Transcript Document
XenMobile MDM Edition
Nike Training
Jared Engskow
December 2013

Agenda
• MDM 8.6 New Features
• MDM 8.6 Architecture Changes
• MDM 8.6 New Device Policies

© 2013 Citrix | Confidential – Do Not Distribute

MDM 8.6 New Features
Project Nike Theme: Remove Sales Blockers

New Key Features
• Single Device Agent
• iOS7 Related enhancements
• Amazon Device Support
• Samsung KNOX Container Enhancements
• Android Location Services Enhancements
• NetScaler SSL Offload Support for MDM

Single Device Agent
• iOS 7 Support
• Enrollment Support
• WorxStore Refresh
• Enhanced Auto-Discovery

iOS7 Related enhancements
• AirPlay / AirPrint profile
• Per-App VPN profile
• App Lock profile
• Restrictions profile
• SSO Account profile
• Web Content Filter profile
• WiFi profile
• App Attributes
• Personal Hotspot profile

Amazon Device Support
• Allow Non-Amazon Apps
• Allow Factory Reset
• Allow Profiles
• Allow Location Services
• Allow Social Networks
• Allow Bluetooth
• WiFi settings
• Allow cellular data
• Allow roaming data

Samsung KNOX
• Lock / Unlock secure container

Android Location Services
• Geo-fencing support
• Geo-tracking support

Device Manager SSL Offloading
• Relieves Processing Cycles
• Behind corporate Firewall
• Configured on NetScaler

MDM 8.6 Architecture Changes
Components, Functions

XenMobile 8.5 MDM Only Architecture
[Diagram labels: MDM, Mobile Enroll, NetScaler, WorxHome, DMZ]

XenMobile 8.6 MDM Only Architecture
[Diagram labels: MDM, WorxHome, NetScaler, DMZ]

Load Balancing MDM Servers with SSL Offloading
[Diagram labels: MDM Cluster, Load Balancer, MDM, WorxHome, MDM, NetScaler, SQL, DMZ]

SSL Offload option in NS GUI

NetScaler SSL Offload setup
[Diagram labels: HTTPS 443, SSL Offload vServer1, MDM, HTTP 80, WorxHome, NetScaler, HTTPS 8443, SSL Offload vServer2, DMZ]

SSL Offload configuration
• LB vServer 1
  ᵒ Type – SSL
  ᵒ Incoming port 443
  ᵒ Configure and Bind Service – HTTP to XDM Server on 80
  ᵒ Install and Bind a Cert-Key pair (for SSL)
  ᵒ Configure Client Certificate Authentication – details on next slide
  ᵒ Enable passing of Client Certificate to XDM, in HTTP Headers – details in further slide
• LB vServer 2
  ᵒ Type – SSL
  ᵒ Incoming port 8443
  ᵒ Configure and Bind Service – HTTP to XDM Server on 80
  ᵒ Install and Bind a Cert-Key pair (for SSL)

Client Certificate Authentication on vServer 1
• On LB vServer 1, enable Client Certificate Authentication
• Mark this certificate check as Optional
• CA could be XDM / external PKI vServer
• Next step is to install and bind the CA certificate(s) on NetScaler
  ᵒ required for validation of Client Certificates
  ᵒ For XDM as CA:
    • CA has multiple CA Certificates, of which we require the following:
      - Intermediate CA for Devices
      - Root CA of XDM
    • Certificates available at:
      - C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
      - cacerts.pm – Contains both certificates
      - Root CA Certificate representing XDM
      - Intermediate CA for Device Certificate issuing CA
      - These certificates will have to be converted from PKCS 12 format to PEM / DER
      - These certificates need to be linked on NetScaler

Insert Client Certificate in HTTP Header
• Create an SSL Policy
  ᵒ Rule Expression - CLIENT.SSL.CLIENT_CERT.EXISTS
• Create an SSL Action
  ᵒ Client Certificate – ENABLED
  ᵒ Certificate Tag – NSClientCert
• Bind SSL Action to SSL Policy
• Bind SSL Policy to vServer 1

MDM 8.6 New Device Policies
iOS7, Android, Amazon, Samsung KNOX

iOS 7 MDM Features

iOS 7 Restrictions

iOS 7 Wi-Fi and Personal Hotspot

iOS 7 VPN, App Specific VPN, App Specific VPN to App mapping
Specify multiple VPNs, allow Per App VPN.
Map each configuration with an App under app attributes.

iOS 7 Global HTTP Proxy
New flag in iOS7. If enabled, allows device to bypass the proxy server to display the login page for captive networks.
What are captive networks?

iOS 7 App Lock
App Lock feature allows administrator to restrict the device to only ONE app.
A number of additional restrictions have been added in iOS7.

iOS 7 AirPlay
The AirPlay feature allows streaming video and audio content wirelessly to Apple TV.
New (in iOS7) AirPlay payload allows device administrator to specify allowed AirPlay destinations.

iOS 7 AirPrint
New (in iOS7) AirPrint payload allows device administrator to specify AirPrint destinations so that the end user does not have to do this task.

iOS 7 Font
Install new Fonts.

iOS 7 SSO via Kerberos
SSO to (internal) URLs and Apps via Kerberos.

iOS 7 Web Content Filter
Allows management to specify blacklist and whitelist URLs and populate Bookmarks.

iOS 7 Cellular
Replaces the Access Point Name (APN) payload prior to iOS7. Similar functionality as APN.

iOS 7 App Configuration
“Dictionary content” has data about the configuration to be “pushed” to the application.

iOS 7 Organization Info
Administrator can enforce the organization information to be persisted on the device.

XenMobile MDM for Amazon
Feature | Description
Silent Install/UnInstall | Install and Uninstall Apps w/o user intervention
Prevent App UnInstall | Prevent user from uninstalling apps
Device Restrictions | Prevent use of: Location Services; Factory Reset; Bluetooth; Turn Off WiFi; App. install from Non Amazon app. store

XenMobile MDM for Amazon
[Screenshot labels: Device Level Restrictions; App Level Restriction (Uninstallation Allowed/Denied)]

Prevent ShareFile Uninstall

MDM for Android

What is Samsung KNOX
• Dual persona approach for device, app, and data security
• Samsung markets it as the most comprehensive mobile solution for work and play
• KNOX compatible devices include:
  ᵒ Samsung S4
  ᵒ Samsung Note3

XenMobile 8.6 MDM KNOX Policies
Use Case/Policy | Description
Exchange ActiveSync for KNOX | Provision EAS profile to the container
Browser Restrictions | Disable popup, cookies, auto-fill and JavaScript
Silent App. UnInstall | Uninstalls apps that are provisioned to the container
Container Passcode | Protect apps in container using a PIN code
App. Blacklisting | B/L apps and prevent users from launching these apps
Enterprise VPN | IPSec VPN policy for apps provisioned to the container
Lock Container | Admin can lock container in case the device is lost or stolen
Unlock and Reset Passcode | Admin can unlock container and reset container passcode
Container Wipe | Admin can selectively wipe KNOX container from device

Work better. Live better.
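
Added example (not part of the original deck): a Python audit that checks a saved NetScaler configuration against the vServer 1 checklist from the "SSL Offload configuration", "Client Certificate Authentication on vServer 1" and "Insert Client Certificate in HTTP Header" slides. The ns.conf command syntax, object names and IP addresses in the sample are assumptions constructed for illustration; the parser accepts either `-reqAction` or `-action` on the SSL policy.

```python
import shlex

# Constructed ns.conf excerpt: names, addresses and command syntax are assumptions.
SAMPLE_CONF = """\
add service svc_xdm 10.0.0.10 HTTP 80
add lb vserver vs_mdm_443 SSL 192.0.2.10 443
bind lb vserver vs_mdm_443 svc_xdm
set ssl vserver vs_mdm_443 -clientAuth ENABLED -clientCert Optional
add ssl action act_hdr -clientCert ENABLED -certHeader NSClientCert
add ssl policy pol_hdr -rule CLIENT.SSL.CLIENT_CERT.EXISTS -reqAction act_hdr
bind ssl vserver vs_mdm_443 -policyName pol_hdr -priority 100
bind ssl vserver vs_mdm_443 -certkeyName xdm_root_ca -CA
"""

def parse(conf):  # -> list of (positional words, {-option: value}), one per line
    cmds = []
    for line in conf.splitlines():
        pos, opts, toks = [], {}, shlex.split(line)
        while toks:
            tok = toks.pop(0)
            if not tok.startswith("-"):
                pos.append(tok)
            else:  # option; a bare flag such as -CA is stored as True
                opts[tok] = toks.pop(0) if toks and not toks[0].startswith("-") else True
        cmds.append((pos, opts))
    return cmds

def audit_vserver1(conf, vs):
    """Return the vServer 1 checklist items that `conf` does not satisfy for `vs`."""
    cmds = parse(conf)
    def rows(*head):  # (remaining words, options) of each command starting with head
        return [(p[len(head):], o) for p, o in cmds if tuple(p[:len(head)]) == head]
    http80 = {a[0] for a, _ in rows("add", "service") if a[2:4] == ["HTTP", "80"]}
    actions = {a[0] for a, o in rows("add", "ssl", "action") if a
               and o.get("-clientCert") == "ENABLED" and o.get("-certHeader") == "NSClientCert"}
    policies = {a[0] for a, o in rows("add", "ssl", "policy") if a
                and o.get("-rule") == "CLIENT.SSL.CLIENT_CERT.EXISTS"
                and (o.get("-reqAction") or o.get("-action")) in actions}
    binds, sets = ([o for a, o in rows(v, "ssl", "vserver") if a[:1] == [vs]] for v in ("bind", "set"))
    checks = {
        "SSL vserver on 443": any(a[:2] == [vs, "SSL"] and a[3:4] == ["443"]
                                  for a, _ in rows("add", "lb", "vserver")),
        "HTTP:80 service bound": any(a[:1] == [vs] and a[1:2] and a[1] in http80
                                     for a, _ in rows("bind", "lb", "vserver")),
        "client cert auth optional": any(o.get("-clientAuth") == "ENABLED"
                                         and o.get("-clientCert") == "Optional" for o in sets),
        "CA certificate bound": any(o.get("-CA") is True for o in binds),
        "NSClientCert policy bound": any(o.get("-policyName") in policies for o in binds),
    }
    return [name for name, ok in checks.items() if not ok]
```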