XenMobile Service

1999-2017 Citrix Systems, Inc. All rights reserved.


XenMobile Service

Sep 08, 2017

The Citrix Cloud XenMobile Service, previously called XenMobile Cloud, offers a XenMobile enterprise mobility management (EMM) environment for managing apps, devices, users, and groups of users. Citrix hosts the Cloud environment in data centers located throughout the world to deliver high performance, rapid response, and support.

With XenMobile Service, you pay a subscription fee instead of purchasing and managing licenses. Citrix Cloud Operations handles various infrastructure and monitoring tasks, freeing you to focus on the user experience and on managing devices, policies, and apps. The following table summarizes those responsibilities.

Components and tasks / Responsibility

- XenMobile Server nodes
- NetScaler Gateway initial integration and configuration
- NetScaler Load Balancer
- Database
- Citrix Cloud Connector software configuration
- SAML authentication integration with ShareFile
- XenMobile site monitoring: Instance, database, enterprise connectivity (LDAP), VPN Tunnel (if applicable), public SSL certificate, XenMobile licensing
- NetScaler Gateway management and updates (if NetScaler Gateway is on-premises)
- Machines where Cloud Connectors are installed
- LDAP/Active Directory
- DNS

Customer

- ShareFile: Initial ShareFile configuration, on-premises StorageZone Controller installation, ShareFile updates

- XenMobile configuration: Policies, apps, actions, delivery groups, and so on

You connect to XenMobile Service through Cloud Connector, which serves as a channel for communication between Citrix Cloud and your resource locations. Cloud Connector enables cloud management without requiring any complex networking or infrastructure configuration such as VPNs or IPsec tunnels. Resource locations contain the resources required to deliver services to your subscribers. For XenMobile Services, resource locations are your LDAP, DNS, and PKI servers.

XenMobile Deployment Handbook: Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your XenMobile environment, including reference architecture diagrams for XenMobile Service, see the XenMobile Deployment Handbook.

XenMobile Server documentation: The XenMobile Server documentation covers the latest on-premises release of XenMobile Server. For details about using the XenMobile console, see the articles under XenMobile Server. Citrix notifies you when the What's new articles for XenMobile Service are updated for a new release.

Note

- The Remote Support client is not available in XenMobile Service versions 10.x for Windows CE and Samsung Android devices.
- XenMobile Service server-side components are not FIPS 140-2 compliant.
- Citrix does not support syslog integration in XenMobile Service with an on-premises syslog server. Instead, you can download the logs from the Support page in the XenMobile console. When doing so, you must click Download All to get system logs. For details, see View and analyze log files in XenMobile.

Resource locations

Place resource locations where they best meet your business needs, such as in a public cloud, in a branch office, private cloud, or a data center. Factors that determine the choice of location include:

- Proximity to subscribers
- Proximity to data
- Scale requirements
- Security attributes

You can build any number of resource locations. For example, you might:

- Build a resource location in your data center for the head office based on subscribers and applications that require proximity to the data.
- Add a separate resource location for your global users in a public cloud. Alternatively, build separate resource locations in branch offices to provide the applications best served close to the branch workers.
- Add a further resource location on a separate network that provides restricted applications. This setup provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.

Cloud Connector

Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Cloud Connector establishes connections to Citrix Cloud. Cloud Connector doesn't accept incoming connections.

If you require a micro VPN, you must use an on-premises NetScaler with Cloud Connector. Cloud Connector, along with NetScaler Gateway and your servers for Exchange, web apps, Active Directory, and PKI reside in your data center. Mobile devices communicate with XenMobile Service and your on-premises NetScaler Gateway.

The following diagram shows the basic architecture when using Cloud Connector with XenMobile Service.

For more information, see Cloud Connector.

Onboarding

The following figure shows the onboarding steps.

When you are evaluating or purchasing XenMobile Service, the XenMobile Service Operations team provides ongoing onboarding help. The Operations team also communicates with you to ensure that the core XenMobile Services are running and configured correctly.

To sign up for a Citrix account and request a XenMobile Service trial, contact your Citrix Sales Representative. When you're ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears. Next to XenMobile Service, click Request Trial.

The button then changes to Trial Requested. You receive an email to notify you when your trial becomes available.

While waiting for the trial, be sure to prepare for your XenMobile Service deployment by reviewing Cloud Connector. Although Citrix hosts and delivers your XenMobile Service solution, some communication and port requirements still apply. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for XenMobile Service changes to Manage, which opens a wizard. Follow the instructions in that wizard to configure your connection to XenMobile Service. The following diagram shows the first screen that you see when starting a trial.

To complete the setup for Cloud Connector, you need:

- An available subnet address for the XenMobile Service network.
- At least two Windows Server 2012 R2 or Windows Server 2016 machines that are joined to your Active Directory domain. The wizard guides you through installing Cloud Connector on those machines.

For more information, see Cloud Connector.

Link an existing ShareFile account to Citrix Cloud

If you have a ShareFile account that existed before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the ShareFile account.

When you're ready to proceed, go to https://onboarding.cloud.com. After you log in, a screen similar to the following appears.

In the ShareFile tile, choose Link Account. After we confirm your ShareFile account, the following page appears:

Click Link Account to complete the process. You can immediately manage your ShareFile account from within Citrix Cloud.

Port requirements

To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following tables list the ports that must be open.

Open ports for NetScaler Gateway to manage XenMobile Service

Open the following ports to allow user connections from Citrix Secure Hub and Citrix Receiver through NetScaler Gateway to the following components:

- XenMobile
- StoreFront
- Other internal network resources, such as intranet websites

For more information about NetScaler Gateway, see Configuration Settings for your XenMobile Environment in the NetScaler Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler Communicates with Clients and Servers in the NetScaler documentation. That section includes information about the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

TCP port, description, source, and destination:

- 53 (TCP and UDP): Used for DNS connections. Source: NetScaler Gateway. Destination: DNS server.
- 80/443: NetScaler Gateway passes the micro VPN connection to the internal network resource through the second firewall. Source: NetScaler Gateway. Destination: Intranet websites.
- 123 (TCP and UDP): Used for Network Time Protocol (NTP) services. Source: NetScaler Gateway. Destination: NTP server.
- 389: Used for insecure LDAP connections. Source: NetScaler Gateway. Destination: LDAP authentication server or Microsoft Active Directory.
- 443:
  - Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. Source: Internet. Destination: NetScaler Gateway.
  - Used for connections to XenMobile for web, mobile, and SaaS app delivery. Source: Internet. Destination: NetScaler Gateway.
  - Used for Cloud Connector communication LDAP, DNS, PKI & Citrix Receiver enumeration. Source: Cloud Connector Servers. Destination: https://*.citrixworkspacesapi.net, https://*.cloud.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net
- 636: Used for secure LDAP connections. Source: NetScaler Gateway. Destination: LDAP authentication server or Active Directory.
- 1494: Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. Source: NetScaler Gateway. Destination: XenApp or XenDesktop.
- 1812: Used for RADIUS connections. Source: NetScaler Gateway. Destination: RADIUS authentication server.
- 2598: Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. Source: NetScaler Gateway. Destination: XenApp or XenDesktop.
- 3268: Used for Microsoft Global Catalog insecure LDAP connections. Source: NetScaler Gateway. Destination: LDAP authentication server or Active Directory.
- 3269: Used for Microsoft Global Catalog secure LDAP connections. Source: NetScaler Gateway. Destination: LDAP authentication server or Active Directory.
- 8443:
  - Used for enrollment, XenMobile Store, and mobile app management (MAM). Source: NetScaler Gateway. Destination: XenMobile.
  - Secure Ticket Authority (STA) port used for Secure Mail authentication token. Source: NetScaler Gateway. Destination: XenMobile.
- 4443: Used for accessing the XenMobile console by an administrator through the browser. Source: Access point (browser). Destination: XenMobile.

Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

TCP port, description, source, and destination:

- 443:
  - Used for enrollment and agent setup for Android and Windows Mobile. Source: Internet. Destination: XenMobile.
  - Used for enrollment and agent setup for Android and Windows devices, the XenMobile web console, and MDM Remote Support Client. Source: Internal LAN and WiFi.
- 5223: Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. Source: iOS devices on WiFi networks. Destination: Internet (APNs hosts using the public IP address 17.0.0.0/8).
- 8443: Used for enrollment of iOS and Windows Phone devices. Source: Internet, LAN and WiFi. Destination: XenMobile.

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note: ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

- Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
- Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:

FQDN: discovery.mdm.zenprise.com

IP address:

- 54.225.219.53
- 54.243.185.79
- 107.22.184.230
- 107.20.173.245
- 184.72.219.144
- 184.73.241.73
- 54.243.233.48
- 204.236.239.233
- 107.20.198.193

XenMobile Service technical security overview

Citrix Cloud manages the control plane for XenMobile environments, including the XenMobile Server, NetScaler load balancer, and a MySQL database. The cloud service integrates with a customer data center using Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage NetScaler Gateway in their data centers. The following figure illustrates the service and its security boundaries.

Note

This information:

- Is intended to provide an introduction to and overview of the security functionality of Citrix Cloud.
- Defines the division of responsibility between Citrix and customers for securing the Citrix Cloud deployment.
- Is not intended to serve as configuration and administration guidance for Citrix Cloud or any of its components or services.

Data flow

The control plane has limited read-access to user and group objects from a customer directory and other services such as DNS. The control plane accesses those services over Citrix Cloud Connector, which uses secure HTTPS connections.

Company data, such as email, intranet, and web-app traffic, flows directly between a device and the application servers over NetScaler Gateway. NetScaler Gateway is deployed in the customer data center.

Data isolation

The control plane stores metadata needed for managing user devices and their mobile applications. The service itself consists of a mix of multi- and single-tenant components. However, per the service architecture, customer metadata is always stored separately for each tenant and secured by using unique credentials.

Credential handling

The service handles the following types of credentials:

- User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The control plane validates these credentials with a directory in the customer directory over a secure connection.
- Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This process generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the service.
- Active Directory credentials: The control plane requires bind-credentials to read user meta-data from Active Directory. These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.

Deployment considerations

Citrix recommends that you consult the published best practices documentation for deploying NetScaler Gateway within your environments.

More information

See the following resources for more security information:

- Citrix Security Site: http://www.citrix.com/security
- Citrix Cloud Documentation: Secure Deployment Guide for the Citrix Cloud Platform
- Secure Deployment Guide for NetScaler: http://support.citrix.com/article/ctx129514
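An added example (not Citrix code) for the port requirements above: it checks an exported egress allowlist, evaluated first-match with a default deny, against the ADS and Cloud Connector destinations on TCP 443 that the port tables list. The rule format and the sample rules are constructed assumptions; the FQDNs and IP addresses are the ones given on this page.

```python
"""Audit an egress allowlist against the ADS and Cloud Connector destinations on TCP 443."""
import ipaddress
from fnmatch import fnmatchcase

# Destinations copied from the port tables on this page.
ADS_FQDN = "discovery.mdm.zenprise.com"
ADS_IPS = [
    "54.225.219.53", "54.243.185.79", "107.22.184.230", "107.20.173.245",
    "184.72.219.144", "184.73.241.73", "54.243.233.48", "204.236.239.233",
    "107.20.198.193",
]
CLOUD_CONNECTOR_HOSTS = [
    "*.citrixworkspacesapi.net", "*.cloud.com",
    "cwsproduction.blob.core.windows.net", "*.servicebus.windows.net",
]

# Constructed sample export (hypothetical format): ordered rules, first match wins.
# "dest" is either a CIDR block or a host pattern enforced by a name-aware firewall or proxy.
SAMPLE_RULES = [
    {"action": "deny", "dest": "107.20.198.193/32", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "54.224.0.0/11", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "107.20.0.0/14", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "184.72.0.0/15", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "discovery.mdm.zenprise.com", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "*.cloud.com", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "cwsproduction.blob.core.windows.net", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "*.servicebus.windows.net", "proto": "tcp", "port": 443},
]


def rule_matches(rule, target, proto="tcp", port=443):
    """True if the rule applies to traffic for target on proto/port."""
    if rule["proto"] != proto or rule["port"] != port:
        return False
    try:
        network = ipaddress.ip_network(rule["dest"], strict=False)
    except ValueError:
        network = None  # the rule names a host pattern, not a CIDR block
    try:
        address = ipaddress.ip_address(target)
    except ValueError:
        address = None  # the target is a host name or wildcard pattern
    if network is not None and address is not None:
        return address in network
    if network is None and address is None:
        # The rule pattern must be at least as broad as the required pattern.
        return fnmatchcase(target.lower(), rule["dest"].lower())
    return False  # names are not resolved here, so IP rules never cover host names


def decide(rules, target):
    """Return (action, rule_index) for the first matching rule; default deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, target):
            return rule["action"], index
    return "deny", None


def audit(rules):
    """List (destination, reason) for every required destination that is not allowed."""
    gaps = []
    for target in ADS_IPS + [ADS_FQDN] + CLOUD_CONNECTOR_HOSTS:
        action, index = decide(rules, target)
        if action != "allow":
            reason = ("no matching rule (default deny)" if index is None
                      else f"denied by rule {index}")
            gaps.append((target, reason))
    return gaps


if __name__ == "__main__":
    for destination, reason in audit(SAMPLE_RULES):
        print(f"{destination}: {reason}")
```
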

What's new

Oct 10, 2017

A goal of Citrix is to deliver new features and product updates to XenMobile Service customers when they are available. New releases provide more value, so there's no reason to delay updates. Rolling updates to the XenMobile Service release approximately every three weeks. This release cadence began in August 2016.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

If you are a XenMobile Service customer, you also receive XenMobile Service updates and communications directly from the XenMobile Cloud Ops Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the service level goal for the XenMobile Service for cloud scale and service availability, see Service Level Goal. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

XenMobile Server documentation: The XenMobile Server documentation covers the latest on-premises release of XenMobile Server. For details about using the XenMobile console, see the articles under XenMobile Server. Citrix notifies you when the What's new articles for XenMobile Service are updated for a new release.

XenMobile Service 10.7.1

The latest version of XenMobile has these new features and improvements:

- New restrictions for supervised devices running iOS
- Support for Samsung Enterprise Firmware-Over-The-Air (E-FOTA)
- Other improvements
- Fixed issues in this release

New restrictions for supervised devices running iOS

The following restrictions are now available for iOS devices running in supervised mode. The minimum version supported for each restriction is noted.

- Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can't use the Classroom app to observe student screens remotely. The default setting is selected: an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without prompting determines whether students receive a prompt to give the instructor permission. For supervised devices running iOS 9.3 (minimum version).
- Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).
- Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
- Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
- Allow AirPrint: If this restriction is set to Off, users can't print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).
  - Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren't stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).
  - Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. Disabling discovery prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).
  - Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).
- Adding VPN configurations: If this restriction is set to Off, users can't create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).
- Modifying cellular plan settings: If this restriction is set to Off, users can't modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).
- Removing system apps: If this restriction is set to Off, users can't remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).
- Setting up new nearby devices: If this restriction is set to Off, users can't set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).

To configure those restrictions, go to Configure > Device Policies. For more information on setting restrictions, see Restrictions device policy.

Support for Samsung Enterprise Firmware-Over-The-Air

Samsung Enterprise FOTA (E-FOTA) lets you determine when devices get updated and the firmware version to use. E-FOTA enables you to test updates before deploying them, to ensure that the updates are compatible with your apps. You can force devices to update with the latest firmware version available, without requiring user interaction.

Samsung supports E-FOTA for Samsung KNOX 2.7.1 devices (minimum version) that are running authorized firmware.

To configure an E-FOTA policy:

1. Create a Samsung MDM license key policy with the keys and license information you received from Samsung. XenMobile Server then validates and registers the information.

   ELM License key: This field contains the macro that generates the ELM license key. If the field is blank, type the macro ${elm.license.key}.

   Type the following information provided by Samsung when you purchased an E-FOTA package:

   - Enterprise FOTA Customer ID
   - Enterprise FOTA license
   - Client ID
   - Client Secret

2. Create a Control OS Update policy. Configure these settings:

   - Enable Enterprise FOTA: Set to On.
   - Enterprise FOTA License Key: Select the Samsung MDM License Key policy name that you created in Step 1.

3. Deploy the Control OS Update policy to Secure Hub.

Other improvements

- New iOS Setup Assistant Option: New feature highlights. The iOS Setup Assistant item, New feature highlights, sets up these onboarding informational screens: Access the Dock from Anywhere and Switch Between Recent Apps. You can choose whether to omit those onboarding screens from iOS Setup Assistant steps when users start their devices the first time. New Feature highlights is available for iOS 11.0 (minimum version). The default for all items is unselected.
- The XenMobile console interface for macOS VPP apps changed as follows:
  - In Configure > Apps, you can filter apps by macOS VPP. Portions of the interface that don't apply to a macOS VPP app are now omitted. For example, the Store Configuration section doesn't appear because there is no Secure Hub for macOS. The VPP keys import option no longer appears.
  - In Manage > Devices, the User Properties include Retire VPP account.
- Control OS Update device policy for macOS. You can now use the Control OS Update policy to deploy OS updates to macOS devices that are supervised or that are deployed through Apple DEP.
- Option to allow multiple users to use a Samsung SAFE device. The Restrictions device policy now includes the hardware control option, Allow multiple users. This option, for MDM 4.0 and later, defaults to OFF.
- The Manage > Devices page now includes these additional device properties reported by Android devices:
  - Carrier Code (reported only by devices running Samsung MDM 5.7 or higher)
  - Model Number (reported only by devices running Samsung MDM version 2.0 or higher)
- Restrictions device policy now includes a policy to disable the camera on Android devices. To configure the policy, go to Configure > Device Policies, click Add, and click Restrictions. By default, camera use is enabled. To disable camera use, change the Camera setting to OFF. This feature requires Secure Hub 10.7.5 (minimum version).

- When creating an action based on device properties with a value type of integer: You now can choose between Greater or Equal and Lesser or Equal, in addition to the existing condition, Is. The device property values that have new conditions include: Available and total RAM, available and total storage space, screen dimensions, and screen resolution. Use the Configure > Actions page to create actions.
- Login/Logout Public API update. Citrix Cloud users can now log in to XenMobile Public API for REST Services by using a token retrieved through the Citrix Cloud API. For more information, see section 3.3.2, Login (Cloud Credentials), in the XenMobile Public API for REST Services PDF.

Fixed issues in this release

- The Lock security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-35731]
- If you send the Enable Lost Mode security action to a supervised iOS device without Secure Hub, the Locate button doesn't appear on the device. [CXM-36106]
- On the Manage > Devices > Apps page, the inventory shows an incorrect version number for Boeing Toolbox Mobile Library. [CXM-37514]
- iOS users can't update Citrix Receiver to version 7.2.3. When they click Check for Update, the message "The app is up to date with the latest version" appears even when they have an older version. [CXM-38114]
- If an RBAC role doesn't have access to the App Wipe and App Lock actions: A user with that role and logged into the Self Help Portal can perform the App Wipe and App Lock actions. [CXM-38348]
- Local and Active Directory users with the RBAC permission "ADD/EDIT/DELETE local users and groups" can also delete admin accounts. When those users are logged in to the XenMobile Console, the Manage > Users page includes Edit and Delete buttons for admin accounts. [CXM-38350]
- A scheduled database cleanup fails due to many transaction logs exceeding disk space limits. [CXM-38439]
- If the trigger for an automated action is based on a null value for a device property, the action is performed for that device. For example, if an action is set to wipe a device if the platform is not iOS, the action wipes iOS devices. [CXM-38470]
- For administrators who have only the PKI Entities and Credential Providers roles in RBAC: The administrator gets logged out of the XenMobile console while adding a PKI Entity or Credential Provider. To work around this issue, add the Certificates permission to the RBAC role of the administrator. [CXM-38713]

XenMobile Service 10.7.0

Important

After an upgrade to XenMobile 10.7: If functionality involving outgoing connections stops working, and you haven't changed your connection configuration, check the XenMobile Server log for errors such as the following:

Unable to connect to the VPP Server: Host name '192.0.2.0' does not match the certificate subject provided by the peer.

If you receive the certificate validation error, disable hostname verification on XenMobile Server. By default, hostname verification is enabled on outgoing connections except for the Microsoft PKI server. If hostname verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.

The latest version of XenMobile has these new features and improvements:
- More macros for enrollment templates
- Public REST API changes
- Fixed issues in this release

More macros for enrollment templates

You can use these new macros when creating enrollment templates for device enrollment invitations:

${enrollment.urls}
${enrollment.ios.url}
${enrollment.macos.url}
${enrollment.android.url}
${enrollment.ios.platform}
${enrollment.macos.platform}
${enrollment.android.platform}
${enrollment.agent}

These macros allow you to create enrollment templates that contain enrollment URLs for multiple device platforms.

This example shows how to create a notification that includes enrollment URLs for multiple device platforms. The macro for the Message is:

${enrollment.urls}

These examples show how to create messages for notifications that prompt the users to click the enrollment URL for their device platforms:

Example 1:

To enroll, click the link below that applies to your device platform:
${enrollment.ios.platform} - ${enrollment.ios.url}
${enrollment.macos.platform} - ${enrollment.macos.url}
${enrollment.android.platform} - ${enrollment.android.url}

Example 2:

To enroll an iOS device, click the link ${enrollment.ios.url}.
To enroll a macOS device, click the link ${enrollment.macos.url}.
To enroll an Android device, click the link ${enrollment.android.url}.
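The certificate validation error quoted in the Important note for 10.7.0 can be reproduced offline to see which names a certificate actually covers. This is an added example, not Citrix code; it assumes, as one possible cause, that the connection is configured by IP address while the certificate lists only DNS names. The certificate, the name vpp.example.com and the function names are constructed for illustration.

```python
import ipaddress

# Constructed certificate in the dict layout returned by Python's
# ssl.SSLSocket.getpeercert(); vpp.example.com is a placeholder name.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpp.example.com"),),),
    "subjectAltName": (("DNS", "vpp.example.com"), ("DNS", "*.apps.example.com")),
}


def dns_name_matches(pattern, host):
    """Compare one dNSName entry with a host name, label by label.

    A '*' is honoured only as the complete left-most label and stands for
    exactly one label, so '*.apps.example.com' covers 'a.apps.example.com'
    but not 'a.b.apps.example.com' or 'apps.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_hostname(cert, host):
    """Return (ok, reason) for a connection made to `host`."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # An IP literal is compared only with iPAddress entries.
        if any(ipaddress.ip_address(v.strip()) == target_ip for v in ip_names):
            return True, "matched an iPAddress subjectAltName entry"
        return False, (f"{host} is an IP address and the certificate lists "
                       f"iPAddress entries {ip_names}; its DNS names "
                       f"{dns_names} cannot match an IP literal")
    for name in dns_names:
        if dns_name_matches(name, host):
            return True, f"matched dNSName {name}"
    return False, f"{host} is not covered by DNS names {dns_names}"


def names_to_connect_with(cert):
    """Names the certificate is valid for: candidates for the configured host."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]


if __name__ == "__main__":
    for target in ("192.0.2.0", "vpp.example.com", "a.b.apps.example.com"):
        print(target, check_hostname(SAMPLE_CERT, target))
    print("certificate is valid for:", names_to_connect_with(SAMPLE_CERT))
```

Running the check against the certificate a server really presents shows whether the configured host can be changed to a name the certificate already covers.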

Public REST API changes

When using the XenMobile Public REST API to create enrollment invitations, you can now:

Specify a custom PIN. If the enrollment mode requires a PIN, you can use a custom PIN instead of the one randomly generated by the XenMobile Server. The PIN length must match the setting configured for the enrollment mode. The PIN length defaults to 8. For example, a request might include:

"pin": "12345678"

Select multiple platforms. Previously, you could use the REST API to specify only one platform for an enrollment invitation. The "platform" field is deprecated and replaced with "platforms". For example, a request might include:

"platforms": ["ios", "MACOSX"]

For the complete current set of available APIs, download the XenMobile Public API for REST Services PDF.

Fixed issues in this release

If a VPN Connection name has a space, or other non-alphanumeric characters, XenMobile doesn't deploy the policy to devices. [CXM-32538]

The XenMobile REST API doesn't allow you to select multiple platforms when creating an enrollment invitation. [CXM-35853]

The Full Wipe security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-36397]

The enrollment URL link in an enrollment invitation might fail to resolve to the enrollment URL. To prevent this issue, ensure that the template you choose contains macros compatible with the platforms you selected when creating the enrollment invitation. Use these new macros when creating enrollment URL templates: ${enrollment.urls}, ${enrollment.ios.url}, ${enrollment.macos.url}, ${enrollment.android.url}, ${enrollment.ios.platform}, ${enrollment.macos.platform}, ${enrollment.android.platform}, and ${enrollment.agent}. The older ${enrollment.url} still works for enrollment invitations that have only one platform selected. [CXM-37513]

After you use the XenMobile CLI to edit the proxy exclusion list and then restart the server, the list appears truncated in the CLI. This issue only affects the display of the list. [CXM-37812]

When you submit a macro on the Troubleshooting and Support > Macros page, the "Failed to get macro information" message appears. [CXM-37940]

Known issues in this release

When you submit a macro on the Troubleshooting and Support > Macros page, the "Failed to get macro information" message appears. [CXM-37940]

XenMobile Service 10.6.3

The latest version of XenMobile has these new features and improvements.
- Integrate with Apple Education features
- BitLocker device policy for Windows 10
- Other improvements
- Fixed issues in this release
- Known issues in this release

Integrate with Apple Education features

You can use XenMobile Server as your mobile device management (MDM) solution in an environment that uses Apple Education. XenMobile supports the Apple Education enhancements introduced in iOS 9.3, including Apple School Manager and Classroom app for iPad. The new XenMobile Education Configuration device policy configures instructor and student devices for use with Apple Education.

The following video provides a quick tour of the changes you make to Apple School Manager and XenMobile Server.

Citrix XenMobile Education Configuration: Integrate Apple Education features with XenMobile

You provide preconfigured and supervised iPads to instructors and students. That configuration includes:
- Apple School Manager DEP enrollment in XenMobile
- A Managed Apple ID account configured with a new password
- Required VPP apps and iBooks

For details about integrating with Apple Education features, see Integrate with Apple Education features and Education Configuration device policy.

BitLocker device policy for Windows 10

Windows 10 Enterprise includes a disk encryption feature called BitLocker. BitLocker provides extra file and system protections against unauthorized access of a lost or stolen Windows device. For more protection, you can use BitLocker with Trusted Platform Module (TPM) chips, version 1.2 or later. A TPM chip handles cryptographic operations and generates, stores, and limits the use of cryptographic keys.

Starting with Windows 10, build 1703, MDM policies can control BitLocker. You use the BitLocker device policy in XenMobile to configure the settings available in the BitLocker wizard on Windows 10 devices. For example, on a device with BitLocker enabled, BitLocker can prompt users for:
- How they want to unlock their drive at startup
- How to back up their recovery key
- How to unlock a fixed drive.

BitLocker device policy settings also configure whether to:
- Enable BitLocker on devices without a TPM chip.
- Show recovery options in the BitLocker interface.
- Deny write access to a fixed or removable drive when BitLocker isn't enabled.

For more information, see BitLocker device policy.

Other improvements

The XenMobile console and the Self Help Portal are now available in Spanish.

Filter enrollment invitations by macOS. The Platform filter for Manage > Enrollment Invitations now includes macOS.

XenMobile now reports the Security patch level for Android devices. You can view the Security patch level on the Manage > Devices page and in Device details. You can also use Configure > Actions to create an action that the security patch level triggers.

Restrictions policy setting to block users from using face recognition to unlock Samsung Galaxy S8+ devices. The Restrictions device policy for Samsung SAFE now includes the setting, Face Recognition. To block use of face recognition to unlock device access, go to Configure > Device Policies and edit the Restrictions policy to set Face Recognition to Off.

Fixed issues in this release

Delivery groups might show a pending deployment status even though the apps associated with the devices in those delivery groups successfully install. [654162, CXM-21771]

After you update the obfuscated APK file for some Android apps in the XenMobile console: The older version appears in the details and the updated version doesn't deploy to devices. [CXM-25629]

In Manage > Devices, after saving edits to remove the Device Model property from an iOS device and then clicking Export, the "500 Internal Error" message appears. [CXM-36495]

Over-the-air enrollment for iOS devices fails intermittently. The "Profile installation failed" message appears. [CXM-37001]

Known issues in this release

On iOS 11, installed MDX apps begin to reinstall when the next deployment occurs. [CXM-34896]

The Lock security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-35731]

If you send the Enable Lost Mode security action to a supervised iOS device without Secure Hub, the Locate button doesn't appear on the device. [CXM-36106]

The Full Wipe security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-36397]

RBAC administrators can assign the default admin role to new or existing users. Assigning the default admin role should be restricted to super admins. [CXM-37805]

XenMobile Service 10.6.2

The latest version of XenMobile has these new features and improvements.

Restart or shut down a supervised iOS device

You can use security actions to restart or shut down a supervised iOS device (minimum version 10.3). Go to Manage > Devices, select the device, click Security, and then click Restart or Shut Down.

A device restarts immediately when it receives the Restart command. Passcode-locked iOS devices don't rejoin WiFi networks after restarting, so they might not communicate with the server.

A device shuts down immediately when it receives the Shut Down command.

Locate or ring a supervised iOS device that's in lost mode

After you place a supervised iOS device in lost mode, you can use security actions to locate or ring the device. A "ring" is the lost mode sound that Apple defines for the device.

To locate a device that's in lost mode:

Go to Manage > Devices, select the device, click Security, and then click Locate. The Device details page provides a status of the location request.

If the device is located, the Device details page includes a map.

To ring a device that's in lost mode (minimum version iOS 10.3):

Go to Manage > Devices, select the device, click Security, and then click Ring. The next time that the device connects, it rings. To stop the ring, the user clicks the power button. To stop the ring from the XenMobile console, use the Disable Lost Mode security action.

Other improvements

Reboot a Windows 10 device. You can now send a security action, Reboot, to reboot a device. For Windows Tablet and PCs, the message "System will reboot soon" appears and then the reboot occurs in five minutes. For Windows Phone, there is no warning message to users and the reboot occurs after a few minutes.

Improved performance when importing many VPP licenses. This optimization uses multi-threading. A new XenMobile Server property, MaxNumberOfWorker, defaults to 3 (threads). If you need further optimization, you can increase the number of threads. However, with a larger number of threads, such as 6, a VPP import results in very high CPU usage.

Configure > Apps now shows the Package ID for public app store apps and enterprise apps.


Alphabetized resource lists for delivery groups. In Configure > Delivery Groups, all resource lists and search results appear in alphabetical order.

On the Manage > Devices and Manage > Users pages, dates now appear in the 24-hour format, dd/mm/yyyy hh:mm:ss. Dates reflect the local time zone for devices and users.

In the XenMobile console, all references to Mac OS X, OS X, OSX, MACOSX, and MacOS are now macOS.

Public REST API changes

The XenMobile Public API for REST Services now includes the following APIs:
- Get Public Store App by container ID
- Add New Public Store App
- Update Public Store App
- Add Public Store App platform data
- Delete Public Store App platform data
- Update Public Store App platform data

For the device notification REST services, you can now notify a device by using the device ID, without requiring XenMobile to send a token.

For details, see XenMobile Public API for REST Services.

Fixed issues in this release

If you give the USER role any of the following RBAC permissions, the user can modify an administrator account:
- Local Users and Groups > Add/Delete Local Users
- Local Users and Groups > Edit Local User
[#TRK0681955]

When you click Export on the Manage > Users page: If there are more than 10,000 users, the download takes a very long time. [CXM-32425]

You might have intermittent difficulties accessing the XenMobile Server console, because of high memory usage. [CXM-35069]

Cloud Connector prerequisites and administration

Sep 05, 2017

Citrix uses Cloud Connector to integrate the XenMobile Service architecture into your existing infrastructure. For detailed reference architecture diagrams, see the XenMobile Deployment Handbook section, Reference Architecture for Cloud Deployments.

Cloud Connector supports all XenMobile authentication types. For additional information, see Citrix Cloud Connector in the Citrix Cloud documentation.

Prerequisites

- If you require a micro VPN, you must install an on-premises NetScaler Gateway that meets the requirements listed later in this article in "Configure NetScaler Gateway."
- Platform requirements specified in Citrix Cloud Connector Technical Details in the Citrix Cloud documentation.
- Proxy and firewall requirements specified in Cloud Connector Proxy and Firewall Configuration in the Citrix Cloud documentation.

Administration

The XenMobile Service setup wizard first prompts you to configure details such as a site name and IP address range for the cloud-hosted components.

After you set up resource locations in the XenMobile Service setup wizard, the wizard guides you through the initial configuration of XenMobile Server, starting with LDAP.

After you complete the wizard, Citrix Cloud Operations group integrates your XenMobile Service on Citrix Cloud. Meanwhile, you can start the process of preparing to support Android, iOS, and Windows platforms. For more information, see Mobile platform support in XenMobile Service.

The following sections describe more setup to perform when you can access the XenMobile console.

Configure allowed URLs for resource locations

To specify the allowed URLs for a resource location, go to Settings > Cloud Connector Whitelist, click Add, and choose a Resource Location. Then, specify the Allowed/Whitelisted URLs for that location.

Allowed/Whitelisted URLs: Specify one URL per line. You can use the asterisk (*) or question mark (?) wildcards.
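One way to check what a set of Allowed/Whitelisted URL patterns lets through before saving it, as an added example rather than XenMobile's own matching code. It assumes whole-string, case-insensitive matching in which * matches any run of characters and ? exactly one; the page does not specify these rules, and the host ca0?.company.com and all function names are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed allow list, one pattern per line as the page describes.
# storefront.company.com is the page's sample host; ca0?.company.com is made up.
SAMPLE_ALLOW_LIST = """
https://storefront.company.com/citrix/pnagent/*
https://ca0?.company.com/certsrv/*
"""


def parse_allow_list(text):
    """One pattern per line; blank lines and surrounding spaces are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def compile_pattern(pattern):
    """Case-insensitive regex: '*' = any run, '?' = exactly one character."""
    translated = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile(translated, re.IGNORECASE | re.DOTALL)


def normalize_url(url):
    """Decode percent-escapes and collapse '.' and '..' segments, so the
    string that is matched is the resource that would be requested."""
    parts = urlsplit(url)
    path = unquote(parts.path) or "/"
    clean = "/" + posixpath.normpath(path).lstrip("/")
    if path.endswith("/") and not clean.endswith("/"):
        clean += "/"
    return urlunsplit(
        (parts.scheme.lower(), parts.netloc.lower(), clean, parts.query, "")
    )


def is_allowed(url, patterns):
    """True if the normalized URL matches one pattern from start to end."""
    candidate = normalize_url(url)
    return any(compile_pattern(p).fullmatch(candidate) for p in patterns)


def audit_pattern(pattern):
    """Report why a pattern may allow more than the single host intended."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return ["no scheme://host prefix: the pattern is not tied to one origin"]
    findings = []
    host, slash, _path = rest.partition("/")
    if any(ch in scheme + host for ch in "*?"):
        findings.append("wildcard in scheme or host: it can also match '.' "
                        "and '/', so other hosts may qualify")
    if not slash:
        findings.append("no '/' after the host: a match can run on into a "
                        "longer host name")
    return findings


if __name__ == "__main__":
    patterns = parse_allow_list(SAMPLE_ALLOW_LIST)
    for pattern in patterns + ["https://storefront.company.com*"]:
        print(pattern, audit_pattern(pattern))
    print(is_allowed("https://storefront.company.com/citrix/pnagent/../admin/",
                     patterns))
```

Patterns that end each host with a / and keep wildcards in the path produce no findings.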

Configure users and groups

A User type column appears on the Manage > Users page of the XenMobile console. That column indicates whether each user is a local, Active Directory, or cloud user. For local users and AD users, you can perform all user management functions described in User accounts, roles, and enrollment.

A cloud user is a special user account that Citrix Cloud creates and manages on the XenMobile Server. Citrix Cloud creates a cloud user account when an administrator is added to your Citrix Cloud customer account. A cloud user account uses the same user name as the administrator account. The cloud user account provides single sign-on and performs other administrative functions.

For cloud users:
- You can change the roles and user properties of cloud users through the XenMobile console.
- You cannot change cloud user passwords through the XenMobile console. You can change a cloud user password from Identity and access management in Citrix Cloud.
- You cannot delete cloud users.
- You cannot give cloud users membership in a group.

Configure delivery groups

When you create a delivery group, you specify whether the user assignments are managed in XenMobile or in Citrix Cloud. You cannot change this specification after you create the delivery group.

If you plan to use the delivery group to deliver other services available through Citrix Cloud, specify that the user assignments are managed in Citrix Cloud. Other services include XenApp and XenDesktop, Life Cycle Management, ShareFile, or Secure Browser Service. You can only add Active Directory users to these delivery groups.

If you create a delivery group for users and apps that only need mobility management, specify that the user assignments are managed in XenMobile. Delivery groups with users managed in XenMobile are not visible in Citrix Cloud. Therefore, you cannot use delivery groups managed in XenMobile to deliver other services.

You can perform all XenMobile delivery group management functions through the XenMobile console, as described in Deploy Resources.

To add a delivery group and specify how its user assignments are managed:

1. In the console, click Configure > Delivery Groups.
2. From the Delivery Groups page, click Add. The Delivery Group Information page appears.

3. Enter a name and description for the delivery group and click Next.
4. At the User Assignments page, specify how to manage the delivery group user assignments.
   - In XenMobile. Select this option if you plan to create a delivery group for users and apps that only need mobility management. Delivery groups whose user assignments are managed in XenMobile are not visible in Citrix Cloud and cannot be used to deliver other services.
   - In Citrix Cloud. Select this option if you plan to use the delivery group to deliver other services, such as XenApp or ShareFile.

Important

You cannot change the Manage user assignments setting after the user group is created.

5. Add users to the delivery group and click Next.
6. Add optional resources to the delivery group, as described in Deploy Resources.
7. Review the Summary page.
8. Click Save to create the delivery group.

Configure resource locations for PKI entity connections

To use Cloud Connector for Microsoft Certificate Services entity connections, go to Settings > PKI Entities. When you add or edit a PKI entity, change Use Cloud Connector to ON. Then, specify a Resource Location and Allowed Relative Paths for those locations.

Resource Location: Choose from the resource locations defined in Citrix Cloud Connector.

Allowed Relative Paths: The relative paths allowed for the specified resource location. Specify one path per line. You can use the asterisk (*) wildcard.

Suppose that the resource location is http://www.serviceroot/certsrv. To provide access to all URLs in that path, enter * in Allowed Relative Paths.

Configure resource locations for XenApp and XenDesktop connections

To use Cloud Connector for XenApp and XenDesktop connections, go to Settings > XenApp/XenDesktop. Then, change Use Cloud Connector to ON and specify the following options for those locations.

Resource Location: Choose from the resource locations defined in Citrix Cloud Connector.

Allowed Relative Paths: The relative paths allowed for the specified resource location. Specify one path per line. You can use the asterisk (*) wildcard.

Suppose that the resource location is https://storefront.company.com and you want to provide access to the following URLs:

https://storefront.company.com/citrix/pnagent/config.xml
https://storefront.company.com/citrix/pnagent/enum.aspx
https://storefront.company.com/citrix/pnagent/launch.aspx

To allow all requests with the URL https://storefront.company.com/citrix/pnagent/*, enter this path:

/Citrix/PNAgent/*

XenMobile blocks all other paths.

Configure an on-premises NetScaler Gateway for use with XenMobile Service

To configure an on-premises NetScaler Gateway for use with XenMobile Service, you perform the following general steps, detailed in this section:

1. Download a script and related files from XenMobile Server.
2. Update the script for your environment.
3. Run the script on NetScaler.

You can use the script to configure multiple NetScaler Gateways.

The script configures these NetScaler Gateway settings required by XenMobile:
- NetScaler Gateway virtual servers needed for MDM and MAM
- Session policies for the NetScaler Gateway virtual servers
- XenMobile Server details
- Proxy load balancer for certificate validation
- LDAP server details. The script includes comments about the LDAP configuration details.
- Traffic actions and policies for the proxy server
- Clientless access profile
- Static local DNS record on NetScaler
- Bindings: Service and traffic policy; CA certificate and service

The script doesn't handle the following configuration:
- Exchange load balancing
- ShareFile load balancing
- ICA proxy configuration

The rest of this section describes these general steps for using the script. See the readme file provided with the script for the latest detailed instructions.

1. Verify that your environment meets the prerequisites.
2. Download the script bundle, update the script placeholders with details from your environment, and then run the script.
3. Test the configuration.

Prerequisites for using the NetScaler Gateway configuration script

- Domain (LDAP) authentication
- NetScaler 10.5 build 62.9 or above, with a Platform/Universal license. For information, see the Citrix Support article, How to License a NetScaler Gateway Appliance.
- Public SSL Certificate. For information, see the Citrix Support article, How to Add an SSL Certificate Bundle on the NetScaler Appliance.
- Unused public IP address for NetScaler Gateway Virtual Server
- Publicly resolvable Fully Qualified Domain Name (FQDN) for NetScaler Gateway Virtual Server
- Inbound port 443 access to the NetScaler Gateway public IP
- Outbound port 8443 access to Cloud-hosted XenMobile from the NetScaler Subnet IP (SNIP)
- Cloud-hosted XenMobile Intermediate and Root certificates (provided in the script bundle)
- Unused internal private IP address for the proxy load balancer IP

Download the script bundle and update the script for your environment

1. To download the script bundle, go to the Settings > NetScaler Gateway page, select a NetScaler, click Export Configuration Script, and then click Download.

The Export Configuration Script button also appears on the page where you add a NetScaler Gateway.

The script bundle includes a:
- Readme file with detailed instructions
- Script that contains the NetScaler CLI commands used to configure the required components in NetScaler
- Public Root CA certificate and the Intermediate CA certificate
- Script that contains the NetScaler CLI commands used to remove the NetScaler configuration

2. Upload and install the certificate files (provided in the script bundle) on the NetScaler appliance in the /nsconfig/ssl/ directory.

The following examples show how to install the root certificate.

Ensure that you install both the root and intermediate certificates.

3. Edit the script (OfflineNSGConfigtBundle_CREATESCRIPT) to replace all placeholders with details from your environment.
4. Run your edited script in the NetScaler bash shell, as described in the readme file included in the script bundle. For example:

/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/offlinensgconfigtbundle_createscript.txt"

When the script completes, the following lines appear.

Test the configuration

To validate the configuration:

1. Validate that the NetScaler Gateway Virtual Server shows a state of UP.
2. Validate that the Proxy Load Balancing Virtual Server shows a state of UP.
3. Open a web browser, connect to the NetScaler Gateway URL, and attempt to authenticate. If the authentication succeeds, you are redirected to an HTTP Status 404 - Not Found message.
4. Enroll a device and ensure it gets both MDM and MAM enrollment.

XenMobile Service administration

The XenMobile Service is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, XenMobile administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and the XenMobile Service.

By default, all Citrix Cloud administrators also are created as XenMobile administrators. You can always change a role by accessing the XenMobile console from the Citrix Cloud dashboard. For more information, see "To add, edit, or delete local user accounts" in User accounts, roles, and enrollment.

You can change only the role and membership of a user. You cannot change user names or passwords, nor delete or edit local users, from the XenMobile console. Instead, make those changes within Citrix Cloud.