Citrix XenMobile is Mobile Device Management software that allows you to control ActiveSync devices at the corporate level. While many people assume this means pushing email profiles to the device and controlling ActiveSync access, it is in fact much more than that. You have the ability to control and push applications to the devices, enforce security on the devices, and much more. That being said, there can be a lot of complexity and moving parts to get the solution working. I thought it would be good, for my own sanity but also for others, to lay out the steps for a real world example. I’ll do it in the style of a business case so we can lay out the business requirements and the architecture, and then go about installing and configuring the necessary items.
The SOA Corporation has several goals it wants to achieve with this Mobile Device Management implementation:
- Restrict unmanaged devices from being able to connect to the Exchange environment using ActiveSync.
- Force all devices, employee owned or not, to first be registered with XenMobile before they are allowed to receive corporate resources such as ActiveSync profiles and applications.
- Management wants to be able to wipe just the corporate data off of a device and leave the rest of the employee owned device alone.
- Management would like to minimize the need for the helpdesk to manually allow devices for users.
The existing Exchange architecture is simple for this case. We have a single, multi-role Exchange server sitting in our datacenter. We are also using Citrix Netscalers to publish Exchange resources to the internet. Users currently access ActiveSync using the namespace mobilemail.accessabacus.com.
After we implement the XenMobile solution, our architecture will look like the following:
There are a couple of things to note. First off, I stink at Visio, so I did the best that I could. After our installation, we will have the following servers:
- PHDC-SOAEXC1 – Exchange Multi Role Server
- PHDC-XENDM01 – XenMobile Device Manager Server
- PHDC-XENNC01 – XenMobile Netscaler Connector Server
- PHDC-XENMM01 – XenMobile Mail Manager Server
- PHDC-SQL01 – SQL Server to host the XenMobile Device Manager and XenMobile Mail Manager Databases
The external namespaces will be:
- mobilemail.accessabacus.com – Exchange ActiveSync URL
- mobile.accessabacus.com – XenMobile Device Registration Site
What Does Each Component Do?
XenMobile Device Manager Server
This is the “brains” of the XenMobile operation. It is the management server where you define device policies, manage user devices and have visibility into the environment. This server hosts the mobile.accessabacus.com web page, which is where we point our mobile devices in order to register them with XenMobile.
XenMobile Netscaler Connector
This server runs a service that is responsible for “intercepting” Exchange ActiveSync requests from end user devices. It does this via HTTP callouts in the Netscaler (which we will explain and discuss later in the series). When it intercepts a request, it asks the XenMobile Device Manager server about the device in question. Based on the policies in place, the Device Manager server tells the Netscaler Connector whether the ActiveSync device should be allowed or not. If it shouldn’t be allowed, the Netscaler Connector tells the Netscaler to drop the connection and the user's device will get a “cannot connect” error message. If it should be allowed, the Netscaler Connector tells the Netscaler to allow the device to connect to the Exchange Server as normal. Think of the Netscaler Connector as a network level firewall for Exchange ActiveSync.
XenMobile Mail Manager
This server runs a service that interrogates Exchange through remote PowerShell. It allows XenMobile to see all devices that have Exchange ActiveSync partnerships, regardless of whether they are managed by XenMobile or not. It is essentially running the Get-ActiveSyncDevice command for every mailbox in the environment and reporting back to XenMobile Device Manager. It also receives updates from Device Manager about whether a device should be allowed or not. For instance, a user's device connects to ActiveSync, then violates a company rule, say by removing the passcode from the device. XenMobile Device Manager will detect this and send a command to Mail Manager. Mail Manager will then, using PowerShell, apply an Exchange ActiveSync block on this particular device for the user, stopping it from connecting to ActiveSync. Just as the Netscaler Connector is a network level firewall for Exchange ActiveSync, think of Mail Manager as an application level firewall for Exchange ActiveSync.
Mail Manager also works with Exchange’s Quarantine functionality. This means you can set Exchange to quarantine every new device that starts an ActiveSync partnership. Usually, an admin needs to go in and manually allow each device. With XenMobile, if the user registers their device with XenMobile Device Manager, Device Manager sends a command to Mail Manager to create an ActiveSync allow rule for that user and device, automating the entire process!
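To make the Mail Manager behaviour described in the last two paragraphs concrete, here is an added example (not code from the article or from Citrix) of the same sweep, block and allow steps written directly against the Exchange 2010 cmdlets over remote PowerShell. It assumes the article's Exchange server PHDC-SOAEXC1; the admin notification address and the list of "registered" device IDs are constructed placeholders standing in for what Device Manager would supply.

```powershell
# Added example, not code from the article or from Citrix's Mail Manager.
# Assumes the Exchange 2010 server PHDC-SOAEXC1 from the article; the admin
# address and the registered-device list below are constructed placeholders.

# Open a remote PowerShell session to the Exchange management endpoint
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://PHDC-SOAEXC1/PowerShell/' -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

# Organization default: every new ActiveSync partnership is quarantined until
# an admin (or, in the article's design, Mail Manager) explicitly allows it.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admin@accessabacus.com'   # placeholder address

# Constructed stand-in for the set of device IDs registered with Device Manager
$registered = @('ApplDNQJ1234ABCD', 'SEC1A2B3C4D5E6F7')

# Sweep every mailbox that has an ActiveSync partnership
$mailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

foreach ($cas in $mailboxes) {
    foreach ($dev in (Get-ActiveSyncDeviceStatistics -Mailbox $cas.Identity)) {
        $id = $dev.DeviceID
        if ($registered -contains $id) {
            # Registered device: a per-mailbox allow rule releases it from quarantine
            if ($dev.DeviceAccessState -ne 'Allowed') {
                Set-CASMailbox -Identity $cas.Identity -ActiveSyncAllowedDeviceIDs @{Add = $id}
                Write-Output "ALLOW $($cas.Identity) $id ($($dev.DeviceType))"
            }
        } elseif ($dev.DeviceAccessState -ne 'Blocked') {
            # Unregistered (or non-compliant) device: a per-mailbox block, the
            # application-level counterpart of the Netscaler-side connection drop
            Set-CASMailbox -Identity $cas.Identity -ActiveSyncBlockedDeviceIDs @{Add = $id}
            Write-Output "BLOCK $($cas.Identity) $id ($($dev.DeviceType))"
        }
    }
}

Remove-PSSession $session
```

The per-mailbox allowed and blocked lists take precedence over the organization default, which is what lets the quarantine-by-default policy coexist with automatic allows for registered devices.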
As of this writing though, Mail Manager does not yet support Exchange 2013 so you need to point it to a server running the Exchange Management Tools for Exchange 2010. Just an FYI.
Well, that is the basic architecture and overall goal of the project. Next, we will jump into installing XenMobile Device Manager.