Citrix

Produktdokumentation



Ganzes Dokument herunterladen

Management Modes

Jan. 12, 2017

For each XenMobile instance (a single server or a cluster of nodes), you can choose whether to manage just devices, just apps, or both. XenMobile uses the following terms for device and app management modes, sometimes also referred to as deployment modes, discussed in detail in this section. 

  • Mobile Device Management mode (MDM mode)
  • Mobile App Management mode (MAM mode)
  • MDM+MAM mode (Enterprise mode)

Note: This section applies to XenMobile Cloud and XenMobile on-premises deployments.

Mobile Device Management (MDM Mode)

With MDM, you can configure, secure, and support mobile devices. MDM enables you to protect devices, as well as data on devices at a system level. You can leverage policies, actions, and security functions, such as selectively wiping a device if it becomes lost, stolen, or out of compliance. While per-app management is not available with MDM mode, you can deliver mobile applications, such as public app store and enterprise apps in this mode. Following are some examples of common use cases for MDM mode: 

  • MDM is a consideration for corporate-owned devices where device-level management policies or restrictions, such as full wipe, selective wipe, or geo-location are required.
  • When customers require management of an actual device, but do not require any MAM or MDX feature sets, such as app containerization, controls over app data sharing, or micro VPN.
  • If your users only need email delivered to their native email clients on their mobile devices and Exchange ActiveSync or Client Access Server is already externally accessible, you can use MDM to configure email delivery.
  • If you need to deploy native enterprise apps (non-MDX) or public app store apps.
    • Be sure to consider that a pure MDM solution alone might not prevent data leakage of confidential information between apps on the device, such as copy/paste or Save As in Office 365 apps.

Mobile App Management (MAM Mode)

MAM protects app data and lets you control app data sharing. MAM also allows for the management of corporate data and resources, separately from personal data. With XenMobile configured for MAM mode (also referred to as MAM-only mode to distinguish it from a legacy MAM mode), you can use MDX-enabled mobile apps to provide per-app containerization and control. By leveraging MDX policies, XenMobile provides app-level control over network access (such as micro VPN), app and device interaction, data encryption, and app access.

MAM mode is often suitable for BYO devices because, although the device is unmanaged, corporate data remains protected. MDX has more than 50 MAM-only policies that you can set without needing an MDM control or relying on device passcodes for encryption.

MAM also supports the full suite of XenMobile Apps, which include secure email delivery to Citrix Secure Mail, data sharing between the secured XenMobile Apps, and secure data storage in Citrix ShareFile. For details, see the XenMobile Apps documentation.

Note:  Worx Mobile Apps are renamed to XenMobile Apps as of the 10.4 release. Most of the individual XenMobile Apps are renamed as well. For details, see About XenMobile Apps.

MAM is often suitable for the following examples: 

  • You need to deliver mobile apps, such as MDX apps, managed at the app level.
  • You don't have a requirement to manage devices at a system level.

MDM+MAM (Enterprise Mode)

MDM+MAM is a hybrid mode, also referred to as Enterprise Mode, which enables all feature sets available in the XenMobile Enterprise Mobility Management (EMM) solution. Configuring XenMobile with MDM+MAM mode enables both MDM and MAM features. XenMobile lets you specify whether users can choose to opt out of device management or whether you require device management. This flexibility is useful for environments that include a mix of use cases, which may or may not require management of a device through MDM policies in order to access your MAM resources.

MDM+MAM is suitable for the following examples: 

  • You have a single use case in which both MDM and MAM are required; MDM is required to access your MAM resources.
  • Some use cases require MDM while some do not.
  • Some use cases require MAM while some do not. 

You specify the management mode for a XenMobile server through the Server Mode property in the XenMobile console, which can be MDM, MAM, or ENT (for MDM+MAM).

The XenMobile edition that you license determines the management modes and other features available, as shown in the following table.

XenMobile MDM Edition

XenMobile Advanced Edition

XenMobile Enterprise Edition

MDM features only

Secure Hub

QuickEdit

MDM and MAM features

MDX Toolkit

XenMobile Apps:

Secure Hub

Secure Mail  

Secure Web

QuickEdit

Secure Tasks

MDM and MAM features

MDX Toolkit

XenMobile Apps:

Secure Hub

Secure Mail

Secure Web

QuickEdit

Secure Tasks

ShareConnect

Secure Notes

ShareFile Enterprise Edition

Device Management and MDM Enrollment

A XenMobile Enterprise environment can include a mixture of use cases, some of which require device management through MDM policies to allow access to MAM resources. Before deploying XenMobile Apps to users, it is important to fully assess your use cases and decide whether to require MDM enrollment. If you later decide to change the requirement for MDM enrollment, users will likely need to re-enroll their devices.

Note: To specify whether you require users to enroll in MDM, use the XenMobile server property Enrollment Required in the XenMobile console (Settings > Server Properties). That global server property applies to all users and devices for the XenMobile instance; it applies only when the XenMobile Server Mode is ENT.

The following table summarizes some of the advantages and disadvantages (along with mitigations) of requiring MDM enrollment in a XenMobile Enterprise mode deployment.

MDM Enrollment

Advantages

Disadvantages and Mitigations

Is optional

Users can access MAM resources without putting their devices under MDM management. This can increase user adoption.

Ability to secure access to MAM resources to protect enterprise data.

MDX policies such as App Passcode can control app access for each MDX app.

Configuring NetScaler, XenMobile Server, and per-application time-outs, along with Citrix (previously Worx) PIN, provide an additional layer of protection.

While MDM actions do not apply to the device, some MDX policies are available to deny MAM access based on system settings, such as jailbroken or rooted devices.

Users can choose whether to enroll their device with MDM during first time use.

MAM resources are available to devices not enrolled in MDM.

MDM policies and actions are available only to MDM-enrolled devices.

Mitigation options:

Have users agree to a company "terms and conditions" that holds them responsible if they choose to go out of compliance. Have administrators monitor unmanaged devices.

Manage application access and security by using application timers. Be aware that decreased time-out values increase security, but may affect user experience.

A second XenMobile environment with MDM enrollment required is an option. When considering this option, keep in mind the additional overhead of managing two environments and the additional resources required.

Is required

Ability to restrict access to MAM resources only to MDM managed devices.

MDM policies and actions can apply to all devices in the environment as desired.

Users do not have the option to opt out of enrolling their device.

Requires all users to enroll with MDM.

Might decrease adoption for users who object to corporate management of their personal devices.

Mitigation options:

Educate users about what XenMobile actually manages on their devices and what information administrators can access.

You can leverage a second XenMobile environment, with a Server Mode of MAM (also referred to as MAM-only mode), for devices that don't need MDM management. When considering this option, keep in mind the additional overhead of managing two environments and the additional resources required.

 

About MAM and Legacy MAM Modes

XenMobile 10.3.5 introduced a new MAM-only server mode. To distinguish the prior and new MAM modes, Citrix documentation refers to the new mode as "MAM-only" or "MAM" and refers to the prior MAM mode as "legacy MAM mode." While the legacy MAM functionality is the same as before, Citrix won't enhance it in future releases.

MAM-only mode is in effect when the Server Mode property of XenMobile is MAM. Devices register in MAM mode.

Legacy MAM functionality is in effect when the Server Mode property of XenMobile is ENT and users choose to opt out of device management. In that case, devices register in MDM+MAM mode. In MAM+MDM mode, users who opt out of MDM management continue to receive the legacy MAM functionality.

Note: Previously, setting the Server Mode property to MAM had the same effect as setting it to ENT: Devices registered in MDM+MAM mode; users who opted out of MDM management received the legacy MAM functionality.

The following table summarizes the Server Mode setting to use for a particular license type and desired device mode:

Your licenses are for this edition

You want devices to register in this mode

Set the Server Mode property to

Enterprise/ Advanced/MDM

MDM mode

MDM

Enterprise/Advanced

MAM mode (also referred to as MAM-only mode)

MAM

Enterprise/Advanced

MDM+MAM mode

ENT

Users who opt out of device management will operate under the legacy MAM mode.

MAM-only mode supports the following features that were previously available only for MDM. These features are not available for Windows Phone. 

  • Certificate-based authentication: MAM-only mode supports certificate-based authentication. Users will experience continued access to their apps even when their Active Directory password expires. If you use certificate-based authentication for MAM devices, you must configure your NetScaler Gateway. By default, in XenMobile Settings > NetScaler Gateway, Deliver user certificate for authentication is set to Off, meaning that user name and password authentication is used. You must change that setting to On to enable certificate authentication.
  • Self Help Portal: To enable end users to perform their own app lock and app wipe. Those actions apply to all apps on the device. You can configure the App Lock and App Wipe actions in Configure > Actions.
  • All enrollment modes: Including High Security, Invitation URL, and Two Factor, configured through Manage > Enrollment.
  • Device registration limit for Android and iOS devices: The Server Property Number of Devices Per User has moved to Configure > Enrollment Profiles and now also applies to MAM-only mode.
  • MAM-only APIs: For MAM-only devices, you can call REST services by using any REST client and the XenMobile REST API to call services that the XenMobile console exposes.
  • The MAM-only APIs enable you to:
    • Send an invitation URL and one-time PIN.
    • Issue app lock and wipe on devices. 


The following table summarizes the differences between the legacy MAM and MAM-only functionality.

Enrollment Scenarios and Other Features

Legacy MAM (server mode is ENT)

MAM-only mode (server mode is MAM)

Certificate authentication

Not supported.

Supported. To use certificate authentication, NetScaler Gateway is required.

Deployment requirement

XenMobile Server does not need to be directly accessible from devices.

XenMobile Server must be accessible from devices.

Enrollment option

Use the NetScaler Gateway FQDN or opt not to enroll.

Use XenMobile Server FQDN.

Enrollment methods*

User name + Password

User name + Password, High Security, Invitation URL, Invitation URL+PIN, Invitation URL + Password, Two Factor, User name + PIN

App lock and wipe

Supported.

Supported.

Self Help Portal options for app lock and wipe

Not supported.

Supported.

App wipe behavior

Apps remain on the device but are not usable. XenMobile deletes the account on the client only.

Apps remain on the device but are not usable. XenMobile deletes the account on the client only.

Automated actions for MAM-only users.

Event, device property, user property actions are supported.

Doesn't support installed app-based automated actions.

Event, device property, user property actions are supported.

Doesn't support installed app-based automated actions.

Built-in action when an Active Directory user is deleted

Supports app wipe.

Supports app wipe.

Enrollment limit

Supported; configured through an enrollment profile.

Supported; configured through an enrollment profile.

Software inventory

Supported; XenMobile lists apps installed on a device

Not supported

*Regarding notifications: SMTP is the only supported method for sending enrollment invitations. 

Important: To use MAM-only mode, previously enrolled users must re-enroll their devices. Be sure to provide users with the XenMobile Server FQDN they'll need for enrollment. In MAM-only mode, just like the ENT mode, devices enroll using the XenMobile Server FQDN. (In the legacy MAM mode, devices enroll using the NetScaler Gateway FQDN.)

Back to Top