XenMobile 8.6 MDM Edition
Mobile Device Management
November 2013
Adolfo Montoya, Karen Sciberras, George Ang and Andrew Sandford
Lead Support Readiness Specialist
© 2013 Citrix | Confidential – Do Not Distribute
Document Management
Company: Citrix Systems, Inc.
Author(s): Adolfo Montoya
Owner(s): Worldwide Support Readiness
Last modified: 11/22/2013
Version: 1.0
Length: 4 hours
Ground Rules
Introduce yourself
Expect FULL participation!
We will use Polls on GoToTraining
Please raise your hand for questions or comments on GoToTraining
Type comments and questions in the Chat window
I will check your work by making you presenter… be ready!
I will call you by name
Objectives
At the end of this course, you will be able to:
Module 1: Verify iOS 7 MDM Policies
  Configure and test some of the new iOS 7 restrictions policies
Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
  Install XenMobile Mail Manager
  Configure and test XenMobile Mail Manager to filter ActiveSync traffic against Exchange Server 2010
Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
  Configure SSL Offload on NetScaler to load balance HTTP connections to the Device Manager server
  Verify that mobile devices (e.g. iOS/Android) can enroll successfully
Module 4: Integrate XenMobile Device Manager with Microsoft PKI
  Set up Client Certificate authentication on Windows
  Configure Client Certificate authentication with XenMobile Device Manager
  Configure Exchange Server 2010 for Client Certificate authentication
  Verify mobile devices can enroll, test Client Certificate authentication and access their mailbox
Module 5: Learn Samsung KNOX and Amazon MDM Policies
  Learn and configure new Samsung KNOX and Amazon MDM restriction policies
Assessment
There will be an assessment at the end of the course, covering the following modules:
Module 1: Verify iOS 7 MDM Policies
Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
Module 4: Integrate XenMobile Device Manager with Microsoft PKI
Module 5: Learn Samsung KNOX and Amazon MDM Policies
Module 1: Verify iOS 7 MDM Policies
iOS7 Highlights
Per App VPN: Managed apps can initiate a per-app VPN tunnel.
OpenIn Document Control: Restrict opening of documents in managed apps and accounts.
Enterprise SSO: Single sign-on experience for enterprise resources that require Kerberos authentication.
Silent Install/Uninstall: Only applicable to supervised iOS devices.
New Volume Purchase Program (VPP) service: Workflow-based VPP registration; revoke and re-issue VPP licenses.
Auto Configure Apps: Push and auto-configure iOS 7 apps.
Restrictions: Prevent device unlock via biometric scanning; prevent document transfer via AirDrop; prevent password syncing via iCloud; … (many others).
Prevent App Uninstall: Only applicable to supervised iOS devices.
iOS7 Policies in XenMobile 8.6
Per App VPN
OpenIn Doc. Control
Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
Introduction
The XenMobile Mail Manager (XMM) allows you to use XDM to gain Dynamic Access Control for Exchange ActiveSync (EAS) devices. Here are some of the features:
  Access EAS device partnership information provided by Exchange.
  Perform an EAS Wipe on a mobile device.
  Access information about Blackberry devices.
  Perform control operations such as Wipe and Password Reset.
XMM Components
The XenMobile Mail Manager (XMM) consists of three main components:
Exchange ActiveSync (EAS) Access Control Management: Communicates with Device Manager to retrieve EAS policies from Device Manager, then merges this policy with any locally defined policy to determine which EAS devices should be allowed or denied access to Exchange. Local policies extend the policy rules to allow access control by AD Group, User, Device Type, or Device User Agent.
Remote PowerShell Management: Responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by EAS Access Control Management.
Mobile Service Provider: Provides a web service interface so that Device Manager can query EAS and/or Blackberry devices, and issue control operations such as Wipe against them.
XMM Components
System and Software Requirements
Server Software:
  MS SQL or MS SQL Express 2008/2012
  Microsoft .NET Framework 4.5
  Exchange Server 2010 SP2 or higher, OR Exchange 2013
  MS Office 365
  Blackberry Enterprise Service v5 (optional)
Server Machine Requirements:
  Windows Management Framework must be installed
  PowerShell V2 supported
  The PowerShell execution policy must be set to RemoteSigned by running "Set-ExecutionPolicy RemoteSigned" from the PowerShell command prompt.
Memory: 1 GB
HDD: NTFS-formatted with 150 MB disk space
Permissions
If you are using XMM with an on-site Exchange Server, ensure that the account XMM runs under has the minimum permissions in the Exchange Configuration Management Console to execute the following Exchange-specific PowerShell commands:
  Get-CASMailbox
  Set-CASMailbox
  Get-Mailbox
  Get-ActiveSyncDevice
  Get-ActiveSyncDeviceStatistics
  Clear-ActiveSyncDevice
Before Installation…
Ensure that the following conditions are met:
  .NET Framework 4.5
  SQL Server (one of the following): MS SQL 2008, MS SQL 2008 Express, MS SQL 2012, MS SQL 2012 Express, MS SQL 2012 Express\LocalDB
XMM "one LDAP per domain" caveat: XMM supports only one LDAP configuration per installation. If you want to manage the traffic of more than one LDAP configuration (such as the root domain and a sub-domain), you will need to install XMM for each domain.
Installation
Configuring XMM
You can use the XMM Configuration utility to extend the capabilities of XDM to perform the following configuration:
  Create access control rules that either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services.
  Build dynamic and static rules that enforce corporate policies, allowing you to block those users in violation.
  Perform an EAS wipe of out-of-compliance devices.
To configure the Exchange Server
To configure the Database Properties
To configure the Mobile Service Provider (MSP)
To configure the Mobile Service Provider (MSP) hostname in Device Manager
XMM and Exchange ‘Quarantine’ Mode
When XMM is configured in conjunction with MS Exchange ‘Quarantine’ mode, the Exchange Admin can quarantine a user’s device until that device can be determined to be compliant.
In Exchange quarantine mode, a user’s inbox is blocked, but the user can still see their calendar, appointments, and contacts.
Understanding XMM Access Rules
XenMobile Mail Manager allows you to configure three types of rules:
  Default
  Local
  XDM (rules from Device Manager)
XMM Access Rules – Default Rules
Default access control rules serve as a “catch-all” rule that can be set to allow or deny a device that does not meet the criteria of either the XDM rules or local rules.
The Default Rule’s desired state may be set to Allow, Block, or Unchanged. If “Unchanged” is selected, XMM will not modify the state of any device that is not matched explicitly by a Local or XDM rule.
To configure Default access rules
XMM Access Rules – Local Rules
Local rules are defined within XenMobile Mail Manager. Local rules can be configured to allow or block based on any of the following properties:
  ActiveSync Device Id: Uniquely identifies a specific device.
  Device Type: A set of devices, such as “iPad”, “WP8”, or “Touchdown”.
  User Agent: A set of devices identified by platform version, such as “iOS/6.1.2”.
  User: A specific user.
To configure Local rules
XMM Access Rules – XDM rules
XDM rules are defined within XenMobile Device Manager. These rules are delivered to XenMobile Mail Manager and continuously updated. XDM rules can identify devices by properties known to XDM, such as:
  Enrolled in Device Manager
  Jailbroken (iOS) or rooted (Android) devices
  Forbidden apps are installed (blacklisted apps)
  Non-suggested apps are installed
  Unmanaged
  Out of Compliance
  Non-Compliant Password
  Revoked status
  Inactive Device
  Anonymous status
To configure XDM rules
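The following is an added model (not Citrix code) of how the three XMM rule types described above combine for one EAS device. The Local rule properties, the XDM device properties and the Allow/Block/Unchanged outcomes come from the slides; the evaluation order (Local rules, then XDM rules, then the Default rule) and all sample devices and rules are assumptions made for this illustration.

```python
"""Model of XMM access-rule evaluation: Local -> XDM -> Default.

Evaluation order is an assumption for this example; the slides only say
the Default rule is the catch-all for devices no Local or XDM rule matches.
"""
from dataclasses import dataclass, field

ALLOW, BLOCK, UNCHANGED = "Allow", "Block", "Unchanged"


@dataclass
class EasDevice:
    device_id: str    # ActiveSync Device Id (unique per device)
    device_type: str  # e.g. "iPad", "WP8", "Touchdown"
    user_agent: str   # e.g. "iOS/6.1.2"
    user: str         # mailbox owner
    xdm: dict = field(default_factory=dict)  # properties known to XDM


@dataclass
class LocalRule:
    """Local rule: matches one of the four properties from the slide."""
    prop: str    # "device_id" | "device_type" | "user_agent" | "user"
    value: str
    action: str  # ALLOW or BLOCK

    def matches(self, d: EasDevice) -> bool:
        return getattr(d, self.prop).lower() == self.value.lower()


@dataclass
class XdmRule:
    """XDM rule: matches a Device Manager property, e.g. jailbroken=True."""
    prop: str
    value: object
    action: str

    def matches(self, d: EasDevice) -> bool:
        return d.xdm.get(self.prop) == self.value


def decide(device, local_rules, xdm_rules, default_action):
    """Return (action, reason). UNCHANGED means XMM leaves the device's
    current Exchange access state alone."""
    for r in local_rules:
        if r.matches(device):
            return r.action, f"local:{r.prop}={r.value}"
    for r in xdm_rules:
        if r.matches(device):
            return r.action, f"xdm:{r.prop}={r.value}"
    return default_action, "default"


# Constructed sample policy: block Windows Phone 8 devices outright, always
# allow the CEO's devices, block jailbroken devices, allow enrolled ones.
LOCAL_RULES = [LocalRule("device_type", "WP8", BLOCK),
               LocalRule("user", "ceo@example.com", ALLOW)]
XDM_RULES = [XdmRule("jailbroken", True, BLOCK),
             XdmRule("enrolled", True, ALLOW)]
DEFAULT_RULE = UNCHANGED

# Constructed sample devices (ids, users and agents are invented).
SAMPLE_DEVICES = [
    EasDevice("ApplDEV001", "iPad", "iOS/6.1.2", "alice@example.com",
              {"enrolled": True, "jailbroken": False}),
    EasDevice("WP8DEV002", "WP8", "MSFT-WP/8.0", "bob@example.com",
              {"enrolled": True}),
    EasDevice("ApplDEV003", "iPhone", "iOS/7.0.3", "carol@example.com",
              {"enrolled": True, "jailbroken": True}),
    EasDevice("ANDRDEV004", "Touchdown", "TouchDown-Android/7.0",
              "dave@example.com", {}),
    EasDevice("ApplDEV005", "iPad", "iOS/7.0.3", "ceo@example.com",
              {"enrolled": True, "jailbroken": True}),
]


def plan(devices=SAMPLE_DEVICES, local_rules=LOCAL_RULES,
         xdm_rules=XDM_RULES, default=DEFAULT_RULE):
    """Map each device id to the (action, reason) XMM would apply."""
    return {d.device_id: decide(d, local_rules, xdm_rules, default)
            for d in devices}


if __name__ == "__main__":
    for dev_id, (action, why) in plan().items():
        print(f"{dev_id:12} {action:10} ({why})")
```

Note that the CEO's jailbroken iPad is allowed only because the sample puts Local rules ahead of XDM rules; rule order decides which compliance signals can be overridden, so check it before trusting a Local allow rule.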
Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
Pre Nike Deployment – SSL Bridge [diagram: SSL from the device into the DMZ, SSL on to XM DM]
Nike Deployment – SSL Offload [diagram: SSL from the device into the DMZ, then on to XM DM]
Why change the deployment?
Obvious advantages:
  NetScaler becomes the de facto authentication point for all XenMobile traffic
  SSL Offload reduces load on XDM, and hence gives better scalability
NetScaler SSL Offload setup [diagram: XDM behind the DMZ; SSL Offload vServer 1 (HTTPS, Client Cert Auth enabled, inserts the Client Certificate in the HTTP Header) and a second SSL Offload vServer (No Client Auth), both forwarding HTTP to XDM]
What’s needed?
Two virtual servers: 443 and 8443
Bind one or more XDM services on HTTP (80)
Steps required for the SSL Offload (HTTPS – 443) virtual server:
  Bind both the Devices and Root CA certificates on the virtual server. This is important for iOS enrollment to work!
  Create an SSL Policy that only gets executed when a Client Cert is detected
  Configure NetScaler to insert the NSClientCert header. This is important for iOS enrollment to work!
SSL Offload option in NS GUI
SSL Offload configuration
LB vServer 1
  Type: SSL
  Incoming port: 443
  Configure and bind service: HTTP to the XDM server on port 80
  Install and bind a cert-key pair (for SSL)
  Configure Client Certificate Authentication (details on the next slide)
  Enable passing of the Client Certificate to XDM in HTTP headers (details in a further slide)
LB vServer 2
  Type: SSL
  Incoming port: 8443
  Configure and bind service: HTTP to the XDM server on port 80
  Install and bind a cert-key pair (for SSL)
Client Certificate Authentication on vServer 1
On LB vServer 1, enable Client Certificate Authentication
  Mark this certificate check as Optional
  The CA could be XDM or an external PKI
The next step is to install and bind the CA certificate(s) on NetScaler; these are required for validation of Client Certificates.
For XDM as CA: XDM has multiple CA certificates, of which we require the following:
  Intermediate CA for Devices
  Root CA of XDM
Certificates are available at C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
  cacerts.pem contains both certificates: the Root CA certificate representing XDM, and the Intermediate CA for the Device Certificate issuing CA
  These certificates will have to be converted from PKCS 12 format to PEM / DER
  These certificates need to be linked on NetScaler
Insert Client Certificate in HTTP Header
Create an SSL Policy
  Rule Expression: CLIENT.SSL.CLIENT_CERT.EXISTS
Create an SSL Action
  Client Certificate: ENABLED
  Certificate Tag: NSClientCert
Bind the SSL Action to the SSL Policy
Bind the SSL Policy to vServer 1
More details available here
NetScaler CLI Config
Vserver 1
> add server XDM <XDM_IP>
> add service HTTP_XDM XDM HTTP 80
> add lb vserver LB_VS_1 SSL <VIP_1> 443
> bind lb vserver LB_VS_1 HTTP_XDM
SSL Certificates
> add ssl certKey Devices-CA -cert Devices-CA.cer
> add ssl certKey Root-CA -cert Root-CA.cer
> bind ssl vserver LB_VS_1 -certkeyName wildcard-TrainingLab
> bind ssl vserver LB_VS_1 -certkeyName Devices-CA -CA
> bind ssl vserver LB_VS_1 -certkeyName Root-CA -CA
> link ssl certKey Devices-CA Root-CA
SSL Configuration
> set ssl vserver LB_VS_1 -clientAuth ENABLED -clientCert Optional
> add ssl action SSL-Action -clientCert ENABLED -certHeader NSClientCert
> add ssl policy SSL-Policy -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action SSL-Action
> bind ssl vserver LB_VS_1 -policyName SSL-Policy -priority 100
Vserver 2
> add lb vserver LB_VS_2 SSL <VIP_2> 8443
> bind lb vserver LB_VS_2 HTTP_XDM
> bind ssl vserver LB_VS_2 -certkeyName wildcard-TrainingLab
(<XDM_IP>, <VIP_1> and <VIP_2> are placeholders for the XDM server address and the two virtual server IPs, which the slides do not give. The wildcard-TrainingLab cert-key pair is the lab's server certificate and is assumed to have been installed with add ssl certKey beforehand.)
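The following is an added checker (not Citrix or NetScaler code) that reads a NetScaler running configuration as text and verifies that vServer 1 carries every setting the previous slides mark as required for iOS enrollment: optional client-certificate authentication, both CA certificates bound as CA certs and linked, and an SSL policy/action chain that inserts the NSClientCert header. The sample configuration is constructed from the CLI on the slides (IP addresses are invented), and the checklist itself is an assumption drawn from those slides.

```python
"""Lint a NetScaler config for the SSL Offload client-cert settings."""
import re

# Constructed sample config, built from the CLI on the slides; the server
# and virtual-server IP addresses are invented for this example.
SAMPLE_CONFIG = """
add server XDM 10.0.0.10
add service HTTP_XDM XDM HTTP 80
add lb vserver LB_VS_1 SSL 192.0.2.10 443
bind lb vserver LB_VS_1 HTTP_XDM
add ssl certKey Devices-CA -cert Devices-CA.cer
add ssl certKey Root-CA -cert Root-CA.cer
bind ssl vserver LB_VS_1 -certkeyName wildcard-TrainingLab
bind ssl vserver LB_VS_1 -certkeyName Devices-CA -CA
bind ssl vserver LB_VS_1 -certkeyName Root-CA -CA
link ssl certKey Devices-CA Root-CA
set ssl vserver LB_VS_1 -clientAuth ENABLED -clientCert Optional
add ssl action SSL-Action -clientCert ENABLED -certHeader NSClientCert
add ssl policy SSL-Policy -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action SSL-Action
bind ssl vserver LB_VS_1 -policyName SSL-Policy -priority 100
"""


def check_offload_vserver(cfg, vserver="LB_VS_1",
                          ca_names=("Devices-CA", "Root-CA"),
                          header="NSClientCert"):
    """Return a list of findings; an empty list means every required
    setting from the slides is present for the given vServer."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    vs, hdr = re.escape(vserver), re.escape(header)
    findings = []

    def present(pattern):
        rx = re.compile(pattern, re.IGNORECASE)
        return any(rx.search(l) for l in lines)

    # 1. Client certificate authentication enabled, and marked Optional so
    #    that non-certificate traffic (initial enrollment) still passes.
    if not present(rf"^set ssl vserver {vs}\b.*-clientAuth ENABLED\b"):
        findings.append("client certificate authentication not enabled")
    if not present(rf"^set ssl vserver {vs}\b.*-clientCert Optional\b"):
        findings.append("client certificate check is not Optional")

    # 2. Both the Devices CA and the Root CA bound as CA certificates.
    for ca in ca_names:
        if not present(rf"^bind ssl vserver {vs} -certkeyName {re.escape(ca)} -CA$"):
            findings.append(f"{ca} not bound as CA certificate")

    # 3. Intermediate (Devices) CA linked to the Root CA.
    if not present(rf"^link ssl certKey {re.escape(ca_names[0])} {re.escape(ca_names[1])}$"):
        findings.append(f"{ca_names[0]} not linked to {ca_names[1]}")

    # 4. SSL action inserts the header, a policy keyed on
    #    CLIENT.SSL.CLIENT_CERT.EXISTS uses it, and the policy is bound.
    action = policy = None
    for l in lines:
        m = re.match(rf"^add ssl action (\S+) .*-certHeader {hdr}\b", l, re.I)
        if m and re.search(r"-clientCert ENABLED\b", l, re.I):
            action = m.group(1)
    if action is None:
        findings.append(f"no SSL action inserts the {header} header")
        return findings
    for l in lines:
        m = re.match(r"^add ssl policy (\S+) -rule CLIENT\.SSL\.CLIENT_CERT\.EXISTS "
                     rf"-action {re.escape(action)}$", l, re.I)
        if m:
            policy = m.group(1)
    if policy is None:
        findings.append(f"no CLIENT_CERT.EXISTS policy uses action {action}")
    elif not present(rf"^bind ssl vserver {vs} -policyName {re.escape(policy)}\b"):
        findings.append(f"policy {policy} not bound to {vserver}")
    return findings


if __name__ == "__main__":
    print(check_offload_vserver(SAMPLE_CONFIG) or "all required settings present")
```

Run it against the output of `show running` from your own NetScaler to catch the most common cause of failed iOS enrollment through the offload vServer: a missing CA bind or a policy that was created but never bound.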
NetScaler SSL Offload patch for XDM
Copy the a_patch_860_9998.jar file to \XenMobile Device Manager\tomcat\webapps\[instance_name]\WEB-INF\lib (on all cluster nodes, in a clustered ZDM config)
Restart the XDM service
Browse to http://XDMURL/instance/help-patches.jsp and confirm the patch shows up under the 'in use' column of the resulting page
Module 4: Integrate XenMobile Device Manager with Microsoft PKI
PKI Definitions
PKI provides an infrastructure to:
  Identify: device identity certificates, APNs
  Encrypt: SSL encryption, APNs
  Digitally Sign: profile signatures
Certificate Authority: creates and publishes digital certificates to an entity (device, user, organization)
Registration Authority: brokers and verifies the request for a certificate from a user or device, and communicates with and validates the certificate authority
PKI is the basis for connectivity and authentication for MDM
XDM PKI Standalone
XDM CAs and Device ID Certificate
XDM and Microsoft Certificate Services
XDM leverages Microsoft Certificate Services Web Enrollment; it does not use SCEP.
The Windows server must be the Enterprise edition, as Standard does not work.
Create a Certificate Service Account
XDM will use a certificate to authenticate its connection to the MS Certificate Authority.
The certificate used will be tied to a user, which in this case will be the service account.
This protects the XDM connection from account deletion or disabling: for example, if an admin's own user account were disabled or deleted in Active Directory when the admin leaves the company.
This account needs no special rights. A standard AD user is sufficient.
Install Microsoft Certification Services
Sign in as the service account that will be running the CA
Ensure the service account is a local administrator
CA Type: Enterprise
Configure IIS for CA installation
Ensure both Client Cert Mapping and IIS Client Cert Mapping are checked
CA Configuration for Client Certificate
Create a certificate for the IIS https binding
IIS Authentication mode: enable Cert Based Authentication on /CertSrv home
Configure the SSL setting to accept Certificates
Create a certificate for the Service Account user:
  Create a User Template; on the Security tab, grant the Service Account user full control
  Request an SSL certificate for the Service Account user
  Install the requested certificate
  Export the certificate and private key
Disable Windows Auth to Test CA Connection
Uncheck Enable Integrated Windows Authentication.
Close and relaunch your browser
This tests the certificate that was created to authenticate with the CA
Test on the certificate server with the service account
You should be prompted to select a certificate
Do not proceed with configuration until this part works
Setup XDM CA Options
Import the user certificate for the Service Account
Service root URL: a trailing “/” at the end is needed
Configure Available Templates
Click New Template
Enter the name of the template created for this
Note: The template name is case sensitive
Configure Available Templates
If the wrong template is specified, the following errors are seen:
In the zdm.log file:
:37:03,736 [http-nio-443-exec-7] DEBUG com.sparus.nps.pki.connector.CertSrvResponseParser - Parsed CrtSrv response, found: error=true ReqId=null Message=Your request was denied. The disposition message is: "Denied by Policy Module 0x , The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: XDM User Template."
In the event viewer of the server running the Certificate Authority
Configure Available Templates
Select the server certificate you recently uploaded; in this case, administrator-user-cert.pfx
Define a Credential Provider
Name, Provider, and the Issuing Entity created in the previous step
Select SIGN and select the template you entered earlier.
Define a Credential Provider
Define key size: must be 2048
Subject Name: $user.username
Fill in the username and UPN. The UPN is used by Exchange, for example, to determine a user's rights to a mailbox.
Determine Distribution Method
Create iOS/Android Credential
Create an iOS/Android Credential
Select the credential provider and the MS CA provider you created.
Caveats
When creating a certificate template, Windows 2003 must be selected as the certificate template type. This is needed because Windows 2008 templates are not exposed via web enrollment due to changes in the MS CA. There is potentially a workaround by pointing to another enrollment.dll on the MS side, but that hasn't been explored.
Set CAS to Accept Certificates
Verify in the Exchange Management Console. The Basic authentication box should be checked if you want to allow both certificate and Windows based authentication.
Verify AD Client Certificates is Enabled
Connect to the CAS IIS Admin console and enable Client Cert Authentication
ActiveSync configured to accept Client Cert
Ensure Windows Authentication is Enabled
Access Configuration Editor
Select system.webServer -> Security -> authentication -> ClientCertificateMappingAuthentication
Enable CertificateMappingAuthentication
Configure iOS ActiveSync Profile
Configure iOS Deployment Package
Module 5: Learn Samsung KNOX and Amazon MDM Policies
What is Samsung KNOX
Dual persona approach for device, app, and data security
Samsung markets it as the most comprehensive mobile solution for work and play
KNOX compatible devices include:
  Samsung S4
  Samsung Note3
  Samsung Note 10.1 (2014 Edition)
XenMobile 8.6 KNOX Policies
Exchange ActiveSync for KNOX: Provision an EAS profile to the container
Browser Restrictions: Disable popups, cookies, auto-fill and Javascript
Silent App. Uninstall: Uninstalls apps that are provisioned to the container
Container Passcode: Protect apps in the container using a PIN code
App. Blacklisting: Blacklist apps and prevent users from launching these apps
Enterprise VPN: IPSec VPN policy for apps provisioned to the container
Lock Container: Admin can lock the container in case the device is lost or stolen
Unlock and Reset Passcode: Admin can unlock the container and reset the container passcode
Container Wipe: Admin can selectively wipe the KNOX container from the device
KNOX Icon on Device Home Screen
KNOX is an app on the device -> Log in to the container -> Access corporate apps
Amazon/XenMobile Integration
Silent Install/Uninstall: Install and uninstall apps without user intervention
Prevent App Uninstall: Prevent the user from uninstalling apps
Device Restrictions: Prevent use of Location Services; Factory Reset; Bluetooth; Turn Off Wi-Fi; App install from a non-Amazon app store
Prevent ShareFile Uninstall
Device Restrictions
Review
Module 1: Verify iOS 7 MDM Policies
  Configure and test some of the new iOS 7 restrictions policies
Module 2: Deploy XenMobile Mail Manager for ActiveSync Filtering
  Install XenMobile Mail Manager
  Configure and test XenMobile Mail Manager to filter ActiveSync traffic against Exchange Server 2010
Module 3: Integrate XenMobile Device Manager and NetScaler via SSL Offload
  Configure SSL Offload on NetScaler to load balance HTTP connections to the Device Manager server
  Verify that mobile devices (e.g. iOS/Android) can enroll successfully
Module 4: Integrate XenMobile Device Manager with Microsoft PKI
  Set up Client Certificate authentication on Windows
  Configure Client Certificate authentication with XenMobile Device Manager
  Configure Exchange Server 2010 for Client Certificate authentication
  Verify mobile devices can enroll, test Client Certificate authentication and access their mailbox
Module 5: Learn Samsung KNOX and Amazon MDM Policies
  Learn and configure new Samsung KNOX and Amazon MDM restriction policies