Product Documentation

Authentication

Jan 12, 2017

In a XenMobile deployment, several considerations come into play when deciding how to configure authentication.  This section will help you understand the various factors that affect authentication by discussing the following:

  • The main MDX policies, XenMobile client properties and NetScaler Gateway settings involved with authentication.
  • The ways these policies, client properties, and settings interact.
  • The tradeoffs of each choice.

This article also includes three examples of recommended configurations for increasing degrees of security.

Broadly speaking, stronger security results in a less-optimal user experience, because users have to authenticate more often. How you balance those concerns depends on your organization's needs and priorities. By reviewing the three recommended configurations, you should gain a greater understanding of the interplay of authentication measures available to you, and how to best deploy your own XenMobile environment.

Authentication Modes

Online authentication: Allows users into the XenMobile network. Requires an Internet connection.

Offline authentication: Happens on the device. Users unlock the secure vault and have offline access to items, such as downloaded mail, cached websites, and notes.

Methods of Authentication

Single Factor

LDAP: You can configure a connection in XenMobile to one or more directories, such as Active Directory, that are compliant with the Lightweight Directory Access Protocol (LDAP). This is a commonly used method to provide single sign-on (SSO) for company environments. You might opt for Citrix PIN with Active Directory password caching to improve the user experience with LDAP while still providing the security of complex passwords on enrollment, password expiration, and account lockout.

For more details, see Domain or domain plus STA in the XenMobile documentation.

Client certificate: XenMobile can integrate with industry-standard certificate authorities to use certificates as the sole method of online authentication. XenMobile provides this certificate after user enrollment, which requires either a one-time password, invitation URL, or LDAP credentials. When using a client certificate as the primary method of authentication, a Citrix PIN is required in client certificate-only environments to secure the certificate on the device.

XenMobile supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses NetScaler to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the NetScaler CRL setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can't authenticate using an existing certificate on the device; instead, XenMobile issues a new certificate, because XenMobile doesn't restrict a user from generating a user certificate after one is revoked. This setting increases the security of PKI entities when the CRL check identifies expired PKI entities.

For a diagram that shows the deployment needed if you plan to use certificate-based authentication for users or if you need to use your enterprise Certificate Authority (CA) for issuing device certificates, see Reference Architecture for On-Premises Deployments.

Two Factor

LDAP + Client Certificate: In the XenMobile environment, this configuration is the best combination of security and user experience, with the best SSO possibilities coupled with security provided by two-factor authentication at NetScaler. Using both LDAP and client certificate provides security with both something users know (their Active Directory passwords) and something they have (client certificates on their devices). Secure Mail (and some other XenMobile Apps) can automatically configure and provide a seamless first-time user experience with client certificate authentication, with a properly configured Exchange client access server environment. For optimal usability, you can combine this option with Citrix PIN and Active Directory password caching.

LDAP + Token: This configuration allows for the classic configuration of LDAP credentials, plus a one-time password, using the RADIUS protocol. For optimal usability, you can combine this option with Citrix PIN and Active Directory password caching.

Important Policies, Settings and Client Properties Involved in Authentication

The following policies, settings, and client properties come into play in the three recommended configurations described later in this article:

MDX policies

App passcode: If On, a Citrix PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in the XenMobile console in Client Properties on the Settings tab. The default is 15 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Note: If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Online session required: If On, the user must have a connection to the enterprise network and an active session in order to access the app on the device. If Off, an active session is not required to access the app on the device. Default is Off.

Maximum offline period (hours): Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from XenMobile. When you set the Maximum offline period, if Secure Hub for iOS has a valid NetScaler Gateway token, the app retrieves new policies for MDX apps from XenMobile without any interruption to users. If Secure Hub does not have a valid NetScaler token, users must authenticate through Secure Hub in order for app policies to update. The NetScaler token may become invalid due to a NetScaler Gateway session inactivity or a forced session time-out policy. When users sign on to Secure Hub again, they can continue running the app.

Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on. Default is 72 hours (3 days). Minimum period is 1 hour.

Note: Keep in mind that in a scenario in which users travel often and may use international roaming, the default of 72 hours (3 days) may be too short.

Background services ticket expiration: The time period that a background network service ticket remains valid. When Secure Mail connects through NetScaler Gateway to an Exchange Server running ActiveSync, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This property setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default is 168 hours (7 days). When this time-out expires, mail notifications will discontinue.

Online session required grace period: Determines how many minutes a user can use the app offline before the Online session required policy prevents them from further use (until the online session is validated). Default is 0 (no grace period).

For more information about MDX Toolkit authentication policies, see XenMobile MDX Policies for iOS and XenMobile MDX Policies for Android.
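To make the interplay of these policies concrete, here is an added Python model (not Citrix code and not a XenMobile API) that decides what an MDX app does at a given moment from the rules stated above: the inactivity timer together with App passcode drives the offline PIN prompt (or a redirect to Secure Hub for full authentication when App passcode is Off); the Maximum offline period drives the 30/15/5-minute reminders, a silent policy refresh when Secure Hub still holds a valid NetScaler Gateway token, and a lock otherwise; and Online session required with its grace period blocks offline use. The field names and the order in which the checks are applied are assumptions made for this illustration.

```python
"""Decision model for MDX app prompts, built from the policy descriptions on this page.

Added illustration, not Citrix code. The precedence of the checks (online-session block,
then offline-period expiry, then PIN prompt, then reminders) is an assumption.
"""
from dataclasses import dataclass

REMINDER_MINUTES = (30, 15, 5)  # sign-on reminders before the maximum offline period expires


@dataclass
class MdxPolicy:
    app_passcode: bool = True            # "App passcode" (default On)
    inactivity_timer_min: int = 15       # INACTIVITY_TIMER; 0 = prompt only when the app starts
    max_offline_hours: int = 72          # "Maximum offline period (hours)" (default 72)
    online_session_required: bool = False
    online_grace_min: int = 0            # "Online session required grace period" (minutes)


@dataclass
class DeviceState:
    minutes_since_policy_refresh: int    # time since XenMobile last refreshed this app's policies
    minutes_since_app_active: int        # idle time as seen by the inactivity timer
    gateway_session_active: bool         # Secure Hub is online with a valid NetScaler Gateway token
    minutes_without_session: int = 0     # time without an active session, for the grace period
    app_starting: bool = False           # True on a cold start, when a PIN prompt is always due


def app_state(policy: MdxPolicy, state: DeviceState) -> str:
    """Return what the app does right now under the given policy and device state."""
    # Online session required: once the grace period is used up, no session means no app.
    if (policy.online_session_required and not state.gateway_session_active
            and state.minutes_without_session >= policy.online_grace_min):
        return "blocked: online session required"

    # Maximum offline period: entitlement and policies must be reconfirmed with XenMobile.
    remaining = policy.max_offline_hours * 60 - state.minutes_since_policy_refresh
    if remaining <= 0:
        if state.gateway_session_active:
            return "refresh: policies retrieved silently"   # valid token, no user interruption
        return "locked: sign on to Secure Hub"

    # Inactivity timer: PIN/passcode prompt when App passcode is On, full auth when it is Off.
    inactive = (policy.inactivity_timer_min > 0
                and state.minutes_since_app_active >= policy.inactivity_timer_min)
    if policy.app_passcode and (state.app_starting or inactive):
        return "prompt: Citrix PIN or passcode (offline authentication)"
    if inactive and not policy.app_passcode:
        return "redirect: full authentication in Secure Hub"

    # Reminders at 30, 15 and 5 minutes before the offline period expires.
    due = [m for m in REMINDER_MINUTES if remaining <= m]
    if due:
        return f"running: sign-on reminder shown ({due[-1]} minutes before expiry)"
    return "running"


if __name__ == "__main__":
    # Constructed scenarios for a device on the default MDX policy.
    policy = MdxPolicy()
    for label, state in [
        ("fresh, active", DeviceState(60, 3, True)),
        ("idle 20 min", DeviceState(60, 20, True)),
        ("10 min before expiry", DeviceState(72 * 60 - 10, 3, False)),
        ("expired, token valid", DeviceState(72 * 60 + 1, 3, True)),
        ("expired, no token", DeviceState(72 * 60 + 1, 3, False)),
    ]:
        print(f"{label:22s} -> {app_state(policy, state)}")
```

The model makes one point visible that the prose only implies: whether an expired offline period costs the user a sign-on depends entirely on whether Secure Hub's NetScaler Gateway session is still alive, which is why the recommended configurations keep the Maximum offline period an hour below the session time-out.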

XenMobile client properties

Note: Client properties are global settings that apply to all devices that connect to XenMobile.

Citrix PIN: For a simple sign-on experience, you might choose to enable the Citrix PIN. With the PIN, users do not have to enter other credentials repeatedly, such as their Active Directory user names and passwords. You can configure the Citrix PIN as a standalone offline authentication only, or combine the PIN with Active Directory password caching to streamline authentication for optimal usability. You configure the Citrix PIN in Settings > Client > Client Properties in the XenMobile console.

Following is a summary of a few important properties. For more information, see Client properties in the XenMobile documentation.

ENABLE_PASSCODE_AUTH

Display name: Enable Citrix PIN Authentication

This key allows you to turn on Citrix PIN functionality. With the Citrix PIN or passcode, users are prompted to define a PIN to use instead of their Active Directory password. You should enable this setting if ENABLE_PASSWORD_CACHING is enabled or if XenMobile is using certificate authentication.

Possible values: true or false

Default value: false

ENABLE_PASSWORD_CACHING

Display name: Enable User Password Caching

This key lets you allow the users' Active Directory password to be cached locally on the mobile device. When you set this key to true, users are prompted to set a Citrix PIN or passcode. The ENABLE_PASSCODE_AUTH key must be set to true when you set this key to true.

Possible values: true or false

Default value: false

PASSCODE_STRENGTH

Display name: PIN Strength Requirement

This key defines the strength of the Citrix PIN or passcode. When you change this setting, users are prompted to set a new Citrix PIN or passcode the next time they are prompted to authenticate.

Possible values: Low, Medium, or Strong

Default value: Medium

INACTIVITY_TIMER

Display name: Inactivity timer

This key defines the time in minutes that users can leave their devices inactive and then access an app without being prompted for a Citrix PIN or passcode. To enable this setting for an MDX app, you must set the App Passcode setting to On. If the App Passcode setting is set to Off, users are redirected to Secure Hub to perform a full authentication. When you change this setting, the value takes effect the next time users are prompted to authenticate. The default is 15 minutes.

ENABLE_TOUCH_ID_AUTH

Display name: Enable Touch ID Authentication

Allows the use of the fingerprint reader (iOS only) for offline authentication. Online authentication still requires the primary authentication method.

ENCRYPT_SECRETS_USING_PASSCODE

Display name: Encrypt secrets using Passcode

This key lets sensitive data be stored on the mobile device in a secret vault instead of in a platform-based native store, such as the iOS keychain. This configuration key enables strong encryption of key artifacts, but also adds user entropy (a user-generated random PIN code that only the user knows).

Possible values: true or false

Default value: false

NetScaler Settings

Session time-out: If you enable this setting, NetScaler Gateway disconnects the session if NetScaler detects no network activity for the specified interval. This setting is enforced for users who connect with the NetScaler Gateway Plug-in, Citrix Receiver, Secure Hub, or through a web browser. Default is 1440 minutes. If you set this value to zero, the setting is disabled.

Forced time-out: If you enable this setting, NetScaler Gateway disconnects the session after the time-out interval elapses no matter what the user is doing. When the time-out interval elapses, there is no action the user can take to prevent the disconnection. This setting is enforced for users who connect with the NetScaler Gateway Plug-in, Citrix Receiver, Secure Hub, or through a web browser. If Secure Mail is using STA, a special NetScaler mode, the Forced time-out setting does not apply to Secure Mail sessions. Default is 1440 minutes. If you leave this value blank, the setting is disabled.

For more information about time-out settings in NetScaler Gateway, see Configuring Time-Out Settings in the NetScaler documentation.

For more information on the scenarios that prompt users to authenticate with XenMobile by entering credentials on their devices, see Authentication Prompt Scenarios in the XenMobile Apps documentation.

Default Configuration Settings

These settings are the defaults provided by the NetScaler for XenMobile wizard, by the MDX Toolkit, and in the XenMobile console.

Setting                               | Where to Find the Setting   | Default Setting
--------------------------------------|-----------------------------|-------------------
Session time-out                      | NetScaler Gateway           | 1440 minutes
Force time-out                        | NetScaler Gateway           | 1440 minutes
Maximum offline period                | MDX Policies                | 72 hours
Background services ticket expiration | MDX Policies                | 168 hours (7 days)
Online session required               | MDX Policies                | Off
Online session required grace period  | MDX Policies                | 0 minutes
App passcode                          | MDX Policies                | On
Encrypt secrets using passcode        | XenMobile client properties | false
Enable Worx PIN                       | XenMobile client properties | false
PIN Strength                          | XenMobile client properties | Medium
PIN Type                              | XenMobile client properties | Numeric
Enable Password Caching               | XenMobile client properties | false
Inactivity Timer                      | XenMobile client properties | 15 minutes
Touch ID                              | XenMobile client properties | false

Recommended Configurations

This section gives examples of three XenMobile configurations that range from lowest security and optimal user experience, to the highest security and more intrusive user experience. These examples should provide you with helpful reference points to determine where on the scale you want to place your own configuration. Be aware that modifying these settings may require you to alter other settings as well. For instance, the maximum offline period should always be less than the session time-out.

High Security

This configuration, the most convenient to users, provides base-level security.

Setting                               | Where to Find the Setting   | Recommended Setting | Behavior Impact
--------------------------------------|-----------------------------|---------------------|----------------
Session time-out                      | NetScaler Gateway           | 10080 minutes       | Users enter their Secure Hub credentials only when online authentication is required (every 7 days).
Force time-out                        | NetScaler Gateway           | No value            | Sessions will be extended if there's any activity.
Maximum offline period                | MDX Policies                | 167 hours           | Requires policy refresh every week (every 7 days). The hour difference is to allow for refresh ahead of session time-out.
Background services ticket expiration | MDX Policies                | 240 hours           | Time out for STA, which allows for long-lived sessions without a NetScaler Gateway session token. In the case of Secure Mail, making the STA time-out longer than the session time-out avoids having mail notifications stop without prompting the user if they don't open the app before the session expires.
Online session required               | MDX Policies                | Off                 | Ensures a valid network connection and NetScaler Gateway session to use apps.
Online session required grace period  | MDX Policies                | 0 minutes           | No grace period (if you enabled Online session required).
App passcode                          | MDX Policies                | On                  | Require passcode for application.
Encrypt secrets using passcode        | XenMobile client properties | false               | Do not require user entropy to encrypt the vault.
Enable Citrix PIN                     | XenMobile client properties | true                | Enable Citrix PIN for simplified authentication experience.
PIN Strength                          | XenMobile client properties | Low                 | No password complexity requirements.
PIN Type                              | XenMobile client properties | Numeric             | PIN is a numeric sequence.
Enable Password Caching               | XenMobile client properties | true                | The user PIN caches and protects the Active Directory password.
Inactivity Timer                      | XenMobile client properties | 90 minutes          | If the user does not use MDX apps or Secure Hub for this period of time, prompt for offline authentication.
Touch ID                              | XenMobile client properties | true                | Enables Touch ID for offline authentication use cases in iOS.

Higher Security

A more middle-of-the-road approach, this configuration requires users to authenticate more often (every 3 days at most, instead of every 7) and provides stronger security. The more frequent authentications lock the container more often, helping to protect data when devices aren't in use.

Setting                               | Where to Find the Setting   | Recommended Setting | Behavior Impact
--------------------------------------|-----------------------------|---------------------|----------------
Session time-out                      | NetScaler Gateway           | 4320 minutes        | Users enter their Secure Hub credentials only when online authentication is required (every 3 days).
Force time-out                        | NetScaler Gateway           | No value            | Sessions will be extended if there's any activity.
Maximum offline period                | MDX Policies                | 71 hours            | Requires policy refresh every 3 days. The hour difference is to allow for refresh ahead of session time-out.
Background services ticket expiration | MDX Policies                | 168 hours           | Time out for STA, which allows for long-lived sessions without a NetScaler Gateway session token. In the case of Secure Mail, making the STA time-out longer than the session time-out avoids having mail notifications stop without prompting the user if they don't open the app before the session expires.
Online session required               | MDX Policies                | Off                 | Ensures a valid network connection and NetScaler Gateway session to use apps.
Online session required grace period  | MDX Policies                | 0 minutes           | No grace period (if you enabled Online session required).
App passcode                          | MDX Policies                | On                  | Require passcode for application.
Encrypt secrets using passcode        | XenMobile client properties | false               | Do not require user entropy to encrypt the vault.
Enable Citrix PIN                     | XenMobile client properties | true                | Enable Citrix PIN for simplified authentication experience.
PIN Strength                          | XenMobile client properties | Medium              | Enforces medium password complexity rules.
PIN Type                              | XenMobile client properties | Numeric             | PIN is a numeric sequence.
Enable Password Caching               | XenMobile client properties | true                | The user PIN caches and protects the Active Directory password.
Inactivity Timer                      | XenMobile client properties | 30 minutes          | If the user does not use MDX apps or Secure Hub for this period of time, prompt for offline authentication.
Touch ID                              | XenMobile client properties | true                | Enables Touch ID for offline authentication use cases in iOS.

Highest Security

This configuration offers the highest level of security but contains significant usability trade-offs.

Setting                               | Where to Find the Setting   | Recommended Setting | Behavior Impact
--------------------------------------|-----------------------------|---------------------|----------------
Session time-out                      | NetScaler Gateway           | 1440 minutes        | Users enter their Secure Hub credentials only when online authentication is required (every 24 hours).
Force time-out                        | NetScaler Gateway           | 1440 minutes        | Online authentication will be strictly required every 24 hours. Activity doesn't extend session life.
Maximum offline period                | MDX Policies                | 23 hours            | Requires policy refresh every day.
Background services ticket expiration | MDX Policies                | 72 hours            | Time out for STA, which allows for long-lived sessions without a NetScaler Gateway session token. In the case of Secure Mail, making the STA time-out longer than the session time-out avoids having mail notifications stop without prompting the user if they don't open the app before the session expires.
Online session required               | MDX Policies                | Off                 | Ensures a valid network connection and NetScaler Gateway session to use apps.
Online session required grace period  | MDX Policies                | 0 minutes           | No grace period (if you enabled Online session required).
App passcode                          | MDX Policies                | On                  | Require passcode for application.
Encrypt secrets using passcode        | XenMobile client properties | true                | A key derived from user entropy protects the vault.
Enable Citrix PIN                     | XenMobile client properties | true                | Enable Citrix PIN for simplified authentication experience.
PIN Strength                          | XenMobile client properties | Strong              | High password complexity requirements.
PIN Type                              | XenMobile client properties | Alphanumeric        | PIN is an alphanumeric sequence.
Enable Password Caching               | XenMobile client properties | false               | Active Directory password is not cached and Citrix PIN will be used for offline authentications.
Inactivity Timer                      | XenMobile client properties | 15 minutes          | If the user does not use MDX apps or Secure Hub for this period of time, prompt for offline authentication.
Touch ID                              | XenMobile client properties | false               | Disables Touch ID for offline authentication use cases in iOS.
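The three recommended configurations share a few dependencies that this article states in prose rather than enforcing anywhere: the maximum offline period should be less than the session time-out, the background services (STA) ticket should outlive the session time-out so that Secure Mail notifications don't stop silently, ENABLE_PASSWORD_CACHING requires ENABLE_PASSCODE_AUTH, the inactivity timer only takes effect when App passcode is On, and the grace period only matters when Online session required is On. The following Python script is an added example, not Citrix code and not a XenMobile API; it encodes those rules as checks over a profile record (the field names and the check for ENCRYPT_SECRETS_USING_PASSCODE needing a Citrix PIN are assumptions) and runs them against the four settings tables on this page.

```python
"""Consistency checks for XenMobile / NetScaler Gateway authentication settings.

Added example: a stand-alone script, not Citrix code. Field names are assumptions;
each rule is taken from the policy and property descriptions on this page unless
marked as an assumption in its comment.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthProfile:
    name: str
    session_timeout_min: int              # NetScaler Gateway "Session time-out" (0 = disabled)
    forced_timeout_min: Optional[int]     # NetScaler Gateway "Forced time-out" (None = blank/disabled)
    max_offline_hours: int                # MDX "Maximum offline period (hours)"
    sta_ticket_hours: int                 # MDX "Background services ticket expiration"
    online_session_required: bool         # MDX "Online session required"
    online_grace_min: int                 # MDX "Online session required grace period"
    app_passcode: bool                    # MDX "App passcode"
    enable_passcode_auth: bool            # client property ENABLE_PASSCODE_AUTH (Citrix PIN)
    enable_password_caching: bool         # client property ENABLE_PASSWORD_CACHING
    encrypt_secrets_using_passcode: bool  # client property ENCRYPT_SECRETS_USING_PASSCODE
    inactivity_timer_min: int             # client property INACTIVITY_TIMER (0 = prompt at start only)
    pin_strength: str                     # PASSCODE_STRENGTH: Low, Medium or Strong


def check_profile(p: AuthProfile) -> List[str]:
    """Return a list of findings; an empty list means the profile is self-consistent."""
    findings: List[str] = []
    session_hours = p.session_timeout_min / 60 if p.session_timeout_min > 0 else None

    # Page rule: the maximum offline period should always be less than the session time-out,
    # so the policy refresh happens while Secure Hub still holds a valid gateway token.
    if session_hours is not None and p.max_offline_hours >= session_hours:
        findings.append(f"Maximum offline period ({p.max_offline_hours} h) is not below the session "
                        f"time-out ({session_hours:g} h); the refresh may need a Secure Hub sign-on")

    # Page rule: the STA ticket should outlive the session time-out so Secure Mail notifications
    # do not stop silently when the user never opens the app before the session expires.
    if session_hours is not None and p.sta_ticket_hours <= session_hours:
        findings.append(f"Background services ticket expiration ({p.sta_ticket_hours} h) does not "
                        f"exceed the session time-out ({session_hours:g} h)")

    # Page rule: the minimum Maximum offline period is 1 hour.
    if p.max_offline_hours < 1:
        findings.append("Maximum offline period must be at least 1 hour")

    # Page rule: ENABLE_PASSCODE_AUTH must be true when ENABLE_PASSWORD_CACHING is true.
    if p.enable_password_caching and not p.enable_passcode_auth:
        findings.append("ENABLE_PASSWORD_CACHING is true but ENABLE_PASSCODE_AUTH is false")

    # Assumption: encrypting the vault with the passcode needs a Citrix PIN to supply user entropy.
    if p.encrypt_secrets_using_passcode and not p.enable_passcode_auth:
        findings.append("ENCRYPT_SECRETS_USING_PASSCODE is true but no Citrix PIN is enabled")

    # Page rule: the inactivity timer only applies to an MDX app when App passcode is On.
    if p.inactivity_timer_min > 0 and not p.app_passcode:
        findings.append("INACTIVITY_TIMER is set but App passcode is Off; users get a full Secure Hub "
                        "authentication instead of a PIN prompt")

    # Page rule: the grace period has no effect unless Online session required is On.
    if p.online_grace_min > 0 and not p.online_session_required:
        findings.append("Online session required grace period is set but the policy is Off")

    if p.pin_strength not in ("Low", "Medium", "Strong"):
        findings.append(f"PASSCODE_STRENGTH {p.pin_strength!r} is not Low, Medium or Strong")
    return findings


# The four settings tables on this page, transcribed in AuthProfile field order
# (session/forced time-outs in minutes, offline and STA periods in hours).
DEFAULTS = AuthProfile("Default", 1440, 1440, 72, 168, False, 0, True, False, False, False, 15, "Medium")
HIGH = AuthProfile("High Security", 10080, None, 167, 240, False, 0, True, True, True, False, 90, "Low")
HIGHER = AuthProfile("Higher Security", 4320, None, 71, 168, False, 0, True, True, True, False, 30, "Medium")
HIGHEST = AuthProfile("Highest Security", 1440, 1440, 23, 72, False, 0, True, True, False, True, 15, "Strong")


def audit(profiles=(DEFAULTS, HIGH, HIGHER, HIGHEST)) -> dict:
    """Map each profile name to its findings."""
    return {p.name: check_profile(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as written, the three recommended profiles pass every check, while the default settings table trips the first rule: a 72-hour maximum offline period against a 1440-minute (24-hour) session time-out, which is exactly the combination the Recommended Configurations section warns against. Extend the script with your own profile to see which of the stated dependencies a proposed change breaks before you apply it in the console.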

Using Step-Up Authentication

Some apps may require enhanced authentication (for example, a secondary authentication factor, such as a token or aggressive session time-outs). You control this authentication method through an MDX policy. The method also requires a separate virtual server to control the authentication methods (on either the same or on separate NetScaler appliances).

Setting                     | Where to Find the Setting | Recommended Setting                                              | Behavior Impact
----------------------------|---------------------------|------------------------------------------------------------------|----------------
Alternate NetScaler Gateway | MDX Policies              | Requires the FQDN and port of the secondary NetScaler appliance. | Allows for enhanced authentication controlled by the secondary NetScaler appliance authentication and session policies.

If a user opens an app that logs on to the alternate NetScaler Gateway instance, all other apps will use that NetScaler Gateway instance for communicating with the internal network. The session will only switch back to the lower-security NetScaler Gateway instance when the session times out on the NetScaler Gateway instance with enhanced security.

Using Online Session Required

For certain applications, such as Secure Web, you may want to ensure that users run an app only when they have an authenticated session and while the device is connected to a network. This policy enforces that option and allows for a grace period so users can finish their work.

Setting                              | Where to Find the Setting | Recommended Setting | Behavior Impact
-------------------------------------|---------------------------|---------------------|----------------
Online session required              | MDX Policies              | On                  | Ensures the device is online and has a valid authentication token.
Online session required grace period | MDX Policies              | 15 minutes          | Allows a 15-minute grace period before the user can no longer use apps.