Citrix XenMobile Enterprise Edition - Amazon Web Services

Transcription

Citrix XenMobile Enterprise Edition
Claudio Mascaro, Senior Systems Engineer, BCD-Sintrag AG
Daniel Kuenzli, Senior Systems Engineer, Citrix Systems GmbH

Enterprise Mobility Management (EMM)
Productivity and Collaboration
Data Management
App Management
Device Management
2014 Citrix

Technical Preparation: Architecture

What’s new in XenMobile 9.0

New in XenMobile 9.0 - Platform
XDM cluster simplification
Expanded MDM support for Win 8.1 (Phone and Tablet)
Sony MDM extensions
Modified license files with Citrix v6 compatibility
Support options and TaaS Integration
NetScaler 10.5 – Simpler configuration for XenMobile

What’s new in XenMobile 9.0
Redesigned Worx Apps
WorxMail, WorxWeb, ShareFile, WorxNotes, WorxEdit, WorxDesktop
Simpler navigation
Fast triage
iOS background mode
Admin notification control
Server-side search (iOS)
Landscape/Portrait
Consistent look/feel
Offline page support
Download persistence
Secure EFSS
Secure notes
Mobile content editing
Team notebooks
SharePoint & network files
Email and calendar integration
Offline content edit
Review, comment and collaborate on documents
Secure VDI like access to physical desktop
Access work files and apps

9.0 MDX security enhancements
New containerization policies
  Prevent backup to iCloud
  Prevent file backup
  Block Airprint
  Block AirDrop/NFC
  Block Social Features
App screen is obscured when it goes to background

Infrastructure and Client Considerations

Key XenMobile Concepts
Enrollment considerations
WorxWeb SSO and Proxy considerations
WorxMail, STA, microVPN and Battery
Certificates and PKI
iOS 8 support considerations
Secrets Vault and User Entropy
SSL Settings on NetScaler and Troubleshooting

Enrollment
MDM, MAM, ADS, 2FA, SHP etc

Enrollment modes and mechanisms
Auto-discovery is easiest for user onboarding
  ADS security setting for public certificate trust (MITM protection)
  MAM only mode supported as well
UPN is recommended for user authentication
  Local users are available for MDM only, but not for MAM and Enterprise
  Explicit UPN gets away from implicit UPN complications
2-factor is available for both MDM and MAM authentication
  XenMobile generated OTP for MDM enrollment
  RADIUS OTP support for MAM authentication
Invitation URLs seem popular with customers
  Sent via SMS to user’s mobile number from AD
  Self-Help portal for user self-service enrollment

WorxWeb, Proxy and Topology

TYPICAL CLIENT INTERACTION - RECAP
Diagram labels: Gateway AuthN, Worx Home, Worx IPC, WorxMail, WorxWeb, Control flow, Data flow
Worx Home responsible for control flow and session ticket generation
  Responsible for full Gateway authentication at the NetScaler
Worx apps responsible for data flow with backend servers
  Only need valid session ticket to open connection to NetScaler (STA or NS AAAC)

WorxWeb deployment scenarios
Infrastructure
WorxWeb direct to web server
  "No-brainer"
  No advantage for external users
WorxWeb with mVPN tunnel
  WorxHome authenticates the tunnel
  User is logged on to the SSL VPN
  HTTPS from the client to the web server
  SSO possible only for HTTP
WorxWeb with SecureBrowse
  Rewriting on the client (overhead)
  SSO also possible for HTTPS

WorxWeb
Diagram labels: XM AppC, WorxHome, SSLVPN, DMZ, HTTPs 443
Logon at the vServer
Checking the policies
Establishing a tunnel
HTTP(S) connection goes from the client to the server

WorxWeb SSO
Diagram labels: XM AppC, WorxHome, SSLVPN, DMZ, HTTPs 443, HTTP40
With HTTPS, no SSO is possible
With HTTP, the CNS answers the SSO request
With HTTPS, the connection cannot be interrupted at the CNS

WorxWeb with SecureBrowse
SecureBrowse rewrites HTTP traffic on the client
  The URL http://sharepoint/huhu.html becomes

Yes - Strong proprietary encryption, on top of OS protection
If device stolen:
  1st hurdle - Jailbreak device and access KeyChain
  2nd hurdle - Identify the right element in keychain for attack
  3rd hurdle - Secrets Vault appears to be a meaningless blob