Deploying XenMobile MDM - Device Manager

Dec 21, 2015

XenMobile Device Manager consists of the following separate server components:

  • Device Manager is one server or virtual machine that is typically located in the DMZ. This component provides advanced mobile device management and security for iOS, Android, Symbian, Windows Phone 8, Windows 8, Windows CE, and Windows Mobile devices.
  • Secure Mobile Gateway is the automated enforcement component that can prevent unmanaged or out-of-compliance devices from accessing your secure network mail environment. You can install the Secure Mobile Gateway on an Exchange Client Access server, Exchange Front End, Microsoft ISA Server, or Microsoft Threat Management Gateway; it does not have any prerequisites to complete before installation. For more information, see Secure Mobile Gateway 8.5. You can install the Secure Mobile Gateway you install the Device Manager server.

You can install Device Manager to support a variety of existing network topologies and a large number of users. Installation considerations include how users connect to their information system (Wi-Fi, cellular, and Ethernet), existing security rules (DMZ, firewalls), user authentication (directories), and more. Device Manager should be installed on a standalone physical server or dedicated virtual machine.

To fit existing IT infrastructures, Device Manager can be deployed in the following scenarios:

  • Simple installation: Device Manager is installed behind the firewall.
  • Multi DMZ installation: Device Manager is installed in the private DMZ behind a proxy located in the public DMZ.

The following figure shows a typical Device Manager deployment.

Figure 1. Device Manager Deployment

Citrix recommends deploying the Device Manager server in the DMZ as a perimeter security server for mobile device management. In a conventional single-DMZ architecture, make sure before you install the Device Manager server that the firewalls allow the required network traffic.

You can also install the Device Manager server in the secure network. However, for the server to operate correctly, all network firewall ports described in "Device Manager Server" in Product Requirements must then be allowed inbound from the Internet to the secure network where the server is placed. See Preparing for Device Manager Installation for information on the required ports for a Device Manager deployment.

For Device Manager Server connectivity, make sure that it has:

  • A TCP/IP LAN connection of 100 Mbps or more
  • A static IP address and a dedicated Domain Name System (DNS) name published both to the Internet and your network
  • Availability of all required network firewall ports to allow device traffic inbound from the Internet to the Device Manager server, as well as from the Device Manager server to and from your internal network

The computers on which you install Device Manager Remote Support connect to the Device Manager server IP address on port 80 (by default) to retrieve the list of connected devices, and on a port selected during installation (port 82, for example) for remote control of devices through the Device Manager server.
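
A connectivity check for the two Remote Support connections described above, run from a Remote Support workstation before rollout. This is an added example, not Citrix code; the host name is a placeholder, and port 82 is the page's example value for the remote-control port, not a fixed default.

```python
import socket
import sys

# Ports from the paragraph above: 80 is the default for retrieving the device
# list; 82 is the page's example of a remote-control port chosen at install.
REMOTE_SUPPORT_PORTS = {80: "device list (default)", 82: "remote control (example)"}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'timeout' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: the path is allowed, but nothing is
        # listening (service stopped, or a different port was chosen).
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping the traffic.
        return "timeout"
    except OSError as exc:
        # Name resolution failure, no route, and similar.
        return f"error: {exc}"


def check_remote_support(host, ports=REMOTE_SUPPORT_PORTS, timeout=3.0):
    """Probe every Remote Support port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def report(host, results, ports=REMOTE_SUPPORT_PORTS):
    """Render one human-readable line per probed port."""
    return [f"{host}:{port} [{ports.get(port, 'custom')}] -> {state}"
            for port, state in results.items()]


if __name__ == "__main__":
    # Placeholder host name (assumption); pass the real server as argument 1.
    host = sys.argv[1] if len(sys.argv) > 1 else "devicemanager.example.com"
    results = check_remote_support(host)
    print("\n".join(report(host, results)))
    # Non-zero exit if any required port is not reachable.
    sys.exit(0 if all(s == "open" for s in results.values()) else 1)
```

A `timeout` result points at a firewall rule between the workstation and the Device Manager server, while `refused` points at the server itself, such as a stopped service or a remote-control port that differs from the one entered here.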