January 2018
citrix.com 4
Training Overview
Objective
This training will provide you with hands-on experience in setting up a XenMobile Server with NetScaler to
provide an enterprise-grade unified endpoint mobility solution. The guide starts with the initial
configuration steps and continues through to using the best practices from Citrix consultants to "fine tune" the
deployment.
Required Prerequisites
The required prerequisites include a basic understanding of Unified Endpoint Management concepts such
as MDM and MAM, an understanding of the types of applications that are required to be deployed to devices
(such as Web, SaaS, native and wrapped mobile apps), and a basic understanding of networking concepts within
enterprise mobility and NetScaler.
Optional Prerequisites
In order to complete all the exercises within this document you will need to use an un-enrolled iPhone
and/or Android phone/tablet. However, you can still complete the majority of the exercises with the Win10
Desktop.
Audience
(Target audience table not recovered from the page.)
Conventions
Text the student enters or an item they select is printed like this: reboot
Lab Diagram
(Diagram of the Student Desktop, the Internet and the lab virtual machines; only the labels survived.)
Virtual Machines
VM Name IP Address Description
(The table rows did not survive extraction. The machines referenced by the exercises are XMS1 at 192.168.10.20, AD.training.lab (LDAP primary server) at 192.168.10.11, NetScaler at 192.168.10.50, sqlserver.training.lab, Win10Client and the Student Desktop.)
Credentials
User Name Password Description
(The table rows did not survive extraction. The exercises use training\administrator / Citrix123 and sales1 / Citrix123.)
Lab Scenario
You have been hired as a consultant to deploy XenMobile Enterprise Edition for MobileTex, Inc.
in order to provide secure mobile access to business-critical data and resources. The company will
be offering a Bring Your Own Device mobility solution to its employees. Additionally, sales teams will
be given a Windows tablet/laptop that will require additional management controls. Your task is
to use the guidelines outlined below to implement a solution that meets the business needs.
Guidelines:
All users will require secure remote access to company data, such as e-mail, documents and
spreadsheets, which should be available to employees both internally and externally. The company
will require this data to be containerized whilst on personal devices, with the ability to selectively
wipe corporate data.
End users should be able to browse internal sites securely; only approved Internet sites should
be accessed through corporate applications.
The company requires the use of two-factor authentication for specific enterprise applications.
The company wishes to manage all BYO (bring your own) end user devices with XenMobile,
which may include iOS, Android and Windows 10 smartphones, tablets and laptops.
Sales will be issued with a corporate Windows tablet or laptop, which requires them to be
restricted as MDM managed devices. The automatic Windows Update service should also be
blocked.
The company has an existing XenDesktop infrastructure which they would like the mobile device
fleet to integrate into; however, due to strict compliance laws it must be possible to restrict access
for devices that are not compliant with corporate policies.
Module 1: Initial Configuration
Exercise 1: Initial configuration of XenMobile Server
Overview
Configuring the XenMobile Server is a two-part process. The initial configuration is done at the
console of the server by configuring the new password, network settings (i.e. IP address, subnet
mask, default gateway), database location, and external FQDN. Once this is done, you connect
to the Administration Console from a web browser to continue the basic configuration via the
Start-up Wizard. In this lab, you will perform the initial configuration at the console of the
XenMobile Server.
Citrix recommends the use of MS SQL Server rather than the more limited SQL Server Express. A
Microsoft SQL Server VM has already been set up for you.
Virtual machine used: XMS1
2. If an existing XenServer is displayed, right-click the XenServer node and click Connect.
Step Action
3. If there is no XenServer listed in XenCenter, click Add New Server to add your XenServer to XenCenter.
Click Add
5. Optional: If you get the following message, click Close.
7. Within XenCenter, select the XM 10.7 virtual machine and click the Console tab. You
will notice that the XenMobile Server is in First Time Use (FTU) mode.
Configure the following:
New Password: Citrix123
8. Configure the Network settings:
IP Address: 192.168.10.20
Netmask: 255.255.255.0
9. When the network settings are applied you will be prompted to confirm whether this is an
upgrade. Hit Enter to confirm this is a new install.
10. Type n and press Enter to set the Encryption Passcode manually.
12. You are given the option to enable FIPS. Hit Enter to accept the default [n].
13. Next we will configure a remote database connection. In this lab the administrator
account has dbcreate permissions; in a production deployment a service account should
be used.
Configure the following settings:
Server: sqlserver.training.lab
Username: training\administrator
Password: Citrix123
14. You are prompted to enable clustering. Hit Enter to accept the default [y].
15. You are prompted for the XenMobile hostname. This will be the enrollment FQDN for an
Enterprise deployment of XenMobile Server.
Enter <IP2 FQDN> from your portal page and hit the Enter key.
16. Configure the following communication ports (Port listeners):
HTTPS with certificate authentication: Hit Enter to accept the default [443]
HTTPS with no certificate authentication: Hit Enter to accept the default [8443]
17. Press Enter to accept the default instance name [zdm], then press Enter to confirm.
18. You are asked if you wish to use the same password for all certificates of the PKI.
Hit Enter to accept the default [y].
Configure the following:
New Password: Citrix123
Re-enter new password: Citrix123
19. You are prompted to configure the XenMobile console administrator account.
Configure the account as follows:
Password: Citrix123
20. The initial system configuration is complete. Make a note of the URL given to complete
the setup process.
Exercise Summary
You have now configured the XenMobile Server FTU wizard including networking information, FQDN,
DNS Server, and connection to a remote SQL database. Please move on to Exercise 2 to complete the
initial configuration.
Exercise 2: Getting Started with XenMobile Server
Overview
In this exercise we will go through the XenMobile Server Getting Started wizard, where you will
configure the Citrix License Server, install the required certificates, and configure LDAP and
NetScaler Gateway integration. Once completed, you will then be able to configure categories,
applications, policies, and delivery groups.
In this exercise you will:
Complete the XenMobile Server Getting Started Wizard
2. Browse to https://192.168.10.20:4443
3. The Get Started page is displayed. Click Start to begin the configuration wizard.
5. Enter the following settings for the license server:
License Type Remote license
License Server licenses.citrixvirtualclassroom.com
Port 27000
Click Test Connection. The license server will retrieve your licenses.
6. Select the Citrix XenMobile Enterprise Edition User license and Activate
Click Next
7. Next we will need to import the required Certificates into the XMS Server. On the
Certificate page, click Import.
8. First we will import the APNs certificate to enable iOS device connectivity. Configure the
following settings:
Import Keystore
Keystore type PKCS#12
Use as APNs
Keystore file APNS.pfx (Browse to \\Ad\Software\Certificates)
Password Citrix123
Click Import
9. Next we will install the SSL Listener certificate. Click Import again.
10. You receive a prompt advising that this will replace the existing self-signed certificate, and
that when installing this type of certificate a server reboot is required to complete the
installation.
Click OK.
11. Click Import again.
Click Import.
12. The APNs, Root and SSL Listener certificates are displayed.
Click Next.
13. Click Next. You are prompted to configure NetScaler Gateway.
On the lab portal page you will find your IP1 FQDN
Click Next.
14. The LDAP Configuration page is displayed.
Configure the following settings:
Primary Server 192.168.10.11
Port 389 (Default)
Domain name training.lab
User base DN dc=training,dc=lab (auto-filled in)
Group base DN dc=training,dc=lab (auto-filled in)
User ID administrator@training.lab
Password Citrix123
Domain alias training.lab
Use search by sAMAccountName
Click Next.
17. The initial configuration is complete. Click Start Managing XenMobile
18. You land on the XM reporting screen. Proceed to the next step.
Exercise Summary
You have now completed the initial steps to install and configure XenMobile Server. Please continue to
Exercise 3, where you will configure the apps, resources and policies that are applied to end users.
Exercise 3: Creating Device Policies
Overview
XenMobile Server empowers enterprise organizations to apply device configurations, settings,
and security parameters to multiple device platforms and operating systems. In this exercise,
students will configure policies on XenMobile Server to push to iOS, Mac OS X, Android and
Windows 10 devices.
2. Browse to https://192.168.10.20:4443
3. In the XenMobile Server management console, select the Configure tab and click the
Device Policies node.
5. Click Passcode
6. The Policy Information page is displayed. Configure the following:
Policy name Passcode
Click Next.
7. For this exercise we will set a passcode policy for iOS, Mac OS X, Android and
Windows Phone and Desktop/Tablet devices. Please ensure only these platforms are
selected.
8. The Policy Information window is displayed for iOS devices.
Configure the following settings:
Passcode required On
Minimum length 4
Maximum failed sign-on attempts 4
Click Next.
9. The Policy Information window is displayed for Mac OS X devices.
Configure the following settings:
Passcode required On
Minimum length 6
Maximum failed sign-on attempts 4
Click Next
10. The Policy Information window is displayed for Android devices.
Configure the following settings:
Passcode required On
Minimum length 4
Maximum failed sign-on attempts 4
Enable encryption On
Click Next
11. The Policy Information window is displayed for Windows Phone devices.
Configure the following settings:
Passcode required On
Characters required Numeric or alphanumeric
Minimum length 4
Maximum failed sign-on attempts before wipe 4
Click Next
12. The Policy Information window is displayed for Windows Desktop/Tablet devices.
Configure the following settings:
Minimum passcode length 6
Passcode expiration in days 90
Passcode History 10
Maximum Inactivity before device lock in minutes 10
Click Next
(We will use AllUsers for convenience in the lab. In production it is recommended to
add new Delivery Groups for all users.)
14. The Passcode policy is displayed.
15. On the Device Policies window, click Add.
16. On the right, scroll down to Custom and select Custom XML.
18. The first policy you will create is required to block the user from un-enrolling and
removing management from their device.
Configure the following:
Policy name Windows Device – Block Un-enroll
Click Next
19. In the next screen you will need to enter the XML content.
(Open File Explorer and browse to \\ad\software\Win 10 Custom XML)
20. Right click on MDM Unenrollment.xml and open with WordPad.
21. Highlight the text, then copy and paste into the XML content window in the XenMobile
GUI.
22. Repeat steps 15 – 18 to create another XML policy that will block the user from installing
any Windows Updates.
23. Configure the following
Policy name Windows Device – Block Updates
Click Next
24. In the next screen you will need to enter the XML content.
(In File Explorer Browse to \\ad\software\Win 10 Custom XML)
25. Right click on Win Updates.xml and open with WordPad.
26. Highlight the text, then copy and paste into the XML content window in the XenMobile
GUI.
27. Repeat steps 15 – 18 to create a final XML policy that can be used to perform a full
factory reset on the device in the event that it is lost or stolen.
28. Configure the following
Policy name Windows Device – Factory reset
Click Next
29. In the next screen you will need to enter the XML content.
Browse to \\ad\software\Win 10 Custom XML
30. Right click on Factory Reset.xml and open with WordPad.
31. Highlight the text, then copy and paste into the XML content window in the XenMobile
GUI.
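The contents of the three XML files are not reproduced in this guide. The PowerShell below is an added example, not the lab's own files or Citrix code: it holds one plausible OMA-DM body per policy and runs the checks worth doing before pasting a body into the XML content window (well-formed XML, a single SyncML command as the root, the CmdID placeholder, a Windows CSP LocURI, and a typed Data value for Add/Replace). The CSP nodes used (Policy/Config/Experience/AllowManualMDMUnenrollment, Policy/Config/Update/AllowAutoUpdate and RemoteWipe/doWipe) are real Windows MDM nodes, but their choice for these three policies and the _cmdid_ placeholder convention are assumptions about how the lab files are written.

```powershell
# Added example (not from the lab guide or its XML files): pre-flight checks for Custom XML
# policy bodies. The three bodies are assumed equivalents of the lab files; the CSP node paths
# are real Windows MDM nodes but their use for these policies is an assumption.
$policies = [ordered]@{
  'Windows Device – Block Un-enroll' = @'
<Replace>
  <CmdID>_cmdid_</CmdID>
  <Item>
    <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
    <Data>0</Data>
  </Item>
</Replace>
'@
  'Windows Device – Block Updates' = @'
<Replace>
  <CmdID>_cmdid_</CmdID>
  <Item>
    <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
    <Data>5</Data>
  </Item>
</Replace>
'@
  # Exec on doWipe performs a factory reset: keep this policy unassigned until it is actually needed
  'Windows Device – Factory reset' = @'
<Exec>
  <CmdID>_cmdid_</CmdID>
  <Item>
    <Target><LocURI>./Device/Vendor/MSFT/RemoteWipe/doWipe</LocURI></Target>
  </Item>
</Exec>
'@
}

function Test-CustomXmlBody {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Body)
    $problems = @()
    try { $doc = [xml]$Body }
    catch { return [pscustomobject]@{ Policy = $Name; Ok = $false; LocURI = $null
                                      Problems = @("not well-formed XML: $($_.Exception.Message)") } }
    $cmd = $doc.DocumentElement
    if ($cmd.LocalName -notin @('Add','Replace','Exec','Delete')) {
        $problems += "root must be a SyncML command, found <$($cmd.LocalName)>"
    }
    $cmdId = $cmd.SelectSingleNode('CmdID')
    if (-not $cmdId -or $cmdId.InnerText -ne '_cmdid_') {
        $problems += 'CmdID must be the _cmdid_ placeholder (the server numbers commands itself)'
    }
    $locUri = $cmd.SelectSingleNode('Item/Target/LocURI')
    if (-not $locUri) { $problems += 'missing Item/Target/LocURI' }
    elseif ($locUri.InnerText -notmatch '^\./(Device/|User/)?Vendor/MSFT/[A-Za-z0-9_/.\-]+$') {
        $problems += "LocURI '$($locUri.InnerText)' is not a Windows CSP path"
    }
    if ($cmd.LocalName -in @('Add','Replace')) {
        if (-not $cmd.SelectSingleNode('Item/Data')) { $problems += 'Add/Replace needs an Item/Data value' }
        if (-not $cmd.SelectSingleNode('Item/Meta')) { $problems += 'Add/Replace should declare the value type in Item/Meta/Format' }
    }
    [pscustomobject]@{ Policy = $Name; Ok = ($problems.Count -eq 0); LocURI = $locUri.InnerText; Problems = $problems }
}

$results = foreach ($entry in $policies.GetEnumerator()) { Test-CustomXmlBody -Name $entry.Key -Body $entry.Value }
$results | Format-Table Policy, Ok, LocURI -AutoSize
$results | Where-Object { -not $_.Ok } | ForEach-Object { "$($_.Policy): $($_.Problems -join '; ')" }
```

Paste a body into the XenMobile XML content window only once it reports Ok. The structural checks (single command root, placeholder CmdID, CSP path) are what a malformed paste usually gets wrong; the wipe body is deliberately an Exec with no Data element, which the function accepts.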
32. Now you will set up a Windows Information Protection (WIP) policy. This is a Windows
10 technology that protects against the potential leakage of enterprise data.
33. The last policy we are going to set up ensures that Android devices receive policy
updates and new apps without user interaction. On iOS this is accomplished by
APNs; for Android devices we will set up a scheduler (interval or always connected).
Click Add again.
The Add a New Policy window is displayed. Select Scheduling and enable only the
Android platform to keep it connected to the XenMobile Server.
34. Enter Schedule as the policy name. Disable the remaining platforms and click Next.
35. Accept the default option Always to permanently keep the device connected.
Click Next and assign the policy to the AllUsers delivery group. Then click Save.
36. You have now set up all the policies that we will use for this lab. We will now set up
Client Properties to enhance the user experience.
37. Click the Settings icon on the green ribbon and navigate to Client Properties.
38. The Client Properties are displayed. Click Enable Citrix PIN Authentication then
click Edit.
40. Configure the remaining Client Properties with the following settings.
Note: Some of the settings in the table below can be found on page 2.
Exercise Summary
This completes the exercise to set up a simple passcode policy for all devices that enroll, ensuring basic
device security and device-level encryption are enabled across all devices. You have then created some
advanced policies that will be deployed later to Sales users' Windows 10 corporate devices. We have also
enabled the Citrix PIN to allow for simple authentication against the NetScaler Gateway.
Exercise 4: Deploying and Configuring Apps
Overview
In this exercise you will create app categories within the XenMobile Server. You will then add
mobile, web and SaaS applications and assign them to the appropriate category.
In this exercise you will:
Upload Apps and assign them into XenMobile Store categories
Virtual machine used: Student Desktop
3. Click Category.
4. The Categories Window pops up. In the Add new category text box, enter Sales
Apps and click the plus sign in the green box.
7. Click Add.
8. In the Add App window, click the Web Link app type.
9. The Add Web App window is displayed. Configure the following settings:
Click Next.
12. This time select MDX.
14. Deselect the Windows Phone and Windows Desktop/Tablet platform options on the
left.
Click Next.
16. The iOS MDX App details and policy options appear.
17. Scroll down to the Network Access section and verify the following is selected:
18. Scroll down to the App Settings section and configure the following settings:
Click Next.
21. In the Android MDX App window, click Upload.
22. The Android MDX App details and policy options appear.
23. Scroll down to the Network Access section and verify the following is selected:
24. Scroll down to the Applications Settings section and configure the following settings:
Secure Mail Exchange Server exchange.training.lab
Secure Mail user domain training
Background network services exchange.training.lab:443
Background network service gateway <IP1 FQDN>:443
Click Next.
26. The Approvals window is displayed. Click Next to skip the Approvals window.
27. In delivery group assignments apply to AllUsers and click Save to save the application
and its settings.
28. Secure Mail has been added to the App Store.
31. Deselect the Windows Phone and Windows Desktop/Tablet platforms on the left.
Click Next.
33. The iOS MDX App details and policy options appear.
34. Scroll down to the Network Access section and ensure the following is configured:
Click Next.
36. The Android MDX App details and policy options appear.
37. Scroll down to the Network Access section and ensure the following is configured:
Click Next.
40. Secure Web has been added to the App Store.
41. You should continue to add the remaining MDX apps following this process, ensuring
that all have Network access set to tunnelled to the internal network.
Exercise Summary
In this exercise we have uploaded a web clip and wrapped MDX apps to deploy to iOS and Android
devices. Next we will need to configure the delivery groups to assign the apps and policies to users.
Exercise 5: Assigning Resources to Delivery Groups
Overview
In this exercise students will create Delivery Groups within the XenMobile Server. Students will
then map Active Directory groups to those roles and assign applications to the respective
delivery groups.
In this exercise you will:
Create and edit delivery groups to assign resources such as apps and policies to users
Virtual machine used: Student Desktop
3. Click Add.
4. Name the Delivery Group Sales.
Click Next.
6. The Sales group is enumerated. Click the checkbox next to the Sales group.
Click Next.
7. The Policies window is displayed. Drag the Windows Device Block Un-enroll and
Updates Policies and Passcode policies to the right to assign to the delivery group.
Click Next.
12. The Summary page is displayed. Click Save.
13. The Sales delivery group is saved. Select the AllUsers delivery group and click Edit.
15. In Policies, Passcode and Schedule should be the only assigned policies. Click Next.
16. In Apps, remove all from Optional Apps, then drag Secure Mail, Secure Web and Citrix
to Required Apps.
Click Next 4 times, then Save to amend the AllUsers delivery group.
Exercise Summary
In this exercise you have created specific delivery groups and assigned them to Active Directory security
groups so that BYO users and Sales users receive the Policies and Apps that they require.
Exercise 6: Configuring NetScaler using Wizards
Overview
In this exercise you will use the XenMobile Get Started wizard within the NetScaler
Configuration Utility to configure NetScaler Gateway for an Enterprise Store. The wizard will
create the virtual server, load balancing virtual server, policies, and profiles necessary to
connect to the enterprise store on the XenMobile Server.
Load balance MDM and MAM traffic between the XMS and mobile devices
2. Browse to http://192.168.10.50
3. On the NetScaler Configuration tab, in the Integrate with Citrix Products section,
click XenMobile.
4. In the NetScaler for XenMobile window click Continue.
5. Click Continue.
6. In Server Certificate for NetScaler Gateway a wildcard certificate has already been
installed. Select Continue.
If you receive a warning to validate the certificate: the certificate chain is complete
except for the Root CA certificate, therefore click Continue.
7. Configure the following LDAP Authentication Settings:
IP Address 192.168.10.11
Port 389
Base DN dc=training,dc=lab
Service account administrator@training.lab
Password Citrix123
Confirm Password Citrix123
Server Logon Name Attribute sAMAccountName
Click Continue.
Note: A best practice is to use a dedicated service account as the LDAP bind (Service
account) identity. However, for this lab environment and exercise, we are using the
administrator account.
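The LDAP settings entered here (and in the XenMobile Getting Started wizard in Exercise 2, step 14) can be checked from the Student Desktop before the gateway is relied on. The PowerShell below is an added example, not part of the Citrix lab guide: it binds with the lab account, looks up a user the way the gateway does when "search by sAMAccountName" is selected, and confirms that the Active Directory group later mapped to the Sales delivery group exists and contains that user. It assumes the Student Desktop can reach 192.168.10.11 on TCP 389 and that the user sales1 and the group Sales exist (both are used later in the lab).

```powershell
# Added example (not part of the Citrix lab guide): verify the LDAP settings used by the
# XenMobile and NetScaler wizards resolve users by sAMAccountName and find the Sales group.
# Assumes TCP 389 to 192.168.10.11 is reachable and that sales1 / Sales exist in training.lab.
Add-Type -AssemblyName System.DirectoryServices

function Find-LdapObject {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Attributes = @('distinguishedName'),
        [string]$Server   = '192.168.10.11',
        [int]   $Port     = 389,
        [string]$BaseDn   = 'dc=training,dc=lab',
        [string]$BindUser = 'administrator@training.lab',   # lab only; use a service account in production
        [string]$BindPass = 'Citrix123'
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:${Port}/$BaseDn", $BindUser, $BindPass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.SearchScope = 'Subtree'   # whole domain, matching a base DN of dc=training,dc=lab
    $searcher.FindOne()
}

function Test-XmsLdapSettings {
    param([string]$UserName = 'sales1', [string]$GroupName = 'Sales')
    # Same filter shape the gateway uses when "search by sAMAccountName" is selected
    $user = Find-LdapObject -Filter "(&(objectClass=user)(sAMAccountName=$UserName))" `
        -Attributes @('distinguishedName','userPrincipalName','memberOf')
    $group = Find-LdapObject -Filter "(&(objectClass=group)(sAMAccountName=$GroupName))" `
        -Attributes @('distinguishedName','member')
    $userDn  = if ($user)  { $user.Properties['distinguishedname'][0] }  else { $null }
    $groupDn = if ($group) { $group.Properties['distinguishedname'][0] } else { $null }
    [pscustomobject]@{
        UserFound   = [bool]$user
        UserDN      = $userDn
        UserUPN     = if ($user) { $user.Properties['userprincipalname'][0] } else { $null }
        GroupFound  = [bool]$group
        GroupDN     = $groupDn
        # direct membership only; nested groups are not expanded here
        UserInGroup = [bool]($user -and $group -and (@($group.Properties['member']) -contains $userDn))
    }
}

Test-XmsLdapSettings | Format-List
```

A bind failure here surfaces the same problem the wizard's Test Connection would hide behind a generic error, and UserInGroup being false explains an empty Sales delivery group before any device is enrolled.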
8. Configure the following App Management Settings:
10. Add the XenMobile Server by clicking Add Server
Site1-XMS1 192.168.10.20
12. The Load Balancing Virtual Server Configuration window comes up.
Configure the following settings:
IP Address 192.168.10.93
Name XenMobileMDM
13. Confirm that the XenMobile server has been added automatically and click Continue.
15. NetScaler Gateway and XenMobile Server Load Balancing should be reported as “up”.
There is a connectivity test to confirm the configuration if required.
Exercise Summary
In this exercise we have configured a basic setup of the NetScaler to provide a remote access or
microVPN gateway for devices to connect to internal resources. We have also configured Load Balancing
across the MDM and MAM communications enabling us to easily scale the deployment by adding
additional XMS nodes.
Module 2: Advanced Configuration
Exercise 7: XenMobile Server Fine Tuning
Overview
In this exercise we will leverage the fine-tuning recommendations from Citrix Consultants. You
will focus on the settings that are most frequently configured to optimize the XenMobile server’s
integration with SQL and Active Directory. Please check the Tuning XenMobile Operations
pages on docs.citrix.com for full details.
2. Browse to https://192.168.10.20:4443
3. Firstly we will optimise the number of available connections between the XenMobile
Server and the SQL database. The recommendation for fewer than 5000 devices is
200 connections.
Click the Settings icon on the green ribbon.
5. Configure the following custom key settings
Key hibernate.c3p0.max_size
Value 200
Display Name hibernate.c3p0.max_size=200
Description DB Connections to SQL
Click Save
6. To activate the changes you must reboot the XenMobile Server. Click OK
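To see whether the new pool size is actually in use after the reboot, count sessions from the SQL Server side. The PowerShell below is an added example, not from the lab: it connects to sqlserver.training.lab with Windows authentication (run it as a domain user such as training\administrator) and groups live sessions by originating host and program. The assumption that XenMobile's sessions report a host_name beginning with XMS is mine; adjust the pattern to whatever host_name the query shows.

```powershell
# Added example (not part of the Citrix lab guide): count SQL Server sessions per client host
# so the hibernate.c3p0.max_size change (200) can be verified after the XenMobile reboot.
# Assumes Windows authentication to sqlserver.training.lab; the 'XMS*' host pattern is an assumption.
function Get-SqlSessionCounts {
    param([string]$SqlServer = 'sqlserver.training.lab')
    $query = @"
SELECT host_name, program_name, login_name, COUNT(*) AS sessions
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
GROUP BY host_name, program_name, login_name
ORDER BY sessions DESC;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlServer;Database=master;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $rows += [pscustomobject]@{
                HostName = [string]$reader['host_name']
                Program  = [string]$reader['program_name']
                Login    = [string]$reader['login_name']
                Sessions = [int]$reader['sessions']
            }
        }
        $reader.Close()
    } finally { $conn.Close() }
    $rows
}

function Get-XmsPoolUsage {
    param([string]$HostPattern = 'XMS*', [int]$PoolMax = 200)   # PoolMax = hibernate.c3p0.max_size
    $all = Get-SqlSessionCounts
    $xms = ($all | Where-Object { $_.HostName -like $HostPattern } | Measure-Object -Property Sessions -Sum).Sum
    if (-not $xms) { $xms = 0 }
    [pscustomobject]@{
        AllSessions  = $all
        XmsSessions  = $xms
        PoolMax      = $PoolMax
        NearPoolMax  = ($xms -ge [math]::Floor($PoolMax * 0.9))   # sustained values here mean the pool is too small
    }
}

$usage = Get-XmsPoolUsage
$usage.AllSessions | Format-Table -AutoSize
"Sessions from XenMobile hosts: $($usage.XmsSessions) of a configured pool maximum of $($usage.PoolMax)"
```

Querying sys.dm_exec_sessions needs VIEW SERVER STATE, which the lab's administrator login has; a monitoring account in production should be granted only that permission. Run it before and after the reboot: the count from the XenMobile host should never exceed the pool maximum, and if it sits close to it under normal load the pool is undersized rather than the database.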
7. Next we will optimize the connection between the XenMobile Server and Apple APNs,
which is recommended for large iOS deployments.
In the server properties window search for Push Services
8. Select the Push Services Heartbeat Interval and select Edit
11. To improve APNs communications from the XenMobile server to Apple APNs we will
also increase the connection pool, so that APNs communications, and therefore iOS app
deployments, happen in a timely manner.
In the XenMobile Server Properties page search for Connection Pool
12. Update the value to 10 and click Save
14. The final global server property to edit will enable two-step iOS enrollment to improve
the user experience.
In the server properties window search for iOS Device Management
15. Select iOS Device Management Enrollment Install Root CA if Required and click
Edit
Log in with your Google Play account credentials. This will not be associated with the
account and can be deleted after the lab has completed. If you do not have a login you
can register on https://myaccount.google.com
18. Select Create a new project
19. Enter SUM602Lab as the project name and click Create.
20. In your project, click the gear symbol and then select Project Settings.
21. Select the Cloud Messaging tab to reveal the Server Key and Sender ID.
Keep the window open as you will need to copy these settings across to the XenMobile
Server.
22. Go back to the XenMobile server console at
https://192.168.10.20:4443
25. You will be prompted to enter an API Key and Sender ID. Copy the Server key from the
Firebase console to the API Key setting and then populate the Sender ID
Click Save
26. You have now completed the configurations and may close the browser
27. In the XenCenter Console Reboot the XMS server
Exercise Summary
In this exercise you have configured XenMobile server optimizations for iOS and Android devices as
recommended by Citrix consultants.
Exercise 8: Mobile Device Enrollment
Overview
In order for XenMobile Server to manage mobile devices, the Secure Hub client must be
installed and configured on the endpoint device. In this exercise, you will install Secure Hub,
enroll your device to the XenMobile server and install the required mobile apps
In this exercise you will:
Enterprise Enroll an iOS or Android device
Steps that differ between iOS and Android are labelled by platform below.
2. After installation is complete, launch the Secure Hub app.
3. You are prompted for the server URL, UPN or e-mail address.
Enter the IP2 FQDN. Your IP2 FQDN is available from the portal page.
Example Only: 184-172-16-134.mycitrixtraining.net
Tap Next.
4. Tap Yes to enroll your device.
6. iOS: A browser message “Enroll Your iPhone/iPad” will appear.
Android: You are prompted to activate the Device Administrator. Tap Activate.
7. iOS: In the following steps the device will be prepared for corporate usage. You will go
through the tasks to install the following profiles:
XenMobile CA
XenMobile Profile Service
MDM Configuration
For each of these you need to confirm the installation, enter the device PIN and
confirm you trust the management.
8. iOS: Click Done to continue.
Android: Secure Hub will ask for a PIN code, which was defined in Client Properties in the
XenMobile Server configuration.
9. iOS: Secure Hub has enrolled your device against the MDM service and will SSO to
the MAM instance (Authenticating). Secure Hub will ask for a PIN code, which was
defined in Client Properties in the XenMobile Server configuration.
Android: If you do not have a screen lock configured, you are prompted to configure your
screen lock settings. Specify a PIN in the settings.
10. iOS: You need to confirm that Secure Hub is allowed to use the device's location
service.
Android: Note: Some Android devices require you to allow installation of apps from
unknown sources before Secure Web and Secure Mail can be installed.
11. iOS: If you are running iOS 10 you will be prompted to enable a Secure Hub VPN
Configuration. Click OK, then Allow.
Android: Tap Add apps from the Store to access the enterprise store.
13. iOS: The XenMobile apps are now being pushed to your device from the iTunes App
Store; depending upon your account settings you may be prompted to enter your iTunes
Store password.
Android: The XenMobile apps are now being pushed to your device from the Google Store;
when prompted, click Install.
14. All apps will now be installed and will be accessible on your springboard or home screen.
Exercise Summary
You have now successfully enrolled a mobile device, downloaded a policy and some business apps.
Exercise 9: Enroll and locate Windows 10 Desktop/Tablet
Overview
In this exercise you will enroll a Windows 10 desktop in order to bring the device under
management. The policies configured earlier will be applied and will remove the ability for users to
perform updates and un-enroll from the XenMobile server.
This exercise will also show you how to issue the Locate command from the XenMobile console
to find Windows 10 devices.
Virtual machine used: Win10Client
Password Citrix123
2. On the desktop, right-click the hosts file and open it with Notepad.
3. The IP address of the XMS server has already been added; you will need to update the FQDN to
match the IP2 FQDN (Enrollment FQDN) from the lab portal page.
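Editing the hosts file by hand is fine for the lab. The PowerShell below is an added example, not part of the Citrix guide: it makes the same edit idempotently on Win10Client and then checks that the enrollment FQDN resolves through the hosts file and that the MDM listener on port 8443 answers. It must be run from an elevated prompt, and IP2-FQDN-PLACEHOLDER stands in for the value from your portal page.

```powershell
# Added example (not from the lab guide): idempotent hosts-file entry for the enrollment FQDN
# on Win10Client, plus a check that the name resolves via the hosts file and that the MDM
# listener on 8443 answers. Run from an elevated PowerShell. IP2-FQDN-PLACEHOLDER stands in
# for the IP2 FQDN shown on your lab portal page.
function Set-EnrollmentHostEntry {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$IPAddress = '192.168.10.20',   # XMS1
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $entry = "$IPAddress`t$Fqdn"
    $lines = @(Get-Content -Path $HostsPath -ErrorAction Stop)
    # drop any existing line that maps this FQDN, then append the lab mapping
    $pattern = '^\s*\S+\s+' + [regex]::Escape($Fqdn) + '(\s|$)'
    $kept = @($lines | Where-Object { $_ -notmatch $pattern })
    Set-Content -Path $HostsPath -Value ($kept + $entry) -Encoding ASCII
    $entry
}

function Test-EnrollmentEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 8443)
    # Dns.GetHostAddresses honours the hosts file; Resolve-DnsName queries DNS directly and
    # would report the public address instead, so it is deliberately not used here.
    $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | Select-Object -First 1
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Fqdn       = $Fqdn
        ResolvesTo = $resolved.IPAddressToString
        PortOpen   = $tcp.TcpTestSucceeded
        MdmUrl     = "https://${Fqdn}:${Port}/zdm/wpe"   # the MDM URL entered during enrollment
    }
}

$fqdn = 'IP2-FQDN-PLACEHOLDER'
Set-EnrollmentHostEntry -Fqdn $fqdn
Test-EnrollmentEndpoint -Fqdn $fqdn | Format-List
```

If ResolvesTo is not 192.168.10.20 the hosts edit did not take (most often because the shell was not elevated); if PortOpen is false, the enrollment in the following steps will fail at the MDM URL regardless of the credentials entered.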
7. Click on Accounts
9. In Connect to work or school, click Connect.
10. In the Set up a work or school account menu enter sales1@training.lab
Click Next
11. You will receive an error message as AutoDiscovery has not been set up for the lab.
Enter the following settings to enroll:
Email Address sales1@training.lab
MDM URL <IP2 FQDN>:8443/zdm/wpe
Click Next
12. You will be prompted to enter your login credentials. Enter the following:
Username sales1
Password Citrix123
Click Continue
13. The Windows 10 desktop is now MDM enrolled. Click Finished.
14. You can confirm that the desktop policies have applied by checking the restricted
services; we will attempt to remove the MDM enrollment. Click on the existing MDM
enrollment.
15. Click Disconnect to remove the enrollment.
16. You will receive a prompt that the work or school account cannot be removed by system
policy.
Click Yes
17. Your Windows 10 desktop is now fully MDM enrolled.
18. Locating the Device:
XenMobile console administrators can now locate Windows 10 phones, desktops, and
tablets. The locate feature is already available for iOS and Android devices. When you
issue a locate command, the XenMobile Server communicates directly with the device.
20. In Security Actions, Click Locate
22. Select the device, click Show more to get to the Device details page.
23. The Device details page will show the status of the location request.
Once the device connects to the environment, a map displaying the location will be
available.
Exercise Summary
In this exercise you have worked through the basic steps to enroll a Windows 10 desktop. The steps used
here are also the same on a phone or tablet, as we use the MDM functions in the Windows 10 universal
operating system. Additional policies could now be added through the MDM policies or Custom XML
policies as detailed in the Microsoft CSP documentation for OMA-DM.
You also used the new locate feature to find a Windows 10 device enrolled in the environment.
Exercise 10: Windows Information Protection device policy
Overview
Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), is
a Windows 10 technology that protects against the potential leakage of enterprise data. Data
leakage can occur through sharing of enterprise data to non-enterprise protected apps, between
apps, or outside of the network of your organization.
This policy enables you to specify an enforcement level that affects the user experience. For
example, you can:
Block any inappropriate data sharing.
Warn about inappropriate data sharing and allow users to override the policy.
Run WIP silently while logging and permitting inappropriate data sharing.
Create a device policy in XenMobile to specify the apps that require Windows
Information Protection when the enforcement level is set to override.
Virtual machines used: Windows 10 client, XMS
Step by Step Guidance
1. First you will have to create an Encrypting File System data recovery agent (EFS DRA) certificate before you
can fully configure your WIP policy.
Within XenCenter, select the AD.training.lab virtual machine and click the
Console tab. Login with the following account:
Username administrator
Password Citrix123
2. Launch the cmd prompt and navigate to where you want to store the certificate:
Change directory to c:\software\certificates
Type cd c:\
Type cd software\certificates
Run the command: cipher /r:EFSRA (or any name you choose)
Type the password: Citrix123
Confirm the password to protect your .pfx file.
The command cipher /r:EFSRA creates your .cer and .pfx files (EFSRA.cer and EFSRA.pfx) in the
location you specified.
3. Log out of AD.training.lab and proceed to create your WIP device policy in the
XenMobile console.
4. On the Student Desktop open the Google Chrome browser and log in to the XenMobile console with the following account:
Username administrator
Password Citrix123
6. Next, import the EFS DRA certificate into the XenMobile Server so that it can be selected in the WIP policy.
Go to Settings, click Certificates and then click Import.
7. Configure the following settings:
Import Keystore
Keystore type PKCS#12
Use as Server
Keystore file EFSRA.pfx (Browse to \\Ad\Software\Certificates)
Password Citrix123
Click Import
8. Now configure a WIP policy that warns users when inappropriate data sharing between enterprise and non-enterprise apps is attempted.
Go to Configure > Device Policies and add the Windows Information Protection policy.
Policy Name: WIP
Click Next
9. In the app list set iexplore.exe to Denied and set the MicrosoftEdge store app to Allowed.
10. Scroll down and configure the following WIP policy settings:
Enforcement Level 2-Override (the levels are 0-Off, 1-Silent, 2-Override and 3-Block)
Protected Domain Names training.lab
Data Recovery Certificate Select the CN=Administrator certificate from the drop-down (this is the EFSRA certificate imported in step 7; its subject is the account that ran cipher)
Network domain names training.lab
IP range 192.168.10.100-192.168.10.201
Click Next
(We will use AllUsers for convenience in the lab. In production it is recommended to create dedicated Delivery Groups rather than targeting all users.)
12. Now create a file that is protected by WIP; its encryption is recoverable with the EFS DRA certificate.
In the XenCenter console log on to Win10client.
13. Open an app on your protected app list, then create and save a file so that it is encrypted by WIP. The file icon shows a briefcase, indicating it is protected.
Launch Notepad, type some text, and then select File > Save to the Win10 desktop.
When saving, Notepad offers a choice of saving the file as Work or Personal. Select Work.
14. Go to your Google Drive or any other personal location using the Microsoft Edge browser.
Upload the Notepad work document (Workfile) that you saved to the desktop in the previous step to Google Drive.
You will receive a warning pop-up asking for permission to "change the content to personal".
Select Change to personal to transfer the file to the non-enterprise location, in this instance Google Drive.
15. Now go to your Google Drive or non-enterprise location using Internet Explorer.
From the same Windows 10 desktop in XenCenter, launch Internet Explorer and connect to your Google Drive.
Upload the Notepad work document (Workfile) that you saved to the desktop. You will receive the same warning pop-up asking to "change the content to personal".
16. In both cases the behaviour was the same because the WIP policy is set to Override: the user is warned, can choose to override, and the override is recorded in the audit log.
You can continue the exercise by setting the policy to Block and observing the outcome: the upload is refused and no override is offered.
Exercise Summary
In this exercise, you created an EFS DRA certificate, imported it into XenMobile as the data recovery certificate, and then created a WIP policy that warns Windows 10 users about inappropriate data sharing between enterprise and non-enterprise apps.
Exercise 11: Mobile access to ShareFile Storage Zones
Overview
In this exercise you will enable secure mobile access to an existing CIFS data repository through the XenMobile server, without requiring a ShareFile control plane. This configuration provides document access from mobile devices only; for a fully featured ShareFile deployment, customers can change the configuration to support ShareFile Enterprise.
Log on to the SZC server with the administrator account (password Citrix123).
Step Action
3. In IIS Manager click the SZC web server node, then double-click ISAPI and CGI Restrictions.
5. In IIS Manager click the SZC web server node to return to the SZC home page, then double-click Server Certificates.
6. A self-signed certificate should already be installed on the server; otherwise use the Actions menu to create one. (A self-signed certificate is acceptable only in the lab; in production the ShareFile clients on mobile devices must trust the certificate, so use one issued by a trusted CA.)
7. In IIS Manager expand Sites and select Default Web Site.
10. Set the following settings then click OK
Type HTTPS
IP Address All Unassigned
Port 443
Host name (leave blank)
SSL certificate Select the certificate from step 6
Click Close
11. Close the IIS Manager window. Next you will install the ShareFile StorageZones Controller.
12. Open File Explorer and browse to \\ad\software\ShareFile. Double-click and run the StorageCenter_4.3.0.4299 MSI file.
13. Start the setup by clicking Next
15. Keep the default destination folder and click Next
17. Deselect Launch StorageZones Controller Configuration Page and click Finish.
19. Once the server has restarted, log in to the SZC server with the administrator credentials. To test the ShareFile setup, on the SZC server browse to http://localhost or https://localhost (ignore the certificate warning, which is expected with the self-signed certificate).
20. Next we need to prepare the StorageZones Controller for XenMobile management without a ShareFile control plane.
Open File Explorer, browse to \\ad\software\ShareFile and locate the StorageZone binary zip file.
Note: the following commands are also included in the SF Connector Commands text file in this location.
21. Copy the StorageZone.zip file to C:\inetpub\wwwroot\Citrix\StorageCenter\Tools
22. Right-click and open the Properties of the sfconfig.zip file.
23. Click Unblock to remove the security block that Windows applies to downloaded files, then click OK.
26. Run the following command to change directory
cd c:\pstools
28. Click Agree to run the Sysinternals tool.
30. Run the final command to create the zone passphrase and set the external address of the SZC:
New-Zone -Passphrase Citrix123 -ExternalAddress https://szc.training.lab
The passphrase is used to derive the keys that protect the storage zone, so in production choose a strong one and keep it in a safe place; you need it again to add further controllers to the zone or to recover it.
The StorageZones Controller is now configured. You may now configure the connector from the XenMobile Server.
31. On the Student Desktop open the Google Chrome browser and log in to the XenMobile console.
33. By default the XenMobile Server is configured to support ShareFile Enterprise. To set it up for StorageZone connectors only, you need to edit the server properties. Click the Settings icon.
35. Edit the StorageZone Connectors supported property to SUPPORTED and click Save.
36. You are prompted that to activate the change you must reboot the XenMobile Server. Click OK.
37. Set the ShareFile configurator type to CONNECTORS and click Save.
You are again prompted that to activate the change you must reboot the XenMobile Server. Click OK.
38. In the XenCenter console reboot the XM10.7 server.
39. Once the XMS has rebooted, log back into the XMS web UI.
Browse to https://192.168.10.20:4443
42. First click Manage StorageZones, then enter the following settings
Name SZC
FQDN szc.training.lab
Port 443
Secure Connection ON
Administrator administrator@training.lab
Password Citrix123
44. Complete the following settings then click Next
45. Next, assign delivery group access: select the AllUsers delivery group and click Next.
47. The configuration is now complete.
You may now test this by installing the ShareFile app v5.3 or later on your enrolled device.
Exercise Summary
In this exercise, you enabled secure mobile access to on-premises CIFS data, using the XenMobile server as the identity provider (IdP).
Exercise 12: Integrated Deployment with Published Apps
Overview
In this exercise you will integrate the XenMobile Server with the existing XenDesktop / XenApp 7.11 deployment. First you will enable secure remote access to the StoreFront server, then integrate XenMobile with the legacy PNAgent (XenApp Services) site to give users a single enterprise store on mobile devices for native mobile, SaaS/web, and published Windows apps and desktops.
Log on to the DDC server (ddc.training.lab) with the administrator account (password Citrix123).
Step Action
2. Launch the Citrix StoreFront console from the Start menu.
3. When the Citrix StoreFront console opens, click the Server Group node on the left
side of the window.
5. Ensure https://ddc.training.lab is in the Base URL textbox.
Click OK.
7. In the Configure Remote Access Settings window, check the Enable Remote
Access check box.
8. In the Add NetScaler Gateway Appliance window, configure the following settings:
Display Name NSG
NetScaler Gateway URL https://IP1 FQDN
Usage or role Authentication and HDX Routing
Click Next.
9. In the Secure Ticket Authority section, click Add.
10. Type http://ddc.training.lab in the STA URL field and click OK. (The lab uses HTTP for the STA; in production use https:// so that ticket traffic between the gateway and the STA is protected.)
11. Click Next
12. In the Authentication Settings enter the following
Version 10.0 (Build 69.4) or later
Logon Type Domain
Callback URL https://IP1 FQDN
Click Create
13. Click Finish
15. On the student desktop launch Chrome and browse to the XenMobile server console
https://192.168.10.20:4443
18. Enter the following settings:
Host ddc.training.lab
Port 443
Relative Path /Citrix/Store/PNAgent/config.xml
Use HTTPS ON
Click Save.
You may view the relative path in StoreFront under XenApp Services URL.
19. You will now be able to view published Windows apps in the Secure Hub enterprise store. To launch them you will first need to install Citrix Receiver from the public app store.
Exercise Summary
In this exercise, you enabled integrated communication between the XenMobile Server and the StoreFront server to provide a single enterprise store for Windows, SaaS, web and native apps from a mobile device.
Exercise 13: Smart Access to HDX Apps
Overview
A feature introduced in XenMobile 10.5 enables Smart Access to HDX applications, ensuring that only fully compliant devices can gain access to corporate resources. This configuration requires deeper integration between the XenMobile Server and StoreFront.
Step Action
2. Browse to https://192.168.10.20:4443
6. Set up a custom key with the following settings
Key Custom (custom key)
Key pna.smartaccess.flag
Value true
Display Name Smart Access
Description Enables Smart Access for Mobile
8. Click on Certificates
10. Ensure that Export private key is set to OFF and click Export. StoreFront only needs the public certificate to verify what the XenMobile Server signs; the private key must stay on the XenMobile Server.
11. Move the certificate file (certificate.pem) from the download directory of the Student Desktop to \\ad\software\certificates.
12. Once the SAML certificate has been exported, restart the XM 10.7 server from XenCenter.
13. This certificate is in PEM format. To import it into the StoreFront server you need to convert it to DER (.cer).
In XenCenter select the DDC virtual machine and go to the Console tab. Log on with the administrator account (password Citrix123).
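The PEM-to-DER conversion in step 13 can also be checked outside the MMC wizard. The following Python script is an added example for this guide, not code from the lab or from Citrix. It converts a single-certificate PEM file to the binary DER (.cer) encoding that StoreFront imports, refuses files that carry a PRIVATE KEY block (which would mean the export in step 10 was done with the private key included), and sanity-checks the DER length. The sample PEM body embedded in it is a constructed placeholder (a five-byte DER SEQUENCE), not a real certificate; the file names certificate.pem and smartaccesscert.cer are the ones used in this exercise.

```python
import base64
import re
from pathlib import Path

# One PEM block: header label, base64 body, matching footer label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)


def _der_total_length(der: bytes) -> int:
    """Length of the outer DER element (tag + length bytes + content)."""
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der_certificate(pem_text: str) -> bytes:
    """Return the DER bytes of the single CERTIFICATE block in pem_text.

    Raises ValueError if the file holds a private key (the export was done
    with 'Export private key' ON), has no or several certificate blocks, or
    the base64/DER content is malformed.
    """
    blocks = [(m.group("label"), m.group("body")) for m in _PEM_BLOCK.finditer(pem_text)]
    if not blocks:
        raise ValueError("no PEM blocks found")
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; re-export with 'Export private key' OFF")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:     # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    if _der_total_length(der) != len(der):
        raise ValueError("DER length does not match file content (truncated or corrupt)")
    return der


def is_public_certificate_only(pem_text: str) -> bool:
    """True if pem_text converts cleanly and carries no private key."""
    try:
        pem_to_der_certificate(pem_text)
        return True
    except ValueError:
        return False


def convert_file(pem_path: str, cer_path: str) -> int:
    """Write the DER (.cer) form of pem_path to cer_path; returns bytes written."""
    der = pem_to_der_certificate(Path(pem_path).read_text())
    Path(cer_path).write_bytes(der)
    return len(der)


# Constructed stand-in for the exported certificate.pem: the base64 of the
# five DER bytes 30 03 02 01 01 (SEQUENCE { INTEGER 1 }), NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

# Constructed counter-example: what an export with the private key included looks like.
SAMPLE_PEM_WITH_KEY = SAMPLE_PEM + """-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(pem_to_der_certificate(SAMPLE_PEM).hex())          # 3003020101
    print(is_public_certificate_only(SAMPLE_PEM_WITH_KEY))   # False
    # Real use on the lab file share (paths from this exercise):
    # convert_file(r"\\ad\software\certificates\certificate.pem", r"C:\SmartCert\smartaccesscert.cer")
```

The private-key check is the point of the script: a .pem that also contains a key block is exactly the file you do not want copied to a file share or handed to StoreFront, so the conversion fails closed rather than silently dropping the key.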
16. Select Certificates and click Add, then Finish, then OK.
17. Expand Certificates > Personal to reveal the personal certificate folder. Right-click this folder, highlight All Tasks and select Import.
19. Browse to \\ad\software\certificates\certificate.pem and click Next.
20. Select the option to place the certificate in the Personal store and click Next.
22. In the MMC console locate the Personal certificate store, right-click the XMS.example.com SAML certificate, highlight All Tasks and click Export.
24. Select DER encoded binary X.509 (.CER) as the format and click Next
25. Browse to and name the cert C:\SmartCert\smartaccesscert.cer and click Next
26. Click Finish to complete the export.
Enter Y to confirm.
30. Next we can configure Smart Access within XenDesktop. From the Start menu launch Citrix Studio.
31. Select Delivery Groups in the navigation pane
32. Select User Delivery Group and click on Edit Delivery Group
33. On the Access Policy page, ensure Connections through NetScaler Gateway and Connections meeting any of the following filters are checked.
Click Add
34. Add an access policy with the following settings:
Farm XM
Filter XMCompliantDevice
Click OK
35. Click Apply to save the changes and click OK.
36. The Smart Access integration is now complete. Next we need to configure Actions that trigger on device compliance rules.
On the Student desktop open a browser, launch the XenMobile web admin console and log in (https://192.168.10.20:4443).
37. Click Configure and then click Actions.
39. Name the action (Action Information) Smart Access Compliance and click Next.
Click Next
Triggers can be set for Device Property, User Property and Installed App Name.
41. Set the delivery group to All Users and click Next.
42. Review the summary and click Save.
43. Now when a non-compliant device connects, the HDX apps no longer appear in the store, and any HDX apps saved to the home screen (Springboard) fail to launch. You may now create another action to send the user a notification that the device is out of compliance.
44. Click the Settings icon.
45. Under Notifications click Notification Templates.
47. As we have not set up an SMS or SMTP service, only Secure Hub notifications are available; click No, set up later to dismiss the prompt.
48. Create the following template
Name HDX Apps blocked
Description Device out of Compliance
Type Ad hoc notification
Secure Hub Select Activated
Message Your device is not compliant…
Click Add
49. Repeat steps 37 and 38 to create a new automated action.
50. Name the action (Action Information) Notify Out of HDX App Compliance and click Next.
51. Set the following action details
Trigger Device Property: Out of Compliance Is True
Action Send Notification: HDX Apps blocked
Interval 0 Hours 1 Minutes
Click Next
52. Assign to the All Users delivery group and click Next.
53. Save the configuration and test on your enrolled device.
Exercise Summary
In this exercise we configured Smart Access to HDX apps, ensuring that only compliant devices can gain access to corporate resources. If a device is marked out of compliance, the user is notified which device is out of compliance and asked to take action to resolve it.
Lab Guide Appendix
Bonus Exercise 1: Configuring Secure Web to Proxy
Mobile traffic
Overview
To ensure that Secure Web traffic is filtered through a web proxy, so that corporate policies apply, Secure Web must be configured with a full VPN tunnel. We can then add simple traffic policies on the NetScaler Gateway to proxy HTTP and HTTPS traffic with a full SSO experience.
In this exercise you will:
Configure NetScaler Gateway traffic policies to proxy Secure Web traffic only.
Step Action
2. Launch Microsoft Edge from the desktop and go to http://www.facebook.com
The proxy rules configured on this desktop report that access to the web page is forbidden.
3. On your mobile device launch Secure Web and authenticate with your PIN if required.
5. On the student desktop open Chrome and browse to the NetScaler admin GUI at http://192.168.10.50
6. In the Configuration tab expand NetScaler Gateway and select Virtual Servers.
7. Select the _XM_XenMobileGateway virtual server, then click Edit.
11. Enter Proxy_Secure_Web_Only as the policy name, then under Request Profile click +.
12. Create a traffic profile with the following settings
Name Secure_Web_Proxy
Protocol HTTP
AppTimeout 2
Single Sign-on ON
Proxy 192.168.10.70:8080
Port 8080
13. In the Create Traffic Policy window add the following classic expression (copy and paste it as one line):
REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb || REQ.HTTP.HEADER User-Agent CONTAINS MDXSecureBrowserIOS
Click Create
Note that the policy selects requests by the User-Agent header, which the client supplies; it is a routing convenience for the Secure Web clients, not an access control.
15. Under Policies you should now see that a traffic policy has been added.
Click Done
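To see which requests the policy above selects, here is an added Python example (not from the lab guide or from Citrix) that evaluates the subset of NetScaler classic expressions used in this exercise, REQ.HTTP.HEADER terms joined by || and &&, against a set of request headers. The sample requests, including the User-Agent strings, are constructed for the example; they are not captured Secure Web traffic. Case-sensitive CONTAINS, C-style precedence of && over || and the treatment of a missing header are this evaluator's assumptions, not a statement of NetScaler's exact semantics.

```python
import re
from typing import Dict, List, Mapping

# One classic-expression term: REQ.HTTP.HEADER <header-name> <operator> [<value>]
_TERM = re.compile(
    r"^REQ\.HTTP\.HEADER\s+(?P<name>[A-Za-z0-9-]+)\s+"
    r"(?P<op>CONTAINS|NOTCONTAINS|==|!=|EXISTS|NOTEXISTS)"
    r"(?:\s+(?P<value>\S+))?$"
)


def _eval_term(term: str, headers: Mapping[str, str]) -> bool:
    """Evaluate a single term against a dict keyed by lower-cased header names."""
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    name, op, value = m.group("name"), m.group("op"), m.group("value")
    actual = headers.get(name.lower())
    if op == "EXISTS":
        return actual is not None
    if op == "NOTEXISTS":
        return actual is None
    if value is None:
        raise ValueError(f"{op} needs a value: {term!r}")
    if actual is None:
        # Assumption: a missing header only satisfies the negative operators.
        return op in ("NOTCONTAINS", "!=")
    return {
        "CONTAINS": value in actual,           # case-sensitive substring (assumption)
        "NOTCONTAINS": value not in actual,
        "==": actual == value,
        "!=": actual != value,
    }[op]


def evaluate(expression: str, headers: Mapping[str, str]) -> bool:
    """True if the request headers satisfy the classic expression.

    '&&' binds tighter than '||' (assumed C-style precedence); no parentheses.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    return any(
        all(_eval_term(t, hdrs) for t in conj.split("&&"))
        for conj in expression.split("||")
    )


# The rule from step 13.
POLICY_RULE = (
    "REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb || "
    "REQ.HTTP.HEADER User-Agent CONTAINS MDXSecureBrowserIOS"
)

# Constructed sample requests (headers only); not captured traffic.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "secure-web-ios": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) MDXSecureBrowserIOS"},
    "secure-web-android": {"user-agent": "Mozilla/5.0 (Linux; Android 8.0) WorxWeb/10.7"},
    "safari": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604 Safari/604.1"},
    "lowercase-spoof": {"User-Agent": "curl/7.64 worxweb"},
    "spoofed-ua": {"User-Agent": "curl/7.64 WorxWeb"},
    "no-user-agent": {"Host": "intranet.training.lab"},
}


def proxied_requests(rule: str = POLICY_RULE,
                     requests: Mapping[str, Mapping[str, str]] = SAMPLE_REQUESTS) -> List[str]:
    """Names of the requests the traffic policy would send through the proxy profile."""
    return [name for name, hdrs in requests.items() if evaluate(rule, hdrs)]


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:20s} proxied={evaluate(POLICY_RULE, hdrs)}")
```

The "spoofed-ua" and "lowercase-spoof" entries make the caveat concrete: any client inside the VPN tunnel that sets a matching User-Agent is routed through the proxy, and a client that changes the string is not, so the policy governs routing for cooperating Secure Web clients and nothing more.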
16. On your mobile device launch Secure Web and authenticate with your PIN if required.
Exercise Summary
In this exercise you configured Secure Web traffic to be proxied so that corporate policies can be applied to HTTP and HTTPS traffic from the corporate browser.
Bonus Exercise 2: Configuring Two-Factor Authentication (2FA)
Overview
To provide two-factor authentication for specific enterprise applications you will integrate the XenMobile Server and NetScaler Gateway with a RADIUS server. In the lab, SMS2 (a RADIUS server) has already been installed.
Step Action
55. Browse to http://192.168.10.50
56. In the configuration tab expand NetScaler Gateway and select Virtual Servers
59. Click the existing 192.168.10.11_LDAP_pol to highlight the policy and click Unbind.
60. Confirm that you wish to unbind the LDAP policy by clicking Yes.
61. Next we will create the RADIUS authentication policy. In Basic Authentication click +.
62. In the Policies window set the following options, then click Continue
Choose Policy RADIUS
Choose Type Primary
64. The Create Authentication RADIUS Policy window opens. Name the policy Radius_Pol.
65. Configure the new RADIUS authentication server with the following settings. Click Test Connection to verify that the RADIUS server is reachable and the shared secret is correct.
Name 2FA_Auth
Server Server IP
IP Address 192.168.10.70
Port 1812
Secret Key Citrix123
Confirm Secret Key Citrix123
Timeout 3 seconds
Click Create
(The shared secret is all that protects the RADIUS exchange between the gateway and SMS2; in production use a long random secret rather than the lab password.)
66. Under Expression add the expression ns_true
Click Create
Click Bind
67. To enable 2FA we need to add the LDAP policy back. In Basic Authentication click +.
68. In the Policy window set the following, then click Continue
Choose Policy LDAP
Choose Type Secondary
70. Click the existing 192.168.10.11_LDAP_pol and click Select.
71. Click Bind to bind the LDAP policy.
72. In the VPN Virtual Server screen scroll down to the Policies section and click 3 Session Policies.
73. Select the PL_OS_192.168.10.92 session policy (native mobile traffic) and under Edit click Edit Profile.
74. Click the Client Experience tab.
75. Scroll down to Credential Index and set it to Secondary. With RADIUS bound as the primary policy and LDAP as the secondary, this tells the gateway to use the LDAP (Active Directory) password, not the one-time token, for single sign-on to back-end resources.
Click OK
The NetScaler Gateway configuration for 2FA is complete. Click Close, then click Done.
76. In Chrome browse to the XenMobile Admin GUI
https://192.168.10.20:4443
77. Click the Settings icon on the green ribbon.
79. Set the logon type to Domain and Security Token and click Save
80. For this lab we will use the Google Authenticator app to generate the soft tokens. You will need to install this app from the public app store (App Store or Google Play) before proceeding.
Log on to the SMS2 server with the administrator account (password Citrix123).
82. From the Start menu launch the SMS2 Administration Console. (SMS2 is the free RADIUS authentication product we are using in the lab.)
83. Click the User 1 account and click Authentication Options.
85. Set the Authenticator to Google Authenticator.
87. Click OK to accept the updated record. A QR code is generated in the window. The QR code carries the shared seed from which every token is derived, so treat it as a secret: let only the user scan it, and close the window once enrollment is done.
88. Launch the Google Authenticator app on your device. Select Begin Setup, then Scan Barcode.
90. When the QR code scans successfully, the Google Authenticator app begins generating tokens for User 1. You may close the SMS2 console.
91. To test the RADIUS and LDAP two-factor authentication configuration you will need to re-enrol your device, following the steps in Exercise 8. Before creating a new Secure Hub PIN you will be prompted to enter a security token; enter the current token from the Google Authenticator app.
Exercise Summary
In this exercise we configured two-factor authentication (a RADIUS one-time token plus the LDAP password) to secure enterprise apps and data.
Appendix B: Additional Resources and Information
WIP Policy
https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate
https://support.citrix.com/article/CTX224385
Authors
The following authors contributed to the creation of this deliverable.
Citrix
Christopher Friend
Citrix Systems UK
Chalfont Park, Gerrard’s Cross, Bucks, UK
Phone: +44 (0)1753 - 276200
christopher.friend@citrix.com
Revision History
Revision Change Description Updated By Date
1.0 Original Christopher Friend April 2017
1.1 Update Joslyn Bailey-White January 2018
Copyright © 2014 Citrix Systems, Inc. All rights reserved. Citrix trademarks are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.