In my previous articles I have mentioned software products for managing corporate mobility only in passing. Today I will explain in more detail why such software is needed, when it should be used, and what restrictions and features deserve attention when choosing it. I will also briefly cover the distinctive features of Citrix XenMobile in its three editions. Details under the cut.

Business background for the introduction of mobile workplace delivery systems
Let's start by separating the technology from the business need: mobile workplaces exist first of all as a matter of how the business is organized. If the company has employees who must spend most of their time outside the office and still need access to corporate data, that is the main prerequisite for introducing corporate mobility. The simplest example is a large warehouse where an employee takes inventory: without a mobile tool, he has to write all the data on a sheet of paper and then type it into a stationary computer from that sheet. In this situation a mobile workplace should appear, a specialized device that reads the tag on the relevant box and records its exact location in the warehouse, so the system updates the database automatically.
When an enterprise has the prerequisites for introducing mobile workplaces, the question is how to implement the concept. One option is XenMobile. The main nuance of this software is that the application runs locally on the user's device. Consequently, the company must either already have applications written for that platform, or its working applications must support the software platform on which XenMobile is installed. There is a second option: take a tablet and connect remotely to virtual desktops. In this case the mobile device is a kind of "TV", a display for processes that actually run in the data center. Both are forms of remote access. The main difference is that with XenMobile we can keep working with the application even when there is temporarily no network connection (provided the developers have built in that capability).

There are strict limitations for the mobile platform: a supported OS must be installed, and the available functions depend heavily on the version (Android 6 is very well supported, but Android 2.2 is not: theoretically you can integrate old XenMobile versions with it, but Citrix no longer supports them). If the company has no business application for an existing platform, one will have to be written specially. Business processes that were built on the assumption that the user sits at a desk may have to change. Some equipment will have to change as well (in the simplest case the user had a PC plus a scanner, but now the scanner must be built into the mobile workstation so that one device can both scan and enter data into the system). It is necessary to analyze carefully which way of introducing mobile workplaces to choose. If XenMobile is the main means of ensuring employee mobility, then, from the point of view of channel load, it is recommended to design the application to accumulate data in a local buffer: if the data channel is unavailable for a while, the application can then keep working in offline mode.
With terminal access to remote applications or virtual desktops, something is constantly being transmitted over the channel, at least the service packets of the open session. When the application runs locally, nothing may be transmitted at all until a data transfer is explicitly started. For virtual desktops and terminal applications the amount of data transferred depends heavily on the application: if it contains multimedia (Flash, training videos), the channel load will be very significant. It also helps if the user understands that in terminal mode one should not idly swipe a finger across the screen, because every cursor movement has to go to the data center and the redrawn cursor has to come back. As a result, with virtual desktops and terminal access the channel load may be higher. In practice it all depends on the specific implementation: how the application is written, whether large volumes of data are needed, and so on.
Protection of corporate data during the delivery of mobile workstations
The starting point for this question is whether we hand out corporate devices to employees or they use their own. In a warehouse we most likely hand them out, because the device must be combined with a scanner, a barcode reader or an RFID tag reader. If the mobile employee has mostly office functions, he may well use his own device, and on that device a line must be drawn between the user's personal data and what is delivered from the corporate server. With a device issued by the company, the employer has more legal and ethical room to manage the device fully and to prohibit certain actions. In the case of BYOD, such restrictions cannot be imposed on the whole device, since they would affect the user's personal data and applications.

By and large, data protection in the two cases does not differ much, except that on a company-issued device, policies block some of the capabilities the user would otherwise have. If we write the application ourselves using the SDK that Citrix supplies as part of XenMobile, we can "wrap" the data and the application in a container; when personal devices are used, this is a must. When working remotely, outside the company's internal network, you also need to think about protecting the user's external connection to internal corporate resources.
Citrix recommends placing a NetScaler solution at the "entrance" to the data center. Then, when a specific application uses XenMobile, a micro-VPN tunnel is built only to the resource that application needs. Dozens of applications on a mobile device may go out to the network; if one of them is corporate, then as soon as the need arises it "knocks" in the direction of the data center. NetScaler determines which internal resource this application needs and builds a tunnel from this application only to that resource. All ordinary user applications use the usual data channel, and their traffic does not enter the internal network, so you can be sure that unauthorized or malicious user software will not get into the corporate network. The network administrator can bind certain policies to the container: for example, whether to allow copy-paste with external applications. For business-critical applications that handle highly sensitive information, allowing such an operation would not be the best idea. A trivial example: a company sends an internal mailing congratulating employees on winning a large tender. Officially it has not been announced yet and the contract has not been signed, but employees have already been told. In many companies there are people who, without thinking, will share this information with friends on social networks. Since it is not officially confirmed, publishing it may violate the company's obligations. The employees did it not out of malice, but out of thoughtlessness.
Of course, in the case of a targeted attack, or simply a strong desire to steal data, nothing stops someone from copying it off the screen of a mobile device with pen and paper. Still, policies help us eliminate a huge number of simple user errors caused by carelessness, negligence and the like. Countering a targeted attack with XenMobile alone is not serious; one cannot expect a non-specialized application to protect you from a targeted attack. Such scenarios require defense in depth.
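To make the two mechanisms above concrete, here is an added example that is not code from the original article and not Citrix's implementation: a simplified model of a per-application tunnel decision (a managed app gets a path only to the internal hosts on its own allow-list, while ordinary apps never reach the internal network) and of the container copy-paste policy, expressed as a direction plus the kinds of data allowed through, the same shape the clipboard rules for virtual desktops take in the next section. The app identifiers, the `.corp.example` internal suffix and the policy contents are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class ClipDirection(Enum):
    """Direction in which clipboard data may cross the container boundary."""
    NONE = "none"
    TO_DATACENTER = "to_datacenter"   # device -> corporate resource only
    TO_DEVICE = "to_device"           # corporate resource -> device only
    BOTH = "both"


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy (hypothetical model, not a Citrix policy object):
    which internal hosts the app may reach through its own tunnel, and what
    the clipboard may carry in which direction."""
    app_id: str
    tunnel_hosts: frozenset          # internal hosts this app is allowed to reach
    clip_direction: ClipDirection
    clip_kinds: frozenset            # e.g. {"text"} or {"text", "image"}; empty = nothing


INTERNAL_SUFFIX = ".corp.example"    # constructed internal DNS suffix for the demo

# Constructed sample policies.
POLICIES = {
    "com.example.finance": AppPolicy(
        app_id="com.example.finance",
        tunnel_hosts=frozenset({"erp.corp.example"}),
        clip_direction=ClipDirection.NONE,     # sensitive app: no copy-paste at all
        clip_kinds=frozenset(),
    ),
    "com.example.mail": AppPolicy(
        app_id="com.example.mail",
        tunnel_hosts=frozenset({"mail.corp.example", "portal.corp.example"}),
        clip_direction=ClipDirection.BOTH,
        clip_kinds=frozenset({"text"}),         # text only, no images or files
    ),
}


def route_connection(app_id: str, host: str, policies=POLICIES) -> str:
    """Decide how an outbound connection from an app is handled.

    "tunnel" - managed app reaching a host on its own allow-list: a tunnel is
               built from this app to that resource only.
    "deny"   - an internal host this app has no tunnel for: unmanaged apps get
               no path into the corporate network, and a managed app cannot
               reach internal hosts outside its allow-list.
    "direct" - any other (external) destination uses the device's ordinary
               network path and never touches the internal network.
    """
    policy = policies.get(app_id)
    if policy is not None and host in policy.tunnel_hosts:
        return "tunnel"
    if host.endswith(INTERNAL_SUFFIX):
        return "deny"
    return "direct"


def clipboard_allowed(app_id: str, direction: ClipDirection, kind: str,
                      policies=POLICIES) -> bool:
    """Is a clipboard transfer of `kind` in `direction` permitted for the
    container of `app_id`? Unmanaged apps have no container and therefore
    no corporate data that this policy could release, so the answer is False."""
    policy = policies.get(app_id)
    if policy is None or policy.clip_direction is ClipDirection.NONE:
        return False
    if policy.clip_direction is not ClipDirection.BOTH and policy.clip_direction is not direction:
        return False
    return kind in policy.clip_kinds
```

The point of the routing function is the "deny" branch: an internal host is reachable only through a tunnel that a policy explicitly grants, so a game or a malicious app on the same device has no route into the data center at all.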
When storing data on a mobile device, proceed from who owns that data. Corporate data stored locally must sit in a secure container and be inaccessible to other, unauthorized applications. This avoids the situation where we open a standard mail client and try to send corporate documents as an attachment; that function can be blocked from the start. When data is transferred between the client and the data center, all of it is encrypted. XenMobile uses standard encryption protocols: the container and the data are encrypted with AES-256, and the solution is NIST-certified for use in government agencies abroad. Russian users should keep in mind that the system does not use GOST encryption algorithms. If the customer needs that capability (for example, to transfer personal data over a public channel), a joint solution with partner companies such as S-Terra or Digital Design can be used; they have solutions for protecting the data channel with Russian cryptographic algorithms.
If the mobile device is on the company's internal network (a closed perimeter), there are almost no restrictions on cryptography, so XenMobile's standard cryptography can be used. When developing an application, knowing the specifics of the work, it is possible to prohibit or limit certain functionality from the start: prohibit screenshots when working with a financial application, prohibit use of the camera while the user is inside the application, prohibit opening links in an external browser, and so on.
With remote access built on virtual desktops and terminal services it is even simpler. When the application is launched, a special file is transferred to the device: a description of how to connect to the corresponding resource. This file is one-time; it cannot be used to connect a second time. Once connected to the systems in the data center, the channel is protected by standard cryptography, and all data stays in the data center. The administrator applies policies that govern data exchange with the local device. The user is not restricted in the choice of device, but the administrator can open the clipboard between the user's device and the data center in the required direction (device to data center, data center to device, or both) and regulate what may pass through it: text only, graphics only, or other data formats. This part is managed entirely from the data center, and by default nothing is stored on the client device.
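The one-time connection file described above is an instance of a single-use launch ticket. The following is an added example, not code from the article and not Citrix's own connection-brokering mechanism: a hypothetical broker that issues an unguessable ticket bound to a user and a resource, redeems it exactly once, and rejects both a replayed ticket and one that was issued but not used within its lifetime. The user and resource names are constructed, and the clock is injectable so that expiry can be shown deterministically.

```python
import secrets
import time


class LaunchTicketBroker:
    """Issues and redeems single-use, time-limited launch tickets (hypothetical model)."""

    def __init__(self, ttl_seconds: float = 60.0, clock=time.time):
        self._pending = {}          # ticket -> (user, resource, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, user: str, resource: str) -> str:
        # 256 bits from the OS CSPRNG: a ticket cannot be guessed or enumerated.
        ticket = secrets.token_urlsafe(32)
        self._pending[ticket] = (user, resource, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket: str):
        """Return (user, resource) on the first valid use, otherwise None.

        The ticket is removed from the pending set before any other check, so a
        second presentation of the same ticket fails even if the first one was
        rejected as expired.
        """
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return None                       # unknown, or already consumed
        user, resource, expires_at = entry
        if self._clock() > expires_at:
            return None                       # issued but not used in time
        return (user, resource)

    def purge_expired(self) -> int:
        """Drop tickets that were issued but never redeemed; returns how many."""
        now = self._clock()
        stale = [t for t, (_, _, exp) in self._pending.items() if now > exp]
        for t in stale:
            del self._pending[t]
        return len(stale)

    def pending_count(self) -> int:
        return len(self._pending)


def demo():
    """Walk through issue -> redeem -> replay -> expiry with a fake clock.

    Returns (first_use, replay, late_use, purged) so the outcomes can be checked.
    """
    now = [1000.0]
    broker = LaunchTicketBroker(ttl_seconds=60.0, clock=lambda: now[0])
    t1 = broker.issue("alice", "vdi-pool-finance")   # constructed user and resource
    first_use = broker.redeem(t1)                     # first use: accepted
    replay = broker.redeem(t1)                        # same file presented again: rejected
    t2 = broker.issue("bob", "app-erp")
    broker.issue("carol", "app-erp")                  # a ticket nobody ever uses
    now[0] += 120.0                                   # move past the 60 s lifetime
    late_use = broker.redeem(t2)                      # expired: rejected
    purged = broker.purge_expired()                   # carol's stale ticket is dropped
    return first_use, replay, late_use, purged


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the security property: the ticket is consumed with `pop` before its validity is examined, so there is no window in which a rejected ticket remains redeemable, and the lifetime is short because the ticket is only a bridge between "the user asked to launch this" and "the gateway opened the session".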
Requirements for the technical parameters of the mobile device and data transmission channel
Speaking of terminal access and VDI on a mobile device, one important technical parameter is screen size, which determines how comfortably the user can work on a device with a small diagonal. The problem is that we connect to traditional applications written for a PC, with keyboard input and menu items selected with a mouse. Modern mobile devices have good graphic resolution, but the screen has a small diagonal of 4-7 inches, and it is quite hard to hit the desired area with a finger. When a mobile device is used with applications written specifically for the mobile platform, the specifics of the device are taken into account; here the hardware characteristics (processor, memory) matter more than with terminal access.

Much depends on the mobile OS: essentially, on what we will write for the platform and how, and on what features the OS offers for running applications. The OS versions are also very important; they change quite often, and with them the set of libraries and available functions. For most MDM vendors the functionality of their products is roughly the same for one simple reason: they can only do what the OS and its application programming interfaces (APIs) allow. If the operating system can block a certain feature, fine; if not, MDM will not add it. So the more modern the OS version, the more opportunities it provides for MDM. A relatively old device can technically still work, and a data container can be delivered to it, but in terms of protection it will be far more vulnerable than a device with the latest OS version. When an application is written for a mobile platform, the amount of RAM in the device must be taken into account, since the application runs locally. With BYOD it may turn out that not every device can function fully, because its characteristics will not let corporate applications run. In that case the company imposes an organizational restriction on the technical characteristics of employees' personal devices: the OS must be no older than a certain version and the hardware no worse than a certain level.
As for the data channel, everything again depends heavily on the applications themselves and how often they communicate. The initial download of the application to a mobile device is a one-time action until the application's next update. The capabilities of ordinary 3G/LTE cellular networks are quite sufficient for monitoring the device or issuing control commands.
Interaction with customer file resources and third-party services in mobility management
When the IT department, besides managing mobile devices and applications, is tasked with ensuring secure document exchange, special attention goes to information exchange management solutions. Here the customer either solves the problem with a separate product (which raises the question of integration with existing solutions) or buys XenMobile Enterprise, which includes secure file exchange functionality and the ShareFile agent, which can preview and edit a document on the mobile device and save it to a protected area. If the administrator is notified that the device has been stolen or lost, he can remotely wipe the files the user has stored on the device. The applications Citrix supplies are already written with this in mind. In all other cases you can take a solution such as Google Drive or Microsoft OneDrive, but then the question arises of how to integrate mobile business applications with the file service.
If we are talking about ordinary corporate "file services", FTP directories, file servers or SharePoint, all of these are also easy to integrate into XenMobile Enterprise, where an external resource can be connected to the user's closed area. Moreover, "external" means not only external to ShareFile but also external to the company: Microsoft OneDrive and a number of other systems with similar functions can be connected here too. But you need to understand that external cloud storage does not provide the level of security that ShareFile, as part of the Enterprise edition, does.
Functional differences in XenMobile editions: MDM, Advanced and Enterprise Edition
The choice of XenMobile edition depends on the tasks. The MDM edition provides mobile device management functionality only. When users need to connect to internal Wi-Fi with digital certificates, those certificates should be distributed to the device automatically. If we want to know where the user is, and if the law does not prohibit it, his movements can be tracked. To make users set complex passwords on their devices, security policies must be configured. These are essentially the main tasks solved with XenMobile MDM. Most often, when it comes to corporate mobility, the next step is needed: active use of mobile applications. In that case the Advanced edition is recommended, which includes the MDM functionality and adds MAM (Mobile Application Management). Besides the SDK with a set of policies that can be applied to an application, there are a number of standard mobile applications that Citrix has developed and ships as part of its solution: secure mail, a secure web browser, and several additional ones. They are designed for safe work with the corporation's internal resources; after that, everything depends on the customer's requirements and capabilities, whether he will write business applications for his tasks on the mobile platform or his main task is to provide access to mail, the calendar and internal portals.
The Enterprise edition includes a number of additional applications, plus the most significant part: the ability to use ShareFile. This is corporate cloud storage that integrates with Active Directory and is used by employees to exchange files with external contractors and between their own devices. With ShareFile, an agent is installed on the device that creates a special area in the system; if a file is saved to this area, it is transferred to the data center and replicated from there to all of the user's connected devices. Summing up, choosing the required edition comes down to the following algorithm. If the task is only to enroll and register user devices and ensure their physical security, with remote wipe and lock, then XenMobile MDM is sufficient; if the task is to distribute, manage and protect mobile applications and to work with internal corporate resources in a protected form, the right choice is the Advanced edition. If, in addition to all this, you also need secure file exchange not only within the company but also with external counterparties, the Enterprise edition is required.
XenMobile can be delivered as a separate solution in one of three editions, but if a company needs not only corporate mobility management but also remote access to virtual desktops or terminal applications for all users, the Citrix Workspace Suite package, where all these features are present from the start, is recommended. But suppose the situation is different: corporate mobility is needed for a hundred users, while one and a half thousand employees work with terminal applications from thin clients. In this case the Workspace Suite would not be the most economical option; it would be cheaper to buy separate XenApp or XenDesktop licenses for those 1,500 people and an additional one hundred XenMobile licenses.
Features of Citrix XenMobile software compared to peers
From the point of view of MDM, all players on the market are roughly the same. The main differences lie in how comfortable the system is for the administrator to maintain, how easy it is to enroll and manage devices, and how easy it is to change existing policies. If the customer is considering MDM only, he needs to decide which product is closer and clearer to his administrators and how quickly they can start working in one system or another; that will in fact be the key difference. With application management (MAM) the nuances begin: work with third-party vendors, whether "wrapping" their applications in a container is supported, whether integration with DLP and IRM systems is possible, what else is supplied besides the management system, whether an SDK is available, and whether micro-VPN tunnels can be built.
Among its additional features, Citrix XenMobile provides rich security policy functionality, as well as the supplied SDK and additional mobile applications.
Calculating the cost of mobile workplace delivery
Depending on the edition chosen, there is a certain basis for the calculations. When calculating the cost of implementing XenMobile, look at its two main parts: what runs in the data center and what runs on the user device. Is everything delivered to the user device already included in the license, or is it developed by the customer company independently? How do devices appear in the system: does the company hand them out to employees, or does the BYOD approach apply? How are external channels used? If this is a warehouse or a unit that uses only the company's internal network, network costs can in principle be ignored: the network is already there, only new traffic is added. If the employee works "in the field", compensation for mobile Internet expenses must also be provided.

If we are talking about MDM only, then only XenMobile MDM is needed, which is licensed either per user (a user may then use an unlimited number of devices) or per device (an unlimited number of users).
If there is multi-shift operation with devices handed over from shift to shift, a per-user licensing scheme makes no sense. In terms of infrastructure cost, this is one virtual machine that is included in the Citrix license. You can install it on an existing virtualization platform or download the free XenServer and deploy it there. This is the minimum cost.