The latest version of XenMobile has these new features and improvements:
- Workspace Hub Device Management
- Apple TV management
- Access XenMobile Tools throughout the XenMobile console
- Support for COSU Android for Work devices
- New Restrictions device policy setting for Android for Work
- Bulk provisioning of Windows 10 devices
- Delivery optimization for Windows 10 updates
- App lock device policy for Windows Desktops and Tablets
- Device Guard information in device status
- Block a VPN connection by using a Network Access Control (NAC) filter
- Fixed issues in this release
Workspace Hub device management
XenMobile can manage Citrix Ready workspace hub devices. Although you’re able to deploy a Citrix Ready workspace hub without XenMobile management, use cases exist where you might want to enroll devices within XenMobile. If you’re already a Citrix customer, it might be easier to manage devices in a familiar environment. You can also remotely manage many devices and perform actions such as full wipes or restarts. For more information on security actions, see Security Actions.
To use a Citrix Ready workspace hub, add the device to the Device Whitelist table in the XenMobile Console. There are two methods for adding devices to the table.
To add a device manually
In the XenMobile console, navigate to Manage > Devices.
Click Device Whitelist at the top.
Click Add. On the page that opens, type the following information.
- Device platform: Select Workspace Hub or Windows.
- Device ID Type: Select the method to identify devices. Options are IMEI, Serial No, MAC address, or Hardware ID.
- Device ID: Type the appropriate identifier you selected previously.
- Associated User: User to associate with the device. This user can be a Local user or LDAP user already configured in XenMobile Server. You can enter user names directly or search for them in the Search for user box. If you enter user names manually, use the format user@domain.com or domain.com\username depending on your LDAP settings.
- Select domain: Select the domain to use when searching for users.
- Search for user: Type the user name you want to associate with this device and click Search. Select the user from the result box below and it displays in the Associated User box.
Click Save. The device is added to the table.
To import or export devices in bulk
In the XenMobile console, navigate to Manage > Devices. Click Device Whitelist and then click Import.
Click Download to download a .csv template for importing devices. The columns in the file are the same as the fields in the previous workflow.
Fill out the form and save it. When finished, click Choose File and select the template.
Click Import. All of the devices in the template file are added to the table.
To export the list of devices for editing, click Export.
To manage Citrix Ready workspace hub devices
To view and manage Citrix Ready workspace hub devices after enrollment, navigate to Manage > Devices. The Devices table appears. Select Workspace Hub on the left to see the newly enrolled device. Choose the device, and then click Edit to view and confirm the device details.
When you select the check box next to a device, the options menu appears above the device list. When you click anywhere else in the list, the options menu appears on the right side of the listing.
The General page lists device Identifiers, such as the serial number, ActiveSync ID, and other information for the platform type. For Device Ownership, select Corporate or BYOD.
The General page also lists device Security properties, such as Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type.
The Properties page lists the device properties that XenMobile is to provision. This list shows any device properties included in the provisioning file used to add the device.
The remaining Device Details sections contain summary information for the device.
Assigned Policies: Displays the number of assigned policies including the number of deployed, pending, and failed policies. Provides the policy name, type and last deployed information for each policy.
Apps: Displays the apps that are installed, pending, or failed.
Delivery Groups: Displays the number of successful, pending, and failed delivery groups. For each deployment, provides the delivery group name and deployment time.
App Configuration device policy
Use the App Configuration device policy to deploy the Citrix Receiver configuration to Citrix Ready workspace hub devices. Go to Configure > Device Policies, add the App Configuration policy, and, under Platforms, select Workspace Hub. Configure the following Workspace Hub settings:
- Connection Mode: Select Citrix Receiver.
- Connection Name: Type a descriptive name for your connection.
- Connection Target: Type a URL to load upon connection.
Some apps might require extra parameters to function. For each configuration parameter you want to add, click Add and then do the following:
- Parameter name: Type the key name of an application setting for the Citrix Ready workspace hub device.
- Value: Type the value for the specified parameter.
After you complete the configuration, choose delivery groups. For more information, see Add a device policy.
To deploy and update apps for Citrix workspace hub
Because Citrix workspace hub devices only allow for a single file to be deployed and updated, first package all of your apps into a single Squash FS file.
For more information on creating a Squash FS file, see http://tldp.org/HOWTO/SquashFS-HOWTO/creatingandusing.html.
Note: When creating the file, ensure that you output an .img file.
In your XenMobile Server, navigate to Configure > Apps and click Add. Click Enterprise.
Type a name and description for your app, and then deselect all platforms except Workspace Hub. Click Next.
On the Workspace Hub Enterprise App page, click Upload. Navigate to the .img file you created previously and click Open.
Click Next. The Approvals page does not function for Citrix workspace hub.
Click Next. The Delivery Group Assignment page appears.
Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.
Note: Apps are always delivered to the device assigned to the delivery group. Whether or not the app is optional or required doesn’t change that behavior because there is no store for Citrix workspace hub devices.
Click Save.
After the apps upload to XenMobile, Citrix workspace hub devices receive the update when restarted.
Apple TV management
You can now enroll Apple TVs in XenMobile as part of the Apple Device Enrollment Program (DEP). As part of this enrollment, users can perform these actions:
- Configure DEP enrollment
- Configure and push the Restrictions policy
- Wipe, revoke, and restart an enrolled Apple TV device
Prerequisites
- Apple DEP account connected to XenMobile. For information on creating an Apple DEP account and connecting it to XenMobile, see Deploying iOS Devices through Apple DEP.
- Apple TV devices are DEP devices.
To configure your Apple TV settings
Follow the steps at Deploying iOS Devices through Apple DEP to assign your Apple TVs to your XenMobile Server.
In the XenMobile console, navigate to Settings > Apple Device Enrollment Program.
On the page that opens, under Settings, select Apple TV. Configure the following settings:
- Require device enrollment: Prevents users from skipping enrollment.
- Require Credentials for device enrollment: Challenges for credentials during enrollment. When this setting is off, Apple TV gets enrolled as the default “Device Enrollment Program user”.
- Wait for configuration to complete setup: The device waits in the Setup Assistant screen until all resources deploy.
- Supervised mode: Gives more capability to the administrator while configuring restrictions.
- Allow enrollment profile removal: Allows users to remove the enrollment profiles.
- Allow device pairing: Allows devices enrolled through the Device Enrollment Program to be managed through Apple tools, such as iTunes and the Apple Configurator.
Under Setup Assistant Options, select Apple TV and select the setup screens you want to skip during the Apple TV Enrollment.
Click Save.
In your server, navigate to Configure > Device Policy. Click Add and select the Restrictions device policy.
Under Platforms, select TV OS and configure the restrictions you want to apply:
- Security and Media Settings – Allow
- Passcode on first AirPlay pairing: Require that AirPlay-enabled devices are verified with a one-time onscreen code before they can use AirPlay (iOS 7.0 and later).
- Explicit sexual content in iBooks: Allow explicit material to be downloaded from iBooks (iOS 6.0 and later).
- Explicit music, podcasts, and iTunes U material: Allow explicit material on users’ devices.
- In-app purchases: Allow users to make in-app purchases.
- Require iTunes password for purchases: Require a password for in-app purchases. The default is to restrict this feature, which means no password is required for in-app purchases (iOS 5.0 and later).
- Supervised only settings – Allow
- Device name modification: Allow users to change the name of their device.
- Allow pairing with Apple TV Remote app: Allow users to pair their device with the Apple TV Remote app.
- Siri profanity filter: Enable the Siri profanity filter. The default is to restrict this feature, which means no profanity filtering is done. For more information about Siri and security, see Siri and dictation policies.
- Enable AirPlay: Allow users to stream content or mirror their iOS device’s screen on this device.
- Restricted App usage: Allow users to use all apps or to use or not use apps, based on the bundle IDs you provide. Applies only to supervised devices.
After you configure the Restrictions device policy to block some apps and then deploy the policy: If you later want to allow some or all of those apps, changing and deploying the Restrictions device policy doesn’t change the restrictions. In this case, iOS doesn’t apply the changes to the iOS profile.
If you change this setting to Only allow some apps: Before deploying this policy, advise users of devices enrolled using Apple DEP to sign in to their Apple accounts from the Setup Assistant. Otherwise, users might have to disable two-factor authentication on their devices to sign in to their Apple accounts and access allowed apps.
- Policy Settings
- Next to Remove policy, click either Select date or Duration until removal (in hours).
- If you click Select date, click the calendar to select the specific date for removal.
- In the Allow user to remove policy list, click Always, Password required, or Never.
- If you click Password required, next to Removal password, type the necessary password.
Click Next and save the policy.
Security actions
After an Apple TV enrolls in XenMobile, administrators can perform security actions on the device. To perform a security action, do the following:
- In your server, navigate to Manage > Devices.
- Select the device you want to manage and click Secure. A popup appears with possible actions.
- Revoke: Removes device management.
- Full Wipe: Wipes the device completely. All the policies and apps installed are lost when this action is performed.
- Restart: Restarts the device.
Access XenMobile Tools throughout the XenMobile console
XenMobile now includes links to XenMobile Tools from the places in the XenMobile console where you need each tool:
- XenMobile Analyzer:
- Why you need it: Identify and triage potential issues with your deployment.
- Where you can access it: Manage > Devices page and Manage > Users page.
- APNs Portal:
- Why you need it: Submit a request to Citrix to sign an APNs certificate, which you then submit to Apple.
- Where you can access it: Settings > Certificates page and certificate configuration pages.
- MDX Service:
- Why you need it: Wraps apps that you can then manage by using XenMobile.
- Where you can access it: Configure > Apps page and the Add App pages.
Support for COSU Android for Work devices
XenMobile now supports the management of corporate owned single use (COSU) Android for Work devices. COSU devices fulfill a single use case, such as digital signage, ticket printing, or inventory management. Administrators restrict these devices to one app or small set of apps. Administrators also prevent users from enabling other apps or performing other actions on the device.
To provision COSU devices:
- Add a role-based access control (RBAC) role that allows XenMobile administrators to enroll COSU devices in your XenMobile deployment. The role is new in this release of XenMobile Server. Assign this role to the users whom you want to enroll COSU devices.
- Add an enrollment profile for XenMobile administrators that you allow to enroll COSU devices to your XenMobile deployment.
- Whitelist the app or apps you want the COSU device to access.
- Optionally, set the whitelisted app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.
System requirements
Support for enrolling Android COSU devices begins with Android 6.0.
Add the COSU role
The RBAC role for enrolling COSU devices enables XenMobile to silently provision and activate a managed Google Play account on the device. Unlike managed Google Play user accounts, these device accounts identify a device that is not tied to a user.
You assign this RBAC role to XenMobile administrators to enable them to enroll COSU devices.
To add the RBAC role for COSU devices:
In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.
Click Role-Based Access Control. The Role-Based Access Control page appears, which displays the four default user roles, plus any roles you have previously added.
Click Add. The Add Role page appears.
Enter the following information.
- RBAC name: Enter COSU or other descriptive name for the role. You cannot change the name of a role.
- RBAC template: Choose the ADMIN template.
- Authorized access: Select Admin console access and COSU devices enroller.
- Console features: Select Devices.
- Apply permissions: Select the groups to which you want to apply the COSU role. If you click To specific user groups, a list of groups appears from which you can select one or more groups.
Click Next. The Assignment page appears.
Enter the following information to assign the role to user groups.
- Select domain: In the list, click a domain.
- Include user groups: Click Search to see a list of all available groups. Or, type a full or partial group name to limit the list to only groups with that name.
- In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.
Click Save.
Add a COSU enrollment profile
When your XenMobile deployment includes COSU devices, a single XenMobile administrator or small group of administrators enroll many COSU devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. Assign this profile to a delivery group containing the administrators who enroll COSU devices. That way, even if the default Global profile has a limited number of devices allowed per user, administrators can enroll an unlimited number of devices. Those administrators must be in the COSU enrollment profile.
Go to Configure > Enrollment Profiles. The default Global profile appears.
To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Ensure that number of devices that members with this profile can enroll is set to unlimited.
Click Next. The Delivery Group Assignment screen appears.
Choose the delivery group or delivery groups containing the administrators who enroll COSU devices. Then click Save.
The Enrollment Profile page appears with the profile you added.
Whitelist apps and set lock task mode
The Kiosk device policy lets you whitelist apps and set lock task mode. By default, Secure Hub and Google Play services are whitelisted.
To add the Kiosk policy:
In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.
Click Add. The Add a New Policy dialog box appears.
Expand More and then, under Security, click Kiosk. The Kiosk Policy page appears.
Under Platforms, select Android for Work.
In the Policy Information pane, type the Policy Name and an optional Description.
Click Next and then click Add.
To whitelist an app and allow or deny lock task mode for that app:
Select the app you want to whitelist from the list.
Choose Allow to set the app to be pinned to the device screen when open. Choose Deny to set the app not to be pinned. Default is Allow.
Click Save.
To whitelist another app and allow or deny lock task mode for that app, click Add.
Configure deployment rules and choose delivery groups. For more information, see Add a device policy.
New Restrictions device policy setting for Android for Work
XenMobile lets you set a restriction policy to allow users to place work profile app widgets on the device home screen. Support for this policy begins with Android 5.0. We have added the setting, Allow work profile app widgets on home screen.
To set whether users can place work profile app widgets on the device home screen:
Go to Configure > Device Policies and add a Restrictions device policy.
Under Platforms, select Android for Work.
Set Allow work profile app widgets on home screen. If this setting is On, users can place work profile app widgets on the device home screen. If this setting is Off, users cannot place work profile app widgets on the device home screen. Default is Off. (Android 5.0 and later)
If you set Allow work profile app widgets on home screen to On: Select an app whose widgets you want to allow on the home screen from the list. Click Save. Repeat these steps for all the apps whose widgets you want to allow.
Click Next.
Configure deployment rules and choose delivery groups. For more information, see Add a device policy.
Bulk provisioning of Windows 10 devices
XenMobile supports bulk enrollment of Windows 10 devices. With bulk enrollment, you can set up many devices for an MDM server to manage without the need to reimage devices. You can use the provisioning package for bulk enrollment for Windows 10 desktop devices. Follow these steps to set up and perform bulk enrollment.
Before running bulk enrollment, ensure that all devices are assigned to the correct end-user. Perform this assignment by registering the devices per user or by performing a bulk import of devices.
To assign devices
In your XenMobile Server console, navigate to Manage > Device Whitelist.
To add each device manually, click Add.
Type the following information:
- Device platform: Select Windows.
- Hardware ID Type: Select an ID to use to identify the device. Options are IMEI, Serial No, MAC address, and Hardware ID.
- Hardware ID: Type the identification selected previously for the device.
- Associated User: Type the associated user for this device.
Click Save.
To add devices in bulk, click Import.
Click Download to download a template for the device whitelist. Fill out that template using the previous descriptions, and then upload the file using Choose File and Import.
To bulk enroll devices
In your XenMobile Server console, navigate to Settings > Windows Bulk Enrollment.
In the UPN box, type a valid user name to deploy to all devices.
Click Save.
To bulk provision devices, download the Windows Configuration Designer from the Microsoft Store. The Windows Configuration Designer creates provisioning packages used to image devices. As part of these packages, you can include XenMobile bulk enrollment configuration settings so that devices automatically enroll into XenMobile.
For information on configuring the tool, building a provisioning package, and installing a provisioning package, see https://docs.microsoft.com/en-us/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool. For information on including XenMobile bulk enrollment configuration settings, see the section Create and apply a provisioning package for on-premises authentication in that document.
Delivery optimization for Windows 10 updates
Delivery optimization is a peer-to-peer client update service provided by Microsoft for Windows 10 updates. The goal of delivery optimization is to reduce bandwidth issues during the update process. Bandwidth reduction is achieved by sharing the downloading task among multiple devices. For more information, see the Microsoft article, Configure Delivery Optimization for Windows 10 updates.
The Control OS Update device policy for supervised Windows 10 Desktops and Tablets now includes delivery optimization settings. You can manage delivery optimization settings for desktops and tablets running Windows 10 version 1607.
To configure delivery optimization settings, go to Configure > Device Policies and add or edit the Control OS Updates policy.
Configure these settings:
- Configure delivery optimization: Whether to use delivery optimization for Windows 10 Updates. Default is Off.
- Cache size: The maximum size of the delivery optimization cache. A value of 0 means an unlimited cache. Default is 10 GB.
- Allow VPN peer caching: Whether to allow devices to participate in peer caching when connected to the domain network through VPN. When On, the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. Default is Off.
- Download method: The download method that delivery optimization can use for downloads of Windows Updates, app, and app updates. Default is HTTP blended with peering behind the same NAT. Options are:
- HTTP only, no peering: Disables peer-to-peer caching but allows delivery optimization to download content from Windows Update servers or Windows Server Update Services (WSUS) servers.
- HTTP blended with peering behind the same NAT: Enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempt to connect to other peers on the same network by using their private subnet IP.
- HTTP blended with peering across a private group: Automatically selects a group based on the device Active Directory Domain Services (AD DS) site or the domain the device authenticates to. Selection based on AD DS is for Windows 10, version 1607. Selection based on domain is for Windows 10, version 1511. Peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices.
- HTTP blended with Internet peering: Enable Internet peer sources for Delivery Optimization.
- Simple download mode with no peering: Disable the use of Delivery Optimization cloud services. Delivery Optimization switches to this mode automatically during these conditions: When the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching.
- Do not use Delivery Optimization and use BITS instead: Enables clients to use BranchCache. For more information, see the Microsoft article, BranchCache.
- Max download bandwidth: The maximum download bandwidth in KB/second. Default is 0, which means dynamic bandwidth adjustment.
- Percentage of maximum download bandwidth: The maximum download bandwidth that delivery optimization can use across all concurrent download activities. The value is a percentage of the available download bandwidth. Default is 0, which means dynamic adjustment.
- Max upload bandwidth: The maximum upload bandwidth in KB/second. Default is 0. A value of 0 means unlimited bandwidth.
- Monthly upload data cap: The maximum size in GB that delivery optimization can upload to Internet peers in each calendar month. Default is 20 GB. A value of 0 means unlimited monthly uploads.
App lock device policy for Windows Desktops and Tablets
You can create an App Lock device policy that defines the list of blacklisted and whitelisted apps on managed Windows Desktops and tablets. You can allow or block executables, MSI installers, store apps, DLLs, and scripts.
Prerequisites
- In Windows, configure rules in the Local Security Policy editor on a Windows 10 Desktop running Windows 10 Enterprise or Education.
- Export the policy XML file. Citrix recommends that you create Default rules in Windows to avoid locking the default configuration or causing issues on devices.
- Then, upload the XML file to XenMobile. For more information about creating rules, see this Microsoft article: https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-overview
To configure and export the policy XML file from Windows
Important
When configuring the policy XML file through the Windows policy editor, use Audit Only mode.
- On the Windows computer, start the Local Security Policy editor. Click Start, type local security policy and then click Local Security Policy.
- In the console tree, click Computer Configuration > Windows Settings > Security Settings and then expand Application Control Policies.
- Click AppLocker and then in the center pane, click Configure rule enforcement.
- Select Enforce rules. When you enable a rule, Enforce rules is the default.
- You can create Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules. To do so, right-click the folder and then click Create New Rule.
- Right-click AppLocker, click Export Policy, and then save the XML file.
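A pre-upload check for the exported policy XML, added here as an example and not part of Citrix's documentation or tooling. It enforces the two recommendations above (every rule collection in Audit Only mode, and default allow rules for the Windows and Program Files folders present for executables) and assumes the standard AppLockerPolicy/RuleCollection/FilePathRule layout of an exported policy; the embedded policy and its rule IDs are constructed placeholders, not a real export.

```python
import xml.etree.ElementTree as ET
from typing import List

# Paths that the editor's "Default Rules" allow; their presence is used as a
# proxy for "default rules were created" (assumption: path-based default rules).
DEFAULT_RULE_PATHS = {"%WINDIR%\\*", "%PROGRAMFILES%\\*"}


def check_applocker_policy(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the file is safe to upload."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "AppLockerPolicy":
        return [f"root element is <{root.tag}>, expected <AppLockerPolicy>"]

    collections = root.findall("RuleCollection")
    if not collections:
        # An empty policy is what the page uses to stop applying App Lock; flag it
        # so it is never uploaded by accident in place of a real rule set.
        findings.append("no RuleCollection elements: empty policy (stops applying App Lock)")

    for coll in collections:
        ctype = coll.get("Type", "?")
        mode = coll.get("EnforcementMode", "NotConfigured")
        if mode != "AuditOnly":
            findings.append(f"{ctype}: EnforcementMode is {mode}, expected AuditOnly")

        # Collect every path that an Allow rule in this collection covers.
        allowed_paths = {
            fpc.get("Path", "").upper()
            for rule in coll.findall("FilePathRule") if rule.get("Action") == "Allow"
            for fpc in rule.iter("FilePathCondition")
        }
        missing = DEFAULT_RULE_PATHS - allowed_paths
        if ctype == "Exe" and missing:  # locking out Windows/Program Files breaks devices
            findings.append(f"{ctype}: no allow rule for {sorted(missing)}; "
                            "default Windows/Program Files rules are missing")
    return findings


# Constructed sample: an Exe collection in AuditOnly mode with the two default
# allow rules, plus a Script collection that was left in Enabled mode.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Block scripts in Downloads" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\\Users\\*\\Downloads\\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""


if __name__ == "__main__":
    for finding in check_applocker_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```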
To stop applying an App Lock policy
After you deploy an App Lock policy in XenMobile: To stop applying that App Lock policy, create an empty XML file. Then, create another App Lock policy, upload the file, and deploy the policy. Devices that have an App Lock enabled are not affected. Devices receiving the policy for the first time do not have the App Lock policy in place.
Device Guard information in device status
XenMobile now supports showing Device Guard information in device status. When editing a device, you can now add the following properties:
- LSA Configuration Flags: Displays the status for the Local System Authority credential guard. Possible values are as follows:
- 0 – Running
- 1 – Reboot required
- 2 – Not licensed for Credential Guard
- 3 – Not configured
- 4 – VBS not running
- VBS Hardware Requirement Status: Displays the status for virtualization-based security hardware requirements. Possible values are as follows:
- 0x0 – System meets hardware configuration requirements
- 0x1 – SecureBoot required
- 0x2 – DMA Protection required
- 0x4 – HyperV not supported for Guest VM
- 0x8 – HyperV feature is not available
- VBS Status: Displays the status for virtualization-based security.
- 0 – Running
- 1 – Reboot required
- 2 – 64 bit architecture required
- 3 – not licensed
- 4 – not configured
- 5 – System doesn’t meet hardware requirements
- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
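A decoder for the three Device Guard properties above, added here as an example and not part of Citrix's code. It treats VBS Hardware Requirement Status as a bitmask (assumption based on the hex flag values above being distinct bits, so several can be set at once), treats the other two fields as the plain enumerations listed, and derives the one verdict a reviewer wants from device status: whether Credential Guard is actually protecting the device. The sample device readings are constructed.

```python
from typing import List, Tuple

LSA_FLAGS = {
    0: "Running",
    1: "Reboot required",
    2: "Not licensed for Credential Guard",
    3: "Not configured",
    4: "VBS not running",
}
VBS_STATUS = {
    0: "Running",
    1: "Reboot required",
    2: "64 bit architecture required",
    3: "not licensed",
    4: "not configured",
    5: "System doesn't meet hardware requirements",
    42: "Other. Event logs in Microsoft-Windows-DeviceGuard have more details",
}
VBS_HW_BITS = {
    0x1: "SecureBoot required",
    0x2: "DMA Protection required",
    0x4: "HyperV not supported for Guest VM",
    0x8: "HyperV feature is not available",
}


def decode_hw_requirements(value: int) -> List[str]:
    """Return every unmet hardware requirement encoded in the bitmask.
    0x0 means the system meets the requirements; bits not listed on the page
    are reported rather than silently ignored."""
    unmet = [name for bit, name in VBS_HW_BITS.items() if value & bit]
    leftover = value & ~sum(VBS_HW_BITS)
    if leftover:
        unmet.append(f"unknown requirement bits 0x{leftover:x}")
    return unmet


def credential_guard_effective(lsa: int, vbs: int, hw: int) -> Tuple[bool, List[str]]:
    """Credential Guard protects LSA secrets only when LSA reports Running, VBS
    reports Running and no hardware requirement is unmet. Returns the verdict and
    the human-readable reasons when it is not effective."""
    reasons: List[str] = []
    if hw != 0:
        reasons += decode_hw_requirements(hw)
    if vbs != 0:
        reasons.append("VBS: " + VBS_STATUS.get(vbs, f"unrecognised status {vbs}"))
    if lsa != 0:
        reasons.append("Credential Guard: " + LSA_FLAGS.get(lsa, f"unrecognised flag {lsa}"))
    return (not reasons), reasons


# Constructed sample readings (LSA Configuration Flags, VBS Status, VBS HW Requirement Status).
SAMPLE_DEVICES = {
    "laptop-01": (0, 0, 0x0),  # healthy
    "laptop-02": (4, 5, 0x3),  # VBS not running: Secure Boot and DMA protection missing
    "laptop-03": (1, 1, 0x0),  # configured, reboot pending
}

if __name__ == "__main__":
    for name, (lsa, vbs, hw) in SAMPLE_DEVICES.items():
        ok, why = credential_guard_effective(lsa, vbs, hw)
        print(name, "protected" if ok else "NOT protected", why)
```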
Block a VPN connection by using a Network Access Control (NAC) filter
Through policy settings in NetScaler, XenMobile supports Network Access Control (NAC) as an endpoint security feature for iOS devices. You can enable a NAC filter to block a VPN connection for devices that have non-compliant apps installed. When the VPN connection is blocked, the user cannot access any apps or websites through VPN.
For example, in the App Access Policy, you identify a particular app as Forbidden, or blacklisted. A user installs that app. When the user opens Citrix SSO and tries to connect to the VPN, the connection is blocked. The following error appears: Error while processing request. Contact your administrator.
The configuration requires that you update NetScaler policies to support NAC. In the XenMobile console, you enable NAC filters. You must also deploy the VPN device policy. For this feature to work on devices, users install the Citrix SSO VPN client from the Apple store.
The NAC filters supported are:
- Anonymous Devices
- Forbidden Apps
- Inactive Devices
- Missing Required Apps
- Non-Suggested Apps
- Noncompliant Password
- Out of Compliance Devices
- Revoked Status
- Rooted Android and Jailbroken iOS Devices
- Unmanaged Devices
Prerequisites
- NetScaler 12
- Update NetScaler policies to support NAC, as described in this section.
- XenMobile Server 10.18.2
- Enable NAC filters as described in this section.
- Deploy the VPN device policy.
- Citrix SSO VPN client 1.0.1 installed on devices from the Apple store
To update the NetScaler policies to support NAC
The authentication and VPN session policies you configure must be advanced policies. On your VPN virtual server from a console window, do the following. The IP addresses in the commands and examples are fictitious.
Remove and unbind all classic policies if you are using classic policies on your VPN virtual server. To check, type:
show vpn vserver <VPN_VServer>
You need to remove any result that contains the word Classic. For example:
VPN Session Policy Name: PL_OS_10.10.1.1 Type: Classic Priority: 0
To remove the policy, type:
unbind vpn vserver <VPN_VServer> -policy <policy_name>
Create the corresponding advanced session policy by typing the following.
add vpn sessionPolicy <policy_name> <rule> <session action>
For example:
add vpn sessionPolicy vpn_nac true AC_OS_10.10.1.1_A_
Bind the policy to your VPN virtual server by typing the following.
bind vpn vserver _XM_XenMobileGateway -policy vpn_nac -priority 100
Create an authentication virtual server by typing the following.
add authentication vserver <authentication vserver name> <service type> <ip address>
For example:
add authentication vserver authvs SSL 0.0.0.0
In the example, 0.0.0.0 means that the authentication virtual server is not public facing.
Bind an SSL certificate with the virtual server by typing the following.
bind ssl vserver <authentication vserver name> -certkeyName <Webserver certificate>
For example:
bind ssl vserver authvs -certkeyName Star_mpg_citrix.pfx_CERT_KEY
Associate an authentication profile to the authentication virtual server from the VPN virtual server. First, create the authentication profile by typing the following.
add authentication authnProfile <profile name> -authnVsName <authentication vserver name>
For example:
add authentication authnProfile xm_nac_prof -authnVsName authvs
Associate the authentication profile with the VPN virtual server by typing the following.
set vpn vserver <vpn vserver name> -authnProfile <authn profile name>
For example:
set vpn vserver _XM_XenMobileGateway -authnProfile xm_nac_prof
Check the connection from NetScaler to a device by typing the following.
curl -v -k https://<XenMobile Server>:4443/Citrix/Device/v1/Check --header "X-Citrix-VPN-Device-ID: deviceid_<device_id>"
For example:
curl -v -k https://10.10.1.1:4443/Citrix/Device/v1/Check --header "X-Citrix-VPN-Device-ID: deviceid_7"
You should see output similar to the following example.
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Citrix-Device-State: Non Compliant
< Set-Cookie: ACNODEID=181311111;Path=/; HttpOnly; Secure
When the preceding step is successful, create the web authentication action to XenMobile. First, create a policy expression to extract the device ID from the iOS VPN plug-in. Type the following.
add policy expression xm_deviceid_expression "HTTP.REQ.BODY(10000).TYPECAST_NVLIST_T('=','&').VALUE(\"deviceidvalue\")"
Send the request to XenMobile by typing the following.
add authentication webAuthAction xm_nac -serverIP 10.10.1.1 -serverPort 4443 -fullReqExpr q{"GET /Citrix/Device/v1/Check HTTP/1.1\r\n" + "Host: 10.200.60.80:4443\r\n" + "X-Citrix-VPN-Device-ID: " + xm_deviceid_expression + "\r\n\r\n"} -scheme https -successRule "HTTP.RES.STATUS.EQ(\"200\") && HTTP.RES.HEADER(\"X-Citrix-Device-State\").EQ(\"Compliant\")"
The successful output for the XenMobile NAC check is HTTP status 200 OK, and the X-Citrix-Device-State header must have the value Compliant.
Create an authentication policy with which to associate the action by typing the following.
add authentication Policy <policy name> -rule <rule> -action <web auth action>
For example:
add authentication Policy xm_nac_webauth_pol -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NAC\")" -action xm_nac
Convert the existing LDAP policy to an advanced policy by typing the following.
add authentication Policy <policy_name> -rule <rule> -action <LDAP action name>
For example:
add authentication Policy ldap_xm_test_pol -rule true -action 10.10.1.1_LDAP
Add a policy label with which to associate the LDAP policy by typing the following.
add authentication policylabel <policy_label_name>
For example:
add authentication policylabel ldap_pol_label
Associate the LDAP policy to the policy label by typing the following.
bind authentication policylabel ldap_pol_label -policyName ldap_xm_test_pol -priority 100 -gotoPriorityExpression NEXT
Connect a compliant device to do a NAC test to confirm successful LDAP authentication. Type the following.
bind authentication vserver <authentication vserver> -policy <webauth policy> -priority 100 -nextFactor <ldap policy label> -gotoPriorityExpression END
Add the login schema (the UI) to associate with the authentication virtual server. Type the following command, which retrieves the device ID.
add authentication loginSchemaPolicy <schema policy> -rule <rule> -action lschema_single_factor_deviceid
Bind the authentication virtual server by typing the following.
bind authentication vserver authvs -policy lschema_xm_nac_pol -priority 100 -gotoPriorityExpression END
Create an LDAP advanced authentication policy to enable the Secure Hub connection. Type the following.
add authentication Policy ldap_xm_test_pol -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NAC\").NOT" -action 10.200.80.60_LDAP
bind authentication vserver authvs -policy ldap_xm_test_pol -priority 110 -gotoPriorityExpression NEXT
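The NAC decision that the web authentication action above makes, modelled offline as an added example (this is not Citrix or NetScaler code). It mirrors the page's pieces: the device ID is taken from a name=value request body as the xm_deviceid_expression does, the raw check request matches the -fullReqExpr, and the verdict applies the -successRule to the response seen in the curl output. Assumptions: the body field is named deviceidvalue as in the expression, and the sample request body and responses are constructed.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

XM_SERVER = "10.10.1.1"  # fictitious, as on the page
XM_PORT = 4443


def extract_device_id(body: str) -> Optional[str]:
    """Equivalent of HTTP.REQ.BODY(...).TYPECAST_NVLIST_T('=','&').VALUE("deviceidvalue"):
    treat the body as a name=value list split on '&' and return deviceidvalue."""
    values = parse_qs(body, keep_blank_values=True).get("deviceidvalue")
    return values[0] if values else None


def build_check_request(device_id: str) -> str:
    """Render the raw HTTP request that the -fullReqExpr sends to XenMobile."""
    return (
        "GET /Citrix/Device/v1/Check HTTP/1.1\r\n"
        f"Host: {XM_SERVER}:{XM_PORT}\r\n"
        f"X-Citrix-VPN-Device-ID: {device_id}\r\n\r\n"
    )


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse the status code and headers from the head of an HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers


def nac_success_rule(status: int, headers: Dict[str, str]) -> bool:
    """-successRule: HTTP.RES.STATUS.EQ("200") && HTTP.RES.HEADER("X-Citrix-Device-State").EQ("Compliant").
    The value comparison is exact: 'Non Compliant' or a missing header fails the
    rule, and the VPN connection is blocked."""
    return status == 200 and headers.get("x-citrix-device-state") == "Compliant"


def vpn_allowed(request_body: str, xm_response: str) -> bool:
    """Full decision: no device ID means the device cannot be checked, so it is blocked."""
    device_id = extract_device_id(request_body)
    if device_id is None:
        return False
    status, headers = parse_response(xm_response)
    return nac_success_rule(status, headers)


# Constructed sample exchange: the body the iOS VPN plug-in posts, and the
# XenMobile reply shown in the curl output on the page (a Non Compliant device).
SAMPLE_BODY = "username=alice&deviceidvalue=deviceid_7"
SAMPLE_NONCOMPLIANT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Citrix-Device-State: Non Compliant\r\n"
    "Set-Cookie: ACNODEID=181311111;Path=/; HttpOnly; Secure\r\n\r\n"
)
SAMPLE_COMPLIANT = SAMPLE_NONCOMPLIANT.replace("Non Compliant", "Compliant")

if __name__ == "__main__":
    print(build_check_request(extract_device_id(SAMPLE_BODY) or ""))
    print("non-compliant device allowed:", vpn_allowed(SAMPLE_BODY, SAMPLE_NONCOMPLIANT))
    print("compliant device allowed:", vpn_allowed(SAMPLE_BODY, SAMPLE_COMPLIANT))
```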
To enable NAC filters in the XenMobile console
- Go to Settings > Network Access Control.
- Next to Set as not compliant, select the filters that you want to enable for detection and then click Save.
To configure the VPN device policy to support NAC
In the VPN policy settings for iOS:
- The Connection type of Custom SSL is required for configuring the NAC filter.
- Specify a Connection name of VPN.
- For Custom SSL identifier, type com.citrix.NetScalerGateway.ios.app
- For Provider bundle identifier, type com.citrix.NetScalerGateway.ios.app.vpnplugin
The Custom SSL identifier and Provider bundle identifier values are taken from the required Citrix SSO 1.0.1 installation for NAC filtering. Note that you do not configure an authentication password.
The following figure shows the required VPN settings.
Fixed issues in this release
Users who have an administrator account on XenMobile, and then are provisioned for XenMobile Service (cloud), can’t enroll a device.
On the Manage > Devices page: Sorting by Operating system version doesn’t result in a correctly ordered list.