Services

XenMobile 8.6 MDM and Microsoft PKI

Integration

Hands-on lab exercise guide

November 2013 Version 1.0
 Services

Table of Contents
Table of Contents............................................................................................2

Overview.........................................................................................................3

Exercise 1: Configure Microsoft Cert Services to support Client Cert

Authentication.................................................................................................7

Exercise 2: Configuring XDM to Communicate with Microsoft CA..............35

Exercise 3: Create Credential Policy in MDM Server...................................45

Exercise 4: Configure Client Access Server to accept client certificates.....55

Page 2
 Services

Overview
Citrix XenMobile is the revolutionary new way to mobilize your business. The
product offers security and compliance for IT while giving users mobile device,
app and data freedom. Users gain single-click access to all of their mobile, SaaS
and Windows apps from a unified corporate app store, including seamlessly-
integrated email, browser, data sharing and support apps.

IT gains control over mobile devices with full configuration, security,

provisioning and support capabilities. In addition, XenMobile securely delivers
Worx Mobile Apps, mobile apps built for businesses using the Worx App SDK and
found through the Worx App Gallery. With XenMobile, IT can meet their
compliance and control needs while users get the freedom to experience work
and life their way.

In this lab, you will get hands on experience with deploying the full XenMobile
Enterprise Solution.

Hands-on Training Module

This training module has the following details:

Objectiv Provide hands on experience configuring XenMobile

e Device Manager with Microsoft PKI for Client
Certificate Authentication
Provide hands on experience on how to configure
Exchange Server 2010 with Client Certificate
authentication

Audienc Primary: Citrix Technical Support

e

Page 3
 Services

Lab Environment Details

This section is used to describe the lab environment and the virtual machines
that are used.

Machine Details
Site1- 192.168.10.11 Windows Server 2008 R2 SP1. Domain
AD.training. controller for training.lab, DNS, DHCP
lab services, and license server. (Training.lab)
Site1- 192.168.10.20 XM App Controller v2.9
AppC1
Site1-DDC 192.168.10.40 XenDesktop 7 Delivery Controller
Site1- 192.168.10.15 Windows Server 2008 R2 SP1 with
Exchange Exchange 2010 installed
Site1-NS1 NSIP=192.168.1 NetScaler VPX 10.1.e. NetScaler VPX pre-
0.50 configured to provide remote access to MS
SNIP=192.168.1 Exchange and XenMobile Device Manager
0.60 8.6.
VIP =
192.168.10.100

192.168.10.101

192.168.10.102
Site1- 192.168.10.14 Windows Server 2008 R2 SP1 running
SharePoint SharePoint 2010.
Site1-SQL1 192.168.10.12 Windows Server 2008 R2 SP1 running
Microsoft SQL 2008 R2.
Site1-VDA 192.168.10.41 Windows Server 2008 R2 SP1 running as
Virtual Delivery Agent (VDA) for
XenDesktop 7.0
Site1- 192.168.10.201 Windows 7 Client machine
Win7Client
Site1-XDM1 192.168.10.30 Windows Server 2012 running XenMobile
Device Manager 8.6
Site2- 192.168.20.11 Windows Server 2008 R2 SP1. Domain
AD.training controller for training.lab, DNS, DHCP
2.lab services, and license server. (Training2.lab)
Site2-NS2 NSIP=192.168.2 NetScaler VPX 10.1.e.
0.50
SNIP=192.168.2
0.60
VIP =
192.168.20.100

Page 4
 Services

Machine Details

192.168.20.101

192.168.20.102

Page 5
 Services

Required Lab Credentials

Below is the login credentials required to connect to the workshop system and
complete the lab exercises.

Domain/Machine Username Passwor Description

d
AppController (GUI) administra passwor AppController Administrator
tor d
AppController admin passwor AppController Administrator
(XenCenter d
Console)
NetScaler VPX nsroot nsroot NetScaler Administrator
Training.lab administra Citrix12 Domain Administrator
tor 3
Training.lab user1-3 Citrix12 Domain test users
3
Training2.lab administra Citrix12 Domain Administrator
tor 3
Training2.lab user1-3 Citrix12 Domain test users
3
XenMobile Device administra Citrix12 Device Manager Administrator
Manager tor 3

Page 6
 Services

How to login to the environment

Ste Action
p
From your Browser navigate to http://ilt.citrixvirtualclassroom.com/
1.
Enter the Student Portal Session Code (provided by Instructor)
and your Business Email Address

NOTE: to select option keep session to email address when login off.
2. Click Start Lab to launch XenCenter Session

Click Add a Server

Use the XenServer IP and Password provided by the VTC portal
Click Add

Page 7
Exercise 1: Configure Microsoft Cert Services
to support Client Cert Authentication
Overview
In this exercise, students will learn how to configure Microsoft Certificate
Services to support client certificate authentication.

Step-by-step guidance
Estimated time to complete this lab: 60 minutes
Ste Action
p
1. Select the Site1-AD.training.lab virtual machine and navigate to the
Console tab.

Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert) and log in using

Username: Training\Administrator
Password: Citrix123

Exercise 1: Page 8
 Ste Action
p
2. Open Active Directory Users and Computers shortcut found on
the desktop

3. Create a new AD user

Exercise 1: Page 9
 Ste Action
p
4. Enter the following details:
First name: CertSvc
User Logon name: Certsvc

Select Next

Exercise 1: Page 10
 Ste Action
p
5. Enter the following details:

Password: Citrix123
Check Password never expires

Select Next -> Finish

Exercise 1: Page 11
 Ste Action
p
6. Make the new user CertSvc part of the Domain Admins group

Exercise 1: Page 12
 Ste Action
p
7. Confirm that both Client Cert Mapping and IIS Client Cert
Mapping are installed

8. Select Add Role Services

Exercise 1: Page 13
 Ste Action
p
9. Select Client Cert Mapping Authentication and IIS Client Cert
Mapping Authentication

Click on Next -> Install

10. Confirm that Client Cert Mapping Authentication and IIS Client
Cert Mapping Authentication roles are now installed

Exercise 1: Page 14
 Ste Action
p
11. Open IIS Manager to confirm that https has been configured
correctly:
Open IIS Manager -> Default web site -> Edit Bindings

Exercise 1: Page 15
 Ste Action
p
12. Select https -> Edit
Confirm SSL Certificate is set to ad.training.lab

13. Select Authentication Methods

Exercise 1: Page 16
 Ste Action
p
14. Enable Active Directory Client Certificate Authentication

15. To enable SSL, select CertSrv - > SSL Settings

Select Accept -> Apply

Exercise 1: Page 17
 Ste Action
p
16. Add Certificate Template MMC snap-in by launching mmc console
Select File -> Add\Remove Snap-in -> Certificate Templates ->
Add

Select OK

Exercise 1: Page 18
 Ste Action
p
17. XDM will be using a certificate to authenticate the connection to the
Microsoft Certificate authority. The Certificate used will be tied to a
user which in this case will be the CertSvc account. (This account
needs no special rights; a standard AD user is sufficient).

Select User template -> Duplicate Template

Exercise 1: Page 19
 Ste Action
p
18. Select Windows Server 2003 Enterprise

NOTE: It is important to create a Windows Server 2003 template as

XDM uses web enrollment to request certificates. 2008 templates
CANNOT be requested via web enrollment.

19. In Properties of New Template

Template display name: XDM User Template

Exercise 1: Page 20
 Ste Action
p
20. In Request Handling Tab ensure Allow private key to be
exported is unchecked

Exercise 1: Page 21
 Ste Action
p
21. In Subject Name tab, select Supply in the request. This allows
XDM to provide parameters to the certificate request. When this
option is selected, the following warning is seen:

Select OK

Exercise 1: Page 22
 Ste Action
p
22. Select the Security tab -> Add CertSvc account and grant Full
Control.

Exercise 1: Page 23
 Ste Action
p
23. Select Authenticated Users and grant them Enroll permissions

Select OK

24. Select Certificate Authority from Desktop

Exercise 1: Page 24
 Ste Action
p
25. Select Certificate Template -> New -> Certificate Template to
Issue

Exercise 1: Page 25
 Ste Action
p
26. Select XDM User Template

Select OK

27. Log of from Domain Controller

Exercise 1: Page 26
 Ste Action
p
28. The next step is to generate a user certificate for CertSvc. This can
be done on the server running the Certificate Authority which, in this
case is the Domain Controller.

Log into Site1-Ad.training.lab using the following logon details:

Username: Certsvc
Password: Citrix123

29. Launch URL https://localhost/Certsrv

Exercise 1: Page 27
 Ste Action
p
30. We will now request an user certificate which will be used to
htt authenticate XDM to the Microsoft Certificate Authority.
Select Request a certificate -> User Certificate

Exercise 1: Page 28
 Ste Action
p
31. The following Web Access Confirmation is seen:

Select Yes

Select Submit

32. The following Web Access Confirmation is seen:

Select Yes

Exercise 1: Page 29
 Ste Action
p
33. Install the certificate. This will make it available in the personal
certificate store and will allow us to open the certificate MMC plug-in
for the user and export the certificate.

Exercise 1: Page 30
 Ste Action
p
34. Add Certificates MMC snap-in by launching mmc console
Select File -> Add\Remove Snap-in -> Certificates -> Add

Choose My user account -> Finish

Select OK

Exercise 1: Page 31
 Ste Action
p
35. Select Certificates -> Personal -> Certificates

36. Select Certificate Service -> All Tasks -> Export

37. Select Yes, export the private key

Exercise 1: Page 32
 Ste Action
p
38. Check:
Include all certificates in the certificate path if possible
Export all extended properties

Click on Next
39. Type a password to protect the Private key
Password: Citrix123

Select Next

Exercise 1: Page 33
 Ste Action
p
40. Specify the file path where to save the certificate:
File name: c:\certs\Certsvc.pfx

Select Finish

Exercise 1: Page 34
 Ste Action
p
41. To test and confirm that Client certificate Authentication is
configured correctly, we need to temporarily disabling integrated
windows authentication.

Launch Internet Explorer -> Internet options -> Advanced ->

Security
Uncheck Enable Integrated Windows Authentication

Select Apply -> OK

Close Internet Explorer and reopen it

Exercise 1: Page 35
 Ste Action
p
42. In a browser, enter the following URL:
https://ad.training.lab/Certsrv
You should be prompted with a certificate as per below:

NOTE: It is very important to have this part working properly. Do not

proceed further until this is working as if it does not prompt you for a
certificate, then something is not configured correctly and XDM will
not be able to authenticate.

END OF EXERCISE

Exercise 1: Page 36
Summary
Key The key takeaways for this exercise are:
Takeaway Configure Microsoft Certificate services to support Client
s certificate authentication

Exercise 1: Page 37
Exercise 2: Configuring XDM to Communicate
with Microsoft CA
Overview
In this exercise you will learn how to configure XenMobile MDM server to
communicate with the Microsoft Certificate Authority and check out client
certificates.

Step-by-step guidance
Estimated time to complete this lab: 20 minutes
Ste Action
p
1. Select the Site1-Win7Client virtual machine and navigate to the
Console tab.

Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert) and log in using

Username: Training\Administrator
Password: Citrix123

Exercise 2: Page 38
 Ste Action
p
2. Launch URL https://xdm1.training.lab/zdm and use the following
credentials:
User name: training\administrator
Password: Citrix123

3. Select Options -> PKI -> Server certificates -> Upload a

certificate

Exercise 2: Page 39
 Ste Action
p
4. In this section we will import the PFX file we just created for user
Certsvc. This is simply a user certificate for a user that has
permission to generate certificates based on the mobility certificate
we plan to issue to the device. XDM authenticates itself to the CA
with this user certificate.

Certificate type: select Keystore

Keystore type: select PKCS#12
Keystore file: \\ad.training.lab\c$\certs\Certsvc.pfx
Password: Citrix123

Click Upload

Exercise 2: Page 40
 Ste Action
p
5. Select Entities -> New -> New MS CertSrv entity

6. Use the following details:

Entity name: MS CA
Service root URL: https://ad.training.lab/certsrv/
certnew.cer page name: certnew.cer
certfnsh.asp page name: certfnsh.asp
Authentication type: Client certificate
SSL client certificate: <This is the user cert you imported in the
previous step>

Exercise 2: Page 41
 Ste Action
p
7. Select the Template tab -> New template
Here we will specify the User template we created in exercise . This
will allow XDM to know which certificate template is available for use
in this CA.

Template name: XDMUserTemplate

8. Select CA Certificates tab -> Add -> <Select imported certificate>

Click Add -> Create

Exercise 2: Page 42
 Ste Action
p
9. Select Credential providers tab -> New credential provider
Use the following details:
Credential provider name: MS CA Provider
Description: CA Provider
Issuing entity: MS CA
Issuing method: SIGN
Template: XDM User template

Exercise 2: Page 43
 Ste Action
p
10. Select CSR tab and use the details below:

Key algorithm: RSA

Key Size: 2048
Signature algorithm: SHA1withRSA
Subject name: cn=$user.username
Subject alternative names:-
Select New alternative name -> select User Principal Name ->
Value: $user.userprincipalname

NOTE: Alternative names are used by an Exchange server to

determine if this certificate authentication has rights to a given
users mailbox where UPN is used to determine this.

Exercise 2: Page 44
 Ste Action
p
11. Select Distribution Tab and use the following details:
Issuer: <Select the issuing CA certificate we added in PKI
Entity>
Distribution mode: Prefer centralised

Exercise 2: Page 45
 Ste Action
p
12. Select Renewal Tab -> Check Renew certificates when they
expire

Select Add
END OF EXERCISE

Exercise 2: Page 46
Summary
Key
In this exercise, you learnt how to configure XenMobile MDM
Takeaway
server to communicate with the Microsoft Certificate Authority
s
and check out client certificates.

Exercise 2: Page 47
Exercise 3: Create Credential Policy in MDM Server

Overview
In this exercise, students will learn how to create a credential policy on the
MDM server which will be included in a deployment package and pushed down
to the devices.

Step-by-step guidance
Estimated time to complete this lab: 20 minutes
Ste Action
p
1. Select the Site1-Win7Client virtual machine and navigate to the
Console tab.

Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert) and log in using

Username: Training\Administrator
Password: Citrix123

Page 48
Ste Action
p
2. Launch URL https://xdm1.training.lab/zdm and use the following
credentials:
User name: Administrator
Password: Citrix123

3. For iOS devices, follow steps 4 6

For Android devices, follow steps 7 8
4. For iOS devices:
Select Policies Tab -> iOS -> Configurations -> Credentials

Page 49
Ste Action
p
5. Select General tab and use the following details:

Identifier: MS Credentials
Display name: MS Credentials
Organisation: Citrix Readiness
Description: MS Credentials

6. Select Credential tab and use the following details:

Credential type: Credential provider

Credential provider: MS CA provider

Select Create

Page 50
Ste Action
p
7. For Android devices:
Select Policies Tab -> Android -> Configurations -> General ->
Credentials

8. Use the following details:

Credential name: MS Credentials
Description: MS Credentials
Credential type: Credential provider
Credentials provider: MS CA Provider

Select Add

Page 51
Ste Action
p
9. Select Deployment tab -> Training Package - iOS -> Edit

10. Select Resources and add MS Credentials

Select Finish

Page 52
Ste Action
p
11. Select Deployment tab -> Training Package - Android -> Edit

12. Select Resources and add MS Credentials

13. Re-enroll your device using the MDM server FQDN (your Extra IP2
FQDN)
Example: 173-192-86-182.mycitrixtraining.net

Page 53
Ste Action
p
14. Use the following credentials:
Username: training\user2
Password: Citrix123

15. Once the device is enrolled, you can confirm that deployment
package has been deployed successfully by:

Select device -> Edit - > Deployment tab

Page 54
Ste Action
p
16. View the MDM server logs by:
Launch URL: https://xdm1.training.lab/zdm/helper.jsp
Select Tools -> Logs -> ZDMLOGFILE -> *

Page 55
Ste Action
p
17. Within the ZDM.log file, you will see the following information:

2013-11-13 06:43:17,522 [http-nio-443-exec-11] INFO

com.sparus.nps.macro [UID=43,usr=user2@training.lab,dev=14] -
Property 'webeas-url' resolved to: https://75-126-86-
235.mycitrixtraining.net:8443/zdm/eas/456e49506dfc969a
2013-11-13 06:43:18,380 [http-nio-443-exec-7] INFO
com.sparus.nps.macro [UID=43,usr=user2@training.lab,dev=14] -
Property 'user.username' resolved to: user2
2013-11-13 06:43:18,380 [http-nio-443-exec-7] INFO
com.sparus.nps.macro [UID=43,usr=user2@training.lab,dev=14] -
Property 'user.userprincipalname' resolved to: user2@training.lab
2013-11-13 06:43:19,160 [http-nio-443-exec-7] INFO
com.zenprise.zdm.enroll.mgmt.EnrollmentManager
[UID=43,usr=user2@training.lab,dev=14] - Adding PAYLOAD/MS
Credentials.credential2 certificate
(serial=191773687551998944083999) to enrollment
EnrollmentImpl{activationDate=2013-11-13 06:43:00.173, id=17,
status=ACTIVE, username='user2@training.lab', device={id:"14",
serialNumber:"DMPHM2PZDJ8T", imei:"null",
activeSyncId:"ApplDMPHM2PZDJ8T", osFamily:"iOS",
strongId:"Q0QUYNFP", Last user name:"user2@training.lab
"user2""}}
2013-11-13 06:45:33,695 [pool-2-thread-1] INFO
com.zenprise.zdm.pki.ocsp.OcspResponderService

END OF EXERCISE

Page 56
Summary
Key The key takeaways for this exercise are:
Takeaway How to integrate configure and deliver Client Certificates to mobile
s devices (e.g. iOS and Android)

Page 57
Exercise 4: Configure Client Access Server to accept client certificates

Overview
In this exercise, you will learn how to configure Microsoft Exchange client
access server to accept client certificates as well as create an ActiveSync policy
within the MDM server.

Step-by-step guidance
Estimated time to complete this lab: 20 minutes
Ste Action
p
1. Select the Site1-Exchange virtual machine and navigate to the
Console tab.

Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert) and log in using

Username: Training\Administrator
Password: Citrix123

Exercise Page 58
 Ste Action
p
2. Open Exchange Management Console shortcut found on the
desktop

3. First, we need to replace the SSL certificate in order to allow mobile

devices make a full SSL connection with Exchange Server. Right now,
NetScaler is configured to terminate the SSL connection which will
cause the Client Certificate not to be passed to Exchange.

Select Microsoft Exchange On-Premises -> Server Configuration

4. Select the first certificate and click Assign Services to Certificate

Exercise Page 59
 Ste Action
p
5. Click Next

6. Select Internet Information Services

Click Next > Assign

Exercise Page 60
 Ste Action
p
7. Verify everything is OK.

Click Finish
8. Select Microsoft Exchange On-Premises -> Server Configuration
-> Client Access

Select Exchange Active Sync tab -> Microsoft-Server-ActiveSync

-> Properties

Exercise Page 61
 Ste Action
p
9. Select Authentication tab -> Accept client certificates

Select Apply -> OK

10. Confirm that both Client Cert Mapping and IIS Client Cert
Mapping are installed in Server Manager

Exercise Page 62
 Ste Action
p
11. Select Add Role Services

12. Select Client Cert Mapping Authentication and IIS Client Cert
Mapping Authentication

Click on Next -> Install

Exercise Page 63
 Ste Action
p
13. Confirm that Client Cert Mapping Authentication and IIS Client
Cert Mapping Authentication roles are now installed
14. Open IIS Manager and select Authentication Methods

Enable Active Directory Client Certificate Authentication

15. Navigate to Microsoft-Server-ActiveSync (EX1 -> Sites -> Default

Web site)

Click SSL Settings -> ensure SSL Settings are set to Accept

Exercise Page 64
 Ste Action
p
16. Ensure Windows Authentication is enabled by selecting
Authentication -> Open Feature

17. Enable Windows Authentication

Exercise Page 65
 Ste Action
p
18. Open Configuration Editor

Exercise Page 66
 Ste Action
p
19. Select system.webServer -> Security -> authentication ->
ClientCertificateMappingAuthentication

20. Select enabled and set it to True

Select Apply
21. Close IIS Manager console

22. Next, we need to re-create the Load Balancing configuration on

NetScaler so we can verify client certificate authentication on
Exchange Server. We need to ensure the SSL connection made from
the mobile device is not terminated by NetScaler.

Exercise Page 67
 Ste Action
p
23. Select the Site1-Win7Client virtual machine and navigate to the
Console tab.

Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert) and log in using

Username: Training\Administrator
Password: Citrix123

24. First, lets recreate the Load Balance virtual server of NetScaler for
Exchange connections.

On the desktop, open the folder NS-Configs

Were going to replace the existing configuration on NetScaler from

SSL Offload to SSL Bridge for Exchange server.

Exercise Page 68
 Ste Action
p
25. Leave the folder open and launch WinSCP.

26. Select Site1-NS1 and click Login

27. On the left pane, drag-and-drop the SSL Bridge ns.conf file to the
right pane. Click Yes to overwrite the file.

28. Next, launch PuTTY

29. Double-click on Site1-NS1 to connect via SSH to the NetScaler.

Enter the credentials: nsroot/nsroot

Exercise Page 69
 Ste Action
p
30. Type the following command:

>reboot warm

Hit Enter and enter Y

31. Wait 1-2 minutes for NetScaler to reboot. You want watch the
progress in the XenCenter console.

Exercise Page 70
 Ste Action
p
32. To verify if everything is working as expected, outside from the lab
environment, open Internet Explorer browser and connect to
https://ExtraIP1.mycitrixtraining.net/owa (Note: ExtraIP1 is
available on the ILT page. Ensure to replace the periods between
octets to dashes (-).

Exercise Page 71
 Ste Action
p
33. Next, were going to configure the MDM policy to configure Exchange
with Client Certificate Auth against Exchange Server.

Launch URL https://xdm1.training.lab/zdm and use the following

credentials:
User name: Administrator
Password: Citrix123

34. For iOS devices:

Select Policies Tab -> iOS -> Configurations -> Exchange
ActiveSync

Exercise Page 72
 Ste Action
p
35. Select General tab and use the following details:

Identifier: MS Exchange Credentials

Display name: MS Exchange Credentials
Organization: Citrix Readiness
Description: MS Exchange Credentials

Exercise Page 73
 Ste Action
p
36. Select Exchange ActiveSync tab and use the following details:

Exchange ActiveSync account name: Training Exchange

Exchange ActiveSync host: <extra-IP1>.mycitrixtraining.net
Example: 173-192-86-
182.mycitrixtraining.net
Domain: training.lab
User: $user.username
Email address: $user.mail
Password:
Identity credential: MS Credentials

Select Create

Exercise Page 74
 Ste Action
p
37. Next, create a Credentials policy to push the Root CA for Training.lab
for iOS devices in order to trust the Client Certificate delivered by
MDM.

Go to iOS > Configurations > New Configuration > Profiles and

Settings > Credentials

38. Enter the following parameters:

Identifier: Root Training

Display name: Root Training
Organization: Citrix Support
Description: Root CA Training

Exercise Page 75
 Ste Action
p
39. Go to Credential tab and enter the Credential Name as Root CA
Training.

Click Choose File and navigate to \\ad\Software\Certs. Select Root-

CA TrainingLab.cer

Click Create
40. Select Deployment tab -> Training Package - iOS -> Edit

Exercise Page 76
 Ste Action
p
41. Select Resources and add MS Exchange Credentials and Root
Training

Select Finish
42. If you are not enrolled, re-enroll to XDM. Otherwise, redeploy the
package by:

Select device -> Deploy -> Yes

Exercise Page 77
 Ste Action
p
43. Once the package has been redeployed, you can confirm that the
additional policy has been deployed successfully by:

Select device -> Edit - > Deployment tab

44. Unfortunately for Android devices using TouchDown is not possible to

use client certificate authentication delivered by XenMobile Device
Manager. This is because the client certificate is sandboxed by Worx
Home and TouchDown will not be able to access it.

Were going to configure the Root CA for later use with WorxMail on
XenMobile App and Enterprise Edition exercises.

Next, create an Android credential policy to push the Root CA for

Training.lab.

Exercise Page 78
 Ste Action
p
45. Enter the following parameters:

Credential Name: Root Training

Description: Root CA Training.lab
Credential type: (leave default settings)
Choose File: select Root-CA-TrainingLab.cer from
\\ad\software\certs folder

Click Add
46. Select Deployment tab -> Training Package - Android -> Edit

Exercise Page 79
 Ste Action
p
47. Select Resources and add Exchange ActiveSync and Root
Training

Select Finish
48. If you are not enrolled to XDM, please enroll to test. Otherwise, go to
the Devices tab and click Deploy to the Android device.
49. View the MDM server logs by:
Launch URL: https://xdm1.training.lab/helper.jsp
Select Tools -> Logs -> ZDMLOGFILE -> *

Exercise Page 80
 Ste Action
p
50. Within the ZDM.log file, you will see the following information:

2013-11-13 07:19:03,504 [http-nio-443-exec-2] INFO

com.sparus.nps.macro [UID=49,usr=user3@training.lab,dev=16] -
Property 'user.username' resolved to: user3
2013-11-13 07:19:03,504 [http-nio-443-exec-2] INFO
com.sparus.nps.macro [UID=49,usr=user3@training.lab,dev=16] -
Property 'user.userprincipalname' resolved to: user3@training.lab
2013-11-13 07:19:03,926 [http-nio-443-exec-2] INFO
com.zenprise.zdm.enroll.mgmt.EnrollmentManager
[UID=49,usr=user3@training.lab,dev=16] - Adding PAYLOAD/MS
Exchange Credentials.identity certificate
(serial=192377393956148052230177) to enrollment
EnrollmentImpl{activationDate=2013-11-13 07:18:44.113, id=19,
status=ACTIVE, username='user3@training.lab', device={id:"16",
serialNumber:"DMPHM2PZDJ8T", imei:"null",
activeSyncId:"ApplDMPHM2PZDJ8T", osFamily:"iOS",
strongId:"6KPBQB60", Last user name:"user3@training.lab
"user3""}}
2013-11-13 07:19:03,941 [http-nio-443-exec-2] INFO
com.sparus.nps.macro [UID=49,usr=user3@training.lab,dev=16] -
Property 'user.username' resolved to: user3
2013-11-13 07:19:03,941 [http-nio-443-exec-2] INFO
com.sparus.nps.macro [UID=49,usr=user3@training.lab,dev=16] -
Property 'user.mail' resolved to: user3@training.lab

51. The user should not be prompted for any password as we are now
using the client certificate for authentication
52. Before moving forward with other lab exercises, please revert the
changes on the NetScaler back to SSL Offload by replacing the
ns.conf file. Refer to steps 23-31.
END OF EXERCISE

Exercise Page 81
Summary
Key The key takeaways for this exercise are:
Takeaway Configure Microsoft Exchange CAS to accept Client
s Certificates
Create an ActiveSync policy on MDM server and include it
in a deployment package.

Exercise Page 82
Revision History
Revisi Change Description Updated By Date
on
1.0 Original Version Karen 11/13/2013
Sciberras
1.1 Fixed typos and added the SSL Adolfo 11/25/13
Bridge for Exchange Montoya
1.2 Fixed typos and removed Android Adolfo 12/2/2013
Exchange Profile for MDM and Montoya
TouchDown.

Page 83