
An Integrated Deployment of XenMobile 10.

January 2018
Table of Contents
Table of Contents ... 3
Training Overview ... 4
    Training Overview ... 5
    Lab Environment Details ... 6
    Lab Scenario ... 8
Module 1: Initial Configuration ... 9
    Exercise 1: Initial configuration of XenMobile Server ... 10
    Exercise 2: Getting Started with XenMobile Server ... 19
    Exercise 3: Creating Device Policies ... 30
    Exercise 4: Deploying and Configuring Apps ... 43
    Exercise 5: Assigning Resources to Delivery Groups ... 58
    Exercise 6: Configuring NetScaler using Wizards ... 63
Module 2: Advanced Configuration ... 72
    Exercise 7: XenMobile Server Fine Tuning ... 76
    Exercise 8: Mobile Device Enrollment ... 85
    Exercise 9: Enroll and locate Windows 10 Desktop/Tablet ... 95
    Exercise 10: Windows Information Protection device policy ... 105
    Exercise 11: Mobile access to ShareFile Storage Zones ... 115
    Exercise 12: Integrated Deployment with Published Apps ... 132
    Exercise 13: Smart Access to HDX Apps ... 143
Lab Guide Appendix ... 159
    Bonus Exercise 1: Configuring Secure Web to Proxy Mobile traffic ... 2
    Bonus Exercise 2: Configuring 2FA Authentication ... 10
    Appendix B: Additional Resources and Information ... 25


Training Overview

citrix.com 4
Objective
This training will provide you with hands-on experience in setting up a XenMobile Server with NetScaler to
provide an enterprise-grade unified endpoint mobility solution. The guide starts with the initial
configuration steps and runs right through to applying the best practices used by Citrix consultants to "fine tune" the
deployment.

Required Prerequisites
The required prerequisites are a basic understanding of Unified Endpoint Management concepts such
as MDM and MAM; an understanding of the types of applications that need to be deployed to devices,
such as Web, SaaS, native and wrapped mobile apps; and a basic understanding of networking concepts within
enterprise mobility and NetScaler.

Optional Prerequisites
In order to complete all the exercises in this document you will need an un-enrolled iPhone
and/or Android phone/tablet. However, you can still complete the majority of the exercises with the Win10
Desktop.

Audience
Target audience:
- Citrix Internal Sales Engineers
- Citrix Internal Consultants
- Citrix Internal Technical Support
- Partners
- Customers

Lab Guide Conventions

Indicator and purpose (the indicator icons are not reproduced in this text):
- Attention symbol: particular attention must be paid to this step
- Note symbol: special note to offer advice or background information
- reboot: text the student enters or an item they select is printed like this
- Start (bold): bold text indicates a reference to a button or object
- Highlight (R:255 G:20 B:147): focuses attention on a particular part of the screen
- Marker (R:255 G:102 B:0): shows where to click or select an item on a screenshot


Lab Environment Details
The following diagram shows an overview of the virtual machines and networking configurations included in
the lab environment.

[Diagram: Student Desktop and Internet; NetScaler, AD, Exchange, SQL, DDC; XMS Server, SZC, Win10Client, VDA]
Virtual Machines

VM Name         | IP Address     | Description
AD.training.lab | 192.168.10.11  | Domain Controller, DNS, DHCP, Certificate Services
NetScaler       | 192.168.10.14  | NetScaler 11.1 build
Exchange        | 192.168.10.12  | Exchange 2010 SP2
SQL             | 192.168.10.19  | MS SQL Enterprise 2014
DDC             | 192.168.10.17  | XenDesktop Delivery Controller 7.11
XMS             | 192.168.10.20  | XenMobile Server 10.7
Server          | 192.168.10.70  | RADIUS Server, Proxy Server
SZC             | 192.168.10.75  | ShareFile Storage Zone Controller
Win10Client     | 192.168.10.201 | Windows 10 Client Machine (NOT DOMAIN JOINED)
VDA             | 192.168.10.205 | Windows 10 Desktop, VDA 7.11

Credentials

User Name              | Password  | Description
Training\Administrator | Citrix123 | Domain Administrator
Training\User1         | Citrix123 | Standard User
Training\User2         | Citrix123 | Standard User
nsroot                 | nsroot    | NetScaler Login
Administrator          | Citrix123 | XMS Administrator account
Admin                  | Citrix123 | XMS CLI Administrator account

Lab Scenario
You have been hired as a consultant to deploy XenMobile Enterprise Edition for MobileTex, Inc.
in order to provide secure mobile access to business-critical data and resources. The company will
be offering a Bring Your Own Device mobility solution to its employees. Additionally, sales teams will
be given a Windows tablet/laptop that will require additional management controls. Your task is
to use the guidelines outlined below to implement a solution that meets the business needs.
Guidelines:
- All users will require secure remote access to company data, such as e-mail, documents and
spreadsheets, which should be available to employees both internally and externally. The company
requires this data to be containerized while on personal devices, with the ability to selectively
wipe corporate data.
- End users should be able to browse internal sites securely; only approved Internet sites should
be accessible through corporate applications.
- The company requires the use of two-factor authentication for specific enterprise applications.
- The company wishes to manage all BYO (bring your own) end-user devices with XenMobile,
which may include iOS, Android and Windows 10 smartphones, tablets and laptops.
- Sales will be issued with a corporate Windows tablet or laptop, which must be
restricted as an MDM-managed device. The automatic Windows Update service should also be
blocked.
- The company has an existing XenDesktop infrastructure which they would like the mobile device
fleet to integrate into; however, due to strict compliance laws it must be possible to restrict access
from devices that are not compliant with corporate policies.

Module 1: Initial Configuration

Exercise 1: Initial configuration of XenMobile Server
Overview
Configuring the XenMobile Server is a two-part process. The initial configuration is done at the
console of the server by configuring the new password, network settings (i.e. IP address, subnet
mask, default gateway), database location, and external FQDN. Once this is done, you connect
to the Administration Console from a web browser to continue the basic configuration via the
Start-up Wizard. In this lab, you will perform the initial configuration at the console of the
XenMobile Server.
Citrix recommends the use of MS SQL Server rather than the more limited SQL Server Express. A
Microsoft SQL Server VM has already been set up for you.

In this exercise you will:

- Run the XenMobile Server First Time User wizard from the command-line interface

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

XMS1

Step by Step Guidance


Step Action
1. Citrix XenCenter should launch automatically on the Student Desktop. If not, launch using the
shortcut.

2. If an existing XenServer is displayed, right-click the XenServer node and click Connect.

3. If there is no XenServer listed, click Add New Server to add your XenServer to XenCenter.

4. Enter the parameters below:

Server: 192.168.10.5
User name: admin
Password: Provided on web page

Click Add.

5. Optional: If you get the following message, click Close.

6. XenCenter will attach to your physical XenServer. Your physical XenServer name
will be different.

7. Within XenCenter, select the XM 10.7 virtual machine and click the Console tab. You
will notice that the XenMobile Server is in First Time Use mode.
Configure the following:
New Password: Citrix123
Re-enter new password: Citrix123

8. Configure the Network settings:

IP Address: 192.168.10.20

Netmask: 255.255.255.0

Default gateway: 192.168.10.1

Primary DNS server: 192.168.10.11

Secondary DNS server [optional]: Leave blank and hit Enter

Hit Enter to commit the settings.

9. When the network settings are applied you will be prompted to confirm whether this is an
upgrade. Hit Enter to confirm this is a new install.

10. Type n and press Enter to manually set the Encryption Passcode.

11. Enter and then confirm the passphrase as Citrix123456.

12. You are given the option to enable FIPS. Hit Enter to accept the default [n].

13. Next we will configure a remote database connection. In this lab the administrator
account has dbcreate permissions; in a production deployment a service account should
be used.
Configure the following settings:

Local or remote [l/r]: Hit Enter to accept the default [r]
Type (Microsoft SQL, PostgreSQL or MySQL) [mi/p/my]: Hit Enter to accept the default [mi]
Use SSL: Hit Enter to accept the default [n]
Server: sqlserver.training.lab
Port: Hit Enter to accept the default [1433]
Username: training\administrator
Password: Citrix123
Database name: Hit Enter to accept the default [DB_service]

Hit Enter to accept the default [y] to commit the settings.

14. You are prompted to enable clustering. Hit Enter to accept the default [y].

Note: To enable clustering you will need to enable communications
over port 80 between the XMS nodes.

15. You are prompted for the XenMobile hostname. This will be the enrollment FQDN for an
Enterprise deployment of XenMobile Server.
Enter <IP2 FQDN> from your portal page and hit the Enter key.

Note: Your IP2 FQDN is available on the portal page.

Hit Enter to accept the default [y] to commit the settings.

16. Configure the following communication ports (Port listeners):

HTTP: Hit Enter to accept the default [80]

HTTPS with certificate authentication: Hit Enter to accept the default [443]

HTTPS with no certificate authentication: Hit Enter to accept the default [8443]

HTTPS for management: Hit Enter to accept the default [4443]

Hit Enter to accept the default [y] to commit the settings.

17. Hit Enter to accept the default instance name [zdm], then hit Enter again to confirm.

18. You are asked if you wish to use the same password for all certificates of the PKI.
Hit Enter to accept the default [y].
Configure the following:
New Password: Citrix123
Re-enter new password: Citrix123

Hit Enter to accept the default [y] to commit the settings.

Note: This configuration is for all the Public Key Infrastructure
(PKI) certificates. This step creates the device manager's
certificate authorities. If you intend to cluster XenMobile
Server nodes, you will need to provide identical passwords for
subsequent nodes.

19. You are prompted to configure the XenMobile console administrator account.
Configure the account as follows:

Username: Hit Enter to accept the default [administrator]

Password: Citrix123

Re-enter new password: Citrix123

Hit Enter to accept the default [y] to commit the settings.

20. The initial system configuration is complete. Make a note of the URL given to complete
the setup process.
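A pre-flight validator for the console values entered in steps 7 to 19, added here as an example; it is not part of the lab guide or of XenMobile itself. It returns ERROR findings for input that cannot work (gateway outside the subnet, duplicate port listeners, an IP address where the enrollment FQDN belongs) and WARN findings for lab defaults that should differ in production (database connection without SSL, the domain administrator as database user, one password reused for console, PKI and administrator account). The hostname placeholder and the 8-character minimum are assumptions.

```python
"""Pre-flight checks for a XenMobile Server first-time-use (FTU) plan (added example)."""
import ipaddress
from dataclasses import dataclass, field

MIN_PASSWORD_LEN = 8  # assumption: a local minimum, not a documented XMS rule


@dataclass
class DatabasePlan:
    use_ssl: bool = False        # step 13 default [n]
    server: str = ""
    username: str = ""


@dataclass
class FtuPlan:
    ip: str
    netmask: str
    gateway: str
    dns_primary: str
    hostname: str                # step 15: becomes the enrollment FQDN
    console_password: str        # step 7: server console password
    encryption_passcode: str     # step 11
    pki_password: str            # step 18: shared PKI certificate password
    admin_password: str          # step 19: console administrator account
    http_port: int = 80          # step 16 port listeners
    https_cert_port: int = 443
    https_nocert_port: int = 8443
    mgmt_port: int = 4443
    clustering: bool = True      # step 14 default [y]
    database: DatabasePlan = field(default_factory=DatabasePlan)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_ftu_plan(plan: FtuPlan) -> list[str]:
    """Return findings prefixed ERROR/WARN/INFO; an ERROR means the plan will not work."""
    findings: list[str] = []
    try:
        iface = ipaddress.ip_interface(f"{plan.ip}/{plan.netmask}")
    except ValueError as exc:
        return [f"ERROR: invalid IP address/netmask: {exc}"]
    net = iface.network
    if not _is_ip(plan.gateway) or ipaddress.ip_address(plan.gateway) not in net:
        findings.append(f"ERROR: default gateway {plan.gateway} is not inside {net}")
    elif plan.gateway == str(iface.ip):
        findings.append("ERROR: default gateway equals the server IP")
    if not _is_ip(plan.dns_primary):
        findings.append(f"ERROR: primary DNS server {plan.dns_primary!r} is not an IP address")

    # Listeners must be distinct; keep the management console off device-facing well-known ports.
    ports = {"HTTP": plan.http_port, "HTTPS cert-auth": plan.https_cert_port,
             "HTTPS no-cert-auth": plan.https_nocert_port, "management": plan.mgmt_port}
    for name, port in ports.items():
        if not 1 <= port <= 65535:
            findings.append(f"ERROR: {name} port {port} is out of range")
    if len(set(ports.values())) != len(ports):
        findings.append("ERROR: port listeners must be distinct")
    if plan.mgmt_port in (80, 443):
        findings.append("WARN: management console on a device-facing well-known port")

    host = plan.hostname.strip()
    if _is_ip(host) or "." not in host:
        findings.append("ERROR: hostname must be a fully qualified domain name")

    db = plan.database
    if not db.server:
        findings.append("ERROR: remote database selected but no server given")
    if not db.use_ssl:
        findings.append("WARN: database connection without SSL; credentials cross the network in clear")
    if db.username.lower().split("\\")[-1].split("@")[0] == "administrator":
        findings.append("WARN: database uses the domain administrator; use a service account")
    if plan.clustering:
        findings.append("INFO: clustering on; open port 80 between nodes and use identical PKI passwords")

    secrets = {"console": plan.console_password, "encryption passcode": plan.encryption_passcode,
               "PKI": plan.pki_password, "admin": plan.admin_password}
    for name, value in secrets.items():
        if len(value) < MIN_PASSWORD_LEN:
            findings.append(f"ERROR: {name} password shorter than {MIN_PASSWORD_LEN} characters")
    if len(set(secrets.values())) < len(secrets):
        findings.append("WARN: one password reused for several of console, encryption passcode, PKI, admin")
    return findings


def lab_findings() -> list[str]:
    """The Exercise 1 values as entered in the lab; hostname is a placeholder for <IP2 FQDN>."""
    plan = FtuPlan(
        ip="192.168.10.20", netmask="255.255.255.0", gateway="192.168.10.1",
        dns_primary="192.168.10.11", hostname="IP2-FQDN-PLACEHOLDER.mycitrixtraining.net",
        console_password="Citrix123", encryption_passcode="Citrix123456",
        pki_password="Citrix123", admin_password="Citrix123",
        database=DatabasePlan(server="sqlserver.training.lab", username="training\\administrator"),
    )
    return validate_ftu_plan(plan)
```

Run against the lab values it reports no ERROR but three WARN lines; changing a single value (for example the management port to 443) shows how an inconsistent plan is caught before the wizard commits it.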

Exercise Summary
You have now completed the XenMobile Server FTU wizard, including networking information, FQDN,
DNS server, and the connection to a remote SQL database. Please move on to Exercise 2 to complete the
initial configuration.

Exercise 2: Getting Started with XenMobile Server
Overview
In this exercise we will go through the XenMobile Server Getting Started wizard, where you will
configure the Citrix License Server, install the required certificates, and configure LDAP and
NetScaler Gateway integration. Once completed, you will then be able to configure categories,
applications, policies, and delivery groups.
In this exercise you will:
- Complete the XenMobile Server Getting Started Wizard

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

Student Desktop XMS

Step by Step Guidance


Step Action
1. On the Student Desktop open the Google Chrome browser

2. Browse to https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 (unsafe) to accept the
certificate error.

Login with the following credentials:

Username: administrator
Password: Citrix123

Click Sign in.

3. The Get Started page is displayed. Click Start to begin the configuration wizard.

4. The Initial Configuration window is displayed.
Click OFF to configure the remote license server.

5. Enter the following settings for the license server:
License Type: Remote license
License Server: licenses.citrixvirtualclassroom.com
Port: 27000

Click Test Connection. The license server will retrieve your licenses.

6. Select the Citrix XenMobile Enterprise Edition User license and click Activate.

Click Next.

7. Next we will need to import the required Certificates into the XMS Server. On the
Certificate page, click Import.

8. First we will import the APNs certificate to enable iOS device connectivity. Configure the
following settings:
Import: Keystore
Keystore type: PKCS#12
Use as: APNs
Keystore file: APNS.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123

Click Import.

A notification window pops up. Click OK.

9. Next we will install the SSL Listener certificate. Click Import again.

Configure the following settings:

Import: Keystore
Keystore type: PKCS#12
Use as: SSL Listener
Keystore file: MCTWildcard_FullChain.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123

Click Import.

10. You receive a prompt advising that this will replace the existing self-signed certificate,
and that when installing this type of certificate a server reboot is required to complete the
installation.
Click OK.

11. Click Import again.

Configure the following settings:

Import: Certificate
Use as: Server
Certificate import*: Root.cer (Browse to \\Ad\Software\Certificates)

Click Import.

12. The APNs, Root and SSL Listener certificates are displayed.
Click Next.

13. Click Next. You are prompted to configure NetScaler Gateway.

Configure the following settings:

Name: NSG
Alias: Leave Blank
External URL: https://<IP1 FQDN>
Logon Type: Domain only
Password Required: On

On the lab portal page you will find your IP1 FQDN.

Click Next.

14. The LDAP Configuration page is displayed.
Configure the following settings:
Primary Server: 192.168.10.11
Port: 389 (Default)
Domain name: training.lab
User base DN: dc=training,dc=lab (auto-filled in)
Group base DN: dc=training,dc=lab (auto-filled in)
User ID: administrator@training.lab
Password: Citrix123
Domain alias: training.lab
Use search by: sAMAccountName

Click Next.

15. Click Next to skip the Notification Server configuration.

16. Click Finish on the Summary page.

17. The initial configuration is complete. Click Start Managing XenMobile.

18. You land on the XM reporting screen. Proceed to the next step.

19. Close the browser window.

20. In the XenCenter Console, reboot the XMS server.

Exercise Summary
You have now completed the initial steps to install and configure XenMobile Server. Please continue to
Exercise 3, where you will configure the apps, resources and policies that are applied to end users.
Exercise 3: Creating Device Policies
Overview
XenMobile Server enables enterprise organizations to apply device configurations, settings,
and security parameters to multiple device platforms and operating systems. In this exercise,
students will configure policies on XenMobile Server to push to iOS, Mac OS X, Android and
Windows 10 devices.

In this exercise you will:

- Create a passcode policy for all possible BYO devices that will enroll
- Configure advanced device policies for Windows 10 devices

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required For This Exercise

Student Desktop XMS

Step by Step Guidance


Step Action
1. On the Student Desktop open the Google Chrome browser

2. Browse to https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 to accept the certificate error.

Login with the following credentials:

Username: administrator
Password: Citrix123

Click Sign in.

3. In the XenMobile Server management console, select the Configure tab and click the
Device Policies node.

4. On the Device Policies window, click Add.

5. Click Passcode.

6. The Policy Information page is displayed. Configure the following:
Policy name: Passcode

Click Next.

7. For this exercise we will set a passcode policy for iOS, Mac OS X, Android, and
Windows Phone and Desktop/Tablet devices. Please ensure only these platforms are
selected.

8. The Policy Information window is displayed for iOS devices.
Configure the following settings:
Passcode required: On
Minimum length: 4
Maximum failed sign-on attempts: 4

Click Next.

9. The Policy Information window is displayed for Mac OS X devices.
Configure the following settings:
Passcode required: On
Minimum length: 6
Maximum failed sign-on attempts: 4

Click Next.

10. The Policy Information window is displayed for Android devices.
Configure the following settings:
Passcode required: On
Minimum length: 4
Maximum failed sign-on attempts: 4
Enable encryption: On

Click Next.

11. The Policy Information window is displayed for Windows Phone devices.
Configure the following settings:
Passcode required: On
Characters required: Numeric or alphanumeric
Minimum length: 4
Maximum failed sign-on attempts before wipe: 4

Click Next.

12. The Policy Information window is displayed for Windows Desktop/Tablet devices.
Configure the following settings:
Minimum passcode length: 6
Passcode expiration in days: 90
Passcode History: 10
Maximum Inactivity before device lock in minutes: 10

Click Next.

13. Apply the policy to AllUsers and click Save.

(We will use AllUsers for convenience in the lab – in production it is recommended to
add new Delivery Groups for all users.)

14. The Passcode policy is displayed.

15. On the Device Policies window, click Add.

16. On the right, scroll down to Custom and select Custom XML.

17. Ensure that only Windows Desktop/Tablet is selected under Platforms.

18. The first policy you will create is required to block the user from un-enrolling and
removing management from their device.
Configure the following:
Policy name: Windows Device – Block Un-enroll

Click Next.

19. In the next screen you will need to enter the XML content.
(Open File Explorer and browse to \\ad\software\Win 10 Custom XML.)

20. Right-click MDM Unenrollment.xml and open it with WordPad.

21. Highlight the text, then copy and paste it into the XML content window in the XenMobile
GUI.

Click Next, then click Save.

22. Repeat steps 15 – 18 to create another XML policy that will block the user from installing
any Windows Updates.

23. Configure the following:
Policy name: Windows Device – Block Updates

Click Next.

24. In the next screen you will need to enter the XML content.
(In File Explorer browse to \\ad\software\Win 10 Custom XML.)

25. Right-click Win Updates.xml and open it with WordPad.

26. Highlight the text, then copy and paste it into the XML content window in the XenMobile
GUI.

Click Next, then click Save.

27. Repeat steps 15 – 18 to create a final XML policy that can be used to perform a full
factory reset on the device in the event that it is lost or stolen.

28. Configure the following:
Policy name: Windows Device – Factory reset

Click Next.

29. In the next screen you will need to enter the XML content.
Browse to \\ad\software\Win 10 Custom XML.

30. Right-click Factory Reset.xml and open it with WordPad.

31. Highlight the text, then copy and paste it into the XML content window in the XenMobile
GUI.

Click Next, then click Save.

32. Later you will set up a Windows Information Protection (WIP) policy. This is a Windows
10 technology that protects against the potential leakage of enterprise data.

33. The last policy we are going to set up is to ensure Android devices receive policy
updates and new apps without user interaction. On iOS this is accomplished by
APNs; for Android devices we will set up a scheduler (interval or always connected).
Click Add again.

The Add a New Policy window is displayed. Select Scheduling and enable only the
Android platform to keep connected to the XenMobile Server.

34. Enter Schedule as the policy name. Disable the remaining platforms and click Next.

35. Accept the default option Always to permanently keep the device connected.

Click Next and assign the policy to the AllUsers delivery group. Then click Save.

36. You have now set up all the policies that we will use for this lab. We will now set up
Client Properties to enhance the user experience.

37. Click the Settings icon on the green ribbon and navigate to Client Properties.

38. The Client Properties are displayed. Click Enable Citrix PIN Authentication then
click Edit.

39. Change the Value parameter to true and click Save.

40. Configure the remaining Client Properties with the following settings.

Note: Some of the settings in the table below can be found on page 2.

Enable User Password Caching: true
Encrypt secrets using Passcode: true
Pin Strength Requirement: Medium
Pin Attempts: 5
Enable Touch ID Authentication: true

Exercise Summary
This completes the exercise to set up a simple passcode policy for all devices that enroll, ensuring basic
device security and device-level encryption are enabled across all devices. You have then created some
advanced policies that will be deployed later to Sales users' Windows 10 corporate devices. We have also
created the Secure PIN to allow for simple authentication against the NetScaler Gateway.
Exercise 4: Deploying and Configuring Apps
Overview
In this exercise you will create app categories within the XenMobile Server. You will then add
mobile, web and SaaS applications and assign them to the appropriate category.
In this exercise you will:
- Upload apps and assign them to XenMobile Store categories

Estimated time to complete this exercise: 15 Minutes

Virtual Machines Required For This Exercise

Student Desktop

Step by Step Guidance


Step Action
1. You should still have the XenMobile Admin console open; if not, browse to
https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 (unsafe) to accept the
certificate error.
Login with the following credentials:
Username: administrator
Password: Citrix123

2. On the green ribbon, click Configure then Apps.

3. Click Category.

4. The Categories window pops up. In the Add new category text box, enter Sales
Apps and click the plus sign in the green box.

5. Repeat steps 3-4 to add the following categories:
Engineering Apps, Office Apps, and Web Links.

6. The categories have been added.
Click the X in the top right corner to close the window.

7. Click Add.

8. In the Add App window, click the Web Link app type.

9. The Add Web App window is displayed. Configure the following settings:

App Name: Citrix
App description: Citrix Company site
URL: http://www.citrix.com
App is hosted in internal network: Off
App Category: Web Links

Click Next.

10. Assign to AllUsers and click Save.

11. Click Add again.

12. This time select MDX.

13. Configure the application as follows and click Next:

Name*: Secure Mail
App category: Office Apps

14. Deselect the Windows Phone and Windows Desktop/Tablet platform options on the
left.
Click Next.

15. In the iOS MDX App window, click Upload.

Select the file \\AD\Software\Mobile Apps\iOS Apps\SecureMail.mdx.

16. The iOS MDX App details and policy options appear.

17. Scroll down to the Network Access section and verify the following is selected:

Network access: Tunneled to the internal network

18. Scroll down to the App Settings section and configure the following settings:

Secure Mail Exchange Server: exchange.training.lab
Secure Mail user domain: training
Background network services: exchange.training.lab:443
Background network service gateway: <IP1 FQDN>:443

Note: Your IP1 FQDN is available on the portal page.
Example Only: 184-172-16-228.mycitrixtraining.net

19. Scroll down to Accept all SSL certificates and set it to On.

20. Scroll down to Push Notifications and set it to On.

Click Next.

21. In the Android MDX App window, click Upload.

Select the file \\AD\Software\XenMobile Apps\Android Apps\SecureMail.mdx.

22. The Android MDX App details and policy options appear.

23. Scroll down to the Network Access section and verify the following is selected:

Network access Tunneled to the internal network

24. Scroll down to the Application Settings section and configure the following settings:
Secure Mail Exchange Server: exchange.training.lab
Secure Mail user domain: training
Background network services: exchange.training.lab:443
Background network service gateway: <IP1 FQDN>:443

Note: Your IP1 FQDN is available on the portal page.
Example Only: 184-172-16-228.mycitrixtraining.net

25. Scroll down to Accept all SSL certificates and set it to On.

Click Next.

26. The Approvals window is displayed. Click Next to skip the Approvals window.

27. In delivery group assignments, apply to AllUsers and click Save to save the application
and its settings.

28. Secure Mail has been added to the App Store.

29. Repeat steps 11-12 of this exercise to add Secure Web.

30. Configure the application as follows:
Name: Secure Web
App category: Office Apps

31. Deselect the Windows Phone and Windows Desktop/Tablet platforms on the left.
Click Next.

32. In the iOS MDX App window, click Upload.

Select the file \\AD\Software\Mobile Apps\iOS Apps\SecureWeb.mdx.

33. The iOS MDX App details and policy options appear.

34. Scroll down to the Network Access section and ensure the following is configured:

Network Access: Tunneled to the internal network

Click Next.

35. In the Android MDX App window, click Upload.

Select the file \\AD\Software\Mobile Apps\Android Apps\SecureWeb.mdx.

36. The Android MDX App details and policy options appear.

37. Scroll down to the Network Access section and ensure the following is configured:

Network Access: Tunneled to the internal network

Click Next.

38. Click Next to skip the Approvals configuration.

39. Apply to AllUsers and click Save.

40. Secure Web has been added to the App Store.

41. You should continue to add the remaining MDX apps following this process, ensuring
that all are set to Tunneled to the internal network.

42. We will complete the delivery group assignments in a later exercise.

Exercise Summary
In this exercise we have uploaded a web clip and wrapped MDX apps to deploy to iOS and Android
devices. Next we will need to configure the delivery groups to assign the apps and policies to users.
Exercise 5: Assigning Resources to Delivery Groups
Overview
In this exercise students will create Delivery Groups within the XenMobile Server. Students will
then map Active Directory groups to those delivery groups and assign applications to the respective
delivery groups.
In this exercise you will:
- Create and edit delivery groups to assign resources such as apps and policies to users

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

Student Desktop

Step by Step Guidance


Step Action
1. You should still have the XenMobile Admin console open; if not, with Chrome browse to
https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 (unsafe) to accept the
certificate error.
Login with the following credentials:
Username: administrator
Password: Citrix123

2. Select the Configure tab, and on the green ribbon, click Delivery Groups.

3. Click Add.

4. Name the Delivery Group Sales.

Click Next.

5. The Select User Groups window is displayed.
Type Sales in the Include user groups text box and click the Search button.

6. The Sales group is enumerated. Click the checkbox next to the Sales group.
Click Next.

7. The Policies window is displayed. Drag the Windows Device – Block Un-enroll, Windows Device –
Block Updates and Passcode policies to the right to assign them to the delivery group.

Click Next.

8. The Applications window is displayed. We will not be assigning any apps.
Click Next.

9. The Actions window is displayed.
Click Next to skip.

10. The ShareFile window is displayed.
Click Next to skip.

11. In Enrollment Profile, Global should be selected.
Click Next.

12. The Summary page is displayed. Click Save.

13. The Sales delivery group is saved. Select the AllUsers delivery group and click Edit.

14. Click Next to edit the resources.

15. In Policies, Passcode and Schedule should be the only assigned policies. Click Next.

16. In Apps, remove all from Optional Apps, then drag Secure Mail, Secure Web and Citrix
to Required Apps.

Click Next 4 times, then Save to amend the AllUsers delivery group.

17. You may now close the browser tab or window.

Exercise Summary
In this exercise you have created specific delivery groups and assigned them to Active Directory security
groups so that BYO users and Sales users receive the Policies and Apps that they require.

Exercise 6: Configuring NetScaler using Wizards
Overview
In this exercise you will use the XenMobile Get Started wizard within the NetScaler
Configuration Utility to configure NetScaler Gateway for an Enterprise Store. The wizard will
create the virtual server, load balancing virtual server, policies, and profiles necessary to
connect to the enterprise store on the XenMobile Server.

In this exercise you will:

- Configure NetScaler Gateway to provide microVPN access for XenMobile apps
- Load balance MDM and MAM traffic between the XMS and mobile devices

Estimated time to complete this exercise: 15 Minutes

Virtual Machines Required For This Exercise

Student Desktop NetScaler

Step by Step Guidance


Step Action
1. On the Student Desktop, launch Google Chrome.

citrix.com 63
Step Action
2. Browse to http://192.168.10.50

Log in with the following credentials:

Username  nsroot
Password  nsroot

Click Log On.

Note: nsroot/nsroot is the factory default for the NetScaler administrator account, and the lab management interface is reached over plain HTTP. On any appliance outside this lab, change the nsroot password and manage the appliance over HTTPS only.

3. On the NetScaler Configuration tab, in the Integrate with Citrix Products section, click XenMobile.

Deploying with XenMobile 10 should be displayed. Click Get Started.

4. In the NetScaler for XenMobile window click Continue.

5. Configure the following settings:

IP Address  192.168.10.92
Port  443
Virtual Server Name  XenMobileGateway

Click Continue.

6. In Server Certificate for NetScaler Gateway a wildcard certificate has already been installed; select it and click Continue.

If you receive a warning to validate the certificate, it is because the certificate chain is linked up to, but does not include, the Root CA certificate. Click Continue.

7. Configure the following LDAP Authentication Settings:

IP Address  192.168.10.11
Port  389
Base DN  dc=training,dc=lab
Service account  administrator@training.lab
Password  Citrix123
Confirm Password  Citrix123
Server Logon Name Attribute  sAMAccountName

Click Continue.

Note: A best practice is to bind with a dedicated, least-privileged service account rather than a domain administrator. For this lab environment and exercise we are using the administrator account. Port 389 is plain LDAP, so the bind credentials and the users' passwords cross the network unencrypted; in production use LDAPS (port 636) to the domain controllers.

8. Configure the following App Management Settings:

Load Balancing FQDN for MAM  IP2 FQDN
Load Balancing IP address for MAM  192.168.10.21
Port  8443
Communication with XenMobile Server  HTTPS (SSL traffic configuration)

Note: Your IP2 FQDN is available on the portal page; this is now also your XMS hostname.
Example Only: 184-172-16-

We will leave the MicroVPN options as default. Click Continue.

9. Select the wildcard.citrixtraining.lab certificate for the gateway load balancer SSL communication and click Continue.

If you receive the certificate warning again, click Continue.

10. Add the XenMobile Server by clicking Add Server:

Site1-XMS1  192.168.10.20

11. Click Load Balance XenMobile Servers.

12. The Load Balancing Virtual Server Configuration window comes up.
Configure the following settings:

IP Address  192.168.10.93
Name  XenMobileMDM

The communication is already configured as SSL Bridge: NetScaler passes the TLS session through to the XenMobile Server without terminating it, which is required because MDM enrollment relies on client certificates presented end to end. Click Continue.

13. Confirm that the XenMobile server has been added automatically and click Continue.

14. Click Done.

15. NetScaler Gateway and XenMobile Server Load Balancing should be reported as “up”.
There is a connectivity test to confirm the configuration if required.

Exercise Summary
In this exercise we have configured a basic setup of the NetScaler to provide a remote access or
microVPN gateway for devices to connect to internal resources. We have also configured Load Balancing
across the MDM and MAM communications enabling us to easily scale the deployment by adding
additional XMS nodes.

Module2: Advanced Configuration
Exercise 7: XenMobile Server Fine Tuning
Overview
In this exercise we will leverage the fine-tuning recommendations from Citrix Consultants. You
will focus on the settings that are most frequently configured to optimize the XenMobile server’s
integration with SQL and Active Directory. Please check the Tuning XenMobile Operations
pages on docs.citrix.com for full details.

In this exercise you will:

 Apply global server properties to optimize the XenMobile server
 Optimize Android device notifications

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

Student Desktop, XMS

Step by Step Guidance


Step Action
1. On the Student Desktop open the Google Chrome browser

2. Browse to https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 to accept the certificate error.

Log in with the following credentials:

Username  administrator
Password  Citrix123

Click Sign in.

3. First we will set the size of the connection pool between the XenMobile Server and the SQL database. Citrix recommends 200 connections for deployments of fewer than 5000 devices.
Click the Settings icon on the green ribbon.

Navigate to Server Properties

4. Click Add to add a custom server property

5. Configure the following custom key settings
Key hibernate.c3p0.max_size
Value 200
Display Name hibernate.c3p0.max_size=200
Description DB Connections to SQL

Click Save

6. To activate the changes you must reboot the XenMobile Server. Click OK; the reboot is performed once at the end of this exercise (step 27), after the remaining properties have been set.

7. Next we will optimize the connection between the XenMobile Server and Apple APNs,
which is recommended for large iOS deployments.
In the server properties window search for Push Services

8. Select the Push Services Heartbeat Interval and select Edit

9. Update the value to 12 and click Save

10. Click OK on the warning to reboot the XenMobile Server

11. To improve communication from the XenMobile Server to Apple APNs we will also increase the APNs connection pool, so that push notifications are sent promptly and iOS apps are deployed without delay.
In the XenMobile Server Properties page search for Connection Pool
12. Update the value to 10 and click Save

13. Click OK on the warning to reboot the XenMobile Server

14. The final global server property to edit will enable two-step iOS enrollment to improve
the user experience.
In the server properties window search for iOS Device Management

15. Select iOS Device Management Enrollment Install Root CA if Required and click
Edit

16. Update the value to false and click Save

17. Next we will optimize the experience for Android devices by registering XenMobile with Firebase Cloud Messaging, which delivers push notifications to Android.

Open a new tab in your browser and go to:
https://console.firebase.google.com

Log in with your Google account credentials. The project you create is not tied to the lab and can be deleted after the lab has completed. If you do not have a Google account you can register at https://myaccount.google.com
18. Select Create a new project

19. Enter a project name as SUM602Lab and click on Create

20. In your project click on the gear symbol then select Project Settings

21. Select the Cloud Messaging tab to reveal the Server Key and Sender ID.

Keep the window open as you will need to copy these settings across to the XenMobile Server. Treat the Server Key as a credential: anyone holding it can send push messages to every device registered under this project.

22. Go back to the XenMobile server console at https://192.168.10.20:4443

If the console has timed out, log in with the following credentials:

Username  administrator
Password  Citrix123

23. Click on Settings

24. Navigate to Server and select Google Cloud Messaging

25. You will be prompted to enter an API Key and Sender ID. Copy the Server key from the
Firebase console to the API Key setting and then populate the Sender ID

Click Save

26. You have now completed the configuration and may close the browser.

27. In the XenCenter console, reboot the XMS server to activate the property changes made in this exercise.

Exercise Summary
In this exercise you have configured XenMobile server optimizations for iOS and Android devices as
recommended by Citrix consultants.

Exercise 8: Mobile Device Enrollment
Overview
In order for XenMobile Server to manage mobile devices, the Secure Hub client must be installed and configured on the endpoint device. In this exercise, you will install Secure Hub, enroll your device with the XenMobile server and install the required mobile apps.

In this exercise you will:

 Enterprise-enroll an iOS or Android device

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

Just your smartphone or tablet

Step by Step Guidance


Step Action
1. iOS: Download and install Secure Hub by Citrix from the Apple App Store.
Android: Download and install Secure Hub from the Google Play Store.

2. After installation is complete, launch the Secure Hub app.

3. You are prompted for the server URL, UPN or e-mail address. Enter the IP2 FQDN.

Your IP2 FQDN is available from the portal page.
Example Only: 184-172-16-134.mycitrixtraining.net

Tap Next.

4. Tap Yes to enroll your device.

5. Enter the user credentials:

Username:  user1
Password:  Citrix123

Tap Next.

6. iOS: A browser message "Enroll Your iPhone/iPad" will appear.
Android: You are prompted to activate the Device Administrator. Tap Activate.

7. iOS: In the following steps the device will be prepared for corporate usage. You will go through the tasks to install the following profiles:

 XenMobile CA
 XenMobile Profile Service
 MDM Configuration

For each of these you need to confirm the installation, enter the device PIN and confirm that you trust the management.

8. iOS: Tap Done to continue. When prompted, tap Open.
Android: Secure Hub will ask for a PIN code, as defined in Client Properties in the XenMobile Server configuration.

Note: Your PIN cannot be consecutive numbers (e.g. 123456).

9. iOS: Secure Hub has enrolled your device against the MDM service and will SSO to the MAM instance (Authenticating). Secure Hub will then ask for a PIN code, as defined in Client Properties in the XenMobile Server configuration. Enter and confirm your 6-digit PIN code.

Note: Your PIN cannot be consecutive numbers (e.g. 123456).

Android: If you do not have a screen lock configured, you are prompted to configure your screen lock settings. Specify a PIN in the settings.

10. iOS: You need to confirm that Secure Hub is allowed to use the device's location service.
Android: Some Android devices require you to allow installation of apps from unknown sources before Secure Web and Secure Mail can be installed. This is done in Settings > Security > Unknown Sources. Re-disable it once the apps are installed, since it also permits sideloading of any untrusted APK.

11. iOS: If you are running iOS 10 you will be prompted to enable a Secure Hub VPN configuration. Tap OK then Allow. A VPN configuration will then be added; you will need to authenticate with Touch ID or the device passcode to allow this.
Android: Tap Add apps from the Store to access the enterprise store.

12. iOS: The apps marked as required will now be pushed to your device. Tap Install.
Android: Ensure all available applications in the XenMobile Store are installed on your device by selecting each app, then tapping Add to install.

13. iOS: The XenMobile apps are now being pushed to your device from the iTunes App Store, so depending on your account settings you may be prompted to enter your iTunes Store password.
Android: The XenMobile apps are now being pushed to your device from the Google Play Store; when prompted, tap Install.

14. All apps will now be installed and accessible on your home screen (the springboard on iOS).

Exercise Summary
You have now successfully enrolled a mobile device, downloaded a policy and some business apps.

Exercise 9: Enroll and locate Windows 10 Desktop/Tablet
Overview
In this exercise you will enroll a Windows 10 desktop in order to bring the device under management. The policies configured earlier will be applied and will remove the ability for users to perform updates and to un-enroll from the XenMobile server.
This exercise will also show you how to issue the Locate command from the XenMobile console
to find Windows 10 devices.

In this exercise you will:

 Enroll the Windows 10 virtual machine
 Locate Windows 10 devices by issuing a Locate command

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required For This Exercise

Win10Client

Step by Step Guidance


Step Action
1. First, due to the networking configuration in the lab, we will need to edit the hosts file to enable Windows 10 enrollment.
Within XenCenter, select the Win10Client virtual machine and click the Console tab.
Log in with the following account:

Username  Sales1
Password  Citrix123

2. On the desktop, right-click the hosts file and open it with Notepad.

3. The IP address of the XMS server has already been added; update the FQDN on that line to match the IP2 FQDN (Enrollment FQDN) from the lab portal page.

4. Save the changes to the hosts file.

5. Next replace the live hosts file with the edited copy. In Windows Explorer browse to c:\windows\system32\drivers\etc and copy and replace the file (this requires administrator rights).
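The hosts-file change in steps 3 to 5, as an added Python example that is not part of this guide or of Citrix's tooling. It rewrites the XMS line to carry the enrollment FQDN, drops any stale mapping of that name, checks that the result resolves as intended and builds the MDM URL used later in this exercise. The FQDN value is the guide's example; the sample hosts content is constructed.

```python
"""Rewrite the Windows hosts file so the enrollment FQDN resolves to the XMS.

Added example for this lab guide, not Citrix tooling. It performs steps 3 to 5
above as a pure text transformation, so the result can be checked before it is
copied over C:\\Windows\\System32\\drivers\\etc\\hosts. The FQDN below is the
guide's example value; substitute the IP2 FQDN from your own portal page.
"""
import ipaddress
import re

XMS_IP = "192.168.10.20"                                  # XMS address used throughout the lab
ENROLLMENT_FQDN = "184-172-16-134.mycitrixtraining.net"   # example only; use your IP2 FQDN

# Constructed sample of the hosts file as shipped on Win10Client: the XMS line
# is present but still carries a placeholder name (step 3 replaces it).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.10.20   xms.training.lab
"""

_FQDN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def _fields(line: str) -> list:
    """Tokens of a hosts line with any trailing comment removed."""
    return line.split("#", 1)[0].split()


def set_host_entry(hosts_text: str, ip: str, fqdn: str) -> str:
    """Return hosts_text with exactly one uncommented mapping of fqdn to ip.

    The first line already carrying `ip` gets `fqdn` as its name (what step 3
    does by hand); any other line that maps `fqdn` is dropped, because a stale
    duplicate would otherwise win or lose depending on which line comes first.
    Comments and unrelated entries are preserved, and the result is idempotent.
    """
    ipaddress.ip_address(ip)                 # raises ValueError on a malformed address
    if not _FQDN.fullmatch(fqdn):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")

    kept, updated = [], False
    for line in hosts_text.splitlines():
        fields = _fields(line)
        if fields and fields[0] == ip and not updated:
            kept.append(f"{ip}\t{fqdn}")
            updated = True
            continue
        if fields and fqdn.lower() in (h.lower() for h in fields[1:]):
            continue                          # stale or duplicate mapping for this name
        kept.append(line)
    if not updated:
        kept.append(f"{ip}\t{fqdn}")          # no XMS line yet: add one
    return "\n".join(kept) + "\n"


def lookup(hosts_text: str, name: str):
    """Resolve name the way the hosts file does: first uncommented match wins."""
    for line in hosts_text.splitlines():
        fields = _fields(line)
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


def mdm_enrollment_url(fqdn: str) -> str:
    """The MDM URL typed into Windows 10 when AutoDiscovery is absent (step 11 below)."""
    return f"{fqdn}:8443/zdm/wpe"


if __name__ == "__main__":
    updated = set_host_entry(SAMPLE_HOSTS, XMS_IP, ENROLLMENT_FQDN)
    print(updated)
    print(ENROLLMENT_FQDN, "->", lookup(updated, ENROLLMENT_FQDN))
```

Running the function on the real file and diffing its output against the original before copying it into the etc directory catches a mistyped FQDN or IP before the enrollment attempt fails with an unhelpful error.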
6. You can now begin to enroll the Windows 10 Desktop into the XenMobile server. On the
start menu click on the Settings Icon

7. Click on Accounts

8. Click on Access Work or School

9. In Connect to work or school, click Connect.

10. In the Set up a work or school account menu enter sales1@training.lab

Click Next

11. You will receive an error message because AutoDiscovery has not been set up for the lab. Enter the following settings to enroll:

Email Address  sales1@training.lab
MDM URL  IP2FQDN:8443/zdm/wpe

Click Next

12. You will be prompted to enter your login credentials. Enter the following:

Username  sales1
Password  Citrix123

Click Continue

13. The Windows 10 desktop is now MDM enrolled. Click Finished.

14. You can confirm that the desktop policies have applied by checking the restricted services: we will attempt to remove the MDM enrollment. Click on the existing MDM enrollment.

15. Click Disconnect to remove the enrollment.

16. You will receive a prompt that the work or school account cannot be removed by system policy. Click Yes.

17. Your Windows 10 desktop is now fully MDM enrolled.
18. Locating the Device:
XenMobile console administrators can now locate Windows 10 phones, desktops, and
tablets. The locate feature is already available for iOS and Android devices. When you
issue a locate command, the XenMobile Server communicates directly with the device.

19. From the XenMobile console, click Manage > Devices.

Select the device you would like to locate and click Secure.

20. In Security Actions, Click Locate

21. In the pop-up window, Click Device Locate

22. Select the device, click Show more to get to the Device details page.

23. The Device details page will show the status of the location request.

Once the device connects to the environment, a map displaying the location will be available. The position is reported by the device itself, so the result is only as trustworthy as the device and its location services.

Exercise Summary
In this exercise you have worked through the basic steps to enroll a Windows 10 desktop. The steps used here are the same on a phone or tablet, as the MDM functions are part of the Windows 10 universal operating system. Additional policies could now be added through the MDM policies or through Custom XML policies, as detailed in the Microsoft configuration service provider (CSP) reference for OMA-DM.
You also used the new Locate feature to find a Windows 10 device enrolled in the environment.

Exercise 10: Windows Information Protection device policy
Overview
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), is a Windows 10 technology that protects against the potential leakage of enterprise data. Data leakage can occur through sharing of enterprise data to non-enterprise protected apps, between apps, or outside of the network of your organization.
This policy enables you to specify an enforcement level that affects the user experience. For example, you can:

 Block any inappropriate data sharing.
 Warn about inappropriate data sharing and allow users to override the policy.
 Run WIP silently while logging and permitting inappropriate data sharing.

In this exercise you will:

 Create an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate to add to your WIP device policy.
 Create a device policy in XenMobile to specify the apps that require Windows Information Protection when the enforcement level is set to Override.

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required For This Exercise

Windows 10 client, XMS

Step by Step Guidance
Step Action
1. First you will have to create an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate before you can fully configure your WIP policy.
Within XenCenter, select the AD.training.lab virtual machine and click the Console tab. Log in with the following account:

Username  administrator
Password  Citrix123

2. Launch a command prompt and change to the directory where you want to store the certificate:
cd c:\software\certificates
Run the command: cipher /r:EFSRA (or any name you choose)
Type the password: Citrix123
Confirm the password to protect your .pfx file.

The command cipher /r:EFSRA creates EFSRA.cer and EFSRA.pfx in the current directory. The .pfx holds the DRA private key, which can decrypt any WIP-protected file in the organization; outside the lab, keep it offline under strict access control and never distribute it to clients.

3. Log out of AD.training.lab and proceed to create your WIP device policy in the
XenMobile console.

4. On the Student Desktop open the Google Chrome browser

5. Browse to https://192.168.10.20:4443. Click Advanced then Proceed to 192.168.10.20 (unsafe) to accept the certificate error.

Log in with the following credentials, then click Sign in.

Username  administrator
Password  Citrix123

6. Next we will import the EFS DRA certificate into the XenMobile Server so that it can be added to the WIP policy.
Go to Settings, click Certificates and then click Import.

EFSDRA is the Encrypting File System Data Recovery Agent certificate; the name of the certificate can be changed.

7. Configure the following settings:

Import  Keystore
Keystore type  PKCS#12
Use as  Server
Keystore file  EFSRA.pfx (browse to \\Ad\Software\Certificates)
Password  Citrix123

Click Import

8. Now configure a WIP policy to Warn users when inappropriate data sharing between
Enterprise and non-enterprise Apps is attempted.
Go to Configure > Device Policies and add the Windows Information Protection policy
Add Policy Name: WIP

Click Next

9. In the app list set iexplore.exe to Denied and set MicrosoftEdge store app to
Allowed.

10. Scroll down and configure the following WIP policy settings:

Enforcement Level  2-Override
Protected Domain Names  training.lab
Data Recovery Certificate  Select the CN=Administrator certificate from the drop-down
Network domain names  training.lab
IP range  192.168.10.100-192.168.10.201

Click Next.

11. Apply the policy to AllUsers and click Save.

(We use AllUsers for convenience in the lab; in production it is recommended to create dedicated delivery groups for the users who should receive WIP.)
12. Now create a file that is protected by WIP (and therefore recoverable with the EFS DRA certificate).
In the XenCenter console log on to Win10Client.

13. Open an app on your protected app list, then create and save a file so that it is encrypted by WIP. The file icon will show a briefcase indicating it is protected.

Launch Notepad, type some text, then select File > Save and save to the Win10 desktop. When saving, Notepad offers the option to save the file as Work or Personal. Select Work.

Close the file.

14. Go to your Google Drive, or any other personal location, using the Microsoft Edge browser.

Upload the Notepad work document (Workfile) that you saved to the desktop in the previous step. You will receive a warning pop-up asking permission to "change the content to personal".

Select Change to personal to transfer the file to the non-enterprise location, in this instance Google Drive.

15. Now go to your Google Drive, or other non-enterprise location, using Internet Explorer.

From the same Windows 10 desktop in XenCenter, launch Internet Explorer and connect to your Google Drive. Upload the Notepad work document (Workfile) that you saved to the desktop. You will receive the warning pop-up asking to "change the content to personal".

Click Change to personal to upload the file to Google Drive.

16. In both instances the behavior was the same because the WIP policy is set to Override: the user is warned but can still move the data out, and the override is written to the audit log. You can continue the exercise by setting the policy to Block and observing the outcome.
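An added Python example, not part of this guide or of Microsoft's or Citrix's code, that models the WIP decision for the policy as configured in steps 9 and 10 and reproduces the outcomes observed in steps 14 to 16. It assumes the standard WIP enforcement-level numbering (0 off, 1 silent, 2 override, 3 block), which matches the three behaviours listed in the overview; the policy values are the ones entered above. Changing `enforcement_level` to `BLOCK` shows the outcome the last sentence of step 16 asks you to observe.

```python
"""Simulate the WIP decision for the policy configured in steps 8 to 11.

Added example for this lab guide; not Citrix or Microsoft code. It models the
enterprise network boundary (protected identity domains, network domains and
IP ranges) and the app rules exactly as entered above, using the WIP
enforcement levels (assumed mapping: 0 off, 1 silent, 2 override, 3 block).
Use it to predict, before pushing a policy, which transfers will be warned,
blocked or silently audited.
"""
import ipaddress
from dataclasses import dataclass, field

OFF, SILENT, OVERRIDE, BLOCK = 0, 1, 2, 3


@dataclass
class WipPolicy:
    enforcement_level: int
    protected_domains: list       # identity domains whose users' data is work data
    network_domains: list         # hosts under these domains are enterprise locations
    ip_ranges: list               # "start-end" strings, as typed into the console
    allowed_apps: set             # apps permitted to handle work data
    denied_apps: set = field(default_factory=set)   # apps explicitly excluded
    _ranges: list = field(init=False, default_factory=list, repr=False)

    def __post_init__(self):
        # Parse the console's "start-end" syntax once; fail loudly on bad input.
        for rng in self.ip_ranges:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted IP range: {rng}")
            self._ranges.append((lo, hi))

    def is_work_identity(self, upn: str) -> bool:
        """Data created under an identity in a protected domain is work data."""
        return upn.rpartition("@")[2].lower() in {d.lower() for d in self.protected_domains}

    def is_enterprise_host(self, host: str) -> bool:
        """True if host (name or IP) lies inside the enterprise network boundary."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            doms = [d.lower() for d in self.network_domains]
            return any(host == d or host.endswith("." + d) for d in doms)
        return any(lo <= addr <= hi for lo, hi in self._ranges)

    def decide(self, app: str, dest_host: str, work_data: bool) -> str:
        """Outcome when `app` sends data to `dest_host`: allow, audit, warn or block."""
        if not work_data or self.enforcement_level == OFF:
            return "allow"          # personal data is never governed by WIP
        app_ok = app in self.allowed_apps and app not in self.denied_apps
        if app_ok and self.is_enterprise_host(dest_host):
            return "allow"          # work data staying inside the boundary
        return {SILENT: "audit", OVERRIDE: "warn", BLOCK: "block"}[self.enforcement_level]


# The policy exactly as configured in steps 9 and 10 of this exercise.
LAB_POLICY = WipPolicy(
    enforcement_level=OVERRIDE,
    protected_domains=["training.lab"],
    network_domains=["training.lab"],
    ip_ranges=["192.168.10.100-192.168.10.201"],
    allowed_apps={"MicrosoftEdge"},
    denied_apps={"iexplore.exe"},
)


if __name__ == "__main__":
    for app, dest in [("MicrosoftEdge", "drive.google.com"),
                      ("iexplore.exe", "drive.google.com"),
                      ("MicrosoftEdge", "files.training.lab"),
                      ("MicrosoftEdge", "192.168.10.150")]:
        print(f"{app:14} -> {dest:20} {LAB_POLICY.decide(app, dest, work_data=True)}")
```

Both browsers uploading the Workfile to Google Drive come back as "warn", which is what steps 14 and 15 showed: Edge is an allowed app but the destination is outside the boundary, and Internet Explorer is denied outright. The same file going to a host under training.lab or to an address inside the configured IP range is allowed without a prompt.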

Exercise Summary
In this exercise, you created an EFS DRA certificate, imported it into the XenMobile Server and created a WIP policy that warns Windows 10 users about inappropriate data sharing between enterprise and non-enterprise apps.

Exercise 11: Mobile access to ShareFile Storage Zones
Overview
In this exercise you will enable secure mobile access to an existing CIFS data repository through the XenMobile server, without requiring a ShareFile control plane. This configuration provides document access from mobile devices only; for a fully featured ShareFile deployment, customers can later change the configuration to support ShareFile Enterprise.

In this exercise you will:

 Configure the ShareFile StorageZone connector
 Integrate the XenMobile Server with the ShareFile StorageZone

Estimated time to complete this exercise: 15 Minutes

Virtual Machines Required For This Exercise

SZC, Student Desktop

Step by Step Guidance


Step Action
1. Select the SZC virtual machine and go to the Console tab.

Log in with the following credentials:

Username:  training\administrator
Password:  Citrix123

2. Launch the IIS Manager console from the Start menu.

3. In IIS Manager click the SZC web server node, then double-click ISAPI and CGI Restrictions.

4. Ensure the ASP.NET v4.0.30319 extensions are set to Allowed.

5. In IIS Manager click the SZC web server node to return to the SZC home page, then double-click Server Certificates.

6. A self-signed certificate should be installed on the server; otherwise use the Actions menu to install a new certificate.

7. In IIS Manager expand Sites and select Default Web Site.

8. In the Actions menu click Bindings.

9. We need to add a new binding for SSL. Click Add.

10. Set the following settings then click OK:

Type  https
IP Address  All Unassigned
Port  443
Host name  (leave blank)
SSL Certificate  szc certificate

Click Close.

11. Close the IIS Manager window. Next you will install the ShareFile StorageZones Controller.

12. Open File Explorer and browse to \\ad\software\ShareFile. Double-click the StorageCenter_4.3.0.4299 MSI file to run it.

13. Start the setup by clicking Next

14. Accept the license terms and click Next

15. Keep the default destination folder and click Next

16. Click Install

17. Deselect Launch StorageZones Controller Configuration Page and click Finish

18. Click Yes to restart the server

19. Once restarted, log in to the SZC server with the administrator credentials. To test the ShareFile setup, on the SZC server browse to http://localhost or https://localhost (ignore certificate errors).

20. Next we need to prepare the StorageZones Controller for XenMobile management without a ShareFile control plane.
Open File Explorer, browse to \\ad\software\ShareFile and locate the StorageZone binary zip file.
Please note that the following commands are also listed in the SF Connector Commands text file in this location.

21. Copy the StorageZone.Zip file to C:\inetpub\wwwroot\Citrix\StorageCenter\Tools

22. Right-click and go to the Properties of the sfconfig.zip file.

23. Click Unblock to clear the downloaded-file (mark-of-the-web) block, then click OK.

24. Extract the zip file to C:\inetpub\wwwroot\Citrix\StorageCenter\Tools

25. Open Command Prompt as the Administrator User

26. Run the following command to change directory:
cd c:\pstools

27. Run the following command to launch PowerShell as the Network Service account:
PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

28. Click Agree to run the Sysinternals tool.

29. A PowerShell window will open. Run the following command:
Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"

30. Run the final command to create the zone passphrase and set the SZC address:
New-Zone -Passphrase Citrix123 -ExternalAddress https://szc.training.lab

The passphrase protects the zone's storage encryption keys and is needed to recover or re-register the zone, so outside the lab choose a strong value and keep it somewhere safe.

The storage zone controller is now configured. You may now configure the connector from the XenMobile Server.

Close the PowerShell window.

31. On the Student Desktop open the Google Chrome browser

32. Browse to https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 to accept the certificate error.

Log in with the following credentials:

Username  administrator
Password  Citrix123

Click Sign in.

33. By default the XenMobile Server is configured to support ShareFile Enterprise. To set it up for StorageZone connectors only, you need to edit the server properties. Click on the Settings icon.

34. Under Server click on Server Properties

35. Edit the StorageZone Connectors supported property to SUPPORTED and click Save.

36. You will be prompted that to activate the changes you must reboot the XenMobile Server. Click OK.

37. Set the ShareFile configurator type to CONNECTORS and click Save.

You will again be prompted that to activate the changes you must reboot the XenMobile Server. Click OK.

38. In the XenCenter console reboot the XM10.7 server.

39. Once the XMS has rebooted you will need to log back in to the XMS web UI.
Browse to https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 to accept the certificate error.

Log in with the following credentials:

Username  administrator
Password  Citrix123

Click Sign in.

40. Click on Configure, then select ShareFile

41. The configure storage zone connector window should be displayed

42. First click on Manage StorageZones then enter the following settings:

Name  SZC
FQDN  szc.training.lab
Port  443
Secure Connection  ON
Administrator  administrator@training.lab
Password  Citrix123

Click Save, then click Close.

43. Click Add

44. Complete the following settings then click Next:

Connector Name  SZC
Description  CIFS Share
Type  Network
StorageZone  SZC
Location  \\server\files

45. Next we need to assign the delivery group access, select the AllUsers delivery group
and click Next

46. A summary window is displayed, click Save

47. The configuration is now complete

You may now test this by installing the ShareFile app v5.3 or later on your enrolled device.

Exercise Summary
In this exercise, you enabled secure mobile access to on-premises CIFS data, with the XenMobile server acting as the identity provider (IdP).

Exercise 12: Integrated Deployment with Published Apps
Overview
In this exercise you will integrate the XenMobile Server with the existing XenDesktop / XenApp 7.11 deployment. You will first enable secure remote access to the StoreFront server and then integrate XenMobile with the legacy PNAgent (XenApp Services) site, providing a single Enterprise Store from which mobile users can access native mobile, SaaS/web and published Windows apps and desktops.

In this exercise you will:

 Configure StoreFront to enable remote access
 Integrate the XenMobile Server with StoreFront

Estimated time to complete this exercise: 15 Minutes

Virtual Machines Required For This Exercise

DDC, Student Desktop

Step by Step Guidance


Step Action
1. Select the DDC virtual machine and go to the Console tab.

Log in with the following credentials:

Username:  training\administrator
Password:  Citrix123

2. Launch the Citrix StoreFront console from the Start menu.

3. When the Citrix StoreFront console opens, click the Server Group node on the left
side of the window.

4. On the right side of the window, select Change Base URL.

5. Ensure https://ddc.training.lab is in the Base URL textbox.

Click OK.

6. Select the Stores node. Click Configure Remote Access Settings

7. In the Configure Remote Access Settings window, check the Enable Remote
Access check box.

Then click Add from the NetScaler Gateway appliances section.

8. In the Add NetScaler Gateway Appliance window, configure the following settings:

Display Name  NSG
NetScaler Gateway URL  https://IP1 FQDN
Usage or role  Authentication and HDX Routing

Note: Your IP1 FQDN is available on the portal page.

Click Next.

9. In the Secure Ticket Authority section, click Add.

10. Type http://ddc.training.lab in the STA URL field and click OK. (The lab uses plain HTTP for the STA; in production use an HTTPS URL so that the ticket exchange between NetScaler Gateway and the STA is protected.)

11. Click Next

12. In the Authentication Settings enter the following:

Version  10.0 (Build 69.4) or later
Logon Type  Domain
Callback URL  https://IP1 FQDN

Click Create.

13. Click Finish.

The NetScaler Gateway configuration has been added.

14. Ensure the newly added NSG configuration is selected, then click OK to complete the remote access setup.

15. On the student desktop launch Chrome and browse to the XenMobile server console at https://192.168.10.20:4443

If the console has timed out, log in with the following credentials:

Username  administrator
Password  Citrix123
16. Click on Settings

17. Under Server click on the XenApp/XenDesktop node.

18. Enter the following settings:

Host  ddc.training.lab
Port  443
Relative Path  /Citrix/Store/PNAgent/config.xml
Use HTTPS  ON

Click Save.

You may view the relative path in StoreFront under XenApp Services URL.

19. You will now be able to view published Windows apps in the Secure Hub Enterprise Store. To launch them you will first need to install Citrix Receiver from the public app store.

Exercise Summary
In this exercise, you enabled integrated communication between the XenMobile Server and the StoreFront Server to provide a single Enterprise Store for Windows, SaaS, web and native apps from a mobile device.

Exercise 13: Smart Access to HDX Apps
Overview
A new feature in XenMobile 10.5 enables Smart Access to HDX applications, ensuring that only fully compliant devices can gain access to corporate resources. This configuration requires deeper integration between the XenMobile Server and StoreFront.

In this exercise you will:

 Install the XenMobile SAML certificate on StoreFront
 Configure the XenDesktop delivery group access policy
 Configure device compliance with XenMobile automated actions

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required For This Exercise

DDC, Student Desktop

Step by Step Guidance


Step Action
1. On the student desktop please launch Google Chrome

2. Browse to https://192.168.10.20:4443

Click Advanced then Proceed to 192.168.10.20 to accept the certificate error.

Log in with the following credentials:

Username  administrator
Password  Citrix123

Click Sign in.

3. Click on the Settings Icon

4. Click on Server Properties

5. Click on Add to add a custom server property

6. Set up a custom key with the following settings:

Key  Custom Key
Key  pna.smartaccess.flag
Value  true
Display Name  Smart Access
Description  Enables Smart Access for Mobile

Click Save, then click OK on the prompt to restart.

7. Click on the Settings icon once more

8. Click on Certificates

9. Select the XenMobile server SAML Certificate and click on Export

10. Ensure that Export private key is set to OFF and click Export. The SAML signing key must stay on the XenMobile Server; StoreFront only needs the public certificate to verify the signed Smart Access data.

11. Move the certificate file (certificate.pem) from the download directory of the Student Desktop to \\ad\software\certificates.

12. Once the SAML certificate has been exported, restart the XM 10.7 server using XenCenter.

13. This certificate is in PEM format. To import it into the StoreFront server you will need to convert it to CER (DER) format.
In XenCenter select the DDC virtual machine and go to the Console tab.

Log in with the following credentials:

Username:  training\administrator
Password:  Citrix123
14. Search for and open an MMC console


15. Click on File and then Add/Remove Snap-In

16. Select Certificates and click Add, Finish then OK

17. Expand Certificates – Personal to reveal the personal certificate folder. Right click on
this folder, highlight All Tasks and select Import

18. The Certificate Import Wizard will open, click Next

19. Browse to \\ad\software\certificates\certificate.pem and click Next

20. Select the option to place the certificate in the Personal store and click Next

21. Click Finish to Import the certificate and then OK.

22. In the MMC console locate the personal certificate store and right click on the
XMS.example.com SAML certificate, highlight All Tasks and click Export

23. The Certificate Export wizard will open, click Next

24. Select DER encoded binary X.509 (.CER) as the format and click Next

25. Browse to and name the cert C:\SmartCert\smartaccesscert.cer and click Next

26. Click Finish to complete the Export

27. Close the MMC console


28. On the desktop launch PowerShell

29. Run the following commands


$store = Get-STFStoreService -VirtualPath /Citrix/Store
Grant-STFStorePnaSmartAccess -StoreService $store -CertificatePath "C:\smartcert\smartaccesscert.cer" -ServerName "XMS server"

Enter Y to confirm.

30. Next we can configure Smart Access within XenDesktop. From the Start Menu launch
Citrix Studio

31. Select Delivery Groups in the navigation pane

32. Select User Delivery Group and click on Edit Delivery Group

33. On the Access Policy page, ensure Connections through NetScaler Gateway and
Connections meeting any of the following filters are checked

Click Add
34. Add an access policy with the following settings:
Farm XM
Filter XMCompliantDevice

Click OK

35. Click Apply to save the changes and click OK

36. The Smart Access integration is now complete. Next we need to configure Actions to
trigger device compliance rules.

On the Student desktop open a browser, launch the XenMobile Web Admin console
(https://192.168.10.20:4443) and log in
37. Click on Configure and then click on Actions

38. Click Add

39. Name the Action Information: Smart Access Compliance and click Next

40. In the details page set the following actions

Trigger User Property: Name Is User1
Action Mark the device Out of Compliance Is True
Delay 0 Hours

Click Next
Triggers can be set for Device Property, User Property and Installed App Name
41. Set the delivery group to All Users and click Next
42. Review the summary and click Save
43. Now, when a non-compliant device connects, the HDX apps will no longer appear in the
Store, and any HDX apps saved to the Springboard will fail to launch. You may now create
another action to send the user a notification that they are out of compliance.
44. Click on the Settings icon

45. Under Notifications click on Notification Templates

46. Click Add to create a new template

47. As we haven't set up an SMS or SMTP service, only Secure Hub notifications are available;
click No, set up later to ignore the prompt.

48. Create the following Template
Name HDX Apps blocked
Description Device out of Compliance
Type Ad hoc notification
Secure Hub Select Activated
Message Your device is not compliant…

Click Add
49. Repeat steps 37 and 38 to create a new automated action
50. Name the Action Information Notify Out of HDX App Compliance and click Next

51. Set the following action details
Trigger Device Property: Out of Compliance Is True
Action Send Notification: HDX Apps blocked
Interval 0 Hours, 1 Minute

Click Next
52. Assign to All Users delivery group and click Next
53. Save the configuration and test on your enrolled device

Exercise Summary
In this exercise we have configured smart access to HDX apps, ensuring only compliant devices can gain
access to corporate resources. If a device is marked out of compliance, the user is notified which
device is out of compliance and asked to take action to resolve it.
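The PEM to .cer conversion and the StoreFront binding from steps 13 to 29 can also be done in one PowerShell session on the DDC. This is an added example, not code from the lab guide or the StoreFront SDK documentation; it assumes the StoreFront PowerShell SDK is installed on the DDC and uses the lab file paths from steps 11 and 25.

```powershell
# Added example (not from the lab guide): convert the exported XenMobile SAML
# certificate from PEM to DER (.cer) and register it with the StoreFront store,
# replacing the MMC import/export of steps 13 to 27. Assumes the StoreFront
# PowerShell SDK is present on the DDC and the lab paths used above.

function Convert-PemCertificateToCer {
    param([string]$PemPath, [string]$CerPath)
    # X509Certificate2 loads a Base64 PEM certificate directly on Windows;
    # Export(Cert) returns the DER encoding that StoreFront expects
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PemPath)
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    New-Item -ItemType Directory -Path (Split-Path -Parent $CerPath) -Force | Out-Null
    [System.IO.File]::WriteAllBytes($CerPath, $der)
    return $cert
}

$pem = '\\ad\software\certificates\certificate.pem'   # lab path from step 11
$cer = 'C:\SmartCert\smartaccesscert.cer'               # lab path from step 25

$cert = Convert-PemCertificateToCer -PemPath $pem -CerPath $cer

# Sanity checks before trusting the file: the export in step 10 was done with
# "export private key" OFF, so the file must carry a public certificate only,
# and it must be the XMS SAML certificate (check subject and validity period)
if ($cert.HasPrivateKey) { throw 'Unexpected private key in exported certificate' }
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"NotAfter:   $($cert.NotAfter)"

# Grant Smart Access exactly as in step 29; the cmdlet prompts for confirmation
$store = Get-STFStoreService -VirtualPath /Citrix/Store
Grant-STFStorePnaSmartAccess -StoreService $store -CertificatePath $cer -ServerName 'XMS server'

# Show the resulting binding (cmdlet assumed to exist alongside Grant-/Revoke- in the SDK)
Get-STFStorePnaSmartAccess -StoreService $store
```

The StoreFront binding is tied to the certificate's validity period, so when the XenMobile SAML certificate is renewed the export and Grant-STFStorePnaSmartAccess must be repeated.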

Lab Guide Appendix

Bonus Exercise 1: Configuring Secure Web to Proxy Mobile Traffic
Overview
In order to ensure that Secure Web traffic is filtered through a web proxy to comply with
corporate policies it is necessary to configure Secure Web with a full VPN Tunnel. We can then
add some simple traffic policies on the NetScaler Gateway to proxy HTTP and HTTPS traffic
with a full SSO experience.
In this exercise you will:
Configure NetScaler Gateway traffic policies to proxy Secure Web traffic only.

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

Student Desktop VDA

Step by Step Guidance


Step Action
1. In XenCenter, select the VDA virtual machine and click the Console tab.

Login with the following credentials:


Username: training\user1
Password: Citrix123

2. Launch Microsoft Edge from the desktop and go to http://www.facebook.com

The proxy rules configured on this desktop report that access to the webpage is
forbidden.
3. On your Mobile device launch Secure Web and authenticate with your PIN if required

4. In Secure Web go to http://www.facebook.com. Currently, as traffic is not routed via the
proxy, this is allowed.

5. On the student desktop open Chrome and Browse to the NetScaler admin GUI on
http://192.168.10.50

Login with the following credentials:


Username nsroot
Password nsroot

Click Log On.

6. In the configuration screen expand NetScaler Gateway and select Virtual Servers

7. Select the _XM_XenMobileGateway virtual server then select Edit

8. Scroll down to the Policies section and click +

9. Under Policies Choose Traffic and click Continue

10. Under Policy Binding, Select Policy click +

11. Enter a name for the policy as Proxy_Secure_Web_Only, then under
Request Profile click +

12. Create a session profile with the following settings

Name Secure_Web_Proxy
Protocol http
AppTimeout 2
Single Sign-on On
Proxy 192.168.10.70:8080
Port 8080

Scroll down and click Create

13. In the create traffic policy window add the following expression (copy and paste)
REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb || REQ.HTTP.HEADER User-Agent CONTAINS MDXSecureBrowserIOS

Click Create

14. Set the Binding Priority to 100 and select Bind

15. Under policies you should now see a traffic policy has been added

Click Done

16. On your Mobile device launch Secure Web and authenticate with your PIN if required

17. In Secure Web go to http://www.facebook.com; this will now be Forbidden

Exercise Summary
In this exercise you have successfully configured Secure Web traffic to be proxied so that
corporate policies can be applied to HTTP and HTTPS traffic through the corporate browser.

Bonus Exercise 2: Configuring 2FA Authentication
Overview
In order to provide two-factor authentication to specific enterprise applications you will integrate
the XenMobile Server and NetScaler Gateway with a RADIUS server. In the lab, SMS2 (a RADIUS
server) has been installed.

In this exercise you will:

 Configure NetScaler with SMS2 to provide RADIUS authentication
 Configure the XMS server and apps that require 2FA

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required For This Exercise

Student Desktop XMS NetScaler

Step by Step Guidance


Step Action
54. On the student desktop please launch Google Chrome

55. Browse to http://192.168.10.50

Login with the following credentials:


Username nsroot
Password nsroot

Click Log On.

56. In the configuration tab expand NetScaler Gateway and select Virtual Servers

57. Select the existing _XM_XenMobileGateway and click on Edit

58. Under Basic Authentication click on 1 LDAP Policy

59. Click on the existing 192.168.10.11_LDAP_pol to highlight the policy and click Unbind

60. Confirm that you wish to unbind the LDAP Policy by clicking Yes

61. Next we will create the RADIUS Authentication Policy. In Basic Authentication click +

62. In the Policies window set the following options then click Continue
Choose Policy Radius
Choose Type Primary

63. In the Policy Binding windows under Select Policy click +

64. The Create Authentication RADIUS Policy window will open. Name the policy
Radius_Pol

To configure the Radius Server, under Server click +

65. Configure the new RADIUS Authentication server with the following settings. Click on
Test Connection to verify the RADIUS server is correctly configured.

Name 2FA_Auth
Server Server IP
IP Address 192.168.10.70
Port 1812
Secret Key Citrix123
Confirm Secret Key Citrix123
Timeout 3 seconds

Click on More and scroll down to set Accounting to OFF

Click Create

66. Under expression add the expression ns_true

Click Create

Click Bind

67. To enable 2FA we need to add the LDAP Policy back. In Basic Authentication click on +

68. In the Policy window set the following then click Continue
Choose Policy LDAP
Choose Type Secondary

69. In Policy Binding click Click to select

70. Click on the existing 192.168.10.11_LDAP_pol and click Select

71. Click Bind to set the LDAP policy

72. In the VPN Virtual server screen scroll down to the Policies section and click on 3
Session Policies

73. Select the PL_OS_192.168.10.92 session policy (native mobile traffic) and under Edit
click on Edit Profile

74. Click on the Client Experience tab

75. Scroll down to Credential Index and set to Secondary

Click OK

The NetScaler Gateway configuration for 2FA is complete. Click Close then click Done

76. In Chrome browse to the XenMobile Admin GUI
https://192.168.10.20:4443

Login with the following credentials:


Username administrator
Password Citrix123

Click Sign in.

77. Click the Settings icon on the green ribbon.

Navigate to Server>NetScaler Gateway

78. Select the existing NetScaler Gateway and click Edit

79. Set the logon type to Domain and Security Token and click Save

The XMS server is now also configured.

80. For this lab we will use the Google Authenticator app to generate the soft tokens. You
will need to install this app from the Public App Store (iTunes or Google Play) before
proceeding

81. In XenCenter select the Server VM and go to the Console tab

Login with the following credentials:

Username: training\administrator
Password: Citrix123

82. From the Start Menu launch the SMS2 Administration Console. (SMS2 is the free RADIUS
authentication product we are using in the lab)

83. Click on the User 1 account and click on Authentication Options

84. Click on the Auth Options tab

85. Set the Authenticator to Google Authenticator

86. Click on Generate Shared Secret then click on Save Configuration

87. Click OK to accept the updated record. A QR code will be generated in the window

88. Launch the Google Authenticator app from your device. Select Begin Setup and Scan
Barcode

89. Scan the barcode in the SMS2 Console

90. When the QR code successfully scans the Google Authenticator app will begin to
generate tokens for User 1. You may close the SMS2 console

91. In order to test the RADIUS and LDAP two-factor authentication configuration you will
need to re-enrol your device and follow the steps in Exercise 8. Prior to creating a new
Secure Hub PIN code you will be prompted to enter a security token. You should enter
the latest token from the Google Authenticator app.

Exercise Summary
In this exercise we have configured 2FA to secure enterprise apps and data.
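The token the Google Authenticator app shows in step 90 is a time-based one-time password derived from the shared secret generated in step 86, and the RADIUS server recomputes the same value to check it. The following added example (not part of the lab guide or SMS2) shows that computation; it assumes SMS2's Google Authenticator mode uses the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), and the secret used at the end is the RFC's published test vector, not a lab value.

```powershell
# Added example, not from the lab guide or SMS2: compute the Google Authenticator
# (RFC 6238 TOTP) code for a shared secret at a given time. Assumed defaults:
# HMAC-SHA1, 30 s time step, 6 digits, which is what the app uses for a standard QR code.

function ConvertFrom-Base32 {
    param([string]$Text)
    # Authenticator secrets are Base32 (RFC 4648); padding and spaces are ignored
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpper().Replace(' ', '').TrimEnd('=').ToCharArray()) {
        $bits += [Convert]::ToString($alphabet.IndexOf($c), 2).PadLeft(5, '0')
    }
    $bytes = New-Object byte[] ([int][math]::Floor($bits.Length / 8))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($bits.Substring($i * 8, 8), 2)
    }
    return ,$bytes
}

function Get-TotpCode {
    param([string]$Base32Secret, [datetime]$Time = [datetime]::UtcNow,
          [int]$Step = 30, [int]$Digits = 6)
    $key = ConvertFrom-Base32 $Base32Secret
    # Counter = whole time steps since the Unix epoch, encoded as 8 big-endian bytes
    $epoch = New-Object datetime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $counter = [long][math]::Floor(($Time.ToUniversalTime() - $epoch).TotalSeconds / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 (,$key)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation (RFC 4226): low nibble of the last byte selects a 4-byte window
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# RFC 6238 test vector (constructed check, not a lab secret): the ASCII seed
# "12345678901234567890" is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ in Base32 and yields
# 94287082 at 1970-01-01T00:00:59Z, i.e. "287082" as a 6-digit code
$check = New-Object datetime 1970, 1, 1, 0, 0, 59, ([DateTimeKind]::Utc)
Get-TotpCode -Base32Secret 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' -Time $check
```

Because the counter is derived from the clock, a phone or SMS2 server whose time drifts by more than the server's accepted window will reject valid tokens, which is the first thing to check if step 91 fails.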

Appendix B: Additional Resources and Information
WIP Policy
https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate

https://support.citrix.com/article/CTX224385

Authors
The following authors contributed to the creation of this deliverable.
Citrix
Christopher Friend
Citrix Systems UK
Chalfont Park, Gerrard’s Cross, Bucks, UK
Phone: +44 (0)1753 - 276200
christopher.friend@citrix.com

Revision History
Revision Change Description Updated By Date
1.0 Original Christopher Friend April 2017
1.1 Update Joslyn Bailey-White January 2018


Copyright © 2014 Citrix Systems, Inc. All rights reserved. [list Citrix trademarks (without ® or ™ symbols!) in document] are trademarks of Citrix
Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned
herein may be trademarks of their respective companies.
