In this step-by-step blog I will install and configure Citrix XenMobile MDM 8.6 on a Windows 2012 Server, including the Oracle Java Platform (JDK) 7, configure XenMobile MDM with the “Getting Started” wizard, create an external SSL certificate file in .p12 format that includes the root and intermediate certificates, configure that external SSL certificate within XenMobile MDM and configure the Citrix NetScaler 10.1 for use with XenMobile MDM. For the installation and configuration of the AppController I will write a separate blog.
For this installation I will use my current Microsoft SQL 2012 server which is installed on a separate server and my current Citrix NetScaler ADC 10.1.
Preparations
For the Citrix XenMobile MDM 8.6 installation you have to do the following preparations:
- Open these ports in your network environment
- Obtaining a Citrix XenMobile license file
- Download Oracle Java Platform (JDK) 7
- Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
- Create a Service Account
- Create an external DNS record for the XenMobile MDM Server
- On the XenMobile MDM Server, configure a static IP address
- On the XenMobile MDM Server, disable UAC
- On the XenMobile MDM server, disable IPv6 by applying this registry key
- Create an Apple Push Notification service certificate
- Install and Configure Citrix NetScaler 10.1
Service Account
For this installation you need to create a Service Account. This account needs dbcreator rights on the Microsoft SQL Server and Local Administrator rights on the XenMobile MDM server.
Installing Oracle Java Platform (JDK) 7
Run jdk-7u45-windows-x64 and click Next
Click Next
Click Next
Click Close
Copy and replace local_policy.jar and US_export_policy.jar with the versions from the UnlimitedJCEPolicy.zip file (the JCE Unlimited Strength policy files) in the following locations:
- C:\Program Files\Java\jdk1.7.0_45\jre\lib\security
- C:\Program Files\Java\jre7\lib\security
Installing Citrix XenMobile MDM 8.6
Run XenMobileDeviceManager-8.6.0.33292 and click OK
Click Next
Click I Agree
I will use my existing Microsoft SQL server, so I select only Application Server. Click Next.
Click Install
Select your License file and click Next
Enter the information of your SQL server. Be sure you enter the Service Account with the correct SQL permissions (dbcreator). Click Check the connection.
Click Create
Click OK
Click Next
This keycode is optional to remove watermarks in the reports. Click Next
Click Next
Click Next
Click Next
Click Next
Leave the keystore file path default, enter a password (anything you like) and click Next
Leave the keystore file path default, enter a password (anything you like) and click Next
Leave the keystore file path default, enter a password (anything you like) and click Next
Leave the keystore file path default, enter a password (anything you like), fill in the external FQDN and click Next
Browse to your Apple Push Certificate, enter your password and click Next
Click Next
Enter a username and password for the webadmin console (can be a non-existing user). Click Check the user name.
Click OK
Click Next
Click Finish
Click Close
Click Next
Click Finish
Configure XenMobile MDM with the “Getting Started” wizard
Open Internet Explorer and browse to http://localhost/zdm, login with the account created during the installation.
Click Get Started
Click Next
Enter a package name (anything you like) and click Next
For this blog I will add Passcode and Jailbroken Detection. Drag Passcode to the right.
Click Done
Drag Jailbroken Detection to the right and click Done.
Click Next
Click Yes, enroll with corporate credentials
Select LDAP and click Next.
Enter the following information:
Directory Type: Microsoft Active Directory
Primary Host [:Port:]: Your domain controller
Root context: DC=Hobo,DC=Lan (for example)
Search user: Admin useraccount
Password: Admin useraccount
Domain alias: Your domain alias
XenMobile lockout limit: 5
Global Catalog TCP port: 3268
User Search By: sAMAccountName
Click Check.
Click OK
Click Next
Click Next
You can specify which users are allowed to use XenMobile and which users have admin rights within the XenMobile console. I will add the Domain Users as XenMobile users for now.
Click Next
Click Finish
Click Next
I don’t have devices in my database at this moment, so I click Skip.
Click Go To Device Manager
At this point you are ready to create policies and deployment packages.
How to create an external SSL Certificate file in .p12 format that includes the root and intermediate part
To use XenMobile MDM with an external SSL certificate, you need an SSL certificate in .p12 format, issued by a trusted CA, which includes the root and the intermediate certificates.
In this part of the blog I will show you how to create that .p12 certificate. In my case I have configured my SSL certificate on my NetScaler as described in this blog. I will export this certificate and add the intermediate certificates.
Go to the NetScaler admin console and browse to Traffic Management > SSL, on the right side of the screen click on Export PKCS#12
Enter the following information
PKCS12 File Name: any name you like with .p12 extension
Certificate File Name: browse to the .crt file
Key Filename: Browse to the .key file
Export Password: Enter a password you like
PEM Passphrase: The passphrase of the PEM
Click OK
Click on Manage Certificates / Keys / CSRs
Download the .p12 file just created
NOTE: In my case this file is 4 KB in size and does not contain the intermediate certificate(s)
Open a MMC Console and add the Certificates (My user account) Snap-in
Right click Personal and go to All Tasks > Import…
Click Next
Select the exported .p12 file and click Next
Type the password for the private key, select Mark this key as exportable (this will allow you to back up or transport your keys at a later time) and click Next
Click Next
Click Finish
Click OK
The certificate is now displayed under Personal > Certificates
Right click the certificate and go to All Tasks > Export…
Click Next
Select Yes, export the private key and click Next
Select Include all certificates in the certification path if possible and click Next
Enter a Password (anything you like) and click Next
Specify a location where you want to save the certificate and click Next
Click Finish
Click OK
Rename the exported .pfx certificate to a .p12 file.
In my case this file is now 6 KB in size and contains the intermediate certificate(s)
Configuring an external SSL certificate within XenMobile MDM
To add an external SSL certificate within XenMobile you need to edit two XML files on the XenMobile MDM server. First create a folder on the local disk of the MDM server and copy the certificate file into it; in my case I will use C:\XenMobile-Cert\XenMobile-RobinHoboCom.p12
Open the following file in an editor (for example Notepad++): C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF\classes\pki.xml
Add the following bean to the file:
<bean id="externalSslCert" class="com.sparus.nps.pki.def.KeyStoreParams"
p:keyStoreType="PKCS12"
p:keyStorePath="C:\XenMobile-Cert\XenMobile-RobinHoboCom.p12"
p:entryAlias=""
p:keyStorePass="Password you entered during the export of the certificate"
p:publiclyTrusted="true"
/>
Open the following file in an editor (for example Notepad++): C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml
Locate the "Connector port="443"" element and replace the following attributes:
keystoreFile="C:\XenMobile-Cert\XenMobile-RobinHoboCom.p12"
keystorePass="Password you entered during the export of the certificate"
Locate the "Connector port="8443"" element and replace the following attributes:
keystoreFile="C:\XenMobile-Cert\XenMobile-RobinHoboCom.p12"
keystorePass="Password you entered during the export of the certificate"
Reboot the XenMobile MDM server after saving the files.
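As an added example (my own code, not Citrix's and not part of the original post), a Python helper that applies the two server.xml edits described above and builds the pki.xml bean; the server.xml sample, paths and passwords in it are constructed placeholders.

```python
import re
from xml.sax.saxutils import quoteattr

# Constructed sample resembling the SSL Connectors in Tomcat's server.xml
# (not the real Citrix file); the port 80 Connector must stay untouched.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <!-- device-facing HTTPS connector -->
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             keystoreFile="conf/https.p12" keystorePass="changeit" keystoreType="PKCS12" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             keystoreFile="conf/https.p12" keystorePass="changeit" keystoreType="PKCS12" />
  <Connector port="80" protocol="HTTP/1.1" />
</Service>
"""
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")

def patch_connectors(xml_text, keystore_file, keystore_pass, ports=(443, 8443)):
    """Rewrite keystoreFile/keystorePass on the Connector tags for `ports`,
    editing raw text so comments survive. Returns (new_text, patched_ports)."""
    wanted = {str(p) for p in ports}
    patched = set()

    def fix(match):
        tag = match.group(0)
        port = re.search(r'\bport="(\d+)"', tag)
        if not port or port.group(1) not in wanted:
            return tag  # some other Connector, e.g. port 80
        for attr, value in (("keystoreFile", keystore_file), ("keystorePass", keystore_pass)):
            pat = re.compile(r'\b%s="[^"]*"' % attr)
            if not pat.search(tag):
                raise ValueError("%s missing on Connector port %s" % (attr, port.group(1)))
            # quoteattr escapes the value; the lambda keeps backslashes literal
            tag = pat.sub(lambda _m: "%s=%s" % (attr, quoteattr(value)), tag)
        patched.add(port.group(1))
        return tag

    new_text = CONNECTOR_RE.sub(fix, xml_text)
    if wanted - patched:
        raise ValueError("no SSL Connector for port(s) %s" % sorted(wanted - patched))
    return new_text, sorted(patched)

def external_ssl_bean(keystore_path, keystore_pass):
    """Build the externalSslCert bean for pki.xml with XML-escaped values."""
    return ('<bean id="externalSslCert" class="com.sparus.nps.pki.def.KeyStoreParams"\n'
            '      p:keyStoreType="PKCS12"\n'
            '      p:keyStorePath=%s\n'
            '      p:entryAlias=""\n'
            '      p:keyStorePass=%s\n'
            '      p:publiclyTrusted="true"\n'
            '/>') % (quoteattr(keystore_path), quoteattr(keystore_pass))
```

Both files end up holding the keystore password in plain text, so restrict the NTFS permissions on pki.xml, server.xml and the .p12 folder to the service account and local administrators.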
Configuring the Citrix NetScaler 10.1 for use with XenMobile MDM
Log in to the NetScaler admin console. Optionally you can log on with the Deployment Type set to XenMobile MDM.
Go to Traffic Management > Load Balancing. On the right side of the screen click on Load Balance XenMobile Device Managers (MDM Servers)
Enter a name for the MDM Load Balancer and enter a (new) IP address. Click Continue
NOTE: This is the IP address your external DNS record must point to.
Enter the name and IP address of your XenMobile MDM Server and click Create
Click Done
Excellent article Robin! What’s up next, adding AppController as well?
Thanks! Yes one of my next blogs will be about the AppController and also ShareFile.
Are you still going to blog about AppController and Sharefile?
Keen to read what you’ve got to say.
Yes, I hope I can write that blog soon.
Thanks for the post, really helpful. Just a quick question, where would you recommend or what is the best practice on placing the XenMobile server, in DMZ or LAN.
Hallo Awees, with XenMobile 8.5 you must place the MDM in the DMZ; according to the “XenMobile 8.6 new feature list”, XenMobile now supports SSL offloading so the MDM server no longer needs to be placed in the DMZ. However, according to that same document this must be configured on the NetScaler Gateway 10.1, Build 10.1.1308, which has not yet been released. So until then you must still place it in the DMZ…
Hey,
thanks for this post, very useful. Just FYI, the SSL Offload patch is available now for XDM 8.6.
regards
Alex
Great post Robin!
Also tried the SSL offloading patch, but do I need to change the protocol on the NetScaler from SSL_BRIDGE to SSL to get it to work?
That’s correct, see also this blog on how to configure it: http://bretty.me.uk/citrix-xenmobile-mdm-8-6-ssl-offload-via-netscaler-how-to/
Thanks for this guide – this is really helpful for everyone looking at this… saved me a ton of time understanding the installation flow and expectations, and documenting the process 😉
Robin Hobo for President!
Thanks Robin, that was a quite useful post, but I did not understand the use of import certificate on Device Manager Server, Can you please help me to understand the funda behind this.
That’s for the external address, for example; mobile.domainname.com. This certificate must be trusted by an external CA.
So then if your server is server1.corp.local and externally it’s hit via enrollhere.corp.com, the certificate would be issued to the enrollhere address, right? Would that cause any certificate errors given the difference in names? Also, given that you can now offload ssl to the netscaler, this external certificate could live only on the netscaler, correct? If you still use 443 from NS to MDM server, could that be an internal certificate?
Correct, with SSL Offloading you must install the certificate on the NetScaler, and yes, if you want to secure traffic from NetScaler to the MDM server it can be with an internal certificate.
Hi Robin,
Really nice post and Happy New Year.
What about the internet connectivity of the XenMobile Device Manager through a proxy server? When I’m trying to add any external iOS app it is throwing me an error “The URL for the external iOS App is invalid”, but when I am giving the same URL in the next tab of my browser I am able to get the iTunes page. I am having a proxy server in between and I have full access to the internet.
I have also added the proxy server details in Device Manager. I used the link
http://support.citrix.com/article/CTX136706 for the proxy configuration.
Any help on this issue is really appreciated.
Regards,
Nivesh
Have the same problem here, seems that the Apple traffic is not going to the proxy but directly to the firewall where it’s blocked. Seems like a bug to me. Do you already have a solution?
[…] have been added to this post, plus (and this is important) when you are installing MDM by following this post DO NOT UPDATE THE CERTIFICATES. Run with the self signed certificates that XenMobile will […]
[…] After installing and configuring the Citrix XenMobile MDM server you can logon to the console from any place you like… even from any external address. In some cases this could lead to a security breach. […]
[…] Setting up Device Manager with Netscaler: http://www.robinhobo.com/installing-configuring-citrix-xenmobile-mdm-8-6/ […]
Hi Robin,
thanks for this article.
Is there any chance to change the password for the webadmin console?
Yes, under settings > Administrators
Is it necessary to have NetScaler in place while wanting to use XenMobile Mail Manager/App Controller? In addition, can Mail Manager/App Controller be installed on the same server as XenMobile Device Manager or do they require their own instance?
I appreciate any feedback on this, great article otherwise!
-Chris
Hi Chris, you can safely install XenMobile MDM and NetScaler Connector on the same server. Did it before..
I have downloaded the XenMobile MDM for trial, but could not move further on installation due to the license file not being available.
Is there any option to install without a license file, like a trial for 60 days or 90 days, to learn about MDM?
No, you always need a license key, even for a trial.
Hi,
I am new in XenMobile….
Thank you for a great job…. What is the main function of NetScaler Gateway? Can I implement just MDM and App Controller without using NetScaler, or do I need to deploy all components?
Thanks for your cooperation
If you want to use all the XenMobile features like mail filtering, micro VPN connections with applications etc. you always need a NetScaler.
Excellent information, is it possible to manage blackberry devices along with android and iOS with this solution?
No, that’s not possible.
Hello Robin Hobo!
Thanks for this article!
About Apple traffic through proxy. It helped me to solve this problem:
http://support.citrix.com/article/CTX136706
Thanks!
nice for me
Hello Robin
thanks for this blog, I want to be sure that I am understanding this setup, so in order to use MDM we have two options: the first one is to install MDM in the DMZ and install the SSL certificate on the MDM server, and the other option is to place MDM in the LAN and apply the SSL certificate to the NetScaler, correct?
From Worx Home, the URL will be the NetScaler public IP address?
Hi Mohamed, that’s correct. You can place the MDM server in the LAN and configure SSL Offloading on the NetScaler, with that configuration you install your external SSL certificate on the NetScaler and traffic from the NetScaler to the MDM server will continue over port 80 (or 443). With the NetScaler in the DMZ you configure SSL Bridge on the NetScaler (you can use the XenMobile wizard for that). For that you must install the SSL certificate on both the NetScaler and the MDM server. For enrollment with WorxHome you always use the external MDM (or AppController) address.
Hi Robin, Is it possible to use internal ssl certificates (from an internal root ca) and just use an external cert on the netscaler?
Currently my xendesktop environment is working using internal certs and just an external cert on the netscaler.
Yes, that’s even the recommended way to do it.
Dead link to Citrix ports config reference…
Thanks, it’s fixed now.
Hi Robin, great info. In a ShareFile-only scenario can I use Storage Zone Controller and NetScaler without XenMobile and XenApp? Also, I have doubts whether only one SSL certificate is required for this setup?
Thanks
Hi Miguel, yes you can use ShareFile without XenMobile. 1 certificate is needed for ShareFile. If you want your traffic from the NetScaler to the StorageZone to also be secure (Citrix best practice) you can use a second certificate for that.
Great article indeed!
I have a question. During Xenmobile 9.0 installation, you get the option to “Enable iOS”, that is when you are prompted for the APNS cert. If you uncheck this option, you bypass the APNS and are able to complete the installation.
So my question is… will you be able to “enable iOS” support and install an APNS cert on the MDM server “after” the installation is completed.. say sometime later after you decide to enroll iOS devices as well? Or do you have to re-install the MDM server from scratch? I can’t seem to find any option on the MDM console for this.
Hi Noman, good question. Yes, you can enable it afterwards by running the iOSenable.cmd script located on the MDM server in c:\program files(x86)\Citrix\XenMobile Device Manager\
Hey, I am having a weird issue with XenMobile 9. The enrollment with iOS devices has been working for more than 3 months. However, when I tried enrolling iOS devices, I get the error “Verify your credentials and try again” on Worx Home, at the main screen after I punch in the MDM server address. However, if I use the AppController’s address (NS Gateway), the device connects to the infrastructure, but upon adding any app from the Worx Store I get the error “Cannot connect to the xxx.xxxx.xx server”. This is only happening with iOS devices.
Any suggestions? A valid APNS server certificate is in place.
Oh, and I am currently utilizing self-signed certificates throughout the deployment.
Sorry, I meant enrollment with Android devices is working fine.
I am now trying iOS 8 devices and facing this issue :/
Never mind! Got it to work! Thanks! 🙂
So, what was the problem?
Hi Robin,
Very fruitful document, is there any way I can sign up on robinhobo.com?
Regards,
Nafis Akhtar