Product Documentation

Deploying Secure Mobile Gateway

Sep 27, 2015
Deploying the Secure Mobile Gateway requires performing the following setup tasks:
  • Set up listening addresses for the SMG web service
  • Configure communication with the Device Manager server (‘config provider’)
  • Define local rules that allow you to override rules set in the Device Manager web console

Choosing a Security Model for Secure Mobile Gateway

Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to allow access to a user, computer, or device by default, using some form of protected or quarantined network control, it is not always a good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices.

The same logic applies to mobile device security. The vast numbers of mobile devices and types, quantities of mobile devices per user, and the array of operating system platforms and applications available make the very idea of using a permissive model a weak choice. In most organizations the restrictive model will be the most logical choice. However, it will involve some thinking to successfully roll-out the Secure Mobile Gateway security model. Although it is not uncommon to allow access to a user, computer, or device by default, using some form of protected or quarantined network control, it is not always a good practice

The configuration scenarios that Citrix allows for integrating Secure Mobile Gateway with XenMobile Device Manager is as follows:

Permissive Model (Permit Mode)

The permissive security model operates on the premise that everything is either allowed or granted access by default. Only in the case of rules and filtering will something be blocked and a restriction applied. The permissive security model is good for organizations that have a relatively loose security concern about mobile devices and only applies restrictive controls to deny access where appropriate (when a policy rule is failed).

The Restrictive Model (Block Mode)

The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security check point is filtered and inspected, and is denied access unless the rules allowing access are passed. The restrictive security model is good for organizations that have a relatively tight security criterion about mobile devices. The mode only grants access for use and functionality with the network services when all rules to allow access have passed.

To set up a restrictive mode for Secure Mobile Gateway

The following procedure describes how to set up Secure Mobile Gateway successfully with the restrictive mode (block mode). This configuration for Secure Mobile Gateway and XenMobile Device Manager assumes that both are installed and operational and that mobile devices are enrolled with Device Manager and connecting to ActiveSync services properly. Through and understanding the principles of Secure Mobile Gateway Rules, Filters within Device Manager, Static and Dynamic updates for rules, and the enforcement of an Secure Mobile Gateway restrictive Block mode policy, you can implement a secure device management solution with Device Manager and Secure Mobile Gateway.

Understanding how to set the granularity of security policy and apply it correctly from Device Manager and Secure Mobile Gateway is important with regard to global device management for a large set of users or an entire organization. The following example of a best practice restrictive, or blocked policy, for Secure Mobile Gateway will enable the following results:

  • All users and devices noted on the static list need to belong to and pass the Device Manager inventory rule in order to gain access through the ActiveSync connection of Secure Mobile Gateway.
  • All users with devices that have apps that match the Blacklisted Apps are denied access until the mobile device user removes them manually from the device and, perhaps, the synchronizing application.
  • All unmanaged devices by Device Manager are denied access to ActiveSync connections and services until properly enrolled.
  • All Android devices with root account access enable are denied access. With device hardware and operating system encryption not fully up-to-speed with other platforms, this policy can help to ensure that no malicious apps or devices can penetrate the Exchange messaging system and possibly more.
  • All other devices that were missed by an in-line static and Device Manager dynamic rule or filter to screen acceptable values for devices, users, and applications is allowed or denied access as the closing rule for Secure Mobile Gateway to process. Because this example chose the Static + ZDM Rules: Block Mode, the final outcome of the linear policy scan is to block devices and drop connections until fixed.
  1. Open the SMG Controller Configuration utility and then click Gateway Config tab.
  2. Next to Policy click Static + ZDM Rules: Block Mode and then click Save.
  3. Click the Static Rules tab and then on the Static Allow and Static Deny tabs, enter values for User, DeviceID, DeviceType, or UserAgents.
    • Values for Static Allow are available in the Device Manager web console or in the Secure Mobile Gateway Log in the configuration utility. For information, see To add a static rule.
    • A single entry for a row will only filter on the single value alone. For example, Username alone will only filter based on the single criteria of User.
    • A combination entry for a row will filter based on match for the two values. For example, User and DeviceId combined would restrict access to a user and a specific device.
  4. Open the Device Manager web console and then click Options from the console banner.
  5. Click Secure Mobile Gateway in the left-hand navigation bar.
  6. Choose the desired options for the restrictive environment. In this procedure, the following Secure Mobile Gateway options for Device Manager are enabled:
    • Blacklisted Apps. Enabled with a filter set to Deny devices with any matching applications listed in the Blacklist configuration profile.
      Note: To add additional blocking for jailbroken iOS devices later than iOS v4.1, you can add the Cydia application to this list. Jailbroken devices with Cydia components installed are blocked by Secure Mobile Gateway.
    • Unmanaged Devices. Enabled with a filter set to Deny devices that are not enrolled within Device Manager.
    • Rooted Android Devices. Enabled with a filter set to Deny devices that are running in a rooted mode of the Android OS.
  7. Click Close to exit the web console settings screen.