Security and User Experience
Security is important to any organization, but you need to achieve a balance between security and user experience. For example, you might have a highly secured environment that is difficult for users to use. Or, your environment might be so user-friendly that access control is not as strict. The other sections in this virtual handbook cover security features in detail. The purpose of this article is to give a general overview of common security concerns and the security options available in XenMobile.
Here are some key considerations to keep in mind for each use case:
- Do you want to secure certain apps, the entire device, or both?
- How do you want your users to authenticate their identity? Do you plan to use LDAP, certificate-based authentication, or a combination of the two?
- How do you want to handle user session time-outs? Keep in mind that there are different time-out values for background services, Citrix ADC, and for being able to access apps while offline.
- Do you want users to set up a device-level passcode, an app-level passcode, or both? How many logon attempts do you want to afford to users? Keep in mind how extra per-app authentication requirements implemented with MAM might impact user experience.
- What other restrictions do you want to place on users? Do you want users to access cloud services such as Siri? What can they do and not do with each app you make available to them? Do you want to deploy corporate Wi-Fi policies to prevent cellular data plans from being consumed while inside office spaces?
App vs. Device
One of the first things to consider is whether to secure only certain apps by using mobile app management (MAM). Or if you also want to manage the entire device by using mobile device management (MDM). Most commonly, if you don’t require device-level control, you only manage mobile apps, especially if your organization supports Bring Your Own Device (BYOD).
Users with devices that XenMobile doesn’t manage can install apps through the app store. Instead of device-level controls, such as selective or full wipe, you control access to the apps through app policies. The policies, depending on the values you set, require the device to check XenMobile routinely to confirm that the apps are still allowed to run.
MDM allows you to secure an entire device, including the ability to take inventory of all the software on a device. You can prevent enrollment if the device is jailbroken, rooted, or has unsafe software installed. Taking this level of control, however, makes users leery of allowing that much power over their personal devices and might reduce enrollment rates.
Authentication is where a great deal of the user experience takes place. If your organization is already running Active Directory, using Active Directory is the simplest way to have your users access the system.
Another significant part of the authentication user experience is time-outs. A high security environment can have users log on every time they access the system, but that option isn’t ideal for all organizations. For example, having users enter their credentials every time they want to access their email can significantly impact user experience.
For added security, you can enable a feature called user entropy. Citrix Secure Hub and some other apps often share common data like passwords, PINs, and certificates to ensure everything functions properly. This information is stored in a generic vault within Secure Hub. If you enable user entropy through the Encrypt Secrets option, XenMobile creates a new vault called UserEntropy. XenMobile moves the information from the generic vault into the new vault. For Secure Hub or another app to access the data, users must enter a password or PIN.
Enabling user entropy adds another layer of authentication in several places. As a result, users must enter a password or PIN each time an app requires access to shared data, including certificates, in the UserEntropy vault.
Both MDX and MDM policies give a great deal of flexibility to organizations, but they can also restrict users. For instance, you might want to block access to cloud applications, such as Siri or iCloud, that have the potential to send sensitive data to various locations. You can set up a policy to block access to these services, but keep in mind that such a policy can have unintended consequences. The iOS keyboard mic is also reliant on cloud access and you might block access to that feature as well.
Enterprise Mobility Management (EMM) segments into Mobile Device Management (MDM) and Mobile Application Management (MAM). While MDM enables organizations to secure and control mobile devices, MAM facilitates application delivery and management. With the increasing adoption of BYOD, you can typically implement a MAM solution to assist with application delivery, software licensing, configuration, and application life cycle management.
With XenMobile, you can go a step further to secure these apps by configuring specific MAM policies and VPN settings to prevent data leak and other security threats. XenMobile provides organizations with the flexibility to deploy any of the following solutions:
- MAM-only environment
- MDM-only environment
- Unified XenMobile Enterprise environment that provides both MDM and MAM functionality in the same platform
In addition to the ability to deliver apps to mobile devices, XenMobile offers app containerization through MDX technology. MDX secures apps through encryption that is separate from device level encryption provided by the platform. You can wipe or lock the app, and the apps are subject to granular policy-based controls. Independent software vendors (ISVs) can apply these controls using the Mobile Apps SDK.
In a corporate environment, users use various mobile apps to aid in their job role. The apps can include apps from the public app store, in-house developed apps, and native apps. XenMobile categorizes these apps as follows:
Public apps: These apps include free or paid apps available in a public app store, such as the Apple App Store or Google Play. Vendors outside of the organization often make their apps available in public app stores. This option lets their customers download the apps directly from the Internet. You might use numerous public apps in your organization depending on users’ needs. Examples of such apps include GoToMeeting, Salesforce, and EpicCare apps.
Citrix does not support downloading app binaries directly from public app stores, then wrapping them with the MDX Toolkit for enterprise distribution. To MDX-enable third-party applications, contact your app vendor to obtain the app binaries. You can wrap the binaries by using the MDX Toolkit or integrate the MAM SDK with the binaries.
In-house apps: Many organizations have in-house developers who create apps that provide specific functionality and are independently developed and distributed within the organization. In certain cases, some organizations might also have apps that ISVs provide. You can deploy such apps as native apps or you can containerize the apps by using a MAM solution, such as XenMobile. For example, a healthcare organization can create an in-house app that allows physicians to view patient information on mobile devices. An organization can then MAM SDK enable or MDM-wrap the app to secure patient information and enable VPN access to the back-end patient database server.
Web and SaaS apps: These apps include apps accessed from an internal network (web apps) or over a public network (SaaS). XenMobile also allows you to create custom web and SaaS apps using a list of app connectors. These app connectors can facilitate single sign-on (SSO) to existing Web apps. For details, see App connector types. For example, you can use Google Apps SAML for SSO based on Security Assertion Markup Language (SAML) to Google Apps.
Mobile productivity apps: Citrix-developed apps that are included with the XenMobile license. For details, see About mobile productivity apps. Citrix also offers other business-ready apps that ISVs develop by using the Mobile Apps SDK.
HDX apps: Windows-hosted apps that you publish with StoreFront. If you have a Citrix Virtual Apps and Desktops environment, you can integrate the apps with XenMobile to make the apps available to the enrolled users.
Depending on the type of mobile apps you plan to deploy and manage with XenMobile, the underlying configuration and architecture differ. For example, if multiple groups of users with different permission levels consume a single app, you might need separate delivery groups to deploy two versions of the app. In addition, you must make sure the user group membership is mutually exclusive to avoid policy mismatches on user devices.
You might also want to manage iOS application licensing by using Apple volume purchase. This option will require you to register for Apple volume purchase and configure XenMobile volume purchase settings in the XenMobile console to distribute the apps with the volume purchase licenses. A variety of such use cases makes it important to assess and plan your MAM strategy prior to implementing the XenMobile environment. You can start planning your MAM strategy by defining the following:
Types of apps: List the different types of apps you plan to support and then categorize them. For example: public, native, mobile productivity apps, Web, in-house, ISV apps, and so on. Also, categorize the apps for different device platforms, such as iOS and Android. This categorization helps you align the XenMobile settings that are required for each type of app. For example, certain apps might not qualify for wrapping, or might require the Mobile Apps SDK to enable special APIs for interaction with other apps.
Network requirements: Configure apps with specific network access requirements with the appropriate settings. For example, certain apps might need access to your internal network through VPN. Some apps might require Internet access to route access via the DMZ. To allow such apps to connect to the required network, you have to configure various settings accordingly. Defining per-app network requirements help in finalizing your architectural decisions early on, which streamlines the overall implementation process.
Security requirements: It’s critical to define the security requirements that apply to either individual apps or all the apps. That planning ensures that you create the right configurations when you install the XenMobile Server. Although settings, such as the MDX policies, apply to individual apps, the session and authentication settings apply across all apps. Some apps might have specific encryption, containerization, wrapping, encryption, authentication, geofencing, passcode, or data sharing requirements that you can outline in advance to simplify your deployment.
Deployment requirements: You might want to use a policy-based deployment to allow only compliant users to download the published apps. For example, you might want certain apps to require any of the following:
- device platform-based encryption is enabled
- the device is managed
- the device meets a minimum operating system version
- certain apps are available only to corporate users
You might also want certain apps available only to corporate users. Outline such requirements in advance so that you can configure the appropriate deployment rules or actions.
Licensing requirements: Keep a record of app-related licensing requirements. These notes help you to manage license usage effectively and to decide whether to configure specific features in XenMobile to facilitate licensing. For example, if you deploy a free or paid iOS app, Apple enforces licensing requirements on the app by requiring users to sign in to their iTunes account. You can register for Apple volume purchase to distribute and manage these apps via XenMobile. Volume purchase allows users to download the apps without having to sign into their iTunes account. Also, tools, such as Samsung SAFE and Samsung Knox, have special licensing requirements, which you need to complete before deploying those features.
Allow list and block list requirements: You likely want to prevent users from installing or using some apps. Create an allow list of apps that make a device out of compliance. Then, set up policies to trigger when a device becomes non-compliant. On the other hand, an app might be acceptable for use but might fall under the block list for some reason. In that case, you can add the app to an allow list and indicate that the app is acceptable to use, but isn’t required. Also, keep in mind that the apps pre-installed on new devices can include some commonly used apps that are not part of the operating system. Those apps might conflict with your block list strategy.
A healthcare organization plans to deploy XenMobile to serve as a MAM solution for their mobile apps. Mobile apps are delivered to corporate and BYOD users. IT decides to deliver and manage the following apps:
- Mobile productivity apps: iOS and Android apps provided by Citrix.
- Secure Mail: Email, calendar, and contact app.
- Secure Web: Secure web browser that provides access to the Internet and intranet sites.
- Citrix Files: App to access shared data and to share, sync, and edit files.
- Secure Hub: Client used by all mobile devices to communicate with XenMobile. IT pushes security settings, configurations, and mobile apps to mobile devices via the Secure Hub client. Android and iOS devices enroll in XenMobile through Secure Hub.
- Citrix Receiver: Mobile app that allows users to open applications hosted by Virtual Apps and Desktops on mobile devices.
- GoToMeeting: An online meeting, desktop sharing, and video conferencing client that lets users meet with other computer users, customers, clients, or colleagues via the Internet in real time.
- Salesforce1: Salesforce1 lets users access Salesforce from mobile devices and brings all Chatter, CRM, custom apps, and business processes together in a unified experience for any Salesforce user.
- RSA SecurID: Software-based token for two-factor authentication.
EpicCare apps: These apps give healthcare practitioners secure and portable access to patient charts, patient lists, schedules, and messaging.
- Haiku: Mobile app for the iPhone and Android phones.
- Canto: Mobile app for the iPad
- Rover: Mobile apps for iPhone and iPad.
HDX: These apps are delivered via Citrix Virtual Apps and Desktops.
- Epic Hyperspace: Epic client application for electronic health record management.
- Vocera: HIPAA compliant voice-over IP and messaging mobile app that extends the benefits of Vocera voice technology anytime, anywhere via iPhone and Android smartphones.
- HCMail: App that helps compose encrypted messages, search address books on internal mail servers, and send the encrypted messages to the contacts using an email client.
- PatientRounding: Web application used to record patient health information by different departments.
- Outlook Web Access: Allows the access of email via a web browser.
- SharePoint: Used for organization-wide file and data sharing.
The following table lists the basic information required for MAM configuration.
|App Name||App Type||MDX Wrapping||iOS||Android|
|Secure Mail||XenMobile App||No for version 10.4.1 and later||Yes||Yes|
|Secure Web||XenMobile App||No for version 10.4.1 and later||Yes||Yes|
|Citrix Files||XenMobile App||No for version 10.4.1 and later||Yes||Yes|
|Secure Hub||Public App||NA||Yes||Yes|
|Citrix Receiver||Public App||NA||Yes||Yes|
|RSA SecurID||Public App||NA||Yes||Yes|
|Epic Haiku||Public App||NA||Yes||Yes|
|Epic Canto||Public App||NA||Yes||No|
|Epic Rover||Public App||NA||Yes||No|
|Epic Hyperspace||HDX App||NA||Yes||Yes|
|Outlook Web Access||Web App||NA||Yes||Yes|
The following tables list specific requirements you can consult when configuring MAM policies in XenMobile.
|App Name||VPN Required||Interaction||Interaction||Device Platform-Based Encryption|
|(with apps outside of container)||(from apps outside of container)|
|Secure Mail||Y||Selectively Allowed||Allowed||Not required|
|Secure Web||Y||Allowed||Allowed||Not required|
|Citrix Files||Y||Allowed||Allowed||Not required|
|Outlook Web Access||Y||N/A||N/A||Not required|
|App Name||Proxy Filtering||Licensing||Geo-fencing||Mobile Apps SDK||Minimum Operating System Version|
|Secure Mail||Required||N/A||Selectively Required||N/A||Enforced|
|Secure Web||Required||N/A||Not required||N/A||Enforced|
|Citrix Files||Required||N/A||Not required||N/A||Enforced|
|Secure Hub||Not required||Volume purchase||Not required||N/A||Not enforced|
|Citrix Receiver||Not required||Volume purchase||Not required||N/A||Not enforced|
|GoToMeeting||Not required||Volume purchase||Not required||N/A||Not enforced|
|Salesforce1||Not required||Volume purchase||Not required||N/A||Not enforced|
|RSA SecurID||Not required||Volume purchase||Not required||N/A||Not enforced|
|Epic Haiku||Not required||Volume purchase||Not required||N/A||Not enforced|
|Epic Canto||Not required||Volume purchase||Not required||N/A||Not enforced|
|Epic Rover||Not required||Volume purchase||Not required||N/A||Not enforced|
|Epic Hyperspace||Not required||N/A||Not required||N/A||Not enforced|
|PatientRound-ing||Required||N/A||Not required||N/A||Not enforced|
|Outlook Web Access||Required||N/A||Not required||N/A||Not enforced|
|SharePoint||Required||N/A||Not required||N/A||Not enforced|
Every organization consists of diverse user communities that operate in different functional roles. These user communities perform different tasks and office functions using various resources that you provide through the users’ mobile devices. Users might work from home or in remote offices using mobile devices that you provide. Or, users might use their personal mobile devices, which allows them to access tools that are subject to certain security compliance rules.
As more user communities use mobile devices, Enterprise Mobility Management (EMM) becomes critical to prevent data leaks and to enforce security restrictions. For efficient and more sophisticated mobile device management, you can categorize your user communities. Doing so simplifies the mapping of users to resources and ensures that the right security policies apply to the right users.
The following example illustrates how the user communities of a healthcare organization are classified for EMM.
This example healthcare organization provides technology resources and access to multiple users, including network and affiliate employees and volunteers. The organization has chosen to roll out the EMM solution to non-executive users only.
User roles and functions for this organization can be broken into subgroups including: clinical, non-clinical, and contractors. A selected set of users receives corporate mobile devices, while others can access limited company resources from their personal devices. To enforce the right level of security restrictions and prevent data leaks, the organization decided that corporate IT manages each enrolled device, either corporate-issued or BYOD. Also, users can only enroll a single device.
The following section provides an overview of the roles and functions of each subgroup:
- Physicians (Doctors, Surgeons, and so on)
- Specialists (Dieticians, anesthesiologists, radiologists, cardiologists, oncologists, and so on)
- Outside physicians (Non-employee physicians and office workers that work from remote offices)
- Home Health Services (Office and mobile workers performing physician services for patient home visits)
- Research Specialist (Knowledge Workers and Power Users at six Research Institutes performing clinical research to find answers to issues in medicine)
- Education and Training (Nurses, physicians, and specialists in education and training)
- Shared Services (Office workers performing various back office functions including: HR, Payroll, Accounts Payable, Supply Chain Service, and so on)
- Physician Services (Office workers performing various healthcare management, administrative services, and business process solutions to providers, including: Administrative Services, Analytics and Business Intelligence, Business Systems, Client Services, Finance, Managed Care Administration, Patient Access Solutions, Revenue Cycle Solutions, and so on)
- Support Services (Office workers performing various non-clinical functions including: Benefits Administration, Clinical Integration, Communications, Compensation & Performance Management, Facility & Property Services, HR Technology Systems, Information Services, Internal Audit & Process Improvement, and so o.)
- Philanthropic Programs (Office and mobile workers that perform various functions in support of philanthropic programs)
- Manufacturer and vendor partners (Onsite and remotely connected via site-to-site VPN providing various non-clinical support functions)
Based on the preceding information, the organization created the following entities. For more information about delivery groups in XenMobile, see Deploy resources.
For OU = XenMobile Resources:
- OU = Clinical; Groups =
- XM-Outside Physicians
- XM-Home Health Services
- XM-Research Specialist
- XM-Education and Training
- OU = Non-Clinical; Groups =
- XM-Shared Services
- XM-Physician Services
- XM-Support Services
- XM-Philanthropic Programs
For Group= Contractors, Users =
- Vendor 3
- … Vendor 10
- Clinical-Outside Physicians
- Clinical-Home Health Services
- Clinical-Research Specialist
- Clinical-Education and Training
- Non-Clinical-Shared Services
- Non-Clinical-Physician Services
- Non-Clinical-Support Services
- Non-Clinical-Philanthropic Programs
|Active Directory Groups||XenMobile Delivery Groups|
|XM-Outside Physicians||Clinical-Outside Physicians|
|XM-Home Health Services||Clinical-Home Health Services|
|XM-Research Specialist||Clinical-Research Specialist|
|XM-Education and Training||Clinical-Education and Training|
|XM-Shared Services||Non-Clinical-Shared Services|
|XM-Physician Services||Non-Clinical-Physician Services|
|XM-Support Services||Non-Clinical-Support Services|
|XM-Philanthropic Programs||Non-Clinical-Philanthropic Programs|
The following tables illustrate the resources assigned to each delivery group in this use case. The first table shows the mobile app assignments. The second table shows the public app, HDX apps, and device management resources.
|XenMobile Delivery Groups||Citrix Mobile Apps||Public Mobile Apps||HDX Mobile Apps|
|Clinical-Home Health Services||X|
|Clinical-Education and Training||X||X|
|XenMobile Delivery Groups||Public App: RSA SecurID||Public App: EpicCare Haiku||HDX App: Epic Hyperspace||Passcode Policy||Device Restrictions||Automated Actions||WiFi Policy|
|Clinical-Home Health Services|
|Clinical-Education and Training||X||X|
- XenMobile creates a default delivery group named All Users during the initial configuration. If you do not disable this Delivery Group, all Active Directory users have rights to enroll into XenMobile.
- XenMobile synchronizes Active Directory users and groups on demand using a dynamic connection to the LDAP server.
- If a user is part of a group that is not mapped in XenMobile, that user cannot enroll. Likewise, if a user is a member of multiple groups, XenMobile categorizes the user as only in the groups mapped to XenMobile.
- To make MDM enrollment mandatory, you must set the Enrollment Required option to True in Server Properties in the XenMobile console. For details, see Server Properties.
- You can delete a user group from a XenMobile delivery group by deleting the entry in the SQL Server database, under dbo.userlistgrps. Caution: Before you perform this action, create a backup of XenMobile and the database.
About Device Ownership in XenMobile
You can group users according to the owner of a users’ device. Device ownership includes corporate-owned devices and user-owned devices, also known as bring your own device (BYOD). You can control how BYOD devices connect to your network in two places in the XenMobile console: in the deployment rules for each resource type and through server properties on the Settings page. For details about deployment rules, see Configuring Deployment Rules in the XenMobile documentation. For details about server properties, see Server Properties.
You can require all BYOD users to accept corporate management of their devices before they can access apps. Or, you can give users access to corporate apps without also managing their devices.
When you set the server setting wsapi.mdm.required.flag to true, XenMobile manages all BYOD devices, and any user who declines enrollment is denied access to apps. Consider setting wsapi.mdm.required.flag to true in environments in which enterprise IT teams need high security along with a positive user experience when enrolling user devices in XenMobile.
If you leave wsapi.mdm.required.flag as false, which is the default setting, users can decline enrollment, but might still access apps on their devices through the XenMobile Store. Consider setting wsapi.mdm.required.flag to false in environments in which privacy, legal, or regulatory constraints require no device management, only enterprise app management.
Users with devices that XenMobile doesn’t manage can install apps through the XenMobile Store. Instead of device-level controls, such as selective or full wipe, you control access to the apps through app policies. The policies, depending on the values you set, require the device to check the XenMobile Server routinely to confirm that the apps are still allowed to run.
The number of security considerations when deploying a XenMobile environment can quickly become overwhelming. There are many interlocking pieces and settings. To help you get started and choose an acceptable level of protection, Citrix provides recommendations for High, Higher, and Highest Security, outlined in the following table.
Your deployment mode choice involves more than just security concerns. It is important to also review the requirements of the use case and decide if you can mitigate security concerns before choosing your deployment mode.
High: Using these settings provides an optimal user experience while maintaining a basic level of security acceptable to most organizations.
Higher: These settings create a stronger balance between security and usability.
Highest: Following these recommendations provides a high level of security at the cost of usability and user adoption.
The following table specifies the deployment modes for each security level.
|High Security||Higher Security||Highest Security|
|MAM or MDM||MDM+MAM||MDM+MAM; plus FIPS|
- Depending on the use case, a MDM-only or MAM-only deployment can meet security requirements and provide a good user experience.
- If you don’t need app containerization, micro VPN, or app specific policies, MDM is sufficient to manage and secure devices.
- For use cases like BYOD in which app containerization alone can satisfy all business and security requirements, Citrix recommends MAM-only mode.
- For high security environments (and corporate issued devices), Citrix recommends MDM+MAM to take advantage of all security capabilities available. Be sure to enforce MDM enrollment.
- FIPS options for environments with the highest security needs, such as the federal government.
If you enable FIPS mode, you must configure SQL Server to encrypt SQL traffic.
The following table specifies the Citrix ADC and Citrix Gateway recommendations for each security level.
|High Security||Higher Security||Highest Security|
|Citrix ADC is recommended. Citrix Gateway is required for MAM and ENT; recommended for MDM||Standard Citrix ADC for XenMobile wizard configuration with SSL bridge if XenMobile is in the DMZ. Or SSL offload if necessary to meet security standards when the XenMobile Server is in the internal network.||SSL Offload with end-to-end encryption|
- Exposing the XenMobile Server to the Internet through NAT or existing third-party proxies and load-balancers can be an option for MDM. However, that setup requires that the SSL traffic terminates on the XenMobile Server, which poses a potential security risk.
- For high security environments, Citrix ADC with the default XenMobile configuration typically meets or exceeds security requirements.
- For MDM environments with the highest security needs, SSL termination at the Citrix ADC enables traffic inspection at the perimeter and maintains end-to-end SSL encryption.
- Options to define SSL/TLS ciphers.
- SSL FIPS Citrix ADC hardware is also available.
- For more information, see Integrating with Citrix Gateway and Citrix ADC.
The following table specifies the Citrix ADC and Citrix Gateway recommendations for each security level.
|High Security||Higher Security||Highest Security|
|Active Directory Group membership only. All users Delivery Group disabled.||Invitation only enrollment security mode. Active Directory Group membership only. All users Delivery Group disabled||Enrollment security mode tied to Device ID. Active Directory Group membership only. All users Delivery Group disabled|
- Citrix generally recommends that you restrict enrollment to users in predefined Active Directory groups only. That setup requires disabling the built-in All users Delivery Group.
- You can use enrollment invitations to restrict enrollment to users with an invitation. Enrollment invitations aren’t available for Windows devices.
- You can use one-time PIN (OTP) enrollment invitations as a two-factor authentication solution and to control the number of devices a user can enroll. OTP invitations aren’t available for Windows devices.
The following table specifies the device passcode recommendations for each security level.
|High Security||Higher Security||Highest Security|
|Recommended. High security is required for device-level encryption. Enforced by using MDM. You can set high security as required for MAM-only by using the MDX policy, Non-compliant device behavior.||Enforced by using MDM, an MDX policy, or both.||Enforced by using MDM and MDX policy. MDM Complex passcode policy.|
- Citrix recommends the use of a device passcode.
- You can enforce a device passcode via an MDM policy.
- You can use an MDX policy to make a device passcode a requirement for using managed apps. For example, for BYOD use cases.
- Citrix recommends combining the MDM and MDX policy options for increased security in MDM+MAM environments.
- For environments with the highest security requirements, you can configure complex passcode policies and enforced them with MDM. You can configure automatic actions to notify administrators or issue selective/full device wipes when a device doesn’t comply with a passcode policy.