
Installing XenMobile Components

2013-12-19 18:22:26 UTC. 2013 Citrix Systems, Inc. All rights reserved.

Contents

Installing XenMobile Components
Downloading XenMobile Product Software
Installing NetScaler Gateway 10.1 in Your Network
Installing XenMobile MDM Edition
Installing Device Manager
Device Manager 8.6
Installing Patches for Device Manager
Choosing Device Manager Components to Install
Installing Device Manager
Configuring Active Directory on Device Manager
Upgrading Device Manager to Version 8.6
Backing Up and Restoring Device Manager
To perform a full manual backup of Device Manager server
To perform a directory and native SQL backup of Device Manager server
XenMobile NetScaler Connector
XenMobile NetScaler Connector
XenMobile NetScaler Connector 8.5
About This Release
Key Features
XenMobile NetScaler Connector System Requirements
Deploying XenMobile NetScaler Connector
To set up listening addresses for the XNC web service
To configure device access control policies
To configure communication with the Device Manager server
Deploying XNC for Redundancy and Scalability
Installing XenMobile NetScaler Connector
To install XenMobile NetScaler Connector
To uninstall XenMobile NetScaler Connector
Managing XenMobile NetScaler Connector
Configuring XenMobile NetScaler Connector
Choosing a Security Model for XenMobile NetScaler Connector
Configuring XenMobile NetScaler Connector Policy Modes
To configure static rules
To configure dynamic rules
To configure custom policies by editing the XenMobile NetScaler Connector XML file
Configuring the XenMobile NetScaler Connector XML File
To import a policy from Device Manager
To configure a connection to XenMobile NetScaler Connector
Choosing Filters for XenMobile NetScaler Connector
To simulate ActiveSync traffic
Monitoring XenMobile NetScaler Connector
XenMobile Mail Manager
XenMobile Mail Manager
XenMobile Mail Manager
XenMobile Mail Manager 8.5
XenMobile Mail Manager Components
XenMobile Mail Manager System and Software Requirements
Onsite Exchange Requirements
Office 365 Exchange Requirements
Installing XenMobile Mail Manager
Configuring XenMobile Mail Manager
To configure the Exchange Server
To configure database properties
To configure a Mobile Service Provider
To configure the Mobile Service Provider hostname in Device Manager
To configure Blackberry BES servers (optional)
XenMobile Mail Manager and Exchange 'Quarantine' Mode
Understanding XenMobile Mail Manager Access Rules
To configure Default access control rules
To configure XDM (Device Manager) rules
To configure local rules
Simulation vs Powershell Mode
Monitoring XenMobile Mail Manager
To monitor ActiveSync devices
To monitor BlackBerry devices
To view snapshot history
Installing App Controller
Installing App Controller 2.9
Getting Ready to Install App Controller
Installing App Controller on XenServer
Installing App Controller by Using VMware ESXi
Installing App Controller on Microsoft Hyper-V
Setting the App Controller IP Address for the First Time
Configuring App Controller for the First Time
Icons in the AppController Management Console
Adding Active Directory Domains to App Controller
Adding and Synchronizing Active Directory Domains
Installing the MDX Toolkit

Installing XenMobile Components


Citrix recommends that you install XenMobile components in the following order:

1. NetScaler or NetScaler Gateway.
2. Device Manager.
3. XenMobile NetScaler Connector (XNC).
4. App Controller.
5. StoreFront (optional). For details, see the StoreFront documentation in eDocs.
6. ShareFile (optional). For details, see the ShareFile documentation in eDocs.

After you install the XenMobile components, you can use the MDX Toolkit to wrap .ipa and .apk files. Then, you can upload the MDX files to App Controller for users to download and install.

This section includes installation information about the following:

- NetScaler Gateway
- Device Manager
- XNC
- Mobile Mail Manager
- App Controller
- MDX Toolkit

Downloading XenMobile Product Software


You can download product software from the Citrix web site. You need to log on to the site and then click the Downloads link on the Citrix web page. You can then select the product and type you want to download. For example, the following figure shows the XenMobile product software drop-down list:

When you click Find, a page listing the available downloads appears with the most recent version at the top of the list:

You can select your software from the available list of options. For example, if you select XenMobile 8.6 Enterprise Edition, you can download the software for Device Manager, App Controller, NetScaler Gateway, and other XenMobile components as shown in the following figure:

To download the software for NetScaler Gateway


You can use this procedure to download the NetScaler Gateway virtual appliance or software upgrades to your existing NetScaler Gateway appliance.

1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select NetScaler Gateway.
5. In Select Download Type, select Product Software and then click Find. You can also select Virtual Appliances to download NetScaler VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.
6. On the NetScaler Gateway page, expand NetScaler Gateway or Access Gateway.
7. Click the appliance software version you want to download.
8. On the appliance software page for the version you want to download, select the virtual appliance and then click Download.
9. Follow the instructions on your screen to download the software.

To download the software for Device Manager


1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 MDM Edition.
7. Under XenMobile Device Manager, click Download next to XenMobile Device Manager 8.6.
8. Follow the instructions on your screen to download the software.

To download the software for App Controller


1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 App Edition.
7. On the XenMobile 8.6 App Edition page, click the appropriate App Controller virtual image in order to install App Controller on XenServer, VMware, or Hyper-V.
8. Follow the instructions on your screen to download the software.

To download the MDX Toolkit


You can run the MDX Toolkit for wrapping iOS and Android apps on Mac OS X Version 10.7 (Lion), Version 10.8 (Mountain Lion), or Version 10.9 (Mavericks).

1. Go to the Citrix web site.
2. Click My Account and log on.
3. Click Downloads.
4. Under Find Downloads, select XenMobile.
5. In Select Download Type, select Product Software and then click Find.
6. On the XenMobile Product Software page, click XenMobile 8.6 Enterprise Edition.
7. On the XenMobile 8.6 Enterprise Edition page, expand Worx Mobile Apps.
8. Locate MDX Toolkit & SDK for iOS and Android Build 2.2.321.
9. Click Download.
10. Follow the instructions on your screen to download the software.

Installing NetScaler Gateway 10.1 in Your Network


NetScaler Gateway allows remote users to securely access internal network resources. Users can connect with any device to access their applications, email, and file shares in the internal network. You can deploy the following models in your network:

- NetScaler SDX - a hardware platform on which virtual instances on NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.
- NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.
- NetScaler VPX - a virtual machine that can handle up to 875 user connections.

Before you install either the physical appliance or the virtual appliance, complete the NetScaler information in the XenMobile Solution Pre-Installation Checklist. After you install the physical appliance by following the instructions in Installing the Model MPX Appliance, you turn on the appliance and perform the initial configuration. This includes configuring:

- NetScaler Gateway IP address (NSIP)
- Subnet IP address (SNIP)
- Default gateway
- DNS servers
- Host name
- Licenses
- Certificates that include the fully qualified domain name (FQDN)

For more information about NetScaler Gateway, see the following topics in Citrix eDocs:

- About the NetScaler Gateway MPX Appliance
- NetScaler Gateway Virtual Appliances
- Performing the Initial Configuration of the MPX Appliance
- Configuring NetScaler VPX for the First Time
- NetScaler Gateway 10.1

Installing XenMobile MDM Edition


XenMobile MDM is a robust mobile device management solution that delivers role-based management, configuration, and security for both corporate and employee-owned devices. Upon user device enrollment, IT can provision policies and apps to devices automatically, blacklist or whitelist apps, detect and protect against jailbroken or rooted devices, and wipe or selectively wipe a device that is lost, stolen, or out of compliance. Users can use any device they choose, while IT can ensure compliance of corporate assets and secure corporate content on the device. With XenMobile MDM, you can do the following:

- Configure device settings, email and applications, policies, and device and application restrictions.
- Distribute internally built and externally available apps to users' iOS, Android, Samsung, Samsung Knox, HTC, Windows Phone 8, and Windows 8 devices.
- Provision devices simply and rapidly by enabling user self-service enrollment and by distributing configuration, policy, and application packages in an automated, role-based manner over-the-air.
- Secure devices, applications, and data by setting authentication and access policies, blacklisting and whitelisting applications, enabling application tunnels, and enforcing security policies at the gateway.
- Support users by remotely locating, locking, and wiping devices in the event of loss or theft, as well as remotely troubleshooting device and service issues.
- Monitor devices, infrastructure, service, and telecom expenses.
- Decommission devices by identifying inactive devices and wiping or selectively wiping devices upon employee departure.
- Run reports on user and device actions.

XenMobile MDM contains the following products:

- XenMobile Device Manager allows you to manage mobile devices, set mobile policies and compliance rules, gain visibility to the mobile network, provide control over mobile apps and data, and shield your network from mobile threats. With a "one-click" dashboard, simple administrative console, and real-time integration with Microsoft Active Directory and other enterprise infrastructure like PKI and Security Information and Event Management (SIEM) systems, Device Manager simplifies the management of mobile devices.
- The Secure Mobile Gateway provides access control for email and calendar services. You can configure Secure Mobile Gateway to allow or block access to connection requests from devices based on device status, app blacklists or whitelists, and a host of other compliance conditions. The status of requests blocked by Secure Mobile Gateway can be immediately viewed on the Device Manager dashboard so that you can take appropriate action.
- XenMobile Multi-Tenant Console is a web console that enables service providers and organizations to administer several physical servers running Device Manager from a single site.
- XenMobile Remote Support application provides several tools to assist in the inspection, troubleshooting, and modification of remotely controlled handheld devices.
- XenMobile ZSM Lite is a component that enables access to query Blackberry and ActiveSync environments and provides the device and user information to Device Manager through the XenMobile Mobile Service Provider.

Installing Device Manager


You can install Device Manager 8.6 on Windows Server. Before you install Device Manager, you must install the Java components, which include:

- Oracle Java SE 7 JDK (JDK Download Edition) update 11 and later
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7

For more information about the Java requirements for Device Manager, see System Requirements. After you download Device Manager to the Windows Server, you run the installation program. This section describes the selections available in the installation program and how to configure the settings.

Installing Patches for Device Manager


If a patch has been issued to resolve a problem that applies to your situation and Device Manager implementation, you may download the appropriate patch(es) for your system. Patches follow the naming convention of 'a_patch_###_xxxx.jar' where ### signs are the version release number for Device Manager and xxxx refers to the patch number. To install the patch, copy the file 'a_patch_###_xxxx.jar' to the following directory %systemroot%\Program Files (x86)\Zenprise\ZenpriseDevice Manager\tomcat\webapps\zdm\WEB-INF\lib or the directory in which you installed Device Manager. After you copy the file to the directory, restart the Device Manager service.


Choosing Device Manager Components to Install


If you are installing Device Manager on your computer for the first time, select Full install, which installs:

- The Device Manager server
- The Device Manager repository database (PostgreSQL) and automatic creation of the database and requisite tables
- The integrated web application server hosting the Device Manager server

Note: If you install an Application Server prior to installing Device Manager, remove Application Server before installing Device Manager.

Installing Databases
Device Manager includes the PostgreSQL database server installation. If you installed a SQL database server on your computer or another server, clear the PostgreSQL check box in the list of components during the installation wizard. The install type switches automatically to Custom. When using a Microsoft SQL Server, refer to the installation instructions provided by Microsoft for the SQL Server installation. If you do not clear the check box, the PostgreSQL installation wizard appears with configuration instructions.

If you install PostgreSQL, an installation wizard appears. The installation program automatically selects all the default PostgreSQL options required to install a Device Manager server. However, you can check any additional options you want to install. You can also change the installation location with the Browse button.

During installation of PostgreSQL, define the service account that runs the PostgreSQL server. The Service name, Account name, and Account domain fields are already completed. You need to enter a password for the service account. If the user account does not exist, you receive a prompt to confirm creation of the account. In addition, if the password you chose is not a strong password, then you are prompted to replace the password with a random strong password. Click No in the message dialog box to keep the password you originally entered.

Installing License Files


After you configure the PostgreSQL database, you can then install licenses. If you are using a different SQL database and did not install PostgreSQL, after choosing the initial components and installation location, you install the licenses.

Installing Device Manager


Before you install Device Manager, make sure you do the following:

- Disable TCP/IP6 on the network adapter and in the registry. For more information, see How to disable IP version 6 or its specific components in Windows on the Microsoft web site.
- Disable the User Account Control setting in Control Panel.

Caution: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

The setup wizard includes several discrete tasks. You need to complete all of the tasks in this topic in consecutive order to complete the entire wizard. The installation tasks include:

- Device Manager components
- Installation location
- Microsoft SQL Server database installation
- Database cluster settings
- Licenses
- Device Manager and database communication
- Crystal Reports keycode
- HTTP and HTTPS connectors
- Root and server certificates
- Apple Push Notification Service (APNS) certificates
- Remote support settings
- Active Directory service account for managing users

To select Device Manager components


After you download the software package to your computer, navigate to the folder and then double-click the Device Manager executable installation file to start the Setup Wizard. When the wizard starts, you set the language and then read and accept the End User License Agreement. After these two steps, on the Choose Components page, click to clear Database server to disable installation of the PostgreSQL database.

Important: Citrix recommends that you use Microsoft SQL Server instead of the PostgreSQL database that comes with Device Manager. The PostgreSQL database should be used for demonstration purposes only.

After you select your components, on the Choose Install Location page, leave the default install location and then click Install. Citrix recommends that you use the default location to install Device Manager.

To install the license on Device Manager


Device Manager requires a license. For more information about licenses for Device Manager, see Obtaining and Installing Licenses. You upload the .crt license file from your computer. When the upload is complete, the license details appear in the XenMobile Device Manager License dialog box.

To test the connection to the database from Device Manager


You need to configure the Device Manager settings to connect to your database. In the Configure database connection dialog box, you select the SQL Server database. You provide the database name or use the default value. You need to complete the following information, as shown in the following figure:

- In Host name or IP address, enter the fully qualified domain name (FQDN) or IP address of SQL Server.
- In Port, enter the port number. The default port number for SQL Server is 1433.
- In User name, enter a user name for the database.
- In Password, enter the password to connect to the SQL Server database.
- In Database name, enter the database name or leave the default value.

After you configure the database connection, you then enter the keycode for Crystal Reports.

To configure and register Crystal Reports


With Crystal Reports, you can process the mobile device connection and session logs to generate activity reports online by using the Device Manager web console, or offline from the Device Manager repository database. The reports include a watermark with registration information. To remove the watermark, you need a Crystal Reports Developer Edition license and a keycode for the product. If you did not enter a license serial number during installation, you can define it later by following these steps:

1. Open the crconfig.xml configuration file located in the Device Manager setup folder, which is typically %systemroot%\Program Files\Xenmobile\tomcat\webapps\Device Manager\WEB-INF\classes\crconfig.xml on a Windows Server.
2. Add your serial number by editing the <keycode></keycode> element. For example, if your serial number is XXXX-YYYY-ZZZZ, modify the line as follows:

<keycode>XXXX-YYYY-ZZZZ</keycode>

On the Crystal Report Java Reporting Components configuration page, to leave a watermark on the reports, leave the keycode blank. Or, to remove the watermark, enter your keycode for the product.

To configure the server connectors


When you configure the connection between the Device Manager agent and the Device Manager server, you can configure the following connectors, which require the same information but serve different purposes:

If you manage iOS devices, select Enable iOS. When you select the check box, the authentication code appears automatically. In Authentication code for applications/tunnels, enter a prefix that Device Manager uses to create authentication keys used by the software. Use a simple alphanumeric word or passphrase. Use mixed case, numbers, and letters only. Then, record this value for use later when you configure the system.

Important: You can only select Enable iOS during installation. If you do not select this option and you want to enable the mode in the future, you must reinstall the application server.

HTTP connector that allows unsecure connections over port 80. You can configure this connector if NetScaler Gateway is installed between the Device Manager server and mobile devices.

HTTPS connector for secure connections over port 443 with a certificate.

HTTPS connector that allows secure connections over port 8443 for device enrollment.

When you configure connectors, you set the following parameters:

- Protocol for secure and unsecure connections (HTTP or HTTPS).
- IP addresses.
- Port settings for the connector. To allow connections over HTTPS that use certificates for authentication, you use port 443. For secure connections without certificates, use port 8443. For unsecure connections, use port 80.
- Maximum concurrent connections defines the total number of user connections that are allowed for each connector.

To configure root and server certificates in Device Manager


Device Manager supports root, server, and APNS certificates. Root certificates enable Device Manager to communicate with other XenMobile components. Server certificates enable secure communication between Device Manager and devices. The installation wizard prompts you to install a root certificate from a Certificate Authority (CA) first and then the server certificate. For each certificate, you provide the following information:

- Keystore file path is the certificate location on your computer. Do not change the default path. The server configuration provides the file path automatically.
- Keystore password and Confirm keystore password are for the private key. Enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, Citrix recommends using separate passwords for the root, server, device, and Web Service certificates. Passwords must have at least eight characters, and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.
- Organizational unit is an optional parameter. Enter a value typically given to the entity or group that has management authority over the certificate.
- Organization is an optional parameter. Enter a value typically given to the entity or organization that is the parent that owns the certificate and its rights.

For root certificates, you need to provide the common name for the CA that issued the root certificate. Leave the default name to associate it with the creation of the CA component and certificate. If you change this field, your devices may not receive the proper chain of certificates and will not be able to enroll.

Note: The root certificate is used to issue and sign certificates for intermediate server and client-device certificates. The root certificate is also used to regenerate intermediate certificates in the event of compromise. You can install root certificates in the operating system as a trusted CA root certificate.

For secure server certificates, you need to include the IP address or FQDN that is in the certificate. Users connect by using the IP address or FQDN contained within the certificate.

To install an APNS certificate in Device Manager


To allow users to connect from iOS devices, you must install an APNS certificate from Apple. When you install the certificate on Device Manager, you enter the associated private key password used to generate the original Certificate Signing Request (CSR) in the Private key password field. In Certificate file path, specify the file system location of a pre-authenticated APNS certificate file that you download and convert to PKCS#12 format from the Apple iOS Developer for Enterprise portal.

Note: APNS certificates are provisioned by Apple, Inc. To obtain an APNS certificate, sign in to the Apple Push Certificates Portal. When you log on, you can compare the information on the Apple web site with the values shown in the following figure:

Allowing Remote Support to Connect to Mobile Devices


On the Configure tunnel port(s) used by remote support page, define the port range used by remote support for Android and Windows Mobile devices. The default is port 8081.

To designate the Device Manager administrator


To connect to the Device Manager web console, you need to configure an account with the administrator role. On the Extended management of the users page, you enter the administrator's name and password. After you enter the values, you can check the user name in Active Directory.

After you configure the administrator user and password, you can finish the installation wizard. After you finish the wizard, you should do the following:

- Log on to the administration console at https://serverfqdn/zdm to configure Device Manager.
- On the console, use the first-time use wizard to configure LDAP and your first deployment package.

Note: If you want to add your own server certificate instead of the self-signed server certificate that is issued during the installation, follow the steps in this topic, Configuring an External Certificate Authority by Using SSL.

Configuring Active Directory on Device Manager


You use Active Directory with Device Manager to manage groups of users, not individual user accounts. Device Manager supports the following sources of user account information:

- LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory, to import groups, user accounts, and related properties.
- Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.
- Provisioning file. You can develop a file outside of Device Manager containing user accounts and properties and then import the file. Device Manager automatically creates objects and sets property values.

You can perform the following actions in Device Manager for LDAP connections:

- Create a new LDAP connection.
- Edit an existing connection.
- Set the default LDAP connection.
- Activate or deactivate an LDAP connection.

When you create a new LDAP connection, you configure the LDAP directory settings and then you import a signed secure certificate. When you define the connection parameters, you need to grant the following rights to the Search User service account:

- READALLUSERINFORMATION
- READALLNETWORKPERSON

Note: In the Lockout Limit field, the default is set to zero. However, Citrix recommends using a higher value, as well as a value that is slightly lower than the lockout limit set on your LDAP server. For example, if your LDAP server is configured to a limit of five attempts before lockout, Citrix suggests that you enter 3 or 4 in this field.

You can also map the LDAP directory attributes to the Device Manager Repository database. If you do not modify the default settings, Device Manager binds automatically to the LDAP directory. You can specify the base DN that defines the LDAP directory groups that are imported to Device Manager.

Upgrading Device Manager to Version 8.6


Upgrading the Device Manager server is a simple, in-place upgrade process. The automated Setup Wizard updates your existing Device Manager installation and database in one step. As a best practice, back up the database and the Device Manager core application directories and save them to a location as a roll-back plan.

Supported upgrade paths:

7.1.0 -> 8.5.0 -> 8.6.0 8.0.1 -> 8.6.0 8.5.0 -> 8.6.0

Note: If you are running Device Manager version 8.0.1, you should already have the correct version of Java on your server. If you do not, make sure that you are running Oracle Java SE 7 JDK (JDK Download Edition) update 11 and above and Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7. For more information, see Device Manager System Requirements. Before you upgrade: Before upgrading, make sure that you perform a backup of your Device Manager database and application directory as described here: To perform a full manual backup of Device Manager server

To upgrade Device Manager to version 8.6


1. As Administrator, run the Device Manager executable installation file.
2. Follow the directions in the Setup Wizard.


Backing Up and Restoring Device Manager


Backing up your Device Manager server installation and core application file system directory is crucial to a good disaster recovery or business continuity plan. This section describes backing up and restoring Device Manager. You can back up Device Manager by using the following methods:

- Stop all services and then make a copy of the entire application directory on the server.
- Copy the application directories required for restoration and also perform a native SQL database server backup by using the PostgreSQL utility called pgAdmin. You can also use Microsoft SQL Server Management Studio for your version of Microsoft SQL Server.

If you want to restore Device Manager, you also use pgAdmin or Microsoft SQL Server Management Studio.


To perform a full manual backup of Device Manager server


A very simple method for backing up a default installation of the Device Manager server is to stop all services and make a copy of the entire application directory on the server.

1. From the Services utility on the Device Manager server, stop the XenMobile Device Manager and the XenMobile Device Manager Database - PostgreSQL 8.3 services. MS SQL database installations should follow the best practices used for the particular type of SQL server installation. Online and Offline backups are acceptable as long as the backup database and transaction logs are maintained together for restoration.
2. Back up the XenMobile Device Manager database and application environment. This is accomplished by making a full directory copy of the Device Manager application directory, typically located at: C:\Program Files (x86)\Citrix\XenMobile Device Manager
3. Save the full directory copy to a safe external location such as tape backup or an external media storage system. This full directory backup contains the Database, Application, PKI configuration and certificates, and all configuration and log files.


To perform a directory and native SQL backup of Device Manager server


Another method of backup for the Device Manager server is to copy the application directories required for restoration and also perform a native SQL database server backup by using the default PostgreSQL utility pgAdmin. If you use a Microsoft SQL Server database installation, the Microsoft SQL Server Management Studio utility is used. The following steps guide you through the process using the default PostgreSQL pgAdmin III utility only.

1. From the Services utility on the Device Manager server, stop the XenMobile Device Manager service.
2. Start the pgAdmin III utility from Start > All Programs > PostgreSQL 8.3. Database backup is performed using the pgAdmin III utility if using the default PostgreSQL database. For a Microsoft SQL Server database installation, use the Microsoft SQL Server Management Studio application and follow the instructions provided by Microsoft or your database administrator to back up your database according to your needs.
3. Enter the password for the default postgres administrator account for the database. This was recorded during installation.
4. Expand the Databases branch of the servers tree in the pgAdmin utility, right-click on the xdm database object, and then select Backup.
5. Enter a directory location and new filename for the backup file, then click OK.
6. When completed the backup process will show the following message window. When finished, click Done. The resulting backup file will be saved to your predetermined location for archival and retrieval when a database restore is necessary.
7. Next, while the Device Manager service is stopped, back up at least the following directories within the main application folder:
   C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
   C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF
8. Verify the backed-up directory has a complete copy of the Tomcat configuration and PKI certificates. These files are located under the parent directory: C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
9. Verify that the backup directory also contains the license file normally found at: C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF
10. The Device Manager application and database environment is now fully backed up and can be restored to the same or a different system host.


XenMobile NetScaler Connector


Citrix is introducing a new solution for controlling access to corporate email, calendar and contacts from mobile devices: the XenMobile NetScaler Connector (XNC). XNC allows customers to send a list of compliant devices from the XenMobile Device Manager to NetScaler, which in turn controls which mobile devices are allowed to sync with the corporate Exchange server. XenMobile MDM provides complete protection for your mobile applications, network, and data, and ensures end-to-end security and compliance. NetScaler optimizes, secures, and controls the delivery of all enterprise and cloud services. Together, these two products provide the ability to scale, ensure high availability for apps, and maintain security while reducing mobility deployment and management costs.

XenMobile NetScaler Connector (XNC)


The XenMobile NetScaler Connector (XNC) provides a device-level authorization service of ActiveSync clients to NetScaler acting as a reverse proxy for the Exchange ActiveSync protocol. Authorization is controlled by a combination of policies defined within the XenMobile Device Manager and by rules defined locally by XNC. XenMobile Device Manager provides whitelisting (approved) and blacklisting (forbidden) of devices based on compliance with high-level policies such as detection of jailbroken devices or detection of specific apps. The XNC local rules are typically used to augment the XDM rules in cases where specific overrides are required; for example, to block all devices using a specific operating system version.

NetScaler
NetScaler delivers an extensive portfolio of essential datacenter security capabilities that are significant for mobile users, their apps and data. NetScaler provides critically important application security, network/infrastructure security, and identity and access management, which when combined with XenMobile MDM delivers a tightly coupled solution that enables IT to support the security needs of mobile users and the enterprise.


XenMobile NetScaler Connector 8.5


The XenMobile NetScaler Connector (XNC) provides a device-level authorization service of ActiveSync clients to NetScaler acting as a reverse proxy for the Exchange ActiveSync protocol. Authorization is controlled by a combination of policies defined within the XenMobile Device Manager and by rules defined locally by XenMobile NetScaler Connector.

Note: For information and documentation on how to deploy and configure the NetScaler for the XNC, contact your Citrix sales representative and request the document named 'NetScaler and XenMobile Solution for Enterprise Mobility Deployment Guide'.


About This Release


XenMobile NetScaler Connector 8.5 provides the following capabilities:

- Filter-based rules to allow or block access. XenMobile NetScaler Connector evaluates a particular client request routed through NetScaler against the organization's rules. The end result is a binary state of allowed, in which the client is permitted to contact the Microsoft Exchange 2010 Client Access Server (CAS), or blocked, in which the client request is dropped and access to the Exchange CAS is not permitted. Paired with settings in the Device Manager console, you can prevent Exchange ActiveSync email access to device users based on compliance criteria, such as when a blacklisted app is installed on the device, if the device is jailbroken, and so on.
- A two-tiered filter model. The first tier parses the incoming HTTP requests based on path-specific information. The second tier filters based on user or device specific information. You can configure both tiers.
- Filter rules stored in configuration files. Specific filter rules pertaining to the user accounts and devices in your organization are stored in the gateway's XML configuration files.

About This Release: Contains information about this release, including XenMobile NetScaler Connector features, components, what's new, and known issues.
System Requirements: Provides system requirements for XenMobile NetScaler Connector and for the XenMobile NetScaler Connector Console.
Deploy: Provides deployment information for XenMobile NetScaler Connector.
Install and Setup: Provides information about how to install XenMobile NetScaler Connector on either its own server or on the same server as Device Manager.
Manage: Provides information on choosing a security model for your organization, creating block or allow policies, setting static or dynamic filters, and connecting to Device Manager. This section also provides information about enabling and understanding email attachment encryption.
Monitor: Provides information about enabling XenMobile NetScaler Connector logging.


Key Features
The key features of XenMobile NetScaler Connector are:

- Access Control of HTTP ActiveSync requests. XenMobile NetScaler Connector can control the HTTP ActiveSync requests that mobile devices make to Exchange servers. You can build filters in XenMobile NetScaler Connector that enable you to allow or block user devices based on rules and criteria that you specify. When you set the rules in XenMobile NetScaler Connector, you can turn the rules on and off in XenMobile Device Manager, which then manages the ability for devices to access email within the organization.
- Remote configuration. Device Manager controls the baseline and delta intervals used by XenMobile NetScaler Connector.
- Logging. On the Log tab of the XenMobile NetScaler Connector configuration utility, you can view when encryption is enabled for a given user device at the request level, in addition to devices that are allowed or blocked.


XenMobile NetScaler Connector System Requirements


The XenMobile NetScaler Connector communicates with NetScaler over an SSL bridge configured on the NetScaler appliance that enables the appliance to bridge all secure traffic directly to XenMobile Device Manager. XenMobile NetScaler Connector can be installed on its own server, or on the same server as the XenMobile Device Manager, and requires the following minimum system configuration:

Component: Requirement
Computer and processor: 733 MHz Pentium III or higher processor. 2.0 GHz Pentium III or higher processor (recommended)
NetScaler: NetScaler Appliance with software version 10.
Memory: 1 gigabyte (GB)
Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space
Operating system: Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 SP2 (recommended)
Other devices: Network adapter compatible with the host operating system for communication with the internal network
Display: VGA or higher-resolution monitor

The host computer for XenMobile NetScaler Connector requires the following minimum available hard disk space:

- Application. 10-15 MB (100 MB recommended)
- Logging. 1 GB (20 GB recommended)


Deploying XenMobile NetScaler Connector

XenMobile NetScaler Connector allows you to use NetScaler to proxy and load balance Device Manager communication with XenMobile managed devices. XenMobile NetScaler Connector communicates periodically with Device Manager to synchronize policies. XenMobile NetScaler Connector and Device Manager may be clustered, together or independently, and load balanced by NetScaler.

Figure 1. XenMobile NetScaler Connector Deployment

XenMobile NetScaler Connector Components


XenMobile NetScaler Connector consists of the following four components:

- XenMobile NetScaler Connector Service. This provides a REST web service interface that can be invoked by NetScaler to determine if an ActiveSync request from a device is authorized.
- XenMobile Configuration Service. This service communicates with Device Manager to synchronize Device Manager policy changes with XenMobile NetScaler Connector.
- XenMobile Notification Service. This service sends notifications of unauthorized device access to Device Manager so that Device Manager can take appropriate measures, such as notifying the user why the device was blocked.
- XenMobile NetScaler Configuration. This application allows the administrator to configure and monitor XenMobile NetScaler Connector.


Figure 2. XenMobile NetScaler Connector Components


To set up listening addresses for the XNC web service


For the XenMobile NetScaler Connector to receive requests from NetScaler to authorize ActiveSync traffic, you need to specify the port on which the XenMobile NetScaler Connector will listen to NetScaler web service calls.

1. From the Start menu, select the XenMobile NetScaler Configuration utility.
2. Select the Web Service tab and type the listening addresses for the XenMobile NetScaler Connector web service. You may select HTTP and/or HTTPS. If XenMobile NetScaler Connector is co-resident with Device Manager (installed on the same server), select port values that do not conflict with Device Manager.
3. Once the values are configured, click Save, then click Start Service to start the web service.


To configure device access control policies


In this task, you will configure the access control policy you want to apply to your managed devices.

1. In the XenMobile NetScaler Configuration utility, select the Path Filters tab.
2. Select the first row (Microsoft-Server-ActiveSync is for ActiveSync) and click Edit.
3. From the Policy list, select the desired policy. For a policy that is inclusive of Device Manager policies, select Static + ZDM: Permit Mode or Static + ZDM: Block Mode. These policies combine local (also known as static) rules with those from Device Manager. Permit Mode means that all devices not explicitly identified by the rules will be permitted access to ActiveSync. Block Mode means that such devices will be blocked.
4. When you have set the policies, click Save.


To configure communication with the Device Manager server


In this task, you will specify the name and properties of the XenMobile Device Manager server (also known as a 'Config Provider') which you want to use with XenMobile NetScaler Connector and NetScaler.

Note: This deployment task assumes you have already installed and configured the Device Manager server.

1. In the XenMobile NetScaler Configuration utility, select the Config Providers tab.
2. Click Add.
3. Enter the name and URL of the Device Manager server you are using in this deployment. If you have multiple XenMobile Device Manager servers deployed in a Multi-Tenant deployment, this Name must be unique for each server instance. For example, for Name, you could type XDM.
4. In Url, enter the Web address of the Device Manager GCP (GlobalConfig Provider), typically in the format https://DeviceManagerHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.
5. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
6. In Managing Host, enter the server name where you installed the XenMobile NetScaler Connector.
7. In Baseline Interval, specify a time period for when a new refreshed dynamic ruleset is pulled from Device Manager.
8. In Request Timeout, specify the server request timeout interval.
9. In Config Provider, select if the config provider server instance is providing the policy configuration.
10. In Events Enabled, enable this option if you want Secure Mobile Gateway to notify Device Manager when a device is blocked. This option is required if you are using Secure Mobile Gateway rules in any of your Device Manager Automated Actions.
11. Once the server is configured, click Test Connectivity to test the connection to the Device Manager server.
12. When Connectivity has been established, click Save.


Deploying XNC for Redundancy and Scalability


If you want to scale your XNC and Device Manager deployment, you can install XNC instances on multiple Windows servers, all pointing to the same XDM instance, and then load balance them using Citrix NetScaler. There are two modes for XNC configuration: non-shared and shared.

- In non-shared mode, each XNC instance communicates with an XDM server and keeps its own private copy of the resulting policy. For example, if you had a cluster of Device Manager servers, you could run an XNC instance on each XDM server and XNC would get policy from the local XDM.
- In shared mode, one XNC node is designated the master and it communicates with Device Manager. The resulting configuration is shared among the other nodes either by Windows network share or by Windows (or third-party) replication.

The entire XNC configuration is in a single folder (a few XML files). The XNC Connector process detects changes to any file in this folder and automatically reloads the configuration. There is no failover for the master in shared mode. But the system can tolerate the master being down for minutes (for example, to reboot) because the last known good config is cached in the XNC Connector process.


Installing XenMobile NetScaler Connector


You can install the XenMobile NetScaler Connector on its own server, or on the same server where you installed XenMobile Device Manager. You might consider installing the XenMobile NetScaler Connector on its own server (separate from Device Manager) for the following reasons:

- If your Device Manager server is hosted remotely in the cloud (physical location).
- If you do not want your XenMobile NetScaler Connector to be affected by reboots of the Device Manager server (availability).
- If you want a server's system resources to be devoted entirely to the XenMobile NetScaler Connector (performance).

The CPU load that XNC puts on a server depends on how many devices are managed, but a general rule of thumb is to provision for one additional CPU core if XNC is deployed on the same server as XDM. For large numbers of devices (over 50 thousand), you may need to provision additional cores if you do not have a clustered environment. The memory footprint of XNC is not significant enough to warrant additional memory.


To install XenMobile NetScaler Connector


1. Run XncInstaller.exe under an administrator account. This will install XenMobile NetScaler Connector or allow for upgrade or removal of an existing XNC.
2. Follow the onscreen instructions to complete the installation.

After the XNC installation, the two services XenMobile Configuration Service and the Notification Service must be restarted manually.


To uninstall XenMobile NetScaler Connector


1. Run XncInstaller.exe under an administrator account.
2. Follow the onscreen instructions to complete the uninstallation.


Managing XenMobile NetScaler Connector


You can use XenMobile NetScaler Connector to build access control rules to either allow or block access to ActiveSync connection requests from managed devices based on device status, app blacklists or whitelists and a host of other compliance conditions. Using the XenMobile NetScaler Connector utility, you can build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also set up email attachment encryption so that all attachments that pass through your Exchange server to managed devices are encrypted and only viewable on managed devices by authorized users.


Configuring XenMobile NetScaler Connector


You can configure XenMobile NetScaler Connector to selectively block or allow ActiveSync requests based on the following properties: Active Sync Service ID, Device type, User Agent (device operating system), Authorized user, and ActiveSync Command.

The default configuration supports a combination of static and dynamic groups. You maintain static groups by using the SMG Controller Configuration utility. The static groups may consist of known categories of devices, such as all devices using a given user agent. Dynamic groups are maintained by an external source called a Gateway Configuration Provider and collected by XenMobile NetScaler Connector on a periodic basis. XenMobile Device Manager is a Gateway Configuration Provider and can export groups of allowed and blocked devices and users to XenMobile NetScaler Connector.

A policy is an ordered list of groups where each group has an associated action (allow or block) and a list of group members. A policy may have any number of groups. Group ordering within a policy is important because when a match is found the action of the group is taken, and subsequent groups are not evaluated.

A member defines a way to match the properties of a request. It can match a single property (such as device ID), or multiple properties (such as device type and user agent).


Choosing a Security Model for XenMobile NetScaler Connector


Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to allow access to a user, computer, or device by default, using some form of protected or quarantined network control, it is not always a good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices. The same logic applies to mobile device security. The vast numbers of mobile devices and types, quantities of mobile devices per user, and the array of operating system platforms and applications available make the very idea of using a permissive model a weak choice. In most organizations the restrictive model will be the most logical choice. However, it will involve some thinking to successfully roll out the XenMobile NetScaler Connector security model.

The configuration scenarios that Citrix allows for integrating XenMobile NetScaler Connector with XenMobile Device Manager are as follows:

Permissive Model (Permit Mode)
The permissive security model operates on the premise that everything is either allowed or granted access by default. Only in the case of rules and filtering will something be blocked and a restriction applied. The permissive security model is good for organizations that have a relatively loose security concern about mobile devices and only apply restrictive controls to deny access where appropriate (when a policy rule is failed).

The Restrictive Model (Block Mode)


The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security check point is filtered and inspected, and is denied access unless the rules allowing access are passed. The restrictive security model is good for organizations that have a relatively tight security criterion about mobile devices. The mode only grants access for use and functionality with the network services when all rules to allow access have passed.


Configuring XenMobile NetScaler Connector Policy Modes


XenMobile NetScaler Connector can run in the following six modes:

- Allow All. This policy mode will grant access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.
- Deny All. This policy mode will block access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.
- Static Rules: Block Mode. This policy mode will execute static rules with an implicit deny or block statement at the end. Devices that are not allowed or permitted via other filter rules will be blocked by XenMobile NetScaler Connector.
- Static Rules: Permit Mode. This policy mode will execute static rules with an implicit permit or allow statement at the end. Devices that are not blocked or denied via other filter rules will be allowed through XenMobile NetScaler Connector.
- Static + ZDM Rules: Block Mode. This policy mode will execute static rules first, followed by dynamic rules from Device Manager with an implicit deny or block statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are blocked.
- Static + ZDM Rules: Permit Mode. This policy mode will execute static rules first, followed by dynamic rules from XenMobile Device Manager with an implicit permit or allow statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are allowed.

The XenMobile NetScaler Connector process permits or blocks for dynamic rules based on unique ActiveSync IDs for iOS and Windows-based mobile devices received from Device Manager. Android devices differ in their behavior based on the manufacturer and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed since Android devices cannot be definitively differentiated. The gateway can still be configured to statically block these devices by ActiveSyncID, if they are known, and can also be configured to block based on device type or user agent.

To specify the policy mode, in the SMG Controller Configuration utility, do the following:

1. Click the Path Filters tab and then click Add.
2. In the Path Properties dialog box, select a policy mode from the Policy drop-down list and then click Save.
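The first-match evaluation described under "Configuring XenMobile NetScaler Connector", the implicit final action of the Permit and Block modes, and the Android user-ID behavior can be reproduced with a small model. This is an added example, not Citrix code and not the XNC configuration format; the class names, group names, users, device IDs and user-agent strings are all constructed for illustration, and exact string equality is an assumed matching rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, BLOCK = "allow", "block"
FIELDS = ("user", "device_id", "device_type", "user_agent")


@dataclass(frozen=True)
class Request:
    """Properties of one ActiveSync request that a member can match on."""
    user: str
    device_id: str
    device_type: str
    user_agent: str


@dataclass(frozen=True)
class Member:
    """One rule: every property that is set must equal the request's value."""
    user: Optional[str] = None
    device_id: Optional[str] = None
    device_type: Optional[str] = None
    user_agent: Optional[str] = None

    def matches(self, req: Request) -> bool:
        wanted = [(getattr(self, f), getattr(req, f))
                  for f in FIELDS if getattr(self, f) is not None]
        # An empty member matches nothing; otherwise it would match every request.
        return bool(wanted) and all(w == got for w, got in wanted)


@dataclass
class Group:
    name: str
    action: str
    members: List[Member]


@dataclass
class Policy:
    name: str
    groups: List[Group]   # evaluated top to bottom
    default: str          # implicit final action: allow = Permit Mode, block = Block Mode

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Return (action, deciding group); the first matching group wins."""
        for group in self.groups:
            if any(m.matches(req) for m in group.members):
                return group.action, group.name
        return self.default, "implicit default"


# Constructed sample groups (no real users, devices or user agents).
STATIC_BLOCK = Group("StaticBlock", BLOCK, [
    Member(device_type="Android", user_agent="Android/2.2-Example"),
])
DYN_ALLOW = Group("DynamicAllow", ALLOW, [
    Member(device_id="IOS-0001"),   # iOS/Windows: keyed on the ActiveSync ID
    Member(user="CORP\\alice"),     # Android: keyed on the user ID only
    Member(device_id="IOS-0003"),
])
DYN_BLOCK = Group("DynamicBlock", BLOCK, [
    Member(device_id="IOS-0002"),
    Member(device_id="IOS-0003"),   # listed in both groups: group order decides
])


def build_policy(default: str, allow_first: bool = True) -> Policy:
    """Static rules first, then dynamic groups, then the implicit default."""
    dynamic = [DYN_ALLOW, DYN_BLOCK] if allow_first else [DYN_BLOCK, DYN_ALLOW]
    mode = "Permit" if default == ALLOW else "Block"
    return Policy(f"Static + dynamic: {mode} Mode", [STATIC_BLOCK] + dynamic, default)


# Constructed sample requests.
ALICE_MANAGED = Request("CORP\\alice", "AND-1111", "Android", "Android/4.4-Example")
ALICE_SECOND = Request("CORP\\alice", "AND-2222", "Android", "Android/4.4-Example")
ALICE_OLD = Request("CORP\\alice", "AND-3333", "Android", "Android/2.2-Example")
UNKNOWN = Request("CORP\\carol", "IOS-9999", "iPhone", "Apple-iPhone/Example")
IN_BOTH = Request("CORP\\dave", "IOS-0003", "iPhone", "Apple-iPhone/Example")

if __name__ == "__main__":
    for default in (ALLOW, BLOCK):
        policy = build_policy(default)
        print(policy.name)
        for label, req in [("alice, managed Android", ALICE_MANAGED),
                           ("alice, second Android", ALICE_SECOND),
                           ("alice, blocked OS build", ALICE_OLD),
                           ("unknown iPhone", UNKNOWN),
                           ("device in both groups", IN_BOTH)]:
            action, group = policy.evaluate(req)
            print(f"  {label:24} -> {action:5} ({group})")
```

Alice's second, unenrolled Android is allowed even in Block Mode because the dynamic member matches on user only; the static user-agent rule is what still catches her third device, which is why the page suggests static device-type or user-agent blocks for this case.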

You can review rules on the Policies tab of the configuration utility. The rules are processed on XenMobile NetScaler Connector from top to bottom. The active policy is displayed with a green checkmark, while the rules that are not active show a red circle with a line through it. To refresh the screen and see the most updated rules, click Refresh. The ordering of rules can be modified in the config.xml file.

To test rules, click the Simulator tab. Specify values in the fields. These can also be obtained from the logs. Click Simulate. A result message will appear specifying Allow or Block.


To configure static rules


You must enter static rules with values that are read by the ISAPI filtering of the ActiveSync connection HTTP request. Static rules enable XenMobile NetScaler Connector to permit or block traffic by the following criteria:

- User. XenMobile NetScaler Connector uses the authorized user value and name structure that was captured during device enrollment. This is commonly found as domain\username as referenced by the server running XenMobile Device Manager connected to Active Directory via LDAP. The Log tab within the XenMobile NetScaler Connector configuration utility will show the values that are passed through XenMobile NetScaler Connector if the value structure needs to be determined or is different.
- Deviceid (ActiveSyncID). Also known as the ActiveSyncID of the connected device. This value is commonly found within the specific device properties page in the Device Manager web console. This value can also be screened from the Log tab in the XenMobile NetScaler Connector configuration utility.
- DeviceType. XenMobile NetScaler Connector can determine if a device is an iPhone, iPad or other device type and permit or block based on that criteria. As with other values, the XenMobile NetScaler Connector utility can reveal all connected device types being processed for the ActiveSync connection.
- UserAgent. Contains information on the ActiveSync client that is utilized. In most cases, the value specified corresponds to a specific operating system build and version for the mobile device platform.

The XenMobile NetScaler Connector utility running on the server always manages the static rules.

1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.
2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, you can enter a user to allow access by entering the user name (for example, AllowedUser) and clearing the Disabled check box.
3. Click Save. The static rule is now in effect.

Additionally, you can use regular expressions to define values, but you must enable the rule processing mode in the config.xml file.


To configure dynamic rules


Dynamic rules are defined by device policies and properties in XenMobile Device Manager and can trigger a dynamic XenMobile NetScaler Connector filter based on the presence of a policy violation or property setting. The XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting and, if the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following configuration options enable you to define whether you want to allow or deny the devices in the Device List by using XenMobile NetScaler Connector.

Note: These dynamic rules must be configured on the Device Manager web console.

1. Open the Device Manager web console and then click Options from the console banner.
2. In the left-hand navigation, click Mobile Configuration and then click XenMobile NetScaler Connector.
3. In the Enable column, select the check boxes for the filters that you want to enable and then select either the Allow or Deny check box.


To configure custom policies by editing the XenMobile NetScaler Connector XML file
You can view the basic policies in the default configuration on the Policies tab of the configuration tool. If you want to create custom policies, you can edit the XML configuration file (config\config.xml).

1. Find the PolicyList section in the file and add a new Policy element.
2. If a new Group is also required, such as an additional static group or to support an additional GCP, add the new Group element to the GroupList section.
3. Optionally, you can change the ordering of Groups within an existing Policy by rearranging the GroupRef elements.


Configuring the XenMobile NetScaler Connector XML File


XenMobile NetScaler Connector uses an XML configuration file to guide its actions. Among other entries, the file specifies the group files and associated actions the filter will take when evaluating HTTP requests. By default, the file is named config.xml and can be found at the following location: ..\Program Files\Citrix\XenMobile NetScaler Connector\config\.

GroupRef Nodes
The GroupRef nodes define the logical group names - by default, the AllowGroup and the DenyGroup.

Note: The order of the GroupRef nodes as they appear in the GroupRefList node is significant.

The id value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attribute specifies how the filter will treat a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set will "pass" (be allowed to access the Exchange CAS), while a user account or device that matches a rule in the DenyGroup set will be "rejected" (not allowed to access the Exchange CAS).

When a particular user account, device, or combination of the two meets rules in both groups, a precedence convention is used to direct the request's outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top to bottom. The GroupRef nodes are ranked in priority order. Thus, the nodes shown in the figure above (which depicts the default order) are such that rules for a given condition in the Allow group will always take precedence over rules for the same condition in the Deny group.

Group Nodes
Additionally, the config.xml defines Group nodes. These nodes link the logical containers AllowGroup and DenyGroup to external XML files. Entries stored in the external files form the basis of the filter rules.

Note: In this release, only external XML files are supported. The default installation implements two XML files in the configuration - allow.xml and deny.xml.
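Because the default GroupRef order gives AllowGroup precedence, an entry in the deny file has no effect for an identity that also appears in the allow file. The following added example (not Citrix code) models that precedence and lists such shadowed entries; the member lists, the "pass"/"reject" labels, the function names and the case-insensitive exact matching are assumptions made for the illustration, not the product's file format or matching logic.

```python
# Added illustration: models GroupRef precedence as described above.
# Group ids AllowGroup/DenyGroup come from the page; everything else is constructed.

def normalise(identity):
    # Assumption: compare identities case-insensitively so near-duplicates are flagged.
    return identity.strip().lower()


def effective_action(identity, group_refs, members):
    """Walk the GroupRef list top to bottom; the first group containing the identity wins."""
    ident = normalise(identity)
    for group_id, action in group_refs:
        if ident in {normalise(m) for m in members.get(group_id, [])}:
            return group_id, action
    # No group matched; what happens next depends on the policy and is not modelled here.
    return None, None


def shadowed_entries(group_refs, members):
    """Return (entry, its_group, winning_group) for entries overridden by a higher GroupRef."""
    winner = {}
    shadowed = []
    for group_id, action in group_refs:
        for raw in members.get(group_id, []):
            ident = normalise(raw)
            if ident not in winner:
                winner[ident] = (group_id, action)
            elif winner[ident][1] != action:
                shadowed.append((raw, group_id, winner[ident][0]))
    return shadowed


# Constructed sample data: the default order (Allow first) and two small member lists.
DEFAULT_ORDER = [("AllowGroup", "pass"), ("DenyGroup", "reject")]
MEMBERS = {
    "AllowGroup": ["AllowedUser", "alice"],
    "DenyGroup": ["bob", "Alice"],
}

if __name__ == "__main__":
    print(effective_action("alice", DEFAULT_ORDER, MEMBERS))
    for entry, group, winning in shadowed_entries(DEFAULT_ORDER, MEMBERS):
        print(f"{entry!r} in {group} is overridden by {winning}")
```

Running the audit before and after reordering GroupRef elements shows which entries change outcome.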


To import a policy from Device Manager


1. In the XenMobile NetScaler Configuration utility, click the Config Providers tab and then click Add.
2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and that has administrative privileges.
3. In Url, enter the Web address of the XenMobile Device Manager Gateway Configuration Service (GCP), typically in the format https://xdmHost/xdm/services/MagConfigService. The MagConfigService name is case sensitive.
4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
5. Click Test Connectivity to test gateway to configuration provider connectivity. If the connection fails, check that your local firewall settings allow the connection, or check with your administrator.
6. When a connection is successfully made, clear the Disabled check box and then click Save.
7. In Managing Host, leave the default DNS name of the local host computer. This setting is used to coordinate communication with Device Manager when multiple Forefront Threat Management Gateway (TMG) servers are configured in an array.

After you save the settings, open the GCS.


To configure a connection to XenMobile NetScaler Connector


XenMobile NetScaler Connector communicates with XenMobile Device Manager and other remote configuration providers through secure web services.

1. In the XenMobile NetScaler Connector utility, click the Config Providers tab and then click Add.
2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and has administrative privileges.
3. In Url, enter the Web address of the Device Manager GCP, typically in the format https://ZdmHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.
4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
5. In Managing Host, enter the XenMobile NetScaler Connector server name.
6. In Baseline Interval, specify a time period for when a new refreshed dynamic ruleset is pulled from Device Manager.
7. In Delta interval, specify a time period for when an update of dynamic rules is pulled.
8. In Request Timeout, specify the server request timeout interval.
9. In Config Provider, select if the config provider server instance is providing the policy configuration.
10. In Events Enabled, enable this option if you want XenMobile NetScaler Connector to notify Device Manager when a device is blocked. This option is required if you are using XenMobile NetScaler Connector rules in any of your Device Manager Automated Actions.
11. Click Save and then click Test Connectivity to test gateway to configuration provider connectivity. If the connection fails, check that the local firewall settings allow the connection or contact the Device Manager administrator.
12. When the connection succeeds, clear the Disabled check box and then click Save.

When you add a new configuration provider, XenMobile NetScaler Connector automatically creates one or more policies associated with the provider. These policies are defined by a template definition contained in config\policyTemplates.xml in the <NewPolicyTemplate> section. For each Policy element defined within this section, a new policy is created. The operator may add, remove, or modify policy elements provided that the policy element conforms to the schema definition, and that the standard substitution strings (enclosed in braces) are not modified. Next, add new groups for the provider and update the policy to include the new groups.


Choosing Filters for XenMobile NetScaler Connector


XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following filters are available for XenMobile NetScaler Connector within XenMobile Device Manager.

Blacklisted Apps. Allows or denies devices based on the Device List defined by Blacklist policies and the presence of blacklisted apps.

Whitelisted Apps only. Allows or denies devices based on the Device List defined by Whitelist policies and the presence of non-whitelisted apps.

Unmanaged Devices. Creates a Device List of all devices in the Device Manager database. The Mobile Application Gateway needs to be deployed in a Block Mode.

Rooted Android / Jailbroken iOS Devices. Creates a Device List of all devices flagged as rooted and allows or denies based on rooted status.

Out of Compliance Devices. Allows you to deny or allow devices that meet your own internal IT compliance criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, which is a Boolean flag that can be either True or False. (You can create this property manually and set the value, or you can use Automated Actions to create this property on a device if the device does or does not meet specific criteria.)

Out of Compliance = True. If a device does not meet the compliance standards and policy definitions set by your IT department, the device is out of compliance.

Out of Compliance = False. If a device does meet the compliance standards and policy definitions set by your IT department, the device is compliant.

Noncompliant password. Creates a Device List of all devices that do not have a passcode on the device.

Revoked Status. Creates a Device List of all revoked devices and allows or denies based on revoked status.

Inactive devices. Creates a Device List of devices that have not communicated with Device Manager within a specified period of time and are thus considered inactive and allows or denies the devices accordingly.

Anonymous Devices. Allows or denies those devices that are enrolled in Device Manager but the user's identity is unknown. For example, this could be a user who was enrolled but their Active Directory password is expired, or a user who enrolled with unknown credentials.

Implicit Allow / Deny. Creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies based on that list. The Implicit Allow/Deny option ensures that the XenMobile NetScaler Connector status in the Devices tab is enabled and shows XenMobile NetScaler Connector status for your devices. The Implicit Allow/Deny option also controls all of the other XenMobile NetScaler Connector filters that have not been selected. For example, Blacklisted Apps will be denied (blocked) by XenMobile NetScaler Connector, whereas all other filters will be allowed because the Implicit Allow/Deny option is set to Allow.


To simulate ActiveSync traffic


You can use the XenMobile NetScaler Connector to simulate what ActiveSync traffic will look like in conjunction with your policies to test your configurations.

1. In the XenMobile NetScaler Configuration utility, select the Simulations tab.

The results show you how your policies will apply according to the rules you have configured.


Monitoring XenMobile NetScaler Connector


The XenMobile NetScaler Connector utility provides detailed logging that you can use to view all traffic passing through your Exchange server that is either allowed or blocked by Secure Mobile Gateway. Use the Log tab to view the history of the ActiveSync requests forwarded to XenMobile NetScaler Connector by NetScaler for authorization.

Also, to make sure the XNC web service is running, you can load the following URL into a browser on the XNC server: http://<host:port>/services/ActiveSync/Version. If this returns the product version as a string, the web service is responsive.


XenMobile Mail Manager


The XenMobile Mail Manager (XMM) allows you to utilize XenMobile Device Manager (XDM) to gain Dynamic Access Control for Exchange Active Sync (EAS) devices, to access EAS device partnership information provided by Exchange, to perform an EAS Wipe on a mobile device, to access information about Blackberry devices, and to perform control operations such as Wipe and ResetPassword.


XenMobile Mail Manager 8.5


The XenMobile Mail Manager (XMM) provides the functionality that extends the capabilities of the XenMobile Device Manager (Device Manager) in the following ways:

Dynamic Access Control for Exchange Active Sync (EAS) devices. Based on rules defined by XenMobile Device Manager and/or XenMobile Mail Manager, EAS devices can be automatically allowed or blocked access to Exchange services.

Provides the ability for Device Manager to access EAS device partnership information provided by Exchange. This allows Device Manager to view and manage EAS devices that have never been enrolled in Device Manager.

Provides the ability for Device Manager to perform an EAS Wipe on a mobile device.

Provides the ability for Device Manager to access information about Blackberry devices, and to perform control operations such as Wipe and ResetPassword.


XenMobile Mail Manager Components


The XenMobile Mail Manager consists of three main components:

Exchange ActiveSync (EAS) Access Control Management. This component communicates with Device Manager to retrieve EAS policies from Device Manager, and then merges this policy with any locally defined policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies allow extending the policy rules to allow access control by AD Group, User, Device Type, or Device User Agent (generally the mobile platform version).

Remote Powershell Management. This component is responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by EAS Access Control Management. It periodically snapshots the EAS database to detect new or changed EAS devices.

Mobile Service Provider. This component provides a web service interface so that Device Manager can query EAS and/or Blackberry devices, and issue control operations such as Wipe against them. This capability was previously provided by the ZsmLite\ZMSP products.

Figure 1. XenMobile Mail Manager Components


XenMobile Mail Manager System and Software Requirements


The XenMobile Mail Manager (XMM) requires the following minimum system configuration:

Component: Requirement

Computer and processor: Pentium III 733 MHz or higher processor. 2.0 GHz Pentium III or higher processor (recommended).

Operating system: Windows Server 2008 R2 or 2012.

Server software: Microsoft SQL Server 2008 or 2012, or Microsoft SQL Server Express 2008 or 2012, or Microsoft SQL Server 2012 Express LocalDB; Microsoft .NET Framework 4.5; Exchange Server 2010 SP2 or later; Microsoft Office 365; Blackberry Enterprise Service, version 5 (optional, if managing BlackBerry devices).

Server machine requirements: Windows Management Framework must be installed; PowerShell V2 supported; the PowerShell execution policy must be set to RemoteSigned by running Set-ExecutionPolicy RemoteSigned from the PowerShell command prompt.

Memory: 1 gigabyte (GB).

Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space.

Other devices: Network adapter compatible with the host operating system for communication with the internal network.

Display: VGA or higher-resolution monitor.


Onsite Exchange Requirements


If you are using XenMobile Mail Manager (XMM) with an onsite instance of Microsoft Exchange, you need to ensure that your deployment meets the following requirements.

Permissions

Exchange's Role-Based Access Control (RBAC) is beyond the scope of this help topic; however, at a minimum the credentials specified in the Exchange Configuration Management Console must be able to connect to the Exchange Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:

Get-CASMailbox
Set-CASMailbox
Get-Mailbox
Get-ActiveSyncDevice
Get-ActiveSyncDeviceStatistics
Clear-ActiveSyncDevice

As documented by Microsoft here, in order to establish a remote connection and run remote commands, the credentials must correspond to a user that is an administrator on the remote machine. Additionally, the Exchange server must be configured to support remote PowerShell requests via HTTP. Typically, an administrator running the following PowerShell command on the Exchange server is all that is required: WinRM QuickConfig.

Throttling Policy Considerations

Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is 18 on Exchange 2010. Once the connection limit is reached, XMM will not be able to connect to the Exchange server. While there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends that you investigate Exchange's throttling policies as related to remote management with PowerShell that best suit the demands of your Exchange environment.


Office 365 Exchange Requirements


If you are using XenMobile Mail Manager (XMM) with an instance of Microsoft Exchange hosted through Office 365, you need to ensure that your deployment meets the following requirements.

Permissions

Exchange's Role-Based Access Control (RBAC) is beyond the scope of this help topic; however, at a minimum the credentials specified in the Exchange Configuration Management Console must be able to connect to the Exchange Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:

Get-CASMailbox
Set-CASMailbox
Get-Mailbox
Get-ActiveSyncDevice
Get-ActiveSyncDeviceStatistics
Clear-ActiveSyncDevice

The supplied credentials must have been granted the right to connect to the Office 365 server through the remote Shell. By default, the Office 365 online admin has the requisite privileges.

Throttling Policy Considerations

Among the many Exchange throttling policies, one controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is three on Office 365. Once the connection limit is reached, XMM will not be able to connect to the Exchange server. While there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends that you investigate Exchange's throttling policies as related to remote management with PowerShell that best suit the demands of your Exchange environment.


Installing XenMobile Mail Manager


The following conditions must be met before installing XenMobile Mail Manager:

If .NET Framework 4.5 is not installed, download and install it from www.Microsoft.com.

If a Microsoft SQL Server is not installed or available remotely, install one of the following:

Microsoft SQL Server 2008
Microsoft SQL Server 2008 SqlExpress
Microsoft SQL Server 2012
Microsoft SQL Server 2012 SqlExpress
Microsoft SQL Server 2012 SqlExpress\LocalDB

XMM 'One LDAP Per Domain' Caveat

XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain, sub domain, and so on), you will need to install XMM for each domain. You can set LDAP connection properties to use the Global Catalog Server, which will give you access to global groups across domains. To do this, you modify the connection string from "LDAP:" to "GC:". For example, instead of "LDAP://dc=citrix, dc=com", use "GC://dc=citrix, dc=com".

To install the XenMobile Mail Manager: Once the above conditions have been met, click the XmmSetup.msi file and follow the onscreen instructions.


Configuring XenMobile Mail Manager


You can use the XenMobile Mail Manager Configuration utility to extend the capabilities of XenMobile Device Manager to create access control rules that can either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services. You can build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also use the utility to perform an EAS wipe on out-of-compliance devices. The XenMobile Mail Manager also provides the ability to access information about Blackberry devices and to perform control operations such as Wipe and ResetPassword.


To configure the Exchange Server


1. From the Start menu, launch XenMobile Mail Manager.
2. In the XenMobile Mail Manager utility, click the Configure > Exchange tab.
3. Select the type of Exchange server environment, either On premise or Office 365. If you select On premise, enter the name of the Exchange CAS server that will be used for Remote Powershell commands.
4. Enter the User name of a Windows identity that has sufficient rights on the Exchange server. For more information on permissions required for XMM to access the Exchange server, see Onsite Exchange Requirements and Office 365 Exchange Requirements.
5. Enter the Password for the User.
6. Select the schedule for running Major snapshots. A major snapshot detects every EAS partnership.
7. Select the schedule for running Minor snapshots. A minor snapshot detects newly created EAS partnerships.
8. Next, select whether you want the XenMobile Mail Manager to take Deep or Shallow snapshots. Shallow snapshots are faster and are sufficient to perform all the EAS Access Control functions of XenMobile Mail Manager. Deep snapshots may take significantly longer and are only needed if the Mobile Service Provider is enabled for ActiveSync (which allows Device Manager to query for unmanaged devices). If you are configuring XenMobile Mail Manager with a Mobile Service Provider (MSP) ActiveSync interface, for example, to apply access control rules to unmanaged BlackBerry devices from a BES server, you must choose Deep snapshots. If MSP ActiveSync capability is not required, Citrix recommends using shallow snapshots for better performance.
9. Click Test Connectivity to check that a connection can be made to the Exchange server.
10. Click Save. When prompted by a message asking if you would like to restart the service, click Yes.


To configure database properties


The first task in configuring the XenMobile Mail Manager requires configuring a connection to the database it will be using to store data.

1. From the Start menu, launch XenMobile Mail Manager.
2. In the XenMobile Mail Manager utility, click the Configure > Database tab.
3. Enter the Server name of the SQL Server (defaults to localhost).
4. Let the Database name be set to the default (CitrixXmm).
5. In the Authentication field, from the drop-down, select the Authentication mode used for SQL:
   a. SQL. If you choose this authentication, then enter the username and password of a valid SQL user.
   b. Windows Integrated. If you choose this option, then the Logon credential of the XenMobile Mail Manager Service must be changed to a Windows account that is compatible. To do this, launch Control Panel > Administrative Tools > Services, right-click on the XenMobile Mail Manager Service entry and select the Log On tab.
6. Click Test Connectivity to check that a connection can be made to the SQL server.
7. Click Save. When prompted by a dialog asking if you would like to restart the service, click Yes.


To configure a Mobile Service Provider


Configuring a Mobile Service Provider (MSP) is optional and needed only if the Device Manager server is also configured to use the Mobile Service Provider interface to query unmanaged devices; for example, BlackBerry devices from a BlackBerry Enterprise Server (BES).

Note: XMM manages BlackBerry devices from BES 4.1 and BES 5 servers, BB Z10 devices and other ActiveSync devices from Exchange 2010. The HTTP/HTTPS protocol used should be consistent between XMM and XDM.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Configure > MSP tab.
3. Set the Service Transport type (HTTP or HTTPS) for the MSP service.
4. Set the Service port (typically 80 or 443) for the MSP service.
5. Set the Authorization Group or User. This sets the user or set of users that will be able to connect to the MSP service from the Device Manager server.
6. Select Enable ActiveSync if you want to enable ActiveSync queries.
   Note: If ActiveSync queries are enabled for the Device Manager server then the Snapshot type for the Exchange server(s) must be set to Deep. Be aware that this could have significant performance costs for performing snapshots.
7. Click Save.


To configure the Mobile Service Provider hostname in Device Manager


Once you have configured the XMM to use the Mobile Service Provider web service interface to query unmanaged devices (if you want to manage ActiveSync traffic of BlackBerry devices from the BES 5 server), you need to configure the Device Manager server to connect to the XMM server.

1. Log in to the Device Manager web console.
2. Click Options.
3. In the Options dialog, select Modules Configuration > Mobile Service Provider.
4. Enter the following information:
   a. Web service URL. This is the hostname of the XMM server. For example: http://XmmServer/services/zdmservice.
   b. Username. Username of the administrator account on the XMM server. For example: domain\admin.
   c. Password. Password for the administrator account on the XMM server.
   d. Enable automatic update of BlackBerry and ActiveSync devices connections. Select this option.
5. Click Check Connection to test the communication between XMM and Device Manager.
6. Click Close.


To configure Blackberry BES servers (optional)


1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Configure > MSP tab.
3. Under BlackBerry Configuration, click Add.
4. In the BES Properties dialog box, type the Server name of the BES SQL server.
5. Type the database name of the BES Management database.
6. Next, select the Authentication mode for server access. If Windows Integrated authentication is selected, the user account of the XenMobile Mail Manager service is the account that is used to connect to the BES SQL server. If SQL authentication is selected, enter the user name and password.
7. Set the Sync Schedule. This is the schedule used to connect to the BES SQL server and check for any device updates.
8. Click Test Connectivity to check connectivity to the SQL server.
   Note: If Windows Integrated is selected, this test uses the current logged in user and not the XenMobile Mail Manager Service user and therefore does not accurately test SQL authentication.
9. If you want to support remote Wipe and/or ResetPassword of BlackBerry devices from Device Manager, select Enabled. In the fields, enter the following information:
   a. The BAS Server FQDN.
   b. The BAS Server port used for the Admin web service.
   c. The fully qualified User and Password required by the BES service.
10. Click Test Connectivity to test the connection to the BES server.
11. Click Save.


XenMobile Mail Manager and Exchange 'Quarantine' Mode


The XenMobile Mail Manager can be indispensable when configured in conjunction with Microsoft Exchange's Quarantine mode, which allows an Exchange admin to quarantine a user's device until that device can be determined to be compliant. (In Exchange quarantine mode, a user's email inbox is blocked, but the user can still see their calendar, appointments, and contacts.)

For example, when a user configures a corporate email account on their personal device, as soon as the user connects to the Exchange server, the user's new device is placed into quarantine mode. Exchange allows the administrator to have a mail sent to a new user telling them they need to enroll their new device in XenMobile Device Manager. When the new device is then enrolled in Device Manager, the Device Manager will then notify the XenMobile Mail Manager to un-quarantine (or Allow) the device, provided the device is compliant with Device Manager policy. This policy is defined in Device Manager's SMG Options dialog box.


Understanding XenMobile Mail Manager Access Rules


XenMobile Mail Manager allows you to configure three types of rules:

Local
XDM (from Device Manager)
Default

Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The matching criteria may match a particular device or a set of devices.

Local Rules

Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:

ActiveSync Device Id. Uniquely identifies a specific device.
Device Type. A set of devices, such as iPad, WP8, or Touchdown.
User Agent. A set of devices identified by platform version, such as iOS/6.1.2.
User. A specific user.

XDM (Device Manager) Rules

XDM rules are defined within XenMobile Device Manager. The product of these rules is delivered to XenMobile Mail Manager and continuously updated in the background. XDM rules can identify devices by properties known to XDM, such as:

Enrolled in Device Manager
Jailbroken (iOS) or rooted (Android) devices
Forbidden Apps are installed (blacklisted apps)
Non-suggested apps are installed
Unmanaged
Out Of Compliance
Non-Compliant Password
Revoked status
Inactive Device
Anonymous status

Default Rules

The Default Rule matches the set of all devices. The Default Rule's desired state may be set to Allow, Block, or Unchanged. If the latter is selected, the effect will be that XenMobile Mail Manager will not modify the state of any devices that are not matched explicitly by a Local or XDM rule.

Rule Evaluation
For each ActiveSync device known to the Exchange server, the rules are evaluated in order: first Local Rules, then XDM Rules, then the Default Rule. If a match is found in any rule, the rule's desired state is then enacted for the device and no further rules are evaluated for the device.

Rule enactment results in a Powershell command being sent by XenMobile Mail Manager to Exchange to change the access state. However, if the current known access state of the device is already equal to the desired state, no action is taken. Whenever the rules or the set of known devices change, the rules are re-evaluated.

Additionally, the XenMobile Mail Manager can be configured in Simulation mode. In this mode, Powershell commands are not issued to modify the access state. Instead, XenMobile Mail Manager records in its database that such an action was simulated.

Note: The order in which Local and XDM rules are evaluated can be configured so that XDM rules are evaluated before Local rules (this requires manual editing of config.xml).


To configure Default access control rules


Default access control rules serve as 'catch-all' rules that can be set to allow or deny a device that does not meet the criteria of either XDM rules or local rules. For example, if you set the Default rules to Allow, then any device that does not meet the criteria set to block a device in either XDM or Local rules will be allowed to connect to Exchange.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Configure > Access Rules tab.
3. Select the Default Access, either Allow or Block. This setting controls how all devices other than those identified by explicit Device Manager or Local rules will be treated.
4. Next, select the ActiveSync Command Mode, either Powershell or Simulation. In Powershell mode, XenMobile Mail Manager will issue Powershell commands to enact the desired access control. In Simulation mode, XenMobile Mail Manager will not issue Powershell commands, but will log the intended command and intended outcomes to the database. In Simulation mode, the user can then use the Monitor tab to see what would have occurred if Powershell mode was enabled.
5. Click Save.


To configure XDM (Device Manager) rules


You can use XDM (from Device Manager) rules in XenMobile Mail Manager to work in combination with Local and Default rules. Device Manager rules provide control over devices that do not meet your corporate device compliance standards, such as the ability to block devices that have blacklisted apps, devices that have been rooted or jailbroken, or devices that meet some other condition. Device Manager rules are configured in the Device Manager web console, in the Options dialog box. Device Manager rules are evaluated by XenMobile Device Manager after Local rules, and before Default rules.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Configure > Access Rules tab.
3. Click the XDM Rules tab.
4. Click Add.
5. Type a name for the XenMobile Device Manager (XDM) rules, such as XDM.
6. Modify the URL string to refer to the Device Manager server. For example, if the Device Manager server name is Xdm01 then you would enter http://Xdm01/zdm/services/MagConfigService.
7. Enter an authorized user on the Device Manager server.
8. Enter the password of the user.
9. Leave the Baseline Interval, Delta Interval, and Timeout values at the default settings.
10. Click Test Connectivity to check the connection to the Device Manager server.
11. Click OK.


To configure local rules


Local rules are those that you create in the XenMobile Mail Manager utility and that are specific to it. They provide an extra layer of filtering and control over your company email access policies. When used in combination with Default access rules and Device Manager Secure Mobile Gateway Rules (XDM rules), you can create useful combinations of filters to ensure that you have control over email access according to company policy. You can build local rules to allow or block access by device ID, Device Type (all Android devices, for example), specific user, Active Directory group, or even agent version (device platform version). In XenMobile Mail Manager, local rules are evaluated first, followed by XDM rules, and then followed by Default rules, from top to bottom as they are listed in the user interface.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Configure > Access Rules tab.
3. Click the Local Rules tab.
4. If you want to build local rules that operate on AD Groups, click Configure LDAP and configure the LDAP connection properties.
5. From the drop-down list, select local rules to add based on ActiveSync Device ID, Device Type, AD Group, User, or device UserAgent.
6. Type text or text fragments in the text box. Optionally click the query button to view the entities that match the fragment. Note that for all types other than Group, the system relies on the devices that have been found in a snapshot. So, if you are just starting and haven't completed a snapshot, no entities will be available.
7. Select a text value in the results and then click Allow or Deny to add it to the Rule List on the right side.
8. You can change the order of rules or remove them using the buttons to the right of the Rule List. The order is significant because for a given user and device, rules are evaluated in the order shown, and a match on a higher rule (nearer the top) will cause subsequent rules to have no effect. For example, if you have a rule allowing all iPad devices, and a subsequent rule blocking user Matt, then Matt's iPad will still be allowed because the iPad rule has a higher effective priority than the Matt rule.
9. To determine the effects of multiple rules with groups that have overlapping members, click View Expanded. This shows the net result of the combination of groups.
10. Click Save.
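The evaluation order described above (Local rules, then XDM rules, then Default, with the first match winning) can be modelled offline to list decisions that never take effect, such as the block on Matt that the iPad rule cancels. This Python code is an added example, not XenMobile Mail Manager code: the `Device` and `Rule` fields, the exact-match comparison, the per-device XDM verdict table and all sample data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str
    user: str
    groups: frozenset = frozenset()
    user_agent: str = ""


@dataclass(frozen=True)
class Rule:
    kind: str    # device_id | device_type | user | group | user_agent
    value: str
    action: str  # "Allow" or "Block"

    def matches(self, dev):
        # Assumption: case-insensitive exact match; the real tool also accepts fragments.
        want = self.value.lower()
        if self.kind == "group":
            return want in {g.lower() for g in dev.groups}
        return getattr(dev, self.kind).lower() == want


def evaluate(dev, local_rules, xdm_verdicts, default_access):
    """Return (action, source): Local rules top to bottom, then XDM, then Default."""
    for idx, rule in enumerate(local_rules):
        if rule.matches(dev):
            return rule.action, f"local[{idx}]"
    if dev.device_id in xdm_verdicts:
        return xdm_verdicts[dev.device_id], "xdm"
    return default_access, "default"


def overridden(local_rules, xdm_verdicts, inventory):
    """List (device_id, winner, loser) where an earlier match cancels a later,
    opposite decision for the same device."""
    findings = []
    for dev in inventory:
        hits = [(f"local[{i}]", r.action)
                for i, r in enumerate(local_rules) if r.matches(dev)]
        if dev.device_id in xdm_verdicts:
            hits.append(("xdm", xdm_verdicts[dev.device_id]))
        for source, action in hits[1:]:
            if action != hits[0][1]:
                findings.append((dev.device_id, hits[0][0], source))
    return findings


# Constructed sample data (not taken from a real deployment).
LOCAL_RULES = [
    Rule("device_type", "iPad", "Allow"),
    Rule("user", "matt", "Block"),
]
# Devices that Device Manager reports as failing compliance (assumed shape).
XDM_VERDICTS = {"IPAD-ANN": "Block", "ANDROID-RAJ": "Block"}
INVENTORY = [
    Device("IPAD-MATT", "iPad", "matt"),
    Device("ANDROID-MATT", "Android", "matt"),
    Device("IPAD-ANN", "iPad", "ann"),
    Device("ANDROID-RAJ", "Android", "raj"),
    Device("WP-LEE", "WindowsPhone", "lee"),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        action, source = evaluate(dev, LOCAL_RULES, XDM_VERDICTS, "Block")
        print(f"{dev.device_id:13} {action:5} via {source}")
    for device_id, winner, loser in overridden(LOCAL_RULES, XDM_VERDICTS, INVENTORY):
        print(f"{device_id}: {loser} has no effect, decided earlier by {winner}")
```

The second finding shows the same ordering effect across tiers: a broad local Allow is matched before the XDM verdict for that device is consulted.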


Simulation vs Powershell Mode


Before you implement and activate your Access Control Rules with XenMobile Mail Manager, you can use Simulation mode to test the rules, as opposed to Powershell mode, which actually executes the rules in your live environment. The difference between the two modes is as follows:

In Simulation mode, XenMobile Mail Manager will not issue PowerShell commands, but will log the intended command and intended outcomes to the database. In Simulation mode, the user can then use the Monitor tab to see what would have occurred if Powershell mode was enabled.
In Powershell mode, XenMobile Mail Manager will issue PowerShell commands to enact the desired access control.

To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under ActiveSync Access Control Rules on the Default Rule tab, select either Simulation or Powershell from the ActiveSync Command Mode drop-down list.


Monitoring XenMobile Mail Manager


The Monitor tab in the XenMobile Mail Manager allows for browsing of the EAS and BlackBerry devices that have been detected, and displays the history of automated PowerShell commands that have been issued. There are 3 tabs under the Monitor tab:

ActiveSync Devices
BlackBerry Devices
Automation History

Also, the history of all snapshots is available under the Configure tab:

In the Exchange tab, click the Info icon for the desired Exchange server.
Under the MSP tab, click the Info icon for the desired BlackBerry server.

Snapshot history shows when the snapshot took place, how long it took, how many devices were detected and any errors that occurred.


To monitor ActiveSync devices


From the Monitor tab, you can view all BlackBerry devices that have been detected and a history of PowerShell commands issued by XenMobile Mail Manager.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Monitor > ActiveSync Devices tab.
3. From this tab, you can view a list of all devices discovered by the XenMobile Mail Manager. Using the drop-down list, you can filter the list to see which devices have been allowed and which have been blocked, and you can filter these commands according to those issued in the last hour or the last day. You can also search the list by user or device ID.
4. To see more details on a specific command or device (or user), click the green (allowed) or red (blocked) icon next to the entry.


To monitor BlackBerry devices


From the Monitor tab, you can view all BlackBerry devices that have been detected and a history of PowerShell commands issued by XenMobile Mail Manager.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Monitor > BlackBerry Devices tab.
3. From this tab, you can view a list of all BlackBerry devices discovered by the XenMobile Mail Manager. You can search the list for a specific user by typing the user's email address and then clicking Go.
4. To see more details on a specific command or device (or user), click the green (allowed) or red (blocked) icon next to the entry.


To view snapshot history


You can view the history of snapshots taken for your Exchange or BlackBerry servers by clicking the information icon (I) next to the server.

1. From the Start menu, launch XenMobile Mail Manager.
2. Click the Configure > Exchange tab.
3. Click the small blue information icon next to the Exchange server to see the history of snapshots taken of the server's ActiveSync traffic.
4. To view the history of snapshots taken of a configured BlackBerry server, click the Configure > MSP tab.
5. Click the small blue information icon next to the BlackBerry server to see the history of snapshots taken.


Installing App Controller


Citrix App Controller delivers access to web, SaaS, Android, and iOS apps, as well as integrated ShareFile data and documents. Users access their applications through Citrix Receiver, Receiver for Web, or Worx Home. With App Controller, you can provide the following benefits for each application type:

SaaS applications. Active Directory-based user identity creation and management, with SAML-based single sign-on (SSO).
Intranet web applications. HTTP form-based SSO by using password storage.
iOS and Android apps. Unified store to which you can install MDX apps for iOS and Android devices, and security management for MDX policies, encompassing WorxMail and WorxWeb. You can wrap iOS and Android apps with the MDX Toolkit to create MDX apps.
ShareFile access. Delivery of files by configuring ShareFile settings and the ShareFile application that provides seamless SAML SSO, and Active Directory-based ShareFile service user account management.

In This Section
The topics in this section provide information about installing and configuring App Controller 2.9.


Getting Ready to Install App Controller


The App Controller virtual machine (VM) runs on Citrix XenServer, Microsoft Hyper-V, or VMware ESXi. You can use XenCenter or vSphere management consoles to install App Controller 2.9. Before installing App Controller, you must do the following:

Install XenServer or VMware ESXi on a computer with adequate hardware resources.
Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere connects to the XenServer or VMware ESXi host through the network.
Install Windows Server 2008 R2 or Windows Server 2012 with the Hyper-V role enabled, on a computer with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host.

This section details the following steps for installing App Controller on XenServer, Hyper-V, or VMware:

Installing the VM on XenServer and setting the properties for App Controller in XenCenter.
Installing App Controller on VMware ESXi and using vSphere to allocate virtual hardware components to App Controller, such as memory and virtual CPUs.
Installing App Controller on Hyper-V.
Configuring the IP address and subnet mask, default gateway, DNS servers, and Network Time Protocol (NTP) servers for App Controller by using the XenCenter or vSphere command-line console.

When you finish configuring App Controller network settings by using the command-line console, you log on to the App Controller management console. Then, you configure the following network settings:

Active Directory configuration from which you obtain groups for App Controller
Note: After you complete the Configure wizard, you can configure settings for additional Active Directory servers in your network.
Administrator settings
Workflow email settings

Optionally, you can change the settings you configured by using the command-line console in the wizard. These settings include:

App Controller system settings, such as IP address, subnet mask, and the default gateway

NTP and DNS server settings and the time zone

After you configure App Controller system settings, to complete the configuration, App Controller retrieves the groups and members of the groups from the specified Base DN in Active Directory. When the retrieval is complete, App Controller logs off. You can log on again to continue configuring App Controller features.


Installing App Controller on XenServer


After you download the virtual image (VM) from the Citrix web site, install App Controller on XenServer. After installation, set the properties for App Controller in XenCenter.

To install App Controller on XenServer


1. Start XenCenter on your computer.
2. In the navigation pane, click the name of the XenServer on which you want to install App Controller and then connect.
3. On the File menu, click Import.
4. In the Import wizard, in Filename, browse to the location to which you saved the .xva image file and then click Open.
5. Follow the instructions in the wizard to import the App Controller image.

After you click Finish in the wizard, you can click the Logs tab to view the status of the import process. When the import process is complete, you configure the initial settings for App Controller by using the command-line console. For more information, see Setting the App Controller IP Address for the First Time.

To set the properties for App Controller


When you import App Controller, the number of virtual CPUs (VCPUs) is set to 2. You cannot change this setting. The default memory setting is 4096. You can leave the memory setting or change it by using the Memory tab in XenCenter. Note: If the App Controller virtual machine acts as the cluster head, configure 4 VCPUs.


Installing App Controller by Using VMware ESXi


To install App Controller on VMware ESXi, you must first install VMware on a computer with adequate hardware resources. To perform the App Controller installation, you use vSphere. You install vSphere on a remote computer that can connect to the VMware host through the network. After you install App Controller, you can create virtual hardware components on VMware and then use vSphere to allocate them to App Controller.

When you install App Controller on VMware ESXi, you use the vSphere client. You select the OVF template to start the Deploy OVF Wizard. Follow the directions in the wizard to import the App Controller OVA (.ova) file. You provide a name for App Controller and then configure additional settings to import the file to VMware ESXi. After the import is complete, you set the App Controller properties in vSphere. These settings include:

Allow the virtual machine to start and stop automatically with the system.
Set the startup order for App Controller.
Set the memory size to 4096.
Set the number of VCPUs to 2.

For more information about VMware ESXi and the vSphere client, see the manufacturer's documentation.


Installing App Controller on Microsoft Hyper-V


To install App Controller on Microsoft Hyper-V, you must first install Microsoft Server 2012 with Hyper-V enabled or Microsoft Hyper-V Server 2012 on a computer with adequate hardware resources. To perform the App Controller installation, you use the Hyper-V Manager, which is a Microsoft Management Console (MMC) snap-in. Hyper-V Manager is installed automatically when you enable the Hyper-V role.

You download a compressed ZIP file to install App Controller on Microsoft Hyper-V. You extract the files and then use Hyper-V Manager to install App Controller.

Note: Make sure that you extract the files in the ZIP folder into a different folder before you specify the path to the folder.

After you import the virtual machine, you need to configure the virtual network adapter by associating the adapter to the virtual networks created by Hyper-V. App Controller 2.8 requires one virtual network adapter.

In Hyper-V Manager, you select the server on which you want to install App Controller and then import the virtual machine. When the import starts, you are prompted to specify the path of the folder that contains the App Controller software files. After the import is complete, you set the App Controller properties in Hyper-V Manager. These settings include:

Allow the virtual machine to start and stop automatically with the system.
Set the startup order for App Controller.
Set the memory size to 4096.
Set the number of VCPUs to 2.

For more information about Microsoft Hyper-V and the Hyper-V Manager, see the manufacturer's documentation.


Setting the App Controller IP Address for the First Time


After importing the App Controller image, you need to configure the IP address. The IP address is the management address at which you can access App Controller through a web browser or by using a Secure Shell (SSH) client, such as PuTTY. You can access the App Controller command-line interface through the XenCenter console to specify an IP address, subnet mask, default gateway, Domain Name Servers (DNS) and a Network Time Protocol (NTP) server. The default IP address for App Controller is 10.20.30.40.

To change the IP address for App Controller in XenCenter


1. In XenCenter, select the App Controller virtual machine and then click the Console tab.
2. At the console logon prompt, enter the administrator credentials. The default user name for the console is admin and the default password is password.
3. At a command prompt, type 0 to select Express Setup.
4. Select the appropriate number to change the IP address, subnet mask, default gateway, DNS servers, and NTP server.
Note: Citrix recommends using an NTP server to set the date and time on App Controller.
5. Press 5 to commit the changes. When you commit the changes, you are prompted to restart App Controller. Review your settings and then type y to commit the changes.

After App Controller restarts, you can then access the management console by using the new IP address in a web browser. To open the management console, type https://AppControllerIPaddress:4443/ControlPoint in the address bar of the web browser. For example, type https://10.20.30.40:4443/ControlPoint. The user name is administrator and the password is password. When you connect to App Controller, you must use HTTPS. If you attempt to connect with HTTP, the connection fails.


Configuring App Controller for the First Time


After you install the App Controller virtual machine (VM) and configure the initial settings by using the command-line console, you can configure additional App Controller network settings in the App Controller management console. When you log on to the management console for the first time, the Configure wizard appears prompting you to configure settings that include the following:

Administrator password
Note: Make sure that the email address is part of the base DN that you configure in the Active Directory settings.
App Controller host name, IP address, subnet mask, and default gateway
Note: You can also configure an IP address for App Controller if you want a different IP address than what you configured by using the command-line console.
Active Directory settings to one server
Certificates
Note: In the Configure wizard, you can add, create, or remove certificates on the Active Directory page. The option to configure certificates from the Active Directory page only appears when you configure App Controller for the first time in the management console. After you run the Configure wizard for the first time, you can then manage certificates from the Settings tab in the management console.
Network Time Protocol (NTP) server and time zone
DNS server settings
Workflow email settings

Important: For workflows to work correctly, when you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.

After you configure and save the remaining network settings in the management console, App Controller retrieves users from Active Directory and then logs off. If you changed the password, log on again with the new password.

Important: If you have a large number of users or groups, it might take a few hours for App Controller to retrieve users. You cannot make any changes to App Controller until this process is complete. If you close the browser, interrupt the synchronization and then restart the Configure wizard in another web browser, your settings are not saved. Citrix recommends that you allow the Active Directory synchronization to complete. When you configure the App Controller settings for the first time, you can enter a group distinguished name (DN) that speeds the synchronization of Active Directory membership with App Controller.

If you need to make changes to system settings at a later time, you can access the Settings tab. You can configure or reconfigure the following on the Settings tab:

Active Directory settings, such as IP address, administrator email and password, and base DN
Administrator settings that allow you to change the password for the management console and the command-line console
Support options that allow you to configure GoToAssist user assistance settings
Branding that allows you to upload your own Portable Network Graphics (png) to mobile devices
Certificates where you can install root, intermediate, and server certificates on App Controller
Deployment settings for StoreFront or NetScaler Gateway
Domain Name Server such as a DNS or WINS server
GoToAssist settings for email or phone support
Log transfer that sends logs to a server in your network
Network connectivity, which contains the App Controller network settings
NTP server that contains the settings for a Network Time Protocol server
Receiver email template where you can send emails to your users to download Receiver
Receiver updates
Release management that allows you to upload software upgrades, patches, and application connectors
Store credentials where you can save the user name, password, and device ID for the Google Play Store
SysLog server settings
Workflow email, which contains the administrator email settings for workflows
XenMobile MDM where you configure connection settings to XenMobile Device Manager

To change App Controller settings


1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click one of the options to configure the settings.

After you complete App Controller configuration, you can configure roles, users, applications, and application categories for single sign-on (SSO). You can do the following:

Refresh users from Active Directory.
Add roles to map which Active Directory groups receive access to applications.
Add web and SaaS applications to App Controller from the provided connector catalog.
Upload mobile apps to App Controller.
View a user device inventory in which you can erase and stop erasing application data and documents from a device, lock and unlock a device, or delete a device from the inventory.
Retrieve mobile app information by configuring mobile links.
Add links to commonly used web sites including Internet and intranet sites.
Create access to applications that are not in the catalog for SSO by using either HTTP Federated Formfill or SAML connectors.
Download certificates for use with some SAML applications.
Create user accounts automatically based on Active Directory group membership.
Assign users to applications based on their role within the organization.
Add categories to which you can add applications.
Connect StoreFront to App Controller. When users connect with Citrix Receiver, they can see the application list, subscribe to applications, and access applications seamlessly.
Configure ShareFile settings for user data and documents.
Download a CR (.cr) file that configures Receiver on the user device. You can send this file to users in an email. The .cr file contains all of the settings that Receiver needs to connect to App Controller.


Icons in the AppController Management Console


The AppController management console includes icons that users click to perform different tasks. The following table defines each icon.

Icon Name | Definition
Enable | Indicates that an app is disabled. When clicked, enables the app.
Disable | Indicates that an app is enabled. When clicked, disables the app.
Edit | Used to edit a role or application.
Remove | Used to remove an application, remove an application from a role, or to remove a category, workflow, or user device.
Sync | Used to synchronize application users with Active Directory for accounts that are configured for user account management. Also opens a Storage Zone dialog box in Roles to enable you to find a particular storage zone and provide credentials.
Upgrade | Used to upgrade a mobile application with a new version.
Role details | In Roles, you can view the Active Directory groups that belong to a configured role or you can delete the role.
Lock | Used to lock a user device.
Unlock | Used to unlock a user device after you have locked it.
Erase | Used to erase data and documents from a device.
Stop erasing | Used to stop the process of erasing data and documents from the device.
Apps | In Workflows, shows the apps with which the workflow is associated, if any.
Workflow details | In Workflows, lets you view the levels of manager approval and additional approvers for a configured workflow.
User | In Roles, lets you view members of the Active Directory groups.


Adding Active Directory Domains to App Controller


App Controller uses Active Directory groups and users. You configure Active Directory in two ways:

With the Configure wizard when you log on to the App Controller management console for the first time. This domain is considered the default domain.
On the Settings tab where you can configure multiple Active Directory domains.

With Active Directory, you can:

Create roles in App Controller that map to one or more Active Directory groups within multiple domains.
Create and remove user application accounts based on their Active Directory group membership by using applications assigned to roles.
Create workflows for manager approval of user accounts for applications.

Important: When you add users to Active Directory, you must enter the first name and last name in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.

The administrator account must be recognized by all corresponding Active Directory domains you configure in App Controller.

When App Controller synchronizes with Active Directory, either after the first time you configure Active Directory in App Controller or if you manually synchronize with Active Directory, the length of time it takes to synchronize depends on the size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this time, you cannot configure any other settings in Active Directory.

If you enter a group DN when you first configure Active Directory, the synchronization occurs more quickly. For example, you enter cn=Users,dc=servername,dc=net, where cn=users is the group base DN and servername is the name of the Active Directory server. When the initial synchronization is finished, App Controller logs off from the management console and returns to the management console logon page.

Note: If you provide the root level base DN, such as dc=mycompany,dc=com, App Controller retrieves users in child domains. To prevent retrieval of child domain users, provide specific user base DN paths that relate to the parent domain.

Configuring Multiple Active Directory Domains


After you configure one Active Directory domain by using the Configure wizard, you can add additional Active Directory domains on the Settings > Active Directory tab in the App Controller management console.

When you configure Active Directory domains, you provide the server information including:

IP address
Port
Domain name
Service account
Password
User base DN
Group base DN
SSL support

You can configure Active Directory domains in the following ways:

One Active Directory instance per domain. You can specify multiple base DNs in each domain. Separate each base DN with a semi-colon (;).
Two domains that belong to different Windows Server trees.
Two domains that belong to different Windows Server forests.

For each domain, the service account you specify must be able to access the base DN for each domain. App Controller does not maintain any internal relationship between managed domains. You can manage multiple Active Directory domains as separate instances. When you configure multiple Active Directory domains, Citrix recommends that you use the User Principal Name (UPN) so you can include the domain name. If you configure multiple domains, keep the following in mind:

Only default domain users can log on directly to App Controller.
Logons from users in other domains must be authenticated by NetScaler Gateway.
Domains configured in App Controller and NetScaler Gateway must match.
Domains configured in App Controller and StoreFront must match when StoreFront is used as the authentication server.

If StoreFront is used as the authentication server, the domain information must be included in the token validation response from StoreFront. You can use sAMAccountName (domain\user name) or UPN (user@domain) for user logon.

Modifying and Deleting Active Directory Domains


You can modify and delete Active Directory domains in App Controller. App Controller retrieves users and groups when you add each domain. If you modify a domain and change the user or group base DN, App Controller synchronizes with Active Directory.

You can delete one domain at a time and you cannot delete the default domain. When you delete a domain, App Controller marks all of the users in the domain as terminated users. These users lose access to role-based apps. App Controller also deletes pending workflows and provisioning requests. User accounts reconciled to terminated users are processed according to the app configuration (ignore, disable, or delete).

Important: If you delete a domain, you cannot add the same domain to App Controller again.


Adding and Synchronizing Active Directory Domains


You can add multiple Active Directory domains to App Controller. After you add a domain, click the Sync icon to retrieve users and groups from the Active Directory domain.

To add Active Directory domains


1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click Active Directory.
3. In the details pane, click Add.
4. In Server and Port, enter the IP address and port number of the Active Directory server. The default port number is 389.
5. In Domain name, add the Active Directory domain, such as mycompany.net. When you add the domain name, User Base DN and Group Base DN populate automatically.
6. In User Base DN and Group Base DN, enter any other parameters, such as cn=Users. A warning appears if the base DN is a top-level domain.
7. In Service Account, add the email address of the administrator account. You can use either the sAMAccountName, in which users log on with domain\user, or the User Principal Name (UPN), in which users log on with user@mycompany.com.
Note: All Active Directory domains that you add to App Controller must recognize this service account.
8. In Password and Confirm Password, enter the password of the service account and then click Save.

When you configure settings and only configure the top-level domain, the Add Domain dialog box appears as in the following figure:


To remove the warning message, configure a subdomain as part of the base DN. For example, enter cn=Users, dc=mycompany,dc=net.
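An added example, not part of the Citrix documentation: a pre-flight check for the values entered in steps 5 through 7, flagging a base DN that is only the top-level domain and a service account that is in neither logon form. The rules are assumptions inferred from the text above, not App Controller's own validation, and svc_sync is a constructed account name.

```python
import re

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def domain_to_dn(domain):
    """mycompany.net -> dc=mycompany,dc=net (the value the dialog pre-populates)."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))

def check_base_dn(base_dn, domain):
    """Return findings for a User/Group Base DN; an empty list means no findings."""
    rdns = split_dn(base_dn)
    tail = []  # trailing run of dc= components, i.e. the domain part of the DN
    for attr, value in reversed(rdns):
        if attr != "dc":
            break
        tail.insert(0, value.lower())
    findings = []
    if tail != domain.lower().split("."):
        findings.append("domain part does not match; expected suffix " + domain_to_dn(domain))
    if len(tail) == len(rdns):  # assumed trigger for the console warning
        findings.append("base DN is the top-level domain; add a container such as cn=Users")
    return findings

def account_format(account):
    """Classify the Service Account field as 'UPN', 'sAMAccountName' or 'unknown'."""
    if re.fullmatch(r"[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+", account):
        return "UPN"
    if re.fullmatch(r"[^@\\\s]+\\[^@\\\s]+", account):
        return "sAMAccountName"
    return "unknown"

def review_settings(domain, user_base_dn, group_base_dn, account):
    """Collect findings per field of the Add Domain dialog; fields without findings are omitted."""
    findings = {"User Base DN": check_base_dn(user_base_dn, domain),
                "Group Base DN": check_base_dn(group_base_dn, domain),
                "Service Account": []}
    if account_format(account) == "unknown":
        findings["Service Account"].append("use domain\\user or user@domain form")
    return {field: msgs for field, msgs in findings.items() if msgs}

if __name__ == "__main__":  # constructed sample values using the page's example domain
    print(review_settings("mycompany.net", "dc=mycompany,dc=net",
                          "cn=Users, dc=mycompany,dc=net", "svc_sync@mycompany.com"))
```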

To manually synchronize with Active Directory


App Controller supports the following three types of Active Directory synchronization:

Initial synchronization. When you log on to the management console for the first time, you configure Active Directory settings in the initial wizard along with network and email settings. When you save the settings, App Controller synchronizes with Active Directory.

Periodic synchronization. App Controller contacts Active Directory every five minutes to determine if there are any changes in Active Directory. App Controller looks for added, removed, and modified users in Active Directory. App Controller also looks for group membership changes and new and removed groups. This periodic synchronization starts for domains that have previously retrieved users and groups. The earlier synchronization must be successful for the periodic synchronization to run.

Manual synchronization. You can synchronize with Active Directory at any time by using the synchronize icon next to the Active Directory domain in the App Controller management console. When you synchronize, App Controller updates all users from Active Directory for that domain and determines any changes to the user records. This synchronization can take as long as the initial synchronization and depends on the size of Active Directory. This synchronization also returns changes to users, including group membership.

You can start synchronization for all managed domains. The App Controller synchronization process runs in the background, one domain after another. When you manually synchronize, App Controller displays a progress bar so you can track the progress.

1. In the App Controller management console, click Settings at the top of the page.
2. In the left pane, under System Configuration, click Active Directory.
3. In the details pane, under Actions, click the Sync icon for the domain with which you want to synchronize.


Installing the MDX Toolkit


The Citrix MDX Toolkit is available from the Citrix web site. The MDX Toolkit runs on a computer running Mac OS X Versions 10.7 (Lion), 10.8 (Mountain Lion), or 10.9 (Mavericks). The tool is not supported on a Windows-based computer.

Important: You must update to the latest version of Worx Home 8.6 on Android and iOS devices before you wrap apps with the 2.2.321 version of the MDX Toolkit. If not, when you try to open the apps in earlier versions of Worx Home, an incompatibility error message appears.

After you download the tool from the Citrix web site, you install the tool on your computer. When you install the tool, you are prompted for licensing, the location where you want to install the tool, and installation information.

The installation package includes a small utility for removing the MDX Toolkit. You can find the utility at the following location on your computer: /Applications/Citrix/CGAppPrepTool/Uninstaller.app/Contents. Double-click the utility to start the uninstaller app and then follow the prompts. When you remove the tool, you receive a message prompting you for your user name and password.
