XenMobile 10.7 and 10.8 Installation and Configuration Step By Step Guide

XenMobile can be deployed on-premises or in Citrix Cloud. This post covers the installation and configuration steps for XenMobile 10.7/10.8 to provide enterprise mobility management for iOS, Android and other devices. XenMobile has two main components, MDM (mobile device management) and MAM (mobile application management); both run on the same XenMobile server.

Pre-Requisites / Infrastructure Details for XenMobile

  1. MDM URL: mdm.sslab.com (it should be the same as the hostname of the XenMobile 10.7 appliance)
  2. MAM URL: mam.sslab.com (this will be configured in the Netscaler settings on the XenMobile server)
  3. XenMobile appliance IPs: Server 1 – 192.168.1.168, Server 2 – 192.168.1.169
  4. Three free virtual IPs for Netscaler configuration:
    Virtual IP 1: 192.168.1.165 (mam.sslab.com) – MAM gateway
    Virtual IP 2: 192.168.1.166 (MAM load balancer) – MAM load balancer
    Virtual IP 3: 192.168.1.167 (mdm.sslab.com) – MDM load balancer
  5. DNS records created in the DNS server or Netscaler for the MAM and MDM URLs. The internal MAM URL can also point to the .166 IP.
    192.168.1.165 (mam.sslab.com)
    192.168.1.167 (mdm.sslab.com)
  6. Public IPs and public DNS records:
    Public IP 1 – NAT to – 192.168.1.165 (mam.sslab.com)
    Public IP 2 – NAT to – 192.168.1.167 (mdm.sslab.com)
  7. DNS A records: mam.sslab.com – Public IP 1, mdm.sslab.com – Public IP 2.
  8. LDAP server IP and domain user name for LDAP policy configuration: nsldap@sslab.com
  9. Wildcard certificate or separate certificates for the MAM and MDM URLs: SSLAB_WILDCARD (SAN certificate not supported)
  10. Apple APNS certificate
  11. Google Play – requires a Gmail account.
  12. APNS, Google Play, Windows Store communication – firewall ports and URL access
  13. Auto discovery TXT record to be created in public DNS for the domain, detailed steps listed here.

Note: Refer to ports and URL access here https://docs.citrix.com/en-us/xenmobile/server/system-requirements/ports.html

Apple APNS Certificate for XenMobile Creation

An APNS certificate is required to manage iOS devices from XenMobile. This post covers the detailed steps to create an Apple APNS certificate for XenMobile. All you need is an account with Apple and one with Citrix.

Pre-requisites for APNS certificate:

  1. Netscaler or a Windows server with IIS installed for APNS certificate CSR creation.
  2. My Citrix account to sign the CSR from Citrix.
  3. Apple Account for submitting and downloading APNS Certificate.

Note: Step 1 and part of Step 3 can also be done on a Windows server using IIS – create the CSR and complete the certificate request on the same Windows server.

Step 1: Create Key file & CSR from Netscaler

Navigate to Traffic Management – SSL – SSL files – keys

Select Create RSA Key

  • Provide Key file name
  • Key size: 2048 Bits
  • Public Exponent value: F4
  • Key format : PEM
  • Algorithm : DES3
  • Provide a PEM passphrase; it is required when completing and exporting the certificate request

Select CSR tab – Click Create CSR

Provide the CSR file name, browse to the key file created above, and provide the details as shown below. The common name can be the MDM URL name.

Download the CSR as shown below.

Step 2: Sign the CSR from Citrix

Log in to https://tools.xm.cloud.com/ or https://xenmobiletools.citrix.com with your My Citrix credentials.

Select Request push notification certificate signature.

Select Upload CSR and select the CSR file created in Step 1

Click Sign; the CSR is signed and a .plist file is downloaded.

Step 3: APNS certificate Generation from Apple portal

Click on the Apple certificate request portal as shown below.

Log in to the portal using your Apple ID.

Click on Create a Certificate

Accept the terms

Select Choose File and upload the .plist file – click Upload

Download the certificate once done.

Step 4: Complete APNS certificate request and Create APNS pfx file

The steps below complete the certificate request.

Navigate to Traffic Management – SSL – Certificates – Server Certificates – click Install

  • Provide Name: MDM_APNS
  • Certificate File Name: PEM file downloaded from the Apple site.
  • Key file: RSA key file created in Step 1
  • Password: password given for the key file in Step 1.

The certificate can be found under client certificates as shown below.

The APNS certificate is needed on the XenMobile server; it is not required on Netscaler. So we need it in PFX format to import into the XenMobile server.

Select SSL and click on Export Certificate

  • Provide a name for the PFX file
  • Certificate file name: PEM file installed above.
  • Key file: key file created in Step 1
  • Export password: this will be used to import into the XenMobile server.
  • PEM passphrase: key file password given in Step 1.

The PFX file will be created on the Netscaler.

Click on Manage Key Files and download the PFX file

Select the PFX file and download it. This will be imported into the XenMobile server.
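
The post builds the key, CSR and PFX in the Netscaler GUI; as an added example (not from the original post), the same Step 1 to Step 4 artifacts can be cross-checked with OpenSSL before the PFX is imported into XenMobile. It assumes an OpenSSL command line is available; the file names, passphrases and the self-signed certificate standing in for Apple's PEM are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSL cross-check of the
# Step 1-4 artifacts. File names, passphrases and the self-signed stand-in
# certificate are constructed for the demo.
set -eu

# Step 1 equivalent: 2048-bit RSA key, PEM, 3DES-encrypted, plus the CSR.
# 65537 (F4) is OpenSSL's default public exponent. The passphrase comes from
# $KEY_PASS so it never appears on a command line.
make_key_and_csr() {   # $1 = key out, $2 = CSR out
    openssl genrsa -des3 -passout env:KEY_PASS -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -passin env:KEY_PASS \
        -subj "/CN=mdm.sslab.com" -out "$2"
}

# Constructed stand-in for the PEM that Apple returns in Step 3.
make_standin_cert() {  # $1 = key, $2 = CSR, $3 = cert out
    openssl x509 -req -in "$2" -signkey "$1" -passin env:KEY_PASS \
        -days 365 -out "$3" 2>/dev/null
}

# Step 4 pre-check: the certificate must carry the public half of the key.
key_matches_cert() {   # $1 = key, $2 = cert
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ]
}

# Step 4 export: refuse to build a PFX from a mismatched pair.
export_pfx() {         # $1 = key, $2 = cert, $3 = PFX out
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -passin env:KEY_PASS -in "$2" \
        -name MDM_APNS -passout env:EXPORT_PASS -out "$3"
}

# Confirm the PFX opens with the export password; print the cert's end date.
pfx_expiry() {         # $1 = PFX
    openssl pkcs12 -in "$1" -passin env:EXPORT_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -enddate
}

KEY_PASS='constructed-key-pass'
EXPORT_PASS='constructed-export-pass'
export KEY_PASS EXPORT_PASS
work=$(mktemp -d)
make_key_and_csr  "$work/apns.key" "$work/apns.csr"
make_standin_cert "$work/apns.key" "$work/apns.csr" "$work/apns.pem"
export_pfx        "$work/apns.key" "$work/apns.pem" "$work/apns.pfx"
pfx_expiry        "$work/apns.pfx"
```

With real files, skip the two make_* calls and point export_pfx at the Step 1 key and the PEM downloaded from Apple; a mismatch means the PEM was issued for a different CSR.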

XenMobile 10.7 Register VM & Initial Configuration

Pre-Requisites for XenMobile server

1. MDM URL: mdm.sslab.com (it should be the same as the XenMobile hostname provided in the Netscaler config)
2. MAM URL: mam.sslab.com (this will be the Netscaler Gateway for the MAM URL)
3. XenMobile appliance IPs:
Server 1 – 192.168.1.168
Server 2 – 192.168.1.169
4. DNS records created in the DNS server for mam.sslab.com pointing to the MAM gateway VIP in Netscaler
mam.sslab.com – 192.168.1.165
Note: if you don’t host the external domain in your internal DNS server, you can create local host records on the XenMobile server. Will cover in this post.
5. LDAP server IP and domain user name for LDAP policy configuration: nsldap@sslab.com
6. Wildcard certificate for the MDM URL (SSL Listener): SSLAB_WILDCARD
7. APNS certificate – Click here for APNS certificate creation steps
8. Google Play – requires a Gmail account
9. APNS, Google Play, Windows Store communication – firewall ports and URL access
Refer to ports and URL access here https://docs.citrix.com/en-us/xenmobile/server/system-requirements/ports.html

Note: to keep the pre-reqs simple, these are for the XenMobile implementation only; review the Netscaler pre-reqs as well to get the complete picture.

Download Media

Log in to Citrix with your My Citrix account and download the necessary media as shown below.

Download the XenMobile server media for your hypervisor.

Download the iOS and Android MDX files.

Deploy XenMobile Server with OVA file

Log in to your ESXi host or vCenter and register the VM – select Register VM with OVA file

Select the OVA file as shown below and provide a name for the XenMobile server.

Select datastore.

Select Network and Next

Review and finish

The VM will be registered as shown below.

XenMobile Appliance First Time Configuration

Once the VM is registered, power it on. The first thing to do is provide the admin user and password for the XenMobile appliance console.

Provide the IP, netmask, gateway and DNS servers as shown below and press Y to commit changes.

Upgrade: press N then Enter

Encryption: press Y then Enter (it will generate a random passphrase)

FIPS mode: press N then Enter

  • Provide the hostname: mdm.sslab.com (this is the MDM URL)
  • Commit changes: Y
  • Communication ports: leave all defaults unless a change is required. Press Enter to accept each default.
  • Commit changes: Y

Note: during this installation, pressing Enter accepts the default value shown; if you enter a different value, that value is used.

Instance Name: leave the default and press Enter. Don’t change this value; if it is changed, users need to enter it manually while enrolling.

Commit changes: Y

Password for certificate of the PKI: press Y, provide a password and confirm. Commit changes: Y

This user account is for GUI admin access; leave administrator as the user, provide a password and commit changes.

It will take a while to complete all the configurations, then it will show the login prompt as below. This means we are done with the basic config. The admin URL is shown as below; it is https://IP:4443, in my case https://192.168.1.168:4443

XenMobile Server Set Firewall Ports & Time Zone

The last thing to do in the console is to set the time zone and enable the firewall ports of XenMobile.

Log in to the console with admin/password-for-admin

Select 0 and press Enter

Select 2 for firewall

Leave all defaults, press Y and Enter as shown below

Now we are back at the main menu: go to System (2)

Select 2 for time zone

Provide the time zone as shown below and press Y for the system to apply the changes and restart.

XenMobile Server GUI Initial Configuration

Once the firewall ports are opened, open the admin console at https://IP:4443 and log in with the administrator account.

Note: even if some details are not available at this point, they can be configured later under the Settings section.

Click Start

Click Next, Licensing can be configured later.

We need to import the APNS and mdm.sslab.com certificates. Click Import

Select Keystore, PKCS#12, SSL Listener, the mdm.sslab.com certificate and its password to import. In my case the certificate is a wildcard.

Wildcard certificate creation steps

OK to import

Now we need to import the APNS certificate as shown below. Select APNS, the certificate file and password, and import.

Steps to create the APNS certificate are listed here

Click OK to import.

As shown below, the APNS certificate and SSL Listener certificate are installed; click Next

Provide the Netscaler gateway details for MAM and click Next

  • Name: Netscaler
  • URL: https://mam.sslab.com

Provide the LDAP details as shown below.

  • Type: Microsoft AD
  • Primary server: primary DC
  • Secondary server: secondary DC
  • Domain alias: sslab.com
  • Provide the domain user name and credentials
  • User search by: select sAMAccountName or UPN as per your requirement. This should be the same everywhere (XenMobile, Netscaler)

Provide Exchange server details for SMTP; if it is secured, select authentication and provide the user name and password for SMTP relay. You need to add the XenMobile server IP to the Exchange connector for relay.

Review and finish.

XenMobile Post Installation Configuration

All the initial configuration can also be done under Settings; if you missed something because some information was not available, you can do it here as shown below.

Now we will do the actual configuration for XenMobile.

XenMobile Enable Worx PIN

Worx PIN simplifies a lot of things but is disabled by default. It can be enabled as shown below. You then enter this 6-digit PIN instead of user name and password every time.

Click on Settings – Client Properties

The two settings shown below need to be enabled; if you want to allow Touch ID, also enable Touch ID by editing it to true.

Edit the property and set true in the value section

Do the same for the other settings as well. Use true

These settings will enable the Worx PIN

XenMobile Device policies Creation

The easy way to do things is from left to right in the config window, starting with device policies.

Click Add to add the necessary device policy.

Click Scheduling; this is required for Android.

Provide a name; on the left select only the devices that you want to manage in your organization, in my case only Android. Unselect the others – Next

Select Always and Next

Review and finish.

In a similar way, create a passcode policy, which will allow only mobiles with the specified passcode strength to enroll.

Select Passcode

Provide a name.

Click ON and set the minimum length to 4 or 6.

On the left select only the devices you want to manage, in my case only iOS and Android.

Review and Next

You might be interested in location and app inventory policies also; create those in a similar way.

XenMobile Applications

The next step is to add applications; it can be with MDX files, public apps or any other type.

For MDX apps, open the extracted downloaded MDX files for Android and iOS as shown below.

MDX Secure Mail

Under Apps – click Add

Select MDX

Provide a name and select the OS which you manage on the left – Next

Browse to the iOS Secure Mail MDX file

Leave everything default and scroll down to provide Exchange details

Provide the mail server and domain as shown below. The domain short name is the same as given for the LDAP config.

Similarly browse to the MDX file for Android and scroll down

Provide the Exchange server OWA URL and domain name.

Review and save.

MDX Secure Web App

Similarly select MDX and create Secure Web as well. Provide a name and Next

Import the MDX file for iOS and Android; a specific URL can be provided as the home page as shown below.

If required, create approvals for app installation and Next

Click Save.

Adding Public App (Receiver) in XenMobile

We can also add a public app in XenMobile. For Android we need to configure the Google Play credentials as shown below.

All you need is a Gmail account configured on an Android mobile. Provide the Gmail user name, password and Android mobile device ID.

Note: there is an app called Device ID that you install on your mobile; the device ID is the Google Services Framework ID

Click on Add apps – select Public apps

Provide a name

Search for the app name, in our case Receiver.

Select Receiver, review and Next

Do the same for all other platforms as shown below.

Save to finish.

Review all the apps and add all the necessary MDX apps

XenMobile Actions

Actions are very useful; create them only if required. In my case I wanted to block an app named VPN

Provide a name

Select the name VPN as shown below and all the actions are listed.

In my case I am wiping the device.

Next

Review and save.

XenMobile Enrollment profile creation

Enrollment profiles control how many devices a user can enroll. Click Add

Provide the name and specify the number of devices a user can enroll. You can have multiple profiles for multiple user groups.

Save.

XenMobile User Delivery group Creation

The last thing is to create a delivery group. An active group is needed for creating the delivery group.

Provide a display name

Select the domain, provide a name to search and select the group as shown below.

Now pull in all the necessary policies to be applied to these users as shown below.

Policies are selected.

Drag all the required apps to the Required field and to Optional as needed. Optional apps will not install automatically; they need to be selected for installation by the user.

Apps selected as shown below.

If you have media, select it, else Next

Select actions

Next

Select the enrollment profile and Next

Review the complete delivery group settings and finish

The delivery group is created.

Now the XenMobile installation and configuration is completed.

Netscaler Configuration for XenMobile 10.x

What will the Netscaler wizard do?

1. It will create the XenMobile MAM gateway and necessary policies.
2. It will load balance MAM services on the XenMobile servers.
3. It will load balance MDM services on the XenMobile servers.

Pre-requisites for Netscaler configuration.

  1. MDM URL: mdm.sslab.com (it should be the same as the hostname of the XenMobile 10.7 appliance)
  2. MAM URL: mam.sslab.com (this will be configured in the Netscaler settings on the XenMobile server)
  3. XenMobile appliance IPs: Server 1 – 192.168.1.168, Server 2 – 192.168.1.169
  4. Three free virtual IPs for Netscaler configuration:
    Virtual IP 1: 192.168.1.165 (mam.sslab.com) – MAM gateway
    Virtual IP 2: 192.168.1.166 (MAM load balancer) – MAM load balancer
    Virtual IP 3: 192.168.1.167 (mdm.sslab.com) – MDM load balancer
  5. DNS records created in the DNS server or Netscaler for the MAM and MDM URLs. The internal MAM URL can also point to the .166 IP.
    192.168.1.165 (mam.sslab.com)
    192.168.1.167 (mdm.sslab.com)
  6. Public IPs and public DNS records:
    Public IP 1 – NAT to – 192.168.1.165 (mam.sslab.com)
    Public IP 2 – NAT to – 192.168.1.167 (mdm.sslab.com)
  7. DNS A records: mam.sslab.com – Public IP 1, mdm.sslab.com – Public IP 2.
  8. LDAP server IP and domain user name for LDAP policy configuration: nsldap@sslab.com
  9. Wildcard certificate or separate certificates for the MAM and MDM URLs: SSLAB_WILDCARD (SAN certificate not supported)

Click here for Wild card certificate CSR and installation steps

Netscaler Configuration for XenMobile 10.7

Log in to Netscaler – Select XenMobile – Select XenMobile 10 – Click Get Started.

Select Access through Netscaler and Load balance XenMobile – both options – and click Continue

Provide the first virtual IP (1): 192.168.1.165 (this is the mam.sslab.com gateway IP), Port 443 – Continue

Select the already installed wildcard certificate or MAM URL certificate and click Continue.

Click here for Wild card certificate CSR and installation steps

Provide the details below for the LDAP connection; this piece is very important.

  • IP: 192.168.1.xxx (LDAP server IP)
  • Port: 389
  • Server type: plain text
  • Base DN: dc=sslab,dc=com
  • Account: nsldap@sslab.com
  • Provide and confirm the password for the nsldap user.
  • Click on Test Connection – it should be green as shown below.
  • LogonName: samAccountName or Userprincipalname (the same should be given in both Netscaler and the XenMobile server)

Provide the information below and Continue

  • XenMobile server FQDN: mdm.sslab.com (remember, this is the FQDN of the XenMobile server MDM, not MAM)
  • IP (2): 192.168.1.166 (MAM load balancer IP)

Select the MDM certificate or the wildcard certificate.

Click on Add Servers to add the XenMobile server IPs.

Provide the XenMobile server IPs; add both IPs.

Both IPs are to be added as shown – Continue

Click on Load Balance.

Provide the MDM load balancer IP (3): 192.168.1.167 – Continue

Review the XenMobile server IPs, click Continue and then Done

With this we are done with the configuration. Sometimes the GUI will not show the page below straight away; wait for 5 seconds, click on another option and click back on XenMobile. The configuration status is shown below; all the services should show green.

Start enrolling the mobiles with Secure Hub using the mdm.sslab.com URL. Provide user name and password, and accept every setting to make life easy.

Will cover user experience settings like auto discovery in another post.

Hope this post is useful.

Siva Sankar

Siva Sankar works as Solution Architect in Abu Dhabi with primary focus on SDDC, Mobility, Virtualization, VDI, HCI and Network Virtualization products from VMWare, Citrix and Microsoft.

2 thoughts on “XenMobile 10.7 and 10.8 Installation and Configuration Step By Step Guide”

  • March 6, 2018 at 4:23 pm

    Excellent Piece of work,

    This is very detailed configuration step by step and also explained each and every step.

    Thanks Siva Bro

  • September 25, 2018 at 2:30 pm

    Excellent work for detailed configuration by Siva Garu

    This is very helpful for advanced Citrix administration.

    Thank you very much.
