Endpoint Management integration
This article covers what to consider when planning how Endpoint Management is to integrate with your existing network and solutions. For example, if you’re already using NetScaler for XenApp and XenDesktop:
- Should you use the existing NetScaler instance or a new, dedicated instance?
- Do you want to integrate the HDX apps published through StoreFront with Endpoint Management?
- Do you plan to use ShareFile with Endpoint Management?
- Do you have a Network Access Control solution that you want to integrate into Endpoint Management?
NetScaler Gateway is required for Endpoint Management ENT and MAM modes. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.
You can use existing NetScaler instances or set up new ones for Endpoint Management. The following sections note the advantages and disadvantages of using existing or new, dedicated NetScaler instances.
Shared NetScaler MPX with a NetScaler Gateway VIP created for Endpoint Management
Advantages:
- Uses a common NetScaler instance for all Citrix remote connections: XenApp, full VPN, and clientless VPN.
- Uses the existing NetScaler configurations, such as for certificate authentication and for accessing services like DNS, LDAP, and NTP.
- Uses a single NetScaler platform license.
Disadvantages:
- It is more difficult to plan for scale when you handle two very different use cases on the same NetScaler.
- Sometimes you need a specific NetScaler version for a XenApp use case. That same version might have known issues for Endpoint Management. Or Endpoint Management might have known issues for the NetScaler version.
- If a NetScaler Gateway exists, you cannot run the NetScaler for XenMobile wizard a second time to create the NetScaler configuration for Endpoint Management.
- Except when Platinum licenses are used for NetScaler Gateway 11.1 or later: User access licenses installed on NetScaler and required for VPN connectivity are pooled. Because those licenses are available to all NetScaler virtual servers, services other than Endpoint Management can potentially consume them.
Dedicated NetScaler VPX/MPX instance
Citrix recommends using a dedicated instance of NetScaler.
Advantages:
- Easier to plan for scale and separates Endpoint Management traffic from a NetScaler instance that might already be resource constrained.
- Avoids issues when Endpoint Management and XenApp need different NetScaler software versions. The recommendation generally is to use the latest compatible NetScaler version and build for Endpoint Management.
- Allows Endpoint Management configuration of NetScaler through the built-in NetScaler for XenMobile wizard.
- Virtual and physical separation of services.
Disadvantages:
- Requires setup of extra services on NetScaler to support Endpoint Management configuration.
- Requires another NetScaler platform license. License each NetScaler instance for NetScaler Gateway.
For information about what to consider when integrating NetScaler and NetScaler Gateway with each Endpoint Management server mode, see Integrating with NetScaler and NetScaler Gateway.
If you have a Citrix XenApp and XenDesktop environment, you can integrate HDX applications with Endpoint Management using StoreFront. When you integrate HDX apps with Endpoint Management:
- The apps are available to users who are enrolled with Endpoint Management.
- The apps display in the app store along with other mobile apps.
- Endpoint Management uses the legacy PNAgent (services) site on StoreFront.
- When the Citrix Workspace app is installed on a device, HDX apps start using that app.
StoreFront has a limitation of one services site per StoreFront instance. Suppose that you have multiple stores and want to segment Endpoint Management from other production usage. In that case, Citrix generally recommends that you consider a new StoreFront instance and services site for Endpoint Management.
- Are there any different authentication requirements for StoreFront? The StoreFront services site requires Active Directory credentials for logon. Customers only using certificate-based authentication cannot enumerate applications through Endpoint Management using the same NetScaler Gateway.
- Use the same store or create a new one?
- Use the same or a different StoreFront server?
The following sections note the advantages and disadvantages of using separate or combined storefronts for Citrix Workspace and Citrix mobile productivity apps.
Integrate your existing StoreFront instance with Endpoint Management
Advantages:
- Same store: No additional configuration of StoreFront is required for Endpoint Management, assuming that you use the same NetScaler VIP for HDX access. Suppose that you choose to use the same store and want to direct Citrix Workspace access to a new NetScaler VIP. In that case, add the appropriate NetScaler Gateway configuration to StoreFront.
- Same StoreFront server: Uses the existing StoreFront installation and configuration.
Disadvantages:
- Same store: Any reconfiguration of StoreFront to support XenApp and XenDesktop workloads may adversely affect Endpoint Management as well.
- Same StoreFront server: In large environments, consider the additional load from Endpoint Management usage of PNAgent for app enumeration and start-up.
Use a new, dedicated StoreFront instance for integration with Endpoint Management
Advantages:
- New store: Any configuration changes of the StoreFront store for Endpoint Management should not affect existing XenApp and XenDesktop workloads.
- New StoreFront server: Server configuration changes should not affect XenApp and XenDesktop workflows. Additionally, load outside of Endpoint Management usage of PNAgent for app enumeration and launch should not affect scalability.
Disadvantages:
- New store: Requires configuration of a new StoreFront store.
- New StoreFront server: Requires new StoreFront installation and configuration.
For more information, see Citrix XenApp and XenDesktop through Citrix Secure Hub.
ShareFile enables users to access and sync all of their data from any device. With ShareFile, users can securely share data with people both inside and outside the organization. If you integrate ShareFile with Endpoint Management Advanced Edition or Enterprise Edition, Endpoint Management can provide ShareFile with:
- Single sign-on authentication for mobile productivity app users.
- Active Directory-based user account provisioning.
- Comprehensive access control policies.
Mobile users can benefit from the full ShareFile Enterprise feature set.
Alternatively, you can configure Endpoint Management to integrate only with StorageZone Connectors. Through StorageZone Connectors, ShareFile provides access to:
- Documents and folders
- Network file shares
- In SharePoint sites: Site collections and document libraries.
Connected file shares can include the same network home drives used in Citrix XenApp and XenDesktop environments. You use the Endpoint Management console to configure the integration with ShareFile Enterprise or StorageZones Connectors. For more information, see ShareFile use with Endpoint Management.
The following sections note the questions to ask when making design decisions for ShareFile.
Integrate with ShareFile Enterprise or only StorageZone Connectors
Questions to ask:
- Do you need to store data in Citrix-managed StorageZones?
- Do you want to provide users with file sharing and sync capabilities?
- Do you want to enable users to access files on the ShareFile website? Or to access Office 365 content and Personal Cloud connectors from mobile devices?
- If the answer to any of those questions is “yes,” integrate with ShareFile Enterprise.
- An integration with only StorageZone Connectors gives iOS users secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. In this configuration, you don’t set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data. Using StorageZones Connectors with Endpoint Management complies with security restrictions against leaking user information outside of the corporate network.
ShareFile StorageZones Controller server location
Questions to ask:
- Do you require on-premises storage or features such as StorageZone Connectors?
- If using on-premises features of ShareFile, where will the ShareFile StorageZones Controllers sit in the network?
- Determine whether to locate the StorageZones Controller servers in the ShareFile cloud, in your on-premises single-tenant storage system, or in supported third-party cloud storage.
- StorageZones Controllers require some internet access to communicate with the Citrix ShareFile Control Plane. You can connect in several ways, including direct access or NAT/PAT configurations.
Questions to ask:
- What are the CIFS share paths?
- What are the SharePoint URLs?
- Determine if on-premises StorageZones Controllers are required to access those locations.
- Due to StorageZone Connector communication with internal resources such as file repositories, CIFS shares, and SharePoint: Citrix recommends that StorageZones Controllers reside in the internal network behind DMZ firewalls and fronted by NetScaler.
SAML integration with Endpoint Management Enterprise
Questions to ask:
- Is Active Directory authentication required for ShareFile?
- Does first time use of the ShareFile app for Endpoint Management require SSO?
- Is there a standard IdP in your current environment?
- How many domains are required to use SAML?
- Are there multiple email aliases for Active Directory users?
- Are there any Active Directory domain migrations in progress or scheduled soon?
Endpoint Management Enterprise environments may choose to use SAML as the authentication mechanism for ShareFile. The authentication options are:
- Use the Endpoint Management server as the Identity Provider (IdP) for SAML
This option can provide excellent user experience and automate ShareFile account creation, as well as enable mobile app SSO features.
- The Endpoint Management server is enhanced for this process: It does not require the synchronization of Active Directory.
- Use the ShareFile User Management Tool for user provisioning.
- Use a supported third-party vendor as the IdP for SAML
If you have an existing and supported IdP and don’t require mobile app SSO capabilities, this option might be the best fit for you. This option also requires the use of the ShareFile User Management Tool for account provisioning.
Using third-party IdP solutions such as ADFS may also provide SSO capabilities on the Windows client side. Be sure to evaluate use cases before choosing your ShareFile SAML IdP.
Additionally, to satisfy both use cases, you can configure ADFS and Endpoint Management as a dual IdP.
Questions to ask:
- Which ShareFile mobile app do you plan to use (public, MDM, MDX)?
- Citrix mobile productivity apps are distributed through the Apple App Store and Google Play Store. With that public app store distribution, you obtain wrapped apps from the Citrix downloads page.
- If security is low and you don’t require containerization, the public ShareFile application may not be suitable. In an MDM-only environment, you can deliver the MDM version of the ShareFile app using Endpoint Management in MDM mode.
- For more information, see Apps and Citrix ShareFile for Endpoint Management.
Security, policies, and access control
Questions to ask:
- What restrictions do you require for desktop, web, and mobile users?
- What standard access control settings do you want for users?
- What file retention policy do you plan to use?
- ShareFile lets you manage employee permissions and device security. For information, see Employee Permissions and Managing Devices and Apps.
- Some ShareFile device security settings and MDX policies control the same features. In those cases, Endpoint Management policies take precedence, followed by the ShareFile device security settings. Examples: If you disable external apps in ShareFile, but enable them in Endpoint Management, the external apps get disabled in ShareFile. You can configure the apps so that Endpoint Management doesn’t require a PIN/passcode, but the ShareFile app requires a PIN/passcode.
Standard vs. restricted StorageZones
Questions to ask:
- Do you require Restricted StorageZones?
- A standard StorageZone is intended for non-sensitive data and enables employees to share data with non-employees. This option supports workflows that involve sharing data outside of your domain.
- A restricted StorageZone protects sensitive data: Only authenticated domain users can access the data stored in the zone.
Enterprises can now manage mobile devices inside and outside of networks. Enterprise Mobility Management solutions such as Endpoint Management are great at providing security and controls for mobile devices, independent of location. However, when coupled with a Network Access Control (NAC) solution, you can add QoS and more fine-grained control to devices that are internal to your network. That combination enables you to extend the Endpoint Management device security assessment through your NAC solution. Your NAC solution then can use the Endpoint Management security assessment to facilitate and handle authentication decisions. Citrix has validated NAC integration with Endpoint Management for Cisco Identity Services Engine (ISE) or ForeScout. Citrix doesn’t guarantee integration for other NAC solutions.
Advantages of a NAC solution integration with Endpoint Management include the following:
- Better security, compliance, and control for all endpoints on an enterprise network.
- A NAC solution can:
  - Detect devices at the instant they attempt to connect to your network.
  - Query Endpoint Management for device attributes.
  - Then use that information to determine whether to allow, block, limit, or redirect those devices. Those decisions depend on the security policies you choose to enforce.
- A NAC solution provides IT administrators with a view of unmanaged and non-compliant devices.
For a description of the NAC compliance filters supported by Endpoint Management, see Network Access Control.
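The following Python script is an added illustration, not Citrix code and not the API of any NAC vendor. It shows the flow described above in working form: a NAC detects a device, queries the EMM server (a stand-in for Endpoint Management) for its attributes, maps those attributes to an allow, limit, redirect, or block decision, and produces the unmanaged/non-compliant list for administrators. The device records, MAC addresses, and attribute names (managed, compliant, reasons) are constructed assumptions for the example; they are not Endpoint Management's NAC compliance filter names.

```python
# Added illustration, not Citrix or NAC-vendor code: a minimal policy engine
# mapping EMM-reported device attributes to NAC decisions. All device records
# and attribute names below are constructed assumptions for this example.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Decision vocabulary from the article: allow, block, limit, redirect.
ALLOW, LIMIT, REDIRECT, BLOCK = "allow", "limit", "redirect", "block"


@dataclass(frozen=True)
class DeviceStatus:
    """What the EMM lookup returns for one device (assumed shape)."""
    managed: bool                  # enrolled with the EMM server
    compliant: bool                # passed the EMM security assessment
    reasons: Tuple[str, ...] = ()  # assessment failures, if any


# Constructed sample directory keyed by MAC address, standing in for the
# EMM server's answer to "query device attributes".
SAMPLE_EMM_DIRECTORY: Dict[str, DeviceStatus] = {
    "02:00:00:00:00:01": DeviceStatus(managed=True, compliant=True),
    "02:00:00:00:00:02": DeviceStatus(managed=True, compliant=False,
                                      reasons=("passcode not set",)),
    "02:00:00:00:00:03": DeviceStatus(managed=False, compliant=False),
}


def query_emm(directory: Dict[str, DeviceStatus], mac: str) -> Optional[DeviceStatus]:
    """Stand-in for the NAC's attribute query; None means the EMM has no record."""
    return directory.get(mac.lower())


def decide(status: Optional[DeviceStatus]) -> Tuple[str, str]:
    """Map EMM attributes to a NAC decision, failing closed for unknown devices."""
    if status is None:
        # Unknown to the EMM server: send to an enrollment/captive portal
        # rather than granting production network access.
        return REDIRECT, "no EMM record"
    if not status.managed:
        return REDIRECT, "unmanaged device"
    if status.compliant:
        return ALLOW, "managed and compliant"
    # Managed but failing the assessment: restricted access, not full access.
    return LIMIT, "non-compliant: " + ", ".join(status.reasons)


def evaluate(directory: Dict[str, DeviceStatus],
             macs: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return the decision and rationale for every device that tries to connect."""
    return {mac: decide(query_emm(directory, mac)) for mac in macs}


def admin_view(directory: Dict[str, DeviceStatus],
               macs: Iterable[str]) -> Dict[str, List[str]]:
    """The administrator's view of unmanaged and non-compliant devices."""
    view: Dict[str, List[str]] = {"unmanaged": [], "non_compliant": []}
    for mac in macs:
        status = query_emm(directory, mac)
        if status is None or not status.managed:
            view["unmanaged"].append(mac)
        elif not status.compliant:
            view["non_compliant"].append(mac)
    return view


if __name__ == "__main__":
    # The last MAC is constructed to be unknown to the EMM directory.
    seen = list(SAMPLE_EMM_DIRECTORY) + ["02:00:00:00:00:ff"]
    for mac, (decision, why) in evaluate(SAMPLE_EMM_DIRECTORY, seen).items():
        print(f"{mac}  {decision:<8} ({why})")
    print(admin_view(SAMPLE_EMM_DIRECTORY, seen))
```

The design choice worth noting is the default: a device the EMM server cannot vouch for is redirected to enrollment rather than allowed, so a failed or missing attribute lookup never becomes a grant of production access. Which attributes drive the decision in a real deployment is set by the NAC compliance filters you choose to enforce.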