As most of you probably know, one of the main components that makes up Citrix XenMobile App edition is the App Controller. It provides us with our Mobile, Web and SaaS applications including any HTML5 based applications and web links. Applications first need to be signed, then wrapped, adding in the MDX binaries, before being uploaded to App Controller and assigned to your users, a process I’ll describe in more detail in one of my upcoming articles. During this blog I’d like to zoom in on the integration of StoreFront and highlight some of the options we have when it comes to using Worx Home and/or Citrix Receiver in contacting either StoreFront, App Controller or both. I’ll show you how we can launch, not only our Mobile, Web and SaaS apps, but Windows based desktops and applications as well, without using both platforms individually.
Some fundamentals first. When using XenMobile MDM, either stand-alone or as part of the Enterprise edition, mobile devices first need to be enrolled using Worx Home before they can be remotely managed. Worx Home can be downloaded, free of charge, from the Apple or Google Play App store. Once enrolled, Worx Home will handle all communications between the mobile device and the MDM server.
By default, it does the same for App Controller. Once Worx Home is installed and after user authentication has taken place, either through device enrolment by means of MDM, NetScaler, StoreFront or by communicating directly with the App Controller, it will ‘enumerate’ the App Controller’s App Store and display all mobile, web and SaaS applications and any related (ShareFile) data resources available to the user, depending on the user’s permissions. It will also include any configured policies that may apply to that specific user and/or device. Of course there’s a bit more to Worx Home than just device enrolment or app enumeration, but for now, this is all you need to know. I’ll address Worx Home as well as Receiver in some more detail as we progress.
Note: Worx Home can only be installed on a mobile device and is designed to only communicate with App Controller and/or the MDM server, not StoreFront; you’ll use Citrix (native or web) Receiver for that, see the above overview. It applies to both internal as well as external application access, just imagine the firewall and NetScaler to be there as well.
After applications are signed, wrapped and uploaded to App Controller they need to be configured and eventually assigned to users. Once the administrator assigns the applications, they will appear within the App Controller’s App Store, which is also referred to as the Receiver or Worx Home App Store, waiting for users to select them, a.k.a. application subscription. A concept you might be familiar with if you’ve ever used or configured Citrix StoreFront, it uses a similar concept. It will hold and show all applications assigned and available to the user.
Just as with App Controller, StoreFront lets you create your own private App-Stores. Its Store Service takes care of the application enumeration / aggregation process, and it can query different content providers like the XML (broker) service for XenDesktop and XenApp resources as well as App Controller for access to ShareFile data, web, SaaS and mobile applications. Note that you’ll need to configure a trust between these two components for this to work, this is initiated from the App Controller; I’ll show you how it’s done in one of the following sections. Long story short, this is what happens when StoreFront queries App Controller for its resources.
Once a user connects to StoreFront using Citrix Receiver:
1. StoreFront sends a request message to App Controller
2. In the response to the request, App Controller sends the list of enterprise web applications and SaaS applications that are managed by App Controller
3. As part of the request, StoreFront includes the user identifier (user ID or network ID) of the user who started Receiver
4. When App Controller receives the request data along with a user ID, App Controller returns the list of applications that are applicable to the role of the user as defined in App Controller
5. If the user is not assigned to a specific role and is part of the All Users role, the applications that are not assigned to any role appear for that user.
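An added example (not from the original post, and not Citrix code): a simplified Python model of the enumeration exchange above, combined with the trust that is configured from App Controller. The class and function names, the FQDN comparison used as the trust check, the sample users and apps, and the choice to withhold unassigned apps from users who do have a specific role are all assumptions of this model.

```python
from dataclasses import dataclass, field

ALL_USERS = "All Users"  # role name as used on the page


@dataclass(frozen=True)
class App:
    name: str
    roles: frozenset = frozenset()  # empty set = not assigned to any role


@dataclass
class AppControllerModel:
    """Toy stand-in for App Controller's side of the exchange (hypothetical)."""
    allow_storefront_aggregation: bool  # models the 'Allow StoreFront to aggregate' switch
    storefront_fqdn: str                # the StoreFront FQDN the administrator entered
    user_roles: dict = field(default_factory=dict)  # user ID -> set of role names
    apps: list = field(default_factory=list)

    def enumerate_for_storefront(self, caller_fqdn: str, user_id: str) -> list:
        # Trust gate: answer only when aggregation is enabled and the caller
        # is the configured StoreFront. A plain FQDN comparison is an
        # assumption standing in for the product's real trust mechanism.
        if not self.allow_storefront_aggregation:
            raise PermissionError("StoreFront aggregation is not enabled")
        if _norm(caller_fqdn) != _norm(self.storefront_fqdn):
            raise PermissionError(f"{caller_fqdn} is not the trusted StoreFront")

        # Deny by default: a user ID that App Controller does not know gets nothing.
        if user_id not in self.user_roles:
            return []

        specific = set(self.user_roles[user_id]) - {ALL_USERS}
        visible = []
        for app in self.apps:
            if app.roles:
                # Step 4: apps applicable to one of the user's roles.
                if app.roles & specific:
                    visible.append(app.name)
            elif not specific:
                # Step 5: apps without a role appear for users who are only
                # in All Users. The page is silent on users with a specific
                # role; this model withholds unassigned apps from them.
                visible.append(app.name)
        return visible


def _norm(fqdn: str) -> str:
    """Case-insensitive FQDN comparison, ignoring a trailing dot."""
    return fqdn.strip().rstrip(".").lower()


def build_demo(aggregation_enabled: bool = True) -> AppControllerModel:
    """Constructed sample data; none of these names come from the page."""
    return AppControllerModel(
        allow_storefront_aggregation=aggregation_enabled,
        storefront_fqdn="storefront.example.test",
        user_roles={"alice": {"Sales"}, "bob": {ALL_USERS}},
        apps=[
            App("CRM", frozenset({"Sales"})),
            App("HR Portal", frozenset({"HR"})),
            App("Intranet"),  # not assigned to any role
        ],
    )


if __name__ == "__main__":
    ac = build_demo()
    for user in ("alice", "bob", "mallory"):
        print(user, ac.enumerate_for_storefront("storefront.example.test", user))
```
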
I got this from the E-Docs website: “If users connect with Receiver on a Windows or Mac computer, MDX apps are not available to users” I wonder, does this mean that mobile applications will be available if you connect from a mobile device with Receiver installed?
From there (the App Store) users can easily self-select, or subscribe to, (using Receiver, not Worx Home) their applications from the corporate approved list, or App Store, and access these apps as they roam between devices.
When StoreFront is used as the primary interface to access our Applications, which might include Web, SaaS, HTML5 as well as mobile apps, instead of App Controller, it also looks after the application launch process. In the case of XenDesktop or XenApp resources this happens like we are used to with Web interface; through information obtained via the XML Broker service an ICA file is created and forwarded to the Receiver on the client device. Internal users connect directly, external users through a NetScaler Gateway, or a similar solution. However, some resources managed by AppController are launched differently as discussed during the next section.
When users authenticate at StoreFront, the StoreFront authentication service will forward the user’s credentials to other components like App Controller, creating a single sign-on experience. AppController lets you configure SSO on a per application basis.
Note: SSO isn’t available for every application by default, this will differ per application.
Application launch process – StoreFront → App Controller
When a launch request is received from StoreFront, AppController will first verify that there is a valid credential mapping for the user / app pair in question, assuming there is, AppController authenticates the user using the information forwarded by the StoreFront authentication service mentioned earlier. This way providing a SSO experience to the user, although it still needs to be configured at application level as well.
Internal web, web links and SaaS apps, when launched, will, or can, leverage Worx Web, and thus MDX, so communications will be secured using Micro VPN’s, assuming a NetScaler is part of your configuration as well. Again, more on MDX and its features in one of my upcoming articles.
For external web or SaaS applications a 302 redirect is initiated that establishes a direct connection between the user’s browser (which is still Worx Web but without the added security of Micro VPN’s) and the desired (external) service published from AppController. From this point forward, the NetScaler Gateway is no longer in the communication path, if it was to begin with. And since it’s still Worx Web that is being used, even though the web and/or SaaS applications are external, it operates from within the MDX Vault, offering additional security.
Citrix Receiver vs. Worx Home
This is where it potentially gets complicated and a lot of people lose track of what to configure under which conditions, me included, hopefully I’m able to clear up a few misconceptions. The (StoreFront) application enumeration and launch process we’ve just discussed focuses purely on using Citrix Receiver in combination with StoreFront. Remember that Worx Home can only directly communicate with App Controller with regards to application management, or the MDM server when it comes to device management.
As we all know Citrix likes to change things around every now and again, not a bad thing per se, but it can be confusing from time to time. The same applies to Receiver. Back when the XenMobile Enterprise edition was still referred to as the Citrix CloudGateway, but also after Citrix changed its editions to MDM, App and Enterprise and before they introduced Worx Home, Receiver was able to connect to both StoreFront (or Web Interface) like it still does, as well as App Controller to view and launch our Mobile, Web and SaaS applications. It was basically all they had. Receiver either connected directly to App Controller or indirectly via StoreFront, enumerating and launching its applications. It hasn’t been that long since they’ve ‘replaced’ this functionality with the introduction of Worx Home, which is only capable of communicating with the App Controller.
Nowadays Citrix prefers, and advises its customers, to use Worx Home on your mobile device(s) and Receiver on any other endpoints you might use (to contact StoreFront) like your office desk or laptop for example. Note that your app subscriptions also play a part in this as you’ll find out shortly. According to the Citrix Receiver feature matrix it only supports Web and SaaS (no mobile) apps, but they’re unclear on the setup needed to support such a configuration. Of course this doesn’t mean Receiver is technically incapable of contacting App Controller directly to view or launch MDX, or Worx, enabled (mobile) applications, it’s just not supported, or preferred. At least that’s the way I interpreted it since there seems to be no documentation telling us otherwise. And besides, this is how it worked just a few months ago. So unless they’ve redesigned Receiver and forgot to tell us, you should be fine. Or did I miss something?
Note: StoreFront also has a built-in Receiver, known as Receiver for Web, based on HTML5. Don’t get confused, it’s only used when a native Citrix Receiver isn’t available.
Citrix has big plans for its mobility platform, that’s no secret, and seeing how they are promoting the use of Worx Home in combination with App Controller, as opposed to Receiver, can only mean that change is coming. Perhaps Synergy will tell us more. I also came across this blog just a few days ago, see quote below, and it clearly indicates that App Controller is going to play a major role in future releases.
“What happens is that the AppC will supersede your existing StoreFront or Web Interface and become the aggregation point for the Windows apps as well as Mobile and Web. Citrix Receivers will talk to AppController in order to find out what’s available and present all four types of applications to the appropriate devices. This means your existing session policies on your NetScaler will need to change as well since those Receivers need to be directed to AppC rather than StoreFront as well as needing to cope with the new application types”
Interesting, right? Worx Home isn’t mentioned once throughout the whole article :-) so which one is it going to be? Hold on and let’s not jump to any conclusions just yet. This post isn’t meant to cause any confusion and I’m also not recommending one solution over the other. I suggest following Citrix’s recommendations and/or best practices whenever possible, just contact one of your Citrix representatives when in doubt, which I’m sure you are :-) For now I just wanted to highlight some of the key concepts that make up XenMobile, which strangely enough aren’t talked about that much and can be daunting to get your head around. Too bad I can’t be there, at Synergy I mean!
Trust is important
As mentioned, when a trust between App Controller and StoreFront is established (see the next section for a ‘How To’ on this part) StoreFront will be able to also aggregate App Controller for its applications, so they, together with the Windows based resources already there, can be viewed and launched from the StoreFront App Store. To refresh, see the ‘StoreFront general overview’ section a few paragraphs back.
Worx Home, or App Controller, by default, can only see and manage its own applications, mobile, web etc. It can’t contact StoreFront or launch Windows based resources in another way. However, XenMobile is under constant development and as such offers some new and interesting features, which, depending on your use case, could prove to be of some value. Before we continue let’s do a short recap first, although not (fully) supported or recommended by Citrix, here’s what we’ve established so far.
Windows-Based Apps from Worx Home
As of App Controller version 2.8 (at the time of writing we are at version 2.10) we can configure App Controller to also display and launch Windows based applications and/or desktops. They will be displayed next to our mobile, web and SaaS apps already there, using Worx Home from our mobile device, like Citrix prefers. It’s mainly because of this feature that the App Controller will potentially play a bigger role within your infrastructure somewhere in the near future.
Let me show you how it’s done.
To start, you’ll first need to setup a trust (which I already mentioned a few times) between App Controller and StoreFront, this will also enable StoreFront to contact App Controller and aggregate its application lists, as described in the ‘StoreFront general overview’ section.
Log on to your App Controller via the web portal:
Once logged in navigate to the ‘Setting’ tab as shown below:
Next, click ‘Edit’ and scroll down to the StoreFront section. Select ‘Yes’ next to ‘Allow StoreFront to aggregate App Controller apps’. Fill in the FQDN of your StoreFront server and click ‘Save’. If you want authentication to take place on StoreFront, for domain joined devices for example, make sure to select ‘Yes’ next to ‘Authentication server’ as well. We’ll leave it at ‘No’ since authentication is configured to take place on the NetScaler. Note that, when both NetScaler and StoreFront are enabled to handle authentication, make sure to configure NetScaler within StoreFront as well. Of course you could also ‘trust’ StoreFront for authentication purposes only, without enumerating its applications. Click ‘Save’.
Almost done, it’s a two step process. Although initiated from the App Controller you also need to configure StoreFront so that it ‘knows’ and trusts your App Controller. Log on to your StoreFront deployment and add the App Controller as a Delivery Controller by following this procedure.
StoreFront is now able to enumerate all Mobile, Web and SaaS applications, including ShareFile, offered by App Controller, and since Worx Home isn’t able to contact StoreFront we’ll need to use Receiver to view and launch them. Again, using this configuration it isn’t 100% clear whether Receiver will, or can, take care of the entire process or whether Worx Home needs to be installed as well, specifically when it comes to mobile applications. I’ll try to get this verified as I’m unable to properly test at this moment. We already know the preferred way of handling things, I’d just like to know if it’s still technically possible and/or supported.
OK great, but we want more, we also want to be able to view and launch our Windows based applications and/or desktops from App Controller using Worx Home. To make this happen we need to configure the so called Windows App Settings within App Controller, this is where the true magic happens.
Windows App Settings
Next I’ll show you how to configure the Windows App Settings within App Controller. When logged in go to the ‘Apps & Docs’ tab and select ‘Windows Apps’ at the bottom.
Click ‘Edit‘ and fill in the requested information. Note the ‘Relative Path’, this enables the PNAgent functionality on StoreFront which we’ll need to present our Windows based resources in App Controller. But that’s it, we’re done!
We can now use Worx Home to contact App Controller and view or launch all our Mobile, Web and SaaS applications together with our Windows based resources, from one central location. Which gives us the following options:
Note: Although, using the above configuration, we can use Worx Home to connect to App Controller to view and launch our Windows based resources, next to our Mobile, Web and SaaS apps, you’ll still need to have Citrix Receiver installed as well. Receiver will handle the actual launch request with regards to your Windows based resources. This is due to Worx Home lacking certain XML processing capabilities, which is ‘by design’ and verified by Citrix.
But wait, there’s more
No matter how we configure App Controller, we will still need to set up StoreFront alongside it if we want to be able to also view and launch our Windows based apps and desktops. App Controller doesn’t have the XML Broker service application enumeration capabilities that StoreFront has. Without StoreFront, App Controller wouldn’t be able to ‘find’ and show you your (Windows) applications and/or desktops. If mobile, web and SaaS like apps are all you need, go ahead and leave StoreFront out. Perhaps you’d like to separate them, also, no problem. This is what a complete infrastructure, with regards to StoreFront and App Controller, might look like.
Of course we can also implement both components without any trusts configured, or implement one without the other. Just keep in mind, that, no matter which combination you implement, even if it’s just StoreFront for example, you’ll always need Worx Home for mobile device enrolment if MDM is implemented as well. Once enrolled, you’ll continue to use Worx Home to contact App Controller from your mobile device, assuming it’s implemented, and Receiver to contact StoreFront to access your Windows applications and desktops, as recommended by Citrix. At least for now :-)
In this case I would recommend pushing the Citrix Receiver native app during device enrolment. Using this configuration you’ll end up with two separate URL’s, one for StoreFront and one for App Controller.
For now let’s assume that StoreFront is used and that we have the proper App Controller trusts configured, and, to keep things simple, it will be the default way your employees will view, subscribe to, and launch all applications, using Citrix Receiver or perhaps Receiver for Web, with or without Worx Home installed. Since your users are already familiar with either Web Interface and/or StoreFront, this will probably be the preferred way of handling things anyway. Again, keeping things as simple as we possibly can. And besides, StoreFront also offers some additional features like Session Pre-launch, Lingering, smart cards and a few more, that App Controller can’t.
Beware of your subscriptions
However, according to Citrix, mobile users don’t necessarily want the same applications / subscriptions on their mobile devices as they have on their corporate endpoints. And to be honest, I have to agree, that’s what I would prefer as well. I mean, I don’t want to access my desktop remotely using my iPhone, so why bother showing it as a subscribed resource? Keep it clean. There’s an easy way to work around this. I’ve already mentioned application subscriptions a few times, it’s when a user logs on to his or her App Store, either through StoreFront or App Controller, and starts selecting applications; this is also referred to as subscribing to applications. Check out this Citrix Blog as well.
App Controller and StoreFront both handle their subscriptions independently from each other, creating separate lists. Depending on your configuration, as we’ve seen, you can subscribe to exactly the same applications using either one. However, when using Receiver to contact StoreFront, either natively installed or Receiver for Web, it will leverage StoreFront’s (Windows) Extensible Storage Engine database to store its subscriptions. They are stored locally and are automatically propagated to other StoreFront servers by the subscription store service.
Meaning that, as long as you’ll use StoreFront, you’ll always end up with the exact same set of applications to choose from, with or without trusts configured. No matter if you’re on your mobile device, office laptop, desktop or whatever endpoint you might be using.
When using Worx Home to connect to App Controller, unless you subscribe to the exact same applications, you’ll build up a separate set of subscribed applications which will differ from StoreFront. Your subscriptions will be handled and stored by App Controller. With this in the back of our heads, and following Citrix’s recommendations, you might want to use Worx Home on your mobile device(s) and subscribe to all the Mobile, Web and SaaS apps you need, while using Receiver, to connect to StoreFront, on all your other endpoints. This way you’ll end up with two separate application subscription lists, one for your mobile device(s) and one for your office workstation or laptop for example.
Since app subscriptions are handled, and stored, by either StoreFront or App Controller it doesn’t really matter which client, Receiver or Worx Home, is used, it’s the underlying ‘platform’ you need to be aware of. For example, if you only use Receiver to contact both StoreFront and App Controller, you’d still end up with two separate application subscription lists. Again, although technically Receiver might do the trick, Worx Home is the preferred client to use on your mobile device.
I must admit, it probably isn’t the most ‘Plug and Playable’ product out there, which is also due to some history and product development, but it’s powerful for sure! Keep an eye out for Synergy (won’t be long now), I’m sure they’ll come up with some interesting announcements since mobility is going to be one of the main topics this year. I hope this post at least gives you an idea on some of the options you have when deploying and accessing your mobile, Web and SaaS apps together with your Windows based resources, using a mix of App Controller, StoreFront, Receiver and Worx Home.
Knowing all this it’s up to you to come up with a valid use case, at least these configurations give us some flexibility with regards to the software we’d like to use to view and launch our applications, and at the same time enable us to manage our subscriptions the way we feel fit. I guess a lot will depend on our application subscription wishes, do we need separate lists per device type, mobile vs. office desktops? Also, do you want to keep StoreFront and App Controller separated with regard to application aggregation etc.? I’m keen to find out which role App Controller / Worx Home will play in the (near) future.
Bas van Kaam ©
Reference materials used: Citrix.com, Support.citrix.com and the E-Docs website.