Citrix XenMobile™
Enterprise Mobility in Numbers
• BYO Devices: average of 3 devices per employee
• Multiple Locations: 65% of employees work in multiple locations
• App Proliferation: average Citrix customer portfolio of 200+ apps
• Unmanaged Data: 80%+ of the Fortune 500 use unmanaged cloud storage
Mobile devices enable work from more locations
[Chart: “How often do you work from the following locations?” (at least once a week). Base: 4,985 US information workers. Locations: Office, Home, Client site, While traveling or commuting. Devices: Tablet, Smartphone, Laptop.]
By 2015:
• 37% of workforce will be mobile
• 15 Billion connected devices
• 4-times more mobile projects than Windows projects
User Needs: access to all apps and data from any of their devices
IT Needs: for Enterprise IT, a complete stack for managing and securing apps, data, and devices
Choice at Entry: App Management, Device Management, Data Management
Choice at Entry: Mobile Device Management, Mobile App Management, App and Desktop Virtualization
Three Simple Packages
• XenMobile MDM Edition: provision security, apps & data to mobile devices
• XenMobile App Edition: add advanced app & data management to any MDM solution
• XenMobile Enterprise Edition: complete solution to manage apps, data & devices
MDM Edition
Use cases:
• Mobile device management
• Jailbreak detection
• Selective or full wipe
• Geo location tracking
• Passcode enforcement
• Pushing applications
• Native mail client access control
• Wifi & vpn access control
• Access to sharepoint & network drives
Client side: Worx Enroll, Worx Home
Server side: XenMobile Device Manager
[Diagram: MDM Edition topology; Enroll on the device, the DMZ, and XenMobile Device Manager on the corporate network]
App Edition
Use cases:
• Mobile application management
• Federated single sign on
• Secure email
• Secure browsing
• Automated account provisioning
• Workflow
• Policy based interapp security
• App specific micro vpn
• Unified corporate app store
Client side: Worx Home
Server side: XenMobile App Controller, NetScaler Gateway (optional)
[Diagram: App Edition topology; Worx client, NetScaler in the DMZ, XM App Controller, StoreFront (SF), XD / XA virtual desktops and apps]
Enterprise Edition
Use cases:
• All MDM Edition use cases
• All App Edition use cases
• Secure document sharing, syncing & editing
• Both cloud and on-premise data storage options
Client side: Worx Enroll, Worx Home, Worx Mail, Worx Web, ShareFile, SharePoint
Server side: XenMobile Device Manager, Access Gateway, App Controller
[Diagram: Enterprise Edition topology; Worx client, NetScaler and XNC in the DMZ, XM App Controller, XenMobile Device Manager (Enroll), StoreFront (SF), XD / XA virtual desktops and apps; optional Native Mail Encryption]
[Edition comparison table (MDM Edition / App Edition / Enterprise Edition) covering: configure, secure & provision mobile devices; one-click live chat & support; access SharePoint & network drives; secure mobile web browser – Internet; secure mobile web browser – intranet/enterprise; secure mail, calendar and contacts app; activate and manage Worx capabilities in apps; unified corporate app store; multi-factor single sign-on; secure document sharing, sync & editing; both cloud & on-premise data storage options]
MDM Edition
“My users are bringing in all types of devices…I need to set PIN codes, WiFi, etc..”
“Want to give device choice…but what do I do if devices are lost or stolen?”
“…need to manage personal and corporate devices alongside each other”
“…issuing shared tablets to shift workers in hospital/retail stores/restaurants/dist centers…”
Secure and manage my devices
Enterprise-grade MDM:
• Manage & configure corporate and BYO devices
• Detect jailbreak, blacklist/whitelist apps
• Full/selective device wipe
Easy to setup:
• Fully wizard-driven
Extensible:
• Enterprise integration (e.g.: LDAP and PKI)
• Upgrade to Enterprise for mail or app mgmt any time
App Edition
Give me mail that users love and IT embraces
“…Using Good, but the user experience stinks…”
“…replacing BlackBerrys, but need similar policy controls for iOS and Android devices…”
“…provision an email-specific PIN code…”
“…make my users’ lives better with email that’s beautiful, yet secure…”
• Beautiful email client, sandboxed for IT
• Native mobile mail, calendar, and contacts
• Attach and save data to ShareFile
• One touch access to internal sites with WorxWeb
• Calendar invites with GoToMeeting using free/busy
• Encrypted email, attachments, contacts
• Available on iPhone, iPad, Android Phone & Tablet
[Diagram: Secure Email topology; Worx client, NetScaler and XNC in the DMZ, XM App Controller; optional Native Mail Encryption]
App Edition
Mobilize my apps and data
“…extend my enterprise to partners and contractors.”
“…need SSO for my field who use SalesForce/Evernote”
“…need to secure and manage custom and off-the-shelf iOS / Android apps”
“…give users easy access to content on-the-go”
“…Good Dynamics is too hard to implement”
“…give employees mobile access
• Secure email to any iOS/ Android device
• Secure intranet web browsing with micro VPN
• Enterprise iOS/ Android app with MDX controls
• Integrated ShareFile data accessibility
• SAML Federation and AD based identity management
• Scenario-based access controls
Citrix – The Most Complete Mobile Portfolio
• Mobile VOI
• Mobile Device Management
• Sandboxed Mail and Web
• Mobile App Security
• Secure Mobile Data Sharing
• Mobile Network Control
• SSO & Identity Management
• Desktop & App Virtualization
• Social & Web Collaboration
Recognized as a “Leader” by Gartner; Winner at Interop
Magic Quadrant; Critical Capabilities
Source: Gartner report, Magic Quadrant for Mobile Device Management Software, May 23, 2013, Phillip Redman, John Girard, Terrence Cosgrove, Monica Basso
Source: Gartner report, Critical Capabilities for Mobile Device Management Software, May 23, 2013, Phillip Redman
XenMobile MDM Edition
Mobile Device Management
What Policies are Companies Using?
XenMobile MDM
• Give users device choice whether corporate issued or BYO
• Manage the device throughout lifecycle
What You Need to Know
The 6 Key Stages of the MDM Lifecycle
1. Configure
2. Provision
3. Secure
4. Support
5. Monitor
6. Decommission
Assess what devices you are going to support
• First do an assessment of what types of devices are connecting
• Exclude devices that lack features you require for compliance
• Dynamic dashboard for changing policy
Define User Groups Based on LDAP
• Quickly define policies by Active Directory group
• Automatically assign a user to a role such as “Sales”
• Provide up to date data when employees leave the company for timely
Jailbreak Detection
• Block jailbroken or rooted devices before enrollment to prevent security threats
• Ensure device and OS versions are compliant
• Devices can be monitored
Control Access to Corporate Mail
• IT Benefit: Protect company data and improved productivity
• End User Benefit: Access to corporate mail via native email client
• Network Considerations:
ᵒ Leverage your NetScaler investment to control ActiveSync traffic from mobile devices
ᵒ Supports native iOS client and Touchdown for Android
Enforce Passcodes
• Most commonly used policy by customers
• Multiple passcode policies
ᵒ Complexity
ᵒ Length
ᵒ Auto-lock time
ᵒ Maximum age
• Also strengthens device-level encryption for data-at-rest
• Strike a balance – don’t make passwords too complicated!
Enforce use of PKI and certificates
• Benefit for IT: Stronger user authentication
• Benefit for End User: Single Sign On for Email, WiFi & VPN
• Network Considerations: XenMobile supports multiple PKI solutions:
ᵒ Microsoft
ᵒ RSA
ᵒ OpenTrust
ᵒ Entrust
[Diagram: certificate-based mail access flow between Devices, XenMobile Device Manager, PKI Server, NetScaler and Exchange Server. Step 1: MDM connection on port 443. Step 2: ZDM generates a CSR based on the template defined in CredentialProvider. Step 3: CSR signed using CA public key; PKI issues the user certificate. Step 4: EAS: Username + Cert. Step 5: Validate user cert (EAS: Username/Password + Cert). Step 6: Retrieve email / email sync.]
Control access to corporate WiFi & VPN
• IT Benefits: Allow only managed devices to access network for better security
• User Benefits: Reduce time to setup WiFi and VPN settings for employees (also reduces help desk calls)
• Network Considerations: Can leverage cert-based auth for WiFi & VPN
Push Apps to a Mobile Device
• IT Benefits:
ᵒ Allow admins to remotely push and remove iOS and Android apps to a mobile device to enhance productivity of employees
ᵒ Convenient for mass distribution of corporate mobile apps
• User Benefit:
ᵒ Access to corporate apps and data on their own device
How do you handle pushing business apps to all of your
Track device location
• IT Benefit: Geo-fencing rules to control use of devices and apps in specific locations
• User Benefit: Ability to track your own device in case it is lost or stolen
• Other Considerations: Can also track history of device’s location over period of time
Selective Device Wipe
• IT Benefit: Removes corporate apps, mail and data in the event device is stolen, lost, non-compliant or if employee leaves company
• User Benefit: Leaves personal data intact
• Other Considerations: Remote lock, automated actions and full wipe also available
What happens if a device is left behind at Starbucks? What if employees are downloading non-compliant
MDM Mobility Infrastructure
[Diagram: Worx client connecting over port 443 through NetScaler and XNC in the DMZ to XenMobile Device Manager (Enroll); optional Native Mail Encryption]
XM-DM Enroll
1. User enters their username, MDM server address and password.
2. The MDM server validates the user request and checks credentials with Active Directory.
3. The user credentials are validated at Active Directory.
4. A configuration profile is sent to the user’s device. This configuration profile prompts the device for additional information.
5. The user is prompted to install the profile. Once installed, this configuration profile prompts the device to respond back to the server with specific device attributes.
6. The MDM server receives the device response and sends a second configuration profile with the SCEP payload to the device.
7. The device generates a key and a certificate signing request using the SCEP protocol.
8. The certificate issuing service (SCEP enabled) receives the CSR from the device, verifies it, signs it and responds with the certificate for the device.
9. The device receives the certificate and generates a response back to the MDM server which is signed with the new certificate.
10. The MDM server then responds with an encrypted configuration profile containing the policies, settings, etc. The device receives the profile and automatically installs it.
[Diagram components: device, XenMobile Device Manager, Active Directory, Certificate Authority]
XenMobile Device Manager
• Actively manage policy and configuration for iOS, Android, Windows Mobile/CE and Symbian
• Deploy and administer mobile applications
ᵒ Functionality varies by app and platform
• Control data access with DLP add-on
• Receives connections directly from mobile devices
• Makes connections to:
ᵒ Database Server (MS SQL Server or Postgres)
XenMobile Device Manager Installation tips
• Installation is supported on 64bit Windows Server 2005, 2008 and 2008R2
ᵒ 2003 supported until EOL
• You will need an external DNS record and APNS cert
• Only install the recommended version of Java
ᵒ Be sure to include the Unlimited Strength crypto jar files
XenMobile Device Manager Pre-requisites
• Windows Server (Standard or Enterprise) 2003 64 bit, 2008 64 bit, or 2008 R2 64 bit
• Service Accounts
ᵒ Installation account must be local admin of server
ᵒ Does not require SQL rights directly
ᵒ Account with database creation permissions in SQL
• Intended MDM server does not need to be a member of the domain
• Do not install IIS. Uninstall IIS if it exists on this server
• External DNS record for the MDM server
ᵒ (ex. Mobile.yourcompany.com)
• Apple APNS certificate
ᵒ required during the install, obtained using the XenMobile APNS Certificate Setup Guide
• Java SE 7
• Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
ᵒ copy local_policy.jar and US_export_policy.jar to /Java/jdk1.6.0_x/jre/lib/security
• Software License
XenMobile Device Manager Directory Services
• Real-time access to LDAP (AD, Domino, etc..) source
• Can configure multiple connections to multiple servers
• Supports LDAP and LDAPS with certificate management
• Wizard driven configuration
XenMobile Device Manager Role Based Access Control
• Roles can be created as desired
ᵒ For example, multiple helpdesk tiers, devices managed by business units, etc..
• Access is granular by admin function or group
• Roles are selected by group
SAM Account vs. User Principal Name (UPN)
sAMAccount is used to support older OS: Windows NT 4.0, Windows 95, Windows 98, and LAN Manager
By convention, UPN should map to the user email name (Use This)
When configuring an LDAP connection, you can choose the User Search option of either sAMAccount Name or
userPrincipalName. Any user enrolling their device will need
User Tips
• Remember: Users may belong to multiple groups and this can affect which packages are deployed
• Be sure to create at least 1 local account for emergency use
ᵒ This account should not be in AD and be sure to protect this password. This may be your only way to log into the server if the AD connection is severed somehow.
• XenMobile Device Manager does not crawl the entire LDAP tree looking for users. Deeply buried user accounts may not be able to log in if the LDAP connection simply references the root.
Device Support
Citrix XenMobile Device Manager allows you to manage the following mobile device platforms:
• Apple handheld devices (iPhone, iPad) using iOS 5.0 or higher
• Android handheld devices using 2.2 or higher
• Microsoft Windows 8 Phone and Windows 8 Tablet
ᵒ Windows Mobile and its derivatives, including Smartphone and PocketPC
ᵒ Windows Mobile 5.x or 6.x (PocketPC or Smartphone Edition)
ᵒ Pocket PC 2003
ᵒ Windows CE 4.x, 5.x or 6.x
• BlackBerry handheld devices using BlackBerry OS versions 5.x, 6.x, and 7.x
• Symbian
[Feature support matrix by platform (columns include Mobile, Windows 8 and Windows 8 Phone; the per-platform marks did not survive extraction). Features listed: Dashboard; Enhanced Enrollment Modes (OTP, Multifactor, Invitation-based); Invitation Client Download; Email Attachment Encryption; App Lock (‘Kiosk Mode’); App Tunnels; Mobile SSL VPN; Storage Card Encryption Policy; Auto discovery Logon; Automated Actions; Notifications; Agent Notification; Enterprise App Store; Locate Device; Geo-Tracking, Geo-Fencing; Secure SharePoint; Remote client installation (OTA); Provisioning of devices & users; Hardware Inventory; Software Inventory; Security – Jailbreak detection; Remote Wipe & Lock (limited); Software download & install; File transfer; Device Remote Control; Roaming Management; Reports (activity & devices inventory); Local device data encryption (option)]
How Citrix defines Policies
• Policies are all the individual elements of configuration or restriction available for definition
• Policies do not take effect unless deployed to a device
• In the event of a policy conflict, the more restrictive policy is applied
MDM Policies
• Device specific configuration and restriction policies
• Application Tunnels
• Automated Actions
• Server Groups
XenMobile Policies
• Application access policies (black/white lists)
• XM SDK enabled app control
Policy Tips
• Name policies with descriptive names
ᵒ When browsing lists, the policy name is the only information you have to tell what the policy does
ᵒ One common technique is to prefix the policy with the people who should receive it i.e.: Corp HQ Wi-Fi or Engineering Password Policy
• Remember that you can define as many policies as you like
ᵒ Policies only take effect when they are deployed to a device
• Variables can be used to create more dynamic policies
ᵒ For example, ${user.domainname}, ${user.userprincipalname}, etc.
ᵒ A complete list is available at http://docs.zenprise.com
Lock Screen Policies
• Common requirements (in order)
1. Have a passcode defined
2. Disallow simple passcodes
3. Set auto-lock time
4. Set maximum password age
5. Set maximum password length
Restriction Policies
• Can be very useful for Corporate Owned devices
• Not recommended for BYOD
• Common restrictions
1. Disable installation of apps
2. Disable camera
3. Disable iCloud
Automated Actions
• Special policies which automatically trigger actions based on data
• All automated actions require devices to re-connect to the XenMobile Device Manager
• To trigger an automated action for a blacklisted application, the application must first be blacklisted in Policies / Blacklist.
Example Automated Task
• Alerting a user when their access to email has been blocked.
Choose the trigger type
Choose the action, in this case we want to contact a user using a contact template
Finally, choose your squelching parameters for the alert
Notification Template
Notification templates are configured under the “Options” menu
You will need to have a notification server
defined for each type of notification you would like to send
Notification Templates, continued
Remember to use template variables, they come in very handy here
Other Automated Actions
• Here are a few other automated actions
• Selective wipe when a device leaves a geofence
• Warn users for any type of violation of their terms of use
• Set an out-of-compliance flag when a blacklisted app is installed
ᵒ Subsequent deployments can be based on this flag, e.g., remove wifi access when a blacklisted app is installed
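The Automated Actions, Example Automated Task and Other Automated Actions slides describe one mechanism: a trigger evaluated when a device re-connects, an action (contact the user through a template, set a flag, selective wipe) and squelching so the same alert is not repeated. The following is an added example, not Citrix code; trigger names, action names, the device check-in records, the blacklist bundle ids and the template text are all constructed, and the ${variable} syntax mirrors the template variables shown above.

```python
"""Evaluate automated actions against device check-in data, with squelching.

Added example, not Citrix/XenMobile code. Actions are evaluated when a device
re-connects; a blacklisted app only triggers if it is on the blacklist; the
user is contacted through a template with ${variable} placeholders; and a
squelch window suppresses repeat alerts. All names and records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

TEMPLATE_VAR = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def expand_template(template: str, ctx: Dict[str, str]) -> str:
    """Expand ${name} placeholders. Unknown names are left verbatim so a mistyped
    variable shows up in the sent message instead of silently becoming empty."""
    return TEMPLATE_VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), template)


@dataclass
class AutomatedAction:
    trigger: str             # "blacklisted_app" | "jailbroken" | "left_geofence"
    action: str              # "notify" | "flag_noncompliant" | "selective_wipe"
    template: str = ""       # notification text for "notify" actions
    squelch_hours: int = 24  # do not repeat the same action for a device within this window


@dataclass
class CheckIn:
    """What a device reports when it reconnects to the Device Manager (constructed)."""
    serial: str
    user: Dict[str, str]
    installed_apps: List[str]
    jailbroken: bool
    inside_geofence: bool
    hour: int                # check-in time as hours on a simple monotonic clock


# Constructed Policies / Blacklist entries (bundle identifiers are made up).
BLACKLIST = {"com.example.cloudshare", "com.example.p2pchat"}


def matches(action: AutomatedAction, dev: CheckIn) -> List[str]:
    """Return the facts that fire this action for this check-in (empty = no trigger)."""
    if action.trigger == "blacklisted_app":
        return sorted(BLACKLIST.intersection(dev.installed_apps))
    if action.trigger == "jailbroken":
        return ["jailbroken or rooted"] if dev.jailbroken else []
    if action.trigger == "left_geofence":
        return ["outside geofence"] if not dev.inside_geofence else []
    raise ValueError(f"unknown trigger {action.trigger!r}")


def run_actions(
    actions: List[AutomatedAction],
    checkins: List[CheckIn],
    last_fired: Dict[Tuple[str, str, str], int],
) -> List[Tuple[str, str, str]]:
    """Process check-ins in time order; return (serial, action, message) for each
    action that fires. `last_fired` is the squelch state and is updated in place."""
    fired: List[Tuple[str, str, str]] = []
    for dev in sorted(checkins, key=lambda c: c.hour):
        for act in actions:
            facts = matches(act, dev)
            if not facts:
                continue
            key = (dev.serial, act.trigger, act.action)
            prev = last_fired.get(key)
            if prev is not None and dev.hour - prev < act.squelch_hours:
                continue  # squelched: this condition was already acted on recently
            last_fired[key] = dev.hour
            ctx = {**dev.user, "device.serial": dev.serial, "trigger.detail": ", ".join(facts)}
            fired.append((dev.serial, act.action, expand_template(act.template, ctx)))
    return fired


ACTIONS = [
    AutomatedAction("blacklisted_app", "notify", squelch_hours=24, template=(
        "${user.username}@${user.domainname}: ${trigger.detail} is blacklisted; "
        "email access for ${device.serial} is blocked until it is removed")),
    AutomatedAction("blacklisted_app", "flag_noncompliant"),
    AutomatedAction("left_geofence", "selective_wipe", squelch_hours=0),
]

USER = {"user.username": "jdoe", "user.domainname": "corp.example"}
# Constructed check-ins: the same device twice inside the squelch window, and a
# second device that has left its geofence.
CHECKINS = [
    CheckIn("SN001", USER, ["com.example.cloudshare"], False, True, hour=10),
    CheckIn("SN001", USER, ["com.example.cloudshare"], False, True, hour=12),
    CheckIn("SN002", USER, [], False, False, hour=11),
]


def demo() -> List[Tuple[str, str, str]]:
    return run_actions(ACTIONS, CHECKINS, {})


if __name__ == "__main__":
    for serial, action, message in demo():
        print(serial, action, message)
```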
Deployments
Deployment packages are used to push policies to devices
Packages are comprised of:
• A package name
• Groups of users
• “Resources”, which are a combination of:
ᵒ A server group
ᵒ App tunnels
ᵒ Registry config.
ᵒ XML configurations
ᵒ Software inventory
ᵒ Applications
ᵒ Files
• Deployment schedule
• Deployment rules
Deployment Tips
• There are 2 schools of thought for deployment best practice
• Create multiple deployment packages with few policies
ᵒ Benefits:
• Control user’s policies and exceptions in a clear way
• Failed policies do not block other policies
ᵒ Drawback:
• Many packages to create and manage
• Create few packages with many policies
ᵒ Benefits:
• Control user’s policies en masse
• Clear groupings of policies (e.g., everyone in Asia gets Policy 1, 2 and 4.)
ᵒ Drawback:
• Failed policy blocks remaining policies in the package
• Exceptions require creating alternate packages
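When several deployment packages reach the same device, the conflict rule stated earlier applies: the more restrictive policy wins. The following added example (not Citrix code) merges the lock-screen policies from two constructed packages attribute by attribute, records which package supplied each winning value so an admin can see why a device got a setting, and then checks a device's reported lock-screen state against the result. The attribute names, package names and values are assumptions.

```python
"""Merge lock-screen (passcode) policies from several deployment packages.

Added example, not Citrix/XenMobile code. It implements the rule stated on
the slides: when deployed policies conflict, the more restrictive policy is
applied. Attribute names, package names and values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class PasscodePolicy:
    """One passcode policy inside a deployment package. None = attribute not set."""
    package: str
    require_passcode: Optional[bool] = None  # True is stricter
    disallow_simple: Optional[bool] = None   # True is stricter
    min_length: Optional[int] = None         # longer is stricter
    auto_lock_minutes: Optional[int] = None  # shorter is stricter
    max_age_days: Optional[int] = None       # shorter is stricter


# Per attribute: which of two set values is the more restrictive one.
STRICTER = {
    "require_passcode": lambda a, b: a or b,
    "disallow_simple": lambda a, b: a or b,
    "min_length": max,
    "auto_lock_minutes": min,
    "max_age_days": min,
}


def effective_policy(
    policies: Iterable[PasscodePolicy],
) -> Tuple[PasscodePolicy, Dict[str, str]]:
    """Return the merged policy plus, per attribute, the package that supplied it.

    An unset attribute never weakens a set one, and ties keep the first package
    seen, so the result does not depend on package order.
    """
    merged: Dict[str, object] = {}
    source: Dict[str, str] = {}
    for pol in policies:
        for attr, pick in STRICTER.items():
            value = getattr(pol, attr)
            if value is None:
                continue
            if attr not in merged or pick(merged[attr], value) != merged[attr]:
                merged[attr], source[attr] = value, pol.package
    return PasscodePolicy(package="effective", **merged), source


def violations(policy: PasscodePolicy, device: dict) -> Dict[str, str]:
    """Compare a device's reported lock-screen settings (a constructed inventory
    record) with the effective policy. Returns attribute -> reason for each failure."""
    out: Dict[str, str] = {}
    if policy.require_passcode and not device.get("passcode_set"):
        out["require_passcode"] = "no passcode set"
    if policy.disallow_simple and device.get("simple_passcode"):
        out["disallow_simple"] = "simple passcode in use"
    length = device.get("passcode_length", 0)
    if policy.min_length is not None and length < policy.min_length:
        out["min_length"] = f"length {length} < {policy.min_length}"
    lock = device.get("auto_lock_minutes")  # None or 0 = auto-lock disabled
    if policy.auto_lock_minutes is not None and (not lock or lock > policy.auto_lock_minutes):
        out["auto_lock_minutes"] = f"auto-lock {lock} is not within {policy.auto_lock_minutes} minutes"
    age = device.get("passcode_age_days")
    if policy.max_age_days is not None and (age is None or age > policy.max_age_days):
        out["max_age_days"] = f"passcode age {age} exceeds {policy.max_age_days} days"
    return out


# Constructed packages: a broad corporate baseline plus a stricter engineering package.
CORP = PasscodePolicy("Corp HQ Password Policy", require_passcode=True,
                      min_length=6, auto_lock_minutes=15, max_age_days=90)
ENG = PasscodePolicy("Engineering Password Policy", disallow_simple=True,
                     min_length=8, auto_lock_minutes=5)

if __name__ == "__main__":
    policy, who = effective_policy([CORP, ENG])
    for attr, pkg in who.items():
        print(f"{attr:18} = {getattr(policy, attr)!s:5} (from {pkg})")
    print(violations(policy, {"passcode_set": True, "simple_passcode": False,
                              "passcode_length": 6, "auto_lock_minutes": 10,
                              "passcode_age_days": 30}))
```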
Location Services
• A location services policy must be pushed to a device in order to track the device or use the geofencing functionality
XenMobile MDX Technologies
MDX Technologies & Mobile Application Management
[Diagram: The Mobile App Management Fabric; Worx client and MDX-managed apps, NetScaler and XNC in the DMZ, XM App Controller, XenMobile Device Manager (Enroll), StoreFront (SF), XD / XA virtual desktops and apps; optional Native Mail Encryption]
MDX Technologies
• Encrypted local storage
• Micro (app specific) VPN
• App specific lock and wipe
• Inter-app communication
• Conditional access policies
• Federated identity and SSO
App deployment – securing apps with MDX
1. Download apps from www.citrix.com
2. Prepare apps with MDX Toolkit (App Preparation Tool)
• WorxHome: SSO to all MDX apps; user support for MDX apps
• WorxMail: integrated email, contacts and calendar; designed for work
• WorxWeb: Internet and intranet browsing; supports file download
• ShareFile: all your files available anywhere; sharing integrated into other MDX apps
Distributed through the Apple App Store and Google Play
XenMobile Worx System Overview
[Diagram: NetScaler (Access Gateway), App Controller, Device Manager, ShareFile, Worx StorageZone and the XenMobile control plane; each enterprise app runs inside the MDX Framework with its own app private data vault, shares a shared data vault, uses secure IPC between apps and a secure network tunnel to gateway services; logon and policies come from the control plane]
MDX Architecture
• Managed apps
• Vault encryption
• MDX Framework provided by either:
1. Wrapping toolset
2. Directly compiled SDK
[Diagram: app one and app two, each wrapped in the MDX Framework]
MDX Fundamentals – API interception
API Interception techniques
• Direct modification of app binaries
ᵒ Redirect system services to proxy objects/methods
ᵒ Extend app lifecycle classes (Android)
• Run-time augmentation
ᵒ Objective-C class extension w/method swizzling (iOS)
ᵒ Runtime API interception for system calls & native libraries
[Diagram: the mobile app’s network, file and clipboard calls pass through policy-aware interception functions before reaching the mobile OS; Citrix mobile services provide the micro-VPN, encrypted storage and encrypted clipboard]
Core MDX Framework
• Authentication and SSO
• App access controls
• Information containment
• Secure inter-app communication
• App behavior controls
• File and database encryption
Authentication
Authentication and SSO
• Strongly authenticates users
ᵒ NetScaler Gateway is primary authentication point
ᵒ Permits combinations of AD credentials with certificates, tokens, and other second factors
• Registers devices to users
ᵒ Permits lock and wipe of corporate data/apps on selected devices
• Serves as access manager for MDX managed apps
ᵒ Strongly identifies managed apps
ᵒ Determines app entitlements and policies for authenticated users
ᵒ Brokers permitted data exchanges between managed apps
Single sign-on
Authentication and SSO
• SSO for all managed apps
ᵒ Hosted HDX apps and desktops
ᵒ Web/SaaS apps
ᵒ MDX managed mobile apps
• Various online and offline modes selected by app policy
• MDX apps can use derived credentials
ᵒ Gateway tickets for micro-VPN access
ᵒ Automatic HTTP auth challenge responses (NTLM today, Kerberos coming soon)
ᵒ Certificates for PKI protected web sites
ᵒ Specialty credentials, e.g. SAML token for ShareFile access
App Access Controls
• Block/permit app access based on policy
• User authentication (how and when)
ᵒ Online versus offline, re-authentication period, max offline time
• Device security posture
ᵒ Jail-broken or rooted
ᵒ PIN/passcode enabled
ᵒ Hardware enforced encryption
ᵒ MDM enrolled vs unmanaged
• Network state
ᵒ Internal network or external
ᵒ Specific internal wifi networks
ᵒ Wifi Only
Information Containment
• Control data exchange with other apps and devices:
ᵒ Cut/Copy/Paste
ᵒ Document exchange (Open-In)
ᵒ Inter-app communications
ᵒ Network APIs
[Diagram: Open-In target list without containment (Quick Look, Mail, Evernote, Facebook, Box, OfficeHD) versus with containment (Quick Look, OfficeHD)]
Secure inter-app communication
• Restricted – Allow only trusted apps to share data with one another
• Unrestricted – No controls, “Open In” shows all apps registered to handle that file type
• Blocked – No way to share that app’s data with anything else
[Diagram: Open-In from app one to app two through the mobile OS]
App Behavior Restrictions
• Block mobile OS API sets and features
ᵒ Printing
ᵒ iCloud
ᵒ Email and SMS compose
ᵒ Inter-app URL dispatch and scheme handlers (iOS)
ᵒ Intent launch and content providers (Android)
• Block access to sensitive device hardware
ᵒ Camera, microphone, location services, etc.
• All controls are applied at run-time based on app policies
Data security on mobile platforms
The Problem
• Mobile platforms secure persistent data in app sandboxes
ᵒ Trivially defeated by jail-breaking or rooting device
• Mobile platforms can encrypt persistent data… but there are limits
ᵒ Encryption keys are held persistently on device
ᵒ Keys are often protected by cryptographically weak PIN or passcode
ᵒ No means to destroy keys or revoke access if device is not recovered
ᵒ Encrypt app data only… not the entire device
ᵒ Enterprise sets the key management rules on an app-by-app basis
File and Database Encryption
• MDX framework intercepts/redirects file and database I/O transparently
ᵒ Apply AES 256 encryption (FIPS 140-2) algorithms on-the-fly
ᵒ No need to rewrite apps
• Two key management modes:
ᵒ Online only - Keys held in XenMobile key management service (server-side)
• Must have network access to authenticate user and recover keys when needed
• Keys are never persisted on device
ᵒ Offline - Keys maintained by Worx Home
Micro-VPN
• Network Access policies:
ᵒ Blocked: App network APIs are blocked and fail as if network is not available
ᵒ Unconstrained: App network APIs work normally
ᵒ Tunneled:
• App network APIs are tunneled through NetScaler Gateway to enterprise intranet
• Relies on Worx Home for authentication and SSO
• Tunneled setting enables Micro-VPN features
ᵒ Full power of NetScaler Gateway 10.x to configure VPN behavior
ᵒ Split-tunnel based on IP address ranges or domain suffix, or route all traffic back to intranet
ᵒ Automatically respond to HTTP auth challenges on behalf of app
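The three Network Access policy values and the split-tunnel criteria above amount to a per-destination routing decision made inside the app by the interception layer. The following is an added example, not Citrix code, that makes that decision for a hostname or IP address; the intranet CIDR ranges, the domain suffix, the resolver table and the function names are constructed. It also shows the ordering a practitioner cares about with split tunnelling on: match the domain suffix before resolving, because an intranet name usually does not resolve from outside.

```python
"""Per-destination routing decision for an MDX-managed app's network calls.

Added example, not Citrix/XenMobile code. The Blocked / Unconstrained /
Tunneled values and the split-tunnel criteria (IP address ranges or domain
suffix, or route everything back to the intranet) are the ones on the slides;
the intranet ranges, suffixes and resolver table below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class NetworkBlocked(OSError):
    """Raised for the Blocked policy: the app sees a failure as if there were no network."""


@dataclass
class NetworkAccessPolicy:
    mode: str                                                   # "Blocked" | "Unconstrained" | "Tunneled"
    split_tunnel: bool = False                                  # False: every request goes through the gateway
    intranet_ranges: List[str] = field(default_factory=list)    # CIDR strings
    intranet_suffixes: List[str] = field(default_factory=list)  # e.g. ".corp.example"


def _host_in_suffixes(host: str, suffixes: List[str]) -> bool:
    """True if host equals a suffix's bare domain or is a subdomain of it."""
    h = host.rstrip(".").lower()
    for s in suffixes:
        bare = s.rstrip(".").lower().lstrip(".")
        if h == bare or h.endswith("." + bare):
            return True
    return False


def _as_ip(text: Optional[str]) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(text) if text else None
    except ValueError:
        return None


def route(policy: NetworkAccessPolicy, host: str,
          resolve: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Return "tunnel" (via NetScaler Gateway) or "direct", or raise NetworkBlocked.

    With split tunnelling on, the domain suffix is checked before any lookup:
    resolving first would send an unresolvable intranet name direct (and leak
    the query). `resolve` is a constructed stand-in for DNS; it may return None.
    """
    if policy.mode == "Blocked":
        raise NetworkBlocked(f"network unavailable for {host}")
    if policy.mode == "Unconstrained":
        return "direct"
    if policy.mode != "Tunneled":
        raise ValueError(f"unknown network access policy {policy.mode!r}")
    if not policy.split_tunnel:
        return "tunnel"  # route all traffic back to the intranet
    if _host_in_suffixes(host, policy.intranet_suffixes):
        return "tunnel"
    ip = _as_ip(host)
    if ip is None and resolve is not None:
        ip = _as_ip(resolve(host))
    if ip is not None:
        nets = [ipaddress.ip_network(r, strict=False) for r in policy.intranet_ranges]
        if any(ip in n for n in nets):
            return "tunnel"
    return "direct"


def outcome(policy: NetworkAccessPolicy, host: str,
            resolve: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Like route(), but reports the Blocked case as "blocked" instead of raising."""
    try:
        return route(policy, host, resolve)
    except NetworkBlocked:
        return "blocked"


# Constructed policy and resolver table (RFC 1918 intranet ranges, TEST-NET address).
SPLIT = NetworkAccessPolicy("Tunneled", split_tunnel=True,
                            intranet_ranges=["10.0.0.0/8", "192.168.0.0/16"],
                            intranet_suffixes=[".corp.example"])
FULL = NetworkAccessPolicy("Tunneled", split_tunnel=False)
RESOLVER = {"www.example.com": "203.0.113.5", "files.corp.example": None}


def lookup(name: str) -> Optional[str]:
    return RESOLVER.get(name)


if __name__ == "__main__":
    for h in ["intranet.corp.example", "10.20.30.40", "www.example.com", "files.corp.example"]:
        print(f"{h:24} split={outcome(SPLIT, h, lookup):7} full={outcome(FULL, h, lookup)}")
```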
Micro-VPN Architecture (iOS)
[Diagram: network interception functions in the MDX Framework redirect the mobile app’s network requests (NSURLRequest, CFNetwork, BSD Sockets, ASIHTTPRequest) to a localhost listener; the tunneler library (networking logic, SOCKS proxy, UDP proxy, TCP proxy) carries them over an encrypted tunnel, authenticated with a session ticket, to servers on the corporate intranet; direct calls such as domain resolution bypass the proxy]
Worx-enable any mobile app
MDXSDK/FunctionRename.h
[Diagram: Worx-enabled apps are publicly distributed through the Apple App Store and Google Play with MDX controls]
Where IT finds Worx-enabled mobile apps
Using Worx Apps
• MDX file (app and policy metadata) delivered from Worx App Gallery
• App binaries sourced from public app stores
• ISVs can deliver these apps as either
ᵒ A new app designed specifically for XenMobile
ᵒ A general app store app that can activate the MDX framework/policies dynamically
[Diagram: the .mdx file comes from the Worx App Gallery and the .ipa / .apk binaries from the Apple App Store and Google Play; both arrive on the XenMobile user’s device]
Citrix Mobile App Management
• Full support for both personal and corporate usage (BYOD)
ᵒ Corporate apps and data secure even on employee-owned devices
ᵒ New consumer-driven devices supported immediately
• No risk of corporate data loss or compliance exceptions when:
ᵒ Device is lost or stolen or employee leaves organization
ᵒ Collaboration / file sharing apps used on the device
• Governance is built-in
ᵒ Policies can be updated on hundreds of apps with no requirement to change source code
• No requirement for developers to change the way they develop apps or learn mobile security standards
MDX App Vault: Secure container that enables app and data containment, wipe and lock
MDX Access: Micro-VPN tunnel to corporate resources from mobile apps along with access control policies
MDX InterApp: Control inter-app communications with external apps, cloud, clipboard & devices
[Diagram: MDX Vault – XenMobile native mobile apps with MDX policies applied during app wrapping (Deny SMS, Disable iCloud, Disable screenshots, Force authentication, Block jailbroken device); each app keeps private data in its own app private data vault alongside Citrix Receiver]
[Diagram: MDX InterApp – “Open with…” between XenMobile apps and Citrix Receiver; deny access to in-secure applications]
[Diagram: MDX Access – private data in XenMobile apps and Citrix Receiver reaching the Access Gateway over SSL in C-VPN Mode]
XenMobile: SaaS, Web, Mobile, Data
• Secure app containers
• Micro VPN
• App specific lock and wipe
• Inter-app communication
• Conditional access policies
• Secure mobile browser
• Internal web app access
• URL black/whitelists
• Mail, calendar, contacts
• Enterprise class security
• Beautiful native-like experience
WorxMail
Mail, calendar, contacts; enterprise class security; beautiful native experience; full inter-app integration; MDX-secured
• Secure email body and attachment
• “Open in” control to provide data leak protection
• No Exchange server exposure to internet
• Send email with ShareFile attachments
• Integrated calendars and Exchange GAL
Sandboxed email, calendar and contacts app
• Secure email app with great user experience
• Attach files to emails and save attachments
• Full calendar with access to free/busy
• Directly open web links to any site, including intranet sites
Secure document sharing, sync & editing
• Both cloud and on-premise data storage options
• Capable of accessing SharePoint and network drives
• “Open-in” capabilities can be restricted to other Worx-enabled apps
WorxMail – Topology
[Diagram: WorxMail on the Internet, NetScaler/Access Gateway in the DMZ, Exchange Client Access Server (CAS) on the corporate network]
1. WorxMail resolves internal FQDN
2. Traffic is tunneled inside micro VPN (SSL session)
3. NetScaler unwraps @workMail traffic and forwards it to the Exchange server
WorxWeb
Secure browser; internal web app access; full inter-app integration; consumer experience; MDX-secured
• iOS and Android device intranet web browsing
• Easy access to SharePoint, Intranet Portal etc
• Similar look/feel as native browser
• Safari on iOS; Chrome on Android
• Single sign-on via NetScaler
Secure mobile web browser
• Full-featured consumer-like browser
• Secure access to internal, external and HTML5 web apps
• URL whitelisting and blacklisting
• Access to enterprise resources
WorxWeb – Topology
[Diagram: WorxWeb on the Internet, NetScaler/Access Gateway in the DMZ, internal web server on the corporate network]
1. WorxWeb does HTTP GET/POST to internal FQDN
2. Traffic is tunneled inside micro VPN (SSL session)
3. NetScaler unwraps WorxWeb traffic and communicates with the internal web server
4. Enterprise web proxy could be NetScaler’s next hop for internet-bound traffic (split-tunnel is OFF)
5. Split-tunnel ‘ON’ sends internet traffic directly, bypassing the enterprise
Citrix Enroll, Worx Home and Receiver
Unified corporate app store
• Available on 3B+ devices
• Mobile apps native on device
• Seamless delivery of Windows, datacenter and web apps
• Any device – smartphone, tablet, PC and Mac
Multi-factor single sign-on
• Two-factor authentication for app and data access
• SSO for Windows, web, datacenter & mobile apps
Worx Home
• Platforms – iOS and Android
• Purpose – Unified single-client experience for Mobile MDX, Windows HDX and SaaS apps
• MDM-Mode or MAM-Only mode
Receiver
• Platforms – Win, Mac, iOS, Android, Web
• Purpose – Windows HDX Experience
• Used with Worx Home for HDX ICA handling
Enroll
• Platform – iOS
• Purpose – Enroll your iOS device
What is Worx Enroll
• MDM client
• Registers the device into the MDM system
• Push:
ᵒ Mobile applications
ᵒ Web and SaaS links
ᵒ HDX links
ᵒ Profiles
What is Worx Home?
• Central authentication engine providing Single Sign-On
• Contains the MDM configuration engine
Use email address or server URL to configure Worx Home
URL is the NetScaler Gateway or XenMobile App Controller server address
Once the server is found, the user is prompted for:
• Username
• Password
Worx Home screen
Shows all the applications installed on the device which includes mobile, Web/SaaS, and Windows (XenApp/XenDesktop) apps
Single store for Web/SaaS, mobile apps, and HDX applications are available
Allows custom company branding with the company logos as well as
Downloading an iOS mobile application wrapped in MDX
technology, prompts for installation, as with any other native application
This store allows the installation of mobile, web/SaaS links, and HDX applications
Applications shown in the native iOS springboard and within the My Apps screen of Worx Home
Swiping to the right or left brings you to the Support Page. This page is not only for Worx Home but any IT issue.
All versions of XenMobile come with a seat of GoToAssist
Three support options:
• Phone
• Chat
• Email
Phone support:
• Tablet – Phone number is displayed
• Smartphone – Phone number is automatically dialed
GoToAssist Chat
Chat support:
• Chat with a support desk staff on issue
• Log file automatically sent to chat support
• Pictures can be sent from the photo catalog
• If support staff not available, the chat will prompt to open a support ticket
Email support:
• A support ticket to GoToAssist or any IT support email address can be initiated
• Includes the log files from Worx Home
Email based Auto-discovery for Receiver
• If work email is entered, Receiver extracts the domain suffix – e.g. domain.com – and queries DNS for an SRV record
• If no DNS record is found, alternatives are:
ᵒ Enter server address of AG or StoreFront – e.g. https://ag.domain.com or https://StoreFront.domain.com
#CitrixSynergy #SYN203
Simple store discovery
DNS: resolve domain → identify AG FQDN → hit AG → prompt for authN → StoreFront: discover stores
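The email-based discovery flow above, written out as an added example (not Citrix Receiver code): the domain suffix is taken from the work email, an SRV record is looked up for it, the best target is chosen by priority and weight, and a typed AG or StoreFront address is accepted as the fallback only when it is an https URL. The SRV service label and the DNS answers are constructed stand-ins for a live resolver; the `lookup` parameter is where a real resolver would be plugged in.

```python
"""Email-based store discovery: domain suffix -> DNS SRV -> https gateway URL,
with a manual AG / StoreFront address as fallback.

Added example, not Citrix code. SRV_SERVICE and FAKE_DNS are constructed
assumptions standing in for the real service label and a live resolver."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Assumed SRV service label used for the lookup (constructed for the example).
SRV_SERVICE = "_citrixreceiver._tcp"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed DNS answers standing in for a live resolver.
FAKE_DNS: Dict[str, List[SrvRecord]] = {
    "_citrixreceiver._tcp.domain.com": [
        SrvRecord(priority=10, weight=50, port=443, target="ag.domain.com."),
        SrvRecord(priority=10, weight=50, port=443, target="ag2.domain.com."),
        SrvRecord(priority=20, weight=0, port=443, target="ag-backup.domain.com."),
    ],
}


def fake_lookup(name: str) -> List[SrvRecord]:
    """Resolver stub: returns the constructed records for a name, else nothing."""
    return list(FAKE_DNS.get(name.lower(), []))


_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def domain_from_email(email: str) -> Optional[str]:
    """Return the domain suffix of a work email (e.g. domain.com), or None if malformed."""
    m = _EMAIL_RE.match(email.strip())
    return m.group(1).lower() if m else None


def discover_store_url(email: str,
                       lookup: Callable[[str], List[SrvRecord]] = fake_lookup) -> Optional[str]:
    """Resolve the domain and identify the AG FQDN through the SRV record."""
    domain = domain_from_email(email)
    if domain is None:
        return None
    records = lookup(f"{SRV_SERVICE}.{domain}")
    if not records:
        return None
    # SRV selection per RFC 2782: lowest priority wins, higher weight preferred within it.
    best = sorted(records, key=lambda r: (r.priority, -r.weight))[0]
    host = best.target.rstrip(".").lower()
    port = "" if best.port == 443 else f":{best.port}"
    # Always TLS: the discovered gateway is where the user will enter AD credentials.
    return f"https://{host}{port}"


def validate_manual_url(url: str) -> Optional[str]:
    """Fallback: accept a typed AG or StoreFront address only if it is an https URL."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    port = "" if parts.port in (None, 443) else f":{parts.port}"
    return f"https://{parts.hostname}{port}"


def resolve_store(email: str, manual_url: Optional[str] = None,
                  lookup: Callable[[str], List[SrvRecord]] = fake_lookup) -> Optional[str]:
    """Discovery first; if DNS has no record, use the manually entered address."""
    found = discover_store_url(email, lookup)
    if found:
        return found
    return validate_manual_url(manual_url) if manual_url else None
```

Rejecting plain-http fallbacks matters because the address entered here is the one the user will authenticate against with AD credentials; a client that accepted http here would hand those credentials to whatever answered.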
HDX applications?
• Authenticating to Worx Home single signs on to Receiver
• User adds from Company app store
• User can launch HDX app from the My Apps within Worx or, if using MDM, a link can be added to the iOS springboard
MDM only => Worx Enroll + Worx Home
MDX only => Worx Home
MDM + MDX => Worx Enroll + Worx Home
MDM + MDX + HDX => Worx Enroll + Worx Home + Receiver
MDX + HDX => Worx Home + Receiver
App Controller Features
• iOS and Android device security controls
• Secure email to any iOS/Android device
• Secure intranet web browsing with micro VPN
• Enterprise iOS/Android app with policy controls
• Device status, remote lock, wipe and recovery
• Integrated data accessibility
[Diagram: App Controller – Standalone. Components: Worx (client), NetScaler and XNC in the DMZ, XenMobile App Controller (XM AppC), XenMobile Device Manager (XM DM) with Enroll; native mail encryption.]
[Diagram: Integrate with XA/XD – StoreFront only. Same components plus StoreFront (SF) and XenDesktop/XenApp virtual desktops and apps.]
[Diagram: Integrate with XA/XD – Web Interface only. Same components plus Web Interface (WI) and XenDesktop/XenApp virtual desktops and apps.]
[Port diagram: Internet Zone | DMZ Zone | Corporate LAN Zone, separated by firewalls.
Components: Web & SaaS Apps, Apple App Store, Google Play Store, NetScaler (NSIP, AG VIP, SNIP, LB VIP), XNC, StoreFront, XA/XD, App Controller, XM DM, DNS & NTP, Active Directory, Exchange, CIFS, SharePoint, SQL, MS CS, StorageZone Controller.
Ports labelled: 389/636 (LDAP/LDAPS); 80/443 (app specific) for Web & SaaS apps; 443, plus 80 for downloads; DNS 53; NTP 123; 2195 & 2196 (iOS only); 5223; 80/443/8443 on NetScaler; 80/443 to StoreFront and XA/XD; 443 for Form-Fill auth; 1494/2598 (ICA/CGP); 1433 (SQL); 445 (CIFS); 9080.]
App Controller Connection Modes
• Supports ‘direct’ mode access to Web/SaaS resources
• Supports integration with Citrix StoreFront/WI on Windows
• Supports remote access via NetScaler Gateway
• Supports Citrix Update Services
• Supports Account Services
• By default, App Controller mode is enabled for direct access of Web/SaaS/Mobile/Docs resources
• StoreFront mode is to integrate App Controller with XenApp & XenDesktop
• For remote access to Web/SaaS/Mobile/Docs resources from App Controller, select
App Controller Administration – Web/SaaS
Define Roles
• Roles map to AD groups
• Extracts the “memberOf” attribute
Configure Applications
• Connectors for federated access or user accounts
• Long list of built-in connectors
• Wizards for custom federated access
Federated Single Sign-on
[Diagram: Active Directory ↔ Workflow and Provisioning Engine (Sync, Master Employee List)]
1. Standard enterprise provisioning systems create user accounts on AD
2. Sync to identify user-group association
3. Create user accounts with associated privileges on external applications
• If user is disabled on AD, all external accounts can be disabled too
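The two slides above (roles derived from the memberOf attribute, and external accounts that follow the AD account's state) as one added example. This is not the App Controller provisioning engine; the directory snapshot, group names and app names are constructed. ACCOUNTDISABLE (0x2) is the standard userAccountControl bit AD sets on a disabled account.

```python
"""Role-based entitlement and external account sync against an AD snapshot.

Added example, not Citrix code. AD_USERS, ROLE_GROUPS and ROLE_APPS are
constructed; the userAccountControl flags are the documented AD values."""
from dataclasses import dataclass
from typing import Dict, List, Set

ACCOUNTDISABLE = 0x2   # userAccountControl flag set on disabled AD accounts
NORMAL_ACCOUNT = 0x200


@dataclass
class AdUser:
    sam: str
    member_of: List[str]  # group DNs as returned in the memberOf attribute
    user_account_control: int


# Constructed directory snapshot: alice is active, bob is disabled.
AD_USERS: Dict[str, AdUser] = {
    "alice": AdUser("alice", ["CN=Sales,OU=Groups,DC=domain,DC=com",
                              "CN=All Staff,OU=Groups,DC=domain,DC=com"], NORMAL_ACCOUNT),
    "bob": AdUser("bob", ["CN=Engineering,OU=Groups,DC=domain,DC=com"],
                  NORMAL_ACCOUNT | ACCOUNTDISABLE),
}

# Role definitions (constructed): role -> AD group CN, role -> entitled apps.
ROLE_GROUPS = {"sales-role": "Sales", "eng-role": "Engineering", "staff-role": "All Staff"}
ROLE_APPS = {"sales-role": {"Salesforce"}, "eng-role": {"GitHub"}, "staff-role": {"Intranet"}}


def cn_from_dn(dn: str) -> str:
    """Extract the CN from a group DN such as 'CN=Sales,OU=Groups,DC=domain,DC=com'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else ""


def roles_for(user: AdUser) -> Set[str]:
    """Roles map to AD groups: every role whose group appears in memberOf."""
    groups = {cn_from_dn(dn).lower() for dn in user.member_of}
    return {role for role, group in ROLE_GROUPS.items() if group.lower() in groups}


def entitlements_for(user: AdUser) -> Set[str]:
    """Users are entitled to apps through the roles they hold."""
    apps: Set[str] = set()
    for role in roles_for(user):
        apps |= ROLE_APPS.get(role, set())
    return apps


@dataclass
class ExternalAccount:
    app: str
    user: str
    enabled: bool = True


def sync_accounts(users: Dict[str, AdUser],
                  existing: List[ExternalAccount]) -> List[ExternalAccount]:
    """Reconcile external accounts against AD: create accounts for entitled users,
    mirror the AD enabled/disabled state, and disable (never delete, to keep the
    audit trail) accounts whose AD user is gone or no longer entitled."""
    index = {(a.app, a.user): a for a in existing}
    for sam, ad_user in users.items():
        active = not (ad_user.user_account_control & ACCOUNTDISABLE)
        for app in entitlements_for(ad_user):
            account = index.setdefault((app, sam), ExternalAccount(app, sam))
            account.enabled = active
    for (app, sam), account in index.items():
        ad_user = users.get(sam)
        if ad_user is None or app not in entitlements_for(ad_user):
            account.enabled = False
    return sorted(index.values(), key=lambda a: (a.app, a.user))
```

The reconciliation pass is deliberately one-directional: AD is the source of truth, so an account that exists on the application side without a matching entitled, enabled AD user is disabled rather than left alone.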
App Controller Role-based User Account Management
[Diagram: Active Directory ↔ App Controller (Sync, Log, Auth) → Reporting Systems, Create Users. Questions raised when creating users: What privilege on application? Any app specific security rules? Additional approvals required before creating account?]
Automatic Account Provisioning
[Diagram: Active Directory, Approvers, Workflow and Provisioning Engine, App Controller]
1. User self-service application request
2. Request triggers AppC workflows
3. Approvers get mail notifications and approve request
4. Application account gets provisioned for user
Workflow Management
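The four provisioning steps above as an added example of the workflow logic (not the App Controller workflow engine): a request notifies every named approver, the account is provisioned only once all of them have approved, and the requester is refused as an approver of their own request. Approver names, app names and the notify/provision hooks are constructed.

```python
"""Self-service request -> approver notification -> approval -> provisioning.

Added example, not Citrix code. The hooks passed to the workflow stand in for
mail notification and account creation; all names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class AccessRequest:
    req_id: int
    user: str
    app: str
    approvers: Set[str]
    approved_by: Set[str] = field(default_factory=set)
    state: str = "pending"  # pending -> provisioned, or pending -> rejected


class ProvisioningWorkflow:
    def __init__(self, notify: Callable[[str, str], None],
                 provision: Callable[[str, str], None]):
        self.notify = notify          # step 3: mail an approver
        self.provision = provision    # step 4: create the application account
        self.requests: Dict[int, AccessRequest] = {}
        self._next_id = 1

    def submit(self, user: str, app: str, approvers: Set[str]) -> int:
        """Steps 1 and 2: the user's request creates a workflow and alerts all approvers."""
        if not approvers:
            raise ValueError("at least one approver is required")
        if user in approvers:
            raise ValueError("requester may not approve their own request")
        req = AccessRequest(self._next_id, user, app, set(approvers))
        self._next_id += 1
        self.requests[req.req_id] = req
        for approver in sorted(approvers):
            self.notify(approver, f"request {req.req_id}: {user} asks for {app}")
        return req.req_id

    def _pending(self, req_id: int, approver: str) -> AccessRequest:
        req = self.requests[req_id]
        if req.state != "pending":
            raise ValueError(f"request {req_id} is already {req.state}")
        if approver not in req.approvers:
            raise PermissionError(f"{approver} is not an approver for request {req_id}")
        return req

    def approve(self, req_id: int, approver: str) -> str:
        """Record one approval; provision only once every named approver has approved."""
        req = self._pending(req_id, approver)
        req.approved_by.add(approver)
        if req.approved_by == req.approvers:
            self.provision(req.user, req.app)
            req.state = "provisioned"
        return req.state

    def reject(self, req_id: int, approver: str) -> str:
        """Any single named approver can close the request without provisioning."""
        req = self._pending(req_id, approver)
        req.state = "rejected"
        return req.state
```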
Certificate Management
• App Controller hosts:
ᵒ Server Certificate
ᵒ SAML Certificate
ᵒ Intermediate and Root CA Certificates
• Only one Server Certificate can be active
• Only one SAML Certificate can be active
Device Registration
First time logon: lightweight mobile device registration
• Worx Home silently registers device with App Controller
ᵒ Worx Home provides device unique token and selected device information
• App Controller issues unique device ID to Worx Home
• App Controller links device ID/tokens to users
ᵒ Admins can view all devices registered to users
ᵒ Devices can be locked or marked for app data wipe
ᵒ Worx Home and MDX apps poll App Controller for current lock/wipe status
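The registration and polling flow above as an added example (not the App Controller implementation): the client presents a device token plus device information, the server issues a unique device ID tied to the user, an admin can lock a device or mark it for app-data wipe, and the client polls for that status. Token handling, status names and the sample device data are constructed; the server keeps only a keyed hash of the client token.

```python
"""Device registration with lock/wipe status polling.

Added example, not Citrix code. The key, status names and device info are
constructed; a real deployment would persist the table and authenticate admins."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    device_id: str
    user: str
    token_hash: bytes       # keyed hash of the client token; the raw token is never stored
    info: Dict[str, str]
    status: str = "ok"      # ok | locked | wipe


class DeviceRegistry:
    STATUSES = ("ok", "locked", "wipe")

    def __init__(self, server_key: Optional[bytes] = None):
        # Server-side key, so a leaked device table does not yield usable tokens.
        self._key = server_key or secrets.token_bytes(32)
        self._devices: Dict[str, Device] = {}

    def _hash(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode("utf-8"), "sha256").digest()

    def register(self, user: str, device_token: str, info: Dict[str, str]) -> str:
        """Silent registration: returns the unique device ID issued to the client."""
        device_id = secrets.token_hex(16)
        self._devices[device_id] = Device(device_id, user, self._hash(device_token), dict(info))
        return device_id

    def devices_for(self, user: str) -> List[str]:
        """Admin view: all device IDs registered to a user."""
        return [d.device_id for d in self._devices.values() if d.user == user]

    def set_status(self, device_id: str, status: str) -> None:
        """Admin action: lock the device, mark it for app-data wipe, or clear the flag."""
        if status not in self.STATUSES:
            raise ValueError(f"unknown status {status!r}")
        self._devices[device_id].status = status

    def poll(self, device_id: str, device_token: str) -> Optional[str]:
        """Client poll: return the status only for a known device presenting the
        matching token; unknown IDs and wrong tokens both get None, so the endpoint
        cannot be used to enumerate registered devices."""
        device = self._devices.get(device_id)
        if device is None:
            return None
        if not hmac.compare_digest(device.token_hash, self._hash(device_token)):
            return None
        return device.status
```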
User authentication and roles
• Worx Home is the primary authenticator of users seeking access to enterprise resources for
ᵒ Managed mobile applications for Android and iOS
ᵒ SaaS/Web applications
ᵒ Hosted apps (ICA/HDX)
• App Controller roles are always linked to Active Directory users and groups
ᵒ Users are entitled to specific apps through the roles they belong to
ᵒ Deep AD integration allows for automatic provision/de-provision of SaaS accounts when AD users are removed or added
Device and app authentication
• Worx Home registers and tracks devices to users
ᵒ Permits lock and wipe of corporate data/apps on selected devices
• Worx Home also serves as access manager for MDX managed applications
ᵒ Strongly identifies applications
ᵒ Determines app entitlements and policies
ᵒ Brokers permitted data exchanges between managed apps
• MDX applications can parlay their Worx Home auth context into other credentials for single sign-on
ᵒ NTLM challenge/response (or the real AD domain, username, & password)
ᵒ User and device certificates
ᵒ Specialty tokens like ShareFile SAML token; eventually Kerberos, OAuth/OpenID, etc.
Single sign-on
• Worx Home and App Controller directly provide SSO for
ᵒ Hosted applications (ICA/HDX)
ᵒ Web/SaaS applications
• MDX applications can parlay their Worx Home authentication context into other credentials and access rights
ᵒ Gateway tickets for micro-VPN access
ᵒ NTLM challenge/response (or even the real AD domain, username, & password)
ᵒ User and device certificates
ᵒ Specialty tokens like ShareFile SAML token
ᵒ Eventually credentials for auth systems… Kerberos tokens, OAuth/OpenID, etc.
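One way to turn an authenticated Worx Home context into a short-lived credential for another system, as the gateway-ticket bullet above describes, written as an added example rather than Citrix's own ticket format. The ticket is bound to user, device, app and audience, expires, and is only minted for an app the session is entitled to; the session structure, audience names and key are constructed.

```python
"""Broker a short-lived, scoped ticket from an existing authentication context.

Added example, not Citrix code. Session fields, audiences and the key are
constructed; the ticket is base64url(JSON claims) + '.' + HMAC-SHA256."""
import base64
import hmac
import json
import time
from typing import Dict, Optional


class TicketBroker:
    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self._key = key
        self._ttl = ttl_seconds

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode("utf-8"), "sha256").hexdigest()

    def issue(self, session: Dict, app: str, audience: str,
              now: Optional[float] = None) -> Optional[str]:
        """Mint a ticket for one app and one relying party; refuse when the
        authenticated session does not entitle that app."""
        if app not in session.get("apps", ()):
            return None
        now = time.time() if now is None else now
        claims = {"sub": session["user"], "dev": session["device_id"], "app": app,
                  "aud": audience, "iat": int(now), "exp": int(now) + self._ttl}
        raw = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
        body = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
        return f"{body}.{self._sign(body)}"

    def verify(self, ticket: str, audience: str,
               now: Optional[float] = None) -> Optional[Dict]:
        """Relying-party check: signature first, then audience and expiry.
        Returns the claims, or None for anything that does not fully check out."""
        if "." not in ticket:
            return None
        body, sig = ticket.split(".", 1)
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        padded = body + "=" * (-len(body) % 4)
        try:
            claims = json.loads(base64.urlsafe_b64decode(padded))
        except (ValueError, UnicodeDecodeError):
            return None
        now = time.time() if now is None else now
        if claims.get("aud") != audience or now >= claims.get("exp", 0):
            return None
        return claims
```

Keeping the audience in the signed claims is what stops a ticket minted for the gateway from being replayed against ShareFile or another relying party, and the short TTL limits what a captured ticket is worth.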
Users Demand
• Instant file and data access from any device
• File sharing (with anyone)
• Easy and familiar (love Dropbox)
IT Wants
• Security and control: no data leakage (hate Dropbox)
ShareFile Enterprise
• Empower users with instant access to data, synced across all devices
• Improve collaboration and productivity through secure file sharing
• Meet corporate security and compliance standards with a secure service
• Deliver an enterprise-class service that meets workflow and productivity needs
• Enable IT to retain control and deliver a managed service
Workflow Integration with Microsoft Outlook
• Attachment conversion
• Unclog mail servers
• Overcome file size restrictions
• Better control and visibility
• Request large files
Plug-ins for Windows Explorer and Mac Finder integration that provide an intuitive user experience
Team Folders - File Distribution to Any Device
Latest file versions pushed to user devices
ShareFile Enables Mobile Workstyles
• Native apps for iPhone, iPad, Android phone, Android tablet, Windows phone
• Mobile-optimized ShareFile web site
• Secure online or offline access and sharing
Mobile Device Support
Mobile Site, iPhone, Android, BlackBerry, Windows 7 Phone
Built-in Mobile Content Editor
Automatically sync folder contents for offline editing
Offline editing of Microsoft Word, Excel and PowerPoint documents Mark up PDF documents with text, arrows, shapes and drawings
Restrict use of unauthorized content editing tools
Folder sync to mobile devices
Automatically sync folder contents for offline viewing/editing
• Sync occurs only over Wi-Fi by default
PDF Annotation on mobile devices
ShareFile with StorageZones
Choose where your data is stored:
• Cloud – Citrix-managed StorageZones
• On-Prem – Customer-managed StorageZones
• Existing file storage – existing network shares and ECM systems
Why StorageZones?
• Legal compliance with geographic storage requirements
• Alignment with organizational policies
• Files and folders in closer proximity to users
• File access performance optimization
ShareFile with StorageZones
[Diagram: Citrix-managed StorageZones. Control Plane (*.sharefile.com, sharefile.eu): Web Application, Reporting, Authorization DB. StorageZones: Storage Centers (EC2) with S3 backend storage, various locations worldwide. Clients, including Windows phone, connect to both.]
[Diagram: Customer-managed StorageZones. Same Control Plane; StorageZones: Storage Center (Windows IIS) with NAS backend storage in the customer datacenter.]
ShareFile StorageZone Connectors
[Diagram: ShareFile Personal Folder and ShareFile Team Folder, plus a connector from a ShareFile Team Folder to an Existing Network Share; On-Demand Sync, optimized for virtual desktops.]
ShareFile and XenMobile Integration
• Use ShareFile as the underlying data platform
• Containerize enterprise data
• Store, sync, share, edit documents
• Intelligent interoperability between MDX apps
[Diagram: MDX wrapped apps, containerized]
Receiver “Docs Tab” Retirement
• ShareFile had been integrated into Receiver via “Docs tab”
• Replaced by MDX-enabled ShareFile mobile app
Citrix XenMobile & ShareFile
• Advanced Authentication & Provisioning
• XenApp Integration
• Data protection – Encrypt, Lock & Wipe
• Policy-based Control
• Offline Access and 2-way Synchronization
• Single Sign On
Security Information
• SSAE 16 audited data centers
• SSL Encryption in transit
• AES 256-bit encryption at rest
• All uploaded files scanned for viruses
• Daily scans for McAfee SECURE accreditation