After installing and configuring the XenMobile MDM server it’s time for the step-by-step blog about XenMobile App Controller. In this blog I will install (upload) the Citrix XenMobile App Controller 2.9 to the Citrix XenServer. After that I will configure the basic settings from the console and run the configuration wizard from the administrator web console. I will also create a server certificate for the App Controller, connect the XenMobile MDM server to the App Controller and publish an application.
XenMobile and the NetScaler
The Citrix NetScaler (10.1) now includes a XenMobile setup deployment wizard. With this wizard you can configure XenMobile MDM, App Controller, MS Exchange with Email Filtering and ShareFile at once. For the App Controller the wizard will create a NetScaler Gateway. Make sure you enter the correct Gateway FQDN (App Controller URL) and that you configure the correct certificate (for the external DNS name).
Preparations
For the Citrix XenMobile App Controller installation/configuration you have to make the following preparations:
- Open these ports in your network environment
- Create an external DNS record for the XenMobile App Controller
- Install and configure Citrix NetScaler 10.1 (this time running the XenMobile wizard)
- (Optional) Install and Configure XenMobile MDM
- Have an internal Certificate Authority (CA) up and running
- Have a Microsoft Exchange server up and running
Active Directory Requirements
Fill in (at least) the following fields in the user account properties:
- User Logon Name (and not only the pre-Windows 2000 one)
- First Name
- Last Name
Downloading and Uploading the XenMobile App Controller to the XenServer
For this installation I will download “App Controller 2.9 Virtual appliance for XenServer” from the Citrix website.
After downloading the XenMobile App Controller, open XenCenter, open the File menu and choose the option Import…
Browse to the downloaded App Controller and click Next
Select your XenServer and click Next
Select the storage you want to upload the App Controller to and click Import
Select the network interface you want to use for the App Controller and click Next
Click Finish
Configuring the XenMobile App Controller
Start the XenMobile App Controller and go to the Console tab of the virtual machine (XenCenter). Log in with the default admin account (account name: Admin, password: password).
Type 0 to start the Express Setup
Type 1 to configure the IP Address
Enter the IP Address you want to assign to the App Controller
Enter the correct Netmask
Type 2 to configure the Default Gateway
Enter the correct Default Gateway IP address
Type 3 to configure the DNS Server(s)
Enter the correct IP Address of the DNS server(s)
Type 4 to configure the NTP Server
Enter the correct IP Address of the NTP server
Type 5 to commit the changes
Type y to reboot the App Controller
Open a web browser and type the following address: https://<ip of appcontroller>:4443/ControlPoint. Log in with username: administrator (NOT admin!), password: password.
When logging on for the first time, a Configuration Wizard appears. The first step is to change the default administrator password. Fill in the default password (password) and enter a new one (twice). Click Next
Enter a hostname. In my case I will use appcontroller.hobo.lan. NOTE: you must create an internal DNS record for this hostname manually.
Enter the requested Active Directory information. Leave “Use secure connection” unselected for now. We will configure the certificates for the secure connection later. Click Next.
Configure the correct Time Zone and DNS suffixes. Click Next
Enter the requested mail server settings and click Next
Click Save
Click Yes
Creating and Installing a server certificate
The Citrix XenMobile App Controller requires the root certificate and a server certificate for communication between the App Controller and the management console, applications and StoreFront. Note: this is not the SSL certificate for use with the external DNS record; that certificate must be issued by an external CA and must be installed on the NetScaler.
For the creation of the server certificate I will use Internet Information Services (IIS). Go to Server Certificates and click Create Domain Certificate
Enter the requested information and click Next
Select the correct (internal) Certification Authority (CA), enter a Friendly name and click Finish
Right click the certificate and click Export
Export the certificate to a .pfx file and set a password. Click OK
Open an MMC console and add the Certificates snap-in (My User Account)
Browse to Certificates – Current User > Personal > Certificates. Right click Certificates and browse to All Tasks > Import
Click Next
Browse to the certificate and click Next
Type the password for the private key and select Mark this key as exportable. This will allow you to back up or transport your keys at a later time. Click Next.
Click Next
Click Finish
Click OK
Right click the certificate and browse to All Tasks > Export
Click Next
Click Next
Make sure you select Include all certificates in the certification path if possible and click Next
Set a password and click Next
Browse to the path you want to save the certificate to and click Next
Click Finish
Click OK
Log on to the XenMobile App Controller web console and go to Settings, Certificates
Go to Import and select Server (.pfx)
Enter the password you set while exporting the certificate and click OK
Select the certificate and click Make Active. Note that the root CA is also imported automatically and is added to the Certificate Chain.
Click Yes
You can now browse to the AppController Admin Console via HTTPS
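A check you can run on the exported .pfx before importing it into the App Controller, as an added example that is not part of the original post: it confirms that the bundle holds the private key, that the certificate name matches the App Controller hostname, and that the issuing and root CA certificates were included in the export. The function name and the file name in the usage comment are assumptions.

```powershell
# Added example, not from the original post.
function Test-AppControllerPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$HostName      # e.g. appcontroller.hobo.lan
    )
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

    # Parses the bundle without adding anything to a certificate store.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($file, $plain, $flags)

    # The server certificate is the only entry that carries a private key.
    $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) {
        return [pscustomobject]@{
            ReadyToImport = $false
            Reason        = 'No certificate with a private key in the bundle'
        }
    }

    # First DNS name in the SAN extension, otherwise the subject CN.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName  = $leaf.GetNameInfo($nameType, $false)

    # "Include all certificates in the certification path" should have added these.
    $issuer = $certs | Where-Object { $_.Subject -eq $leaf.Issuer } | Select-Object -First 1
    $root   = $certs | Where-Object { $_.Subject -eq $_.Issuer }    | Select-Object -First 1

    $now = Get-Date
    $result = [pscustomobject]@{
        Subject        = $leaf.Subject
        DnsName        = $dnsName
        NameMatches    = $HostName -like $dnsName   # -like also accepts a wildcard name
        IssuerIncluded = [bool]$issuer
        RootIncluded   = [bool]$root
        ValidNow       = ($leaf.NotBefore -le $now) -and ($now -le $leaf.NotAfter)
    }
    $ready = $result.NameMatches -and $result.IssuerIncluded -and
             $result.RootIncluded -and $result.ValidNow
    $result | Add-Member -NotePropertyName ReadyToImport -NotePropertyValue $ready -PassThru
}

# Usage (hypothetical file name):
# Test-AppControllerPfx -Path .\appcontroller.pfx -Password (Read-Host -AsSecureString 'PFX password') -HostName appcontroller.hobo.lan
```

If RootIncluded is False, repeat the export and make sure "Include all certificates in the certification path if possible" is selected.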
Allow the XenMobile MDM server to communicate with the XenMobile App Controller
To allow the XenMobile MDM server to communicate with the XenMobile App Controller, configure the following:
Log on to the XenMobile MDM admin console and go to Options
Go to App Controller. Enter the Host Name and a Shared Key (anything you like without special characters) and click Close
Click Yes
Open the XenMobile App Controller admin console, go to Settings, XenMobile MDM and click Edit
Enter the requested information and click Test Connection
Click Close
Click Save
Go back to the XenMobile MDM Console and click Check connection
Click OK
Publish an Application
Within the Citrix XenMobile App Controller you can deploy many different types of applications, including Android apps (APK files, or MDX files for wrapped apps), iOS apps (IPA files, or MDX files for wrapped apps), Web & SaaS apps, Web Links, or apps directly from iTunes or the Google Play store. In this blog I will show you how to publish a SaaS application.
Log on to the App Controller administrator panel and go to the tab Apps & Docs
Go to Web & SaaS and click on the big green plus sign
For this example I will use the LinkedIn SaaS app, click Add
Click Next
You can define Workflows within the App Controller if, for example, approval is required from a manager. In this case I leave everything at the defaults. Click Next
Click Save
The LinkedIn application is now published from the App Controller
To see if it works, open a web browser and enter the App Controller URL
Click on the plus sign to add the LinkedIn application
Select the LinkedIn application
Click on the LinkedIn icon
The App Controller will save the credentials for the user.
It is also possible to add XenApp / XenDesktop applications and desktops by connecting StoreFront to the App Controller.
Hi Robin,
Thanks for the effort. Great article.
One question: I followed the exact same steps and I still get the following:
there are no apps or desktops assigned to you at this time.
I have added to your steps a new AD group and given permissions, but I am getting the same message for all users.
Any ideas?
Hi Robin,
After filling the User Logon Name as you stated in your article it all worked fine.
Thanks again.
Great article, you helped me a lot. Thanks!
I am trying to follow the same process but it looks like the screens are different now. At least in my case. The NetScaler login portal for XenMobile only shows the options for XenMobile and Exchange. I am on build 124.13 and this is a brand new install.
That’s correct, the other two wizard options are only available in the enhanced version of the NetScaler.
Thanks Robin, this is awesome.
BTW app controller address should be
https://App ControllerIPaddress:4443/ControlPoint
port is 4443 and not 4333
I figured it out though, thanks!
Hello Sachin, thanks for reporting, I have changed it!
First of all, thanks for this great post. I configured the App Controller and used your article for wrapping WorxMail and WorxWeb for both Android and iOS. On Android, WorxMail works great. However, on iOS there are no mails visible in the app. When I configure the native app with the same credentials, all mails are retrieved properly.
Any ideas what the issue might be?
You can check the policy tab from the published iOS WorxMail app. What are the network settings, is “Tunneled to the internal network” selected? And is the Initial VPN mode configured correctly?
Hi Robin,
No, the configuration was OK. The problem was that WorxMail is incompatible with Exchange 2003.
gr, F
Hi…
Just wanted to ask if you are able to push out in-application settings with the App Controller?
For example if an application had an email address and a port number – could this be automatically populated for each user?
Great post!
Thanks
That depends on the application, the application must be Worx ready and must be wrapped.
Hi Robin,
Your article on App Controllers and MDM was extremely useful.
Yesterday I did HA on the App Controllers here and I finally worked it out. I thought I would send the steps through to you in the event someone visited your website and it could help them. Here are the steps.
For anyone else struggling with this, this is the simple way I did it. (This is my own experience and you need to test yourself)
Install the 1st controller and the 2nd controller, configure the IP address, subnet mask and gateway for both. Then configure the Role preference for each controller, along with the VIP address and the peer address. (This is the other controller's IP.) Create a DNS entry for the VIP address.
Then sign into the controller via the VIP address. So https://appcontroller.companyname.com:4443 and configure the hostname for the controller as the DNS VIP address and enter all the other settings as required. (You can skip the certificates for now.) You will then be logged out of the website. Log back in and import the certificate for the VIP address. (Don’t forget to import the root cert and chain it if required.) You will now be able to log out and back in and should have no certificate errors.
You can now either turn off the 1st controller and sign back into the website and you should be able to see that you are signed in via the 2nd controller as the overview will show the 2nd controller's IP, or you can just force failover to the second controller in the App Controller console.
Thanks
Clinton.
Thanks for this info Clinton!
Hi Robin,
Thank you for the great article. I have a related question.
Scenario: upgrade 2.8 went wrong & you implement 2.9 (fresh install) to eventually replace the old App Controllers.
Question: Do you need to add all your Weblinks & other Applications manually or is there a way to bulk import all the apps?
Thank you in advance.
Best regards,
Reza
I never tested that scenario, but with the same versions you can create/export a snapshot for that.
Hi Robin
First of all, thanks for your help.
I'm trying to have my App Controller apps appear on StoreFront, but so far I've been failing at this.
StoreFront works OK, users are able to log on and launch XenApp and XenDesktop apps without any issues.
App Controller is running, I can create apps, assign them to groups, and everything looks to be OK. I've configured the Deployment and Windows Apps tabs as everyone seems to say is required (tried different choices), but they are not appearing.
I've also tried adding the AC server to the StoreFront Store as a Delivery Controller without success.
So far, this environment doesn't have a NetScaler available (we're waiting for the purchase of the public cert).
Also, if I try to log on to the AC Web Store, I can't; every user gets rejected no matter what they input there.
Thanks Robin
Sorry, where can I find the Shared Key for XenMobile and the AppController?
That is a key you can create by yourself. So anything you like as long as they are equal.
Hi Robin
It is a very great article to learn and understand Citrix XenMobile and the configuration of its components.
I would like to know how I can register devices on MAM directly (is any enrollment doc available?). I am not using MDM.
Regards
Sumeet
Just connecting to the MAM external address with WorxHome should work.