Implementing Citrix XenMobile 10.1 - typical pitfalls

For a succesful implementation of Citrix XenMobile, a sophisticated mobile device management (MDM) and mobile application management (MAM) solution, some prerequisits are necessary. These are outlined at the Citrix Docs and are discussed in various articles across the net. Nevertheless we would like to draw your attention to some of these points. These are those we found not understood correctly or difficult to prepare in various customer projects.

 

1) Networking and firewals

First and foremost you should have a clear idea where and how the XenMobile appliance should be integrated into your network. It is usually located in your DMZ (as proposed by Citrix). This results in quite a bunch of necessary firewall rules and sometimes even routing configuration.

Citrix provides us with a comprehensive PoC-sheet in which you must specify all necessary data, especially IP addresses. This documents then automates the description for your firewall rules. Prepare and use this document, it spares you a lot of time!

Additionally, as of begin of October 2015 and Worx Home 10.2, you need access from the mobile devices to the Citrix Auto Discovery Service (ADS) on port 443. Check for the necessary destination hosts!

TLDR: Evaluate the necessary firewall and routing configuration and prepare it with your network department.

2) Deploying XenMobile

XenMobile comes as a VM image for the three big hypervisors (ESXi, XenServer, Hyper-V). Make sure you download and import the appropriate image. For ESXi you get an ova-file you can import with the vSphere client. Therefore the downloaded image has to be on your client, not on a remote datastore.

TLDR: Ask your infrastructure department to prepare and deploy the appropriate VM-image of XenMobile.

3) Database access

XenMobile ships with a built-in PostgreSQL database. Be aware that this is only advisable for a PoC. For production use Citrix only supports Microsoft SQL Server.

Prepare your database server (Microsoft SQL Server Express does work for a PoC, too!) and setup a user with DBCreator role. Do not create a database beforehand – the installer does this and all required work in the database for you!

TLDR: Have a database user with role DBCreator at hand. Do not create a database beforehand.

4) Licensing

XenMobile is licensed as most other Citrix products via a licensing server. Therefore you should have your Citrix XenMobile licenses assigned (to the hostname of you license-server, nothing else), downloaded and imported in your license server. This server must meet the minimum version requirements of the XenMobile version to be installed. This often is a quite recent one which sometimes causes problems in older environments.

TLDR: Have an up-to-date license server at hand in which you have installed the necessary licenses.

5) Apple-ID

You definetely should have an Apple-ID created before you start. You need the Apple-ID later on to have acess to the Apple App Store both on MacOS for the Apple Configuration Utility and iOS for Worx Home. During installation you need to create an APNS-certificate which is done with the Apple-ID, too. For the APNS-certificate you need an installed Microsoft IIS to create the certificate signing request (CSR) which you then upload to Citrix, get it signed, upload it to Apple (hence the Apple-ID), get it signed and finally import it to your applicance.

TLDR: You need an Apple-Id to create an APNS-certificate and to login to the Apple stores to download the Apple Configuration Utility and Worx Home.

6) SSL certificate

Have a public wildcard certificate prepared for your domain you want to use for MDM. A wildcard certificate is preferable because later on you might create another hostname for MAM. Then you would need another certificate if you had not created a wildcard one in the first place. The procedure to have you, the organisation or a domain validated can take up to some days so you shuld start quite some time before you installation date.

TLDR: Issue a public certificate for your domain name and take into account that the validation process can take some days.

7) DNS resolution

Make sure your DNS resolves the future MDM hostname (and when you are at it, maybe you could check the MAM hostname, too). When you check this think about a possible diffeence between „internal“ and „external“ DNS servers – depending on your implementation both servers might have to be set up accordingly. The DNS propagation might take some time so ask your network department well ahead of time!

TLDR: Prepare the needed DNS entries well before installation time.

8) Apple Developer Enterprise Program

If you want to do not just MDM but MAM too with Apple-devices you need an account with the Apple Developer Enterprise Program. This account is not for free, you have to pay a annually fee. Depending on the size of your organisation the necessary procedure to register including the payment processing might take some days!

TLDR: Think of your Apple Developer Enterprise Program membership which needs to be paid for.

 

These are the points we came about most frequently. Do you have additions or questions about this? Do not hesitate to contact us! Get in touch with Andreas at andreas.bockhold@base2itc.de!