Citrix XenMobile – Before you get started!
Citrix XenMobile, before you get started. Although this might sound boring, I assure you that you'll thank me when you truly get started.
In this article I'll guide you through every step you'll have to take before you start implementing Citrix XenMobile. There are several great "getting started" articles available that show you how to run the first-run wizards of Citrix XenMobile and NetScaler. Although these will lead you through the initial setup phase and help you get the XenMobile console and network connections up and running, that does not mean the solution is delivered to your end users.
Before you start implementing Citrix XenMobile you need to be aware of some of the less technical requirements and the associated initial and recurring costs.
These requirements are related to Mobile Device Management in general and are not XenMobile specific.
Make sure to have all of this in place before you do anything else, as missing any of it will definitely delay your project!
- Developer accounts
- Certificates
- Auto Discovery actions
- DNS Registrations
- Network connections
Costs
When implementing Enterprise Mobility Management you need to be able to prove your company's identity to your users, their devices and their device vendors. This process requires SSL certificates and device-vendor-specific developer accounts. The requirements are explained in detail later on in this article. The following table shows the associated yearly costs and an estimation of the time needed for processing the application.
Description | Price | Time |
---|---|---|
Apple Developer Account | $299 | 1 week |
Dun & Bradstreet number | $0 | 2 weeks |
Microsoft Developer Account | $99 | 1 week |
Symantec Enterprise Certificate | $299 | 1 week |
Wildcard SSL Domain Certificate | $595 | 2 days |
Standard SSL Certificate (Windows Phone specific) | $175 | 2 days |
Total yearly costs and total duration | $1467 | 2 weeks |
Any device
To be able to fully manage and deploy (wrap) applications to any device we need developer accounts from the vendors of these devices. This process will take both time and money. By doing this before starting your project you won’t be bothered and delayed while implementing Citrix XenMobile, or any other Enterprise Mobility Management vendor.
Apple
To completely manage Apple devices with Citrix XenMobile you'll need an Apple Enterprise Developer account. You'll need this account to be able to sign Worx applications like WorxMail and to re-wrap third-party applications for secure delivery.
To register for an Apple Enterprise Developer Account your company needs to be listed with a D-U-N-S number from Dun & Bradstreet. Apple only allows the use of the top-level D-U-N-S number of your organization. To find out if your company is already registered with Dun & Bradstreet you can search for your company in their database at https://mycredit.dnb.com/search-for-duns-number/.
If you want to find out what that number is, your CEO or CFO is most likely able to retrieve it. If your company is not registered for a Dun & Bradstreet D-U-N-S number you can register for one at http://www.dnb.com/; this will take up to a week to process.
Now that we know the D-U-N-S number we can register for an Apple Enterprise developer account. After submitting all your company and personal information Apple will start the validation process. This will take anywhere from a day to a couple of weeks depending on the information provided.
Apple Push Notification Certificate (APN)
The process of creating an APN is fairly easy and is described in detail by Robin Hobo here, so I'll only cover the basic steps.
- Create a certificate signing request (CSR).
- Upload the CSR to Citrix for vendor signing. This process has changed since Robin published his article: Citrix simplified it by creating a signing website.
- Upload the signed CSR (plist file format) to Apple for final APN signing (link).
- Complete the certificate request in IIS by importing the .cer file downloaded from Apple.
- With the complete certificate now in place, export the certificate from IIS in PFX format and import it into XenMobile.
Microsoft
To completely manage Microsoft Windows Phone devices with Citrix XenMobile you’ll need a Microsoft Company developer account.
To register for a Microsoft Company developer account you need a Symantec Enterprise certificate.
Certificates
A Citrix XenMobile solution consists of two external entry points:
1) Mobile Device Management (Reverse Proxy / SSL Offload VIP), e.g. mdm.domain.com
2) Mobile Application Management (Citrix NetScaler Gateway, which could or should be combined with XenApp/XenDesktop), e.g. citrix.domain.com
Both entry points need an SSL Certificate from a trusted certificate provider. I always use Digicert because of their great community support and flexible pricing. If you need a certificate I can get you a 25% discount, just drop me an e-mail!
The easiest way to do this is to order a wildcard certificate, but single-domain certificates will also work; you just need two.
If you want users to auto-configure and enroll for Mobile Device Management on a Microsoft Windows Phone you'll need a third, non-wildcard, publicly signed certificate for "enterpriseenrollment.domain.com".
Auto discovery
Auto discovery enables a user to completely configure Citrix XenMobile with nothing more than their own e-mail address. The Worx Home application strips the domain part from the e-mail address (which technically is, of course, the userPrincipalName) and uses a DNS query to auto-discover the server names and configuration.
To enable auto discovery you have to open a support call with Citrix and supply Citrix with the following information:
- The external domain name used by users (the part after the @ in the e-mail address)
- The Fully Qualified Domain Name of the XenMobile implementation, e.g. mdm.domain.com
- The XenMobile instance name, by default zdm (case sensitive)
- The user ID type, UPN or e-mail
- Ports used; leave them at their defaults please!
Specifically for Windows Phone, you'll need to provide Citrix with the enterpriseenrollment.domain.com certificate and private key. Don't forget to give Citrix the PEM password for extraction of the private key. Technically your domain wildcard certificate would work as well, but I hope you agree that sharing the private key of a wildcard certificate is not a good idea.
DNS Registration
Citrix XenMobile needs at least two DNS records; if you need to implement Citrix ShareFile as well, you'll need a third DNS record.
- mdm.domain.com (Mobile Device Management)
- citrix.domain.com (Mobile Application Management, likely to be shared with Citrix XenApp and/or XenDesktop)
- sharefile.domain.com
Specifically for Microsoft Windows Phone auto discovery, a CNAME record is required.
- enterpriseenrollment.domain.com to autodisc.zc.zenprise.com
Connections
Citrix XenMobile needs at least two external IP addresses; if you need to implement Citrix ShareFile as well, you'll need a third external IP address.
- mdm.domain.com
- citrix.domain.com
- sharefile.domain.com
Considering the new functionality in the Citrix NetScaler E release, where we are able to add a Content Switch in front of Citrix NetScaler Gateway instances, we should be able to get this down to a single external IP address in the near future.
Item | Destination IP | Port |
---|---|---|
mdm.domain.com | mdm.domain.com (IP) | 443 |
mdm.domain.com | mdm.domain.com (IP) | 8443 |
citrix.domain.com | citrix.domain.com (IP) | 443 |
sharefile.domain.com | sharefile.domain.com (IP) | 443 |
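As an added preflight check (example code written for this article, not the author's or Citrix's own tooling), the script below validates a constructed DNS, certificate and firewall inventory for domain.com against the records, certificates and ports listed in the Certificates, DNS Registration and Connections sections. It enforces two details that are easy to get wrong: a wildcard certificate only covers one label (so *.domain.com covers mdm.domain.com but nothing deeper), and enterpriseenrollment.domain.com must have its own non-wildcard certificate because that private key leaves your hands.

```python
AUTODISC_TARGET = "autodisc.zc.zenprise.com"   # CNAME target from the article

def cert_covers(name, cert_names):
    """True if a name on the certificate covers `name`. A wildcard
    (*.domain.com) matches exactly one label, so it covers mdm.domain.com
    but not a.b.domain.com or the bare domain.com."""
    name = name.lower()
    for cn in (n.lower() for n in cert_names):
        if cn.startswith("*."):
            suffix = cn[1:]                      # ".domain.com"
            label = name[:-len(suffix)]          # what the * would stand for
            if name.endswith(suffix) and label and "." not in label:
                return True
        elif cn == name:
            return True
    return False

def preflight(domain, dns, certs, rules, sharefile=True):
    """dns: FQDN -> (type, value); certs: name list per public certificate;
    rules: set of (FQDN, port) allowed inbound. Returns a list of findings."""
    findings = []
    hosts = {"mdm": [443, 8443], "citrix": [443]}
    if sharefile:
        hosts["sharefile"] = [443]
    for label, ports in hosts.items():
        fqdn = f"{label}.{domain}"
        if dns.get(fqdn, ("",))[0] != "A":
            findings.append(f"{fqdn}: missing A record")
        if not any(cert_covers(fqdn, names) for names in certs):
            findings.append(f"{fqdn}: no public certificate covers it")
        for port in ports:
            if (fqdn, port) not in rules:
                findings.append(f"{fqdn}: TCP {port} not allowed inbound")
    enroll = f"enterpriseenrollment.{domain}"
    if dns.get(enroll) != ("CNAME", AUTODISC_TARGET):
        findings.append(f"{enroll}: CNAME must point to {AUTODISC_TARGET}")
    # Windows Phone enrolment gets its own non-wildcard certificate because
    # that private key is handed to Citrix; the wildcard key must stay private.
    if not any(enroll in n and not any(x.startswith("*.") for x in n) for n in certs):
        findings.append(f"{enroll}: needs a dedicated non-wildcard certificate")
    return findings

# Constructed sample inventory for domain.com (TEST-NET-3 addresses).
DNS = {"mdm.domain.com": ("A", "203.0.113.10"),
       "citrix.domain.com": ("A", "203.0.113.11"),
       "sharefile.domain.com": ("A", "203.0.113.12"),
       "enterpriseenrollment.domain.com": ("CNAME", AUTODISC_TARGET)}
CERTS = [["*.domain.com"], ["enterpriseenrollment.domain.com"]]
RULES = {("mdm.domain.com", 443), ("mdm.domain.com", 8443),
         ("citrix.domain.com", 443), ("sharefile.domain.com", 443)}
```

Running `preflight("domain.com", DNS, CERTS, RULES)` on the sample inventory returns an empty list; remove the 8443 rule or the CNAME and the corresponding finding appears.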
Service accounts
To be able to authenticate users, Citrix XenMobile and NetScaler need an Active Directory service account for browsing Active Directory.
Service account | Description |
---|---|
Citrix XenMobile LDAP | |
Citrix NetScaler LDAP | Could be combined with XenMobile LDAP |
If you have any questions, improvements or other information, please use the comments section.
Other items: SQL database. Service account for SQL database access. Terms & Conditions PDF document. Login credentials to citrix.com to download licenses. Google account for browsing Google Play. Certificates on domain controllers for LDAPS (recommended). AD groups for role-based access control. If integrating with Microsoft CA, you need a cert template, service account, and signing cert.
NetScaler has its own set of prerequisites. So does StoreFront (XenApp/XenDesktop).
We are currently looking into XenMobile for implementation at our company in hopes of using it under our ideas around and hopeful implementation of BYOD by the end of the year. We are also interested in ShareFile, and I was wondering if you were aware how that ties into XenMobile from a licensing/cost standpoint. I saw the information you provided above on pricing and thought you or someone else checking out this page may be able to clear that up for me. For the most part I have been using this site as well as the link mentioned below as I have been completing my research. Thanks Barry, for all the great content, this has been a huge value add for me and my company!
– Levi
http://techfusioncbt.com/citrix-netscaler-vpx-mpx-sdx-networking-network/citrix-xenmobile-mdm-citrix-mobile-device-management-mdm/