
Citrix ShareFile for XenMobile

ShareFile is an enterprise file sync and sharing service that lets users exchange documents easily and securely. ShareFile gives users a variety of access options, including ShareFile mobile clients, such as ShareFile for Android Phone and ShareFile for iPad.

You can integrate ShareFile with XenMobile to provide the full ShareFile Enterprise feature set or to provide access only to ShareFile Connectors. By default, the XenMobile console enables configuration of ShareFile Enterprise only. To configure XenMobile for use with StorageZones Connectors instead, see ShareFile Integration with XenMobile in the XenMobile documentation.

ShareFile for XenMobile clients are MDX-capable versions of ShareFile mobile clients. These clients provide secure, integrated access to data in other MDX-wrapped apps. ShareFile for XenMobile clients also benefit from MDX features, such as micro VPN, single sign-on (SSO) with Secure Hub, and two-factor authentication.

You use XenMobile, ShareFile, ShareFile StorageZones Controller, and NetScaler as follows to deploy and manage ShareFile for XenMobile clients:

  • When XenMobile is configured with ShareFile Enterprise, XenMobile acts as a SAML identity provider (IdP) and deploys ShareFile for XenMobile clients. ShareFile manages ShareFile data. No ShareFile data travels through XenMobile.
  • When XenMobile is configured with ShareFile Enterprise or with StorageZones Connectors, the ShareFile StorageZones Controller provides connectivity to data in network shares and SharePoint. Users access your stored data through the ShareFile XenMobile apps. Users can edit Microsoft Office documents as well as preview and annotate Adobe PDF files from mobile devices.
  • NetScaler manages requests from external users, securing their connections, load balancing requests, and handling content switching for StorageZones Connectors.

To download ShareFile for XenMobile clients, see XenMobile downloads. You can download ShareFile for XenMobile clients for Android and iOS, including separate iOS clients for use with restricted StorageZones.

For ShareFile for XenMobile and other XenMobile App system requirements, see System requirements for XenMobile Apps.

How ShareFile for XenMobile Clients differ from ShareFile mobile clients

The following describes the differences between ShareFile for XenMobile clients and ShareFile mobile clients. ShareFile for XenMobile clients are also referred to as wrapped ShareFile. ShareFile mobile clients are also referred to as unwrapped ShareFile.

User access

ShareFile for XenMobile clients:

Users obtain and open ShareFile for XenMobile clients from Secure Hub.

ShareFile mobile clients:

Users obtain ShareFile mobile clients from app stores.

SSO

ShareFile for XenMobile clients:

For XenMobile integration with ShareFile Enterprise: You can configure XenMobile as a SAML IdP for ShareFile. In this configuration, Secure Hub obtains a SAML token for the ShareFile for XenMobile client, using XenMobile as the SAML IdP. A user who starts the ShareFile for XenMobile client but is not signed on to Secure Hub is prompted to sign on to Secure Hub. The user does not have to know their ShareFile domain or account information.

ShareFile mobile clients:

You can configure XenMobile and NetScaler Gateway as a SAML IdP for ShareFile. In this configuration, a user logging on to ShareFile using a web browser or other ShareFile clients is redirected to the XenMobile environment for user authentication. After successful authentication by XenMobile, the user receives a SAML token that is valid for logon to their ShareFile account.

Micro VPN

ShareFile for XenMobile clients:

Remote users can connect using a VPN or micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network. This feature, available through NetScaler integration with XenMobile, is transparent to users.

ShareFile mobile clients:

Not applicable.

Two-factor authentication

ShareFile for XenMobile clients:

NetScaler integration with XenMobile also supports authentication using a combination of client certificate authentication and another authentication type, such as LDAP or RADIUS.

ShareFile mobile clients:

Not applicable.

Folder permissions

ShareFile for XenMobile clients and ShareFile mobile clients:

For XenMobile integration with ShareFile Enterprise: Determined by ShareFile.

Document access protection

ShareFile for XenMobile clients:

Users can open attachments received in Secure Mail or downloaded by any MDX-wrapped app. Only MDX-wrapped apps appear when the user performs an Open In action. Data that is from a non-wrapped app is not available to a ShareFile for XenMobile client. Secure Mail users can attach files from their ShareFile repository without needing to download the file to the device. If a user has wrapped ShareFile and unwrapped ShareFile on a device, the wrapped ShareFile client cannot access files in the user’s personal ShareFile account. The wrapped ShareFile client can access only the ShareFile subdomain configured in XenMobile.

ShareFile mobile clients:

Users can open attachments from any app.

ShareFile account access

ShareFile for XenMobile clients:

For XenMobile integration with ShareFile Enterprise: To access a personal ShareFile account or a third-party ShareFile account, users must use a non-MDX version of ShareFile on the device.

ShareFile mobile clients:

For XenMobile integration with ShareFile Enterprise: Available from ShareFile clients.

Device policies

ShareFile for XenMobile clients and ShareFile mobile clients:

Both XenMobile and ShareFile device policies apply to ShareFile for XenMobile clients. For example, from the XenMobile console, you can perform a device wipe. From the ShareFile console, you can remotely wipe the ShareFile app.

MDX policies

ShareFile for XenMobile clients:

MDX policies let you configure settings that the XenMobile Store enforces. Policies available only through MDX include the ability to block the camera, mic, email compose, screen capture, and clipboard cut, copy, and paste operations.

ShareFile mobile clients:

Not applicable.

Data encryption

ShareFile for XenMobile clients and ShareFile mobile clients:

Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.

Availability

ShareFile for XenMobile clients:

ShareFile for XenMobile clients are included with XenMobile Advanced and Enterprise editions.

ShareFile mobile clients:

All XenMobile editions include all ShareFile Enterprise features. You can integrate XenMobile with the full ShareFile feature set or just StorageZones Connectors.

Integrating and Delivering ShareFile XenMobile Clients

To integrate and deliver ShareFile Worx clients with XenMobile, follow these general steps:

  1. Enable XenMobile as a SAML IdP for ShareFile, to provide SSO from ShareFile Worx clients to ShareFile. To do so, you must configure ShareFile account information in XenMobile, as described in this article in the “To configure ShareFile account information in XenMobile for SSO” section.

    ShareFile for Android 3.9 is required for SSO with Worx Home 10.0.8.

    Important: To use XenMobile as a SAML IdP for non-MDX ShareFile clients, such as the ShareFile web app and the ShareFile Sync clients, additional configuration is required. For details, see this article on the ShareFile support site: ShareFile Single Sign-On SSO. The article contains a download link to the XenMobile 10 configuration guide.

  2. Download and wrap the ShareFile Worx clients. For details, see About the MDX Toolkit.

  3. Add the ShareFile Worx clients to XenMobile. For details, see “To add ShareFile Worx clients to XenMobile”, further down.

  4. Validate your configuration. For details, see “To validate ShareFile Worx clients”, later in this article.

    Configure ShareFile

About the settings:

  • Domain is the ShareFile subdomain to be used for the Worx clients.

  • Only the users in the selected delivery groups will have SSO access to ShareFile from the Worx clients.

    If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile Worx client to XenMobile.

  • The ShareFile Administrator Account Logon information is used by XenMobile to save the SAML settings in the ShareFile control plane.

Important:

The configuration that enables SSO from ShareFile Worx clients to ShareFile does not authenticate users to network shares or SharePoint document libraries. Access to those Connector data sources requires authentication to the Active Directory domain in which the network shares or SharePoint servers reside.

To configure ShareFile account information in XenMobile for SSO

To enable SSO from Worx Home to XenMobile apps, you specify ShareFile account and ShareFile administrator service account information in the XenMobile console. With that configuration, XenMobile acts as a SAML IdP for ShareFile, for Worx clients, ShareFile Worx clients, and non-MDX ShareFile clients. When a user starts a Worx client, Worx Home obtains a SAML token for the user from XenMobile and sends it to the Worx client.

In the XenMobile console, click Configure > Settings, expand More and then click ShareFile.

To add ShareFile for XenMobile clients to XenMobile

When you add ShareFile for XenMobile clients to XenMobile, you can enable SSO access to Connector data sources from ShareFile for XenMobile clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode policy as described in this section.

Prerequisites

  • XenMobile must be able to reach your ShareFile subdomain. To test the connection, ping your ShareFile subdomain from the XenMobile server.

  • The time zone configured for your ShareFile account and for the hypervisor running XenMobile must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach ShareFile within the expected time frame. To configure the NTP server for XenMobile 10, use the XenMobile command-line interface.

    Note:

    Be aware that the Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.

  • Log in to the ShareFile administrator console using a ShareFile admin account and verify the SAML SSO settings in Admin > Configure Single Sign-On.

  • Download and wrap ShareFile for XenMobile clients.
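
The clock prerequisite above, as an added example (not Citrix or ShareFile code): a SAML assertion carries a validity window, and a service provider whose clock disagrees with the IdP's clock rejects it. The assertion, the issuer URL and the three-minute tolerance are constructed assumptions, not values documented for ShareFile or XenMobile.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: issued by an IdP whose clock reads 14:00 UTC.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-03-01T14:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-03-01T14:00:00Z"
                   NotOnOrAfter="2024-03-01T14:05:00Z"/>
</saml:Assertion>
"""

def parse_utc(value):
    # SAML 2.0 time values are UTC, written with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validity_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_utc(cond.attrib["NotBefore"]), parse_utc(cond.attrib["NotOnOrAfter"])

def check_assertion(assertion_xml, sp_now, allowed_skew=timedelta(0)):
    """Verdict of a service provider whose clock reads sp_now (aware UTC)."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    if sp_now + allowed_skew < not_before:
        return "rejected: not yet valid"
    if sp_now - allowed_skew >= not_on_or_after:
        return "rejected: expired"
    return "accepted"

def clock_gap(assertion_xml, sp_now):
    """How far sp_now lies outside the window; zero when it does not."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    if sp_now < not_before:
        return not_before - sp_now
    if sp_now >= not_on_or_after:
        return sp_now - not_on_or_after
    return timedelta(0)

if __name__ == "__main__":
    skew = timedelta(minutes=3)  # assumed tolerance, not a documented ShareFile value
    synced = datetime(2024, 3, 1, 14, 0, 2, tzinfo=timezone.utc)
    # IdP host kept local time (UTC+5) but labelled it UTC: real UTC is 5 h earlier.
    real = datetime(2024, 3, 1, 9, 0, 2, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE_ASSERTION, synced, skew))
    print(check_assertion(SAMPLE_ASSERTION, real, skew), clock_gap(SAMPLE_ASSERTION, real))
```

A gap close to a whole number of hours, as in the second case, points at a time zone or local-time-versus-UTC setting on the host rather than ordinary clock drift.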

Steps:

  1. In the XenMobile console, click Configure > Apps and then click Add.
  2. Click MDX.
  3. Enter a Name and, optionally, a Description and App category for the app.
  4. Click Next and then upload the .mdx file for the ShareFile for XenMobile client.
  5. Click Next to configure the app information and policies.

    Configure apps

    The configuration that enables SSO from ShareFile for XenMobile clients to ShareFile does not authenticate users to network shares or SharePoint document libraries.

  6. To enable SSO between the Secure Hub micro VPN and ShareFile StorageZones Controller, complete the following policy configuration:

    • Set the Network access policy to Tunneled to the internal network.

    In this mode of operation, all network traffic from the ShareFile for XenMobile client is intercepted by the XenMobile MDX framework and redirected through NetScaler Gateway using an app-specific micro VPN.

    • Set the Preferred VPN mode policy to Secure browse.

    In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then initiates new connections to internal resources on the user’s behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

  7. Complete the Approvals and Delivery Group Assignments as needed.

Only the users in the selected delivery groups will have SSO access to ShareFile from the ShareFile for XenMobile clients. If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile for XenMobile client to XenMobile.

To validate ShareFile for XenMobile clients

  1. After completing the configuration described in this article, start the ShareFile for XenMobile client. ShareFile should not prompt you to sign on.
  2. In Secure Mail, compose an email and add an attachment from ShareFile. Your ShareFile Home page should open, without prompting you to sign on.