Don’t underestimate the power of prerequisites! No really, although this may seem like a straightforward topic, there’s a lot to think about. For example, we have to deal with firewall ports and protocols, IP addresses, DNS, AD, certificates, authentication, hardware and software, licensing and more. By inspecting the prerequisites section beforehand, and thinking things through, not only will it tell you if you’ve got what it takes, so to speak, it will also save you a lot of time once you start building and deploying your XenMobile infrastructure. And since I’ve been on the subject for the past few weeks, I thought I’d summarize some of the more important sections and subjects to focus on during the prerequisites and deployment phase, and ultimately show you how it all fits together (Visio included) from an architectural point of view.
What do we really need?
In practice, you see a lot of companies, who haven’t been properly advised, implement the XenMobile Enterprise Edition without even thinking. Although I must admit, with Citrix currently offering a 20% discount on the Enterprise edition, it’s tempting to do so. But what I mean to say is, you really need to think about your needs and options beforehand. For example, if it’s pure hardware (read: mobile devices) that you’d like to manage, and perhaps push some native apps along the way, then MDM might be all you need. If you need, or want, to be able to manage and secure all your business-related applications and data separately from any personal applications and/or data that might reside on the same device, then you’ll need the App Controller and ShareFile (Enterprise edition) functionality as well. It all depends (there it is again ;-).
It doesn’t end there
When you think about getting into XenMobile, or any other mobility management platform for that matter, there’s a lot to consider. Now this article isn’t about making strategic decisions or forming corporate policies, that’s something you should have thought about before getting into mobility, but just to give you an idea of what I’m talking about, here are some of the most common questions you’ll need to ask yourself when, or before, implementing mobile management. Usually it all starts with: what do we (really) need, or want, to manage, and do we allow our employees to bring in their own personally owned devices? Closely followed by: what types of devices are we actually talking about, do they include laptops, tablets, various kinds of smartphones etc.? If they’re company owned, do we allow any personal apps and data? How do we separate the two? And what happens if a device gets lost or stolen, or somebody leaves the company? How secure do our corporate applications really need to be, does all data need to be encrypted?
And once you’re done figuring it all out…
Do we allow remote access from mobile devices onto our internal network to interact with other, Windows-based, applications and/or desktops, for example? Who is responsible for, or owns, the data? It’s often a fine line between personal and corporate data. What other types of applications (web, SaaS, Windows) do we allow, or do our employees need, to do their daily jobs? Are there any current security strategies, or data management policies, in place that we need to consider when bringing mobile devices into our network? If not, do we need to think about creating new ones? And you can probably think of a few more. So you see, this is serious content to consider as part of your mobile IT strategy!
Most of you probably know about the application wrapping process associated with mobile applications which are hosted on, and published from, the XenMobile App Controller. Application wrapping uses the so-called MDX Toolkit to ‘wrap’ or ‘inject’ MDX technology (which stands for Mobile Device Experience, by the way) around or into the application, making it fully manageable by IT; the result is what Citrix calls a Worx-enabled application. It adds features like data encryption, password authentication, secure lock and wipe, inter-app policies and micro VPNs to mobile apps (you’ll need to have a NetScaler in place for this). This MDX library can be embedded into any app with just a single line of code, it’s that easy. However, do note that for the MDX (wrapping) Toolkit to work you’ll need a MacBook or iMac running OS X version 10.7 (Lion), 10.8 (Mountain Lion) or 10.9 (Mavericks). It won’t run on anything else, something to be aware of since not all companies and/or IT admins own a Mac.
The MDX Toolkit requires the Java Development Kit (JDK) 1.7. You can download JDK 1.7 from the Java SE Development Kit Downloads page on the Oracle website. The instructions for installing the JDK on Mac OS X are on the Computech Tips website:
Unfortunately there’s a bit more to it before you can start publishing iOS and Android applications. Before a mobile application can be wrapped it first needs to be ‘signed’ for Apple or Android. Once your app gets signed, Apple will provide you with a provisioning profile and a corresponding certificate. In the case of Android you’ll receive a digital certificate whose private key is held by the application’s developer.
Make sure to check out the ‘Lessons learned from the field’ section as well (scroll down a few paragraphs); it has a short but helpful section on APNS (Apple Push Notification Service), which is used to contact and update iOS devices. It uses certificates that need to be signed by both Citrix and Apple. Something that needs to be done.
Once signed by Apple, you will be legally allowed to distribute the application to your users according to Apple’s EULA. Before you wrap an iOS application, download and install the iOS Distribution Provisioning Profile and Distribution Certificate on your computer; both first need to be requested from (and thus signed by) Apple, as mentioned above.
“Any app that runs on a physical iOS device (other than apps in the Apple App Store) needs to be signed with a provisioning profile and a corresponding certificate. There are two kinds of profiles: Enterprise: allows you to run the app on unlimited devices and Ad Hoc: allows you to run the app on up to about 100 devices. Provisioning files and certificates may differ depending on the app, consult with Apple about the kinds of profiles and certificates Apple may require for a particular app”
When using the Ad Hoc profile the above process is free of charge. However, Citrix recommends the Enterprise profile to wrap your applications, which isn’t free. Check out Apple’s website (https://developer.apple.com/programs/start/ios/) or consult with one of Apple’s representatives for some more detailed information. Unfortunately this process tends to change from time to time, so I can’t give you a detailed ‘steps to take’ manual on this. For Android applications the process is much alike: it’s free of charge and Android provides you with a detailed ‘steps to take’ manual on their website: http://developer.android.com/tools/publishing/app-signing.html
Be aware that application signing also applies to applications that are developed in-house. This goes for both iOS and Android. And for those of you already familiar with the Worx application suite, yes, Worx Web, Mail and the recently introduced Worx Notes, Edit and Desktop also need to be signed and wrapped.
Each time you purchase a Citrix product you’ll receive an e-mail containing a link to your licenses. Following the link you’ll either log in directly using your ‘My Citrix’ account, or create a new account first. You’ll need these ‘My Citrix’ credentials to obtain and/or manage your license files. For those of you who might be unfamiliar with the ‘My Citrix’ concept, have a look here for some more information.
Note that you’ll need to have your license file at hand when installing, or you won’t be able to finish, you’ll be annoyed for sure!
There are two license models available, per user and per device. Both models are based on the total number of users or devices that access the software, regardless of whether or not they use the software simultaneously. User licenses are best used when people use more than one device: it’s one license per user and unlimited devices. Device licenses are best used when people only use one device: one license per device but unlimited users. Citrix has different programs available. Although XenMobile is available as a cloud service as well, this won’t influence your licensing strategy. Do note that you’ll need to have a minimum number of users before you can make use of Citrix’s cloud offering. I’m not 100% sure, but I think it’s around 300 for the Enterprise edition.
Lessons learned from the field
While working on this article another community member named Rink Spies, also wrote a very useful article on, sort of, the same subject, it’s named: Citrix XenMobile: Lessons learned in real life. Although he took a slightly different approach, you may find that we talk about the same subjects here and there. Very helpful either way if you ask me! Of course you’ll find some other tips and tricks, that I don’t mention, in there as well.
Perhaps not a real prerequisite per se, but definitely something to have a look at. Be aware that this is as secure as it gets: there is no way to guarantee a 100% secure device, since technology can only go so far, but it’s a huge step in the right direction for sure! Make sure you have your users read and understand your company security policies and have them sign some sort of user agreement before handing out your devices or giving them access to your corporate resources. I’m aware that this may sound like an ancient approach, but it will definitely hold up in court, think about it.
Before we have a look at some of the pre-install inventory tasks involved, it’s important to know which firewall ports need to be opened and for what reason! Make sure to involve the network team as soon as possible and ask them to open up the necessary ports if you can’t, or aren’t allowed to, do it yourself. Make this one of your high-priority ‘things that need to be done’. Although opening a few ports is a 2 minute job, in practice these things can take days, networking teams are ‘known’ for that ;-) Take my word for it, you’ll thank me in the end! Let’s start with a general overview. Click to sharpen, this goes for all tables throughout the article by the way.
Before installing and configuring XenMobile, certain infrastructural components already need to be up and running. Therefore it’s considered good practice to inventory certain names and IP addresses beforehand so you’ll have them ready when needed. Make sure to, at least, inventory the FQDNs and IP addresses of the following components:
- Database server(s) including the database names you’d like to use.
- NetScaler Gateway, including the NSIP, SNIP and virtual IP addresses.
- Active Directory, DNS, NTP and SMTP server addresses.
Complementary to the above, if not already there or done, you may also need to reserve or request (make sure to start this process in time) the following internal and external IP addresses. It’s important to note that these names and addresses already need to be up and running (resolvable) when installing / configuring XenMobile, otherwise you’ll get stuck along the way.
- NetScaler Access Gateway
- Device Manager
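Resolvability is something you can verify before the install rather than discover halfway through the wizard. Below is an added PowerShell check (an example added here, not code from the article or from Citrix) that you run on the future MDM server: it resolves every inventoried FQDN and then probes the port each component listens on, sending a real NTP request for the one UDP service since UDP has no handshake to test. The hostnames and port numbers in the $Inventory table are constructed placeholders; take the authoritative port list from the Citrix port table mentioned above.

```powershell
# Added example, not part of the original article or of any Citrix tooling.
# Checks the pre-install inventory: does every FQDN resolve, and is each
# component's port reachable from this server? Hostnames and ports below are
# constructed placeholders; substitute your own inventory and the port list
# from the Citrix port table.
$Inventory = @(
    @{ Role = 'SQL Server';                Host = 'sql01.corp.example';  Port = 1433; Proto = 'TCP' },
    @{ Role = 'Active Directory (LDAP)';   Host = 'dc01.corp.example';   Port = 389;  Proto = 'TCP' },
    @{ Role = 'Active Directory (LDAPS)';  Host = 'dc01.corp.example';   Port = 636;  Proto = 'TCP' },
    @{ Role = 'SMTP relay';                Host = 'smtp.corp.example';   Port = 25;   Proto = 'TCP' },
    @{ Role = 'NTP server';                Host = 'ntp.corp.example';    Port = 123;  Proto = 'UDP' },
    @{ Role = 'NetScaler Gateway VIP';     Host = 'gateway.example.com'; Port = 443;  Proto = 'TCP' },
    @{ Role = 'Device Manager (MDM)';      Host = 'mdm.example.com';     Port = 443;  Proto = 'TCP' }
)

function Resolve-InventoryName {
    # Returns the resolved addresses as one string, or $null when DNS fails.
    param([string]$Name)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Name)
        return (($addresses | ForEach-Object { $_.IPAddressToString }) -join ', ')
    } catch {
        return $null
    }
}

function Test-TcpPort {
    # TCP connect with a timeout: a completed handshake means the port is open
    # and no firewall in between drops the traffic.
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-NtpServer {
    # UDP has no handshake, so send a minimal NTP client request (mode 3) and
    # wait for a reply; a reply proves both that the port is open and that the
    # service answers.
    param([string]$Name, [int]$Port = 123, [int]$TimeoutMs = 3000)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Name, $Port)
        $request = New-Object byte[] 48
        $request[0] = 0x1B                     # LI=0, VN=3, Mode=3 (client)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        return ($reply.Length -ge 48)
    } catch {
        return $false
    } finally {
        $udp.Close()
    }
}

$results = foreach ($item in $Inventory) {
    $resolved = Resolve-InventoryName $item.Host
    if (-not $resolved) {
        $status = 'DNS FAILED'
    } elseif ($item.Proto -eq 'UDP') {
        if (Test-NtpServer $item.Host $item.Port) { $status = 'OK' } else { $status = 'NO REPLY' }
    } else {
        if (Test-TcpPort $item.Host $item.Port) { $status = 'OK' } else { $status = 'BLOCKED/CLOSED' }
    }
    New-Object PSObject -Property @{
        Role = $item.Role; Host = $item.Host; Port = "$($item.Port)/$($item.Proto)"
        Resolved = $resolved; Status = $status
    }
}
$results | Format-Table Role, Host, Port, Resolved, Status -AutoSize
```

A 'DNS FAILED' row is the one to chase first, because the installer will fail on exactly that lookup; a 'BLOCKED/CLOSED' row is the ticket you hand to the network team, with the source address, destination and port already filled in.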
Certificates are used to secure connections and communication and to authenticate users. Therefore make sure to have an internal Certificate Authority (CA) up and running before installing / configuring XenMobile. Again, depending on the components you are going to implement, here’s an overview of the certificates needed, including the accompanying XenMobile components for which they are used. Note that when using SSL offloading, and you’re going to, you’ll need to install a trusted public SSL certificate on your NetScaler.
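Since both the internal CA certificates and the public NetScaler certificate sit on the critical path for enrollment, here is an added PowerShell check (an example added here, not code from the article or from Citrix) that fetches the certificate a TLS endpoint presents and verifies the three things that most often go wrong: the FQDN is not among the certificate’s names, the certificate is close to expiry, or the chain does not build against the trust store of the machine running the check. The FQDNs at the bottom are constructed placeholders. Run it from a domain member for the internal components (it then tells you whether your internal CA is actually trusted) and from a machine outside the domain for the gateway VIP, which is the closest a Windows box gets to what an unmanaged phone will see.

```powershell
# Added example, not part of the original article or of any Citrix tooling.
# Retrieves the certificate presented on a TLS endpoint (the NetScaler Gateway
# VIP with its public certificate, or an internal component with a cert from
# your own CA) and reports name match, days until expiry and chain trust.
function Get-RemoteCertificate {
    param([string]$Name, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept whatever the server sends here; trust is evaluated explicitly below.
        $acceptAll = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Name)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateNames {
    # Subject CN plus every DNS name in the Subject Alternative Name extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders e.g. "DNS Name=gateway.example.com, DNS Name=mdm.example.com"
        $san.Format($false) -split ',\s*' | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-ServerCertificate {
    param([string]$Name, [int]$Port = 443, [int]$MinDaysLeft = 30)
    $cert  = Get-RemoteCertificate -Name $Name -Port $Port
    $names = Get-CertificateNames -Cert $cert
    $nameOk = ($names -contains $Name)

    # Build the chain against this machine's trust store (revocation checking on).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    New-Object PSObject -Property @{
        Endpoint     = "${Name}:${Port}"
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NameMatches  = $nameOk
        DaysLeft     = $daysLeft
        ExpiryOk     = ($daysLeft -ge $MinDaysLeft)
        ChainTrusted = $chainOk
        ChainStatus  = $(if ($chainOk) { 'OK' } else { $chainStatus })
    }
}

# Constructed placeholder names; replace with your NetScaler Gateway and MDM FQDNs.
'gateway.example.com', 'mdm.example.com' | ForEach-Object { Test-ServerCertificate -Name $_ } |
    Format-List Endpoint, Subject, Issuer, NameMatches, DaysLeft, ExpiryOk, ChainTrusted, ChainStatus
```

The ChainStatus column is the useful one when ChainTrusted is false: 'UntrustedRoot' on the gateway VIP means the NetScaler is still serving a certificate from your internal CA rather than the public one, and 'PartialChain' usually means the intermediate certificate was not bound on the NetScaler alongside the server certificate.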
Hardware and software
Of course none of this will work without the proper hardware and software in place. Each XenMobile component has its own specific hardware, software and sizing requirements. Below you’ll find the basics to help you get started. Note that, if you’re planning on integrating SharePoint for example, or the Secure Mobile Gateway, to name a few, there might be some other specific requirements you need to be aware of; consult with one of your Citrix representatives, or have a look at the Citrix E-Docs website for some more details.
Citrix recommends to deploy the XenMobile components in a certain order, have a look here: http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-understand-deploy-architecture-wrapper-n-con.html
All NetScaler platforms are supported and can be used; these include MPX, VPX and SDX. The specific types and models used will differ per organization, type of deployment and the number of users connecting. In most cases a NetScaler Gateway will be sufficient. Do note that when setting up MDM you don’t necessarily need a NetScaler, it will function just fine without one. However, in that setup the MDM server will ‘live’ in your DMZ, creating a potential security issue. NetScaler is able to offload SSL traffic for your MDM server so it can be placed on your, more secure, corporate LAN. Something to think about if you don’t already have a NetScaler in place!
As of version 10.1 NetScaler also includes a XenMobile setup deployment wizard to help ease the setup and configuration of XenMobile MDM, App Controller, Exchange and ShareFile in combination with NetScaler. Configure them one by one, or all at once. Check out Robin’s article on the XenMobile App Controller setup, it also includes a short section on the 10.1 XenMobile wizard.
Software requirements: as stated on the E-Docs website, Citrix has tested and provides support for Device Manager installations on the following platforms. Most companies love high availability, and rightfully so; think about this before you start building your MDM infrastructure, but start with one server and go from there.
- Windows Server 2012 Enterprise and Standard editions
- Windows Server 2008 R2 Service Pack 1 Enterprise and Standard editions
- Windows Server 2008 Service Pack 2 Enterprise and Standard editions
Windows Server 2012 R2 is, at least at the time of writing, not supported.
Database requirements, one of the following versions is supported:
- Microsoft SQL Server 2012
- Microsoft SQL Server 2008 R2
- Microsoft SQL Server 2008
Hardware requirements: Device Manager can be deployed on physical as well as virtual environments (for an overview of supported hypervisors see the AppController section next). You’ll need either an Intel Xeon 3 GHz or AMD Opteron 1.8 GHz processor combined with at least 4 GB RAM and 500 GB of free disk space. It will need a static IP address, and Citrix advises to disable both IPv6 and UAC on the MDM server. Below you’ll find Citrix’s recommendations based on a specific number of connecting devices:
It’s about the number of devices not users!
Java requirements: before taking off, you’ll need to download and install the following Java components (this is a separate process):
- Java Standard Edition 7 Development Kit (minimum version 1.7.0_11)
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
You can find both on: http://www.oracle.com/technetwork/indexes/downloads/index.htm
As stated by Citrix, do not enable the Web Server (IIS) role on the server on which you plan to install Device Manager. If this role is already enabled, make sure to remove it before installing Device Manager.
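The Device Manager requirements in this section are all checkable before you start the installer. The following PowerShell script is an added example (not code from the article or from Citrix) that runs on the intended MDM server and reports each one: DHCP off on every adapter, IPv6 and UAC disabled, JDK 1.7.0_11 or later, the unlimited-strength JCE policy in place, and the Web Server (IIS) role absent. It assumes java and jrunscript (both ship in the JDK’s bin directory) are on the PATH; the registry values used for IPv6 and UAC are Microsoft’s documented switches, not Citrix-specific settings. A check that cannot be evaluated is reported as a failure, so that an unverified box never shows up as green.

```powershell
# Added example, not part of the original article or of any Citrix tooling.
# Run on the intended Device Manager (MDM) server before installation. Each
# check corresponds to a requirement in the article: static IP, IPv6 and UAC
# disabled, JDK 1.7.0_11 or later, unlimited-strength JCE policy, no IIS role.
Import-Module ServerManager -ErrorAction SilentlyContinue   # Get-WindowsFeature on 2008 R2

function Test-StaticIp {
    # Every IP-enabled adapter must have DHCP switched off.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    return (-not ($adapters | Where-Object { $_.DHCPEnabled }))
}

function Test-IPv6Disabled {
    # Microsoft's documented switch: DisabledComponents = 0xFF disables IPv6 on all interfaces.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $v = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    return (($v -ne $null) -and (($v -band 0xFF) -eq 0xFF))
}

function Test-UacDisabled {
    # EnableLUA = 0 turns User Account Control off (takes effect after a reboot).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($v -eq 0)
}

function Test-JdkVersion {
    # Parses the 'java -version' banner, e.g. java version "1.7.0_45"; minimum per the article is 1.7.0_11.
    param([string]$Banner, [int]$MinUpdate = 11)
    $m = [regex]::Match($Banner, 'version "1\.7\.0_(\d+)"')
    if (-not $m.Success) { return $false }
    return ([int]$m.Groups[1].Value -ge $MinUpdate)
}

function Test-JceUnlimited {
    # Ask the JDK itself through its bundled script runner: the unlimited policy
    # reports Integer.MAX_VALUE (2147483647) for AES, the default policy reports 128.
    try {
        $out = (& jrunscript -e "print(javax.crypto.Cipher.getMaxAllowedKeyLength('AES'))" 2>&1 | Out-String).Trim()
        return ($out -eq '2147483647')
    } catch {
        return $false   # jrunscript not found: cannot verify, so treat as not met
    }
}

function Test-IisAbsent {
    try {
        $feature = Get-WindowsFeature -Name Web-Server -ErrorAction Stop
        return (-not $feature.Installed)
    } catch {
        return $false   # cannot query roles on this host: treat as not verified
    }
}

$javaBanner = ''
try { $javaBanner = (& java -version 2>&1 | Out-String) } catch { }

$checks = @(
    @{ Check = 'Static IP on all adapters';     Pass = Test-StaticIp },
    @{ Check = 'IPv6 disabled';                 Pass = Test-IPv6Disabled },
    @{ Check = 'UAC disabled';                  Pass = Test-UacDisabled },
    @{ Check = 'JDK 1.7.0_11 or later';         Pass = Test-JdkVersion $javaBanner },
    @{ Check = 'JCE unlimited strength policy'; Pass = Test-JceUnlimited },
    @{ Check = 'IIS (Web-Server) role absent';  Pass = Test-IisAbsent }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Pass -AutoSize
```

The JCE check is the one people skip and then pay for later: a JDK with the default policy files installs fine and only fails when the first strong-cipher operation runs, which on an MDM server is during enrollment.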
AppController is installed as a virtual machine. It goes without saying that your hypervisor of choice must be equipped with the proper virtual computing resources, as shown in the table below. As with the MDM server, think about HA before installing / configuring. The App Controller software is supported on the following hypervisors:
- XenServer 6.2
- XenServer 6.0
- XenServer 6.1
- XenServer 5.6 with a minimum of Service Pack 1
- Microsoft Server 2012 with Hyper-V enabled
- Microsoft Hyper-V Server 2012
- VMware ESXi 5.0.1
- VMware ESXi 5.1
- VMware ESXi 4.x
AppController Virtual computing (minimum) requirements:
- Memory 4 GB
- Virtual CPU (VCPU) 2 vCPUs
- Virtual Network Interfaces 1
How it all fits together
As promised. Although I didn’t include every single option (no FTP, Syslog, RADIUS or NTP server, for example), this overview should still give you a good idea of how a complete XenMobile infrastructure might look. More often than not you’ll have two NetScalers, StoreFront, MDM and App Controller servers etc., but you get my point, right? Just imagine that they’re there as well. If you feel like there’s anything missing, just let me know and I’ll include it. Here goes, click to enlarge (and sharpen):
Once user devices are enrolled and ‘known’ by the MDM server, changing the authentication mechanism afterwards will mean that all of your (enrolled) users will need to re-enrol! You can probably imagine the frustration this might cause among your users, not to mention your IT admins. So give this some thought! To give you an idea, XenMobile supports the following authentication methods:
- Active Directory or LDAP
- Two-factor authentication
- Client certificates
- And Worx PIN
During the setup and configuration of XenMobile you’ll need several (service) accounts with (local) administrator privileges. For example, you’ll need a SQL service account with administrative privileges local to the SQL server and its instances, including Creator, Owner, and Read/Write permissions. We’ll also need an MDM server service account with local administrative privileges, although it doesn’t need to be a member of Active Directory. The same applies to App Controller: you’ll need an administrative account for installation and configuration purposes.
Out of scope
Although out of scope, I’d still like to, at least, mention both technologies, since there undoubtedly are companies who use, or support (BYOD), them. As stated on their corresponding E-Docs page: XenMobile also supports Amazon Kindle devices running Fire OS 3.0 and earlier versions running proprietary operating systems based on Android. If the device is marked as compatible, Samsung for Enterprise (SAFE) and Samsung KNOX policies are supported as well. However, you’ll need to enable the SAFE APIs by deploying the built-in Samsung Enterprise License Management (ELM) key to a device before you can deploy SAFE policies and restrictions. Samsung KNOX also uses the key concept and will require you to deploy a so-called ELM key to your devices. In addition you’ll also have to purchase a Samsung KNOX license using the Samsung KNOX License Management System (KLMS).
Before anything else
Make sure to set up a decent PoC (Proof of Concept) environment and, again, take it one step at a time. XenMobile is, or can be, complex to set up and configure, so think about your needs and implement and test them one at a time. This way you won’t lose focus or get overwhelmed with all that’s out there. Citrix advises, depending on the numbers involved and the size of the company, to take at least two weeks to inventory and set up a PoC infrastructure. Make sure to involve your customer(s) on as many levels as possible, technically as well as strategically, so they know what’s going on. This will also help once you hand over your administrative tasks to the company’s IT department, which we all know can be a challenge. As a side note, Citrix has several PoC kits available; they’re free to download from SalesIQ and a great help to get you up and running in no time.
To finalize, I’d like to point out Citrix’s Pre-Installation Checklist. It will help you to organize all your findings throughout the inventory process. It will also remind you of what and where to check. It’s split up in easy to read sections.
Throughout this article I highlighted some, if not all, of the most important prerequisites needed to install and configure Citrix XenMobile. We looked at IP addresses, names, port numbers, hardware and software requirements including NetScaler and multiple hypervisors, Java and certificates. I’m aware that this might look like a lot to some, and perhaps it is, but don’t worry, take it one step at a time and you’ll be fine. Use the Pre-Installation Checklist from Citrix; it’s a big help. Note that the MDM sizing numbers mentioned are meant to give you an indication; proper testing is still a requirement. Don’t forget about the MDX Toolkit as well, you’ll need a Mac (so get one already) for that!
Bas van Kaam ©
Reference materials used: Citrix.com, Support.citrix.com and the E-Docs website.