Product Documentation

Configuring XenMobile Mail Manager

May 06, 2015

You can use the XenMobile Mail Manager Configuration utility to extend the capabilities of XenMobile Device Manager with access control rules that either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services. You can build dynamic and static rules that enforce corporate email policies, allowing you to block users who are in violation of compliance standards. You can also use the utility to perform an EAS wipe on devices that are out of compliance.

XenMobile Mail Manager also provides the ability to access information about BlackBerry devices and to perform control operations such as Wipe and ResetPassword.

Configuring the Exchange Server

  1. From the Start menu, launch XenMobile Mail Manager.
  2. In the XenMobile Mail Manager utility, click the Configure > Exchange tab.
  3. Select the type of Exchange server environment, either On-premise or Office 365. If you select On-premise, enter the name of the Exchange CAS server that will be used for remote PowerShell commands.
  4. Enter the User name of a Windows identity that has sufficient rights on the Exchange server. Give this account only the Exchange role it needs for snapshots and access control commands; the service uses it unattended and stores its password. For more information on the permissions required for XMM to access the Exchange server, see Onsite Exchange Requirements and Office 365 Exchange Requirements.
  5. Enter the Password for the User.
  6. Select the schedule for running Major snapshots. A major snapshot detects every EAS partnership.
  7. Select the schedule for running Minor snapshots. A minor snapshot detects newly created EAS partnerships.
  8. Select whether you want XenMobile Mail Manager to take Deep or Shallow snapshots. Shallow snapshots are faster and are sufficient for all of the EAS access control functions of XenMobile Mail Manager. Deep snapshots can take significantly longer and are needed only if the Mobile Service Provider is enabled for ActiveSync (which allows Device Manager to query for unmanaged devices). If you are configuring XenMobile Mail Manager with a Mobile Service Provider (MSP) ActiveSync interface, for example to apply access control rules to unmanaged BlackBerry devices from a BES server, you must choose Deep snapshots. If MSP ActiveSync capability is not required, Citrix recommends using shallow snapshots for better performance.
  9. Click Test Connectivity to check that a connection can be made to the Exchange server.
  10. Click Save. When prompted by a message asking if you would like to restart the service, click Yes.
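The following script is an added example, not part of XenMobile Mail Manager or its documentation. It opens the same kind of remote PowerShell session the service uses against the Exchange CAS server, checks that the account entered above can see the cmdlets it needs, and lists the EAS partnerships a snapshot detects. The CAS server name cas01.corp.example and the account CORP\svc-xmm are placeholders.

```powershell
# Added example; not part of XenMobile Mail Manager or its documentation.
# Opens a remote Exchange PowerShell session as the XMM service account, verifies
# the account's rights by the cmdlets Exchange exports to it, and enumerates the
# EAS partnerships a snapshot would detect. Server and account names are assumed.
param(
    [string]$CasServer = 'cas01.corp.example',   # assumed; the name entered on the Exchange tab
    [switch]$Office365                           # use the Office 365 endpoint instead of on-premise
)

$cred = Get-Credential 'CORP\svc-xmm'            # assumed account XenMobile Mail Manager will use

if ($Office365) {
    # Endpoint and Basic authentication as used at the time of this page; Microsoft has
    # since retired Basic authentication for Exchange Online remote PowerShell.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $cred -Authentication Basic -AllowRedirection
} else {
    # On-premise: Kerberos to the CAS server's PowerShell virtual directory.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$CasServer/PowerShell/" `
        -Credential $cred -Authentication Kerberos
}
Import-PSSession $session -AllowClobber -ErrorAction SilentlyContinue | Out-Null

# Exchange only exports the cmdlets the account's RBAC roles allow, so a missing cmdlet
# here means the account lacks rights for snapshots (Get-*) or rule enactment (Set-*).
$required = 'Get-ActiveSyncDevice', 'Get-CASMailbox', 'Set-CASMailbox'
$missing  = @($required | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) })
if ($missing.Count -gt 0) {
    Remove-PSSession $session
    throw "$($cred.UserName) cannot run $($missing -join ', '); check its Exchange role assignment"
}

# What a shallow snapshot sees for each partnership: the properties Local rules match on
# (device ID, device type, user agent, user) plus the access state Exchange currently holds.
$snapshot = @(Get-ActiveSyncDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceUserAgent,
                  DeviceAccessState, DeviceAccessStateReason)

$snapshot | Format-Table -AutoSize
$quarantined = @($snapshot | Where-Object { $_.DeviceAccessState -eq 'Quarantined' })
"{0} EAS partnerships, {1} quarantined" -f $snapshot.Count, $quarantined.Count

Remove-PSSession $session
```

Run it as the account you entered in step 4 rather than as yourself; the Test Connectivity button only proves the session opens, while the cmdlet check above shows whether the account has enough rights to both read partnerships and change their access state.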

Configuring database properties

Before XenMobile Mail Manager can take snapshots or evaluate rules, it needs a connection to the database in which it stores its data.

  1. From the Start menu, launch XenMobile Mail Manager.
  2. In the XenMobile Mail Manager utility, click the Configure > Database tab.
  3. Enter the Server name of the SQL Server (defaults to localhost).
  4. Let the Database name be set to the default (CitrixXmm).
  5. In the Authentication field, from the drop-down, select the Authentication mode used for SQL:
    1. SQL. If you choose this authentication, then enter the username and password of a valid SQL user.
    2. Windows Integrated. If you choose this option, the Log On account of the XenMobile Mail Manager Service must be changed to a Windows account that has access to the database, because the service connects to SQL Server as that account. To do this, launch Control Panel > Administrative Tools > Services, right-click the XenMobile Mail Manager Service entry, select Properties, and then select the Log On tab.
  6. Click Test Connectivity to check that a connection can be made to the SQL Server.
  7. Click Save. When prompted by a dialog asking if you would like to restart the service, click Yes.

Configuring a Mobile Service Provider

Configuring a Mobile Service Provider (MSP) is optional and needed only if the Device Manager server is also configured to use the Mobile Service Provider interface to query unmanaged devices; for example: BlackBerry devices from a BlackBerry Enterprise Server (BES).

Note: XMM manages BlackBerry devices from BES 4.1 and BES 5 servers, and BlackBerry Z10 devices and other ActiveSync devices from Exchange 2010. The transport (HTTP or HTTPS) configured for the MSP service in XMM must match the scheme of the Web service URL entered in Device Manager.
  1. From the Start menu, launch XenMobile Mail Manager.
  2. Click the Configure > MSP tab.
  3. Set the Service Transport type (HTTP or HTTPS) for the MSP service. Choose HTTPS where possible so that Device Manager's authentication to this service and the device data returned to it are protected in transit.
  4. Set the Service port (typically 80 for HTTP or 443 for HTTPS) for the MSP service.
  5. Set the Authorization Group or User. This sets the user or set of users that will be able to connect to the MSP service from the Device Manager server. Keep this as narrow as possible: the single account that Device Manager uses (the Username entered when configuring the Mobile Service Provider in Device Manager) is all that is required.
  6. Select Enable ActiveSync if you want to enable ActiveSync queries. Note: If ActiveSync queries are enabled for the Device Manager server then the Snapshot type for the Exchange server(s) must be set to Deep. Be aware that this could have significant performance costs for performing snapshots.
  7. Click Save.

Configuring the Mobile Service Provider hostname in Device Manager

Once you have configured XMM to use the Mobile Service Provider web service interface to query unmanaged devices (for example, if you want to manage the ActiveSync traffic of BlackBerry devices from a BES 5 server), you need to configure the Device Manager server to connect to the XMM server.

  1. Log in to the Device Manager web console.
  2. Click Options.
  3. In the Options dialog, select Modules Configuration > Mobile Service Provider.
  4. Enter the following information:
    1. Web service URL. The URL of the MSP web service on the XMM server. For example: http://XmmServer/services/zdmservice. The scheme (http or https) and the port must match the Service Transport type and Service port set on the XMM MSP tab.
    2. Username. Username of the administrator account on the XMM server. For example: domain\admin.
    3. Password. Password for the administrator account on the XMM server.
    4. Enable automatic update of BlackBerry and ActiveSync devices connections. Select this option.
  5. Click Check Connection to test the communication between XMM and Device Manager.
  6. Click Close.

Configuring Blackberry BES servers (optional)

  1. From the Start menu, launch XenMobile Mail Manager.
  2. Click the Configure > MSP tab.
  3. Under BlackBerry Configuration, click Add.
  4. In the BES Properties dialog box, type the Server name of the BES SQL Server.
  5. Type the database name of the BES Management database.
  6. Next, select the Authentication mode for server access. If Windows Integrated authentication is selected, the user account of the XenMobile Mail Manager service is the account used to connect to the BES SQL Server. If SQL authentication is selected, enter the user name and password.
  7. Set the Sync Schedule. This is the schedule used to connect to the BES SQL server and check for any device updates.
  8. Click Test Connectivity to check connectivity to the SQL server.

    Note: If Windows Integrated is selected, this test uses the current logged in user and not the XenMobile Mail Manager Service user and therefore does not accurately test SQL authentication.

  9. If you want to support remote Wipe and/or ResetPassword of BlackBerry devices from Device Manager, select Enabled. In the fields, enter the following information:
    1. The BAS Server FQDN.
    2. The BAS Server port used for the Admin web service.
    3. The fully qualified User and Password required by the BES service.
  10. Click Test Connectivity to test the connection to the BES server.
  11. Click Save.
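The note in step 8 matters for both this procedure and the database configuration above: with Windows Integrated authentication, Test Connectivity runs as the user sitting at the console, not as the account the XenMobile Mail Manager service logs on as, so a green result proves nothing about the service. The script below is an added example, not part of the product, that repeats the check under the service account on the server that hosts the service. It assumes the service's display name contains "XenMobile Mail Manager"; the SQL host name is a placeholder, and the database is CitrixXmm for the XMM database or the BES Management database name for the BES SQL Server.

```powershell
# Added example; not part of the product. Re-runs a Windows Integrated SQL login check
# as the account the XenMobile Mail Manager service runs as, instead of the logged-in
# user. Run on the host where the service is installed. Names are assumed placeholders.
param(
    [string]$SqlServer = 'sql01.corp.example',   # assumed SQL Server host
    [string]$Database  = 'CitrixXmm'             # assumed; or the BES Management database
)

# 1. The Log On account of the service (what services.msc shows on the Log On tab).
$svc = Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -like '*XenMobile Mail Manager*' } | Select-Object -First 1
if (-not $svc) { throw 'XenMobile Mail Manager service not found on this host' }
"Service '{0}' logs on as {1}" -f $svc.DisplayName, $svc.StartName

$builtIn = @('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

# 2. The check itself; it runs inside whichever process we launch it in and reports
#    which login SQL Server actually sees.
$test = {
    param($server, $db)
    $cs = "Server=$server;Database=$db;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME(), DB_NAME()'   # who SQL sees, and where
        $r = $cmd.ExecuteReader(); [void]$r.Read()
        "OK: connected to {0} as {1}" -f $r[1], $r[0]
    } catch {
        "FAILED: " + $_.Exception.Message
    } finally { $conn.Dispose() }
}

if ($builtIn -contains $svc.StartName) {
    # Built-in accounts cannot be impersonated with a password; SQL sees the computer
    # account (DOMAIN\HOST$). Run this script under that identity instead (e.g. PsExec -s).
    Write-Warning "Service runs as $($svc.StartName); running the check as the current user"
    & $test $SqlServer $Database
} else {
    # 3. Launch a second PowerShell as the service account and capture its output.
    $cred    = Get-Credential $svc.StartName
    $script  = "& {$test} '$SqlServer' '$Database'"
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
    $out = Join-Path $env:TEMP 'xmm-sqltest.out'
    $err = Join-Path $env:TEMP 'xmm-sqltest.err'
    Start-Process -FilePath powershell.exe -Credential $cred -Wait -WindowStyle Hidden `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded `
        -RedirectStandardOutput $out -RedirectStandardError $err
    Get-Content $out, $err
}
```

The SUSER_SNAME() value in the output is the login SQL Server granted; if it is the computer account or a different user than the one shown on the Log On tab, the service will fail where the console test succeeded.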

XenMobile Mail Manager and Exchange 'Quarantine' Mode

XenMobile Mail Manager can be indispensable when configured in conjunction with Microsoft Exchange's "Quarantine" mode, which allows an Exchange administrator to quarantine a user's device until that device can be determined to be compliant. (In Exchange quarantine mode, a user's email inbox is blocked, but the user can still see their calendar, appointments, and contacts.)

For example, when a user configures a corporate email account on a personal device, the new device is placed into quarantine as soon as it connects to the Exchange server. Exchange allows the administrator to have a mail sent to the user telling them that they need to enroll the new device in XenMobile Device Manager.

When the new device is then enrolled in Device Manager, the Device Manager will then notify the XenMobile Mail Manager to un-quarantine (or Allow) the device, provided the device is compliant with Device Manager policy. This policy is defined in Device Manager’s SMG Options dialog box.
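The Exchange side of this workflow is set with the organization-wide ActiveSync settings. The commands below are an added example, not XenMobile code; they show the default-access setting that makes the quarantine behaviour described above happen, beside the weaker setting it replaces. Run them in the Exchange Management Shell (or a remote Exchange session) with an account that can change organization settings. The mail address and enrollment URL are placeholders.

```powershell
# Added example; not XenMobile code. Exchange-side settings behind the quarantine
# workflow: what happens to a device no access rule matches, and who is notified.
# Address and URL are placeholders.

# Current organization-wide default and notification settings.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# Weak setting: -DefaultAccessLevel Allow lets a new, never-enrolled device sync mail
# before Device Manager has seen it. Quarantine holds it (inbox blocked, calendar and
# contacts visible) until XenMobile Mail Manager issues the Allow after enrollment.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mobile-admins@corp.example' `
    -UserMailInsert ('Your device has been quarantined. Enroll it in XenMobile Device Manager ' +
                     'at https://xdm.corp.example/zdm to restore mailbox access.')

# Devices currently held, i.e. those waiting on enrollment and an XMM Allow.
Get-ActiveSyncDevice -Filter { DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceUserAgent, DeviceId |
    Format-Table -AutoSize
```

The -UserMailInsert text is what the quarantined user sees, so it is the right place for the enrollment instructions the section above mentions; -AdminMailRecipients receives a notice for each newly quarantined device.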

Understanding XenMobile Mail Manager Access Rules

XenMobile Mail Manager allows you to configure three types of rules:
  • Local
  • XDM (from Device Manager)
  • Default

Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The matching criteria may match a particular device or a set of devices.

Local Rules

Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:
  • ActiveSync Device Id. Uniquely identifies a specific device.
  • Device Type. A set of devices, such as “iPad”, “WP8”, or “Touchdown”.
  • User Agent. A set of devices identified by platform version, such as “iOS/6.1.2”.
  • User. A specific user.

XDM (Device Manager) Rules

XDM rules are defined within XenMobile Device Manager. The product of these rules is delivered to XenMobile Mail Manager and continuously updated in the background. XDM rules can identify devices by properties known to XDM, such as:
  • Enrolled in Device Manager
  • Jailbroken (iOS) or rooted (Android) devices
  • Forbidden Apps are installed (blacklisted apps)
  • Non-suggested apps are installed
  • Unmanaged
  • Out Of Compliance
  • Non-Compliant Password
  • Revoked status
  • Inactive Device
  • Anonymous status

Default Rules

The Default Rule matches the set of all devices. The Default Rule’s desired state may be set to Allow, Block, or Unchanged. If the latter is selected, the effect will be that XenMobile Mail Manager will not modify the state of any devices that are not matched explicitly by a Local or XDM rule.

Rule Evaluation

For each ActiveSync device known to the Exchange server, the rules are evaluated in order: first Local Rules, then XDM Rules, then the Default Rule. If a match is found in any rule, the rule's desired state is then enacted for the device and no further rules are evaluated for the device.

Rule enactment results in a PowerShell command being sent by XenMobile Mail Manager to Exchange to change the access state. However, if the current known access state of the device is already equal to the desired state, no action is taken.

Whenever the rules, or the set of known devices changes, the rules are re-evaluated.

Additionally, XenMobile Mail Manager can be configured in Simulation mode. In this mode, PowerShell commands are not issued to modify the access state. Instead, XenMobile Mail Manager records in its database that such an action was simulated.

Note: the order in which Local and XDM rules are evaluated can be configured so that XDM rules are evaluated before Local rules (this requires manual editing of config.xml).

Configuring Default access control rules

The Default access control rule serves as a catch-all that can be set to allow or block any device that does not match either an XDM rule or a Local rule. For example, if you set the Default rule to Allow, then any device that is not matched by a Block rule in either the XDM or Local rules will be allowed to connect to Exchange. Because the Default rule is also what an unknown, never-enrolled device receives, Block is the safer choice when you rely on Device Manager enrollment to grant access.

  1. From the Start menu, launch XenMobile Mail Manager.
  2. Click the Configure > Access Rules tab
  3. Select the Default Access, either Allow or Block. This setting controls how all devices other than those identified by explicit Device Manager or Local rules will be treated.
  4. Next, select the ActiveSync Command Mode, either PowerShell or Simulation. In PowerShell mode, XenMobile Mail Manager issues PowerShell commands to enact the desired access control. In Simulation mode, XenMobile Mail Manager does not issue PowerShell commands, but logs the intended command and intended outcome to the database; you can then use the Monitor tab to see what would have occurred in PowerShell mode.
  5. Click Save.

Configuring XDM (Device Manager) rules

You can use XDM (from Device Manager) rules in XenMobile Mail Manager to work in combination with Local and Default rules. Device Manager rules provide control over devices that do not meet your corporate device compliance standards, such as the ability to block devices that have blacklisted apps, device that have been rooted or jailbroken, or that meet some other condition.

Device Manager rules are configured in the Device Manager web console, in the Options dialog box.

Device Manager rules are evaluated by XenMobile Mail Manager after Local rules and before the Default rule.

  1. From the Start menu, launch XenMobile Mail Manager.
  2. Click the Configure > Access Rules tab
  3. Click the XDM Rules tab.
  4. Click Add.
  5. Type a name for the XenMobile Device Manager (XDM) rules, such as "XDM".
  6. Modify the URL string to refer to the Device Manager server. For example, if the Device Manager server name is "Xdm01", enter http://Xdm01/zdm/services/MagConfigService. If the Device Manager server is configured for HTTPS, use an https URL so that the credentials entered in the next two steps are protected in transit.
  7. Enter an authorized user on the Device Manager server.
  8. Enter the password of the user.
  9. Leave the Baseline Interval, Delta Interval, and Timeout values at the default settings.
  10. Click Test Connectivity to check the connection to the Device Manager server.
  11. Click OK.

Configuring local rules

Local rules are rules that you create in, and that are specific to, the XenMobile Mail Manager utility. They provide an extra layer of filtering and control over your company email access policies. Used in combination with the Default access rule and the Device Manager Secure Mobile Gateway rules (XDM rules), they let you build combinations of filters that enforce email access according to company policy.

You can build local rules to allow or block access by device ID, Device Type (all Android devices, for example), specific user, Active Directory group, or even agent version (device platform version).

In XenMobile Mail Manager, local rules are evaluated first, followed by XDM rules, and then followed by Default rules, from top to bottom as they are listed in the user interface.

  1. From the Start menu, launch XenMobile Mail Manager.
  2. Click the Configure > Access Rules tab
  3. Click the Local Rules tab.
  4. If you want to build local rules that operate on AD Groups, click Configure LDAP and configure the LDAP connection properties.
  5. From the drop-down list, select local rules to add based on ActiveSync Device ID, Device Type, AD Group, User, or device UserAgent.
  6. Type text or text fragments in the text box. Optionally click the query button to view the entities that match the fragment. Note that for all types other than Group, the system relies on the devices that have been found in a snapshot. So, if you are just starting and haven’t completed a snapshot, no entities will be available.
  7. Select a text value in the results and then click Allow or Deny to add it to the Rule List on the right side.
  8. You can change the order of rules or remove them using the buttons to the right of the Rule List. The order is significant because for a given user and device, rules are evaluated in the order shown, and a match on a higher rule (nearer the top) will cause subsequent rules to have no effect. For example, if you have a rule allowing all iPad devices, and a subsequent rule blocking user “Matt”, then Matt’s iPad will still be allowed because the ”iPad” rule has a higher effective priority than the “Matt” rule.
  9. To determine the effects of multiple rules with groups that have overlapping members, click View Expanded. This shows the net result of the combination of groups.
  10. Click Save.

Simulation vs PowerShell Mode

Before you implement and activate your access control rules with XenMobile Mail Manager, you can use Simulation mode to test the rules, as opposed to PowerShell mode, which actually executes the rules in your live environment. The difference between the two modes is as follows:
  • In Simulation mode, XenMobile Mail Manager does not issue PowerShell commands, but logs the intended command and intended outcome to the database. You can then use the Monitor tab to see what would have occurred if PowerShell mode had been enabled.
  • In PowerShell mode, XenMobile Mail Manager issues PowerShell commands to enact the desired access control.

To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under ActiveSync Access Control Rules on the Default Rule tab, select either Simulation or PowerShell from the ActiveSync Command Mode drop-down list.
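The script below is an added example and not XenMobile Mail Manager's own code. It models, in one place, the behaviour described under Rule Evaluation (Local rules, then XDM rules, then the Default rule, first match wins, no command when the device is already in the desired state, and the config.xml option to put XDM rules first), the ordering case from the local-rules procedure (an "allow all iPads" rule above a "block Matt" rule leaves Matt's iPad allowed), and the difference between Simulation and PowerShell mode. The users, devices and Device Manager facts are constructed. The page only says that enactment sends "a PowerShell command"; the cmdlet used here (Set-CASMailbox with the per-user allowed and blocked device ID lists) is the standard Exchange one and an assumption about what the product issues.

```powershell
# Added example; not XenMobile Mail Manager's own code. Models first-match rule
# evaluation, the already-in-desired-state short-circuit, the XDM-first ordering
# switch, and Simulation versus PowerShell mode. All data below is constructed, and
# Set-CASMailbox is an assumption about the command the product sends to Exchange.
$Mode             = 'Simulation'   # or 'PowerShell' (needs an imported Exchange session)
$EvaluateXdmFirst = $false         # the config.xml ordering switch mentioned above
$SimLog = New-Object System.Collections.ArrayList   # stands in for the XMM database

# Constructed shallow snapshot, one entry per EAS partnership, plus what XDM knows.
$devices = @(
    @{ User='CORP\matt'; DeviceId='ApplF2LK'; DeviceType='iPad';    UserAgent='iOS/6.1.2';   State='Allowed';     Xdm=@{Enrolled=$true;  Jailbroken=$false} },
    @{ User='CORP\matt'; DeviceId='SAMSUNG1'; DeviceType='Android'; UserAgent='Android/4.1'; State='Allowed';     Xdm=@{Enrolled=$true;  Jailbroken=$true } },
    @{ User='CORP\anna'; DeviceId='WP8A1B2C'; DeviceType='WP8';     UserAgent='MSFT-WP/8.0'; State='Quarantined'; Xdm=@{Enrolled=$false; Jailbroken=$false} }
)

# Rules in the order the UI lists them. Each Match block takes the device record.
$localRules = @(
    @{ Name='Allow all iPads'; Action='Allow'; Match={ param($d) $d.DeviceType -eq 'iPad' } },
    @{ Name='Block Matt';      Action='Block'; Match={ param($d) $d.User -eq 'CORP\matt' } }
)
$xdmRules = @(
    @{ Name='Block jailbroken/rooted'; Action='Block'; Match={ param($d) $d.Xdm.Jailbroken } },
    @{ Name='Allow enrolled';          Action='Allow'; Match={ param($d) $d.Xdm.Enrolled } }
)
$defaultRule = @{ Name='Default'; Action='Block' }   # Allow, Block, or Unchanged

function Get-Decision($device) {
    $ordered = if ($EvaluateXdmFirst) { $xdmRules + $localRules } else { $localRules + $xdmRules }
    foreach ($r in $ordered) {
        if (& $r.Match $device) { return $r }   # first match wins; later rules never run
    }
    return $defaultRule
}

function Invoke-Enactment($device, $rule) {
    $who = "{0}/{1}" -f $device.User, $device.DeviceId
    if ($rule.Action -eq 'Unchanged') { return "$who : rule '$($rule.Name)' leaves $($device.State) unchanged" }
    $stateFor = @{ Allow = 'Allowed'; Block = 'Blocked' }
    $desired  = $stateFor[$rule.Action]
    if ($device.State -eq $desired) { return "$who : already $desired (rule '$($rule.Name)'), no command" }

    # Build the command as splatted parameters rather than a string, so a device ID or
    # user name taken from the snapshot can never change the shape of the command.
    $addList    = if ($rule.Action -eq 'Allow') { 'ActiveSyncAllowedDeviceIDs' } else { 'ActiveSyncBlockedDeviceIDs' }
    $removeList = if ($rule.Action -eq 'Allow') { 'ActiveSyncBlockedDeviceIDs' } else { 'ActiveSyncAllowedDeviceIDs' }
    $params = @{ Identity = $device.User }
    $params[$addList] = @{ Add = $device.DeviceId }
    if ($device.State -eq 'Allowed' -or $device.State -eq 'Blocked') {
        # The two lists are mutually exclusive, so an ID explicitly on the opposite list is
        # taken off it (assumes the current state came from that per-user list).
        $params[$removeList] = @{ Remove = $device.DeviceId }
    }
    $text = "Set-CASMailbox -Identity '$($device.User)' -$addList @{Add='$($device.DeviceId)'}"
    if ($params.ContainsKey($removeList)) { $text += " -$removeList @{Remove='$($device.DeviceId)'}" }

    if ($Mode -eq 'Simulation') {
        # Record what would have been done; in the product this is what the Monitor tab shows.
        [void]$SimLog.Add(@{ When = Get-Date; Device = $device.DeviceId; Rule = $rule.Name; Command = $text })
        return "$who : SIMULATED by rule '$($rule.Name)': $text"
    }
    Set-CASMailbox @params
    $device.State = $desired
    return "$who : ENACTED by rule '$($rule.Name)': $text"
}

foreach ($d in $devices) { Invoke-Enactment $d (Get-Decision $d) }
```

Run as written, Matt's iPad produces no command (the first local rule allows it, so "Block Matt" is never reached), Matt's Android is blocked by the second local rule before any XDM rule is consulted, and Anna's un-enrolled, quarantined WP8 device falls through every Local and XDM rule to the Default rule. Flip $EvaluateXdmFirst to $true and the jailbroken Android is instead blocked by the XDM rule, which is the only observable difference in this data set; switching $Mode to 'PowerShell' replays the same decisions against Exchange.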