November, 2013
XenMobile 8.6 MDM Edition
Mobile Device Management
Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford
Lead Support Readiness Specialist
© 2013 Citrix | Confidential – Do Not Distribute
Ground Rules
• Introduce yourself
• Expect FULL participation!
• We will use Polls on GoToTraining
• Please raise your hand for questions or comments on GoToTraining
• Type comments and questions in Chat window
• I will check your work by making you presenter… be ready!
• I will call you by name
Objectives
At the end of this course, you will be able to:
• Module 1: Verify iOS 7 MDM Policies
  ᵒ Configure and test some of the new iOS 7 restrictions policies
• Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
  ᵒ Install XenMobile Mail Manager
  ᵒ Configure and test XenMobile Mail Manager to filter ActiveSync traffic against Exchange Server 2010
• Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
  ᵒ Configure SSL Offload on NetScaler to load balance HTTP connections to the Device Manager server
  ᵒ Verify that mobile devices (e.g. iOS/Android) can enroll successfully
Objectives
• Module 4: Integrate XenMobile Device Manager with Microsoft PKI
  ᵒ Setup Client Certificate authentication on Windows
  ᵒ Configure Client Certificate authentication with XenMobile Device Manager
  ᵒ Configure Exchange Server 2010 for Client Certificate authentication
  ᵒ Verify mobile devices can enroll and test Client Certificate authentication and access their mailbox
• Module 5: Learn Samsung KNOX and Amazon MDM Policies
  ᵒ Learn and configure new Samsung KNOX and Amazon MDM restriction policies
Assessment
There will be an assessment at the end of the course, covering the following modules:
• Module 1: Verify iOS 7 MDM Policies
• Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
• Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
• Module 4: Integrate XenMobile Device Manager with Microsoft PKI
• Module 5: Learn Samsung KNOX and Amazon MDM Policies
Module 1: Verify iOS 7 MDM Policies
iOS7 Highlights
Feature: Description
Per App VPN: Managed apps can initiate a per App VPN tunnel.
OpenIn Document Control: Restrict opening of documents in managed apps and accounts.
Enterprise SSO: Single Sign On experience for enterprise resources that require Kerberos authentication.
Silent Install/UnInstall: Only applicable to supervised iOS devices.
New Volume Purchase Program (VPP) service:
  • Workflow based VPP Registration
  • Revoke and Re-Issue VPP licenses
Auto Configure Apps: Push and auto configure iOS7 apps.
Restrictions:
  • Prevent device unlock via biometric scanning
  • Prevent document transfer via AirDrop
  • Prevent password syncing via iCloud
  • … (many others)
Prevent App UnInstall: Only applicable to supervised iOS devices.
iOS7 Policies in XenMobile 8.6
Per App VPN
OpenIn Doc. Control
Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
Introduction
The XenMobile Mail Manager (XMM) allows you to use XDM to gain dynamic access control over Exchange ActiveSync (EAS) devices.
Here are some of the features:
• Access EAS device partnership information provided by Exchange.
• Perform an EAS Wipe on a mobile device.
• Access information about Blackberry devices.
• Perform control operations such as Wipe and Password Reset.
XMM Components
The XenMobile Mail Manager (XMM) consists of three main components:
• Exchange ActiveSync (EAS) Access Control Management: Communicates with Device Manager to retrieve EAS policies from Device Manager, and then merges this policy with any locally defined policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies allow extending the policy rules to allow access control by AD Group, User, Device Type, or Device User Agent.
• Remote PowerShell Management: Responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by EAS Access Control Management.
• Mobile Service Provider: Provides a web service interface so that Device Manager can query EAS and/or Blackberry devices, and issue control operations such as Wipe against them.
System and Software Requirements
Component: Requirement
Server Software:
  • MS SQL or MS SQL Express 2008/2012
  • Microsoft .NET Framework 4.5
  • Exchange Server 2010 SP2 or higher, OR Exchange 2013
  • MS Office 365
  • Blackberry Enterprise Service v5 (optional)
Server Machine Requirements:
  • Windows Management Framework must be installed
  • PowerShell V2 supported
  • The PowerShell execution policy must be set to RemoteSigned by running “Set-ExecutionPolicy RemoteSigned” from the PowerShell command prompt.
Memory: 1 GB
HDD: NTFS-formatted with 150 MB disk space
Permissions
If you are using XMM with an onsite Exchange Server, you will need to ensure that the account XMM uses has the minimum permissions specified in the Exchange Configuration Management Console to execute the following Exchange-specific PowerShell commands:
• Get-CASMailbox
• Set-CASMailbox
• Get-Mailbox
• Get-ActiveSyncDevice
• Get-ActiveSyncDeviceStatistics
• Clear-ActiveSyncDevice
Before Installation…
Ensure that the following conditions are met:
• .NET Framework 4.5
• SQL Server (one of the following):
  ᵒ MS SQL 2008
  ᵒ MS SQL 2008 Express
  ᵒ MS SQL 2012
  ᵒ MS SQL 2012 Express
  ᵒ MS SQL 2012 Express\LocalDB
• XMM “one LDAP Per Domain” caveat
  ᵒ XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain and a sub-domain), you will need to install XMM for each domain.
Installation
Configuring XMM
You can use the XMM Configuration utility to extend the capabilities of XDM to perform the following configuration:
• Create access control rules that either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services.
• Build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation.
• Perform an EAS wipe of out-of-compliance devices.
To configure the Exchange Server
To configure the Database Properties
To configure the Mobile Service Provider (MSP)
To configure the Mobile Service Provider (MSP) hostname in Device Manager
XMM and Exchange ‘Quarantine’ Mode
• When configured in conjunction with MS Exchange ‘Quarantine’ mode, XMM allows the Exchange Admin to quarantine a user’s device until that device can be determined to be compliant.
• In Exchange quarantine mode, a user’s email inbox is blocked, but the user can still see their calendar, appointments, and contacts.
Understanding XMM Access Rules
XenMobile Mail Manager allows you to configure three types of rules:
• Default
• Local
• XDM (rules from Device Manager)
XMM Access Rules – Default Rules
Default access control rules serve as a “catch-all” rule that can be set to allow or deny a device that does not meet the criteria of either the XDM rules or local rules.
The Default Rule’s desired state may be set to Allow, Block, or Unchanged.
If “Unchanged” is selected, the effect will be that XMM will not modify the state of any devices that are not matched explicitly by a Local or XDM rule.
To configure Default access rules
XMM Access Rules – Local Rules
Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:
• ActiveSync Device Id – Uniquely identifies a specific device.
• Device Type – A set of devices, such as “iPad”, “WP8”, or “Touchdown”.
• User Agent – A set of devices identified by platform version, such as “iOS/6.1.2”.
• User – A specific user.
To configure Local rules
XMM Access Rules – XDM rules
XDM rules are defined within XenMobile Device Manager. These rules are delivered to XenMobile Mail Manager and continuously updated. XDM rules can identify devices by properties known to XDM, such as:
• Enrolled in Device Manager
• Jailbroken (iOS) or rooted (Android) devices
• Forbidden Apps are installed (blacklisted apps)
• Non-suggested apps are installed
• Unmanaged
• Out Of Compliance
• Non-Compliant Password
• Revoked status
• Inactive Device
• Anonymous status
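The three rule types above (Default, Local and XDM) combine into a single allow/block decision per EAS partnership. The following Python is an added example, not XMM's own code: it models XDM rules keyed on device states reported by Device Manager, Local rules keyed on ActiveSync Device Id, Device Type, User Agent or User, and a Default rule of Allow, Block or Unchanged, and then lists only the partnerships whose Exchange state actually has to change. The precedence XDM, then Local, then Default, the sample partnerships, and the illustrative Set-CASMailbox line are assumptions of this example (Set-CASMailbox and its ActiveSyncAllowedDeviceIDs / ActiveSyncBlockedDeviceIDs parameters are real Exchange cmdlet names; the page only lists the cmdlets).

```python
"""Toy evaluator for XenMobile Mail Manager access rules.

Added example, not XMM's own code. Precedence (XDM -> Local -> Default)
and all sample data are assumptions of this example.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    UNCHANGED = "Unchanged"


# The four properties a Local rule may match on (from the slides).
LOCAL_PROPERTIES = ("device_id", "device_type", "user_agent", "user")


@dataclass(frozen=True)
class EasDevice:
    device_id: str
    device_type: str
    user_agent: str
    user: str
    current_state: Action                 # what Exchange currently does with this partnership
    xdm_flags: frozenset = frozenset()    # device states XDM reports, e.g. {"jailbroken"}


@dataclass(frozen=True)
class LocalRule:
    property: str        # one of LOCAL_PROPERTIES
    value: str
    action: Action


@dataclass(frozen=True)
class XdmRule:
    flag: str            # e.g. "jailbroken", "unmanaged", "forbidden_apps"
    action: Action


def decide(device, xdm_rules, local_rules, default):
    """Return (desired Action, label of the rule that matched) for one device."""
    for rule in xdm_rules:
        if rule.flag in device.xdm_flags:
            return rule.action, f"XDM:{rule.flag}"
    for rule in local_rules:
        if rule.property not in LOCAL_PROPERTIES:
            raise ValueError(f"unknown local rule property {rule.property!r}")
        if getattr(device, rule.property) == rule.value:
            return rule.action, f"Local:{rule.property}={rule.value}"
    return default, "Default"


def plan_changes(devices, xdm_rules, local_rules, default):
    """Return (device_id, user, new Action, why) for every device whose Exchange
    state must change. A desired state of Unchanged, or one equal to the
    current state, produces no change (this is what the Default rule's
    "Unchanged" setting means on the slides)."""
    changes = []
    for dev in devices:
        desired, why = decide(dev, xdm_rules, local_rules, default)
        if desired is Action.UNCHANGED or desired is dev.current_state:
            continue
        changes.append((dev.device_id, dev.user, desired, why))
    return changes


def exchange_command(change):
    """Illustrative Set-CASMailbox line for one change, the kind of command the
    Remote PowerShell Management component would schedule. The @{Add=...}
    syntax appends to the mailbox's existing device-id list instead of
    overwriting it. Assumed shape, not XMM's actual command."""
    device_id, user, action, _ = change
    param = "ActiveSyncBlockedDeviceIDs" if action is Action.BLOCK else "ActiveSyncAllowedDeviceIDs"
    return f"Set-CASMailbox -Identity {user} -{param} @{{Add='{device_id}'}}"


# Constructed sample partnerships and rules (not real data).
SAMPLE_DEVICES = [
    EasDevice("Appl1", "iPhone", "iOS/7.0.3", "alice", Action.ALLOW, frozenset({"enrolled", "jailbroken"})),
    EasDevice("Appl2", "iPad", "iOS/6.1.2", "bob", Action.ALLOW, frozenset({"enrolled"})),
    EasDevice("TD0001", "Touchdown", "Android/4.3", "carol", Action.ALLOW, frozenset()),
    EasDevice("WP8001", "WP8", "WP8/8.0", "dave", Action.ALLOW, frozenset({"enrolled"})),
]
XDM_RULES = [XdmRule("jailbroken", Action.BLOCK), XdmRule("forbidden_apps", Action.BLOCK)]
LOCAL_RULES = [LocalRule("user", "dave", Action.BLOCK), LocalRule("device_type", "iPad", Action.ALLOW)]

if __name__ == "__main__":
    for default in (Action.UNCHANGED, Action.BLOCK):
        print(f"Default rule = {default.value}")
        for change in plan_changes(SAMPLE_DEVICES, XDM_RULES, LOCAL_RULES, default):
            print("  ", change[3], "->", exchange_command(change))
```

Run it and compare the two passes: with the Default rule set to Unchanged, carol's unmatched Touchdown device is left alone; with it set to Block, the same device is blocked by the catch-all.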
To configure XDM rules
Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
Pre Nike Deployment – SSL Bridge
[Diagram: NetScaler in the DMZ in SSL Bridge mode passes ports 443 and 8443 straight through to XM DM on 443 and 8443]
Nike Deployment – SSL Offload
[Diagram: NetScaler in the DMZ terminates SSL on 443 and 8443 and forwards to XM DM over HTTP on port 80]
NetScaler SSL Offload setup
[Diagram: two SSL Offload vServers on NetScaler in the DMZ in front of XDM on HTTP (80): one on HTTPS 443 with Client Cert Auth enabled, which inserts the client certificate in the HTTP header, and one on HTTPS 8443 with No Client Auth]
What’s needed?
• Two virtual servers
  ᵒ 443
  ᵒ 8443
• Bind one or more XDM services on HTTP (80)
• Steps required for the SSL Offload (HTTPS – 443) virtual server
  ᵒ Bind both the Devices and Root CA certificates on the virtual server (this is important for iOS enrollment to work!)
  ᵒ Create an SSL Policy that only gets executed when a Client Cert is detected
  ᵒ Configure NetScaler to insert the NSClientCert header (this is important for iOS enrollment to work!)
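Once SSL is offloaded, the XDM service bound on HTTP (80) never sees the TLS handshake; the only trace of the client certificate it receives is the NSClientCert header that NetScaler inserts. The following Python is an added example, not NetScaler's or XenMobile's code, showing the check a backend behind such a setup should make: accept that header only when the request arrived from the offloading NetScaler's own addresses, and strip it from any other request. The 192.0.2.0/24 range and the header value are constructed placeholders; which addresses your NetScaler SNIPs connect from is an assumption you have to fill in.

```python
"""Trust-boundary check for a client certificate passed in an HTTP header.

Added example, not NetScaler's or XDM's code. Addresses and header values
are constructed placeholders.
"""
import ipaddress

CERT_HEADER = "NSClientCert"
# Assumed: the addresses from which the NetScaler SNIPs reach the HTTP (80) service.
TRUSTED_OFFLOADERS = [ipaddress.ip_network("192.0.2.0/24")]


def _find_header(headers, name):
    """Case-insensitive header lookup; returns (actual key, value) or (None, None)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return key, value
    return None, None


def from_trusted_offloader(remote_addr, trusted=None):
    """True when the peer address belongs to one of the trusted offloader networks."""
    nets = trusted if trusted is not None else TRUSTED_OFFLOADERS
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # malformed address: never trusted
        return False
    return any(addr in net for net in nets)


def extract_client_cert(headers, remote_addr, trusted=None):
    """Return (sanitized headers, certificate header value).

    The value is returned only when the request came through a trusted
    offloader; otherwise the header is removed from the copy that is passed
    on, so nothing downstream can mistake a client-supplied header for a
    certificate that NetScaler verified."""
    clean = dict(headers)
    key, value = _find_header(clean, CERT_HEADER)
    if key is None:
        return clean, None
    if not from_trusted_offloader(remote_addr, trusted):
        del clean[key]
        return clean, None
    return clean, value


if __name__ == "__main__":
    # Constructed requests: one relayed by the NetScaler, one arriving directly.
    via_netscaler = ({"Host": "xdm.example", "NSClientCert": "MIIB-placeholder"}, "192.0.2.10")
    direct = ({"Host": "xdm.example", "nsclientcert": "MIIB-placeholder"}, "203.0.113.5")
    for headers, peer in (via_netscaler, direct):
        print(peer, "->", extract_client_cert(headers, peer))
```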
NetScaler SSL Offload patch for XDM
• Copy the a_patch_860_9998.jar file to \XenMobile Device Manager\tomcat\webapps\[instance_name]\WEB-INF\lib (on all cluster nodes, in a clustered ZDM config)
• Restart the XDM service
• Browse to http://XDMURL/instance/help-patches.jsp and confirm the patch shows up under the 'in use' column of the resulting page
Module 4: Integrate XenMobile Device Manager with Microsoft PKI
Create a Certificate Service Account
• XDM will use a certificate to authenticate its connection to the MS Certificate Authority
• The certificate used will be tied to a user, which in this case will be the service account
• This protects the XDM connection from account deletion/disabling
  ᵒ e.g. if an admin's user account were to be disabled or deleted in Active Directory when the admin leaves the company
• This account needs no special rights. A standard AD user is sufficient.
Install Microsoft Certification Services
• Sign in as the service account that will be running the CA
• Ensure the service account is a local administrator
• CA Type – Enterprise
• Configure IIS for CA installation
  ᵒ Ensure both Client Cert Mapping and IIS Client Cert Mapping are checked
CA Configuration for Client Certificate
• Create certificate for IIS https binding
• IIS Authentication mode
  ᵒ Enable Cert Based Authentication
• /CertSrv home
  ᵒ Configure SSL setting to accept Certificates
• Create a certificate for Service Account user
  ᵒ Create User Template
  ᵒ Security tab – grant Service Account user full control
  ᵒ Request SSL certificate for Service Account user
• Install requested certificate
• Export certificate and private key
Disable Windows Auth to Test CA Connection
• Uncheck Enable Integrated Windows Authentication.
• Close and relaunch your browser
• This tests the certificate that was created to authenticate with the CA
• Test on the certificate server with the service account
• You should be prompted to select a certificate
• Do not proceed with configuration until this part works
Setup XDM CA Options
Import the Users Certificate for the Service Account
Setup XDM CA Options
Service root URL – trailing “/” at the end is needed
Configure Available Templates
Click New Template and enter the name of the template you created for this.
Note: The Template name is case sensitive
Configure Available Templates
• If the wrong template is specified, the following errors are seen:
  ᵒ In the zdm.log file:
    2013-11-13 05:37:03,736 [http-nio-443-exec-7] DEBUG com.sparus.nps.pki.connector.CertSrvResponseParser [UID=28,[email protected],dev=9] - Parsed CrtSrv response, found: error=true ReqId=null Message=Your request was denied. The disposition message is: "Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: XDM User Template."
  ᵒ In the event viewer of the server running the Certificate Authority
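The zdm.log line above is the fastest place to see why the CA refused a certificate request, and the template name it echoes back is what you compare, case sensitively, against the template published on the CA. The following Python is an added example, not XDM's own parser: it reads CertSrvResponseParser lines, pulls out the error flag, request id, message and the rejected template name, and explains the denial in terms of a list of template names you supply. The CA template list is a constructed input; the log line is the one from the slide with its spacing restored.

```python
"""Reading CertSrv responses out of zdm.log.

Added example, not XDM's code. The log line is the slide's own; the CA
template list passed to diagnose() is a constructed input.
"""
import re

LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) "
    r"\[(?P<context>.*?)\] - (?P<text>.*)$"      # non-greedy: context may contain brackets
)
RESPONSE_RE = re.compile(
    r"Parsed CrtSrv response, found: error=(?P<error>true|false) "
    r"ReqId=(?P<req_id>\S+) Message=(?P<message>.*)$"
)
TEMPLATE_RE = re.compile(
    r"not supported by the Active Directory Certificate Services policy: "
    r"(?P<template>.+?)\.?\"?\s*$"
)

# The line shown on the slide, spacing restored (the [email protected] token is as it appears there).
SAMPLE_LOG = (
    "2013-11-13 05:37:03,736 [http-nio-443-exec-7] DEBUG "
    "com.sparus.nps.pki.connector.CertSrvResponseParser [UID=28,[email protected],dev=9] - "
    "Parsed CrtSrv response, found: error=true ReqId=null Message=Your request was denied. "
    'The disposition message is: "Denied by Policy Module 0x80094800, The request was for a '
    "certificate template that is not supported by the Active Directory Certificate Services "
    'policy: XDM User Template."'
)


def parse_certsrv_line(line):
    """Return a dict describing a CertSrvResponseParser line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("logger").endswith("CertSrvResponseParser"):
        return None
    r = RESPONSE_RE.search(m.group("text"))
    if not r:
        return None
    context = {}
    for item in m.group("context").split(","):      # "UID=28", "dev=9", ... (key=value items only)
        if "=" in item:
            key, _, value = item.partition("=")
            context[key.strip()] = value.strip()
    t = TEMPLATE_RE.search(r.group("message"))
    return {
        "timestamp": m.group("timestamp"),
        "uid": context.get("UID"),
        "device": context.get("dev"),
        "error": r.group("error") == "true",
        "req_id": None if r.group("req_id") == "null" else r.group("req_id"),
        "message": r.group("message"),
        "template": t.group("template") if t else None,
    }


def diagnose(line, ca_templates):
    """Explain a denial in terms of the template names published on the CA."""
    parsed = parse_certsrv_line(line)
    if parsed is None:
        return "not a CertSrv response line"
    if not parsed["error"]:
        return "request accepted (ReqId=%s)" % parsed["req_id"]
    wanted = parsed["template"]
    if wanted is None:
        return "denied for another reason: " + parsed["message"]
    if wanted in ca_templates:
        return (f"template {wanted!r} exists on the CA but was denied: check it is published "
                "for web enrollment and is a Windows 2003 type template")
    same_ignoring_case = [t for t in ca_templates if t.lower() == wanted.lower()]
    if same_ignoring_case:
        return (f"template name case mismatch: XDM sent {wanted!r}, CA publishes "
                f"{same_ignoring_case[0]!r} (names are case sensitive)")
    return f"template {wanted!r} is not published on the CA"


if __name__ == "__main__":
    print(parse_certsrv_line(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG, ["XDM user template"]))
```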
Configure Available Templates
Select the Server cert you recently uploaded. In this case, administrator-user-cert.pfx
Define a Credential Provider
Name the Provider
Issuing Entity: created in the previous step
Select SIGN and select the template you entered earlier.
Define a Credential Provider
Define key size: Must be 2048
Subject Name: $user.username
Fill in the username and UPN. The UPN is used by Exchange, for example, to determine a user's rights to a mailbox.
Determine Distribution Method
Create an iOS/Android Credential
Select credential provider and MS CA provider you created.
Caveats
• When creating a certificate template, Windows 2003 must be selected as the certificate template type.
  ᵒ This is needed as Windows 2008 templates are not exposed via web enrollment due to changes in the MS CA.
  ᵒ There is potentially a workaround by pointing to another enrollment .dll on the MS side, but that hasn't been explored.
Set CAS to Accept Certificates
Verify in the Exchange Management Console.
The Basic authentication box should be checked if you want to allow both certificate- and Windows-based authentication.
Verify AD Client Certificates is Enabled
Connect to the CAS IIS Admin console and enable Client Cert Authentication
ActiveSync configured to accept Client Cert
Ensure Windows Authentication is Enabled
Access Configuration Editor
Select system.webServer->Security->authentication->ClientCertificateMappingAuthentication
Enable CertificateMappingAuthentication
Configure iOS ActiveSync Profile
Configure iOS Deployment Package
Module 5: Learn Samsung KNOX and Amazon MDM Policies
What is Samsung KNOX?
• Dual persona approach for device, app, and data security
• Samsung markets it as the most comprehensive mobile solution for work and play
• KNOX compatible devices include:
  ᵒ Samsung S4
  ᵒ Samsung Note 3
  ᵒ Samsung Note 10.1 (2014 Edition)
XenMobile 8.6 KNOX Policies
Use Case/Policy: Description
Exchange ActiveSync for KNOX: Provision EAS profile to the container
Browser Restrictions: Disable popup, cookies, auto-fill and JavaScript
Silent App. UnInstall: Uninstalls apps that are provisioned to the container
Container Passcode: Protect apps in container using a PIN code
App. Blacklisting: B/L apps and prevent users from launching these apps
Enterprise VPN: IPSec VPN policy for apps provisioned to the container
Lock Container: Admin can lock container in case the device is lost or stolen
Unlock and Reset Passcode: Admin can unlock container and reset container passcode
Container Wipe: Admin can selectively wipe KNOX container from device
KNOX Icon on Device Home Screen
[Screenshots: KNOX is an app on the device; log in to the container; access corporate apps]
Amazon/XenMobile Integration
Feature: Description
Silent Install/Uninstall: Install and uninstall apps without user intervention
Prevent App Uninstall: Prevent the user from uninstalling apps
Device Restrictions: Prevent use of
  • Location Services
  • Factory Reset
  • Bluetooth
  • Turn Off Wi-Fi
  • App install from a non-Amazon app store
Prevent ShareFile Uninstall
Device Restrictions
Review
• Module 1: Verify iOS 7 MDM Policies
  ᵒ Configure and test some of the new iOS 7 restrictions policies
• Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
  ᵒ Install XenMobile Mail Manager
  ᵒ Configure and test XenMobile Mail Manager to filter ActiveSync traffic against Exchange Server 2010
• Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
  ᵒ Configure SSL Offload on NetScaler to load balance HTTP connections to the Device Manager server
  ᵒ Verify that mobile devices (e.g. iOS/Android) can enroll successfully
Review
• Module 4: Integrate XenMobile Device Manager with Microsoft PKI
  ᵒ Setup Client Certificate authentication on Windows
  ᵒ Configure Client Certificate authentication with XenMobile Device Manager
  ᵒ Configure Exchange Server 2010 for Client Certificate authentication
  ᵒ Verify mobile devices can enroll and test Client Certificate authentication and access their mailbox
• Module 5: Learn Samsung KNOX and Amazon MDM Policies
  ᵒ Learn and configure new Samsung KNOX and Amazon MDM restriction policies