Product Documentation

ShareFile Worx Clients

Aug 02, 2016

ShareFile is an enterprise file sync and sharing service that lets users exchange documents easily and securely. ShareFile gives users a variety of access options, including ShareFile mobile clients, such as ShareFile for Android Phone and ShareFile for iPad.

For the Citrix ShareFile release notes, see the ShareFile Community page, where Citrix ShareFile employees and other ShareFile subscribers actively help customers. You can also find documentation, including a Getting Started Guide, in the Citrix Knowledge Center.

ShareFile Worx clients are MDX-capable versions of ShareFile mobile clients. ShareFile Worx clients provide secure, integrated access to data in other MDX-wrapped apps. ShareFile Worx clients also benefit from MDX features, such as micro VPN, single sign-on (SSO) with Worx Home, and two-factor authentication.

You use XenMobile, ShareFile, ShareFile StorageZones Controller, and NetScaler as follows to deploy and manage ShareFile Worx clients:

  • XenMobile acts as a SAML identity provider (IdP) and deploys ShareFile Worx clients.
  • ShareFile manages ShareFile data. No ShareFile data travels through XenMobile.
  • ShareFile StorageZones Controller provides connectivity to data in network shares and SharePoint.
  • NetScaler manages requests from external users, securing their connections, load balancing requests, and handling content switching for StorageZones Connectors.

You can download ShareFile Worx clients from https://www.citrix.com/downloads/xenmobile/product-software/xenmobile-enterprise-edition-worx-apps-and-mdx-toolkit.html. You can download ShareFile Worx clients for Android and iOS, including separate iOS clients for use with restricted StorageZones.

How ShareFile Worx Clients Differ from ShareFile Mobile Clients

The following table describes the differences between ShareFile Worx clients and ShareFile mobile clients. ShareFile Worx clients are also referred to as wrapped ShareFile. ShareFile mobile clients are also referred to as unwrapped ShareFile.

User access
  • ShareFile Worx clients: Users obtain and open ShareFile Worx clients from Worx Home.
  • ShareFile mobile clients: Users obtain ShareFile mobile clients from app stores.

SSO
  • ShareFile Worx clients: You can configure XenMobile as a SAML IdP for ShareFile.

    In this configuration, Worx Home obtains a SAML token for the ShareFile Worx client, using XenMobile as the SAML IdP.

    A user who starts the ShareFile Worx client, but is not signed on to Worx Home is prompted to sign on to Worx Home. The user does not have to know their ShareFile domain or account information.

  • ShareFile mobile clients: You can configure XenMobile and NetScaler Gateway as a SAML IdP for ShareFile.

    In this configuration, a user logging on to ShareFile using a web browser or other ShareFile clients is redirected to the XenMobile environment for user authentication. After successful authentication by XenMobile, the user receives a SAML token that is valid for logon to their ShareFile account.

Micro VPN
  • ShareFile Worx clients: Remote users can connect using a VPN or micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network. This feature, available through NetScaler integration with XenMobile, is transparent to users.
  • ShareFile mobile clients: Not applicable.

Two-factor authentication
  • ShareFile Worx clients: NetScaler integration with XenMobile also supports authentication using a combination of client certificate authentication and another authentication type, such as LDAP or RADIUS.
  • ShareFile mobile clients: Not applicable.

Folder permissions
  • Determined by ShareFile.

Document access protection
  • ShareFile Worx clients: Users can open attachments received in WorxMail or downloaded by any MDX-wrapped app. Only MDX-wrapped apps appear when the user performs an Open In action. Data that is from a non-wrapped app is not available to a ShareFile Worx client.

    WorxMail users can attach files from their ShareFile repository without needing to download the file to the device.

    If a user has wrapped ShareFile and unwrapped ShareFile on a device, the wrapped ShareFile client cannot access files in the user's personal ShareFile account. The wrapped ShareFile client can access only the ShareFile subdomain configured in XenMobile.

  • ShareFile mobile clients: Users can open attachments from any app.

ShareFile account access
  • ShareFile Worx clients: To access a personal ShareFile account or a third-party ShareFile account, users must use a non-MDX version of ShareFile on the device.
  • ShareFile mobile clients: Available from ShareFile clients.

Device policies
  • Both XenMobile and ShareFile device policies apply to ShareFile Worx clients. For example, from the XenMobile console, you can perform a device wipe. From the ShareFile console, you can remotely wipe the ShareFile app.

MDX policies
  • ShareFile Worx clients: MDX policies let you configure settings that the Worx Store enforces. Policies available only through MDX include the ability to block the camera, mic, email compose, screen capture, and clipboard cut, copy, and paste operations.
  • ShareFile mobile clients: Not applicable.

Data encryption
  • ShareFile Worx clients: Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.
  • ShareFile mobile clients: Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.

Availability
  • ShareFile Worx clients are included with XenMobile Advanced and Enterprise editions. All XenMobile editions include all ShareFile Enterprise features.

System Requirements for ShareFile Worx Clients

ShareFile Worx Clients have the same system requirements as the ShareFile mobile clients. For supported versions of ShareFile Worx Clients, see XenMobile Compatibility.

Integrating and Delivering ShareFile Worx Clients

To integrate and deliver ShareFile Worx clients with XenMobile, follow these general steps:

  1. Enable XenMobile as a SAML IdP for ShareFile, to provide SSO from ShareFile Worx clients to ShareFile. To do so, you must configure ShareFile account information in XenMobile. For details, see To configure ShareFile account information in XenMobile for SSO, in this article.

    ShareFile for Android 3.9 is required for SSO with Worx Home 10.0.8.

    Important: To use XenMobile as a SAML IdP for non-MDX ShareFile clients, such as the ShareFile web app and the ShareFile Sync clients, additional configuration is required. For details, see this article on the ShareFile support site: Configure ShareFile Single Sign-On with XenMobile 10.
  2. Download (https://www.citrix.com/downloads/xenmobile/product-software/xenmobile-enterprise-edition-worx-apps-and-mdx-toolkit.html) and wrap the ShareFile Worx clients. For details, see About the MDX Toolkit.
  3. Add the ShareFile Worx clients to XenMobile. For details, see To add ShareFile Worx clients to XenMobile, in this article.
  4. Validate your configuration. For details, see To validate ShareFile Worx clients, in this article.

To configure ShareFile account information in XenMobile for SSO

To enable SSO from Worx Home to Worx apps, you specify ShareFile account and ShareFile administrator service account information in the XenMobile console. With that configuration, XenMobile acts as a SAML IdP for ShareFile, for Worx clients, ShareFile Worx clients, and non-MDX ShareFile clients. When a user starts a Worx client, Worx Home obtains a SAML token for the user from XenMobile and sends it to the Worx client.

In the XenMobile console, click Configure > Settings, expand More and then click ShareFile.

[Figure: ShareFile settings in XenMobile console]

About the settings:

  • Domain is the ShareFile subdomain to be used for the Worx clients.
  • Only the users in the selected delivery groups will have SSO access to ShareFile from the Worx clients.

    If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile Worx client to XenMobile.

  • The ShareFile Administrator Account Logon information is used by XenMobile to save the SAML settings in the ShareFile control plane.

Important: The configuration that enables SSO from ShareFile Worx clients to ShareFile does not authenticate users to network shares or SharePoint document libraries. Access to those Connector data sources requires authentication to the Active Directory domain in which the network shares or SharePoint servers reside.

To add ShareFile Worx clients to XenMobile

When you add ShareFile Worx clients to XenMobile, you can enable SSO access to Connector data sources from ShareFile Worx clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode policy as described in this section.

Prerequisites

  • XenMobile must be able to reach your ShareFile subdomain. To test the connection, ping your ShareFile subdomain from the XenMobile server.
  • The time zone configured for your ShareFile account and for the hypervisor running XenMobile must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach ShareFile within the expected time frame. To configure the NTP server for XenMobile 10, use the XenMobile command-line interface.
    Note: Be aware that the Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.
  • Log in to the ShareFile administrator console using a ShareFile admin account and verify the SAML SSO settings in Admin > Configure Single Sign-On.
  • Download and wrap the ShareFile Worx clients.
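
The time-zone prerequisite above, as an added example that is not part of the original Citrix documentation: it simulates an IdP virtual machine whose clock shows local wall time labelled as UTC and checks the resulting SAML validity window against true UTC. The 5-minute lifetime, 3-minute skew tolerance, function names, and sample timestamp are assumptions, not ShareFile or XenMobile values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
LIFETIME = timedelta(minutes=5)  # assumed token lifetime, not a documented value
SKEW = timedelta(minutes=3)      # assumed tolerance on the receiving side


def issue_conditions(idp_clock):
    """Build a constructed assertion fragment stamped from the IdP's own clock."""
    nb = (idp_clock - timedelta(minutes=1)).strftime(FMT)
    noa = (idp_clock + LIFETIME).strftime(FMT)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>'
        "</saml:Assertion>"
    )


def check_window(assertion_xml, sp_now_utc):
    """Classify the assertion as the receiving service would at sp_now_utc.

    Diagnostic only: no signature or audience validation is performed.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before = datetime.strptime(cond.attrib["NotBefore"], FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.attrib["NotOnOrAfter"], FMT).replace(tzinfo=timezone.utc)
    if sp_now_utc + SKEW < not_before:
        return "not-yet-valid"
    if sp_now_utc - SKEW >= not_on_or_after:
        return "expired"
    return "valid"


def simulate(local_offset_hours):
    """IdP VM shows local wall time but labels it UTC; the receiver uses true UTC."""
    true_utc = datetime(2016, 8, 2, 12, 0, 0, tzinfo=timezone.utc)  # constructed instant
    idp_clock = true_utc + timedelta(hours=local_offset_hours)
    return check_window(issue_conditions(idp_clock), true_utc)


if __name__ == "__main__":
    for offset in (0, -5, 2):
        print(f"local offset {offset:+d}h -> {simulate(offset)}")
```

A VM running behind true UTC produces tokens that already look expired, while one running ahead produces tokens that are not yet valid; either way the SSO request is rejected even though credentials and SAML settings are correct.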

Steps:

  1. In the XenMobile console, click Configure > Apps and then click Add.
  2. Click MDX.
  3. Enter a Name and, optionally, a Description and App category for the app.
  4. Click Next and then upload the .mdx file for the ShareFile Worx client.
  5. Click Next to configure the app information and policies.

    [Figure: App Policies in the XenMobile console]

    The configuration that enables SSO from ShareFile Worx clients to ShareFile does not authenticate users to network shares or SharePoint document libraries. To enable SSO between the Worx Home micro VPN and ShareFile StorageZones Controller, complete the following policy configuration:

    • Set the Network access policy to Tunneled to the internal network.

      In this mode of operation, all network traffic from the ShareFile Worx client is intercepted by the Worx MDX framework and redirected through NetScaler Gateway using an app-specific micro VPN.

    • Set the Preferred VPN mode policy to Secure browse.

      In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then initiates new connections to internal connections on the user's behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

  6. Complete the Approvals and Delivery Group Assignments as needed.

    Only the users in the selected delivery groups will have SSO access to ShareFile from the ShareFile Worx clients. If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile Worx client to XenMobile.

To validate ShareFile Worx clients

  1. After completing the configuration described in this article, start the ShareFile Worx client. ShareFile should not prompt you to sign on.
  2. In WorxMail, compose an email and add an attachment from ShareFile. Your ShareFile Home page should open, without prompting you to sign on.