Product Documentation

Onboarding and resource setup

To sign up for a Citrix account and request a XenMobile Service trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears. Next to XenMobile Service, click Request Trial.

Image of Cloud configuration screen

The button then changes to Trial Requested. After you request a trial, a Citrix Sales Engineer follows up on the trial request by completing a Podio form. The information that you must provide is included in the Onboarding Handbook under “XenMobile Service Trial Sales Engineer engagement.” You receive an email to notify you when your trial becomes available.

While waiting for the trial, be sure to prepare for your XenMobile Service deployment by reviewing System requirements. Although Citrix hosts and delivers your XenMobile Service solution, some communication and port requirements are required. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for XenMobile Service changes to Manage, which opens a wizard. Follow the instructions in that wizard to configure your connection to XenMobile Service.

The following diagram shows the first screen that you see when starting a trial. The XenMobile Service setup wizard first prompts you to configure details such as a site name and IP address range for the cloud-hosted components.

Image of Cloud configuration screen

After you set up resource locations in the XenMobile Service setup wizard, the wizard guides you through the initial configuration of XenMobile Server, starting with LDAP.

Image of XenMobile configuration screen

After you complete the wizard, Citrix Cloud Operations group integrates your XenMobile Service on Citrix Cloud. Meanwhile, you can start the process of preparing to support Android, iOS, and Windows platforms. For more information, see “Mobile platform support” in XenMobile Service.

The following sections describe more setup to perform when you can access the XenMobile console.

Configure allowed URLs for resource locations

To specify the allowed URLs for a resource location, go to Settings >Cloud Connector Whitelist, click Add, and choose a Resource Location. Then, specify the Allowed/Whitelisted URLs for that location.

  • Allowed/Whitelisted URLs: Specify one URL per line. You can use the asterisk (*) or question mark (?) wildcards.

Image of Cloud Connector configuration screen

Configure users and groups

A User type column appears on the Manage > Users page of the XenMobile console. That column indicates whether each user is a local, Active Directory, or cloud user.

For local users and AD users, you can perform all user management functions described in User accounts, roles, and enrollment.

A cloud user is a special user account that Citrix Cloud creates and manages on the XenMobile Server. Citrix Cloud creates a cloud user account when an administrator is added to your Citrix Cloud customer account. A cloud user account uses the same user name as the administrator account. The cloud user account provides single sign-on and performs other administrative functions.

For cloud users:

  • You can change the roles and user properties of cloud users through the XenMobile console.
  • You cannot change cloud user passwords through the XenMobile console.
  • You can change a cloud user password from Identity and access management in Citrix Cloud.
  • You cannot delete cloud users.
  • You cannot give cloud users membership in a group.

Configure delivery groups

When you create a delivery group, you specify whether the user assignments are managed in XenMobile or in Citrix Cloud. You cannot change this specification after you create the delivery group.

If you plan to use the delivery group to deliver other services available through Citrix Cloud, specify that the user assignments are managed in Citrix Cloud. Other services include XenApp and XenDesktop, Life Cycle Management, ShareFile, or Secure Browser Service. You can only add Active Directory users to these delivery groups.

If you only need mobility management for a delivery group of users and apps, set Manage user assignments to In XenMobile. Delivery groups with users managed in XenMobile are not visible in Citrix Cloud. Therefore, you cannot use delivery groups managed in XenMobile to deliver other services.

You can perform all XenMobile delivery group management functions through the XenMobile console, as described in Deploy Resources.

To add a delivery group and specify how its user assignments are managed:

  1. In the console, click Configure > Delivery Groups.

  2. From the Delivery Groups page, click Add. The Delivery Group Information page appears.

    Image of Delivery Groups configuration screen

  3. Enter a name and description for the delivery group and click Next.

  4. On the User Assignments page, specify how to manage the delivery group user assignments.

    • In XenMobile. Select this option if you plan to create a delivery group for users and apps that only need mobility management. Delivery groups whose user assignments are managed in XenMobile are not visible in Citrix Cloud and cannot be used to deliver other services.
    • In Citrix Cloud. Select this option if you plan to use the delivery group to deliver other services, such as XenApp or ShareFile.

    Image of Delivery Groups configuration screen

Important

You cannot change the Manage user assignments setting after the user group is created.

  1. Add users to the delivery group and click Next.

  2. Add optional resources to the delivery group, as described in Deploy Resources.

  3. Review the Summary page.

  4. Click Save to create the delivery group.

Configure resource locations for PKI entity connections

To use Cloud Connector for Microsoft Certificate Services entity connections, go to Settings > PKI Entities. When you add or edit a PKI entity, change Use Cloud Connector to ON. Then, specify a Resource Location and Allowed Relative Paths for those locations.

  • Resource Location: Choose from the resource locations defined in Citrix Cloud Connector.
  • Allowed Relative Paths: The relative paths allowed for the specified resource location. Specify one path per line. You can use the asterisk (*) wildcard.

Suppose that the resource location is http://www.ServiceRoot/certsrv. To provide access to all URLs in that path, enter * in Allowed Relative Paths.

Image of PKI configuration screen

Configure resource locations for XenApp and XenDesktop connections

To use Cloud Connector for XenApp and XenDesktop connections, go to Settings > XenApp/XenDesktop. Then, change Use Cloud Connector to ON and specify the following options for those locations.

  • Resource Location: Choose from the resource locations defined in Citrix Cloud Connector.
  • Allowed Relative Paths: The relative paths allowed for the specified resource location. Specify one path per line. You can use the asterisk (*) wildcard.

    Suppose that the resource location is https://storefront.company.com and you want to provide access to the following URLs:

    • https://storefront.company.com/Citrix/PNAgent/Config.xml
    • https://storefront.company.com/Citrix/PNAgent/enum.aspx
    • https://storefront.company.com/Citrix/PNAgent/launch.aspx

    To allow all requests with the URL https://storefront.company.com/Citrix/PNAgent/*, enter this path: /Citrix/PNAgent/*

    XenMobile blocks all other paths.

Image of XenApp and XenDesktop configuration screen

Configure an on-premises NetScaler Gateway for use with XenMobile Service

To configure an on-premises NetScaler Gateway for use with XenMobile Service, you perform the following general steps, detailed in this section:

  1. Download a script and related files from XenMobile Server.
  2. Update the script for your environment.
  3. Run the script on NetScaler. You can use the script to configure multiple NetScaler Gateways.

The script configures these NetScaler Gateway settings required by XenMobile:

  • NetScaler Gateway virtual servers needed for MDM and MAM
  • Session policies for the NetScaler Gateway virtual servers
  • XenMobile Server details
  • Proxy load balancer for certificate validation
  • LDAP server details (The script includes comments about the LDAP configuration details.)
  • Traffic actions and policies for the proxy server
  • Clientless access profile
  • Static local DNS record on NetScaler
  • Bindings: Service and traffic policy; CA certificate and service

The script doesn’t handle the following configuration:

  • Exchange load balancing
  • ShareFile load balancing
  • ICA Proxy configuration

The rest of this section describes these general steps for using the script. See the readme file provided with the script for the latest detailed instructions.

  1. Verify that your environment meets the prerequisites. For information, see System requirements.

  2. Download the script bundle, update the script placeholders with details from your environment, and then run the script.

  3. Test the configuration.

Download the script bundle and update the script for your environment

  1. To download the script bundle, go to the Settings > NetScaler Gateway page, select a NetScaler, click Export Configuration Script, and then click Download.

    Image of NetScaler Gateway configuration screen

    The Export Configuration Script button also appears on the page where you add a NetScaler Gateway.

    The script bundle includes a:

    • Readme file with detailed instructions
    • Script that contains the NetScaler CLI commands used to configure the required components in NetScaler
    • Public Root CA certificate and the Intermediate CA certificate
    • Script that contains the NetScaler CLI commands used to remove the NetScaler configuration
  2. Upload and install the certificate files (provided in the script bundle) on the NetScaler appliance in the /nsconfig/ssl/ directory.

    Image of NetScaler Gateway configuration screen

    The following examples show how to install the root certificate.

    Image of NetScaler Gateway configuration screen

    Image of NetScaler Gateway configuration screen

    Image of NetScaler Gateway configuration screen

    Image of NetScaler Gateway configuration screen

    Ensure that you install both the root and intermediate certificates.

  3. Edit the script (OfflineNSGConfigtBundle_CREATESCRIPT) to replace all placeholders with details from your environment.

    Image of NetScaler Gateway configuration screen

  4. Run your edited script in the NetScaler bash shell, as described in the readme file included in the script bundle. For example:

    /netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/OfflineNSGConfigtBundle_CREATESCRIPT.txt"

    Image of NetScaler Gateway configuration screen

    When the script completes, the following lines appear.

    Image of NetScaler Gateway success screen

Test the configuration

To validate the configuration:

  1. Validate that the NetScaler Gateway Virtual Server shows a state of UP.

    Image of NetScaler Gateway status screen

  2. Validate that the Proxy Load Balancing Virtual Server shows a state of UP.

    Image of NetScaler Gateway status screen

  3. Open a web browser, connect to the NetScaler Gateway URL, and attempt to authenticate. If the authentication succeeds, you are redirected to an “HTTP Status 404 - Not Found” message.

  4. Enroll a device and ensure it gets both MDM and MAM enrollment.

XenMobile Service administration

The XenMobile Service is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, XenMobile administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and the XenMobile Service.

All Citrix Cloud administrators also are created as XenMobile administrators by default. To change a role at any time, access the XenMobile console from the Citrix Cloud dashboard. For more information, see “To add, edit, or delete local user accounts” in User accounts, roles, and enrollment. You can change only the role and membership of a user. You cannot change user names or passwords, nor delete or edit local users, from the XenMobile console. Instead, make those changes within Citrix Cloud.

Image of XenMobile Dashboard screen

If you have a ShareFile account that existed before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the ShareFile account. When you’re ready to proceed, go to https://onboarding.cloud.com.

  1. After you log in, a screen similar to the following appears.

    Image of Cloud configuration screen

  2. In the ShareFile tile, choose Link Account.

    Image of ShareFile Service screen

    After we confirm your ShareFile account, the following page appears:

    Image of ShareFile Service screen

  3. Click Link Account to complete the process. You can immediately manage your ShareFile account from within Citrix Cloud.