Technical Overview
Feb, 2013
[Figure: "Unmanaged Data" market statistics. Labels shown: Devices, Employees, Apps; Fortune 500; Average per employee; Work in multiple locations; Average Citrix customer portfolio; Use unmanaged cloud storage. Values shown: 65%, 200+, 80%+, 50%, 43%, 40%, 32%; the pairing of values to labels did not survive extraction.]
By 2015, mobile app development projects will outnumber native PC projects by a ratio of 4-to-1 (Gartner).
[Figure (IDC): enterprise application mix, 2011 versus 2015. 2011: Win 40%, Other 39%, SaaS 16%, Mobile 5%. 2015: Win 38%, SaaS 25%, Other 24%, Mobile 13%.]
2013 Citrix | Confidential Do Not Distribute
User Needs
Want access to all apps and data
from any of their devices
Access Gateway & SSO
App Management
Introducing XenMobile
Business Apps
Secure Mail
Data Management
Device Management
[Figure: XenMobile product lineup.]
XenMobile MDM Edition: Mobile Device Management. The MDM client is installed client-side; XM Device Manager is installed server-side.
Mobile Solutions Bundle: email encryption, internal web apps, SaaS apps, wrapped native apps, and secure data with ShareFile. XenMobile Gateway is installed server-side; @WorkMail and @WorkWeb provide a secure email client and web browser; SharePoint (secure SharePoint access); ShareFile (follow-me data, sold separately).
XenMobile Enterprise Edition: comprehensive enterprise mobility management for all apps, data and devices.
Secure and manage my devices
"I need to manage personal and corporate devices alongside each other."
MDM Edition
Enterprise-grade MDM: manage and configure corporate and BYO devices; detect jailbreak; blacklist/whitelist apps; full or selective device wipe.
Easy to set up: fully wizard-driven.
Extensible: enterprise integration (e.g. LDAP and PKI); upgrade to Enterprise for mail or app management at any time.
[Figure: MDM Edition architecture. MDM Client on the device; XM Device Manager behind the DMZ; native mail encryption; Mobile Device Management.]
Give me mail that users love and IT embraces
[Figure: Secure Mail. Receiver on the device connects through NetScaler Access Gateway to XM AppController, which fronts Web & Mobile SaaS, Secure Apps and Data.]
Mobilize my apps and data
"Good Dynamics is too hard to implement."
"Extend my enterprise to partners and contractors."
[Figure: XenMobile Enterprise architecture. Device: MDM Client, Citrix Receiver, native mail encryption. DMZ: NetScaler Access Gateway. Internal network: XM Device Manager (Mobile Device Management); XM AppController (Web & Mobile SaaS, Secure Apps, Data); StoreFront Services in front of XenDesktop / XenApp (XD / XA) desktops and apps.]
XenMobile: Mobile ROI
Mobile Device Management
Sandboxed Mail and Web
Mobile App Security
Mobile Data Control
Mobile Network Control
Desktop and App Virtualization
Collaboration
If you do not have MS SQL Server, the installer includes PostgreSQL for proofs of concept.
User Tips
Remember: users may belong to multiple groups, and this affects which deployment packages they receive.
Be sure to create at least one local account for emergency use. This account should not be in AD; protect its password as a break-glass credential (store it offline, restrict who knows it, and audit every use). It may be your only way to log into the server if the AD connection is severed.
ZDM (Zenprise Device Manager, the component that became XM Device Manager) does not crawl the entire LDAP tree looking for users. Deeply nested user accounts may be unable to log in if the LDAP connection simply references the root; point the base DN at the containers that actually hold the user accounts.
Secure Mobile Gateway (ActiveSync Controller)
[Figure: (1) normal traffic flow from the device over 3G/4G to Exchange ActiveSync; (2) rules based on device, user properties and applications; (3) a blacklisted app is installed; (4) monitored traffic flow. Block on blacklisted apps, rooted devices, unmanaged devices, and user/group.]
An ISAPI filter screens all ActiveSync HTTP requests from mobile devices according to the set of rules configured in XenMobile MDM.
Installation process
As simple as possible.
The ActiveSync Controller must be reinstalled on every new ActiveSync server.
Installation on a CAS server requires manually adding ZenpriseIsapi.dll.
Don't forget to configure it afterwards with the Secure Mobile Gateway Configuration Tool.
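An added example, written for this page in Python and not Citrix's ISAPI filter: the screening decision the controller makes, run over constructed ActiveSync request lines against a constructed device inventory. The DeviceId values, app and group names, and the extra rule that a device may only be used by the user it is enrolled to are assumptions. The rule order follows the slide (blacklisted apps, rooted, unmanaged, user/group) except that the unmanaged check runs first, because a device with no inventory record has nothing else to test.

```python
"""Rule check for an ActiveSync-screening filter (added example, not Citrix's code).

The Secure Mobile Gateway above is an ISAPI filter that inspects every
ActiveSync request and blocks devices the MDM server has flagged. This model
makes the same decision in Python; the request lines, the device inventory
and the rule names are all constructed for this page.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed inventory as the MDM server might publish it to the filter.
# Keyed by the ActiveSync DeviceId; a device with no entry is unmanaged.
DEVICES = {
    "APPL9F3A2C1D": {"user": "alice", "rooted": False,
                     "apps": ["mail", "quickoffice"], "groups": ["eng"]},
    "ANDR77B2E900": {"user": "bob", "rooted": True,
                     "apps": ["mail"], "groups": ["sales"]},
    "APPL00C0FFEE": {"user": "carol", "rooted": False,
                     "apps": ["mail", "dropbox"], "groups": ["eng"]},
    "APPL0BADF00D": {"user": "dan", "rooted": False,
                     "apps": ["mail"], "groups": ["contractors"]},
}
BLACKLISTED_APPS = {"dropbox"}      # constructed policy values
BLOCKED_GROUPS = {"contractors"}


def parse_request(request_line):
    """Pull User, DeviceId, DeviceType and Cmd out of an HTTP request line.

    Returns None when the path is not the ActiveSync endpoint, so the caller
    can pass non-ActiveSync traffic (OWA, autodiscover) through untouched.
    """
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    if url.path.lower() != "/microsoft-server-activesync":
        return None
    params = parse_qs(url.query)
    field = lambda name: params.get(name, [None])[0]
    return {"method": method, "cmd": field("Cmd"), "user": field("User"),
            "device_id": field("DeviceId"), "device_type": field("DeviceType")}


def decide(req):
    """Return ("allow" | "block", reason) for a parsed request.

    An unmanaged device has no inventory record, so that check comes first;
    the user named in the request is then checked against the enrolment so a
    known DeviceId cannot be reused against another mailbox.
    """
    if req is None:
        return "allow", "not ActiveSync"
    if not req["device_id"] or not req["user"]:
        return "block", "missing DeviceId or User"
    device = DEVICES.get(req["device_id"])
    if device is None:
        return "block", "unmanaged device"
    if device["user"].lower() != req["user"].lower():
        return "block", "device enrolled to another user"
    if device["rooted"]:
        return "block", "rooted device"
    bad = sorted(BLACKLISTED_APPS.intersection(device["apps"]))
    if bad:
        return "block", "blacklisted app: " + ", ".join(bad)
    if BLOCKED_GROUPS.intersection(device["groups"]):
        return "block", "blocked user/group"
    return "allow", "policy pass"


def screen(request_lines):
    """Run every request line through the rules; returns (line, verdict, reason) tuples."""
    return [(line,) + decide(parse_request(line)) for line in request_lines]


if __name__ == "__main__":
    # Constructed request lines in the shape Exchange sees from mobile devices.
    sample = [
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=APPL9F3A2C1D&DeviceType=iPhone HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=bob&DeviceId=ANDR77B2E900&DeviceType=Android HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=mallory&DeviceId=APPL9F3A2C1D&DeviceType=iPhone HTTP/1.1",
        "GET /owa/ HTTP/1.1",
    ]
    for line, verdict, reason in screen(sample):
        print(f"{verdict:5} {reason:32} {line[:60]}")
```

The filter sees only the request line, so everything it knows about the device has to come from the MDM inventory; a device the MDM has never seen is blocked by default rather than allowed, which is the fail-closed behaviour the "unmanaged devices" rule on the slide asks for.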
Device Support
Citrix XenMobile MDM allows you to manage the following mobile device platforms:
Apple handheld devices (iPhone, iPad) using iOS 5.0 or higher
Android handheld devices using 2.2 or higher
Microsoft Windows Phone 8 and Windows 8 tablets
BlackBerry handheld devices using BlackBerry OS versions 5.x, 6.x and 7.x
Symbian
BlackBerry 10 (BB10)
[Table: MDM feature matrix by platform. Column headings that survived: Mobile, Windows 8, Windows 8 Phone (one cell marked "limited"); the per-platform support marks did not survive extraction. Rows: Dashboard; Enhanced enrollment modes (OTP, multifactor, invitation-based); Invitation client download; Email attachment encryption; App tunnels; Mobile SSL VPN; Storage card encryption policy; Auto-discovery logon; Automated actions; Notifications; Agent notification; Locate device; Geo-tracking and geofencing; Secure SharePoint; Remote client installation (OTA); Provisioning of devices and users; Hardware inventory; Software inventory; Security: jailbreak detection; File transfer; Device remote control; Roaming management; Reports (activity and device inventory); Local device data encryption (option).]
Policies
MDM Policies: device-specific configuration and restriction policies; application tunnels; automated actions; server groups.
XenMobile Policies: application access policies (black/white lists); XM SDK-enabled app control; SharePoint configuration.
Policy Tips
Name policies with descriptive names. When browsing lists, the policy name is the only information you have to tell what the policy does. One common technique is to prefix the policy with the audience that should receive it, e.g. "Corp HQ Wi-Fi" or "Engineering Password Policy".
Restriction Policies
Can be very useful for corporate-owned devices; not recommended for BYOD.
Common restrictions
iOS Restrictions: full list of restrictions
Automated Actions
Special policies which automatically trigger actions based on reported data. All automated actions require the device to reconnect to the Zenprise Device Manager, so a trigger takes effect at the device's next check-in, not at the moment the condition arises. To trigger an automated action for a blacklisted application, the application must first be blacklisted under Policies / Blacklist.
Notification Template
Notification templates are configured under the Options menu.
Deployments
Deployment packages are used to push policies to devices.
Deployment Tips
There are two schools of thought on deployment best practice.
Create multiple deployment packages with few policies each.
Benefits: control users' policies and exceptions in a clear way; a failed policy does not block other policies.
Drawback: many packages to create and manage.
Create few deployment packages with many policies each.
Drawbacks: a failed policy blocks the remaining policies in the package; exceptions require creating alternate packages.
Location Services
Geotracking results: once enabled, ZDM can store up to 6 hours of movement for each device.
Governance is built in: policies can be updated on hundreds of apps with no requirement to change source code, and developers need not change the way they develop apps or learn mobile security standards.
MDX components
MDX Controller
MDX App Vault: secure container that enables app and data containment, wipe and lock.
MDX Access: secure access to intranet resources.
MDX InterApp: trusted application communication fabric.
[Figure: Citrix Receiver and native mobile apps. MDX policies applied during app wrapping: deny SMS, disable iCloud, disable screenshots, force authentication, block jailbroken device. Each wrapped app keeps its private data in an app-private data vault.]
[Figure: MDX InterApp. "Open with" between wrapped apps is allowed; access to insecure applications is denied.]
[Figure: MDX Access. Private data flows through Access Gateway in C-VPN mode to SaaS, web, mobile and data resources.]
MDX Architecture
[Figure: the mobile app sits on policy-aware interception functions, which sit on the mobile OS; encrypted storage, an encrypted clipboard and a micro-VPN connect the app to Citrix mobile services.]
MDX policy keywords (default value TRUE for each):
Pasteboard: DisableCopy, DisablePaste, AppSecurityGroup, PasteFromSystemClipboard.
Open-In: DisableOpenIn. Prevents the user from opening documents with other apps from within the managed app.
iCloud: DisableiCloud.
Printing: DisablePrinting.
Camera: DisableCamera. Prevents the user from using the device's camera within the managed app.
SMS/Text: DisableSms. Prevents the user from using the iOS text interface from within the managed app.
Email: DisableEmail. Prevents the user from using the iOS email interface from within the managed app.
GPS: DisableLocation. Prevents the app from using GPS or location services within the managed app.
Microphone: DisableMicrophone. Prevents the app from using the microphone for audio recording within the managed app.
AppWrapper
The Mobile App Wrap tool runs on Mac OS X; the Mobile App Wrap tool for Android is available as a beta.
It takes a pre-compiled iOS native application bundle (.ipa) as input and produces a repackaged iOS application bundle with the Citrix app-wrapper logic inserted (.mdx).
It re-signs the repackaged app using a customer-provided enterprise distribution profile. Because every wrapped app then ships under your enterprise signing identity, the signing certificate and provisioning profile on the wrapping host need the same protection as any other code-signing key.
[Figure: QuickOffice.ipa is wrapped and uploaded to XenMobile; the app becomes available as a secure, managed app (QuickOffice Enterprise) and is visible on the iOS home screen.]
Me@Work family
[Figure: Data & contacts; Podio (social, team, integrated collaboration); @Life versus @Work; MDX App Vault; MDX InterApp; MDX Policy, shown with a 24 h value.]
MDX policy examples: InterApp sharing, iCloud backup, enable DLP, require authentication, trusted network only, disable printing. @Life content stays separate from @Work content.
@WorkMail
Mail, calendar, contacts. Enterprise-class security. Beautiful native experience. Full inter-app integration. MDX-secured. Secure Exchange connectivity. No new messaging infrastructure. Connected/disconnected access.
[Figure: @WorkMail connects over the Micro VPN through NetScaler/Access Gateway to the Client Access Server (CAS), with the Internet outside.]
@WorkWeb
Secure browser for iOS and Android device intranet web browsing. Internal web app access: easy access to SharePoint, intranet portal, etc. Full inter-app integration. Consumer experience. MDX-secured.
[Figure: @WorkWeb connects over the Micro VPN through NetScaler/Access Gateway to AppController and on to Web/SaaS applications.]
Administration
Define roles; configure applications.
[Figure: AppController extracts the memberOf attribute from Active Directory and maps it to roles. The Workflow and Provisioning Engine syncs with AppController, creates users in the target applications, and logs to reporting systems.]
Questions the provisioning workflow answers: what privilege on the application? Any app-specific security rules? Additional approvals required before creating the account?
Workflow Management
1. User self-service application request.
2. Approver.
3. Approver (further approvers as required), after which the Workflow and Provisioning Engine creates the account through AppController.
Scenario-based controls.
Certificate Management
AppController can host multiple certificates: server, root CA and SAML.
Device registration
First-time logon performs a lightweight mobile device registration: Receiver silently registers the device with AppController and provides a device-unique token and selected device information.
Groups
Users are entitled to specific apps through the roles they belong to. Deep AD integration allows automatic provisioning and de-provisioning of SaaS accounts when AD users are added or removed.
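An added example of the group-to-role-to-entitlement chain and the provisioning diff it drives, written for this page in Python; it is not Citrix's provisioning engine. The group DNs, role names, app names, which apps need an account created on the SaaS side, and the rule that Salesforce accounts need an approver are all assumptions, and the two directory snapshots are constructed. The example goes one step beyond the slide by treating a disabled AD account (the ADS_UF_ACCOUNTDISABLE bit of userAccountControl) the same as a removed one, since a deprovisioning sync that only watches for deletions leaves disabled users with live SaaS accounts.

```python
"""Role-based entitlement and SaaS account provisioning from memberOf
(added example for the AppController workflow above; hypothetical code with a
constructed directory snapshot, not Citrix's provisioning engine).
"""

ACCOUNT_DISABLED = 0x0002   # ADS_UF_ACCOUNTDISABLE bit of userAccountControl

# Group DN -> role, as an administrator would define roles (assumed names).
ROLE_BY_GROUP_DN = {
    "cn=engineering,ou=groups,dc=mycorp,dc=com": "engineer",
    "cn=sales,ou=groups,dc=mycorp,dc=com": "sales",
    "cn=contractors,ou=groups,dc=mycorp,dc=com": "contractor",
}
# Role -> apps the role is entitled to (assumed).
APPS_BY_ROLE = {
    "engineer": {"ShareFile", "Jira-SaaS", "Intranet-Wiki"},
    "sales": {"ShareFile", "Salesforce"},
    "contractor": {"Intranet-Wiki"},
}
# Apps where an account must be created on the SaaS side; the rest are SSO-only.
PROVISIONED_APPS = {"ShareFile", "Salesforce", "Jira-SaaS"}
# Apps whose account creation needs an approver before the engine proceeds.
APPROVAL_REQUIRED = {"Salesforce"}


def roles_for(user):
    """Map the user's memberOf DNs to roles; DN comparison is case-insensitive."""
    groups = {dn.lower() for dn in user.get("memberOf", [])}
    return {role for dn, role in ROLE_BY_GROUP_DN.items() if dn in groups}


def entitlements(user):
    """Apps the user may have. A disabled account is entitled to nothing, so
    disabling in AD deprovisions the same way deletion does."""
    if user.get("userAccountControl", 0) & ACCOUNT_DISABLED:
        return set()
    apps = set()
    for role in roles_for(user):
        apps |= APPS_BY_ROLE.get(role, set())
    return apps


def plan_sync(previous, current):
    """Diff two directory snapshots (sAMAccountName -> record) and return the
    provisioning actions as (action, user, app, note) tuples, sorted by user."""
    actions = []
    for name in sorted(set(previous) | set(current)):
        before = entitlements(previous[name]) if name in previous else set()
        after = entitlements(current[name]) if name in current else set()
        for app in sorted((after - before) & PROVISIONED_APPS):
            note = "needs approval" if app in APPROVAL_REQUIRED else "auto"
            actions.append(("create", name, app, note))
        for app in sorted((before - after) & PROVISIONED_APPS):
            actions.append(("delete", name, app, "immediate"))
    return actions


# Constructed snapshots: alice gains Sales, bob is disabled, carol is deleted, dave is new.
ENG = "CN=Engineering,OU=Groups,DC=mycorp,DC=com"
SALES = "CN=Sales,OU=Groups,DC=mycorp,DC=com"
CONTRACT = "CN=Contractors,OU=Groups,DC=mycorp,DC=com"
PREVIOUS = {
    "alice": {"memberOf": [ENG], "userAccountControl": 0x200},
    "bob": {"memberOf": [SALES], "userAccountControl": 0x200},
    "carol": {"memberOf": [CONTRACT], "userAccountControl": 0x200},
}
CURRENT = {
    "alice": {"memberOf": [ENG, SALES], "userAccountControl": 0x200},
    "bob": {"memberOf": [SALES], "userAccountControl": 0x202},
    "dave": {"memberOf": [SALES], "userAccountControl": 0x200},
}

if __name__ == "__main__":
    for action in plan_sync(PREVIOUS, CURRENT):
        print(*action)
```

Deletions are marked immediate while creations may wait on an approver: removing access should never queue behind a workflow, and the asymmetry is deliberate.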
MDX applications can parlay their Receiver authentication context into other credentials for single sign-on:
NTLM challenge/response (or the real AD domain, username and password)
User and device certificates
Specialty tokens such as the ShareFile SAML token
Eventually Kerberos, OAuth/OpenID, etc.
Where a choice exists, prefer certificate- or token-based methods: handing the user's actual AD password to a wrapped app exposes that credential beyond the gateway.
Single sign-on
Receiver and AppController directly provide SSO for hosted applications (ICA/HDX) and for Web/SaaS applications.
AppController: Direct or Integrated Mode
[Figure: Direct Mode. Device: MDM Client, Receiver, native mail encryption. DMZ: NetScaler Access Gateway, with the XM ActiveSync Controller behind TMG for mail. Internal: XM Device Manager (Mobile Device Management) and XM AppController (Web & Mobile SaaS, Secure Apps, Data); Receiver talks to AppController directly.]
[Figure: Integrated Mode. The same components, plus StoreFront Services in front of XenDesktop / XenApp (XD / XA) desktops and apps; Receiver reaches AppController resources through StoreFront.]
Citrix Receiver setup
[Figure: Receiver account setup flow.]
Receiver looks up the DNS SRV record _citrixreceiver._tcp.mycorp.com to find the Access Gateway or Account Service hostname, validates the server certificate, logs in, and retrieves the account configuration (Access Gateway, StoreFront or AppController).
Certificate validation is what makes this safe: DNS is unauthenticated, so a spoofed SRV answer could point the client at a hostile host, and only the certificate check against the expected name stops the login from going there.
Access Gateway
Ticket-based Connection Authorization
VPN-less Remote Access from Any Device
Endpoint Analysis & SmartAccess: endpoint analysis and session policy controls allow for server-side filtering of resource lists, which are passed from a trusted source.
Secure Ticketing: connections are authorized using a secure single-use ticket. The single-use ticket defeats replay of a captured launch file; it does not by itself authenticate either endpoint, so protection against man-in-the-middle interception still rests on the TLS session to the gateway.
Anywhere Access: allows users to securely access desktops and applications using any device, including home computers and mobile devices.
Network Access: allows users to access network resources using a traditional SSL VPN with strict authorization policies and split-tunneling controls.
VPN-less Access: enables secure remote access to critical web applications from users' browsers without requiring additional client components.
Micro-VPN
Policy-controlled per-application tunneling technology; relies on Citrix Receiver for authentication and SSO.
Network access policy choices:
Blocked: application network APIs are blocked and fail as if the network were not available.
Unconstrained: application network APIs work normally.
Tunneled: application network APIs are tunneled through XenMobile to the enterprise intranet.
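An added example of the three network policy choices as an interception layer, written for this page in Python; it is not the MDX interception code. The policy table, the gateway address, and the CONNECT-style request sent to the gateway are assumptions. It interposes on socket.create_connection for one app at a time: Blocked raises the error an app sees with no network, Unconstrained passes the call through, and Tunneled dials only the gateway and asks it for the intranet host. The demo stands a loopback listener in for the gateway so the tunnel request can be observed offline.

```python
"""Per-application network policy with the three Micro-VPN choices above
(Blocked, Unconstrained, Tunneled). Added example, not the MDX interception
layer; the policy table, gateway address and CONNECT framing are assumptions.
"""
import errno
import socket
import threading
from contextlib import contextmanager

# Constructed policy: which mode each wrapped app gets. Unknown apps fail closed.
POLICY = {
    "QuickOffice-Enterprise": "Tunneled",
    "Podio": "Unconstrained",
    "Notes": "Blocked",
}
DEFAULT_GATEWAY = ("ag.mycorp.com", 443)   # assumed Access Gateway address


def route(app, host, port, gateway=DEFAULT_GATEWAY):
    """Decide where a connection from `app` to host:port really goes."""
    mode = POLICY.get(app, "Blocked")
    if mode == "Blocked":
        # Same error the app would see with no network: it fails, it does not leak.
        raise OSError(errno.ENETUNREACH, "Network is unreachable")
    if mode == "Unconstrained":
        return ("direct", (host, port))
    return ("tunnel", gateway, (host, port))


def is_blocked(app, host, port):
    """True when policy makes the connection fail as network-unreachable."""
    try:
        route(app, host, port)
    except OSError as exc:
        return exc.errno == errno.ENETUNREACH
    return False


@contextmanager
def enforce(app, gateway=DEFAULT_GATEWAY):
    """Interpose on socket.create_connection for the duration of the block, the
    way a policy-aware interception function wraps an app's network API."""
    original = socket.create_connection

    def wrapped(address, *args, **kwargs):
        decision = route(app, address[0], address[1], gateway)
        if decision[0] == "direct":
            return original(address, *args, **kwargs)
        _, gw, (host, port) = decision
        sock = original(gw, *args, **kwargs)          # only the gateway is ever dialled
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        return sock

    socket.create_connection = wrapped
    try:
        yield
    finally:
        socket.create_connection = original


def demo_tunnel(app="QuickOffice-Enterprise", target=("sharepoint.mycorp.local", 443)):
    """Stand a loopback listener in for the gateway and return the bytes it
    received when the app connected to an intranet host under policy."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    received = bytearray()

    def gateway_side():
        conn, _ = listener.accept()
        with conn:
            received.extend(conn.recv(4096))

    worker = threading.Thread(target=gateway_side)
    worker.start()
    with enforce(app, gateway=listener.getsockname()):
        with socket.create_connection(target, timeout=5):
            pass
    worker.join(5)
    listener.close()
    return bytes(received)


if __name__ == "__main__":
    print(demo_tunnel().decode().splitlines()[0])
    print("Notes blocked:", is_blocked("Notes", "intranet.mycorp.local", 80))
```

The intranet hostname never reaches the device's resolver or routing table in Tunneled mode; it travels inside the request to the gateway, which is what lets a wrapped app reach internal names from an untrusted network.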
What Is SmartAccess?
Single logon experience to Web Interface; certificate/token required; secure pre-authorization scan; deliver applications and desktops based on trust; dynamically filter virtual channels based on endpoint conditions; automatically deploy client components.
[Figure: Citrix Receiver with Application and Desktop Virtualization. Virtual-channel controls driven by endpoint conditions: allow client drives, allow USB devices, turn off clipboard, connect client printers, allow Remote AERO.]
Secure Ticketing
[Figure: Receiver/browser, Access Gateway (AG), StoreFront Services (SFS), and the Secure Ticket Authority (STA) on XenApp.]
1. The user clicks an app.
2. SFS sends policy inspection information to the STA and receives a ticket.
3. SFS sends the ICA file, carrying the ticket information, to the client.
4. The browser invokes the ICA plug-in, which sends the ticket information to the AG.
5. The AG validates the ticket with the STA and sets up the ICA tunnel.
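An added example of the single-use ticket at the centre of this flow, written for this page in Python and modelled on the STA exchange above; it is not Citrix's STA. The ticket lifetime, the ICA file layout (the ";40;<sta>;<ticket>" Address form) and the host names are assumptions. StoreFront's role is request_ticket, the gateway's role is validate; because the ticket is removed on first redemption, presenting the same ICA file twice fails on the second attempt, and the backend address never appears in anything the client receives.

```python
"""A single-use, time-limited launch ticket (added example modelled on the STA
flow above; hypothetical code, not Citrix's Secure Ticket Authority).
"""
import secrets
import time

TICKET_TTL_SECONDS = 100  # assumed lifetime; in a deployment this is a configured setting


class SecureTicketAuthority:
    def __init__(self, now=time.time):
        self._now = now                # injectable clock so expiry can be exercised
        self._tickets = {}             # ticket -> (host, port, user, expires_at)

    def request_ticket(self, host, port, user):
        """StoreFront side: bind a fresh random ticket to the launch target."""
        ticket = secrets.token_hex(16)             # 128 bits, unguessable
        self._tickets[ticket] = (host, port, user, self._now() + TICKET_TTL_SECONDS)
        return ticket

    def validate(self, ticket):
        """Gateway side: redeem the ticket, returning the target or None.

        pop() removes the ticket before anything else happens, so a second
        presentation fails even when the first one was inside the TTL.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        host, port, user, expires_at = entry
        if self._now() > expires_at:
            return None
        return {"host": host, "port": port, "user": user}

    def expire_stale(self):
        """Housekeeping: drop tickets that were issued but never redeemed."""
        now = self._now()
        stale = [t for t, (_, _, _, exp) in self._tickets.items() if now > exp]
        for t in stale:
            del self._tickets[t]
        return len(stale)


def build_ica_file(sta_id, ticket):
    """Minimal ICA-style launch file. The Address layout is an assumption of this
    example; the point is that only the STA reference and ticket appear in it,
    never the backend host."""
    return "\n".join(["[ApplicationServers]", "Notepad=", "", "[Notepad]",
                      f"Address=;40;{sta_id};{ticket}", "ClientAudio=Off", ""])


def ticket_from_ica(ica_text):
    for line in ica_text.splitlines():
        if line.startswith("Address=;"):
            return line.split(";")[-1]
    return None


def gateway_connect(sta, ica_text):
    """What the gateway does with a presented ICA file: redeem the ticket and,
    if it is good, learn where to open the tunnel."""
    ticket = ticket_from_ica(ica_text)
    return sta.validate(ticket) if ticket else None


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    ica = build_ica_file("STA01", sta.request_ticket("xenapp01.mycorp.local", 1494, "alice"))
    print("first use :", gateway_connect(sta, ica))
    print("replay    :", gateway_connect(sta, ica))
```

Two properties carry the security argument: the ticket is drawn from a CSPRNG wide enough that guessing is hopeless, and redemption and removal are one operation, so there is no window in which a copied ticket is still valid after the legitimate launch.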
[Figure: resource request flow. Receiver connects through Access Gateway to StoreFront Services; policy inspection runs against XenDesktop, XenApp and AppController; the resulting resource list (MS Word, Financial App, SAP, Win7 Desktop) is returned to the client over SSL.]
Remote Access: basic scenarios
NetScaler Access Gateway + StoreFront (no AppController)
NetScaler Access Gateway + AppController (no StoreFront)
NetScaler Access Gateway + StoreFront + AppController
Note: all the scenarios described that use Citrix StoreFront assume single-server deployment mode.
StoreFront only (no AppController)
Ideal for XenApp / XenDesktop customers; no need for clientless access (CVPN); NetScaler Access Gateway needs the Platform license only; the Access Gateway vserver can be set to Basic mode.
Case 1: remote-access mobile users, native connection to stores.
AppController only (no StoreFront)
Ideal for enterprise customers that want application and user management via AppController; such customers do not have XenApp / XenDesktop, so no StoreFront is needed; clientless access (CVPN) is required; NetScaler Access Gateway needs Universal licenses.
Case 1: remote-access mobile users, native connection to stores.
StoreFront + AppController
Ideal for enterprise customers that leverage the entire XenMobile solution to access Windows apps/desktops, Web/SaaS and mobile apps; clientless access (CVPN) is required; NetScaler Access Gateway needs Universal licenses.
Case 1: remote-access mobile users, native connection to stores. The ICA Proxy VIP is set to Basic (no Universal license required; it uses the XD/XA license); see the policy.
[Table: license requirements by scenario (Cloud Gateway Enterprise, Receiver for Web) against Platform licenses and Universal licenses; the cell values did not survive extraction.]
Universal Licenses
Universal licenses are used to enable additional/advanced functionality on Access Gateway appliances. These are add-on licenses and work along with the Platform licenses to provide seamless access to your Citrix deployments. Universal licenses are purchased separately from the appliance and can be installed in the same manner as the Platform license.
Universal licenses can be used to turn on the following advanced functionalities: endpoint analysis; SmartAccess to XenApp/XenDesktop; CVPN clientless access to internal web resources; full tunnel (SSL VPN); MDX Micro VPN.
Mobile ROI: Citrix competitive position
The most comprehensive solution
[Figure: Citrix position across Device Management (MDM), Sandboxed mail and web, Mobile app control and security, Mobile network control, SSO & identity management, Enterprise collaboration (GoToMeeting, GoToAssist, Podio), Desktop & app virtualization, and Secure data. MDM Edition covers the first column; Enterprise Mobility Management covers the rest.]
Why Citrix? Comprehensive, compelling, compliant.
Legacy mobile email with bad user ...
[Table: competitive comparison, columns Citrix, AirWatch, MobileIron, Good. Rows recovered without reliable column order: mobile app security (entries "None", "Roadmap", "Good Dynamics SDK"); scope ("Mobile only" for each of the three competitors); SSO ("No SSO"); access control ("Scenario-based access controls, dynamic network protection" for Citrix; "No context-based access" for two competitors). Weaknesses listed against the competitors: weak on-prem offering; poor reliability; poor support; playing catch-up in MDM 2.0; poor customer satisfaction; niche solution; restrictive container approach; poor user experience; won't integrate. Citrix entry: highly complementary roadmap; strong technology integration track record with prior acquisitions (e.g. XenSource, NetScaler, ShareFile).]
Why ShareFile?
Enable workforce mobility & BYOD; address the Dropbox problem.
Simple and secure data sharing: fellow employees, team collaboration, clients and third-party collaboration.
Enhanced productivity: store, sync, share.
Data protection: encryption, device lock, remote wipe, poison pill.
Security Information
SSAE 16 audited data centers; SSL encryption in transit; AES 256-bit encryption at rest; all uploaded files scanned for viruses; daily scans for McAfee SECURE accreditation; all ShareFile servers protected by dedicated firewalls.
Integrations: OneLogin, CA SiteMinder, PingIdentity PingFederate, Salesforce.
XenMobile
Selective data wipe; instant user provisioning and deprovisioning; real-time SaaS application monitoring; comprehensive access control policies; unified storefront for all applications, data and services.
[Figure: XenMobile Enterprise + XD / XA. The enterprise architecture above, with StoreFront (SF) between NetScaler Access Gateway and the XD / XA desktops and apps.]
StoreFront Services
Search to quickly find, subscribe to, or launch apps, documents or services; role-based follow-me subscriptions for applications and data; request applications; single authentication; integrated with Citrix Online GoTo products.
Apps can be: hosted; streamed (App-V or Citrix); web (SaaS).
Enterprise-ready StoreFront infrastructure
[Figure: several StoreFront servers sharing a replicated credential wallet and a central SQL subscription database.]
Centralized administration; leverages SQL Server; easy to scale out.
Resources
Tools to be successful
Demo Center: http://demo.citrix.com
http://www.citrix.com/skb/articles/RDY9505
Useful presentations
Citrix Mobile Solutions Bundle / XenMobile MDM Technical Deck: http://www.citrix.com/skb/articles/RDY9400