
Page 1: Hands-on Lab Exercise Guidedocs.citrixvirtualclassroom.com/events/syn2015/SYN-605.pdf · 2017. 7. 10. · Hands-on Training Module Objective This training will provide hands-on experience

605: Secure Mobile Access with the New XenMobile

Hands-on Lab Exercise Guide

Walter Hofstetter, Christopher Friend, and Frank Martinez

May 2015

Table of Contents

Overview
Scenario
Exercise 1: Initial Configuration of the XenMobile Server
Exercise 2: XenMobile Server Getting Started Wizard
Exercise 3: Configure Policies on XenMobile Server
Exercise 4: Adding Categories and Applications to XenMobile Server
Exercise 5: Assigning Applications to a Delivery Group
Exercise 6: Configure NetScaler Gateway for Enterprise Store
Exercise 7: Device Enrollment
Exercise 8: Verify Enrollment and Enterprise App Store
Exercise 9: Working with Device and MDX Policies
Optional Lab: PKI Integration - Certificate Based Authentication


Overview

Hands-on Training Module

Objective

This training will provide hands-on experience with the following:

Initial configuration of XenMobile Server 10.0 with FIPS mode enabled

Integrating XenMobile Server with NetScaler Gateway to terminate the MDM SSL traffic securely (SSL Offload) and allow access to the corporate network using mVPN

Working with device and app (MDX) policies to achieve a secure operating mode that avoids data leakage through apps, the OS, and devices taken off campus.

Prerequisites

Basic understanding of Web/SaaS/Mobile apps.

Familiarity with navigating the NetScaler Configuration Utility.

Basic understanding of HTTP/HTTPS communication.

Basic understanding of networking concepts (e.g., IP addressing and communication).

Audience

Citrix Partners, Customers, Sales Engineers, & Consultants.


Lab Environment Details

The lab environment for the exercises to come contains the following:

External access to common services (HTTP, SSL, SMTP, RDP, SSH, DNS) to simulate a real production environment customized

1 Active Directory namespace

Pre-configured enterprise applications (Exchange & MSSQL)

XenMobile Enterprise components (XenMobile Server, NetScaler Gateway)

The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.


Lab Guide Conventions

This symbol indicates particular attention must be paid to this step

Special note to offer advice or background information

reboot: Text the student enters or an item they select is printed like this

VMDemo: Filename mentioned in text or lines added to files during editing

Start: Bold text indicates reference to a button or object

Focuses attention on a particular part of the screen (R:255 G:20 B:147)

Shows where to click or select an item on a screen shot (R:255 G:102 B:0)

List of Virtual Machines Used

| VM Name | IP Address | Description / OS |
|---|---|---|
| AD.training.lab | 192.168.10.11 | Windows Server 2012 R2 Standard. Domain controller for training.lab, DNS, DHCP services, and license server. |
| DDC | 192.168.10.40 | Windows Server 2012 R2 Std. with XenDesktop 7.6 installed. |
| XMS | 192.168.10.20 | XenMobile Server 10.0. Students will perform the initial/basic XenMobile Server configuration and configure apps, policies, and delivery groups. |
| XMS MAM LB VIP | 192.168.10.21 | Load Balancing VIP MAM (e.g. for Clustering) |
| Exchange | 192.168.10.15 | Windows Server 2008 R2 with Exchange 2010 installed |
| NS | NSIP=192.168.10.50, VIP=192.168.10.100, VIP=192.168.10.101 | NS/AGEE 10.5. Students will perform steps to integrate NetScaler Gateway with Citrix StoreFront and XenMobile Server. |
| SQLServer | 192.168.10.12 | Windows Server 2012 Standard with SQL Server installed. |
| VDA | 192.168.10.205 | Windows 8.1 Professional with XenDesktop VDA installed. |
| Win81Client | 192.168.10.201 | Windows 8.1 Professional virtual machine |

Required Lab Credentials

The credentials required to connect to the environment and complete the lab exercises.

| VM Name | Username | Password | Description |
|---|---|---|---|
| Win81Client | administrator | Citrix123 | Domain admin |
| NS1 | nsroot | nsroot | NetScaler admin |
| AD.training.lab | administrator | Citrix123 | Domain admin |


Scenario

You have been hired as a consultant to deploy XenMobile Enterprise Edition for MobileTeX, Inc. in order to provide management of devices along with access to internal applications and data resources from any mobile device. Your task is to use the guidelines outlined below to implement a solution that meets the business needs.

High-level guidelines:

MDM enrollments need to ensure that device passwords and restrictions can be enforced.

MAM enrollments may be used to secure company data; e-mail security is a specific concern. Additionally, MAM enrollments are used for BYO scenarios.

All data has to be encrypted in transit and at rest; FIPS-compliant cryptography has to be used.


Exercise 1

Initial Configuration of the XenMobile Server

Overview

Configuring the XenMobile Server is a two-part process. The initial configuration is done at the console of the server by setting the new password, network settings (IP address, subnet mask, default gateway), database location, and external FQDN. Once this is done, you connect to the Administration Console from a web browser to complete the basic configuration via the Start-up Wizard. In this lab, you will perform the initial configuration at the console of the XenMobile 10 server.

Step by step guidance

Estimated time to complete this lab: 20 minutes.

Step Action

1. Within XenCenter, select the SQLServer virtual machine and click the Console tab.

Log in as:
Username: training\administrator
Password: Citrix123

Start the SQL Configuration Manager and verify that the SQL Server Service has been started. If not, right-click the service and start it now.


2. Within XenCenter, select the XMS virtual machine and click the Console tab. You will notice that the XenMobile Server is in First Time Use mode.

Configure the following:
New Password: Citrix123
Re-enter new password: Citrix123

3. Configure the following settings:
IP Address: 192.168.10.20
Netmask: 255.255.255.0
Default gateway: 192.168.10.1
Primary DNS server: 192.168.10.11
Secondary DNS server [optional]: Leave blank and hit Enter

Hit Enter to commit the settings.

4. The network settings are applied. Hit Enter to accept the default [y] to generate a random password to secure server data.


5. You are given the option to enable FIPS mode. Press [y] and hit Enter to enable FIPS mode.

6. Next we will configure the database.

You will be asked what remote database you will be connecting to.

Hit Enter to accept the default [mi] for Microsoft SQL.

7. To enable a secure connection you must copy or import a root certificate.

Hit Enter to accept the default [y] to upload a root certificate.

Note: FIPS mode only supports an SSL encrypted remote database connection.

8. Hit Enter to accept the default [c] to copy the certificate.

9. In XenCenter, select the AD.training.lab virtual machine and click the Console tab.

Log in with the following credentials:
Username: training\administrator
Password: Citrix123

Note: Ensure you log into the remote Desktop. If not, you will not be able to paste the root certificate into the XMS server.


10. Click on the Desktop tile if required

11. Browse to C:\Software\Certificates to locate the Root.pem certificate

12. Open the Root.pem certificate with Notepad, highlight and copy the contents.


13. In XenCenter, select the XMS virtual machine and click the Console tab. Right-click and paste the certificate. Hit Enter twice.

14. Configure the database with the following settings:
Server: sqlserver.training.lab
Port: Hit Enter to accept the default [1433]
Username: training\administrator
Password: Citrix123
Database name: Hit Enter to accept the default [DB_service]

Hit Enter to accept the default [y] to commit the settings.

15. You are prompted to enable clustering. Delete [y], enter [n], and hit the Enter key.


16. You are prompted for the XenMobile hostname.

Enter <IP2 FQDN> from your portal page and hit the Enter key.

Note: Your IP2 FQDN is available on the portal page. Example Only: 75-126-159-220.mycitrixtraining.net

17. Hit Enter to accept the default [y] to commit the settings.

18. Configure the following communication ports (Port listeners):
HTTP: [80]
HTTPS with certificate authentication: [443]
HTTPS with no certificate authentication: [8443]
HTTPS for management: [4443]

Hit Enter to accept the default [y] to commit the settings.


19. You are asked to use the same password for all certificates of the PKI.

Hit Enter to accept the default [y].

Configure the following:
New Password: Citrix123
Re-enter new password: Citrix123

Hit Enter to accept the default [y] to commit the settings.

Note: This configuration is for all the Public Key Infrastructure (PKI) certificates. This step creates the device manager’s certificate authorities. If you intend to cluster XenMobile Server nodes, you will need to provide identical passwords for subsequent nodes.

20. You are prompted to configure the XenMobile console administrator account.

Configure the account as follows:
Username: [administrator]
Password: Citrix123
Re-enter new password: Citrix123

Hit Enter to accept the default [y] to commit the settings.


21. You are asked if this is an upgrade from a previous release.

Hit Enter to accept the default [n].

The initial system configuration is complete.

Make a note of the URL given to complete the setup process.

Exercise Summary

In this exercise, the student performed the initial configuration of the XenMobile Server. During the first time use, you configured the XenMobile Server networking information, FQDN, DNS Server, and connection to a remote SQL database.


Exercise 2

XenMobile Server Getting Started Wizard

Overview

In this exercise we will go through the XenMobile Server Getting Started wizard in order to configure categories, applications, policies, and delivery groups. The applications and policies will be assigned to the delivery groups.

Step by step guidance

Estimated time to complete this lab: 15 minutes.

Step Action

1. In XenCenter, select the Win81Client virtual machine and click the Console tab.

Login with the following credentials:

Username: training\administrator

Password: Citrix123

2. Click on the Desktop tile.


3. Launch Internet Explorer and browse to https://192.168.10.20:4443

Click Continue to this website to accept the certificate error.

Log in with the following credentials:
Username: administrator
Password: Citrix123

Click Sign in.

4. The Get Started page is displayed. Click Start to begin the configuration wizard.


5. The Initial Configuration window is displayed.

Click Next to accept the use of the evaluation license.

6. On the SSL Certificate page, click Import.


7. Configure the following settings:
Import: Keystore
Keystore type: PKCS#12
Use as: APNs
Keystore file: APNS.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123

Click Import.

A confirmation window pops up.

Click OK.


8. Click Import again.

Configure the following settings:
Import: Keystore
Keystore type: PKCS#12
Use as: Server
Keystore file: MCTWildcard.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123

Click Import.


9. Click Import again.

Configure the following settings:
Import: Keystore
Keystore type: PKCS#12
Use as: SSL Listener
Keystore file: MCTWildcard.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123

Click Import.

10. You receive a prompt. Click OK.


11. Click Import again.

Configure the following settings:
Import: Certificate
Use as: Server
Certificate import*: Root.cer (Browse to \\Ad\Software\Certificates)

Click Import.

12. The APNs, Server, Root and SSL Listener certificates are displayed.

Click Next.


13. Click Next. You are prompted to configure NetScaler Gateway.

Configure the following settings:
Name: NSG
Alias: Leave Blank
External URL: https://<IP1 FQDN>
Logon Type: Domain only
Password Required: On

Click Next.

Note: Your IP1 FQDN is available on the portal page. Example Only: 75-126-159-219.mycitrixtraining.net


14. The LDAP Configuration page is displayed.

Configure the following settings:
Primary Server: 192.168.10.11
Port: 389 (Default)
Domain name: training.lab
User base DN: dc=training,dc=lab (auto-filled in)
Group base DN: dc=training,dc=lab (auto-filled in)
User ID: [email protected]
Password: Citrix123
Domain alias: training.lab
Use search by: sAMAccountName

Click Next.

15. Click Next to skip the Notification Server configuration.

16. Click Finish on the Summary page.


17. The initial configuration is complete. Click Start Managing Apps and Devices.

18. In XenCenter, select the XMS virtual machine.

Click Reboot to reboot the server.

Click Yes on the popup window to reboot the vm.

19. Wait until the XMS server is back up before continuing with the next exercise.

Exercise Summary

The Getting Started wizard takes you through configuring licensing, certificates, NetScaler Gateway & LDAP settings for the XenMobile Server.


Exercise 3

Configure Policies on XenMobile Server

Overview

XenMobile Server empowers enterprise organizations to apply device configurations, settings, and security parameters to multiple devices. In this exercise, students will configure policies on XenMobile Server to push to iOS or Android mobile devices.

Step by step guidance

Estimated time to complete this lab: 20 minutes.

Step Action

1. Select the Win81Client virtual machine.

If the vm screen is locked, login with the following credentials:

Username: training\administrator

Password: Citrix123

2. Open a browser and navigate to https://192.168.10.20:4443.

3. Login with the following credentials

Username: administrator

Password: Citrix123

Click Sign in.


4. In the XenMobile Server management console, select the Configure tab and click the Device Policies node on the green ribbon.

5. On the Device Policies window, click Add.

6. Click Passcode


7. The Policy Information page is displayed. Configure the following:
Policy name: Passcode

Click Next.

8. Click the checkbox next to the Samsung SAFE, Samsung KNOX, Windows Phone 8.1, and Windows 8.1 Tablet platforms. These platforms will be disabled.


9. The Policy Information window is displayed for iOS devices.

Configure the following settings:
Passcode required: On
Minimum length: 6
Maximum failed sign-on attempts: 4

Click Next.


10. The Policy Information window is displayed for Android devices.

Configure the following settings:
Passcode required: On
Minimum length: 6
Maximum failed sign-on attempts: 4

Click Next.

11. Apply policy to AllUsers and click Save.


12. The Passcode policy is displayed.

13. Click Add again.

14. The Add a New Policy window is displayed. Click More.

15. Under the Security column, select Credentials.


16. The Credentials Policy configuration is displayed.

Configure the following:
Policy Name*: Root Certificate

17. On the left side of the window, deselect the Windows 8.1 Tablet platform.

Click Next.


18. The Policy Information window for iOS devices is displayed.

Configure the following settings:
Credential Name*: Root Certificate
The credential file path*: Root.cer (Click browse and navigate to \\AD\Software\Certificates)

Click Next.

19. The Policy Information window for Android devices is displayed.

Configure the following settings:
Credential File Path: Root.cer (Click browse and navigate to \\AD\Software\Certificates)

Click Next.


20. Apply policy to AllUsers and click Save.

21. The Root Certificate policy is displayed.

22. Click Add again.

23. The Add a New Policy window is displayed. Click Restrictions.

24. The Restrictions Policy configuration is displayed.

Configure the following:
Policy Name*: Device Restrictions


25. On the left side of the window, deselect the Windows Phone 8.1, Windows 8.1 Tablet and Amazon platforms.

Note: If you are using an iOS device, deselect the Samsung SAFE platform also.

Click Next.

26. The Policy Information window is displayed for iOS devices. Here you will see a list of the possible hardware restrictions for iOS devices, the required iOS version and device mode to apply the policy.

Scroll down and set AirDrop to OFF and click Next.

Note: This policy can only apply in Supervised Mode. Please test on your device. If using iOS, skip to Step 28.


27. The Policy Information window is displayed for Samsung SAFE devices. Here you will see a list of the possible hardware restrictions for Samsung devices with SAFE mode enabled.

Scroll down and set NFC to OFF and click Next.

Note: This policy can only apply on Samsung SAFE. Please test on your device.

28. Apply policy to AllUsers and click Save.

29. The Device Restrictions policy is displayed.

30. Click Add again.

31. The Add a New Policy window is displayed. Type Location in the search bar and click the Search button.


32. Select Location Services.

33. In the Policy Name field type Geofence Policy and click Next.


34. The Policy Information window is displayed for iOS devices.

Configure the following settings:
Report if Location Services are disabled: On
Geofencing: On
Radius: 500 Meters
Center Point Latitude: 36.1214
Center Point Longitude: -115.1689
Warn on Perimeter breach: On
Wipe Corporate data on perimeter breach: On

Click Next.


35. The Policy Information window is displayed for Android devices.

Configure the following settings:
Report if Location Services are disabled: On
Geofencing: On
Radius: 500 Meters
Center point latitude: 36.1214
Center point longitude: -115.1689
Warn user on perimeter breach: On
Device connects to XenMobile for policy refresh: Wipe corporate data
Delay on local wipe: 60 seconds

Click Next.

36. Apply policy to AllUsers and click Save.

37. The Geofence Policy is displayed.


38. Click Add again

39. The Add a New Policy window is displayed. Click More.

40. Under the Security column, select Samsung MDM License Key.


41. Enter Samsung SAFE in the policy name and uncheck Samsung KNOX.

Click Next.

42. Leave the default string in the ELM license key field.

Click Next and assign the policy to the AllUsers delivery group.

Click Save.

43. Click Add again


44. The Add a New Policy window is displayed. Type App Inventory in the search bar and click the Search button. Click More.

Choose App Inventory, enter App Inventory as the policy name, and uncheck all but iOS and Android in the platform section. The policy will be enabled by default for iOS and Android.

Click Next three times and assign the policy to the AllUsers delivery group.

Click Save.

45. The last policy we’re going to set up ensures that Android devices get policy updates and new apps without user interaction. On iOS this is accomplished by APNs; for Android devices we’ll set up a scheduler (interval or always connected).

Click Add again.

The Add a New Policy window is displayed. Select Scheduling and enable only the Android platform to keep connected to the XenMobile Server.


46. Enter Schedule as the policy name, disable the Symbian platform, and select Always to keep the device permanently connected.

Click Next and assign the policy to the AllUsers delivery group.

47. You should have the following policies defined by now.

48. Click the Settings tab on the green ribbon.

Navigate to More > Client > Client Properties.


49. The Client Properties are displayed.

Click the checkbox next to Enable Worx PIN Authentication, then click Edit.

50. Change the Value parameter to true and click Save.

51. Configure the remaining Client Properties with the following settings:
Enable User Password Caching: true
Encrypt secrets using Passcode: true
Worx Pin Strength Requirement: Strong
Enable FIPS Mode: true


52. After all the changes your Client Properties should look like this:

Exercise Summary

You have now configured Passcode, Credentials, and Device Restrictions policies. The root certificate is required to enable trust between WorxMail and Exchange. Check which device restrictions have been applied; not all of them can be applied at the device level without putting the device into Supervised or SAFE mode. You have also configured secure client property settings, ensuring strict security requirements have been met. Now you are ready to add categories and applications to XenMobile Server.
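The Geofence Policy settings from steps 34 and 35 of this exercise amount to a distance check against the center point, followed by the configured report, warn, and wipe actions. The Python example below is added here to illustrate that logic; it is not XenMobile code or part of the original lab guide. The class, function, and action names are hypothetical, and the GPS-accuracy allowance is an assumption added to show why a noisy fix near the perimeter should not trigger a wipe.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


@dataclass(frozen=True)
class GeofencePolicy:
    """Values from steps 34-35 of the lab; the field names are hypothetical."""
    center_lat: float = 36.1214
    center_lon: float = -115.1689
    radius_m: float = 500.0
    report_if_location_disabled: bool = True
    warn_on_breach: bool = True
    wipe_on_breach: bool = True
    wipe_delay_s: int = 60  # Android "Delay on local wipe"


@dataclass
class Decision:
    distance_m: Optional[float]               # None when no location fix exists
    actions: List[str] = field(default_factory=list)
    wipe_delay_s: Optional[int] = None        # set only when a wipe is scheduled


def _check(lat: float, lon: float) -> None:
    # Reject out-of-range (and NaN) coordinates instead of computing garbage.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"coordinate out of range: {lat}, {lon}")


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in meters between two WGS84 points."""
    _check(lat1, lon1)
    _check(lat2, lon2)
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(min(1.0, math.sqrt(a)))


def evaluate(policy: GeofencePolicy,
             fix: Optional[Tuple[float, float]],
             accuracy_m: float = 0.0) -> Decision:
    """Decide which actions a device fix triggers under the policy.

    fix is (latitude, longitude), or None when location services are off.
    accuracy_m is the reported error radius of the fix (assumption): a breach
    is declared only when the whole error circle lies outside the fence.
    """
    if fix is None:
        actions = (["report_location_services_disabled"]
                   if policy.report_if_location_disabled else [])
        return Decision(None, actions)

    distance = haversine_m(policy.center_lat, policy.center_lon, fix[0], fix[1])
    if distance - accuracy_m <= policy.radius_m:
        return Decision(distance)  # inside the perimeter: nothing to do

    decision = Decision(distance)
    if policy.warn_on_breach:
        decision.actions.append("warn_user")
    if policy.wipe_on_breach:
        decision.actions.append("wipe_corporate_data")
        decision.wipe_delay_s = policy.wipe_delay_s
    return decision


if __name__ == "__main__":
    policy = GeofencePolicy()
    # Constructed sample fixes, offset north of the lab's center point.
    samples = {
        "center": (36.1214, -115.1689),
        "about 445 m north": (36.1254, -115.1689),
        "about 1.1 km north": (36.1314, -115.1689),
        "location services off": None,
    }
    for label, fix in samples.items():
        d = evaluate(policy, fix)
        print(f"{label}: distance={d.distance_m} actions={d.actions}")
```
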


Exercise 4

Adding Categories and Applications to XenMobile Server

Overview

In this exercise students will create Categories within the XenMobile Server. Students will then add mobile, web, and SaaS applications and assign them to the appropriate category.

Step by step guidance

Estimated time to complete this lab: 25 minutes.

Step Action

1. On the green ribbon, click on the Apps tab.

2. Click Category.

3. The Categories window pops up. In the Add new category text box, enter Sales Apps and click the plus sign in the green box.


4. The Sales Apps category is added.

5. Repeat Steps 2-3 to add the following categories:

Engineering Apps, Office Apps, and Web Links.

6. The categories have been added.

Click the X on the top right corner to close the window.

7. Click Add.

8. In the Add App window, click the Web Link app type.

9. The Add Web App window is displayed. Configure the following settings:

App Name: Citrix
App description: Citrix Company site
URL: http://www.citrix.com
App is hosted in internal network: Off
App Category: Web Links

Click Next.

10. Assign to AllUsers and click Save.

11. Click Add again.

12. This time select MDX.

13. Configure the application as follows:

Name*: WorxMail
App category: Office Apps

14. Deselect the Windows Phone platform options on the left.

Click Next.

15. In the iOS MDX App window, click Upload.

Select \\AD\Software\XenMobile MDX Apps\iOS\WorxMail.mdx file.

16. The iOS MDX App details and policy options appear.

17. Scroll down to the Network Access section and configure the following:

Network access: Tunneled to the internal network

18. Scroll down to the Applications Settings section and configure the following settings:

WorxMail Exchange Server: exchange.training.lab
WorxMail user domain: training
Background network services: exchange.training.lab:443
Background network service gateway: <IP1>FQDN:443
Export Contacts: ON

Click Next.

19. In the Android MDX App window, click Upload.

Select \\AD\Software\XenMobile MDX Apps\Android\CitrixEmail.mdx file.

Note: Your IP1 FQDN is available on the portal page

Example Only: 75-126-159-219.mycitrixtraining.net

20. The Android MDX App details and policy options appear.

21. Scroll down to the Network Access section and configure the following:

Network access: Tunneled to the internal network

22. Scroll down to the Applications Settings section and configure the following settings:

WorxMail Exchange Server: exchange.training.lab
WorxMail user domain: training
Background network services: exchange.training.lab:443
Background network service gateway: <IP1>FQDN:443
Export Contacts: ON

Click Next.

23. Click Next. The Approvals window is displayed.

24. Click Next to skip the Approvals window.

25. Assign to AllUsers and click Save to save the application and its settings.

Note: Your IP1 FQDN is available on the portal page.

Example Only: 75-126-159-219.mycitrixtraining.net

26. WorxMail has been added to the App Store.

27. Repeat Steps 11-12 of this exercise to add WorxWeb.

28. Configure the application as follows:

Name: WorxWeb
App category: Office Apps

29. Deselect the Windows Phone platform option on the left.

Click Next.

30. In the iOS MDX App window, click Upload.

Select \\AD\Software\XenMobile MDX Apps\iOS\WorxWeb.mdx file.

31. The iOS MDX App details and policy options appear.

32. Scroll down to the Application Settings section and configure the following:

Preloaded bookmarks: “Citrix”,Edocs,http://support.citrix.com/proddocs
Home page URL: http://www.citrix.com
Browser UI: Read-only address bar

Click Next.

33. In the Android MDX App window, click Upload.

Select \\AD\Software\XenMobile MDX Apps\Android\CitrixBrowser.mdx file.

34. The Android MDX App details and policy options appear.

35. Scroll down to the Application Settings section and configure the following:

Preloaded bookmarks: “Citrix”,Edocs,http://support.citrix.com/proddocs
Home page URL: http://www.citrix.com
Browser UI: Read-only address bar

Click Next.

36. Click Next to skip the Approvals configuration.

37. Apply to AllUsers and click Save.

38. WorxWeb has been added to the App Store.

Note: If you are performing this lab with an iOS device, go to Step 42.

39. Navigate to Configure > Settings and expand the More node.

40. Under the Server section, click on Google Play Credentials.

41. Enter your Google credentials and device id below.

User name:

Password:

Device ID:

Note: To obtain your device id, download the Device ID application from the Google Play store.

42. Navigate to Configure -> Apps and click Add again.

43. Select Public App Store.

44. The App Information window is displayed.

Configure the following settings:

Name*: GoToMeeting
App category: Default

45. Windows Tablet and Windows Phone are disabled by default.

Click Next.

46. In the Search text box, enter GoToMeeting and click Search.

47. The Search results are displayed.

Click on GoToMeeting.

48. Scroll down and expand Worx Store Configuration.

Note: If you are performing this lab with an iOS device, uncheck the Google Play platform.

49. App ratings and Allow app comments are enabled by default.

Click Next.

50. The iPad search results are displayed.

Click GoToMeeting.

51. Scroll down and expand Worx Store Configuration.

52. Allow App ratings and Allow app comments are enabled by default.

Click Next.

53. The Search results for Google Play are displayed.

Click GoToMeeting.

54. Scroll down and expand Worx Store Configuration.

55. App ratings and Allow app comments are enabled by default.

Click Next.

56. Click Next to skip the Approvals configuration.

Apply to the AllUsers group and click Save.

57. GoToMeeting has been added from the public app store.

58. Click Add again and select Public App Store.

Name*: Citrix Receiver
App category: Default

59. Windows Tablet and Windows Phone are disabled by default.

Click Next.

Note: If you are performing this lab with an iOS device, uncheck the Google Play platform.

60. Name the application Citrix Receiver.

Click Next.

61. In the Search text box, enter Citrix Receiver and click Search.

62. The search results for iPhone are displayed.

Click on Citrix Receiver.

63. Scroll down and expand Worx Store Configuration.

64. Allow App ratings and Allow app comments are enabled by default.

Click Next.

65. The search results for iPads are displayed.

Click on Citrix Receiver.

66. Scroll down and expand Worx Store Configuration.

67. Allow App ratings and Allow app comments are enabled by default.

Click Next.

68. The search results for Google Play are displayed.

Click on Citrix Receiver.

69. Scroll down and expand Worx Store Configuration.

70. Allow App ratings and Allow app comments are enabled by default.

Click Next.

71. Click Next to skip the Approvals configuration.

Apply to the AllUsers group and click Save.

72. Citrix Receiver is added to the Enterprise App Store.

Exercise Summary

You have now added web links, MDX apps, and public store applications to XenMobile Server for your iOS or Android devices. You are now ready to add applications to delivery groups in order to control the deployment of the apps.

Exercise 5

Assigning Applications to a Delivery Group

Overview

In this exercise students will create Delivery Groups within the XenMobile Server. Students will then map Active Directory groups to those delivery groups and assign applications to the respective delivery groups.

Step by step guidance

Estimated time to complete this lab: 10 minutes.

Step Action

1. Select the Configure tab, and on the green ribbon, click Delivery Groups.

2. Click Add.

3. Name the Delivery Group Sales.

Click Next.

4. The Select User Groups window is displayed.

Type Sales in the Include user groups text box and click the Search button.

5. The Sales group is enumerated. Click the checkbox next to the Sales group.

Click Next.

6. The Policies window is displayed. Drag the App Inventory, Schedule, Root Certificate, Samsung Safe, Device Restrictions and Passcode policies to the right to assign them to the delivery group.

Leave the Geofence Policy unassigned for now.

Then click Next.

7. The Applications window is displayed.

8. Drag GoToMeeting, Citrix Receiver, WorxMail, and WorxWeb applications over to the Required Applications box. Drag the Citrix web link over to the Optional Applications box.

Click Next.

9. The Actions window is displayed.

Click Next to skip.

10. The Summary page is displayed.

Click Save.

11. The Sales delivery group is saved.

12. Click on the Sales delivery group.

13. The properties of the delivery group are displayed.

Click on Deploy.

14. Click Deploy again on the Deploy devices popup window.

15. Click the X to close the Sales delivery group properties window.

16. Repeat the steps with the same policies and apps for a new delivery group called Engineering.

17. Verify the setting of the AllUsers delivery group and make sure only the Passcode policy is set and all apps are defined as Optional Apps.

Exercise Summary

In this exercise, you added applications to the XenMobile Server. You have also created delivery groups, mapped an AD group to the delivery group, and assigned applications to the delivery group. This allows an administrator to easily assign applications to users based on their group.

Exercise 6

Configure NetScaler Gateway for Enterprise Store

Overview

In this exercise you will use the XenMobile Get Started wizard within the NetScaler Configuration Utility to configure NetScaler Gateway for an Enterprise Store. The wizard will create the virtual server, load balancing virtual server, policies, and profiles necessary to connect to the enterprise store on the XenMobile Server.

Step by step guidance

Estimated time to complete this lab: 20 minutes.

Step Action

1. With SSL Offload, the SSL session is terminated on the NetScaler. To allow the backend traffic to TCP port 80 (HTTP), we need to reconfigure the firewall of the XenMobile Server.

Switch to XenCenter, go to the console of the XenMobile Server (XMS), and log on with the following credentials:

Username: admin
Password: Citrix123

2. Enable TCP port 80 traffic to the XenMobile Server. Optionally, you can add the NetScaler Gateway SNIP to the Access white list for additional security.

-----------------------------------
Main Menu
-----------------------------------
[0] Configuration
[1] Clustering
[2] System
[3] Troubleshooting
[4] Help
[5] Log Out
-----------------------------------
Choice: [0 - 5] 0

-----------------------------------
Configuration Menu
-----------------------------------
[0] Back to Main Menu
[1] Network
[2] Firewall
[3] Database
[4] Listener Ports
-----------------------------------
Choice: [0 - 4] 2

Configure which services are enabled through the firewall.
Can optionally configure allow access white lists:
- comma separated list of hosts or networks
- e.g. 10.20.5.3, 10.20.6.0/24
- an empty value means no access restriction
- enter c as value to clear list

HTTP service
Port: 80
Enable access (y/n) [n]: y
Access white list []:

Management HTTPS service
Port: 4443
Enable access (y/n) [y]:
Access white list []:

SSH service
Port [22]: 22
Enable access (y/n) [n]:

Management API (for initial staging) HTTPS service
Port [30001]:
Enable access (y/n) [n]:

Remote support tunnel
Port [8081]:
Enable access (y/n) [n]:

Applying firewall settings ...
Writing iptables configuration...
Restarting iptables...

3. Select the Win81Client virtual machine in XenCenter.

4. In IE, open another tab and navigate to http://192.168.10.50 and log on with the following credentials:

Username: nsroot
Password: nsroot

5. In the NetScaler Gateway Configuration Utility, scroll down to the Integrate with Citrix Products section and click XenMobile.

Click Get Started.

6. Scroll down to the bottom of the window and click Continue.

7. Configure the following settings:

IP Address: 192.168.10.100
Port: 443
Virtual Server Name: XenMobileGateway

Click Continue.

8. The wildcard.mycitrixtraining.net certificate is selected by default.

Click Continue.

9. Configure the following Authentication Settings:

IP Address: 192.168.10.11
Port: 389
Base DN: dc=training,dc=lab
Service account: [email protected]
Password: Citrix123
Confirm Password: Citrix123
Server Logon Name Attribute: sAMAccountName

Click Continue.

Note: A best practice is to use a service account for the Base DN. However, for this lab environment and exercise, we are using the administrator account.

10. Configure the following MAM Controller FQDN, LB VIP Address and Port No., select HTTP communication to XenMobile Server and click Continue:

Load Balancing FQDN for MAM: IP2FQDN
Load Balancing IP address for MAM: 192.168.10.21
Port: 8443

Note: Your IP2 FQDN is available on the portal page.

Example Only: 75-126-27-196.mycitrixtraining.net

11. The wildcard.citrixtraining.lab certificate is selected by default for the load balancer SSL communication.

Click Continue.

12. Add the XenMobile Server to the load balancer and click Continue.

13. Click Load Balance Device Manager Servers.

14. The Load Balancing Virtual Server Configuration window comes up.

Configure the following settings:

IP Address*: 192.168.10.101
Name*: XenMobileMDM

Click Continue.

15. Select the existing certificate wildcard.mycitrixtraining.net and click Continue.

16. For SSL Offload we need to install the Device Certificate (CA), which can be exported from the XenMobile Server.

Open a new tab in your browser, connect to https://192.168.10.20:4443 and log in as administrator.

Navigate to Configure -> Settings -> Certificates and export the cacerts.pem.

17. Click on Export and save the file.

18. Back on the NetScaler GUI tab, choose to Install Certificate and click Browse.

Navigate to the certificate.pem file you downloaded in the previous step and select it.

Click Continue.

19. The XenMobile Server should be “known” from the first part when configuring the MAM load balancer.

If not, you may use the Add Server button and add XMS (192.168.10.20).

Click Continue.

20. You can review / edit the configuration before exiting the wizard.

Click Done.

21. NetScaler Gateway and XenMobile Server Load Balancing should be reported as “up”.

22. Navigate to NetScaler Gateway > Virtual Servers and double-click the _XM_XenMobileGateway virtual server.

23. Scroll down to the Policies section. Click on Session Policies.

24. Notice that the wizard has created all session policies and profiles.

25. Select the PL_OS_192.168.10.100 policy and click Edit > Edit Action.

26. Select the Published Applications tab and configure the following settings:

Web Interface address: Unchecked (The field should be blank)
Single Sign-on Domain: Unchecked (The field should be blank)

27. Select the Client Experience tab and configure the following settings:

Split Tunnel*: On
Clientless Access*: On
Clientless Access URL Encoding*: Clear
Single Sign-on to Web Applications: Checked

28. Scroll down and click OK to close the session profile.

29. Click Close, then click Back to close the Policy Binding window.

30. Navigate to NetScaler Gateway > Resources > Intranet Applications and click Add.

31. Enter the following Intranet Application settings:

Name*: Mobility
Mode*: Transparent
Protocol*: TCP (Accept the default)
Destination Type: IP Address and Netmask (Accept the default)
IP Address*: 192.168.10.0
Netmask: 255.255.255.0

Click Create.

32. Navigate to NetScaler Gateway > Virtual Servers and double-click the _XM_XenMobileGateway virtual server.

33. Under the Advanced section on the right, click the “+” next to Intranet Applications.

34. Scroll down to the Intranet Applications section.

Click No Intranet Application.

35. Click the “>”.

36. Click the radio button next to the Mobility intranet application.

Click OK.

37. Click Bind.

38. The Mobility intranet application is now bound to the _XM_XenMobileGateway virtual server.

Exercise Summary

In this exercise, you used the wizard to configure NetScaler Gateway to connect to an enterprise store. The wizard created the virtual server as well as the authentication and session policies. The wizard is designed to simplify configuration for the administrator so that manual configuration of the policies is avoided.

Note: A best practice is to save the running configuration after making changes. This prevents loss of configuration in the event the NetScaler is rebooted.
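
The white list syntax printed by the firewall menu in step 2, worked through as an added Python example (not part of the original lab guide and not Citrix code): it parses a white list the way the menu describes it and reports which enabled services are reachable from any source. The SNIP address 192.168.10.51 and all function names are assumptions made for this illustration, and only IP literals are handled.

```python
import ipaddress

# Firewall answers as entered in the lab transcript for step 2:
# service name -> (port, access enabled, access white list as typed).
LAB_FIREWALL = {
    "HTTP service": (80, True, ""),
    "Management HTTPS service": (4443, True, ""),
    "SSH service": (22, False, ""),
    "Management API HTTPS service": (30001, False, ""),
    "Remote support tunnel": (8081, False, ""),
}

# Constructed value: the page does not give the NetScaler SNIP address.
ASSUMED_SNIP = "192.168.10.51"


def parse_whitelist(value):
    """Parse a white list in the syntax printed by the firewall menu.

    Returns (networks, errors). An empty value, or "c" (clear list), gives
    no networks, which the menu defines as "no access restriction".
    Only IP literals are handled; host names are out of scope here.
    """
    value = value.strip()
    if value == "" or value.lower() == "c":
        return [], []
    networks, errors = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            errors.append("empty entry (stray comma)")
            continue
        try:
            # strict=True is this example's own lint: 10.20.6.5/24 is more
            # likely a typo than an intended network.
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
    return networks, errors


def is_allowed(source, whitelist):
    """Return True if `source` may reach a service guarded by `whitelist`."""
    networks, errors = parse_whitelist(whitelist)
    if errors:
        raise ValueError("; ".join(errors))
    if not networks:
        return True  # empty list: no access restriction
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in networks)


def audit(services, required_sources=None):
    """List findings for the enabled services.

    required_sources maps a service name to addresses that must still get
    through, e.g. the SNIP for the HTTP backend after SSL offload.
    """
    required_sources = required_sources or {}
    findings = []
    for name, (port, enabled, whitelist) in services.items():
        if not enabled:
            continue
        networks, errors = parse_whitelist(whitelist)
        for err in errors:
            findings.append(f"{name} (port {port}): bad white list entry: {err}")
        if errors:
            continue
        if not networks:
            findings.append(f"{name} (port {port}): open to any source")
            continue
        for src in required_sources.get(name, []):
            if not is_allowed(src, whitelist):
                findings.append(f"{name} (port {port}): {src} would be blocked")
    return findings


if __name__ == "__main__":
    print("As configured in the lab:")
    for line in audit(LAB_FIREWALL):
        print("  " + line)
    hardened = dict(LAB_FIREWALL)
    hardened["HTTP service"] = (80, True, ASSUMED_SNIP)
    print("With the SNIP on the HTTP white list:")
    for line in audit(hardened, {"HTTP service": [ASSUMED_SNIP]}):
        print("  " + line)
```

With the answers from the transcript, both the plaintext HTTP backend on port 80 and the management console on port 4443 are reported as open to any source; putting the SNIP on the HTTP white list removes the first finding.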

Exercise 7

Device Enrollment

Overview

In order for XenMobile Server to manage mobile devices, the WorxHome client must be installed and configured on the endpoint device. In this exercise, you will install WorxHome and configure the XenMobile Server IP address that the device should connect to for enrollment.

Step by step guidance

Estimated time to complete this lab: 8 minutes.

Step iOS Android

1. Download and install WorxHome from the Apple App Store.

Download and install WorxHome from the Google Play Store.

2. After installation is complete, launch the WorxHome application.

After installation is complete, launch the WorxHome application.

Note: If your device is enrolled with another MDM solution, the enrollment will fail. To continue, you must un-enroll from your existing MDM solution.

3. You are prompted for the server URL, UPN or e-mail address.

Enter the IP2 FQDN.

Your IP2 FQDN is available from the portal page.

Example Only: 75-126-27-196.mycitrixtraining.net

Tap Next.

You are prompted for the server URL, UPN or e-mail address.

Enter the IP2 FQDN.

Your IP2 FQDN is available from the portal page.

Example Only: 75-126-27-196.mycitrixtraining.net

Tap Next.

4. Tap Yes to enroll your device.

Tap Yes to enroll your device.

5. Enter the user credentials.

Username: sales1
Password: Citrix123

Tap Sign On.

You are prompted to activate the Device Administrator.

Tap Activate.

6. A browser message “Enroll Your iPhone/iPad” will appear.

Enter the user credentials.

Username: sales1

Password: Citrix123

Tap Sign On.

7. In the following steps the device will be prepared for corporate usage.

You will go through the tasks to install the following profiles:

XenMobile CA
XenMobile Profile Service
MDM Configuration

For each of these you need to confirm the installation, enter the device PIN and confirm you trust the management.

WorxHome has enrolled your device against the MDM service and will SSO to the MAM instance (Authenticating).

If using a Samsung SAFE capable device you will be asked to accept the terms and conditions and enter your current PIN code to confirm.

If your PIN code does not meet the new requirements, enter and confirm a 6-digit PIN code.

WorxHome will ask for a PIN code, which was defined as Client Properties in the XenMobile Server configuration.

Note: Your PIN cannot be consecutive numbers (e.g. 123456).

8. WorxHome has enrolled your device against the MDM service and will SSO to the MAM instance (Authenticating).

WorxHome will ask for a PIN code, which was defined as Client Properties in the XenMobile Server configuration.

Enter and confirm your 6-digit PIN code.

Click OK to install the CA certificate.

9. You need to confirm that WorxHome is allowed to use the device's location service.

If you do not have screen lock configured, you are prompted to configure your screen lock settings.

Specify a PIN in the settings.

Note: Your PIN cannot be consecutive numbers (e.g. 123456).

10. Depending on your current settings and installed apps you’ll be requested to:

Enter a passcode (passcode policy)
Confirm app install (mandatory apps)
Enter App Store password (public apps)

This is done in Settings > Security > Unknown Sources.

11. Tap on the + Worx Store icon to access the enterprise store.

Mandatory MDX Apps will be pushed automatically after you confirm.

Note: Some Android devices require you to allow installation of apps from unknown sources before WorxWeb and WorxMail can be installed.

12. You are taken to the Google Play store to install “public app store apps” such as Citrix Receiver.

Tap Install > Accept.

13. All installed applications are accessible on your springboard.

Exercise Summary

In this exercise, you have now enrolled your iOS or Android device. You also successfully pushed mobile applications to your mobile device. Only after the device is successfully enrolled can it be managed by policies on the XenMobile Server.

Note: Order of application installs may vary. You may have to log off and log in for applications to download.

Exercise 8

Verify Enrollment and Enterprise App Store

Overview

Before we work more closely with security policies, we’ll verify which policies and apps have been installed. You’ll likely find pending or failed deployments in the current setup; however, the console should reveal potential causes. Finally, review an app in your enterprise app store.

Step by step guidance

Estimated time to complete this lab: 15 minutes.

1. iOS and Android: Launch WorxHome and tap on the menu button. Here you can find information about your mobility status. Click Device Info.

2. iOS: Verify your login name (sales1) and device information (XMS Server, WorxHome Version and location).

Android: Verify your login name (sales1) and device information (XMS Server, WorxHome Version).


3. Open IE on your Windows 8 VM, connect to the XMS console at https://192.169.10.20:4443 and log in as administrator.

We’ll verify the communication and enrollment status from the XenMobile Server side.

Navigate to Manage > Devices.

Your device should appear in the list with both MDM and MAM mode shown in green.

4. Clicking on a device displays a pop-up with options to show device details or perform actions against it.

Click on Notify to send a test message to your device.

Note: The device is assigned to 2 delivery groups, which provide 4 policies and 5 applications.


5. Enter “Test message from XMS” in the message box and deselect the SMTP and SMS checkboxes.

Click on Notify.

6. Check your device for the message.


7. Switch to your XMS Console screen, click on the Secure button and use the Locate function.

8. After a short while, you should be able to see your location in the device details; click on Show more >. (To speed this up, launch WorxHome on your device.)

9. You can verify the status of the deployment in the device details. Click on your device in the device list and select Show More >


10. Click 4 Assigned Policies under the Device details section on the left.

You should quickly see whether any of the policies or apps couldn’t be deployed. Deployment errors can have various causes, and sometimes it just takes a bit more time until the deployment is finished and XMS is aware of it.

11. Deployment failures will also be visible in the device list.

As you see in the screen above, this Android device reported a deployment error. Clicking on Show more again will display the following screen:

The Samsung SAFE policy, which enables additional management capabilities, could not be deployed because this device is a Samsung device that doesn’t support the SAFE features.

12. Selecting 7 Delivery Groups typically provides more details on the deployment operation.


13. In this step, we’re going to observe the changes applied to the device during the enrollment process.

14. iOS: On your iOS device, navigate to Settings > General -> Profiles & Device Management. There should be 2 profiles: MDM Configuration and XenMobile CA.

In the MDM Configuration profile, you’ll find the restrictions and managed apps.

In the XenMobile CA profile, you’ll find details about the certificates installed.

Android: On your Android device, navigate to Settings > Security -> Device Administrator. Worx Home will be listed and checked as Device Administrator.

Navigate to Settings > Security -> Trusted Credentials -> User.

The only certificate exposed to the user is the Root.cer from the credential policy.

15. Close Settings and switch to Worx Home.

Note: Removal of the profiles will render the device unmanaged, and company access is denied. Only devices in “Supervised Mode” will restrict the user from profile removal.

Note: Disabling Worx Home as device administrator will render the device unmanaged, and company access is denied.


16. The company app store can be accessed from Worx Home by tapping on the + sign.

17. The store offers links, apps from the public App Store and MDX-enabled apps. When you added apps on the XenMobile Server console, you allowed App Store rating and reviewing in the app policy.

18. Tap on the GoToMeeting icon, rate the app and write some text in the review.


19. Switch to IE on your Windows 8 VM, connect to the XMS console at https://192.169.10.20:4443 and log in as administrator.

Navigate to Configure > Apps and click on GoToMeeting > Show more.

The deployment information shows how many times the app has been installed compared with failed or pending deployments.

Verify your rating in the Worx Store on your mobile device from the previous step.

Exercise Summary

In this exercise, you have verified the enrollment of a mobile device in your lab. The device is confirmed and operating in MDM and MAM mode. The device is able to receive notifications, either through APNS or scheduling. Common policies such as password policies were enforced.


Exercise 9

Working with Device and MDX Policies

Overview

In the previous step you verified that the XenMobile Server manages your device and that policies have been applied. This exercise will show some of the limitations of MDM and how XME closes the gap with the MDX technology. You’ll go through steps to apply tighter security policies and verify the effect for the user.

The guide assumes that your Android device isn’t SAFE capable; otherwise the MDM and/or MDX policies may be used. Due to the diversity of Android products, some steps may not work, or software might not be available for testing some advanced policies (e.g. NFC blocking).

Step by step guidance

Estimated time to complete this lab: 30 minutes.

Step Action

1. Current MDM policies configured on XMS.

Delete the Samsung SAFE Policy to ensure NFC is enabled on your device.

The Geofence policy is the only policy NOT assigned to any delivery groups yet.

2. iOS: For iOS devices, you may verify that only the passcode, root cert and app inventory policies are relevant and successfully deployed.

The device restriction policy for iOS is configured to disallow AirDrop, but this policy applies only to devices enrolled in supervised mode.

Android: For Android devices, this exercise requires a device that has NFC (Near Field Communication) hardware built in.

http://www.nfcworld.com/nfc-phones-list/ provides a list of NFC-equipped devices. Or check for this logo:


3. iOS: Verify AirDrop operation with a 2nd device if available, or ask a colleague to work together on this lab.

Android: Verify NFC operation with a 2nd device if available, or ask a colleague to work together on this lab.

4. iOS: Make sure your device has AirDrop enabled and activated in the Control Center.

Android: Make sure your device has NFC enabled and activated. Go to Settings > Wireless & Networks > More.

5. iOS: Open a picture or take a picture with your camera app and tap on the share icon.

Android: Use your favorite tool to exchange files (Beam file) or read / write to an NFC tag.

6. iOS: AirDrop is still working as expected.

Android: NFC is still working as expected.

Note: If you don’t have a second device or a colleague/student to verify that AirDrop is functional, go to Step 7.

Note: If you don’t have a second device or a colleague/student to verify that NFC is functional, go to Step 7.


7. We’ll add a new MDX app and go through some security policies to ensure data can only be shared in a controlled manner.

No data may be shared outside the policy enforced by MDX.

Switch to your XMS Console (https://192.168.10.20:4443), navigate to Configure -> Apps and add a new app by clicking on the add icon:

8. We’ll add Worx Edit to the Enterprise App Store to work with office documents in a secure sandboxed environment on the mobile device. Click MDX.

Configure Worx Edit for iOS and Android as follows:

App Name: Worx Edit
App Category: Office Apps
iOS binary: \\ad\Software\XenMobile MDX Apps\iOS\WorxEdit.mdx
Android binary: \\ad\Software\XenMobile MDX Apps\Android\WorxEdit.mdx

The policies we’re going to set aim for inbound data exchange exclusively with Worx Mail and limit the clipboard’s cut and copy functions.

Verify the following settings in the app policies:

Erase app data on lock: ON
Cut/Copy: Restricted
Paste: Unrestricted
Document Exchange (Open In): Restricted
Inbound document exchange (Open In): Restricted
Block AirDrop (iOS) / Block NFC (Android): ON

Assign Worx Edit to the Sales and Engineering groups and click Save.


9. We also want to verify the security policy of the Worx Mail application.

Click on the Edit button.

10. Change / verify that the following values are set in the policies for iOS and Android.

App Passcode: ON
This setting forces the user to enter the configured PIN when launching / switching to the app. This policy works in conjunction with the inactivity timer (default 60 Min).

Maximum offline period: 24
The app must connect to XMS for app entitlement / policy changes at least once a day.

App update grace period: 72
An app update can’t be postponed longer than 3 days.

Erase app data on lock: ON
Whenever a lock is issued, e.g. because of a lost device, app entitlement removal or Worx Home removal, all data will be deleted.

Cut and copy: Restricted
Paste: Unrestricted
Document Exchange (Open In): Restricted
Inbound document Exchange (Open In): Restricted
AirDrop / Block NFC: ON

After you’re finished with the changes, click on the Save button.


11. Open a new tab in the browser, connect to Outlook web on your Exchange server at https://exchange.training.lab/owa and log in as training\user1 with password Citrix123. Click OK to accept the time zone.

12. Create a new message and attach the citrix-secure-email-deployment-guide.pdf located at C:\.

Send to [email protected].

13. Conduct the next steps on the mobile device that is enrolled in the training lab you configured during the class.


14. Launch Worx Home and open the Worx Store. Swipe down on the screen to refresh the store if Worx Edit isn’t listed yet.

15. Install Worx Edit by tapping on the respective icon / plus sign. A confirmation for the app install will be requested from the user. The process is the same for both iOS and Android, though screens might slightly differ.


16. iOS and Android: Launch Worx Mail on your device. The Exchange server and user ID have already been populated by the configuration. Submit your password (Citrix123).

17. iOS and Android: You’ll find the message from UserOne in your inbox.


18. iOS: Open the e-mail, click on the attached PDF and try to share it with other apps (Open In). As you see, MDX won’t allow any app other than Worx Edit to handle the attachment from Worx Mail.

Android: Open the e-mail, click on the attached PDF and try to share it with other apps (Open In). Worx Edit is the only app that is allowed by the MDX policy to handle attachments from Worx Mail.

19. iOS and Android: Create a new message or reply to UserOne and add a picture you just took in your classroom.

Note: Using security groups allows creating different domains of data sharing between MDX apps.


20. iOS and Android: By default the camera is not blocked by the MDX policy.

Turn Block Camera on in the App Restriction of Worx Mail.

Terminate (“kill”) Worx Mail, sign out and sign in to Worx Home. Refresh the store and start Worx Mail again from the springboard.

Create a new message to UserOne and try to attach a picture from your camera.

The policy change does not allow camera usage while the Worx Mail app is active. The camera can still be used in other apps.

21. iOS and Android: The last MDX policies for Worx Mail we want to test are the clipboard restrictions (App Interaction).

The result of this policy is that data can be pasted into Worx Mail, but we don’t allow any data to be copied to the clipboard from Worx Mail.


22. iOS and Android: Open a web page in your mobile browser, copy some text to the clipboard and paste it into a new message to UserOne.

The text will be pasted as expected.

23. iOS: Open the message from UserOne in Worx Mail, copy the body text to the clipboard and paste it into a local Notes or Memo app.

Did you notice the missing paste function?

Android: Open the message from UserOne in Worx Mail, copy the body text to the clipboard and paste it into the local Gmail app.

You may see the paste button, but no data.

24. We have successfully implemented measures against data leakage by encrypting all data in transit and at rest, and defined communication to the datacenter and between apps.

For this setup we want to further lock down the devices to restrict installations of mobile apps and ensure the device cannot be taken outside the campus with our data.


25. In our environment we don’t allow the Skype app for security reasons.

Switch to your XMS Console (https://192.168.10.20:4443), navigate to Configure -> Device Policies and add a new policy by clicking on the add icon:

Enter App A and click on Search.

Choose App Access. Then click More and App Access again.

26. Enter the following data into the App Access Policy:

Policy Name: Blacklist Skype
Access Policy: Forbidden
App name: Skype
App identifier (iOS): com.skype.skype
App identifier (Android): com.skype.raider
Assignment (Delivery Group): Sales

Click Save to close.

The following policy has been created.

27. We’ll create a notification template, which can be used to warn users in case Skype has been detected on the managed device.

Navigate to Settings -> Notification Templates and add a new action by clicking on the add icon:


28. You can ignore the warning about the SMS / SMTP server, as we’ll use the inbound (Worx Home) messaging.

Click No, set up later to continue.

29. Enter the following data into the Notification Template:

Name: Skype Install Detected
Type: Device noncompliant of B/W app policy
Worx Home: Activated
Message: Company policy doesn't allow installations of the Skype app. Please remove Skype to avoid blocked access to corporate resources. For assistance please call Phone No. 1234

Click Activate on the Worx Home channel, then click Add to save and continue.


30. Now we’re ready to configure an Action based on the B/W App event being triggered and tell XMS to send a custom notification to the user.

Navigate to Configure -> Actions and add a new action by clicking on the add icon:

Enter the following data into the Actions:

Name: Skype Action
Trigger Type: Event
Event: The device is noncompliant with the App Access policy
Action: Send notification
Notification Template: Skype Install Detected
Timing: After 1 Min, every 5 Minutes

Assign the Action to the Sales delivery group; click Next, then Save and Deploy.

31. You can check the status by navigating to Configure -> Actions, highlighting the Skype Action and clicking on Show more >

32. If you don’t have the Skype app installed yet, please install it in order to test the policy / action we just configured.


33. Your device should play the configured sound and display the notification.

(Refresh the policy in Worx Home if necessary.)

34. Remove the Skype Action from the Sales deployment group to avoid getting the notification every 5 minutes.

35. The second device policy we’re going to apply aims to prevent any device with corporate data from leaving a certain perimeter.

We already created a geofence policy, but didn’t assign it to a delivery group. First we need to verify / define the correct location.

Navigate to Manage -> Devices, highlight your device, click on Show more -> and click on 2. Properties. Location information can be obtained here.

Copy the data into your clipboard or an empty WordPad document.

Note: In a real deployment we would probably issue a selective wipe after a grace period or deny access to corporate resources.


36. Navigate to Configure -> Policies and edit Geofence Policy.

Enter the following data:

Policy Name: Geofence Policy
Report if location Services are disabled: ON
Geofencing: ON
Radius: 500 Meters
Latitude: Enter current latitude
Longitude: Enter current longitude
Warn user on perimeter breach: ON
Wipe corporate data on perimeter breach: OFF

Assign the policy to the Sales delivery group; click Next and Save.

37. Check whether your mobile device has received the new policy.

Navigate to Manage -> Devices, highlight your device, click on Show more -> and click on 4. Assigned Policies. The Geofence Policy should appear here.

Note: If this is the last exercise you’re doing in this lab, consider turning on “Wipe corporate data on perimeter breach” to see the data being deleted from the device.


38. If the policy is listed in the Pending tab, you may refresh the policy from Worx Home -> Device Info.

39. To verify the Geofence Policy, you may either go for a walk (remember we defined a 500 meter radius) or change the geofence data (latitude / longitude).

Save and deploy the changed policy.


40. You may have to refresh the policy on your mobile device again or wait until the policy has been refreshed.

You should get a notification telling you that the device is no longer in the geofence area.
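The geofence check from steps 36 to 40, modelled as an added example (not part of the original lab guide and not XenMobile code), to help choose latitude / longitude values for step 39 that really place the device outside the 500 meter radius. The class and function names, the action strings, the sample coordinates and the rule that a device exactly on the radius counts as inside are assumptions made for illustration.

```python
import math
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in meters


@dataclass(frozen=True)
class GeofencePolicy:
    """Fields mirror the Geofence Policy table in step 36 (names are assumed)."""
    latitude: float                            # fence center, decimal degrees
    longitude: float
    radius_m: float = 500.0                    # Radius: 500 Meters
    report_if_location_disabled: bool = True   # Report if location services are disabled: ON
    warn_on_breach: bool = True                # Warn user on perimeter breach: ON
    wipe_on_breach: bool = False               # Wipe corporate data on perimeter breach: OFF


def _check(lat: float, lon: float) -> None:
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"coordinates out of range: {lat}, {lon}")


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in meters between two points given in degrees."""
    _check(lat1, lon1)
    _check(lat2, lon2)
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(min(1.0, math.sqrt(a)))


def evaluate(policy: GeofencePolicy,
             fix: Optional[Tuple[float, float]]) -> List[str]:
    """Return the actions the policy calls for, given the device's last fix.

    fix is (latitude, longitude), or None when location services are off.
    """
    if fix is None:
        return ["report_location_disabled"] if policy.report_if_location_disabled else []
    distance = haversine_m(policy.latitude, policy.longitude, fix[0], fix[1])
    if distance <= policy.radius_m:            # on the boundary counts as inside
        return []
    actions = []
    if policy.warn_on_breach:
        actions.append("warn_user")
    if policy.wipe_on_breach:
        actions.append("wipe_corporate_data")
    return actions


def shifted_for_test(policy: GeofencePolicy, margin_m: float = 100.0) -> GeofencePolicy:
    """Copy of the policy whose center is moved along the meridian so that a
    device sitting at the original center ends up radius + margin meters away."""
    if margin_m <= 0:
        raise ValueError("margin_m must be positive")
    dlat = math.degrees((policy.radius_m + margin_m) / EARTH_RADIUS_M)
    new_lat = policy.latitude + dlat
    if new_lat > 90.0:                         # too close to the north pole: go south
        new_lat = policy.latitude - dlat
    return replace(policy, latitude=new_lat)


if __name__ == "__main__":
    lab = GeofencePolicy(latitude=40.0, longitude=-75.0)   # constructed coordinates
    samples = [
        ("0.005 deg north", (40.005, -75.0)),
        ("0.005 deg east", (40.0, -74.995)),
        ("location off", None),
    ]
    for label, fix in samples:
        print(label, evaluate(lab, fix))
    moved = shifted_for_test(lab)
    print("new center:", round(moved.latitude, 6), moved.longitude,
          evaluate(moved, (40.0, -75.0)))
```

At 40 degrees latitude a 0.005 degree change in longitude moves the center only about 426 m, which stays inside the fence, while the same change in latitude (about 556 m) triggers the warning.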

Exercise Summary

In this exercise, you have applied tightened security policies for MDX apps to ensure data cannot be shared outside defined areas. Additionally, you added MDM policies to make sure unwanted apps are not tolerated on the devices and data may be wiped if the device leaves the company’s campus.


Optional Lab

PKI Integration - Certificate Based Authentication

Overview

Certificate based authentication is a key requirement for many organizations to avoid issues around password management.

In this exercise we’re going to connect the XenMobile server to a Microsoft CA PKI and configure the system to issue user certificates and deploy these during the enrollment phase.

Step by step guidance

Estimated time to complete this lab: 30 minutes.

Step Action

1. Within XenCenter, select the AD.training.lab virtual machine and click the Console tab.

Log in as training\administrator using password Citrix123.

Before we add an additional role to our AD server, we need to add the administrator to the IIS_IUSRS group.

Open Active Directory Users and Computers and add the training\administrator user to the IIS_IUSRS group.

Note: Best practice is to create a service account which has explicit rights on the CA, but no other privileges.


2. The Microsoft AD Certificate Service is already installed, but we need to add the web enrollment service to allow the XenMobile Server to remotely request user certificates.

Open Server Manager, click on Add roles and features and add the Certificate Enrollment Web Service.

3. Make the AD CS Configuration with the following data:

Credential: TRAINING\Administrator
Role Service: Certificate Enrollment Web Srvc
CA for CES: CA Name
Authentication Type: Client certificate Auth
Service Account: TRAINING\administrator
Server Certificate: AD.training.lab

Close the Server Manager once the configuration has completed.

4. On the AD server, launch mmc (Microsoft Management Console) and add the certificate Snap-in.


5. Right-click on Personal and select Request new Certificate.

6. Request a User certificate for the current user (training\administrator).

7. Export the newly created certificate and save it as c:\Software\Certificates\CertAdmin.pfx.

Include the private key in the export and use Citrix123 as the password to protect the key.


8. While still in the mmc, load the Certificate Template snap-in, right-click on the User template and select Duplicate Template.

9. Enter the following data into the copied User cert template:

Compatibility: Windows Server 2003
Template name: XMCert
Subject Name: Supply in the request
Cryptography – Key Size: 2048

Click Apply to save the data into the template.

10. Load the Certificate Authority snap-in, right-click on Certificate Template and select New -> Certificate Template to Issue.

11. Choose the XMCert template we just created from the copied User template.


12. Verify that XMCert is available in the list of templates for the CA.

13. In the Internet Information Services (IIS) Manager, configure the CertSrv web site to accept client certificates.

14. Switch to your Windows 8.1 VM and navigate to \\ad\software\certitifcates.

Double-click on the CertAdmin.pfx file.

Use all default values in the import process and save it in the keychain.


15. Open IE on the Windows 8.1 VM and navigate to https://ad.training.lab/certsrv

As you imported the CertAdmin certificate and configured IIS to allow certificate based authentication, you should see the following login screen.

16. This is the landing page of the MS CA server.

17. Select Request a certificate -> Advanced certificate request -> Submit Certificate… to verify the availability of the XMCert template.


18. Switch to your XMS Console (https://192.168.10.20:4443), navigate to Configure -> Settings -> Certificate and import the \\ad\software\certitifcates\CertAdmin.pfx certificate.

Import: Keystore
Keystore Type: PKCS#12
Use as: Server
Keystore file: CertAdmin.pfx
Password: Citrix123

If the keystore import doesn’t work (depending on build), you may try to convert it using OpenSSL. Consider copying the pfx to the NetScaler using scp and converting it by issuing:

openssl pkcs12 -in CertAdmin.pfx -out CertAdmin.pem

19. Navigate to Configure -> Settings -> Certificate Management and select PKI Entities.

20. Click on Add and select Microsoft Certificate Services Entity.

21. Enter the following data to configure the Certificate Services Entity:

Name: MS CA
Web enrollment URL: https://ad.training.lab/
certnew.cer page name: certnew.cer
certfnsh.asp: certfnsh.asp
Authentication type: Client Certificate
SSL Client Certificate: Administrator
Template (Case Sensitive): XMCert
CA Certificate: training-AD-CA


22. Click Save to continue. You should now have a PKI entity listed.

23. Navigate to Configure -> Settings -> Certificate Management and select Credential Providers.

24. Enter the following data to configure the Credential Provider:

Name: MS CA
Issuing Entity: MS CA
Issuing method: SIGN
Templates: XMCert
Key Algorithm: RSA
Key size: 2048
Signature Algorithm: SHA256
Subject name: CN=$user.username
Subject Alternate Name – UPN: $user.userprincipalname
Distribution – Issuing CA Cert: training-AD-CA
Distribution – Distribution mode: Prefer Centralized
Renewal = ON: Renew within 30 days of exp.

Click Save to continue. You should now have a Credential Provider listed.


25. Two more steps are required to leverage certificate based authentication.

On the Windows 8.1 host, open IE and connect to the NetScaler at http://192.168.10.50

Log in as:

Username: training\administrator
Password: Citrix123

26. Navigate to Configuration -> NetScaler Gateway -> Virtual Server and double-click on _XM_XenMobileGateway.

Click on No CA Certificate and the > sign to add our root certificate, which is already installed on the NetScaler.

27. Select Training_root from the list of installed certificates.

Click OK and bind to make the root certificate available to the vServer.

28. Click on the plus sign next to SSL Parameters in the right panel.


29. Enable Client Authentication and set Client Certificate to Mandatory.

30. Click Done and add the required authentication policy by clicking on the plus sign.

Select CERTIFICATE policy and choose Primary type.

Note: You may consider removing support for the SSL v3 protocol here too, due to vulnerability concerns (not needed by XME).


31. Add a new authentication policy by clicking on the plus sign.

32. Enter the following data to configure the Authentication CERT Server:

Name CertAuthPol

Server Name AD_Training

Expression ns_true

User Name Field SubjectAltName:PrincipalName

Click Create to continue.

Ensure the CertAuthPol policy has a higher priority (lower number) than the LDAP Policy.


33. Depending on the NetScaler version, the XenMobile Wizard is known to create the LDAP Policy with a priority of 0. Verify and correct if necessary.

Click on the LDAP Policy.

If priority is < 90, select Edit Binding and assign a priority of 100.


34. The last step is to configure the XenMobile Enterprise Server for user certificate delivery for authentication.

Switch to your XMS Console (https://192.168.10.20:4443) and navigate to Configure -> Settings -> NetScaler Gateway.

Enable Deliver user certificate for authentication, select MS CA as Credential provider and click the Save button.

35. This concludes the backend configuration of the PKI integration for using certificate-based authentication. Users might have to re-enroll to leverage the certificate authentication.
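The NetScaler settings made in steps 26 to 33 can be checked against an exported configuration. The following is an added example, not part of the original lab guide: the config lines are a constructed sample in NetScaler CLI style, and the LDAP policy name and all priority values in it are assumptions.

```python
import shlex

# Constructed sample; LDAP policy name and priority values are assumptions.
SAMPLE_CONFIG = """\
set ssl vserver _XM_XenMobileGateway -clientAuth ENABLED -clientCert Mandatory -ssl3 ENABLED
bind ssl vserver _XM_XenMobileGateway -certkeyName Training_root -CA
bind vpn vserver _XM_XenMobileGateway -policy LDAP_POLICY_PLACEHOLDER -priority 0
bind vpn vserver _XM_XenMobileGateway -policy CertAuthPol -priority 90
"""

def parse(config):
    """Yield (verb, kind, vserver, options) for each '<verb> <kind> vserver' line."""
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[2] != "vserver":
            continue
        opts, i = {}, 4
        while i < len(tok):
            # A flag with no value after it is a bare switch such as -CA.
            has_value = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            opts[tok[i].lower()] = tok[i + 1] if has_value else True
            i += 2 if has_value else 1
        yield tok[0], tok[1], tok[3], opts

def audit(config, vserver, cert_policy, ldap_policy):
    """Return finding codes for one vServer; an empty list means all checks pass.

    A lower priority number is evaluated first, so the certificate policy
    must carry a smaller number than the LDAP policy.
    """
    ssl, ca_bound, prio = {}, False, {}
    for verb, kind, name, opts in parse(config):
        if name != vserver:
            continue
        if (verb, kind) == ("set", "ssl"):
            ssl.update(opts)
        elif (verb, kind) == ("bind", "ssl") and opts.get("-ca") is True:
            ca_bound = True
        elif (verb, kind) == ("bind", "vpn") and "-priority" in opts:
            prio[opts.get("-policy")] = int(opts["-priority"])
    findings = []
    if not ca_bound:
        findings.append("NO_CA_CERT_BOUND")
    if (str(ssl.get("-clientauth")).upper(), str(ssl.get("-clientcert")).upper()) != ("ENABLED", "MANDATORY"):
        findings.append("CLIENT_CERT_NOT_MANDATORY")
    if str(ssl.get("-ssl3")).upper() != "DISABLED":
        findings.append("SSL3_NOT_DISABLED")
    if cert_policy not in prio:
        findings.append("CERT_POLICY_NOT_BOUND")
    elif ldap_policy in prio and prio[ldap_policy] <= prio[cert_policy]:
        findings.append("LDAP_NOT_AFTER_CERT")
    return findings
```

Run on the sample, `audit(SAMPLE_CONFIG, "_XM_XenMobileGateway", "CertAuthPol", "LDAP_POLICY_PLACEHOLDER")` reports the SSL v3 setting and the LDAP priority of 0 that step 33 tells you to correct.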

Exercise Summary

In this exercise, you enabled XenMobile Enterprise to communicate with the MS Cert Server in the lab. Together with the NetScaler Gateway, the backend system will request a user certificate from the MS Cert Server and deliver it to Worx Home during the enrollment process.

Note: CertAuth may not behave as expected on early XMS builds (Unable to enroll). Please consult e-docs for any update and supported NetScaler Gateway versions once the product is released.


Revision: 1.0

Change Description: Original Version

Updated By: Walter Hofstetter, Christopher Friend and Frank Martinez

Date: May 2015

About Citrix

Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to

work and collaborate from anywhere, securely accessing apps and data on any of the latest

devices, as easily as they would in their own office. Citrix solutions help IT and service providers

build clouds, leveraging virtualization and networking technologies to deliver high-performance,

elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop

virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations

of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world.

Citrix products are in use at more than 330,000 organizations and by over 100 million users

globally. Annual revenue in 2012 was $2.59 billion. Learn more at http://www.citrix.com.