Contents
XenMobile Deployment Guide
Purpose and Scope
XenMobile Components
Page i of 144
XenMobile Components
XenMobile consists of the following key technology components:
1. XM MDM Client and Receiver are used to enable mobile device management on the device
and to deliver XenMobile enabled applications to the end users
2. XM Device Manager incorporates mobile SSL VPN, application data traffic optimization, device
management, device data encryption and real-time device remote control to safely control
mobile IT environments
3. XM AppController integrates with Active Directory, ShareFile, Web/SaaS applications and
native mobile apps to deliver enterprise mobility features
4. Access Gateway allows secure access to enterprise resources from outside of the corporate
network and is an integral part of the XenMobile solution suite
Prerequisite:
You must download, or already have, the following files available:
1. XenMobile MDM Manager
2. XenMobile Device Manager license
3. AppController VM
4. NetScaler VM
5. APNS Certificate
6. Web Server Certificate for the XM-Device Manager, XM-AppController and NetScaler, and the root
certificate
The second approach requires the deployment of StoreFront. With StoreFront, all application
delivery services are aggregated through a single StoreFront service. In this case users will
have all their applications available through a single store; no switching is required.
Environment Details
This section is used to describe the lab environment and the virtual machines that are used.
Machine: Details
XenServer: Hosts virtual machines
Active Directory: Virtual Machine providing directory services
AppController: Virtual Machine
Access Gateway (on Netscaler VPX): Hardware providing secure remote access to CG
XenMobile Device Manager: Virtual Machine providing Mobile Device Management
Username
Password
Hostname
default is
password
https://filmdmapp.finolexind.com:4443
XM Device
Manager
default is
Administrator
Finadmin/domain
user ID
Netscaler VPX
default is nsroot
default is
nsroot
IPAddress
AD-Domain
Controller
AppController
https://mobile.finolexwater.com/zdm/login.jsp
NSIP:
SNIP
AG-VIP:
LB-VIP:
2.
Action
Download the following files to the XenMobile Device Manager
1. Download Java SE 7 JDK (JDK Download Edition) update 11 or later
http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download432124.html
3. XenMobile Device Manager installer from
http://download.citrix.com/downloads.html
4. The XenMobile Device Manager license file
5. The APNS Certificate
Open the folder where you downloaded Java 7 to
Run the jdk-7xx-windows-x64 installer
Step
3.
4.
Action
Click Next three times
Then click Continue
Click the Java icon on the task bar to display the Java FX SDK Setup window.
Click Next two times
Then click Close
Step
5.
6.
Action
Close the registration window that automatically opens.
Open the folder containing JCE-7 policy files
Copy files local_policy.jar and US_export_policy.jar
Step
7.
8.
Action
Open the folder containing XenMobile MDM installer
Run the XenMobile Device Manager installer
Click OK
Step
9.
10.
Action
Click Next
Click I Agree
Step
11.
12.
Action
Click Next
Step
13.
Action
The PostgreSQL installer is displayed
Click Next three times
Step
14.
Action
Enter the following in the PostgreSQL Service configuration window:
Account password: ctx@1234 (or the password of your choice)
Verify password: ctx@1234 (or the password of your choice)
Click Next
Click Yes to allow the installer to create an account for you
Click No when prompted to replace the password with a random password
Step
15.
Action
Enter the following in the PostgreSQL Initialize database cluster window:
Password: ctx@1234 (or the password of your choice)
Password (again): ctx@1234 (or the password of your choice)
Click Next four times using the default functions
Then click Finish
16.
Step
17.
Action
Click Open
18.
Click Next
Step
19.
Action
Enter the following in the Configure database connection window:
User name: postgres
Password: ctx@1234 (or the password of your choice)
Click Check the connection > Create > OK > Next
20.
Click Next
Step
21.
Action
Click Next
22.
Click Next
Step
23.
Action
Click Next
24.
Click Next
Step
25.
Action
Enter the following parameters:
Keystore password: ctx@1234 (or the password of your choice)
Confirm keystore password: ctx@1234 (or the password of your choice)
Click Next
Repeat this step for the next two screens
Step
26.
27.
Action
Enter the following parameters:
Keystore password: ctx@1234 (or the password of your choice)
Confirm keystore password: ctx@1234 (or the password of your choice)
IP address or FQDN: mobile.finolexwater.com
Click Next
Step
28.
29.
Action
Browse for the APNS Certificate
Click Open
Enter the Private key password: ctx@1234 (or the password of your choice)
Click Next
Step
30.
31.
Action
The Minimum Port and Maximum Port will auto-fill
Click Next
Step
32.
33.
Action
Click Finish
Step
34.
35.
Action
Wait for the installation to complete
Click Next
2.
3.
If you have the XenMobile AppController deployed select the checkbox in front of
Yes, and click Next
4.
5.
Build your base packet according to your requirements by dragging the icons from
the left to the right
6.
For example:
Passcode Policy
7.
8.
9.
10.
12.
13.
14.
15.
16.
17.
18.
19.
Optionally you can test the enrollment at this point. If no devices are enrolled click
Skip
Close the Startup Wizard by clicking on Go To Device Manager
Check Microsoft Active Directory
Click Enable
Check Microsoft Active Directory again
Click Define by default
20.
Notice that the Microsoft Active Directory connection is now Enabled and by Default
Click Close and Log Out of the XM Device Manager Console
21.
Log back into the XenMobile Device Manager console using the following:
Username: some-user@your-domain.xxx
Password: Users Domain Password
22.
Notice how this user's role limits their capabilities on the self-service portal
Log Out of the XM Device Manager Console
Action
Log on to the Device Manager at https://192.9.210.53/zdm with the following
credentials:
Username: finadmin
Password: ctx@1234
Step
2.
3.
Action
Click the Applications tab
Step
4.
5.
Action
Enter the following parameter:
URL: https://itunes.apple.com/us/app/gotomypc-remotedesktop/id417742726?mt=8
Click Go
Click Add
Step
6.
Action
Click New in the upper left hand corner
Select New external APK application
Step
7.
8.
Action
Enter the following parameters in the Add an external APK application window:
Application store: GooglePlay
URL:
https://play.google.com/store/apps/details?id=com.citrixonline.gotomypc&
hl=en
Click Go
Click Add
Step
9.
10.
Action
Click New in the upper left hand corner
Select New external APK application
Enter the following parameters in the Add an external APK application window:
Application store: GooglePlay
URL:
https://play.google.com/store/apps/details?id=com.citrix.Receiver&hl=en
Click Go
Click Add
2.
Click Browse
3.
4.
Click Import
5.
6.
7.
Click Browse
8.
9.
10.
Step
1.
Action
Click the Policies tab
Step
2.
Action
Expand iOS in the left panel
Select Configurations
Check/highlight Passcode configuration
Click Edit
3.
Step
4.
5.
Action
In the Policy tab, enter the following parameter:
Minimum length codes: 4
Click Update
In the right panel, click New Configuration > Profiles and Settings > Restrictions
Step
6.
Action
In the General tab, enter the following parameters
Identifier: Camera
Display name: Camera Restriction
Organization: Citrix (Change from ZenPrise Support)
Description: Restrict Device from Using Camera
Step
7.
Action
In the Restrictions tab, enter the following:
Allow use of camera: <uncheck>
Click Create
8.
Step
9.
Action
Check the Passcode configuration
Click Edit
Step
11.
12.
Action
Click New Configurations
Then click Samsung > Restrictions
Step
13.
14.
Action
In the Hardware controls tab, enter the following
Allow Camera: <uncheck>
Click Create
Notice how the Camera Restriction policy for Samsung devices is now available
Action
Click the Deployment tab
2.
3.
4.
5.
6.
Under Application Push -> External iOS app select your-apps and click
7.
8.
9.
Click Next
10.
11.
12.
13.
14.
15.
16.
17.
18.
Click Next
19.
20.
Click Deploy
Click Yes
7: Endpoint Configuration
Overview
This step-by-step guide will demonstrate how to configure XM MDM Client for iOS on an iPad.
Note: If the device is enrolled with another MDM solution, the enrollment will fail. To
continue, you must un-enroll from your existing MDM solution.
Action
Open the App Store on your iOS device
Search for Citrix Mobile Enroll
Tap on Citrix Mobile Enroll
Tap install
2.
3.
4.
Enter the MDM server FQDN (If NetScaler Gateway is deployed the MDM Server
FQDN is the public IP address of your NetScaler LB-VIP)
Tap Next
5.
6.
7.
Tap Install
Tap Install when prompted with the Unverified Profile Warning box
Enter your passcode
Click Done after the profile is installed.
8.
9.
10.
11.
Once the enrollment is complete you will be prompted to install the applications
you configured in your Deployment Package
8: Wiping Devices
Overview
XenMobile Device Manager allows administrators to view device specifications as well as wipe,
lock, and disable devices remotely.
Action
Log on to your XM Device Manager https://mobile.finolexwater.com/zdm
Step
2.
3.
Action
Click the Dashboard tab
You will see a new device registered under New Devices Last 24 Hours
Click the arrow corresponding to New Devices Last 24 Hours
Step
4.
Action
Under the General tab, notice the device's specifications
5.
Under the Properties tab, administrators can view the Network and Security
information about the device
6.
Under the iOS Profiles tab, administrators can view the profiles pushed onto a device
Step
7.
8.
Action
Under the Certificates tab, administrators can view the certificates on the device
Under the Deployment tab, administrators can monitor the status of packages
Step
9.
Action
Click X
You will return to the Devices tab
Make sure that the newly registered device is checked
Click Security
Then click Selective wipe
10.
Click Yes
Move back to your iPad
Watch the apps delivered from the MDM server disappear, while all personal apps
remain untouched
Step
1.
2.
Action
Within XenCenter, start the AppController VM and select the Console tab to log in to
the AppController CLI
Username: admin
Password: password
The Main Menu is displayed
Enter 0 to perform Express Setup
Step
3.
Action
Enter 1 to configure the IP Address, Subnet Mask
Configure AppController with the following:
IP Address: 192.9.210.43
Subnet Mask: 255.255.255.0 (Press enter to leave it at /24)
4.
Step
5.
6.
Action
Enter 5 to Commit Changes
Enter Y to restart AppController
Step
7.
Action
You will be presented with the following screen. First we are going to run through the
Configure wizard.
You will be prompted to change the Administrator password. Type
Current password: password
New password: New-Password
Confirm password: New-Password
Click Next
8.
Step
9.
Action
Enter the following parameters for the Active Directory configuration:
Server: 192.9.210.12 (this is the IP address of your Domain Controller)
Domain name: FINOLEXIND.COM
Service account: finadmin@finolexind.com
Password: YOUR-DOMAIN-PASSWORD
Confirm password: YOUR-DOMAIN-PASSWORD
Click Next
Step
10.
Action
Enter the following parameters for the NTP Server Configuration:
NTP server: (general best practice is to use the DC as time server)
Time Zone: (pick the appropriate time zone)
DNS suffixes: finolexind.com
Primary IP address: 192.9.210.11
Click Next
Step
11.
12.
Action
Enter the following information for your Workflow Email Settings:
Email Server: (the IP address of your mail server)
Port: 25
Email: (the from account for sending workflow emails)
This will enable workflow application request and manager authorization process.
Click Next
Step
13.
14.
Action
When the Confirm pop up is displayed, click Yes to continue
The AppController logs off when settings are saved and users/groups are retrieved
from Active Directory
15.
16.
Step
17.
Action
Click Import and then select Server (.pfx) from the Import drop-down menu
18.
19.
20.
Select the newly imported certificate, click Make Active on the right side, and
click Yes when prompted to confirm the activation
NOTE: You will be logged out. Simply log back into the AppController to continue with
the lab
2.
3.
At the bottom left hand corner of the screen, click Add role
4.
5.
Use the search box on the left side to search for Sales. Move the Sales-Group group
from Available groups to Role members using the single right arrow button. Click
Save
6.
7.
8.
Click the categories drop-down and then click + above All categories
9.
Click on Web & SaaS App in the left panel and then click the large green plus sign
10.
11.
12.
13.
Click Save
14.
15.
To upload MDX wrapped applications select either iOS MDX or Android MDX in the
left panel
Click on the
sign on the right
16.
In the Upload Mobile App Dialog browse to your MDX wrapped application
Click on Next
17.
Complete the Upload Wizard and configure the policy settings according to Company
Policy
Click Save
18.
To assign applications from the Apple App Store or Google Play, you must first fetch
the application URL from iTunes / Google Play
Within a browser, search for the application name + itunes for iOS devices or
application name + google play
19.
Most likely the first result will be the App URL you need to copy into the
AppController
20.
21.
In the AppController UI within Apps & Docs click on Public App Store in the left pane
Click on the
22.
23.
Action
Log on to the Device Manager at https://your-XMDM-IP/zdm with the following
credentials:
Username: administrator
Password: Your-Password
Step
2.
3.
Action
Click on Options in the upper right corner
In the left panel, select AppC WebService API and enter your AppController
information in the right panel. Make note of the shared key you enter here; the same
key has to be entered on the AppController.
Click Close
Step
4.
Action
Log on to the AppController WebUI at https://filmdmapp.finolexind.com:4443
Click on Settings
Click on XenMobile MDM
Click on Edit
Step
5.
Action
Enter the following information
Host: mobile.finolexwater.com
Port: 80
Shared Key: The same shared key as you configured on the MDM server
Click Save
Step
1.
2.
Action
After importing the NetScaler VM onto your Hypervisor configure the basic IP settings
from the console
From the console enter the following information for your NetScaler
NetScaler's IPv4 address: (The NetScaler management IP aka NSIP)
Netmask:
Gateway:
3.
4.
Step
5.
Action
Open Internet Explorer and navigate to http://192.9.210.45
Log in to the NetScaler Configuration Utility
Username: nsroot
Password: nsroot
Step
6.
Action
At the Wizard prompt enter the following information and click Continue when
done:
Subnet IP aka SNIP:
The SNIP is the IP address that the NetScaler uses for all internal bound
communication (See Diagram #1)
Hostname: (enter the FQDN, not the short name)
DNS server: (IP address of your DNS server)
Step
7.
Action
Upload and apply the NetScaler License
Click on Browse to upload the License file
Browse to your license file and click Upload
The NetScaler will reboot once completed
Step
8.
Action
Enable needed features
Enable Load Balancing
Enable SSL
Enable NetScaler Gateway
Expand Traffic Management
Right click on Load Balancing and click on Enable Feature
Repeat the same steps for SSL within Traffic Management
Repeat the same steps for Global Settings within NetScaler Gateway
Step
9.
Action
Import Certificate
First you must create a private key
The private key is required to install a valid certificate issued by the Certificate
Authority (CA). The certificate that you receive from the CA is valid only with the
private key used to create the CSR.
You can create two types of private keys on Access Gateway: RSA and DSA.
An RSA private key is the most commonly used private key. It provides strong
encryption and security for Access Gateway. Citrix recommends using an RSA
private key on the Access Gateway.
A DSA private key is an older type of private key. It also provides encryption and
is paired with the server certificate.
To create an RSA private key
In the configuration utility, in the navigation pane, click SSL
In the details pane, under SSL Keys, click Create RSA Key
In Key Filename, type the name of the private key or click Browse to navigate to
an existing file
In Key Size (Bits), type the size of the private key
In Key Format, select PEM or DER. Citrix recommends PEM format for the
certificate
In PEM Encoding Algorithm, select DES or DES3
In PEM Passphrase and Verify Passphrase, type the password, click Create and
then click Close
Note: To assign a passphrase, the Key Format must be PEM and you must select
the encoding algorithm
Step
10.
Action
Create a Certificate Signing Request (CSR)
In the configuration utility, in the navigation pane, click SSL
In the details pane, under SSL Certificates, click Create CSR (Certificate Signing
Request)
Select the private key created in the previous step
Complete the settings for the certificate and then click Create
Step
11.
Action
Export the previously created CSR for signing
Click on Manage Certificates / Keys / CSRs
Select Run and Trust on all Java dialogs
Select the previously generated CSR and click on Download and save the file to
your local PC
Step
12.
Action
Import the signed certificate
On NetScaler expand Traffic Management > SSL and click on Certificates
Click on Install
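Step 9 states that the certificate returned by the CA is valid only with the private key used to create the CSR; that can be confirmed offline before the certificate is installed. The script below is an added example, not part of the original guide or of Citrix tooling: it uses the standard openssl command-line tool on an admin workstation, and the file names, passphrase, subject name and stand-in CA are all constructed for the demonstration (the `-des3` option mirrors the DES3 choice in the PEM Encoding Algorithm field).

```shell
#!/bin/sh
# Added example (not from the guide): check that a CSR and the certificate the CA
# returns both carry the public key of the private key created for the gateway.
# All file names, the passphrase, the subject and the stand-in CA are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY_PASS='constructed-demo-passphrase'   # demo value only
export KEY_PASS                          # read by openssl through env:KEY_PASS

# Print the SHA-256 of the public key held in a key, CSR or certificate file.
# $1 = key|csr|cert, $2 = PEM file. Fails rather than hashing empty output.
pubkey_digest() {
  pem=$(case "$1" in
          (key)  openssl pkey -in "$2" -passin env:KEY_PASS -pubout ;;
          (csr)  openssl req  -in "$2" -noout -pubkey ;;
          (cert) openssl x509 -in "$2" -noout -pubkey ;;
          (*)    exit 2 ;;
        esac) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status: 0 = same public key, 1 = different key, 2 = a file could not be read.
same_pubkey() {
  a=$(pubkey_digest "$1" "$2") || return 2
  b=$(pubkey_digest "$3" "$4") || return 2
  [ "$a" = "$b" ]
}

# Build constructed demo material: an encrypted RSA key and its CSR (as in the
# "Create RSA Key" and "Create CSR" steps), a throwaway CA that signs the CSR,
# and a second, unrelated key to show the failure case.
make_demo_material() {
  openssl genrsa -des3 -passout env:KEY_PASS -out "$WORK/gw.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/gw.key" -passin env:KEY_PASS \
    -subj "/CN=gateway.example.test" -out "$WORK/gw.csr"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/gw.crt" 2>/dev/null
  openssl genrsa -des3 -passout env:KEY_PASS -out "$WORK/other.key" 2048 2>/dev/null
}

make_demo_material
same_pubkey key "$WORK/gw.key" csr  "$WORK/gw.csr" && echo "CSR matches gw.key"
same_pubkey key "$WORK/gw.key" cert "$WORK/gw.crt" && echo "certificate matches gw.key"
same_pubkey key "$WORK/other.key" cert "$WORK/gw.crt" \
  || echo "certificate does NOT match other.key: do not pair them"
```

Run the same comparison against the downloaded CSR and the CA's reply; a mismatch means the certificate was issued for a different key and the install will not produce a usable certificate-key pair.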
Step
13.
Action
Configure AG VIP via the Wizard
Click on NetScaler Gateway
Step
14.
Action
From the Certificate dropdown select the certificate you imported earlier
Click Continue
Step
15.
Action
Configure your LDAP settings. Select Configure New and enter the applicable
information
Click Continue
Step
16.
Action
Configure your AppController
Enter the FQDN of your AppController (xmob.finolexind.com)
Click Done
Step
17.
Action
Configure LB-VIP for access to the XMDM
Configure the Services for port 80, 443 & 8443
Expand Traffic Management > Load Balancing
Click on Services
Click on Add
Step
18.
Action
Configure the following settings
Service Name: 80
Server: The IP address of your XMDM server
Protocol: SSL_BRIDGE
Port: 80
Available Monitors: tcp (Move from the left to the right)
Step
19.
20.
Action
If your XMDM is already configured your services should show as Up
Step
21.
Action
Configure the following settings
Name: LB-SRV-80
IP Address: Enter the public reachable IP address for your LB-VIP
Protocol: SSL_BRIDGE
Port: 80
Active Services: Select Service for port 80
Step
22.
Action
If your ports are already configured to forward to the IP all services should show as
Up
Appendix:
The appendix contains additional optional exercises to deepen the hands-on experience with
the XenMobile solution.
2.
3.
4.
5.
In the Levels of manager approval field, select 1 level for approval from the
immediate manager. Selecting level 2 or 3 adds the manager's managers as
additional approvers
6.
7.
Under the Apps & Docs tab, click on Web & SaaS App in the left panel
Click the large green plus sign
8.
9.
10.
11.
12.
Privileges Categories
1. AppMngnt: Add Application, View Application Details, Modify Application
Details, Fetch Application, Sync Application, Delete Application, Reset Password,
Save User Credentials, Create User Account, Delete User Account, Disable User
Account, Enable User Account, Reconcile User Account, Unreconcile User
Account, Clear User Account password
2. UsrMgmt: Unlock User Account, Reset AD Password, View User Details, View
User Details By Filter
3. RoleMgmt: Add Role, View Role By Name, View Roles By Filter, Delete Role,
Modify Role
4. ConnectorMgmt: Add Connector, View Connector, Delete Connector, Upload
Connector Library
5. WorkFlowMgmt: Add Connector, View Connector, Delete Connector, Upload
Connector Library
6. PrivMgmt: Add Delegated Admin, Modify Delegated Admin Details, View
Delegated Admins, Delete Delegated Admin, Create DA Role, Delete DA Role,
Modify DA Role
7. ConfigMgmt: View Config Details, Modify Config Details, Add Category, Delete
Category, Import Certificate, Delete Certificate
8. MasterListMgmt: View Master User List, Modify Master User List, Save Master
Action
Step
Action
Navigate to the Win7Client console tab.
Open Internet Explorer and enter https://filmdmapp.finolexind.com:4443/admin in
the address bar. Log in using the following credentials:
User Name: Administrator
Password: ctx@1234 (or the password of your choice)
Step
Action
Expand the Delegated Administration in the left panel
Step
Action
Select Delegated Admins
Click Add in the bottom left corner. In the User List window, highlight Manager, Boss
then click Add. When prompted to add, click Yes
Step
Action
Click Delegated Admin Roles in the left panel
Click Add in the bottom left corner. In the Add Role window, enter the following:
Name: Help Desk
Description: Help Desk Support
Click Create
Step
Action
Highlight Help Desk from the Role category
Click Bind Privileges located at the bottom of the screen. In the List of Privileges
window, highlight UserMgmt then click Bind. When prompted, click Yes
Step
Action
Check Modify and Monitor. Then, click OK
Click Logout at the top right corner
Step
Action
Log back in to the admin page using the following credentials:
User Name: Administrator
Password: ctx@1234 (or the password of your choice)
Domain: <Leave as is>
View: Manager Users
Step
Action
See the management options available for Manager
Action
From the Win7Client VM console, open Internet Explorer and navigate to
http://192.9.210.45
Log in using the following credentials:
User Name: nsroot
Password: nsroot
Click Access Gateway > Policies > Session. Click the Profile tab at the top. Double-click
prof_native and click the Client Experience tab. Under Split Tunnel, select ON from
the drop-down menu
Click OK
Click Access Gateway in the left panel. Click Active user sessions
You can now monitor your session traffic and split traffic connections