About XenMobile Service
You choose a XenMobile Service offering based on whether you need Mobile Device Management (MDM), Mobile App Management (MAM), or both.
For example, if you use only the MDM features of XenMobile, you can:
- Deploy device policies and apps.
- Retrieve asset inventories.
- Carry out actions on devices, such as a device wipe.
If you use only the MAM features of XenMobile, you can:
- Secure apps and data on BYO mobile devices.
- Deliver enterprise mobile apps.
- Lock apps and wipe their data.
If you use both the MDM and MAM features, you can:
- Manage a corporate-issued device by using MDM.
- Deploy device policies and apps.
- Retrieve an asset inventory.
- Wipe devices.
- Deliver enterprise mobile apps.
- Lock apps and wipe the data on devices.
For more information about XenMobile Service offerings, see this data sheet.
The device and app management requirements of your organization determine the XenMobile components in your XenMobile architecture. The components of XenMobile are modular and build on each other. For example, your deployment includes NetScaler Gateway to give users remote access to mobile apps and to track user device types. XenMobile is where you manage apps and devices, and NetScaler Gateway enables users to connect to your network.
The following diagram shows a general architectural overview of a XenMobile Service cloud deployment and its integration with your data center.
The following subsections contain reference architecture diagrams for the core XenMobile Service and for optional components such as an external Certificate Authority and XenMobile Mail Manager.
For more information about NetScaler and NetScaler Gateway requirements, see the Citrix product documentation at docs.citrix.com.
Core reference architecture
For details about port requirements, see System requirements.
Reference architecture with an external Certificate Authority
Reference architecture with XenApp and XenDesktop
Reference architecture with XenMobile Mail Manager
Reference architecture with XenMobile NetScaler Connector
Place resource locations where they best meet your business needs, for example in a public cloud, in a branch office, in a private cloud, or in a data center. Factors that determine the choice of location include:
- Proximity to subscribers
- Proximity to data
- Scale requirements
- Security attributes
You can build any number of resource locations. For example, you might:
- Build a resource location in your data center for the head office, based on subscribers and applications that require proximity to the data.
- Add a separate resource location for your global users in a public cloud. Alternatively, build separate resource locations in branch offices to provide the applications best served close to the branch workers.
- Add a further resource location on a separate network that provides restricted applications. This setup provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.
Citrix uses Cloud Connector to integrate the XenMobile Service architecture into your existing infrastructure. Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Cloud Connector supports all XenMobile authentication types.
The following diagram shows the traffic flow for Cloud Connector.
Cloud Connector establishes connections to Citrix Cloud. Cloud Connector doesn’t accept incoming connections.
A solution that includes Mobile App Management (MAM) requires a micro VPN that is provided by an on-premises NetScaler Gateway. Cloud Connector, NetScaler Gateway, and your servers for Exchange, web apps, Active Directory, and PKI reside in your data center. Mobile devices communicate with XenMobile Service and your on-premises NetScaler Gateway.
XenMobile console. You use the XenMobile administrator console to configure XenMobile Service. For details about using the XenMobile console, see the articles under XenMobile Service. Citrix notifies you when the What’s new articles for XenMobile Service are updated for a new release.
Note these differences between XenMobile Service and the on-premises releases:
- The Remote Support client is not available for XenMobile Service.
- XenMobile Service server-side components are not FIPS 140-2 compliant.
- Citrix does not support syslog integration in XenMobile Service with an on-premises syslog server. Instead, you can download the logs from the Support page in the XenMobile console. When doing so, you must click Download All.
MDX Service. The XenMobile MDX Service securely wraps mobile apps created within your organization or outside the company. For more information, see XenMobile MDX Service.
XenMobile Secure Apps. Citrix-developed XenMobile Apps provide a suite of productivity and communication tools within the XenMobile environment. Your company policies secure those apps. For more information, see XenMobile Apps.
XenMobile Mail Manager. XenMobile Mail Manager provides secure email access to users who use native mobile email apps. XenMobile Mail Manager provides ActiveSync filtering at the Exchange service level. As a result, filtering only occurs once the mail reaches the Exchange service, rather than when it enters the XenMobile environment. XenMobile Mail Manager doesn’t require the use of NetScaler. You can deploy XenMobile Mail Manager without changing routing for the existing ActiveSync traffic. For more information, see XenMobile Mail Manager.
XenMobile NetScaler Connector. XenMobile NetScaler Connector provides secure email access to users who use native mobile email apps. XenMobile NetScaler Connector provides ActiveSync filtering at the perimeter, by using NetScaler as a proxy for ActiveSync traffic. As a result, the filtering component sits in the path of mail traffic flow, intercepting mail as it enters or leaves the environment. XenMobile NetScaler Connector acts as an intermediary between NetScaler and the XenMobile server. For more information, see XenMobile NetScaler Connector.
Citrix Cloud manages the control plane for XenMobile environments, including the XenMobile server, NetScaler load balancer, and a single-tenant database. The cloud service integrates with a customer data center using Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage NetScaler Gateway in their data centers.
The following figure illustrates the service and its security boundaries.
The information in this section:
- Provides an introduction to the security functionality of Citrix Cloud.
- Defines the division of responsibility between Citrix and customers for securing the Citrix Cloud deployment.
- Is not intended to serve as configuration and administration guidance for Citrix Cloud or any of its components or services.
The control plane has limited read access to user and group objects from a customer directory and to other services such as DNS. The control plane accesses those services through Citrix Cloud Connector, which uses secure HTTPS connections.
Company data, such as email, intranet, and web-app traffic, flows directly between a device and the application servers over NetScaler Gateway. NetScaler Gateway is deployed in the customer data center.
The control plane stores metadata needed for managing user devices and their mobile applications. The service itself consists of a mix of multi- and single-tenant components. However, per the service architecture, customer metadata is always stored separately for each tenant and secured by using unique credentials.
The service handles the following types of credentials:
- User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The control plane validates these credentials against the customer directory over a secure connection.
- Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This process generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the service.
- Active Directory credentials: The control plane requires bind credentials to read user metadata from Active Directory. These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.
Citrix recommends that you consult the published best practices documentation for deploying NetScaler Gateway within your environments.
See the following resources for more security information:
- Citrix Security Site: http://www.citrix.com/security
- Citrix Cloud Documentation: Secure Deployment Guide for the Citrix Cloud Platform
- Secure Deployment Guide for NetScaler