Product Documentation

XenMobile Mail Manager

Feb 25, 2014

XenMobile Mail Manager allows you to use XenMobile Device Manager to gain Dynamic Access Control for Exchange ActiveSync devices. With XenMobile Mail Manager, you can access Exchange ActiveSync device partnership information provided by Exchange, perform a wipe on a mobile device, access information about BlackBerry devices, and perform control operations, such as reset password.

XenMobile Mail Manager extends the capabilities of XenMobile in the following ways:
  • Dynamic Access Control for Exchange ActiveSync devices. Based on rules that you define in Device Manager and XenMobile Mail Manager, you can automatically allow or block access from Exchange ActiveSync devices to Exchange services.
  • Provides the ability for Device Manager to access Exchange ActiveSync device partnership information provided by Exchange. This allows you to view and manage Exchange ActiveSync devices that are not enrolled in XenMobile.
  • Lets you perform an Exchange ActiveSync wipe on a mobile device.
  • Lets you access information about BlackBerry devices and perform operations, such as wipe and reset password.

XenMobile Mail Manager Components

The XenMobile Mail Manager consists of three main components:
  • Exchange ActiveSync Access Control Management. This component communicates with Device Manager to retrieve Exchange ActiveSync policies, and then merges the policies with any locally defined policies to determine which Exchange ActiveSync devices should be allowed or denied access to Exchange. Locally defined policies extend the policy rules to allow access control by Active Directory Group, User, Device Type, or Device User Agent (generally the mobile platform version).
  • Remote Powershell Management. This component is responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by Exchange ActiveSync Access Control Management. The component periodically creates a snapshot of the Exchange ActiveSync database to detect new or changed Exchange ActiveSync devices.
  • Mobile Service Provider. This component provides a web service interface so that Device Manager can query Exchange ActiveSync and BlackBerry devices, and issue operations, such as a wipe operation, on the devices.
Figure 1. XenMobile Mail Manager Components

XenMobile Mail Manager System and Software Requirements

XenMobile Mail Manager requires the following minimum system configuration:

Computer and processor: Pentium III 733 MHz or higher processor; 2.0 GHz Pentium III or higher processor (recommended)

Operating system: Windows Server 2008 R2 or 2012

Server software:
  • Microsoft SQL Server 2008 or 2012, Microsoft SQL Server Express 2008 or 2012, or Microsoft SQL Server 2012 Express LocalDB
  • Microsoft .NET Framework 4.5
  • Exchange Server 2010 SP2 or later
  • Microsoft Office 365
  • BlackBerry Enterprise Service, version 5 (optional, if managing BlackBerry devices)

Server machine requirements:
  • Windows Management Framework must be installed
  • PowerShell V2
  • The PowerShell execution policy must be set to RemoteSigned by running Set-ExecutionPolicy RemoteSigned from the PowerShell command prompt

Memory: 1 gigabyte (GB)

Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space

Other devices: Network adapter compatible with the host operating system for communication with the internal network

Display: VGA or higher-resolution monitor

Onsite Exchange Requirements

If you are using XenMobile Mail Manager with an onsite instance of Microsoft Exchange, you will need to ensure that your deployment meets the following requirements:

Permissions

Exchange role-based access control (RBAC) is beyond the scope of this topic; however, at a minimum, the credentials specified in the Exchange Configuration Management Console must be able to connect to Exchange Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:

  • Get-CASMailbox
  • Set-CASMailbox
  • Get-Mailbox
  • Get-ActiveSyncDevice
  • Get-ActiveSyncDeviceStatistics
  • Clear-ActiveSyncDevice

As documented by Microsoft, in order to establish a remote connection and run remote commands, the credentials must correspond to a user who is an administrator on the remote machine.

Additionally, the Exchange Server must be configured to support remote PowerShell requests via HTTP. Typically, an administrator running the following PowerShell command on the Exchange Server is all that is required: WinRM QuickConfig.

Throttling Policy Considerations

Among the many Exchange throttling policies, one policy controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is 18 on Exchange 2010. When the connection limit is reached, XenMobile Mail Manager cannot connect to Exchange Server.

Although there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends that you investigate the Exchange throttling policies as related to remote management with PowerShell that best suit the demands of your Exchange environment.

Office 365 Exchange Requirements

If you are using XenMobile Mail Manager with an instance of Microsoft Exchange hosted through Office 365, you will need to ensure that your deployment meets the following requirements:

Permissions

Exchange role-based access control (RBAC) is beyond the scope of this topic; however, at a minimum, the credentials specified in the Exchange Configuration Management Console must be able to connect to Exchange Server and be allowed to execute the following Exchange-specific PowerShell cmdlets:

  • Get-CASMailbox
  • Set-CASMailbox
  • Get-Mailbox
  • Get-ActiveSyncDevice
  • Get-ActiveSyncDeviceStatistics
  • Clear-ActiveSyncDevice

The supplied credentials must have been granted the right to connect to the Office 365 server through the remote shell. By default, the Office 365 online admin has the requisite privileges.

Throttling Policy Considerations

Among the many Exchange throttling policies, one policy controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is three on Office 365. When the connection limit is reached, XenMobile Mail Manager cannot connect to the Exchange Server.

Although there are ways to change the maximum allowed simultaneous connections via PowerShell, Citrix recommends that you investigate the Exchange throttling policies as related to remote management with PowerShell that best suit the demands of your Exchange environment.

Installing XenMobile Mail Manager

The following conditions must be met before you install XenMobile Mail Manager:
  • Download and install .NET Framework 4.5 from Microsoft.
  • One of the following versions of Microsoft SQL Server:
    • Microsoft SQL Server 2008
    • Microsoft SQL Server 2008 SqlExpress
    • Microsoft SQL Server 2012
    • Microsoft SQL Server 2012 SqlExpress
    • Microsoft SQL Server 2012 SqlExpress\LocalDB

One LDAP Per Domain Caveat

XenMobile Mail Manager supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain, a sub domain, and so on), you will need to install an instance of XenMobile Mail Manager for each domain.

You can set LDAP connection properties to use the Global Catalog Server, which will give you access to global groups across domains. To do this, you modify the connection string from "LDAP:" to "GC:".

For example, instead of "LDAP://dc=citrix, dc=com", use "GC://dc=citrix, dc=com".

To install XenMobile Mail Manager

To install XenMobile Mail Manager, click the XmmSetup.msi file and follow the onscreen instructions.

Configuring XenMobile Mail Manager

You can use the XenMobile Mail Manager configuration utility to extend the capabilities of XenMobile Device Manager to create access control rules that can either allow or block Exchange ActiveSync devices from accessing Exchange services. You can build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also use the utility to perform an Exchange ActiveSync wipe on out-of-compliance devices.

To configure the Exchange Server

  1. From the Start menu, open XenMobile Mail Manager.
  2. In the XenMobile Mail Manager utility, click the Configure > Exchange tab.
  3. Select the type of Exchange Server environment, either On premise or Office 365.

    If you select On-premise, enter the name of the Exchange CAS server that will be used for Remote Powershell commands.

  4. Enter the User name of a Windows identity that has sufficient rights on the Exchange Server. For more information about permissions required for XenMobile Mail Manager to access Exchange Server, see Onsite Exchange Requirements and Office 365 Exchange Requirements.
  5. Enter the Password for the User.
  6. Select the schedule for running Major snapshots. A major snapshot detects every Exchange ActiveSync partnership.
  7. Select the schedule for running Minor snapshots. A minor snapshot detects newly created Exchange ActiveSync partnerships.
  8. Next, select if you want XenMobile Mail Manager to take Deep or Shallow snapshots. Shallow snapshots are faster and are sufficient to perform all of the Exchange ActiveSync Access Control functions of XenMobile Mail Manager. Deep snapshots may take significantly longer and are only needed if the Mobile Service Provider is enabled for ActiveSync (which allows Device Manager to query for unmanaged devices).

    If you are configuring XenMobile Mail Manager with a Mobile Service Provider (MSP) ActiveSync interface, for example, to apply access control rules to unmanaged BlackBerry devices from a BES server, you must choose Deep snapshots. If MSP ActiveSync capability is not required, Citrix recommends using shallow snapshots for better performance.

  9. Click Test Connectivity to check that a connection can be made to the Exchange Server.
  10. Click Save. When prompted by a message asking if you would like to restart the service, click Yes.

To configure database properties

The first task in configuring XenMobile Mail Manager is to configure a connection to the database that the component will use to store data.

  1. From the Start menu, open XenMobile Mail Manager.
  2. In the XenMobile Mail Manager utility, click the Configure > Database tab.
  3. Enter the Server name of the SQL Server (defaults to localhost).
  4. Leave the Database name as the default (CitrixXmm).
  5. In the Authentication field, in the drop-down list, select the Authentication mode used for SQL:

    • SQL. If you choose this mode, enter the user name and password of a valid SQL user.
    • Windows Integrated. If you choose this option, the Logon credential of the XenMobile Mail Manager Service must be changed to a Windows account that is compatible. To do this, open Control Panel > Administrative Tools > Services, right-click the XenMobile Mail Manager Service entry and then select the Log On tab.
  6. Click Test Connectivity to check that a connection can be made to the SQL Server.
  7. Click Save. When prompted to restart the service, click Yes.

To configure a Mobile Service Provider

Configuring a Mobile Service Provider is optional and only necessary if Device Manager is also configured to use the Mobile Service Provider interface to query unmanaged devices; for example: BlackBerry devices from a BlackBerry Enterprise Server (BES).

Note: XenMobile Mail Manager manages BlackBerry devices from BES 4.1 and BES 5 servers, BlackBerry Z10 devices and other ActiveSync devices from Exchange 2010. The http/https protocols used should be consistent between XenMobile Mail Manager and Device Manager.
  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Configure > MSP tab.
  3. Set the Service Transport type (HTTP or HTTPS) for the Mobile Service Provider service.
  4. Set the Service port (typically 80 or 443) for the Mobile Service Provider service.
  5. Set the Authorization Group or User. This sets the user or set of users that will be able to connect to the Mobile Service Provider service from the Device Manager server.
  6. Select Enable ActiveSync if you want to enable ActiveSync queries.

    Note: If ActiveSync queries are enabled for the Device Manager server, the Snapshot type for one or more Exchange Servers must be set to Deep. Be aware that this setting could have significant performance costs when performing snapshots.

  7. Click Save.

To configure the Mobile Service Provider hostname in Device Manager

After you have configured XenMobile Mail Manager to use the Mobile Service Provider web service interface to query unmanaged devices (if you want to manage ActiveSync traffic of BlackBerry devices from the BES 5 server), you need to configure the Device Manager server to connect to the XenMobile Mail Manager server.

  1. Log on to the Device Manager web console.
  2. Click Options.
  3. In the Options dialog box, click Modules Configuration > Mobile Service Provider.
  4. Enter the following information:

    1. Web service URL. This is the URL of the Mobile Service Provider web service on the XenMobile Mail Manager server. For example: http://XmmServer/services/zdmservice.
    2. Username. User name of the administrator account on the XenMobile Mail Manager server. For example: domain\admin.
    3. Password. Password for the administrator account on the XenMobile Mail Manager server.
    4. Enable automatic update of BlackBerry and ActiveSync devices connections. Select this option.
  5. Click Check Connection to test the communication between XenMobile Mail Manager and Device Manager.
  6. Click Close.

To configure BlackBerry BES servers (optional)

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Configure > MSP tab.
  3. Under BlackBerry Configuration, click Add.
  4. In the BES Properties dialog box, type the Server name of the BES SQL server.
  5. Type the database name of the BES Management database.
  6. Select the Authentication mode for server access. If Windows Integrated authentication is selected, the user account of the XenMobile Mail Manager service is the account that is used to connect to the BES SQL Server. If SQL authentication is selected, enter the user name and password.
  7. Set the Sync Schedule. This is the schedule used to connect to the BES SQL server and check for any device updates.
  8. Click Test Connectivity to check connectivity to the SQL server.

    Note: If Windows Integrated is selected, this test uses the current logged in user and not the XenMobile Mail Manager service user and therefore does not accurately test SQL authentication.

  9. If you want to support remote Wipe and/or ResetPassword of BlackBerry devices from Device Manager, select Enabled. In the fields, enter the following information:

    1. The BAS Server FQDN.
    2. The BAS Server port used for the Admin web service.
    3. The fully qualified User and Password required by the BES service.
  10. Click Test Connectivity to test the connection to the BES server.
  11. Click Save.

XenMobile Mail Manager and Exchange Quarantine Mode

XenMobile Mail Manager can be indispensable when configured in conjunction with Microsoft Exchange Quarantine mode, which allows an Exchange administrator to quarantine a user's device until that device is determined to be compliant. In Exchange quarantine mode, a user's email inbox is blocked, but the user can still see the calendar, appointments, and contacts.

For example, when a user configures a corporate email account on a new device, as soon as the user connects to the Exchange Server, the device is placed into quarantine mode. Exchange allows the administrator to send an email to the user telling them that they need to enroll their new device in XenMobile.

When the new device is enrolled, XenMobile directs XenMobile Mail Manager to un-quarantine (or Allow) the device, provided that the device is compliant with Device Manager policy as defined in the Device Manager SMG Options dialog box.

Understanding XenMobile Mail Manager Access Rules

XenMobile Mail Manager allows you to configure three types of rules:
  • Local
  • XDM (from Device Manager)
  • Default

Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The matching criteria may match a particular device or a set of devices.

Local Rules

Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block, based on any of the following properties.

  • ActiveSync Device Id. Uniquely identifies a specific device.
  • Device Type. A set of devices, such as “iPad”, “WP8”, or “Touchdown”.
  • User Agent. A set of devices identified by platform version, such as “iOS/6.1.2”.
  • User. A specific user.

The ActiveSync Device Id is detected on the device and then delivered to XenMobile Mail Manager by Device Manager as policy. However, there are some devices for which the ActiveSync Device Id cannot be detected. If you want to allow such devices, you must configure Device Manager to send a policy that allows the user and, therefore, all the devices accessed by that user. Alternatively, you can install NitroDesk TouchDown on these devices because the ActiveSync DeviceId of TouchDown can be detected.

Device Manager (XDM) Rules

XDM rules are defined within Device Manager. The product of these rules is delivered to XenMobile Mail Manager and continuously updated in the background. XDM rules can identify devices by properties known to Device Manager, such as:
  • Enrolled with Device Manager
  • Jailbroken or rooted devices
  • Forbidden (blacklisted) applications installed
  • Non-suggested applications installed
  • Unmanaged
  • Out of compliance
  • Non-compliant password
  • Revoked status
  • Inactive device
  • Anonymous status

Default Rules

The Default rule matches the set of all devices and the desired state of the rule can be set to Allow, Block, or Unchanged. When Unchanged is selected, XenMobile Mail Manager does not modify the state of any devices that are not matched explicitly by a Local or XDM rule.

Rule Evaluation

For each ActiveSync device known to Microsoft Exchange, the rules are evaluated in order: first Local rules, then XDM rules, then the Default rule. If a match is found in any rule, the desired state for that rule is then enacted for the device and no further rules are evaluated for the device. You can change the order in which rules are evaluated so that XDM rules are evaluated before Local rules by manually editing the config.xml file.

When a rule is enacted, XenMobile Mail Manager sends a PowerShell command to Microsoft Exchange to change the access state. However, if the current known access state of the device is already equal to the desired state, no action is taken. Whenever the rules, or the set of known devices changes, the rules are reevaluated.

XenMobile Mail Manager can also be configured in Simulation mode. In this mode, PowerShell commands are not issued to modify the access state. Instead, XenMobile Mail Manager records in the database that such an action was simulated.

To configure default access control rules

Default access control rules serve as "catch-all" rules that can be set to allow or deny a device that does not meet the criteria of either XDM rules or local rules. For example, if you set the Default rules to Allow, any device that does not meet the criteria set to block a device in either XDM or Local rules will be allowed to connect to Exchange.

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Configure > Access Rules tab.
  3. Set the Default Access to either Allow or Block. This setting controls how all devices other than those identified by explicit Device Manager or Local rules will be treated.
  4. Set the ActiveSync Command Mode to either Powershell or Simulation. In Powershell mode, XenMobile Mail Manager will issue Powershell commands to enact the desired access control. In Simulation mode, XenMobile Mail Manager will not issue Powershell commands, but will log the intended command and intended outcomes to the database. In Simulation mode, the user can then use the Monitor tab to see what would have occurred if Powershell mode was enabled.
  5. Click Save.

To configure XDM Device Manager rules

You can use XDM rules from Device Manager in XenMobile Mail Manager to work in combination with Local and Default rules. Device Manager rules provide control over devices that do not meet your corporate device compliance standards. You can block devices that have blacklisted apps, devices that have been rooted or jailbroken, or that meet some other condition.

Device Manager rules are configured in the Device Manager web console, in the Options dialog box.

Device Manager rules are evaluated by Device Manager after Local rules and before Default rules.

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Configure > Access Rules tab.
  3. Click the XDM Rules tab.
  4. Click Add.
  5. Type a name for the Device Manager rules, such as XDM.
  6. Modify the URL string to refer to the Device Manager server. For example, if the Device Manager server name is Xdm01, you would enter http://Xdm01/zdm/services/MagConfigService.
  7. Enter an authorized user on the Device Manager server.
  8. Enter the password of the user.
  9. Leave the Baseline Interval, Delta Interval, and Timeout values at the default settings.
  10. Click Test Connectivity to check the connection to the Device Manager server.
  11. Click OK.

To configure local rules

Local rules are rules that you create from XenMobile Mail Manager and that are specific to the XenMobile Mail Manager utility. The rules provide an extra layer of filtering and control over your company email access policies. When used in combination with Default access rules and Device Manager Secure Mobile Gateway Rules, you can create useful combinations of filters to ensure that you have control over email access according to company policy.

You can build local rules to allow or block access by device ID, Device Type (all Android devices, for example), specific user, Active Directory group, or even agent version (device platform version).

In XenMobile Mail Manager, local rules are evaluated first, followed by XDM rules, followed by Default rules, from top to bottom as they are listed in the user interface.

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Configure > Access Rules tab.
  3. Click the Local Rules tab.
  4. If you want to build local rules that operate on Active Directory Groups, click Configure LDAP and then configure the LDAP connection properties.
  5. From the drop-down list, select local rules to add based on ActiveSync Device ID, Device Type, AD Group, User, or device UserAgent.
  6. Type text or text fragments in the text box. Optionally, click the query button to view the entities that match the fragment. Note that for all types other than Group, the system relies on the devices that have been found in a snapshot. So, if you are just starting and haven’t completed a snapshot, no entities will be available.
  7. Select a text value in the results and then click Allow or Deny to add it to the Rule List on the right side.
  8. You can change the order of rules or remove rules by using the buttons to the right of the Rule List. The order is significant because, for a given user and device, rules are evaluated in the order shown. A match on a higher rule (nearer the top) causes subsequent rules to have no effect. For example, if you have a rule allowing all iPad devices, and a subsequent rule blocking user “Matt”, then Matt’s iPad will still be allowed because the “iPad” rule has a higher effective priority than the “Matt” rule.
  9. To determine the effects of multiple rules with groups that have overlapping members, click View Expanded. This shows the net result of the combination of groups.
  10. Click Save.
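The rule-evaluation order described under Rule Evaluation (Local rules top to bottom, then XDM rules, then the Default rule; first match wins; no command when the device is already in the desired state; Simulation mode records intent instead of acting) and the iPad/“Matt” ordering example in step 8 above, modelled as an added Python example. This is not Citrix code: the Device and Rule field names, the prefix match on User Agent, the known-state map and the sample devices are my assumptions.

```python
from dataclasses import dataclass

ALLOW, BLOCK, UNCHANGED = "Allow", "Block", "Unchanged"


@dataclass
class Device:
    device_id: str       # ActiveSync Device Id (not always detectable, per the page)
    device_type: str     # e.g. "iPad", "WP8", "Touchdown"
    user_agent: str      # platform version, e.g. "iOS/6.1.2"
    user: str            # mailbox owner
    groups: tuple = ()   # AD groups resolved through the LDAP/GC connection


@dataclass
class Rule:
    source: str          # "Local" or "XDM"
    state: str           # ALLOW or BLOCK
    criteria: dict       # Local: device_id/device_type/user_agent/user/group
                         # XDM:   a Device Manager property, e.g. {"jailbroken": True}


def matches(rule, dev, xdm_props):
    """True when every criterion in the rule matches this device."""
    for key, wanted in rule.criteria.items():
        if key == "group":
            ok = wanted in dev.groups
        elif key == "user_agent":
            ok = dev.user_agent.startswith(wanted)  # assumption: prefix match on version
        elif key in ("device_id", "device_type", "user"):
            ok = getattr(dev, key) == wanted
        else:
            ok = xdm_props.get(key) == wanted       # property reported by Device Manager
        if not ok:
            return False
    return True


def evaluate(dev, xdm_props, local_rules, xdm_rules, default_state):
    """Order from the page: Local (top to bottom), then XDM, then Default.
    The first match wins and no further rules are considered."""
    for rule in list(local_rules) + list(xdm_rules):
        if matches(rule, dev, xdm_props):
            return rule.state, rule.source
    return default_state, "Default"


def enact(dev, desired, known_state, simulate):
    """What XenMobile Mail Manager would do for one device.
    Returns one of: 'unchanged', 'noop', 'simulated', 'issued'."""
    if desired == UNCHANGED:
        return "unchanged"       # Default rule set to Unchanged: device left alone
    if known_state.get(dev.device_id) == desired:
        return "noop"            # already in the desired state: no command sent
    if simulate:
        return "simulated"       # Simulation mode: intent recorded in the database only
    known_state[dev.device_id] = desired
    return "issued"              # PowerShell mode: the access-state command is sent


def run_policy(devices, xdm_props, local_rules, xdm_rules, default_state,
               known_state, simulate=False):
    """Evaluate and enact the policy for every known device; returns an audit map."""
    result = {}
    for dev in devices:
        desired, source = evaluate(dev, xdm_props.get(dev.device_id, {}),
                                   local_rules, xdm_rules, default_state)
        result[dev.device_id] = (desired, source, enact(dev, desired, known_state, simulate))
    return result


# Constructed sample data (not from the page); mirrors the iPad/"Matt" example.
DEVICES = [
    Device("APPL-1", "iPad", "iOS/6.1.2", "Matt"),
    Device("WP8-1", "WP8", "WP8/8.0", "Matt"),
    Device("TD-1", "Touchdown", "Android/4.2", "Jane"),
    Device("APPL-2", "iPhone", "iOS/6.1.2", "Bob"),
]
XDM_PROPS = {"TD-1": {"jailbroken": True}}
LOCAL_RULES = [Rule("Local", ALLOW, {"device_type": "iPad"}),  # listed first in the UI
               Rule("Local", BLOCK, {"user": "Matt"})]
XDM_RULES = [Rule("XDM", BLOCK, {"jailbroken": True})]

if __name__ == "__main__":
    state = {"APPL-1": ALLOW, "WP8-1": ALLOW, "TD-1": ALLOW, "APPL-2": BLOCK}
    for dev_id, outcome in run_policy(DEVICES, XDM_PROPS, LOCAL_RULES, XDM_RULES,
                                      ALLOW, state, simulate=True).items():
        print(dev_id, outcome)
```

Running it in Simulation mode first (as the page recommends) shows which devices would change state without issuing anything; Matt's iPad stays allowed because the iPad rule sits above the Matt rule.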

Simulation Compared to Powershell Mode

Before you implement and activate your Access Control Rules with XenMobile Mail Manager, you can use Simulation mode to test the rules, as opposed to Powershell mode, which actually executes the rules in your live environment. The difference between the two modes is as follows:
  • In Simulation mode, XenMobile Mail Manager will not issue Powershell commands, but will log the intended command and intended outcomes to the database. In Simulation mode, the user can then use the Monitor tab to see what would have occurred if Powershell mode was enabled.
  • In Powershell mode, XenMobile Mail Manager will issue Powershell commands to enact the desired access control.

To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under ActiveSync Access Control Rules on the Default Rule tab, select either Simulation or Powershell from the ActiveSync Command Mode drop-down list.

Monitoring XenMobile Mail Manager

The Monitor tab in XenMobile Mail Manager allows for browsing of Exchange ActiveSync and BlackBerry devices that have been detected, and displays the history of automated PowerShell commands that have been issued.

There are three tabs under the Monitor tab:
  • ActiveSync Devices
  • Blackberry Devices
  • Automation History
Also, the history of all snapshots is available under the Configure tab:
  • In the Exchange tab, click the Info icon for the desired Exchange Server.
  • Under the MSP tab, click the Info icon for the desired BlackBerry server. Snapshot history shows when the snapshot took place, how long it took, how many devices were detected, and any errors that occurred.

To monitor ActiveSync devices

From the Monitor > ActiveSync Devices tab, you can view all Exchange ActiveSync devices that have been detected and a history of the PowerShell commands issued by XenMobile Mail Manager. Using the drop-down list, you can filter the list to see which devices have been allowed and which have been blocked, and you can filter the commands to those issued in the last hour or the last day. You can also search the list by user or device ID.

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Monitor > ActiveSync Devices tab.
  3. To see more details on a specific command, device, or user, click the green (allowed) or red (blocked) icon next to the entry.

To monitor BlackBerry devices

From the Monitor tab, you can view all BlackBerry devices that have been detected and a history of PowerShell commands issued by XenMobile Mail Manager.

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Monitor > BlackBerry Devices tab.
  3. To search the list for a specific user, type the user's email address and then click Go.
  4. To see more details on a specific command, device, or user, click the green (allowed) or red (blocked) icon next to the entry.

To view snapshot history

You can view the history of snapshots you have taken of your Exchange or BlackBerry servers by clicking the Information icon next to the server name.

  1. From the Start menu, open XenMobile Mail Manager.
  2. Click the Configure > Exchange tab.
  3. Click the small blue Information icon next to the Exchange Server to see the history of snapshots taken of the server's ActiveSync traffic.
  4. To view the history of snapshots taken of a configured BlackBerry server, click the Configure > MSP tab.
  5. Click the Information icon next to the BlackBerry server to see the history of snapshots taken.