Channel: Robin Hobo – robinhobo.com

Installing and Configuring Citrix Storefront 2.5.2 and configure Load Balancing on NetScaler 10.5


In almost every production environment you will implement Citrix Storefront on more than one server to provide high availability (HA) and load balancing (LB). In this step-by-step guide I will show you how to implement Citrix Storefront 2.5.2 on multiple servers and how to configure load balancing on a NetScaler 10.5 from beginning to end.

Requirements

For this setup you need the following;

  • At least two servers with static IP address for the installation of Citrix Storefront
  • A Citrix NetScaler 10.x up and running with the basic configuration
  • A free IP address for the Load Balance vServer on the NetScaler
  • A DNS record pointing to the free IP address for the vServer
  • A server with the Certification Authority and Certification Authority Web Enrollment roles installed on it

My environment

For this setup I will use the following components;

  • Citrix Storefront server 1 running Win2012R2, IP 192.168.1.40
  • Citrix Storefront server 2 running Win2012R2, IP 192.168.1.41
  • Citrix NetScaler 10.5
  • Free IP address for Load Balancing vServer: 192.168.1.6
  • DNS Record: Storefront (pointing to 192.168.1.6)
  • My internal CA is running on server DC1

 

Certificate

It’s a Citrix best practice to configure Storefront with HTTPS to secure the traffic. If you use the newest Citrix Receiver or want to integrate the Citrix AppController with Storefront, it’s even a requirement. To secure the traffic you need an SSL certificate, and in a situation where you implement more than one Storefront server and load balance these servers, as in this case, all Storefront servers including the NetScaler need an SSL certificate for the same hostname. Therefore use a generic hostname, for example storefront.domain.lan.

You can generate an SSL certificate for each server or generate one SSL certificate on a server and export it so you can install it on the other servers, both ways will work.

In this case I will create a certificate on the NetScaler and export it so I can install it on the Storefront servers. Keep in mind that you also need to install the internal Root CA on the NetScaler, these steps are also included in this guide.

Step 1 – Create and install an SSL Certificate on the NetScaler

In the following steps I will create and install an SSL Certificate on the NetScaler and I will also install the internal Root CA on the NetScaler.

 

Log in to the Citrix NetScaler web GUI and browse to Traffic Management > SSL. On the right side click Create RSA Key

Fill in the following information;

Key Filename: storefront.key
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above

Click on Ok

Click on Create CSR (Certificate Signing Request)

Fill in the following information;

Request File Name: storefront.txt
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step

Scroll to the bottom of the page and fill in the following information;

Country: Your Country
State or Province: Your State or Province
Organization Name: The name of your organization
City: Name of your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: storefront.hobo.lan (replace with your hostname and domain name)
Challenge Password: A password you like
Company Name: Your Company Name

Click OK

To download the request file click on Manage Certificates / Keys / CSRs 

NOTE: If using a version below NetScaler 10.5 build 51.x, use another tool for downloading files, like WinSCP. There is a bug in version 10.5 build 50.x that adds an error line in every file!

Select the storefront.txt file and click Download

Open a web browser and go to your Certification Authority Web Enrollment page (for example https://dc.hobo.lan/certsrv)

To download the Root CA first, click on Download a CA certificate, certificate chain, or CRL

Select Base 64 and click Download CA certificate

Go back to the main screen and click on Request a certificate

Click on advanced certificate request

Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file

Copy the text from the storefront.txt (request file) into the Saved Request window. Select Web Server as Certificate Template. Click Submit

Select Base 64 encoded and click on Download certificate

Open the Citrix NetScaler console and browse to Traffic Management > SSL > Certificates. Click Install

Fill in a Certificate name, for example <domain>-CA. Browse (local) to the Root certificate and click Install

Click on Install again

Fill in a certificate name, for example storefront.<domain>.lan. Browse (local) to the storefront.cer file and browse (appliance) to the storefront.key file.

Enter the Password and click Install.

Right click the storefront.<domain>.lan certificate and click Link

Select the Root CA certificate and click OK

Browse to Traffic Management > SSL and click on Export PKCS#12

Fill in a File Name, in this case storefront.pfx, and select the storefront.cer and the storefront.key files. Enter the Export Password and the PEM Passphrase. Click OK

Click on Manage Certificates / Keys / CSRs 

Select the storefront.pfx file and click Download

Copy the storefront.pfx file to both Storefront servers.

Step 2 – Install Citrix Storefront 2.5.2 (on both Citrix Storefront servers)

In the next steps I will install Citrix Storefront 2.5.2, this needs to be done on both Storefront servers


Start the Storefront setup. Select I accept the terms of this license agreement and click Next

Click Next

Click Install

Click Finish

When the Storefront console starts (automatically) close it.

Step 3 – Install the SSL certificate on the Storefront servers (on both Citrix Storefront servers)

The next step is to install the SSL certificate on both Storefront servers before starting with the Storefront configuration.

Open the Internet Information Services (IIS) Manager. On the left side select the server. In the middle of the screen double click on Server Certificates

Click on Import

Select the storefront.pfx file and fill in the Password. Click OK

On the left side, browse to the Default Web Site, on the right side, click Bindings

Click Add

Select https as type and select the storefront SSL certificate. Click OK

Step 4 – Configuring Citrix Storefront 2.5.2 (on server 1)

In the following steps I will configure only the basic settings in Citrix Storefront (for configuring Citrix Storefront for remote access see my blog about that here). These steps only need to be performed on the first server.

Open the Citrix Storefront console and click on Create a new deployment

The base URL is automatically configured with the HTTPS URL. Click Next

Fill in a Store name and click Next

Click Add to add your Delivery Controllers

Fill in the information of your delivery controller and click OK

Click Next

I will skip Remote Access for now. Click Create

Click Finish

Step 4 – Joining the second Storefront server to the Server group

Once you configured the first Citrix Storefront server you can join the second one. The second Storefront server will receive the complete configuration of the Citrix Storefront Server Group.

To do so, follow these steps;

On the first server, open the Server Group page and click on Add Server

You now see an Authorizing Server and an Authorization code. This information must be entered on the second server when joining.

On the second server, open the Citrix Storefront console. Click on Join existing server group.

Fill in the information from the first server and click Join

Click OK

After a refresh you will see that the server is synchronized and that all the servers now have the same configuration.

Step 5 – Configure Storefront Load Balancing on the Citrix NetScaler

Now that Citrix Storefront is up and running on two servers it’s time to configure the Load Balancing on the NetScaler. For that, I will create 2 servers, 1 monitor, 1 services group and the Load Balancing vServer.

 

On the Citrix NetScaler, open the Configuration tab and browse to Traffic Management > Load Balancing > Servers

Click Add

Fill in a Server Name, for example “Citrix Storefront 1”. Select IP Address and fill in the IP Address of the first Citrix Storefront server and click Create

Click on Add again to add the second Storefront server.

Fill in a Server Name, for example “Citrix Storefront 2”. Select IP Address and fill in the IP Address of the second Citrix Storefront and click Create

Browse to Traffic Management > Load Balancing > Monitors

Click Add

Fill in a Name, for example “Storefront Monitor”, and select STOREFRONT as Type.

Browse down to the bottom and enable Secure. Browse back to the top.

Open the Special Parameters tab. Fill in the Storefront Store Name and click Create

Browse to Traffic Management > Service Groups. Click Add

Enter a Name, for example Storefront Group. Select SSL as Protocol and click Continue

Click Settings

Click on the Settings edit button

Enable Client IP and enter the following Header: X-Forwarded-For. Click Save.

Click on Members

Click on the arrow on the right side of the Service Group Members

Click Add

Select Server Based and select the first Citrix Storefront server. Configure 443 as port and click Save

Click Add again

Select Server Based and select the second Citrix Storefront server. Configure 443 as port and click Save

Click Close

Click on Monitors

Click on the arrow on the right side of the Members

Click Add

Select the Storefront Monitor and click Insert

Click Save

Click Done

The Storefront Services Group is now created, if everything is correct the Effective state is UP

Browse to Traffic Management > Virtual Servers and click Add

Fill in a Name, for example Storefront LB. Configure SSL as Protocol. Select IP Address Type, IP Address and enter an available (free) IP Address for the Storefront Load Balancing vServer.

Set the port to 443 and click Continue

Click Continue

Click on Services Group

Click on the arrow on the right side of the Services Group

Click Bind

Select the Storefront Group and click Insert

Click Save

Click on Persistence

Select SOURCEIP as Persistence and set the Time-out (mins) at 20. Click Save

Click SSL Certificate

Click on the arrow on the right side of Certificates, Server Certificates

Click Bind

Select the storefront.domain.lan and click Insert

Click Save

Click on the arrow on the right side of Certificates, CA Certificates

Click Bind

Select the internal Root CA and click Insert

Click Save

Click Done
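
To double-check the result of Step 5 without clicking through every screen, the following added example (not part of the original post and not Citrix code) audits a saved configuration for the settings chosen above: SSL to the back end, the secure STOREFRONT monitor, two members on port 443, SOURCEIP persistence and a bound server certificate. The sample lines are constructed and assume NetScaler ns.conf syntax; the store name Store and the function names are hypothetical.

```python
import shlex

# Constructed ns.conf excerpt that mirrors the GUI steps of Step 5. Names and IPs
# come from the guide; the store name "Store" and the exact option spelling are
# assumptions, so compare with `show ns runningConfig` on your own appliance.
SAMPLE_CONF = """
add server "Citrix Storefront 1" 192.168.1.40
add server "Citrix Storefront 2" 192.168.1.41
add lb monitor "Storefront Monitor" STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store
add serviceGroup "Storefront Group" SSL -cip ENABLED X-Forwarded-For
bind serviceGroup "Storefront Group" "Citrix Storefront 1" 443
bind serviceGroup "Storefront Group" "Citrix Storefront 2" 443
bind serviceGroup "Storefront Group" -monitorName "Storefront Monitor"
add lb vserver "Storefront LB" SSL 192.168.1.6 443 -persistenceType SOURCEIP -timeout 20
bind lb vserver "Storefront LB" "Storefront Group"
bind ssl vserver "Storefront LB" -certkeyName storefront.domain.lan
bind ssl vserver "Storefront LB" -certkeyName domain-CA -CA
"""


def parse(conf):
    """Turn each line into (verb, object kind, positional args, {option: values})."""
    commands = []
    for line in conf.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3:
            continue
        # Object kinds are one word ("server") or two ("lb vserver", "ssl vserver").
        width = 2 if tokens[1].lower() in ("lb", "ssl") else 1
        kind = " ".join(tokens[1:1 + width]).lower()
        positional, options, current = [], {}, None
        for token in tokens[1 + width:]:
            if token.startswith("-"):
                current = options.setdefault(token.lower(), [])
            elif current is None:
                positional.append(token)
            else:
                current.append(token)
        commands.append((tokens[0].lower(), kind, positional, options))
    return commands


def audit(conf, vserver, min_members=2):
    """Return a list of findings; an empty list means every check passed."""
    commands = parse(conf)

    def find(verb, kind, name):
        return [(pos, opts) for v, k, pos, opts in commands
                if (v, k) == (verb, kind) and pos[:1] == [name]]

    definition = find("add", "lb vserver", vserver)
    if not definition:
        return ["vServer %r is not defined" % vserver]
    findings = []
    pos, opts = definition[0]
    if pos[1:2] != ["SSL"]:
        findings.append("vServer protocol is not SSL")
    if opts.get("-persistencetype") != ["SOURCEIP"]:
        findings.append("vServer persistence is not SOURCEIP")
    if not any("-certkeyname" in o and "-ca" not in o
               for _, o in find("bind", "ssl vserver", vserver)):
        findings.append("no server certificate bound to the vServer")
    groups = [p[1] for p, _ in find("bind", "lb vserver", vserver) if len(p) > 1]
    if not groups:
        findings.append("no service group bound to the vServer")
    for group in groups:
        added = find("add", "servicegroup", group)
        sg_pos, sg_opts = added[0] if added else ([], {})
        if sg_pos[1:2] != ["SSL"]:
            findings.append("%s: back-end protocol is not SSL" % group)
        if sg_opts.get("-cip", [])[:1] != ["ENABLED"]:
            findings.append("%s: client IP header insertion is off" % group)
        binds = find("bind", "servicegroup", group)
        members = [p for p, _ in binds if len(p) == 3]
        if len(members) < min_members:
            findings.append("%s: fewer than %d members" % (group, min_members))
        if any(port != "443" for _, _, port in members):
            findings.append("%s: a member is not bound on port 443" % group)
        monitors = [o["-monitorname"][0] for _, o in binds if o.get("-monitorname")]
        # At least one bound monitor must be a STOREFRONT probe running over HTTPS.
        secure = any(p[1:2] == ["STOREFRONT"] and o.get("-secure") == ["YES"]
                     for name in monitors
                     for p, o in find("add", "lb monitor", name))
        if not secure:
            findings.append("%s: no STOREFRONT monitor with -secure YES" % group)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "Storefront LB") or ["all checks passed"]:
        print(finding)
```

An insecure monitor or a service group with only one member shows up as a finding, which is the difference between real HA over HTTPS and a vServer that merely answers.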

Testing

The final step is to test the configuration. For that I have changed the backgrounds of the Citrix Storefront servers. Citrix Storefront 1 will be the one with the red background, Citrix Storefront 2 will be the one with the blue background.

For this test I will browse to my Storefront Load Balancing address: https://storefront.hobo.lan/Citrix/HoboWeb

As you can see I’m landing on the first Citrix Storefront server.

To test the load balancing I turned off Citrix Storefront server 1. When looking at the Server Group Members, you can see that the first Citrix Storefront has the Down Service State.

When reloading the Storefront page I’m now landing on the second Citrix Storefront server, as you can see with the blue background. So, Load Balancing is working fine!

Troubleshooting

Storefront Services Group down state

If using NetScaler 10.5 50.9 and NetScaler 10.5 50.10 there is a problem with the Storefront Monitor over SSL. This problem is fixed in NetScaler 10.5 51.10.

If upgrading to this version is not an option, there is a workaround for it. For more information see this topic: http://discussions.citrix.com/topic/353366-105-build-509-storefront-monitor-insecure-only/

The post Installing and Configuring Citrix Storefront 2.5.2 and configure Load Balancing on NetScaler 10.5 appeared first on RobinHobo.com.


Citrix MDX Toolkit – Cannot find Android SDK


I recently ran into the problem that the Citrix MDX Toolkit could not find the Android SDK. Normally you have the option to select the main folder of the Android SDK, but this option was not available for me. Fortunately there is a good workaround for this problem.

To solve this problem, open Finder and browse to the Android SDK folder. Open the build-tools folder and start searching for the zipalign program which is located somewhere in a subfolder (depending on the Android SDK version you are using).

Right click the zipalign file and open the file Info. Highlight the file location path (after Where) and copy it.

In Finder browse to Programs > Citrix > MDXToolkit and open the android_settings.txt

Remove the // in front of the PATH statement and paste the file location path of the zipalign after the = sign (see screenshot above) and save the file.

This solved my problem and I was able to wrap Android applications again.


Citrix XenMobile Hidden Admin Pages


The Citrix XenMobile MDM Server and the Citrix XenMobile AppController both have a great web-based console. With these consoles you can do almost everything to configure, manage and troubleshoot the XenMobile environment. Did I say almost? 😉 Yes, there are options / features that are not in the consoles by default. These features are available in what I call the “hidden pages”. In this blog I will show them to you…

XenMobile MDM Helper

XenMobile MDM has the “hidden” Helper admin page. This page is reachable after you have logged on to the main XenMobile MDM administrator panel (for example https://mdm.robinhobo.com/zdm). After logging in, the URL ends with /zdm/console/. Now change this to /zdm/helper.jsp to open the XenMobile MDM Helper page.

On this page you have a lot of troubleshooting options like checking the XenMobile MDM Patch level, connectivity check with Apple and to download all the available log files.

XenMobile AppController “Hidden” pages

XenMobile AppController has some more “hidden” admin pages. The first two are the XenMobile AppController Admin page(s), which are reachable by changing :4443/ControlPoint to :4443/admin (for example https://appcontroller.hobo.lan:4443/admin). This login page gives you two options;

XenMobile AppController Admin Configuration Page

The first option brings you to the “hidden” Configuration page. On this page you can configure the LDAP settings, use the SAML Troubleshooter, upload new Connectors, Build a SAML Connector and some other things.

XenMobile AppController 9 Admin Manage Users Page

The second option brings you to the “hidden” Manage Users page. As the title of the page says, here you can manage the users. You can check if an account is locked or not, check the Pending Workflows, see the Entitled Apps for this user and see to which Roles the user belongs.

On the second tab, Apps, you can browse all the Apps, and when opening the Application properties you can see information like the Total Users and Roles. You also have the option to Un-Reconcile or Reconcile a user.

XenMobile Server Support Page

The last one is the XenMobile AppController Support Page. Just like the XenMobile MDM Helper page, you first need to log in to the AppController Console itself. After that, change the URL to access the Support page. Do this by adding /support after :4443/ControlPoint

This page lets you run diagnostics, not only for the XenMobile AppController but also for the NetScaler Gateway and the XenMobile MDM server. After adding the components (you need all the administrator credentials) you are able to generate support bundles and download them to clients, perform connectivity checks, and generate support bundles and upload them to Citrix Insight Services (TaaS.citrix.com).

Citrix XenMobile Hidden Pages summary

XenMobile MDM Helper : http(s)://<mdm fqdn>/zdm/helper.jsp
XenMobile AppController Admin : https://<appcontroller fqdn>:4443/admin
XenMobile AppController Server Support : https://<appcontroller fqdn>:4443/ControlPoint/support
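
Because these pages expose configuration, user management and support bundles, it is worth watching who requests them. The following added example (not part of the original post) scans web access log lines for the three URLs summarised above and reports requests that do not come from an administrator network. The log layout, the admin subnet 192.168.10.0/24 and the function names are assumptions; the sample lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Hypothetical administrator subnet; requests from here are expected.
ADMIN_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# (port or None for any port, lower-case path prefix) taken from the summary above.
SENSITIVE = [
    (None, "/zdm/helper.jsp"),
    (4443, "/admin"),
    (4443, "/controlpoint/support"),
]

# Assumed log layout: <source ip> <host>:<port> "<METHOD> <target> <protocol>" <status>
LINE = re.compile(r'^(?P<src>\S+) (?P<host>[^\s:]+):(?P<port>\d+) '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$')

# Constructed sample lines.
SAMPLE_LOG = [
    '192.168.10.15 mdm.robinhobo.com:443 "GET /zdm/helper.jsp HTTP/1.1" 200',
    '203.0.113.50 mdm.robinhobo.com:443 "GET /zdm/console/ HTTP/1.1" 200',
    '203.0.113.50 mdm.robinhobo.com:443 "GET /zdm/Helper.jsp?x=1 HTTP/1.1" 302',
    '198.51.100.7 appcontroller.hobo.lan:4443 "GET /admin/ HTTP/1.1" 200',
    '198.51.100.7 appcontroller.hobo.lan:4443 "GET /ControlPoint/ HTTP/1.1" 200',
    '198.51.100.7 appcontroller.hobo.lan:4443 "POST /ControlPoint/support HTTP/1.1" 403',
    '198.51.100.7 appcontroller.hobo.lan:443 "GET /admin HTTP/1.1" 404',
]


def normalise(target):
    """Reduce a request target to a canonical lower-case path for comparison."""
    path = target.split("?", 1)[0].split("#", 1)[0]  # drop query string and fragment
    path = unquote(path)                             # decode percent-encoding
    path = re.sub(r";[^/]*", "", path)               # drop ;jsessionid style parameters
    path = re.sub(r"/+", "/", path)                  # collapse repeated slashes
    return posixpath.normpath(path).lower()          # resolve dot segments, trailing slash


def flag_requests(lines, admin_nets=ADMIN_NETS):
    """Return (source, host, matched page, status) for non-admin requests to the pages."""
    hits = []
    for line in lines:
        match = LINE.match(line.strip())
        if not match:
            continue
        try:
            source = ipaddress.ip_address(match["src"])
        except ValueError:
            continue  # not an IP address, skip the line
        if any(source in net for net in admin_nets):
            continue
        path, port = normalise(match["target"]), int(match["port"])
        for wanted_port, prefix in SENSITIVE:
            if wanted_port not in (None, port):
                continue
            if path == prefix or path.startswith(prefix + "/"):
                hits.append((str(source), match["host"], prefix, int(match["status"])))
                break
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("%s requested %s%s (status %d)" % (hit[0], hit[1], hit[2], hit[3]))
```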


Installing and Configuring Citrix ShareFile clients in a XenApp / XenDesktop environment and limit access with RES Workspace Manager


In a previous post I described how to install and configure the ShareFile Windows Sync client and the ShareFile Outlook Plugin. In a few previous projects I needed to implement these clients into a Citrix XenApp / XenDesktop environment where they also use RES Workspace Manager for user personalization. Another challenge was that not every user within the XenApp / XenDesktop environments would get a ShareFile account, so access to the ShareFile clients should be limited.

In this blog I will show you how to accomplish this in a few easy steps.

ShareFile Sync for Windows

Other than on a local desktop or laptop, you will need to install the ShareFile Sync for Windows On-Demand version (Certified for XenApp and XenDesktop). The main difference between this version and the local desktop/laptop version is that files are not automatically available offline. A file is downloaded at the moment the user opens it.

Installation

Click Install

Select I accept the terms in the License Agreement and click Install

Click Finish

Click Close

Policies

The Windows Sync client can be configured by policies. This can be done via the ShareFileOn-demand.admx template, which is located on a computer where the Windows Sync client is installed, in the following path: C:\Program Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions\

Install the ShareFileOn-demand.admx in the Policy Definitions directory of the Active Directory so that it is possible to set these settings globally.

For almost every ShareFile implementation I configure SAML integration for authentication (XenMobile AppController or ADFS). Therefore I set the following policy settings so that the Windows Sync client will be configured automatically without interaction of the end user.

Policies > Administrative Templates > ShareFile > Enterprise Sync

User policies;

Account

Enabled, <subdomain>.sharefile.eu (or .com)

Authentication Type

Single Sign on using AD credential

On-demandPersonalFolder

Enabled, Sync Personal Folder

Machine policies;

On-demandSyncDiskVolume

Enabled, C:\

RES Workspace Manager : Hide all Drives

There are a few things that need to be set within the RES Workspace Manager, but first check if the following setting is applied under Drive and Port Mappings;

Hide all drives (unless otherwise specified)

This makes it impossible for the Windows Sync client to open the ShareFile file location of the user. If this is the case add the following mapping;

Fill in the following information;

Enabled: Yes
Administrative note: Only for Sharefile use
Action: Do not perform mapping operation
Device: C:
Friendly name: System Drive (only for Sharefile)
Hide drive: Always hide, but allow access
Access Control: <domain>\<ShareFile AD Usergroup>

RES Workspace Manager : Capture Windows Sync settings

For the ShareFile Sync clients, settings need to be captured to make the settings roaming. For that, the following User Settings are added under Composition > User Settings;

Fill in the following information;

Name: Sharefile Sync
Zero Profile mode: Capture targeted items on session end
Enabled: Yes
Preserve: Roam settings for user to any device
Apply: Load on session start
Capturing: Registry Key: HKEY_CURRENT_USER\Software\Citrix\Sharefile\Sync

RES Workspace Manager : Limit access to the Windows Sync

If not every Citrix XenApp or XenDesktop user gets a ShareFile account we need to limit access to the Windows Sync client. This can be easily done with the RES Workspace Manager, but as an alternative you can configure this also with GPO’s.

The first step is to make an export and then remove the following registry keys from the vDisk (or every server if PVS is not being used);

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Citrix ShareFile Sync Monitor
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Citrix ShareFile Sync Session Agent

To make the ShareFile Sync client work for a selected ShareFile user group, the registry keys removed from the HKEY_LOCAL_MACHINE must be added to the HKEY_CURRENT_USER by using User Registry in RES Workspace Manager.

Fill in the following information;

Name: Anything you like
Administrative note: Automatic startup ShareFile Sync client (or something you like)
Enabled: Yes
Required connection state: Both online and offline connections
Access Control: <domain>\<ShareFile user group>

ShareFile Outlook Plug-in

For the ShareFile Outlook Plug-In 3.3 use the Per-machine MSI version. This is a silent installation without any installation dialogs. Also the automatic update function is not available in this version. This is also not recommended in a XenApp / XenDesktop environment where also a read only vDisk is used.

RES Workspace Manager : Limit access to the ShareFile Outlook Plug-in

To limit access to the ShareFile Outlook Plug-in export and remove the following registry key from the XenApp / XenDesktop vDisk (or every server if PVS is not used);

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule]
"FriendlyName"="ShareFile Outlook Plug-in"
"Description"="AddinModule"
"CommandLineSafe"=dword:00000000
"LoadBehavior"=dword:00000003

Within RES Workspace Manager make a new User Registry with the above registry key but then for the HKEY_CURRENT_USER and add an Access Control filter for the ShareFile Active Directory user group.

For the non-ShareFile users also create a User Registry and apply the following registry keys under HKEY_CURRENT_USER

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule]
"FriendlyName"="ShareFile Outlook Plug-in"
"Description"="AddinModule"
"CommandLineSafe"=dword:00000000
"LoadBehavior"=dword:00000002

Add an Access Control filter for non-sharefile users, for example; NOT in <domain>\<ShareFile user group>

Keep in mind the Load Behavior registry key. If it is set to 3 the plugin will be loaded, if it is set to 2, the plugin will be disabled.

RES Workspace Manager : SAML Configuration

To auto configure the ShareFile Outlook Plugin for the end user with the correct authentication method, a registry key can be applied for the ShareFile users. With this registry key applied, the end user will no longer get the “Getting Started” wizard and the Plugin is configured silently.

Within RES Workspace Manager configure a User Registry with an access filter for the ShareFile Active Directory user group. In the next example an .eu ShareFile account is used and SAML authentication integration is applied (ADFS). Add the following registry key;

[HKEY_CURRENT_USER\Software\Citrix\ShareFile\SSO]
"Method"="saml-integrated"
"UserConfigurable"=dword:00000000
"Subdomain"="<subdomain>"
"Domain"="sharefile.eu"
"ApiCP"="sf-api.eu"

RES Workspace Manager : Capture ShareFile Outlook Plug-in settings

To make the ShareFile Outlook Plug-in settings roaming capture the following file;

%appdata%\ShareFile\Outlook\config.cfg


How to setup Citrix XenMobile 10 (including configuring NetScaler)


On February 17, Citrix released the long awaited XenMobile 10. The big difference with its previous versions is that XenMobile 10 now consists of one component, the XenMobile Server (XMS), so no longer a XenMobile MDM installation on a Windows Server and configuring a separate App Controller.

The XenMobile Server is, just like the old App Controller, a Unix appliance running on a XenServer, Hyper-V or VMWare hypervisor. Because it’s now one component you need 50% less resources than in previous versions and it is much faster to implement (see blog below). And in addition to this you have one Administrator console for both MDM and MAM.

I will show you how to set up Citrix XenMobile 10 in a few steps, including the NetScaler configuration. But before I begin, let’s talk about the XenMobile 10 requirements.

XenMobile 10 Requirements

  • Ports need to be open in the firewalls (see Citrix eDocs)
  • A XenServer, Hyper-V or VMWare hypervisor
  • Microsoft SQL Server 2012 or 2014 (for production environments)
  • XenMobile License
  • Apple Push Notification Services Certificate (APNS) (If managing Apple devices)
  • Service account with DBCreator rights on the SQL Server and AD read rights
  • 4 free IP Addresses in the DMZ (When implementing XenMobile with NetScaler)
  • 2 free public IP addresses
  • 2 SSL certificates (can also be a wildcard certificate)
  • NetScaler Gateway (NetScaler Standard or Higher when using Load Balancing)
  • Microsoft Exchange (Optional)

For publishing applications you need some more requirements, but I will talk about that in another blog.

My Environment

First let me say something about my environment: I have the same external and internal domain name, robinhobo.com. For the Citrix XenMobile 10 setup I use a wildcard certificate. Two external DNS records have been created;

  • MDM.ROBINHOBO.COM
  • MAM.ROBINHOBO.COM

In my DMZ I have the following four free IP addresses for XenMobile 10;

  • 192.168.1.40 (XenMobile Server)
  • 192.168.1.41 (MAM Gateway)
  • 192.168.1.42 (MAM Load Balancer)
  • 192.168.1.43 (MDM Load Balancer)

Setting up Citrix XenMobile 10

After uploading the Citrix XenMobile appliance to the hypervisor, start the virtual machine and open the command window.

Enter a new password for the command line admin account, this is another account than the Webinterface Administrator.

Fill in the following information;

IP address: <the IP address for the XMS, in my case 192.168.1.40>
Netmask: <the Netmask>
Default gateway: <IP of the default gateway in the DMZ>
Primary DNS server: <IP of the DNS server>
Secondary DNS server: <Optionally a secondary DNS server IP>

Press Y and enter to commit the settings

To generate a random passphrase, type Y and enter

Press y or n to enable FIPS mode. For this setup I press N and enter

For production environments always use an external database server. For PoC / Test environments you can use a local database for a quick setup. In my case I enter L and press enter

Enter the XenMobile Server FQDN, this must be the external MDM address. In my case mdm.robinhobo.com and press enter. Press Y to commit.

Now you have the option to change the default ports. If you don’t want to change the default ports, hit the enter button four times and press y to commit the settings.

Press y to set the same password for all the certificates of the PKI

Then enter the new password and press y to commit the settings

Fill in the webinterface administrator information. Enter an administrator username and password. Type y to commit the settings

The last step in the command line setup is the question if you want to upgrade from a previous release. In this case I will setup a new environment. Type N and enter

After that XenMobile 10 will be configured. After a few minutes the XenMobile 10 appliance is ready for the webinterface setup. The webinterface URL is displayed above “Starting monitoring..” . It will be the XenMobile Server IP:4443. In my case HTTPS://192.168.1.40:4443

Open a browser and open the URL from previous step. Login with the configured administrator account.

Press the Start button

You can use a local or a remote License server. If you don’t upload a license you will run in a 30-day trial period. Click Next

The next step is to upload the certificates. If you are going to manage iOS devices you need to upload an APNS certificate besides an SSL Listener certificate. Click on the Import button.

For the APNS certificate, make the following selections;

Import: Keystore
Keystore type: PKCS#12
Use as: APNs

Browse to the Keystore file (APNS .pfx file) and fill in the Password.

Click Import

Click on OK

Click on Import again

Make the following selections;

Import: Keystore
Keystore type: PKCS#12
Use as: SSL Listener

Browse to the Keystore file (SSL .pfx file) and fill in the Password.

Click Import

Click Ok

Click Next

Fill in the following information;

Name: <anything you like>
Alias: <anything you like>
External URL: <external mam address, for example https://mam.robinhobo.com>
Logon Type: Domain only

Click Next

Fill in the following information;

Primary server: <first DC>
Secondary server: <second DC (optional)>
Port: 389 (if using unsecure LDAP)
Domain name: <domain name>
User base DN: for example dc=robinhobo,dc=com
Group base DN: for example dc=robinhobo,dc=com
User ID: <the service account @domain.name>
Password: <service account password>

Scroll down the page..

Fill in the following information;

Domain alias: <for example robinhobo.com>

Click Next

Fill in your Microsoft Exchange server / Notification Server (optional) information and click Next

Click Finish

Click Start Managing Apps and Devices

Restart the Citrix XenMobile server so the certificates will become active.

The Citrix XenMobile server now has its basic configuration. At this point you can start configuring Deployment Groups, Policies, Actions and Applications.

Configuring the NetScaler for Citrix XenMobile 10

Since Citrix NetScaler 10.5 build 54.9 there is a Citrix XenMobile 10 wizard available. This wizard will create a Gateway virtual server for MAM, a Load Balancer for MDM and a Load Balancer for MAM. Therefore you need a NetScaler Standard or higher. In the following steps I will guide you through the wizard. I assume that the SSL certificates are already installed on the NetScaler.

On the left side, click on XenMobile. On the right side select XenMobile 10 and click on Get Started

On the left side select Access through NetScaler Gateway and Load Balance XenMobile Servers and click Continue

Fill in the following information;

NetScaler Gateway IP Address: <a free IP in the DMZ, in my case 192.168.1.41>
Port: 443

Click Continue

How to setup Citrix XenMobile 10 - 032

Select the MAM SSL certificate or the wildcard certificate and click Continue

How to setup Citrix XenMobile 10 - 033

Fill in the following information;

IP Address: <IP Address of your DC>
Port: 389 (if using unsecure LDAP)
Base DN: <for example dc=robinhobo,dc=com>
Service account: <your XenMobile service account>
Password: <the service account password>
Server Logon Name Attribute: userPrincipalName or samAccountName

Click Continue
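Both LDAP forms above (the XenMobile server and this NetScaler wizard step) are filled in with port 389, which the post itself labels unsecure LDAP. The following PowerShell is an added example, not part of the original post: it checks whether each domain controller answers on the standard LDAPS port 636 with a certificate the checking machine trusts, which is worth confirming before pointing either product at secure LDAP. The host names and the `Test-LdapsEndpoint` function name are assumptions.

```powershell
# Added example (not from the original post).
# Placeholder names: replace with your primary and (optional) secondary DC.
$domainControllers = @('dc1.robinhobo.com', 'dc2.robinhobo.com')   # hypothetical host names

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 636,          # standard LDAP-over-TLS port
        [int]$TimeoutMs = 5000
    )

    $result = [ordered]@{
        Server    = $Server
        Port      = $Port
        Reachable = $false
        TlsOk     = $false
        Subject   = $null
        Issuer    = $null
        NotAfter  = $null
        DaysLeft  = $null
        Error     = $null
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Connect with a timeout so a filtered port does not hang the check.
        $pending = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Server}:${Port} timed out"
        }
        $tcp.EndConnect($pending)
        $result.Reachable = $true

        # No custom validation callback: the handshake only succeeds when the
        # chain is trusted by THIS machine and the certificate matches $Server.
        # XenMobile and the NetScaler keep their own trust stores, so they need
        # the issuing CA certificate as well.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $result.TlsOk = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $result.DaysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    }
    catch {
        # Covers closed ports, untrusted chains, name mismatches and expired certificates.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    [pscustomobject]$result
}

$report = $domainControllers | ForEach-Object { Test-LdapsEndpoint -Server $_ }
$report | Format-Table Server, Reachable, TlsOk, DaysLeft, Error -AutoSize

# Flag any DC that cannot serve LDAPS or whose certificate expires within 30 days.
$notReady = @($report | Where-Object { -not $_.TlsOk -or $_.DaysLeft -lt 30 })
if ($notReady.Count -gt 0) {
    Write-Warning ("Not ready for LDAPS: " + (($notReady | ForEach-Object { $_.Server }) -join ', '))
}
```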

How to setup Citrix XenMobile 10 - 034

Now here is the tricky part. The wizard asks for an xms.internal.net server address for MAM; however, you need to fill in the external MDM address / XenMobile hostname. In my case: mdm.robinhobo.com

Fill in the Load Balancing IP address for MAM, in my case 192.168.1.42. The port is 8443

Click Continue

How to setup Citrix XenMobile 10 - 035

Select the wildcard certificate and click Continue

How to setup Citrix XenMobile 10 - 036

Click Add Server

How to setup Citrix XenMobile 10 - 037

Fill in the IP address of the XenMobile server and click Add

How to setup Citrix XenMobile 10 - 038

Click Continue

How to setup Citrix XenMobile 10 - 039

Click Load Balance Device Manager Servers

How to setup Citrix XenMobile 10 - 040

Fill in the following information;

IP Address: <a free IP address in the DMZ segment, in my case 192.168.1.43>

Click Continue

How to setup Citrix XenMobile 10 - 041

Click Continue

How to setup Citrix XenMobile 10 - 042

Click Done

The post How to setup Citrix XenMobile 10 (including configuring NetScaler) appeared first on RobinHobo.com.

How to setup Microsoft Intune

Last year Microsoft announced the Microsoft Enterprise Mobility Suite. This suite consists of Azure Active Directory Premium, Microsoft Intune and Azure Rights Management Service. With Microsoft Intune you can manage mobile devices: not only Mobile Device Management (MDM) but Mobile Application Management (MAM) as well. In the latest Microsoft Intune updates it is now possible to create a separate application layer / app isolation for the corporate apps and prevent data exchange between corporate and non-corporate apps.

With Microsoft’s announcements about these new features I became curious about Microsoft Intune and all its possibilities. Besides that, I’m getting more and more questions about Microsoft Intune from customers. I know Microsoft Intune integrates perfectly with Microsoft Office 365 and Microsoft System Center Configuration Manager (SCCM). But what about the mobility management features in Microsoft Intune as a “stand alone” product? Time for a first look, so let’s find out!

Setting up a Microsoft Intune account

The first step is to create a Microsoft Intune account. You can create a free trial account at the Microsoft Intune website (link).

How to setup Microsoft Intune 001

After creating a Microsoft Intune account it’s time to create users, or to configure Single Sign-on by using AD FS or Azure Active Directory.

How to setup Microsoft Intune 002

For this blog I will create a test user manually, but first I will add my domain so I can create users at @robinhobo.com

How to setup Microsoft Intune 003

Navigate to Domains and click Add a domain

How to setup Microsoft Intune 004

Fill in your domain name (in my case robinhobo.com) and click Next

How to setup Microsoft Intune 005

Next you need to verify your domain. You can do this by creating a TXT or an MX DNS record. In this window you can see which DNS record must be created. Click Verify after the DNS record is created.

How to setup Microsoft Intune 006

Click Close

How to setup Microsoft Intune 007

Now we can create users for the @robinhobo.com domain. Navigate to Users and click New > User

How to setup Microsoft Intune 008

Fill in the required information of the user you want to create and click Next

How to setup Microsoft Intune 010

Optionally you can Assign an Administrator role to this user. Fill in the country and click Next

How to setup Microsoft Intune 011

Select the correct user group (license) and click Next

How to setup Microsoft Intune 012

Optionally fill in an email address to which the temporary password can be sent. Click Create

How to setup Microsoft Intune 013

Click Finish

Set Mobile Device Management Authority

Before you can manage mobile devices you need to set the Mobile Device Management Authority. This can be set to Intune itself or Microsoft System Center Configuration Manager (SCCM).

How to setup Microsoft Intune 014

Log in to manage.microsoft.com and navigate to Admin > Mobile Device Management. On the right, click on Set Mobile Device Management Authority

How to setup Microsoft Intune 015

Select Use Microsoft Intune to manage my mobile devices and click OK

Prepare for Mobile Device Management

For some types of mobile devices we need to do some preparations before they can be managed. For example, for Windows Phone 8 you need to get a code signing certificate from Symantec and for iOS you need to create and sign an APNs Certificate.

How to setup Microsoft Intune 016

For this blog I will enrol an iOS device. Therefore I will show you the steps to create an APNs Certificate. Before you do this make sure you have an Apple Account. If you don’t have one you can create it here for free. Click on Enable the iOS platform.

How to setup Microsoft Intune 017

Click on Download the APNs Certificate Request. After downloading the Certificate click on Apple Push Certificates Portal

How to setup Microsoft Intune 018

Logon with your Apple ID

How to setup Microsoft Intune 019

Click on Create a Certificate

How to setup Microsoft Intune 020

Select I have read and agree to these terms and conditions and click Accept

How to setup Microsoft Intune 021

Browse to the downloaded certificate and click Upload

How to setup Microsoft Intune 022

Click on Download to download the signed APNs Certificate

How to setup Microsoft Intune 023

Click on Upload the APNs Certificate

How to setup Microsoft Intune 024

Browse to the downloaded signed APNs certificate and click Upload

How to setup Microsoft Intune 025

Now you’re ready to manage iOS devices

Customize the Company Portal

You have the ability to customize the Company Portal with logos and custom information. I will show some options in the following steps.

How to setup Microsoft Intune 026

Browse to Admin > Company Portal. Here you can fill in the information that will be visible on the Company Portal

How to setup Microsoft Intune 027

Click Save

How to setup Microsoft Intune 028

You can also apply custom Terms And Conditions. To do so, browse to Admin > Company Portal > Terms And Conditions. These will be displayed and must be accepted when the user enrols his device.

Creating Configuration Policies

In the next steps I will create some policies, starting with the Common Mobile Device Security Policy.

How to setup Microsoft Intune 029

Browse to POLICY > Configuration Policies. On the right side of the screen click on Add..

How to setup Microsoft Intune 031

Navigate to Common Mobile Device Settings > Mobile Device Security Policy. On the right side select Create and Deploy a Custom Policy and click on Create Policy

How to setup Microsoft Intune 031

For this blog I configured the following;

Name : Default Mobile Device Policy

Require a password : Yes

Required password type : Numeric

Minimum password length : 4

Allow simple passwords : Yes

Number of repeated sign-in failures : 4

Allow web browser : No

Click on Save Policy

How to setup Microsoft Intune 034

Click Yes

How to setup Microsoft Intune 037

Add the All Mobile Devices and hit OK

In the next step I will create an iOS Configuration Policy.

How to setup Microsoft Intune 038

Click on Add..

How to setup Microsoft Intune 039

Navigate to iOS > iOS Configuration Policy. On the right side select Create and Deploy a Custom Policy and click on Create Policy

How to setup Microsoft Intune 040

For this blog I will give it the name iOS Configuration Policy. Select Report noncompliance when users install the listed app. Click Add..

How to setup Microsoft Intune 041

For this test I will add the Dropbox App. Fill in the correct information and hit OK

How to setup Microsoft Intune 042

Click on Save Policy

How to setup Microsoft Intune 043

Click Yes

How to setup Microsoft Intune 044

Add the All Mobile Devices and click OK

How to setup Microsoft Intune 045

The second-to-last policy I will add for this test is the Managed Browser Policy. Select the Managed Browser Policy and Create a Custom Policy. Click on Create Policy

How to setup Microsoft Intune 046

For this test I will block https://www.facebook.com and https://www.dropbox.com.

Click Save Policy

In the last policy that I will create for this test I will configure the Mobile Application Management Policy. This one is to restrict data exchange between the applications.

How to setup Microsoft Intune 047

Select Mobile Application Management Policy (iOS 7 and later) under Software and select Create a Custom Policy on the right side of the dialog window. Click on Create Policy

How to setup Microsoft Intune 048

I leave everything at the default so that data exchange is prevented.

How to setup Microsoft Intune 048

Click on Save Policy

Publishing Applications

After creating all the policies it’s time to publish the applications. You can apply the Mobile Application Management Policies to Managed Apps from the public store (iTunes, Play) without the need to wrap the application first. But not every application can be managed from the public store. To see which applications are manageable from the store, see this page: https://technet.microsoft.com/en-us/library/dn708489.aspx

How to setup Microsoft Intune 050

Go to APPS > Apps. On the right side of the screen click on Add App

How to setup Microsoft Intune 051

Select Add software

How to setup Microsoft Intune 052

Click Next

How to setup Microsoft Intune 053

Select Managed iOS App from the App Store and copy the URL from the specific application (store URL to app). In this case to the Microsoft Intune Managed Browser app from the iTunes store.

How to setup Microsoft Intune 054

Fill in the Application Information (not filled in automatically) and click Next

How to setup Microsoft Intune 055

You can filter the target device, for example, publish the application to iPads only and not iPhones. Click Next

How to setup Microsoft Intune 056

Click Upload

How to setup Microsoft Intune 057

Click Close

You can repeat these steps for all the applications you want to publish, for now I will publish the Managed Browser, Word, Excel and PowerPoint for both iOS and Android.

Manage Deployments

So we created the policies and added the applications. The next step is to link these two and make the applications with the correct policies available in the Intune Portal on the mobile device.

How to setup Microsoft Intune 058
Select the application you want to publish (in this example I will use the Intune Managed Browser) and click on Manage Deployments

How to setup Microsoft Intune 059

Select the Users or Devices group where you want to publish the application to and click Next

How to setup Microsoft Intune 060

Managed applications from the iTunes store cannot be published as Available Install at this time. You can only select Required Install to make the application manageable. Click Next

How to setup Microsoft Intune 061

Select the Mobile Application Management Policy created in one of the first steps in this blog and click Next

How to setup Microsoft Intune 062

Optionally you can apply a VPN Profile / Policy. Click Next

How to setup Microsoft Intune 063

In the last step you can apply the Managed Browser Policy. Select it and click on Finish

Device Enrollment (iPad) and testing the policies

It’s time to test all the policy settings on a device. For this test I will enroll my iPad with Microsoft Intune.

How to setup Microsoft Intune 064

The first step is to install the Microsoft Intune Company Portal. To do so, open the App Store

How to setup Microsoft Intune 065

Search for Company Portal and install the App

How to setup Microsoft Intune 066

After installing the App, open the Company Portal

How to setup Microsoft Intune 067

Login with an Intune User Account

How to setup Microsoft Intune 068

Press the Enroll button

How to setup Microsoft Intune 069

Press the Install button

How to setup Microsoft Intune 070

Press the Install button

How to setup Microsoft Intune 071

Press the Install button

How to setup Microsoft Intune 072

Press the Trust button

How to setup Microsoft Intune 073

Press the Done button

How to setup Microsoft Intune 074

Wait a sec…

How to setup Microsoft Intune 075

The first policy has arrived, the passcode policy. Press Continue

How to setup Microsoft Intune 076

Now the Apps will be installed, press Install for all the required applications

How to setup Microsoft Intune 077

I published a link to my website as well. The link is visible in the Company Portal so I can “Install” it

How to setup Microsoft Intune 078

After installing all the Apps (including the link) my iPad looks like this. Note that the Safari browser app has disappeared, which is good.

How to setup Microsoft Intune 079

Copy and paste works between managed apps but not between managed and non-managed apps, so that policy works great! Also, when I open the Intune Managed Browser and browse to Facebook.com or Dropbox.com, I get the alert shown above. So that policy works as well.

Conclusion

Microsoft Intune is easy to set up without the need to enroll new servers in your current infrastructure. I had it up and running in a few minutes (see blog above). The web interface / console is easy to use and requires almost no explanation. Besides mobile devices, it’s also possible to manage Windows updates for Windows devices and configure endpoint protection.

For Mobile Device Management (MDM) the basic features are available and work fine. I can wipe/retire my device, do a remote lock, do a password reset and see the device properties. Personally I miss the option to locate the device and to do a software inventory (for all apps and not only the apps installed from the Company Portal), but it is a deliberate choice of Microsoft to omit these options.

The only thing that was missing was the Terms and Conditions, which didn’t show up when enrolling my device. And yes, the “Require users to accept company terms and conditions before using the Company Portal” option is enabled.

For Mobile Application Management (MAM) it’s great that you have the option to create a policy and apply the same policy to several applications. The option to create a VPN policy so that you can make a “Per-App” VPN connection is also a great feature. The Managed Browser policy works really well, especially in combination with the option to disable the native browser on the device (Safari). I was able to block some websites (see blog above). The only drawback is that the published links from the Company Portal do not open with the Managed Browser; these just do not work anymore.

The Managed Application policy also works well: I was able to block data exchange between managed and non-managed apps and set a PIN code on the managed apps. However, it was a major disappointment that Managed iOS apps can only be published as “Required App” and cannot be published as “Optional App”. Also, the Managed iOS apps are not visible in the Company App store and I was not able to reinstall a “Required App” once it was removed from the device without re-enrolling. On my Android device all the Managed Apps did show up. I had one Managed App (Microsoft Word) published as a “Required App”, but was not able to install it because my Android version was too low. Too bad the “Required App” notification cannot be removed. Apparently there is no check whether the device is suitable for the required app or not.

So the conclusion for me is that Microsoft Intune is a good MDM solution with the basic features; that part works well and the setup is really simple. The MAM part needs some improvements but has a lot of potential. The fact that you can manage applications with policies without the need to wrap them first is really really cool! Microsoft has a monthly update schedule, so I think it’s a matter of time before these points are resolved. I’ll keep you informed…

NOTE: The opinions in this blog are my own and not those of my employer

The post How to setup Microsoft Intune appeared first on RobinHobo.com.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x

One of the great features of Citrix XenMobile is that you can integrate it perfectly with your current Citrix XenApp / XenDesktop environment. When this integration is enabled, users will see their XenApp / XenDesktop applications within the WorxHome application on a mobile device. After adding the XenApp / XenDesktop published App or Desktop to WorxHome they can launch it and the user will be authenticated using single sign-on (SSO). The only extra step needed on the mobile device is that the Citrix Receiver has to be installed, but you don’t have to configure it.

This is a great user experience: all their applications and desktops from Citrix in a single place. On the back end you have to configure some things before this fully works. Of course you need a working XenMobile 10.x environment and also a working Citrix StoreFront environment. If that is the case, the following steps need to be configured for the integration;

Citrix NetScaler

On the Citrix NetScaler open the Gateway vServer that is used for Citrix XenMobile. If you used the NetScaler 10.5 XenMobile wizard, the default name is _XM_XenMobileGateway.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 001

Go to the STA Server Bindings and make sure both the XenApp / XenDesktop controllers and the XenMobile Server are added.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 002

Citrix StoreFront

The next step is to configure some additional settings in Citrix StoreFront. For the following steps, open the Citrix StoreFront console.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 003

Within the Citrix StoreFront console, go to Stores. On the left side of the screen, click on Enable Remote Access

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 004

At this moment, the Store is only configured with the current Gateway (for the XenApp/XenDesktop apps). To let it also work with the XenMobile Gateway we have to add that Gateway too. To do so, click on Add

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 005

Fill in the information about the XenMobile Gateway vServer as shown above and click Next

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 006

Add the XenApp and/or XenDesktop controllers as STAs. These must be the same as the STAs configured in the XenMobile Gateway vServer on the NetScaler. Click on Create

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 007

Make sure both the “StoreFront” Gateway and the XenMobile Gateway are selected and click OK

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 008

Within the StoreFront console, on the Stores page, click on Configure XenApp Services Support on the left side. Copy the XenApp Service URL to Notepad or a similar place. You need this path when enabling the XenApp / XenDesktop integration within XenMobile.

Citrix XenMobile

The final step is to enable the Citrix XenApp / XenDesktop integration within the Citrix XenMobile configuration. After this step the XenApp and / or XenDesktop published Apps and Desktops will be visible within the WorxHome application on the mobile devices. Just like in XenApp / XenDesktop, the applications and desktops will only be visible when the user has the rights for that particular app / desktop.

To enable the integration, open the Citrix XenMobile console and login as an Administrator.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 009

Open the Configure tab, go to the Settings page and click on XenApp/XenDesktop.

Fill in the Host, Port and Relative Path as shown above (the URL you copied in the previous step). If you are using HTTPS for your StoreFront, make sure that you enable the Use HTTPS button.

Click Save

Testing it on a mobile device

Now it’s time to test it on a mobile device to see if it works. In my case I will test it on my iPad. I have already installed the Citrix Receiver app without any configuration. Open the Citrix WorxHome App, click on the + sign to open the Worx App Store.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 010

As you can see, the Windows Server 2012 Shared Desktop and the Windows 8.1 Pooled Desktop are visible. Click on the + sign to add them to the device.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 011

I will launch the Windows Server 2012 Shared Desktop for this test.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 012

After clicking on the Windows Server 2012 Shared Desktop icon, the Citrix Receiver will open and automatically start making the connection.

How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x 013

After that the Windows Server 2012 Shared Desktop is launched without the need to re-authenticate myself.

The post How to integrate Citrix XenApp / XenDesktop with Citrix XenMobile 10.x appeared first on RobinHobo.com.

Upgrading XenMobile 10.0 to XenMobile 10.1

On June 29, Citrix released XenMobile 10.1. XenMobile 10.1 has a number of bugfixes, new features and enhancements. For example the possibility to change the Resource deployment ordering, exporting table data to a .csv file, Role-Based Access Control (RBAC) changes, extended capabilities of the Volume Purchasing Program (VPP) for iOS, Android for Work support and much more. The upgrade from XenMobile 10.0 to XenMobile 10.1 is very simple and can be done within a few minutes. This blog describes step-by-step instructions on how to apply the upgrade.

Because XenMobile 10 is always a virtual server, it is wise to make a snapshot of the virtual machine before applying the upgrade and to make a backup of the Microsoft SQL Database.

To upgrade Citrix XenMobile 10.0 to XenMobile 10.1, take the following steps;

Upgrading Xenmobile 10 to 10.1 01

Go to Citrix.com and download the Upgrade Tool from 10.0 to 10.1

Upgrading Xenmobile 10 to 10.1 02

Log in as Administrator on the XenMobile web console and navigate to Configure > Settings > Release Management

Upgrading Xenmobile 10 to 10.1 03

On the Release Management page click on Update

Upgrading Xenmobile 10 to 10.1 04

Browse to the downloaded update (.bin file) and click Update

Upgrading Xenmobile 10 to 10.1 05

After the upload is complete the dialog above will be displayed. Click OK

Upgrading Xenmobile 10 to 10.1 06

The final step is to reboot the XenMobile server. Log in as Admin in the command line interface.

Choose option 2

Upgrading Xenmobile 10 to 10.1 07

Choose option 7

Upgrading Xenmobile 10 to 10.1 08

Enter Y to reboot the server

Upgrading Xenmobile 10 to 10.1 09

During reboot the update will be applied

Upgrading Xenmobile 10 to 10.1 10

After the reboot you can check the current version of the XenMobile server on the Release Management page (or at the bottom of the login page)

The post Upgrading XenMobile 10.0 to XenMobile 10.1 appeared first on RobinHobo.com.


Installing and Configuring Citrix StoreFront 3.0

Last week Citrix released the long-awaited StoreFront 3.0 together with the new Receiver 4.3 / Receiver X1. With Citrix StoreFront 3.0 we finally say goodbye to the Green Bubble theme, at least if you disable the Classic Receiver Experience (I will show you how to do that in this blog). StoreFront 3.0 has a completely new web interface which can be easily modified in the StoreFront console. Also the Citrix Receiver interface has exactly the same customized layout as the web interface, a great user experience improvement!

In this blog I show you step-by-step how to install Citrix StoreFront 3.0, create the deployment and configure it, including the customizations.

My Environment

I will use the following resources in my environment;

Server OS : Windows Server 2012 R2
Name : RHSF01
IP : 192.168.1.29
Internal Domain name : robinhobo.com
SSL Cert : wildcard for robinhobo.com
XenDesktop controller : RHXD01

Creating the DNS record

In one of my previous blogs (see here) I showed you how to configure Citrix StoreFront in a Load Balanced environment. I will skip that part in this blog, but for future configuration I will configure the StoreFront Base URL to a generic name and not to the name of the first StoreFront server. Therefore I will create a DNS record pointing to my first StoreFront server first.

Installing and Configuring Citrix Storefront 3.0 001

On the domain controller open the DNS Console and add an A Record. In my case I will create the record StoreFront pointing to the IP of my first StoreFront server.

Installing Citrix StoreFront 3.0

Installing and Configuring Citrix Storefront 3.0 002

Start the setup, select I accept the terms of this license agreement and click Next

Installing and Configuring Citrix Storefront 3.0 003

Click Next

Installing and Configuring Citrix Storefront 3.0 004

Click Install

Installing and Configuring Citrix Storefront 3.0 005

Click Finish

The StoreFront administration console will now start automatically, but close it for now. To enable a secure connection over HTTPS, it is important to first install the server certificate and configure the default site bindings before configuring StoreFront (The StoreFront Base URL can be changed afterwards, but why not configure it with the right Base URL in the first place?)

Installing the SSL certificate 

Using a secure connection to Citrix StoreFront over SSL is optional, however it is a Citrix best practice and it is easy to implement.

Installing and Configuring Citrix Storefront 3.0 006

Open the Internet Information Services (IIS) Manager and open Server Certificates

Installing and Configuring Citrix Storefront 3.0 007

On the right side of the window click Import to import your existing (wildcard) certificate. If you don’t have an SSL certificate already you can create one by clicking on Create Certificate Request. See my Citrix StoreFront 2.0 blog (here) to see the particular steps to create a new SSL certificate.

Installing and Configuring Citrix Storefront 3.0 008

Browse to the certificate file, fill in the Password and click OK

Installing and Configuring Citrix Storefront 3.0 009

Within the Internet Information Services (IIS) Manager, navigate to the Default Web Site. On the right side of this window, click Bindings

Installing and Configuring Citrix Storefront 3.0 010

Click Add

Installing and Configuring Citrix Storefront 3.0 011

Select https as Type, select the imported certificate and click OK

Installing and Configuring Citrix Storefront 3.0 012

Click Close
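The IIS Manager steps above (import the certificate, add an https binding to the Default Web Site) can also be scripted. The following PowerShell is an added example, not part of the original post: it imports the PFX, verifies that the certificate has a private key and covers the StoreFront Base URL host name before binding it, and then lists the resulting SSL bindings. The PFX path and the `Test-CertCoversHost` helper are assumptions; the host name is the Base URL used later in this post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the StoreFront server (Windows Server 2012 R2 in this post).
Import-Module WebAdministration

$pfxPath  = 'C:\Temp\wildcard.pfx'        # hypothetical path to the exported certificate
$siteName = 'Default Web Site'
$baseHost = 'storefront.robinhobo.com'    # host name of the StoreFront Base URL

# Hypothetical helper: does any certificate DNS name match the host?
# A wildcard entry such as *.robinhobo.com covers exactly one extra label.
function Test-CertCoversHost {
    param([string[]]$DnsNames, [string]$HostName)
    foreach ($name in $DnsNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)      # e.g. ".robinhobo.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Prompt for the PFX password instead of storing it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the computer's Personal store. Without -Exportable the private
# key is marked non-exportable on this server.
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $pfxPassword

# Checks before the certificate is put in front of users.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; IIS cannot serve it."
}
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not (Test-CertCoversHost -DnsNames $dnsNames -HostName $baseHost)) {
    throw "Certificate names ($($dnsNames -join ', ')) do not cover $baseHost."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal."
}

# Add the https binding and attach the certificate, unless one already exists.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}
else {
    Write-Warning "$siteName already has an https binding on port 443; review it in IIS Manager."
}

# Show which certificate thumbprint is bound to which IP address and port.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint, Store -AutoSize
```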

Creating the Deployment in Citrix StoreFront 3.0

The next step is to configure Citrix StoreFront 3.0. For that, open the Citrix StoreFront console.

Installing and Configuring Citrix Storefront 3.0 013

Click on Create a new deployment

Installing and Configuring Citrix Storefront 3.0 014

Fill in the Base URL in my case https://storefront.robinhobo.com and click Next

Installing and Configuring Citrix Storefront 3.0 015

Fill in a Store name, in my case RobinHobo

Installing and Configuring Citrix Storefront 3.0 016

Click Add to add a Delivery Controller like your XenApp or XenDesktop controller

Installing and Configuring Citrix Storefront 3.0 017

Fill in the information of your XenApp, XenDesktop, AppController (XenMobile) or VDI-in-a-Box server and click OK

Installing and Configuring Citrix Storefront 3.0 018

Click Next

Installing and Configuring Citrix Storefront 3.0 019

For this blog I will skip the Remote Access part. For information on how to configure remote access with the NetScaler, see my blog on that topic (click here)

Click Create

Installing and Configuring Citrix Storefront 3.0 020

Click Finish

Configuring Citrix StoreFront 3.0

In this part of the blog I will configure Citrix StoreFront 3.0 including the customizations and the new enhanced features.

Installing and Configuring Citrix Storefront 3.0 021

If you are upgrading from an older version of StoreFront, the Classic Receiver Experience is enabled by default. This means that the Green Bubbles layout is still active and the new enhanced features like the customizations and featured app groups are not available. To enable them, go to the Receiver for Web page within the StoreFront console and click on Disable Classic Receiver Experience on the right side of the screen.

Installing and Configuring Citrix Storefront 3.0 022

Click Disable

Installing and Configuring Citrix Storefront 3.0 023

I will walk through the configuration of StoreFront 3.0 starting with the Authentication page. Click on Add/Remove Methods on the right side of the window.

Installing and Configuring Citrix Storefront 3.0 024
Select what is applicable for you and click OK

Installing and Configuring Citrix Storefront 3.0 025

Click on Configure Trusted Domains

Installing and Configuring Citrix Storefront 3.0 026

My internal domain name is robinhobo.com. Fill in your domain name information and click OK

Installing and Configuring Citrix Storefront 3.0 027

Click on Manage Password Options

Installing and Configuring Citrix Storefront 3.0 028

Select what is appropriate for you and click OK

Installing and Configuring Citrix Storefront 3.0 029

Open the Stores page and click on Set Unified Experience as Default

Installing and Configuring Citrix Storefront 3.0 030

As the dialog describes, here you can set the default website for the store that will be used (including the customizations). Click OK

Installing and Configuring Citrix Storefront 3.0 031

Click on Customize Receiver Appearance

Installing and Configuring Citrix Storefront 3.0 032

Here you can customize the StoreFront web interface (including in the Citrix Receiver) with custom logos and text and link colors. Click OK

Installing and Configuring Citrix Storefront 3.0 033

Click on Manage Featured App Groups

Installing and Configuring Citrix Storefront 3.0 034

Click Create

Installing and Configuring Citrix Storefront 3.0 035

Give it a Name (anything you like, but it will be displayed for the user). You can select one of the following definition methods;

Keyword : Must be defined in the application properties within XenApp / XenDesktop

Application Category : Must be defined in the application properties within XenApp / XenDesktop

Application Name : Fill in the list of Applications you want in this group

For now I choose Application Category and select the Microsoft Office 2010 group (configured in XenDesktop)

Click OK

Installing and Configuring Citrix Storefront 3.0 036

For this blog I will add a second App Group, so I click Create.. one more time

Installing and Configuring Citrix Storefront 3.0 037

This time I will add the AppSense Application category. Click OK

Installing and Configuring Citrix Storefront 3.0 038

Click OK

Testing Citrix StoreFront 3.0

Installing and Configuring Citrix Storefront 3.0 039

Now it’s time to test Citrix StoreFront 3.0. When I open a browser and navigate to the StoreFront web interface I see the new layout with the custom logo.

Installing and Configuring Citrix Storefront 3.0 040

After logon, I see the customized page, with the logo and the custom colors. The default landing page is the Favorites page. On the Desktops and Apps pages you can add resources to this Favorites page.

Installing and Configuring Citrix Storefront 3.0 041

On the Apps page you can see the Application Category Groups and the other published applications.

Installing and Configuring Citrix Storefront 3.0 042

As you can see on the screenshot above, you have the same interface now integrated in the new Citrix Receiver!

The post Installing and Configuring Citrix StoreFront 3.0 appeared first on RobinHobo.com.

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x


On more and more Citrix XenMobile projects I see Windows Phone 8.1 devices. The enrollment of a Windows Phone 8.1 device is a little bit different from that of iOS and Android devices, and so is the application wrapping process. You have to enroll a Windows Phone device via the Workplace (under settings). By default, there is no WorxHome application available. You have to download it from the Citrix.com website, sign it with your Symantec certificate and publish it as an Enterprise Hub policy within the XenMobile console. Once the WorxHome Enterprise Hub is installed on the Windows Phone device, users can start installing the published Citrix Worx applications. At this moment only WorxMail and WorxWeb are available for Windows Phone 8.1, but I hope that more Worx applications will be available once Windows 10 for Phone is officially released.

The wrapping process is also different from that for iOS and Android. There is an MDX Toolkit, but it’s command-line based. No worries, in this blog I will show you all the necessary steps and requirements to wrap and publish Windows Phone 8.1 applications.

Requirements:

Software Requirements:

Get the following information:

Step 1 : Install the software requirements

Install the software requirements as listed above (.NET, Silverlight and Visual Studio Express). All these installations are straightforward (next, next, finish), so I don’t add screenshots from these installations in this blog. All download links are provided in the list.

Step 2 : Install the Symantec certificates

See: How to install the Windows® Phone Private Enterprise Root and Intermediate certificates for the step-by-step instructions. After importing these two certificates you need to import your own Enterprise Mobile Code Signing Certificate. To get this certificate see: Enterprise Mobile Code Signing Certificate.

Step 3 : Create an Application Enrollment Token (AET)

First export your Symantec Code Signing Certificate (see: How to Export a Certificate with the Private Key). To make things easy, I created a folder in the root of my C drive called “AET” and copied my exported Code Signing Certificate in .PFX format into this folder.

Next, locate the AetGenerator.exe path. On my Windows 10 machine it was installed in this folder:

C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Tools\AETGenerator

Open a Command Prompt (as Administrator) and navigate to C:\AET

Run the following command (replace the data between < > with the correct information);

<PATH TO AETGenerator.exe> <PFX File> <Password>

In my case it is:

"C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Tools\AETGenerator\AETGenerator.exe" Symantec.pfx MyPassword

After running this command, an AET.xml, an AET.aet and an AET.aetx file are generated.

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 001

Step 4 : Extract the MDX Toolkit and Wrap WorxHome for Windows Phone

To wrap WorxHome for Windows Phone 8.1, download the following items;

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 002

Download the MDX Toolkit for Windows Phone 8.1 from the Citrix.com website

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 003

Download the Worx Home for Windows Phone 8.1 App

Extract the MDX Toolkit zip file. To make things easy, I extract the files to C:\MDXToolkit. I have saved the WorxHome .xap file into the C:\WorxHome folder.

Note: Also create a folder for the destination (signed WorxHome). This cannot be the same folder as the source, because all the files in the destination folder will first be deleted. Therefore I also created a C:\WorxHome-signed folder.

Open a Command Prompt (as Administrator) and navigate to C:\MDXToolKit (the folder where the MDX Toolkit is extracted) and run the following command (replace the data between < > with the correct information);

CGAppPrepTool.exe -in:"<Path to WorxHome.xap file>" -out:"<output location>" -C:"<path to Symantec cert>" -password:<certificate password> -verbose -resign -PhonePublisherId:<PhonePublisherID> -mdmServerURL:"<MDM URL>"

In my case;

CGAppPrepTool.exe -in:"C:\WorxHome\WorxHome_10.0.3.69.xap" -out:"C:\WorxHome-Signed\WorxHome_Signed_10.0.3.69.xap" -C:"C:\AET\Symantec.pfx" -password:MyPassword -verbose -resign -PhonePublisherId:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -mdmServerURL:"https://mdm.robinhobo.com/zdm"

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 004

Step 5 : Wrap WorxMail and WorxWeb for Windows Phone

Download the WorxMail and WorxWeb for Windows Phone 8.1 applications from the Citrix.com website. I will save the WorxMail application to the C:\WorxMail folder and WorxWeb application to C:\WorxWeb folder.

Note: Also create a folder for the destination. This cannot be the same folder as the source, because all the files in the destination folder will first be deleted. In this case I have created a C:\WorxMail-Signed and a C:\WorxWeb-Signed folder.

Open a Command Prompt (as Administrator) and navigate to C:\MDXToolKit (the folder where the MDX Toolkit is extracted) and run the following command (replace the data between < > with the correct information);

CGAppPrepTool.exe -in:"<path to WorxMail.xap>" -out:"<path to output file>" -T:"<path to WorxMail icons and manifest>" -C:"<path to Symantec Certificate>" -password:<cert password> -verbose -resign -phonePublisherId:<Publisher ID>

In my case;

CGAppPrepTool.exe -in:"C:\WorxMail\WorxMail_10.0.7.31.xap" -out:"C:\WorxMail-Signed\WorxMail_10.0.7.31.mdx" -T:"C:\MDXToolkit\Templates\WorxMail" -C:"C:\AET\Symantec.pfx" -password:MyPassword -verbose -resign -phonePublisherId:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Repeat this step for WorxWeb.

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 005
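The wrapping commands from steps 4 and 5 can be run through a small PowerShell wrapper that prompts for the certificate password instead of typing it on the command line, and that refuses a destination folder holding the source files (the tool empties that folder first). This is an added example, not part of the original post or of the MDX Toolkit; the function name Invoke-WorxWrap, its parameter names and the exit-code check are assumptions, while the CGAppPrepTool.exe switches are the ones shown above.

```powershell
# Added example, not from the original post or from Citrix.
# Invoke-WorxWrap is a hypothetical helper; only the CGAppPrepTool.exe
# switches shown in steps 4 and 5 are used.
function Invoke-WorxWrap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $InputXap,
        [Parameter(Mandatory = $true)] [string] $OutputFile,
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [Parameter(Mandatory = $true)] [string] $PhonePublisherId,
        [string] $TemplatePath,   # -T: icons and manifest (WorxMail / WorxWeb)
        [string] $MdmServerUrl,   # -mdmServerURL (WorxHome)
        [string] $ToolPath = 'C:\MDXToolkit\CGAppPrepTool.exe'
    )

    $inFull  = (Resolve-Path -LiteralPath $InputXap).Path
    $pfxFull = (Resolve-Path -LiteralPath $PfxPath).Path
    $outFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputFile)
    $outDir  = (Split-Path -Parent $outFull).TrimEnd('\') + '\'

    # The tool deletes everything in the destination folder, so that folder
    # must not contain the source .xap, the PFX, the toolkit or the template.
    $protected = @($inFull, $pfxFull, $ToolPath)
    if ($TemplatePath) { $protected += (Resolve-Path -LiteralPath $TemplatePath).Path + '\' }
    foreach ($path in $protected) {
        if ($path.StartsWith($outDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "Destination folder '$outDir' contains '$path' and would be emptied."
        }
    }
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Prompt for the password so it is not stored in a script or shell history.
    $secure = Read-Host -AsSecureString -Prompt "Password for $pfxFull"

    # Open the PFX before wrapping: a wrong password throws here, and an
    # export without the private key or an expired certificate is rejected.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxFull, $secure)
    try {
        if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain the private key.' }
        if ($cert.NotAfter -lt (Get-Date)) { throw "The certificate expired on $($cert.NotAfter)." }
    } finally {
        $cert.Reset()
    }

    # The tool only accepts the password as a switch, so it is still visible
    # in the process command line while CGAppPrepTool.exe runs.
    $plain = (New-Object System.Net.NetworkCredential('', $secure)).Password
    $toolArgs = @(
        "-in:$inFull", "-out:$outFull", "-C:$pfxFull", "-password:$plain",
        '-verbose', '-resign', "-PhonePublisherId:$PhonePublisherId"
    )
    if ($TemplatePath) { $toolArgs += "-T:$TemplatePath" }
    if ($MdmServerUrl) { $toolArgs += "-mdmServerURL:$MdmServerUrl" }

    try {
        & $ToolPath @toolArgs
        $exit = $LASTEXITCODE
    } finally {
        $plain = $null
    }

    # Assumption: the tool returns a non-zero exit code on failure. The
    # output-file check catches a failed run either way.
    if ($exit -ne 0 -or -not (Test-Path -LiteralPath $outFull)) {
        throw "Wrapping failed (exit code $exit); no output at $outFull."
    }
    Get-Item -LiteralPath $outFull
}

# Usage with the WorxMail values from step 5:
# Invoke-WorxWrap -InputXap C:\WorxMail\WorxMail_10.0.7.31.xap `
#     -OutputFile C:\WorxMail-Signed\WorxMail_10.0.7.31.mdx `
#     -TemplatePath C:\MDXToolkit\Templates\WorxMail -PfxPath C:\AET\Symantec.pfx `
#     -PhonePublisherId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```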

Step 6 : Publish WorxHome, WorxMail and WorxWeb in Citrix XenMobile 10.x

The final step is publishing WorxHome, WorxWeb and WorxMail in Citrix XenMobile 10.x. First we need to create an Enterprise Hub policy to publish WorxHome for Windows Phone 8.1.

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 006

Login to the Citrix XenMobile 10.x console. Go to the Configure tab and open the Device Policy page. Click Add to create a new policy

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 007

Click on Enterprise Hub

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 008

Fill in the Policy Name and optionally the Description. Click Next

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 009

First browse to your AET.aetx file created in step 3, then browse to the signed WorxHome application. Click Next

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 010

Select the correct Delivery Group you want to assign the Enterprise Hub to and click Save

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 011

Browse to Configure > Apps to Add the WorxMail and WorxWeb application. When adding the new application, select Windows Phone on the left side under Platform and upload the .mdx file

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 012

Configure the policies you want to configure and click Next 3 times (assign the correct Delivery Group if not already configured) and then click Finish.

Now you are able to install WorxHome, WorxMail and WorxWeb with an enrolled Windows Phone 8.1 device as shown below.

Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x 013

The post Wrapping and Deploying Windows Phone 8.1 Apps with Citrix XenMobile 10.x appeared first on RobinHobo.com.

How to remove built-in apps in Windows 10 Enterprise


I’m a big fan of Microsoft Windows 10. From the very beginning I took part in the Windows Insider program and tested build after build. So far this was only the Windows 10 Professional version, but when Windows 10 was officially released, I got my hands on the Windows 10 Enterprise edition. The first time I used Windows 10 Enterprise I was a little surprised by the built-in apps that were installed by default: apps like Microsoft Solitaire Collection, a Weather app and even an Xbox app, which you cannot even remove.

The following Apps cannot be removed by default (see screenshot below) ; Calendar, Camera, Contact Support, Groove Music, Mail, Maps, Movies & TV, OneNote, People, Weather, Windows Feedback and Xbox.

How to remove built-in apps in Windows 10 Enterprise - 001

(no uninstall option when right click on Xbox App) 

OneNote, Calendar and Mail are very useful apps, but in most companies a Microsoft Office suite will always be installed on the device. That makes these applications superfluous, so in my opinion removing them should always be an option.

How to remove the built-in applications?

The way to remove the built-in applications is pretty easy, it consists of two steps. In step one, you remove the application from the base Windows 10 image so that new users will not get the applications at all. In the second step the applications will be removed for the current user who has already got the applications installed before it was removed from the base image.

Step 1 

Open the Windows PowerShell application as Administrator (Run as Administrator) and enter the following command;

Get-AppxProvisionedPackage -Online

How to remove built-in apps in Windows 10 Enterprise - 02

That command will display a list of built-in applications with their DisplayName. This DisplayName is needed for the next command. Here is a list of the Built-in Apps with their DisplayName;

3D Builder = Microsoft.3DBuilder
Calendar and Mail = microsoft.windowscommunicationsapps
Camera = Microsoft.WindowsCamera
Get Office = Microsoft.MicrosoftOfficeHub
Get Skype = Microsoft.SkypeApp
Get Started = Microsoft.Getstarted
Groove Music = Microsoft.ZuneMusic
Maps = Microsoft.WindowsMaps
Microsoft Solitaire Collection = Microsoft.MicrosoftSolitaireCollection
Money = Microsoft.BingFinance
Movies & TV = Microsoft.ZuneVideo
News = Microsoft.BingNews
OneNote = Microsoft.Office.OneNote
People = Microsoft.People
Phone Companion = Microsoft.WindowsPhone
Photos = Microsoft.Windows.Photos
Sports = Microsoft.BingSports
Weather = Microsoft.BingWeather
Xbox = Microsoft.XboxApp

With the following command you can remove a built-in app from the Windows base image;

Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In <DisplayName> | Remove-ProvisionedAppxPackage -Online

Replace <DisplayName> with the DisplayName of the App, for example;

Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In Microsoft.XboxApp | Remove-ProvisionedAppxPackage -Online

How to remove built-in apps in Windows 10 Enterprise - 03

After running the command for the app you want to remove, you see output like that shown in the screenshot above. After removing all the apps you want, run the first command (Get-AppxProvisionedPackage -Online) again to see if they are all removed from the base image.

Step 2

The second step is to remove the built-in apps that are already installed in the current user profile. For that, run the following command;

Get-AppxPackage -AllUsers

How to remove built-in apps in Windows 10 Enterprise - 04

This will display a list that looks like this;

How to remove built-in apps in Windows 10 Enterprise - 05

The PackageFullName is needed for the next command, here is the list with the built-in apps with their PackageFullName. Check before removing if the version is still the same;

3D Builder = Microsoft.3DBuilder_10.9.6.0_x64__8wekyb3d8bbwe
Calendar and Mail = microsoft.windowscommunicationsapps_17.6306.42251.0_x64__8wekyb3d8bbwe
Camera = Microsoft.WindowsCamera_2015.1064.10.0_x64__8wekyb3d8bbwe
Get Office = Microsoft.MicrosoftOfficeHub_17.6307.23501.0_x64__8wekyb3d8bbwe
Get Skype = Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c
Get Started = Microsoft.Getstarted_2.3.4.0_x64__8wekyb3d8bbwe
Groove Music = Microsoft.ZuneMusic_3.6.13281.0_x64__8wekyb3d8bbwe
Maps = Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe
Microsoft Solitaire Collection = Microsoft.MicrosoftSolitaireCollection_3.4.9241.0_x64__8wekyb3d8bbwe
Money = Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe
Movies & TV = Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe
News = Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe
OneNote = Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe
People = Microsoft.People_1.10241.0.0_x64__8wekyb3d8bbwe
Phone Companion = Microsoft.WindowsPhone_10.1509.17010.0_x64__8wekyb3d8bbwe
Photos = Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe
Sports = Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe
Weather = Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe
Xbox = Microsoft.XboxApp_9.9.28033.0_x64__8wekyb3d8bbwe

Run the following command to remove a built-in app from the current user profile;

Remove-AppxPackage -package <PackageFullName>

Replace <PackageFullName> with the PackageFullName of the App, for example

Remove-AppxPackage -package Microsoft.XboxApp_9.9.28033.0_x64__8wekyb3d8bbwe

How to remove built-in apps in Windows 10 Enterprise - 05

After running this command, the app will be removed and the following dialog will be displayed;

How to remove built-in apps in Windows 10 Enterprise - 06

And that’s about it. Your Start Menu should now look a lot clearer :-)
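Because the PackageFullName contains a version number that changes with every app update, both steps can also be scripted by matching on the DisplayName only. The function below is an added example, not part of the original post; the name Remove-BuiltInApp is hypothetical, and it uses only the cmdlets shown above (Remove-AppxProvisionedPackage is the cmdlet behind the Remove-ProvisionedAppxPackage alias).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Remove-BuiltInApp is a
# hypothetical helper that performs step 1 and step 2 for a list of apps.
function Remove-BuiltInApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DisplayName values from the list in step 1, e.g. Microsoft.XboxApp
        [Parameter(Mandatory = $true)]
        [string[]] $DisplayName
    )

    # Step 1: provisioned packages in the running image. Removing these
    # stops the apps from being installed for new user profiles.
    $provisioned = Get-AppxProvisionedPackage -Online |
        Where-Object { $DisplayName -contains $_.DisplayName }
    foreach ($pkg in $provisioned) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove provisioned package from image')) {
            Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
        }
    }

    # Step 2: packages already installed in the current user's profile.
    # The Name property equals the DisplayName used in step 1, so the
    # version inside PackageFullName never has to be typed.
    $installed = Get-AppxPackage | Where-Object { $DisplayName -contains $_.Name }
    foreach ($pkg in $installed) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove package for current user')) {
            Remove-AppxPackage -Package $pkg.PackageFullName
        }
    }

    # Report every requested app, including names that matched nothing,
    # so a typo in a DisplayName is visible in the output.
    $stillProvisioned = @(Get-AppxProvisionedPackage -Online | ForEach-Object { $_.DisplayName })
    $stillInstalled   = @(Get-AppxPackage | ForEach-Object { $_.Name })
    foreach ($name in $DisplayName) {
        New-Object PSObject -Property @{
            DisplayName      = $name
            FoundInImage     = [bool]($provisioned | Where-Object { $_.DisplayName -eq $name })
            FoundInProfile   = [bool]($installed | Where-Object { $_.Name -eq $name })
            StillProvisioned = $stillProvisioned -contains $name
            StillInstalled   = $stillInstalled -contains $name
        }
    }
}

# Preview first, then run for real:
# Remove-BuiltInApp -DisplayName 'Microsoft.XboxApp', 'Microsoft.BingWeather' -WhatIf
# Remove-BuiltInApp -DisplayName 'Microsoft.XboxApp', 'Microsoft.BingWeather'
```

Step 2 in this example only touches the profile of the user running it; other existing profiles need the same call in their own session.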

The post How to remove built-in apps in Windows 10 Enterprise appeared first on RobinHobo.com.

Installing and Configuring Citrix Provisioning Service 7.7 and creating a vDisk


In the last week of 2015 Citrix released Provisioning Services 7.7. One of the best new features is that it now officially supports Windows 10 (Enterprise and Professional Edition) as a target device. Another cool new feature is that you can do an in-place upgrade (from version 7.6.1 or higher) and thus reverse-imaging belongs to the past!

In this blog I will show you step-by-step how to install the Console, the Provisioning Services Server itself, the Target device installation, and how to make a new vDisk. Of course I will use a Windows 10 target device.

My Environment

For this blog I set up a new lab with the following servers and clients;

  • SRV001 : IP 192.168.1.20 – DC, SQL 2014 and Citrix License server
  • SRV002 : IP 192.168.1.21 – Will be used for PVS
  • A Windows 10 Target Device (Master, clean install)

This all runs on a Citrix XenServer 6.5 SP1 hypervisor and internal domain name is “robinhobo.com”. I know it is not recommended to install SQL on a Domain controller, but at this moment I’m limited in my resources and it is for test purposes and blogging only.

Before you begin

Before you begin, make sure you have the following in place;

  • An up-and-running Microsoft SQL Database server (2008, 2012 or 2014)
  • A Citrix License server with the proper (demo) licenses
  • Windows Server 2012 / R2 with latest Windows updates
  • A Target System like a Windows 10 desktop for making the vDisk

Windows Server 2012 Prerequisites

  • Microsoft .NET 3.5 SP1 (when using it with XenDesktop)
  • Microsoft .NET 4.0
  • Windows PowerShell 2.0

Target device Prerequisites

  • Microsoft .NET 4.0

Service account

Create a Service Account with the following permissions.

On the Microsoft SQL Server;

  • db_datareader
  • db_datawriter
  • Execute permissions on stored procedures

System permissions on the Provisioning Services server(s);

  • Run as service
  • Registry read access
  • Full control on folder : Program Files\Citrix\Provisioning Services
  • Read/Write access to the vDisk Store location(s)

Install account

Make sure the user that will be used for the Provisioning Services installation has the following Microsoft SQL permissions;

  • dbcreator
  • securityadmin

Citrix Best Practice

Citrix wrote a Best Practice for Configuring Citrix Provisioning Services (CTX204107) and Provisioning Services Antivirus Best Practices (CTX124185). It is recommended to apply the steps in these articles.

DHCP Scope options, PXE or Boot ISO

There are several ways to let a target device connect to Provisioning Services during the boot process. If PXE is not an option in your environment, you can configure the DHCP service to deliver the bootstrap file location. You can do this with the following DHCP scope options;

  • 66: Boot Server Host Name
  • 67: Bootfile Name (ARDBP32.BIN)

However, you can only configure one boot server in the DHCP options. Therefore, it is recommended to fill in a load balance address. If you don’t have a good load balance solution in your environment (like a Citrix NetScaler) you always can use the “Boot Device Management” tool to create a bootable ISO file for your target devices.

Installing the Citrix Provisioning Services Console

Installing and Configuring Citrix Provisioning Services 7.7 - 001

Mount the PVS_7.7 ISO, browse to the Console folder and start the PVS_Console / PVS_Console_x64 program. Click on Install

Installing and Configuring Citrix Provisioning Services 7.7 - 002

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 003

Select I accept the terms in the license agreement and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 004

Fill in the User Name and Organization and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 005

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 006

Click Install

Installing and Configuring Citrix Provisioning Services 7.7 - 007

Click Finish

Installing the Citrix Provisioning Services Server

Installing and Configuring Citrix Provisioning Services 7.7 - 008

Browse to the Server folder and start the PVS_Server / PVS_Server_x64 program. Click Install

Installing and Configuring Citrix Provisioning Services 7.7 - 009

Click Yes

Installing and Configuring Citrix Provisioning Services 7.7 - 010

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 011

Select I accept the terms in the license agreement and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 012

Fill in the User Name and Organization and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 013

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 014

Click Install

Installing and Configuring Citrix Provisioning Services 7.7 - 015

Click Finish

Configuring the Citrix Provisioning Services

Installing and Configuring Citrix Provisioning Services 7.7 - 016

The Welcome to the Configuration Wizard page starts automatically after the PVS Server installation. Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 017

My DHCP service runs on another machine, so I select The service that runs on another computer, but select what is applicable for you. Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 018

Select what is applicable for you and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 019

Because this is the first server of a new farm I select Create farm and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 020

Select your SQL Server and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 021

Fill in the requested information and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 022

Select the folder that you want to use for the vDisk(s) and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 023

Fill in the Citrix License server information and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 024

Select Specified user account and fill in the service account information. Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 025

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 026

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 027

Select Use the Provisioning Services TFTP service and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 028

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 029

Select Automatically Start Services and click Finish

Installing and Configuring Citrix Provisioning Services 7.7 - 030

Click Done

Installing the Citrix Provisioning Services Target Device (on a Windows 10)

Installing and Configuring Citrix Provisioning Services 7.7 - 031

On the Windows 10 (Master) device, start the PVS_Device / PVS_Device_x64 and click Install

Installing and Configuring Citrix Provisioning Services 7.7 - 032-b

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 033-b

Select I accept the terms in the license agreement and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 034-b

Fill in the User Name and Organization and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 035-b

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 036-b

Select Custom and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 037-b

If you want, you can install the Session Record Support feature. Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 038-b

Click Install

Installing and Configuring Citrix Provisioning Services 7.7 - 040-b

Select Launch Imaging Wizard and click Finish

Running the Imaging Wizard and create a new vDisk

Before starting the Imaging Wizard, make sure the Windows 10 Master device is set to boot from Hard Disk (not vDisk) within the Provisioning Services console.

Installing and Configuring Citrix Provisioning Services 7.7 - 041

Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 042

Fill in the Provisioning Server information and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 043

Select Create a vDisk and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 044

Fill in a name for a Target Device and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 045

Give the vDisk a name, select the vDisk Store and select a vDisk type. Click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 046

Select what is applicable and click Next

Installing and Configuring Citrix Provisioning Services 7.7 - 048

Select to Optimize the hard disk for Provisioning Services before imaging and click on Edit Optimization Settings

Installing and Configuring Citrix Provisioning Services 7.7 - 049

Select / De-select the options you want to apply and click OK

Click Next

Click Create

Installing and Configuring Citrix Provisioning Services 7.7 - 052

Click Continue

Installing and Configuring Citrix Provisioning Services 7.7 - 053

Click Yes or shut down this target device

Final Steps

Installing and Configuring Citrix Provisioning Services 7.7 - 054

As you can see in the Provisioning Services console, the vDisk is created. Make sure that no devices are currently using this vDisk and open the properties of it.

Installing and Configuring Citrix Provisioning Services 7.7 - 055

Put the vDisk in Standard Image mode (read only) with the proper configuration (Cache type).

Installing and Configuring Citrix Provisioning Services 7.7 - 056

Also the Target Device is created during the Image Wizard. Open the properties.

Installing and Configuring Citrix Provisioning Services 7.7 - 057

Configure the Target Device to boot from the new vDisk.

The post Installing and Configuring Citrix Provisioning Service 7.7 and creating a vDisk appeared first on RobinHobo.com.

Create an Apple Certificate, Identifiers and Provisioning Profiles to use for Citrix XenMobile Application Wrapping


A while ago, Apple decided to no longer allow wildcard Application IDs for new Apple Developer Accounts. This means that you need to create an Apple ID for every application you want to wrap for use with Citrix XenMobile. In the meantime, Citrix updated their MDX Toolkit so that you can change the App ID during wrapping. In this step-by-step blog I will explain how to create the provisioning profiles that are needed for iOS Application Wrapping in three easy steps.

Step 1 : Create an Apple Certificate

The first step is to create an Apple Certificate. Follow these steps to create one.

Apple Developer Account Setup 001-c

Browse to http://developer.apple.com/membercenter/ and login with your Apple Developers Account. Click on Certificates, Identifiers & Profiles

Apple Developer Account Setup 002

On the left side under iOS Apps, click on Certificates

Apple Developer Account Setup 003

Click on the + (plus sign) at the right-hand corner

Apple Developer Account Setup 004

Select In-House and Ad Hoc. Scroll down and click Continue

Apple Developer Account Setup 005

Open the Keychain Access program (we come back here later)

Apple Developer Account Setup 006

Select the following menu item: Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority

Apple Developer Account Setup 007

Fill in the User Email Address and the Common Name. Select Saved to disk and click Continue

Apple Developer Account Setup 008

Select a folder you want to save the request file to and click Done

Apple Developer Account Setup 009

Click Continue

Apple Developer Account Setup 010

Click Choose File, browse to the saved request file and click Generate

Apple Developer Account Setup 011-a

Download the certificate and click Done

Apple Developer Account Setup 012

The certificate is now created

Apple Developer Account Setup 013

Go back to the Keychain Access program and select the following menu item: File > Import Items

Apple Developer Account Setup 014

Select the saved Certificate to import. After import, make sure the Private Key is linked to the certificate

Step 2 : Creating Identifiers (App IDs)

In this part of the blog I will show you how to create unique App IDs for every App. There is one exception, and that is WorxMail. Citrix WorxMail needs some additional steps that are covered in this Citrix Blog : https://www.citrix.com/blogs/2015/06/11/mobility-experts-a-step-by-step-guide-to-configuring-worxmail-apns/

Apple Developer Account Setup 015

Open the App IDs page under Identifiers and click on the + (plus sign) at the right-hand corner

Apple Developer Account Setup 016

Enter an application name, for this example I use WorxWeb

Apple Developer Account Setup 017

Scroll down and select Explicit App ID. Fill in a unique Bundle ID, best practice is to use your external domain name backwards + app name, for example com.robinhobo.worxweb

Apple Developer Account Setup 018

Scroll down, leave everything default and click on Continue

Apple Developer Account Setup 019

Click Submit

Apple Developer Account Setup 020

Click Done

Repeat these steps for every application you want to wrap.

Step 3 : Creating Distribution Provisioning Profiles

The last step is to create Provisioning Profiles. These profiles are needed when wrapping an application with the Citrix MDX Toolkit and need to be downloaded to the Apple Macintosh device.

Apple Developer Account Setup 021

On the left side under Provisioning Profiles, click on Distribution. Click on the + (plus sign) at the right-hand corner.

Apple Developer Account Setup 022

Select In House and click Continue

Apple Developer Account Setup 023

Select an App ID created in step 2 (in this example I select the WorxWeb App ID). Click Continue

Apple Developer Account Setup 024

Select the iOS Distribution certificate created in step 1 and click Continue

Apple Developer Account Setup 025

Fill in a Profile Name and click Generate

Apple Developer Account Setup 026

Download the certificate and click Done or Add Another. Repeat these steps for every unique App ID. After this, you are ready to start wrapping the applications.

 

The post Create an Apple Certificate, Identifiers and Provisioning Profiles to use for Citrix XenMobile Application Wrapping appeared first on RobinHobo.com.

Installing and Configuring Citrix XenDesktop 7.8 and publishing a Windows 10 PVS Desktop


Citrix recently released Citrix XenDesktop 7.8. The releases follow each other rapidly lately, and there are quite a few improvements and new features in the latest releases, like session recording, Linux Virtual Desktop support, Framehawk Virtual Channel, AppDisk, Windows 10 support (since version 7.7) and Zones.

My last “step-by-step” blog about Citrix XenDesktop was about version 7.1 so it is time to make a new version with this latest XenDesktop 7.8 release. In this blog I will cover the XenDesktop 7.8 installation and configuration including the installation of the VDA Agent on a Windows 10 master image and how to publish it as a Pooled PVS desktop. There will be separate blogs in the future about the new features. If you want to know how to configure zones in XenDesktop 7.7 / 7.8 you can check this very good blog of Bas van Kaam about zones.

My Environment

SRV001 – DC, SQL Server, Citrix License Server
SRV002 – Provisioning Services server, StoreFront and it will be the XenDesktop Controller
PVSWIN10-01 – Windows 10 Master machine

All machines are running on Citrix XenServer 6.5 with the latest SP’s and patches.

System Requirements

It is important that you have already set up a Citrix License server with the proper licenses and a Microsoft SQL Server (alternatively you can use SQL Express). For the full list of Citrix XenDesktop 7.8 system requirements, see this article on the Citrix eDocs.

Installing and Configuring the Citrix XenDesktop 7.8 Delivery Controller

Installing and Configuring Citrix XenDesktop 7.8 - 001

Start the installation and click Start

Installing and Configuring Citrix XenDesktop 7.8 - 002

Click on Delivery Controller (Under the Get Started section)

Installing and Configuring Citrix XenDesktop 7.8 - 003

Select I have read, understand, and accept the terms of the license agreement and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 004

I have already a Citrix License Server and StoreFront server up and running in my environment, therefore I only select the Delivery Controller, the Studio and the Director. Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 005

A Microsoft SQL Server is already up and running in my environment so I only select Install Windows Remote Assistance. Click Next.

Installing and Configuring Citrix XenDesktop 7.8 - 006

Select Automatically and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 007

Click Install

Installing and Configuring Citrix XenDesktop 7.8 - 008

Click Finish

Installing and Configuring Citrix XenDesktop 7.8 - 009

Click on Deliver applications and desktops to your users

Installing and Configuring Citrix XenDesktop 7.8 - 010

Select A fully configured, production-ready Site and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 011

Enter the Database name and location for the Site, Monitoring and Logging database and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 012

Connect to your Citrix License server and select your XenDesktop license. Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 013

Connect to your Hypervisor (in my case my XenServer) by filling in the correct connection information. Select Next

Installing and Configuring Citrix XenDesktop 7.8 - 014

Select the network you want to use, give it a resource name and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 015

Select the storage you want to use and click Next 

Installing and Configuring Citrix XenDesktop 7.8 - 016

Select the features you want to use (for this blog I skip these options) and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 017

Click Finish

Installing the Virtual Delivery Agent (VDA) on a Windows 10 Master Image

Before creating a machine catalog, I first want to install the VDA agent on a Windows 10 master machine. Therefore, log on to the Microsoft Windows 10 Master Image and mount the Citrix XenApp and XenDesktop 7.8 ISO.

Installing and Configuring Citrix XenDesktop 7.8 - 018

Start the XenApp / XenDesktop installation and click on Start

Installing and Configuring Citrix XenDesktop 7.8 - 019

Click on Virtual Delivery Agent for Windows Desktop OS

Installing and Configuring Citrix XenDesktop 7.8 - 020

Select Create a Master Image and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 021

You can select the Citrix Receiver if you want it in your master image, otherwise click Next

Installing and Configuring Citrix XenDesktop 7.8 - 022

Fill in the XenDesktop Controller address and click Test connection

Installing and Configuring Citrix XenDesktop 7.8 - 023

Click Add and Next

Installing and Configuring Citrix XenDesktop 7.8 - 024

Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 025

Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 026

Click Install

Installing and Configuring Citrix XenDesktop 7.8 - 027

Click Finish to restart the machine

You have now installed the VDA Agent within the master image. At this point you can create a vDisk from this master machine (when using PVS) or use it as the master source machine (when using MCS). For this blog I have created a vDisk from this master machine with PVS. See my previous blog on how to create a vDisk here.

Setting up Machine Catalogs and Delivery Groups

Go back to the XenDesktop Controller and open the Studio Console.

Installing and Configuring Citrix XenDesktop 7.8 - 028

Click on Set up machines for desktops and applications or remote PC access

Installing and Configuring Citrix XenDesktop 7.8 - 029

Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 030

Select Desktop OS

Installing and Configuring Citrix XenDesktop 7.8 - 031

Select Machines that are power managed and Deploy machines using Citrix Provisioning Services (PVS). Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 032

Select Users will connect to a random desktop each time they log on to create a random desktop pool. Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 033

Connect to your Provisioning Services server and select the Windows 10 device collection. Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 034

Fill in a Machine Catalog name and the Machine Catalog description for administrators (anything you like) and click Finish

Installing and Configuring Citrix XenDesktop 7.8 - 035

Click on Set up Delivery Groups to assign desktops and applications to your users

Installing and Configuring Citrix XenDesktop 7.8 - 036

Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 037

Select the Machine Catalog, choose the number of machines you want to add to the delivery group and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 038

Click Next (not using AppDisk at this moment)

Installing and Configuring Citrix XenDesktop 7.8 - 039

Add an AD security group (or users) for this delivery group and click Next

Installing and Configuring Citrix XenDesktop 7.8 - 040

If you want to publish any application Add them here, otherwise click Next (for this blog I will only publish the Windows 10 desktop).

Installing and Configuring Citrix XenDesktop 7.8 - 041

Click Add to assign users or groups to the desktop

Installing and Configuring Citrix XenDesktop 7.8 - 043

Fill in a Desktop name and a Description. Select Allow everyone with access to this Delivery Group to use a desktop. Make sure that Enable desktop is selected and click OK

Installing and Configuring Citrix XenDesktop 7.8 - 044

Click Next

Installing and Configuring Citrix XenDesktop 7.8 - 045

Click Finish

If you have your StoreFront configured correctly, you can now connect to your Windows 10 Pooled Desktop

Testing the new published Windows 10 Desktop

Installing and Configuring Citrix XenDesktop 7.8 - 046

Login to your StoreFront site. The Windows 10 Pooled desktop is now visible.

Installing and Configuring Citrix XenDesktop 7.8 - 047

And it works fine!

The post Installing and Configuring Citrix XenDesktop 7.8 and publishing a Windows 10 PVS Desktop appeared first on RobinHobo.com.

How to add a domain name to Microsoft Azure Directory and add users

There are a few ways to provision users in a Microsoft Azure AD directory. The most common is with the use of the Azure AD Connect tool which syncs your on-premises AD directory with Azure AD. The simplest way (and good for Cloud Only scenarios) is to create users directly in Azure AD. If you want to create a user in Azure AD with the UPN of your domain name, you first need to validate the domain name. In this blog I will show you step-by-step how to do this.

To add a new domain name, log in to the Azure Classic portal (https://manage.windowsazure.com/) and open the Active Directory page.

Add_a_domain_name_to_Microsoft_Azure_01

Click the arrow to the right of the Default Directory

Add_a_domain_name_to_Microsoft_Azure_02

Click on Add domain

Add_a_domain_name_to_Microsoft_Azure_03

Fill in the Domain Name and click Add. If you are planning to enable single sign-on with ADFS for this domain you can select “I plan to configure this domain for single sign-on with my local Active Directory”. For this blog I skip this step.

Add_a_domain_name_to_Microsoft_Azure_04

Create the TXT record for your external domain as displayed in the Verify <domain name> dialog. It may take up to 24 hours before the DNS record is known everywhere so the chances are that verification is not immediately possible. No problem, this can still be done later (see next steps).

Add_a_domain_name_to_Microsoft_Azure_05

To verify the domain name after a few hours select the domain name and click VERIFY at the bottom of the screen.

Add_a_domain_name_to_Microsoft_Azure_06

Click Verify

Add_a_domain_name_to_Microsoft_Azure_07

The domain is now verified. To make the domain the primary domain, click on Change Primary at the bottom of the screen.

Add_a_domain_name_to_Microsoft_Azure_10

Select the new domain as new primary domain and click on the checkmark.

Add_a_domain_name_to_Microsoft_Azure_11

The domain name is now verified and set to primary domain.

Add a new user for the new domain name

Add_a_domain_name_to_Microsoft_Azure_12

Open the USERS tab and click the ADD USER button at the bottom of the screen.

Add_a_domain_name_to_Microsoft_Azure_13

Fill in the USER NAME, in this example Joe. Click the right arrow.

Add_a_domain_name_to_Microsoft_Azure_14

Fill in the FIRST NAME, LAST NAME and DISPLAY NAME. Select a user role (default is user) and if you want to enable Multi-Factor Authentication you can enable that right away on this page (will be covered in one of my next blogs). Click the right arrow.

Add_a_domain_name_to_Microsoft_Azure_15

A temporary password will be created. Click on Create. (password will be displayed)

Add_a_domain_name_to_Microsoft_Azure_16

The user is now created and can be assigned to resources and Microsoft Online services like Azure RemoteApp or Microsoft Intune.

The post How to add a domain name to Microsoft Azure Directory and add users appeared first on RobinHobo.com.


How to setup Microsoft Azure RemoteApp with a custom image (step-by-step)

In this blog I will guide you step-by-step on how to setup Microsoft Azure RemoteApp with a custom image. First I will create a custom image with a few custom applications installed on it. In the following steps I will show you how to import this image to RemoteApp, publish the applications and give users access to these applications. For this blog I will use a clean Azure environment (with nothing configured yet) and keep everything basic. For the user provisioning I have validated my robinhobo.com domain and manually created a test user. You can find these step-by-step instructions in my previous blog (click here).

At this moment Azure RemoteApp is only available within the Classic Azure portal, however, most parts of the preparation can be made from the new portal, so if possible, I will use the new Azure Portal for this blog.

Step 1 : Create a Resource Group

The first step is to create an Azure Resource Group. Within this resource group we will create a Virtual Network and a Virtual Machine in later steps.
Log in to the Microsoft Azure portal ( https://portal.azure.com/ ) and open the Resource groups page.

How to setup Microsoft Azure RemoteApp with a custom image 01

Click the Plus (Add) button in the upper left corner.

How to setup Microsoft Azure RemoteApp with a custom image 02

Fill in a Resource group name (anything you like). Select a Subscription and a Resource group location. Click Create.

 Step 2 : Create a Virtual Network

The second step is to create a Virtual network. For this blog I keep it simple and apply all the default settings, but we have to make sure we build this Virtual network for the Classic Azure environment so we can easily use the images we are going to create for RemoteApp in the next few steps. Therefore, open the Virtual networks (classic) page.

How to setup Microsoft Azure RemoteApp with a custom image 03

Click the Plus (Add) button in the upper left corner.

How to setup Microsoft Azure RemoteApp with a custom image 04

Fill in a Name (anything you like), I leave the Name, Address space, Subnet name and Subnet address default. Select the Resource Group we created in step 1. Click Create.

Step 3 : Create a Storage Account

Just like in step 2 with the Virtual Network, we need to create a Storage Account in the Classic environment of Azure. Therefore open the Storage accounts (classic) page.

How to setup Microsoft Azure RemoteApp with a custom image 05

Click the Plus (Add) button in the upper left corner.

How to setup Microsoft Azure RemoteApp with a custom image 06

For this blog I keep it simple and as cheap as possible 🙂 Make sure you select the Classic Deployment model and that you select the Resource group created in step one. Click Create.

Step 4 : Create a Virtual Machine (for master image)

In this step I will create the Virtual Machine used for creating the custom image. Open the Virtual Machines (classic) page.

How to setup Microsoft Azure RemoteApp with a custom image 07

Click the Plus (Add) button in the upper left corner.

How to setup Microsoft Azure RemoteApp with a custom image 08

Search for remote or RemoteApp and select Windows Server Remote Desktop Session Host with Microsoft Office 365 proPlus or Windows Server Remote Desktop Session Host on Windows Server 2012 R2 (without Office pre-installed).

How to setup Microsoft Azure RemoteApp with a custom image 09

Make sure the Classic deployment model is selected and click Create

How to setup Microsoft Azure RemoteApp with a custom image 10

Fill in a Host Name, User Name and a Password

By default the Standard D3 pricing Tier is selected. For this blog I select a cheaper one, the A2 Basic.

How to setup Microsoft Azure RemoteApp with a custom image 11

Select Optional Configuration (Network, Storage, diagnostics) > Network (Review default settings)

How to setup Microsoft Azure RemoteApp with a custom image 12

Select Virtual Network and then select the existing virtual network created in step 2

How to setup Microsoft Azure RemoteApp with a custom image 13

Select Subnet and then select the existing subnet created in step 2

For this blog I keep the domain name default and leave the IP address set to dynamic

How to setup Microsoft Azure RemoteApp with a custom image 14

Select Storage Account and select the existing storage account created in step 3 and click OK

How to setup Microsoft Azure RemoteApp with a custom image 15

Click Create

Step 5 : Customize the master image

The next step is to customize the base/master image. For this blog I will install FileZilla and Notepad++ on it.

How to setup Microsoft Azure RemoteApp with a custom image 16

After a few minutes the server created in step 4 is up and running. Open the Virtual machines (classic) page to see if the server status is Running.

If that is the case, double click on it.

How to setup Microsoft Azure RemoteApp with a custom image 17

Take a look at the DNS name, in my case this is “ra-master1.cloudapp.net”. Normally you don’t need to remember this name, but I got some errors when connecting to this server (see next steps) when clicking on the Connect button. So I had to connect with an alternative method. Click Connect to see if it works for you.

How to setup Microsoft Azure RemoteApp with a custom image 18

After entering the User account information to logon I got this error message; The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license. Please contact the server administrator.

How to setup Microsoft Azure RemoteApp with a custom image 19

Open a run dialog and run the following command; mstsc /admin

How to setup Microsoft Azure RemoteApp with a custom image 20

Connect to your server DNS name, in my case ra-master1.cloudapp.net

How to setup Microsoft Azure RemoteApp with a custom image 21

Log in with the created user account and you will see that you can now log on successfully.

How to setup Microsoft Azure RemoteApp with a custom image 22

If you check the installed applications, you see that Adobe Reader XI and Microsoft Office (including Visio) are already installed.

 How to setup Microsoft Azure RemoteApp with a custom image 23a

Now is the time to install some custom applications. For this blog I have installed the FileZilla Client and Notepad++ (just for testing)

How to setup Microsoft Azure RemoteApp with a custom image 24a

When you are done installing and configuring apps, double click the ValidateAzureRemoteAppImage PowerShell script located on the desktop

How to setup Microsoft Azure RemoteApp with a custom image 25

Press Y when asked to launch Sysprep

After Sysprep is completed, the system will be shut down.

How to setup Microsoft Azure RemoteApp with a custom image 26

After a few minutes the server status will change to Stopped. When that is the case, double click on it.

How to setup Microsoft Azure RemoteApp with a custom image 27

Click on Capture. Fill in an Image name and Image Label and select I’ve run Sysprep on the virtual machine.

Click OK

How to setup Microsoft Azure RemoteApp with a custom image 28

After a few minutes the status will change to Success

Step 6 : Import the customized image to RemoteApp

Click on the RemoteApp collections menu item. This will launch the Azure Classic portal. After login, the RemoteApp page is displayed.

How to setup Microsoft Azure RemoteApp with a custom image 29a

Open the Template Images tab and click on Import or upload a template image

How to setup Microsoft Azure RemoteApp with a custom image 30

Click on Import an image from your Virtual Machines library (recommended).

How to setup Microsoft Azure RemoteApp with a custom image 31

Select the custom image and select I confirm that I followed these steps to create my image. Click on the arrow to the right.

How to setup Microsoft Azure RemoteApp with a custom image 32

Give it a name and click the checkmark

How to setup Microsoft Azure RemoteApp with a custom image 33

After a while the Import is complete.

Step 7 : Create a RemoteApp Collection

The last step before we can test the custom image is to create a Microsoft Azure RemoteApp Collection with the custom image.

How to setup Microsoft Azure RemoteApp with a custom image 34

Open the RemoteApp Collections tab and click Create A RemoteApp Collection

How to setup Microsoft Azure RemoteApp with a custom image 35

Select Create with VNET. Give the collection a name, select a PLAN and select the correct Virtual Network and Subnet.

Click the Checkmark

How to setup Microsoft Azure RemoteApp with a custom image 36

Click on the arrow to the right next to the Collection name when the status is changed to Input Required

How to setup Microsoft Azure RemoteApp with a custom image 37

Click Link a template image

How to setup Microsoft Azure RemoteApp with a custom image 38

Click on Link an existing template image

How to setup Microsoft Azure RemoteApp with a custom image 39

Select the custom image imported in step 6 and click the checkmark

How to setup Microsoft Azure RemoteApp with a custom image 40

The collection will now be provisioned. Click on the big arrow to the left in the upper left corner.

How to setup Microsoft Azure RemoteApp with a custom image 41

The Provisioning of the Azure RemoteApp Collection can take up to one hour.

How to setup Microsoft Azure RemoteApp with a custom image 42

Click on the arrow to the right next to the Collection name when the status is changed to Active

How to setup Microsoft Azure RemoteApp with a custom image 43

Click on Publish RemoteApp programs

How to setup Microsoft Azure RemoteApp with a custom image 44

Select the applications you want to publish and click the checkmark

How to setup Microsoft Azure RemoteApp with a custom image 45

After a few minutes the applications are published. Open the User Access page.

How to setup Microsoft Azure RemoteApp with a custom image 46

Add the users you want to give access to your published applications and click Save

Step 8 : Test the Azure RemoteApp collection

In this final step I will test the Azure RemoteApp Collection. To do this, download the Microsoft Azure RemoteApp app : https://www.remoteapp.windowsazure.com/en/clients.aspx

How to setup Microsoft Azure RemoteApp with a custom image 47

Login with a user you added in the previous step.

How to setup Microsoft Azure RemoteApp with a custom image 48

The published apps are now displayed. For the test I will launch Notepad++

How to setup Microsoft Azure RemoteApp with a custom image 49

The application is starting up..

How to setup Microsoft Azure RemoteApp with a custom image 50

..and started without any problems.

The post How to setup Microsoft Azure RemoteApp with a custom image (step-by-step) appeared first on RobinHobo.com.

How to configure Citrix ShareFile SSON with Microsoft Azure AD

In the last few years I have mostly implemented ShareFile Enterprise as part of the XenMobile Enterprise edition and therefore configured the XenMobile server as a SAML identity provider for ShareFile SSON. In the last few months I have also seen some companies that were only interested in the Citrix ShareFile solution without XenMobile. In this case there are some alternative ways to provide users single sign-on (SSON) to ShareFile, for example ADFS.

Another very good alternative is to provide SSON with Microsoft Azure AD. Most companies already have an Azure AD up and running these days if they use products like Microsoft Office 365 or the Microsoft Enterprise + Security suite. And in addition, it is pretty easy to configure as I will show you in this blog.

Microsoft Azure AD

Before you can configure Citrix ShareFile SSON with Microsoft Azure AD you need to make sure Azure AD is configured correctly. This means that the domain name used for the end users' email addresses is added to the list of domains. I highly recommend configuring directory integration to automatically synchronize on-premise user accounts to Azure AD with the Azure AD Connect tool. For instructions on how to configure Azure AD directory integration see: Integrating your on-premises identities with Azure Active Directory

My Environment

For this blog I use my own test environment. I have an on-premise Domain Controller on which I have created a ShareFile security group and two test users which are members of that ShareFile security group.

Configuring Citrix ShareFile SSON with Azure AD - 001

Note: Make sure that all users have a valid E-mail address.

Configuring Citrix ShareFile SSON with Azure AD - 002

I have configured directory integration with Azure AD so the test users and the ShareFile security group are synchronized to Azure AD.

Configuring the ShareFile User Management Tool

For user synchronization between your on-premise domain and the ShareFile Control Plane, install the Citrix ShareFile User Management Tool (UMT). The installation is straightforward (next, next, finish). The configuration steps are specified below.

Configuring Citrix ShareFile SSON with Azure AD - 003

Open the ShareFile User Management Tool and login with the ShareFile superuser / admin account

Configuring Citrix ShareFile SSON with Azure AD - 004

Login with your on-premise domain administrator account and click Connect

Configuring Citrix ShareFile SSON with Azure AD - 005

Click on Groups

Configuring Citrix ShareFile SSON with Azure AD - 006

Search for the ShareFile AD Group and click Add Rule

Configuring Citrix ShareFile SSON with Azure AD - 007

Click Close

Configuring Citrix ShareFile SSON with Azure AD - 008

Click Yes

Configuring Citrix ShareFile SSON with Azure AD - 009a

In the Edit Users Rule dialog, make sure that How will your employees log in? is set to AD-Integrated. Configure the other settings like Storage Zone and user rights and click on Save and Close.

Configuring Citrix ShareFile SSON with Azure AD - 010

Click on Commit Now. The users and group are now created in the ShareFile Control Plane. It’s also recommended to Schedule this task so users will be automatically provisioned at a scheduled time.

Configuring Citrix ShareFile SSON with Azure AD - 011

As you can see, the users are now created in the Citrix ShareFile Control Plane.

Configure ShareFile Single Sign-on with Azure AD

Open a web browser and navigate to the classic Microsoft Azure portal : http://manage.windowsazure.com

Configuring Citrix ShareFile SSON with Azure AD - 012a

Navigate to Active Directory > <Your Directory> > Applications

On the bottom of the screen, click on Add

Configuring Citrix ShareFile SSON with Azure AD - 013

Click on Add an application from the gallery

Configuring Citrix ShareFile SSON with Azure AD - 014

Search for the ShareFile app and click on the checkmark

Configuring Citrix ShareFile SSON with Azure AD - 015a

Click on Configure single sign-on

Configuring Citrix ShareFile SSON with Azure AD - 016

Select Microsoft Azure AD Single Sign-On and click the next button.

Configuring Citrix ShareFile SSON with Azure AD - 017

Select the option Show advanced settings and fill in the following information;

SIGN ON URL : https://<account name>.sharefile.com/saml/login

IDENTIFIER : https://<account name>.sharefile.com/saml/info

REPLY URL : https://<account name>.sharefile.com/saml/acs

Configuring Citrix ShareFile SSON with Azure AD - 018

Download the certificate, open it in notepad, select all the text and copy it (CTRL+C)

 Configuring Citrix ShareFile SSON with Azure AD - 019

Open a second tab (do not close the first one) in your web browser and navigate to the Citrix ShareFile Admin Plane (https://<account name>.sharefile.com). Log in with the administrator account, and go to: Admin > Configure Single Sign-On

Next to X.509 Certificate, click Import or Change and paste all the text from the certificate file

Configuring Citrix ShareFile SSON with Azure AD - 020

Fill in the following information;

Your IDS Issuer / Entity ID : copy/paste the ENTITY ID URL from the Configure SSON Azure AD browser tab

ShareFile Issuer / Entity ID : https://<account name>.sharefile.com/saml/info

Login URL : copy/paste the REMOTE LOGIN URL from the Configure SSON Azure AD browser tab

Logout URL : copy/paste the REMOTE LOGOUT URL from the Configure SSON Azure AD browser tab

Configuring Citrix ShareFile SSON with Azure AD - 021

Scroll down and configure the following;

Require SSO Login: Enabled

SP-Initiated SSO certificate : HTTP Redirect with no signature

Enable Web Authentication : Enabled

SP-Initiated Auth Context : Unspecified – Exact

Click Save

Configuring Citrix ShareFile SSON with Azure AD - 022

Go back to the first browser tab and select Confirm that you have configured single sign-on as described above and click the next button.

Configuring Citrix ShareFile SSON with Azure AD - 023

Check if the Notification E-Mail address is correct and click on the checkmark

Configuring Citrix ShareFile SSON with Azure AD - 024

Click on Assign accounts

Configuring Citrix ShareFile SSON with Azure AD - 025

Search for the ShareFile group, select it and click on Assign

Configuring Citrix ShareFile SSON with Azure AD - 026

Click Yes
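
A check for the certificate step above, added here as an example and not part of the original post: before the Base64 text is pasted into ShareFile as the identity provider's X.509 Certificate, parse it and confirm what is about to be trusted (subject, fingerprint, validity window, signature and key strength). The function name, the thresholds and the self-signed sample certificate are assumptions; the sample part needs PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example, not from the original post. Function name, thresholds and the
# self-signed sample certificate are assumptions made for illustration.
function Test-SamlSigningCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertificateText,  # text as copied from Notepad
        [int] $WarnDays = 30                               # assumed warning threshold
    )
    # Keep only the Base64 body; a truncated or mangled paste fails to decode here.
    $b64  = ($CertificateText -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    $raw  = [Convert]::FromBase64String($b64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

    # SHA-256 fingerprint over the DER bytes (Thumbprint below is the SHA-1 form).
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $fingerprint = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', '' }
    finally { $sha256.Dispose() }

    # Returns $null when the certificate does not carry an RSA key.
    $rsa      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $now      = [DateTime]::UtcNow
    $daysLeft = [int][math]::Floor(($cert.NotAfter.ToUniversalTime() - $now).TotalDays)

    # OIDs for md5RSA, sha1RSA and ecdsa-with-SHA1.
    $weakSigOids = @('1.2.840.113549.1.1.4', '1.2.840.113549.1.1.5', '1.2.840.10045.4.1')

    $findings = @()
    if ($cert.NotBefore.ToUniversalTime() -gt $now) { $findings += 'not yet valid' }
    if ($daysLeft -lt 0) {
        $findings += 'expired'
    } elseif ($daysLeft -lt $WarnDays) {
        $findings += "expires in $daysLeft days; plan the certificate rollover in ShareFile"
    }
    if ($weakSigOids -contains $cert.SignatureAlgorithm.Value) { $findings += 'signed with MD5 or SHA-1' }
    if ($rsa -and $rsa.KeySize -lt 2048) { $findings += "RSA key is only $($rsa.KeySize) bits" }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotBeforeUtc      = $cert.NotBefore.ToUniversalTime()
        NotAfterUtc       = $cert.NotAfter.ToUniversalTime()
        DaysLeft          = $daysLeft
        Sha1Thumbprint    = $cert.Thumbprint
        Sha256Fingerprint = $fingerprint
        SignatureOid      = $cert.SignatureAlgorithm.Value
        RsaKeyBits        = if ($rsa) { $rsa.KeySize } else { $null }
        Findings          = $findings
    }
}

# Constructed sample: a throwaway self-signed certificate valid for 20 more days,
# standing in for the .cer file downloaded from the Azure portal.
$key     = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Sample IdP',
    $key,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample  = $request.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddDays(20))
$pem     = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($sample.RawData, 'InsertLineBreaks') +
           "`n-----END CERTIFICATE-----"

# For the real file: Test-SamlSigningCertificate -CertificateText (Get-Content <path to .cer> -Raw)
Test-SamlSigningCertificate -CertificateText $pem | Format-List
```

With the sample, Findings reports the upcoming expiry because the certificate has fewer than 30 days left; when the identity provider's signing certificate expires, the new one has to be imported in ShareFile again.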

Test if ShareFile SSON with Azure AD is working

The final step is to test the configuration.

Configuring Citrix ShareFile SSON with Azure AD - 027

Open a browser and navigate to https://myapps.microsoft.com and login with a test user / test account

Configuring Citrix ShareFile SSON with Azure AD - 028

If everything is correct the Citrix ShareFile application is displayed in the Microsoft My Apps portal.

Click on Citrix ShareFile

Configuring Citrix ShareFile SSON with Azure AD - 029

The user will automatically be logged in to the ShareFile portal without the need to re-enter his account credentials.

 

The post How to configure Citrix ShareFile SSON with Microsoft Azure AD appeared first on RobinHobo.com.

How to install and configure Citrix XenDesktop 7.12 with Windows Server 2016 hosts running on Microsoft Azure

It’s almost a year ago that I wrote an installation guide / step-by-step guide about Citrix XenDesktop. XenDesktop releases arrived at a rapid pace in the past year. At this moment, the current release is version 7.12, which was released in December 2016. So, it’s time for an up-to-date step-by-step blog about the latest XenDesktop release. This time I want to do something different: till now I always used Citrix Provisioning Services (PVS) for the XenDesktop Hosts. Since version 7.11 it’s also possible to use the Microsoft Azure Resource Manager for the XenDesktop Hosts, so let’s take a closer look at how to configure that.

In this blog, I will show you how to install and configure the Citrix XenDesktop 7.12 controller and how to create a Windows Server 2016 master image that can be hosted in Microsoft Azure.

My Environment

First let me tell you something about my environment, it is important to do some preparations before starting with the XenDesktop 7.12 installation. For example, you must have a configured Citrix License Server with the proper licenses available and a Microsoft SQL server up and running (or install SQL Express during XenDesktop installation).  If using Microsoft Azure, make sure you have your Azure tenant up and running, configured with a network and a storage account.

This is the complete overview of my environment with components that will be used during this XenDesktop 7.12 implementation;

  • Microsoft Azure Tenant with network and storage account configured
  • DC01 : Windows Server 2016 with Domain Controller role and Citrix License Server (running in Azure)
  • SQL01 : Windows Server 2016 with Microsoft SQL Server 2016 up and running (running in Azure)
  • XDC01 : Windows Server 2016, the Citrix XenDesktop 7.12 Delivery Controller software will be installed on this server (running in Azure)
  • SF01 : Windows Server 2016 with Citrix StoreFront 3.8 up and running (running in Azure)
  • On-premise Windows Server 2016 running the Hyper-V role.

System Requirements

Make sure you check the system requirements for each XenDesktop component before you start with the implementation. You can find the Citrix XenDesktop 7.12 requirements here

Preparing the Windows Server 2016 Master Image

There are two ways to prepare your Windows Server 2016 XenDesktop Host master image. The first one is the easiest one: just go to the Azure Marketplace and select the [HUB] (Hybrid Use Benefit) version of the Windows Server 2016 Datacenter image/template. Deploy a new Virtual Machine with this template, install the XenDesktop VDA agent and all the applications you want to publish with XenDesktop.

After installing all the applications and the XenDesktop VDA Agent, shut down the VM. Within the Azure Portal Stop (deallocate) the server. For these steps you need an Azure portal with an EA (Enterprise Subscription) otherwise you are not able to deploy a [HUB] template image.

Unfortunately, I don’t have an Azure tenant with an Enterprise Agreement, which brings us to option two. With option two we must create our own Windows Server 2016 Datacenter image with a Windows Server 2016 Datacenter license that includes software assurance. In my case I will install this server in my on-premise Microsoft Hyper-V environment.

Because I cannot create a new Virtual Machine with a new hard disk image that has the .vhd extension (by default it has the .avhdx file extension), I first create a new virtual hard disk manually (.vhd is needed for Microsoft Azure in combination with Citrix XenDesktop).

In the Windows Server 2016 Hyper-V Manager, right click the server name, go to New > Hard Disk.. in the Before You Begin dialog, click Next

Select VHD and click Next

Select Dynamically expanding and click Next

Fill in the Virtual Hard Disk name and the location and click Next

Fill in the desired Virtual Hard Disk size (default is 127 GB) and click Next

Click Finish

The next step is to create a new Virtual Machine (VM) and attach the just created Virtual Hard Disk.

In the Windows Server 2016 Hyper-V Manager, right click the server name, go to New > Virtual Machine.. in the Before You Begin dialog, click Next

Give the new Virtual Machine a name, in my case XD-Master. Select a location and click Next

Select Generation 1, otherwise you cannot attach the just created Virtual Hard Disk with the .vhd file extension

Assign the desired Memory and click Next

 

Select the correct network and click Next

Select Use an existing virtual hard disk, select the just created Virtual Hard Disk and click Next

Click Finish

Start the Virtual Machine and install Microsoft Windows Server 2016 and the application baseline you want to publish with Citrix XenDesktop 7.12

After the Microsoft Windows Server 2016 installation and the application baseline, start Windows PowerShell as Administrator. You need to install the Azure PowerShell modules. To install this run the following command;

Install-Module AzureRM

When asked to install Untrusted repository enter Y

After the installation, run the following command;

Install-Module Azure

We also need to install the Windows Azure VM Agent, you can download this agent here

Start the installation and click Next

Select I accept the terms in the License Agreement (if you do 🙂 ) and click Next

Click Finish

 

Install the Citrix XenDesktop 7.12 Virtual Delivery Agent for Windows Server OS

The next step is to install the Citrix XenDesktop 7.12 Virtual Delivery Agent for Windows Server OS. Mount the XenDesktop 7.12 ISO file and start the installation.

Next to XenDesktop, click Start

Click Virtual Delivery Agent for Windows Server OS

Select Create a Master Image, and click Next

Optionally you can install the Citrix Receiver. Click Next

Fill in the FQDN of your Citrix XenDesktop Controller (we are going to install this server later, but that is not a problem, just fill in the FQDN of your future XenDesktop Controller) and click Test connection

The test is always successful, even if the server does not exist.  Click Add

Click Next

Select the features you want to use and click Next

Select Automatically and click Next

Click Install

For this PoC installation I select I do not want to participate in Call Home, click Next

Select Restart machine and click Finish

After the restart, shut down the server.

Upload the custom Windows Server 2016 image to Azure

Now it’s time to upload the custom Windows Server 2016 image file to your Microsoft Azure Storage Account. Make sure you have installed Azure PowerShell on the computer/server from which you will upload the Virtual Hard Disk file (.vhd file). You can install Azure PowerShell with the "Install-Module AzureRM" and "Install-Module Azure" commands.

Log in to your Azure tenant and go to Storage accounts. Open the Storage Account you want to upload the Virtual Hard Disk to, and select Containers. At the right you see the Storage Account URL. This URL is needed in the next step.

As an Administrator, open PowerShell and run the following commands;

Login-AzureRmAccount (and log in with your Global Azure Administrator Account)

After that, run: Add-AzureRmVhd -ResourceGroupName "(Resource Group name)" -LocalFilePath "(full path to Virtual Hard Disk)" -Destination "(Storage Account URL + container name + image name)"

In my case the command is: Add-AzureRmVhd -ResourceGroupName "RobinHoboLAN" -LocalFilePath "D:\HyperV\HardDisks\XD-Master.vhd" -Destination "https://robinhobostorage.blob.core.windows.net/vhds/XD-Master.vhd"

After that the Virtual Hard Disk file will be uploaded to Microsoft Azure.

Installing and Configuring the Citrix XenDesktop 7.12 Delivery Controller

Now it’s time to install and configure the Citrix XenDesktop 7.12 Delivery Controller itself. Log in to the server and mount the Citrix XenDesktop 7.12 ISO file.

Next to XenDesktop, click Start

On the left side of the screen click on Delivery Controller

Select I have read, understand, and accept the terms of the license agreement and click Next

I have already setup a Citrix License Server and a StoreFront server in my environment. Therefore I only select the Delivery Controller, Studio and the Director. Click Next

 

A Microsoft SQL Server is already up and running in my environment, so I only select Install Windows Remote Assistance. Click Next.

Select Automatically and click Next

Click Install

This is for a test lab only, so I select I do not want to participate in Call Home. Click Next

Select Launch Studio and click Finish

Click Deliver applications and desktops to your users

 

Select A fully configured, production-ready Site (recommended for new users). Fill in a Site name and click Next

Select Create and set up databases from Studio, fill in the desired database names and the SQL Server. Click Next

Make a connection to your Citrix License server and select your XenDesktop License. Click Next

This is the part where we are going to make a connection to Microsoft Azure. You can make a connection to the Classic Azure portal, or the Azure Resource Manager. I have all my Azure resources created within the Azure Resource Manager, so I select Microsoft Azure. As Azure environment I select Azure Global. The virtual machines will be created using the Studio tools (Machine Creation Services). Click Next

Fill in your Azure Subscription ID and give the connection a name. Click Create new..

Login with your Azure Global Administrator account

Click Next

Select your Azure Region and click Next

Fill in the resource name for your Network connection and select the correct Subnet. Click Next

Select the Additional Features you are going to use in your environment and click Next

Click Finish

Now it’s time for the second step, click on Set up machines for desktops and applications or remote PC access

 

Click Next

Select Server OS and click Next

Select This Machine Catalog will use: Machines that are power managed (for example, virtual machines or blade PCs). We are going to deploy machines using Citrix Machine Creation Services. Click Next

Select the uploaded master virtual hard disk from the previous step and click Next

Click Close

Select the desired storage type and select Yes to use an existing on-premises Windows Server license. Click Next

Enter the number of virtual machines you want to create. For this blog I will create three VM’s. Select the machine size you want to use for your host servers and click Next

This is a tricky one. By default both settings are enabled. In my case, when both options were selected, the deployment of the host servers failed. I found this Citrix article (CTX220026) that described my problem and tells me to disable these two settings. Click Next

Select your network cards and click Next

Select the Microsoft Active Directory OU you want to create the Computer Accounts in. Fill in an Account naming scheme, in my case I will use XDHOSTS##. Click Next

 

Fill in a machine Catalog Name and a Machine Catalog description for administrators. In my case I will use Windows Server 2016 Desktop. Click Finish.

The deployment of the host servers will now begin. It will take a long time, in my case over 30 minutes!

Step 3, the final one. Click on Set up Delivery Groups to assign desktops and applications to your users

Click Next

Add all of the available servers (in my case three) and click Next

I will restrict access to this Delivery Group to the SharedDesktop Active Directory security group. Configure your desired settings and click Next

I will not publish any applications at this moment. If you want to publish applications from the host servers click Add, otherwise click Next

I will publish the Desktop only, click Add

Fill in a Display name and a Description. I select Allow everyone with access to this Delivery Group to use a desktop, and of course, make sure that Enable desktop is enabled. Click OK

Click Next

Fill in a Delivery Group name and optionally a Delivery Group description. In my case, this will be Windows Server 2016 Shared Desktop.

Click Finish

Final step: See if it works

The final step is to see if it all works. First let’s take a look at the Machine Catalog within Citrix Studio.

As you can see, all three servers are created, they are up and running and have a Registered state

In the Microsoft Azure Resource Manager you can see that the three servers are created in their own Resource Group

Let’s open a user session to one of the new host servers running in Azure. Log in to your StoreFront site.

 

As you can see the Windows Server 2016 Shared Desktop is visible

And after starting the user session, you can see that I have a session to the XDHOSTS03 server.

How to configure Microsoft Intune / Azure AD Conditional Access to Microsoft Office 365 Exchange Online


With Microsoft Intune you can do great things. You can enroll all kinds of mobile devices to enforce MDM policies, push applications and even configure managed mobile applications like the Microsoft Office applications. You can add an additional security layer to these managed applications by applying an additional access pincode and encrypting the data within the applications. Data can be isolated, so it can only be exchanged between other managed apps. In this way you can prevent users from saving email attachments to the local device if they use the managed Microsoft Outlook application.

But what makes this all useful if you can just configure mail in an unmanaged native mail client on your iPhone or Android device?

For that, we have the option to configure Conditional Access. With Conditional Access you can control under what conditions the user or device has access to SaaS applications like SharePoint and Exchange Online. The most common Conditional Access policies that I use are;

  • Enforce the user to enroll the device before access to email is granted (any mail client)
  • Enforce the user to use the managed Microsoft Outlook app for email (native mail clients cannot be used to access email anymore)

In this blog I will show you how to configure Conditional Access to Exchange Online. First I will show you how to enforce device enrollment and second how to enforce the use of the Microsoft Outlook application. You must know that in both cases you need to configure two separate Conditional Access policies for this to fully work! I will show you why…

Configuring Conditional Access to enforce device enrollment (Part 1)

The first step for this blog is to create a Conditional Access policy to enforce device enrollment for modern apps (apps that support modern authentication like Microsoft Outlook).

Within the Microsoft Azure Portal, navigate to Intune > Conditional access

Click Policies and click the “+ New policy” button.

Give the new policy a name. For this blog I will give it the name: CA-ExchangeOnline-ModernApps

Under Assignment click Users and groups and select an Azure AD security group if you want to apply this policy to a selected group of users (optional). All users is also an option. Click Done

Click on Cloud apps, click Select apps and search for Office 365 Exchange Online. Click on Select and Done

Select Conditions, and then choose Client apps. On the right hand side click Select client apps and select both Browser and Mobile apps and desktop clients. Click Done twice.

Under Access controls select Grant. On the right hand side of the screen click Grant access and select Require device to be marked as compliant. Click on Select in the bottom of the screen.

Make sure that Enable policy is set to On and click on Create

Testing the Conditional Access policy to enforce device enrollment (Part 1)

I will now show you what the effect of this policy is on an Apple iPad device within the Microsoft Outlook app and also the native Mail app.

Open the Microsoft Outlook app and click Get Started

Fill in your email address and click Add account

Enter your password and click Sign in

As you can see, the user is forced to Enroll the device before access to email is granted. So far so good…

Let’s do the same test with the native Mail client. Start the Mail app and click Exchange

Fill in your email address and click Next

This is an important step. If you choose Sign In, the modern authentication method will be used with Autodiscovery. If you choose Configure Manually, well, it is just like the name says: you have to configure everything yourself, without Autodiscovery but also without modern authentication. We will come back to that later. For now choose Sign In.

Fill in the password and click Sign in

As you can see, this time the user is also forced to enroll the device, so that’s OK. But what if you hit the Cancel button or if you had chosen Configure Manually in the previous step? Let’s find out. Hit the Cancel button.

Click Ok

Manually fill in the requested information and click Next

Everything is correct

Click Save

And now I have access to my email without enrolling the device. To solve this “problem” we need to configure a second policy.

Configuring Conditional Access to enforce device enrollment (Part 2)

Within the Microsoft Azure portal go back to Intune > Conditional access. Select Policies and click the “+ New policy” button.

Give the new policy a name. For this blog I will give it the name: CA-ExchangeOnline-EAS

Under Assignment click Users and groups and select an Azure AD security group if you want to apply this policy to a selected group of users (optional). Click Done

Click on Cloud apps, click Select apps and search for Office 365 Exchange Online. Click Select and Done

Select Conditions, and then choose Client apps. This time select Exchange ActiveSync. Click Done twice.

Under Access controls select Grant. On the right hand side of the screen click Grant access and select Require device to be marked as compliant. Click on Select in the bottom of the screen.

Make sure that Enable policy is set to On and click on Create

Testing the Conditional Access policy to enforce device enrollment (Part 2)

I will now show you what the effect of this policy is on an Apple iPad device within the native Mail app with manual configuration.

Start the native Mail app and click Exchange

Fill in your email address and click Next

Click Configure Manually

Fill in the password and click Next

Fill in the requested information and click Next

Click Save

As you can see, the policy is applied and no mail can be received before enrolling the device.
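The gap found in Part 1 and closed in Part 2 can be reproduced on paper before touching the tenant. The following is an added example, not code from this blog or from Microsoft: it models the two policies with field names borrowed from the Microsoft Graph conditionalAccessPolicy resource and lists which client app types are left without a compliance requirement. The helpers evaluate and uncovered_client_app_types are hypothetical, the evaluation logic is a simplification, and the cloud app is referenced by its display name rather than its real application ID.

```python
# Added example: simplified model of Conditional Access evaluation.
# Field names follow the Microsoft Graph conditionalAccessPolicy shape;
# the logic below is an assumption-level simplification, not Azure AD's code.

EXCHANGE = "Office 365 Exchange Online"  # display name used as a placeholder for the app ID
# The three client app conditions selected in the portal in this walkthrough.
CLIENT_APP_TYPES = ("browser", "mobileAppsAndDesktopClients", "exchangeActiveSync")

def policy(name, client_app_types, controls):
    """Build a policy record scoped to Exchange Online."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [EXCHANGE]},
            "clientAppTypes": list(client_app_types),
        },
        # All listed controls are required in this model.
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }

MODERN = policy("CA-ExchangeOnline-ModernApps",
                ["browser", "mobileAppsAndDesktopClients"], ["compliantDevice"])
EAS = policy("CA-ExchangeOnline-EAS", ["exchangeActiveSync"], ["compliantDevice"])

def applies(p, app, client_app_type):
    """A policy is in scope only if state, cloud app and client app all match."""
    c = p["conditions"]
    return (p["state"] == "enabled"
            and app in c["applications"]["includeApplications"]
            and client_app_type in c["clientAppTypes"])

def evaluate(policies, app, client_app_type, satisfied):
    """Return (granted, names of matching policies).
    `satisfied` is the set of grant controls the sign-in meets."""
    matched = [p for p in policies if applies(p, app, client_app_type)]
    # No matching policy means no requirement, so access is granted.
    granted = all(set(p["grantControls"]["builtInControls"]) <= set(satisfied)
                  for p in matched)
    return granted, [p["displayName"] for p in matched]

def uncovered_client_app_types(policies, app, control):
    """Client app types for which no enabled policy requires `control`."""
    return [t for t in CLIENT_APP_TYPES
            if not any(applies(p, app, t)
                       and control in p["grantControls"]["builtInControls"]
                       for p in policies)]

if __name__ == "__main__":
    for label, pols in (("Part 1 only", [MODERN]), ("Part 1 + Part 2", [MODERN, EAS])):
        print(label, "-> uncovered:",
              uncovered_client_app_types(pols, EXCHANGE, "compliantDevice"))
        for t in CLIENT_APP_TYPES:
            # Sign-in from a device that is not enrolled/compliant.
            print("   ", t, evaluate(pols, EXCHANGE, t, set()))
```

The same audit works for the Outlook enforcement described later: check for "approvedApplication" instead of "compliantDevice".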

Configuring Conditional Access to enforce the Microsoft Outlook App (and block the use of the native mail apps)

In the next step I will show you how to enforce the use of the (managed) Microsoft Outlook app and block the use of any native mail client. If you are using Microsoft Intune and configure Mobile Application Management (MAM) policies to protect company data (like email and documents) this would be the minimum Conditional Access policy to configure.

The steps of this Conditional Access policy are, except for one step, the same as the previously made Conditional Access policies to enforce device enrollment. Therefore, I only show you the setting that is different. Also create two policies for this scenario, one for the modern apps, and one for Exchange ActiveSync! You can also combine the settings into one policy (enrollment enforcement and Outlook enforcement), but again, you still need to create two policies, one for ModernApps and one for EAS.

Create a new Conditional Access policy (or edit the first one) and walk through the same steps as with the first created CA policy. The only difference is under Access controls. Select Grant. On the right hand side of the screen click Grant access and select Require approved client app. Click on Select in the bottom of the screen and Save. Repeat this step for both policies (EAS and Modern Apps).

Test the Microsoft Outlook Conditional Access enforcement policy

Let’s take a look at the results of the second Conditional Access policy.

These are the results when you choose the Sign In option (Autodiscovery) when configuring the native mail client

These are the results when you choose the Configure Manually option when configuring the native mail client.

Conclusion

When using Microsoft Intune to manage mobile devices and manage applications in combination with Microsoft Office 365 / Exchange Online, Conditional Access policies are a very powerful way to protect company email and data. Enforcing the end user to enroll their mobile devices or to force the end user to use a managed version of the Microsoft Outlook mobile app (instead of the unmanaged native mail client) gives the company the power to keep in control of the company data at any time.

How to configure Citrix Secure Mail with SSO


Citrix Secure Mail is a feature-rich mail client that comes with Citrix Endpoint Management (a.k.a. Citrix XenMobile). With Citrix Secure Mail you can enforce Mobile Application Management (MAM) policies to secure and containerize business data. You can also pre-configure the user’s mail account.

When you publish Citrix Secure Mail with default settings (including the user’s mail account), the end user is asked to enter their password the first time the Secure Mail app is started, as shown in the following screenshot.

However, it is possible to configure Secure Mail with SSO in a few simple steps, so that users no longer have to enter their password when they start Secure Mail for the first time. In this blog I will show you step-by-step how to configure this.

Autodiscovery

The first step is to configure Citrix XenMobile Autodiscovery. You can do this via the XenMobile tools site (link here). You can find the step-by-step instructions for Autodiscovery here.

For Secure Mail SSO it is important that User ID Type is set to E-mail address on the WorxHome Info page when configuring Autodiscovery. See also the next screenshot.

Client Properties

The second step is to configure and create some Citrix XenMobile Client Properties. Within the Citrix XenMobile admin console go to the settings page.

Open Client Properties

Make sure that the value of ENABLE_PASSCODE_AUTH and ENABLE_PASSWORD_CACHING are set to true

Click the Add button and add the following Client Property;

Key: Custom Key

Key: ENABLE_CREDENTIAL_STORE

Value: true

Name: Credential Store

Description: Credential Store

Click Save

Click the Add button one more time and add the following Client Property;

Key: Custom Key

Key: SEND_LDAP_ATTRIBUTES

Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

Name: LDAP Attributes

Description: LDAP Attributes for SSON

Click Save

Server Properties

The next step is to create some Citrix XenMobile Server Properties. Within the Citrix XenMobile admin console go to the settings page.

Open the Server Properties page.

Click the Add button

Add the following Server Property;

Key: Custom Key

Key: MAM_MACRO_SUPPORT

Value: true

Display name: MAM Macro Support

Description: MAM Macro Support

Click Save

Restart the XenMobile server via CLI (in case of a XenMobile cluster, restart all the XenMobile nodes).

Configure Citrix Secure Mail

In the final step we need to set some special settings within the Citrix Secure Mail client policies.

Within the Citrix XenMobile admin console navigate to; Configure > Apps

Select Secure Mail and click Edit

Open the iOS page (repeat these steps for the Android page) and browse to App Settings. Make sure the Secure Mail Exchange Server and Secure Mail user domain are empty.

Scroll down a little bit further and configure the following settings;

Initial authentication mechanism: User email address

Initial authentication credentials: userPrincipalName (or sAMAccountName if that is the authentication type used to authenticate against the Exchange Server)

Save the configuration of Secure Mail after also changing the Android settings.

Test the new configuration

For this test I reinstalled Secure Mail so that the new configuration is active immediately.

When I open Secure Mail for the first time I need to Authorize the app as you can see on the right.

After Secure Mail is authorized, it automatically restarts and starts configuring my mail account. A few seconds later the folders are downloading and my mailbox is ready for use without the need to enter my password.
