NetScaler Gateway and XenMobile
When you configure NetScaler Gateway using XenMobile, you establish the authentication mechanism for remote device access to the internal network. This functionality enables apps on a mobile device to access corporate servers located in the intranet. XenMobile creates a micro VPN from the apps on the device to NetScaler Gateway.
You configure NetScaler Gateway for use with XenMobile Server by exporting a script from XenMobile that you run on NetScaler Gateway.
Prerequisites for using the script:
- NetScaler (minimum version 11.0, Build 70.12).
- NetScaler IP address is configured and has connectivity to the LDAP server, unless LDAP is load balanced.
- NetScaler Subnet (SNIP) IP address is configured, has connectivity to the necessary back-end servers, and has public network access over port 8443/TCP.
- DNS can resolve public domains.
- NetScaler is licensed with Platform/Universal or Trial licenses. For information, see https://support.citrix.com/article/CTX126049.
- A NetScaler Gateway SSL certificate is uploaded and installed on the NetScaler. For information, see https://support.citrix.com/article/CTX136023.
- XenMobile Server (minimum version 10.6).
- LDAP server is configured.
In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.
Under Server, click NetScaler Gateway. The NetScaler Gateway page appears. In the following example, a NetScaler Gateway instance exists.
Configure these settings:
- Authentication: Select whether to enable authentication. The default is ON.
- Deliver user certificate for authentication: Select whether you want XenMobile to share the authentication certificate with Secure Hub so that the NetScaler Gateway handles client certificate authentication. The default is OFF.
- Credential Provider: In the list, click the credential provider to use. For more information, see Credential providers.
After you save the authentication settings, you add a NetScaler Gateway instance to XenMobile.
In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page opens.
Under Server, click NetScaler Gateway. The NetScaler Gateway page appears.
Click Add. The Add New NetScaler Gateway page appears.
Configure these settings:
- Name: Type a name for the NetScaler Gateway instance.
- Alias: Optionally include an alias name for the NetScaler Gateway.
- External URL: Type the publicly accessible URL for NetScaler Gateway. For example,
- Logon Type: Choose a logon type. Types include Domain only, Security token only, Domain and security token, Certificate, Certificate and domain, and Certificate and security token. The default setting for the Password Required field changes based on the Logon Type you select. The default is Domain only.
If you have multiple domains, use Certificate and domain.
If you use Certificate and security token, some additional configuration is required on NetScaler Gateway to support Secure Hub. For information, see Configuring XenMobile for Certificate and Security Token Authentication.
For more information, see Authentication in the Deployment Handbook.
- Password Required: Select whether you want to require password authentication. The default varies based on the Logon Type chosen.
- Set as Default: Select whether to use this NetScaler Gateway as the default. The default is OFF.
- Export Configuration Script: Click the button to export a configuration bundle that you upload to NetScaler Gateway to configure it with XenMobile settings. For information, see “Configure an on-premises NetScaler Gateway for use with XenMobile Server” after these steps.
- Callback URL and Virtual IP: Save your settings before adding these fields. For information, see Add a callback URL and NetScaler Gateway VPN virtual IP in this article.
The new NetScaler Gateway is added and appears in the table. To edit or delete an instance, click the name in the list.
To configure an on-premises NetScaler Gateway for use with XenMobile Server, you perform the following general steps, detailed in this article:
Download a script and related files from XenMobile Server. See the readme file provided with the script for the latest detailed instructions.
Verify that your environment meets the prerequisites.
Update the script for your environment.
Run the script on NetScaler.
Test the configuration.
The script configures these NetScaler Gateway settings required by XenMobile:
- NetScaler Gateway virtual servers needed for MDM and MAM
- Session policies for the NetScaler Gateway virtual servers
- XenMobile Server details
- Authentication Policies and Actions for the NSG virtual server. The script describes the LDAP configuration settings.
- Traffic actions and policies for the proxy server
- Clientless access profile
- Static local DNS record on NetScaler
- Other bindings: Service policy, CA certificate
The script doesn’t handle the following configuration:
- Exchange load balancing
- ShareFile load balancing
- ICA Proxy configuration
- SSL Offload
To download, update, and run the script
If you’re adding a NetScaler Gateway, click Export Configuration Script on the Add New NetScaler Gateway page.
Or, if you add a NetScaler Gateway instance and click Save before you export the script: Return to Settings > NetScaler Gateway, select the NetScaler, click Export Configuration Script, and then click Download.
After you click Export Configuration Script, XenMobile creates a .tar.gz script bundle. The script bundle includes:
- Readme file with detailed instructions
- Script that contains the NetScaler CLI commands used to configure the required components in NetScaler
- Public Root CA certificate and the Intermediate CA certificate of XenMobile Server (these certificates, for SSL offload, are not needed for the current release)
- Script that contains the NetScaler CLI commands used to remove the NetScaler configuration
Edit the script (NSGConfigBundle_CREATESCRIPT.txt) to replace all placeholders with details from your environment.
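Before running the edited script, a check such as the following confirms that no placeholder was left in it. This is an added example, not part of the Citrix script bundle: it assumes placeholders use the <...> style seen in the nscli command on this page and that the batch file should keep LF line endings, and the sample lines and placeholder names in it are constructed.

```shell
# Added example, not part of the Citrix bundle: pre-flight check for the edited
# NSGConfigBundle_CREATESCRIPT.txt. Assumption: placeholders are <...> tokens.

# Print "LINE:<placeholder>" for every <...> token still present in file $1.
list_placeholders() {
    grep -n -o '<[A-Za-z][^<>]*>' "$1" || true
}

# Print how many lines of file $1 end in CR (assumption: LF endings expected).
count_crlf() {
    cr=$(printf '\r')
    grep -c "${cr}\$" "$1" || true
}

# Return 0 if file $1 is ready, 1 if findings were printed, 2 if missing or empty.
preflight() {
    f=$1; result=0
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty"
        return 2
    fi
    found=$(list_placeholders "$f")
    if [ -n "$found" ]; then
        echo "FAIL: unreplaced placeholders (line:token):"
        printf '%s\n' "$found" | sed 's/^/  /'
        result=1
    fi
    n=$(count_crlf "$f")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n line(s) end in CR; convert the file to LF endings"
        result=1
    fi
    [ "$result" -eq 0 ] && echo "OK: $f has no placeholders left"
    return "$result"
}

# Constructed sample: line 2 still holds two hypothetical placeholders.
make_sample() {
    cat > "$1" <<'EOF'
add dns addRec xms.example.com 192.0.2.10
add authentication ldapAction ldap_act -serverIP <LDAP Server IP> -ldapBase "<LDAP Base DN>"
bind vpn vserver nsg_vs -policy ldap_pol -priority 100
EOF
}

sample=${TMPDIR:-/tmp}/nsg_sample.$$; make_sample "$sample"
preflight "$sample" || echo "Fix the findings above before running nscli."
rm -f "$sample"
```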
Run your edited script in the NetScaler bash shell, as described in the readme file included in the script bundle. For example:
/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/NSGConfigBundle_CREATESCRIPT.txt"
When the script completes, the following lines appear.
Test the configuration
Validate that the NetScaler Gateway Virtual Server shows a state of UP.
Validate that the Proxy Load Balancing Virtual Server shows a state of UP.
Open a web browser, connect to the NetScaler Gateway URL, and attempt to authenticate. If the authentication fails, this message appears: HTTP Status 404 - Not Found
Enroll a device and ensure it gets both MDM and MAM enrollment.
After adding the NetScaler Gateway instance, you can add a callback URL and specify a NetScaler Gateway virtual IP address. These settings are optional, but can be configured for extra security, especially when the XenMobile Server is in the DMZ.
In Settings > NetScaler Gateway, select the NetScaler Gateway and then click Edit.
In the table, click Add.
For Callback URL, type the fully qualified domain name (FQDN). The callback URL verifies that a request originated from NetScaler Gateway.
Ensure that the callback URL resolves to an IP address that is reachable from XenMobile Server. The callback URL can be an external NetScaler Gateway URL or some other URL.
Type the NetScaler Gateway Virtual IP address and then click Save.