Citrix has released their latest version of their Enterprise Mobile Device Management software, XenMobile 8.6.
The upgrade, now integrates more tightly into Citrix’s GoToMeeting web-hosted video conferencing, and also with its ShareFile and GoToAssist cloud-based IT admin controls.
With the new one-touch feature, users can automatically launch and join an online meeting — using Citrix GoToMeeting or other meeting services — directly from their calendars. Or a dial-in option can be used to auto-dial the conference number and participant code for mobile users.
Also, Citrix is now offering a new multi-site support infrastructure that includes global load-balancing. The XenMobile upgrade allows businesses to quickly mobilize remote offices by using Citrix cloud servers in their geographic region to bring new business units or subsidiaries of acquired companies online with multi-domain support.
What’s New in XenMobile
The following are the main new features in the 8.6 version of XenMobile.
App Controller 2.9 contains the following new features:
- Client certificate authentication for SSO to HDX apps. App Controller now accepts client certificates for authentication through NetScaler Gateway so users can access HDX apps by using single sign-on.
- Multiple Active Directory domains. You can map multiple Active Directory domains in App Controller 2.9. You configure the initial Active Directory domain during the First-time Use configuration. Then, you can configure additional domains.
- Multiple beacons for Citrix Receiver. Receiver uses beacons to determine whether users are connected to internal or public networks to then determine the appropriate connection method. You can now configure internal and external beacons in App Controller 2.9.
- Multiple NetScaler Gateway appliances. You can configure more than one NetScaler Gateway appliance in App Controller 2.9. You can then enable the default appliance or another NetScaler Gateway appliance to act as a proxy for remote user connections. You can also configure an app hosted in the internal network to require the connection to route through a particular NetScaler Gateway appliance.
- Native IPA and APK files. You can now upload native, IPA and APK files to App Controller 2.9 for publication to Worx Home and the Worx Store.
- Paid apps. If users click an app in the Worx Store that requires payment, the Apple store or Google Play store opens depending on the app type.
- Restoring saved network settings. When you use the App Controller 2.9 snapshot feature to restore your configuration settings, when you import a saved snapshot, you can import the network settings from the earlier configuration.
- Step-up authentication policy. You can configure a policy for an MDX app to specify that users authenticate through a particular NetScaler Gateway appliance before they open the app. In doing so, users are asked to enter additional credentials, such as an RSA token.
To use the following features, you must install NetScaler Gateway 10.1, Build 120.1316.e:
- Advanced endpoint analyis. NetScaler Gateway contains built-in scans for a wide variety of applications and services with the Endpoint Analysis Plug-in.
- Client certificate authentication for Mac OS X and Worx Home. NetScaler Gateway supports client certificate authentication for Mac OS X computers. When users log on with the NetScaler Gateway Plug-in for Mac, they can choose from a list of client certificates for authentication. If the certificate is accepted, they can then save the certificate to use in future sessions. This way, the next time users log on, NetScaler Gateway uses the same certificate and users do not receive another prompt for the certificate.
- Client certificate authentication for Worx Home. Worx Home can use client certificates to authenticate users when they log on. User devices must enroll in Device Manager. When the device enrolls, Device Manager sends the client certificate to the user device and the certificate is stored in Worx Home. When users log on, NetScaler Gateway requests the client certificate and authenticates the user.
- Device certificates. You can install PKCS#12 certificates on NetScaler Gateway. Device certificates support Windows-based and Mac OS X computers. Device certificates also work with endpoint analysis.
- Kerberos Constrained Delegation (KCD). You can configure KCD support on NetScaler Gateway virtual servers. This feature provides single sign-on to Kerberos-based applications.
- NetScaler Gateway Plug-in support. The NetScaler Gateway Plug-in runs on Windows 8.1 and Mac OS X Version 10.9.
- Proxy support. NetScaler Gateway supports a traffic policy-based proxy configuration that facilitates seamless redirection of secure (HTTPS) and unsecure (HTTP) network traffic from WorxWeb to proxy servers in your network.
- ShareFile Setup Wizard. This wizard allows you to configure secure access to your ShareFile Storage Zone controllers that reside in the internal network.
- XenMobile Deployment Page. NetScaler Gateway supports a consolidated XenMobile deployment page that allows you to configure a XenMobile deployment from a single page.
- Client certificate authentication. Users can now authenticate their devices to XenMobile using client certificates, giving administrators the choice of authenticating their users using Active Directory credentials or client certificates. By using client certificates, users will only need to use their own chosen PIN number to log in to any of the Worx-enabled apps.
- MDM policy support for iOS 7. XenMobile 8.6 now provides support for iOS 7 MDM policies, which includes such key capabilities as Per-App VPN, OpenIn document controls, Enterprise SSO (Kerberos) Account, Silent Install/Uninstall, AirPrint and AirPlay, Font, Web Content Filters, Personal Hotspot restrictions, Organization Info, and more.
- VPP support for iOS 7. This release supports Apple’s Volume Purchase Program (VPP) for bulk purchased of iOS 7 apps. With this version, al apps purchased through VPP only require a single license code.
- Worx Home on Amazon Kindle MDM policies. You can now use the following new MDM policies on Worx Home for Amazon Kindle:
- App uninstall restriction. You can define a list of apps that you do not want a user to uninstall. You can also specify a list of apps that a user can uninstall.
- Amazon Kindle restrictions policy. This policy allows you to apply certain security restrictions for your Worx Home for Kindle users, such as the ability to allow or disallow non Amazon apps to be installed, device factory reset, social networks, cellular networks, and more.
- Samsung Knox Support. This release of XenMobile 8.6 supports the ability to enable and manage the Samsung Knox Container on Samsung Knox Devices (Samsung S4 devices that support the Knox API version 1.0). Your MDM administrator has the ability to instantiate the Samsung Knox Container by deploying the following XenMobile MDM Policies:
- Exchange ActiveSync Configuration. Allows you to remotely configure Exchange Email settings, such as server configuration and advanced mail server settings (SSL, synchronize contacts, synchronize calendar, make default email account).
- Password Policy. Provides the ability to configure device passcode for the Knox container, to meet the standards of your IT department.
- Unlock and Reset Passcode. The administrator can also remotely unlock and reset the contain passcode.
- Enterprise VPN. Configure corporate VPN settings so apps launched from inside the Knox secure container (such as the browser) use a secure connection.
- App Restriction. Configure app blacklists to block apps from being installed in the Knox Container.
- Remote Wipe of Knox Container. Selective wipe all apps and content from the Knox Container.
- App Uninstall. Ability to preform silent app removal from the Knox Container.
- App Install. Ability to deploy Samsung Knox apps to the Knox Container.
- Geo-fencing on Android. Now, MDM geo-fencing capabilities for devices are available on the Android platform. Geo-fencing features include:
- Geo-fencing. Allows you to define a geographic perimeter for an Android device and then choose to perform a selective or full wipe upon perimeter breach set. You have the option of setting a delay before the device is wiped, which gives the user time to return to the allowed GPS location perimeter.
- Geo-tracking. Provides the ability to view the locations of a device and to track its locations an device over periods of up to six hours at a time.
- Symantec PKI. XenMobile 8.6 now supports Symantec PKI.
- XenMobile Mail Manager (XMM) – Supported on Exchange 2013. XMM now supports Microsoft Exchange 2013.
You can configure the following new policies in MDX mobile apps that you create with the MDX Toolkit.
For both iOS and Android apps, you can:
- Provide a NetScaler Gateway address to specify an alternate gateway to be used for stronger authentication.
- Specify the preferred micro VPN connection mode – secure browse (reverse web proxy) or full VPN tunnel – to use depending on the authentication type that users encounter.
- Intercept and redirect system or console logs from an app to the Worx app diagnostic facility.
For iOS apps exclusively, you can:
- Prevent an app from using dictation services.
- Prevent an app from using AirDrop.
- Prohibit an app from using the Worx diagnostic logging facility.
For Android apps exclusively, you can:
- Determine exclusions to the types of documents that can be exchanged between the app and other apps.
- Specify an encryption version to be used for public and private file encryption.
- Specify a label to identity the specific certificate required for an app for use with a public key infrastructure (PKI).
- Enable Kerberos, client certificate authentication.
For Worx apps, you can:
- Prevent an app from using the Worx app diagnostic logging facility to record and collect logs with the Worx Home email support feature.
- Determine if the Worx app diagnostic logging facilities use either the file, console, or both output mediums.
- Set the level of logging ranging from logging no information to logging detailed informational messages.
- Set a limit for the number of log files that the Worx app diagnostic logging facility keeps before rolling over.
- Limit the size in megabytes of the log files that the Worx app diagnostic logging facility keeps before rolling over.
For WorxMail exclusively, you can:
- Enable or prevent a one-way synchronization of WorxMail contacts to a device and the sharing of WorxMail contacts as vCards.
- Enable WorxMail to accept all SSL certificates, valid or not, and allow access, or you can make sure WorxMail blocks access when a certificate error appears.
- Enable WorxMail to support Exchange Information Rights Management (IRM) capabilities, which allows a sender to prevent recipients from forwarding, modifying, printing, faxing, saving, or cutting and pasting the message content.
For WorxWeb exclusively, you can:
- Determine if WorxWeb users can view but cannot edit the browser address field, or you can hide the address bar completely. You can also hide the entire toolbar.
- Enable WorxWeb to filter web links by configuring a list of allowed or blocked sites.
- Provide a list of preloaded bookmarks that include a folder name, friendly name, and web address.
The following are new features for Worx Apps.
- Worx Home is supported on iOS 7.
- Worx Home supports enrollment. You no longer need a separate app (Citrix Mobile Enroll) to enroll devices into XenMobile. Now, iOS users can enroll using Worx Home and gain access to all of their apps, documents, and support features.
- Single step simplified enrollment for iOS. The enrollment process has been simplified into a single step. After logging on with your network credentials, you only need to perform a single step to enroll your device.
- Ability to refresh Worx Store. You can now refresh the Worx Store on Worx Home and see any app updates provided by your administrator.
- Enhanced auto-discovery for easier enrollment. Worx Home enrollment now supports two types of auto-discovery, so a user can enter either their corporate email address (such as, email@example.com) or their UPN name (username@companydomain) and enroll through auto-discovery.
- Client certificate authentication. This release of Worx Home supports client certificate authentication (in addition to Active Directory-based authentication). You configure client certificate authentication on NetScaler Gateway. When users log on, NetScaler Gateway sends the client certificate to the user device.
- WorxMail is supported on iOS 7.
- Out of Office Support. You can now set your own custom Out of Office replies from WorxMail.
- ActiveSync policy support. WorxMail 1.3 now supports several ActiveSync policies for iOS and Android.
- ShareFile single sign-on. No need to log on to ShareFile more than once.
- Client certificates. No need to enter Active Directory credentials more than once.
- Multi-select. You can now multi-select emails for mass delete operations.
- Export WorxMail contacts for Caller ID. You can now export your WorxMail contacts to your iPhone or Android devices so those contacts can be seen in Caller ID.
- Support for Office 365 Exchange.
- Picture attachments on emails. You can now access your device’s pictures and send them as WorxMail email attachments.
- Sending files to WorxMail from MDX apps. You can securely send file attachments that originate from MDX-enabled apps, such as files from WorxWeb, ShareFile, and more.
- Join GoToMeeting directly from calendar invites. With the WorxMail Fast Join feature, you can now dial directly into a GoToMeeting conference from the WorxMail calendar invite.
- Conversation view. You can sort your Inbox emails by conversation, or you can choose to view your emails chronologically, in a flat list.
- Support for emails as attachments – (.msg and .eml files).
- Information Rights Management (IRM) on Android. Allows you to use IRM to apply persistent protection to messaging content, and allows mobile device users to be able to create and consume IRM-protected content.