XenMobile 10.7 and 10.8 Installation and Configuration Step By Step Guide
XenMobile can be deployed on-premises or in Citrix Cloud. This post covers the installation and configuration steps for XenMobile 10.7/10.8 to provide enterprise mobility management for iOS, Android and other devices. Internally XenMobile has two main components, MDM and MAM: MDM is mobile device management and MAM is mobile application management, and both are embedded in the same XenMobile server.
Pre-Requisites / Infrastructure Details for XenMobile
- MDM URL: mdm.sslab.com (it must be the same as the hostname of the XenMobile 10.7 appliance)
- MAM URL: mam.sslab.com (this is configured in the NetScaler config in the XenMobile server settings)
- XenMobile appliance IPs: Server 1 – 192.168.1.168, Server 2 – 192.168.1.169
- Three free virtual IPs for the NetScaler configuration:
  Virtual IP 1: 192.168.1.165 (mam.sslab.com) – MAM gateway
  Virtual IP 2: 192.168.1.166 (MAM load balancer) – MAM load balancer
  Virtual IP 3: 192.168.1.167 (mdm.sslab.com) – MDM load balancer
- DNS records created in the DNS server or on the NetScaler for the MAM and MDM URLs (the internal MAM URL can also point to the .166 IP):
  192.168.1.165 (mam.sslab.com)
  192.168.1.167 (mdm.sslab.com)
- Public IPs and public DNS records:
  Public IP 1 – NAT to – 192.168.1.165 (mam.sslab.com)
  Public IP 2 – NAT to – 192.168.1.167 (mdm.sslab.com)
- DNS A records: mam.sslab.com – Public IP 1, mdm.sslab.com – Public IP 2.
- LDAP server IP and a domain user name for the LDAP policy configuration: nsldap@sslab.com
- Wildcard certificate or separate certificates for the MAM and MDM URLs: SSLAB_WILDCARD (SAN certificate not supported)
- Apple APNS certificate
- Google Play – requires a Gmail account for Google Play.
- APNS, Google Play, Windows Store communication – firewall ports and URL access
- Auto-discovery TXT record to be created in public DNS for the domain; detailed steps listed here.
Note: refer to the ports and URL access list here: https://docs.citrix.com/en-us/xenmobile/server/system-requirements/ports.html
Apple APNS Certificate for XenMobile Creation
An APNS certificate is required to manage iOS devices from XenMobile. This section covers the detailed steps to create an Apple APNS certificate for XenMobile. All you need is an account with Apple and one with Citrix.
Pre-requisites for APNS certificate:
- NetScaler, or a Windows server with IIS installed, for APNS certificate CSR creation.
- A MyCitrix account to sign the CSR with Citrix.
- An Apple account for submitting the CSR and downloading the APNS certificate.
Note: Step 1 and part of Step 3 can be done on a Windows server over IIS as well: create the CSR and complete the certificate request on the same Windows server.
Step 1: Create Key file & CSR from Netscaler
Navigate to Traffic Management – SSL – SSL Files – Keys.
Select Create RSA Key:
- Provide a key file name
- Key size: 2048 bits
- Public exponent value: F4
- Key format: PEM
- Algorithm: DES3
- Provide a PEM passphrase; this is required while completing and exporting the certificate request
Select the CSR tab and click Create CSR.
Provide the CSR file name, browse to the key file created above, and provide the details as shown below. The common name can be the MDM URL.
Download the CSR as shown below.
Step 2: Sign the CSR from Citrix
Log in to https://tools.xm.cloud.com/ or https://xenmobiletools.citrix.com with your MyCitrix credentials.
Select Request Push Notification Certificate Signature.
Select Upload CSR and select the CSR file created in Step 1.
Click Sign; the CSR is signed and a .plist file is downloaded.
Step 3: APNS certificate Generation from Apple portal
Click the Apple certificate request portal link as shown below.
Log in to the portal using your Apple ID.
Click Create a Certificate.
Accept the terms.
Select Choose File, upload the .plist file and click Upload.
Download the certificate once done.
Step 4: Complete APNS certificate request and Create APNS pfx file
The following steps complete the certificate request.
Navigate to Traffic Management – SSL – Certificates – Server Certificates – click Install:
- Name: MDM_APNS
- Certificate file name: the PEM file downloaded from the Apple site.
- Key file: the RSA key file created in Step 1
- Password: the password given for the key file in Step 1.
The certificate can be found under Client Certificates as shown below.
The APNS certificate is needed on the XenMobile server; it is not required on the NetScaler. So we export it in PFX format and import it into the XenMobile server.
Select SSL and click Export Certificate:
- Provide a name for the PFX file
- Certificate file name: the PEM file installed above.
- Key file: the key file created in Step 1
- Export password: this will be used to import into the XenMobile server.
- PEM passphrase: the key file password given in Step 1.
The PFX file is created on the NetScaler.
Click Manage Key Files, select the PFX file and download it. This will be imported into the XenMobile server.
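As an added example (not from the original post, and not NetScaler's own commands), here are the Step 1 and Step 4 operations expressed with the OpenSSL command line, which is what you would use on any host with OpenSSL instead of the NetScaler GUI. It also adds two checks worth running before the PFX goes into XenMobile: that the key file really belongs to the certificate, and that the PFX opens with the export password. All file names, passphrases and the working directory are constructed for the demo, and the Citrix signing and Apple portal steps (2 and 3) are replaced by a self-signed stand-in because they need network access; the real APNS certificate must come from Apple.

```shell
#!/bin/sh
# Added example, not part of the original post: Step 1 (RSA key + CSR) and
# Step 4 (PFX export) done with the OpenSSL command line instead of the
# NetScaler GUI, followed by checks worth running before the PFX is uploaded
# to XenMobile. Everything here is constructed for the demo: the passphrases
# are throw-away values and the "issued" certificate is SELF-SIGNED as a
# stand-in for the PEM file Apple returns in Step 3.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/apns.key"                 # RSA key, PEM, DES3-encrypted (Step 1)
CSR="$WORK/apns.csr"                 # CSR uploaded to the Citrix tool (Step 2)
CERT="$WORK/apns.pem"                # stand-in for the PEM downloaded from Apple
PFX="$WORK/MDM_APNS.pfx"             # file imported into XenMobile (Step 4)
PEM_PASS="demo-pem-passphrase"       # "PEM passphrase" from Step 1 (constructed)
EXPORT_PASS="demo-export-password"   # "Export password" from Step 4 (constructed)

# Step 1: 2048-bit RSA key, public exponent F4 (65537, OpenSSL's default),
# PEM format, protected with DES3 and the PEM passphrase.
make_key() {
    openssl genrsa -des3 -passout "pass:$PEM_PASS" -out "$KEY" 2048 2>/dev/null
}

# Step 1: CSR signed with that key; the common name is the MDM URL, as in the post.
make_csr() {
    openssl req -new -key "$KEY" -passin "pass:$PEM_PASS" \
        -subj "/C=US/O=sslab/CN=mdm.sslab.com" -out "$CSR"
}

# Stand-in for Steps 2 and 3 (Citrix signing and the Apple portal need network
# access): self-sign the CSR so the rest of the flow runs offline. The real
# APNS certificate is issued by Apple and is the one to use in production.
fake_issue_cert() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "pass:$PEM_PASS" \
        -days 365 -out "$CERT" 2>/dev/null
}

# Step 4: bundle certificate and key into the PFX that XenMobile imports.
# The XenMobile import dialog asks for EXPORT_PASS, not for the PEM passphrase.
export_pfx() {
    openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -passin "pass:$PEM_PASS" \
        -passout "pass:$EXPORT_PASS" -name MDM_APNS -out "$PFX"
}

# Check 1: the key really belongs to the certificate. Picking the wrong key
# file, or mistyping its passphrase in the install dialog, is the usual reason
# the NetScaler install or the XenMobile import fails.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$CERT" | openssl dgst -sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$KEY" -passin "pass:$PEM_PASS" \
        2>/dev/null | openssl dgst -sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# Check 2: the PFX opens with the export password and carries the expected
# subject; prints the certificate subject line.
pfx_subject() {
    openssl pkcs12 -in "$PFX" -passin "pass:$EXPORT_PASS" -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -subject
}

# Check 3: expiry of the certificate inside the PFX (APNS certificates are
# renewed yearly; a fresh PFX has to be imported before this date).
pfx_not_after() {
    openssl pkcs12 -in "$PFX" -passin "pass:$EXPORT_PASS" -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -enddate
}

# Whole flow; returns non-zero if any step or the key/certificate check fails.
build_apns_pfx() {
    make_key && make_csr && fake_issue_cert && export_pfx && key_matches_cert
}

if command -v openssl >/dev/null 2>&1; then
    build_apns_pfx
    echo "PFX written to $PFX"
    pfx_subject
    pfx_not_after
fi
```

Run it as a plain script: it prints the PFX path, the certificate subject and the notAfter date. To check a real export from the NetScaler instead, skip `build_apns_pfx`, set PFX and EXPORT_PASS to the downloaded file and its export password, and call `pfx_subject` and `pfx_not_after` only.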
XenMobile 10.7 Register VM & Initial Configuration
Pre-Requisites for XenMobile server
1. MDM URL: mdm.sslab.com (it must be the same as the XenMobile hostname provided in the NetScaler config)
2. MAM URL: mam.sslab.com (this will be the NetScaler Gateway for the MAM URL)
3. XenMobile appliance IPs:
Server 1 – 192.168.1.168
Server 2 – 192.168.1.169
4. DNS record created in the DNS server for mam.sslab.com pointing to the MAM gateway VIP on NetScaler:
mam.sslab.com – 192.168.1.165
Note: if you don't host the external domain in your internal DNS server, you can create local host records on the XenMobile server. This will be covered in this post.
5. LDAP server IP and a domain user name for the LDAP policy configuration: nsldap@sslab.com
6. Wildcard certificate for the MDM URL (SSL Listener): SSLAB_WILDCARD
7. APNS certificate – click here for the APNS certificate creation steps
8. Google Play – requires a Gmail account for Google Play
9. APNS, Google Play, Windows Store communication – firewall ports and URL access
Refer to the ports and URL access list here: https://docs.citrix.com/en-us/xenmobile/server/system-requirements/ports.html
Note: to keep the pre-reqs simple, these are only for the XenMobile implementation; review the NetScaler pre-reqs as well to get the complete picture.
Download Media
Log in to Citrix with your MyCitrix account and download the necessary media as shown below.
Download the XenMobile server media for your hypervisor.
Download the iOS and Android MDX files.
Deploy XenMobile Server with OVA file
Log in to your ESXi host or vCenter and register the VM – select Register VM with OVA file.
Select the OVA file as shown below and provide a name for the XenMobile server.
Select the datastore.
Select the network and Next.
Review and Finish.
The VM is registered as shown below.
XenMobile Appliance First Time Configuration
Once the VM is registered, power it on. The first thing to do is to set the admin user and password for the XenMobile appliance console.
Provide the IP, netmask, gateway and DNS servers as shown below and press Y to commit the changes.
- Upgrade: press N, then Enter
- Encryption: press Y, then Enter (it generates a random passphrase)
- FIPS mode: press N, then Enter
- Provide the hostname: mdm.sslab.com (this is the MDM URL)
- Commit changes: Y
- Communication ports: leave all defaults; change them only if required. Press Enter to take all defaults.
- Commit changes: Y
Note: during this installation, pressing Enter accepts the default value shown; if you enter a different value, that value is used.
Instance name: leave the default and press Enter. Don't change this value; if it is changed, users need to enter it manually while enrolling.
Commit changes: Y
Password for the PKI certificate: press Y, provide and confirm a password, commit changes: Y
This user account is for GUI admin access: leave administrator as the user name, provide a password and commit the changes.
It takes a while to complete all the configuration; then the login prompt appears as shown below, which means the basic config is done. The admin URL is https://IP:4443, in my case https://192.168.1.168:4443.
XenMobile Server Set Firewall Ports & Time Zone
The last thing to do in the console is to set the time zone and enable the XenMobile firewall ports.
Log in to the console with admin and the admin password.
Select 0 and press Enter.
Select 2 for Firewall.
Leave all defaults, press Y and Enter as shown below.
Now we are back at the main menu: go to System (2).
Select 2 for Time Zone.
Provide the time zone as shown below and press Y for the system to apply the changes and restart.
XenMobile Server GUI Initial Configuration
Once the firewall ports are open, open the admin console https://IP:4443 and log in with the administrator account.
Note: even if some details are not available at this point, they can be configured later under the Settings section.
Click Start.
Click Next; licensing can be configured later.
We need to import the APNS and mdm.sslab.com certificates. Click Import.
Select Keystore, PKCS 12, SSL Listener, the mdm.sslab.com certificate file and its password to import. In my case the certificate is a wildcard.
Wildcard certificate creation steps
Click OK to import.
Now we need to import the APNS certificate as shown below. Select APNS, the certificate file and password, and import.
Steps to create the APNS certificate are listed here
Click OK to import.
As shown below, the APNS certificate and SSL Listener certificate are installed. Click Next.
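Before importing the SSL Listener certificate, a check worth running (an added example, not part of the original post or of the XenMobile product): confirm that the common name inside the PKCS#12 file actually covers the MDM URL, since the listener certificate must match the appliance hostname and, as noted in the pre-requisites, a SAN certificate is not supported. The PFX used here is a constructed self-signed *.sslab.com wildcard with a throw-away password; point PFX and PFX_PASS at the real SSLAB_WILDCARD file to check that one instead.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the certificate inside
# a PKCS#12 file fits the XenMobile SSL Listener for the MDM URL, i.e. that its
# common name covers mdm.sslab.com either exactly or as a wildcard. The post
# says a SAN certificate is not supported, so only the CN is checked here.
# The PFX is constructed for the demo (self-signed wildcard, throw-away
# password); in practice set PFX and PFX_PASS to the real wildcard file.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX="${PFX:-$WORK/sslab_wildcard.pfx}"
PFX_PASS="${PFX_PASS:-demo-pfx-password}"     # constructed
MDM_URL="mdm.sslab.com"                       # appliance hostname, as in the post

# Build a self-signed *.sslab.com certificate and wrap it as PKCS#12, standing
# in for the CA-issued SSLAB_WILDCARD file.
make_demo_wildcard_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=sslab/CN=*.sslab.com" \
        -keyout "$WORK/wild.key" -out "$WORK/wild.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/wild.pem" -inkey "$WORK/wild.key" \
        -passout "pass:$PFX_PASS" -name SSLAB_WILDCARD -out "$PFX"
}

# Common name of the first certificate in a PFX. RFC2253 output gives a fixed
# "subject=CN=...,O=..." layout across OpenSSL versions.
pfx_common_name() {   # $1 = pfx file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject=//' -e 's/.*CN=\([^,]*\).*/\1/'
}

# Does a certificate CN cover a hostname? A wildcard matches exactly one label,
# so *.sslab.com covers mdm.sslab.com but neither sslab.com nor a.b.sslab.com.
cn_covers_host() {    # $1 = CN, $2 = hostname; the exit status is the answer
    cn=$1; host=$2
    case "$cn" in
        \*.*) [ "${host#*.}" = "${cn#\*.}" ] && [ "${host#*.}" != "$host" ] ;;
        *)    [ "$cn" = "$host" ] ;;
    esac
}

# The check to run before selecting the file in Keystore / PKCS 12 / SSL Listener.
check_listener_pfx() {   # $1 = pfx file, $2 = password, $3 = MDM URL
    cn=$(pfx_common_name "$1" "$2")
    if cn_covers_host "$cn" "$3"; then
        echo "OK: CN '$cn' covers $3"
    else
        echo "MISMATCH: CN '$cn' does not cover $3" >&2
        return 1
    fi
}

if command -v openssl >/dev/null 2>&1; then
    make_demo_wildcard_pfx
    check_listener_pfx "$PFX" "$PFX_PASS" "$MDM_URL"
fi
```

The rule enforced by cn_covers_host is the single-label wildcard match that clients apply: *.sslab.com matches mdm.sslab.com and mam.sslab.com, but not sslab.com itself or a.b.sslab.com, which is why the MDM and MAM URLs in this guide sit directly under the wildcard's domain.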
Provide the NetScaler Gateway details for MAM and click Next:
- Name: Netscaler
- URL: https://mam.sslab.com
Provide the LDAP details as shown below:
- Type: Microsoft AD
- Primary server: primary DC
- Secondary server: secondary DC
- Domain alias: sslab.com
- Provide the domain user name and credentials
- User search by: select sAMAccountName or UPN as per your requirement. This must be the same everywhere (XenMobile, NetScaler).
Provide the Exchange server details for SMTP; if it is secured, select Authentication and provide the user name and password for SMTP relay. You need to add the XenMobile server IP to the Exchange connector for relay.
Review and finish.
XenMobile Post Installation Configuration
All the initial configuration can also be done under Settings; if you skipped something because the information wasn't available, you can do it here as shown below.
Now we will work through the actual XenMobile configuration.
XenMobile Enable Worx PIN
Worx PIN simplifies lots of things and is disabled by default. It can be enabled as shown below. Users then enter this 6-digit PIN instead of the username and password every time.
Click Settings – Client Properties.
The two settings shown below need to be enabled; if you also want to allow Touch ID, enable Touch ID by editing its value to true.
Edit the property and set true in the value field.
Do the same for the other settings, using true.
These settings enable the Worx PIN.
XenMobile Device policies Creation
The easiest way to do things is to work from left to right in the config window, starting with device policies.
Click Add to add the necessary device policy.
Click Scheduling; this is required for Android.
Provide a name; on the left, select only the devices that you want to manage in your organization, in my case only Android. Unselect the others – Next.
Select Always and Next.
Review and finish.
In the same way, create a Passcode policy, which allows only mobiles with the specified passcode strength to enroll.
Select Passcode.
Provide a name.
Click ON and specify the minimum length as 4 or 6.
On the left, select only the devices you want to manage, in my case only iOS and Android.
Review and Next.
You might be interested in the Location and App Inventory policies also; create those in a similar way.
XenMobile Applications
The next step is to add applications; they can be MDX files, public apps or any other type.
For MDX apps, open the extracted downloaded MDX files for Android and iOS as shown below.
MDX Secure Mail
Under Apps, click Add.
Select MDX.
Provide a name and select the OSes you manage on the left – Next.
Browse to the iOS Secure Mail MDX file.
Leave everything at the defaults and scroll down to provide the Exchange details.
Provide the mail server and domain as shown below. The domain short name is the same as given in the LDAP config.
Similarly browse to the MDX file for Android and scroll down.
Provide the Exchange server OWA URL and domain name.
Review and save.
MDX Secure Web App
Similarly select MDX and create Secure Web as well. Provide a name and Next.
Import the MDX files for iOS and Android; a specific URL can be provided as the home page as shown below.
If required, create approvals for app installation, and Next.
Click Save.
Adding Public App (Receiver) in XenMobile
We can have a public app added in XenMobile as well. For Android we need to configure the Google Play credentials as shown below.
All you need is a Gmail account configured on an Android mobile. Provide the Gmail user name, password and the Android mobile's device ID.
Note: there is an app called Device ID that you can install on your mobile; the device ID is the Google Services Framework ID.
Click Add Apps – select Public Apps.
Provide a name.
Search for the app name, in our case Receiver.
Select Receiver, review and Next.
Do the same for all other platforms as shown below.
Save to finish.
Review all the apps and add all the necessary MDX apps.
XenMobile Actions
Actions are very useful; create them only if required. In my case I wanted to block an app named VPN.
Provide a name.
Select the app name VPN as shown below and all the actions are listed.
In my case I am wiping the device.
Next.
Review and save.
XenMobile Enrollment profile creation
Enrollment profiles control how many devices a user can enroll. Click Add.
Provide the name and specify the number of devices a user can enroll. You can have multiple profiles for multiple user groups.
Save.
XenMobile User Delivery group Creation
The last thing is to create a delivery group. An Active Directory group is needed for creating the delivery group.
Provide a display name.
Select the domain, provide a name to search and select the group as shown below.
Now pull in all the necessary policies to be applied to these users as shown below.
Policies are selected.
Drag all the required apps to the Required field and the rest to Optional as needed. Optional apps are not installed automatically; the user needs to select them to install.
Apps are selected as shown below.
If you have media, select it; else Next.
Select actions.
Next.
Select the enrollment profile and Next.
Review the complete delivery group settings and finish.
The delivery group is created.
Now the XenMobile installation and configuration is complete.
Netscaler Configuration for XenMobile 10.x
What does the NetScaler wizard do?
1. It creates the XenMobile MAM gateway and the necessary policies.
2. It load balances the MAM services on the XenMobile servers.
3. It load balances the MDM services on the XenMobile servers.
Pre-requisites for the NetScaler configuration:
- MDM URL: mdm.sslab.com (it must be the same as the hostname of the XenMobile 10.7 appliance)
- MAM URL: mam.sslab.com (this is configured in the NetScaler config in the XenMobile server settings)
- XenMobile appliance IPs: Server 1 – 192.168.1.168, Server 2 – 192.168.1.169
- Three free virtual IPs for the NetScaler configuration:
  Virtual IP 1: 192.168.1.165 (mam.sslab.com) – MAM gateway
  Virtual IP 2: 192.168.1.166 (MAM load balancer) – MAM load balancer
  Virtual IP 3: 192.168.1.167 (mdm.sslab.com) – MDM load balancer
- DNS records created in the DNS server or on the NetScaler for the MAM and MDM URLs (the internal MAM URL can also point to the .166 IP):
  192.168.1.165 (mam.sslab.com)
  192.168.1.167 (mdm.sslab.com)
- Public IPs and public DNS records:
  Public IP 1 – NAT to – 192.168.1.165 (mam.sslab.com)
  Public IP 2 – NAT to – 192.168.1.167 (mdm.sslab.com)
- DNS A records: mam.sslab.com – Public IP 1, mdm.sslab.com – Public IP 2.
- LDAP server IP and a domain user name for the LDAP policy configuration: nsldap@sslab.com
- Wildcard certificate or separate certificates for the MAM and MDM URLs: SSLAB_WILDCARD (SAN certificate not supported)
Click here for the wildcard certificate CSR and installation steps
Netscaler Configuration for XenMobile 10.7
Log in to NetScaler – select XenMobile – select XenMobile 10 – click Get Started.
Select both options, Access through NetScaler and Load balance XenMobile, and click Continue.
Provide the first virtual IP (1): 192.168.1.165 (this is the mam.sslab.com gateway IP), port 443 – Continue.
Select the already installed wildcard certificate or the MAM URL certificate and click Continue.
Click here for the wildcard certificate CSR and installation steps
Provide the following details for the LDAP connection; this piece is very important.
- IP: 192.168.1.xxx (LDAP server IP)
- Port: 389
- Server type: plain text
- Base DN: dc=sslab,dc=com
- Account: nsldap@sslab.com
- Provide and confirm the password for the nsldap user.
- Click Test Connection – it should be green as shown below.
- Logon name: sAMAccountName or userPrincipalName (the same must be used on both NetScaler and the XenMobile server)
Provide the following information and Continue:
- XenMobile server FQDN: mdm.sslab.com (remember this is the FQDN of the XenMobile server, MDM, not MAM)
- IP (2): 192.168.1.166 (MAM load balancer IP)
Select the MDM certificate or the wildcard certificate.
Click Add Servers to add the XenMobile server IPs.
Provide the XenMobile server IPs; add both IPs.
Both IPs are added as shown – Continue.
Click Load Balance.
Provide the MDM load balancer IP (3): 192.168.1.167 – Continue.
Review the XenMobile server IPs, click Continue and then Done.
With this the configuration is done. Sometimes the GUI does not show the page below straight away; wait 5 seconds, click another option and then click back on XenMobile; the configuration status is shown below. All the services should show green.
Start enrolling the mobiles with Secure Hub using the mdm.sslab.com URL. Provide the user name and password, and accept every setting to make life easy.
User experience settings like auto-discovery will be covered in another post.
Hope this post is useful.
Excellent piece of work,
This is a very detailed step-by-step configuration, and it also explains each and every step.
Thanks Siva Bro
Excellent work on the detailed configuration by Siva Garu
This is very helpful for advanced Citrix administration.
Thank you very much.
Very good detailed explanation. Thank you for the effort and time you put in.
Thanks
Hi Siva Sankar – Great article. Thank you for the details.
I believe it requires an additional APNS certificate for the iOS Secure Mail configuration. Is there a process to create an APNS certificate for the iOS Secure Mail configuration?
Thanks,
Sen
Hi Siva – Nice Article. Thanks for the details.
I believe it requires an additional APNS certificate for the iOS Secure Mail configuration, or is it covered by the MDM APNS certificate itself? Can you please let me know the process for APNS certificate creation for the Secure Mail configuration.
Regards,
P Shanmugam
Dear
APNS for Secure Mail is different; it's mainly for the near real-time notifications. The article below can help.
https://support.citrix.com/article/CTX201026
Thanks,
Siva
Excellent work!
I'm still confused about the ports. Can you help me with this? I have NetScaler & XenMobile in the DMZ. What ports do I need to open from outside to the DMZ, and from the DMZ to inside? I read the document from Citrix but I'm still confused by all of this. Thanks
Dear
I will share with you one to one.
Thanks
siva
Hi Siva,
Thanks for your good blog on XenMobile!!
I have followed your instructions and prepared the same environment on XenMobile 10.8.
I am getting the error “can not access your corporate network” while accessing mam.domain.com from both sides, external and internal.
Since I am new to XenMobile, I need your help to fix this issue.
Please note that I am using the default certificate on the XenMobile server.
Regards,
Ilyas Ahmed
Dear
Are your MAM and MDM URLs accessible from outside? Check NATting, public IP and DNS. If yes, try to log in and check.
Thanks
Siva
Hi Siva,
You are correct, the issue was related to NATting. Appreciate your work and knowledge!!!
I have a XenMobile requirement that needs to be configured as MAM only. Can you please let me know how I can configure the MAM-only feature.
Also, I need clarification on the MAM-only feature: do we still need the MDM configuration on NetScaler? If yes, where do I need to point our external URL, the MDM or the MAM gateway?
I am waiting for your reply. Please help.
Regards,
Ilyas Ahmed
Dear
There is no harm in configuring MDM on NetScaler for MAM only, as both will be done with the NetScaler wizard. In MAM-only mode the MAM URL is pointed to the gateway, not the LB vserver. Users will enroll with the MAM URL.
I recommend having both the MDM and MAM URLs pointed to the LB vServer and Gateway respectively. Users will enroll with the MAM URL in your case.
If you still have issues, drop an email to siva@sivasankar.org with your contact and Skype details so that we can have a look at your environment.
Thanks,
Siva
Dear Siva,
Thanks for your reply.
I already checked that NAT is working from the outside, and we are able to telnet to mdm and mam.
Even if I access the URLs from the internal side the same error appears: “Access to your company network is not currently available”.
Please find the following configuration details of the XenMobile environment.
XenMobile Server: 192.168.100.168 mdm.domain.com – Created DNS record in internal DNS
MAM Gateway: 192.168.100.165 mam.domain.com – Created public DNS record – on port 443
MAM Load Balancing: 192.168.100.166 – Created DNS record in internal DNS
MDM Load Balancing: 192.168.100.167 – Created DNS record in public DNS – on port 444
Using a wildcard certificate signed by an external CA for both the XenMobile server and NetScaler.
I am putting mdm.domain.com:444 while testing over Secure Hub. It asks for enrollment and password and then shows the network error.
Please note that I am using custom port 444 for MDM access. Kindly let me know if I missed anything.
Regards,
Ilyas Ahmed
Hi… on XenMobile 10.12 there isn't a Google Play section…
In this release, is it still possible to add apps from the Play Store?
If not, is there another way to add public apps?
Thanks for all…
Hello Siva,
I am new to XenMobile and NetScaler. We are planning to do a POC for XenMobile and I was able to set up a 30-day trial using the Hyper-V appliance. Below are the details. I cannot enroll the devices.
Everything is internal.
192.168.2.13 (XenMobile Gateway) – mam.infoweb.com
192.168.2.14 (MAM LB)
192.168.2.15 (MDM LB) mdm.infoweb.com
192.168.2.43 is the XenMobile appliance
mdm.infoweb.com is the host name of the appliance
DNS records:
mam.infoweb.com points to 192.168.2.13
mdm.infoweb.com points to 192.168.2.15
I have pointed XenMobile to the DNS server and when I do the DNS check test in the XenMobile appliance it fails with “DNS server has errors in record”.
I also tried putting the same DNS entries on NetScaler to see if it helps but that did not help either.
I am using an internally issued CA cert with wildcard.
I cannot figure out what is causing the issue. I can access mam.infoweb.com and log in with a user but I see HTTP Status 404 – Not Found, which is the expected behavior as per what I read. I get the same error when I try to go to mdm.infoweb.com from a Windows machine.
Can you please help.
Thank you in advance for your help and guidance.
Dear
Kindly check the below. Your POC should work for Android. Make sure you follow all the steps I have given; it's worth reading 2-3 times, particularly when to use the MDM URL.
1. XM server can reach the internet.
2. XM server to DNS server (remove IPv6 on DNS, firewall and such).
3. NetScaler to DNS (try adding both TCP and UDP DNS).
4. Create a local host record on NetScaler for mdm pointing to the MDM LB VIP.
5. Try the XenMobile connectivity checks; everything should work.
6. Make sure your DNS server has a forwarder configured for internet DNS resolution.
7. Make sure you install the MDM certificate on XM and configure it.
thanks
Siva Sir, you rock!!! Thanks for sharing.