Nowadays, everyone is talking about MDM (Mobile Device Management), a technique for securing, monitoring and managing mobile devices such as smartphones and tablets. By controlling and protecting data and configuration settings, it reduces support costs and business risk. MDM's approach of taking control of the whole device differentiates it from MAM (Mobile Application Management), a strategy which aims to control and secure access to data through fine-grained management on the application side.
In our case, MDM was used to enforce policies such as an unlock code and to push some applications to the devices. Furthermore, access to e-mail should only be granted to managed (company-owned) devices, while there is no web access to Exchange. The choice of an MDM solution went in favor of Citrix's XenMobile MDM, as it integrates MDM, MAM (formerly known as CloudGateway) and the ability to share and sync data seamlessly (ShareFile).
add server [DEVICEMANAGER-FQDN] [DEVICEMANAGER-FQDN]
add server [EXCHANGESERVER-FQDN] [EXCHANGESERVER-FQDN]
add service 0301_lb_sv_mdm [DEVICEMANAGER-FQDN] HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service 0302_lb_sv_mdm [DEVICEMANAGER-FQDN] SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service 0303_lb_sv_exchange [EXCHANGESERVER-IP] SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service 0304_lb_sv_xnc [XNCSERVER-IP] HTTP 9080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver 1201_lb_vs_mdm_80 HTTP [PUBLIC-IP] 80 -persistenceType NONE -cltTimeout 120
add lb vserver 1202_lb_vs_mdm_8443 SSL [PUBLIC-IP] 8443 -persistenceType NONE -cltTimeout 120
add lb vserver 1203_lb_vs_mdm_exchange SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add lb vserver 1204_lb_vs_mdm_xnc SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver 1201_lb_vs_mdm_80 0301_lb_sv_mdm
bind lb vserver 1202_lb_vs_mdm_8443 0301_lb_sv_mdm
bind lb vserver 1203_lb_vs_mdm_exchange 0303_lb_sv_exchange
bind lb vserver 1204_lb_vs_mdm_xnc 0304_lb_sv_xnc
bind ssl vserver 1203_lb_vs_mdm_exchange -certkeyName [PUBLICCERTIFICATE-NAME]
bind ssl vserver 1204_lb_vs_mdm_xnc -certkeyName [PUBLICCERTIFICATE-NAME]
add cs vserver cs_vs_mdm_01 SSL [PUBLIC-IP] 443 -cltTimeout 180
add cs policy cs_vs_mdm_01 -rule true
add cs policy cs_vs_mdm_exchange_01 -rule "HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\")"
bind cs vserver cs_vs_mdm_01 -policyName cs_vs_mdm_exchange_01 -targetLBVserver 1203_lb_vs_mdm_exchange -priority 100
bind cs vserver cs_vs_mdm_01 -policyName cs_vs_mdm_01 -targetLBVserver 1201_lb_vs_mdm_80 -priority 110
set ssl vserver cs_vs_mdm_01 -clientAuth ENABLED -clientCert Optional
add ssl action SSL_act -clientCert ENABLED -certHeader NSClientCert
add ssl policy SSL_pol_mdm -rule "CLIENT.SSL.CLIENT_CERT.EXISTS && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\").NOT" -action SSL_act
bind ssl vserver cs_vs_mdm_01 -certkeyName [PUBLICCERTIFICATE-NAME]
bind ssl vserver cs_vs_mdm_01 -certkeyName CA_XenMobile_Device_CA -CA -ocspCheck Optional
bind ssl vserver cs_vs_mdm_01 -certkeyName CA_XenMobile_Root_CA -CA -ocspCheck Optional
bind ssl vserver cs_vs_mdm_01 -policyName SSL_pol_mdm -priority 100
add policy httpCallout httpCalloutXNC
set policy httpCallout httpCalloutXNC -vServer 1204_lb_vs_mdm_xnc -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -scheme http -resultExpr "HTTP.RES.BODY(20)"
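To make the content-switching, client-certificate and callout expressions above easier to verify before they go onto the appliance, here is an added Python model of them (example code, not part of the original post or of Citrix's product). The header values, host name and client IP it is fed are constructed samples; HTTP_URL_SAFE is approximated with urllib percent-encoding.

```python
# Added example: a plain-Python model of the NetScaler expressions used in
# cs_vs_mdm_01, SSL_pol_mdm and httpCalloutXNC, for checking sample requests.
import base64
from urllib.parse import urlsplit, parse_qs, quote

ACTIVESYNC_PREFIX = "/Microsoft-Server-ActiveSync"


def xnc_callout_params(headers, host, url, client_ip):
    """Mirror the -parameters of httpCalloutXNC for one request.

    headers: dict of lower-cased request headers (constructed sample input).
    Returns None when no Basic credentials are present, so a caller can see
    that the callout would carry an empty user in that case.
    """
    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return None
    # HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":")
    creds = base64.b64decode(auth[len("Basic "):]).decode("utf-8", "replace")
    user = creds.split(":", 1)[0]
    query = parse_qs(urlsplit(url).query)
    return {
        "user": quote(user, safe=""),                       # .HTTP_URL_SAFE (approximated)
        "agent": quote(headers.get("user-agent", ""), safe=""),
        "ip": client_ip,                                    # CLIENT.IP.SRC
        # ("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE
        "url": base64.b64encode(("https://" + host + url).encode()).decode(),
        "resultType": "json",
        "DeviceId": query.get("DeviceId", [""])[0],         # HTTP.REQ.URL.QUERY.VALUE("DeviceId")
    }


def route(url, client_cert_present):
    """Decision taken by cs_vs_mdm_01 and SSL_pol_mdm for one request.

    Returns (target load-balancing vserver, whether NSClientCert is inserted).
    """
    # cs_vs_mdm_exchange_01 (priority 100) wins over the catch-all cs_vs_mdm_01 (110).
    is_activesync = url.startswith(ACTIVESYNC_PREFIX)
    target = "1203_lb_vs_mdm_exchange" if is_activesync else "1201_lb_vs_mdm_80"
    # SSL_pol_mdm: CLIENT.SSL.CLIENT_CERT.EXISTS && URL.STARTSWITH(...).NOT
    insert_cert_header = client_cert_present and not is_activesync
    return target, insert_cert_header
```

Feeding a request without an Authorization header returns None, which is the case to watch for: the appliance would still issue the callout, with an empty user parameter.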
The Device Manager configuration and the mobile device rollout followed the standard procedures. Only ActiveSync access for the devices has to be set up in a few additional steps.
In our case, the communication was configured to run over HTTP on port 9080. On the initial startup of the XNC, it is strongly recommended to start the required Windows services.
Now, the XNC policy has to be configured.
Configure the provider properties, then test the connection to the Device Manager.
Finally, the access scenario had to be tested. This was accomplished by using a managed iPhone and an unmanaged iPad.