Citrix Content Collaboration for Endpoint Management

Citrix Content Collaboration for Endpoint Management clients are MDX-capable versions of Citrix Files mobile clients. These clients provide secure, integrated access to data in other MDX-wrapped apps. Citrix Content Collaboration for Endpoint Management clients also benefit from MDX features, such as micro VPN, single sign-on (SSO) with Secure Hub, and two-factor authentication.

Citrix Files is an enterprise file sync and sharing service that lets users exchange documents easily and securely. Citrix Files gives users various access options, including Citrix Files mobile clients, such as Citrix Files for Android Phone and Citrix Files for iPad.

You can integrate Citrix Files with Endpoint Management to provide the full Citrix Files feature set or to provide access only to storage zones connectors. By default, the Citrix Endpoint Management console enables configuration of Citrix Files only. To configure Endpoint Management for use with storage zones connectors instead, see Use Citrix Content Collaboration with Endpoint Management in the Citrix Endpoint Management documentation.

You use Endpoint Management, Citrix Files, storage zones controller, and Citrix ADC as follows to deploy and manage Citrix Content Collaboration for Endpoint Management clients:

  • When Endpoint Management is configured with Citrix Files, Endpoint Management acts as a SAML identity provider (IdP) and deploys Citrix Content Collaboration for Endpoint Management clients. Citrix Files manages Citrix Files data. No Citrix Files data travels through Endpoint Management.
  • When Endpoint Management is configured with Citrix Files or with storage zones connectors, the storage zones controller provides connectivity to data in network shares and SharePoint. Users access your stored data through the Citrix Files mobile productivity apps. From mobile devices, users can edit Microsoft Office documents and preview and annotate Adobe PDF files.
  • Citrix ADC manages requests from external users, securing their connections, load balancing requests, and handling content switching for storage zones connectors.

For system requirements for Citrix Content Collaboration for Endpoint Management and other mobile productivity apps, see Support for mobile productivity apps.

How Citrix Content Collaboration for Endpoint Management clients differ from Citrix Files mobile clients

The following describes the differences between Citrix Content Collaboration for Endpoint Management clients and Citrix Files mobile clients.

User access

Citrix Content Collaboration for Endpoint Management clients:

Users obtain and open Citrix Content Collaboration for Endpoint Management clients from Secure Hub.

Citrix Files mobile clients:

Users obtain Citrix Files mobile clients from app stores.

SSO

Citrix Content Collaboration for Endpoint Management clients:

For Endpoint Management integration with Citrix Files: You can configure Endpoint Management as a SAML IdP for Citrix Files. In this configuration, Secure Hub obtains a SAML token for the Citrix Content Collaboration for Endpoint Management client, using Endpoint Management as the SAML IdP. A user who starts the Citrix Content Collaboration for Endpoint Management client, but is not signed on to Secure Hub, is prompted to sign on to Secure Hub. The user does not have to know their Citrix Files domain or account information.

Citrix Files mobile clients:

You can configure Endpoint Management and Citrix Gateway as a SAML IdP for Citrix Files. In this configuration, a user logging on to Citrix Files using a web browser or other Citrix Files clients is redirected to the Endpoint Management environment for user authentication. After successful authentication by Endpoint Management, the user receives a SAML token that is valid for logon to their Citrix Files account.

Micro VPN

Citrix Content Collaboration for Endpoint Management clients:

Remote users can connect using a VPN or micro VPN connection through Citrix Gateway to access apps and desktops in the internal network. This feature, available through Citrix ADC integration with Endpoint Management, is transparent to users.

Citrix Files mobile clients:

Not applicable.

Two-factor authentication

Citrix Content Collaboration for Endpoint Management clients:

Citrix ADC integration with Endpoint Management also supports authentication using a combination of client certificate authentication and another authentication type, such as LDAP or RADIUS.

Citrix Files mobile clients:

Not applicable.

Folder permissions

Citrix Content Collaboration for Endpoint Management clients and Citrix Files mobile clients:

For Endpoint Management integration with Citrix Files: Determined by Citrix Files.

Document access protection

Citrix Content Collaboration for Endpoint Management clients:

Users can open attachments received in Secure Mail or downloaded by any MDX-wrapped app. Only MDX-wrapped apps appear when the user performs an Open In action. Data that is from a non-wrapped app is not available to a Citrix Content Collaboration for Endpoint Management client. Secure Mail users can attach files from their Citrix Files repository without needing to download the file to the device. If a user has both wrapped and unwrapped Citrix Files clients on a device, the wrapped Citrix Files client cannot access files in the user’s personal Citrix Files account. The wrapped Citrix Files client can access only the Citrix Files subdomain configured in Endpoint Management.

Citrix Files mobile clients:

Users can open attachments from any app.

Citrix Files account access

Citrix Content Collaboration for Endpoint Management clients:

For Endpoint Management integration with Citrix Files: To access a personal Citrix Files account or a third-party Citrix Files account, users must use a non-MDX version of Citrix Files on the device.

Citrix Files mobile clients:

For Endpoint Management integration with Citrix Files: Available from Citrix Files clients.

Device policies

Citrix Content Collaboration for Endpoint Management clients and Citrix Files mobile clients:

Both Endpoint Management and Citrix Files device policies apply to Citrix Content Collaboration for Endpoint Management clients. For example, from the Endpoint Management console, you can perform a device wipe. From the Citrix Files console, you can remotely wipe the Citrix Files app.

MDX policies

Citrix Content Collaboration for Endpoint Management clients:

MDX policies let you configure settings in Citrix Endpoint Management that the Endpoint Management app store enforces. Policies available only through MDX include the ability to block the camera, mic, email compose, screen capture, and clipboard cut, copy, and paste operations.

Citrix Files mobile clients:

Not applicable.

Data encryption

Citrix Content Collaboration for Endpoint Management clients and Citrix Files mobile clients:

Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.

Availability

Citrix Content Collaboration for Endpoint Management clients:

Citrix Content Collaboration for Endpoint Management clients are included with Endpoint Management Advanced and Enterprise editions.

Citrix Files mobile clients:

All Endpoint Management editions include all Citrix Files features. You can integrate Endpoint Management with the full Citrix Files feature set or just storage zones connectors.

Integrating and delivering Citrix Content Collaboration for Endpoint Management clients

To integrate and deliver Citrix Content Collaboration for Endpoint Management clients, follow these general steps:

  1. Enable Endpoint Management as a SAML IdP for Citrix Files, to provide SSO from Citrix Files clients to Citrix Files. To do so, you must configure Citrix Files account information in Endpoint Management. For more information, see the “To configure Citrix Files account information in Endpoint Management for SSO” section.

    Important:

    To use Endpoint Management as a SAML IdP for non-MDX Citrix Files clients, such as the Citrix Files web app and the Citrix Files Sync clients, extra configuration is required.

  2. Download the Citrix Files clients.

  3. Add the Citrix Files clients to Endpoint Management. For details, see “To add Citrix Files to Endpoint Management” later in this article.

  4. Validate your configuration. For details, see “To validate Citrix Files clients,” later in this article.

    Image for configuring Citrix Files in Endpoint Management

About the settings:

  • Domain is the Citrix Files subdomain to be used for the clients.

  • Only the users in the selected delivery groups (DGs) have SSO access to Citrix Files from the clients.

    If a user in a DG does not have a Citrix Files account, Endpoint Management provisions the user into Citrix Files when you add the Citrix Files client to Endpoint Management.

  • The Citrix Files Administrator Account Logon information is used by Endpoint Management to save the SAML settings in the Citrix Files control plane.

Important:

The configuration that enables SSO from Citrix Files clients to Citrix Files does not authenticate users to network shares or SharePoint document libraries. Access to those connector data sources requires authentication to the Active Directory domain in which the network shares or SharePoint servers reside.

To configure Citrix Files account information in Endpoint Management for SSO

To enable SSO from Secure Hub to mobile productivity apps, you specify Citrix Files account and Citrix Files administrator service account information in the Endpoint Management console. With that configuration, Endpoint Management acts as a SAML IdP for Citrix Files, for mobile productivity app clients, Citrix Files clients, and non-MDX Citrix Files clients. When a user starts a mobile productivity app client, Secure Hub obtains a SAML token for the user from Endpoint Management and sends it to the Citrix Files client.

In the Endpoint Management console, click Configure > Content Collaboration, which is the former name of Citrix Files.

To add Citrix Content Collaboration for Endpoint Management clients to Endpoint Management

When you add Citrix Content Collaboration for Endpoint Management clients to Endpoint Management, you can enable SSO access to Connector data sources from Citrix Content Collaboration for Endpoint Management clients. To do so, configure the Network access policy and the Preferred VPN mode policy as described in this section.

Prerequisites

  • Endpoint Management must be able to reach your Citrix Files subdomain. To test the connection, ping your Citrix Files subdomain from the Endpoint Management server.

  • The time zone configured for your Citrix Files account and for the hypervisor running Endpoint Management must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach Citrix Files within the expected time frame. To configure the NTP server for Endpoint Management, use the Endpoint Management command-line interface.

    Note:

    The Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.

  • Log in to the ShareFile Account as an admin and verify the SAML SSO settings in Settings > Admin Settings > Security > Login & Security Policy > Single sign-on / SAML 2.0 Configuration.

  • Download Citrix Content Collaboration for Endpoint Management clients.
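
The clock prerequisite above, as an added example (not Citrix code): a SAML 2.0 assertion carries a validity window in its Conditions element, and a service provider that enforces it rejects the token when the two clocks disagree. The assertion, its five-minute window and all function names are constructed for illustration; signature verification is omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal assertion with a 5-minute window, not real IdP output.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z"
                   NotOnOrAfter="2024-01-15T10:05:00Z"/>
</saml:Assertion>
"""

def _parse_instant(value):
    """Parse a UTC xs:dateTime ('Z' suffix), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")

def check_validity(assertion_xml, sp_now, allowed_skew=timedelta(0)):
    """Return 'valid', 'not_yet_valid' or 'expired' as the service provider's clock sees it."""
    if sp_now.tzinfo is None:
        raise ValueError("sp_now must be timezone-aware; naive local time hides the offset")
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = _parse_instant(cond.attrib["NotBefore"])
    not_on_or_after = _parse_instant(cond.attrib["NotOnOrAfter"])
    if sp_now + allowed_skew < not_before:
        return "not_yet_valid"
    if sp_now - allowed_skew >= not_on_or_after:
        return "expired"
    return "valid"

def verdict_with_idp_clock_error(assertion_xml, true_now, idp_clock_error):
    """An IdP clock that runs ahead shifts the window forward; model that by shifting the SP's view back."""
    return check_validity(assertion_xml, true_now - idp_clock_error)
```

A one-hour offset in either direction, the size of error a local-time-versus-UTC mismatch produces, moves the token entirely outside a window of a few minutes, so no realistic skew allowance recovers it.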

Steps:

  1. In the Endpoint Management console, click Configure > Apps and then click Add.
  2. Click MDX.
  3. Enter a Name and, optionally, a Description and App category for the app.
  4. Click Next and then upload the .mdx file for the Citrix Content Collaboration for Endpoint Management client.
  5. Click Next to configure the app information and policies.

    The configuration that enables SSO from Citrix Content Collaboration for Endpoint Management clients to Citrix Files does not authenticate users to network shares or SharePoint document libraries.

  6. To enable SSO between the Secure Hub micro VPN and storage zones controller, complete the following policy configuration:

    • Set the Network access policy to Tunneled to the internal network.

      In this mode, the MDX framework intercepts all network traffic from the Citrix Content Collaboration for Endpoint Management client. The network traffic is then redirected through Citrix Gateway using an app-specific micro VPN.

    • Set the Preferred VPN mode policy to Tunneled – Web SSO.

      In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app and then initiates new connections to internal resources on the user’s behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

  7. Complete the Approvals and Delivery Group (DG) Assignments as needed.

Only the users in the selected DGs have SSO access to Citrix Files from the Citrix Content Collaboration for Endpoint Management clients. If a user in a DG does not have a Citrix Files account, Endpoint Management provisions the user into Citrix Files when you add the Citrix Content Collaboration for Endpoint Management client to Endpoint Management.

To validate Citrix Content Collaboration for Endpoint Management clients

  1. After completing the configuration described in this article, start the Citrix Content Collaboration for Endpoint Management client. Citrix Files does not prompt you to sign on.
  2. In Secure Mail, compose an email and add an attachment from Citrix Files. Your Citrix Files home page opens, without prompting you to sign on.
