
How to restrict XenMobile MDM Console Access

After installing and configuring the Citrix XenMobile MDM server you can log on to the console from anywhere you like, including any external address. In some cases this could lead to a security breach.

Unfortunately the XenMobile MDM console currently offers no option in the graphical interface to filter access to the console. I can imagine that some companies only want console access from within the corporate network, so a filter on source IP address is very desirable.

The good news is that there is a way to configure such filters: you only have to edit the auth.jsp file.
To do this, open the auth.jsp file located in "C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm" and scroll all the way down.

By default it looks like this:

<%!
// ///////////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////////// //
// //                                                                     // //
// //     HERE YOUR CONFIGURATION                                         // //
// //                                                                     // //
// ///////////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////////// //

// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console
// Authorized IP addresses

//    private static final IAccessController accessController =
//        new ORController(
//            // connect to SHP console
//            new SHPConsoleController(),
//
//            // or:
//            //     port is 8443
//            //     and IP is: 127.0.0.1 or 168.159.0.0/255.255.0.0 or 17.0.0.0/255.0.0.0
//            new ANDController(
//                // connection must have this port
//                new PortController(8443),
//
//                // connection must come from one of these hosts (with mask)
//                new ORController(
//                    new IPController("127.0.0.1"),
//
//                    new MaskIPController("168.159.0.0", "255.255.0.0"),
//                    new MaskIPController("17.0.0.0",    "255.0.0.0"  )
//                )
//            )
//        );
private static final IAccessController accessController = new YesController("yes");
%>

Stop the XenMobile Device Manager services before editing this file. By default all connections to the console are allowed because the last line, the one that creates a YesController("yes"), is active; remove that line.
In this example I will edit the file so that only connections from my internal network are allowed to log on to the XenMobile MDM Console, while keeping the ability to enroll devices from outside my network.

Change the 192.168.0.0 address range and its mask to the IP address range that is applicable in your environment.

<%!
// ///////////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////////// //
// //                                                                     // //
// //     HERE YOUR CONFIGURATION                                         // //
// //                                                                     // //
// ///////////////////////////////////////////////////////////////////////// //
// ///////////////////////////////////////////////////////////////////////// //

// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console

// Authorized IP addresses

private static final IAccessController accessController =
    new ORController(
        new ANDController(
            // connect to SHP console
            new SHPConsoleController(),
            // on any predefined SSL port
            new SecureController(),
            // coming from 192.168.0.0 - 192.168.0.255 (a /24, hence the 255.255.255.0 mask)
            new MaskIPController("192.168.0.0", "255.255.255.0")
        ),
        new ANDController(
            // connect to Admin console
            new AdminConsoleController(),
            new ORController(
                // on port 80
                new PortController(80),
                // or port 443
                new PortController(443)
            ),
            new ORController(
                // from localhost
                new IPController("127.0.0.1"),
                // or 192.168.0.0 - 192.168.0.255
                new MaskIPController("192.168.0.0", "255.255.255.0")
            )
        )
    );
%>

After saving this file, start the XenMobile Device Manager services. With this configuration, access to the console is only possible from the internal network, but you can still enroll mobile devices from outside the company network.
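To see what the AND/OR tree above actually admits before touching the server, here is a small model of it in Python. This is an added example, not XenMobile's own classes or code from the post: the controller names mirror the ones used in auth.jsp, but their semantics (a PortController matches the destination port, a SecureController matches a TLS connector, the console controllers match which console is being logged on to, and a MaskIPController matches the source address against network/mask) are this model's assumptions. The sample connections are constructed, not captured traffic, and the mask is a parameter so you can compare the 255.255.255.0 (/24) range with the 255.255.0.0 (/16) range that a copy of the default template would give you. Device enrollment is not modelled; the tree only governs console logon, which is why enrollment from outside keeps working.

```python
"""Model of the auth.jsp access-controller tree (constructed example, not
XenMobile's own classes). A request is described by its source IP, the port
it arrived on, whether the connector is TLS and which console it targets; the
same AND/OR composition as in auth.jsp decides whether it is accepted."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src_ip: str    # source address as seen by Tomcat
    port: int      # destination port the connection arrived on
    secure: bool   # True if the connection came in over an SSL/TLS connector
    console: str   # "admin" (MDM console) or "shp" (self-help portal)


# Each controller is a predicate over a Request. The names follow the Java
# classes used in auth.jsp; the bodies are assumptions of this model.
def port_controller(port):
    return lambda r: r.port == port

def secure_controller():
    return lambda r: r.secure

def ip_controller(ip):
    target = ipaddress.ip_address(ip)
    return lambda r: ipaddress.ip_address(r.src_ip) == target

def mask_ip_controller(network, mask):
    # ip_network accepts a dotted netmask after the slash for IPv4
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return lambda r: ipaddress.ip_address(r.src_ip) in net

def admin_console_controller():
    return lambda r: r.console == "admin"

def shp_console_controller():
    return lambda r: r.console == "shp"

def and_controller(*ctrls):
    return lambda r: all(c(r) for c in ctrls)

def or_controller(*ctrls):
    return lambda r: any(c(r) for c in ctrls)

def yes_controller():
    # the shipped default: every connection is accepted
    return lambda r: True


def build_policy(internal_mask="255.255.255.0"):
    """The tree from the post: SHP over TLS from the internal range, admin
    console on 80/443 from localhost or the internal range."""
    internal = mask_ip_controller("192.168.0.0", internal_mask)
    return or_controller(
        and_controller(shp_console_controller(), secure_controller(), internal),
        and_controller(
            admin_console_controller(),
            or_controller(port_controller(80), port_controller(443)),
            or_controller(ip_controller("127.0.0.1"), internal),
        ),
    )


def evaluate(policy, requests):
    """Return {description: allowed} for a list of (description, Request)."""
    return {desc: policy(req) for desc, req in requests}


# Constructed sample connections (not captured traffic).
SAMPLES = [
    ("admin from LAN on 443",          Request("192.168.0.25",  443, True,  "admin")),
    ("admin from localhost on 80",     Request("127.0.0.1",      80, False, "admin")),
    ("admin from internet on 443",     Request("203.0.113.9",   443, True,  "admin")),
    ("admin from LAN on 8443",         Request("192.168.0.25", 8443, True,  "admin")),
    ("shp from LAN over TLS",          Request("192.168.0.40",  443, True,  "shp")),
    ("shp from LAN over plain HTTP",   Request("192.168.0.40",   80, False, "shp")),
    ("admin from 192.168.7.3 on 443",  Request("192.168.7.3",   443, True,  "admin")),
]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(f"--- internal mask {mask}")
        for desc, allowed in evaluate(build_policy(mask), SAMPLES).items():
            print(f"{'ALLOW' if allowed else 'DENY ':5} {desc}")
```

Running it prints one verdict per sample for each mask. The one line that differs between the two runs is the 192.168.7.3 connection: with 255.255.255.0 it is denied, with 255.255.0.0 it is allowed, because the wider mask covers the whole 192.168.0.0 - 192.168.255.255 range. That is the check worth doing whenever you adapt the range in auth.jsp to your own network.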