With App Controller, you can provide the following benefits for each application type:
- SaaS applications. Active Directory-based user identity creation and management, with SAML-based single sign-on (SSO).
- Intranet web applications. HTTP form-based SSO by using password storage.
- iOS and Android apps. Unified store to which you can install MDX apps for iOS and Android devices, and security management for MDX policies, encompassing WorxMail and WorxWeb. You can wrap iOS and Android apps with the MDX Toolkit to create MDX apps.
- ShareFile access. Delivery of files by configuring ShareFile settings and the ShareFile application that provides seamless SAML SSO, and Active Directory-based ShareFile service user account management.
Edition enables the delivery of web, SaaS, mobile iOS and Android apps, along
with Windows-based applications from XenApp and virtual desktops from
XenDesktop. You manage application configuration and policy settings by using
App Controller, with the following capabilities:
You can configure
applications and ShareFile access by using the App Controller web-based
management console. Within the management console, you can configure the
introduces App Controller 2.8, announces what's new in this release, discusses
compatibility between App Controller, Worx Home, and Citrix Receiver, and lists
known issues for App Controller.
The most typical
deployment configuration for App Controller is to locate App Controller in the
secure network. Users can connect to App Controller to access applications.
The key features of
App Controller are:
- Access to web and SaaS
applications that includes:
- Federated support for SAML
1.1 and SAML 2.0 applications
- Password storage and
formfill support for password-based web applications
- User account management
from Active Directory group membership for SaaS applications
- User account management
workflows that allow users to request application accounts and for individuals
in your organization to approve the requests
- Access to Android and iOS
mobile apps that includes:
- The ability to publish
Android and iOS apps that users can download and install on their mobile
devices from Citrix Receiver, including WorxMail and WorxWeb
- Security controls for
Android and iOS apps to ensure application and data security
- Management of mobile apps
on user devices through Receiver
and Worx Home that enables you to control the mobile
apps without managing the mobile device
- The ability to wrap mobile
apps with MDX policies
- Access to ShareFile that
centralized device listing for users that allows you to erase application and
ShareFile data on lost or stolen devices
- Device inventory that
- The ability to configure
App Controller to communicate with and enroll devices in
XenMobile Device Manager
- The ability to view all
devices that have connected to App Controller
- The ability to erase and
stop erasing data on the user device
- The ability to lock and
apps on the user device
- The ability to remove
devices from the list
- Support options that
- GoToAssist phone, email,
and chat options
- Ability to add or modify
App Controller 2.8
supports the following new features:
App Controller as a Secure
Ticket Authority (STA). This capability lets users open
applications in Receiver, such as WorxMail that they want to leave open
securely for long periods of time. To enable this feature, App Controller
issues the tickets with policies that enable lifetime use unless the ticket
expires. You can configure the lifetime of the secure ticket with a different
value for each application. For example, you may configure a secure ticket for
WorxMail to remain valid for 7 days, in which case users must enter their
credentials after a 7-day interval. Or, you may require a different application
to have a secure ticket that remains valid for 24 hours, in which case users
must enter their credentials at least one time every 24 hours to continue to
have access to resources on the internal network. Tickets may be forced to
expire if a user is deprovisioned, the users' permission to use an app is
revoked, a device is locked or wiped, or an app is removed or upgraded.
users start an MDX application that routes through NetScaler Gateway to the
internal network, App Controller issues a ticket that is similar to the STA
from XenApp. You configure time-outs for the connection in NetScaler Gateway.
This new security ticketing feature provides support for ticketing sessions
from Receiver for iOS, Receiver for Android, and Worx Home, as well as for
third-party applications that leverage the ticketing capability and are wrapped
with the MDX Toolkit. When you configure secure ticketing for an application,
App Controller acts as a STA server and issues MDX tickets for Citrix Receiver
or Worx Home to establish secure connections.
Directory settings. When you use the First Time Use wizard to
configure App Controller 2.8 and configure Active Directory settings, you can
enter a group domain name (DN) that speeds the synchronization of Active
Directory membership with App Controller.
- Branding. You
can import a logo for your organization into the App Controller management
console to appear in the Worx Store on devices running Worx Home, Receiver for
Android or Receiver for iOS.
- Clustering. You
can configure clustering for App Controller 2.8 from the command-line console.
You configure several hosts, or
nodes, that run App Controller without connections to a database. The
service nodes connect to the host, or
head, that runs App Controller and hosts the centralized database. All
of the service nodes that run on that cluster share the database. The cluster
head is often deployed with a backup host that acts as a passive, standby
cluster head. The management console for a service node displays only the
Overview and Release Management pages in System Configuration.
- Data security for mobile
apps. When you upload iOS or Android apps to App Controller, you
can configure encryption settings for the app. When you upload an iOS app, you
can allow offline or online access, enable encryption, and configure database
and file exclusions. Android apps allow a greater level of encryption for
public and private files, storage locations, and exclusions. Android apps allow
for offline access only.
Play store credential storage. You can enter users' Google Play
store credentials in order to display an app description and icon in the
management console and in the Worx Store.
store credentials are mandatory when you configure an app for an Android Public
App Store in the management console.
- GoToAssist support options
in Worx Home. You can configure some or all of the following four
pre-defined settings in the management console to enable GoToAssist phone,
email or web options to appear within Worx Home.
- A phone number for IT
- An email address to use
for organizations that don't offer GoToAssist
- A web address that users
click to open a GoToAssist chat session
- An email address for
opening a GoToAssist ticket
- Policies updates for
Android devices. When users wrap applications by using the MDX
Toolkit, you can configure the following new policies:
- Private file encryption
- Private file encryption
- Non-standard external
- Access limits for public
- Public file encryption
- Public file encryption
- Public file migration
- Certificate label
For details on
these policies as well as the entire list of policies for Android apps, see
Configuring MDX Policies for Android Apps in App Controller.
- Receiver deployments
that include StoreFront. You can delegate authentication to
StoreFront, while enabling App Controller to continue to serve as the single
place for managing enterprise application delivery and a single point of access
to all users, across devices. This mode is recommended for advanced
authentication scenarios that rely on the Public Key Infrastructure (PKI). To
enable connections through Receiver to managed applications, you can now
configure the following trust settings in App Controller:
- StoreFront for
authentication. You can deploy StoreFront behind App Controller so
that user connections route through App Controller and then to StoreFront,
which acts as the authentication server.
- NetScaler Gateway in the
DMZ and StoreFront for authentication. You can configure remote
connections to route through NetScaler Gateway in the DMZ and then to an
application running on a server in your network. In this release, you can also
configure this deployment, but also enable StoreFront to act as the
authentication server. In this way, Receiver routes a connection through App
Controller, which proxies the connection to StoreFront for authentication.
Next, the connection is proxied through NetScaler Gateway, which finally routes
the request to App Controller.
offloading. When you configure network connectivity, you can enable
SSL offloading to move SSL decryption and encryption tasks to terminate on a
NetScaler Gateway virtual server that you configure in the DMZ. To enable SSL
offloading, you need to configure the NetScaler Gateway virtual server with an
appropriate SSL certificate to ensure that the communication with devices
running Receiver and Worx Home continue to be secured with the Secure Sockets
Layer (SSL) protocol.
- Support for Worx Mobile
Apps on Android or iOS devices. When users start the app on an
Android or iOS device, Worx Mobile Apps starts rather than Receiver. Users
continue to use Receiver to open HDX apps.
- XenDesktop and XenApp
integration. When users connect to App Controller, they can view
their web, SaaS, MDX and WorX mobile apps, in addition to their XenDesktop and
XenApp applications and desktops. Users can view these apps in either the Web
Interface or in Receiver if the Windows-based apps are delivered from
StoreFront. When you configure StoreFront in front of App Controller and you
configure Receiver to communicate with StoreFront, users continue to have a
- XenMobile Device Manager
trusted communication. You can establish trusted communication
between App Controller and XenMobile Device Manager by configuring a host,
port, and shared key in the App Controller management console. You can also
require that Worx users enroll in Mobile Device Manager. This configuration
facilitates API calls between the App Controller and Device Manager for
information sharing, as well as for the management of native mobile
applications through the Apple Push Notification Service (APNS).