Management Modes
For each XenMobile instance (a single server or a cluster of nodes), you can choose whether to manage devices, apps, or both. XenMobile uses the following terms for device and app management modes:
- Mobile device management mode (MDM mode)
- Mobile app management mode (MAM mode)
- MDM+MAM mode (Enterprise mode)
Mobile device management (MDM Mode)
Important:
If you configure MDM mode and later change to ENT mode, be sure to use the same (Active Directory) authentication. XenMobile doesn’t support changing the authentication mode after user enrollment. For more information, see Upgrade.
With MDM, you can configure, secure, and support mobile devices. MDM enables you to protect devices and data on devices at a system level. You can configure policies, actions, and security functions. For example, you can wipe a device selectively if the device is lost, stolen, or out of compliance. Although app management is not available with MDM mode, you can deliver mobile apps, such as public app store and enterprise apps, in this mode. The following are common use cases for MDM mode:
- MDM is a consideration for corporate-owned devices where device-level management policies or restrictions, such as full wipe, selective wipe, or geo-location are required.
- When customers require management of an actual device, but do not require MDX policies, such as app containerization, controls on app data sharing, or micro VPN.
- When users only need email delivered to their native email clients on their mobile devices, and Exchange ActiveSync or Client Access Server is already externally accessible. In this use case, you can use MDM to configure email delivery.
- When you deploy native enterprise apps (non-MDX), public app store apps, or MDX apps delivered from public stores. Consider that an MDM solution alone might not prevent data leakage of confidential information between apps on the device. Data leakage might occur with copy and paste or Save As operations in Office 365 apps.
Mobile app management (MAM Mode)
MAM protects app data and lets you control app data sharing. MAM also allows for the management of corporate data and resources, separately from personal data. With XenMobile configured for MAM mode, you can use MDX-enabled mobile apps to provide per-app containerization and control. The term MAM mode is also called MAM-only mode. This term distinguishes this mode from a legacy MAM mode.
By using MDX policies, XenMobile provides app-level control over network access (such as micro VPN), app and device interaction, data encryption, and app access.
MAM is often suitable for bring-your-own (BYO) devices because, although the device is unmanaged, corporate data remains protected. MDX has many MAM-only policies that don’t require an MDM control.
MAM also supports the mobile productivity apps. This support includes secure email delivery to Citrix Secure Mail, data sharing between the secured mobile productivity apps, and secure data storage in Citrix Files. For details, see mobile productivity apps.
MAM is often suitable for the following examples:
- You deliver mobile apps, such as MDX apps, managed at the app level.
- You are not required to manage devices at a system level.
MDM+MAM (Enterprise Mode)
MDM+MAM is a hybrid mode, also called Enterprise Mode, which enables all feature sets available in the XenMobile Enterprise Mobility Management (EMM) solution. Configuring XenMobile with MDM+MAM mode enables both MDM and MAM features.
XenMobile lets you specify whether users can choose to opt out of device management or whether you require device management. This flexibility is useful for environments that include a mix of use cases. These environments might or might not require management of a device through MDM policies to access your MAM resources.
MDM+MAM is suitable for the following examples:
- You have a single use case in which both MDM and MAM are required. MDM is required to access your MAM resources.
- Some use cases require MDM while some do not.
- Some use cases require MAM while some do not.
You specify the management mode for the XenMobile Server through the Server Mode property. You configure the setting in the XenMobile console. The mode can be MDM, MAM, or ENT (for MDM+MAM).
The XenMobile edition for which you have a license determines the management modes and other features available, as shown in the following table.
XenMobile MDM Edition | XenMobile Advanced Edition |
MDM features | MDM features |
- | MAM features |
- | MAM SDK |
Secure Hub | Secure Hub |
- | Secure Mail |
- | Secure Web |
Management modes and enrollment profiles
The management modes and enrollment profiles work together. You use an enrollment profile to configure device management and app management enrollment options for Android and iOS devices. For Android, the enrollment options available for the MDM+MAM server mode differ from the options for MDM mode. For more information, see Enrollment profiles.
Device Management and MDM Enrollment
A XenMobile Enterprise environment can include a mixture of use cases, some of which require device management through MDM policies to allow access to MAM resources. Before deploying mobile productivity apps to users, fully assess your use cases and decide whether to require MDM enrollment. If you later decide to change the requirement for MDM enrollment, it is likely that users must re-enroll their devices.
Note:
To specify whether you require users to enroll in MDM, use the XenMobile Server property Enrollment Required in the XenMobile console (Settings > Server Properties). That global server property applies to all users and devices for the XenMobile instance. The property applies only when the XenMobile Server Mode is ENT.
The following is a summary of the advantages and disadvantages (along with mitigations) of requiring MDM enrollment in a XenMobile Enterprise mode deployment.
When MDM enrollment is optional
Advantages:
- Users can access MAM resources without putting their devices under MDM management. This option can increase user adoption.
- Ability to secure access to MAM resources to protect enterprise data.
- MDX policies such as App Passcode can control app access for each MDX app.
- Configuring Citrix ADC, XenMobile Server, and per-application time-outs, along with Citrix PIN, provide an extra layer of protection.
- While MDM actions do not apply to the device, some MDX policies are available to deny MAM access. The denial would be based on system settings, such as jailbroken or rooted devices.
- Users can choose whether to enroll their device with MDM during first-time use.
Disadvantages:
- MAM resources are available to devices not enrolled in MDM.
- MDM policies and actions are available only to MDM-enrolled devices.
Mitigation options:
- Have users agree to a company terms and conditions that hold them responsible if they choose to go out of compliance. Have administrators monitor unmanaged devices.
- Manage application access and security by using application timers. Decreased time-out values increase security, but might affect user experience.
- A second XenMobile environment with MDM enrollment required is an option. When considering this option, keep in mind the additional overhead of managing two environments and the additional resources required.
When MDM enrollment is required
Advantages:
- Ability to restrict access to MAM resources only to MDM-managed devices.
- MDM policies and actions can apply to all devices in the environment as desired.
- Users are not able to opt out of enrolling their device.
Disadvantages:
- Requires all users to enroll with MDM.
- Might decrease adoption for users who object to corporate management of their personal devices.
Mitigation options:
- Educate users about what XenMobile actually manages on their devices and what information administrators can access.
- You can use a second XenMobile environment, with a Server Mode of MAM (also called MAM-only mode), for devices that don’t need MDM management. When considering this option, keep in mind the additional overhead of managing two environments and the additional resources required.
About MAM and Legacy MAM Modes
XenMobile 10.3.5 introduced a new MAM-only server mode. To distinguish the prior and new MAM modes, the documentation uses these terms. The new mode is called MAM-only or MA, the prior MAM mode is called legacy MAM mode.
MAM-only mode is in effect when the Server Mode property of XenMobile is MAM. Devices register in MAM mode.
Legacy MAM functionality is in effect when the Server Mode property of XenMobile is ENT and users choose to opt out of device management. In that case, devices register in MAM mode. Users who opt out of MDM management continue to receive the legacy MAM functionality.
Note:
Previously, setting the Server Mode property to MAM had the same effect as setting it to ENT: Users who opted out of MDM management received the legacy MAM functionality.
The following table summarizes the Server Mode setting to use for a particular license type and desired device mode:
Your licenses are for this edition | You want devices to register in this mode | Set the Server Mode property to |
Enterprise/ Advanced/MDM | MDM mode | MDM |
Enterprise/Advanced | MAM mode (also called MAM-only mode) | MAM |
Enterprise/Advanced | MDM+MAM mode | ENT (Users who opt out of device management operate under the legacy MAM mode.) |
MAM-only mode supports the following features that were previously available only for ENT.
- Certificate-based authentication: MAM-only mode supports certificate-based authentication. Users experience continued access to their apps even when their Active Directory password expires. If you use certificate-based authentication for MAM devices, you must configure your Citrix Gateway. By default, in XenMobile Settings > Citrix Gateway, Deliver the user certificate for authentication is set to Off, meaning that user name and password authentication is used. Change that setting to On to enable certificate authentication.
- Self Help Portal: To enable users to do their own app lock and app wipe. Those actions apply to all apps on the device. You can configure the App Lock and App Wipe actions in Configure > Actions.
- All enrollment security modes: Including High Security, Invitation URL, and Two Factor, configured through Manage > Enrollment Invitations.
- Device registration limit for Android and iOS devices: The Server Property Number of Devices Per User has moved to Configure > Enrollment Profiles and now applies to all server modes.
- MAM-only APIs: For MAM-only devices, you can call REST services by using any REST client and the XenMobile REST API to call services that the XenMobile console exposes.
- The MAM-only APIs enable you to:
- Send an invitation URL and a one-time PIN.
- Issue app lock and wipe on devices.
The following table summarizes the differences between the legacy MAM and MAM-only functionality.
Enrollment Scenarios and Other Features | Legacy MAM (server mode is ENT) | MAM-only mode (server mode is MAM) |
Certificate authentication | Not supported. | Supported. For certificate authentication, Citrix Gateway is required. |
Deployment requirement | XenMobile Server does not need to be directly accessible from devices. | XenMobile Server does not need to be directly accessible from devices. |
Enrollment option | Use the Citrix Gateway FQDN or, when using MDM FQDN, opt not to enroll. | Use XenMobile Server FQDN. |
Enrollment methods* | User name + Password | User name + Password, High Security, Invitation URL, Invitation URL+PIN, Invitation URL + Password, Two Factor, User name + PIN |
App lock and wipe | Supported. | Supported. |
Self-Help Portal options for app lock and wipe | Not supported. | Supported. |
App wipe behavior | Apps remain on the device but are not usable. XenMobile deletes the account on the client only. | Apps remain on the device but are not usable. XenMobile deletes the account on the client only. |
Automated actions for MAM-only users. | Event, device property, user property actions are supported. Doesn’t support installed app-based automated actions. | Supports event, device property, user property, and some app-based actions, including app wipe and app lock. |
Built-in action when an Active Directory user is deleted | Supports app wipe. | Supports app wipe. |
Enrollment limit | Supported; configured through an enrollment profile. | Supported; configured through an enrollment profile. |
Software inventory | Supported. XenMobile lists apps installed on a device | Not supported. |
*Regarding notifications: SMTP is the only supported method for sending enrollment invitations.
Important:
For MAM-only mode, previously enrolled users must re-enroll their devices. Be sure to provide users with the XenMobile Server FQDN they need for enrollment. In MAM-only mode, like the ENT mode, devices enroll using the XenMobile Server FQDN. (In the legacy MAM mode, devices enroll using the Citrix Gateway FQDN.)