Product Documentation

Apps

Jan 12, 2017

Enterprise Mobility Management (EMM) segments into Mobile Device Management (MDM) and Mobile Application Management (MAM). While MDM enables organizations to secure and control mobile devices, MAM facilitates application delivery and management. With the increasing adoption of BYOD, you can typically implement a MAM solution, such as XenMobile, to assist with application delivery, software licensing, configuration, and application life cycle management.

With XenMobile, you can go a step further to secure these apps by configuring specific MAM policies and VPN settings to prevent data leaks and other security threats. XenMobile provides organizations with the flexibility to deploy their solution as a MAM-only or an MDM-only environment, or to implement XenMobile as a unified XenMobile Enterprise environment that provides both MDM and MAM functionality within the same platform.

In addition to the ability to deliver apps to mobile devices, XenMobile offers app containerization through MDX technology. MDX secures apps through encryption that is separate from device level encryption; you can wipe or lock the app, and the apps are subject to granular policy-based controls. Independent software vendors (ISVs) can apply these controls using the Worx App SDK.

In a corporate environment, users rely on a variety of mobile apps to do their jobs. These can include apps from a public app store, in-house developed apps, and, in some cases, native apps. XenMobile categorizes these apps as follows:

  • Public apps: These apps include free or paid apps available in a public app store, such as iTunes or Google Play. Vendors outside of the organization often make their apps available in public app stores. This option lets their customers download the apps directly from the Internet. You may use numerous public apps in your organization depending on users' needs. Examples of such apps include GoToMeeting, Salesforce, and EpicCare apps.

Citrix does not support downloading app binaries directly from public app stores, and then wrapping them with the MDX Toolkit for enterprise distribution. If you need to wrap third-party applications, work with your app vendor to obtain the app binaries which you can wrap using the MDX Toolkit.

  • In-house apps: Many organizations have in-house developers who create apps that provide specific functionality and are independently developed and distributed within the organization. In certain cases, some organizations may also have apps that ISVs provide. You can deploy such apps as native apps or you can containerize the apps by using a MAM solution, such as XenMobile. For example, a healthcare organization may create an in-house app that allows physicians to view patient information on mobile devices. An organization can then use the MDX Toolkit to wrap the app in order to secure patient information and enable VPN access to the back-end patient database server.
  • Web and SaaS apps: These apps include apps accessed from an internal network (web apps) or over a public network (SaaS). XenMobile also allows you to create custom web and SaaS apps using a list of app connectors. These app connectors can facilitate single sign-on (SSO) to existing Web apps. For details, see App connector types. For example, you can use Google Apps SAML for SSO based on Security Assertion Markup Language (SAML) to Google Apps.
  • Citrix XenMobile Apps: These are Citrix-developed apps that are included with the XenMobile license. For details, see About XenMobile Apps. Citrix also offers other business-ready apps that ISVs develop by using the Worx App SDK.
  • HDX apps: These are Windows-hosted apps that you publish with StoreFront. If you have a Citrix XenApp and XenDesktop environment, you can integrate the apps with XenMobile to make the apps available to the enrolled users.

Depending on the type of mobile apps you plan to deploy and manage with XenMobile, the underlying configuration and architecture will differ. For example, if multiple groups of users with different levels of permissions will consume a single app, you may have to create separate delivery groups to deploy two separate versions of the same app. In addition, you must make sure the user group membership is mutually exclusive to avoid policy mismatches on users' devices.
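One way to check the mutually exclusive membership requirement before deployment, shown as an added example that is not part of the Citrix documentation. It does not call any XenMobile API; the delivery group names, user names, and the input structure are hypothetical and would come from an export of your directory group membership.

```python
from collections import defaultdict

# Constructed sample data: delivery group -> (app it delivers, user members).
# In practice, export the resolved user membership of the directory groups
# assigned to each delivery group; the names below are hypothetical.
DELIVERY_GROUPS = {
    "HCMail-Physicians": ("HCMail", {"adavis", "bchen", "cgomez"}),
    "HCMail-Contractors": ("HCMail", {"cgomez", "dpatel"}),
    "Vocera-Nurses": ("Vocera", {"bchen", "efox"}),
    "Vocera-OnCall": ("Vocera", {"gkim"}),
}


def find_overlaps(delivery_groups):
    """Return {app: {user: sorted list of delivery groups}} for every user
    who belongs to more than one delivery group that delivers the same app."""
    # app -> user -> set of delivery groups the user belongs to
    seen = defaultdict(lambda: defaultdict(set))
    for group, (app, members) in delivery_groups.items():
        for user in members:
            # Normalise case and whitespace so "CGomez" and "cgomez "
            # count as one account.
            seen[app][user.strip().lower()].add(group)

    overlaps = {}
    for app, users in seen.items():
        clashes = {u: sorted(g) for u, g in users.items() if len(g) > 1}
        if clashes:
            overlaps[app] = clashes
    return overlaps


if __name__ == "__main__":
    for app, users in sorted(find_overlaps(DELIVERY_GROUPS).items()):
        for user, groups in sorted(users.items()):
            print(f"{app}: {user} is in {', '.join(groups)}")
```

A user who appears in delivery groups for different apps (bchen in the sample data) is not flagged; only overlap between groups that deliver the same app can cause a policy mismatch of the kind described above.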

You may also want to manage iOS application licensing by using the Apple Volume Purchase Program (VPP). This option will require you to register for the VPP program and configure XenMobile VPP settings in the XenMobile console to distribute the apps with the VPP licenses. A variety of such use cases makes it important to assess and plan your MAM strategy prior to implementing the XenMobile environment. You can start planning your MAM strategy by defining the following:

  • Types of apps - List the different types of apps you plan to support and categorize them, such as public, native, Worx, Web, in-house, ISV apps, and so on. Also, categorize the apps for different device platforms, such as iOS and Android. This categorization will help with aligning different XenMobile settings that are required for each type of app. For example, certain apps may not qualify for wrapping, or a few apps may require the use of the Worx App SDK to enable special APIs for interaction with other apps.
  • Network requirements - You need to configure apps with specific network access requirements with the appropriate settings. For example, certain apps may need access to your internal network through VPN; some apps may require Internet access to route access via the DMZ. In order to allow such apps to connect to the required network, you have to configure various settings accordingly. Defining per-app network requirements helps in finalizing your architectural decisions early on, which will streamline the overall implementation process.
  • Security requirements - Defining the security requirements that apply to either individual apps or all the apps is critical to ensure that you create the right configurations when you install XenMobile server. Although settings such as the MDX policies apply to individual apps, session and authentication settings apply across all apps. Some apps may also have specific encryption, containerization, wrapping, authentication, geo-fencing, passcode, or data sharing requirements that you will need to outline in advance to simplify your deployment. For details on security in XenMobile, see Security and User Experience.
  • Deployment requirements - You may want to use a policy-based deployment to allow only compliant users to download the published apps. For example, you may want certain apps to require that device encryption is enabled or the device is managed, or that the device meets a minimum operating system version. You may also want certain apps to be available only to corporate users. You need to outline such requirements in advance so that you can configure the appropriate deployment rules or actions.
  • Licensing requirements - You should record app-related licensing requirements. These notes will help you to manage license usage effectively and to decide if you need to configure specific features in XenMobile to facilitate licensing. For example, if you deploy an iOS app, irrespective of whether it is a free or a paid app, Apple enforces licensing requirements on the app by making the users sign into their iTunes account. You can register for Apple VPP to distribute and manage these apps via XenMobile. VPP allows users to download the apps without having to sign into their iTunes account. Additionally, tools, such as Samsung SAFE and Samsung KNOX, have special licensing requirements, which you need to complete prior to deploying those features.
  • Blacklist/whitelist requirements - There may be apps that you do not want users to install or use at all. Creating a blacklist will define an out of compliance event. You can then set up policies to trigger in case such a thing happens. On the other hand, an app may be acceptable for use but may fall under the blacklist for one reason or another. If this is the case, you can add the app to a whitelist and indicate that the app is acceptable to use but is not required. Also, keep in mind that the apps pre-installed on new devices can include some commonly used apps that are not part of the operating system. This may conflict with your blacklisting strategy.

Use Case

A healthcare organization plans to deploy XenMobile to serve as a MAM solution for their mobile apps. Mobile apps are delivered to corporate and BYOD users. IT decides to deliver and manage the following apps:

XenMobile Apps: iOS and Android apps provided by Citrix. For details, see XenMobile Apps.

Citrix Secure Hub: Client used by all mobile devices to communicate with XenMobile. IT pushes security settings, configurations, and mobile apps to mobile devices via Secure Hub. Android and iOS devices enroll in XenMobile through Secure Hub.

Citrix Receiver: Mobile app that allows users to open XenApp-hosted applications on mobile devices.

GoToMeeting: An online meeting, desktop sharing, and video conferencing client that lets users meet with other computer users, customers, clients, or colleagues via the Internet in real time.

SalesForce1: Salesforce1 lets users access Salesforce from mobile devices and brings all Chatter, CRM, custom apps, and business processes together in a unified experience for any Salesforce user.

RSA SecurID: Software-based token for two-factor authentication.

EpicCare apps: These apps give healthcare practitioners secure and portable access to patient charts, patient lists, schedules, and messaging.

  • Haiku: Mobile app for the iPhone and Android phones.
  • Canto: Mobile app for the iPad.
  • Rover: Mobile apps for iPhone and iPad.

HDX: These apps are delivered via Citrix XenApp.

  • Epic Hyperspace: Epic client application for electronic health record management.

ISV:

  • Vocera: HIPAA compliant voice-over IP and messaging mobile app that extends the benefits of Vocera voice technology anytime, anywhere via iPhone and Android smartphones.

In-house apps:

  • HCMail: App that helps compose encrypted messages, search address books on internal mail servers, and send the encrypted messages to the contacts using an email client.

In-house web apps:

  • PatientRounding: Web application used to record patient health information by different departments.
  • Outlook Web Access: Allows the access of email via a web browser.
  • SharePoint: Used for organization-wide file and data sharing.

The following table lists the basic information required for MAM configuration.

| App Name | App Type | MDX Wrapping | iOS | Android |
|---|---|---|---|---|
| Secure Mail | XenMobile App | No for version 10.4.1 and later | Yes | Yes |
| Secure Web | XenMobile App | No for version 10.4.1 and later | Yes | Yes |
| Secure Notes | XenMobile App | No for version 10.4.1 and later | Yes | Yes |
| ShareFile | XenMobile App | No for version 10.4.1 and later | Yes | Yes |
| Secure Hub | Public App | N/A | Yes | Yes |
| Citrix Receiver | Public App | N/A | Yes | Yes |
| GoToMeeting | Public App | N/A | Yes | Yes |
| SalesForce1 | Public App | N/A | Yes | Yes |
| RSA SecurID | Public App | N/A | Yes | Yes |
| Epic Haiku | Public App | N/A | Yes | Yes |
| Epic Canto | Public App | N/A | Yes | No |
| Epic Rover | Public App | N/A | Yes | No |
| Epic Hyperspace | HDX App | N/A | Yes | Yes |
| Vocera | ISV App | Yes | Yes | Yes |
| HCMail | In-House App | Yes | Yes | Yes |
| PatientRounding | Web App | N/A | Yes | Yes |
| Outlook Web Access | Web App | N/A | Yes | Yes |
| SharePoint | Web App | N/A | Yes | Yes |

The following table lists specific requirements you can consult when configuring MAM policies in XenMobile.

| App Name | VPN Required | Interaction (with apps outside of container) | Interaction (from apps outside of container) | Device Encryption | Proxy Filtering | Licensing | Geo-fencing | Worx App SDK | Minimum Operating System Version |
|---|---|---|---|---|---|---|---|---|---|
| Secure Mail | Y | Selectively Allowed | Allowed | Not required | Required | N/A | Selectively Required | N/A | Enforced |
| Secure Web | Y | Allowed | Allowed | Not required | Required | N/A | Not required | N/A | Enforced |
| Secure Notes | Y | Allowed | Allowed | Not required | Required | N/A | Not required | N/A | Enforced |
| ShareFile | Y | Allowed | Allowed | Not required | Required | N/A | Not required | N/A | Enforced |
| Secure Hub | Y | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| Citrix Receiver | Y | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| GoToMeeting | N | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| SalesForce1 | N | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| RSA SecurID | N | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| Epic Haiku | Y | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| Epic Canto | Y | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| Epic Rover | Y | N/A | N/A | N/A | Not required | VPP | Not required | N/A | Not enforced |
| Epic Hyperspace | Y | N/A | N/A | N/A | Not required | N/A | Not required | N/A | Not enforced |
| Vocera | Y | Disallowed | Disallowed | Not required | Required | N/A | Required | Required | Enforced |
| HCMail | Y | Disallowed | Disallowed | Required | Required | N/A | Required | Required | Enforced |
| PatientRounding | Y | N/A | N/A | Required | Required | N/A | Not required | N/A | Not enforced |
| Outlook Web Access | Y | N/A | N/A | Not required | Required | N/A | Not required | N/A | Not enforced |
| SharePoint | Y | N/A | N/A | Not required | Required | N/A | Not required | N/A | Not enforced |