How to restrict XenMobile MDM Console Access

After installing and configuring the Citrix XenMobile MDM server you can log on to the console from anywhere, including any external address. In some cases this could lead to a security breach.

Unfortunately the XenMobile MDM console currently provides no option in the graphical interface to filter access to the console. I can imagine that some companies only want console access from within the corporate network, so a filter on source IP address is very desirable.

The good news is that there is a way to configure such filters: you only have to edit the auth.jsp file.
To do this, open the auth.jsp file located in "C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm" and scroll all the way down.

By default it looks like this:

<%!
// ///////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////// //
// //                                                                 // //
// //     HERE YOUR CONFIGURATION                                     // //
// //                                                                 // //
// ///////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////// //

// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console
// Authorized IP addresses

//    private static final IAccessController accessController =
//        new ORController(
//            // connect to SHP console
//            new SHPConsoleController(),
//
//            // or:
//            //     port is 8443
//            //     and IP is: 127.0.0.1 or 168.159.0.0/255.255.0.0 or 17.0.0.0/255.0.0.0
//            new ANDController(
//                // connection must have this port
//                new PortController(8443),
//
//                // connection must come from one of these hosts (with mask)
//                new ORController(
//                    new IPController("127.0.0.1"),
//
//                    new MaskIPController("168.159.0.0", "255.255.0.0"),
//                    new MaskIPController("17.0.0.0",    "255.0.0.0"  )
//                )
//            )
//        );
private static final IAccessController accessController = new YesController("yes");
%>

Stop the XenMobile Device Manager services before editing this file. By default all connections to the console are allowed, because the last line, private static final IAccessController accessController = new YesController("yes");, is active, so remove that line.
In this example I will edit the file so that only connections from my internal network are allowed to log on to the XenMobile MDM Console, while keeping the ability to enroll devices outside my network.

Change the 192.168.0.0 range and its mask in the MaskIPController lines to the IP address range that is applicable in your environment.

<%!
// ///////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////// //
// //                                                                 // //
// //     HERE YOUR CONFIGURATION                                     // //
// //                                                                 // //
// ///////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////// //

// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console

// Authorized IP addresses

private static final IAccessController accessController =
    new ORController(
        new ANDController(
            // connect to SHP console
            new SHPConsoleController(),
            // on any predefined SSL port
            new SecureController(),
            // coming from 192.168.0.0 - 192.168.0.255 (mask 255.255.255.0, i.e. a /24)
            new MaskIPController("192.168.0.0", "255.255.255.0")
        ),
        new ANDController(
            // connect to Admin console
            new AdminConsoleController(),
            new ORController(
                // on port 80
                new PortController(80),
                // or port 443
                new PortController(443)
            ),
            new ORController(
                // from localhost
                new IPController("127.0.0.1"),
                // or 192.168.0.0 - 192.168.0.255 (mask 255.255.255.0, i.e. a /24)
                new MaskIPController("192.168.0.0", "255.255.255.0")
            )
        )
    );
%>

After saving this file, start the XenMobile Device Manager services. With this configuration, access to the console is only possible from the internal network, but you can still enroll mobile devices outside the company network.
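To check what a controller tree like the one above will actually allow before you lock yourself out of the console, here is a small model of the AND/OR/port/IP/mask composition, added here as an example; it is not Citrix code, the Python names only mirror the Java class names in auth.jsp, the Connection fields and sample connections are constructed, and the LAN mask is a parameter so you can see how much wider 255.255.0.0 (all of 192.168.x.x) is than 255.255.255.0 (192.168.0.0 - 192.168.0.255).

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Connection:
    """Constructed stand-in for the request properties the JSP controllers inspect."""
    source_ip: str
    port: int
    secure: bool   # True when the request arrived on an SSL listener
    console: str   # "admin" for the admin console, "shp" for the Self Help Portal


# A controller is just a predicate over a connection, mirroring IAccessController.
Controller = Callable[[Connection], bool]


def yes_controller() -> Controller:
    """Allow everything (the default YesController line in auth.jsp)."""
    return lambda c: True


def and_controller(*children: Controller) -> Controller:
    return lambda c: all(child(c) for child in children)


def or_controller(*children: Controller) -> Controller:
    return lambda c: any(child(c) for child in children)


def port_controller(port: int) -> Controller:
    return lambda c: c.port == port


def ip_controller(ip: str) -> Controller:
    addr = ipaddress.ip_address(ip)
    return lambda c: ipaddress.ip_address(c.source_ip) == addr


def mask_ip_controller(network: str, mask: str) -> Controller:
    # strict=False lets a host address with a mask describe its network.
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return lambda c: ipaddress.ip_address(c.source_ip) in net


def secure_controller() -> Controller:
    return lambda c: c.secure


def admin_console_controller() -> Controller:
    return lambda c: c.console == "admin"


def shp_console_controller() -> Controller:
    return lambda c: c.console == "shp"


def console_policy(lan_mask: str = "255.255.255.0") -> Controller:
    """The tree from the post: SHP over SSL from the LAN, admin console on 80/443 from localhost or the LAN."""
    return or_controller(
        and_controller(shp_console_controller(),
                       secure_controller(),
                       mask_ip_controller("192.168.0.0", lan_mask)),
        and_controller(admin_console_controller(),
                       or_controller(port_controller(80), port_controller(443)),
                       or_controller(ip_controller("127.0.0.1"),
                                     mask_ip_controller("192.168.0.0", lan_mask))),
    )


# Constructed sample connections; 203.0.113.0/24 is documentation address space.
SAMPLE_CONNECTIONS: Dict[str, Connection] = {
    "admin_lan_443": Connection("192.168.0.10", 443, True, "admin"),
    "admin_lan_8443": Connection("192.168.0.10", 8443, True, "admin"),
    "admin_internet_443": Connection("203.0.113.5", 443, True, "admin"),
    "admin_localhost_80": Connection("127.0.0.1", 80, False, "admin"),
    "admin_other_subnet_443": Connection("192.168.77.3", 443, True, "admin"),
    "shp_lan_tls": Connection("192.168.0.20", 443, True, "shp"),
    "shp_lan_plain": Connection("192.168.0.20", 80, False, "shp"),
}


def evaluate(policy: Controller, connections: Dict[str, Connection]) -> Dict[str, bool]:
    return {name: policy(conn) for name, conn in connections.items()}


def default_policy_results() -> Dict[str, bool]:
    """What the untouched auth.jsp allows: every sample connection."""
    return evaluate(yes_controller(), SAMPLE_CONNECTIONS)


def restricted_results(lan_mask: str = "255.255.255.0") -> Dict[str, bool]:
    """What the restricted tree allows for a given LAN mask."""
    return evaluate(console_policy(lan_mask), SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(f"LAN mask {mask}:")
        for name, allowed in restricted_results(mask).items():
            print(f"  {name:24s} {'allow' if allowed else 'deny'}")
```

Run it and compare the two mask columns: with 255.255.0.0 the connection from 192.168.77.3 is allowed as well, which is the difference between a single office subnet and every RFC 1918 192.168 network that can reach the server.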


2 comments

  • Hi Robin,
    This was quite useful and had a little more detail than the Citrix docs. Thought I’d share what we’ve done to secure the web services url externally. We are presenting internal and external traffic through different pairs of NetScalers which allows us to have this configuration only on the external NetScaler devices.
    We’ve created a responder policy to drop traffic to /zdm/services similar to below.

    add responder policy zdm_services_drop_rsp_policy "HTTP.REQ.URL.PATH.GET(2).CONTAINS(\"services\")" DROP

  • Hi,

    We are dealing with auth issues after implementing these instructions on XenMobile 9.
    Is this article also compatible with Version 9.00?

    Thanks,

    Miki

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.
