For each XenMobile instance (a single server or a cluster of nodes), you can choose whether to manage devices, apps, or both. XenMobile uses the following terms for device and app management modes, sometimes also referred to as deployment modes:
- Mobile device management mode (MDM mode)
- Mobile app management mode (MAM mode)
- MDM+MAM mode (Enterprise mode)
Note: This section applies to XenMobile Service and XenMobile on-premises deployments.
Mobile device management (MDM Mode)
If you configure MDM mode and later change to ENT mode, be sure to use the same (Active Directory) authentication. XenMobile doesn’t support changing the authentication mode after user enrollment. For more information, see Upgrade.
With MDM, you can configure, secure, and support mobile devices. MDM enables you to protect devices and data on devices at a system level. You can configure policies, actions, and security functions. For example, you can wipe a device selectively if the device is lost, stolen, or out of compliance. Although app management is not available with MDM mode, you can deliver mobile apps, such as public app store and enterprise apps, in this mode. Following are common use cases for MDM mode:
- MDM is a consideration for corporate-owned devices where device-level management policies or restrictions, such as full wipe, selective wipe, or geo-location are required.
- When customers require management of an actual device, but do not require MDX policies, such as app containerization, controls on app data sharing, or micro VPN.
- When users only need email delivered to their native email clients on their mobile devices, and Exchange ActiveSync or Client Access Server is already externally accessible. In this use case, you can use MDM to configure email delivery.
- When you deploy native enterprise apps (non-MDX), public app store apps, or MDX apps delivered from public stores. Consider that an MDM solution alone might not prevent data leakage of confidential information between apps on the device. Data leakage might occur with copy and paste or Save As operations in Office 365 apps.
Mobile app management (MAM Mode)
MAM protects app data and lets you control app data sharing. MAM also allows for the management of corporate data and resources, separately from personal data. With XenMobile configured for MAM mode, you can use MDX-enabled mobile apps to provide per-app containerization and control. The term MAM mode is also called MAM-only mode. This term distinguishes this mode from a legacy MAM mode.
By leveraging MDX policies, XenMobile provides app-level control over network access (such as micro VPN), app and device interaction, data encryption, and app access.
MAM mode is often suitable for bring-your-own (BYO) devices because, although the device is unmanaged, corporate data remains protected. MDX has more than 50 MAM-only policies that you can set without needing an MDM control or relying on device passcodes for encryption.
MAM also supports the XenMobile Apps. This support includes secure email delivery to Citrix Secure Mail, data sharing between the secured XenMobile Apps, and secure data storage in ShareFile. For details, see XenMobile Apps.
MAM is often suitable for the following examples:
- You deliver mobile apps, such as MDX apps, managed at the app level.
- You are not required to manage devices at a system level.
MDM+MAM (Enterprise Mode)
MDM+MAM is a hybrid mode, also called Enterprise Mode, which enables all feature sets available in the XenMobile Enterprise Mobility Management (EMM) solution. Configuring XenMobile with MDM+MAM mode enables both MDM and MAM features.
XenMobile lets you specify whether users can choose to opt out of device management or whether you require device management. This flexibility is useful for environments that include a mix of use cases. These environments may or may not require management of a device through MDM policies to access your MAM resources.
MDM+MAM is suitable for the following examples:
- You have a single use case in which both MDM and MAM are required. MDM is required to access your MAM resources.
- Some use cases require MDM while some do not.
- Some use cases require MAM while some do not.
You specify the management mode for XenMobile Server through the Server Mode property. You configure the setting in the XenMobile console. The mode can be MDM, MAM, or ENT (for MDM+MAM).
The XenMobile edition for which you have a license determines the management modes and other features available, as shown in the following table.
|XenMobile MDM Edition||XenMobile Advanced Edition||XenMobile Enterprise Edition|
|MDM features||MDM features||MDM features|
|-||MAM features||MAM features|
|-||MDX Toolkit||MDX Toolkit|
|Secure Hub||Secure Hub||Secure Hub|
|-||Secure Mail||Secure Mail|
|-||Secure Web||Secure Web|
|-||Secure Tasks||Secure Tasks|
|-||-||ShareFile Enterprise Edition|
Device Management and MDM Enrollment
A XenMobile Enterprise environment can include a mixture of use cases, some of which require device management through MDM policies to allow access to MAM resources. Before deploying XenMobile Apps to users, fully assess your use cases and decide whether to require MDM enrollment. If you later decide to change the requirement for MDM enrollment, it is likely that users must re-enroll their devices.
Note: To specify whether you require users to enroll in MDM, use the XenMobile Server property Enrollment Required in the XenMobile console (Settings > Server Properties). That global server property applies to all users and devices for the XenMobile instance. The property applies only when the XenMobile Server Mode is ENT.
Following is a summary of the advantages and disadvantages (along with mitigations) of requiring MDM enrollment in a XenMobile Enterprise mode deployment.
When MDM enrollment is optional
- Users can access MAM resources without putting their devices under MDM management. This option can increase user adoption.
- Ability to secure access to MAM resources to protect enterprise data.
- MDX policies such as App Passcode can control app access for each MDX app.
- Configuring NetScaler, XenMobile Server, and per-application time-outs, along with Citrix PIN, provide an extra layer of protection.
- While MDM actions do not apply to the device, some MDX policies are available to deny MAM access. The denial would be based on system settings, such as jailbroken or rooted devices.
- Users can choose whether to enroll their device with MDM during first-time use.
- MAM resources are available to devices not enrolled in MDM.
- MDM policies and actions are available only to MDM-enrolled devices.
- Have users agree to a company terms and conditions that holds them responsible if they choose to go out of compliance. Have administrators monitor unmanaged devices.
- Manage application access and security by using application timers. Decreased time-out values increase security, but may affect user experience.
- A second XenMobile environment with MDM enrollment required is an option. When considering this option, keep in mind the additional overhead of managing two environments and the additional resources required.
When MDM enrollment is required
- Ability to restrict access to MAM resources only to MDM-managed devices.
- MDM policies and actions can apply to all devices in the environment as desired.
- Users are not able to opt out of enrolling their device.
- Requires all users to enroll with MDM.
- Might decrease adoption for users who object to corporate management of their personal devices.
- Educate users about what XenMobile actually manages on their devices and what information administrators can access.
- You can use a second XenMobile environment, with a Server Mode of MAM (also called MAM-only mode), for devices that don’t need MDM management. When considering this option, keep in mind the additional overhead of managing two environments and the additional resources required.
About MAM and Legacy MAM Modes
XenMobile 10.3.5 introduced a new MAM-only server mode. To distinguish the prior and new MAM modes, the documentation uses these terms. The new mode is called MAM-only or MA, the prior MAM mode is called legacy MAM mode.
MAM-only mode is in effect when the Server Mode property of XenMobile is MAM. Devices register in MAM mode.
Legacy MAM functionality is in effect when the Server Mode property of XenMobile is ENT and users choose to opt out of device management. In that case, devices register in MAM mode. Users who opt out of MDM management continue to receive the legacy MAM functionality.
Note: Previously, setting the Server Mode property to MAM had the same effect as setting it to ENT: Users who opted out of MDM management received the legacy MAM functionality.
The following table summarizes the Server Mode setting to use for a particular license type and desired device mode:
|Your licenses are for this edition||You want devices to register in this mode||Set the Server Mode property to|
|Enterprise/ Advanced/MDM||MDM mode||MDM|
|Enterprise/Advanced||MAM mode (also called MAM-only mode)||MAM|
|Enterprise/Advanced||MDM+MAM mode||ENT (Users who opt out of device management operate under the legacy MAM mode.)|
MAM-only mode supports the following features that were previously available only for ENT. These features are not available for Windows Phone.
- Certificate-based authentication: MAM-only mode supports certificate-based authentication. Users will experience continued access to their apps even when their Active Directory password expires. If you use certificate-based authentication for MAM devices, you must configure your NetScaler Gateway. By default, in XenMobile Settings > NetScaler Gateway, Deliver user certificate for authentication is set to Off, meaning that user name and password authentication is used. Change that setting to On to enable certificate authentication.
- Self Help Portal: To enable users to perform their own app lock and app wipe. Those actions apply to all apps on the device. You can configure the App Lock and App Wipe actions in Configure > Actions.
- All enrollment modes: Including High Security, Invitation URL, and Two Factor, configured through Manage > Enrollment Invitations.
- Device registration limit for Android and iOS devices: The Server Property Number of Devices Per User has moved to Configure > Enrollment Profiles and now applies to all server modes.
- MAM-only APIs: For MAM-only devices, you can call REST services by using any REST client and the XenMobile REST API to call services that the XenMobile console exposes.
- The MAM-only APIs enable you to:
- Send an invitation URL and one-time PIN.
- Issue app lock and wipe on devices.
The following table summarizes the differences between the legacy MAM and MAM-only functionality.
|Enrollment Scenarios and Other Features||Legacy MAM (server mode is ENT)||MAM-only mode (server mode is MAM)|
|Certificate authentication||Not supported.||Supported. For certificate authentication, NetScaler Gateway is required.|
|Deployment requirement||XenMobile Server does not need to be directly accessible from devices.||XenMobile Server does not need to be directly accessible from devices.|
|Enrollment option||Use the NetScaler Gateway FQDN or, when using MDM FQDN, opt not to enroll.||Use XenMobile Server FQDN.|
|Enrollment methods*||User name + Password||User name + Password, High Security, Invitation URL, Invitation URL+PIN, Invitation URL + Password, Two Factor, User name + PIN|
|App lock and wipe||Supported.||Supported.|
|Self Help Portal options for app lock and wipe||Not supported.||Supported.|
|App wipe behavior||Apps remain on the device but are not usable. XenMobile deletes the account on the client only.||Apps remain on the device but are not usable. XenMobile deletes the account on the client only.|
|Automated actions for MAM-only users.||Event, device property, user property actions are supported. Doesn’t support installed app-based automated actions.||Supports event, device property, user property, and some app-based actions, including app wipe and app lock.|
|Built-in action when an Active Directory user is deleted||Supports app wipe.||Supports app wipe.|
|Enrollment limit||Supported; configured through an enrollment profile.||Supported; configured through an enrollment profile.|
|Software inventory||Supported. XenMobile lists apps installed on a device||Not supported.|
*Regarding notifications: SMTP is the only supported method for sending enrollment invitations.
For MAM-only mode, previously enrolled users must re-enroll their devices. Be sure to provide users with the XenMobile Server FQDN they need for enrollment. In MAM-only mode, like the ENT mode, devices enroll using the XenMobile Server FQDN. (In the legacy MAM mode, devices enroll using the NetScaler Gateway FQDN.)