribution Provisioning Profile and Distribution Certificate to
your computer.
The MDX Toolkit also requires the Java Development Kit (JDK) 1.7. You can download the JDK 1.7 from Java SE Development Kit Downloads on the Oracle web site. The instructions for installing the JDK on Mac OS X are on the Computech Tips web site.
When you use the MDX Toolkit wizard to generate an MDX app, you need to supply your profile and certificate in the
wizard. This process generates an MDX file that you can upload to XenMobile App Edition.
Any device on which you want to install the MDX app needs to have the provisioning profile on the device. You can distribute the profile to user devices by using an email attachment. Users can add the profile on their iOS device by clicking the attachment.
To wrap an iOS app with the MDX Toolkit
On your computer, open Applications > Citrix > MDXToolkit and then click the MDXToolkit icon to open the MDX Toolkit.
On the Deployment page, choose one of the following options and then click Next.
For IT administrators. Deploy from XenMobile to upload an .mdx file intended for IT administrators to
manage with XenMobile App Edition.
For Independent Software Vendors (ISVs). Deploy app from App Store to upload a file intended for
inclusion as an unmanaged app in an app store. These app extensions can be an .app or .ipa file for
iOS devices that have the Worx SDK embedded.
If you chose to deploy the app from the app store, on the Deploy from App Store page, browse to a file on your computer depending on the following conditions and then click Next.
Browse to an .app or .ipa file that has the embedded Worx App SDK if you want to deploy the app
from the Apple App Store.
Browse to an .mpx file if you are running the tool to change the app URL in the MPX package
metadata.
On the User Settings page, under App Transition, choose one of the following options and then click Next.
MDX apps to automatically manage apps without notifying users.
App Store apps to prompt users before transitioning an unmanaged app to a managed app.
On the Verify Apps Details page, complete the following fields:
In App Name, type a name for the mobile app. This step is required.
(Optional) In Description, type a description.
(Optional) In Minimum OS version, view the minimum operating system version on which the app can run.
Important: Citrix recommends that you leave the value as it appears in the tool. If you change the value to a lower number, for example, the app may not function correctly.
(Optional) In Maximum OS version, type the maximum operating system version on which you want to allow the app to run.
(Optional) In Excluded devices, type the devices on which you do not want to allow the app to run. If you enter iOS devices, use iPad or iPhone. The tool does not support version numbers for these devices. Separate device names by using a comma, such as iPad, iPhone.
Click Next.
On the Create Citrix Mobile App page, choose an iOS Distribution Provisioning Profile and Distribution Certificate from your computer; the MDX Toolkit uses them to sign the app, which authorizes you to distribute it. Provisioning files and certificates may differ depending on the app. For details about the kinds of profiles and certificates Apple may require for a particular app, see the Apple Web site.
Click Create.
In Save MDX, choose a file name for the wrapped mobile app, specify a location on your computer where you want to create the app, and then click Create. The MDX Toolkit generates the wrapped MDX (.mdx) file. You can then upload the file to XenMobile App Edition and configure settings in the App Controller management console.
Important: If an error appears, you can identify the error by viewing the logs.
Selecting the Correct Provisioning Profile
When you wrap a mobile iOS app, you might receive a warning indicating that the app was wrapped successfully, but
may contain errors. Errors might occur if the provisioning profile you choose is different than the provisioning profile the
app originally used.
The MDX Toolkit can alert you about certain provisioning profile issues. For example, your app may require one or more
of the following functions:
iCloud app that enables the use of iCloud data storage for your iOS app
Push notification that uses the Apple push notification service to deliver messages to the iOS device
Special keychain-access-groups entitlement to access the keychain item for another app
App errors appear in the MDX Toolkit logs. To understand an error, you may need to refer to the app requirements. The logs show the missing key and value pairs for the app. For each key and value pair, you can decide whether to fix the error or not. If you do not fix the error, the app may not function correctly. Also, depending on the key and value pair, you need to check whether you can fix your provisioning profile. Occasionally, you might not be able to fix the provisioning profile and can release the app with the defect.
Note: You must have administrator rights to view the MDX Toolkit logs.
For more information about provisioning profiles, see the Apple Developer Web site.
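The mismatch that the section above describes, an app built with entitlements (push notifications, iCloud containers, keychain access groups) that the chosen provisioning profile does not grant, can be checked before wrapping. The following Python script is an added example and is not part of the MDX Toolkit or the Citrix documentation. It compares the entitlements an app was built with against the Entitlements dictionary of a provisioning profile and lists the missing or differing key and value pairs, in the same spirit as the wrapping log. Both inputs are constructed samples; a real .mobileprovision file is CMS-signed and has to be unwrapped (for example with `security cms -D -i app.mobileprovision` on Mac OS X) before its plist can be parsed this way, and the app's entitlements can be read with `codesign -d --entitlements :- MyApp.app`.

```python
"""Check an iOS app's entitlements against a provisioning profile.

Added example, not part of the MDX Toolkit. Both inputs are constructed
samples: the profile plist below stands in for the decoded payload of a
.mobileprovision file, and SAMPLE_APP_ENTITLEMENTS for what codesign
reports for the app binary.
"""
import plistlib

# Constructed sample: decoded provisioning profile, reduced to the keys
# this check needs. No aps-environment or iCloud entitlement is granted.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Enterprise Distribution Profile</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>TEAMID1234.com.example.worxapp</string>
    <key>keychain-access-groups</key>
    <array><string>TEAMID1234.*</string></array>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: entitlements baked into the app binary.
SAMPLE_APP_ENTITLEMENTS = {
    "application-identifier": "TEAMID1234.com.example.worxapp",
    "aps-environment": "production",                      # push notifications
    "keychain-access-groups": ["TEAMID1234.com.example.shared"],
    "com.apple.developer.icloud-container-identifiers":   # iCloud storage
        ["iCloud.com.example.worxapp"],
}


def load_profile_entitlements(plist_bytes):
    """Return the Entitlements dict from a decoded provisioning profile."""
    return plistlib.loads(plist_bytes).get("Entitlements", {})


def _group_matches(granted, wanted):
    """Profiles may grant a whole prefix with a 'TEAMID.*' wildcard."""
    if granted.endswith(".*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def _is_granted(granted, wanted):
    """True when the profile value covers what the app asks for."""
    if isinstance(wanted, list):
        if not isinstance(granted, list):
            return False
        return all(any(_group_matches(g, w) for g in granted) for w in wanted)
    return granted == wanted


def missing_entitlements(app_entitlements, profile_entitlements):
    """List (key, app value, profile value) for every entitlement the app
    needs that the profile lacks (profile value None) or grants differently."""
    missing = []
    for key, wanted in app_entitlements.items():
        if key not in profile_entitlements:
            missing.append((key, wanted, None))
        elif not _is_granted(profile_entitlements[key], wanted):
            missing.append((key, wanted, profile_entitlements[key]))
    return missing


def format_report(missing):
    """Render the mismatches as one line per key, log style."""
    lines = []
    for key, wanted, granted in missing:
        if granted is None:
            lines.append(f"missing entitlement {key}: app requires {wanted!r}")
        else:
            lines.append(f"entitlement {key} differs: app {wanted!r}, profile {granted!r}")
    return lines


if __name__ == "__main__":
    profile = load_profile_entitlements(SAMPLE_PROFILE_PLIST)
    for line in format_report(missing_entitlements(SAMPLE_APP_ENTITLEMENTS, profile)):
        print(line)
```

With the sample inputs the report names two entitlements the profile does not grant (aps-environment and the iCloud container list), while the keychain access group is accepted because the profile's TEAMID1234.* wildcard covers it. Run the same comparison against the profile you intend to select in the wizard, and either obtain a profile that grants the missing entitlements or decide, per key, whether the app can ship without that function.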
To identify iOS app wrapping errors
If you encounter an error when wrapping an iOS application, you can use the MDX Toolkit logs to identify the error.
When you run the MDX Toolkit, the tool automatically saves a log file to the following location: Applications > Citrix > MDXToolkit > Logs > Citrix.log. By default, the tool saves warnings and errors in the log. If an error occurs, a command line with arguments appears at the end of the log. You can copy the command line and run it in Terminal.
When you use the command-line tool to run the wrapping process, you can specify the log file location, log display level,
and log write level in the command line. You can also specify verbose logging level and a different log file in the
command line. The command line provides more troubleshooting options than the MDX Toolkit.
Note: The command-line tool supports iOS apps only.
You can use the following steps to look for and resolve problems with wrapping iOS apps.
In Applications > Citrix > MDXToolkit > Logs, click Citrix.log.
In Applications > Utilities, click Terminal to use the Mac command-line interface to evaluate the command. You may need to refer to the app requirements to evaluate the error.
Adding Apps
App Controller supports multiple application types, including:
Mobile and MDX
Web and SaaS
Enterprise
Public App Store
Web Links
Worx App Gallery
How Mobile and MDX Apps Work
App Controller supports iOS and Android apps, including Worx apps, such as Worx Home, WorxMail, and WorxWeb,
and the use of MDX policies. You can upload mobile apps to App Controller and then deliver the apps to user devices.
In addition to the Worx apps, you can add the following types of mobile apps to App Controller:
Apps you develop for your users.
Apps in which you want to allow or restrict device features by using MDX policies.
Citrix provides the MDX Toolkit that wraps mobile apps for iOS or Android with Citrix logic and policies. The tool can
securely wrap an app that was created within your organization or a mobile app made outside the company.
The section on mobile and MDX apps includes details on how to:
Upload Android and iOS mobile apps
Configure settings for iOS and Android mobile apps.
Configure MDX policies for iOS and Android mobile apps.
Configure encryption policies for MDX apps.
Upgrade a mobile app in App Controller.
Retrieve mobile app names and descriptions.
Configure Worx authentication settings by using a personal identification number (PIN).
Configure GoToAssist settings for Worx apps.
Configure Google Play settings.
Add your own logo on devices.
How Web and SaaS Apps Work
App Controller comes with a set of application connectors, which are templates that you can configure for single sign-on
(SSO) to web and Software as a Service (SaaS) applications, and in some cases for user account creation and
management as well. App Controller includes Security Assertion Markup Language (SAML) connectors and HTTP
Federated Formfill connectors. SAML connectors are used for web applications that support the SAML protocol for SSO
and user account management. App Controller supports SAML 1.1 and SAML 2.0. When users log on to a Formfill
application, their credentials are automatically entered on the application’s logon page.
You can also build your own enterprise, SAML, and HTTP Federated Formfill application connectors in App Controller.
For details, see Enterprise Apps.
This section on Web and SaaS apps includes the following information:
List of all application connectors indicating the type (SAML or HTTP Federated Formfill)
Steps to configure SSO by using application connectors
List of application connectors that require you to configure additional parameters
Steps for building your own SAML or HTTP Federated Formfill connectors
Steps for creating and managing user accounts for applications and configuring workflow settings
Steps for configuring connectors to enable users to change an application password in their HTTP
Federated Formfill apps or to recover their passwords.
How Enterprise Apps Work
You can create your own application connector in App Controller. This type of application typically resides in your
internal network. Users can connect to the apps by using Receiver or Worx Home. When you add an enterprise app,
you create the application and the Formfill connector at the same time.
How the Public App Store Works
You can configure settings to retrieve mobile app names and descriptions from the Apple App Store and Google Play.
When you retrieve the app information from the store, App Controller overwrites the existing name and description.
How Web Links Work
A Web link is a web address to an Internet or intranet site. A web link can also point to a web application that doesn't
require single sign-on (SSO).
You can configure web links from the Apps & Docs tab in App Controller. When you finish configuring the web link, the
link appears as an icon in the store in App Controller. When users log on with Citrix Receiver or Worx Home, the link
appears with the list of available apps and desktops.
How the Worx App Gallery Works
The Worx App Gallery allows you to certify and publish your mobile apps for use in XenMobile. You can wrap apps by using the MDX Toolkit and the Worx App SDK. The Worx App Gallery eliminates the need for you to go through the time-consuming effort of procuring and verifying mobile apps. All Worx-enabled mobile apps are enterprise-ready with
security, policy, and provisioning controlled by XenMobile. When your app is verified, it appears in the Worx App Gallery
on Citrix.com. Other administrators can download your apps from the gallery and then upload the app to App Controller.
When users log on to Worx Home or Receiver, they can download and install the apps on their device.
Mobile and MDX Apps
App Controller supports iOS and Android apps, including Worx apps, such as WorxMail and WorxWeb, and the use of
MDX policies. In addition to the Worx apps, you can add the following types of mobile apps to App Controller:
Apps you develop for your users
Apps in which you want to allow or restrict device features by using MDX policies
You can wrap mobile apps with the MDX Toolkit and then upload the apps to App Controller. When you upload the app,
you can configure the following settings:
Details of the app, including version and URL
Approval workflow for the app
Approvers for the app if you create a workflow
MDX policies
You can add native apps to App Controller for Android and iOS. Native apps, as opposed to web apps, are apps that are
locally installed and are programmed to be compatible with the language and operating system of the user device on
which the app is installed.
You can also allow secure user access to HTML5 apps through Citrix Receiver to data stores in the internal network.
When users log on with Receiver from an Android, iPad, or iPhone device, they can download and install the selected
app on their device. This provides users with access to the business applications they need at any time.
You use the Citrix MDX Toolkit to create MDX mobile apps. The MDX Toolkit inserts logic and policies into each mobile
app. When you upload a mobile app to XenMobile App Edition, the app is validated during installation. You can upload
mobile apps that have the extension .mdx.
When the installation is complete, you can then configure specific application details and policy settings in the App
Controller management console. Receiver enforces the policies that the MDX Toolkit configured and that you set in App
Controller. You can run the MDX Toolkit on Mac OS X Version 10.7 (Lion) and Version 10.8 (Mountain Lion) only.
You configure application details and policy settings in the management console from the Apps & Docs tab.
After you configure the app details and policy settings, the mobile app appears on the Apps & Docs page in the Android or iOS tabs in the left pane. The mobile apps also appear in All Apps in the left pane. The apps are then available for
authorized users to download and install on their device.
How Mobile Apps Work
When users log on by using Worx Home or Citrix Receiver from a mobile device, if they are allowed to use a particular
mobile app, the mobile app appears in the store.
You can set policies for mobile apps in the App Controller management console. Application policies for Android or iOS
apps fall into the following three main categories:
Information security. These policies are designed to protect app data and documents. The policies dictate
how information can be exchanged between apps. You can configure settings for the app to allow or prevent
user access to such operations as printing, email, text messaging, and use of the device camera.
Application access. These policies determine the logon requirements users must meet in order to open an
app. You can configure authentication methods, settings to prevent apps from running on a jailbroken, or
rooted, device, network connection requirements, and conditions for locking or erasing app data.
Network. These policies determine the network settings for traffic to and from the app. You can configure
the following settings: allow unrestricted access to the internal network, redirect traffic through XenMobile
App Edition by using a VPN tunnel specific to each app, or block all traffic from accessing the internal
network.
The following list defines the policies that appear in the management console when you configure or edit an Android or
iOS app.
Installing Mobile Apps on the Mobile Device
In the store, users tap the app to add it to the Worx Home or Receiver home page. The app icon appears and then the
app starts downloading to the device. The device operating system uses the built-in installer to simultaneously install the
app on the home screen of the device.
Next, users receive prompts to install the app. When installation starts, the device switches to the home screen. When
installation is complete, users can start the app from the home screen like any other app, or they can start the app from
within Worx Home or Receiver.
Connecting Users on Android or iOS Devices
When users start the app on their Android or iOS device, the Worx Home or Receiver logon page appears. Receiver
starts and users can enter their user name and password. When their credentials are accepted, the app starts. When
users authenticate to the app, users are not asked for their credentials again until the authentication time (set by policy)
expires.
When users start Worx Home or Receiver on their device, Receiver continues to run in the background for as long as
the application policy permits. If users start an app that requires a service from Receiver and it is not running or in a
suspended state, the Receiver web page appears. When Receiver is running again, users can start and use the app.
Updating Mobile Apps on the Device
If you update the app and then upload the new version to XenMobile App Edition, you can define a grace period in the
App Controller management console that sets a time limit for users to upgrade the app. The grace period gives
users a specific amount of time within which they must upgrade the app. If users allow the grace period to expire, the
application locks and users must download the new version.
You can disable the app to make changes to the settings. When you are finished changing the settings, you can then
enable the app.
When the upgrade is published to the Applications catalog in App Controller, users receive a message about the
upgrade when they start the app. Also, users receive a message every time the app starts, prompting them to upgrade.
If you publish a critical patch or security update, you can set the grace period to zero, which forces users to update the
app before starting the app.
Configuring Mobile App Settings in App Controller
After you upload a mobile app to XenMobile App Edition, the Mobile App Details dialog box appears in the management
console. You can then configure the following settings for the app:
On the Details page, the following app details appear. When the app is wrapped, the person wrapping the app defines
some settings, some of which you cannot change and others that Citrix recommends you do not change.
App name. The name of the app. Citrix recommends that you do not change this field unless you are
creating a second instance of the app. In that case, you must give the app a different name.
Description. The description of the app. Citrix recommends that you do not change this field.
Application type. The platform on which the app can run. You cannot change this field.
Application version. The internal version number of the app. You cannot change this field.
Minimum OS version. The minimum operating system version on which the app can run. Citrix recommends
that you do not change this field.
Maximum OS version. The maximum operating system version on which the app can run. Citrix
recommends that you do not change this field.
Excluded devices. Device types on which the app cannot run. You must define iPhone or iPad and not the
specific version of the device, such as iPad 3 or iPhone 4S. For Android devices, you need to specify the
manufacturer and phone model, such as Samsung HTC or Motorola Droid Razr M. Separate device names
with a comma.
Category. Defines where the app appears in Receiver.
Assigned role. The role assigned to the app. The role defines the Active Directory groups from which users
are obtained. You must leave the AllUsers default role or select a role.
On the Workflow page, you can either create a new workflow or select a workflow you configured by using the Workflows
tab in the management console. If you use an existing workflow, when you click Next, the Policies page appears. If you
are creating a new workflow, when you click Next, the Manage Approvals page appears where you can configure the
levels of approvers and additional approvers.
On the Policies page, you can select or specify policy settings. Information about configuring MDX policies for iOS and
Android apps is in this section.
Connecting to the Worx App Gallery
Citrix hosts the Worx App Gallery on the Citrix web site. The Worx App Gallery provides information for vendors who
want to partner with Citrix to provide enterprise-ready mobile apps. The Worx App Gallery also contains a marketplace
of Worx-enabled mobile apps for Android and iOS 6 or iOS 7 devices. You can request a demonstration for some listed
apps. Others are wrapped and ready to download to your computer as .mdx files.
When you download the MDX mobile app from the Worx App Gallery, you save it to your computer, and then you
upload the app to App Controller where you can then configure settings and policies for the app.
You can access the Worx App Gallery on Citrix.com or from within the App Controller management console.
To connect to the Worx App Gallery from App Controller
1. In the App Controller management console, click the Apps & Docs tab.
2. Under APPS, click App Marketplace.
The Worx App Gallery opens in a browser window.
To upload Android and iOS mobile apps
When you receive an Android or iOS mobile app, you can upload it to App Controller. After you upload the app, you can
configure app details and policy settings in App Controller to define when and how users download and start the
wrapped app.
1. In the App Controller management console, click the Apps & Docs tab.
2. In the left pane, under Apps & Docs > APPS, do one of the following:
a. Click Android Apps and then in the right pane, click the plus (+) sign.
b. Click iOS Apps and then in the right pane, click the plus (+) sign.
3. In the Upload Mobile App dialog box, under Select an MDX or APK file to upload, click Browse.
4. Navigate to the app file on your computer, click Open and then click Next.
App Controller validates the installation. When App Controller is finished, the Mobile App Details dialog box opens and allows
you to configure details and policy settings for the app.
To configure settings for iOS mobile apps
After you upload the iOS mobile app to XenMobile App Edition, the Mobile App Details dialog box appears. You can
use the following procedure to configure the settings.
1. On the Details page, configure the following:
a. In Excluded devices, enter the device operating system that is excluded from using the app. This is an
optional field. If you enter the device, use either iPad or iPhone. Do not use device-specific names, such as
iPad 3 or iPhone 4S.
b. In Category, select the category in which the app appears in Citrix Receiver. This is an optional field.
c. In Assigned role, select the role that applies to the app. This is a mandatory field. The default role is AllUsers.
Important: Citrix recommends that you do not change the default settings on the Details page.
d. Select Require app installation to install the app on the user device.
e. Select Paid through public app store if users purchase the app from the Apple App Store.
Note: When you enable this setting, when users try to install the app, they are redirected to the public app
store, where they can purchase and install the app. Also, App Controller disables the Require app installation
setting.
2. Click Next.
3. If the application requires approvals for users, on the Workflow page, click Requires approval and then do one of the
following:
a. If you are creating a new workflow, in Workflow name, type a name for the workflow and then click Next.
b. If you are using an existing workflow, in Create new workflow, select the workflow.
4. If you are creating a new workflow, on the Manager Approvals page, do the following:
a. Under Manager Approvals, in Levels of manager approval, select how many levels of approval are
required for user account management.
b. Under Additional Approvers, in Enter additional required approvers, type a name and then select the individual
from the list that appears. Click the green plus (+) sign to add the approver and then click Next. Adding
additional approvers is an optional step.
5. On the Policies page, configure the settings that appear. For definitions of the policy settings, see the iOS Mobile App
policies topic in this section.
6. Click Save.
To configure settings for Android mobile apps
After you upload the Android mobile app to App Controller, the Mobile App Details dialog box appears. You can use
the following procedure to configure the settings.
1. On the Details page, configure the following:
a. In Excluded devices, enter the device operating system that is excluded from using the app. This is an
optional field. If you enter the device, use the manufacturer name and model, such as Samsung HTC. Do not
use the Android operating system version.
b. In Category, select the category in which the app appears in Citrix Receiver. This is an optional field.
c. In Assigned role, select the role that applies to the app. This is a mandatory field. The default role is AllUsers.
d. Select Require app installation to install the app on the user device.
2. Click Next.
3. If the application requires approvals for users, on the Workflow page, click Requires approval and then do one of the
following:
a. If you are creating a new workflow, in Workflow name, type a name for the workflow and then click Next.
b. If you are using an existing workflow, in Create new workflow, select the workflow.
4. If you are creating a new workflow, on the Manager Approvals page, do the following:
a. Under Manager Approvals, in Levels of manager approval, select how many levels of approval are
required for user account management.
b. Under Additional Approvers, in Enter additional required approvers, type a name and then select the individual
from the list that appears. Click the green plus (+) sign to add the approver and then click Next. Adding
additional approvers is an optional step.
5. On the Policies page, configure the settings that appear. For details about Android policies, see the Mobile App Policies topic
in this section.
6. Click Save.
To edit mobile app settings
You can edit the settings for mobile apps at any time in App Controller.
1. In the management console, click the Apps & Docs tab.
2. In the navigation pane, click Android Apps or iOS Apps.
3. In the right pane, click the mobile app.
4. In the dialog box, click the pencil icon to edit the settings.
5. In the Mobile App Details dialog box, change the settings you want and then click Next to edit the policy settings.
6. Finish changing your settings and then click Save.
Configuring Worx PIN Options
When users install Worx Home, you can require them to log on by using a personal identification number (PIN). You
can configure the settings for the Worx PIN requirement in App Controller. This feature simplifies the user authentication
experience when logging on.
When you enable this feature, it works as follows: When users log on to Worx Home for the first time, they enter their
user name and password. In addition, when they log on, the Active Directory credentials or client certificate is saved on
the user device. Then, Worx Home prompts the user to enter a PIN. When users log on again, instead of requiring a
user name and password or a token, they type in the PIN and can access their Worx apps. The following figure shows
the screen where users enter their Worx PIN on an iPad.
Figure 1. Entering the Worx PIN on an iPad
You configure Worx PIN settings on the Settings > Support Options page in App Controller. You can configure the
following settings:
Enabling Worx PIN. The default is false.
Enabling password caching. The default is false.
Configuring the PIN complexity to require alphanumeric or numeric characters. The default is numeric.
Configuring the length of the PIN. The default is 6 characters.
Configuring the length of time in days before users need to change their PIN. The default is 0 days.
You can configure the following combinations for the PIN:
Numeric, containing numbers only
Alphanumeric, containing at least one letter together with numbers
Complex, containing at least one letter, one number, and a symbol
After you configure a Worx PIN, each of these settings appears on the Support Options page as shown in the following
figure. You can click the pencil icon for each item to edit the settings to match your requirements.
Figure 2. Configuring Worx PIN Options
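The Worx PIN rules above can be checked programmatically. The following is an added example, not Citrix code: it models the Support Options settings (complexity, PIN length, days before change) with this example's own names (PinPolicy, check_pin, pin_expired), treats 0 days as "never expires", and treats a symbol in an alphanumeric PIN as a violation, which is this example's own reading of that setting.

```python
"""Worx PIN policy checker.

Added example, not Citrix code. It models the Support Options settings
described above: PIN complexity (numeric, alphanumeric or complex), PIN
length (default 6) and the number of days before the PIN must be changed
(default 0, taken here to mean the PIN never expires). The names PinPolicy,
check_pin and pin_expired are this example's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

NUMERIC = "numeric"
ALPHANUMERIC = "alphanumeric"
COMPLEX = "complex"
DIGITS = "0123456789"


@dataclass(frozen=True)
class PinPolicy:
    complexity: str = NUMERIC     # App Controller default is numeric
    length: int = 6               # App Controller default is 6 characters
    change_after_days: int = 0    # App Controller default is 0 days (no forced change)


def check_pin(pin: str, policy: PinPolicy) -> List[str]:
    """Return the policy violations for a candidate PIN (empty list = accepted)."""
    problems: List[str] = []

    if len(pin) != policy.length:
        problems.append(f"PIN must be exactly {policy.length} characters")

    has_letter = any(c.isalpha() for c in pin)
    has_digit = any(c in DIGITS for c in pin)
    has_symbol = any(not c.isalnum() for c in pin)

    if policy.complexity == NUMERIC:
        # Numeric: numbers only.
        if not all(c in DIGITS for c in pin):
            problems.append("numeric PIN may contain digits only")
    elif policy.complexity == ALPHANUMERIC:
        # Alphanumeric: at least one letter together with numbers.
        if not (has_letter and has_digit):
            problems.append("alphanumeric PIN needs at least one letter and one number")
        # Assumption of this example: an alphanumeric PIN contains no symbols.
        if has_symbol:
            problems.append("alphanumeric PIN may not contain symbols")
    elif policy.complexity == COMPLEX:
        # Complex: at least one letter, one number and one symbol.
        if not (has_letter and has_digit and has_symbol):
            problems.append("complex PIN needs a letter, a number and a symbol")
    else:
        raise ValueError(f"unknown PIN complexity: {policy.complexity!r}")

    return problems


def pin_expired(set_on: date, today: date, policy: PinPolicy) -> bool:
    """True when the PIN is older than the configured change interval."""
    if policy.change_after_days <= 0:
        return False  # 0 days: the PIN never has to be changed
    return today >= set_on + timedelta(days=policy.change_after_days)


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real deployment.
    numeric = PinPolicy()
    strict = PinPolicy(complexity=COMPLEX, length=8, change_after_days=90)
    for candidate, policy in [("123456", numeric), ("12345a", numeric),
                              ("ab12cd!?", strict), ("abcdefgh", strict)]:
        print(candidate, policy.complexity, check_pin(candidate, policy) or "OK")
    print("expired:", pin_expired(date(2015, 1, 1), date(2015, 7, 1), strict))
```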
To edit Worx PIN settings
1. In the App Controller management console, click Settings.
2. In the navigation pane, under System Configuration, click Support options.
3. In the details pane, select an item and then click the pencil icon.
4. In the Add Property dialog box, do the following:
a. In Value, type the value for the item.
b. In Name, type a name for the item.
c. In Description, type a description for the item.
5. Click Save.
Upgrading a Mobile App in App Controller
If a new version of a mobile app becomes available, you can upload the new version to App Controller. When you
receive the updated app, disable the app in App Controller and then upgrade the app by clicking the upgrade icon in the
app dialog box.
To upgrade a mobile app
1. In the management console, click the Apps & Docs tab.
2. In the navigation pane, select Android Apps or iOS Apps.
3. In the right pane, click the mobile app and then in the dialog box, click the green disable button. When you click the
button, App Controller disables the app and the button turns gray.
4. Click the mobile app and then in the dialog box, click the upgrade icon.
5. In the Upgrade Mobile App dialog box, under Select an MDX or APK file to upload, click Browse.
6. Navigate to the app on your computer, click Open and then click Next. The app uploads to App Controller.
When App Controller is finished, the Mobile App Details dialog box opens and allows you to configure details and policy
settings for the app. These settings are the same as the settings you configure when you upload the app for the first
time. After you configure and save the settings, click the mobile app and then click the gray enable button. App
Controller enables the app and users receive a message to upgrade the app on their device.
Retrieving Mobile App Names and Descriptions
You can configure settings to retrieve mobile app names and descriptions from the Apple App Store and Google Play.
When you retrieve the app information from the store, App Controller overwrites the existing name and description.
You can configure public app store settings from the Apps & Docs tab in App Controller. When you finish configuring the
mobile link, the link appears as an icon in the store in App Controller. When users log on with Citrix Receiver, the app
appears with the name and description from the App Store or Google Play.
In the App Controller management console, you provide the following information:
Name for the link
Description of the link
Web address
Type of mobile link as iOS or Android
Category
Role
Image, in .png format (optional)
To retrieve app information
1. In the App Controller management console, click the Apps & Docs tab.
2. In the navigation pane, under Apps & Docs > APPS, click Public App Stores and then click the plus sign (+) in the
details pane.
3. In the Configure App dialog box, complete the following:
a. In App Name, type a name for the link.
b. In Description, type a description of the link.
c. In URL, enter the full Web address of the mobile app, such as https://www.amazon.com/gp/kindle/kcp/tos.html#stos-bookmark.
d. In Type, select iOS or Android.
If you select iOS, you can retrieve app details from the App Store by clicking Fetch Details.
e. In Category, select the category in which the link appears in Citrix Receiver.
f. In Assigned Role, select the role. This is a mandatory field.
g. To install the link to the public app store, select Require app installation.
h. In Image, select Use default to use the default Citrix logo or select Upload to add your own logo to the logon
page.
If you want to upload your own logo, click Browse and then navigate to the logo on your device.
Note: The graphic you upload must be the type PNG. You cannot upload a GIF or JPEG graphic. You can
upload a custom graphic when you create a mobile link. After you save the mobile link, you cannot change the
graphic.
4. Click Save.
Configuring GoToAssist Settings for Worx Apps
App Controller and Citrix GoToAssist integrate to provide continuous technical support for mobile device users who are
using WorxMail or WorxWeb. When you configure settings, you can add an email address, phone number, chat
information, and ticket information. If the user needs assistance, they can tap a chat button on their mobile device and
the GoToAssist web page opens.
To get started, you need to do the following:
1. After you purchase XenMobile, you receive a promotion code for GoToAssist.
Note: The promotion enables a one-year subscription to GoToAssist that allows one help desk support person to
log on to the management console and support an organization's users. You must renew the subscription each year.
2. Log on to the GoToAssist web site.
3. Create a new service for integrating GoToAssist with XenMobile.
When you do these steps, GoToAssist generates the email address that users can use to create a support ticket. This
also creates an integration key that you enter in the App Controller management console.
When users start GoToAssist from their mobile device, the Worx app provisions XenMobile App Edition and GoToAssist
accounts. GoToAssist sends an account key (token) to XenMobile App Edition which is then sent to the Worx app.
Users can use GoToAssist to receive technical support in the following ways:
Enter a valid email address to allow support personnel to contact them.
Use chat to contact support personnel.
Note: When users log on to chat from their device, the XenMobile App Edition and Worx app logs are
bundled together and sent to support personnel.
Create an incident form by clicking Create Incident. If support personnel are not available through chat,
GoToAssist redirects users to the incident form automatically.
When you configure GoToAssist in App Controller, the settings appear on the Support Options page in Settings. On this
page you can view the settings for phone, chat, and ticket options. In Support Options, you can do the following:
Edit existing GoToAssist settings for phone, chat, or the ticket.
Add email or key support options.
Delete an option.
On the Support Options page, you can add the following support information; however, Citrix recommends using the
GoToAssist page in Settings to configure support settings.
Phone numbers
Email addresses
Chat settings
Ticket settings
Custom key settings
To configure GoToAssist settings in App Controller
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, under System Configuration, click GoToAssist.
3. In the details pane, next to GoToAssist Configuration, click Edit.
4. In Support email, enter the email address for support personnel. Users can choose to use the email address to
contact support personnel instead of GoToAssist.
5. In Support phone, enter the phone number for users to use to contact support personnel.
6. In GoToAssist chat, leave the default token number or enter one of your own. When users request a chat session, this
token is sent to the Worx app.
7. In GoToAssist ticket, enter the email address that you can use to differentiate GoToAssist support requests and then
click Save.
To edit support settings
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Support Options.
3. In the details pane, next to an item, under Actions, click the pencil icon.
4. In the Add Property dialog box, do the following:
a. In Value, change the value for the support option type. For example, if you are editing the chat option, enter the
new key in this field.
b. In Name, change the name of the value.
c. In Description, add a description for the option.
5. Click Save. The changes appear in the Support Options details pane.
To add support information by using Support Options
You can add a support email address or a custom key.
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Support Options.
3. In the details pane, click Add.
4. In the Add Property dialog box, do the following:
a. In Key, select either SUPPORT_EMAIL or Custom Key.
b. If you select Custom Key, enter a name of the custom key you want to add in the blank field that appears. Keys
have two parts: key name and the value, such as GTA_PHONE=5551212.
c. In Value, add the value for the support option type. For example, if you are editing the chat option, enter the
new chat key in this field.
d. In Name, add a name of the value.
e. In Description, add a description for the option and then click Save.
To remove a support option
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Support Options.
3. In the details pane, click an option and then under Actions click the X icon.
4. To confirm, click Yes.
Configuring Google Play Settings
You can enter users' Google Play store credentials in order to display an app description and icon in the management
console and in the Worx Store. Google store credentials are mandatory when you configure App Controller to connect
to Device Manager and when you configure an app for an Android mobile link in the management console.
You can enter any value for the user name and password. You need to enter the device ID that is associated with the
account. The device ID is only used to download the information to Device Manager.
On your Android device, you can obtain the device ID by entering *#*#8255#*#* on your phone pad.
To configure Google Play settings
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Store Credentials.
3. In the details pane, next to Google play store, click Edit.
4. In User name and Password, enter the credentials.
5. In Device ID, enter the ID number and then click Save.
Adding Your Own Logo on Devices
You can upload your own logo pages to mobile phones and tablets. You must put the files in a compressed zip file. The
files must meet the following requirements:
Graphic files must be in .png format with a pure white logo or text with a transparent background set to 72
dpi.
Logos must be 170 pixels x 25 pixels (1x) and 340 pixels x 50 pixels (2x). The logo cannot exceed this height
or width.
Note: Select 1x if the graphic is for an iOS device. Select 2x if the device has a retina display (high resolution
screen).
Name the files Header.png and Header@2x.png.
To add logo files to App Controller
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click Branding.
3. In the details pane, click for phone or for tablet.
4. Click Browse to navigate to the zip file on your computer and then click Upload.
Web & SaaS Apps
With App Controller, you can provide users with single sign-on (SSO) to your mobile, enterprise, web, and SaaS
applications. You can enable applications for SSO by using the application connector templates found in the App
Controller catalog. You can also enable some applications for user account management.
An application in App Controller is either a simple or complex application. If you configure a simple application, you can
edit the label or accept the default name. If you are running multiple instances of the application in your network, you
must change the label to make it easier to identify the application. With some applications, you can activate an
application connector for SSO more than one time with different names. For example, you can configure the application
named Box twice with the names Box1 and Box2. If you have already configured an application, rename the
application before you configure another connector.
If you add a complex application, you can edit the application name and the logon web address. If the application is a
SaaS application, you do not need to change the web address. If the application is a hosted application in your internal
network, you change the web address to match the deployed application.
You configure an application connector by providing the following parameters:
Different names (optional). For example, you configure two instances of the Box application connector, each
with a unique name. Not all applications allow you to configure multiple instances.
Description of the application.
Web address by using the fully qualified domain name (FQDN), such as https://app.bill.com.
Location of the application, either on the Internet or in your internal network.
Credentials for SSO. Users can use the application credentials or Active Directory credentials.
Category for the application. Categories allow you to organize applications in Citrix Receiver. When users
log on, they can double-click the category and then start the application.
A group of users to which you want to assign the application.
Workflow approval settings for all applications that includes specifying the individuals who can approve the
user account.
Application policies for each app you configure in App Controller.
If an application is available for SSO only, when you finish configuring the preceding settings, you save the settings and
the application appears on the Apps & Docs tab in the App Controller management console. If an application is
available for user account management, you select the check box to enable user management and then configure
additional settings. The settings include:
Service account
Automatic account creation
User name and password rules
For more information about creating user accounts for an application, see Configuring Applications for User Account
Management in this section.
To activate an application connector in App Controller for SSO only
1. In the management console, click the Apps & Docs tab.
2. Under Apps & Docs > APPS, click Web & SaaS and then in the right pane, click the plus (+) symbol.
3. From the catalog, click an application.
4. In the Configure App dialog box, in App Name, keep the default name or enter one of your own.
5. In Description, keep the default description for the application or choose one of your own.
6. If applicable, in URL, type the Web address of the application or keep the default address.
7. Select App is hosted in internal network if the application is running on a server in your internal network.
Note: If users connect from a remote location to the internal app, they must connect through NetScaler Gateway.
Selecting this check box adds the VPN keyword to the application and allows users to connect through NetScaler
Gateway.
8. Select Use Active Directory for SSO. When you select this option, users' Active Directory credentials are used
automatically for logging on.
9. Select Require app installation if users connect to the app from a mobile device. When you select this option, when
users connect from an iOS or Android device, the app downloads and then installs on the device.
10. In Category, select a category.
11. In Assigned role, select the role to which you want to assign the application.
12. Click Next.
13. If the application requires approvals for users, in Workflow, click Requires approval. You can either create a new
workflow or use an existing workflow.
14. To use an existing workflow, in Create new workflow, select the workflow, and then click Next.
15. To create a new workflow, in Workflow name, type a name for the workflow and in Description, type a description of
the workflow. Click Next.
16. On the Policies page, configure the policies and then click Save.
List of Application Connector Types
The following table lists the connectors and the types of connectors that are available with App Controller. The table
also indicates if the connector supports user account management, which enables you to create new accounts
automatically or by using a workflow.
Connector name | SSO Formfill | SSO SAML | Supports user account management
--- | --- | --- | ---
AccessGateway | Y | |
AmericanAirlines | Y | |
AmericanExpress | Y | |
Ameritrade | Y | |
Ariba | Y | |
AtTask | Y | |
Basecamp | Y | |
Bill | Y | |
Birst | Y | |
Box | Y | |
Bugzilla | Y | |
Campfire | Y | |
CentralDesktop | Y | |
Ceridian | Y | |
CitrixAccessGateway | Y | |
CitrixWebInterface | Y | |
ConcurSolutions | Y | |
eBay | Y | |
EchoSign | Y | | Y
EchoSign_SAML | N | Y | Y
Egnyte | Y | |
eLeaP | Y | |
Epocrates | Y | |
Evernote | Y | |
Expedia | Y | |
Fidelity | Y | |
Fieldglass | Y | |
Force | Y | | Y
Globoforce_SAML | N | |
GoogleApps_SAML | N | Y | Y
GoogleApps_SAML_IDP | N | Y | Y
GoToMeeting | Y | | Y
GoToMyPC | Y | | Y
GoToTraining | Y | | Y
GoToWebinar | Y | | Y
Groupon | Y | |
HelpSpot | Y | |
Jira | Y | | Y
Kayak | Y | |
LinkedIn | Y | |
LogMeInRescue | Y | |
LotusLive | Y | |
Marketo | Y | |
Medgate | Y | |
Medscape | Y | |
MyAtlassian | Y | |
MySpace | Y | |
NetDocuments | Y | |
Office 365_SAML | | |
Oracle10g | Y | |
OracleCRM | Y | |
Orbitz | Y | |
OWA | Y | |
Pandora | Y | |
Pearson | Y | |
PeopleclickAuthoria | Y | |
PivotalTracker | Y | |
Postini | Y | |
QualysGuard | Y | |
Rackspace | Y | |
RallySoftware | Y | |
Recover_Password | | |
Reset_AppPassword | Y | |
Responsys | Y | |
RightScale | Y | |
RingCentral | Y | |
Salary | Y | |
Salesforce | Y | | Y
Salesforce_SAML | N | Y | Y
Salesforce_SAML_SP | N | Y | Y
SandBox_SAML | N | Y |
SAP | Y | |
ShareFile | Y | | Y
ShareFile_SAML | N | Y | Y
ShareFile_SAML_SP | N | Y | Y
Skype | Y | |
SlideRocket | Y | |
Smartsheet | Y | |
SoftLayer | Y | |
SouthwestAirlines | Y | |
SuccessFactors | Y | |
SuccessFactors_SAML | N | Y |
SugarCRM | Y | |
SugarSync | Y | |
SurveyMonkey | Y | |
Syncplicity | Y | |
Webex | Y | | Y
WebEx_SAML_SP | N | Y | Y
WebMD | Y | |
Webtrends | Y | |
YahooMail | Y | |
Yammer | Y | |
Zendesk | Y | | Y
Zoho | Y | |
Configuring Additional Parameters in Application Connectors
Most application connector templates contain a predefined URL. When you add the application, you can choose to save
the default settings. The application is then configured for SSO.
Some connectors require you to configure one or more of the following additional parameters:
URL that contains a domain or subdomain name. For example, when you configure the AtTask application connector,
the URL appears as $$url$$/attask/home.cmd. You replace $$url$$ with the subdomain name. This is the URL with which
users log on.
URL and subdomain name. You need to add both the URL and the subdomain name for some application connectors,
such as Basecamp.
Cookies Domain, which contains the domain on which the application sets its logon cookie. You must know where to
locate this value in the application to enter it in this field.
Some application connectors require configuration in App Controller and in the application. One example is Google
Apps. When you configure Google Apps in App Controller, you need to download a SAML certificate from App
Controller and install the certificate in Google Apps. You also need to configure SSO settings in Google Apps to work
with App Controller.
This section contains information to help you configure additional parameters for applications, such as Google Apps, to
work with App Controller.
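The following is an added example, not Citrix or App Controller code, of the checks an administrator can run over connector settings before saving them. The $$url$$ and $$domain$$ tokens are the ones used by the connector templates in this section; the rules it applies (no token left unfilled, HTTPS enforced for connectors that require it, and the Cookies Domain value must domain-match the host in the URL) and the sample values, including the assumption that the AtTask $$url$$ value is a full https origin, are this example's own.

```python
"""Connector template rendering and Cookies Domain checks (added example)."""
import re
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"\$\$(\w+)\$\$")


def render_template(template, values):
    """Substitute every $$token$$ in the template; refuse to leave any unfilled,
    because an unfilled token would become part of the URL users are sent to."""
    def substitute(match):
        name = match.group(1)
        if not values.get(name):
            raise ValueError("missing value for $$%s$$" % name)
        return values[name]
    return TOKEN_RE.sub(substitute, template)


def require_https(url):
    """Google Apps (and every SAML connector) must use HTTPS; otherwise the
    credentials or assertions that Formfill or SAML submit travel in clear text."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("HTTPS required, got %s" % url)


def cookie_domain_matches(url, cookie_domain):
    """RFC 6265 domain-match: the URL host equals the Cookies Domain value, or
    ends with '.' + that value. A non-matching cookie domain is ignored by the
    browser, so the SSO session cookie is never set and logon silently fails."""
    host = (urlsplit(url).hostname or "").lower()
    domain = cookie_domain.lower().lstrip(".")
    if not host or not domain:
        return False
    return host == domain or host.endswith("." + domain)


def validate_connector(template, values, cookie_domain=None, https_only=False):
    """Render and check one connector. Returns (True, url) or (False, reason)."""
    try:
        url = render_template(template, values)
        if https_only:
            require_https(url)
        if cookie_domain is not None and not cookie_domain_matches(url, cookie_domain):
            raise ValueError("Cookies Domain %r does not match %s" % (cookie_domain, url))
        return True, url
    except ValueError as exc:
        return False, str(exc)


# Constructed sample connectors, modelled on the AtTask, GoogleApps_SAML and
# HelpSpot entries that follow. The hostnames are placeholders, not real sites.
SAMPLES = {
    "AtTask": ("$$url$$/attask/home.cmd", {"url": "https://mycompany.attask.com"}, None, False),
    "GoogleApps_SAML": ("https://www.google.com/a/$$domain$$", {"domain": "citrix.com"}, None, True),
    "GoogleApps_http": ("http://www.google.com/a/$$domain$$", {"domain": "citrix.com"}, None, True),
    "HelpSpot": ("$$url$$/helpspot/admin.php", {"url": "http://mycompany.helpspot.com:8089"},
                 "mycompany.helpspot.com", False),
    "HelpSpot_bad_cookie": ("$$url$$/helpspot/admin.php", {"url": "http://mycompany.helpspot.com:8089"},
                            "helpdesk.example.org", False),
    "AtTask_unfilled": ("$$url$$/attask/home.cmd", {}, None, False),
}


def check_samples():
    """Run every sample through validate_connector; name -> (ok, url or reason)."""
    return {name: validate_connector(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, detail) in check_samples().items():
        print("%-20s %s %s" % (name, "OK " if ok else "BAD", detail))
```

The two failing samples show the cases worth catching before users are affected: a Google Apps URL entered with http, and a Cookies Domain that does not match the logon host.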
List of Application Connectors with Additional Parameters
The following is a list of applications that require additional parameters. Some applications require that you download a
SAML certificate from App Controller and then upload the certificate to the application.
AccessGateway
Users can log on to NetScaler Gateway by using one of the following three methods: NetScaler Gateway Plug-in,
clientless access, or Citrix Receiver. When you configure this connector, it connects to the Web Interface by using an
ICA connection. If you use this connector, configure Web Interface settings on NetScaler Gateway. When users log on
with Receiver, NetScaler Gateway establishes an ICA connection to the XenApp or XenDesktop server. Users receive
a list of applications or desktops in the web browser. When they click an application and open the application, the ICA
connection is established.
In URL, enter the web address used to log on to NetScaler Gateway: https://<NetScaler Gateway FQDN>/vpn/index.html
AtTask
URL: $$url$$/attask/home.cmd
In $$url$$, enter the subdomain name for the AtTask logon web site.
Basecamp
Basecamp is an application for project management and online collaboration.
In subdomain, enter the domain name that hosts Basecamp.
In URL, enter the web address to which users connect.
Bugzilla
Bugzilla is an application that you host in your internal network.
In URL, enter the web address that you use to log on to Bugzilla. For example, enter http://<Bugzilla server>/index.cgi
Campfire
In subdomain, enter the domain name that hosts Campfire.
In URL, enter the fully qualified domain name (FQDN) of Campfire.
CentralDesktop
CentralDesktop is collaboration software and online project management for business.
In URL, enter the web address that you use to log on to CentralDesktop.
CitrixAccessGateway
NetScaler Gateway provides secure user access to network resources in the internal network. If users log on with the
NetScaler Gateway Plug-in or clientless access, use the CitrixAccessGateway connector.
In URL, enter the web address used to log on to NetScaler Gateway, in the form https://<NetScaler Gateway FQDN>.
CitrixWebInterface
The Web Interface provides secure user access to published applications from XenApp and virtual desktops from
XenDesktop.
In Cookies Domain, enter the Web Interface domain name.
In URL, enter the web address to which users connect.
Echosign_SAML
In URL, enter the subdomain name for Echosign. This application requires the SAML certificate. For more information
about configuring Echosign, see the Echosign web site.
Egnyte
In URL, enter the web address used to log on to Egnyte.
In Cookies Domain and subdomain, enter the domain names.
URL: https://<subdomain>.<domain>.com
Example domain name: <domain>.com
Example subdomain name: <subdomain>
eLeaP
In Cookies Domain, enter the domain name.
In URL, enter the web address used to log on to eLeaP. For example, https://<subdomain>.2leap.com
Example domain name: <subdomain>.2leap.com
Globoforce_SAML
Globoforce is software that allows organizations to recognize their employees.
In URL, enter the web address to which users connect.
GoogleApps_SAML
When you configure a connector for Google Apps, use the token $$domain$$ for the web address. This token is
substituted with the Google Apps domain name. You provide the domain name in Domain Name.
URL: https://www.google.com/a/$$domain$$
Example: https://www.google.com/a/citrix.com
Important: You must use HTTPS for the Google Apps web address.
To configure App Controller for SSO to Google Apps
1. In the management console, click the Apps & Docs tab.
2. Under Apps & Docs > APPS, click web & SaaS.
3. In the right pane, click the plus (+) sign and then click GoogleApps_SAML.
4. In App name, type a name for the application.
5. In Description, type a description for the application.
6. In Cookies Domain, type the domain name that you configured in Google Apps.
7. In URL, enter the web address, preceded with https (Google Apps requires HTTPS).
8. Select App is hosted in internal network if the app is running on a server that resides in your internal network.
9. Configure the remaining optional settings to configure categories and roles for the application and then click Next.
10. Configure the settings for user account management and workflows.
11. Click Save when you are finished configuring the application.
After you configure Google Apps settings in App Controller, you then need to configure Google Apps for SSO. First,
you download the SAML certificate from App Controller. Then, you log on to Google Apps, configure the SSO settings,
and upload the certificate to Google Apps.
To configure Google Apps, follow these guidelines:
Enable SSO in Google Apps.
Provide the sign-in page URL. For example, type
https://appc-johndoe-151.agsag.com/samlsp/websso.do?action=authenticateUser&app=GoogleApps_SAML&reqtype=1
Provide the sign-out page URL. This is the web address that appears when users log off. For example, type
https://appc-johndoe-151.agsag.com/mywebapps
Provide the URL that users can access to change their password. For example, type
https://appc-johndoe-151.agsag.com/mywebapps
Upload the SAML certificate from App Controller to Google Apps.
Note: When users log on to Google Mail, they are automatically signed on to all features by using SSO. To log on, use
the format http://mail.google.com/a/<domain>.com
GoogleApps_SAML_IDP
You can use this connector to configure Google Apps as an Identity Provider. The settings are the same as for
GoogleApps_SAML.
HelpSpot
In URL, enter the web address that users use to log on.
In Cookies Domain, enter the HelpSpot domain name.
URL: http://<HelpSpot host>:<port number>/helpspot/admin.php
The default web address is $$url$$/helpspot/admin.php
Example URL: http://mycompany.helpspot.com:8089/helpspot/admin.php
Example domain name: mycompany.helpspot.com
JIRA
JIRA is an application you host in your internal network.
In URL, enter the web address used to log on to JIRA.
Example URL: http://<JIRA host>:<port>/secure/Dashboard.jspa
Office 365
Microsoft Office 365 is a cloud-based solution for e-mail, collaboration, instant messaging, and web conferencing.
Before you configure Office 365, make sure you have the following prerequisites:
Windows Azure
Public domain name that can be reached from the Internet
Microsoft Online Services Module for Windows PowerShell, to connect to the Azure database
Active Directory
Directory Synchronization tool that is used to synchronize Active Directory objects (users, groups, and contacts) to
the cloud. This is also called directory sync.
In Cookies Domain, enter the Office 365 domain name.
In URL, enter the web address used to log on to Office 365. The default URL is https://login.microsoftonline.com.
On the Settings tab, in the left pane, click Certificates.
After you configure Office 365 settings in App Controller, you need to configure Office 365 for SSO. First, you
download the SAML certificate from App Controller. When you run the cmdlets in the following procedure, you enter
the SAML certificate path or copy the certificate into the location from where you run the cmdlets. The following
procedure enables the trust relationship between Windows Azure and App Controller. This allows SAML-based SSO.
When you configure the domain name ($dom), use the Active Directory domain.
To configure Office 365
1. Log on to Windows Server 2008 R2 or Windows Server 2008.
2. Open Windows PowerShell.
3. At the command prompt, type Connect-MsolService. Enter the Microsoft Online Services user name and
password when prompted.
4. At the command prompt, enter the following cmdlets:
$dom = ""    # the federated Active Directory domain name (value not given in the source)
$fedBrandName = "AppC"
$url = "https://<AppC FQDN>/samlsp/websso.do?action=authenticateUser&app=Office365_SAML"
$uri = "AppController.example.com"    # IssuerUri; must equal the Issuer value in the SAML assertions App Controller sends
$logoutUrl = "https://<AppC FQDN>/samlsp/websso.do?action=logout&app=Office365_SAML"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("certificate.pem")    # the SAML certificate downloaded from App Controller
$certData = [System.Convert]::ToBase64String($cert.RawData)    # base64 DER, the form -SigningCertificate expects
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP
Note: The trust rests on the signing certificate. If the SAML certificate on App Controller is renewed, run
Set-MsolDomainAuthentication again with the new certificate; otherwise Windows Azure rejects the assertions and
federated logon fails. The -IssuerUri value must match the Issuer that App Controller places in its assertions.
After you configure these settings, users can log on to Office 365 from Receiver or by using the Office 365 URL in a
web browser.
Oracle10g
In URL, enter the web address used to log on to Oracle10g.
In Cookies Domain, enter the Oracle10g domain name.
URL syntax: http://<host>:<port>/apex
Example URL: http://<host>.<domain>.com:8080/apex
Example domain name: <domain>.com
In the Oracle10g application in App Controller, change the default Redirection URL to the FQDN of App Controller. For
example, if the App Controller FQDN is appcontroller.citrix.com, the Redirection URL must be https://appcontroller.citrix.com.
OWA (Outlook Web Access)
In URL, enter the web address that is used to access Outlook Web Access.
In Cookies Domain, enter the domain name of Outlook Web Access.
URL: https://<OWA host>.<domain>.com
Example domain name: <OWA host>.<domain>.com
The Outlook Web Access connector does not support NTLM-based authentication. Outlook Web Access only supports
form-based authentication.
PeopleclickAuthoria
In URL, enter the web address used to log on to Peopleclick Authoria.
In Cookies Domain, enter the domain name.
URL: https://<host>.<domain>/loginAction.action
Example domain name: <host>.<domain>.com
Note: The Authoria connector is for an enterprise-hosted application and not for a web-based application.
Recover_Password
In URL, enter the App Controller FQDN, such as https://AppController.example.com/recoverpasswordportal.
Reset_AppPassword
In URL, enter the App Controller FQDN, such as https://<AppC FQDN>.
Salesforce
When you open the connector for Salesforce, URL contains a web address. If the default web address is different
from the web address that your organization uses, enter the correct web address.
Default URL: https://login.salesforce.com
Example: your organization's URL, such as https://my.salesforce.com
Salesforce_SAML
URL: https://login.salesforce.com
When you open the connector for Salesforce, URL contains a web address. If the web address is different from
the web address that your organization uses, enter the correct web address.
This application requires the SAML certificate from App Controller. Follow the procedures in Salesforce_SAML_SP to
upload the SAML certificate to the Salesforce server.
Salesforce_SAML_SP
URL: https://login.salesforce.com
When you enable user management and enter the user name and password, append your Salesforce security token
to the password that you use to log on to Salesforce. For example, if the password is password and the token is
ZDMn6tx5Rf9l1bLdKrgwNuviM, enter passwordZDMn6tx5Rf9l1bLdKrgwNuviM.
You need to download the certificate from App Controller and then upload the certificate to the Salesforce application.
For more information about uploading the certificate to Salesforce, see the Salesforce help topic Configuring SAML
Settings for Single Sign-On.
In the Salesforce application, specify the IdP URL in SAML settings as
https://appc-johndoe-151.agsag.com/samlsp/websso.do?action=authenticateUser&app=Salesforce_SAML_SP&reqtype=1
SAP
In URL, enter the web address used to log on to SAP.
In Cookies Domain, enter the SAP domain name.
URL: http://<host>.mydomain.com
Example domain name: <host>.mydomain.com
ShareFile
In Cookies Domain, enter the domain name that hosts ShareFile.
ShareFile_SAML
In URL, enter the web address used to log on to ShareFile.
In Cookies Domain, enter the domain name that hosts ShareFile.
ShareFile_SAML_SP
In URL, enter the web address used to log on to ShareFile.
In Cookies Domain, enter the domain name that hosts ShareFile.
SuccessFactors
SuccessFactors requires the Company Id parameter. Enter your organization's name in App Controller.
URL: https://performancemanager4.successfactors.com/login
Company ID: <Company Id registered with SuccessFactors>
Note: Company Id is case sensitive. Enter the Company ID that you registered with SuccessFactors.
SuccessFactors_SAML
The SuccessFactors technical support team configures SAML settings. Contact SuccessFactors when you are ready
to configure these settings. You need to provide a .csv file to technical support. The .csv file must have a password
column that is the same as the user ID.
SuccessFactors requires the Company ID parameter, which is your organization's name. Enter your
organization's name in Cookies Domain.
Domain Name: <Company Name registered with SuccessFactors>
Note: Company Name is case sensitive. Enter the Company Name that you registered with SuccessFactors.
Webex
In URL, enter the web address used to log on to WebEx. In Cookies Domain, type your organization's domain
name. In Company Name, enter your organization's name.
Example URL: https://<company>.webex.com/mw0306lc/mywebex/default.do?siteurl=<company>&service=10
Example domain name: citrix.webex.com
Example company name: <company name>
Note: Domain Name and Company Name are case sensitive.
WebEx_SAML_SP
In URL, enter the web address used to log on to WebEx SAML.
URL: https://<company>.webex.com/dispatcher/SAML2AuthService?siteurl=<company>
This application requires the SAML certificate from App Controller. For more information about uploading the
certificate to WebEx, see Single sign-on Configuration in the Cisco WebEx Administration Tool.
In the WebEx application, specify the IdP URL in SAML settings as
https://appc-johndoe-151.agsag.com/samlsp/websso.do?action=authenticateUser&app=WebEx_SAML_SP&reqtype=1
Webtrends
When you configure a Webtrends connector, you must enter the account name provided by Webtrends when you
registered App Controller.
URL: https://ondemand.webtrends.com/login.asp
Account: <account name provided by Webtrends>
Example account name: mycompany
Note: Account is case sensitive.
Zendesk
In URL, enter the web address used to log on to Zendesk.
In Cookies Domain, type the domain name for Zendesk.
URL: https://<subdomain>.zendesk.com
Example domain name: mycompany.zendesk.com
Configuring Applications for User Account Management
When you configure an application for SSO, you can also configure some application connectors to enable user account
creation and management. When you enable user account management, you can configure settings to create new user
accounts automatically or by using a workflow. You must select one or the other option. If you use a workflow, the
workflow settings specify the correct number of approvals that are necessary to create user accounts. When all the
approvals are received, App Controller creates the user account.
If an application is available for user account management, after you configure the URL and licenses, you click Next to
configure the settings for creating user accounts, including workflow settings. If an application is not available for user
account management, the check box does not appear when you configure the URL and license information.
After you configure the application to enable user account creation and management, you can synchronize the
application accounts with Active Directory. When you synchronize application accounts, App Controller uses the users'
Active Directory credentials for SSO to the application.
Configuring Workflows for User Account Management
You can use workflows to manage the creation and removal of user accounts. Before you can use a workflow, you need
to identify individuals in your organization who have the authority to approve user account requests. Then, you can use
the workflow template to create and approve user account requests.
When you configure App Controller for the first time, you configure workflow email settings. You must configure
workflow email settings to use workflows. You can change workflow email settings at any time by using the System
Configuration panel in App Controller. These settings include the email server, port, email address, and whether the
request to create the user account requires approval or not.
You can configure workflows in two places in App Controller:
On the Workflows tab in the App Controller management console. On the Workflows tab, you can configure
multiple workflows for use with application connectors. When you configure workflows from this tab, you can
select the workflow when you configure the application.
When you configure an application connector. In the application, you provide a workflow name and then
configure the individuals who can approve the user account request.
You can assign up to three levels for manager approval of user accounts. If you need other individuals to approve the
user account, you can search and select additional approvers by using the person's name or email address. When App
Controller finds the individual, you then add the person to the workflow. All individuals in the workflow receive emails to
approve or deny the new user account.
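The following is an added example, not App Controller code, that models the approval rules described above: manager approvers are resolved from the Active Directory manager attribute for up to three levels, up to five additional approvers can be added, at least one approver is required, the account is created only when every approver has approved, and one denial ends the request. The rule that a requester cannot approve their own account, the directory contents, and the names are this example's own.

```python
"""Approval workflow for application user-account requests (added example)."""
MAX_MANAGER_LEVELS = 3
MAX_ADDITIONAL_APPROVERS = 5

# Constructed stand-in for Active Directory: sAMAccountName -> attributes.
DIRECTORY = {
    "jdoe":   {"mail": "jdoe@example.com",   "manager": "asmith"},
    "asmith": {"mail": "asmith@example.com", "manager": "bjones"},
    "bjones": {"mail": "bjones@example.com", "manager": "ceo"},
    "ceo":    {"mail": "ceo@example.com",    "manager": None},
    "secops": {"mail": "secops@example.com", "manager": "ceo"},
}


def manager_chain(user, levels, directory=DIRECTORY):
    """Follow the manager attribute for `levels` hops (0..3), stopping early at
    someone with no manager. Returns the approvers in approval order."""
    if not 0 <= levels <= MAX_MANAGER_LEVELS:
        raise ValueError("levels of manager approval must be 0..%d" % MAX_MANAGER_LEVELS)
    chain, current = [], user
    for _ in range(levels):
        current = directory[current]["manager"]
        if current is None:
            break
        chain.append(current)
    return chain


class AccountRequest:
    """A pending request to create `requester`'s account in `app`."""

    def __init__(self, requester, app, manager_levels, additional_approvers=()):
        additional = list(dict.fromkeys(additional_approvers))   # dedupe, keep order
        if len(additional) > MAX_ADDITIONAL_APPROVERS:
            raise ValueError("at most %d additional approvers" % MAX_ADDITIONAL_APPROVERS)
        managers = manager_chain(requester, manager_levels)
        self.approvers = managers + [a for a in additional if a not in managers]
        if not self.approvers:
            raise ValueError("a workflow needs at least one approver")
        if requester in self.approvers:   # this example's own separation-of-duties check
            raise ValueError("requester cannot approve their own account")
        self.requester, self.app, self.decisions = requester, app, {}

    def record(self, approver, approved):
        """Record one emailed approve/deny reply; reject strangers and duplicates."""
        if approver not in self.approvers:
            raise PermissionError("%s is not an approver for this request" % approver)
        if approver in self.decisions:
            raise ValueError("%s already decided" % approver)
        self.decisions[approver] = bool(approved)
        return self.status

    @property
    def status(self):
        if any(not ok for ok in self.decisions.values()):
            return "denied"
        if all(a in self.decisions for a in self.approvers):
            return "approved"   # all approvals received: App Controller creates the account
        return "pending"


def demo():
    """One request approved by the full chain, one denied at the first level."""
    req = AccountRequest("jdoe", "Salesforce", manager_levels=2, additional_approvers=["secops"])
    states = [req.record("asmith", True), req.record("bjones", True)]
    stranger = None
    try:
        req.record("ceo", True)   # level 3 manager, not part of a 2-level workflow
    except PermissionError:
        stranger = "rejected"
    states.append(req.record("secops", True))
    denied = AccountRequest("jdoe", "Box", manager_levels=1)
    denied.record("asmith", False)
    return {"approvers": req.approvers, "states": states, "stranger": stranger,
            "denied": denied.status, "top_of_tree": manager_chain("ceo", 3)}


if __name__ == "__main__":
    print(demo())
```

The chain for a user whose manager tree is shorter than the configured levels simply ends early; if it is empty and no additional approvers were added, the request is refused at creation, which is the "at least one approver" rule above.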
To create and manage workflows in the management console
1. In the App Controller management console, click the Workflows tab.
2. On the Workflows tab, in the details pane, click Add Workflow.
3. In Workflow name, type a name for the workflow.
4. Optionally, in Description, type a description for the workflow and then click Next.
5. Under Manager Approvals, in Levels of manager approval, select the number of levels required for manager approval
of the user account.
6. Under Additional Approvers, in Enter additional required approvers, enter the name of the approver. Approver names
are from Active Directory.
7. When the approver's name appears in the text field, click the name and then click the plus (+) symbol. The approver's
name and email address appear in Selected Approver.
8. Click Save. The workflow appears in the management console.
After you create the workflow, you can view the workflow details, view the apps associated with the workflow, or delete
the workflow. You cannot edit a workflow after you create the workflow. If you need a workflow with different approval
levels or approvers, create a new workflow.
To view details of the workflow
1. In the App Controller management console, click Workflows at the top of the page.
2. On the Workflows tab, in the details pane, select a workflow and then, under Actions, click the workflow details icon.
The details of the workflow appear.
3. Click Close.
To view applications assigned to a workflow
1. In the App Controller management console, click Workflows at the top of the page.
2. On the Workflows tab, in the center pane, select a workflow and then, under Actions, click the apps icon. The apps
associated with the workflow appear.
3. Click Close.
To delete a workflow
1. In the App Controller management console, click Workflows at the top of the page.
2. On the Workflows tab, in the center pane, select a workflow and then, under Actions, click the X icon.
3. Click OK to delete the workflow.
To configure workflow email settings
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, under System Configuration, click Workflow Email.
3. In the details pane, next to Workflow Email, click Edit.
4. In Email server, type the name of the email server where user email accounts reside.
5. In Port, type the port number. The default is port 25.
6. In Email, type the email address of the service account and then click Save. The service account is the
administrative account you use to log on to Active Directory.
7. Optionally, select Authentication required if approvers must log on to the email server before sending workflow email
and then enter the following:
a. In Login name, type the approver's user name.
b. In Password and Confirm Password, type the approver's password.
8. Click Save.
To configure settings to create user accounts
When you configure an application connector to create user accounts, you select a check box that allows you to define
how the user name and password appear, as well as who approves the new user account.
Some applications do not support the creation of new user accounts. If the Enable user management for provisioning
check box appears on the Details page of the Configure App dialog box, you can create user accounts for the
application.
1. In the management console, click the Apps & Docs tab.
2. Under Apps & Docs > APPS, click Web & SaaS.
3. In the right pane, click the plus (+) sign and then select an application from the catalog.
4. On the first page of the Configure App dialog box, configure the following:
a. In App name, accept the default name or type a name of your choice.
b. In Description, accept the default description or type one of your own.
c. In URL, type the web address for the application.
Note: Some SAML applications might require additional parameters, such as subdomain and cookies domain
names. For more information, see List of Application Connector Types.
d. Select App is hosted in internal network if the app is running on a server in your internal network.
e. Select Use Active Directory for SSO to obtain user names and passwords from Active Directory.
f. Select Require app installation if the application is used on a mobile device.
g. In Category, select a category for the application. This is an optional parameter and defines categories in Citrix
Receiver that contain applications.
h. In Assigned Roles, select the role for the application. You must select a role to which to assign the application.
i. Select Enable user management for provisioning and then click Next.
Note: If you enable this setting, App Controller disables the setting Use Active Directory for SSO.
5. Click Next.
6. On the Service Account page of the Configure App dialog box, do one of the following:
a. Under Service account, in User name and Password, type the service account credentials for the application.
This is the account that you use to log on to the application as an administrator. You must enter the user
name and password. Use a dedicated account that has only the rights needed to create and manage users in
the application.
b. To automatically create new user accounts, under User Accounts, do the following:
i. Select Create account automatically.
ii. In When user entitlement ends, select what happens to user accounts if the user's status changes and
then click Next.
7. On the User Names page of the Configure App dialog box, under User Name Rule, select the following:
a. In User attribute, select the parameters for the user name. The default is Email address.
b. In Length (characters), enter the number of characters from the user attribute to include in the user name. The
default is All.
c. Repeat Steps a and b for each parameter you want to include in the user name. The Rule field is automatically
populated. The default is $EMAIL.
8. Under Password Requirement, in Length, type the number of characters required for user passwords.
9. Under Password Expiration, in Validity (days), type the number of days the password is valid. You must type a value
from 0 through 90. Passwords are valid for a maximum of 90 days.
10. Select Automatically reset password after it expires to change user passwords automatically and then click Next.
If you do not select this check box, when user passwords expire, users cannot access the app.
11. On the Workflow page of the Configure App dialog box, do the following:
a. Select Requires Approval and then select a workflow or click Create New Workflow.
b. If you select Create New Workflow, in Workflow name, enter a name for the workflow.
c. Optionally, in Description, describe the workflow purpose and then click Next.
12. On the Manager Approvals page of the Configure App wizard, do the following:
a. Under Manager Approvals, in Levels of approval needed, select the number of levels required for user account
approval. You can select up to three levels of managerial approvers. Approval goes through the workflow according
to the managers identified in Active Directory. If you do not need managerial approval, you can select Not
needed. If you select this setting, you must add approvers in Additional Approvers. You must select at least one
workflow approver.
b. Under Additional Approvers, add the people whom you would also like to approve the user account. You can
search by using the person's full or partial name. You can add a total of five approvers to the list.
c. When the person's name appears in the text box, select the name and then click the plus (+) sign.
d. Click Next.
13. On the Policies page of the Configure App wizard, configure the network and security policies for the app and then
click Save.
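The following is an added example, not App Controller code, of the user-name rule and password-expiration behaviour configured in the steps above. The $EMAIL token and the Length (characters) truncation follow the User Names page; the $FIRSTNAME and $LASTNAME tokens, their mapping to Active Directory attributes, and treating a validity of 0 days as "never expires" are this example's own assumptions. The sample user and dates are constructed.

```python
"""User-name rule expansion and password validity for provisioned accounts (added example)."""
from datetime import date, timedelta
import re

MAX_VALIDITY_DAYS = 90
# $EMAIL takes the whole attribute; $FIRSTNAME:1 takes the first character.
TOKEN_RE = re.compile(r"\$([A-Z]+)(?::(\d+))?")
ATTRIBUTES = {"EMAIL": "mail", "FIRSTNAME": "givenName", "LASTNAME": "sn"}   # assumed AD mapping


def build_user_name(rule, user):
    """Expand a rule such as '$FIRSTNAME:1$LASTNAME' against a user's AD attributes.
    A missing first name, last name or email is an error, matching the note
    that App Controller cannot synchronise such users."""
    def expand(match):
        token, length = match.group(1), match.group(2)
        attribute = ATTRIBUTES.get(token)
        if attribute is None:
            raise ValueError("unknown token $%s" % token)
        value = user.get(attribute)
        if not value:
            raise ValueError("user has no %s attribute" % attribute)
        return value if length is None else value[:int(length)]
    return TOKEN_RE.sub(expand, rule).lower()


def validate_validity_days(days):
    """The console accepts 0 through 90 days only."""
    if not 0 <= days <= MAX_VALIDITY_DAYS:
        raise ValueError("validity must be 0 through %d days" % MAX_VALIDITY_DAYS)
    return days


def password_state(set_on, validity_days, today, auto_reset):
    """'valid', 'reset' (expired and regenerated because auto reset is on) or
    'locked' (expired without auto reset: the user cannot access the app).
    validity_days == 0 is treated as 'never expires' (assumption)."""
    validity_days = validate_validity_days(validity_days)
    if validity_days == 0 or today < set_on + timedelta(days=validity_days):
        return "valid"
    return "reset" if auto_reset else "locked"


SAMPLE_USER = {"mail": "John.Doe@example.com", "givenName": "John", "sn": "Doe"}   # constructed
SAMPLE_SET_ON = date(2015, 7, 1)                                                    # constructed


def demo():
    """Exercise the default rule, an initial+surname rule, and the expiry states."""
    results = {
        "default_rule": build_user_name("$EMAIL", SAMPLE_USER),
        "initial_last": build_user_name("$FIRSTNAME:1$LASTNAME", SAMPLE_USER),
        "day_89": password_state(SAMPLE_SET_ON, 90, SAMPLE_SET_ON + timedelta(days=89), False),
        "day_90_locked": password_state(SAMPLE_SET_ON, 90, SAMPLE_SET_ON + timedelta(days=90), False),
        "day_90_reset": password_state(SAMPLE_SET_ON, 90, SAMPLE_SET_ON + timedelta(days=90), True),
    }
    try:
        password_state(SAMPLE_SET_ON, 120, SAMPLE_SET_ON, True)
    except ValueError as exc:
        results["too_long"] = str(exc)
    try:
        build_user_name("$EMAIL", {"givenName": "No", "sn": "Mail"})
    except ValueError as exc:
        results["no_mail"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```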
To synchronize application users with Active Directory
After you configure an application connector to enable user account creation and management, you need to
synchronize the users who have application accounts with the users in Active Directory.
When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If
you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals.
When users attempt to start an app, users receive a message that they are not authorized to use the app.
Note: The Sync icon only appears when you select an application that is configured for user account management.
1. In the App Controller management console, click the Apps & Docs tab.
2. In the details pane, click an application.
3. In the dialog box that appears, click the Sync icon.
Searching for Applications
You can search the web, SaaS, and mobile application catalog to locate the application you want to add to App
Controller.
There are two ways you can search for applications on the Apps & Docs tab:
From the All Apps tab. This option searches all applications configured in App Controller.
From the application catalog on the Web & SaaS tab. This option searches for applications in the catalog.
When you start to enter the search string next to the magnifying glass icon in the details pane or the application catalog,
App Controller displays a list of apps that either start with or contain the letters you type.
For the applications you have added to App Controller, if you configure roles and assign applications to a role, on the
Roles tab, you can search for the app in the role. You can quickly see which role the app is assigned to and make any
necessary changes.
To search for an application in the catalog
1. In the App Controller management console, click the Apps & Docs tab.
2. In the navigation pane, click Web & SaaS.
3. In the details pane, click the plus (+) sign.
4. In Catalog, in Search catalog, type the search string and then click the app to configure settings.
To search for applications assigned to roles
1. In the App Controller management console, click the Roles tab.
2. In the navigation pane, under Roles, click a role.
3. In the details pane, in Search apps, type the search string. The app appears in the right pane.
Enterprise Apps
You can create your own application connectors in App Controller. You can create either a Security Assertion Markup
Language (SAML) connector or an HTTP Federated Formfill connector.
When you build a connector, you use the logon web address for the URL. For example, you want to add LinkedIn to
your application list. Go to http://www.linkedin.com and then click Sign in. When the logon page appears, copy the web
address and then paste the web address in the URL field in the Configure App wizard in App Controller.
Building SAML Connectors
App Controller enables you to build either a SAML 1.1 or SAML 2.0 connector. SAML connectors are used for web
applications that support the SAML protocol for SSO. The Generic SAML connector enables you to create your own
SAML connector for applications that support the SAML protocol. App Controller supports the identity provider (IdP)
SSO for SAML applications.
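The following is an added example, not Citrix or App Controller code, of the SAML 2.0 exchange a custom SAML connector sets up. It maps the connector fields named in this section (Entity ID, ACS URL, Name ID format, SAML version) onto the elements of an assertion and shows the checks the service provider must make on receipt: Destination and Recipient must be its ACS URL, Audience must be its Entity ID, the issuer must be the expected identity provider, and the validity window must contain the current time. XML signature creation and verification are deliberately left out and are mandatory in any real deployment; the issuer value, endpoints, clock and identity are constructed.

```python
"""Minimal SAML 2.0 Response round trip for a custom SAML connector (added example)."""
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"   # the connector's default Name ID format
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)


def build_response(idp_issuer, entity_id, acs_url, name_id, now, lifetime=300):
    """Identity-provider side: issue an unsigned SAML 2.0 Response for name_id."""
    issued = now.strftime(TIME_FMT)
    not_after = (now + timedelta(seconds=lifetime)).strftime(TIME_FMT)
    resp = ET.Element(q("samlp", "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                               "IssueInstant": issued, "Destination": acs_url})
    ET.SubElement(resp, q("saml", "Issuer")).text = idp_issuer
    status = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(status, q("samlp", "StatusCode"), {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, q("saml", "Assertion"),
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(assertion, q("saml", "Issuer")).text = idp_issuer
    subject = ET.SubElement(assertion, q("saml", "Subject"))
    ET.SubElement(subject, q("saml", "NameID"), {"Format": EMAIL_FORMAT}).text = name_id
    confirmation = ET.SubElement(subject, q("saml", "SubjectConfirmation"),
                                 {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    # Bearer assertion: only the named ACS may consume it, and only until NotOnOrAfter.
    ET.SubElement(confirmation, q("saml", "SubjectConfirmationData"),
                  {"Recipient": acs_url, "NotOnOrAfter": not_after})
    conditions = ET.SubElement(assertion, q("saml", "Conditions"), {"NotBefore": issued, "NotOnOrAfter": not_after})
    restriction = ET.SubElement(conditions, q("saml", "AudienceRestriction"))
    ET.SubElement(restriction, q("saml", "Audience")).text = entity_id   # the connector's Entity ID
    return ET.tostring(resp, encoding="unicode")


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_issuer, entity_id, acs_url, now):
    """Service-provider side checks (signature verification omitted, see lead-in).
    Returns (ok, reason, name_id)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    issuer = assertion.find("saml:Issuer", NS)
    conditions = assertion.find("saml:Conditions", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if None in (issuer, conditions, audience, confirmation, name_id):
        return False, "assertion is missing a required element", None
    try:
        not_before = _parse_time(conditions.get("NotBefore"))
        not_after = _parse_time(conditions.get("NotOnOrAfter"))
    except (TypeError, ValueError):
        return False, "malformed validity window", None
    checks = [
        (root.get("Destination") == acs_url, "Destination is not our ACS URL"),
        (issuer.text == expected_issuer, "unexpected issuer"),
        (not_before <= now < not_after, "assertion is outside its validity window"),
        (audience.text == entity_id, "audience is not our Entity ID"),
        (confirmation.get("Recipient") == acs_url, "Recipient is not our ACS URL"),
        (name_id.get("Format") == EMAIL_FORMAT, "unexpected NameID format"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason, None
    return True, "ok", name_id.text


SAMPLE_NOW = datetime(2015, 7, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock


def demo():
    """One good assertion plus three that a service provider must reject."""
    issuer = "https://appc.example.com/samlsp"                                  # assumed App Controller issuer
    entity_id, acs = "urn:example:sp", "https://sp.example.com/saml/acs"          # assumed SP values
    xml_text = build_response(issuer, entity_id, acs, "jdoe@example.com", SAMPLE_NOW)
    soon = SAMPLE_NOW + timedelta(seconds=30)
    return {
        "good": validate_response(xml_text, issuer, entity_id, acs, soon),
        "wrong_audience": validate_response(xml_text, issuer, "urn:example:other-sp", acs, soon),
        "wrong_issuer": validate_response(xml_text, "https://attacker.example", entity_id, acs, soon),
        "replayed_late": validate_response(xml_text, issuer, entity_id, acs, SAMPLE_NOW + timedelta(seconds=900)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %s" % (name, result))
```

The "wrong_audience" case is the one a misconfigured Entity ID produces: the assertion is otherwise perfect, but the service provider must not accept an assertion issued for a different application, because that is exactly how a token meant for one SAML connector gets replayed against another.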
Building HTTP Federated Formfill Connectors
App Controller can use Formfill to automatically enter user credentials in the application’s logon page. When users
connect to a SaaS application, the web browser displays the logon form and then redirects users to the SaaS
application. When you add a new Formfill connector to the existing catalog, you must provide information about the
application that you want to add. After you successfully configure the connector, you can then configure the connector
for SSO. The Formfill connector supports applications that:
Obtain the user name and password and submit the credentials to the application without verifying the
information again.
Set the application cookies when users request the logon page. The cookies set the attributes that change
for each logon request for the application.
Building Enterprise Applications
You can create enterprise application connectors from the tab in the App Controller management console. Apps & Docs
When you create an enterprise app, you create the app and the Formfill connector at the same time.
Users log on to enterprise apps by using SSO. You can also configure user account management for enterprise
applications, as well as policies for the connector.
To create an enterprise application
1. In the management console, click the Apps & Docs tab.
2. Under Apps & Docs > APPS, click Web & SaaS and then click the plus (+) sign in the right pane.
3. In the catalog, click New enterprise app.
4. On the Details page, complete the following:
a. In App name, type a name for the app.
b. In Description, enter a description for the app.
Note: If you want to configure a second app with the same web address, you must give the app a different name.
c. In URL, type the web address for the app. Precede the web address with http or https.
d. Select App is hosted on internal network if the app is running on a server that resides in your internal network.
e. To obtain user credentials from Active Directory, click Use Active Directory for SSO.
f. Select Require app installation if users connect to the app from a mobile device. This setting requires users to
download and install the app to their device.
g. In Category, select the category from the list.
h. In Assigned role, select the role. This is a mandatory field.
i. In Image, select the default Citrix logo or select Upload to add your own logo to the logon page and then click
Next. If you want to upload your own logo, click Browse and then navigate to the logo on your device.
Note: The graphic you upload must be of the type PNG. You cannot upload a GIF or JPEG graphic. When you
add a custom graphic, you cannot change it at a later time.
5. Click Next.
6. On the Workflow page, configure the following if you need approval for creating user accounts:
a. Select Requires Approval and then either create a new workflow or select an existing workflow.
b. If you create a new workflow, in Workflow name, enter a name for the workflow and then click Next. If you
choose not to add or configure a workflow, click Next and go to Step 7.
c. Under Manager Approvals, in Levels of manager approval, select the number of levels required for manager
approval of the user account.
d. Under Additional Approvers, in Enter additional required approvers, enter the name of the approver. Approver
names originate from Active Directory.
e. When the approver's name appears in the text field, click the name and then click the plus (+) symbol. The
approver's name and email address appear in Selected Approver.
7. Click Next.
8. On the Policies page, configure any of the following:
a. Under Device Security, in Block jailbroken or rooted, click the toggle to Off to allow this app to work on a
compromised mobile device. The default is On, which does not allow the app to work on a compromised mobile
device.
b. Under Network Requirements, enable or disable WiFi required.
c. Enable or disable Internal network required.
d. In Internal WiFi networks, enter one or more Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA)
keys, separated by commas.
9. Click Save.
To build a SAML connector
In the App Controller management console, click the Settings tab.
In the left pane, under Quick Links, click Add connector and then click SAML connector.
In the Add a SAML Connector dialog box, in Name, type a name for the application.
In Description, describe the application.
In Logon URL, enter the logon web address for the application. You must include http:// in the web address.
In SAML version, select the version.
In Entity ID, enter the identity for the SAML application.
In Relay State URL, enter the web address for the SAML application. The relay state URL is the response URL from the application.
In Name ID format, select from the options in the list. The default is Email Address.
In ACS URL, enter the assertion consumer service of the identity provider or service provider. The AssertionConsumerServiceURL (ACS URL) provides single sign-on (SSO) capability for users.
In Image, select Use default to use the default Citrix logo or select Upload to add your own logo to the logon page.
If you want to upload your own logo, click Browse and then navigate to the logo on your device.
Note: The graphic you upload must be the type PNG. You cannot upload a GIF or JPEG graphic. When you add a custom graphic, you cannot change it at a later time.
Click Save.
To build an HTTP Federated Formfill connector
In the App Controller management console, click the Settings tab.
In the left pane, under Quick Links, click Add connector and then select Formfill connector.
In the Add a Formfill connector dialog box, in Name, type a name for the connector.
In Description, enter a description for the connector.
In Logon URL, enter the logon web address for the connector.
In Image, select the default Citrix logo or select Upload to add your own logo to the logon page.
If you want to upload your own logo, click Browse and then navigate to the logo on your device.
Note: The graphic you upload must be the type PNG. You cannot upload a GIF or JPEG graphic. When you add a custom graphic, you cannot change it at a later time.
Click Save.
Web Links
A Web link is a web address to an Internet or intranet site. A web link can also point to a web application that doesn't require single sign-on (SSO).
You can configure web links from the Apps & Docs tab in App Controller. When you finish configuring the web link, the link appears as an icon in the store in App Controller. When users log on with Citrix Receiver or Worx Home, the link appears with the list of available apps and desktops.
In the App Controller management console, you provide the following information:
Name for the link
Description of the link
Web address (URL)
Category
Role
Image, in .png format (optional)
To configure a Web link
In the App Controller management console, click the Apps & Docs tab.
In the left pane, under Apps & Docs > APPS, click Web Link and then click the plus sign (+) in the details pane.
In the Configure App dialog box, complete the following:
In App Name, type a name for the link.
In Description, type a description of the link.
In URL, enter the full Web address of the site, such as http://www.citrix.com.
If applicable, select the App is hosted in the internal network check box.
If applicable, select Require app installation if users save the link on their device.
In Category, select the category in which the link appears in Citrix Receiver.
In Assigned Role, select the role. This is a mandatory field.
In Image, select Use default to use the default Citrix logo or select Upload to add your own logo to the logon page.
If you want to upload your own logo, click Browse and then navigate to the logo on your device.
Note: The graphic you upload must be the type PNG. You cannot upload a GIF or JPEG graphic. You can upload a custom graphic when you create a web link. After you save the web link, you cannot change the graphic.
Click Save.
Configuring MDX Policies for iOS Apps in App Controller
You can configure the following policies in App Controller 2.9 for apps that run on iOS devices.
Authentication
Authentication
Determines if the app requires network logon to run. The default is Offline challenge only.
Options:
Network logon. Requires network logon to securely use the app, and users can only run the app while
online. If you set the policy to require network logon, when users try to open an app, the following
message appears: Sign on to Worx Home to securely use this app.
Offline access permitted after challenge. The app prompts for enterprise logon when possible, but
allows offline use after the password challenge.
Important: This option is deprecated.
Offline challenge only. Allows the app to run with an offline password challenge.
Not required. Does not require user authentication.
Note: After the maximum offline period for the app expires, users must log on to Worx Home regardless of the policy
setting.
Maximum offline period (hours)
Defines the maximum period an app can run offline without requiring an enterprise logon for the purpose of entitlement and refreshing policies. Default is 72 hours (3 days).
Regardless of app logon requirements, this is the maximum time between Receiver logons in order to reconfirm entitlement and refresh policies. The minimum time you can configure is 1 hour. Users are reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users log on.
Note: If the Authentication policy is set to Network logon, this setting is ignored and no offline access is allowed.
Reauthentication period (hours)
Defines the period before a user is challenged to authenticate again. Default is 8 hours. A setting of 0 (zero) prompts
for logon each time the app is started or reactivated.
NetScaler Gateway address
The external NetScaler Gateway address to which users connect. Example: gateway.MyCorp.com. Default value is
empty.
Device Security
Block jailbroken or rooted
The app is locked when the device is jailbroken (iOS) or rooted (Android). Default is On.
Options:
On. The app is locked when the device is jailbroken or rooted.
Off. The app can run on a jailbroken or rooted device.
Network Requirements
Require WiFi
Determines if the device requires a WiFi connection in order for an app to run. Default is Off.
Options:
On. The app is locked when the device is not connected to a WiFi network.
Off. The app can run even if the device does not have an active WiFi connection, such as 4G/3G or a
LAN connection.
Require internal network
The app requires a connection to a network within the organization. Default is Off.
Options:
On. The app is blocked when the device is not connected to an internal network.
Off. The app can run from an external network.
Internal WiFi networks
The app requires a connection to one of the specified wireless networks. Separate the network Service Set Identifier
(SSID) with commas. The default is an empty list, which indicates that any internal WiFi network can be used. If users
log on from an external network (or they are not logged on), this policy is not enforced.
Miscellaneous Access
App update grace period (hours)
Defines the grace period during which users may use an app after the system has discovered that an app update is
available. Default is 168 hours (7 days). If 0, the update must be applied immediately.
Note: Citrix recommends using a value other than zero (0). A zero (0) value would immediately prevent users, without
warning, from using a running app until they download and install the update. This could lead to a situation in which
users are forced to exit the app and potentially lose work.
Auth failures before lock
Locks app after the specified number of consecutive offline logon failures and prompts user to log on. Default is 5
failures. If you enter 0, the app does not lock no matter how many times users enter incorrect credentials.
Erase app data on lock
Erases data and resets the app when the app is locked. Default is Off.
Options:
On. App data is automatically erased when the app is locked.
Off. App data is not erased automatically when the app is locked.
An app can be locked for any of the following reasons:
Loss of app entitlement for the user
Removal of app subscription
Removal of Worx Home account
Too many application authentication failures
Jailbroken device and policy restricting the app to run on such a device
Other administrative action to lock device
Active poll period (minutes)
When an app starts, the MDX framework polls App Controller to determine current app and device status. Assuming
App Controller can be reached, the framework returns information about the lock and erase status of the device and
the enable or disable status of the app. Whether App Controller can be reached or not, a subsequent poll is scheduled
based on the active poll period interval. After the period expires, a new poll is again attempted.
Important: Only set this value lower for high-risk apps or performance may be affected.
Encryption
Encryption keys
Enables secrets used to derive encryption keys to be persisted on the device. Default is Offline access permitted.
Options:
Online access only. Secrets used to derive encryption keys may not be persisted on the device. Instead, the device must recover the keys from the key management service of App Controller each time they are needed.
Note: If you select Online access only, the authentication policy is assumed to be Network logon regardless of the authentication policy setting that you configured for the app.
Offline access permitted. Secrets used to derive encryption keys may be persisted on the device.
Note: If you select Offline access permitted, Citrix recommends that you set the Authentication policy to enable a network logon or an offline password challenge in order to protect access to the encrypted content.
Enable encryption
Determines if the data held in local database files is encrypted. Default is On.
Options:
On. The data is encrypted in local database files.
Off. The data is not encrypted in local database files.
Database encryption exclusions
Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific
database, add an entry to the comma-separated list of database file names. If any part of the supplied entry matches
the database file name used by the app, that database is not automatically encrypted. For example, if the database to
be excluded is named "googleanalytics.sql," adding "google," "googleanalytics," or "analytics" to the list prevents the
database contents from being encrypted. Default is empty.
File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry
to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then
that file is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions syntax. The pattern matching is case insensitive. Example: \.log$,\.dat$ excludes any file path name that ends with either ".log" or ".dat". The syntax */Documents/unencrypteddoc.txt will match the file unencrypteddoc.txt in the Documents folder. The syntax */Documents/UnencryptedDocs/* will match all files that contain the path /Documents/UnencryptedDocs/. Default value is empty.
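As an added example (not Citrix code), the following Python models how the two exclusion lists above are evaluated, so that a list can be audited for over-broad entries before it is deployed; it assumes Python's re module as a stand-in for the POSIX ERE syntax the policy specifies, and plain substring matching for the database list as the page describes.

```python
"""Evaluate MDX encryption exclusion lists (added example, not Citrix code).

Two policies from the page are modelled:
  * Database encryption exclusions: comma-separated substrings; a database is
    left unencrypted if ANY entry is a substring of its file name.
  * File encryption exclusions: comma-separated regular expressions, matched
    case-insensitively anywhere in the path. The page specifies POSIX ERE;
    Python's re module is used here as a close stand-in (an assumption).
"""
import re
from typing import List, Tuple


def parse_list(value: str) -> List[str]:
    """Split a comma-separated policy value, dropping empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def database_is_encrypted(db_name: str, exclusions: str) -> bool:
    """True if the database file is still encrypted under the exclusion list.

    Matching is plain substring containment, exactly as the page describes:
    'google', 'googleanalytics' or 'analytics' all exclude googleanalytics.sql.
    The same rule means 'analytics' also excludes salesanalytics.sql.
    """
    return not any(entry in db_name for entry in parse_list(exclusions))


def compile_file_exclusions(exclusions: str) -> Tuple[List[re.Pattern], List[str]]:
    """Compile each regex entry case-insensitively; report unusable entries.

    An entry that does not compile (for example a leading '*', which ERE and
    Python both reject) is returned separately rather than silently dropped,
    because a dropped pattern changes which files end up encrypted.
    """
    compiled, bad = [], []
    for entry in parse_list(exclusions):
        try:
            compiled.append(re.compile(entry, re.IGNORECASE))
        except re.error:
            bad.append(entry)
    return compiled, bad


def file_is_encrypted(path: str, exclusions: str) -> bool:
    """True if the file at `path` is encrypted under the exclusion list.

    A file is excluded when ANY pattern matches ANY part of the path
    (search, not full match), ignoring case. An empty list excludes nothing.
    """
    compiled, _bad = compile_file_exclusions(exclusions)
    return not any(p.search(path) for p in compiled)


def audit_exclusions(paths: List[str], exclusions: str) -> List[str]:
    """Return the subset of `paths` that the policy would leave unencrypted.

    Run this over a representative file list before deploying: a broad
    pattern such as 'log' also excludes /Documents/catalog.pdf.
    """
    return [p for p in paths if not file_is_encrypted(p, exclusions)]
```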
App Interaction
Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. When you choose Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default is Restricted.
Options: Unrestricted, Blocked, or Restricted
Paste
Blocks, permits, or restricts Clipboard paste operations for the app. When you choose Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default is Unrestricted.
Options: Unrestricted, Blocked, or Restricted
Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. When you choose Restricted, documents can be exchanged only with other MDX applications. Default is Restricted.
Options: Unrestricted, Blocked, or Restricted
App URL schemes
Mobile iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes, such as http://. This feature enables an app to pass requests for help to another app. The App URL schemes policy serves to filter the schemes that are actually passed into the app for handling (that is, inbound URLs). Default is All registered app URL schemes are blocked.
Enter a comma-separated list of patterns in which each pattern may be preceded by a Plus Sign (+) or Minus
Sign (-). Inbound URLs are compared against the patterns in the order listed until a match is found. When a
match is found, the prefix dictates the action as follows:
A Minus Sign (-) prefix. Blocks the URL from being passed into the app.
A Plus Sign (+) prefix. Permits the URL to be passed into the app.
No prefix. Assumes the URL can be passed into the app.
If an inbound URL does not match any pattern in the list, the URL is blocked.
The following table contains examples of App URL schemes:
Scheme              App that requires the URL scheme   Purpose
ctxmobilebrowser    WorxWeb                            Permit WorxWeb to handle HTTP: URLs from other apps.
ctxmobilebrowsers   WorxWeb                            Permit WorxWeb to handle HTTPS: URLs from other apps.
ctxmail             WorxMail                           Permit WorxMail to handle mailto: URLs from other apps.
COL-G2M             GoToMeeting                        Permit a wrapped GoToMeeting app to handle meeting requests.
Allowed URLs
Filters the outbound URLs that are passed from this app to other apps for handling. By leaving the setting blank, all
URLs are blocked, except for the following:
http:=ctxmobilebrowser:
https:=ctxmobilebrowsers:
+citrixreceiver:
+tel:
Enter a comma-separated list of patterns in which each pattern may be preceded by a Plus Sign (+) or Minus
Sign (-). Inbound URLs are compared against the patterns in the order listed until a match is found. When a
match is found, the prefix dictates the action as follows:
A Minus Sign (-) prefix. Blocks the URL from being passed to another app.
A Plus Sign (+) prefix. Permits the URL to be passed to another app.
No prefix. Assumes the URL can be passed into another app.
The following table contains examples of allowed URLs:
^mailto:=ctxmail: All mailto: URLs open in WorxMail.
^http:=ctxmobilebrowser: All HTTP URLs open in WorxWeb.
^https:=ctxmobilebrowsers: All HTTPS URLs open in WorxWeb.
^tel: Allows user to make calls.
-//www.dropbox.com Blocks Dropbox URLs dispatched from managed apps.
+^COL-G2M: Permits managed apps to open the GoToMeeting client app.
-^SMS: Blocks the use of a messaging chat client.
App Restrictions
Block camera
Prevents an app from directly using the camera hardware. Default is On.
Block mic record
Prevents an app from directly using the microphone hardware for recording. Default is On.
Block dictation
If On, prevents an app from directly using dictation services. Default is On.
Block location services
Prevents an app from using the location services components (GPS or network). Default is On.
Block SMS compose
Prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default is On.
Block email compose
Prevents an app from accessing email (compose). Default is On.
Block iCloud
Prevents the use of iCloud features for Cloud-based backup of app settings and data. Default is On.
Block AirPrint
Prevents access to printing by using AirPrint features to print to AirPrint-enabled printers. Default is On.
Block application logs
If On, prohibits an app from using the Worx App diagnostic logging facility. If Off, application logs are recorded and may be collected by using the Worx Home email support feature. Default is Off.
WorxMail Email Settings
You can configure the following policies for WorxMail on both Android and iOS devices:
WorxMail Exchange Server. The fully qualified domain name (FQDN) for Exchange Server. Default is empty.
WorxMail user domain. The default Active Directory domain name for Exchange users. Default is empty.
Background network services. The FQDN of the ActiveSync server, such as servername:443. This might be an Exchange Server, either in your internal network or in another network that WorxMail connects to, such as mail.mycompany.com:4443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Background ticket expiration. The time period that a background network service ticket remains valid. When
WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, App Controller
issues a token that WorxMail uses to connect to the internal Exchange Server. This property setting
determines the duration that WorxMail can use the token without requiring a new token for authentication
and the connection to the Exchange Server. When the time limit expires, users must log on again to
Receiver to generate a new token. Default value is 168 hours (7 days).
Background network service gateway. This is the NetScaler Gateway FQDN and port number that WorxMail uses to connect to the internal Exchange Server. The format is "fqdn:port". In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see the Secure Ticket Authority on NetScaler Gateway. The default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Export contacts. If Off, prevents the one-way synchronization of WorxMail contacts to the device and prevents the sharing of WorxMail contacts (as vCards). Default is Off.
Accept all SSL certificates. If On, WorxMail accepts all SSL certificates (valid or not) and allows access. If Off, WorxMail blocks access when a certificate error occurs and displays a warning. Default is Off.
Network Access
Network access
Prevents, permits, or redirects app network activity. The app blocks network use or restricts it to an application-specific tunnel gateway. Default is Blocked.
Options:
Unrestricted. Allows unrestricted access to the internal network.
Blocked. When blocked, the app behaves as if the device has no network connection. All network
access is blocked.
Tunneled to the internal network. A per-app VPN tunnel through NetScaler Gateway to the internal
network is used for all network access.
Note: This setting requires Receiver logon.
Certificate label
You can enter a label to identify the certificate for this app. When a certificate is required in order for HTTP traffic to
meet a server authentication challenge, the label enables the micro VPN code to acquire the appropriate certificate.
Default is empty.
Initial VPN mode
Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for connections that employ client certificates or end-to-end SSL to a resource in the internal network. Secure browse is recommended for connections that require single sign-on (SSO).
Application Logs
Default log output
Determines which output mediums are used by Worx app diagnostic logging facilities by default. Possibilities are file, console, or both (file,console). Default value is file.
Default log level
Controls default verbosity of Worx app diagnostic logging facility. Each level includes levels of lesser values. Range of
possible levels includes:
0 - Nothing logged
1 - Critical errors
2 - Errors
3 - Warnings
4 - Informational messages
5 - Detailed informational messages
6 through 15 - Debug levels 1 through 10
Default is level 4 (Informational messages).
Max log levels
Limits the number of log files retained by the Worx app diagnostic logging facility before rolling over. Minimum is 2.
Maximum is 8. Default value is 2.
Max log file size
Limits the size in megabytes (MB) of the log files retained by the Worx app diagnostic logging facility before rolling
over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
WorxWeb Application Settings
You can configure the following policies for WorxWeb on both Android and iOS devices:
Allowed or blocked websites
WorxWeb normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a Plus Sign (+) or Minus Sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
A plus (+) prefix allows the URL to be processed normally.
If neither + nor - is provided with the pattern, + (allow) is assumed.
If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a Minus Sign followed by an asterisk (-*). For example:
The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within the mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any sites in the Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.
Default value is empty (all URLs allowed).
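The three prefix-driven lists on this page (App URL schemes, Allowed URLs, and this WorxWeb website list) share one evaluation rule, so the following added Python example (not Citrix code) models all of them side by side, including the different default for an unmatched URL; it assumes regex search semantics for the scheme patterns, a rewrite meaning for the `pattern=scheme:` form, and `*` as the only wildcard in WorxWeb patterns.

```python
"""Evaluate MDX prefix-based URL filter lists (added example, not Citrix code).

Models the three list-valued policies on this page that share one rule:
patterns are tried in order, the first match wins, and a '+' or '-' prefix
(or no prefix, meaning '+') decides the action. They differ in the default
when nothing matches and in how a pattern is matched:

  * App URL schemes / Allowed URLs: an unmatched URL is blocked. Patterns are
    treated here as regular expressions searched against the URL (the page's
    examples use '^mailto:'); a 'pattern=scheme:' entry rewrites the matched
    text to the target scheme (inferred from '^mailto:=ctxmail:'; assumption).
  * WorxWeb allowed or blocked websites: an unmatched URL is allowed; '*' is a
    wildcard and every other character is literal; '-*' at the end flips the
    default to block.
Patterns containing a comma cannot be expressed, since commas separate entries.
"""
import re
from typing import Callable, List, Optional, Tuple

# ("allow" | "block" | "redirect", URL the app actually receives or None)
Decision = Tuple[str, Optional[str]]


def parse_patterns(policy: str) -> List[Tuple[str, str]]:
    """Split the policy into (action, pattern) pairs; no prefix means allow."""
    entries = []
    for raw in policy.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw[0] in "+-":
            entries.append(("allow" if raw[0] == "+" else "block", raw[1:]))
        else:
            entries.append(("allow", raw))
    return entries


def glob_to_regex(pattern: str) -> re.Pattern:
    """WorxWeb style: '*' matches anything, everything else is literal."""
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def evaluate(policy: str, url: str, default: str,
             matcher: Callable[[str, str], Optional[str]]) -> Decision:
    """Walk the list in order; the first matching pattern decides.

    `matcher` returns None for no match, or the (possibly rewritten) URL.
    """
    for action, pattern in parse_patterns(policy):
        rewritten = matcher(pattern, url)
        if rewritten is None:
            continue
        if action == "block":
            return ("block", None)
        return ("allow", url) if rewritten == url else ("redirect", rewritten)
    return (default, url if default == "allow" else None)


def scheme_matcher(pattern: str, url: str) -> Optional[str]:
    """Regex search; 'regex=target:' rewrites the matched text (assumption)."""
    regex, _, target = pattern.partition("=")
    m = re.search(regex, url)
    if not m:
        return None
    return url[:m.start()] + target + url[m.end():] if target else url


def website_matcher(pattern: str, url: str) -> Optional[str]:
    """Wildcard match over the whole URL, as the WorxWeb policy describes."""
    return url if glob_to_regex(pattern).match(url) else None


def app_url_decision(policy: str, url: str) -> Decision:
    """App URL schemes / Allowed URLs: block anything that matches nothing."""
    return evaluate(policy, url, "block", scheme_matcher)


def worxweb_decision(policy: str, url: str) -> Decision:
    """WorxWeb allowed or blocked websites: allow anything that matches nothing."""
    return evaluate(policy, url, "allow", website_matcher)
```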
Preloaded bookmarks
Defines a preloaded set of bookmarks for the WorxWeb browser. The policy is a comma-separated list that includes folder name, friendly name, and web address. Each triplet should be in the syntax folder,name,url. Folder and name may need to be enclosed in double quotes (") if a space exists.
For example, the following policy values define three bookmarks:
,"Mycorp, Inc. home page",http://www.mycorp.com,"MyCorp Links","Account logon",https://www.mycorp.com/Accounts,"MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx
The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link will be placed in a folder titled "MyCorp Links" and labeled "Account logon". The third will be placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us".
Default value is empty.
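The following added Python example (not Citrix code) parses a bookmark policy value in this format, using the page's three-bookmark example as constructed input, builds the folder tree the list implies, and rejects a list whose field count is not a multiple of three (the usual symptom of an unbalanced double quote).

```python
"""Parse a WorxWeb 'Preloaded bookmarks' policy value (added example, not Citrix code).

The policy is a flat comma-separated list of folder,name,url triplets in which
folder and name are double-quoted when they contain a space or a comma.
Nested folders are written with '/' in the folder field, as in
"MyCorp Links/Investor Relations" on this page.
"""
import csv
from typing import Dict, List, Tuple

Bookmark = Dict[str, str]


def parse_bookmarks(policy: str) -> List[Bookmark]:
    """Split the policy into bookmarks, honouring double-quoted fields.

    csv.reader implements the quoting the page describes. A list whose field
    count is not a multiple of three is malformed (a missing quote shifts
    every later field), so it is rejected rather than guessed at.
    """
    fields = next(csv.reader([policy], skipinitialspace=True)) if policy.strip() else []
    if len(fields) % 3 != 0:
        raise ValueError(f"expected folder,name,url triplets; got {len(fields)} fields")
    return [{"folder": fields[i], "name": fields[i + 1], "url": fields[i + 2]}
            for i in range(0, len(fields), 3)]


def build_tree(bookmarks: List[Bookmark]) -> Dict:
    """Arrange bookmarks into nested folders keyed by folder name.

    Each node is a dict with "links" (list of (name, url) tuples) and
    "folders" (child nodes); the root holds links whose folder is empty.
    """
    root: Dict = {"links": [], "folders": {}}
    for b in bookmarks:
        node = root
        for part in [p for p in b["folder"].split("/") if p]:
            node = node["folders"].setdefault(part, {"links": [], "folders": {}})
        node["links"].append((b["name"], b["url"]))
    return root


def folder_paths(tree: Dict, prefix: str = "") -> List[str]:
    """Flatten the tree into 'folder/subfolder' paths, for reviewing what a
    policy actually creates before it is pushed to devices."""
    paths: List[str] = []
    for name, child in tree["folders"].items():
        path = f"{prefix}/{name}" if prefix else name
        paths.append(path)
        paths.extend(folder_paths(child, path))
    return paths


# Constructed sample, identical in structure to the page's three-bookmark example.
SAMPLE_POLICY = (
    ',"Mycorp, Inc. home page",http://www.mycorp.com,'
    '"MyCorp Links","Account logon",https://www.mycorp.com/Accounts,'
    '"MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx'
)
```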
Home page URL
Defines the website that WorxWeb loads when started. Default value is empty (default start page).
Browser user interface
Dictates the behavior and visibility of browser user interface controls for WorxWeb. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.
Options:
All controls visible. All controls are visible and users are not restricted from using them.
Read-only address bar. All controls are visible, but users cannot edit the browser address field.
Hide address bar. Hides the address bar, but not other controls.
Hide all controls. Suppresses the entire toolbar, giving a frameless browsing experience with no browser chrome.
Configuring MDX Policies for Android Apps in App Controller
You can configure the following policies in App Controller 2.9 for apps that run on Android devices.
Authentication
Authentication
Determines if the app requires network logon to run. Default is Offline challenge only.
Options:
Network logon. Requires network logon to securely use the app, and users can only run the app while
online. If you set the policy to require network logon, when users try to open an app, the following
message appears: Sign on to Worx Home to securely use this app.
Offline access permitted after challenge. The app prompts for enterprise logon when possible, but
allows offline use after the password challenge.
Important: This option is deprecated.
Offline challenge only. Allows the app to run with an offline password challenge.
Not required. Does not require user authentication.
Note: After the maximum offline period for the app expires, Worx Home requires logon regardless of the policy setting.
Maximum offline period (hours)
Defines the maximum period an application can run offline without requiring an enterprise logon for the purpose of entitlement and refreshing policies. Default is 72 hours (3 days).
Regardless of app logon requirements, this is the maximum time between Receiver logons in order to reconfirm entitlement and refresh policies. The minimum time you can configure is 1 hour. Users are reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users log on.
Note: If the Authentication policy is set to Network logon, this setting is ignored and no offline access is allowed.
Reauthentication period (hours)
Defines the period before a user is challenged to authenticate again. Default is 8 hours. A setting of 0 (zero) prompts
for logon each time the app is started or reactivated.
NetScaler Gateway address
The external NetScaler Gateway address to which users connect. Example: gateway.MyCorp.com. Default value is empty.
Device Security
Block jailbroken or rooted
The app is locked if the device is jailbroken (iOS) or rooted (Android). Default is On.
Options:
On. The app is locked when the device is jailbroken or rooted.
Off. The app can run on a jailbroken or rooted device.
Require device encryption
If On, the managed app is locked if the device does not have encryption configured. If Off, the app is allowed to run even if the device does not have encryption configured. Default is Off.
Important: This policy is supported only on Android 3.0 (Honeycomb). Setting the policy to On prevents an app from running on older versions.
Require device pin or password
If On, the managed app is locked if the device does not have a PIN or password configured. If Off, the managed app is allowed to run even if the device does not have a PIN or password set. Default is Off.
Important: This policy is supported only on Android 4.1 (Jellybean). Setting the policy to On prevents an app from running on older versions.
Require device pattern screen lock
If On, the managed app is locked if the device does not have a pattern screen lock configured. If Off, the managed app is allowed to run even if the device does not have a pattern screen lock set. Default is Off.
Note: This policy is only enforced if the Require device pin or password setting is Off.
Network Requirements
Require WiFi
Determines if the device requires a WiFi connection in order for an app to run. Default is Off.
Options:
On. The app is locked when the device is not connected to a WiFi network.
Off. The app can run even if the device does not have an active WiFi connection, such as 4G/3G or a
LAN connection.
Require internal network
The app requires a connection to a network within the organization. Default is Off.
Options:
On. The app is blocked when the device is not connected to an internal network.
Off. The app can run from an external network.
Internal WiFi networks
The app requires a connection to one of the specified wireless networks. Separate the network Service Set Identifier
(SSID) with commas. The default is an empty list. If the list is empty, users can connect to any WiFi network. If users
log on from an external network (or they are not logged on), this policy is not enforced. Default is empty.
Miscellaneous Access
App update grace period (hours)
Defines the grace period during which users may use an app after the system has discovered that an app update is
available. Default is 168 hours (7 days). If 0, the update must be applied immediately.
Note: Citrix recommends using a value other than zero (0). A zero (0) value would immediately prevent users, without
warning, from using a running app until they download and install the update. This could lead to a situation in which
users are forced to exit the app and potentially lose work.
Auth failures before lock
Locks the app after the specified number of consecutive offline logon failures and prompts user to log on. Default is 5
failures. If you enter 0, the app does not lock no matter how many times users enter incorrect credentials.
Erase app data on lock
Erases data and resets the app when the app is locked. Default is Off.
Options:
On. App data is automatically erased when the app is locked.
Off. App data is not erased automatically when the app is locked.
An app can be locked for any of the following reasons:
Loss of app entitlement for the user
Removal of app subscription
Uninstallation of Worx Home.
Too many app authentication failures
Rooted device and policy restricting the app to run on such a device
Other administrative action to lock device
Active poll period (minutes)
When an app starts, the MDX framework polls App Controller to determine current app and device status. Assuming
App Controller can be reached, the framework returns information about the lock and erase status of the device and
the enable or disable status of the app. Whether App Controller can be reached or not, a subsequent poll is scheduled
based on the active poll period interval. After the period expires, a new poll starts.
Important: Only set this value lower for high-risk apps or performance may be affected.
Encryption
Encryption keys
Enables secrets used to derive encryption keys to be persisted on the device. Offline access permitted is the only available option. Citrix recommends that you set the Authentication policy to enable a network logon or an offline password challenge in order to protect access to the encrypted content.
File encryption version
Specifies the encryption version for public and private file encryption. Citrix recommends Current to provide the maximum security, especially in the case of a new app deployment. If you select Current, note that users must reinstall any apps that include a previous encryption version, such as Legacy, or else they may lose data. Default value is Current.
Private file encryption
Controls the encryption of private data files in the following locations: /data/data/appname and
/mnt/sdcard/Android/data/appname. Default is Application.
Options:
Disabled. Private files are not encrypted.
SecurityGroup. Encrypts private files by using a key shared by all MDX apps in the same security
group.
Application. Encrypts private files using a key unique to the application.
Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that
should not be encrypted. The file paths are relative to the internal and external sandboxes. Default is empty.
Access limits for public files
Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). Files
matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the
first matching path is used to set the access limit. Default value is empty.
Public file encryption
The Disabled option means public files are not encrypted. The SecurityGroup option encrypts public files by
using a key shared by all MDX apps in the same security group. The Application option encrypts public files by
using a key unique to this app.
Default value is SecurityGroup.
Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that
should not be encrypted. The file paths are relative to the default external storage and to any device specific external
storage.
Public file migration
This policy is enforced only when you enable Public file encryption (changed from Disabled to SecurityGroup or
Application). This policy is applicable only to existing, unencrypted public files and specifies when these files are
encrypted. Default value is Write (WO/RW).
Options:
Disabled. Does not encrypt public files.
Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write
access.
Any. Encrypts the existing files when they are opened in any mode.
Note: New files, and the replacements for existing unencrypted files that are overwritten, are encrypted in every case.
Caution: Encrypting an existing public file makes the file unavailable to other apps that do not have the same
encryption key.
App Interaction
Security Group
Leave this field blank if you want all mobile apps managed by App Controller to exchange information with one
another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or
Human Resources).
Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. When you choose Restricted, the copied
Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default is Restricted.
Options: Unrestricted, Blocked, or Restricted
Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. When you choose Restricted, documents can
be exchanged only with other MDX apps. Default is Restricted.
Options: Unrestricted, Blocked, or Restricted
Open In exclusions
When you set Document exchange (Open In) to Restricted, enter Android intents that serve as exceptions. These
intents are allowed to be passed to unmanaged apps.
App Restrictions
Block camera
Prevents an app from directly using the camera hardware. Default is On.
Block mic record
Prevents an app from directly using the microphone hardware. Default is On.
Block location services
Prevents an app from using the location services components (GPS or network). Default is On.
Block SMS compose
Prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default is On.
Block screen capture
Prevents user-initiated screen captures while the app is running. Default is On.
Block device sensor
Prevents an app from using the device sensors, like accelerometer, motion sensor, or gyroscope. Default is On.
Block application logs
If On, prohibits an app from using the Worx App diagnostic logging facility. If Off, application logs are recorded and
may be collected using the Worx Home email support feature. Default is Off.
Network Access
Network access
Prevents, permits, or redirects app network activity: the app either blocks network use or restricts it to an
application-specific tunnel gateway. Default is Blocked.
Options:
Unrestricted. Allows unrestricted access to the internal network.
Blocked. When blocked, the app behaves as if the device has no network connection. All network
access is blocked.
Tunneled to the internal network. A per-app VPN tunnel through NetScaler Gateway to the internal
network is used for all network access.
Note: This setting requires Receiver logon.
Certificate label
When used with the StoreFront certificate integration service, this label identifies the specific certificate required for
this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default
value is empty (no certificate used).
Initial VPN mode
Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for
connections that employ client certificates or end-to-end SSL to a resource in the internal network. Secure browse is
recommended for connections that require single sign-on (SSO).
Enable secure browse
When you enable tunneling to the internal network, this policy enables a local proxy with forwarding to NetScaler
Gateway. This supports SSO by allowing NetScaler Gateway to respond to authentication challenges.
WorxMail Email Settings
You can configure the following policies for WorxMail on both Android and iOS devices:
WorxMail Exchange Server. The fully qualified domain name (FQDN) for Exchange Server. Default is empty.
WorxMail user domain. The default Active Directory domain name for Exchange users. Default is empty.
Background network services. The FQDN and port of the ActiveSync server, such as servername:443. This
might be an Exchange Server, either in your internal network or in another network that WorxMail connects
to, such as mail.mycompany.com:4443. If you configure this policy, set the Network access policy to
Tunneled to the internal network. This policy takes effect when you configure the network access policy. In
addition, use this policy when the Exchange Server resides in your internal network or if you want to use
NetScaler Gateway to proxy the connection to the internal Exchange Server.
Background ticket expiration. The time period that a background network service ticket remains valid. When
WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, App Controller
issues a token that WorxMail uses to connect to the internal Exchange Server. This property setting
determines the duration that WorxMail can use the token without requiring a new token for authentication
and the connection to the Exchange Server. When the time limit expires, users must log on again to
Receiver to generate a new token. Default value is 168 hours (7 days).
Background network service gateway. This is the NetScaler Gateway FQDN and port number that
WorxMail uses to connect to the internal Exchange Server. The format is "fqdn:port". In the NetScaler
Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to
the virtual server. For more information about configuring the STA in NetScaler Gateway, see the Secure
Ticket Authority on NetScaler Gateway. The default value is empty, implying that an alternate gateway does
not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This
policy takes effect when you configure the network access policy. In addition, use this policy when the
Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the
connection to the internal Exchange Server.
Export contacts. If Off, prevents the one-way synchronization of WorxMail contacts to the device and
prevents the sharing of WorxMail contacts (as vCards). Default is Off.
Accept all SSL certificates. If On, WorxMail accepts all SSL certificates (valid or not) and allows access. If Off,
WorxMail blocks access when a certificate error occurs and displays a warning. Default is Off.
Application Logs
Default log level
Controls the default verbosity of the Worx App diagnostic logging facility. Each level includes all levels of lesser value.
The possible levels are:
0 - Nothing logged
1 - Critical errors
2 - Errors
3 - Warnings
4 - Informational messages
5 - Detailed informational messages
6 through 15 - Debug levels 1 through 10
Default is level 4 (Informational messages).
Max log levels
Limits the number of log files retained by the Worx App diagnostic logging facility before rolling over. Minimum is
2. Maximum is 8. Default value is 2.
Max log file size
Limits the size in megabytes (MB) of the log files retained by the Worx App diagnostic logging facility before rolling
over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
Redirect system logs
If On, intercepts and redirects system or console logs from an application to the Worx App diagnostic facility. If Off,
application use of system or console logs is not intercepted. Default is On.
WorxWeb Application Settings
You can configure the following policies for WorxWeb on both Android and iOS devices:
Allowed or blocked websites
WorxWeb normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked
sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list.
Each pattern in the list is preceded by a plus sign (+) or minus sign (-). The browser compares a URL against the
patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as
follows:
A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web
server address could not be resolved.
A plus (+) prefix allows the URL to be processed normally.
If neither + nor - is provided with the pattern, + (allow) is assumed.
If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:
The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within the
mycorp.com domain but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all
other URLs.
The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any sites in the
Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google,
Hotmail, and so on, regardless of protocol.
Default value is empty (all URLs allowed).
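The ordered, first-match evaluation described above, as an added Python example that is not part of the Citrix documentation. The two policy strings are the examples from the text; treating the comparison as case-insensitive is an assumption of this example, not documented behaviour.

```python
import re

# Policy values taken from the two examples in the text above.
CORP_POLICY = "+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*"
LAB_POLICY = "+http://*.training.lab/*,+https://*.training.lab/*,-*"


def glob_to_regex(pattern):
    """Compile a WorxWeb URL pattern into a regular expression.

    '*' is the only wildcard in the policy syntax; everything else is
    literal. Case-insensitive matching is an assumption of this example
    (URL schemes and host names are case-insensitive, and the text refers
    to the 'Training.lab' domain while its pattern is lower case).
    """
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile(escaped, re.IGNORECASE)


def parse_policy(policy):
    """Split the comma-separated policy into an ordered list of (allow, regex).

    A leading '+' allows, a leading '-' blocks, and a pattern with no prefix
    is treated as '+' (allow). Empty entries (for example a trailing comma)
    are skipped.
    """
    rules = []
    for raw in policy.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry[0] in "+-":
            allow, pattern = (entry[0] == "+"), entry[1:]
        else:
            allow, pattern = True, entry
        rules.append((allow, glob_to_regex(pattern)))
    return rules


def is_url_allowed(policy, url):
    """Return True if the URL may be opened under the given policy value.

    Patterns are tried in order and the first match decides; a URL that
    matches no pattern is allowed, which is why a closing '-*' is needed
    to turn the list into an allow-list.
    """
    for allow, regex in parse_policy(policy):
        if regex.fullmatch(url):
            return allow
    return True


if __name__ == "__main__":
    # http://mycorp.com/ (no subdomain) does not match +http://*.mycorp.com/*
    # and so falls through to -http://*, which blocks it.
    for url in ("http://intranet.mycorp.com/home", "http://mycorp.com/home",
                "http://news.example.com/", "https://news.example.com/",
                "ftp://files.example.com/pub", "about:blank"):
        verdict = "allowed" if is_url_allowed(CORP_POLICY, url) else "blocked"
        print(f"{url:35} {verdict}")
```

Because '*' matches any run of characters, a host-anchored pattern such as +http://*.mycorp.com/* also matches a URL that repeats the host text later in its path or query; check a candidate policy against such inputs before relying on it.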
Preloaded bookmarks
Defines a preloaded set of bookmarks for the WorxWeb browser. The policy is a comma-separated list of tuples that
include folder name, friendly name, and web address. Each triplet should be of the form folder,name,url where folder
and name may optionally be enclosed in double quotes (").
For example, the policy value ,"Mycorp, Inc. home page",http://www.mycorp.com,"MyCorp Links",Account
logon,https://www.mycorp.com/Accounts,"MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx
defines three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second
link is placed in a folder titled "MyCorp Links" and labeled "Account logon". The third is placed in the "Investor
Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us".
Default value is empty.
Home page URL
Defines the website that WorxWeb loads when started. Default value is empty (default start page).
Browser user interface
Dictates the behavior and visibility of browser user interface controls for WorxWeb. Normally all browsing controls are
available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy
to restrict the use and visibility of some of these controls. Default value is All controls visible.
Options:
All controls visible. All controls are visible and users are not restricted from using them.
Read-only address bar. All controls are visible, but users cannot edit the browser address field.
Hide address bar. Hides the address bar, but not other controls.
Hide all controls. Suppresses the entire toolbar, giving a frameless browsing experience with no
browser chrome.
Configuring Encryption Policies for Apps Running on Mobile Devices
You can configure encryption policies for apps running on iOS and Android mobile devices. This topic lists the
encryption policies that apply to each device type.
Policies for Encryption for iOS Apps
This section describes the policies you can configure in App Controller for apps that run on iOS devices. For a complete
list of the policies you can configure for iOS devices, see the topic Configuring MDX Policies for iOS Apps in App
Controller.
Encryption keys
Controls access to the keys and the associated encrypted content. Default is Offline access permitted.
Options:
Online access only. Secrets used to derive encryption keys may not persist on the device. Instead,
the device must recover the keys from the key management service of XenMobile App Edition each
time they are needed.
Note: If you select Online access only, the authentication policy is assumed to be Network logon
regardless of the authentication policy setting that you configured for the app.
Offline access permitted. Secrets used to derive encryption keys may persist on the device.
Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy
to Offline challenge only in order to protect access to the keys and the associated encrypted content.
Enable encryption
Determines if the data held in local database files is encrypted. Default is On.
Options:
On. The data is encrypted in local database files.
Off. The data is not encrypted in local database files.
Database encryption exclusions
Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific
database, add an entry to the comma-separated list of database file names. If any part of the supplied entry matches
the database file name used by the app, that database is not automatically encrypted. For example, if the database to
be excluded is named "googleanalytics.sql," adding "google," "googleanalytics," or "analytics" to the list prevents the
database contents from being encrypted. Default is empty.
File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry
to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then
that file is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions
syntax. The pattern matching is case insensitive. Example: \.log$,\.dat$ excludes any file path name that ends with
either ".log" or ".dat". The syntax */Documents/unencrypteddoc.txt will match the file unencrypteddoc.txt in the
Documents folder. The syntax */Documents/UnencryptedDocs/* will match all files that contain the path
/Documents/UnencryptedDocs/. Default value is empty.
Policies for Encryption for Android Apps
This section describes the policies you can configure in App Controller for apps that run on Android devices. Before you
configure encryption policies for Android apps, see the topic Configuring Encryption Policies for Android Devices to
understand how file storage and encryption work on Android devices. For a complete list of the policies you can
configure for Android devices, see Configuring MDX Policies for Android Apps in App Controller.
Require device encryption
If On, the managed app is locked if the device does not have encryption configured. If Off, the app is allowed to run
even if the device does not have encryption configured. Default is Off.
Important: This policy is supported only on Android 3.0 (Honeycomb). Setting the policy to On prevents an app from
running on older versions.
Encryption keys
Controls access to the keys and the associated encrypted content. Default is Offline access permitted.
Option:
Offline access permitted. Android devices permit offline access only. Secrets used to derive
encryption keys may be persisted on the device.
Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy
to Offline challenge only in order to protect access to the keys and the associated encrypted content.
File encryption version
Specifies the encryption version for public and private file encryption. Citrix recommends Current to provide the
maximum security, especially in the case of a new app deployment. If you select Current, note that users must
reinstall any apps that include a previous encryption version, such as Legacy, or else they may lose data. Default
value is Current.
Private file encryption
Controls the encryption of private data files in the following locations: /data/data/appname and
/mnt/sdcard/Android/data/appname. Default is Application.
Options:
Disabled. Encryption is turned off.
SecurityGroup. Encrypts private files by using a key shared by all MDX applications in the same
security group.
Application. Encrypts private files by using a key unique to the application.
Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that
should not be encrypted. The file paths are relative to the internal and external sandboxes. Default is empty.
Non-standard external storage locations
Contains a comma-separated list of non-standard external storage. Different devices may use different paths for SD
cards and so on. The standard external storage location for Android (typically, /mnt/sdcard) is automatically
recognized and does not need to appear on this list.
Access limits for public files
Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). Files
matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the
first matching path is used to set the access limit. Default value is empty.
Public file encryption
The Disabled option means public files are not encrypted. The SecurityGroup option encrypts public files by using a
key shared by all MDX apps in the same security group. The Application option encrypts public files by using a key
unique to this app. Default value is SecurityGroup.
Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that
should not be encrypted. The file paths are relative to the default external storage and to any explicitly listed external
storage.
Public file migration
This policy is enforced only when public file encryption is enabled (changed from the Disable option to the
SecurityGroup or Application option). This policy is applicable only to existing, unencrypted public files and specifies
when these files are encrypted. Default value is Write (WO/RW).
Note: New files, and the replacements for existing unencrypted files that are overwritten, are encrypted in every case.
Caution: Encrypting an existing public file makes the file unavailable to other applications that do not have the same
encryption key.
Options:
Disabled. Does not encrypt existing files.
Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write
access.
Any. Encrypts the existing files when they are opened in any mode.
Configuring Encryption Policies for Android Apps
App Controller supports the following encryption features for Android devices and apps:
Private or public data to be encrypted through the use of a security group
The ability to prevent data sharing by using an application key to encrypt files
The ability to prevent applications from being made public by using access limits for public files, which define
what the app can do with storage, such as Read Only or Read Write access
No encryption
Before you configure encryption policies for apps that run on Android devices, you need to understand how file storage
and encryption work on Android devices.
Storing Files on Android Devices
On Android devices, files may be read or written in the following locations:
Internal storage
External storage
Vendor-specific external storage
How Internal Storage Works
Internal storage is a private sandbox for a specific application. The storage path is /data/data/appname, where appname
is the name of the application. Directory permissions can prevent other applications from accessing the files in the
specified path.
How External Storage works
External storage is a partition that is shared by all applications. On Android devices, external storage can use internal
memory. Older devices might use an SD card for external storage.
External storage is often located at /mnt/sdcard. Within that directory, there are subdirectories. These include:
Android/data/appname, which is a private sandbox, similar to what exists for internal storage.
Alarms, DCIM, Download, Movies, Music, Notifications, Pictures, Playlists, and Podcasts that are well known
directories for specific types of content.
Anything else that is available to the application. The application can access files in the root external storage
directory or any subdirectory. The application can also create new subdirectories.
How Vendor-Specific External Storage Works
Android devices might support external storage devices, such as memory cards. When users insert the memory card
into the device, the path is defined by the device manufacturer. For example, on the Samsung Galaxy Tab 2, the path is
/mnt/extSdCard. The Android operating system does not manage this storage.
Configuring File Application Policies
You can use application policies to control transparent file encryption. The policies apply to public and private files and
other areas on Android devices.
Private files. A vault that contains internal storage and the sandbox area for external storage.
Public files. A vault that contains standard external storage and any vendor-specific external storage.
Other. A category that you can use for key management and access limit policies.
Encryption uses the concept of inclusion prefixes and exclusion filters. Inclusion prefixes are used to indicate whether a
file is in a particular vault. Each vault has a list of inclusion prefixes. Exclusion filters are POSIX extended regular
expressions which then cause particular files or directories to be omitted from a vault. When determining if a path is in a
vault, the path must first begin with a prefix associated with the vault. If the prefix exists, the path must also NOT match
any of the exclusion filters. If both conditions pass, the path is considered to be part of the vault.
Some applications use unsupported access modes like memory mapping. Others may try to use encrypted files before
the encryption key is available. If application issues are encountered, the logcat log may be used to search for error
messages on the ctxtfe component. This may lead to possible paths/files that should be excluded.
The following are examples of inclusion prefixes, exclusion filters, and paths:
Inclusion Prefixes
/data/data/com.foo
/mnt/sdcard/Android/data/com.foo
Exclusion Filters
^app_dx/
\.jpg$
Paths
If a vault is defined by the above inclusion prefixes and exclusion filters, the following example paths may or may not
appear in the vault:
/data/data/com.foo/files/myfile.doc
Located in the vault.
/data/data/com.bar/files/myfile.doc
Not in the vault because there are no inclusion prefixes that match.
/data/data/com.foo/app_dx/generated23423.jar
Does not reside in the vault because of the ^app_dx/ exclusion. The prefix is removed from the path,
leaving the path app_dx/generated23423.jar. The exclusion entry that contains the caret (^) symbol
means that the match must occur at the beginning of the string. The next characters "app_dx/" must
match exactly. The remainder of the path can be anything. You can use this pattern to exclude
everything under a specified directory name.
/mnt/sdcard/Android/data/com.foo/files/mypic.jpg
Does not reside in the vault because of the \.jpg$ exclusion. The "\." indicates a match with a dot. The
backslash is necessary because the dot is a special regular expression character. The "jpg" extension
is a literal match. The "$" means match at the end of the line. This matches any path that ends in ".jpg".
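The vault test walked through above (prefix first, then exclusion filters against the remainder), as an added Python example that is not part of the Citrix documentation; it also covers the regular-expression exclusion lists described under the private and public file encryption exclusion policies. It uses the com.foo prefixes and filters listed above; requiring the prefix match to end at a path separator is an assumption of this example, not something the text states.

```python
import re

# Inclusion prefixes and exclusion filters from the example above (com.foo is
# the text's placeholder package name).
INCLUSION_PREFIXES = [
    "/data/data/com.foo",
    "/mnt/sdcard/Android/data/com.foo",
]
EXCLUSION_FILTERS = [
    r"^app_dx/",  # everything under the app_dx directory of the sandbox
    r"\.jpg$",    # any path ending in .jpg
]


class Vault:
    """Membership test for an encryption vault.

    A path is in the vault only if (1) it begins with one of the inclusion
    prefixes and (2) the remainder after that prefix matches none of the
    exclusion filters. The filters are POSIX extended regular expressions;
    Python's re dialect accepts the constructs used here (^, $, \\., literals).
    """

    def __init__(self, prefixes, filters):
        self.prefixes = list(prefixes)
        self.filters = [(text, re.compile(text)) for text in filters]

    def relative_path(self, path):
        """Strip the matching prefix and its separator; None if no prefix matches.

        Assumption of this example: the prefix must end at a path separator,
        so /data/data/com.foobar/... is not treated as inside /data/data/com.foo.
        """
        for prefix in self.prefixes:
            base = prefix.rstrip("/")
            if path == base or path.startswith(base + "/"):
                return path[len(base):].lstrip("/")
        return None

    def classify(self, path):
        """Return (in_vault, reason), following the walk-through in the text."""
        rel = self.relative_path(path)
        if rel is None:
            return False, "no inclusion prefix matches"
        for text, regex in self.filters:
            # The filter is applied to the remainder, so ^app_dx/ excludes only
            # a top-level app_dx directory, not something like files/app_dx/.
            if regex.search(rel):
                return False, f"excluded by {text}"
        return True, "located in the vault"

    def contains(self, path):
        return self.classify(path)[0]


EXAMPLE_VAULT = Vault(INCLUSION_PREFIXES, EXCLUSION_FILTERS)

if __name__ == "__main__":
    for p in ("/data/data/com.foo/files/myfile.doc",
              "/data/data/com.bar/files/myfile.doc",
              "/data/data/com.foo/app_dx/generated23423.jar",
              "/mnt/sdcard/Android/data/com.foo/files/mypic.jpg",
              "/data/data/com.foo/files/app_dx/cached.jar"):
        in_vault, why = EXAMPLE_VAULT.classify(p)
        print(f"{p:50} {'in' if in_vault else 'out':3} ({why})")
```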
When you configure encryption in App Controller for Android devices, users are permitted offline access only, which
allows secrets used to derive encryption keys to be persisted on the device.
Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only
in order to protect access to the keys and the associated encrypted content.
For a complete list of the policies that you can configure for Android devices, including the encryption policies, see
Configure MDX Policies for Android Apps in App Controller, in this section.
Configuring Private and Public File Encryption
You can configure two types of encryption that can be applied to either the private or public files. You can select the key
type to balance between higher security and the ability to share data. You can use both key types with apps wrapped
with the MDX Toolkit and apps that are not wrapped with the toolkit. The two keys are:
Security Group Key, which encrypts public files by using a key available to all MDX apps in the same security
group. Using the security group key allows sharing of data between applications. However, the level of
security is lower.
Application Key, which encrypts public files by using a key only available to the specific MDX app. The
application key offers the highest security. If you use the application key, it prevents data from being
accessed by other MDX apps. For example, if users in the health industry have radiology files that cannot be
compromised, when you upload the app to App Controller, the files are encrypted and cannot be shared.
You can also configure access limits for public files to block data from being moved to less secure locations, such as
removable storage. Access limits are independent of encryption.
Changing App Settings
If you need to make changes, you can disable the following applications, links, and stores in App Controller:
Web or SaaS applications. You can change the URL, category or role.
Android or iOS mobile apps. You can edit and save the settings, and you can upgrade the app. If you
upgrade a mobile app, you can also configure when users must upgrade the app on their device. You can
force users to upgrade immediately or you can provide warnings indicating how long users have until they
have to upgrade.
Web links. You can change the URL, category or role.
Public app stores. You can change the URL, category, assigned role, or require installation.
If you need to change the settings of an application, web link or store, you can disable and then edit the settings, which
puts the application, web link, or store in maintenance mode. For example, you might want to add a workflow or change
policy settings. You can disable the app to prevent users from connecting to the app while you are making changes. It is
not required, however, that you put applications, web links, or stores in maintenance mode to make changes.
You can disable any store, web link or web, mobile, or SaaS application. When you disable any of these items in App
Controller, the application or link becomes unavailable on the user device. If users connect with Worx Store, the item is
not available. If users connect with Worx Home, the app, store, or web link appears on the user device. Users, however,
cannot open the item when it is disabled. When you change settings, save your changes, and then enable the item, it
becomes available again on the user device. If users are logged on when you disable the store, application, or web link,
they can continue to use the item even though it is in maintenance mode. If users log off, they cannot start the item again
until you enable the item in App Controller.
When you enable the application or web link after making changes, the new settings are applied the next time users
start the application.
To disable or enable an application, web link, or store
You can disable an application, store or web link to change settings. For iOS and Android apps, you can also disable
the app to upload an upgrade and change settings.
If an app, store, or web link is enabled, the Enable or Disable icon appears green. When you disable an app, store, or
web link, the icon turns gray.
1. In the App Controller management console, click the Apps & Docs tab.
2. In the navigation pane, under Apps & Docs > APPS, click one of the following:
Android Apps
iOS Apps
Public App Store
Web & SaaS
Web Link
3. In the details pane, click an item and then click the Enable or Disable icon. The application, store, or web link icon
turns gray to show it is disabled.
4. Click the application, store, or web link and then click the pencil icon to edit the application.
5. Change the settings and then click Save.
6. Click the application, store, or web link and then click the Enable or Disable icon.
Allowing Users to Reset or Recover Application Passwords
Users can change HTTP Federated Formfill app passwords saved in App Controller by using the reset application
password (Reset_AppPassword) connector. When you configure Reset_AppPassword, the connector appears in
Receiver as an application. If users change the application password in the app, they can use Reset_AppPassword
to update the password in App Controller. This allows users to continue using SSO for HTTP Federated Formfill
apps.
When users click the application in Receiver, a web page starts and a list of apps that have saved passwords appears.
Users can then change the password for the apps in the list.
If you do not configure Reset_AppPassword, users cannot update the password in App Controller. As a result, if users
change the password in the app, they will need to log on when they start the app in Receiver.
You can also allow users to recover their passwords. To do so, you configure the recover application password
(Recover_AppPassword) connector.
To configure the reset application password connector
1. In the App Controller management console, click Apps & Docs at the top of the page.
2. Under APPS, click Web & SaaS.
3. In the details pane, click the plus (+) sign, and then click Reset_AppPassword in the category list.
4. In the Configure App dialog box, in App Name, leave the default name or type one of your own.
5. In Description, leave the default description or type one of your own.
6. In URL, type the web address of the password reset web page.
7. Optionally, select the Category and Role.
8. Click Next to configure settings on subsequent pages and then click Save.
To configure the recover application password connector
1. In the App Controller management console, click Apps & Docs at the top of the page.
2. Under APPS, click Web & SaaS.
3. In the details pane, click the plus (+) sign, and then click Recover_AppPassword in the category list.
4. In the Configure App dialog box, in App Name, leave the default name or type one of your own.
5. In Description, leave the default description or type one of your own.
6. In URL, type the web address of the password recovery web page.
7. Optionally, select the Category and Role.
8. Click Next to configure settings on subsequent pages and then click Save.
Configuring Categories to Manage Applications, Stores, and Web Links
App Controller enables users to access different types of applications, web links, and stores. When users connect with
Citrix Receiver or Worx Home, they can view all of their applications, web links, and stores and then select what they
want to open.
When users log on by using Receiver or Worx Home, they receive a list of applications, web links, or stores. By using
categories, you can sort items that allow users to access only the applications, stores, or web links that you want. For
example, you can have a Finance category and add applications that only pertain to finance. Or, you can configure a
Sales category to which you assign sales applications. You can also configure an Apple category for the App Store.
You configure categories on the Apps & Docs page in App Controller. When you configure or edit a store, web link, or
application connector, such as Box, during the configuration steps, you can select the category. For more information
about adding categories to an application, see Web & SaaS Apps.
To add a category
1. In the management console, click the Apps & Docs tab.
2. In the All categories drop-down box, click the plus sign (+).
3. In the Add Category dialog box, in Name, type a name for the category.
4. In Description, add a description for the category and then click Save. The new category appears in the drop-down
list.
To delete a category
1. In the management console, click the Apps & Docs tab.
2. In the All categories drop-down box, hover over the category and then click the X next to the category.
3. Click Yes to confirm the category deletion.
Configuring High Availability
If you deploy two App Controller virtual machines (VM), you can deploy them in a high availability configuration. You
configure one App Controller VM as the primary role and the other VM as the secondary role. In this deployment, the
primary App Controller VM listens for requests, and serves user requests. The secondary VM synchronizes its data with
the data on the primary App Controller VM. The two VMs work as an active-passive pair, in which only one VM is active
at a time.
If the current primary App Controller VM stops responding for any reason, the current secondary App Controller VM
takes over and becomes the active VM. The new primary App Controller begins to serve user requests.
You configure each instance of App Controller with an individual IP address. Each App Controller in the pair is also
assigned with the same virtual IP address, which is used by the active App Controller. Users connect to the primary App
Controller VM by using a fully qualified domain name (FQDN) that resolves to the virtual IP address.
In App Controller, you use the Console tab in XenCenter or a Secure Shell (SSH) client, such as PuTTY, to prepare two
App Controller VMs for high availability. When you configure high availability, you configure the following settings:
Select the role preference that defines the primary and secondary VM.
Select the virtual IP address (primary only) and peer IP address along with a shared key.
Enable or disable high availability.
Show the status of each VM in the pair.
Force failover to the secondary VM from the current primary VM.
How App Controller High Availability Works
When you configure App Controller for high availability, the two virtual machines (VMs) communicate by using port
9736. Each VM in an App Controller high availability pair generates a heartbeat message at one second intervals. You
can view the status of the VMs by using the App Controller command line. The heartbeat service running on the two
VMs monitors the health of each App Controller system and the health of the high availability pair.
If the primary App Controller VM fails for any reason, the secondary VM immediately takes over as the primary VM. If
the active VM does not respond or reports a failure, the passive VM acquires the virtual IP address and becomes active.
When the failed VM comes back online, it joins with the current active VM and becomes the passive VM. The passive
VM then synchronizes with the data from the active VM.
Configuring High Availability
Before you configure a high availability pair, do the following:
Install the same build version for each App Controller virtual machine (VM).
Install both VMs in the same network subnet.
Assign IP addresses from the same subnet to each VM in the pair.
The basic steps for configuring high availability are as follows:
Identify which VM is the primary role and which VM is the secondary role.
Configure the virtual IP address, the peer IP address, and shared key on the primary VM.
When you finish configuring high availability on the primary VM, configure the peer IP address and shared
key on the secondary VM.
To prepare each VM for high availability in App Controller, you use the command-line console to configure the settings.
You can log on to the command-line console by using the Console tab in XenCenter or vSphere. You can also log on to
App Controller by using a command-line tool, such as PuTTY. You must enable SSH in App Controller to use PuTTY.
Configuring the Primary and Secondary App Controller Virtual Machines
When you configure high availability, each App Controller virtual machine (VM) must be running the same version and
build. You configure the primary VM first with the following settings:
Virtual IP address
Peer IP address
Shared key
You need to configure the primary and secondary VM. After you configure these settings, you enable high availability on
each VM.
If you need to make changes to the primary App Controller, you can force failover to the secondary App Controller. The
primary VM has the option to force failover. When you force failover to the secondary VM, the option to force failover
appears on the new primary VM and disappears from the new secondary VM.
To configure the primary App Controller
1. Log on to the primary App Controller by using the command line.
2. At the command prompt, press 1 to enter high availability and then press ENTER.
3. At the command prompt, press 1 and then press ENTER to set the VM role preference as the primary.
4. At the command prompt, press 2 and then press ENTER to set the virtual IP address (on the primary only), peer IP
address, and shared key.
5. Press y to commit the changes.
6. At the command prompt, press 3 and then press ENTER to enable high availability.
To configure the secondary App Controller
1. Log on to the secondary App Controller by using the command line.
2. At the command prompt, press 1 to enter high availability and then press ENTER.
3. At the command prompt, press 1 and then press ENTER to set the VM role preference as the secondary.
4. At the command prompt, press 2 and then press ENTER to set the peer IP address and shared key. Make sure the
shared key matches with the one configured for the primary.
5. Press y to commit the changes.
6. At the command prompt, press 3 and then press ENTER to enable high availability.
When you configure high availability on the primary App Controller VM, the option to force failover to the secondary
VM appears.
To force failover to the secondary appliance
1. Log on to the primary App Controller by using the command line.
2. At the command prompt, press 1 and then press ENTER.
3. At the command prompt, press 5 and then press ENTER to force failover to the secondary App Controller.
Migrating a High Availability Pair to App Controller 2.9
You can upgrade two App Controller virtual machine (VMs) in a high availability pair from App Controller 2.8 to App
Controller 2.9. You can migrate each VM by using one of two methods:
Upgrading each VM in the pair.
Installing two new instances of App Controller on your hypervisor.
App Controller provides 50 gigabytes (GB) of disk space. If you upgrade each VM in the pair, each instance has 50 GB
of disk space.
If you install new instances of App Controller, you can use the same IP addresses that you used for App Controller 2.6 or
App Controller 2.8. When you install new instances, you install and configure the VM by using the instructions in
Installing App Controller. Then, you can use the command-line console to create the high availability pair with App
Controller 2.9.
To upgrade App Controller in a high availability pair
In this procedure, the primary node is called A and the secondary node is B.
1. Shut down node B in the high availability pair.
2. Upgrade node A by using the instructions in Updating App Controller.
3. When the upgrade is finished, restart node A and then shut down node A.
4. Start node B, repeat Step 2 for node B and then restart node B. When you restart node B, it becomes the primary
node.
5. Start node A. When you start node A, it becomes the secondary node.
After you upgrade and restart both nodes, the VMs automatically join to create the high availability pair.
Backing Up and Restoring Snapshots in a High Availability Pair
You can back up and restore snapshots in a high availability pair. To do so, you need to make sure the configuration on
both App Controller virtual machines (VMs) is the same. You export the snapshot from the current, primary App
Controller. Then, you shut down the secondary App Controller. Then, you import the snapshot to the primary node and
restart App Controller.
To back up and restore snapshots in a high availability pair
1. Export the snapshot from the current primary node in the pair.
For more information, see Creating Snapshots of the App Controller Configuration.
2. Shut down the secondary node in the pair.
3. Import the snapshot to the single master node.
For more information, see To import a snapshot.
4. Restart App Controller.
5. On the primary App Controller, log on to the command-line console and verify that the IP address is correct. If the IP
address is correct, proceed to Step 7. If not, perform Step 6 and then Step 7.
6. Disable high availability by using the command-line console.
a. At the command prompt, type 1 to enter high availability.
b. At the command prompt, type 3 and then press ENTER to disable high availability.
c. Type y to confirm you want to disable high availability.
d. At the command prompt, type 0 and then press ENTER to return to the main menu.
e. At the command prompt, type 0 and then press ENTER to enter Express Setup.
f. At the command prompt, type 1 and then press ENTER to configure the IP address and subnet mask.
g. At the command prompt, type 5 and then press ENTER to save your changes.
When you press ENTER, App Controller restarts. Log on to the command-line console again to complete
the following steps.
h. At the command prompt, type 0 and then press ENTER to return to the main menu.
i. At the command prompt, type 1 and then press ENTER to enter high availability.
j. At the command prompt, type 3 and then press ENTER to enable high availability.
k. Type y to confirm you want to enable high availability.
7. Start the secondary App Controller.
When you start the secondary App Controller, both nodes in the high availability pair are synchronized.
Creating a Cluster
You can install multiple instances of the App Controller virtual machine (VM) to create a cluster. One App Controller VM
acts as the cluster head. This App Controller is considered to be the host and, as such, hosts the database for all of the
VMs in the cluster.
Note: The App Controller cluster head requires 4 VCPUs.
All other App Controller VMs in the cluster are called service nodes. Each service node has a local database that is
used by the service node only. Updating user information from the service node to the cluster head requires writing to
the database. A service node connects to the database on the cluster head by using a secure channel.
App Controller VMs deployed as service nodes obtain their configuration from the App Controller that acts as the cluster
head. Citrix recommends deploying two App Controller VMs in a high availability pair. With high availability, one of the
paired VMs serves as the primary node, acting as the cluster head, while the other is the secondary node, monitoring
the primary. If the primary fails, the secondary assumes the role of the cluster head.
You use the command-line console to configure App Controller clustering. You can create a cluster, join an App
Controller VM to a cluster, and remove a VM from the cluster.
When you add an App Controller service node to the cluster and then log on by using the management console, only
the Dashboard and the home page appear.
Configuring Load Balancing for an App Controller Cluster
As shown in the following figure, App Controller works with NetScaler to provide load balancing to all of the service
nodes in the cluster. All VMs run behind a load balancer that is responsible for terminating SSL connections from Citrix
Receiver. You install certificates for App Controller on the load balancer.
Figure 1. Deploying App Controller with NetScaler in a Cluster
Citrix recommends that you configure the following three virtual servers on NetScaler for load balancing:
One virtual server as a Content Switching load balancer
One virtual server for rule-based load balancing
One virtual server for custom serverID persistence load balancing
You configure the Content Switching load balancer to route requests with the session ID in the URL to go through the
custom serverID load balancer. All other requests go through the rule-based load balancer. You need to configure
cookie (LB1) and serverID (LB2) persistency policies on the virtual servers. If the session ID parameter is not in the
request URL, the request is sent to LB1 for cookie persistency. If the session ID is present, the request is sent to LB2 for
serverID persistency.
The load balancer needs to query the cluster node to determine if the cluster is running, to obtain information about the
load, or to perform health checks by sending user requests to App Controller VMs that are working correctly. Health
checks provide greater application availability by ensuring user requests are directed only to correctly behaving servers.
When user connections go through the load balancer to an App Controller service node, the cluster uses HTTP
connections. You can use HTTPS if you want additional security.
Note: App Controller clustering uses TCP port 9737.
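The content switching and persistence rules described above, as an added example that is not Citrix code and not a NetScaler configuration: a small Python model of the three virtual servers in front of an App Controller cluster, with health checks keeping failed service nodes out of rotation. The session-ID parameter name, the persistence cookie name, and the assumption that the session ID value identifies the service node are constructed for this example.

```python
"""Added example (not Citrix code): models the NetScaler layout described above.
The Content Switching vserver sends requests whose URL carries the session-ID
parameter to LB2 (custom serverID persistence); all other requests go to LB1
(cookie persistence). Health checks keep failed service nodes out of rotation.
SESSION_PARAM, PERSIST_COOKIE and the mapping of session ID to server ID are
assumptions made for this example, not values from the documentation."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "sessionid"   # assumed name of the session-ID URL parameter
PERSIST_COOKIE = "NSC_APPC"   # assumed name of the LB1 persistence cookie


@dataclass
class ServiceNode:
    server_id: str            # the serverID that LB2 persists on
    address: str
    healthy: bool = True


class Cluster:
    """The App Controller service nodes behind the load balancer."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self._rr = 0              # round-robin cursor for unpersisted requests

    def healthy_nodes(self):
        return [n for n in self.nodes if n.healthy]

    def next_round_robin(self):
        up = self.healthy_nodes()
        if not up:
            raise RuntimeError("no healthy App Controller service nodes")
        node = up[self._rr % len(up)]
        self._rr += 1
        return node

    def by_server_id(self, server_id):
        for n in self.healthy_nodes():
            if n.server_id == server_id:
                return n
        return None


def content_switch(url):
    """Content Switching decision: 'LB2' if the session ID is in the URL, else 'LB1'."""
    return "LB2" if SESSION_PARAM in parse_qs(urlsplit(url).query) else "LB1"


def route(cluster, url, cookies=None):
    """Choose the virtual server and service node for one request.
    Returns (vserver, node, set_cookie); set_cookie is the persistence cookie
    LB1 inserts when a request arrives without one, otherwise None."""
    cookies = cookies or {}
    vserver = content_switch(url)
    if vserver == "LB2":
        sid = parse_qs(urlsplit(url).query)[SESSION_PARAM][0]
        node = cluster.by_server_id(sid)
        if node is None:          # persisted node failed its health check
            node = cluster.next_round_robin()
        return vserver, node, None
    node = cluster.by_server_id(cookies.get(PERSIST_COOKIE, ""))
    if node is None:
        node = cluster.next_round_robin()
        return vserver, node, f"{PERSIST_COOKIE}={node.server_id}"
    return vserver, node, None


def health_check(cluster, probe):
    """Run a probe against every node; returns the IDs of nodes still in rotation."""
    for n in cluster.nodes:
        n.healthy = bool(probe(n))
    return {n.server_id for n in cluster.healthy_nodes()}


if __name__ == "__main__":
    # Constructed sample cluster of two service nodes.
    demo = Cluster([ServiceNode("appc1", "10.0.0.11"), ServiceNode("appc2", "10.0.0.12")])
    for req in ("https://appc.example.com/Citrix/Roaming/Accounts",
                "https://appc.example.com/Citrix/App?sessionid=appc2"):
        vs, node, cookie = route(demo, req)
        print(f"{req} -> {vs} -> {node.address} set-cookie={cookie}")
```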
Creating a Cluster
When you create a cluster in the command-line console, the cluster node identifier, the current App Controller role, and
a prompt to enter the shared key appear. You create the shared key on the cluster head and then use the same shared
key for each VM in the cluster.
You must configure the host name on the cluster head. This information is replicated to the service nodes automatically
as part of configuration sharing. The host name appears in the request URLs to be distributed in the cluster. Each
service node in the cluster must also have the same shared key to establish secure tunnels. If the shared key on the
cluster head and service node do not match, the two VMs cannot communicate.
The shared key must be eight characters with at least one uppercase letter, one lowercase letter, one numeric, and one
special character that includes one of the following symbols: [!#$&].
After you enter the shared key, you restart App Controller. After App Controller restarts and you log on again to the
command-line console, a message appears that states that the App Controller VM is now the cluster head.
If you have two App Controller VMs in a high availability pair, use the virtual IP address when you configure the service
node. Both VMs function as a cluster head. For example, if the primary VM in the high availability pair fails for any
reason, the secondary VM takes over and serves user requests.
Adding Service Nodes to the Cluster
When you join an App Controller VM to a cluster, you provide the IP address and shared key of the cluster head. After
you enter this information, you restart App Controller. When App Controller restarts, you can use the command-line
console to show the following cluster information:
Cluster node ID
Current role as the service node
Cluster head IP address
Shared key
Adding and Removing App Controller Nodes in a Cluster
To join App Controller virtual machines (VMs) together in a cluster, you first designate one VM as the cluster head. To
do so, you use the command-line console to create the cluster. Then, you can add other VMs to the cluster. These VMs
are designated as service nodes. You can log on to the command-line console in one of the following ways:
XenCenter Console tab.
vSphere Console tab.
Hyper-V PowerShell.
Secure Shell (SSH) connection, such as from PuTTY.
To create the cluster head
1. Log on to the App Controller command-line console.
2. In the main menu, type 2 and then press ENTER.
3. Type 3 and then press ENTER.
4. In Cluster Shared Key, enter the shared key for the cluster and then press ENTER.
The shared key must be eight characters with at least one uppercase letter, one lowercase letter, one numeric,
and one special character that includes one of the following symbols: [!#$&].
5. When prompted, type y to restart App Controller.
After you create the cluster head, you can join other App Controller VMs to the cluster.
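The shared key rule stated in Creating a Cluster and repeated in step 4 above, as an added example that is not Citrix code: a check to run on a candidate key before it is typed into the command-line console, a generator for a compliant key, and a comparison that reports service nodes whose key differs from the cluster head's (mismatched keys mean the VMs cannot communicate). Reading "eight characters" as exactly eight is an assumption.

```python
"""Added example (not Citrix code): checks a candidate cluster shared key against
the rule stated above before it is typed into the command-line console, generates
a compliant key, and reports nodes whose key differs from the cluster head's
(mismatched keys mean the VMs cannot communicate). "Eight characters" is read as
exactly eight; that reading is an assumption."""
import secrets
import string

KEY_LENGTH = 8
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIALS = "!#$&"          # the symbols the documentation lists


def shared_key_problems(key):
    """Return the rule violations for key; an empty list means it is acceptable."""
    problems = []
    if len(key) != KEY_LENGTH:
        problems.append(f"length is {len(key)}, must be {KEY_LENGTH}")
    if not any(c in UPPER for c in key):
        problems.append("no uppercase letter")
    if not any(c in LOWER for c in key):
        problems.append("no lowercase letter")
    if not any(c in DIGITS for c in key):
        problems.append("no digit")
    if not any(c in SPECIALS for c in key):
        problems.append(f"no special character from [{SPECIALS}]")
    return problems


def generate_shared_key():
    """Build a random key that satisfies every rule, using a CSPRNG."""
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIALS)]
    pool = UPPER + LOWER + DIGITS + SPECIALS
    chars += [secrets.choice(pool) for _ in range(KEY_LENGTH - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # so the character-class order is not fixed
    return "".join(chars)


def mismatched_nodes(head_key, node_keys):
    """Names of service nodes whose shared key differs from the cluster head's."""
    return [name for name, key in node_keys.items() if key != head_key]


if __name__ == "__main__":
    candidate = generate_shared_key()
    print(candidate, shared_key_problems(candidate) or "ok")
    print(shared_key_problems("abcdefgh"))
```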
To join a node to a cluster
1. Log on to the App Controller command-line console.
2. In the main menu, type 2 and then press ENTER.
3. Type 4 and then press ENTER.
4. In Cluster Head IP Address, type the IP address of the App Controller VM that is acting as the cluster head.
5. In Cluster Shared Key, enter the shared key for the cluster and then press ENTER.
6. When prompted, type y to restart App Controller.
To remove a node from a cluster
You can remove an App Controller VM from the cluster at any time.
1. Log on to the App Controller command-line console.
2. In the main menu, type 2 and then press ENTER.
3. Type 5 and then press ENTER.
4. In Do you want to leave the cluster, press y and then press ENTER.
5. When prompted, type y to restart App Controller.
Configuring a Web Proxy Server
You can configure a web proxy server from the App Controller command-line console to allow access to the Internet
from App Controller. To configure the web proxy server, you configure the IP address, port, and optionally, a non-proxy
host list, user name, and password. When you commit the changes, App Controller restarts. After you configure the web
proxy server, when you use the management console to manage user accounts from the Apps & Docs tab for SaaS
apps or for ShareFile, App Controller uses the proxy server settings for outbound connections.
When you configure the web proxy server, you configure the settings for an unsecure (HTTP) web proxy server. When
configuration of these settings is complete, you then configure the settings for a secure (HTTPS) web proxy server.
Note: The web proxy does not work with Google Apps or the Salesforce application if you configure the web proxy with
authentication.
To configure a web proxy server
1. In XenCenter or vSphere, select the App Controller virtual machine, click the Console tab and then log on to App
Controller.
2. In the main menu, type 3 to open the System menu and then press ENTER.
3. In the system menu, type 7 to select Web Proxy Server and then press ENTER.
4. Enter the following web proxy information:
IP address
Port
Proxy host exclusion list (optional)
User name
Note: When you configure the web proxy, you can use either SAMAccount or the User Principal
Name (UPN) as the format for the user name. App Controller supports special characters in the user
name.
Password
Installing Certificates
App Controller requires root and server certificates to communicate in the following ways:
Between App Controller and the App Controller management console
Between applications and App Controller
Between App Controller and StoreFront
Note: You can only install Privacy Enhanced Mail (PEM) and Personal Information Exchange (.pfx) certificate files on App
Controller.
You need to install multiple certificates on App Controller to facilitate secure communication. Each certificate serves a
specific communication purpose.
App Controller requires the following three certificates:
Secure SSL server certificate that is used for secure connections to the management console and for
communicating with StoreFront
Secure SSL server certificate for communicating between App Controller and applications that require an
SSL certificate for user account management
Secure SSL certificate for communication between App Controller and SAML applications that require an
SSL certificate
If you configure a SAML application in App Controller, such as Google Apps, you might need to upload a SAML
certificate to App Controller. For more information about SAML certificates, see the application documentation.
Installing a Signed Server Certificate and Private Key on App Controller
App Controller includes a server certificate that is not signed by a trusted Certificate Authority (CA). You need to install
on App Controller a digital X.509 server certificate that belongs to your company and is signed by a CA. Your company
can operate as its own CA, or you can obtain a digital signed server certificate from a commercial CA, such as VeriSign
or Thawte.
App Controller accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a text format that is the Base-64
encoding of the Distinguished Encoding Rules (DER) binary format. The PEM format specifies the use of text BEGIN
and END lines that indicate the type of content that is being encoded.
You can install a secure digital certificate and private key on App Controller in the following two ways:
Generate a Certificate Signing Request (CSR) by using the App Controller management console.
When App Controller generates the CSR, App Controller creates a certificate and private key. The private
key remains on App Controller and the certificate contents are copied and submitted to a CA web site for
signing. When the signed certificate is returned, you install the certificate on App Controller. During
installation, the signed certificate is paired with the password-protected private key. Citrix recommends that
you use this method to create and install secure certificates.
Install a PEM certificate and private key from a Windows-based computer. By using this method, you
upload a signed certificate and private key together. The certificate is signed by a CA and is paired with the
private key.
To install a certificate and private key from a Windows-based computer
If you are using a load balancer or you have a signed digital certificate with a private key that is stored on a Windows-based
computer, you can upload the certificate to App Controller. If the App Controller virtual machine (VM) is not
located behind a load balancer, the certificate must contain the fully qualified domain name (FQDN) of App Controller. If
the App Controller VM is located behind a load balancer, each appliance must contain the same certificate and private
key.
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. Click Import and then select Server (.pfx).
4. In the Import a certificate dialog box, click Browse, navigate to the certificate and then click Open. When you upload
the certificate to App Controller, you are asked for a password to encrypt the private key.
Overview of the Certificate Signing Request
Before you can upload a certificate to App Controller, you need to generate a Certificate Signing Request (CSR) and
private key. You generate the CSR in the Certificate Signing Request dialog box that you open from the Certificates
panel in the App Controller management console. After you create the .csr file, you copy the certificate contents and
submit them to the Certificate Authority (CA) web site for signing. The CA signs the certificate and returns it to you at the
e-mail address you provided. When you receive the signed certificate, you can install it on App Controller.
To provide secure communications by using SSL or TLS, App Controller requires a server certificate. A summary of the
steps for obtaining and installing a server certificate on App Controller is as follows:
1. Generate a CSR in the management console.
Important: When you create the CSR, do not create another CSR. There is a private key associated with the
CSR that you send to the CA for signing. If you create another CSR, the private key for the first CSR is
erased and you will not be able to install the signed certificate on App Controller. When you install the
signed certificate, App Controller automatically pairs it with the private key.
2. Copy the certificate contents and submit them to a CA Web site for signing.
3. When you receive the signed certificate file from your CA, upload the certificate on the Certificates panel in
the management console. The certificate is automatically converted to the Privacy Enhanced Mail (PEM)
format, which is required by App Controller.
Password-Protected Private Keys
Private keys that are generated with the CSR are stored in an encrypted and password-protected format on App
Controller. When creating the CSR, you are asked to provide a password for the private key. The password is used to
protect the private key from tampering and is also required when restoring a saved configuration to App Controller.
Passwords are used whether the private key is encrypted or unencrypted.
To create a CSR
To provide secure communication by using SSL or TLS, a server certificate is required on App Controller. Before you
can upload a certificate to App Controller, you need to generate a CSR and private key. You configure settings as
shown in the following figure.
1. In the App Controller management console, click the Settings tab.
2. In the left panel, under System Configuration, click Certificates.
3. In the Certificates panel, click New and in Certificate Signing Request, type the required information:
In Key Length (required), select the encryption strength.
In Common name (required), type the host name or the fully qualified domain name (FQDN) of App
Controller as it appears on the Network Connectivity panel.
In Email, type the email address for the contact person at your company.
In Description, type a description for the CSR.
In Company name, type the name of your company or organization.
In Department name, type the name of the department that will use the certificate.
In City, type the name of the city in which your company or organization is located.
In State, type the full name of the state where your company is located.
In Country Code (required), select the code for your country, such as United States.
4. Click Save.
App Controller creates the CSR. A dialog box that contains the contents of the CSR opens.
5. Copy the certificate contents from the dialog box and then paste the content into the appropriate area on the
Certificate Authority web site.
The certificate provider returns a signed certificate to you by e-mail. When you receive the signed certificate,
install it on App Controller.
You can create up to three CSRs. You can view or delete existing CSRs, and you can also choose to sign a CSR so
that you can use the certificate immediately.
To import a signed server certificate to App Controller
When you receive the signed certificate from the Certificate Authority (CA), you can upload the certificate to App
Controller. The file can be a Privacy Enhanced Mail (PEM) or Personal Information Exchange (PKCS#12) file, which
includes both a server certificate and its password-protected private key.
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. Click Import and then select Server (.pem) to import a CA signed root certificate.
4. In the Upload dialog box, click Browse, navigate to the certificate and then click Open.
Installing Root Certificates on App Controller
After the Certificate Authority (CA) signs your server certificate, the CA returns it to you. If the CA provides the server
certificate in PEM format, the CA might also send the root certificate. You need to install the root certificate on App
Controller along with the server certificate.
You might also need to install root certificates for applications you configure on App Controller. Each root certificate
must match the fully qualified domain name (FQDN) of the server running the application.
To install a root certificate
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. Click Import and then select Trusted (.pem) to import a CA-signed root certificate.
4. In the Upload dialog box, click Browse, navigate to the certificate and then click Open.
To view the details of a certificate
If you encounter any problems with a certificate, you might want to verify the issuer of the certificate. You can see this
information, as well as other details about every certificate you install on App Controller, in the App Controller
management console.
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. Under All Certificates, select a certificate and then click Details.
4. In the dialog box that opens, view certificate details, subject name, and issuer name for the selected certificate and
then click Close.
To export a certificate
You might need to export certificates when migrating to a new App Controller VM, backing up an App Controller VM,
and sharing certificates between a pair of App Controller VMs used for high availability. You can export an existing
server certificate and its corresponding password-protected private key to a file. You can only export certificates in
Privacy Enhanced Mail (PEM) format. You can also export a SAML certificate for use with applications that require an
App Controller SAML certificate, such as Google Apps.
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. In the table, select the certificate to export and then click Export.
4. In the Export Certificate dialog box, in Password and Confirm Password, type the password that will be used to
encrypt the exported certificate and then click OK.
Configuring Certificates for SAML Applications
Some SAML applications, such as ShareFile, Google Apps, and Echosign, require a certificate to communicate with
App Controller. After you add the application in App Controller and configure application settings, you download a SAML
certificate from App Controller. When you configure settings in the SAML application, you upload the certificate to the
application. By doing so, you ensure secure connections between the application and App Controller.
App Controller supports installation of one SAML certificate on App Controller. When you first install App Controller, a
SAML certificate is created and appears in the Certificates panel.
The SAML certificate is called AppController.example.com. If you want to use a custom SAML certificate, you need to
upload a .pem certificate that contains only the certificate and private key.
Important: Do not include any chain certificates with the SAML certificate.
When you install the new SAML certificate, App Controller removes any previously installed certificates, including the
AppController.example.com SAML certificate created during App Controller installation. Only one SAML certificate can
reside on App Controller.
You can download a SAML certificate by using one of the two following methods:
If you download the SAML certificate for backup, Citrix recommends creating a password to encrypt the
certificate with a private key.
If you download the SAML certificate for use with SaaS applications, do not include the password. Private
keys should not be included with the certificate in this instance.
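As an added illustration (not Citrix code), the following Python script checks a PEM file against the constraints above before you upload it as the custom SAML certificate (exactly one certificate, one private key, no chain certificates) and derives the certificate-only copy for a SaaS application. It only inspects PEM block labels, not the key or certificate contents, and the PEM bodies in it are constructed placeholders.

```python
"""Pre-upload checks for the App Controller SAML certificate (.pem).

Added example, not Citrix code. It inspects PEM block labels only; it does not
verify that the key matches the certificate or that either parses.
"""
import re

# One PEM block: label on the BEGIN/END armor lines, anything in between
# (base64 body and, for legacy encrypted keys, Proc-Type/DEK-Info headers).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Labels that carry private key material, plain or password-encrypted.
KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
}


def pem_blocks(text):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def check_saml_upload(text):
    """Problems that make a PEM file unsuitable as the custom SAML certificate.

    App Controller expects exactly one certificate plus its private key and
    no chain (intermediate or root) certificates. Empty list means it passes.
    """
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    problems = []
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    elif certs > 1:
        problems.append(
            f"{certs} CERTIFICATE blocks: remove chain or intermediate certificates"
        )
    if keys == 0:
        problems.append("no private key block found")
    elif keys > 1:
        problems.append(f"{keys} private key blocks: keep only the key for this certificate")
    return problems


def contains_private_key(text):
    """True if any private key block is present, plain or encrypted."""
    return any(label in KEY_LABELS for label, _ in pem_blocks(text))


def saas_copy(text):
    """Certificate-only PEM to hand to the SaaS application.

    Key blocks are dropped: the private key stays on App Controller and is
    never part of the certificate sent to ShareFile, Google Apps or Echosign.
    """
    certs = [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(certs)}")
    return certs[0] + "\n"


# Constructed placeholders (not real certificates or keys) so the script runs offline.
CERT_LEAF = ("-----BEGIN CERTIFICATE-----\n"
             "MIIBconstructedSamlSigningCertificateBody==\n"
             "-----END CERTIFICATE-----")
CERT_CA = ("-----BEGIN CERTIFICATE-----\n"
           "MIIBconstructedIssuingCaCertificateBody==\n"
           "-----END CERTIFICATE-----")
KEY_LEAF = ("-----BEGIN PRIVATE KEY-----\n"
            "MIIEconstructedPrivateKeyBody==\n"
            "-----END PRIVATE KEY-----")

GOOD_PEM = CERT_LEAF + "\n" + KEY_LEAF + "\n"                    # cert + key, no chain
CHAIN_PEM = CERT_LEAF + "\n" + CERT_CA + "\n" + KEY_LEAF + "\n"  # chain included: rejected

if __name__ == "__main__":
    import sys
    # Usage: python check_saml_pem.py [file.pem]; without a file, the samples above are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            samples = {sys.argv[1]: f.read()}
    else:
        samples = {"GOOD_PEM": GOOD_PEM, "CHAIN_PEM": CHAIN_PEM}
    for name, data in samples.items():
        problems = check_saml_upload(data)
        print(f"{name}: {'OK for App Controller upload' if not problems else '; '.join(problems)}")
        if not problems:
            print("  SaaS copy contains private key:", contains_private_key(saas_copy(data)))
```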
To download a SAML certificate
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. Under Certificates > All Certificates, select the SAML certificate and then click Export.
4. In the Export Certificate dialog box, in Password and Confirm Password, enter the password for the certificate.
Only supply the password if you are backing up the certificate and storing it on your computer.
5. To export the private key with the certificate, click Export with private key and then click OK to save the certificate to
your computer.
Select this option only if you are backing up the certificate.
6. Navigate to the location on your computer where you want to save the certificate and then click Save.
To install a certificate for an application
To allow users to establish communication with an application that communicates over SSL, such as Active Directory
over secure LDAP, you need to install a root certificate on App Controller and then associate the certificate with the
application. The root certificate validates the application server's identity and allows users to access the application. You
must install a root certificate for each application you add to App Controller.
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Certificates.
3. Click Import and then click Saml (.pem).
4. In the Upload dialog box, click Browse, navigate to the certificate on your computer, and then click Open.
Adding Roles
A role is a group of users to which you assign applications. You can use roles to assign groups from Active Directory in
App Controller. After you add Active Directory groups to a role, you then assign applications to the role. The basic steps
for adding a role in App Controller are as follows:
Assign a name to the role.
Provide a description for the role.
Select one or more groups that exist within the domain you chose and add them to the role.
If users are members of multiple groups, you can choose if users must be members of all of the defined
groups or if users can belong to some of the groups. For example, you have JohnD in the Sales,
Finance, and Marketing Groups. To access apps and data, you can require JohnD to be a member of
all three groups. You can also allow JohnD to be a member of any of the groups to gain access to apps
and data.
Select the ShareFile Storage Zone to which users have access.
You can assign web, SaaS, and mobile applications to a role. You can also assign web links to a role and add roles to
ShareFile settings.
Note: You must configure Roles before you configure ShareFile settings. You cannot use the AllUsers role for ShareFile.
After you configure roles, you configure the applications for single sign-on (SSO). You can then assign one or more
applications to the roles. For example, you configure Sales, Marketing, and Finance roles in App Controller. After you
configure the Salesforce and GoToMeeting application connectors, you might assign the Salesforce application to the
Sales role and you might assign GoToMeeting to all three roles.
Adding or Removing Roles
When you add a role, you assign one or more Active Directory domains or groups to the role. For example, you have two
domains: mydepartment and financedepartment. You want to add groups from each domain to the role. App Controller
shows the domain and groups on the Membership page in the Role dialog box as shown in the following figure:
You must have an active connection from App Controller to Active Directory to add a role. After you add domains and
groups to the role, you then assign applications to the role.
Note: You can only use the Assign Apps to Role link on the Roles tab when you create a role. You can also assign an app to
a role by using the Configure App dialog box.
When you configure a role and add multiple Active Directory groups, you can require users to be a member of all groups
or you can require membership in at least one of the selected groups.
When you delete a role, the role is removed from App Controller. If you need the role again, you need to configure a
new role.
To add a role
1. In the App Controller management console, click the Roles tab.
2. Under Roles, click Add Role.
3. In the Add Role dialog box, in Role name, type a name for the role.
4. In Role description, enter a description of the role.
5. Optionally, under ShareFile Configuration, in Storage Zone, select the storage zone for the role.
Storage Zone only appears if you configure ShareFile in App Controller. If ShareFile is not configured, you can
click the Sync icon to add the domain, user name, and password for ShareFile. When you click Discover, App
Controller retrieves the ShareFile Storage Zone. The Sync icon does not appear if you configure ShareFile in
App Controller.
6. Click Next.
7. In Group membership, do one of the following:
a. Click AND to require role membership in all groups in order to access apps.
b. Click OR to require role membership in any of the selected groups in order to access apps.
8. Under Group, select the groups that you want to add to the role and then click the chevron (>) to move the groups to
Member.
9. Click Save.
To delete a role
1. In the App Controller management console, click the Roles tab.
2. In the navigation pane, under Roles, click the wrench icon for the role and then in the dialog box, click the X icon.
3. Click Yes to delete the role.
To edit a role
When you edit a role, you can change the name of the role, update the description, or add or remove groups.
1. In the management console, click the Roles tab.
2. In the left pane, under Roles, click the wrench icon for a role and then in the dialog box that appears, click the pencil
icon.
3. In the Edit Role dialog box, make your changes and then click Save.
Note: You cannot change the role name.
Viewing Members of Active Directory Groups
After you add Active Directory groups to a role, you can view the members of the Active Directory group.
To view Active Directory group membership
1. In the App Controller management console, click the Roles tab.
2. Under Roles, click a role and then click the wrench icon to the right of the role name.
3. In the pop-up dialog box, click the pencil icon.
4. In the Edit Role dialog box, click Next and then click the users icon next to the group name.
The list of users appears in the View Group Members dialog box. You can also view the details when you add
groups to a role.
5. Click Close and then click Save if you made changes to the role. Otherwise, click Cancel.
To assign applications to roles
You can add one or more applications to a role. Roles allow you to control who has access to applications in your
organization. You can add a role when you configure the app or from the Roles panel. When you create a role, you
assign users and then you assign apps. You must create one or more roles before you assign an application to a role.
You cannot assign an application to the default AllUsers role.
1. In the management console, click the Roles tab.
2. In the navigation pane, under Roles, select a role and then at the bottom of the left-hand menu, click Assign apps to
role.
3. In the Assign Apps to Role dialog box, do one of the following:
a. To add one application, under Available Apps, select the application and then click the single chevron (>) to
move the application to Apps assigned to Role.
b. To add two or more applications, under Available Apps, press the CTRL key, select the applications and then
click the single chevron to move the applications to Apps assigned to Role.
c. To add all applications in the list, under Available Apps, select the applications and then click the double
chevron (>>) to move all of the applications to Apps assigned to Role.
4. Click Save.
You can view applications assigned to roles on the Roles page. When you click a role, the applications appear
under Applications Assigned to. If you configure multiple roles, click the role to see the assigned apps.
To remove applications from a role
1. In the App Controller management console, click the Roles tab.
2. In the navigation pane, under Roles, click the role.
3. Under Applications assigned to <roleName>, hover over an application and then click the X in the upper-right corner.
Configuring Connections to ShareFile
ShareFile is a cloud-based file sharing service. The service provides a custom-branded, password-protected space
where users can easily and securely exchange their data and documents.
ShareFile enables users to send large files by email, securely handle file transfers to third parties, and access a
collaboration space from desktops or mobile devices. ShareFile provides users with a variety of ways to work, including
a Web-based interface, desktop tools, and integration with Microsoft Outlook.
When you configure ShareFile in App Controller, you configure settings to connect to the ShareFile account and
administrator service account for user account management. Then, you can connect to ShareFile from the App
Controller management console to configure administrator settings.
App Controller supports ShareFile StorageZones, which extend the ShareFile Software as a Service (SaaS) cloud
storage by providing your ShareFile account with private data storage. ShareFile StorageZones also provides users with
secure access to SharePoint sites and network file shares through StorageZone Connectors. For more information
about ShareFile StorageZones, see the documentation in eDocs.
Users connect to their documents and files by using the ShareFile application. To allow user access, you must configure
the ShareFile application in App Controller.
The following steps enable user access to ShareFile:
Upload a SAML certificate to App Controller. For details, see Configuring Certificates for SAML Applications.
Configure the ShareFile administrator settings from the Apps & Docs tab in the App Controller management console.
Configure the ShareFile application on the Apps & Docs tab in the App Controller management console. For more
information about configuring ShareFile application connectors, see List of Application Connectors with Additional
Parameters.
When you configure ShareFile application in App Controller, you can configure the following:
ShareFile domain, such as mycompany.sharefile.com
Roles for users from Active Directory
Workflows for user account management
Service account for user account management
If you have not created one or more roles in App Controller, when you configure ShareFile, you can select Not Assigned.
After you create roles, you can add the role to the ShareFile settings.
Important: The role you select should contain the same number of members for which you obtain licenses. For example, if
you have 100 licenses, the role should contain the same amount of users. If you use the AllUsers role, which might have
more Active Directory accounts than licenses, synchronizing accounts in ShareFile and App Controller might fail. If you
previously selected the AllUsers role or a role with too many Active Directory accounts, you must manually remove the role
from ShareFile and then add the new role.
To configure ShareFile administrator settings in App Controller
1. In the App Controller management console, click the Apps & Docs tab.
2. Under Apps & Docs > DOCS, click ShareFile.
3. In the details pane, next to ShareFile Configuration, click Edit.
4. In Domain, enter your ShareFile domain name, such as acmesharefile.sharefile.com. You must enter the full domain
name for ShareFile, such as mysharefile.sharefile.com.
5. In Assigned role, select the role to which you want to assign ShareFile.
Note: You must select a role. Citrix recommends that you do not use the AllUsers role for ShareFile. For more
information, see Adding Roles.
6. Under Service Account for Provisioning, configure the following settings for user account management:
a. In User name, type the email address of the ShareFile service account. The service account is the ShareFile
administrator account.
b. In Password, type the password of the ShareFile service account.
7. Click Save.
After you configure ShareFile settings in App Controller, you can then configure settings on the ShareFile server by
connecting to the ShareFile administrative account. These settings include:
User accounts
Administrators and super groups
Super groups contain individuals who have administrative access and can change ShareFile settings.
These individuals are referred to as super users.
Distribution groups
Folders
ShareFile accounts on devices
For more information about configuring these settings, see the ShareFile documentation.
The Advanced Configuration link only appears after you configure ShareFile in the App Controller management console.
To connect to the ShareFile administrative account
1. In the management console, click the Apps & Docs tab.
2. Under Apps & Docs > DOCS, click ShareFile.
3. In the right pane, next to ShareFile Configuration, click Advanced Configuration.
The ShareFile settings page opens in a new browser window.
Locking and Erasing Apps and Data
When users install Citrix Receiver on their device and log on for the first time, App Controller registers the device.
Then, the device is included in the App Controller inventory and appears on the Devices tab in the App Controller
management console. The inventory displays all devices that connect to App Controller from Receiver. For each device, the
list provides the following information:
Type of device with which the user logs on
Operating system of the user device
Model of the user device
Name of the user device
User ID of the person who owns the device
Last time the user logged on with Receiver
Action you can take on the device
For each device in the list, you can perform the following actions:
Erase application data and documents from the device. If users lose an iOS or Android device and do not
locate the device in a specified period of time, or if the user leaves the organization, you can erase
application data and ShareFile documents from the user device.
Stop erasing data and documents on the device. If you determine that the device is safe, you can stop erasing
the data and documents on the device. Users can access their apps and ShareFile documents when you
stop erasing.
Lock and unlock the device. If users lose an iOS or Android device, you can lock applications on the device
that App Controller delivers, which prevents unauthorized access to the applications. You can later unlock
the same applications.
Delete the device. You can delete a device as a part of device inventory maintenance, if, for example, the
device is lost or destroyed.
The lock and erase functions take effect after Receiver polls App Controller. The polls occur every 60 minutes by
default.
An erased or locked device continues to appear in the inventory in the management console. If users do not need
access to the device, you can remove the device from the inventory. When you erase application data from the device,
the device listing appears in All Devices and Erased. If you lock a device, the listing appears in All Devices and Locked.
These lists allow you to see at a glance the devices that are currently active and the devices that might be
compromised.
The following table shows the icons that you can use to perform the preceding actions for all devices, including devices
that are connected to App Controller:
Icon name: Definition
Delete: Used for deleting a user device from the inventory.
Lock: Used to lock a user device.
Unlock: Used to unlock a user device after you have locked it.
Erase: Used to erase application data and documents from the user device.
Stop erasing: Used to stop erasing application data and documents on the user device.
Locking and Unlocking Applications on User Devices
You can lock and unlock user devices in the App Controller management console. This action prevents users from
connecting to applications in Citrix Receiver.
To lock applications on a user device
1. In the App Controller management console, click the Devices tab.
2. In the center pane, hover over a user device and then under Actions, click the lock icon.
3. Click Yes to confirm that you want to lock the device. The user device appears in the All devices and Locked lists.
To unlock applications on a user device
1. In the App Controller management console, click the Devices tab.
2. In the left pane, click Locked.
3. Hover your mouse over the user device and then under Actions, click the unlock icon.
4. Click Yes to confirm that you want to unlock the device. The user device is removed from the Locked list.
Erasing Application Data and Documents on the User Device
If a user device is compromised in any way, you can erase application data and ShareFile documents from the user
device. When you erase the data from the user device, users can no longer access the applications or documents. You
can also stop erasing data from the user device. If you stop erasing, you cannot restore the data and documents to the
user device.
To erase application data and documents from a user device
1. In the App Controller management console, click the Devices tab.
2. In the details pane, hover over a user device and then under Actions, click the erase icon.
3. Click Yes to confirm that you want to erase application data and documents from the device. The user device appears
in the All devices and Erased lists.
To stop erasing application data and documents on the user device
1. In the App Controller management console, click the Devices tab.
2. In the navigation pane, click Erased.
3. In the details pane, hover your mouse over the user device and then under Actions, click the stop erasing icon.
4. Click Yes to confirm that you want to stop erasing application data and documents from the user device. The user
device is removed from the Erased list.
To delete a user device from App Controller
You can delete a user device from App Controller to maintain your current inventory. You might need to delete a device
for the following reasons:
The individual left the company and returned the device.
The device is lost or damaged.
1. In the App Controller management console, click the Devices tab.
2. In the details pane, hover over a device and then click the delete icon.
3. Click Yes to confirm the deletion.
Configuring Connections to XenMobile MDM
You can configure settings in App Controller to communicate with XenMobile MDM. The settings specifically enable a
connection between App Controller and the XenMobile MDM component, Device Manager. Device Manager enables
you to manage mobile devices, set mobile policies and compliance rules, gain visibility into the mobile network, provide
control over mobile apps and data, and shield your network from mobile threats. App Controller works with Device
Manager to help provide managed apps to your unified app store. To configure connections to Device Manager, you
need to configure App Controller settings in Device Manager first.
Before you test the connection, you configure the following settings in App Controller:
Device Manager IP address or fully qualified domain name (FQDN)
Port on which App Controller and Device Manager communicate
Shared key that you configured on Device Manager
Instance path, which is the path for service providers that use the Multi-Tenant Console or XenMobile MDM
Cloud Edition. The default path is /zdm.
You can make the connections between App Controller and Device Manager secure. You can also require user device
enrollment with Device Manager.
After you configure settings in App Controller, test the connection in App Controller and Device Manager.
To configure connections to Device Manager
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click XenMobile MDM.
3. In the details pane, next to XenMobile Device Manager Configuration, click Edit.
4. In Host, enter the Device Manager IP address or FQDN.
5. In Port, leave the default of 80 or enter your own.
6. In Shared Key, enter the key you configured on Device Manager.
7. Select Allow secure access to secure the connection between App Controller and Device Manager.
8. Select Require Device Manager enrollment to require that all user devices are enrolled and managed by Device
Manager.
9. Click Test Connection to test the connection to Device Manager.
If the test fails, make sure your settings in App Controller and Device Manager match.
10. Click Save.
Enabling Connections Between Device Manager and App Controller
If you are using Device Manager with App Controller to provide apps to your Worx Home users, you will need to
configure the Device Manager server and App Controller to communicate.
For secure communication between Device Manager and App Controller, install secure signed certificates. App
Controller needs to initiate communication with Device Manager and App Controller must validate the server certificate
from Device Manager. When Device Manager initiates communication with App Controller, it needs to validate the
server certificate from App Controller. This handshake fails if the issuer of the certificate is not trusted on both systems.
If you select Allow Secure Communication in the App Controller management console, Device Manager communicates
with App Controller on a secure port (for example: 443). This secure communication requires public certificates on both
servers, and requires that the ports are open in both directions.
The communication between Device Manager and App Controller consists of RESTful API calls if the traffic occurs over port 80.
The typical communication is App Controller communicating with Device Manager that the user needs an application
from Worx Home. Device Manager could also contact App Controller to find out if App Controller exists and if the user is
part of an Active Directory group that synchronized with App Controller.
Note: To allow users to connect to Windows-based apps or virtual desktops, users must have Citrix Receiver installed on
their devices.
After you configure Device Manager and App Controller to communicate, you can then test the connection.
To configure Device Manager to connect to App Controller
Important: You must configure settings in Device Manager before configuring settings in App Controller.
1. Log in to the XenMobile Device Manager web console.
2. Click Options.
3. In the Options dialog box, select Modules Configuration > AppC Webservice API, and then enter the App Controller fully
qualified domain name (FQDN) and a shared key.
You will enter the same shared key in App Controller.
4. Select Enable App Controller.
Note: Do not click Test Connectivity until you have configured Device Manager settings in the App Controller
management console.
5. Click Save.
To configure App Controller to connect to Device Manager
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, click XenMobile MDM.
3. In the details pane, next to XenMobile Device Manager Configuration, click Edit.
4. In Host, enter the Device Manager IP address or FQDN.
5. In Port, leave the default of 80 or enter your own.
6. In Shared Key, enter the key you configured on Device Manager.
7. Select Allow secure access to secure the connection between App Controller and Device Manager.
8. Select Require Device Manager enrollment to require that all user devices are enrolled and managed by Device
Manager.
9. Click Test Connection to test the connection to Device Manager.
If the test fails, make sure your settings in App Controller and Device Manager match.
10. Click Save.
To test the connection between Device Manager and App Controller
When you finish configuring the connection in App Controller, you need to test the connection from Device Manager.
1. In the Device Manager web console, in the Options dialog box, select Modules Configuration > AppC Webservice API,
and then click Check connection to test communication between Device Manager and App Controller.
2. When Device Manager establishes the connection, click Close.
Maintaining and Monitoring App Controller
App Controller provides a System Configuration panel that allows you to create and modify App Controller settings.
When you configure App Controller in the management console for the first time, you configure additional network
settings, such as the administrator password and email address, host name, IP address, subnet mask, default gateway
and Domain Name Server (DNS) settings, Active Directory, Network Time Protocol (NTP) server, certificates, and
workflow email settings.
Note: You initially set the App Controller IP address, default gateway, DNS server, and NTP server by using the command
line. When the Configure dialog box opens, you can change these settings.
At a later time, you can access the System Configuration panel to configure or reconfigure the following settings:
Overview allows you to view the current system configuration of App Controller.
Deployment allows you to configure StoreFront or NetScaler Gateway settings for Citrix Receiver
deployments.
XenMobile MDM allows you to establish communication between App Controller and XenMobile Device
Manager by configuring a host, port, and shared key. You can also require that users enroll in Mobile Device
Manager. For details on how to generate the shared key, see the Device Manager documentation in eDocs.
GoToAssist integrates with App Controller to provide users with email, phone, or chat assistance.
Active Directory allows you to configure or edit Active Directory settings.
Certificates allows you to upload, export, and delete certificates. You can create a Certificate Signing
Request (CSR) and download trusted (.pem), server (.pem or .pfx), and SAML (.pem) certificates.
Branding allows you to add a custom logo for the organization that appears on the Worx Store or Worx
Home on devices running Receiver for iPhone or Receiver for iPad.
Network Connectivity allows you to change the App Controller host name, IP address, subnet mask, and default
gateway, to set Allow support access, which enables or disables Secure Shell (SSH) access, and to enable SSL
offloading to move SSL encryption and decryption tasks to terminate on a NetScaler Gateway virtual server
that you configure in the DMZ.
Domain Name Server allows you to configure up to two DNS servers and provide the domain names. If you
enter multiple domain names, use a comma to separate the names.
NTP Server allows you to configure an NTP server for the date, time, and time zone.
Workflow Email allows you to configure an email server, port, and email address, and to require user
authentication to approve user requests to applications.
Administrator allows you to change the App Controller administrator password. When you change the
password, it is changed in the management console and in the command-line console.
Release Management allows you upgrade to a new software version, install patches, and new application
connectors.
Receiver Email Template allows you to use a template to send to users that indicates where they can
download Citrix Receiver. You can automatically send the email to users, or you can manually send the
email to users. When you send the email, you can also send a CR (.cr) file that contains all the settings that
Receiver needs to connect to App Controller.
Store Credentials if you deploy App Controller with XenMobile Device manager, you must enter a user
name, password, and Android device ID for Google Play store.
Log Transfer allows you to transfer App Controller log files to a server in your network, to indicate the
frequency with which the files are transferred and archived, and to specify the type of log you want to
transfer.
Syslog allows you to transfer log files to remote syslog servers.
Receiver Updates allows you to configure how plug-ins are updated on the Windows-based device. You can
select Citrix (citrix.com) or Citrix Merchandising Server, or you can indicate that you do not want to check for
updates.
GoToAssist support options allow you to configure and modify GoToAssist support information.
To open the System Configuration panel, click the Settings tab.
Configuring System Settings by Using the Command-Line Console
You can also use the command-line console to configure some system settings. You can:
Configure the App Controller IP address, subnet mask, default gateway, DNS servers, and NTP server.
Configure high availability for primary and secondary App Controller virtual machines (VMs).
Configure an App Controller cluster. For more information, see Creating a Cluster.
Reset the App Controller server certificate.
Enable or disable SSH access.
Import or export the App Controller configuration.
Configure a web proxy server.
Use network utilities to troubleshoot App Controller.
Create a support bundle to send to support personnel.
Restart or shut down App Controller.
Creating Snapshots of the App Controller Configuration
A configuration snapshot represents all the App Controller settings and certificates at a specific time. If you saved a
snapshot from an earlier version of App Controller, you cannot import the snapshot to a more recent version of App
Controller. You can only import snapshots for the same version. For example, if you upgrade from App Controller 2.8 to
App Controller 2.9, you cannot import the Version 2.8 snapshot to Version 2.9.
When you install App Controller for the first time, App Controller creates a snapshot of the configuration automatically.
Then, you can take snapshots at different periods of time, such as after you add and configure apps, roles, categories
and workflow settings.
You can import a snapshot to App Controller. You can also export a snapshot and save it to your local computer.
When you export a snapshot, the name is generated automatically. The file type is BIN (.bin).
A benefit of the snapshot feature is that you can easily restore your configuration settings if, for example, you need to
reinstall App Controller. You can export a snapshot to your computer and then import the snapshot back to App
Controller. If the snapshot you import has a different network configuration, such as IP address, you can use the
command-line console to run Express Setup to change network settings.
You can use Release Management on the Settings tab in the management console to import and export snapshots.
You can also use the command-line console to import and export snapshots.
To export a snapshot
1. In the App Controller management console, click the Settings tab.
2. Under System Configuration, click Release Management.
3. In the details pane, under Updates, select a snapshot.
4. In the lower-right corner, click Export.
5. Click OK to save the file.
To import a snapshot
1. In the App Controller management console, click the Settings tab.
2. Under System Configuration, click Release Management.
3. In the lower-right corner, click Import.
4. In the Import snapshot dialog box, click Browse, navigate to the snapshot and then click Open.
5. Click Upload.
The snapshot uploads to App Controller and then App Controller restarts.
Updating App Controller
When new versions of the App Controller software are available, you can upgrade to a new version. You can also
update App Controller with new application connectors or a system patch.
Software updates can include the following:
New version of App Controller
App Controller service pack
App Controller system patch
Note: Before you install an App Controller update, take a snapshot of your system configuration. This allows you to restore
your settings if an issue occurs during the upgrade.
App Controller ships with a standard set of single sign-on (SSO) connectors that are included in the application
connector library. In addition to the standard set of connectors that are delivered as part of App Controller, you can
install connector library updates by installing connector packs. The connector pack can include application connectors
for new applications added to App Controller or modifications to existing connectors. Connectors can also be released
as part of a service pack, system patch, or a new release of App Controller.
You can install new versions of the App Controller software, new application connectors, or system patches by using the
Release Management option in the App Controller management console.
Important:
If your database is large, it can take a long time (10 minutes or more) for App Controller to restart. During
this time, do not restart App Controller as this might corrupt your database and require you to install a new
instance of App Controller.
If you deploy App Controller as a high availability pair, you upgrade the primary virtual machine (VM) first
and then the secondary VM. For more information, see Configuring High Availability.
When you install an upgrade, a patch, or you update the application connectors, and then you want to install
another patch, you must restart App Controller before installing the second patch.
To update App Controller
You can use this procedure to upgrade your existing App Controller deployment with new versions of the software,
install new application connectors, and install system patches that become available for App Controller.
1. In the management console, click the Settings tab.
2. Under System Configuration, click Release Management.
3. In the Release Management table, click Upgrade.
4. In the Upgrade dialog box, click Browse and then navigate to the installation package on your computer.
5. Click Open and then click Upload.
The file uploads to App Controller.
6. If prompted, restart App Controller.
App Controller might not require a restart after the update installs. In this case, a message indicates that the
update installation is successful.
Managing Citrix Receiver Updates
You can configure App Controller to update Citrix Receiver on Windows-based devices and Mac OS X computers. You
can configure Receiver updates by using the following methods:
Do not check for updates. Update services are not provided.
Citrix. Updates Receiver from the Citrix update service on Citrix.com. You can also select other plug-ins to
update from Citrix. These include:
NetScaler Gateway Plug-in
ShareFile for Outlook
ShareFile Sync
Citrix Merchandising Server. Updates all plug-ins installed on the user device from the Merchandising Server
that you specify.
If you configure StoreFront in Trust Settings, you cannot configure Receiver updates.
To configure Receiver updates
1. In the management console, click the Settings tab.
2. Under System Configuration, click Receiver Updates.
3. In the details pane, next to Manage Receiver Updates, click Edit.
4. In Get updates from, do one of the following:
a. To prevent Receiver updates, click Do not check for updates. This is the default setting.
b. Click Citrix (citrix.com). Under Citrix Update Options, in Include plug-ins, select the plug-ins for updates.
c. Click Citrix Merchandising Server. Under Merchandising Server Option, in Server, enter the fully qualified
domain name (FQDN) of the Merchandising Server.
5. Click Save.
To change the administrator password
When you log on to the App Controller management console for the first time, you enter the user name administrator
and the password, which is password. You can change the administrator password in the Configure dialog box when
you first log on by using a web browser.
You can also change the administrator password at a later time from the System Configuration panel.
Note: When you change the administrator password in the management console, the password also changes in the
command-line console.
1. Log on to the management console and then click the Settings tab.
2. Under System Configuration, click Administrator.
3. In the details pane, next to Administrator, click Edit.
4. In Old password, type the current password.
5. In New password and Confirm password, type the new password.
6. Click Save.
Changing System Settings by Using the Command-Line Console
You manage some system settings by using the App Controller command-line console. You can use the command-line
console from the Console tab in either XenCenter or in vSphere. If you enable Secure Shell (SSH) access, you can also
open any command prompt, such as PuTTY, and log on to App Controller. The following sections appear in the App
Controller command-line console:
Express Setup
With Express Setup, you can configure the basic network settings to enable App Controller to work within your network.
These settings include:
The App Controller IP address and subnet mask
The default gateway
The Domain Name Server (DNS)
The Network Time Protocol (NTP) server
For more information about using these settings, see Setting the App Controller IP Address for the First Time.
Clustering
You can install multiple instances of the App Controller virtual machine (VM) to create a cluster. One App Controller VM
acts as the cluster head. All other App Controller VMs in the cluster are called service nodes. Each service node has a
local database that is used by the service node only. Updating user information from the service node to the cluster
head requires writing to the database. A service node connects to the database on the cluster head by using a secure
channel.
Citrix recommends deploying two App Controller VMs in a high availability pair. Each VM is a cluster head. If one VM
fails, the secondary VM can act as the cluster head. Citrix also recommends using the gateway proxy to establish a
secure connection between the service node and the cluster head.
When you create the cluster head, you enter a shared key for the cluster. When you join additional VMs to the cluster,
you enter the shared key. For more information about clustering, see Creating a Cluster.
Note: Configure 4 VCPUs on the App Controller virtual machine that runs as the cluster head. You can set the VCPUs by
using properties in XenCenter, vSphere, or Hyper-V.
High Availability
With high availability, you configure the settings for the primary and secondary App Controller VMs. These settings
include:
The App Controller role (primary or secondary)
The IP address and shared key of the other App Controller VM
The option to start and stop the App Controller VM
The option to view the status of the App Controller VM
The option to enable or disable high availability
For more information about configuring high availability, see Configuring High Availability.
System Menu
With the System Menu, you can configure or view basic system settings that include:
The system date and time
The system disk usage
The option to enable or disable SSH access
The option to reset the test certificate
The option to import or export an App Controller configuration file
The option to configure a web proxy server
The option to restart and shut down App Controller
Troubleshooting
With Troubleshooting, you can access three tools that help you view network settings, view logs, and create a support
bundle that you can send to technical support. In Network Utilities, you can do the following:
View network information, including the loopback address.
Show the network routing table.
Show information from the Address Resolution Protocol (ARP) table.
Ping a network IP address or web site.
Display the network route and transit delay of packets by using traceroute.
Show DNS information by using DNS lookup.
Capture a network trace.
You can configure logs by using the Logging menu. In the Logging menu, you can:
Set class and group logging levels to include any of the following information:
Info
Warn
Debug
Fatal
Error
Reset the logging level to the App Controller default setting.
Create a new log file.
Show the log file.
You can also create a support bundle to send to technical support staff for evaluation.
To view the App Controller date and time
You can view the date and time in App Controller.
Note: Citrix recommends using a Network Time Protocol (NTP) server to set the date and time on App Controller.
1. Log on to the command-line console.
2. In the Main menu, type 3 and then press ENTER to open the System menu.
3. In the System menu, type 1 and then press ENTER.
The day, date, time, time zone, and year appear.
To view the system disk usage
When you install App Controller, 50 GB of disk space is allocated in XenServer for the App Controller VM. You can use
the command-line console to view how much disk space App Controller is using.
1. Log on to the command-line console.
2. In the Main menu, type 3 and then press ENTER to open the System menu.
3. In the System menu, type 2 and then press ENTER.
The system disk usage statistics appear.
Enabling or Disabling SSH Access
You can enable Secure Shell (SSH) access by using the command-line console. When you enable SSH access, you can log
on to App Controller from an application that supports SSH, such as PuTTY. You can also enable or disable SSH access
from the App Controller management console.
To enable or disable SSH access by using the command-line console
1. Log on to the command-line console.
2. In the Main menu, type 3 and then press ENTER to open the System menu.
3. In the System menu, type 3 and then press ENTER.
4. Do one of the following:
a. If SSH access is disabled, type y and then press ENTER to enable SSH access.
b. If SSH access is enabled, type y and then press ENTER to disable SSH access.
To enable or disable SSH access in the management console
1. In the App Controller management console, click the Settings tab.
2. In the left pane, under System Configuration, click Network Connectivity.
3. In the right pane, next to Network Connectivity, click Edit.
4. Click Allow support access and then click Save.
To reset the App Controller server certificate
You can use the command-line console to change the default server certificate in App Controller. When you reset the
certificate, App Controller removes the passphrase and the new certificate file overwrites the old certificate file. When
you reset the default certificate, you must restart App Controller.
1. Log on to the command-line console.
2. In the Main menu, type 3 and then press ENTER to open the System menu.
3. In the System menu, type 4 and then press ENTER.
4. When Reset Certificate appears, type y and then press ENTER.
The certificate resets.
5. Restart App Controller.
To restart or shut down App Controller by using the command-line console
You can restart or shut down App Controller by using the command-line console.
1. Log on to the command-line console.
2. In the Main menu, type 3 and then press ENTER to open the System menu.
3. Do one of the following:
a. To restart App Controller, in the System menu, type 8 and then press ENTER.
b. To shut down App Controller, in the System menu, type 9 and then press ENTER.
Monitoring App Controller
The App Controller Dashboard displays a summary of application and user access in App Controller. The Dashboard
refreshes information every minute. You can also refresh the data manually at any time.
You can review the following information:
Total number of users who log on, by Receiver type
Total number of sessions
Total number of configured applications in App Controller
Total number of applications started by users
The Apps Used counter shows data from the previous 24 hours. If you delete applications, the number of applications
configured might not be the same as the number of applications started. For example, if you configure 10 applications
and users start all 10, and then you delete 3 applications, all within 24 hours, the Dashboard shows 7 applications used,
but still shows 10 apps started. Refreshing the Dashboard does not affect this counter. App Controller removes deleted
applications automatically from the counter 24 hours after the last time users started the application.
You can configure App Controller to send log files to either a syslog server or to a server in your secure network. You
configure log settings in the App Controller management console as part of the system settings.
You can also use the command-line console to configure logs to troubleshoot issues that may arise with App Controller.
You can revert back to the default log level control, create a new log, or display the current log.
You can transfer information and audit logs to a syslog server or file server in your network. You can also transfer the
counters log to a file server in your network. If you select Audit, all logs are sent to the syslog server or file server. Audit
logs contain a chronological record of system activities for App Controller.
Administrator logs are stored in the file AdminAuditLogFile.txt. User logs are stored in the file UserAuditLogfile.txt.
If you deploy App Controller with StoreFront, the following user activities do not appear in the audit logs:
Subscribing to applications
Unsubscribing from applications
Logon
Logoff
Monitoring App Controller by Using the Dashboard
The App Controller Dashboard displays a summary of:
Total number of user logons. When you click the Total Logons icon, you can see a list of Receiver types and
the number of users who are currently logged on with each type. This counter does not show unique users.
For example, if a user logs on two times, both logons are shown in the total number. This counter shows
user logons from the following Receiver types:
Receiver for iOS
Receiver for Android
Receiver for Windows
Receiver for Mac
Receiver for Web
Total number of connected user sessions. This shows the total number of connected, active sessions. For
example, if a user logs on with Receiver for Web, the user session is shown in this section. The arrow next
to the total number shows if sessions are going up or down. This section does not contain any additional
information.
The number of apps in use per the total number of configured apps. When you click the Apps Used icon,
you see a list of all app types, such as Android, iOS, web and SaaS, web links, and ShareFile. This counter
shows the total number of apps started and the total number of configured apps. You can also see the
number of individual applications and how many times users started the app. When you click an individual
app icon, a table appears that shows the number of times users started the app.
The Dashboard refreshes every minute. This provides current information about App Controller in your network.
If you configure App Controller to transfer logs to a server in your network, you can also configure the log to contain the
counters from the Dashboard. App Controller logs the counters every hour.
To view the Dashboard
1. Log on to the App Controller management console.
2. Click the Dashboard tab.
Choosing Your Authentication Method
Before you install XenMobile components, you need to determine what authentication types you use to authenticate
users. XenMobile supports several authentication types. It is important to choose the authentication method you want to
configure before you deploy XenMobile; if you implement an authentication method for users and then change the
method after users enroll or you implement Worx PIN, they will need to enroll again.
XenMobile supports the following authentication types:
Active Directory or LDAP
Client certificate
Worx PIN
Two-factor authentication
You can configure the following authentication types for two-factor authentication:
Active Directory and Worx PIN
Active Directory and client certificate authentication
XenMobile 8.6 introduces support for client certificate authentication. Users can now authenticate their devices
seamlessly to XenMobile using client certificates, giving administrators the choice of authenticating their users using
Active Directory credentials or client certificates. By using client certificates, users will only need to use their own chosen
PIN number to log on with single sign-on (SSO) to any of the Worx-enabled apps.
Worx PIN also simplifies the user authentication experience. Worx PIN is used to secure a client certificate or save
Active Directory credentials locally on the device. If you configure Worx PIN settings in App Controller, when users start
Worx Home for the first time, they receive a prompt to enter a PIN, which caches the Active Directory credentials. When
users subsequently start Worx Home, WorxMail, or WorxWeb, they enter the PIN and log on. This simplifies the logon
process on the mobile device. For more information about configuring Worx PIN, see Configuring Worx PIN Options.
Citrix recommends using two-factor authentication for the highest security and recommends that you combine Worx PIN
with Active Directory and client certificate authentication, which allows for the security of two-factor authentication while
maintaining a streamlined user experience.
The XenMobile architecture supports the following authentication combinations:
Domain only (Worx PIN supported)
Security token only
Domain and security token (Worx PIN supported)
Client certificate only
Client certificate and domain (Worx PIN supported)
Client certificate and security token
User Experience with Client Certificate Authentication
When you deploy client certificate authentication in your XenMobile environment, as shown in the following figure, users
take the following consecutive steps:
1. Users install Worx Home from the App Store or Google Play.
2. Worx Home opens, and then users enter their user name and password or one-time PIN (OTP) and the system
validates the credentials with the XenMobile auto-discovery service.
3. Worx Home enrolls with Device Manager by using the user credentials, and the user certificate is installed to the
device.
4. Worx Home authenticates with NetScaler Gateway by using the user certificate.
5. Authentication is passed to App Controller.
6. NetScaler Gateway passes authentication to StoreFront.
Steps to Configure XenMobile Client Certificate Authentication
The topics in this section outline the eight procedures you need to follow consecutively to configure client certificate
authentication in your XenMobile environment.
1. Set up a Certificate Authority (CA) if the organization does not currently have a CA. The XenMobile infrastructure was
tested with the Microsoft Certificate Services.
2. Create a certificate template for XenMobile certificate requests on the Microsoft CA server.
3. Generate the XenMobile client certificate.
4. Create the XenMobile Microsoft CA payload configuration on the Device Management server.
5. Configure Device Manager to provide a user certificate to App Controller.
6. Configure NetScaler Gateway to accept client certificates.
7. Configure App Controller.
8. Configure StoreFront.
Set Up a Certificate Authority
The first procedure you need to complete to configure client certificate authentication in your XenMobile environment is to set
up a certificate authority (CA) if your organization does not currently have a CA.
Prerequisites
Microsoft Certificate Services running on Microsoft Windows 2008 Server R2. The XenMobile infrastructure
was tested with the Microsoft Certificate Services.
Port 443 (default) open from XenMobile Device Manager to the Microsoft Certificate Services server.
Microsoft KB 980436 patch installed on the Microsoft Certificate Services server.
Microsoft KB 953461 patch installed on Microsoft Certificate Services server on Windows 2008 Server
Enterprise.
Web enrollment for Microsoft Certificate Services enabled.
SSL enabled on Microsoft Internet Information Services (IIS).
IIS configured to accept client certificate authentication.
The client certificate in .p12 format which is used to authenticate.
To enable web enrollment for Microsoft Certificate Services
1. Go to Administrative Tools and select Server Manager on the server that will host the Certificate Authority.
2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
3. Select Add Role Services to install Certificate Authority Web Enrollment, if necessary.
4. Select Certificate Authority Web Enrollment and then click Next.
5. Click Close or Finish when the installation is complete.
Configure Microsoft IIS
1. Go to Administrative Tools and then click Server Manager.
2. Under Web Server (IIS), look under Role Services and then verify that Client Certificate Mapping Authentication and
IIS Client Certificate Mapping Authentication are installed. If not, install these role services.
3. Go to Administrative Tools and then click Internet Information Services (IIS) Manager.
4. In the left-hand pane of the IIS Manager window, select the server running the IIS instance for web enrollment and
then click Authentication.
5. Make sure Active Directory Client Certificate Authentication shows the status of Enabled and then click Sites.
6. In the right-hand pane, click Bindings and then add a site binding of the type https if one does not exist.
7. Go to the Default Web Site Home.
8. Click SSL Settings and then click Accept for Client Certificates.
In the next topic, follow the steps to create a certificate template for XenMobile certificate requests.
Create the Certificate Template for XenMobile Certificate Requests
The second procedure you need to complete to configure client certificate authentication in your XenMobile environment is to
create a certificate template for XenMobile certificate requests. You configure the template on the Microsoft CA server.
1. Open the MMC Console on the Microsoft CA server.
2. Add a Snap-In for Certificate Templates.
3. Open Certificate Templates.
4. Right-click the User template and then click Duplicate Template.
5. Select Windows 2003 Server, Enterprise Edition for the template type and then click OK.
6. In Template display name, enter a template name.
Note: Save the name that appears in Template name because you need it later in the configuration.
7. Click the Request Handling tab and then, in Purpose, specify Signature and encryption.
8. (Optionally) enable or disable the Allow private key to be exported check box.
9. Click Enroll subject without requiring any user input.
10. Click the Subject Name tab and then click Supply in the request.
11. In the notification dialog box, click OK.
12. Click the Security tab and then, under Permissions for Administrator, select Enroll to give permissions to a user
account that will be making the certificate requests from Device Manager.
13. Open MMC and add a Snap-In for Certification Authority.
14. Expand the CA server and then right-click Certificate Templates.
15. Click New and then click Certificate Template to Issue. Select the certificate template you created in the preceding
steps.
In the next topic, follow the steps to generate the XenMobile client certificate.
Generate the XenMobile Client Certificate
The third procedure you need to complete to configure client certificate authentication in your XenMobile environment is to
generate the XenMobile client certificate. You can request a certificate from any system in the domain. The domain account
must have local administrator rights to the system requesting a certificate from the Certificate Server.
1. Click Start and then click Run to open the command-line console.
2. Type MMC.
3. Click File > Add/Remove Snap-in.
4. In the Snap-in list, click Certificates as shown in the following figure.
5. Click Add, click OK and then click Finish.
6. Expand the Certificates – Current User option in the left window pane.
7. Expand the Personal folder.
8. Right-click Certificates and then click All Tasks.
9. Click Request New Certificate.
10. On the Certificate Enrollment screen, click Next.
11. Click Next again.
12. Scroll to the bottom of the Request Certificates list and then select the User check box in the lower left-hand corner.
13. Click Enroll and then click Finish. The certificate is now created. Next, you need to import the certificate into the
Device Manager server.
14. Right-click Certificate, select All Tasks and then click Export.
15. Click Yes, export the private key and then click Next.
16. Click Personal Information Exchange – PKCS #12 (.PFX), select Include all certificates in the certification path if
possible, select Export all extended properties and then click Next as shown in the following figure.
17. To protect the security of the private key for the certificate, enter a password and then click Next.
18. Browse to a location where you want to save the certificate with the extension .pfx and then click Next.
19. Click Finish and then click OK.
In the next topic, follow the steps to create the XenMobile Microsoft CA payload configuration.
Create the XenMobile Microsoft CA Payload Configuration
The fourth procedure you need to complete to configure client certificate authentication in your XenMobile environment is to
create the XenMobile Microsoft CA payload configuration on the Device Manager server.
1. Open the XenMobile admin console and then browse to XenMobile Server Options.
2. Expand the PKI section and then click Server certificates as shown in the following figure.
3. Click Upload a certificate.
4. On the Upload a Certificate Type page, enter the following:
a. Certificate Type: Keystore.
b. Keystore type: PKCS#12.
c. Keystore file: Upload a .pfx or .p12 certificate that was exported to the server.
d. Password: The password created with the certificate.
5. Click Upload. The certificate is now loaded into the XenMobile server.
6. Under PKI, click Entities.
7. Click New and then click New MS CertSrv entity as shown in the following figure.
8. The wizard menu opens. Enter the following:
a. Entity name: CA Server name.
b. Authentication type: Client certificate.
c. SSL client certificate: Select the client certificate that was uploaded.
9. Click the Templates tab.
10. Enter the template name from the Microsoft CA server.
11. Click the CA Certificates tab.
12. Click Add and then select the certificate. Use intermediate if available; if not, choose default CA and then click Add.
13. Click the CA Certificates tab again and then click Update. This opens the XenMobile Server Options screen for the
PKI entities option.
14. Under PKI, click Credential providers and then click New credential provider.
15. Click the CSR tab and then complete the following settings:
a. The Key Size must match the key length specified in the template that was created in the second procedure in
the client authentication configuration.
b. In Subject Name, specify CN=$user.username.
c. In Subject Alternate Names, click New alternative name and then specify the User Principal Name and a value
of $user.userprincipalname as shown in the following figure.
16. In Issuer, select the CA that is issuing the certificate and in Distribution mode, click Prefer centralized.
17. Click the Renewal tab.
18. Select Renew certificates when they expire.
19. Enter the number of days within renewal before expiration and then click Add.
The credential provider is now created. Next, you need to configure Device Manager to provide a user certificate to App
Controller.
Configure Device Manager to Provide a User Certificate to App Controller
The fifth procedure you need to complete to configure client certificate authentication in your XenMobile environment is to
configure Device Manager to provide a user certificate to App Controller.
1. In the Device Manager admin console, in XenMobile Server Options, expand Modules Configurations and then click
App Controller.
2. Complete the following settings:
a. Host Name of App Controller.
b. Shared Key.
c. Select Enable App Controller.
d. Select Deliver user certificate for authentication.
e. In Provider, select the provider you created in the fourth procedure in the client certificate authentication
configuration.
Next, you need to configure NetScaler Gateway to accept client certificates.
Configure NetScaler Gateway to Accept Client Certificates
The sixth procedure you need to complete to configure client certificate authentication in your XenMobile environment is to
configure NetScaler Gateway to accept client certificates.
1. Open NetScaler > Configuration.
2. Go to NetScaler Gateway > Virtual Servers.
3. Select the NetScaler Gateway virtual server that you want to configure and then click Open.
4. To import the CA certificate, click the Certificates tab. A list of the certificates appears in the left-hand column.
5. Select the root certificate that was added to NetScaler Gateway from the third-party CA and then click Add As CA
to add the CA to the Configured list on the right-hand side.
6. Click SSL Parameter.
7. In the Configure SSL Params dialog box, select Client Authentication.
8. In Client Certificate, select Mandatory and then click OK as shown in the following figure.
9. Next, configure a policy to use the client certificates. Click NetScaler Gateway > Policies > Authentication/Authorization
> Authentication > CERT.
10. Click Add to add the authentication server.
11. In User Name Field, make sure to use SubjectAltName:PrincipalName to get the UPN delivered and then click OK.
12. Create a second authentication policy for Active Directory credentials with a lower priority.
Next, you need to configure App Controller.
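The User Principal Name added as a Subject Alternate Name in the credential provider (the $user.userprincipalname value in the fourth procedure) and the SubjectAltName:PrincipalName user name field in the NetScaler CERT policy above refer to the same part of the certificate: an otherName entry of type 1.3.6.1.4.1.311.20.2.3 that carries the UPN as a UTF8String. The following Python is an added example, not XenMobile or NetScaler code: it builds that SubjectAltName extension value in DER for a constructed user, parses it back the way a gateway has to before it can apply the user name field, and selects the logon name. The sample UPN and e-mail address and the build_san, parse_san and logon_name names are assumptions made for the illustration.

```python
"""Build and parse the SubjectAltName value that carries a user's UPN.

Added illustration, not XenMobile or NetScaler code. The UPN otherName
type-id is the Microsoft szOID_NT_PRINCIPAL_NAME arc; sample values are
constructed.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # otherName type-id for a UPN


# ---- minimal DER helpers (only what SubjectAltName needs) ----

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """One tag-length-value triple in DER."""
    return bytes([tag]) + _der_length(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID: the first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the triple)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


# ---- SubjectAltName (RFC 5280 GeneralNames) ----

def build_san(upn=None, email=None):
    """SEQUENCE of GeneralName: otherName [0] for the UPN, rfc822Name [1] for e-mail."""
    names = b""
    if upn is not None:
        # otherName is [0] IMPLICIT, so its SEQUENCE tag becomes 0xA0; the
        # value is [0] EXPLICIT around a UTF8String (0x0C).
        inner = der_oid(UPN_OID) + der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))
        names += der_tlv(0xA0, inner)
    if email is not None:
        names += der_tlv(0x81, email.encode("ascii"))    # [1] IMPLICIT IA5String
    return der_tlv(0x30, names)


def parse_san(der_bytes):
    """Return the names found, keyed by the NetScaler-style field name."""
    tag, seq, _ = _read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = {}, 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                              # otherName
            _, oid_body, p = _read_tlv(body, 0)
            _, explicit, _ = _read_tlv(body, p)      # [0] EXPLICIT wrapper
            vtag, value, _ = _read_tlv(explicit, 0)
            if _decode_oid(oid_body) == UPN_OID and vtag == 0x0C:
                names["PrincipalName"] = value.decode("utf-8")
        elif tag == 0x81:                            # rfc822Name
            names["rfc822Name"] = body.decode("ascii")
    return names


def logon_name(names, user_name_field="SubjectAltName:PrincipalName"):
    """Pick the logon name the way a CERT policy's User Name Field does.

    Returns None when the certificate lacks that name: a gateway must then
    refuse the logon rather than fall back to another field.
    """
    source, key = user_name_field.split(":", 1)
    if source != "SubjectAltName":
        raise ValueError(f"unsupported user name field {user_name_field!r}")
    return names.get(key)


if __name__ == "__main__":
    san = build_san(upn="alice@corp.example", email="alice@corp.example")  # constructed
    print(san.hex())
    print(logon_name(parse_san(san)))
```

Because the template in the second procedure is set to Supply in the request, the CA issues whatever subject and SAN the credential provider puts in the CSR; the gateway's user name field is therefore only as trustworthy as the restrictions on who may enroll against that template, which is why the Security tab step grants Enroll to one dedicated account.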
Configure App Controller Connections to NetScaler Gateway
The seventh procedure you need to complete to configure client certificate authentication in your XenMobile environment is to
configure App Controller connections to NetScaler Gateway.
1. In the App Controller management console, click the Settings tab.
2. Under System Configuration, click Deployment.
3. In the details pane, under NetScaler Gateway, click Edit.
4. In Configure authentication from NetScaler Gateway if devices need to access App Controller remotely, select Yes to
allow remote users to connect.
Note: If this is the first NetScaler Gateway or virtual server you are configuring, this setting moves to Yes
automatically. If this is not the first NetScaler Gateway or virtual server you are configuring, you must manually select
Yes.
5. Click the plus (+) symbol to add an appliance. When you click the plus symbol, the fields in the next several steps
appear.
6. In Alias, type a name that is easily recognizable.
7. In Display name, type the NetScaler Gateway name.
8. In Callback URL and External URL, enter the NetScaler Gateway web address. For example, enter
https://mynetscalergateway.com.
You can specify the port number in the web address, such as https://mynetscalergateway.com:443.
When you add the web address to Callback URL, App Controller appends the URL automatically with the
NetScaler Gateway authentication service URL. For example, the URL appears as
https://NetScalerGatewayFQDN/CitrixAuthService/AuthService.asmx.
9. Optionally, in Logon type, select one of the following:
Domain only. This setting requires users to enter their Active Directory credentials.
Security token only. This setting requires users to enter the code from a security token, such as an
RSA token.
Domain and security token. This setting requires users to enter domain credentials and the code from
a security token.
Certificate. This setting requires a client certificate for authentication.
Certificate and Domain. This setting requires a client certificate and users to enter their Active
Directory credentials.
Certificate and security token. This setting requires a client certificate and for users to enter the code
from a security token, such as an RSA token.
10. Optionally, select the Do not require passwords check box if you do not want to require users to enter a password.
11. Optionally, select Set as default to make this NetScaler Gateway the default appliance.
Note: You cannot delete the default NetScaler Gateway. You can either disable NetScaler Gateway entirely or make
another NetScaler Gateway the default appliance.
12. Click Save.
13. In the left-hand menu, click Certificates and then ensure that you imported the root CA for your client certificates as
shown in the following figure.
In the next topic, follow the steps to configure StoreFront settings in NetScaler Gateway.
Configure StoreFront Settings in NetScaler Gateway
The last procedure you need to complete to configure client certificate authentication in your XenMobile environment is to configure StoreFront settings in NetScaler Gateway. To ensure a unified experience when you deploy StoreFront in conjunction with XenMobile, you need to configure an additional NetScaler Gateway virtual server for devices that run Citrix Receiver. NetScaler Gateway uses the STA token provided in the ICA file. No other authentication methods are necessary. You simply configure the appropriate authentication policies for the environment (such as LDAP and RADIUS) in the newly created virtual server. This implementation will allow the use of the second virtual server for additional items.
Prerequisites
An additional port is required through the firewall. This configuration uses port 8081. (You can also use an entirely different address depending on your environment.)
StoreFront points at the virtual server configured for this purpose.
StoreFront does not require knowledge of the certificate-enabled virtual server.
You must configure STA servers on both virtual servers.
This configuration assumes client certificate authentication is already configured on a separate virtual server.
1. Log on to NetScaler Gateway by using the Gateway Deployment type.
2. On the dashboard in the upper-right corner, click Create New NetScaler Gateway.
3. In Name, enter a name for the new virtual server.
4. In IP Address, enter a temporary placeholder. In this example, the IP address is used when the configuration is done. If you are using a separate IP address for the virtual server, you can enter the address here.
5. In Port, enter the port number to be used in production for the virtual server.
6. Click Choose Certificate, select a certificate for NetScaler Gateway and then click Continue.
7. In Primary Authentication, select an authentication type. In this case, we are unbinding this policy. Adjust the settings as appropriate for your environment. To allow only STA traffic, however, you can configure other policies for web traffic.
8. In App Controller FQDN, enter the fully qualified domain name (FQDN) from the XenMobile infrastructure and then click Done.
9. Click Configure NetScaler Gateway Appliances to edit the appliance settings.
10. In IP Address, modify the IP address of the new StoreFront virtual server to match the IP address of your client certificate virtual server, click OK and then click Save.
11. In Single Sign on Domain, modify your operating system session policy to match your single sign-on (SSO) domain (for example, Citrite) and then click OK.
Gathering XenMobile Logs and Support Bundles
If you experience issues with XenMobile components, such as App Controller, Device Manager, the MDX Toolkit, or with wrapped iOS or Android apps and policy enforcement, as well as user access to the apps, you can follow the advice in this section and in the XenMobile Logs Collection Guide to gather logs and support bundles to send to Citrix tech support for evaluation.
This section includes topics about the following:
Obtaining App Controller support bundles from the command line.
Gathering logs from NetScaler Gateway.
Collecting MDX Toolkit warnings and errors on Mac OS X computers.
Gathering logs on iOS and Android devices.
Configuring logging policies in App Controller for the Worx App diagnostic logging facility.
Obtaining App Controller Logs and Support Bundles
App Controller provides tools to help you gather information to solve issues that may arise with your deployment. You
can use the command-line console to obtain logs and support bundles.
From the Troubleshooting menu on the Main Menu of the command-line console, you can use the following tools:
[0] Back to Main Menu. Return to the main command-line menu.
[1] Network Utilities. View routing tables, network information, and use traceroute and the PING command to
check network connections.
[2] Logs. Configure log levels and download log reports to your computer.
[3] Support Bundle. Create a support bundle that contains system information, logs, database information,
core information, trace files, and the latest configuration information for App Controller. You can select either
the Secure Copy protocol (SCP) or the File Transfer Protocol (FTP) to transfer the support bundle to the
remote server for your support personnel.
Capturing Network Settings for Troubleshooting
You can use the command-line console to view the following network details:
Network information for each network adapter on App Controller
The App Controller routing table that lists routes to network destinations
The Address Resolution Protocol (ARP) table information for App Controller
Detection of other networks by using the PING command
Network routes by using traceroute
The DNS name associated with an IP address by using DNS lookup
A network trace to provide to technical support personnel
To view network information for App Controller
1. In the command-line console, on the Main menu, type 4 and then press ENTER to open the Troubleshooting menu.
2. In the Troubleshooting menu, type 1 and then press ENTER to open the Network Utilities menu.
3. In the Network menu, select one of the following options:
Type 1 to obtain network information about App Controller.
Type 2 to view the App Controller routing table.
Type 3 to view the Address Resolution Protocol (ARP) table.
Type 4 to open the ping utility.
Type 5 to trace the network route of an IP address.
Type 6 to find the DNS name associated with an IP address.
Type 7 to obtain a network trace.
4. Follow the command prompts for the selected option.
To return to the Troubleshooting menu, type 0.
Creating a Support Bundle for App Controller
If you have a problem with App Controller, you can create a support bundle to send to technical support staff for
evaluation. The support bundle contains the following information:
System information
App Controller logs
App Controller database information
App Controller core information
Trace files
App Controller most recent snapshot
To create a support bundle
1. In the App Controller command-line console, type 3 and then press ENTER to open the Troubleshooting menu.
2. In the Troubleshooting menu, type 3 and then press ENTER to open the Support Bundle menu.
3. In the Support Bundle menu, type 1, press ENTER and then follow the command prompts.
4. To encrypt the existing support bundle, type 2, press ENTER and then follow the command prompts.
When App Controller finishes creating the support bundle or overwriting a support bundle you previously created, you receive a message that contains the name of the support bundle. The name contains the date and time stamp, and the internal IP address of the appliance. The support bundle has the extension .support. For example, you might see the following as the name of the file: 20100823150921_10.199.240.168.support. The section 20100823 is the date, 150921 is the time, and 10.199.240.168 is the IP address. When you create a support bundle, you can then use the Secure Copy protocol (SCP) or the File Transfer Protocol (FTP) menu options to upload the bundle to a remote server for review by technical support staff.
To upload a support bundle by using either SCP or FTP
1. In the App Controller command-line console, type 4 and then press ENTER to open the Troubleshooting menu.
2. In the Troubleshooting menu, type 3 and then press ENTER to open the Support Bundle menu.
3. In the Support Bundle menu, type either 3 or 4, press ENTER and then follow the command prompts.
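The bundle file-name format described above can be parsed so that bundles can be indexed or sanity-checked before upload. The following Python is an added example and not App Controller code; parse_bundle_name, newest_bundle and the sample names other than the one on the page are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re

# <YYYYMMDDhhmmss>_<internal IPv4 address>.support, as in the example name above
BUNDLE_RE = re.compile(r"^(\d{14})_(\d{1,3}(?:\.\d{1,3}){3})\.support$")


@dataclass(frozen=True)
class BundleName:
    """The two facts a support bundle name encodes: creation time and appliance IP."""
    created: datetime
    appliance_ip: ipaddress.IPv4Address

    @property
    def created_iso(self) -> str:
        return self.created.isoformat()


def parse_bundle_name(name: str) -> BundleName:
    """Parse one file name; raise ValueError for anything not in the format."""
    m = BUNDLE_RE.match(name)
    if not m:
        raise ValueError(f"not a support bundle file name: {name!r}")
    stamp, ip = m.groups()
    # strptime rejects impossible timestamps such as month 13 or hour 25
    created = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    # IPv4Address rejects octets above 255 (AddressValueError is a ValueError)
    return BundleName(created, ipaddress.IPv4Address(ip))


def newest_bundle(names) -> str:
    """Return the most recently created bundle among names, ignoring other files."""
    parsed = []
    for n in names:
        try:
            parsed.append((parse_bundle_name(n).created, n))
        except ValueError:
            continue
    if not parsed:
        raise ValueError("no support bundle names found")
    return max(parsed)[1]


if __name__ == "__main__":
    b = parse_bundle_name("20100823150921_10.199.240.168.support")
    print(b.created_iso, b.appliance_ip)
```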
Configuring Logs by Using the Command-Line Console
You can use the command-line console to configure logs to troubleshoot issues that may arise with App Controller. You
can revert back to the default log level control, create a new log, or display the current log.
If you need to troubleshoot an issue, you can create logs for debugging by using class and group log levels. You set
these parameters with Citrix Technical Support personnel.
To configure logs by using the command-line console
1. In the command-line console, in the Main menu, type 4 and then press ENTER to open the Troubleshooting menu.
2. In the Troubleshooting menu, type 2 and then press ENTER to open the Logs menu.
3. In the Logs menu, do one of the following:
Type 3 to restore the default log level control, which is level 4.
Type 4 to create a new log file.
Type 5 to display the current log. When you select this option, you can then select how many lines (from 1 through 1,000) of the log you want to view.
To configure logging policies in App Controller
When you configure or edit policies for iOS and Android devices, you can configure the following set of logging policies.
Default log output
This policy applies to iOS apps. Determines which output mediums are the default Worx app diagnostic logging facilities. Possibilities are file, console, or both (file,console). Default value is file.
Default log level
Controls the default verbosity of the Worx App diagnostic logging facility. Each level includes levels of lesser values.
Range of possible levels includes:
0 - Nothing logged
1 - Critical errors
2 - Errors
3 - Warnings
4 - Informational messages
5 - Detailed informational messages
6 through 15 - Debug levels 1 through 10
Default is level 4 (Informational messages).
Note: After you change this option, users will have to reinstall the app to update the MDX policy.
Max log levels
Limits the number of log files retained by the Worx app diagnostic logging facility before rolling over. Minimum is 2.
Maximum is 8. Default value is 2.
Max log file size
Limits the size in megabytes (MB) of the log files retained by the Worx app diagnostic logging facility before rolling
over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
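To make the four policies concrete, this added Python example (not Citrix code; LoggingPolicy, RollingLog and rollover_demo are assumed names) validates the ranges given above, applies the rule that each level includes all lesser levels, and rolls log files over according to Max log levels and Max log file size.

```python
from dataclasses import dataclass
from pathlib import Path
import tempfile

# Names for levels 0..5 of the Default log level policy; 6..15 are Debug levels 1..10.
LEVEL_NAMES = {0: "Nothing logged", 1: "Critical errors", 2: "Errors", 3: "Warnings",
               4: "Informational messages", 5: "Detailed informational messages"}


def level_name(level: int) -> str:
    """Human-readable name for a policy level; raises for values outside 0..15."""
    if level in LEVEL_NAMES:
        return LEVEL_NAMES[level]
    if 6 <= level <= 15:
        return f"Debug level {level - 5}"
    raise ValueError(f"log level out of range 0..15: {level}")


@dataclass(frozen=True)
class LoggingPolicy:
    """The four policies with the page's defaults; ranges are enforced on creation."""
    log_output: str = "file"      # Default log output: file, console or file,console
    log_level: int = 4            # Default log level: 0..15, default Informational
    max_log_files: int = 2        # Max log levels: files retained before rollover, 2..8
    max_log_file_mb: int = 2      # Max log file size in MB, 1..5

    def __post_init__(self):
        outputs = set(self.log_output.split(","))
        if not outputs <= {"file", "console"}:
            raise ValueError(f"log output must be file, console or file,console: {self.log_output!r}")
        level_name(self.log_level)  # raises if out of range
        if not 2 <= self.max_log_files <= 8:
            raise ValueError("Max log levels must be between 2 and 8")
        if not 1 <= self.max_log_file_mb <= 5:
            raise ValueError("Max log file size must be between 1 and 5 MB")

    def should_log(self, message_level: int) -> bool:
        """Each level includes all lesser levels; level 0 logs nothing at all."""
        return 1 <= message_level <= self.log_level


class RollingLog:
    """Writer that rolls over when the file would exceed Max log file size and
    keeps at most max_log_files files (log.txt, log.txt.1, ...), dropping the oldest."""

    def __init__(self, policy: LoggingPolicy, directory: Path, name: str = "log.txt"):
        self.policy = policy
        self.path = Path(directory) / name
        self.limit = policy.max_log_file_mb * 1024 * 1024

    def _numbered(self, i: int) -> Path:
        return self.path.with_name(f"{self.path.name}.{i}")

    def _rollover(self) -> None:
        keep = self.policy.max_log_files
        if self._numbered(keep - 1).exists():
            self._numbered(keep - 1).unlink()          # oldest file is discarded
        for i in range(keep - 2, 0, -1):               # shift .i -> .(i+1)
            if self._numbered(i).exists():
                self._numbered(i).rename(self._numbered(i + 1))
        if self.path.exists():
            self.path.rename(self._numbered(1))

    def write(self, message_level: int, text: str) -> bool:
        """Append one line if the policy admits it; return whether it was written."""
        if not self.policy.should_log(message_level):
            return False
        line = f"[{level_name(message_level)}] {text}\n".encode()
        if self.path.exists() and self.path.stat().st_size + len(line) > self.limit:
            self._rollover()
        with self.path.open("ab") as f:
            f.write(line)
        return True

    def files(self) -> list:
        return sorted(p.name for p in self.path.parent.glob(self.path.name + "*"))


def rollover_demo(policy: LoggingPolicy, n_writes: int, size: int) -> list:
    """Write n_writes Error lines of `size` bytes to a temp directory; return the files left."""
    log = RollingLog(policy, Path(tempfile.mkdtemp()))
    for _ in range(n_writes):
        log.write(2, "x" * size)
    return log.files()


if __name__ == "__main__":
    default = LoggingPolicy()
    for lvl in (1, 4, 5, 6):
        print(lvl, level_name(lvl), "logged" if default.should_log(lvl) else "suppressed")
    print(rollover_demo(LoggingPolicy(max_log_file_mb=1, max_log_files=3), 4, 600_000))
```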
To configure logging policies for an app
1. In the management console, click the Apps & Docs tab.
2. In the navigation pane, click Android Apps or iOS Apps.
3. In the right pane, click the mobile app for which you want to configure the logging settings.
4. In the dialog box, click the pencil icon to edit the settings.
5. In the Mobile Apps Details dialog box, change the settings you want and then click Next to edit the policy settings.
6. Finish changing your settings and then click Save.
To configure a syslog server in App Controller
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, under System Configuration, click SysLog. You may need to scroll.
3. In the details pane, next to SysLog, click Edit.
4. In Server, enter the path to the server where you want to store the log files.
You can use either the host name or the IP address.
5. In Port, accept the default port number of 514 or enter the port number for your syslog server.
6. In Facility, select the number to correspond with the part of the system from which the message originates.
7. Select either Info or Audit logs or select both options and then click Save.
Info logs are actions taken by App Controller. This level is useful for troubleshooting problems.
Audit logs contain a chronological record of system activities for App Controller.
Note: If you select both options, the logs contain all of the App Controller action information, as well as the
chronological record of system activities.
To transfer logs to a network server
1. In the App Controller management console, click the Settings tab.
2. In the navigation pane, under System Configuration, click Log Transfer.
3. In the details pane, next to Log Transfer, click Edit.
4. In Server, type the path to the server in your network on which you want to store the logs.
5. In User name, enter the email address of the administrative account of the log server.
6. In Password and Confirm password, type the password for the administrative account.
7. In Transfer protocol, select the network protocol with which to transfer the logs.
8. In Port, enter the port number for the server in your network.
9. In Remote Directory, type the path to the directory of the server on which you want to store the logs.
10. In Archive Frequency (hours) and Transfer Frequency (hours), enter the number of hours between log transfers.
11. Select Transfer archived log files automatically to transfer the files to the server automatically.
12. In Log Type, select one, some, or all of the following options:
Audit
Counters
Info
Note: If you select Audit, the Counters and Info logs are also sent to the network server.
13. Click Save.
Collecting Logs
You can configure audit logs on NetScaler Gateway to collect information about events that generate a message, a time stamp, message type, and predefined log levels and message information. You can also acquire compression statistics for NetScaler Gateway if you configure TCP compression. For details, see Configuring Auditing on NetScaler Gateway.
To enable NetScaler Gateway Plug-in logging to log all errors to text files that are stored on user devices and where to locate the files, see Enabling NetScaler Gateway Plug-in Logging.
Gathering Logs for the MDX Toolkit on Mac OS X Computers
When you run the MDX Toolkit, the tool automatically saves a log file to the following location: Applications > Citrix > MDXToolkit > Logs > Citrix.log. By default, the tool saves warnings and errors in the log. If an error occurs, a command line with arguments appears at the end of the log. You can copy the command line and run it in Terminal. When you use the command-line tool to run the wrapping process, you can specify the log file location, log display level, and log write level in the command line. You can also specify verbose logging level and a different log file in the command line. The command line provides more troubleshooting options than the MDX Toolkit.
Note: The command-line tool supports iOS apps only.
You can use the following steps to look for and resolve problems with wrapping iOS apps.
1. In Applications > Citrix > MDXToolkit > Logs, click Citrix.log.
2. In Applications > Utilities, click Terminal to use the Mac command-line interface to evaluate the command. You may need to refer to the app requirements to evaluate the error.
Gathering Logs on iOS and Android Devices
Logs can help you troubleshoot issues with apps. In most cases, you collect the logs and then email the files as a .zip file to Citrix support, or to your help desk or technical support representative so they can debug the issue and find a solution. This section provides steps for collecting logs from iOS and Android devices.
Collecting App Logs on iOS Devices
On iOS devices, you collect logs for an app from within Worx Home.
1. Log on to Worx Home and then tap the > icon.
2. On the Support screen, tap the mail icon.
3. In Choose App, select the app with which you need help.
Important: If you choose a managed MDX app, you must have a native email client installed in order to send logs for the app.
4. In Request Help from Support, enter the email address to which you want to send the attached logs.zip file and then tap Send.
When the email arrives, if you selected an MDX app, the email contains two attachments:
Logs.zip. This attachment contains logs related to Worx Home.
<app name>.zip. This attachment contains logs related to the MDX app.
Collecting App Logs on Android Devices
On an Android device, you can collect logs from Worx Home or from the command line. Then, you can send the files to Citrix support for help with troubleshooting a problem with an app.
To collect logs from Worx Home
1. Open Worx Home.
2. Tap the > icon on the top-right of the screen.
3. Tap the Support Email icon.
4. Click the app for which you want to send logs and then click the email application to send the file. When the email arrives, it should contain two attachments, WorxHome.zip and <app name>.zip, where <app name> is the name of the app you selected.
To collect logs from the command line
1. Install the Android Debug Bridge from the Android Developer web site.
2. Enter the following command to clear existing logs: adb logcat -c
3. Reproduce the issue.
4. Enter the following command to capture the logs in a file: adb logcat -d > Name_of_Log_File.txt
Collecting App Failure Logs for iOS Devices
When you experience a problem with an app on your iOS device, you can use iTunes on your computer to gather the failure logs, or you can gather the logs directly from your device. You can then email the files to Citrix support.
To collect failure logs from iTunes
1. On a Mac OS X computer, do the following:
a. Open iTunes and then under Devices, in the Summary screen, click Sync.
b. In Finder, navigate to ~/Library/Logs/CrashReporter/MobileDevice/ where "~" is your Home folder.
2. On a Windows-based computer, do the following:
a. Click Start, click Run and then in Open, type %userprofile%\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\<device name>, where <device name> is the name of your device; for example, ipad-bddd0852b.
Note: The AppData folder is hidden by default on a Windows-based computer.
b. Select all *.crash files for the problematic app, archive and then email the files to Citrix Support for further analysis.
To collect failure logs from the device
1. On your iOS device, in Settings, tap General and then tap About.
2. Tap Diagnostic & Usage Data.
3. Tap LatestCrash.plist to open the log.
Note: You may need to gather related crash logs for Worx Home, WorxMail, Citrix Receiver and so on in order to investigate the issue.
4. Double tap the LatestCrash.plist log, tap Select All and then tap Copy to copy the log.
Note: The Select All option is not available on iOS 7 or later.
5. Open WorxMail or the native email app on the device and then paste in the log by double tapping the message content area.
6. Tap the Send button to email the log.
Collecting System Logs on iOS Devices
You can collect system logs on iOS devices either by using the iPhone Configuration Utility tool or Xcode. You can then email the files to Citrix support for help troubleshooting issues with apps.
To use a Configuration Utility tool to collect system logs on iOS devices
1. Download and install the iPhone Configuration Utility tool from Apple. You can use the tool on both the iPhone and iPad.
2. Ensure that your device meets the system requirements and supported languages.
3. Run the installer and follow the prompts to complete the wizard.
4. Open the Configuration Utility tool.
5. Under Devices, click your device.
6. Click Console and then click Clear to clear existing logs.
7. Reproduce the issue, click Save Console As and then attach and email the logs to support.
To use Xcode to collect logs on iOS devices
1. Download Xcode from the Apple store to your Mac OS X computer.
2. Connect your iOS device to your computer and then open Xcode.
3. Click Window and then click Organizer.
4. In the Organizer window, click Devices.
5. Under iPad, click Console to view the console logs.
Note: The Device Logs pane in the Organizer contains information about app failures. You might have to unplug your device and plug it again to refresh the list.
6. Click Clear to clear existing logs.
7. Reproduce the issue.
8. Click Save Log As to save the log and then email the attachment to support.
Collecting Advanced Debugging Logs for iOS and Android Devices
You can use iExplorer on your computer to collect advanced logs for your iOS device. To collect the logs for an Android device, you can use the device itself.
To collect advanced debugging logs for an iOS device
1. Install the iExplorer tool on your computer.
2. Connect your device to the computer and then open the tool.
3. In the left-hand menu, click to expand Apps.
4. Select the required app for which you need the logs, browse to the /tmp folder and then upload the "CitrixMAM.config" file into the /tmp folder.
5. Reproduce the issue.
6. In iExplorer, right-click the /tmp folder, click Refresh and then close and reopen the /tmp folder.
7. Export the CtxMAM.log file from the /tmp folder and then email the file to support.
To collect advanced debugging logs for an Android device
1. Log on to Worx Home and then tap the > icon.
2. Tap the menu icon at the top-left of the screen.
3. Optionally, switch Advanced Logs to On.
4. On the Support screen, tap the mail icon.
5. Select an email client.
6. Enter the email address to which you want to send the logs.
7. After debugging is complete, switch Advanced Logs to Off to avoid slower app response times.
Enrolling Users and Devices
In order to get users' devices under management, you need to enroll the devices into Device Manager. You first install the Device Manager client software on the user device, authenticate the user's identity, and then install Device Manager and the user's profile, so you can manage the device remotely and securely. After the devices are enrolled, you can perform device management tasks, such as applying policies, deploying applications, pushing data to the device, locking, wiping, locating lost or stolen devices, and more.
To enroll users, you must first add users to Device Manager if you have not yet established an Active Directory connection. The topics in this section describe the subsequent required steps for enrolling users:
Configure enrollment modes - Default, SHP.
Configure notification servers - SMTP and SMS.
Configure the enrollment notification template.
Send enrollment notification.
Note: Before you can enroll iOS device users, you need to request an APNs certificate. See Requesting an APNS Certificate for more information.
Enrolling iOS and Android Users with Worx Home
In order to use XenMobile Device Manager to manage user devices remotely and securely, the devices need to be enrolled into Device Manager. Users first install Worx Home on their device and authenticate their user credentials. After the devices are enrolled, you can perform device and app management tasks, such as applying policies, deploying apps, pushing data to the device, locking, wiping, locating lost or stolen devices, and more.
This section describes the steps for enrolling users with iOS or Android devices. For information about enrolling users with other platforms, such as Windows Phone 8, Windows 8, Windows Mobile, and Symbian.
Note: Before you can enroll iOS device users, you need to request an APNS certificate.
To install Worx Home and enroll an iOS device
1. Download the Worx Home app from the Apple iTunes App Store on the device and then install the app on the device.
2. On the iOS device Home screen, tap the Worx Home app to start it.
3. When the Worx app opens, enter your corporate credentials, such as the name of your company's Device Manager server name, User Principal Name (UPN), or your email and then click Next.
4. Type your user name and password. A browser launches to begin the enrollment process.
5. Tap Install to install the Citrix Profile Service.
6. Tap Install Now if prompted with a warning message.
7. If your device is configured with a passcode, you will be prompted to enter your passcode to install the profile.
8. Tap Install.
9. When the profile installation finishes, tap Done to complete the Company profile installation process.
10. When Worx Home appears, tap Yes to allow Worx Home to use your current location.
11. Depending on the way XenMobile is configured, you may be asked to create a Worx PIN, which you can use to sign on to Worx Home and other Worx-enabled apps, such as WorxMail, WorxWeb, ShareFile, and more. You will need to enter your Worx PIN twice. Worx Home opens. You can then access the Worx Store to view the apps you can install on your iOS device.
12. Tap Worx Store to open the enterprise app store.
13. If your administrator has configured XenMobile to automatically push apps to your device after enrollment, messages appear prompting you to install the apps. Tap Install to install the apps.
To unenroll and re-enroll an iOS device
When a device is re-enrolled, it is first unenrolled. During the period in which the device is unenrolled but not yet re-enrolled, the device is not managed by Device Manager, although it continues to appear in the device inventory list. The device cannot be tracked and its compliance cannot be monitored when it is not being managed by Device Manager.
1. Tap to open the Worx Home app.
2. Tap the Settings icon in the upper left of the app window.
3. Tap Re-Enroll. A message appears to confirm you want to re-enroll your device.
4. Tap Yes. This causes your device to be unenrolled.
5. Follow the on-screen instructions to re-enroll your device.
To install Worx Home and enroll an Android device
1. Go to the Google Play or Amazon App store on your device and download the Citrix Worx Home app. Tap the app to open it.
2. When prompted to install the app, click Next and then click Install.
3. After Worx Home installs, tap Open.
4. Enter your corporate credentials, such as the name of your company's Device Manager server name, User Principal Name (UPN), or email address and then click Next.
5. In the Activate device administrator screen, tap Activate.
6. Enter your corporate password and then tap Sign On.
7. Depending on the way XenMobile is configured, you may be asked to create a Worx PIN, which you can use to sign on to Worx Home and other Worx-enabled apps, such as WorxMail, WorxWeb, ShareFile, and more. On the Create Worx PIN screen, enter a PIN consisting of any series of six numbers.
8. Reenter the PIN. You are now enrolled. Tap the Worx Store to access your corporate app store, as well as Worx-enabled apps, such as WorxMail, WorxWeb, ShareFile, and more.
To unenroll and re-enroll an Android device
When a device is re-enrolled, it is first unenrolled. During the period in which the device is unenrolled but not yet re-enrolled, the device is not managed by Device Manager, although it continues to appear in the device inventory list. The device cannot be tra