2013-12-19 18:22:26 UTC 2013 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Contents

Installing XenMobile Components
  Downloading XenMobile Product Software
  Installing NetScaler Gateway 10.1 in Your Network
  Installing XenMobile MDM Edition
    Installing Device Manager
      Device Manager 8.6
      Installing Patches for Device Manager
      Choosing Device Manager Components to Install
      Installing Device Manager
      Configuring Active Directory on Device Manager
      Upgrading Device Manager to Version 8.6
      Backing Up and Restoring Device Manager
        To perform a full manual backup of Device Manager server
        To perform a directory and native SQL backup of Device Manager server
    XenMobile NetScaler Connector
      XenMobile NetScaler Connector 8.5
        About This Release
          Key Features
        XenMobile NetScaler Connector System Requirements
        Deploying XenMobile NetScaler Connector
          To set up listening addresses for the XNC web service
          To configure device access control policies
          To configure communication with the Device Manager server
          Deploying XNC for Redundancy and Scalability
        Installing XenMobile NetScaler Connector
          To install XenMobile NetScaler Connector
          To uninstall XenMobile NetScaler Connector
        Managing XenMobile NetScaler Connector
          Configuring XenMobile NetScaler Connector
            Choosing a Security Model for XenMobile NetScaler Connector
            Configuring XenMobile NetScaler Connector Policy Modes
            To configure static rules
            To configure dynamic rules
            To configure custom policies by editing the XenMobile NetScaler Connector XML file
            Configuring the XenMobile NetScaler Connector XML File
            To import a policy from Device Manager
            To configure a connection to XenMobile NetScaler Connector
            Choosing Filters for XenMobile NetScaler Connector
            To simulate ActiveSync traffic
          Monitoring XenMobile NetScaler Connector
    XenMobile Mail Manager
      XenMobile Mail Manager 8.5
        XenMobile Mail Manager Components
        XenMobile Mail Manager System and Software Requirements
          Onsite Exchange Requirements
          Office 365 Exchange Requirements
        Installing XenMobile Mail Manager
        Configuring XenMobile Mail Manager
          To configure the Exchange Server
          To configure database properties
          To configure a Mobile Service Provider
          To configure the Mobile Service Provider hostname in Device Manager
          To configure Blackberry BES servers (optional)
          XenMobile Mail Manager and Exchange 'Quarantine' Mode
          Understanding XenMobile Mail Manager Access Rules
          To configure Default access control rules
          To configure XDM (Device Manager) rules
          To configure local rules
          Simulation vs Powershell Mode
        Monitoring XenMobile Mail Manager
          To monitor ActiveSync devices
          To monitor BlackBerry devices
          To view snapshot history
  Installing App Controller
    Installing App Controller 2.9
      Getting Ready to Install App Controller
      Installing App Controller on XenServer
      Installing App Controller by Using VMware ESXi
      Installing App Controller on Microsoft Hyper-V
      Setting the App Controller IP Address for the First Time
      Configuring App Controller for the First Time
        Icons in the AppController Management Console
      Adding Active Directory Domains to App Controller
        Adding and Synchronizing Active Directory Domains
  Installing the MDX Toolkit
After you install the XenMobile components, you can use the MDX Toolkit to wrap .ipa and .apk files. Then, you can upload the MDX files to App Controller for users to download and install. This section includes installation information about the following:
NetScaler or NetScaler Gateway
Device Manager
XenMobile NetScaler Connector (XNC)
App Controller
StoreFront (optional). For details, see the StoreFront documentation in eDocs.
ShareFile (optional). For details, see the ShareFile documentation in eDocs.
MDX Toolkit
When you click Find, a page listing the available downloads appears with the most recent version at the top of the list:
You can select your software from the available list of options. For example, if you select XenMobile 8.6 Enterprise Edition, you can download the software for Device Manager, App Controller, NetScaler Gateway, and other XenMobile components as shown in the following figure:
Downloading XenMobile Product Software
5. In Select Download Type, select Product Software and then click Find. You can also select Virtual Appliances to download NetScaler VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.
6. On the NetScaler Gateway page, expand NetScaler Gateway or Access Gateway.
7. Click the appliance software version you want to download.
8. On the appliance software page for the version you want to download, select the virtual appliance and then click Download.
9. Follow the instructions on your screen to download the software.
NetScaler SDX - a hardware platform on which virtual instances of NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.
NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.
NetScaler VPX - a virtual machine that can handle up to 875 user connections.
Before you install either the physical appliance or the virtual appliance, complete the NetScaler information in the XenMobile Solution Pre-Installation Checklist. After you install the physical appliance by following the instructions in Installing the Model MPX Appliance, you turn on the appliance and perform the initial configuration. This includes configuring:
NetScaler Gateway IP address (NSIP)
Subnet IP address (SNIP)
Default gateway
DNS servers
Host name
Licenses
Certificates that include the fully qualified domain name (FQDN)
For more information about NetScaler Gateway, see the following topics in Citrix eDocs:
About the NetScaler Gateway MPX Appliance
NetScaler Gateway Virtual Appliances
Performing the Initial Configuration of the MPX Appliance
Configuring NetScaler VPX for the First Time
NetScaler Gateway 10.1
Configure device settings, email and applications, policies, and device and application restrictions.
Distribute internally built and externally available apps to users' iOS, Android, Samsung, Samsung Knox, HTC, Windows Phone 8, and Windows 8 devices.
Provision devices simply and rapidly by enabling user self-service enrollment and by distributing configuration, policy, and application packages in an automated, role-based manner over-the-air.
Secure devices, applications, and data by setting authentication and access policies, blacklisting and whitelisting applications, enabling application tunnels, and enforcing security policies at the gateway.
Support users by remotely locating, locking, and wiping devices in the event of loss or theft, as well as remotely troubleshooting device and service issues.
Monitor devices, infrastructure, service, and telecom expenses.
Decommission devices by identifying inactive devices and wiping or selectively wiping devices upon employee departure.
Run reports on user and device actions.
XenMobile Device Manager allows you to manage mobile devices, set mobile policies and compliance rules, gain visibility into the mobile network, provide control over mobile apps and data, and shield your network from mobile threats. With a "one-click" dashboard, simple administrative console, and real-time integration with Microsoft Active Directory and other enterprise infrastructure such as PKI and Security Information and Event Management (SIEM) systems, Device Manager simplifies the management of mobile devices. The Secure Mobile Gateway provides access control for email and calendar services. You can configure Secure Mobile Gateway to allow or block connection requests from devices based on device status, app blacklists or whitelists, and a host of other compliance conditions. The status of requests blocked by Secure Mobile Gateway can be viewed immediately on the Device Manager dashboard so that you can take appropriate action.
XenMobile Multi-Tenant Console is a web console that enables service providers and organizations to administer several physical servers running Device Manager from a single site.
XenMobile Remote Support application provides several tools to assist in the inspection, troubleshooting, and modification of remotely controlled handheld devices.
XenMobile ZSM Lite is a component that enables access to query Blackberry and ActiveSync environments and provides the device and user information to Device Manager through the XenMobile Mobile Service Provider.
Oracle Java SE 7 JDK (JDK Download Edition) update 11 and later
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
For more information about the Java requirements for Device Manager, see System Requirements. After you download Device Manager to the Windows Server, you run the installation program. This section describes the selections available in the installation program and how to configure the settings.
The Device Manager server
The Device Manager repository database (PostgreSQL) and automatic creation of the database and requisite tables
The integrated web application server hosting the Device Manager server
Note: If you install an Application Server prior to installing Device Manager, remove Application Server before installing Device Manager.
Installing Databases
Device Manager includes the PostgreSQL database server installation. If you installed a SQL database server on your computer or another server, clear the PostgreSQL check box in the list of components during the installation wizard. The install type switches automatically to Custom. When using a Microsoft SQL server, refer to the installation instructions provided by Microsoft for the SQL server installation. If you do not clear the check box, the PostgreSQL installation wizard appears with configuration instructions. If you install PostgreSQL, an installation wizard appears. The installation program automatically selects all the default PostgreSQL options required to install a Device Manager server. However, you can check any additional options you want to install. You can also change the installation location with the Browse button. During installation of PostgreSQL, define the service account that runs the PostgreSQL server. The Service name, Account name, and Account domain fields are already completed. You need to enter a password for the service account. If the user account does not exist, you receive a prompt to confirm creation of the account. In addition, if the password you chose is not a strong password, you are prompted to replace the password with a random strong password. Click No in the message dialog box to keep the password you originally entered.
Disable TCP/IP6 on the network adapter and in the registry. For more information, see How to disable IP version 6 or its specific components in Windows on the Microsoft web site.
Disable the User Account Control setting in Control Panel.
Caution: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
The setup wizard includes several discrete tasks. You need to complete all of the tasks in this topic in consecutive order to complete the entire wizard. The installation tasks include:
Device Manager components
Installation location
Microsoft SQL Server database installation
Database cluster settings
Licenses
Device Manager and database communication
Crystal Reports keycode
HTTP and HTTPS connectors
Root and server certificates
Apple Push Notification Service (APNS) certificates
Remote support settings
Active Directory service account for managing users
Installing Device Manager
Database server to disable installation of the PostgreSQL database.
Important: Citrix recommends that you use Microsoft SQL Server instead of the PostgreSQL database that comes with Device Manager. The PostgreSQL database should be used for demonstration purposes only.
After you select your components, on the Choose Install Location page, leave the default install location and then click Install. Citrix recommends that you use the default location to install Device Manager.
In Host name or IP address, enter the fully qualified domain name (FQDN) or IP address of SQL Server.
In Port, enter the port number. The default port number for SQL Server is 1433.
In User name, enter a user name for the database.
In Password, enter the password to connect to the SQL Server database.
In Database name, enter the database name or leave the default value.
After you configure the database connection, you then enter the keycode for Crystal Reports.
On the Crystal Report Java Reporting Components configuration page, to leave a watermark on the reports, leave the keycode blank. Or, to remove the watermark, enter your keycode for the product.
If you manage iOS devices, select Enable iOS. When you select the check box, the authentication code appears automatically. In Authentication code for applications/tunnels, enter a prefix that Device Manager uses to create the authentication keys used by the software. Use a simple alphanumeric word or passphrase. Use mixed case, numbers, and letters only. Then, record this value for use later when you configure the system.
Important: You can only select Enable iOS during installation. If you do not select this option and you want to enable the mode in the future, you must reinstall the application server.
HTTP connector that allows unsecure connections over port 80. You can configure this connector if NetScaler Gateway is installed between the Device Manager server and mobile devices.
HTTPS connector for secure connections over port 443 with a certificate.
HTTPS connector that allows secure connections over port 8443 for device enrollment.
Protocol for secure and unsecure connections (HTTP or HTTPS).
IP addresses.
Port settings for the connector. To allow connections over HTTPS that use certificates for authentication, you use port 443. For secure connections without certificates, use port 8443. For unsecure connections, use port 80.
Maximum concurrent connections defines the total number of user connections that are allowed for each connector.
Keystore file path is the certificate location on your computer. Do not change the default path. The server configuration provides the file path automatically.
Keystore password and Confirm keystore password are for the private key. Enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, Citrix recommends using separate passwords for the root, server, device, and Web Service certificates. Passwords must have at least eight characters, and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.
Organizational unit is an optional parameter. Enter a value typically given to the entity or group that has management authority over the certificate.
Organization is an optional parameter. Enter a value typically given to the entity or organization that is the parent that owns the certificate and its rights.
For root certificates, you need to provide the common name for the CA that issued the root certificate. Leave the default name to associate it with the creation of the CA component and certificate. If you change this field, your devices may not receive the proper chain of certificates and will not be able to enroll. Note: The root certificate is used to issue and sign certificates for intermediate server and client-device certificates. The root certificate is also used to regenerate intermediate certificates in the event of compromise. You can install root certificates in the operating system as a trusted CA root certificate.
For secure server certificates, you need to include the IP address or FQDN that is in the certificate. Users connect by using the IP address or FQDN contained within the certificate.
After you configure the administrator user and password, you can finish the installation wizard. After you finish the wizard, you should do the following:
Log on to the administration console at https://serverfqdn/zdm to configure Device Manager. On the console, use the first-time use wizard to configure LDAP and your first deployment package.
Note: If you want to add your own server certificate instead of the self-signed server certificate that is issued during the installation, follow the steps in the topic Configuring an External Certificate Authority by Using SSL.
LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory, to import groups, user accounts, and related properties.
Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.
Provisioning file. You can develop a file outside of Device Manager containing user accounts and properties and then import the file. Device Manager automatically creates objects and sets property values.
You can perform the following actions in Device Manager for LDAP connections:
Create a new LDAP connection.
Edit an existing connection.
Set the default LDAP connection.
Activate or deactivate an LDAP connection.
When you create a new LDAP connection, you configure the LDAP directory settings and then you import a signed secure certificate. When you define the connection parameters, you need to grant the following rights to the Search User service account:
READALLUSERINFORMATION
READALLNETWORKPERSON
Note: In the Lockout Limit field, the default is set to zero. However, Citrix recommends using a higher value that is slightly lower than the lockout limit set on your LDAP server, so that Device Manager stops retrying before the directory locks the account. For example, if your LDAP server is configured to a limit of five attempts before lockout, Citrix suggests that you enter 3 or 4 in this field.
You can also map the LDAP directory attributes to the Device Manager Repository database. If you do not modify the default settings, Device Manager binds automatically to the LDAP directory. You can specify the base DN that defines the LDAP directory groups that are imported to Device Manager.
7.1.0 -> 8.5.0 -> 8.6.0
8.0.1 -> 8.6.0
8.5.0 -> 8.6.0
Note: If you are running Device Manager version 8.0.1, you should already have the correct version of Java on your server. If you do not, make sure that you are running Oracle Java SE 7 JDK (JDK Download Edition) update 11 and above and Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7. For more information, see Device Manager System Requirements.
Before you upgrade, make sure that you perform a backup of your Device Manager database and application directory as described in To perform a full manual backup of Device Manager server.
Stop all services and then make a copy of the entire application directory on the server. Copy the application directories required for restoration and also perform a native SQL database server backup by using the PostgreSQL utility called pgAdmin. You can also use Microsoft SQL Server Management Studio for your version of Microsoft SQL Server.
If you want to restore Device Manager, you also use pgAdmin or Microsoft SQL Server Management Studio.
C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF
8. Verify that the backed-up directory has a complete copy of the Tomcat configuration and PKI certificates. These files are located under the parent directory:
C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
9. Verify that the backup directory also contains the license file normally found at:
C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF
10. The Device Manager application and database environment is now fully backed up and can be restored to the same or a different system host.
NetScaler
NetScaler delivers an extensive portfolio of essential datacenter security capabilities that are significant for mobile users, their apps and data. NetScaler provides critically important application security, network/infrastructure security, and identity and access management, which when combined with XenMobile MDM delivers a tightly coupled solution that enables IT to support the security needs of mobile users and the enterprise.
Filter-based rules to allow or block access. XenMobile NetScaler Connector evaluates a particular client request routed through NetScaler against the organization's rules. The end result is a binary state of allowed, in which the client is permitted to contact the Microsoft Exchange 2010 Client Access Server (CAS), or blocked, in which the client request is dropped and access to the Exchange CAS is not permitted. Paired with settings in the Device Manager console, you can prevent Exchange ActiveSync email access for device users based on compliance criteria, such as when a blacklisted app is installed on the device, when the device is jailbroken, and so on.
A two-tiered filter model. The first tier parses the incoming HTTP requests based on path-specific information. The second tier filters based on user- or device-specific information. You can configure both tiers.
Filter rules stored in configuration files. Specific filter rules pertaining to the user accounts and devices in your organization are stored in the gateway's XML configuration files.

This section covers the following topics:
About This Release: Contains information about this release, including XenMobile NetScaler Connector features, components, what's new, and known issues.
System Requirements: Provides system requirements for XenMobile NetScaler Connector and for the XenMobile NetScaler Connector Console.
Deploying XenMobile NetScaler Connector: Provides deployment information for XenMobile NetScaler Connector.
Installing XenMobile NetScaler Connector: Provides information about how to install XenMobile NetScaler Connector on either its own server or on the same server as Device Manager.
Manage: Provides information on choosing a security model for your organization, creating block or allow policies, setting static or dynamic filters, and connecting to Device Manager. This section also provides information about enabling and understanding email attachment encryption.
Monitor: Provides information about enabling XenMobile NetScaler Connector logging.
Key Features
The key features of XenMobile NetScaler Connector are:
Access Control of HTTP ActiveSync requests. XenMobile NetScaler Connector can control the HTTP ActiveSync requests that mobile devices make of Exchange servers. You can build filters in XenMobile NetScaler Connector that enable you to allow or block user devices based on rules and criteria that you specify. When you set the rules in XenMobile NetScaler Connector, you can turn the rules on and off in XenMobile Device Manager, which then manages the ability of devices to access email within the organization.
Remote configuration. Device Manager controls the baseline and delta intervals used by XenMobile NetScaler Connector.
Logging. On the Log tab of the XenMobile NetScaler Connector configuration utility, you can view when encryption is enabled for a given user device at the request level, in addition to which devices are allowed or blocked.
Network adapter compatible with the host operating system for communication with the internal network
Display: VGA or higher-resolution monitor
The host computer for XenMobile NetScaler Connector requires the following minimum available hard disk space:
XenMobile NetScaler Connector allows you to use NetScaler to proxy and load balance Device Manager communication with XenMobile-managed devices. XenMobile NetScaler Connector communicates periodically with Device Manager to synchronize policies. XenMobile NetScaler Connector and Device Manager may be clustered, together or independently, and load balanced by NetScaler.
Figure 1. XenMobile NetScaler Connector Deployment
XenMobile NetScaler Connector Service. This provides a REST web service interface that can be invoked by NetScaler to determine if an ActiveSync request from a device is authorized.
XenMobile Configuration Service. This service communicates with Device Manager to synchronize Device Manager policy changes with XenMobile NetScaler Connector.
XenMobile Notification Service. This service sends notifications of unauthorized device access to Device Manager so that Device Manager can take appropriate measures, such as notifying the user why the device was blocked.
XenMobile NetScaler Configuration. This application allows the administrator to configure and monitor XenMobile NetScaler Connector.
In non-shared mode, each XNC instance communicates with an XDM server and keeps its own private copy of the resulting policy. For example, if you had a cluster of Device Manager servers, you could run an XNC instance on each XDM server and XNC would get policy from the local XDM. In shared mode, one XNC node is designated the master and it communicates with Device Manager. The resulting configuration is shared among the other nodes either by Windows network share or by Windows (or third-party) replication.
The entire XNC configuration is in a single folder (a few XML files). The XNC Connector process detects changes to any file in this folder and automatically reloads the configuration. There is no failover for the master in shared mode. But the system can tolerate the master being down for minutes (for example, to reboot) because the last known good config is cached in the XNC Connector process.
If your Device Manager server is hosted remotely in the cloud (physical location).
If you do not want your XenMobile NetScaler Connector to be affected by reboots of the Device Manager server (availability).
If you want a server's system resources to be devoted entirely to the XenMobile NetScaler Connector (performance).
The CPU load that XNC puts on a server depends on how many devices are managed, but a general rule of thumb is to provision one additional CPU core if XNC is deployed on the same server as XDM. For large numbers of devices (over 50 thousand), you may need to provision additional cores if you do not have a clustered environment. The memory footprint of XNC is not significant enough to warrant additional memory.
Allow All. This policy mode grants access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.
Deny All. This policy mode blocks access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.
Static Rules: Block Mode. This policy mode executes static rules with an implicit deny or block statement at the end. Devices that are not allowed or permitted via other filter rules are blocked by XenMobile NetScaler Connector.
Static Rules: Permit Mode. This policy mode executes static rules with an implicit permit or allow statement at the end. Devices that are not blocked or denied via other filter rules are allowed through XenMobile NetScaler Connector.
Static + ZDM Rules: Block Mode. This policy mode executes static rules first, followed by dynamic rules from Device Manager, with an implicit deny or block statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are blocked.
Static + ZDM Rules: Permit Mode. This policy mode executes static rules first, followed by dynamic rules from XenMobile Device Manager, with an implicit permit or allow statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are allowed.
The XenMobile NetScaler Connector process permits or blocks for dynamic rules based on unique ActiveSync IDs for iOS and Windows-based mobile devices received from Device Manager. Android devices differ in their behavior based on the manufacturer and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed since Android devices cannot be definitively differentiated. The gateway can still be configured to statically block these devices by ActiveSyncID, if they are known, and can also be configured to block based on device type or user agent.
To specify the policy mode, in the SMG Controller Configuration utility, do the following:
1. Click the Path Filters tab and then click Add.
2. In the Path Properties dialog box, select a policy mode from the Policy drop-down list and then click Save.
Configuring XenMobile NeScaler Connector Policy Modes You can review rules on the Policies tab of the configuration utility. The rules are processed on XenMobile NetScaler Connector from top to bottom. The active policy is displayed with green checkmark, while the rules that are not active show a red circle with a line through it. To refresh the screen and see the most updated rules, click Refresh. The ordering of rules can be modified in the config.xml file. To test rules, click the Simulator tab. Specify values in the fields. These can also be obtained from the logs. Click Simulate. A result message will appear specifying Allow or Block.
User. XenMobile NetScaler Connector uses the authorized user value and name structure that was captured during device enrollment. This is commonly found as domain\username, as referenced by the server running XenMobile Device Manager connected to Active Directory via LDAP. The Log tab in the XenMobile NetScaler Connector configuration utility shows the values that are passed through XenMobile NetScaler Connector, in case the value structure needs to be determined or differs from this form.
Deviceid (ActiveSyncID). Also known as the ActiveSync ID of the connected device. This value is commonly found on the specific device properties page in the Device Manager web console. It can also be read from the Log tab in the XenMobile NetScaler Connector configuration utility.
DeviceType. XenMobile NetScaler Connector can determine whether a device is an iPhone, iPad, or other device type and permit or block based on that criterion. As with the other values, the XenMobile NetScaler Connector utility reveals all connected device types being processed for the ActiveSync connection.
UserAgent. Contains information about the ActiveSync client in use. In most cases, the value corresponds to a specific operating system build and version for the mobile device platform.
The XenMobile NetScaler Connector utility running on the server always manages the static rules.
1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.
2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, to allow access for a user, enter the user name (for example, AllowedUser) and clear the Disabled check box.
3. Click Save. The static rule is now in effect.
Additionally, you can use regular expressions to define values, but you must first enable the regular expression rule processing mode in the config.xml file.
To configure custom policies by editing the XenMobile NetScaler Connector XML file
You can view the basic policies in the default configuration on the Policies tab of the configuration tool. If you want to create custom policies, you can edit the XML configuration file (config\config.xml).
1. Find the PolicyList section in the file and add a new Policy element.
2. If a new Group is also required, such as an additional static group or to support an additional GCP, add the new Group element to the GroupList section.
3. Optionally, change the ordering of Groups within an existing Policy by rearranging the GroupRef elements.
GroupRef Nodes
The GroupRef nodes define the logical group names; by default, these are the AllowGroup and the DenyGroup.
Note: The order of the GroupRef nodes as they appear in the GroupRefList node is significant.
The id value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attribute specifies how the filter treats a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set will "pass" (be allowed to access the Exchange CAS), while a user account or device that matches a rule in the DenyGroup set will be "rejected" (not allowed to access the Exchange CAS). When a particular user account, device, or combination meets rules in both groups, a precedence convention directs the request's outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top to bottom: the GroupRef nodes are ranked in priority order. Thus, in the default order shown in the figure above, rules for a given condition in the Allow group always take precedence over rules for the same condition in the Deny group.
Group Nodes
Additionally, config.xml defines Group nodes. These nodes link the logical containers AllowGroup and DenyGroup to external XML files. Entries stored in the external files form the basis of the filter rules.
Note: In this release, only external XML files are supported. The default installation references two XML files in the configuration: allow.xml and deny.xml.
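The policy modes, the four static rule criteria, regular expression matching and the GroupRef precedence described above can be modelled in a few lines. The following PowerShell is an added example and is not XenMobile NetScaler Connector code or its config.xml schema: the group and rule shapes, the mode names and every sample user, device ID and user agent are assumptions chosen to exercise the behaviour the text describes.

```powershell
# Added illustration, not XenMobile NetScaler Connector code: a model of how
# static rules, GroupRef ordering and the policy mode combine into one
# Allow/Block decision. The group and rule shapes, the mode names and all
# sample values below are assumptions; the real config.xml, allow.xml and
# deny.xml schemas are not reproduced.

# A static rule carries one regular expression per criterion the page lists.
# '.*' means "any value", so a rule can key on a single field.
function New-XncRule {
    param(
        [string]$User       = '.*',
        [string]$DeviceId   = '.*',
        [string]$DeviceType = '.*',
        [string]$UserAgent  = '.*',
        [switch]$Disabled
    )
    [pscustomobject]@{
        User = $User; DeviceId = $DeviceId; DeviceType = $DeviceType
        UserAgent = $UserAgent; Disabled = [bool]$Disabled
    }
}

# A rule matches only when every criterion matches. Patterns are anchored so
# 'iPad' cannot match 'iPadMini' by accident. -match is case-insensitive, which
# suits domain\user names and device type strings.
function Test-XncRuleMatch {
    param($Rule, $Request)
    if ($Rule.Disabled) { return $false }
    foreach ($field in 'User', 'DeviceId', 'DeviceType', 'UserAgent') {
        if ($Request.$field -notmatch "^(?:$($Rule.$field))$") { return $false }
    }
    return $true
}

# Groups are evaluated in the order given, mirroring the GroupRef order in
# config.xml: the first group containing a matching rule decides. The policy
# mode supplies the implicit decision when no rule matches.
function Resolve-XncAccess {
    param(
        [Parameter(Mandatory)] $Request,
        [Parameter(Mandatory)] [object[]]$Groups,   # each: @{ Id; Action; Rules }
        [ValidateSet('AllowAll', 'DenyAll', 'StaticBlock', 'StaticPermit')]
        [string]$Mode = 'StaticBlock'
    )
    if ($Mode -eq 'AllowAll') { return [pscustomobject]@{ Decision = 'Allow'; MatchedBy = 'policy mode' } }
    if ($Mode -eq 'DenyAll')  { return [pscustomobject]@{ Decision = 'Block'; MatchedBy = 'policy mode' } }
    foreach ($group in $Groups) {
        foreach ($rule in $group.Rules) {
            if (Test-XncRuleMatch -Rule $rule -Request $Request) {
                return [pscustomobject]@{ Decision = $group.Action; MatchedBy = $group.Id }
            }
        }
    }
    $implicit = if ($Mode -eq 'StaticBlock') { 'Block' } else { 'Allow' }
    [pscustomobject]@{ Decision = $implicit; MatchedBy = 'implicit (no rule matched)' }
}

# Constructed sample data, not taken from a real deployment.
$allowGroup = @{ Id = 'AllowGroup'; Action = 'Allow'; Rules = @(
    (New-XncRule -User 'CORP\\alice'),          # one user, any device
    (New-XncRule -DeviceType 'iPad')            # every iPad
) }
$denyGroup = @{ Id = 'DenyGroup'; Action = 'Block'; Rules = @(
    (New-XncRule -UserAgent 'Apple-iPad.*/1002\..*'),   # hypothetical: an iOS build to keep off the CAS
    (New-XncRule -DeviceId 'ApplDNPK[0-9A-Z]+')         # hypothetical: a known ActiveSync ID prefix
) }
$request = [pscustomobject]@{
    User = 'CORP\alice'; DeviceId = 'ApplDNPKABCDEF'
    DeviceType = 'iPad'; UserAgent = 'Apple-iPad3C1/1002.329'
}

# Default GroupRef order (AllowGroup before DenyGroup): the request matches a
# rule in both groups, and Allow wins because AllowGroup is ranked first.
Resolve-XncAccess -Request $request -Groups @($allowGroup, $denyGroup) -Mode StaticBlock
# Reversed GroupRef order: the same request is blocked.
Resolve-XncAccess -Request $request -Groups @($denyGroup, $allowGroup) -Mode StaticBlock
# A device matching no rule takes the mode's implicit decision (Block in this mode).
$unknown = [pscustomobject]@{ User = 'CORP\bob'; DeviceId = 'androidc123'; DeviceType = 'Android'; UserAgent = 'Android/4.3' }
Resolve-XncAccess -Request $unknown -Groups @($allowGroup, $denyGroup) -Mode StaticBlock
```

The third call is the case to keep in mind for Android: when Device Manager cannot supply a unique ActiveSync ID, only a static rule on DeviceType or UserAgent, or the mode's implicit decision, determines the outcome. The Simulator tab performs the same exercise against the real configuration, so values read from the Log tab can be replayed there before a rule is put into production.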
Choosing Filters for XenMobile NetScaler Connector
Blacklisted Apps. Allows or denies devices based on the Device List defined by Blacklist policies and the presence of blacklisted apps.
Whitelisted Apps only. Allows or denies devices based on the Device List defined by Whitelist policies and the presence of non-whitelisted apps.
Unmanaged Devices. Creates a Device List of all devices in the Device Manager database. XenMobile NetScaler Connector must be deployed in a Block mode for this filter to be effective, so that devices not on the list (unmanaged devices) are blocked.
Rooted Android / Jailbroken iOS Devices. Creates a Device List of all devices flagged as rooted or jailbroken and allows or denies based on that status.
Out of Compliance Devices. Allows you to deny or allow devices that meet your own internal IT compliance criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, a Boolean flag that is either True or False. (You can create this property manually and set its value, or you can use Automated Actions to create the property on a device when the device does or does not meet specific criteria.)
Out of Compliance = True. The device does not meet the compliance standards and policy definitions set by your IT department and is out of compliance.
Out of Compliance = False. The device meets the compliance standards and policy definitions set by your IT department and is compliant.
Noncompliant password. Creates a Device List of all devices that do not have a passcode set on the device.
Revoked Status. Creates a Device List of all revoked devices and allows or denies based on revoked status.
Inactive devices. Creates a Device List of devices that have not communicated with Device Manager within a specified period of time and are therefore considered inactive, and allows or denies those devices accordingly.
Anonymous Devices. Allows or denies devices that are enrolled in Device Manager but whose user's identity is unknown. For example, this could be a user who enrolled but whose Active Directory password has since expired, or a user who enrolled with unknown credentials.
Implicit Allow / Deny. Creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies based on that list. The Implicit Allow/Deny option ensures that the XenMobile NetScaler Connector status in the Devices tab is enabled and shows XenMobile NetScaler Connector status for your devices. The Implicit Allow/Deny option also governs all of the other XenMobile NetScaler Connector filters that you have not selected. For example, if Implicit Allow/Deny is set to Allow and only the Blacklisted Apps filter is selected, devices with blacklisted apps are denied (blocked) by XenMobile NetScaler Connector, while all other devices are allowed.
The results show you how your policies will apply according to the rules you have configured.
Dynamic Access Control for Exchange ActiveSync (EAS) devices. Based on rules defined by XenMobile Device Manager and/or XenMobile Mail Manager, EAS devices can automatically be allowed or blocked access to Exchange services.
Provides the ability for Device Manager to access EAS device partnership information provided by Exchange. This allows Device Manager to view and manage EAS devices that have never been enrolled in Device Manager.
Provides the ability for Device Manager to perform an EAS Wipe on a mobile device.
Provides the ability for Device Manager to access information about BlackBerry devices and to perform control operations such as Wipe and ResetPassword.
Exchange ActiveSync (EAS) Access Control Management. This component communicates with Device Manager to retrieve EAS policies, and then merges those policies with any locally defined policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies extend the rule set to allow access control by AD Group, User, Device Type, or Device User Agent (generally the mobile platform version).
Remote PowerShell Management. This component schedules and invokes remote PowerShell commands to enact the policy compiled by EAS Access Control Management. It periodically snapshots the EAS database to detect new or changed EAS devices.
Mobile Service Provider. This component provides a web service interface so that Device Manager can query EAS and/or BlackBerry devices and issue control operations, such as Wipe, against them. This capability was previously provided by the ZsmLite\ZMSP products.
Microsoft SQL Server 2008 or 2012, Microsoft SQL Server Express 2008 or 2012, or Microsoft SQL Server 2012 Express LocalDB
Microsoft .NET Framework 4.5
Exchange Server 2010 SP2 or later, or Microsoft Office 365
BlackBerry Enterprise Service, version 5 (optional; required only if managing BlackBerry devices)
Windows Management Framework must be installed
PowerShell V2 is supported
The PowerShell execution policy must be set to RemoteSigned, by running Set-ExecutionPolicy RemoteSigned from the PowerShell command prompt
1 gigabyte (GB) NTFS-formatted local partition with 150 MB of available hard-disk space
Network adapter compatible with the host operating system, for communication with the internal network
VGA or higher-resolution monitor
As documented by Microsoft, to establish a remote connection and run remote commands, the credentials must correspond to a user who is an administrator on the remote machine. Additionally, the Exchange server must be configured to accept remote PowerShell requests over HTTP. Typically, an administrator running the following PowerShell command on the Exchange server is all that is required: WinRM QuickConfig.
Throttling Policy Considerations
Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is 18 on Exchange 2010. Once the connection limit is reached, XMM cannot connect to the Exchange server. While the maximum number of simultaneous connections can be changed with PowerShell, Citrix recommends that you investigate Exchange's throttling policies, as they relate to remote management with PowerShell, and choose settings that suit the demands of your Exchange environment.
The supplied credentials must have been granted the right to connect to the Office 365 server through the remote shell. By default, the Office 365 online administrator account has the requisite privileges.
Throttling Policy Considerations
Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is three on Office 365. Once the connection limit is reached, XMM cannot connect to the Exchange server. While the maximum number of simultaneous connections can be changed with PowerShell, Citrix recommends that you investigate Exchange's throttling policies, as they relate to remote management with PowerShell, and choose settings that suit the demands of your Exchange environment.
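Before pointing XenMobile Mail Manager at a server, it is worth exercising the same path it will use: the execution policy on the XMM host, WinRM on the Exchange side, the remote Exchange shell under the service account, and the concurrency limit that the two throttling sections above describe. The following PowerShell is an added example rather than Citrix code; the host name, service account and the hosted endpoint shown in the commented alternative are placeholders, and the Get-ThrottlingPolicy step applies to on-premises Exchange only, since Office 365 tenants cannot read their throttling policy.

```powershell
# Added pre-flight check for the account XenMobile Mail Manager (XMM) will use.
# Not Citrix code. Host name, account name and the Office 365 endpoint are
# placeholders/assumptions; Get-ThrottlingPolicy is on-premises only.
$exchangeHost = 'exch01.corp.example'            # placeholder: an Exchange 2010 CAS
$cred         = Get-Credential 'CORP\svc-xmm'    # the service account XMM is configured with

# 1. Execution policy on the XMM host: RemoteSigned (or less restrictive) is required.
$policy = Get-ExecutionPolicy
if (@('RemoteSigned', 'Unrestricted', 'Bypass') -notcontains "$policy") {
    throw "Execution policy is $policy; run 'Set-ExecutionPolicy RemoteSigned' from an elevated prompt."
}

# 2. WinRM must answer on the Exchange server (the side where 'WinRM QuickConfig' is run).
Test-WSMan -ComputerName $exchangeHost -ErrorAction Stop | Out-Null

# 3. Open the remote Exchange shell the way XMM does: the Exchange PowerShell
#    virtual directory over HTTP with Kerberos. The commented variant is the
#    Basic-auth hosted endpoint Office 365 used at the time of this release.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$exchangeHost/PowerShell/" `
    -Authentication Kerberos -Credential $cred -ErrorAction Stop
# $session = New-PSSession -ConfigurationName Microsoft.Exchange `
#     -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
#     -Authentication Basic -AllowRedirection -Credential $cred
try {
    Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

    # 4. The account must be able to read (and later change) ActiveSync access
    #    settings; an under-privileged account fails here, not at snapshot time.
    Get-CASMailbox -ResultSize 1 -ErrorAction Stop | Out-Null

    # 5. Concurrency budget: PowerShellMaxConcurrency (18 by default on Exchange
    #    2010) caps simultaneous remote shells per user. XMM, this session and
    #    any admin console signed in as the same account all count against it.
    $throttle = Get-ThrottlingPolicy | Where-Object { $_.IsDefault }
    "Default throttling policy '{0}': PowerShellMaxConcurrency = {1}" -f $throttle.Name, $throttle.PowerShellMaxConcurrency
}
finally {
    # Always release the shell; abandoned sessions hold a slot until they time out.
    Remove-PSSession $session
}
```

Running this interactively as the XMM service account while XMM is also connected consumes one of the account's slots, which is exactly the condition the throttling sections warn about; a dedicated account for XMM, never shared with interactive administration, keeps the budget predictable.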
If .NET Framework 4.5 is not installed, download and install it from www.Microsoft.com. If Microsoft SQL Server is not installed or available remotely, install one of the following:
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Express
Microsoft SQL Server 2012
Microsoft SQL Server 2012 Express
Microsoft SQL Server 2012 Express LocalDB
XMM 'One LDAP Per Domain' Caveat
XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain, a sub domain, and so on), you need to install XMM for each domain. Alternatively, you can set the LDAP connection properties to use the Global Catalog Server, which gives you access to global groups across domains. To do this, modify the connection string from "LDAP:" to "GC:". For example, instead of "LDAP://dc=citrix, dc=com", use "GC://dc=citrix, dc=com".
To install the XenMobile Mail Manager: once the above conditions have been met, double-click the XmmSetup.msi file and follow the onscreen instructions.
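The LDAP:// versus GC:// distinction above can be seen directly with the .NET directory classes PowerShell exposes. The following is an added example, not XMM code: the forest root dc=citrix,dc=com follows the page's own example, the group name MobileUsers is a placeholder, and the filter-escaping helper is included because a group name taken from configuration should never be able to alter the structure of an LDAP filter.

```powershell
# Added illustration of the LDAP:// versus GC:// binding the page describes;
# not XMM code. dc=citrix,dc=com follows the page's example; the group name
# 'MobileUsers' is a placeholder.

# RFC 4515 escaping: a value that comes from configuration or user input must
# not be able to change the filter's structure (LDAP filter injection).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-GroupInDirectory {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$RootPath   # 'LDAP://dc=citrix,dc=com' or 'GC://dc=citrix,dc=com'
    )
    $root = [ADSI]$RootPath
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectCategory=group)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $GroupName)
    $searcher.SearchScope = 'Subtree'
    # Do not chase referrals, so the result reflects only the partition bound to.
    $searcher.ReferralChasing = 'None'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'groupType', 'member'))
    foreach ($result in $searcher.FindAll()) {
        $members = $result.Properties['member']
        # The GC holds a partial attribute set. Universal group membership is
        # replicated to it; global and domain local membership is not, so a
        # GC:// search can find a group yet show none of its members.
        $visible = if ($members) { $members.Count } else { 0 }
        [pscustomobject]@{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            GroupType         = [int]$result.Properties['grouptype'][0]
            VisibleMembers    = $visible
        }
    }
}

# Bound to one domain's naming context: groups in other domains of the forest are not returned.
Find-GroupInDirectory -GroupName 'MobileUsers' -RootPath 'LDAP://dc=citrix,dc=com'
# Bound to the global catalog: one search spans every domain in the forest.
Find-GroupInDirectory -GroupName 'MobileUsers' -RootPath 'GC://dc=citrix,dc=com'
```

The VisibleMembers column is the practical caveat of the GC:// shortcut: it lets a single XMM installation see groups from every domain, but only universal groups carry their membership into the global catalog, so rules keyed on global or domain local groups from another domain still need a per-domain installation.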
Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The matching criteria may match a particular device or a set of devices.
Local Rules
Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:
ActiveSync Device Id. Uniquely identifies a specific device.
Device Type. A set of devices, such as iPad, WP8, or Touchdown.
User Agent. A set of devices identified by platform version, such as iOS/6.1.2.
User. A specific user.
XDM (Device Manager) Rules
XDM rules are defined within XenMobile Device Manager. The product of these rules is delivered to XenMobile Mail Manager and continuously updated in the background. XDM rules can identify devices by properties known to XDM, such as:
Enrolled in Device Manager
Jailbroken (iOS) or rooted (Android)
Forbidden (blacklisted) apps installed
Non-suggested apps installed
Unmanaged
Out of compliance
Noncompliant password
Revoked status
Default Rule
The Default Rule matches the set of all devices. The Default Rule's desired state may be set to Allow, Block, or Unchanged. If Unchanged is selected, XenMobile Mail Manager does not modify the state of any device that is not matched explicitly by a Local or XDM rule.
Rule Evaluation
For each ActiveSync device known to the Exchange server, the rules are evaluated in order: first Local Rules, then XDM Rules, then the Default Rule. If a match is found in any rule, that rule's desired state is enacted for the device and no further rules are evaluated for it. Rule enactment results in a PowerShell command being sent by XenMobile Mail Manager to Exchange to change the access state. However, if the currently known access state of the device already equals the desired state, no action is taken. Whenever the rules or the set of known devices change, the rules are re-evaluated.
Additionally, XenMobile Mail Manager can be configured in Simulation mode. In this mode, PowerShell commands are not issued to modify the access state. Instead, XenMobile Mail Manager records in its database that such an action was simulated.
Note: The order in which Local and XDM rules are evaluated can be configured so that XDM rules are evaluated before Local rules (this requires manual editing of config.xml).
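The evaluation order, the "no action when already in the desired state" rule and the Simulation/PowerShell distinction can be made concrete. The following PowerShell is an added model and not XenMobile Mail Manager code: the device snapshot, the rule sets and the user names are constructed sample data, the rule shape is an assumption, and the Set-CASMailbox call is what a tool of this kind would issue per device rather than the exact command XMM emits.

```powershell
# Added model of the evaluation order the page describes; not XenMobile Mail
# Manager code. Local rules, then XDM rules, then the Default rule; first match
# wins; nothing is sent when the device is already in the desired state;
# Simulation mode records instead of executing. All sample data is constructed.

function New-XmmRule {
    param(
        [ValidateSet('Local', 'XDM')][string]$Source,
        [ValidateSet('Allow', 'Block')][string]$Access,
        [scriptblock]$Match,     # receives one device object, returns $true/$false
        [string]$Name
    )
    [pscustomobject]@{ Source = $Source; Access = $Access; Match = $Match; Name = $Name }
}

function Resolve-XmmDesiredState {
    param(
        $Device,
        [object[]]$LocalRules = @(),
        [object[]]$XdmRules = @(),
        [ValidateSet('Allow', 'Block', 'Unchanged')][string]$DefaultAccess = 'Unchanged',
        [switch]$XdmFirst    # the config.xml option that evaluates XDM rules before Local rules
    )
    $ordered = if ($XdmFirst) { $XdmRules + $LocalRules } else { $LocalRules + $XdmRules }
    foreach ($rule in $ordered) {
        if (& $rule.Match $Device) {
            return [pscustomobject]@{ Access = $rule.Access; Reason = "$($rule.Source) rule '$($rule.Name)'" }
        }
    }
    [pscustomobject]@{ Access = $DefaultAccess; Reason = 'Default rule' }
}

function Invoke-XmmEnforcement {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [object[]]$LocalRules = @(),
        [object[]]$XdmRules = @(),
        [ValidateSet('Allow', 'Block', 'Unchanged')][string]$DefaultAccess = 'Unchanged',
        [ValidateSet('Simulation', 'PowerShell')][string]$CommandMode = 'Simulation'
    )
    # Exchange reports DeviceAccessState as Allowed/Blocked/Quarantined/...; map the
    # two definite states onto the rule vocabulary so equality can be tested.
    $stateMap = @{ Allowed = 'Allow'; Blocked = 'Block' }
    foreach ($device in $Devices) {
        $desired = Resolve-XmmDesiredState -Device $device -LocalRules $LocalRules -XdmRules $XdmRules -DefaultAccess $DefaultAccess
        $current = $stateMap[$device.AccessState]
        if ($desired.Access -eq 'Unchanged' -or $desired.Access -eq $current) {
            [pscustomobject]@{ Device = $device.DeviceId; Desired = $desired.Access; Action = 'none'; Reason = $desired.Reason }
            continue
        }
        # Exchange keeps per-mailbox allow and block lists of ActiveSync device IDs.
        # (A production tool also removes the ID from the opposite list.)
        $listParam = if ($desired.Access -eq 'Block') { 'ActiveSyncBlockedDeviceIDs' } else { 'ActiveSyncAllowedDeviceIDs' }
        $splat = @{ Identity = $device.User; $listParam = @{ Add = $device.DeviceId } }
        $commandText = "Set-CASMailbox -Identity '$($device.User)' -$listParam @{Add='$($device.DeviceId)'}"
        if ($CommandMode -eq 'PowerShell') {
            Set-CASMailbox @splat -ErrorAction Stop    # requires an imported Exchange remote session
        }
        [pscustomobject]@{ Device = $device.DeviceId; Desired = $desired.Access; Action = "$CommandMode`: $commandText"; Reason = $desired.Reason }
    }
}

# Constructed snapshot of what an EAS device query would return (sample data).
$devices = @(
    # alice: enrolled, clean, already Allowed in Exchange
    [pscustomobject]@{ User = 'alice@corp.example'; DeviceId = 'ApplDNPK1111'; DeviceType = 'iPad';    Jailbroken = $false; Enrolled = $true;  AccessState = 'Allowed' },
    # bob: enrolled but flagged rooted by Device Manager, currently Allowed
    [pscustomobject]@{ User = 'bob@corp.example';   DeviceId = 'androidc2222'; DeviceType = 'Android'; Jailbroken = $true;  Enrolled = $true;  AccessState = 'Allowed' },
    # carol: WP8, not enrolled, already Blocked in Exchange
    [pscustomobject]@{ User = 'carol@corp.example'; DeviceId = 'WP8ABC3333';   DeviceType = 'WP8';     Jailbroken = $false; Enrolled = $false; AccessState = 'Blocked' }
)
$localRules = @(
    (New-XmmRule -Source Local -Access Block -Name 'Block WP8' -Match { param($d) $d.DeviceType -eq 'WP8' })
)
$xdmRules = @(
    (New-XmmRule -Source XDM -Access Block -Name 'Rooted or jailbroken' -Match { param($d) $d.Jailbroken }),
    (New-XmmRule -Source XDM -Access Allow -Name 'Enrolled'             -Match { param($d) $d.Enrolled })
)

Invoke-XmmEnforcement -Devices $devices -LocalRules $localRules -XdmRules $xdmRules -DefaultAccess Unchanged -CommandMode Simulation |
    Format-Table Device, Desired, Action, Reason -AutoSize
```

Switching -CommandMode to PowerShell is the only change between rehearsing and enforcing, which mirrors the ActiveSync Command Mode setting described later; the recorded Action column is what the Monitor tab would show for a simulated run. Note that a Default rule of Block, rather than Unchanged, would also issue commands for every device the Local and XDM rules leave unmatched.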
In Simulation mode, XenMobile Mail Manager does not issue PowerShell commands, but logs the intended command and intended outcome to its database. You can then use the Monitor tab to see what would have occurred if PowerShell mode had been enabled. In PowerShell mode, XenMobile Mail Manager issues PowerShell commands to enact the desired access control.
To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under ActiveSync Access Control Rules on the Default Rule tab, select either Simulation or PowerShell from the ActiveSync Command Mode drop-down list.
Also, the history of all snapshots is available under the Configure tab:
In the Exchange tab, click the Info icon for the desired Exchange server. Under the MSP tab, click the Info icon for the desired Blackberry server. Snapshot history shows when the snapshot took place, how long it took, how many devices were detected and any errors that occurred.
SaaS applications. Active Directory-based user identity creation and management, with SAML-based single sign-on (SSO).
Intranet web applications. HTTP form-based SSO by using password storage.
iOS and Android apps. A unified store to which you can install MDX apps for iOS and Android devices, and security management for MDX policies, encompassing WorxMail and WorxWeb. You can wrap iOS and Android apps with the MDX Toolkit to create MDX apps.
ShareFile access. Delivery of files by configuring ShareFile settings and the ShareFile application, which provides seamless SAML SSO, and Active Directory-based ShareFile service user account management.
In This Section
The topics in this section provide information about installing and configuring App Controller 2.9.
Install XenServer or VMware ESXi on a computer with adequate hardware resources. Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere connects to the XenServer or VMware ESXi host through the network.
Install Windows Server 2008 R2 or Windows Server 2012 with the Hyper-V role enabled on a computer with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host.
This section details the following steps for installing App Controller on XenServer, Hyper-V, or VMware:
Installing the VM on XenServer and setting the properties for App Controller in XenCenter.
Installing App Controller on VMware ESXi and using vSphere to allocate virtual hardware components to App Controller, such as memory and virtual CPUs.
Installing App Controller on Hyper-V.
Configuring the IP address and subnet mask, default gateway, DNS servers, and Network Time Protocol (NTP) servers for App Controller by using the XenCenter or vSphere command-line console.
When you finish configuring App Controller network settings by using the command-line console, you log on to the App Controller management console. Then, you configure the following network settings:
Active Directory configuration from which you obtain groups for App Controller
Note: After you complete the Configure wizard, you can configure settings for additional Active Directory servers in your network.
Optionally, you can change the settings you configured by using the command-line console in the wizard. These settings include:
App Controller system settings, such as IP address, subnet mask, and the default gateway
After you configure App Controller system settings, to complete the configuration, App Controller retrieves the groups and members of the groups from the specified Base DN in Active Directory. When the retrieval is complete, App Controller logs off. You can log on again to continue configuring App Controller features.
Allow the virtual machine to start and stop automatically with the system.
Set the startup order for App Controller.
Set the memory size to 4096 MB.
Set the number of VCPUs to 2.
For more information about VMWare ESXi and the vSphere client, see the manufacturer's documentation.
Allow the virtual machine to start and stop automatically with the system.
Set the startup order for App Controller.
Set the memory size to 4096 MB.
Set the number of VCPUs to 2.
For more information about Microsoft Hyper-V and the Hyper-V Manager, see the manufacturer's documentation.
Configuring App Controller for the First Time
Administrator password
Note: Make sure that the administrator email address is part of the base DN that you configure in the Active Directory settings.
App Controller host name, IP address, subnet mask, and default gateway
Note: You can also configure a different IP address for App Controller here if you want one other than what you configured by using the command-line console.
Active Directory settings for one server
Certificates
Note: In the Configure wizard, you can add, create, or remove certificates on the Active Directory page. The option to configure certificates from the Active Directory page only appears when you configure App Controller for the first time in the management console. After you run the Configure wizard for the first time, you manage certificates from the Settings tab in the management console.
Network Time Protocol (NTP) server and time zone
DNS server settings
Workflow email settings
Important: For workflows to work correctly, when you add users to Active Directory, you must enter the first name, last name, and email address in the user properties. If users in Active Directory are not configured with this information, App Controller cannot synchronize them, and when they attempt to start an app they receive a message that they are not authorized to use it.
After you configure and save the remaining network settings in the management console, App Controller retrieves users from Active Directory and then logs off. If you changed the password, log on again with the new password.
Important: If you have a large number of users or groups, it might take a few hours for App Controller to retrieve users. You cannot make any changes to App Controller until this process is complete. If you close the browser, interrupt the synchronization, and then restart the Configure wizard in another web browser, your settings are not saved. Citrix recommends that you allow the Active Directory synchronization to complete. When you configure the App Controller settings for the first time, you can enter a group distinguished name (DN) that speeds the synchronization of Active Directory membership with App Controller.
If you need to make changes to system settings at a later time, you can access the Settings tab. You can configure or reconfigure the following on the Settings tab:
Active Directory settings, such as IP address, administrator email and password, and base DN
Administrator settings, which allow you to change the password for the management console and the command-line console
Support options, which allow you to configure GoToAssist user assistance settings
Branding, which allows you to upload your own Portable Network Graphics (PNG) images to mobile devices
Certificates, where you can install root, intermediate, and server certificates on App Controller
Deployment settings for StoreFront or NetScaler Gateway
Domain Name Server, such as a DNS or WINS server
GoToAssist settings for email or phone support
Log transfer, which sends logs to a server in your network
Network connectivity, which holds the App Controller network settings
NTP server, which contains the settings for a Network Time Protocol server
Receiver email template, from which you can send emails to your users to download Receiver
Receiver updates
Release management, which allows you to upload software upgrades, patches, and application connectors
Store credentials, where you can save the user name, password, and device ID for the Google Play Store
SysLog server settings
Workflow email, which holds the administrator email settings for workflows
XenMobile MDM, where you configure connection settings to XenMobile Device Manager
Refresh users from Active Directory.
Add roles to map which Active Directory groups receive access to applications.
Add web and SaaS applications to App Controller from the provided connector catalog.
Upload mobile apps to App Controller.
View a user device inventory in which you can erase and stop erasing application data and documents from a device, lock and unlock a device, or delete a device from the inventory.
Retrieve mobile app information by configuring mobile links.
Add links to commonly used web sites, including Internet and intranet sites.
Create access to applications that are not in the catalog for SSO by using either HTTP Federated Formfill or SAML connectors.
Download certificates for use with some SAML applications.
Create user accounts automatically based on Active Directory group membership.
Assign users to applications based on their role within the organization.
Add categories to which you can add applications.
Connect StoreFront to App Controller. When users connect with Citrix Receiver, they can see the application list, subscribe to applications, and access applications seamlessly.
Configure ShareFile settings for user data and documents.
Download a CR (.cr) file that configures Receiver on the user device. You can send this file to users in an email. The .cr file contains all of the settings that Receiver needs to connect to App Controller.
Device inventory columns and actions shown in the management console: Upgrade, Role details, Lock, Unlock, Erase, Stop erasing, Apps, Workflow details, User.
With the Configure wizard, when you log on to the App Controller management console for the first time. This domain is considered the default domain.
On the Settings tab, where you can configure multiple Active Directory domains.
Create roles in App Controller that map to one or more Active Directory groups within multiple domains.
Create and remove user application accounts based on their Active Directory group membership, by using applications assigned to roles.
Create workflows for manager approval of user accounts for applications.
Important: When you add users to Active Directory, you must enter the first name and last name in the user properties. If users in Active Directory are not configured with this information, App Controller cannot synchronize them, and when they attempt to start an app they receive a message that they are not authorized to use it. The administrator account must be recognized by every Active Directory domain you configure in App Controller.
When App Controller synchronizes with Active Directory, either after the first time you configure Active Directory in App Controller or when you manually synchronize, the time it takes depends on the size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this time, you cannot configure any other Active Directory settings. If you enter a group DN when you first configure Active Directory, the synchronization completes more quickly. For example, you enter cn=Users,dc=servername,dc=net, where cn=Users is the group base DN and dc=servername,dc=net are the domain components of the Active Directory domain. When the initial synchronization is finished, App Controller logs off from the management console and returns to the management console logon page.
Note: If you provide the root-level base DN, such as dc=mycompany,dc=com, App Controller also retrieves users in child domains. To prevent retrieval of child domain users, provide specific user base DN paths that relate to the parent domain.
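The Important note above describes a failure that surfaces only after a long synchronization: users without a first name, last name or email address are skipped and later see "not authorized" when starting an app, and UPN logon is recommended once several domains are configured. The following PowerShell is an added check, not App Controller code; it uses the ActiveDirectory module (RSAT), takes base DNs in the same semicolon-separated form App Controller accepts, and the DNs and server name are placeholders.

```powershell
# Added readiness check, not App Controller code, for the Active Directory
# requirements the page states: synchronized users need a first name, last name
# and email, and UPN logon is recommended with multiple domains. Requires the
# ActiveDirectory module (RSAT). Base DNs and the server name are placeholders.
function Get-AppControllerSyncProblems {
    param(
        # One or more user base DNs separated by ';', the format App Controller uses.
        [Parameter(Mandatory)][string]$UserBaseDN,
        [string]$Server   # optional domain controller; omit to use the default
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($baseDn in ($UserBaseDN -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $query = @{
            SearchBase  = $baseDn
            SearchScope = 'Subtree'
            Filter      = '*'
            Properties  = 'mail'   # GivenName, Surname, UserPrincipalName and Enabled come back by default
        }
        if ($Server) { $query['Server'] = $Server }
        foreach ($user in Get-ADUser @query) {
            if (-not $user.Enabled) { continue }   # disabled accounts are not expected to log on
            $missing = @()
            if (-not $user.GivenName)         { $missing += 'first name (givenName)' }
            if (-not $user.Surname)           { $missing += 'last name (sn)' }
            if (-not $user.mail)              { $missing += 'email (mail)' }
            if (-not $user.UserPrincipalName) { $missing += 'UPN (userPrincipalName)' }
            if ($missing.Count -gt 0) {
                [pscustomobject]@{
                    BaseDN            = $baseDn
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                    Missing           = $missing -join ', '
                }
            }
        }
    }
}

# Every enabled user under either base DN that App Controller would fail to synchronize:
Get-AppControllerSyncProblems -UserBaseDN 'cn=Users,dc=mycompany,dc=net;ou=Contractors,dc=mycompany,dc=net' |
    Format-Table SamAccountName, Missing -AutoSize
```

Run it against each base DN you intend to enter, and against a domain controller of each configured domain, before starting the initial synchronization; correcting attributes afterwards means waiting for the periodic or a manual synchronization to pick them up.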
Adding Active Directory Domains to App Controller
When you configure Active Directory domains, you provide the server information, including:
IP address
Port
Domain name
Service account
Password
User base DN
Group base DN
SSL support
You can configure the following:
One Active Directory instance per domain. You can specify multiple base DNs in each domain; separate each base DN with a semicolon (;).
Two domains that belong to different Windows Server trees.
Two domains that belong to different Windows Server forests.
For each domain, the service account you specify must be able to access the base DN for that domain. App Controller does not maintain any internal relationship between managed domains; you manage multiple Active Directory domains as separate instances. When you configure multiple Active Directory domains, Citrix recommends that you use the User Principal Name (UPN) so that the domain name is included. If you configure multiple domains, keep the following in mind:
Only users of the default domain can log on directly to App Controller. Logons from users in other domains must be authenticated by NetScaler Gateway.
Domains configured in App Controller and NetScaler Gateway must match.
Domains configured in App Controller and StoreFront must match when StoreFront is used as the authentication server.
If StoreFront is used as the authentication server, the domain information must be included in the token validation response from StoreFront. You can use sAMAccountName (domain\user name) or UPN (user@domain) for user logon.
You can delete one domain at a time, and you cannot delete the default domain. When you delete a domain, App Controller marks all of the users in the domain as terminated users. These users lose access to role-based apps. App Controller also deletes pending workflows and provisioning requests. User accounts reconciled to terminated users are processed according to the app configuration (ignore, disable, or delete).
Important: If you delete a domain, you cannot add the same domain to App Controller again.
To remove the warning message, configure a subdomain as part of the base DN. For example, enter cn=Users, dc=mycompany,dc=net.
Adding and Synchronizing Active Directory Domains
Initial synchronization. When you log on to the management console for the first time, you configure Active Directory settings in the initial wizard along with network and email settings. When you save the settings, App Controller synchronizes with Active Directory.
Periodic synchronization. App Controller contacts Active Directory every five minutes to determine whether there are any changes. App Controller looks for added, removed, and modified users, for group membership changes, and for new and removed groups. Periodic synchronization runs only for domains that have previously retrieved users and groups; the earlier synchronization must have succeeded for the periodic synchronization to run.
Manual synchronization. You can synchronize with Active Directory at any time by using the synchronize icon next to the Active Directory domain in the App Controller management console. When you synchronize, App Controller updates all users from Active Directory for that domain and determines any changes to the user records, including group membership. This synchronization can take as long as the initial synchronization and depends on the size of Active Directory. You can start synchronization for all managed domains; the App Controller synchronization process runs in the background, one domain after another. When you manually synchronize, App Controller displays a progress bar so that you can track the progress.
1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click Active Directory.
3. In the details pane, under Actions, click the Sync icon for the domain with which you want to synchronize.