Endpoint Management integration
This article covers what to consider when planning how Endpoint Management is to integrate with your existing network and solutions. For example, if you’re already using Citrix Gateway for Citrix Virtual Apps and Desktops:
- Should you use the existing Citrix Gateway instance or a new, dedicated instance?
- Do you want to integrate with Endpoint Management the HDX apps that are published using StoreFront?
- Do you plan to use Citrix Files with Endpoint Management?
- Do you have a Network Access Control solution that you want to integrate into Endpoint Management?
Citrix Gateway is required for Endpoint Management. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.
You can use existing Citrix Gateway instances or set up new ones for Endpoint Management. The following sections note the advantages and disadvantages of using existing or new, dedicated Citrix Gateway instances.
Shared Citrix Gateway MPX with a Citrix Gateway VIP created for Endpoint Management
- Uses a common Citrix Gateway instance for all Citrix remote connections: Citrix Virtual Apps, full VPN, and clientless VPN.
- Uses the existing Citrix Gateway configurations, such as for certificate authentication and for accessing services like DNS, LDAP, and NTP.
- Uses a single Citrix Gateway platform license.
- It is more difficult to plan for scale when you handle two very different use cases on the same Citrix Gateway.
- Sometimes you need a specific Citrix Gateway version for a Citrix Virtual Apps use case. That same version might have known issues for Endpoint Management. Or Endpoint Management might have known issues for the Citrix Gateway version.
- If a Citrix Gateway exists, you cannot run the NetScaler for XenMobile wizard a second time to create the Citrix Gateway configuration for Endpoint Management.
- Except when Platinum licenses are used for Citrix Gateway 11.1 or later: User access licenses installed on Citrix Gateway and required for VPN connectivity are pooled. Because those licenses are available to all Citrix Gateway virtual servers, services other than Endpoint Management can potentially consume them.
Dedicated Citrix Gateway VPX/MPX instance
Citrix recommends using a dedicated instance of Citrix Gateway.
- Easier to plan for scale and separates Endpoint Management traffic from a Citrix Gateway instance that might already be resource constrained.
- Avoids issues when Endpoint Management and Citrix Virtual Apps need different Citrix Gateway software versions. The recommendation generally is to use the latest compatible Citrix Gateway version and build for Endpoint Management.
- Allows Endpoint Management configuration of Citrix Gateway through the built-in NetScaler for XenMobile wizard.
- Virtual and physical separation of services.
- Requires setup of extra services on Citrix Gateway to support Endpoint Management configuration.
- Requires another Citrix Gateway platform license. License each Citrix Gateway instance for Citrix Gateway.
For information about what to consider when integrating Citrix Gateway and Citrix Gateway with each Endpoint Management server mode, see Integrating with Citrix Gateway and Citrix ADC.
If you have a Citrix Virtual Apps and Desktops environment, you can integrate HDX applications with Endpoint Management using StoreFront. When you integrate HDX apps with Endpoint Management:
- The apps are available to users who are enrolled with Endpoint Management.
- The apps display in the app store along with other mobile apps.
- Endpoint Management uses the legacy PNAgent (services) site on StoreFront.
- When the Citrix Workspace app is installed on a device, HDX apps start using that app.
StoreFront has a limitation of one services site per StoreFront instance. Suppose that you have multiple stores and want to segment it from other production usage. In that case, Citrix generally recommends that you consider a new StoreFront Instance and services site for Endpoint Management.
- Are there any different authentication requirements for StoreFront? The StoreFront services site requires Active Directory credentials for logon. Customers only using certificate-based authentication cannot enumerate applications through Endpoint Management using the same Citrix Gateway.
- Use the same store or create a new one?
- Use the same or a different StoreFront server?
The following sections note the advantages and disadvantages of using separate or combined storefronts for Citrix Workspace and Citrix mobile productivity apps.
Integrate your existing StoreFront instance with Endpoint Management
- Same store: No additional configuration of StoreFront is required for Endpoint Management, assuming that you use the same Citrix Gateway VIP for HDX access. Suppose that you choose to use the same store and want to direct Citrix Workspace access to a new Citrix Gateway VIP. In that case, add the appropriate Citrix Gateway configuration to StoreFront.
- Same StoreFront server: Uses the existing StoreFront installation and configuration.
- Same store: Any reconfiguration of StoreFront to support Citrix Virtual Apps and Desktops workloads may adversely affect Endpoint Management as well.
- Same StoreFront server: In large environments, consider the additional load from Endpoint Management usage of PNAgent for app enumeration and start-up.
Use a new, dedicated StoreFront instance for integration with Endpoint Management
- New store: Any configuration changes of the StoreFront store for Endpoint Management should not affect existing Virtual Apps and Desktops workloads.
- New StoreFront server: Server configuration changes should not affect Virtual Apps and Desktops workflows. Additionally, load outside of Endpoint Management usage of PNAgent for app enumeration and launch should not affect scalability.
- New store: StoreFront store configuration.
- New StoreFront server: Requires new StoreFront installation and configuration.
For more information, see Citrix Virtual Apps and Desktops through the app store.
Citrix Files enables users to access and sync all of their data from any device. With Citrix Files, users can securely share data with people both inside and outside the organization. If you integrate Citrix Files with Endpoint Management Advanced Edition or Enterprise Edition, Endpoint Management can provide Citrix Files with:
- Single sign-on authentication for mobile productivity app users.
- Active Directory-based user account provisioning.
- Comprehensive access control policies.
Mobile users can benefit from the full Citrix Files Enterprise feature set.
Alternatively, you can configure Endpoint Management to integrate only with StorageZone Connectors. Through StorageZone Connectors, Citrix Files provides access to:
- Ddocuments and folders
- Network file shares
- In SharePoint sites: Site collections and document libraries.
Connected file shares can include the same network home drives used in Citrix Virtual Apps and Desktops environments. You use the Endpoint Management console to configure the integration with Citrix Files Enterprise or StorageZones Connectors. For more information, see Citrix Files use with Endpoint Management.
The following sections note the questions to ask when making design decisions for Citrix Files.
Integrate with Citrix Files Enterprise or only StorageZone Connectors
Questions to ask:
- Do you need to store data in Citrix-managed StorageZones?
- Do you want to provide users with file sharing and sync capabilities?
- Do you want to enable users to access files on the Citrix Files website? Or to access Office 365 content and Personal Cloud connectors from mobile devices?
- If the answer to any of those questions is “yes,” integrate with Citrix Files Enterprise.
- An integration with only StorageZone Connectors gives iOS users secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. In this configuration, you don’t set up a Citrix Files subdomain, provision users to Citrix Files, or host Citrix Files data. Using StorageZones Connectors with Endpoint Management complies with security restrictions against leaking user information outside of the corporate network.
StorageZones Controller server location
Questions to ask:
- Do you require on-premises storage or features such as StorageZone Connectors?
- If using on-premises features of Citrix Files, where will the StorageZones Controllers sit in the network?
- Determine whether to locate the StorageZones Controller servers in the Citrix Files cloud, in your on-premises single-tenant storage system, or in supported third-party cloud storage.
- StorageZones Controllers require some internet access to communicate with the Citrix Files Control Plane. You can connect in several ways, including direct access or NAT/PAT configurations.
Questions to ask:
- What are the CIFS share paths?
- What are the SharePoint URLs?
- Determine if on-premises StorageZones Controllers are required to access those locations.
- Due to StorageZone Connector communication with internal resources such as file repositories, CIFS shares, and SharePoint: Citrix recommends that StorageZones Controllers reside in the internal network behind DMZ firewalls and fronted by Citrix Gateway.
SAML integration with Endpoint Management Enterprise
Questions to ask:
- Is Active Directory authentication required for Citrix Files?
- Does first time use of the Citrix Files app for Endpoint Management require SSO?
- Is there a standard IdP in your current environment?
- How many domains are required to use SAML?
- Are there multiple email aliases for Active Directory users?
- Are there any Active Directory domain migrations in progress or scheduled soon?
Endpoint Management Enterprise environments may choose to use SAML as the authentication mechanism for Citrix Files. The authentication options are:
- Use the Endpoint Management server as the Identity Provider (IdP) for SAML
This option can provide excellent user experience and automate Citrix Files account creation, as well as enable mobile app SSO features.
- The Endpoint Management server is enhanced for this process: It does not require the synchronization of Active Directory.
- Use the Citrix Files User Management Tool for user provisioning.
- Use a supported third-party vendor as the IdP for SAML
If you have an existing and supported IdP and don’t require mobile app SSO capabilities, this option might be the best fit for you. This option also requires the use of the Citrix Files User Management Tool for account provisioning.
Using third-party IdP solutions such as ADFS may also provide SSO capabilities on the Windows client side. Be sure to evaluate use cases before choosing your Citrix Files SAML IdP.
Additionally, to satisfy both use cases, you can Configure and ADFS and Endpoint Management as a Dual IdP.
Questions to ask:
- Which Citrix Files mobile app do you plan to use (public, MDM, MDX)?
- You distribute Citrix mobile productivity apps from the Apple App Store and Google Play Store. With that public app store distribution, you obtain wrapped apps from the Citrix downloads page.
- If security is low and you don’t require containerization, the public Citrix Files application may not be suitable. In an MDM-only environment, you can deliver the MDM version of the Citrix Files app using Endpoint Management in MDM mode.
- For more information, see Apps and Citrix Citrix Files for Endpoint Management.
Security, policies, and access control
Questions to ask:
- What restrictions do you require for desktop, web, and mobile users?
- What standard access control settings do you want for users?
- What file retention policy do you plan to use?
- Citrix Files lets you manage employee permissions and device security. For information, see Employee Permissions and Managing Devices and Apps.
- Some Citrix Files device security settings and MDX policies control the same features. In those cases, Endpoint Management policies take precedence, followed by the Citrix Files device security settings. Examples: If you disable external apps in Citrix Files, but enable them in Endpoint Management, the external apps get disabled in Citrix Files. You can configure the apps so that Endpoint Management doesn’t require a PIN/passcode, but the Citrix Files app requires a PIN/passcode.
Standard vs. restricted StorageZones
Questions to ask:
- Do you require Restricted StorageZones?
- A standard StorageZone is intended for non-sensitive data and enables employees to share data with non-employees. This option supports workflows that involve sharing data outside of your domain.
- A restricted StorageZone protects sensitive data: Only authenticated domain users can access the data stored in the zone.
Enterprises can now manage mobile devices inside and outside of networks. Enterprise Mobility Management solutions such as Endpoint Management are great at providing security and controls for mobile devices, independent of location. However, when coupled with a Network Access Control (NAC) solution, you can add QoS and more fine-grained control to devices that are internal to your network. That combination enables you to extend the Endpoint Management device security assessment through your NAC solution. Your NAC solution then can use the Endpoint Management security assessment to facilitate and handle authentication decisions. Citrix has validated NAC integration with Endpoint Management for Cisco Identity Services Engine (ISE) or ForeScout. Citrix doesn’t guarantee integration for other NAC solutions.
Advantages of a NAC solution integration with Endpoint Management include the following:
- Better security, compliance, and control for all endpoints on an enterprise network.
- A NAC solution can:
- Detect devices at the instant they attempt to connect to your network.
- Query Endpoint Management for device attributes.
- Then use that information to determine whether to allow, block, limit, or redirect those devices. Those decisions depend on the security policies you choose to enforce.
- A NAC solution provides IT administrators with a view of unmanaged and non-compliant devices.
For a description of the NAC compliance filters supported by Endpoint Management, see Network Access Control.