XenMobile

How to restrict XenMobile MDM Console Access

January 13, 2014

4,496 views

After installing and configuring the Citrix XenMobile MDM server you can logon to the console from any place you like… even from any external address. In some cases this could lead to a security breach.

Unfortunately the XenMobile MDM console provides no options to filter access to the console within the graphical interface at this time. I can imagine that some companies only want console access within the corporate network, so a filter on source IP address is very desirable.

The good news is that there is a way to configure such filters, you only have to edit the auth.jsp file.
To do this, open the auth.jsp file located in “C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm” and scroll all the way down.

By default it looks like this:

<%!
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// // // //
// // HERE YOUR CONFIGURATION // //
// // // //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //

// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console
// Authorized IP addresses

//    private static final IAccessController accessController =
//       new ORController(
//            // connect to SHP console
//            new SHPConsoleController(),
//
//            // or:
//            //     port is 8443
//            //     and IP is: 127.0.0.1 or 168.159.0.0/255.255.0.0 or 17.0.0.0/255.0.0.0
//            new ANDController(
//                // connection must have this port
//                new PortController(8443),
//
//                // connection must come from one of this host (with mask)
//                new ORController(
//                    new IPController(“127.0.0.1”),
//
//                    new MaskIPController(“168.159.0.0”, “255.255.0.0”),
//                    new MaskIPController(“17.0.0.0”,    “255.0.0.0” )
//                )
//            )
//        );
private static final IAccessController accessController = new YesController(“yes”);
%>

Stop the XenMobile Device Manager services before editing this file. By default all connection are allowed to the console by having the command on the last row active (in bold), so remove it.
In this example I will edit the file so only connections from my internal network are allowed to logon to the XenMobile MDM Console while keeping the ability to enroll devices outside my network.

Change the IP address range in bold with with the IP address range that is applicable in your environment.

// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console

// Authorized IP addresses

private static final IAccessController accessController =
new ORController(
new ANDController(
// connect to SHP console
new SHPConsoleController(),
// on any predefined SSL Port
new SecureController(),
// coming from 192.168.0.0 – 192.168.0.255
new MaskIPController(“192.168.0.0″, “255.255.0.0“)
),
new ANDController(
// Connect to Admin console
new AdminConsoleController(),
new ORController(
// on Port 80
new PortController (80),
// or Port 443
new PortController (443)
),
new ORController(
// from localhost
new IPController (“127.0.0.1”),
// or 192.168.0.0 – 192.168.0.255
new MaskIPController(“192.168.0.0″, “255.255.0.0“)
)
)
);
%>

After saving this file, start the XenMobile Device Manager services. With this configuration, access to the console is only posible from the internal network but you can still enroll mobile devices outside the company netowrk.

2 comments

Andrew Ritchie says:

June 5, 2014 at 7:03 am

Hi Robin,
This was quite useful and had a little more detail than the Citrix docs. Thought I’d share what we’ve done to secure the web services url externally. We are presenting internal and external traffic through different pairs of NetScalers which allows us to have this configuration only on the external NetScaler devices.
We’ve created a responder policy to drop traffic to /zdm/services similar to below.

add responder policy zdm_services_drop_rsp_policy “HTTP.REQ.URL.PATH.GET(2).CONTAINS(\”services\”)”
Miki Rockey says:

February 22, 2015 at 7:42 pm

Hi,

We are dealing with auth issues after implementing this instructions on XenMobile 9.
Is this article also compatible for Version 9.00?

Thanks,

Miki

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page. You can also join me on the following social networks:

Robin Hobo Follow

Retweet on Twitter Robin Hobo Retweeted

Nina Desnica @lady___lovelace ·

30 Mar

📅Windows Powers the Future of Hybrid Work
Join us for the keynote address on April 5, 2022 at 17:00 CET (8AM PT).
more info: https://www.microsoft.com/en-us/windows/business/event #memcm #windows #hybridwork #windows11 #mem #msintune

Reply on Twitter 1509165444913111045 Retweet on Twitter 1509165444913111045 7 Like on Twitter 1509165444913111045 6 Twitter 1509165444913111045

Retweet on Twitter Robin Hobo Retweeted

Betsy Weber @betsyweber ·

29 Mar

#MVPBuzz - Some of y'all are giving me anxiety! If you haven't done it yet, please enter your contributions to be considered for MVP Re-Award. It's the final countdown to the March 31 deadline... Sing it with me! https://www.youtube.com/watch?v=9jK-NcRmVcw

Reply on Twitter 1508949755854000133 Retweet on Twitter 1508949755854000133 14 Like on Twitter 1508949755854000133 77 Twitter 1508949755854000133

Retweet on Twitter Robin Hobo Retweeted

Eric Berg - MVP @ericberg_de ·

29 Mar

NC-series Azure Virtual Machines retirement extended to 31 August 2023 https://azure.microsoft.com/en-us/updates/ncseries-azure-virtual-machines-retirement-extended-to-31-august-2023/?utm_source=dlvr.it&utm_medium=twitter

Reply on Twitter 1508880308476669952 Retweet on Twitter 1508880308476669952 1 Like on Twitter 1508880308476669952 1 Twitter 1508880308476669952

How to restrict XenMobile MDM Console Access

2 comments

About Robin Hobo

Categories

Instragram

Twitter

How to setup Citrix XenMobile 10 (including configuring NetScaler)

Configure Citrix NetScaler 10.5 including Gateway and Citrix StoreFront 2.5.2

Installing and Configuring Citrix StoreFront 2.0

Configuring NetScaler Access Gateway VPX and Citrix StoreFront

How to apply Outlook.com rules on the junk folder and How to “stop” Outlook.com from moving Emails to Junk or Spam Folder

Installing and Configuring Citrix XenApp 7.5 and publishing Desktops and Applications

Windows Virtual Desktop (WVD) – Image Management : How to manage and deploy custom images (including versioning) with the Azure Shared Image Gallery (SIG)

Installing and Configuring Citrix Storefront 2.5.2 and configure Load Balancing on NetScaler 10.5

Installing and Configuring Citrix XenMobile MDM 8.6

Configure Citrix NetScaler 10.5 including Gateway and Citrix StoreFront 2.5.2

Configuring NetScaler Access Gateway VPX and Citrix StoreFront

Installing and Configuring Citrix XenApp 7.5 and publishing Desktops and Applications

Installing and Configuring Citrix StoreFront 2.0

How to setup Citrix XenMobile 10 (including configuring NetScaler)

Installing and Configuring Citrix Provisioning Services 7.1

How to deploy Win32 applications with Microsoft Intune

How to create a Mandatory profile with Folder Redirections

Installing and Configuring Citrix Storefront 2.5.2 and configure Load Balancing on NetScaler 10.5

How to restrict XenMobile MDM Console Access

You may also like

2 comments

About Robin Hobo

Categories

Instragram

Twitter