About This Release

Oct 08, 2015

With App Controller, you can provide the following benefits for each application type:

  • SaaS applications. Active Directory-based user identity creation and management, with SAML-based single sign-on (SSO).
  • Intranet web applications. HTTP form-based SSO by using password storage.
  • iOS and Android apps. Unified store to which you can install MDX apps for iOS and Android devices, and security management for MDX policies, encompassing WorxMail and WorxWeb. You can wrap iOS and Android apps with the MDX Toolkit to create MDX apps.
  • ShareFile access. Delivery of files by configuring ShareFile settings and the ShareFile application that provides seamless SAML SSO, and Active Directory-based ShareFile service user account management.

XenMobile App Edition enables the delivery of web, SaaS, mobile iOS and Android apps, along with Windows-based applications from XenApp and virtual desktops from XenDesktop. You manage application configuration and policy settings by using App Controller, with the following capabilities:

  • Centralized user account creation and management for web and SaaS applications, and ShareFile access that provides users with a seamless single sign-on (SSO) experience.
  • The use of Active Directory as the identity repository. Active Directory is then used as the basis for authorizing users to external applications and services.
  • A unified enterprise app store to enable the publishing and distribution of Android and iOS apps for authorized users to download and install on mobile devices.
  • Centralized policy controls to secure the applications and data, with easy removal of user accounts, erase and lock of Citrix-delivered applications and data, and consolidated auditing and reporting of application access.

You can configure applications and ShareFile access by using the App Controller web-based management console. Within the management console, you can configure the following:

  • Roles that include Active Directory groups
  • Applications for SSO only
  • Applications for SSO, user account management, and the creation of new user accounts
  • Apps for Android and iOS devices, including WorxMail and WorxWeb apps
  • Approval workflows to authorize access to applications or to create user accounts on application servers
  • Categories to organize applications in Citrix Receiver and Worx Home
  • HTTP Federated Formfill connectors
  • SAML 1.1 or 2.0 connectors that support the identity provider (IdP) flow
  • Role-based management and delivery of mobile applications
  • Role-based ShareFile document management
  • Device inventory that lists user devices that connect to App Controller

This section introduces App Controller 2.8, announces what's new in this release, discusses compatibility between App Controller, Worx Home, and Citrix Receiver, and lists known issues for App Controller.

Key Features

The most typical deployment configuration for App Controller is to locate App Controller in the secure network. Users can connect to App Controller to access applications.

The key features of App Controller are:

  • Access to web and SaaS applications that includes:
    • Federated support for SAML 1.1 and SAML 2.0 applications
    • Password storage and formfill support for password-based web applications
    • User account management from Active Directory group membership for SaaS applications
    • User account management workflows that allow users to request application accounts and for individuals in your organization to approve the requests
  • Access to Android and iOS mobile apps that includes:
    • The ability to publish Android and iOS apps that users can download and install on their mobile devices from Citrix Receiver, including WorxMail and WorxWeb
    • Security controls for Android and iOS apps to ensure application and data security
    • Management of mobile apps on user devices through Receiver and Worx Home that enables you to control the mobile apps without managing the mobile device
    • The ability to wrap mobile apps with MDX policies
  • Access to ShareFile that includes a centralized device listing for users that allows you to erase application and ShareFile data on lost or stolen devices
  • Device inventory that includes:
    • The ability to configure App Controller to communicate with and enroll devices in XenMobile Device Manager
    • The ability to view all devices that have connected to App Controller
    • The ability to erase and stop erasing data on the user device
    • The ability to lock and unlock managed apps on the user device
    • The ability to remove devices from the list
  • Support options that include:
    • GoToAssist phone, email, and chat options
    • Ability to add or modify support settings

What's New

App Controller 2.8 supports the following new features:

  • App Controller as a Secure Ticket Authority (STA). This capability lets users open applications in Receiver, such as WorxMail, that they want to leave open securely for long periods of time. To enable this feature, App Controller issues the tickets with policies that enable lifetime use unless the ticket expires. You can configure the lifetime of the secure ticket with a different value for each application. For example, you may configure a secure ticket for WorxMail to remain valid for 7 days, in which case users must enter their credentials after a 7-day interval. Or, you may require a different application to have a secure ticket that remains valid for 24 hours, in which case users must enter their credentials at least one time every 24 hours to continue to have access to resources on the internal network. Tickets may be forced to expire if a user is deprovisioned, the user's permission to use an app is revoked, a device is locked or wiped, or an app is removed or upgraded.

    When remote users start an MDX application that routes through NetScaler Gateway to the internal network, App Controller issues a ticket that is similar to the STA from XenApp. You configure time-outs for the connection in NetScaler Gateway. This new security ticketing feature provides support for ticketing sessions from Receiver for iOS, Receiver for Android, and Worx Home, as well as for third-party applications that leverage the ticketing capability and are wrapped with the MDX Toolkit. When you configure secure ticketing for an application, App Controller acts as an STA server and issues MDX tickets for Citrix Receiver or Worx Home to establish secure connections.

  • Active Directory settings. When you use the First Time Use wizard to configure App Controller 2.8 and configure Active Directory settings, you can enter a group domain name (DN) that speeds the synchronization of Active Directory membership with App Controller.
  • Branding. You can import a logo for your organization into the App Controller management console to appear in the Worx Store on devices running Worx Home, Receiver for Android or Receiver for iOS.
  • Clustering. You can configure clustering for App Controller 2.8 from the command-line console. You configure several hosts, or service nodes, that run App Controller without connections to a database. The service nodes connect to the host, or cluster head, that runs App Controller and hosts the centralized database. All of the service nodes that run on that cluster share the database. The cluster head is often deployed with a backup host that acts as a passive, standby cluster head. The management console for a service node displays only the Overview and Release Management pages in System Configuration.
  • Data security for mobile apps. When you upload iOS or Android apps to App Controller, you can configure encryption settings for the app. When you upload an iOS app, you can allow offline or online access, enable encryption, and configure database and file exclusions. Android apps allow a greater level of encryption for public and private files, storage locations, and exclusions. Android apps allow for offline access only.
  • Google Play store credential storage. You can enter users' Google Play store credentials in order to display an app description and icon in the management console and in the Worx Store.
    Note: Google store credentials are mandatory when you configure an app for an Android Public App Store in the management console.
  • GoToAssist support options in Worx Home. You can configure some or all of the following four pre-defined settings in the management console to enable GoToAssist phone, email or web options to appear within Worx Home.
    • A phone number for IT Help
    • An email address to use for organizations that don't offer GoToAssist
    • A web address that users click to open a GoToAssist chat session
    • An email address for opening a GoToAssist ticket
  • Policy updates for Android devices. When users wrap applications by using the MDX Toolkit, you can configure the following new policies:
    • Private file encryption
    • Private file encryption exclusions
    • Non-standard external storage locations
    • Access limits for public files
    • Public file encryption
    • Public file encryption exclusions
    • Public file migration
    • Certificate label

    For details on these policies as well as the entire list of policies for Android apps, see Configuring MDX Policies for Android Apps in App Controller.

  • Receiver deployments that include StoreFront. You can delegate authentication to StoreFront, while enabling App Controller to continue to serve as the single place for managing enterprise application delivery and a single point of access for all users, across devices. This mode is recommended for advanced authentication scenarios that rely on the Public Key Infrastructure (PKI). To enable connections through Receiver to managed applications, you can now configure the following trust settings in App Controller:
    • StoreFront for authentication. You can deploy StoreFront behind App Controller so that user connections route through App Controller and then to StoreFront, which acts as the authentication server.
    • NetScaler Gateway in the DMZ and StoreFront for authentication. You can configure remote connections to route through NetScaler Gateway in the DMZ and then to an application running on a server in your network. In this release, you can configure this deployment and also enable StoreFront to act as the authentication server. In this way, Receiver routes a connection through App Controller, which proxies the connection to StoreFront for authentication. Next, the connection is proxied through NetScaler Gateway, which finally routes the request to App Controller.
  • SSL offloading. When you configure network connectivity, you can enable SSL offloading so that SSL decryption and encryption tasks terminate on a NetScaler Gateway virtual server that you configure in the DMZ. To enable SSL offloading, you need to configure the NetScaler Gateway virtual server with an appropriate SSL certificate to ensure that the communication with devices running Receiver and Worx Home continues to be secured with the Secure Sockets Layer (SSL) protocol.
  • Support for Worx Mobile Apps on Android or iOS devices. When users start the app on an Android or iOS device, Worx Mobile Apps starts rather than Receiver. Users continue to use Receiver to open HDX apps.
  • XenDesktop and XenApp integration. When users connect to App Controller, they can view their web, SaaS, MDX, and Worx mobile apps, in addition to their XenDesktop and XenApp applications and desktops. Users can view these apps in either the Web Interface or in Receiver if the Windows-based apps are delivered from StoreFront. When you configure StoreFront in front of App Controller and you configure Receiver to communicate with StoreFront, users continue to have a seamless experience.
  • XenMobile Device Manager trusted communication. You can establish trusted communication between App Controller and XenMobile Device Manager by configuring a host, port, and shared key in the App Controller management console. You can also require that Worx users enroll in Mobile Device Manager. This configuration facilitates API calls between the App Controller and Device Manager for information sharing, as well as for the management of native mobile applications through the Apple Push Notification Service (APNS).