Citrix XenMobile (8.6) revisited

Just four months after Citrix released XenMobile 8.5 they’re now on the verge of launching version 8.6 (I know, it’s hard to keep up). In this blog post I’d like to point out some of the new features and possibilities that version 8.6 will bring to the table, as announced by Citrix. At the same time I’d like to spend a minute discussing the device enrolment process when using MDM, and have a closer look at the Worx enabled apps concept as well, including the MDX technology involved, since this tends to confuse people from time to time.

The Cloud

Yes! Next to the XenMobile MDM and App editions (as of version 8.5), the Enterprise edition is now available as a cloud service as well. It offers the exact same features as its on-premises counterpart (this goes for all three editions), providing us with low(er) infrastructure costs and, as Citrix likes to call it, ‘peace of mind’. I haven’t seen any prices yet, but this is definitely another step forward. Some notes from Citrix; XenMobile cloud provides:

- AES 256 bit encryption of data at rest & in transit; SSL encryption for traffic data
- Infinite scalability on Citrix highly available, globally redundant infrastructure
- Daily backups for 1 month, plus monthly backups for a min. of 24 mos.
- Monitoring and reporting for real time troubleshooting and optimization
- Hosting facilities are both SOC1/SSAE16 and ISO27001 certified
- Regular penetration testing and vulnerability scanning
- Availability 24 hours per day, 7 days per week
- Multi tenancy with secure, dedicated instances
- 99.5 % uptime Service Level Agreements
- Automated and manual disaster recovery

iOS 7

Already (partly) supported in 8.5, but improved again. It now offers over 60 additional app level policies, including blocking copy and paste actions between secured and unsecured applications, controlling app level usage based on WiFi networks, and backward compatibility with other / older iOS versions.


To enhance overall productivity, Citrix’s GoToMeeting and Cisco’s Webex online collaboration services have been more tightly integrated into XenMobile, offering users one touch launch and join functionality built into the existing mail and calendar services. By simply touching a calendar appointment, or the ‘join meeting’ button on their mobile device, users will automatically launch and join GoToMeeting and Webex sessions, easy as that. The device will automatically dial the number associated with the meeting and enter the participant code.

Simplified authentication

Instead of using (complex) Active Directory based passwords (which is what is used in most cases) to launch applications and to access other corporate resources, it’s now possible to use a simple 4 or 5 digit PIN, including SSO capabilities. The PIN works in conjunction with a digital certificate installed on the end user’s mobile device, which holds the user’s (Active Directory) credentials. The PIN is basically used as a form of two factor authentication, complementing the certificate. When somebody leaves the company, or the device gets lost or stolen, IT can delete the digital certificate remotely, which basically renders the device useless for corporate access. Even if the PIN is known, it won’t work without the certificate. Another option would be to either remotely wipe the entire device or selectively wipe only the business related apps and data, which will probably be done anyway.
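To make the ‘PIN plus certificate’ idea a bit more concrete, here is a small Python simulation of that two factor model. This is an added illustration and not Citrix’s implementation: the function names, the PBKDF2 stretching of the PIN, the per-device salt and the HMAC based proof are all assumptions chosen for the demonstration; the ‘certificate’ is represented by a random device-bound secret. What it shows is the property described above: the PIN is only useful in combination with the device-bound secret, a wrong PIN fails, and once IT revokes the secret the correct PIN no longer gets you anywhere.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this illustration; not XenMobile's real values.
PBKDF2_ROUNDS = 100_000


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """Stretch the short PIN into a 32-byte key bound to a per-device salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(pin: str):
    """Enrol a device.

    Creates a device-bound secret (stand-in for the certificate's private key)
    and registers a verifier with the server. The verifier is an HMAC over the
    PIN-derived key, keyed with the device secret, so the server alone cannot
    brute-force the PIN from it: without the device secret the verifier is just
    an opaque value. Returns (device_record, server_record).
    """
    salt = os.urandom(16)
    cert_secret = secrets.token_bytes(32)
    pin_key = derive_pin_key(pin, salt)
    verifier = hmac.new(cert_secret, pin_key, "sha256").digest()
    device = {"salt": salt, "cert_secret": cert_secret}
    server = {"verifier": verifier}
    return device, server


def device_proof(device: dict, pin: str):
    """Device side: combine both factors into a proof for the server.

    Returns None when the certificate has been removed; the PIN on its own
    cannot produce a proof because the HMAC key is gone.
    """
    if device.get("cert_secret") is None:
        return None
    pin_key = derive_pin_key(pin, device["salt"])
    return hmac.new(device["cert_secret"], pin_key, "sha256").digest()


def server_verify(server: dict, proof) -> bool:
    """Server side: constant-time comparison against the enrolled verifier."""
    if proof is None:
        return False
    return hmac.compare_digest(proof, server["verifier"])


def revoke(device: dict) -> None:
    """IT removes the certificate remotely; the PIN alone is now useless."""
    device["cert_secret"] = None


if __name__ == "__main__":
    dev, srv = enroll("4821")            # constructed sample PIN
    print("correct PIN:", server_verify(srv, device_proof(dev, "4821")))  # True
    print("wrong PIN:  ", server_verify(srv, device_proof(dev, "1234")))  # False
    revoke(dev)
    print("after revoke, correct PIN:",
          server_verify(srv, device_proof(dev, "4821")))                  # False
```

The design point is that a 4 or 5 digit PIN is trivially small on its own, so the strength of the scheme comes entirely from binding the PIN to a secret that never leaves the device; the server never learns that secret, and deleting it (rather than changing the PIN) is what revokes access.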


Citrix also states that they’ve simplified the device enrolment process when it comes to MDM. Although I’m unable to find any more information on this, I do want to share the current enrolment process (as of version 8.5) with you, since this tends to be unclear to some people. It’s relatively simple: if you want to enrol an Android device, you download Citrix Worx Home and go from there. If you want to enrol an iOS device, you’ll need to download the Citrix Enrol app from the Apple App Store. Once enrolled, in the case of iOS, you will also need to download at least Worx Home (or push it from MDM during enrolment) to be able to connect to AppController and start using your Web, Mobile, SaaS or HTML based applications.

Now for the tricky part. Depending on how your underlying architecture is set up, you can either use Worx Home, Citrix Receiver or a combination of both to access / launch your resources, Windows applications and / or desktops included. Have a look here. It mainly depends on whether StoreFront is enabled and whether you enable or disable authentication on your AppController, as explained in the E-Docs article.

Note that although by using Worx Home you’ll be able to access Windows applications and desktops (again, depending on your setup), once launched, it will still leverage Citrix Receiver in the background to actually start the (Windows based) application(s) and / or desktop(s). You won’t have to do a thing, but of course Receiver needs to be installed for this to work. I’m just wondering, has anybody had the chance to test some of the above scenarios? Can someone confirm that Receiver is still needed? Or can Worx Home handle it all (do the actual launch), given the proper setup?

MDX and Worx enabled applications

It’s known by most that XenMobile App edition uses some sort of sandbox technology, keeping all of your business related applications and data separated from the rest of the device. They’re put in a secure vault, completely isolated. The thing most people don’t get is how they’ve accomplished this, and the way Citrix mixes up different terms and technologies only adds to the confusion. I already explained some of this in one of my previous blog posts, but this time I’ll try and throw in some more details.

For one, applications that are ‘published’ or ‘made available’ using AppController are called Worx enabled applications. They all share a set of common characteristics: they reside in a vault, automatically separating them from any personal apps and / or data that might reside on the same device; they can only communicate with other apps in the vault, and only if we want and allow them to. We also have micro VPNs, in combination with Citrix NetScaler, that we can use to set up a secure connection between the endpoint device and the application running in the datacenter. Worx enabled applications also enable us to manage each application on an individual basis, giving IT total control and flexibility.

So how do these applications get Worx enabled? This is done by applying a technology called MDX, which stands for Mobile Device Experience. All applications, before they get provisioned using AppController, need to get the MDX bits and bytes applied, making them Worx enabled. They all need to be ‘wrapped’, as Citrix likes to call it, adding an MDX layer on top of each application that gives the application the shared characteristics mentioned earlier. These characteristics, in turn, have separate names as well: MDX App Vault, MDX Access and MDX InterApp, see below. Citrix developed a special Worx App SDK which can be used to ‘wrap’ your mobile applications, applying the specific MDX bits and bytes.

A word from Citrix: It (the SDK) leverages the Citrix MDX app container technology to add in features like data encryption, password authentication, secure lock and wipe, interapp policies and micro VPNs to mobile apps (all configurable per application). The MDX library can be embedded into any app with a single line of code. Developers can also opt to wrap their apps post-development without adding any code to their app. Here’s a link to Citrix’s SDK page. I hope this gives you a general idea of how this is done. Just remember that a Worx enabled application is ‘wrapped’ with the MDX technology, adding in all of the above capabilities.

The Citrix ready Worx program

Next to the mobile Worx enabled application suite developed by Citrix (consisting of Worx Enroll, Home, Web, Mail and ShareFile, available separately and offered as part of the XenMobile App and Enterprise editions; more information can be found here), a whole bunch (over 65 already) of other software vendors, including big names like Adobe, IBM and Cisco (yes, they do software as well :-)), have also shown their support for the Worx program and have committed to join the community by making their mobile applications Worx enabled, giving them the exact same capabilities and shared characteristics mentioned above. A quote from Citrix: ‘Citrix introduced the Citrix Ready Worx Verified program to make it simple for ISVs, System Integrators and enterprise developers to extend enterprise-grade management and security in any existing mobile application’.

Worx App Gallery

Customers are now able to download (some apps are free of charge, others are not) a broad array of fully secure and enterprise ready Worx enabled mobile applications from the new Citrix Worx App Gallery. Over 65 (and the number is still growing) leading mobile app vendors have already announced their support for the Citrix Ready Worx Verified program. Have a look here for an overview of participating vendors.

Loose ends

To wrap things up… XenMobile now also supports Amazon Kindle Fire, OS 7 and the Samsung KNOX management APIs; have a look at this post from Jack Madden for some more info on this. Some other enhancements include simplified enrolment (highlighted earlier) and easier setup and configuration of XenMobile in general, including (easier) management of multiple locations within the MDM user console. Unfortunately, for now anyway, there’s not a lot more I can tell or show you.

Bas van Kaam ©

Reference materials used: and the Citrix E-Docs website.


14 thoughts on “Citrix XenMobile (8.6) revisited”

  1. Hi Bas,

    I didn’t test the new release, but should the App Controller and the MDM still be installed on different servers? And can you share some installation challenges, as I am planning to do a POC next week.


    1. Hi Mustafa,

      I corrected Das into Bas :-)

      I would recommend following the best practices from the Citrix E-Docs website:

      There are also many additional components available (that come with MDM, for example) which might impact your final design; give it a good read and you’ll be fine! Very educational as well. As far as POC / test lab environments go, I would recommend keeping it as simple as possible and trying to virtualize and consolidate ‘roles’ where you can: MDM server, AppController, a VPX NetScaler perhaps, etc…

      Fortunately I was lucky enough in that I could use one of Citrix’s demo environments.
      Good luck and let me know how it worked out.



  2. Hello Bas,

    As below, from the Citrix E-Docs site: what if we want to have App Controller(s) at another site in the event that the existing site becomes unavailable? What do you think?

    Configuring High Availability:
    Assign IP addresses from the same subnet to each VM in the pair.


    1. Hi Mustafa,

      I’m a bit late, sorry :-)

      My first thought is, if your primary site becomes unavailable, you’ll probably need to set up, restore and or rebuild a whole lot of other stuff as well, or isn’t that what you mean? Anyway, AppController will still need AD, DNS etc. to function properly, but if you’ve got that part covered, then there are options.

      They need to be in the same subnet to be able to communicate. Perhaps it is possible to implement a stretched VLAN (each VLAN has its own subnet) between the two sites? That should work. Of course the connection between the sites needs to be reliable as well. Configuring it this way means it will fail over automatically. You could also set up and configure a cold standby AppController, but this will need manual intervention when things go wrong, and AppControllers are tricky. I don’t know all the ins and outs myself. This probably isn’t the best way to go. Have a look here as well:

      Using AppController snapshots you can easily restore your configuration settings if it, for whatever reason, goes down, or if you want to rebuild it. Of course you could also use snapshots in combination with the above. Hope this helps, at least a little. Let me know what you think.



  3. Thanks Bas,

    Very helpful; the best choice is the snapshot. I am running a POC but it’s not easy, many steps: I need to wrap any application if I want to add it to the App Controller, even Worx Mail, and I need to have two wildcard certificates, an Apple account ……

  4. Bas,
    I must say you have a very informative site. There are some questions about HA configuration with Citrix 8.6. I am working on upgrading 8.5 to 8.6, but Citrix tells me that it is not possible to set up HA in the cloud. Are you familiar with that? Of course we would like to have redundancy.
    Bart Deege

    1. Hi Bart,

      Thank you, that’s always nice to hear! Well… If Citrix says so :-) Have you spoken to one of Citrix’s (sales) representatives? I think it might have something to do with this, perhaps you’ve seen it already?

      They don’t want you stealing their thunder :-) The document does state that it is possible to connect your cloud edition to your private data centre, but it doesn’t mention HA or something similar. But then again, if you look at the numbers they are offering, who needs HA? They do all the work for you. Perhaps this is something you can discuss with Citrix? Maybe there’s something in between we don’t know about. Technically it should be possible.

      Have you considered one of the other options I mentioned in one of my earlier comments? Anyway, I hope you can work something out, let me know what you think and please keep me posted, interesting stuff!



  5. Hi Bas,

    Wonderful article. I have the below queries on the XenMobile Cloud model.

    One of our customers has Citrix VDI implemented in his environment. This is a full fledged Citrix infra with NSAGW and CB. The customer is now looking at the XenMobile cloud model only, as the cost works for him, but he wants to have NetScaler on prem for more security since they are in financial services, and this has also been approved by Citrix SEs and architects.

    1) How would the data flow be? I mean, how does NetScaler on prem integrate with the cloud?
    2) Will there be a NetScaler in the cloud too?
    3) The Citrix team in India says technically this works, but the cloud team in the US says this is not supported as of now, since the cloud team cannot manage the NetScaler on prem or they will not have control.
    4) When Exchange is on prem, how does Worx Mail work in the cloud model? I mean, when a user receives a new mail, how does the device get authenticated, and once the device is authenticated, how would the data flow be? The customer’s main concern is about his data travelling out of India or to the cloud.

    Kindly help me in getting these clarified. Please bear with me as I am new to XenMobile.

    1. Hi Sandeep,

      I would advise you to contact Citrix support or one of your Citrix (sales) representatives; they should be able to answer all your questions in great detail.

      To start, yes, you can use a NetScaler either on prem or in the cloud, but you’ll have to manage it yourself. Of course this will also influence data flow etc.

      See this doc as well, it will answer some of your questions:

      As far as data flow goes, I could probably point you in the right direction, but I can’t guarantee anything, which is why I don’t feel comfortable doing so. Again, I advise you to contact Citrix directly. Their engineers / sales department should be able to help too. A lot will depend on your current infrastructure as well.

      Hope this helps, a little.

      Have a good weekend.



  6. Hi Bas,

    Thanks a lot for the reply. Some of my concerns got cleared, but I am not really clear about the data flow. It is fine if you can give me some input here to get a basic idea; I am trying to understand how exactly this whole process works before I start implementing. So it is fine without any guarantee also.


    1. Sandeep,

      Have a look at both these links:

      Your NetScaler / CloudBridge will be your entry point for both your internal network (on premises) as well as the Citrix XenMobile Cloud. XenMobile MDM will take care of the initial device registration (enrolment) and user authentication, since it will have an integration with your AD. Once registered, your device will receive its policies, (MDX enabled) mobile and SaaS apps etc., in combination with AppController if configured as part of the Enterprise Edition, which you’ll need when using Worx Mail.

      From there on, when your device checks in with MDM, compliance is checked (zero-touch updates) and applications can be enumerated, and users authenticated, through AppController and / or StoreFront depending on your configuration, in combination with your AD for authentication of course.

      If Exchange is on premises, then that’s where mail will be delivered. You’ll only use Worx Mail to contact your Exchange server to read, write, send, delete, etc. e-mail, using micro VPNs by the way. As far as I know, mail won’t leave the (on premises) data center. Worx Mail will only contact your back-end XenMobile infrastructure to check on policy changes, for example. Check this link:

      Mail will also reside on the mobile device itself, in a secure MDX Vault, or container, but can be remotely wiped at any time.

      This will have to do for now. If you want more advice / support, I’m available but it’s gonna cost you ;-)

      Keep me posted.

      Good luck.



  7. As for the NetScaler VPX appliance to securely publish the MDM, should I use one interface in the DMZ, or should I use a two vNIC NetScaler which goes to the DMZ and the internal LAN (insecure)?
