
Citrix XenMobile

Technical Overview

Feb, 2013

Enterprise Mobility in Numbers

[Infographic panels: BYO Devices, Multiple Locations, App Proliferation, Unmanaged Data. Values shown: 65%, 200+, 80%+. Labels: Devices; Employees; Apps; Fortune 500; Average per Employee; Work in multiple locations; Average Citrix customer portfolio; Use unmanaged cloud storage.]

Source: Citrix and leading analysts

2013 Citrix | Confidential Do Not Distribute

50%
43%
40%
32%

work from home


work from client
sites
work while traveling
work at public sites
Forrsights Networks And Telecommunications
Survey


By 2015:
Mobile app development
projects will outnumber
native PC projects by a
ratio of 4-to-1
Gartner

[Chart, source IDC. 2011: Mobile 5%, SaaS 16%, Win 40%, Other 39%. 2015: Mobile 13%, SaaS 25%, Win 38%, Other 24%.]

How Mobile Feels Today


User Needs
Want access to all apps and data
from any of their devices


A complete stack for managing and securing apps, data, and devices

Smartphones, Tablets, PCs and Macs
Wipe selectively apps, data & devices remotely
Follow me apps & data on any device with federated SSO
Clientless secure remote access

Control access policies for apps, data and devices

Introducing XenMobile

[Diagram components: Business Apps, Productivity and Collaboration, Secure Mail, Data Management, Device Management, App Management, Access Gateway & SSO]

Two Simple Packages

XenMobile MDM Edition (Cloud or On-premise)
Secure, simple to use Mobile Device Management for SMB & Enterprise
Mobile Device Management

XenMobile Mobile Solutions Bundle / Enterprise Edition
Comprehensive Enterprise Mobility Management for all apps, data & devices
Email encryption
Internal Web Apps
SaaS Apps
Wrapped Native Apps
Secure Data with ShareFile

MDM Edition
Installed client-side

Installed server-side

Enroll and Connect. Connect = Device management client

XenMobile Gateway

MDM Server. Policy server and admin console for device management
AppController. Mobile, SaaS, and web apps and data. Includes MDX technology for centralized app mgmt and security
NetScaler Access Gateway. SSL VPN with scenario-based remote access and Micro VPN (NetScaler sold separately)
StoreFront. App Controller, remote desktop, and Windows/DC apps

ShareFile. Follow-me data

Mobility Bundle (with Data Add-On)

Installed client-side

Installed server-side

Enroll and Connect. Connect = Device management client

MDM Server. Policy server and admin console for device management

Receiver. Unified app store, single sign on

AppController. Mobile, SaaS, and web apps and data. Includes MDX technology for centralized app mgmt and security.

@WorkMail, @WorkWeb. Secure email client and web browser
SharePoint. Secure SharePoint Access
ShareFile. Follow-me data (sold separately)

NetScaler Access Gateway. SSL VPN with scenario-based remote access and Micro VPN (NetScaler sold separately)
(Optional) StoreFront. Only for Citrix XenDesktop/XenApp customers. Next-generation Web Interface that unifies the app store for XD/XA & AppController

NetScaler appliance & ShareFile sold separately

Secure and manage my devices

My users are bringing in all types of devices... I need to set PIN codes, WiFi, etc.
issuing shared tablets to shift workers in hospital/retail stores/restaurants/dist centers
need to manage personal and corporate devices alongside each other
Want to give device choice... but what do I do if devices are lost or stolen?

MDM Edition

Secure and manage my devices

Enterprise-grade MDM:
Manage & configure corporate and BYO devices
Detect jailbreak, blacklist/whitelist apps
Full/selective device wipe
Easy to setup:
Fully wizard-driven
Extensible:
Enterprise integration (e.g.: LDAP and PKI)
Upgrade to Enterprise for mail or app mgmt any time

MDM Edition

Mobile Device Manager

[Diagram components: MDM Client, XM ActiveSync Controller, TMG, XM Device Manager, DMZ, Native Mail Encryption, Mobile Device Management]

Give me mail that users love and IT embraces

Using Good, but the user experience stinks
make my users' lives better with email that's beautiful, yet secure
replacing BlackBerrys, but need similar policy controls for iOS and Android devices
provision an email-specific PIN code

Mobile Solutions Bundle

Give me mail that users love and IT embraces

Beautiful email client, sandboxed for IT
Native mobile mail, calendar, and contacts
Attach and save data to ShareFile
One touch access to internal sites with @WorkWeb
Calendar invites with GoToMeeting using free/busy
Encrypted email, attachments, contacts
Available on iPhone, iPad, Android Phone & Tablet

Mobile Solutions Bundle

Secure Mail

[Diagram components: Receiver, Access Gateway (NetScaler), XM AppController, Web & SaaS apps, Mobile apps, Secure Data]

Mobilize my apps and data

give employees mobile access to our intranet and web apps
need SSO for my field who use SalesForce/Evernote
give users easy access to content on-the-go
need to secure and manage custom and off-the-shelf iOS / Android apps
Good Dynamics is too hard to implement
extend my enterprise to partners and contractors.

Mobile Solutions Bundle

Mobilize my apps and data

Secure email to any iOS/Android device
Secure intranet web browsing with micro VPN
Enterprise iOS/Android app with MDX controls
Integrated ShareFile data accessibility
SAML Federation and AD based identity management
Scenario-based access controls

Mobile Solutions Bundle

Mobile Apps & Data

[Diagram components: Receiver, XM Device Manager, Access Gateway (NetScaler), DMZ, XM AppController, Web & SaaS apps, Mobile apps, Secure Data]

All Apps & Data - XA & XD Integration

[Diagram components: Receiver, Access Gateway (NetScaler), DMZ, StoreFront Services, XM AppController, Web & SaaS apps, Mobile apps, Secure Data, Desktops, Apps, XD / XA]

Complete Mobility Infrastructure - Apps, Data, and Devices

[Diagram components: MDM Client, Receiver, XM ActiveSync Controller, TMG, Native Mail Encryption, XM Device Manager, Mobile Device Management, Access Gateway (NetScaler), DMZ, StoreFront Services, XM AppController, Web & SaaS apps, Mobile apps, Secure Data, Desktops, Apps, XD / XA]

XenMobile

MDM Edition
iOS and Android device security control
Device access provisioning
Native iOS and Android store app delivery
Locating a lost device and wipe/selective wipe
Pushing apps automatically
Automating actions on the device (wipe when user is disabled in AD)

Mobility Bundle
Secure email to any iOS/Android device
Secure intranet web browsing with micro VPN
Enterprise iOS/Android app with MDX controls
Integrated ShareFile data accessibility
SAML Federation and AD based identity management

Citrix - The Most Complete Mobile Portfolio

Optimized Mobile Enterprise
Mobile ROI

Mobile Device Management
Sandboxed Mail and Web
Mobile App Security
Mobile Data Control
Mobile Network Control
SSO and Identity Management
Desktop and App Virtualization
Collaboration

XenMobile MDM Edition


Mobile Device Management

Complete Mobility Infrastructure - Apps, Data, and Devices

[Diagram components: MDM Client, XM ActiveSync Controller, TMG, XM Device Manager, DMZ, Native Mail Encryption, Mobile Device Management]

XenMobile Device Manager

Actively manage policy and configuration for iOS, Android, Windows Mobile/CE and Symbian
Deploy and administer mobile applications
Functionality varies by app and platform

Control data access with DLP add-on

Receives connections directly from mobile devices
Makes connections to:
Database Server (MS SQL Server or Postgres)
Directory Server (AD or any other LDAP based system)

XM MDM Installation tips

Installation is supported on 64bit Windows Server 2005, 2008 and 2008R2
2003 supported until EOL

You will need an external DNS record and APNS cert

Only install the recommended version of Java
Be sure to include the Unlimited Strength crypto jar files

If you do not have MS SQL, the installer includes PostgreSQL for PoCs

XenMobile MDM Pre-requisites


Windows Server (Standard or Enterprise) 2003 64 bit, 2008 64 bit, or 2008 R2 64 bit
Service Accounts
Installation account must be local admin of server
Does not require SQL rights directly
Account with database creation permissions in SQL
Intended MDM server does not need to be a member of the domain
Do not install IIS. Uninstall IIS if it exists on this server
External DNS record for the MDM server
(ex. Mobile.yourcompany.com)
Apple APNS certificate
required during the install, obtained using the XenMobile APNS Certificate Setup Guide
Java SE 7
Java Cryptography Extension (JCE) files Unlimited Strength Jurisdiction Policy Files
copy local_policy.jar and US_export_policy.jar to /Java/jdk1.6.0_x/jre/lib/security
Software License


XM MDM Directory Services


Real-time access to LDAP (AD, Domino, etc..) source
Can configure multiple connections to multiple servers
Supports LDAP and LDAPS with certificate management
Wizard driven configuration


XM MDM Role Based Access Control


Roles can be created as desired
For example, multiple helpdesk tiers, devices managed by business units, etc..

Access is granular by admin function or group


Roles are selected by group
Groups can be defined locally or referenced from AD


SAM Account vs. User Principal Name (UPN)

sAMAccount is used to support older OS: Windows NT 4.0, Windows 95, Windows 98, and LAN Manager

By convention, UPN should map to the user email name (Use This)

When configuring an LDAP connection, you can choose the User Search option of either sAMAccount Name or userPrincipalName.
Any user enrolling their device will need to know the format of their username (see opposite)

User Tips
Remember: Users may belong to multiple groups and this can affect which packages are deployed
Be sure to create at least 1 local account for emergency use
This account should not be in AD and be sure to protect this password. This may be your only way to log into the server if the AD connection is severed somehow.

ZDM does not crawl the entire LDAP tree looking for users. Deeply buried user accounts may not be able to log in if the LDAP connection simply references the root.

Secure Mobile Gateway

ISAPI (Internet Server Application Programming Interface) filter, installed at point of access for mobile devices

Active Sync Controller automatically filters devices as specified by XM MDM

Static rules may be configured on individual Active Sync Controller instances if required

Zenprise Security at the Network

[Diagram: ZDM and Secure Mobile Gateway between devices on 3G / 4G and Mail, Intranet, Internal Resources. Numbered labels: 1 Normal traffic flow; 2 Rules, Device, User Properties, Applications; 3 Blacklisted App Install; 4 Monitored traffic flow; 5 Block User from Intranet / Internal Resources]

Block on blacklisted apps, rooted devices, unmanaged devices, user/group

Secure Mobile Gateway - Installation

Installed at point of access for mobile devices

ISA Server 2006 SP1
TMG Server 2010 SP1 Update 1
Exchange CAS 2010, IIS 7.5
Exchange CAS 2007, IIS 7.0
Exchange CAS 2003, IIS 6.0

ISAPI filter screens all ActiveSync HTTP requests from mobile devices according to the set of rules configured by XenMobile MDM
Installation process
As simple as possible

Download, double click setup.msi, Next, Agree, Next, Next, Close

Secure Mobile Gateway Rules


Use the rule set in ZDM to configure device allow/block on the SMG.
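
The screening that the Secure Mobile Gateway slides describe, as an added sketch that is not Citrix or Zenprise code: a filter reads the user and device ID from an ActiveSync request URL and applies the block conditions listed above (blacklisted apps, rooted devices, unmanaged devices, user/group). The inventory and rule structures, the rule precedence, and the fail-closed handling of unreadable requests are assumptions; `User` and `DeviceId` are the query parameters of the plain-text ActiveSync request form.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

ACTIVESYNC_PATH = "/microsoft-server-activesync"


@dataclass(frozen=True)
class DeviceRecord:
    """Assumed view of one enrolled device, as the MDM server would report it."""
    managed: bool = True
    rooted: bool = False
    installed_apps: frozenset = frozenset()
    owner_groups: frozenset = frozenset()


@dataclass(frozen=True)
class RuleSet:
    """Hypothetical rule set pushed from the MDM server to the gateway filter."""
    blacklisted_apps: frozenset = frozenset()
    blocked_users: frozenset = frozenset()
    blocked_groups: frozenset = frozenset()
    static_block: frozenset = frozenset()  # device IDs set on this gateway only
    static_allow: frozenset = frozenset()


def parse_identity(query):
    """Return (user, device_id) from a plain-text ActiveSync query string.

    Returns None when either value is missing, for example when the client
    sent the base64-encoded query form, which this sketch does not decode.
    """
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    user, device_id = params.get("user"), params.get("deviceid")
    if not user or not device_id:
        return None
    return user.lower(), device_id.upper()


def evaluate(url, rules, inventory):
    """Decide ("allow" | "block", reason) for one request URL."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != ACTIVESYNC_PATH:
        return ("allow", "not an ActiveSync request")
    identity = parse_identity(parts.query)
    if identity is None:
        # Assumption: fail closed when the device cannot be identified.
        return ("block", "device identity not readable")
    user, device_id = identity
    # Assumed precedence: static rules first, block before allow.
    if device_id in rules.static_block:
        return ("block", "static rule")
    if device_id in rules.static_allow:
        return ("allow", "static rule")
    if user in rules.blocked_users:
        return ("block", "user blocked")
    record = inventory.get(device_id)
    if record is None or not record.managed:
        return ("block", "unmanaged device")
    if record.owner_groups & rules.blocked_groups:
        return ("block", "group blocked")
    if record.rooted:
        return ("block", "rooted device")
    hits = record.installed_apps & rules.blacklisted_apps
    if hits:
        return ("block", "blacklisted app installed: " + ", ".join(sorted(hits)))
    return ("allow", "compliant")


# Constructed sample data: device IDs, users, app IDs and host are made up.
INVENTORY = {
    "APPL0001": DeviceRecord(owner_groups=frozenset({"sales"})),
    "ANDR0002": DeviceRecord(rooted=True),
    "ANDR0003": DeviceRecord(installed_apps=frozenset({"com.example.filedrop"})),
    "APPL0004": DeviceRecord(owner_groups=frozenset({"contractors"})),
}
RULES = RuleSet(
    blacklisted_apps=frozenset({"com.example.filedrop"}),
    blocked_groups=frozenset({"contractors"}),
)
BASE = "https://mail.example.com/Microsoft-Server-ActiveSync"
SAMPLE_REQUESTS = [
    BASE + "?User=alice&DeviceId=APPL0001&DeviceType=iPhone&Cmd=Sync",
    BASE + "?User=bob&DeviceId=ANDR0002&DeviceType=Android&Cmd=Sync",
    BASE + "?User=carol&DeviceId=ANDR0003&DeviceType=Android&Cmd=Ping",
    BASE + "?User=dave&DeviceId=UNKNOWN9&DeviceType=iPad&Cmd=FolderSync",
    BASE + "?jAAJBAp2MTQwRGV2aWNlAApTbWFydFBob25l",
    "https://mail.example.com/owa/",
    BASE + "?user=erin&deviceid=appl0004&Cmd=Sync",
]


def run_samples():
    """Evaluate every constructed request against the constructed rules."""
    return [evaluate(u, RULES, INVENTORY) for u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for url, (decision, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{decision:5} {reason:45} {url}")
```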


Active Sync Controller Installation Tips

Supported servers

ISA Server 2006 SP1
TMG Server 2010 SP1 Update 1
Exchange CAS 2010, IIS 7.5
Exchange CAS 2007, IIS 7.0
Exchange CAS 2003, IIS 6.0

Active Sync Controller must be reinstalled on every new Active Sync server
Installation on CAS server requires manually adding ZenpriseIsapi.dll
Don't forget to configure it
Secure Mobile Gateway Configuration Tool

Device Support
Citrix XenMobile MDM allows you to manage the following mobile device platforms:
Apple handheld devices (iPhone, iPad) using iOS 5.0 or higher
Android handheld devices using 2.2 or higher
Microsoft Windows 8 Phone and Windows 8 Tablet

Windows Mobile and its derivatives, including Smartphone and PocketPC


Windows Mobile 5.x or 6.x (PocketPC or Smartphone Edition)
Pocket PC 2003
Windows CE 4.x, 5.x or 6.x

BlackBerry handheld devices using BlackBerry OS versions 5.x, 6.x, and 7.x
Symbian
BB10

Device Functionality Matrix (1 of 4)

[Table: per-platform support marks not recoverable. Column headers recovered: Mobile, Windows8, Windows 8 Phone. Features listed: Dashboard; Enhanced Enrollment Modes (OTP, Multifactor, Invitation-based); Invitation Client Download; Email Attachment Encryption; App Lock ('Kiosk Mode'); App Tunnels; Mobile SSL VPN]

Device Functionality Matrix (2 of 4)

[Table: per-platform support marks not recoverable. Column headers recovered: Mobile, Windows8, Windows 8 Phone. Features listed: Storage Card Encryption Policy; Auto discovery Logon; Automated Actions; Notifications; Agent Notification; Enterprise App Store; Locate Device]

Device Functionality Matrix (3 of 4)

[Table: per-platform support marks not recoverable. Column headers recovered: Mobile, Windows8, Windows 8 Phone. Features listed: Geo-Tracking, Geo-Fencing; Secure SharePoint; Remote client installation (OTA); Provisioning of devices & users; Hardware Inventory; Software Inventory; Security Jailbreak detection]

Device Functionality Matrix (4 of 4)

[Table: per-platform support marks not recoverable; one cell reads "(limited)". Column headers recovered: Mobile, Windows8, Windows 8 Phone. Features listed: Remote Wipe & Lock; Software download & install; File transfer; Device Remote Control; Roaming Management; Reports (activity & devices inventory); Local device data encryption (option)]

How Citrix defines Policies

Policies are all the individual elements of configuration or restriction available for definition
Policies do not take effect unless deployed to a device
In the event of a policy conflict, the more restrictive policy is applied

Policies

MDM Policies
Device specific configuration and restriction policies
Application Tunnels
Automated Actions
Server Groups
XenMobile Policies
Application access policies (black/white lists)
XM SDK enabled app control
SharePoint configuration

Policy Tips
Name policies with descriptive names
When browsing lists, the policy name is the only information you have to tell what the policy does
One common technique is to prefix the policy with the people who should receive it, e.g. "Corp HQ Wi-Fi" or "Engineering Password Policy"

Remember that you can define as many policies as you like
Policies only take effect when they are deployed to a device

Variables can be used to create more dynamic policies
For example, ${user.domainname}, ${user.userprincipalname}, etc.
A complete list is available at http://docs.zenprise.com

Lock Screen Policies

Common requirements (in order)

1. Have a passcode defined
2. Disallow simple passcodes
3. Set auto-lock time
4. Set maximum password age
5. Set maximum password length
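
An added example (not XenMobile code) of the conflict rule stated earlier, "the more restrictive policy is applied", for lock screen settings that reach one device through several policies. The setting names and the direction in which each setting counts as stricter are assumptions made for illustration.

```python
# Direction in which each (hypothetical) setting becomes more restrictive.
STRICTER = {
    "passcode_required": max,       # True is stricter than False
    "allow_simple_passcode": min,   # False is stricter than True
    "auto_lock_minutes": min,       # shorter idle time is stricter
    "max_passcode_age_days": min,   # more frequent rotation is stricter
}


def resolve(deployed):
    """Merge the policies deployed to one device.

    deployed: list of (policy_name, settings) in deployment order.
    Returns (effective, winners): the value in force for each setting and the
    name of the policy that supplied it, which is what an admin needs when a
    device does not behave the way one particular policy says it should.
    """
    effective, winners = {}, {}
    for name, settings in deployed:
        for key, value in settings.items():
            pick = STRICTER[key]  # unknown setting names raise KeyError
            if key not in effective:
                effective[key], winners[key] = value, name
                continue
            stricter = pick(effective[key], value)
            if stricter != effective[key]:
                effective[key], winners[key] = stricter, name
    return effective, winners


# Constructed sample: a user who is in three groups receives three policies.
DEPLOYED = [
    ("Corp Password Policy", {
        "passcode_required": True,
        "allow_simple_passcode": True,
        "auto_lock_minutes": 15,
        "max_passcode_age_days": 180,
    }),
    ("Engineering Password Policy", {
        "allow_simple_passcode": False,
        "auto_lock_minutes": 5,
    }),
    ("Sales Password Policy", {
        "auto_lock_minutes": 10,
        "max_passcode_age_days": 90,
    }),
]

if __name__ == "__main__":
    effective, winners = resolve(DEPLOYED)
    for key in effective:
        print(f"{key:24} {effective[key]!s:6} from {winners[key]}")
```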

Restriction Policies
Can be very useful for Corporate Owned devices
Not recommended for BYOD
Common restrictions
1. Disable installation of apps
2. Disable camera
3. Disable iCloud
4. Disable Google Play / App Store

iOS Restrictions
Full list of restrictions


Automated Actions
Special policies which automatically trigger actions based on data
All automated actions require devices to re-connect to the Zenprise Device Manager
To trigger an automated action for a blacklisted application, the application has to be blacklisted in Policies / Blacklist.

Example Automated Task

Alerting a user when their email access has been blocked.

Choose the trigger type
Choose the action; in this case we want to contact a user using a contact template
Finally, choose your squelching parameters for the alert

Notification Template
Notification templates are configured under the Options menu

You will need to have a notification server defined for each type of notification you would like to send

Notification Templates, continued

Remember to use template variables, they come in very handy here

Other Automated Actions

Here are a few other automated actions
Selective wipe when a device leaves geofence
Warn users for any type of violation of their terms of use
Set an out of compliance flag when a blacklisted app is installed
Subsequent deployments can be based on this flag, e.g., remove wifi access when wikileaker is installed

Automatically revoke a jailbroken device

Deployments
Deployment packages are used to push policies to devices

Packages are comprised of:
A package name
Groups of users
Resources which are a combination of
A server group
App tunnels
Registry config.
XML configurations
Software inventory
Applications
Files
Zenprise Knowledge Base URL
Deployment schedule

Deployment Tips
There are 2 schools of thought for deployment best practice

Create multiple deployment packages with few policies
Benefits:
Control users' policies and exceptions in a clear way
Failed policies do not block other policies
Drawback:
Many packages to create and manage

Create few packages with many policies
Benefits:
Control users' policies en masse
Clear groupings of policies (e.g., everyone in Asia gets Policy 1, 2 and 4)
Drawback:
Failed policy blocks remaining policies in the package
Exceptions require creating alternate packages

Location Services

A location services policy must be pushed to a device in order to track the device or use the geofencing functionality
Location services policies only apply to iOS devices currently

Geotracking results
Once enabled, ZDM can store up to 6 hours of movement for each device

XenMobile Mobility Bundle


MDX Technologies & Mobile Application Management

Complete Mobility Infrastructure - Apps, Data, and Devices

[Diagram components: MDM Client, Receiver, XM ActiveSync Controller, TMG, Native Mail Encryption, XM Device Manager, Mobile Device Management, Access Gateway (NetScaler), DMZ, XM AppController, Web & SaaS apps, Mobile apps, Secure Data]

Citrix Mobile App Management

Full support for both personal and corporate usage (BYOD)
Corporate apps and data secure even on employee-owned devices
New consumer-driven devices supported immediately

No risk of corporate data loss or compliance exceptions when:
Device is lost or stolen or employee leaves organization
Collaboration / file sharing apps used on the device

Governance is built-in
Policies can be updated on hundreds of apps with no requirement to change source code

No requirement for developers to change the way they develop apps or learn mobile security standards

MDX Controller

MDX App Vault: Secure container that enables app and data containment, wipe and lock
MDX Access: Secure access to Intranet resources
MDX InterApp: Trusted application communication fabric

MDX Vault

[Diagram: Citrix Receiver and native mobile apps on the device, each app with its own private data vault, connected to XenMobile. MDX policies during app wrapping: Deny SMS; Disable iCloud; Disable screenshots; Force authentication; Block jailbroken device]

MDX InterApp

[Diagram: Citrix Receiver, managed apps with private data, XenMobile. Labels: Open with; Deny access to insecure applications]

MDX Access

[Diagram: Citrix Receiver and managed apps with private data reach SaaS, Web, Mobile and Data resources over SSL through Access Gateway in C-VPN Mode, with XenMobile behind it]

MDX Architecture

[Diagram layers: private MDX mobile apps; network, files, clipboard calls; policy aware interception functions; mobile OS (network, files, clipboard); Citrix mobile services (micro-VPN, encrypted storage, encrypted clipboard)]

Data Containment - Preliminary iOS Policies

Data Containment Policies

Containment Feature | Policy Keyword(s) | Default Value | Description
Pasteboard | DisableCopy, DisablePaste, AppSecurityGroup, PasteFromSystemClipboard | TRUE, None, TRUE | Prevents user from using copy/cut in the managed app. Prevents user from using paste in the managed app. App security group for shared clipboard. Allows paste from either system or shared clipboard.
Open-In | DisableOpenIn | TRUE | Prevents user from opening documents with other apps from within the managed app.
iCloud | DisableiCloud | TRUE | Prevents managed app from using iCloud storage for documents and settings.
Printing | DisablePrinting | TRUE | Prevents user from printing documents from the managed app.
Camera | DisableCamera | TRUE | Prevents user from using the device's camera within the managed app.
SMS/Text | DisableSms | TRUE | Prevents user from using iOS text interface from within the managed app.
Email | DisableEmail | TRUE | Prevents user from using iOS Email interface from within the managed app.
GPS | DisableLocation | TRUE | Prevents app from using the GPS or location services within the managed app.
Microphone | DisableMicrophone | TRUE | Prevents app from using the microphone for audio recording within

AppWrapper
Mobile App Wrap tool runs on Mac OS X
Mobile App Wrap tool for Android: Beta Available
Takes a pre-compiled iOS native application bundle (.IPA) as input
Produces repackaged iOS application bundle with Citrix app wrapper logic inserted (.MDX)
Recertifies the repackaged app using a customer-provided enterprise distribution profile

App Preparation Process

[Diagram steps: Secure app with App Preparation Tool (QuickOffice.ipa); Upload app to XenMobile; App available as a secure, managed app (QuickOffice Enterprise); Push App via ZP Client; App is visible on iOS home screen (QuickOffice Enterprise alongside QuickOffice)]

Me@Work mobile app family

[Diagram: @WorkWeb (Secure Browsing); @WorkMail (Email, calendar & contacts); ShareFile (Follow-me Data); GoToMeeting; Podio. Captions: Integrated Collaboration; Social Team Collaboration]

[Diagram: @ Life and @ Work apps separated by MDX App Vault]

[Diagram: @ Life apps and MDX InterApp]

MDX Policy

[Diagram labels: MDX Policy, @ Life]

InterApp Sharing
iCloud Backup
Enable DLP
Require Authentication
Trusted Network Only
Disable printing
Restrict outbound URL
Allow Camera
Offline lease period: 24 h

Lock and wipe
Inter-app controls
Conditional access policies
Secure app containers
Micro VPN

@WorkMail

Mail, calendar, contacts
Enterprise class security
Beautiful native experience
Full inter-app integration
MDX-secured

@WorkWeb

Secure browser
Internal web app access
Full inter-app integration
Consumer experience
MDX-secured

@WorkMail
Secure Exchange connectivity
No new messaging infrastructure
Connected/disconnected access

@WorkWeb
Any intranet site access
Native browser experience

@Work Mail

Secure email body and attachment
Open in control to provide data leak protection
NO Exchange server exposure to internet
Send email with ShareFile attachments
Integrated calendars and Exchange GAL
NOTE: Release candidate available now

@Work Mail - Topology

[Diagram: @WorkMail, Internet, Micro VPN, Firewall, NetScaler/Access Gateway, Client Access Server (CAS)]

@Work Web
iOS and Android device intranet web browsing
Easy access to SharePoint, Intranet Portal etc.

Similar look/feel as native browser
Safari on iOS; Chrome on Android

Single sign-on via NetScaler
Respond to HTTP 401

@Work Web - Topology

[Diagram: @WorkWeb, Internet, Micro VPN, Firewall, NetScaler/Access Gateway]

Mobile Application Policies


Federated Single Sign-on

[Diagram components: Active Directory, AppController, Web/SaaS, Administration, MAP, Workflow and Provisioning Engine]

Define Roles
Roles map to AD groups
Extracts memberof attribute

Configure Applications
Connectors for federated access or user accounts
Long list of built-in connectors
Wizards for custom federated access

Role-based User Account Management

[Diagram components: Master Employee List, Active Directory, Sync, AppController]

1. Standard enterprise provisioning systems create user accounts on AD
AppC supports programmatic integration with PeopleSoft, SAP, Oracle HRMS and other systems, in addition to LDAP sync
2. Sync to identify user-group association
3. Create user accounts with associated privileges on external applications
If user is disabled on AD, all external accounts can be disabled too

Automatic Account Provisioning

[Diagram components: Active Directory, Auth, Sync, AppController, Create Users, Log, Reporting Systems]

What privilege on application?
Any app specific security rules?
Additional approvals required before creating account?

Workflow Management

[Diagram components: AppController, Workflow and Provisioning Engine, Approvers]

1. User self-service application request
All app requests and subscriptions consolidated on the Citrix Receiver
2. Request triggers AppC workflows
3. Approvers get mail notifications and approve request
4. Application account gets provisioned for user

Scenario-based controls


Certificate Management
Certificates
We can host multiple certificates in AppController
Server
Root CA
SAML

Only one Server Certificate can be active
Only one SAML Certificate can be active

Device registration
First time logon: lightweight mobile device registration
Receiver silently registers device with AppController
Receiver provides device unique token and selected device information

AppController issues unique device ID to Receiver
AppController links device ID/tokens to users
Admins can view all devices registered to users
Devices can be locked or marked for app data wipe
Receiver and MDX apps poll CG for current lock/wipe status
Gateway must be reachable, but no logon needed

User authentication and roles

Receiver is the primary authenticator of users seeking access to enterprise resources for
Hosted apps (ICA/HDX)
SaaS/Web applications
Managed mobile applications for Android and iOS

AppController roles are always linked to Active Directory users and groups
Users are entitled to specific apps through the roles they belong to
Deep AD integration allows for automatic provision/de-provision of SaaS accounts when AD users are removed or added

Device and app authentication

Receiver registers and tracks devices to users
Permits lock and wipe of corporate data/apps on selected devices

Receiver also serves as access manager for MDX managed applications
Strongly identifies applications
Determines app entitlements and policies
Brokers permitted data exchanges between managed apps

MDX applications can parlay their Receiver auth context into other credentials for single sign-on
NTLM challenge/response (or the real AD domain, username, & password)
User and device certificates
Specialty tokens like ShareFile SAML token
Eventually Kerberos, OAuth/OpenID, etc.

Single sign-on
Receiver and AppController directly provide SSO for
Hosted applications (ICA/HDX)
Web/SaaS applications

MDX applications can parlay their Receiver authentication context into other credentials and access rights
Gateway tickets for micro-VPN access
NTLM challenge/response (or even the real AD domain, username, & password)
User and device certificates
Specialty tokens like ShareFile SAML token
Eventually credentials for auth systems: Kerberos tokens, OAuth/OpenID, etc.

AppController
Direct or Integrated Mode

What is Direct vs. Integrated?


Direct connectivity mode allows users to use Citrix Receiver or Receiver for Web to connect to the AppController store for Web/SaaS/Docs/Mobile resources
Ideal for customers that only want access to Web/SaaS/Mobile/Docs resources
Integrated connectivity mode allows users to connect to Web/SaaS/Docs plus Windows resources
Integrated mode requires StoreFront running on Windows
AppController cannot communicate with XenApp/XenDesktop farms unless a Citrix StoreFront running on Windows exists

Direct Mode
[Diagram: Direct Mode architecture. Components shown: MDM Client, Receiver, Native Mail Encryption, XM ActiveSync Controller, TMG, XM Device Manager, Access Gateway (NetScaler, DMZ), XM AppController. Resources shown: Mobile Device Management; Web & SaaS; Mobile Apps; Secure Data]

Integrated Mode
[Diagram: Integrated Mode architecture. Components shown: MDM Client, Receiver, Native Mail Encryption, XM ActiveSync Controller, TMG, XM Device Manager, Access Gateway (NetScaler, DMZ), StoreFront Services, XM AppController, XD / XA. Resources shown: Mobile Device Management; Web & SaaS; Mobile Apps; Secure Data; Desktops; Apps]

Citrix Receiver

Access Your Apps and Data From Any Device

All apps on a single pane of glass

Simple setup of Receiver (AG 10+)

receiver.mycompany.com

Validate Certificate
Login
Setup

Access Gateway

StoreFront or AppC

Email based configuration


me@mycorp.com

_citrixreceiver.tcp.mycorp.com
Access Gateway or Account Service hostname

Validate Certificate
Login
Get Account

DNS

Access Gateway

Account Service

Access Gateway

What is Access Gateway?


Citrix Access Gateway is the only secure application and desktop access
solution that provides administrators with application-level control while
empowering users with access from anywhere.
Secure Single Sign-on to StoreFront Services

Ticket-based Connection Authorization

VPN-less Remote Access from Any Device

Endpoint Analysis & SmartAccess

Introducing Access Gateway


Trusted Single Sign-on
Access Gateway and StoreFront Services verify the existence of each other to ensure credentials are passed from a trusted source

SmartAccess
Endpoint analysis and session policy controls allow for server-side filtering of resource lists

Secure Ticketing
Connections are authorized using a secure single-use ticket. This prevents man-in-the-middle as well as replay attacks

Network Access
Allows users to access network resources using a traditional SSL VPN with strict authorization policies and split tunneling controls

Anywhere Access
Allows users to securely access desktops and applications using any device in any Application, including home computers and mobile devices

VPN-less Access
Enables secure remote access to critical web applications from users' browsers without requiring additional client components

Micro-VPN
Policy controlled per-application tunneling technology
Relies on Citrix Receiver for authentication and SSO
Network access policy choices:
Blocked
Application network APIs are blocked and fail as if network is not available

Unconstrained
Application network APIs work normally

Tunneled
Application network APIs are tunneled through XenMobile to enterprise intranet

Full power of Access Gateway Enterprise 10.x to configure VPN behavior


Split-tunnel based on IP address ranges or domain suffix -OR- route all traffic back into enterprise intranet
Powerful rules engine for constraining access for external applications
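
The three network access policy choices and the split-tunnel options above, written out as a routing decision. This is an added example, not Citrix code: the class names, the SplitTunnel fields and the sample ranges are assumptions made for illustration, and the model assumes that under Tunneled with split tunneling on, non-intranet destinations go direct.

```python
"""Added illustration: per-app micro-VPN routing decision (not Citrix code)."""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class NetworkAccess(Enum):
    BLOCKED = "blocked"              # network APIs fail as if offline
    UNCONSTRAINED = "unconstrained"  # network APIs work normally
    TUNNELED = "tunneled"            # traffic goes through the gateway


@dataclass
class SplitTunnel:
    """Hypothetical gateway-side config: what counts as 'intranet'."""
    enabled: bool = True
    ip_ranges: list = field(default_factory=list)        # CIDR strings
    domain_suffixes: list = field(default_factory=list)  # e.g. "corp.example"

    def is_intranet(self, host: str) -> bool:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                                   # not an IP literal
        if addr is not None:
            return any(addr in ipaddress.ip_network(r) for r in self.ip_ranges)
        name = host.rstrip(".").lower()
        # Match on a label boundary so "notcorp.example" does not
        # pass as a member of "corp.example".
        return any(name == s or name.endswith("." + s)
                   for s in (x.lower().lstrip(".") for x in self.domain_suffixes))


def route(policy: NetworkAccess, tunnel: SplitTunnel, host: str) -> str:
    """Return 'fail', 'direct' or 'tunnel' for one outbound connection."""
    if policy is NetworkAccess.BLOCKED:
        return "fail"
    if policy is NetworkAccess.UNCONSTRAINED:
        return "direct"
    # TUNNELED: with split tunneling off, all traffic goes back to the intranet.
    if not tunnel.enabled:
        return "tunnel"
    return "tunnel" if tunnel.is_intranet(host) else "direct"


# Constructed sample configuration (addresses and names are placeholders).
DEMO_TUNNEL = SplitTunnel(ip_ranges=["10.0.0.0/8"],
                          domain_suffixes=["corp.example"])
```

The suffix check is the part that most often goes wrong in practice: a plain string suffix match would tunnel look-alike domains into the intranet.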

What Is SmartAccess?
[Diagram: SmartAccess. Recoverable labels: Single logon experience to Web Interface; Certificate/Token Required; Pre-authorization scan; Secure Application and Desktop Virtualization Delivery; applications and desktops delivered based on trust; Dynamically filter Virtual Channels based on endpoint conditions; Automatically deploy client components with Citrix Receiver. Session controls shown: Allow client drives connected; Allow USB devices; Turn off clipboard; Connect client printers; Allow Remote AERO]

Secure Ticketing
User clicks an app
SFS sends XenApp info to STA and receives ticket
SFS sends ICA file with STA ticket info and AG info to client
Browser invokes ICA plug-in and sends ticket info to AG
AG validates ticket and sets up ICA tunnel

[Diagram components: Receiver, Policy Inspection, Access Gateway, StoreFront Services, XenDesktop, AppController, XenApp]
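
A simplified model of the ticket exchange above, showing why a single-use ticket defeats replay. This is an added example and not the STA protocol or any Citrix code: the class, the TTL value and the sample addresses are assumptions, and it covers the replay property only.

```python
"""Added illustration: single-use launch tickets (simplified model)."""
import secrets
import time


class TicketAuthority:
    """Plays the STA role: issues opaque tickets, redeems each at most once."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed lifetime, chosen for the demo
        self._clock = clock
        self._pending = {}           # ticket -> (expiry, launch_info)

    def issue(self, launch_info: dict) -> str:
        """Called by the store (SFS) with the back-end server details."""
        ticket = secrets.token_urlsafe(32)   # unguessable, carries no data
        self._pending[ticket] = (self._clock() + self._ttl, dict(launch_info))
        return ticket

    def redeem(self, ticket: str):
        """Called by the gateway (AG). pop() makes redemption one-shot."""
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return None                      # unknown or already used
        expiry, launch_info = entry
        if self._clock() > expiry:
            return None                      # expired before use
        return launch_info


def gateway_connect(sta: TicketAuthority, ticket: str) -> str:
    """AG side: only a valid ticket yields a back-end address to tunnel to."""
    info = sta.redeem(ticket)
    if info is None:
        return "rejected"
    return f"tunnel to {info['server']}:{info['port']}"


def demo():
    now = [0.0]                              # controllable clock for the demo
    sta = TicketAuthority(ttl_seconds=100, clock=lambda: now[0])
    # Constructed sample: in this model the client only ever holds the ticket.
    t1 = sta.issue({"server": "10.0.0.21", "port": 1494, "app": "MS Word"})
    first = gateway_connect(sta, t1)
    replay = gateway_connect(sta, t1)        # same ticket presented again
    t2 = sta.issue({"server": "10.0.0.22", "port": 1494, "app": "SAP"})
    now[0] = 101.0                           # ticket left unused past its TTL
    late = gateway_connect(sta, t2)
    return first, replay, late
```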

SmartAccess Corporate Laptop

[Diagram: Receiver on a corporate laptop requests resources through the Gateway; policy inspection runs and the policy result grants access to MS Word, Financial App, SAP and Win7 Desktop. Back-end components shown: XenDesktop, AppController, StoreFront Services, XenApp]

VPN-less Remote Access

Secure Connection to requested resource only

[Diagram: Receiver requests a resource through Access Gateway over SSL, with policy inspection at the gateway. Back-end components shown: XenDesktop, AppController, StoreFront Services, XenApp]

Remote Access
Basic scenarios
NetScaler Access Gateway + StoreFront (no AppController)
NetScaler Access Gateway + AppController (no StoreFront)
NetScaler Access Gateway + StoreFront + AppController
Note: All the scenarios described that use Citrix StoreFront are using Single Server deployment mode.

Remote Access
StoreFront only (no AppController)
Ideal for XenApp / XenDesktop customers
No need for clientless access (CVPN)
NetScaler Access Gateway needs Platform License only
Access Gateway vserver can be set to Basic mode

Remote Access
StoreFront only (no AppController)
Case 1: Remote access for mobile users
Native connection to stores

Case 2: Remote access for Windows/Mac users
Native connection to stores
Receiver for Web connection

Case 1: Remote Access
Mobile
New Mobile Receivers will contact Account Services from StoreFront
Account Services will provide the following information:
Store URL
Beacons
Access Gateway(s)

Alternatively, Mobile Receivers can execute Provisioning File from StoreFront

Case 2: Remote Access
Windows and Mac Receiver Connections
The new generation of Citrix Receivers for Windows/Mac devices contains a new Header value: X-Citrix-Gateway
The value CitrixReceiver becomes part of the HTTP Header when accessing the store from StoreFront or AppController
When connecting via a Receiver for Web site, CitrixReceiver and X-Citrix-Gateway are not part of the HTTP Header

POST /cgi/login HTTP/1.1
X-Citrix-Gateway: agzeus.adolfolab.ctx
User-Agent: CitrixReceiver Windows/6.1 AuthManager/3.0.0.47031 (Release)
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Host: agzeus.adolfolab.ctx
Content-Length: 28
Case 2: Remote Access


Windows and Mac Receiver Connections
New Citrix Receivers for Windows/Mac will contact Account Services from StoreFront
Account Services will provide the following information:
Store URL
Beacons
Access Gateway(s)

Alternatively, Receivers can execute Provisioning File from StoreFront or users can enter the FQDN of Access Gateway

Remote Access
AppController only (no StoreFront)
Ideal for Enterprise customers that want Application and User Management via AppController
Customers do not have XenApp / XenDesktop, hence, no StoreFront is needed
Clientless access (CVPN) is required
NetScaler Access Gateway needs Universal Licenses

Remote Access
AppController only (no StoreFront)
Case 1: Remote access for mobile users
Native connection to stores

Case 2: Remote access for Windows/Mac users
Native connection to stores
Receiver for Web connection

Remote Access
StoreFront + AppController
Ideal for Enterprise customers that leverage the entire XenMobile solution to access Windows apps/desktops, Web/SaaS and mobile apps
Clientless access (CVPN) is required
NetScaler Access Gateway needs Universal Licenses

Remote Access
StoreFront + AppController
Case 1: Remote access for mobile users
Native connection to stores

Case 2: Remote access for Windows/Mac users
Native connection to stores
Receiver for Web connection

Licenses/Policies CG Use Cases


Cloud Gateway Express (StoreFront)
ICA Proxy VIP set to Basic (no Universal License required; it uses the XD/XA license). See policy.

Cloud Gateway Enterprise Receiver Web
Receiver Header Policy = User-Agent NOTCONTAINS CitrixReceiver && Referer EXISTS
RfWeb Rewrite Policy: this policy hits for all RfWeb traffic and essentially turns server-side rewrite ON. See policy.

Cloud Gateway Enterprise Apps, SaaS Web, Micro VPN
AGEE VIP set to Smart Access (Universal license needed)

Cloud Gateway Enterprise Receivers
Receiver Header Policy = User-Agent CONTAINS CitrixReceiver && X-Citrix-Gateway EXISTS
Applies to:
RfWin >= 3.3.x
RfMac >= 11.6x
RfAndroid >= 3.1.x
RfIOS >= 5.6.1x
See policy.
No Rewrite policy: this policy is hit for all non-RfWeb traffic and essentially turns off server-side rewrite. This is done because Receivers provide client-side rewrite.
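
The two Receiver Header Policy expressions above, evaluated over raw requests to show which rewrite behaviour each client type lands on. This is an added example, not Citrix configuration or code: the function names are assumptions, the first request is the one shown earlier in this deck, and the other two are constructed samples. It assumes CONTAINS is a case-sensitive substring match.

```python
"""Added illustration: the Receiver header policies as a request classifier."""


def parse_headers(raw: str) -> dict:
    """Parse the head of a raw HTTP/1.1 request into {lowercased name: value}."""
    head = raw.replace("\r\n", "\n").strip("\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:        # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers: dict) -> str:
    """Apply both policy expressions; header names are case-insensitive."""
    is_receiver_ua = "CitrixReceiver" in headers.get("user-agent", "")
    # User-Agent CONTAINS CitrixReceiver && X-Citrix-Gateway EXISTS
    if is_receiver_ua and "x-citrix-gateway" in headers:
        return "native-receiver"
    # User-Agent NOTCONTAINS CitrixReceiver && Referer EXISTS
    if not is_receiver_ua and "referer" in headers:
        return "receiver-for-web"
    return "no-match"


# What each match means for rewrite, as described on the slide.
REWRITE = {
    "native-receiver": "server-side rewrite off (Receiver rewrites client-side)",
    "receiver-for-web": "server-side rewrite on",
    "no-match": "neither policy applies",
}

# Request from the "Case 2" slide of this deck.
NATIVE_REQUEST = (
    "POST /cgi/login HTTP/1.1\r\n"
    "X-Citrix-Gateway: agzeus.adolfolab.ctx\r\n"
    "User-Agent: CitrixReceiver Windows/6.1 AuthManager/3.0.0.47031 (Release)\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: agzeus.adolfolab.ctx\r\n"
    "Content-Length: 28\r\n\r\n"
)

# Constructed sample: a browser session on a Receiver for Web site.
BROWSER_REQUEST = (
    "GET /store/home HTTP/1.1\r\n"
    "Host: gateway.example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Referer: https://gateway.example.test/logon\r\n\r\n"
)

# Constructed sample: Receiver User-Agent but no X-Citrix-Gateway header.
PARTIAL_REQUEST = (
    "GET /store/home HTTP/1.1\r\n"
    "Host: gateway.example.test\r\n"
    "User-Agent: CitrixReceiver (constructed sample)\r\n\r\n"
)

# Headers are client-supplied: a match selects a rewrite policy,
# it does not authenticate the client.
```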

Access Gateway License Types
Platform License & Universal License

Platform Licenses
Every Access Gateway (VPX/MPX) comes with a Platform license, which enables all the basic functionality in Access Gateway. After purchasing an appliance, this license is automatically made available in your MyCitrix account, and can be easily downloaded and installed on your appliance.
Platform licenses can be used to provide seamless access to:
ICAProxy access to XenApp / XenDesktop, using Web Interface
ICAProxy access to XenApp / XenDesktop, using Storefront (XenMobile Express

Universal Licenses
Universal Licenses are used to enable additional/advanced functionality on Access Gateway appliances. These are add-on licenses and work along with the Platform licenses to provide seamless access to your Citrix deployments. Universal licenses are purchased separately from the appliance, and can be installed in the same manner as the platform license.
Universal licenses can be used to turn on the following advanced functionalities:
End Point Analysis
Smart Access to XenApp/XenDesktop
CVPN Clientless access to internal web resources
Full Tunnel (SSL VPN)
MDX Micro VPN

Universal License use case


Universal Licenses are required to support the following Citrix deployments:
ICAProxy access to XenApp / XenDesktop with Smart Access (both Web Interface and Storefront)
XM Mobility Bundle Mobility (AppController)
XM Mobility Bundle (AppController + Storefront)

Virtual Server Modes


Basic vs Smart Access

Basic Mode vServer


A basic mode vServer is a server that consumes platform licenses and hence can be used to provide ICAProxy access to your XenApp / XenDesktop deployments, both via Web Interface and Storefront. A basic mode vServer essentially works out of the box, without the need to purchase any additional licenses

Smart Access mode vServer


A smart access mode vServer essentially consumes Universal licenses and can be used to provide access to any Citrix deployment, including XenApp / XenDesktop / XenMobile. Hence one can set up such a vServer only if additional Universal licenses are purchased, or are received as a bundled offering with the XM Mobility Bundle / XenDesktop Platinum offerings. Note that a Smart Access vServer can only consume Universal licenses and will start dropping connections once all Universal licenses are consumed

Mobile ROI

Citrix Competitive Position
The Most Comprehensive Solution

[Chart: capability columns shown: Device Management; Sandboxed mail and web; Mobile network control; SSO & Id Mgmt; Mobile app and secure data control/security; Desktop & App Virtualization; Collaboration (GoToMeeting, GoToAssist, Podio). Groupings shown: MDM; MDM Edition; Enterprise; Enterprise Mobility Management]

Why Citrix?


Comprehensive

Any device with MDM


Any app with MAM & XenApp
Any data with file sync & share

Compelling

Beautiful, simple user experience


Stunning apps for email & web
Easy to use admin interface

Compliant

Device, app & data security


Policy compliance across platforms & apps
Scenario-based controls

Our Tier-1 Competition: The Usual Suspects

Facts

The low price leader
Founded in 2003 and based in Atlanta
Funded by founders
Started in wireless LAN management software before MDM
Offers primarily cloud based MDM
Aggressive marketing/awareness spend

Point solution for MDM
Founded in 2007 and based in SF Bay Area
Venture funding from Sequoia Capital, Norwest Venture Partners, Storm Ventures and Foundation Capital
Shipping products since Q4 2009
AT&T partnership is primary route to market

Legacy mobile email with bad user experience
Started with wireless email access for corporate users
Based in SF Bay Area
Specializes in secure email and PIM
Acquired (2006) and sold (2009) by Motorola
Recent acquisitions include Copiun (data) and AppCentral (apps)

Our Tier-1 Competition: The Usual Suspects

The low price leader
Strengths: Win customers at all cost; High awareness; Aggressive with new features
Weaknesses: Weak on-prem offering; Poor reliability; Poor support

Point solution for MDM
Strengths: Strong 1st gen MDM; Execution focus
Weaknesses: Playing catch-up in MDM 2.0; Poor customer satisfaction

Legacy mobile email with bad user experience
Strengths: One of the early players; Secure mobile email; FIPS certification
Weaknesses: Niche solution; Restrictive container approach; Poor user experience

How They Will Position Against Citrix + Zenprise


Lose Focus or Dismantle Company
Zenprise CEO GM of mobile BU
100% of Zenprise team on-boarded
Mobile is top priority with 2x dev team
Citrix solid track record 45% of Revenue from acquisitions

Lose All the Best People
Strong team built on customer success
Key employees have large/small exp

Won't Integrate
Highly complementary roadmap
Strong technology integration track record with prior acquisitions (e.g., XenSource, Netscaler, ShareFile)

Support Will Decline
Both companies have strong commitment to CSAT
Both have top loyalty ratings (NPS in mid-+60s Nordstrom

Summary Competitive Plays

The low price leader
Lead with on-premise differentiation
Future proof mobile strategy with comprehensive solution from established vendor
Highlight quality/reliability and support differentiators

Point solution for MDM
Lead with comprehensive vs. point products message
Manage apps and data beyond smartphones and tablets
Highlight scalability and follow-the-sun support

Legacy mobile email with bad user experience
Lead with comprehensive, superior user experience message
Ability to provide MDM, MAM or both
True follow me data and Any app on any device

Our Strategic Features vs. Competitors


Strategic feature | Citrix | AirWatch | MobileIron | Good

Mail, docs, browser. Sandboxed, yet stunning
via a third party
Docs and browser (no DLP controls); no mail
Docs and mail (attachments only; no DLP controls); no browser

Mobile app containers via MDX. BYO apps secured
None
Roadmap
Good Dynamics SDK

Unified app store. Any app, any device
Mobile only
Mobile only
Mobile only

Federated identity & single sign on. Login once
SAML only; not across all apps
No SSO
Only between Good apps

Scenario-based access controls. Dynamic network protection
No context-based access
No context-based access

Enterprise grade MDM. All devices managed

ShareFile & Follow-Me-Data

Why ShareFile?
Enable workforce mobility & BYOD
Address the Dropbox-Problem
Simple and secure data sharing
Fellow employees
Team collaboration
Clients, 3rd party collaboration

Enhanced productivity


Enables file sharing with anyone


Syncs data across all devices
Online file sharing spaces for virtual teams
Selective offline access on mobile devices

Store

Sync

Data protection

Encryption
Device lock
Remote wipe
Poison-pill


Share

Citrix XenMobile & ShareFile


Advanced Authentication & Provisioning
XenApp Integration
Data protection Encrypt, Lock & Wipe
Policy-based Control
Offline Access and 2 way Synchronization
Single Sign On
AD / Role based provisioning

Security Information
SSAE 16 audited data centers
SSL Encryption in transit
AES 256-bit encryption at rest
All uploaded files scanned for viruses
Daily scans for McAfee SECURE accreditation
All ShareFile servers protected by dedicated firewalls


Enterprise Active Directory Options


SAML 2.0 Support
Requires customer provided and configured SAML provider
Microsoft ADFS Support
Also supports popular Identity Providers such as:
OneLogin
CA SiteMinder
PingIdentity PingFederate
SalesForce

XenMobile
Selective data wipe
Instant user provisioning and deprovisioning
Real-time SaaS application monitoring
Comprehensive access control policies
Unified storefront for all applications, data and services

StoreFront Services
XenMobile Enterprise + XD / XA

Integrated Mode with StoreFront Services


[Diagram: Integrated Mode with StoreFront Services. Components shown: MDM Client, Receiver, Native Mail Encryption, XM ActiveSync Controller, TMG, XM Device Manager, Access Gateway (NetScaler, DMZ), SF, XM AppController, XD / XA. Resources shown: Mobile Device Management; Web & SaaS; Mobile Apps; Secure Data; Desktops; Apps]

StoreFront Services
Search to quickly find, subscribe to, or launch apps, documents or services
Role based Follow-me Subscriptions for applications and data
Request applications
Single authentication
Integrated with Citrix Online GoTo Products
Apps can be:
Hosted
Streamed (App-V or Citrix)
Web (SaaS)

Enterprise-ready Storefront Infrastructure

[Diagram: multiple StoreFront servers with a replicated Credential Wallet and a central SQL subscription database]

Centralized administration
Leverages SQL Server
Easy to scale out

Resources
Tools to be successful


From Demo Center to onsite PoC


Provision DC environment (Allow 24h for completion)
https://demo.citrix.com
Log on with your citrite / citrix credentials

Receive automated email with instructions for DC


Usernames and Passwords
Links to all documentation needed for DC

Demo solution to customer using step by step Demo Guide


Schedule onsite PoC and make use of the XenMobile PoC Kit
https://www.citrix.com/skb/articles/RDY9633


Sales Resources Available


Sales Knowledge Base/Success Kits
www.citrix.com/skb
www.citrix.com/successkits

Customer Overview Deck


Customer Tech Deck (for technical IT audiences)
Pricing & Licensing Deck
Product Reference Card/Battlecards
Selling & Positioning Deck
Citrix Mobile Solutions Bundle/XenMobile MDM D&Q Card
POC Kit
Competitive
Executive Checklist whitepaper on building an enterprise mobility strategy
10 Must-Haves whitepaper on secure enterprise mobility

Demo Center
http://demo.citrix.com
http://www.citrix.com/skb/articles/RDY9505


Useful presentations
Citrix Mobile Solutions Bundle/XenMobile MDM Technical Deck
http://www.citrix.com/skb/articles/RDY9400

Citrix Mobile Solutions Bundle/XenMobile MDM Selling & Positioning Deck


http://www.citrix.com/skb/articles/RDY9502

Citrix Mobile Solutions Bundle/XenMobile MDM Customer Deck


http://www.citrix.com/skb/articles/RDY9401

Citrix Mobile Solutions Bundle/XenMobile MDM Pricing & Licensing Deck


http://www.citrix.com/skb/articles/RDY9612

XenMobile MDM & Citrix Mobile Solutions Bundle Reference Architecture


http://www.citrix.com/skb/articles/RDY9604


Prepare for a Successful POC


XenMobile PoC Kit
http://www.citrix.com/skb/articles/RDY9633

Make use of the Prerequisite Checklist
It will save your life!!!