Ever since Citrix acquired Zenprise and officially launched Citrix XenMobile it has been under constant development. Not too long ago Citrix announced version 8.6.1 (adding in PIN based authentication, multi domain and Site support, single join functionality and more) and I’m sure it won’t be long before we’ll see another version increment. BYOD has always been a hard concept to ‘get’ and manage and over the past few years (it’s still relatively new) we’ve seen multiple vendors offer their ‘solution’ to take on the challenge. Since Citrix XenMobile is still considered as one of the leading parties, and probably will be for years to come, I thought it would be a good idea to sum up some of its most important features.
I’m not going to discuss and compare different vendors, solutions or the various XenMobile editions available. I assume that you’re already up to speed with the BYOD concept in general including some of the management capabilities that XenMobile has to offer and those of some of the other vendors as well. Not all features mentioned are completely new but since they do complement the XenMobile suite as a whole, I’ll highlight them anyway. Also, some features might be thought of as more important than others, but since this can, and probably will, differ per company I’ll list them in random order.
Manage your mobile devices
I know, an obvious one, but still. Citrix XenMobile allows IT to securely and remotely manage all of your mobile devices, either privately or corporately owned. It will allow your users to access Windows desktops, SaaS, mobile and web apps from a unified (secure) enterprise app store. Once a device is ‘enrolled’ it’s (almost) completely controllable by your IT department. But don’t worry, if it’s a BYOD type scenario, IT will only manage the business part of your device. Your private applications and/or data will be left alone since both sides, private and business, won’t be able to communicate anyway, unless you want them to.
As of version 8.6.1 the Mobile Device Management (MDM) server supports SSL Offloading through Citrix NetScaler. Because of this it can now be placed on your secure, internal network. No more insecure DMZ deployments, something not all other vendors can offer. Of course you’ll need a Citrix NetScaler for this, but you’ll probably have that in place anyway. Don’t take this one lightly, it’s a great addition!
The device enrolment process
Before any of your devices can be managed, or applications can be ‘pushed’, a device needs to enrol and ‘get known’ by the MDM server. You’ll only need one app for this, it’s called Worx Home and is free for download from the various app stores. After launching Worx Home you follow a simple installation / registration wizard completing the enrolment process. Once your device is ‘known’ all communication between the device and the various backend systems will flow through the Worx Home app from then on.
Additional collaboration support
As most of you probably know, Citrix XenMobile has integrated support for various GoTo products including Citrix ShareFile (it’s part of the family as well). As of version 8.6.1 overall app handling has once again been improved. A new feature called Fast join enables users to automatically launch and join GoToMeeting and WebEx sessions directly from their calendar. Another feature named Fast dial allows conference bridge numbers and participant IDs to be auto-dialled and entered, as stated by Citrix. It also supports one-click live support leveraging GoToAssist, it’s fully integrated into XenMobile and offers (almost instant) service desk and remote support capabilities on the user’s mobile device.
Not too long ago Citrix acquired a company called Framehawk, see the press release here. Although Framehawk offers a similar concept to XenMobile, Citrix is more interested in their Framehawk Lightweight Framebuffer Protocol (LFP), a technology developed and patented by Framehawk. It’s inspired by their experiences working in spacecraft communications at NASA and enables a reliable, secure, high-performance communication channel between the mobile device and the Framehawk back-end systems. It’s specifically designed to excel on low-bandwidth networks such as 3G or less. Citrix will probably blend this (and other Framehawk related) technology into their flagship products like XenApp, XenDesktop and of course XenMobile not too long from now.
Free MDM and 20% off
A few weeks ago Citrix announced their, limited, Mobility Promotion program. It runs from the 31st of January to September 30th, 2014. Quoted: Citrix offers new or existing XenApp or XenDesktop Platinum customers with perpetual licenses current on Subscription Advantage (SA) the ability to receive FREE XenMobile MDM edition licenses or get 20% off XenMobile Enterprise licenses with the purchase of first year Software Maintenance for all licenses obtained via this promotion. Nice right?!
By using XenMobile in combination with Citrix XenDesktop 7.x or XenApp 7.5 IT is now able to mobilize standard Windows based applications. Windows applications, by default, don’t support any of the mobile functions like pop-up keyboards, swipe like functionality or other touch orientated options. Using the Citrix Worx App SDK, this functionality can be added to ‘normal’ Windows applications enhancing the overall user experience. This one isn’t new but definitely worth a mention.
Multiple vendor support
Not ‘just’ iOS and/or Android, like a lot of other vendors do, Citrix XenMobile also offers (limited in some cases) support for Windows, Kindle, Symbian, Samsung KNOX and SAFE and BlackBerry phones as well, making it one of the most flexible platforms on the market today. I realize that support might be limited for some of the device types mentioned, but at least they’re all there!
Simple if you know how!
At Qwise we are also seeing an increased demand for EMM solutions and XenMobile in particular. About two months ago we started our own Citrix XenMobile on tour campaign (it’s in Dutch) and as a result our Pre-Sales team is (almost) fully booked on a daily basis, giving demos and advising (potential) customers in their need for secure mobile management. The same goes for XenDesktop 7.x as well. By now we’ve already done multiple successful implementations and the agenda is filling up quickly! Would you like to know more? Please contact us at email@example.com
Cloud based deployments
XenMobile is available in three editions, MDM, APP and Enterprise. All three editions can be deployed, installed and configured on-premises as well as in the cloud. Citrix offers various cloud packages including a 99.95% uptime SLA, daily, monthly backups with a retention time of respectively one month up to a year, full redundancy and HA built-in, SSL data encryption and a lot more. If you go with one of the Citrix cloud offerings Citrix will take care of all the technology involved, you won’t have to build a thing and all weekly / monthly maintenance will be outsourced as well, providing peace of mind, as Citrix likes to call it. Since XenMobile can be tricky to set up, this could prove to be a (very) smart move.
Since Apple iPhones are among the most popular devices out there, Citrix, as of version 8.6 and beyond, has already implemented various iOS7 (their latest OS) specific enhancements and will continue to do so in the coming months. A few examples: extended battery life for iOS7 devices, over 60 additional app level policies, including blocking copy and paste actions between secured and unsecured applications, control app level usage based on WiFi networks and backward compatibility with other / older iOS versions and some MDX toolkit specific files have been added for wrapping.
Simplified (PIN based) authentication
I copied this in from one of my previous articles on XenMobile: Instead of using Active Directory (which is used in most cases) based (complex) passwords to launch applications and to access other corporate resources, it’s now possible to use a simple 4 or 5 digit PIN number, including SSO capabilities. The PIN works in conjunction with a digital certificate installed on the end user’s mobile device which holds the user’s (Active Directory) credentials. The PIN number is basically used as a form of two factor authentication, complementing the certificate. When somebody leaves the company, or the device gets lost or stolen, IT can delete the digital certificate remotely, which basically leaves the device useless. Even if the PIN number is known it won’t work without the certificate. Another option would be to either remotely wipe the entire device or selectively wipe only the business related apps and data, which will probably be done anyway.
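The PIN-plus-certificate flow described above, as a simplified model added here (not Citrix code and not how XenMobile implements it): a random device key stands in for the certificate, and `AuthServer`, `MAX_PIN_FAILURES` and the sample values are hypothetical. It shows that a known PIN is useless without the enrolled credential or after that credential is revoked, and that a short PIN needs an attempt limit.

```python
import hashlib, hmac, secrets

MAX_PIN_FAILURES = 5  # assumed lockout threshold, not a XenMobile setting

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical server: one record per enrolled device credential."""
    def __init__(self):
        self.records = {}  # device_id -> {"key", "salt", "pin", "failures"}

    def enroll(self, device_id: str, pin: str) -> bytes:
        key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
        self.records[device_id] = {"key": key, "salt": salt,
                                   "pin": pin_hash(pin, salt), "failures": 0}
        return key  # installed on the device; stands in for the certificate

    def revoke(self, device_id: str) -> None:
        self.records.pop(device_id, None)  # IT deletes the credential remotely

    def authenticate(self, device_id: str, device_key: bytes, pin: str) -> str:
        rec = self.records.get(device_id)
        if rec is None:
            return "denied: no valid credential"
        # Factor 1, possession: the device answers a fresh challenge with its key.
        challenge = secrets.token_bytes(16)
        proof = hmac.new(device_key, challenge, hashlib.sha256).digest()
        expected = hmac.new(rec["key"], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):
            return "denied: no valid credential"
        # Factor 2, knowledge: a 4 or 5 digit PIN is only safe with an attempt limit.
        if rec["failures"] >= MAX_PIN_FAILURES:
            return "denied: locked"
        if not hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin"]):
            rec["failures"] += 1
            return "denied: wrong PIN"
        rec["failures"] = 0
        return "granted"

def demo() -> list:
    server = AuthServer()
    key = server.enroll("phone-1", "4821")  # constructed sample values
    results = [server.authenticate("phone-1", key, "4821"),
               server.authenticate("phone-1", secrets.token_bytes(32), "4821")]
    server.revoke("phone-1")  # device lost or user left the company
    results.append(server.authenticate("phone-1", key, "4821"))
    return results

if __name__ == "__main__":
    print(demo())
```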
StoreFront, the App Store and application aggregation
XenMobile and StoreFront go hand in hand, one complementing the other. Using StoreFront in combination with the XenMobile AppController (part of the App edition) offers the possibility to aggregate applications and/or desktops from XenApp, XenDesktop and the AppController all into one central store. However, it isn’t a necessity, AppController also has its own App Store(s) from which mobile, web and SaaS applications can be accessed, no Windows apps and/or desktops though.
Secure (MDX) sandboxed applications
All applications that are ‘published’ or ‘made available’ using AppController first need to be ‘wrapped’ using the Worx App SDK. This will add a so-called MDX (Mobile Device Experience) layer to each application. Worx enabled applications, that’s what they’re called, all share a common set of characteristics which are configurable and controllable by IT. For example, once an app is ‘wrapped’ and then published, it will reside in a (MDX) vault, on the mobile device, automatically separating it from any personal apps and/or data that might reside on the same device. Wrapped applications can only communicate with other apps residing in the same vault, but only if we want and allow them to. Besides the vault, some of the other MDX techniques that can be applied and controlled by IT are MDX Interapp and MDX Access.
Remote secure Micro VPN connections
MDX Micro VPNs, in combination with Citrix NetScaler, enable us to set up a secure, one to one, connection between the (mobile) endpoint device and the mobile, web or SaaS application running in the datacenter, completely secure as opposed to a full VPN which is still used by some other vendors. This is another feature made possible by the MDX (wrapped) technology mentioned above, MDX Access to be precise.
Multi domain & Site support
Before these features were added you had to have a separate AppController for each domain / Site you wanted to service. With multi domain support now built in, primarily used for geographically separated locations, this is no longer necessary. One AppController with multiple Stores can service multiple domains. Have a look here, this is how you had to configure it before, pretty complex right? Multi Site support lets you set up global load balancing configurations, using the earlier mentioned geographically spread locations for example. Both features have been added with the 8.6 release a few months ago.
Secure web and mail apps
As part of the XenMobile Enterprise or App edition Citrix offers its own Worx enabled application suite. These apps also can (and need to) be wrapped with the MDX bits and bytes mentioned earlier. It consists of Worx Home, Web, Mail, ShareFile and the GoTo app family. They are, just like any other MDX or Worx enabled app, configured and managed from the AppController and depending on the edition you buy you get four (App edition) or five (Enterprise edition) applications to start with.
Worx Mail is a native iOS and Android e-mail, calendar and contacts app. It leverages the security features added by MDX and it’s 100% compatible with Microsoft Exchange as well as ActiveSync. When configured as your default e-mail client, all mail, including any attachments and/or documents, will be securely handled within the MDX vault, not being able to communicate with applications outside of the vault.
Worx Web is a native iOS and Android compatible web browser powered by the MDX technology and as such also resides in the MDX vault, completely separated from all other personal apps and data. When you click on a hyperlink, received through Worx Mail, or from a document opened by ShareFile for example, it will leverage Worx Web since they both reside within the same vault.
Enterprise Mobility Management (EMM) is, and is going to be, huge in the near future. More and more companies are interested in offering their employees a way to either use their privately owned mobile devices, or to offer some sort of company standard, from where they can login and use their corporate desktops, applications and data in a secure manner. I’m aware that XenMobile isn’t the only all in one solution out there, there might even be better, cheaper or simpler solutions available, but it’s (at least) worth considering :-) Not too long from now I’ll be looking into Mobile Iron as well, which might be a good time to compare the two, the same applies to Windows InTune and Airwatch, if I can find the time.
Bas van Kaam ©
Reference materials used: Citrix.com Google.com and the E-Docs website.