Citrix XenMobile Tech Deck - V1.6

Citrix XenMobile
Technical Overview
Feb, 2013
Enterprise Mobility in Numbers

BYO Devices
Multiple Locations App Proliferation
Unmanaged Data
65%
200+
80%+
Devices
Employees
Apps
Fortune 500
Average per
Employee
Work in multiple
locations
Average Citrix
customer portfolio
Use unmanaged
cloud storage
Source: Citrix and leading analysts
2013 Citrix | Confidential Do Not Distribute
50%
43%
40%
32%
work from home

work from client
sites
work while traveling
work at public sites
Forrsights Networks And Telecommunications
Survey
By 2015:
Mobile app development
projects will outnumber
native PC projects by a
ratio of 4-to-1
Gartner
Mobile; 13%
Win; 38%
Mobile; 5% SaaS; 25%
SaaS; 16%Win; 40%
Other; 39%
Other; 24%
2011
2015
IDC
How Mobile Feels Today
User Needs
Want access to all apps and data
from any of their devices
A complete stack for

Wipe selectively apps, data
managing and
Smartphones
& devices remotely
securing
apps, data,
Tablets
Follow
me apps & data on
PCs
and Macs
and devices
any device with federated
SSO
Clientless secure remote
access
AccessGateway&&SSO
SSO
AccessGateway
Control access polices for

apps, data and devices
AppManagement
Management
App
Introducing XenMobile
Business
BusinessApps
Apps
Productivity and Collaboration
Secure
SecureMail
Mail
Data
DataManagement
Management
Device
DeviceManagement
Management
Two Simple Packages

XenMobile
XenMobile
XenMobile MDM
MDM
MDM
Edition
Edition
(CloudEdition
or On-premise)
XenMobile
Mobile
Solutions
Mobile
Solutions
Enterprise
Edition
Bundle
Bundle
Secure, simple to use

Mobile Device
Management
for SMB & Enterprise
Mobile Device
Management
Comprehensive
Enterprise
Mobility Management
for all apps, data &
devices
Email encryptrion
Internal Web Apps
SaaS Apps
Wrapped Native Apps
Secure Data with
ShareFile
MDM Edition
Installed client-side
Installed server-side
Enroll and Connect. Connect

= Device management client
XenMobile Gateway
MDM Server. Policy server and admin

console for device management
AppController. Mobile, SaaS, and
web apps and data. Includes MDX
technology for centralized app mgmt
and security
Netscaler Access Gateway. SSL VPN
with scenario-based remote access
and Micro VPN (Netscaler sold
separately)
StoreFront. App Controller, remote
desktop, and Windows/DC apps
ShareFile. Follow-me data

Mobility Bundle (with Data Add-On)

Installed client-side
Installed server-side
Enroll and Connect. Connect

= Device management client
MDM Server. Policy server and admin

console for device management
Receiver. Unified app store,

single sign on
AppController. Mobile, SaaS, and web

apps and data. Includes MDX
technology for centralized app mgmt and
security.
@WorkMail, @WorkWeb.
Secure email client and web
browser
SharePoint. Secure
SharePoint Access
ShareFile. Follow-me data
(sold separately)
Netscaler Access Gateway. SSL VPN

with scenario-based remote access and
Micro VPN (NetScaler sold separately)
(Optional) StoreFront. Only for Citrix
XenDesktop/XenApp customers. Nextgeneration Web Interface that unifies
the app store for XD/XA & AppController
NetScaler appliance & ShareFile sold separately
Secure and
manage my
devices
My users are bringing in all

types of devicesI need to set
PIN codes, WiFi, etc..
issuing shared tablets to shift

workers in hospital/retail
stores/restaurants/dist centers
need to manage
personal and corporate
devices alongside each
other
MDM Edition
Want to give device

choicebut what do I do
if devices are lost or
stolen?
Secure and
manage my
devices
MDM Edition
Enterprise-grade MDM:
Manage & configure corporate and
BYO devices
Detect jailbreak, blacklist/whitelist
apps
Full/selective device wipe
Easy to setup:
Fully wizard-driven
Extensible:
Enterprise integration (e.g.: LDAP
and PKI)
Upgrade to Enterprise for mail or
app mgmt any time
Mobile Device Manager

XM ActiveSync Controller
TMG
MDM Client
XM Device Manager
DMZ
Native Mail
Encryption
Mobile
Device
Managem
ent
Give me mail
that users
love and
IT embraces
Using Good, but the

user experience stinks
make my users lives

better with email thats
beautiful, yet secure
replacing BlackBerrys,
but need similar policy
controls for iOS and
Android devices
provision an emailspecific PIN code
Mobile Solutions Bundle
Beautiful email client, sandboxed for

Give me mail
IT
2
that users
Native mobile mail, calendar, and
love and
contacts
IT embraces Attach and save data to ShareFile
One touch access to internal sites
with @WorkWeb
Calendar invites with GoToMeeting
using free/busy
Encrypted email, attachments,
contacts
Available on iPhone, iPad, Android
Phone & Tablet
Secure Mail
Receiver
Access
Gateway
Netscaler
XM AppController
Web &
Mobile
SaaS
Secure
Apps
Data
Mobilize my
apps and data
give employees mobile

access to our intranet and
web apps
need SSO for my

field who use
SalesForce/Evernote
give users easy

access to content onthe-go
need to secure and

manage custom and offthe-shelf iOS / Android
apps
Good Dynamics
is too hard to
implement
extend my
enterprise to partners
and contractors.
Secure email to any iOS/ Android

Mobilize my
apps and data device
Secure intranet web browsing with
micro VPN
Enterprise iOS/ Android app with
MDX controls
Integrated ShareFile data
accessibility
SAML Federation and AD based
identity management
Scenario-based access controls
Mobile Apps & Data
XM Device Manager
Receiver
Access
Gateway
Netscaler
DMZ
XM AppController
Web &
Mobile
SaaS
Secure
Apps
Data
All Apps & Data -XA & XD Integration
Receiver
Access
Gateway
StoreFront
Services
XM AppController
Deskto
ps
Apps
Netscaler
DMZ
Web &
Mobile
SaaS
Secure
Apps
Data
XD / XA
Complete Mobility Infrastructure Apps, Data, and Devices

TMG
Native Mail
Encryption
MDM Client
Receiver
XM Device Manager
Access
Gateway
StoreFront
Services
XM AppController
Web &
Mobile
SaaS
Secure
Apps
Data
Deskto
ps
Apps
Netscaler
DMZ
Mobile
Device
Managem
ent
XD / XA
XenMobile
iOS and Android device security control

Device access provisioning
MDM
Native iOS and Android store app delivery
Locating a lost device and wipe/selective wipe
Edition
Pushing apps automatically
Automating actions on the device (wipe when user is
disabled in AD)
Secure email to any iOS/ Android device

Secure intranet web browsing with micro VPN Mobility
Enterprise iOS/ Android app with MDX controls Bundle
Integrated ShareFile data accessibility
22 SAML Federation and AD based identity management

Citrix The Most Complete Mobile Portfolio

Optimized Mobile Enterprise
Mobile ROI
Mobile Device
Management
Sandboxed
Mail and Web
Mobile App
Security
Mobile Data
Control
Mobile Network
Control
SSO and Identity

Management
Desktop
and App
Virtualization
Collaboration
XenMobile MDM Edition

Mobile Device Management

TMG
MDM Client
XM Device Manager
DMZ
Native Mail
Encryption
Mobile
Device
Managem
ent
XenMobile Device Manager

Actively manage policy and configuration for iOS, Android, Windows Mobile/CE
and Symbian
Deploy and administer mobile applications
Functionality varies by app and platform
Control data access with DLP add-on

Receives connections directly from mobile devices
Makes connections to:
Database Server (MS SQL Server or Postgres)
Directory Server (AD or any other LDAP based system)
XM MDM Installation tips

Installation is supported on 64bit Windows Server 2005, 2008 and 2008R2
2003 supported until EOL
You will need an external DNS record and APNS cert

Only install the recommended version of Java
Be sure to include the Unlimited Strength crypto jar files
If you do not have MS SQL, the installer includes PostgresSQL for PoCs
XenMobile MDM Pre-requisites

Windows Server (Standard or Enterprise) 2003 64 bit, 2008 64 bit, or 2008 R2 64 bit
Service Accounts
Installation account must be local admin of server
Does not require SQL rights directly
Account with database creation permissions in SQL
Intended MDM server does not need to be a member of the domain
Do not install IIS. Uninstall IIS if it exists on this server
External DNS record for the MDM server
(ex. Mobile.yourcompany.com)
Apple APNS certificate
required during the install, obtained using the XenMobile APNS Certificate Setup Guide
Java SE 7
Java Cryptography Extension (JCE) files Unlimited Strength Jurisdiction Policy Files
copy local_policy.jar and US_export_policy.jar to /Java/jdk1.6.0_x/jre/lib/security
Software License
XM MDM Directory Services

Real-time access to LDAP (AD, Domino, etc..) source
Can configure multiple connections to multiple servers
Supports LDAP and LDAPS with certificate management
Wizard driven configuration
XM MDM Role Based Access Control

Roles can be created as desired
For example, multiple helpdesk tiers, devices managed by business units, etc..
Access is granular by admin function or group

Roles are selected by group
Groups can be defined locally or referenced from AD
SAM Account vs. User Principal Name (UPN)
sAMAccount is used to support

older OS WindowsNT4.0,
Windows95, Windows98, and
LAN Manager
When configuring an LDAP connection, you can

choose the User Search option of either
sAMAccount Name or userPrincipalName.
Any user enrolling their device will need to know
the format of their username see opposite
By convention, UPN should map

to the user email name (Use
This)
User Tips
Remember: Users may belong to multiple groups and this can affect which
packages are deployed
Be sure to create at least 1 local account for emergency use
This account should not be in AD and be sure to protect this password. This may be
your only way to log into the server if the AD connection is severed somehow.
ZDM does not crawl the entire LDAP tree looking for users. Deeply buried user
accounts may not be able to log in if the LDAP connection simply references
the root.
Secure Mobile Gateway

ISAPI filter, installed at point of access for mobile devices
Internet Server Application Programming Interface
Active Sync Controller automatically filters devices as specified by XM MDM

Static rules may be configured on individual Active Sync Controller instances if
required
Zenprise Security at the Network

Secure Mobile Gateway
ZDM Secure Mobile Gateway
Mail
2 Rules, Device,
User Properties,
Applications
5 Block User from

Intranet
Internal
Resources
3G / 4G
4 Monitored traffic
flow
1 Normal traffic flow
3 Blacklisted App
Install
Block
Block on
on blacklisted
blacklisted apps,
apps, rooted
rooted devices,
devices, unmanaged
unmanaged devices,
devices,
user/group
user/group
Secure Mobile Gateway - Installation

Installed at point of access for mobile devices
ISA Server 2006 SP1

TMG Server 2010 SP1 Update 1
Exchange CAS 2010, IIS 7.5
ISAPI filter screens all ActiveSync http requests from mobile devices
according to the set of rules configured by XenMobile MDM
Installation process
As simple as possible
Download, double click setup.msi, Next, Agree, Next, Next, Close
Secure Mobile Gateway Rules

Use the rule set in ZDM to configure device allow/block on
the SMG.
Active Sync Controller Installation Tips

Supported servers
ISA Server 2006 SP1

TMG Server 2010 SP1 Update 1
Active Sync Controller must be reinstalled on every new Active Sync server
Installation on CAS server requires manually adding ZenpriseIsapi.dll
Dont forget to configure it
Secure Mobile Gateway Configuration Tool
Device Support
Citrix XenMobile MDM allows you to manage the following mobile device platforms:
Apple handheld devices (iPhone, iPad) using iOS 5.0 or higher
Android handheld devices using 2.2 or higher
Microsoft Windows 8 Phone and Windows 8 Tablet
Windows Mobile and its derivatives, including Smartphone and PocketPC

Windows Mobile 5.x or 6.x (PocketPC or Smartphone Edition)
Pocket PC 2003
Windows CE 4.x, 5.x or 6.x
BlackBerry handheld devices using BlackBerry OS versions 5.x, 6.x, and 7.x
Symbian
BB10
Device Functionality Matrix (1 of 4)

Feature
Mobile
Windows8
Windows 8 Phone
Dashboard
--
Enhanced Enrollment
Modes (OTP, Multifactor,
Invitation-based)
--
--
--
--
--
Invitation Client
Download
--
--
--
--
--
Email Attachment
Encryption
--
--
--
--
--
--
--
--
--
--
--
--
--
--
App Lock ('Kiosk Mode')
App Tunnels
Mobile SSL VPN
--

Feature
Mobile
Storage Card
Encryption Policy
Auto discovery Logon
--
Windows8
Windows 8 Phone
--
--
--
--
---
Automated Actions
--
--
--
Notifications
--
--
--
Agent Notification
--
--
--
--
--
Enterprise App Store
--
--
--
--
--
--
--
--
LocateDevice

Feature
Mobile
Geo-Tracking, GeoFencing
Secure SharePoint
--
---
Windows8
Windows 8 Phone
--
---
--
--
--
Remote client
installation (OTA)
--
--
--
Provisioning of
devices & users
--
--
--
Hardware Inventory
--
Software Inventory
--
Security Jailbreak
detection
--
--
--
--
--

Feature
Mobile
Remote Wipe & Lock
Windows8
Windows 8 Phone
(limited)
Software download &

install
--
File transfer
--
Device Remote
Control
--
--
Roaming Management
Reports (activity &
devices inventory)
Local device data
encryption (option)
--
--
--
---
--
---
--
--
--
How Citrix defines Policies

Policies are all the individual elements of configuration or restriction available
for definition
Policies do not take effect unless deployed to a device
In the event of a policy conflict, the more restrictive policy is applied
Policies
Policies are all the individual elements of configuration or restriction

available for definition
Policies do not take effect unless deployed to a device
In the event of a policy conflict, the more restrictive policy is applied
MDM Policies
Device specific configuration and restriction
policies
Application Tunnels
Automated Actions
Server Groups
XenMobile Policies
Application access policies (black/white lists)
XM SDK enabled app control
SharePoint configuration
Policy Tips
Name policies with descriptive names
When browsing lists, the policy name is the only information you have to tell what the
policy does
One common technique is to prefix the policy with the people who should receive it
i.e.: Corp HQ Wi-Fi or Engineering Password Policy
Remember that you can define as many policies as you like

Policies only take effect when they are deployed to a device
Variables can be used to create more dynamic policies

For example, ${user.domainname}, ${user.userprincipalname}, etc.
A complete list is available at http://docs.zenprise.com
Lock Screen Policies
Common requirements (in order)

1.
2.
3.
4.
5.
Have a passcode defined

Disallow simple passcodes
Set auto-lock time
Set maximum password age
Set maximum password length
Restriction Policies
Can be very useful for Corporate Owned devices
Not recommended for BYOD
Common restrictions
1.
2.
3.
4.
Disable installation of apps

Disable camera
Disable iCloud
Disable Google Play / App Store
iOS Restrictions
Full list of restrictions
Automated Actions
Special policies which automatically triggers actions based
on data
All automated actions require devices to re-connect to the
Zenprise Device Manager
To trigger an automated action for a blacklisted application,
the application to be blacklisted in Policies / Blacklist.
Example Automated Task

Alerting a user when their access to email access has been blocked.
Choose the trigger type
Choose the action, in this

case we want to contact a
user using a contact
template
Finally, choose your
squelching parameters for
the alert
Notification Template
Notification templates are configured under the
Options menu
You will need to have a notification

server defined for each type of
notification you would like to send
Notification Templates, continued

Remember to use template
variables, they come in very
handy here
Other Automated Actions

Here are a few other automated actions
Selective wipe when a device leaves geofence
Warn users for any type of violation of their terms of use
Set a out of compliance flag when a blacklisted app is installed
Subsequent deployments can be based on this flag, eg, remove wifi access when
wikileaker is installed
Automatically revoke a jailbroken device
Deployments
Deployment packages are used to push policies to devices
Packages are comprised

of:
A package name
Groups of users
Resources which are
a combination of
A server group
App tunnels
Registry config.
XML
configurations
Software
inventory
Applications
Files
Zenprise
Knowledge Base URL
Deployment
schedule
Deployment Tips
There are 2 schools of thought for deployment best practice
Create multiple deployment packages with few policies
Benefits:
Control users policies and exceptions in a clear way
Failed policies do not block other policies
Drawback:
Many packages to create and manage
Create few packages with many policies

Benefits:
Control users policies en masse
Clear groupings of policies. (e.g., everyone in Asia gets Policy 1 2 and 4.)
Drawback:
Failed policy blocks remaining policies in the package
Exceptions require creating alternate packages
Location Services
A location services policy must be pushed to a device in order to track the

device or use the geofencing functionality
Location services policies only apply to iOS devices currently
Geotracking results
Once enabled, ZDM can store up to 6 hours of
movement for each device
XenMobile Mobility Bundle

MDX Technologies & Mobile Application Management

TMG
MDM Client
Receiver
XM Device Manager
Access
Gateway
Netscaler
DMZ
Native Mail
Encryption
XM AppController
Mobile
Device
Managem
ent
Web &
Mobile
SaaS
Secure
Apps
Data
Citrix Mobile App Management

Full support for both personal and corporate usage (BYOD)
Corporate apps and data secure even on employee-owned devices
New consumer-driven devices supported immediately
No risk of corporate data loss or compliance exceptions when:

Device is lost or stolen or employee leaves organization
Collaboration / file sharing apps used on the device
Governance is built-in
Policies can be updated on hundreds of apps with no requirement to change source
code
No requirement for developers to change the way they develop apps or learn
mobile security standards
MDX
Controller
MDX
App Vault
MDX
Access
MDX
InterApp
Secure container
that enables app
and data
containment, wipe
and lock
Secure access to
Intranet resources
Trusted application
communication
fabric
MDXVault
MDX InterApp
Citrix Receiver
Native
Native Mobile
Mobile
Apps
Apps
Deny
DenySMS
SMS
Disable
DisableiCloud
iCloud
Disable
screenshots
Disable screenshots
Force
Forceauthentication
authentication
Block
jailbroken
Block jailbroken
device
device
MDX
MDX Policies
Policies
during
during app
app
wrapping
wrapping
app
private
data vault
app
private
data vault
private
data
XenMobile
XenMobile
MDXInterapp
MDX InterApp
Citrix Receiver
Open
with
Deny
access
to insecure
applicatio
ns
XenMobile
XenMobile
private
data
MDXAccess
MDX InterApp
Citrix Receiver
private
data
MDXAccess
MDX InterApp
Citrix Receiver
SaaS
Web
Mobile
Data
SSL3 00100011 SSL3 001000111010101 SSL3 00100101 SSL3 001000111010101
SSL3 00100011 SSL3 001000111010101 SSL3 00100101 SSL3 001000111010101
Access Gateway
C-VPN Mode
private
data
XenMobile
MDX Architecture
Private
MDX
Private
MDX
mobile
mobile
app
mobile
mobile
appapp
app
network files clipboard
Policy
Policyaware
aware
interception
interceptionfunctions
functions
network files clipboard
mobile
mobileOS
OS
encryptedencrypted
micro-VPN
storage clipboard
Citrix
Citrixmobile
mobileservices
services
Data Containment Policies

Containm
ent
Feature
Policy Keyword(s)
Defaul
t Value
Description
Pasteboard
DisableCopy
DisablePaste
AppSecurityGroup
PasteFromSystemClipb
oard
TRUE
Prevents user from using copy/cut in the managed app.

Prevents user from using paste in the managed app.
App security group for shared clipboard
Allows paste from either system or shared clipboard
Open-In
DisableOpenIn
TRUE
Prevents user from opening documents with other apps from within
the managed app.
iCloud
DisableiCloud
TRUE
Prevents managed app from using iCloud storage for documents

and settings.
Printing
DisablePrinting
TRUE
Prevents user from printing documents from the managed app.
Camera
DisableCamera
TRUE
Prevents user from using the devices camera within the managed
app.
SMS/Text
DisableSms
TRUE
Prevents user from using iOS text interface from within the
managed app.
Email
DisableEmail
TRUE
Prevents user from using iOS Email interface from within the
managed app.
GPS
DisableLocation
TRUE
Prevents app from using the GPS or location services within the
managed app.
Microphone
DisableMicrophone
TRUE
Prevents app from using the microphone for audio recording within
None
TRUE
Data Containment Preliminary iOS Policies
AppWrapper
Mobile App Wrap tool runs on Mac OS X
Mobile App Wrap tool for Android Beta Available
Takes a pre-compiled iOS native application bundle
(.IPA) as input
Produces repackaged iOS application bundle with Citrix
app wrapper logic inserted (.MDX)
Recertifies the repacked app with using a customer
provided enterprise distribution profile
App Preparation Process

Secure app
with App
Preparation
Tool
Upload app to
XenMobile
QuickOffice.ip
a
App
available as
a secure,
managed
app
QuickOffice Enterprise
Push App via

ZP Client
App is visible
on iOS home
screen
QuickOffice
Enterprise
QuickOffice
mobile
app
Me@Work
family
@WorkWe @WorkMail ShareFile GoToMeetin

Email, calendar Follow-me
b
g
Secure
Browsing
Data
& contacts
Podio
Social
Team
Integrated
Collaboration Collaborati
on
@ Life
@ Work
MDX
App Vault
@ Life
MDX
InterApp
MDX
Policy
InterApp Sharing
iCloud Backup
Enable DLP
Require Authentication
Trusted Network Only
Disable printing
Restrict outbound URL

Allow Camera
@ Life
Offline lease period
24 h
MDX
Policy
@ Life
Lock and wipe

Enable DLP
Inter-app controls Require Authentication

Trusted Network Only
Conditional access policies
Disable printing
Restrict outbound URL

Allow Camera
Secure app containers
InterApp Sharing
Micro VPN
iCloud Backup
Offline lease period
24 h
@WorkMail
Mail, calendar, contacts

Enterprise class security
Beautiful native
experience
Full inter-app integration
MDX-secured
@WorkWeb
Secure browser
Internal web app access
Consumer experience
MDX-secured
Secure Exchange
connectivity
@WorkMail
No new messaging
infrastructure
Connected/
disconnected access
@WorkWeb
Any intranet site

access
Native browser
experience
@Work Mail
@WorkMail
Mail, calendar, contacts
Enterprise class security
Beautiful native experience
MDX-secured
Secure email body and attachment

Open in control to provide data leak
protection
NO Exchange server exposure to internet
Send email with ShareFile attachments
Integrated calendars and Exchange GAL
NOTE: Release candidate available now
@Work Mail - Topology

Firewall
@WorkMa
il
Internet
Micro VPN
NetScaler/
Client Access Server (CAS)
Access Gateway
@Work Web
iOS and Android device intranet web
browsing
Easy accesst to SharePoint, Intranet Portal etc
@WorkWeb
Secure browser
Internal web app access
Consumer experience
MDX-secured
81
Similar look/ feel as native browser

Safari on iOS; Chrome on Android
Single sign-on via NetScaler

Respond to HTTP 401
@Work Web - Topology

Firewall
@WorkWeb
Internet
Micro VPN
NetScaler/
Access Gateway
Mobile Application Policies
Federated Single Sign-on

Active
Directo
ry
AppControlle
r
Web/SaaS
Administration
Define Roles
Configure Applications
Roles map to AD groups
Connectors for federated

access or user accounts
Extracts memberof
attribute
MAP
Long list of built-in

connectors
Wizards for custom
federated access
Workflow
Workflow and
and Provisioning
Provisioning
Engine
Engine
Role-based User Account Management

Active
Directo
ry
Master
Employee
List
Syn
c
AppController
1. Standard enterprise provisioning

systems create user accounts on
AD
AppC supports programmatic integration with

PeopleSoft, SAP, Oracle HRMS and other
systems, in addition to LDAP sync
2. Sync to identify user-group

association
3. Create user accounts with
associated privileges on external
applications
If user is disabled on AD, all external accounts

can be disabled too
Role-based User Account Management
Automatic Account Provisioning

Active
Directo
ry
Auth
Syn
c
Create
AppControll
Users
er
Log
Reporting
Systems
What privilege on
application?
Any app specific
security rules?
Additional approvals
required before
creating account?
Automatic Account Provisioning
Workflow Management
1. User self-service application
request
Workflow
Workflow and
and Provisioning
Provisioning
Engine
Engine
2
Approver
3
Approver
Approver
AppControll
er
All app requests and subscriptions

consolidated on the Citrix Receiver
2. Request triggers AppC

workflows
3. Approvers get mail
notifications and approve
request
4.4Application account gets
provisioned for user
Workflow Management
Scenario-based controls
Certificate Management
Certificates
We can host multiple certificates in
AppController
Server
Root CA
SAML
Only one Server Certificate can be

active
Only one SAML Certificate can be
active
Device registration
First time logon: lightweight mobile device registration
Receiver silently registers device with AppController
Receiver provides device unique token and selected device information
AppController issues unique device ID Receiver

AppController links device ID/tokens to users
Admins can view all devices registered to users
Devices can be locked or marked for app data wipe
Receiver and MDX apps poll CG current lock/wipe status
Gateway must be reachable, but no logon needed
User authentication and roles

Receiver is the primary authenticator of users seeking access to
enterprise resources for
Hosted apps (ICA/HDX)
SaaS/Web applications
Managed mobile applications for Android and iOS
AppController roles are always linked to Active Directory users and
groups
Users are entitled to specific apps through the roles they belong to
Deep AD integration allows for automatic provision/de-provision of SaaS
accounts when AD users are removed or added
Device and app authentication

Receiver registers and track devices to users
Permits lock and wipe of corporate data/apps on selected devices
Receiver also serves as access manager for MDX managed applications

Strongly identifies applications
Determine app entitlements and policies
Brokers permitted data exchanges between managed apps
MDX applications can parlay their Receiver auth context into other
credentials for single-sign
NTLM challenge/response (or the real AD domain, username, & password)
User and device certificates
Specialty tokens like Sharefile SAML token
eventually kerberos, Oauth/OpenID , etc.
Single sign-on
Receiver and AppController directly provide SSO for
Hosted applications (ICA/HDX)
Web/SaaS applications
MDX applications can parlay their Receiver authentication context

into other credentials and access rights
Gateway tickets for micro-VPN access
NTLM challenge/response (or even the real AD domain, username, &
password)
User and device certificates
Specialty tokens like Sharefile SAML token
Eventually credentials for auth systems kerberos tokens, Oauth/OpenID ,
etc.
AppController
Direct or Integrated Mode
What is Direct vs. Integrated?

Direct connectivity mode allow users use Citrix Receiver or
Receiver for Web to connect to the AppController store for
Web/SaaS/Docs/Mobile resources
Ideal for customers that only want access to
Web/SaaS/Mobile/Docs resources
Integrated connectivity mode allow users connect to
Web/SaaS/Docs plus Windows resources
Integrated mode requires StoreFront running on Windows
AppController does not have the capability to communicate
with XenApp/XenDesktop farms unless a Citrix StoreFront
running on Windows exist
Direct Mode
TMG
MDM Client
Receiver
XM Device Manager
Access
Gateway
Netscaler
DMZ
Native Mail
Encryption
XM AppController
Mobile
Device
Managem
ent
Web &
Mobile
SaaS
Secure
Apps
Data
Integrated Mode
TMG
Native Mail
Encryption
MDM Client
Receiver
XM Device Manager
Access
Gateway
StoreFront
Services
XM AppController
Web &
Mobile
SaaS
Secure
Apps
Data
Deskto
ps
Apps
Netscaler
DMZ
Mobile
Device
Managem
ent
XD / XA
Citrix Receiver
Access Your Apps and Data From

Any Device
All appson a single pane of glass
Simple setup of receiver (AG 10+)

receiver.mycompany.com
Validate Certificate
Login
Setup
Access
Gatewa
y
StoreFro
nt
or
AppC
Email based configuration

me@mycorp.com
_citrixreceiver.tcp.mycorp.com
Access Gateway or Account Service
hostname
Validate Certificate
Login
Get Account
DNS
Access
Gatewa
y
Account Service
Access Gateway
What is Access Gateway?

Citrix Access Gateway is the only secure application and desktop access
solution that provides administrators with application-level control while
empowering users with access from anywhere.
Secure
Secure Single
Single
Sign-on
Sign-on to
to
StoreFront
StoreFront
Services
Services
Ticket-based
Ticket-based
Connection
Connection
Authorization
Authorization
VPN-less
VPN-less
Remote
Remote Access
Access
from
from Any
Any Device
Device
Endpoint
Endpoint
Analysis
Analysis &
&
SmartAccess
SmartAccess
Introducing Access Gateway

Trusted
Single
Sign-on
Access
Gateway
and
StoreFront
Trusted
Single
Sign-on
Access
Gateway
and
StoreFront
Services
Services verify
verify the
the existence
existence of
of each
each
other
other to
to ensure
ensure credentials
credentials are
are passed
passed
from
from aa trusted
trusted source
source
Endpoint
SmartAccess
and
SmartAccess
Endpoint analysis
analysis
and session
session policy
policy
controls
controls allow
allow for
for server-side
server-side filtering
filtering of
of
resource
resource lists
lists are
are passed
passed from
from aa
trusted
trusted source
source
Secure
Secure Ticketing
Ticketing
Network
Network Access
Access
Connections
Connections are
are authorized
authorized using
using aa
secure
secure single-use
single-use ticket.
ticket. This
This prevents
prevents
man-in-the-middle
man-in-the-middle as
as well
well as
as replay
replay
attacks
attacks
Anywhere
Anywhere Access
Access
Allows
Allows users
users to
to securely
securely access
access
desktops
desktops and
and applications
applications using
using any
any
device
device in
in any
any Application,
Application, including
including
home
home computers
computers and
and mobile
mobile devices
devices
Allows
Allows users
users to
to access
access network
network
resources
resources using
using aa traditional
traditional SSL
SSL VPN
VPN
with
with strict
strict authorization
authorization policies
policies and
and
split
split tunneling
tunneling controls
controls
VPN-less
VPN-less Access
Access
Enables
Enables secure
secure remote
remote access
access to
to
critical
critical web
web applications
applications from
from users
users
browsers
browsers without
without requiring
requiring additional
additional
client
client components
components
Micro-VPN
Policy controlled per-application tunneling technology
Relies on Citrix Receiver for authentication and SSO
Network access policy choices:
Blocked
Application network APIs are blocked and fail as if network is not available
Unconstrained
Application network APIs work normally
Tunneled
Application network APIs are tunneled through XenMobile to enterprise intranet
Full power of Access Gateway Enterprise 10.x to configure VPN behavior

Split-tunnel based on IP address ranges or domain suffix -OR- route all traffic back into
enterprise intranet
Powerful rules engine for constraining access for external applications
What Is SmartAccess?
Single logon experience to Web
Interface
Certificate/Token Required
SecurePre-authorization
Application and
Desktop
scan
Virtualization
Allow client drives connected
Delivery applications and desktops
based on Allow
trust USB devices
Dynamically
Turn
off Virtual
clipboardChannels
filter
based Connect
on endpoint
conditions
client printers
Automatically deploy client
Allow with
Remote
AERO
components
Citrix
Receiver
Secure Ticketing
SFS sends
XenApp
Policy
User clicks Inspection info to STA
and
an app
receives
SFS ticket
sends ICA
Browser
AG validates
file with STA
invokes ICA
ticket info and
ticket and AG
plug-in and
sets up ICA
info to client
sends ticket
tunnel
info to AG
Receiver
Access
Gateway
StoreFront
Services
XenDesktop
AppController
XenApp
SmartAccess Corporate Laptop
Policy
Request Inspection
Resource
MS Word
Financial
App
SAP
Win7
Desktop Access
Receiver
Gateway
XenDesktop
Policy
Result
MS Word
Financial
App
SAP
Win7
Desktop
AppController
StoreFront
Services
XenApp
VPN-less Remote Access
Policy
Request Inspection
Resource
SSL 001000111010101 SSL 00
SSL
0010
0
0111
0101
0
Secure Connection to requested

resource only
Receiver
Access
Gateway
XenDesktop
Request
Resource
1 SS
L 00
1000
1110
1010
1S
AppController
SL 0
0100
0111
0101
StoreFront
Services
01
XenApp
Remote Access
Basic scenarios
NetScaler Access Gateway + StoreFront
(no AppController)
NetScaler Access Gateway + AppController
(no StoreFront)
NetScaler Access Gateway + StoreFront +
AppController
Note: All the scenarios described that use Citrix StoreFront are using Single
Server deployment mode.
Remote Access
StoreFront only (no AppController)
Ideal for XenApp / XenDesktop customers
No need for clientless access (CVPN)
NetScaler Access Gateway needs Platform
License only
Access Gateway vserver can be set to Basic
mode
Remote Access
StoreFront only (no AppController)
Case 1: Remote access Mobile users
Native connection to stores
Case 2: Remote access for Windows/Mac users

Receiver for Web connection
Case 1: Remote Access

Mobile
New Mobile Receivers will contact
Account Services from StoreFront
Account Services will provide the
following information:
Store URL
Beacons
Access Gateway(s)
Alternatively, Mobile Receivers can

execute Provisioning File from
StoreFront

Windows and Mac Receiver Connections
New generation of Citrix Receivers
for Windows/Mac devices contain a
new Header value: X-Citrix-Gateway
The value CitrixReceiver becomes
part of the HTTP Header when
accessing the store from StoreFront
or AppController
When connecting via Receiver for
Web site, CitrixReceiver and XCitrix-Gateway are not part of the
HTTP Header
POST /cgi/login HTTP/1.1

X-Citrix-Gateway: agzeus.adolfolab.ctx
User-Agent: CitrixReceiver
Windows/6.1 AuthManager/3.0.0.47031
(Release)
Accept-Language: en-US
Content-Type: application/x-www-formurlencoded
Host: agzeus.adolfolab.ctx
Content-Length: 28

Windows and Mac Receiver Connections
New Citrix Receivers for Windows/Mac will
contact Account Services from StoreFront
Account Services will provide the following
information:
Store URL
Beacons
Access Gateway(s)
Alternatively, Receivers can execute

Provisioning File from StoreFront or
users can enter the FQDN of Access
Gateway
Remote Access
AppController only (no StoreFront)
Ideal for Enterprise customers that want
Application and User Management via
AppController
Customers do not have XenApp /
XenDesktop, hence, no StoreFront is needed
Clientless access (CVPN) is required
NetScaler Access Gateway needs Universal
Licenses
Remote Access
AppController only (no StoreFront)

Remote Access
StoreFront + AppController
Ideal for Enterprise customers that leverage
the entire XenMobile solution to access
Windows apps/desktops, Web/SaaS and
mobile apps
Clientless access (CVPN) is required
NetScaler Access Gateway needs Universal
Licenses
Remote Access
StoreFront + AppController

Licenses/Policies CG Use Cases

Cloud Gateway Express (Store Front)
Ica Proxy VIP set to Basic (no Universal License requiered it uses
XD/XA license) see Policy
Cloud Gateway Enterprise Receiver Web
Receiver Header Policy = User-Agent NOTCONTAINS

CitrixReceiver&&Referer EXISTS
RfWeb Rewrite Policy This policy hits for all RfWeb traffic and
essentially turns Server side Rewrite ON. See Policy
Cloud Gateway Enterprise Apps,SaaS Web,Micro vpn
AGEE VIP set to Smart Access (universal license needed)

Cloud Gateway Enterprise Receivers
User-Agent CONTAINS CitrixReceiver&&X-Citrix-Gateway EXISTS

Applies to
Receiver Header Policy= RfWin >= 3.3 .x
RfMac >= 11.6x
RfAndroid >= 3.1.x
RfIOS >= 5.6.1x
See policy
No Rewrite policy This policy is hit for all non-RfWeb traffic, and essentially
turns off server side Rewrite. This is done since, Receivers will provide Client side
rewrite
Access Gateway is licensed Types

Platform License &Universal License
Platform Licenses
Every Access Gateway (VPX/MPX) comes with a Platform license, which

enables all the basic functionality in Access Gateway. After purchasing an
appliance, this license is automatically made available in your MyCitrix
account, and can be easily downloaded and installed on your appliance.
Platform licenses can be used to provide seamless access to:
ICAProxy access to XenApp / XenDesktop, using Web Interface
ICAProxy access to XenApp / XenDesktop, using Storefront (XenMobile
Express
Universal Licenses
Universal Licenses are used to enable additional/advanced functionality on
access gateway appliances. These are add-on licenses and work along with
the Platform licenses to provide seamless access to your Citrix deployments.
Universal licenses are purchased separately from the appliance, and can be
installed in the same manner as the platform license.
Universal licenses can be used to turn on the following advanced
functionalities:
End Point Analysis
Smart Access to XenApp/XenDesktop
CVPN Clientless access to internal web resources
Full Tunnel (SSL VPN)
MDX Micro VPN
Universal License use case

Universal Licenses are required to support the
following Citrix deployments:
ICAProxy access to XenApp / XenDesktop with
Smart Access (both Web Interface and Storefront)
XM Mobility Bundle Mobility (AppController)
XM Mobility Bundle (AppController + Storefront)
Virtual Server Modes

Basic vs Smart Access
Basic Mode vServer

A basic mode vServer is a server that consumes
platform licenses and hence can be used to provide
ICAProxy access to your XenApp / XenDesktop
deployments, both via Web Interface and Storefront. A
basic mode vServer essentially works out of the box,
without the need to purchase any additional licenses
Smart Access mode vServer

A smart access mode vServer essentially consumes Universal licenses and
can be used to provide access to any Citrix deployment. Including XenApp /
XenDesktop / XenMobile. Hence one can set up such a vServer only if
additional Universal licenses are purchased, or are received as a bundles
offering with XM Mobility Bundle / Xen Desktop platinum offerings. Note that a
Smart Access vServer can only consume Universal licenses and will start
dropping connections, once all universal licenses are consumed
Mobile ROI
Citrix- Competitive
The Most Comprehensive
Solution
Citrix
Position
Device
Managemen
t
MDM
Sandboxed
mail and
web
MDM Edition
Mobile
network
control
SSO &
Id Mgmt
Enterprise
Enterprise
Collaboratio
Mobile app Desktop & Secure data
n
control
security
App
Virtualizatio
Mobility Management
n
GoToMeeting
GoToAssist
Podio
Why Citrix?
Comprehensive
Any device with MDM

Any app with MAM & XenApp
Any data with file sync & share
Compelling
Beautiful, simple user experience

Stunning apps for email & web
Easy to use admin interface
Compliant
Device, app & data security

Policy compliance across platforms & apps
Scenario-based controls
Our Tier-1 Competition The Usual Suspects

Facts
The low price leader
Point solution for MDM
Legacy mobile
email
133 with bad user
Founded in 2003 and based in Atlanta

Funded by founders
Started in wireless LAN management software before
MDM
Offers primarily cloud based MDM
Aggressive marketing/awareness spend
Founded in 2007 and based in SF Bay Area
Venture funding from Sequoia Capital, Norwest Venture
Partners, Storm Ventures and Foundation Capital
Shipping products since Q4 2009
AT&T partnership is primary route to market
Started with wireless email access for corporate users

Based in SF Bay Area
Specializes in secure email and PIM
Acquired (2006) and sold (2009) by Motorola
Recent acquisitions include Copiun (data) and
AppCentral (apps)
Our Tier-1 Competition The Usual Suspects

Strengths
Win customers at all
cost
High awareness
Aggressive with new
features
Legacy mobile
email
134 with bad user
Weaknesses
Weak on-prem offering
Poor reliability
Poor support
Strong 1st gen MDM

Execution focus
Playing catch-up in
MDM 2.0
Poor customer
satisfaction
One of the early

players
Secure mobile email
FIPS certification
Niche solution
Restrictive container
approach
Poor user experience
How They Will Position Against Citrix + Zenprise

Lose Focus or
Dismantle Company
Zenprise CEO GM of mobile BU
100% of Zenprise team on-boarded
Mobile is top priority with 2x dev
team
Citrix solid track record 45% of
Revenue from acquisitions
Lose All the

Best People
Strong team built on customer
success
Key employees have large/small
exp
Wont Integrate
Highly complementary roadmap
Strong technology integration track
record with prior acquisitions (e.g.,
XenSource, Netscaler, ShareFile)
Support Will Decline

Both companies have strong
commitment to CSAT
Both have top loyalty ratings
(NPS in mid-+60s Nordstrom
Summary Competitive Plays
Legacy mobile email

with bad user
experience
Lead with on-premise differentiation

Future proof mobile strategy with
comprehensive solution from established
vendor
Highlight quality/reliability and support
differentiators
Lead with comprehensive vs. point products
message
Manage apps and data beyond smartphones and
tablets
Highlight scalability and follow-the-sun support
Lead with comprehensive, superior user
experience message
Ability to provide MDM, MAM or both
True follow me data and Any app on any
device
Our Strategic Features vs. Competitors

Strategic feature
Citrix
AirWatch
MobileIron
Good
via a third party
Mail, docs, browser.

Sandboxed, yet stunning
Docs and browser

(no DLP controls);
no mail
Docs and mail

(attachmts only; no
DLP controls); no
browser
Mobile app containers via MDX.

BYO apps secured
None
Roadmap
Good Dynamics
SDK
Unified app store.

Any app, any device
Mobile only
Mobile only
Mobile only
Federated identity & single sign

on. Login once
SAML only; not

across all apps
No SSO
Only between Good

apps
Scenario-based access
controls. Dynamic network
protection
No context-based
access
No context-based
access
Enterprise grade MDM.

All devices managed
ShareFile & Follow-Me-Data
Why ShareFile?
Enable workforce mobility & BYOD
Address the Dropbox-Problem
Simple and secure data sharing
Fellow employees
Team collaboration
Clients, 3rd party collaboration
Enhanced productivity
Enables file sharing with anyone

Syncs data across all devices
Online file sharing spaces for virtual teams
Selective offline access on mobile devices
Store
Sync
Data protection
Encryption
Device lock
Remote wipe
Poison-pill
Share
Citrix XenMobile & ShareFile

Advanced Authentication & Provisioning
XenApp Integration
Data protection Encrypt, Lock & Wipe
Policy-based Control
Offline Access and 2 way
Synchronization
Single Sign On
AD / Role based provisioning
141
Security Information
SSAE 16 audited data centers
SSL Encryption in transit
AES 256-bit encryption at rest
All uploaded files scanned for viruses
Daily scans for McAfee SECURE accreditation
All ShareFile servers protected by dedicated firewalls
Enterprise Active Directory Options

SAML 2.0 Support
Requires customer provided and
configured SAML provider
Microsoft ADFS Support
Also supports popular Identity
Providers such as:
OneLogin
CA SiteMinder
PingIdentity PingFederate
SalesForce
Xen Mobile
Selective data wipe
Instant user provisioning and deprovisioning
Real-time SaaS application monitoring
Comprehensive access control policies
Unified storefront for all applications, data
and services
StoreFront Services
XenMobile Enterprise + XD / XA
Integrated Mode with StoreFront Services

TMG
Native Mail
Encryption
MDM Client
Receiver
XM Device Manager
Access
Gateway
SF
XM AppController
Web &
Mobile
SaaS
Secure
Apps
Data
Deskto
ps
Apps
Netscaler
DMZ
Mobile
Device
Managem
ent
XD / XA
StoreFront Services
Search to quickly find, subscribe to, or launch
apps, documents or services
Role based Follow-me Subscriptions for
applications and data
Request applications
Single authentication
Integrated with Citrix Online GoTo Products
Apps can be:
Hosted
Streamed (App-V or Citrix)
Web (SaaS)
Enterprise-ready Storefront
Infrastructure
t
Fron
Store
t
Fron
Store
Credential Wallet
Replicated
t
Fron
Store
SQ
L
Central
Subscription
2013 Citrix | Confidential Do Not Database
Distribute
t
Fron
Store
Centralized administration
Leverages SQL Server
Easy to scale out
Resources
Tools to be successful
148
From Demo Center to onsite PoC

Provision DC environment (Allow 24h for completion)
https://demo.citrix.com
Log on with your citrite / citrix credentials
Receive automated email with instructions for DC

Usernames and Passwords
Links to all documentation needed for DC
Demo solution to customer using step by step Demo Guide

Schedule onsite PoC and make use of the XenMobile PoC Kit
https://www.citrix.com/skb/articles/RDY9633
Sales Resources Available

Sales Knowledge Base/Success Kits
www.citrix.com/skb
www.citrix.com/successkits
Customer Overview Deck

Customer Tech Deck (for technical IT audiences)
Pricing & Licensing Deck
Product Reference Card/Battlecards
Selling & Positioning Deck
Citrix Mobile Solutions Bundle/XenMobile MDM D&Q Card
POC Kit
Competitive
Executive Checklist whitepaper on building an enterprise mobility strategy
10 Must-Haves whitepaper on secure enterprise mobility
Demo Center
http://demo.citrix.com
http://www.citrix.com/skb/articles/RDY9505
Useful presentations
Citrix Mobile Solutions Bundle/XenMobile MDM Technical Deck
Citrix Mobile Solutions Bundle/XenMobile MDM Selling & Positioning Deck

Citrix Mobile Solutions Bundle/XenMobile MDM Customer Deck

Citrix Mobile Solutions Bundle/XenMobile MDM Pricing & Licensing Deck

XenMobile MDM & Citrix Mobile Solutions Bundle Reference Architecture

Prepare for a Successful POC

XenMobile PoC Kit
Make use of the Prerequisite

Checklist
It will save your life!!!

Citrix XenMobile Tech Deck - V1.6

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Citrix XenMobile Tech Deck - V1.6

Загружено:

Авторское право:

Доступные форматы

Citrix XenMobile

Enterprise Mobility in Numbers

Multiple Locations App Proliferation

Source: Citrix and leading analysts

2013 Citrix | Confidential Do Not Distribute

work from home

2013 Citrix | Confidential Do Not Distribute

How Mobile Feels Today

2013 Citrix | Confidential Do Not Distribute

2013 Citrix | Confidential Do Not Distribute

A complete stack for

2013 Citrix | Confidential Do Not Distribute

Control access polices for

Productivity and Collaboration

Two Simple Packages

Secure, simple to use

2013 Citrix | Confidential Do Not Distribute

Enroll and Connect. Connect

MDM Server. Policy server and admin

ShareFile. Follow-me data

Mobility Bundle (with Data Add-On)

Enroll and Connect. Connect

MDM Server. Policy server and admin

Receiver. Unified app store,

AppController. Mobile, SaaS, and web

Netscaler Access Gateway. SSL VPN

NetScaler appliance & ShareFile sold separately

My users are bringing in all

issuing shared tablets to shift

2013 Citrix | Confidential Do Not Distribute

Want to give device

2013 Citrix | Confidential Do Not Distribute

Mobile Device Manager

Using Good, but the

make my users lives

Mobile Solutions Bundle

2013 Citrix | Confidential Do Not Distribute

Beautiful email client, sandboxed for

2013 Citrix | Confidential Do Not Distribute

2013 Citrix | Confidential Do Not Distribute

give employees mobile

need SSO for my

give users easy

Mobile Solutions Bundle

2013 Citrix | Confidential Do Not Distribute

need to secure and

Secure email to any iOS/ Android

Mobile Solutions Bundle

2013 Citrix | Confidential Do Not Distribute

Mobile Apps & Data

2013 Citrix | Confidential Do Not Distribute

All Apps & Data -XA & XD Integration

Complete Mobility Infrastructure Apps, Data, and Devices

2013 Citrix | Confidential Do Not Distribute

iOS and Android device security control

Secure email to any iOS/ Android device

22 SAML Federation and AD based identity management

Citrix The Most Complete Mobile Portfolio

2013 Citrix | Confidential Do Not Distribute

SSO and Identity

XenMobile MDM Edition

Complete Mobility Infrastructure Apps, Data, and Devices

XenMobile Device Manager

Control data access with DLP add-on