XenMobile 8.

6 App Edition
Mobile Application Management

Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford

Lead Support Readiness Specialist
November, 2013
 Objectives

At the end of this course, you will be able to :

Module 1: Deploy WorxMail 1.3

Configure and test some of the new WorxMail 1.3 features on iOS or Android devices
Module 2: Deploy WorxWeb 1.3
Configure and verify ability to create blacklist/whitelist of URLs
Configure and verify ability to set a Homepage for WorxWeb
Module 3: Deploy Native iOS (.IPA) or Android (.APK) apps
Configure and verify ability to upload .IPA or .APK files to XenMobile App Controller
Verify mobile users can access and download native apps from XenMobile App
Controller

3 2013 Citrix | Confidential Do Not Distribute

 Objectives

Module 4: Deploy Public Stores apps to iOS and Android devices

Configure and verify ability to publish iOS free and paid apps available from the App
Store
Configure and verify ability to publish Android free and paid apps available from the
Google Play
Module 5: Deploy XenMobile App Controller in a Multi-Windows
Domain Environment
Configure XenMobile App Controller to authenticate users from two independent
Windows domains
Configure and test NetScaler Gateway 10.1.e to allow remote users access
resources from either domain

4 2013 Citrix | Confidential Do Not Distribute

 Objectives

Module 6: Deploy XenMobile App Controller with Multiple NetScaler

Gateways
Configure and test XenMobile App Controller with multiple NetScaler Gateways (2)
to allow remote users access resources from either Gateway

5 2013 Citrix | Confidential Do Not Distribute

 Assessment

There would be an assessment at the end of the course, covering the following
modules:

Module 1: Deploy WorxMail 1.3

Module 2: Deploy WorxWeb 1.3
Module 3: Deploy Native iOS (.IPA) or Android (.APK) apps
Module 4: Deploy Public Stores apps to iOS and Android devices
Module 5: Deploy XenMobile App Controller in a Multi-Windows Domain
Environment
Module 6: Deploy XenMobile App Controller with Multiple NetScaler Gateways

6 2013 Citrix | Confidential Do Not Distribute

Module 1:
Deploy WorxMail 1.3
What is WorxMail?

ActiveSync email client for iOS/Android

Mail, calendar, contacts
Enterprise class security
Beautiful native experience
Full inter-app integration
MDX-secured
Secure email body and attachment
Open in control to provide data leak
protection
No Exchange server exposure to internet
Send email with ShareFile attachments
Integrated calendars and Exchange GAL

2013 Citrix | Confidential Do Not Distribute

ActiveSync Policy Support

Control Sync settings for WorxMail

Limit email size
Allow Direct Push when roaming
Allow attachments to be downloaded
Allow HTML-formatted emails
Define maximum attachment size

2013 Citrix | Confidential Do Not Distribute

Fast Join and Fast Dial

Join GoToMeeting sessions right

from WorxMail
Dial-in right from the event details
Running late option to quickly
notify attendees via email

2013 Citrix | Confidential Do Not Distribute

Fast Join and Fast Dial

2013 Citrix | Confidential Do Not Distribute

Out of Office

Out of Office option

Configure time period
Configure
inside/outside my
organization

2013 Citrix | Confidential Do Not Distribute

Secure Photo Sharing From WorxMail

2013 Citrix | Confidential Do Not Distribute

Info Rights Management Android WorxMail

2013 Citrix | Confidential Do Not Distribute

Module 2:
Deploy WorxWeb 1.3
WorxWeb

iOS and Android device intranet web

browsing
o Easy access to SharePoint, Intranet Portal etc

Similar look/ feel as native browser

Secure browser
o Safari on iOS; Chrome on Android
Internal web app access
Full inter-app integration Single sign-on via NetScaler
Consumer experience o Respond to HTTP 401
MDX-secured

2013 Citrix | Confidential Do Not Distribute

Secure Mobile Web Browser

Full-featured consumer-like
browser
Secure access to internal,
external and HTML5 web apps
URL whitelisting and blacklisting
Access to enterprise resources
with a Micro VPN

2013 Citrix | Confidential Do Not Distribute

Whats New in 1.3 ?

iOS 7 Support
New policies support
Homepage
Hide function (URL, Toolbar, etc)
Web links filtering

2013 Citrix | Confidential Do Not Distribute

 2013 Citrix | Confidential Do Not Distribute
Module 3:
Deploy Native iOS (.IPA) or Android (.APK) apps
.IPA and .APK file support

Support to publish both .ipa and .apk applications

2013 Citrix | Confidential Do Not Distribute

.IPA and .APK file support

Support to publish both .ipa and .apk applications

Applications are not in .mdx format, no policies are applied
Only details tab available in edit properties of application
Cannot be included as part of a workflow

2013 Citrix | Confidential Do Not Distribute

.IPA and .APK file support

Support to publish both .ipa and .apk applications

Applications are not in .mdx format, no policies are applied
Only details tab available in edit properties of application
Cannot be included as part of a workflow
No distinction between .ipa/.apk files and .mdx files in Apps/Docs view

2013 Citrix | Confidential Do Not Distribute

.IPA and .APK file support

Support to publish both .ipa and .apk applications

Applications are not in .mdx format, no policies are applied
Only details tab available in edit properties of application
Cannot be included as part of a workflow
No distinction between .ipa/.apk files and .mdx files in Apps/Docs view
Available as part of Worx store

2013 Citrix | Confidential Do Not Distribute

Module 4:
Deploy Public Stores apps to iOS and Android
devices
 Features

Publish iOS apps from App Store

FREE apps
Paid apps
Publish Android apps from Google Play store
FREE apps
Paid apps

28 2013 Citrix | Confidential Do Not Distribute

 Public Store iOS and Android apps

29 2013 Citrix | Confidential Do Not Distribute

 Public Store iOS apps

Publish iOS App Store links on XM

App Controller
XM App Controller will
automatically determine if app is
free or paid
XM App Controller downloads
App name
Description
Icon

30 2013 Citrix | Confidential Do Not Distribute

 Public Store iOS apps

Publish iOS App Store links on XM

App Controller
XM App Controller will
automatically determine if app is
free or paid
XM App Controller downloads
App name
Description
Icon

31 2013 Citrix | Confidential Do Not Distribute

 Public Store Android apps

Publish Android apps links from

Google Play store on XM App
Controller
XM App Controller will not
automatically determine if app is
free or paid
IT Admin needs to enter app info
App name
Description
Paid or free
Image (icon)

32 2013 Citrix | Confidential Do Not Distribute

Module 5:
Deploy XenMobile App Controller in a Multi-
Windows Domain Environment
Multiple Domain Support

First domain specified in initial configuration is default domain

Default domain cannot be deleted
The domains may belong to different forests
As long as service account can access base DN
In forest deployment each domain will need to specified as separate instance
Internal relationship between domains will not be considered
Trusts between domains will not be considered
Nested groups will not be supported
Only users in specified group will be included in role
Users in a group within a specified group will not be included in role

2013 Citrix | Confidential Do Not Distribute

App Controller Configuration

Modify Domain setting

Configuration data can be edited by Administrator
Changes to user/group DN will require AppC to re-sync
No further configuration changes can be completed during a re-sync

2013 Citrix | Confidential Do Not Distribute

App Controller Configuration

Modify Domain setting

Configuration data can be edited by Administrator
Changes to user/group DN will require AppC to re-sync
No further configuration changes can be completed during a re-sync
When multiple domains are configured on AppC
Direct login only allowed for default domain users
All other domain authentication only supported through NetScaler Gateway
Group membership across domains
Global or Universal groups are not supported

2013 Citrix | Confidential Do Not Distribute

Master User List

Master user list may be used to confirm that the additional domains
synchronized correctly

2013 Citrix | Confidential Do Not Distribute

NetScaler Gateway Configuration

To support authentication from multiple domains, users need to gain access

through NetScaler Gateway
Add LDAP policy for each additional domain to Authentication tab within
Enterprise gateway configuration

2013 Citrix | Confidential Do Not Distribute

NetScaler Gateway Configuration

To support authentication from multiple domains, users need to gain access

through NetScaler Gateway
Add LDAP policy for each additional domain to Authentication tab within
Enterprise gateway configuration
Same priority can be given to all the LDAP policies configured
Within each LDAP policy, Server Logon Name is configured to
UserPrincipalName

2013 Citrix | Confidential Do Not Distribute

Module 6:
Deploy XenMobile App Controller with Multiple
NetScaler Gateways
Problem with XenMobile 8.5

For XenDesktop deployment in multiple sites, one NSG is

involved in each site
App Controller supported only a single NSG to be configured
App Controller needs to handle when all the NSGs use the
same FQDN in GSLB case

2013 Citrix | Confidential Do Not Distribute

How it worked previously
AppController 2.8 and lower

Enable
Callback URL
Gateway in front of AppC

Logon type
External URL Domain only
VIP on the NetScaler Security token only
Domain & Security token

2013 Citrix | Confidential Do Not Distribute

Approach

ControlPoint allows multiple NSGs to be configured

Each NSG has its own configurations
FQDN (for Account Service Record)
Callback URL (for AGESSO)
App Controller AuthService uses two headers to reach back to the right NSG
X-Citrix-Via (indicating NSG FQDN)
X-Citrix-Via-VIP (indicating NSG VIP)

2013 Citrix | Confidential Do Not Distribute

Multi-NSG
AGESSO Callback

NetScaler GW 1
X-Citrix-Via: NSG1_FQDN
X-Citrix-Via-VIP: NSG1_VIP

X-Citrix-Via: NSG2_FQDN
X-Citrix-Via-VIP: NSG2_VIP

NetScaler GW 2
X-Citrix-Via: NSG3_FQDN
X-Citrix-Via-VIP: NSG3_VIP AppControll
er

NetScaler GW 3

2013 Citrix | Confidential Do Not Distribute

Detail
ControlPoint
NSG configuration table where each row represents one NSG
For GSLB NSGs, only a single row is configured
Otherwise there could be multiple rows
AuthService
If X-Citrix-Via-VIP header is present in the request
Use X-Citrix-Via value as the SSL endpoint (for certificate validation against FQDN)
Use X-Citrix-Via-VIP as TCP endpoint
If X-Citrix-Via-VIP header is not present
Use current behaviour by doing callback to X-Citrix-Via value
If there is a static host entry for that NSG FQDN, use it instead of doing DNS lookup
(OPTIONAL but requested by customers)

2013 Citrix | Confidential Do Not Distribute

Multiple Callback URLs

Each NetScaler Gateway will support

multiple callback URLs (compared to
before, it supported only one)
Can have zero, one, or many callback
URLs for each NetScaler Gateway
When there are one or more callback
URLs defined, AppController will
choose the first URL on the list and
failover to the next only if the first try
times out and so on

2013 Citrix | Confidential Do Not Distribute

Piggy Back Features

Internal Beacon configuration

Currently App Controller uses its own FQDN as the internal beacon and it is not
modifiable
Making this field modifiable makes it easier to enforce clients to always go through
NSG
(Optional) External Beacon configuration
Currently App Controller uses the NSG it is configured with for external beacon
If possible, we should also make these modifiable

2013 Citrix | Confidential Do Not Distribute

 Review

Module 1: Deploy WorxMail 1.3

Configure and test some of the new WorxMail 1.3 features on iOS or Android devices
Module 2: Deploy WorxWeb 1.3
Configure and verify ability to create blacklist/whitelist of URLs
Configure and verify ability to set a Homepage for WorxWeb
Module 3: Deploy Native iOS (.IPA) or Android (.APK) apps
Configure and verify ability to upload .IPA or .APK files to XenMobile App Controller
Verify mobile users can access and download native apps from XenMobile App
Controller

55 2013 Citrix | Confidential Do Not Distribute

 Review

Module 4: Deploy Public Stores apps to iOS and Android devices

Configure and verify ability to publish iOS free and paid apps available from the App
Store
Configure and verify ability to publish Android free and paid apps available from the
Google Play
Module 5: Deploy XenMobile App Controller in a Multi-Windows
Domain Environment
Configure XenMobile App Controller to authenticate users from two independent
Windows domains
Configure and test NetScaler Gateway 10.1.e to allow remote users access
resources from either domain

56 2013 Citrix | Confidential Do Not Distribute

 Review

Module 6: Deploy XenMobile App Controller with Multiple NetScaler

Gateways
Configure and test XenMobile App Controller with multiple NetScaler Gateways (2)
to allow remote users access resources from either Gateway

57 2013 Citrix | Confidential Do Not Distribute

Work better. Live better.