Planning your XenMobile MDM Pilot

Mobile Device Management has been around for a few years now for iPads and Androids devices, and of course BlackBerry has been doing BES for much longer. I have been doing a few MDM installs recently with Citrix XenMobile MDM. This is now in version 8.6 and was already in version 7 when Citrix purchased Zenprise, one of the market leaders in December 2012.

If you’re looking at deploying Citrix XenMobile MDM in a pilot make sure you check through the installation guide, the References Architecture and the MDM Deployment kit if you can get your hands on one. These will help you plan for the infrastructure you need to put in place.

You also need to decide the limits of your POC. Do you just want to look at the device management, security and inventory? Or do you want the whole Enterprise solution with your own corporate app store, micro-vpn into the LAN and secure apps that you can sandbox and have full control over?

For Enterprise MDM, Citrix have bundled ShareFile Enterprise which make the whole solution even more appealing if you want to enable secure file access into your corporate shares and encrypted ShareFile repository. Indeed, the combined features of XenMobile MDM, Worx corporate app store and ShareFile make the enterprise solution very appealing as it would take 2-3 other vendors’ products to do all of these.

Some questions to start you off..

  • What infrastructure servers will I need?
  • Have I got external IPs?
  • What type of devices will I need to control? (Apple, Android, Windows Mobile etc)
  • What users will I target for the pilot?
  • Will I let them use their own device?
  • Have you updated any use policies and got users to sign?
  • What are the implications for controlling personnel devices?
  • Will the project include ShareFile?
  • What SSL certs will I need?
  • Is there a budget for installation and licensing?
  • Have I got a project plan and success criteria sorted?



Once you have worked out the answer to the questions’ll need to get the following sorted out well in advance of installation.

  • External IP/ports – get your change control submitted to Firewall manager in good time.
  • DNS – make sure you have external DNS records for CAG,MDM and ShareFile.
  • SSL – You will need at least two external SSL certs or wildcard. You will also need another 2-3 internal certs for App Controller and StoreFront internally.
  • DUNS Number – Dun and Bradstreet ID from – for Apple Dev Kit
  • Apple Enterprise Developer Kit from Apple at $299 + APNS Certificate
  • NetScaler – you will need a NetScaler with virtual CAG

The last two go together, and you need to get that DUNS number 4-5 weeks before you apply for the Apple Ent. Dev kit.

When Applying for that Apple Dev Kit, make sure you are the project manager or someone who can say they have authority to purchase the kit from Apple – otherwise they won’t talk to you if you need to call support.

The Apple kit is required for pushing secure apps to iOS devices and for packaging the Worx app son iOS and Android. The Apple Push Notification Service (APNS) is required for installation. This is a certificate for your MDM server that you need to email to Citrix, then post into your Apple account to generate an APNS certificate. This is required just to install the MDM software.

If you don’t already have one –you’ll need NetScaler to provide secure access into the Worx Store which resides on the App Controller component, and the StoreFront server for XenApp/XenDesktop access. It also provides the micro-vpn for access to internal web and mail.


Beware of any documentation or sales blurb that promises that any MDM solution will work on every device with every OS. The dream of BYOD for everyone may be possible, just –  but probably with some limitations to certain functionality.

For example, HTC Desire X and 500 models with android 4.1.2 simply won’t load the Citrix Worx Mail client, while a Samsung model with 4.1.2 works perfectly. All the MDM policies work fine. Documentation for the various components in the Enterprise MDM has different supported levels of Android OS and Android SDK API for Worx apps and the micro-vpn so worth checking.

If possible, make sure your Android device has latest build and is at least in support and not End Of Life in terms of downloads and updates to core OS components.

Apple devices are easier to support as there is only one hardware platform, albeit with 2-3 iOS version out there. MDM 8.6 has support for latest iOS 7.


Citrix, (2013) MDM Editions Data Sheet [Online] Available from:

Citrix (2013) Reference Architecture for Mobile Device and App Management [Online] Available from:

Citrix (2013) Compare XenMobile to the competition [Online] Available from:

Dun and Bradstreet (2013) DUNS Number [Online] Available from:

Apple (2013) iOS Developer Enterprise Program [Online] Available from:


How to – Cert requests on NetScaler for CAG

When setting up a virtual CAG on NetScaler – you can apply a certificate in a couple of different ways.

One option is to use IIS and request the certificate, return the request from the vendor and then use openssl on the IIS server, to convert the IIS to .PEM format.

Another option is to use the NetScaler admin tools to generate the request. To do this, you first must have your NetScaler license applied.

When requesting a cert from the NetScaler you have to generate a private key file. This is attached in the code of the cert request file, and then used to verify the source when you re-import.

You can also use a wildcard certificate. This is likely to be one that is used in other web servers so it’s important you know the private key password so you can import. You may also have to carry out the openssl conversion on IIS server before you can use on the NetScaler.

NetScaler can of course host multiple CAG vm, and act as a proxy for other internal sites –as well as perform SSL of loading for secure site traffic – so you could have more than one certificate on NetScaler.

I’m going to create my certificate request on the NetScaler using the admin gui.

  • Go to Traffic Management and SSL – look for Create RSA Key
  • This prompts for filename – which is held on the NetScaler file system.
  • Give the file a name, a bit size – usually 2048 and then format – PEM and Encoding DES.
  • Enter a passphrase and then confirm this – make sure you record it or use a familiar phrase.
  • You can check the location of the file using Manage Certificates – which lists the folder location of the certificate and key files.
  • Next, generate the certificate request using Create CSR.
  • In the next screen, enter the details of the cert request as shown here.
  • Give the cert request a name – and Browse to the key file.
  • Enter the passphrase, and fill in the Distinguished Name Fields.

Make sure that the cert or domain name you are requesting is actually associated with the company.

This can cause issues if the company name is not precise – so worth checking the domain in a whois lookup.

Also make sure you enter the fields marked “*” – an error will prompt you if you miss any. Also, before going to site – do the cert request at least a week in advance – it can take several days to get certs approved by some vendors in relation to government organisations for example.

When confirmed, click OK – then go into Manage Certificates to locate the request.

At this stage, you will need to either download the file OR select View and copy the text.

Your request is now ready to be submitted to a certificate authority.

On return, download the certificate and.

You should also apply the intermediate certificate chain and link it to your main cert.

To do this, get the intermediate cert from the vendor, and save to local folder.

  • Click on Install and browse to the folder – give the intermediate cert a name eg DaddyBundle, and click on Create then Close.
  • In the main cert screen – you can then right click on main CAG cert and select Link – then select the DaddyBundle.
  •  Click ok
  • You can now assign the ssl cert to your virtual CAG.

The process is pretty easy once you do it a few times, so do practice it before you go to site or get stuck with a support call.


Generate SSL Cert Request

Converting CAG pfx to PEM

OpenSSL Commands

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

When converting from IIS – you need to import on the IIS server you generated the request from  – otherwise export with key will fail.

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Backing up NetScaler

NetScaler stores its configuration in a file called “ns.conf” stored in the unix file system.

It would be good practice to take a copy of this file before any major work, version upgrades or migration of the virtual appliances to another data centre for example.

You can back up the config in two ways:

· Using the Generate Support File wizard in the GUI – I mostly use this for sending support files to Citrix.

· Using ftp or secure FTP tools like WinScp or Bitvise

I prefer to use WinSCP/Bitvise and usually install this on the Web Interface or Storefront server.

Method 1

Login to your NetScaler through the management gui.


Go to System, Diagnostics and click on Generate Support File

Click on Run, takes a minute to run. You can then click on Download to export a unix tar file

And also save the config to a text file.

image image

Click download to get the .tar file.


Click on Select to select the recent version


Select a suitable path for the backup and click on Download.


Method 2

The 2nd method, and one I prefer to use is through a Windows based ftp/secure Ftp tool


Login to the NetScaler IP with the nsroot other admin account.


This then presents you with an explorer interface into the NetScaler file system,

and of course my local PC.

Browse to a suitable location on the left pane, and then browse on the right to find the /nsconfig folder – drag the ns.conf over to the right.

**Other files called ns.conf.0 are the previous versions, which you may rename to ns.conf if required to get back to previous settings.