Citrix Files for Endpoint Management

Citrix ShareFile for Endpoint Management is now Citrix Files for Endpoint Management. Citrix Files is an enterprise file sync and sharing service that lets users exchange documents easily and securely. Citrix Files gives users a variety of access options, including Citrix Files mobile clients, such as Citrix Files for Android Phone and Citrix Files for iPad.

You can integrate Citrix Files with Endpoint Management to provide the full Citrix Files feature set or to provide access only to storage zones connectors. By default, the Endpoint Management console enables configuration of Citrix Files only. To configure Endpoint Management for use with storage zones connectors instead, see Citrix Files use with Endpoint Management in the Citrix Endpoint Management documentation.

Citrix Files for Endpoint Management clients are MDX-capable versions of Citrix Files mobile clients. These clients provide secure, integrated access to data in other MDX-wrapped apps. Citrix Files for Endpoint Management clients also benefit from MDX features, such as micro VPN, single sign-on (SSO) with Secure Hub, and two-factor authentication.

You use Endpoint Management, Citrix Files, storage zones controller, and Citrix ADC as follows to deploy and manage Citrix Files for Endpoint Management clients:

  • When Endpoint Management is configured with Citrix Files, Endpoint Management acts as a SAML identity provider (IdP) and deploys Citrix Files for Endpoint Management clients. Citrix Files manages Citrix Files data. No Citrix Files data travels through Endpoint Management.
  • When Endpoint Management is configured with Citrix Files or with storage zones connectors, the storage zones controller provides connectivity to data in network shares and SharePoint. Users access your stored data through the Citrix Files mobile productivity apps. Users can edit Microsoft Office documents, as well as preview and annotate Adobe PDF files from mobile devices.
  • Citrix ADC manages requests from external users, securing their connections, load balancing requests, and handling content switching for storage zones connectors.

To download Citrix Files for Endpoint Management clients, see Endpoint Management downloads. You can download Citrix Files for Endpoint Management clients for Android and iOS, including separate iOS clients for use with restricted storage zones.

For system requirements for Citrix Files for Endpoint Management and other mobile productivity apps, see System requirements.

How Citrix Files for Endpoint Management clients differ from Citrix Files mobile clients

The following describes the differences between Citrix Files for Endpoint Management clients and Citrix Files mobile clients.

User access

Citrix Files for Endpoint Management clients:

Users obtain and open Citrix Files for Endpoint Management clients from Secure Hub.

Citrix Files mobile clients:

Users obtain Citrix Files mobile clients from app stores.

SSO

Citrix Files for Endpoint Management clients:

For Endpoint Management integration with Citrix Files: You can configure Endpoint Management as a SAML IdP for Citrix Files. In this configuration, Secure Hub obtains a SAML token for the Citrix Files for Endpoint Management client, using Endpoint Management as the SAML IdP. A user who starts the Citrix Files for Endpoint Management client, but is not signed on to Secure Hub, is prompted to sign on to Secure Hub. The user does not have to know their Citrix Files domain or account information.

Citrix Files mobile clients:

You can configure Endpoint Management and Citrix Gateway as a SAML IdP for Citrix Files. In this configuration, a user logging on to Citrix Files using a web browser or other Citrix Files clients is redirected to the Endpoint Management environment for user authentication. After successful authentication by Endpoint Management, the user receives a SAML token that is valid for logon to their Citrix Files account.

Micro VPN

Citrix Files for Endpoint Management clients:

Remote users can connect using a VPN or micro VPN connection through Citrix Gateway to access apps and desktops in the internal network. This feature, available through Citrix ADC integration with Endpoint Management, is transparent to users.

Citrix Files mobile clients:

Not applicable.

Two-factor authentication

Citrix Files for Endpoint Management clients:

Citrix ADC integration with Endpoint Management also supports authentication using a combination of client certificate authentication and another authentication type, such as LDAP or RADIUS.

Citrix Files mobile clients:

Not applicable.

Folder permissions

Citrix Files for Endpoint Management clients and Citrix Files mobile clients:

For Endpoint Management integration with Citrix Files: Determined by Citrix Files.

Document access protection

Citrix Files for Endpoint Management clients:

Users can open attachments received in Secure Mail or downloaded by any MDX-wrapped app. Only MDX-wrapped apps appear when the user performs an Open In action. Data that is from a non-wrapped app is not available to a Citrix Files for Endpoint Management client. Secure Mail users can attach files from their Citrix Files repository without needing to download the file to the device. If a user has wrapped Citrix Files and unwrapped Citrix Files on a device, the wrapped Citrix Files client cannot access files in the user’s personal Citrix Files account. The wrapped Citrix Files client can access only the Citrix Files subdomain configured in Endpoint Management.

Citrix Files mobile clients:

Users can open attachments from any app.

Citrix Files account access

Citrix Files for Endpoint Management clients:

For Endpoint Management integration with Citrix Files: To access a personal Citrix Files account or a third-party Citrix Files account, users must use a non-MDX version of Citrix Files on the device.

Citrix Files mobile clients:

For Endpoint Management integration with Citrix Files: Available from Citrix Files clients.

Device policies

Citrix Files for Endpoint Management clients and Citrix Files mobile clients:

Both Endpoint Management and Citrix Files device policies apply to Citrix Files for Endpoint Management clients. For example, from the Endpoint Management console, you can perform a device wipe. From the Citrix Files console, you can remotely wipe the Citrix Files app.

MDX policies

Citrix Files for Endpoint Management clients:

MDX policies let you configure settings that the Endpoint Management app store enforces. Policies available only through MDX include the ability to block the camera, mic, email compose, screen capture, and clipboard cut, copy, and paste operations.

Citrix Files mobile clients:

Not applicable.

Data encryption

Citrix Files for Endpoint Management clients and Citrix Files mobile clients:

Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.

Availability

Citrix Files for Endpoint Management clients:

Citrix Files for Endpoint Management clients are included with Endpoint Management Advanced and Enterprise editions.

Citrix Files mobile clients:

All Endpoint Management editions include all Citrix Files features. You can integrate Endpoint Management with the full Citrix Files feature set or just storage zones connectors.

Integrating and delivering Citrix Files for Endpoint Management clients

To integrate and deliver Citrix Files clients with Endpoint Management, follow these general steps:

  1. Enable Endpoint Management as a SAML IdP for Citrix Files, to provide SSO from Citrix Files clients to Citrix Files. To do so, you must configure Citrix Files account information in Endpoint Management, as described in this article in the “To configure Citrix Files account information in Endpoint Management for SSO” section.

    Important:

    To use Endpoint Management as a SAML IdP for non-MDX Citrix Files clients, such as the Citrix Files web app and the Citrix Files Sync clients, additional configuration is required. For details, see this article on the Citrix Files support site:

    Citrix Files (ShareFile) Single Sign-On SSO. The article contains a download link to the Endpoint Management configuration guide.

  2. Download the Citrix Files clients.

  3. Add the Citrix Files clients to Endpoint Management. For details, see “To add Citrix Files to Endpoint Management” later in this article.

  4. Validate your configuration. For details, see “To validate Citrix Files clients,” later in this article.

    Configure Citrix Files

About the settings:

  • Domain is the Citrix Files subdomain to be used for the clients.

  • Only the users in the selected delivery groups will have SSO access to Citrix Files from the clients.

    If a user in a delivery group does not have a Citrix Files account, Endpoint Management provisions the user into Citrix Files when you add the Citrix Files client to Endpoint Management.

  • The Citrix Files Administrator Account Logon information is used by Endpoint Management to save the SAML settings in the Citrix Files control plane.

Important:

The configuration that enables SSO from Citrix Files clients to Citrix Files does not authenticate users to network shares or SharePoint document libraries. Access to those connector data sources requires authentication to the Active Directory domain in which the network shares or SharePoint servers reside.

To configure Citrix Files account information in Endpoint Management for SSO

To enable SSO from Secure Hub to mobile productivity apps, you specify Citrix Files account and Citrix Files administrator service account information in the Endpoint Management console. With that configuration, Endpoint Management acts as a SAML IdP for Citrix Files, for mobile productivity app clients, Citrix Files clients, and non-MDX Citrix Files clients. When a user starts a mobile productivity app client, Secure Hub obtains a SAML token for the user from Endpoint Management and sends it to the Citrix Files client.

In the Endpoint Management console, click Configure > Settings, expand More and then click ShareFile, which is the former name of Citrix Files.

To add Citrix Files for Endpoint Management clients to Endpoint Management

When you add Citrix Files for Endpoint Management clients to Endpoint Management, you can enable SSO access to Connector data sources from Citrix Files for Endpoint Management clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode policy as described in this section.

Prerequisites

  • Endpoint Management must be able to reach your Citrix Files subdomain. To test the connection, ping your Citrix Files subdomain from the Endpoint Management server.

  • The time zone configured for your Citrix Files account and for the hypervisor running Endpoint Management must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach Citrix Files within the expected time frame. To configure the NTP server for Endpoint Management, use the Endpoint Management command-line interface.

    Note:

    Be aware that the Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.

  • Log in to the Citrix Files administrator console using a Citrix Files admin account and verify the SAML SSO settings in Admin > Configure Single Sign-On.

  • Download Citrix Files for Endpoint Management clients.
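
The time prerequisite above can be reproduced offline. The following is an added example, not Citrix code: it models a SAML IdP whose VM clock holds the host's local wall time but is read as UTC, and applies the NotBefore/NotOnOrAfter window test a service provider performs. The five-minute lifetime, three-minute skew tolerance, timestamps, and function names are assumptions; the values Citrix Files applies are not stated in this article.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
LIFETIME = timedelta(minutes=5)   # assumed validity window, not a Citrix value
SKEW = timedelta(minutes=3)       # assumed tolerance at the service provider


def build_assertion(idp_clock):
    """Constructed, unsigned sample: only the Conditions window matters here."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{idp_clock.strftime(FMT)}" '
        f'NotOnOrAfter="{(idp_clock + LIFETIME).strftime(FMT)}"/>'
        "</saml:Assertion>"
    )


def parse_window(xml_text):
    """Return (NotBefore, NotOnOrAfter) as timezone-aware UTC datetimes."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    stamps = (cond.get("NotBefore"), cond.get("NotOnOrAfter"))
    if None in stamps:
        raise ValueError("Conditions lacks NotBefore or NotOnOrAfter")
    return tuple(datetime.strptime(s, FMT).replace(tzinfo=timezone.utc) for s in stamps)


def check_window(xml_text, sp_now):
    """Apply the time-window test a SAML service provider performs."""
    not_before, not_on_or_after = parse_window(xml_text)
    if sp_now + SKEW < not_before:
        return "rejected: not yet valid"
    if sp_now - SKEW >= not_on_or_after:
        return "rejected: expired"
    return "accepted"


def simulate(local_offset_hours, delivery_delay=timedelta(seconds=20)):
    """IdP VM clock holds local wall time but is read as UTC; SP clock is correct."""
    true_utc = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)  # constructed
    idp_clock = true_utc + timedelta(hours=local_offset_hours)
    return check_window(build_assertion(idp_clock), true_utc + delivery_delay)


if __name__ == "__main__":
    for offset in (0, 2, -5):
        print(f"host zone UTC{offset:+d}: {simulate(offset)}")
```

A host zone ahead of UTC produces tokens that are not yet valid, and a zone behind UTC produces tokens that are already expired, so both directions of the mismatch break SSO even though the token is delivered within seconds.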

Steps:

  1. In the Endpoint Management console, click Configure > Apps and then click Add.
  2. Click MDX.
  3. Enter a Name and, optionally, a Description and App category for the app.
  4. Click Next and then upload the .mdx file for the Citrix Files for Endpoint Management client.
  5. Click Next to configure the app information and policies.

    The configuration that enables SSO from Citrix Files for Endpoint Management clients to Citrix Files does not authenticate users to network shares or SharePoint document libraries.

  6. To enable SSO between the Secure Hub micro VPN and storage zones controller, complete the following policy configuration:

    • Set the Network access policy to Tunneled to the internal network.

      In this mode of operation, all network traffic from the Citrix Files for Endpoint Management client is intercepted by the Endpoint Management MDX framework and redirected through Citrix Gateway using an app-specific micro VPN.

    • Set the Preferred VPN mode policy to Secure browse.

      In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then initiates new connections to internal resources on the user’s behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

  7. Complete the Approvals and Delivery Group Assignments as needed.

Only the users in the selected delivery groups will have SSO access to Citrix Files from the Citrix Files for Endpoint Management clients. If a user in a delivery group does not have a Citrix Files account, Endpoint Management provisions the user into Citrix Files when you add the Citrix Files for Endpoint Management client to Endpoint Management.

To validate Citrix Files for Endpoint Management clients

  1. After completing the configuration described in this article, start the Citrix Files for Endpoint Management client. Citrix Files should not prompt you to sign on.
  2. In Secure Mail, compose an email and add an attachment from Citrix Files. Your Citrix Files Home page should open, without prompting you to sign on.