Reference Architecture for On-Premises Deployments
The figures in this article illustrate the reference architectures for an on-premises XenMobile deployment. The deployment scenarios include MDM-only, MAM-only, and MDM+MAM as the core architectures, as well as architectures that add components such as the SNMP Manager, XenMobile NetScaler Connector, XenMobile Mail Manager, and XenApp and XenDesktop. The figures show the minimal components required for XenMobile.
Use this chart as a general guide for your deployment decisions.
In the figures, the numbers on the connectors represent ports that you must open to allow connections between the components. For a complete list of ports, see Port requirements in the XenMobile documentation.
Core MDM-Only Reference Architecture
Deploy this architecture if you plan to use only the MDM features of XenMobile. For example, you need to manage corporate-issued devices through MDM in order to deploy device policies and apps, retrieve asset inventories, and carry out actions on devices, such as a device wipe.
Core MAM-Only Reference Architecture
Deploy this architecture if you plan to use only the MAM features of XenMobile, without having devices enroll for MDM. For example, you want to secure apps and data on BYO mobile devices, and you want to deliver enterprise mobile apps and be able to lock apps and wipe their data. The devices cannot be MDM enrolled.
Core MAM+MDM Reference Architecture
Deploy this architecture if you plan to use the MDM+MAM features of XenMobile. For example, you want to manage corporate-issued devices through MDM: deploy device policies and apps, retrieve an asset inventory, and be able to wipe devices. You also want to deliver enterprise mobile apps and be able to lock apps and wipe their data on devices.
Reference Architecture with SNMP
Deploy this architecture if you plan to enable SNMP monitoring with XenMobile. For example, you want to allow monitoring systems to query and obtain information on your XenMobile nodes. For details, see SNMP monitoring.
Reference Architecture with XenMobile NetScaler Connector
Deploy this architecture if you plan to use XenMobile NetScaler Connector with XenMobile. For example, you need to provide secure email access to users who use native mobile email apps. These users will continue accessing email through a native app, or you may transition them over time to Citrix Secure Mail. Access control needs to occur at the network layer, before traffic reaches the Exchange ActiveSync servers. Although the diagram shows XenMobile NetScaler Connector deployed in an MDM+MAM architecture, you can also deploy XenMobile NetScaler Connector in the same manner as part of an MDM-only architecture.
Reference Architecture with XenMobile Mail Manager
Deploy this architecture if you plan to use XenMobile Mail Manager with XenMobile. For example, you want to provide secure email access to users who use native mobile email apps. These users will continue accessing email through a native app, or you may transition them over time to Secure Mail. Access control is enforced on the Exchange ActiveSync servers themselves. Although the diagram shows XenMobile Mail Manager deployed in an MDM+MAM architecture, you can also deploy XenMobile Mail Manager in the same manner as part of an MDM-only architecture.
Reference Architecture with External Certificate Authority
A deployment that includes an external certificate authority is recommended to meet one or more of the following requirements:
- You require user certificates for user authentication to NetScaler Gateway (for intranet access).
- You require Secure Mail users to authenticate to Exchange Server by using a user certificate.
- You need to push certificates issued by your corporate Certificate Authority to mobile devices, for example, for WiFi access.
Although the diagram shows an external Certificate Authority deployed in an MDM+MAM architecture, you can also deploy an external Certificate Authority in the same manner as part of an MDM-only or MAM-only architecture.
Reference Architecture with XenApp and XenDesktop
Deploy this architecture if you plan to integrate XenApp and XenDesktop with XenMobile. For example, you need to provide mobile users with a unified app store for all types of applications (mobile, SaaS, and Windows). Although the diagram shows XenDesktop deployed in an MDM+MAM architecture, you can also deploy XenDesktop in the same manner as part of a MAM-only architecture.
Reference Architecture with XenMobile in the Internal Network
You can deploy an architecture with XenMobile in the internal network to meet one or more of the following requirements:
- You do not have or are not allowed to have a hypervisor in the DMZ.
- Your DMZ can only contain network appliances.
- Your security requirements mandate the use of SSL offload.
Reference Architecture with ShareFile
Deploy this architecture if you want to integrate ShareFile Enterprise, or only StorageZone Connectors, with XenMobile. ShareFile Enterprise integration enables you to meet one or more of the following requirements:
- You need an identity provider (IdP) to give users single sign-on (SSO) to ShareFile.com.
- You need a way to provision accounts into ShareFile.com.
- You have on-premises data repositories that need to be accessed from mobile devices.
An integration with only StorageZone Connectors gives users secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. In this configuration, you don’t need to set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data.
Although the diagram shows ShareFile deployed in an MDM+MAM architecture, you can also deploy ShareFile in the same manner as part of a MAM-only architecture.