XenMobile Server

Architecture

The device and app management requirements of your organization determine the XenMobile components in your XenMobile architecture. The components of XenMobile are modular and build on each other. For example, your deployment includes Citrix Gateway:

  • Citrix Gateway gives users remote access to mobile apps and tracks user device types.
  • XenMobile is where you manage those apps and devices.

Deploying XenMobile components: You can deploy XenMobile to enable users to connect to resources in your internal network in the following ways:

  • Connections to the internal network. If your users are remote, they can connect by using a VPN or micro VPN connection through Citrix Gateway. That connection provides access to apps and desktops in the internal network.
  • Device enrollment. Users can enroll mobile devices in XenMobile so you can manage the devices in the XenMobile console that connect to network resources.
  • Web, SaaS, and mobile apps. Users can access their web, SaaS, and mobile apps from XenMobile through Secure Hub.
  • Windows-based apps and virtual desktops. Users can connect with Citrix Receiver or a web browser to access Windows-based apps and virtual desktops from StoreFront or the Web Interface.

To achieve any of those capabilities for an on-premises XenMobile Server, Citrix recommends deploying XenMobile components in the following order:

  • Citrix Gateway. You can configure settings in Citrix Gateway to enable communication with XenMobile, StoreFront, or the Web Interface by using the Quick Configuration wizard. Before using the Quick Configuration wizard in Citrix Gateway, you must install one of the following components to set up communications: XenMobile, StoreFront, or the Web Interface.
  • XenMobile. After you install XenMobile, you can configure policies and settings in the XenMobile console that allow users to enroll their mobile devices. You can also configure mobile, web, and SaaS apps. Mobile apps can include apps from the Apple App Store or Google Play. Users can also connect to mobile apps you wrap with the MDX Toolkit and upload to the console.
  • MAM SDK or MDX Toolkit. The MDX wrapping technology is scheduled to reach end of life (EOL) in July 2023. To continue managing your enterprise applications, you must incorporate the MAM SDK.

    The Mobile Application Management (MAM) SDK provides MDX functionality that isn’t covered by the iOS and Android platforms. You can MDX-enable and secure iOS or Android apps. You make those apps available in either an internal store or public app stores. See MDX App SDK.

  • StoreFront (optional). You can provide access to Windows-based apps and virtual desktops from StoreFront through connections with Receiver.
  • Citrix Files (optional). If you deploy Citrix Files, you can enable enterprise directory integration through XenMobile, which acts as a Security Assertion Markup Language (SAML) identity provider. For more information about configuring identity providers for ShareFile, see the ShareFile support site.

XenMobile provides device management and app management through the XenMobile console. This section describes the reference architecture for the XenMobile deployment.

In a production environment, Citrix recommends deploying the XenMobile solution in a cluster configuration for both scalability and server redundancy. Also, using the Citrix ADC SSL Offload capability can further reduce the load on the XenMobile Server and increase throughput. For more information about how to set up clustering for XenMobile by configuring two load-balancing virtual IP addresses on Citrix ADC, see Clustering.

For more information about configuring XenMobile for a disaster recovery deployment, see the Deployment Handbook Disaster Recovery article. That article includes an architecture diagram.

The following sections describe different reference architectures for the XenMobile deployment. For reference architecture diagrams, see the XenMobile Deployment Handbook articles, Reference Architecture for On-Premises Deployments and Architecture. For a complete list of ports, see Port requirements (on-premises) and Port requirements (cloud).

Mobile device management (MDM) mode

Important:

If you configure MDM mode and later change to ENT mode, be sure to use the same (Active Directory) authentication. XenMobile doesn’t support changing the authentication mode after user enrollment. For more information, see Upgrade from XenMobile MDM Edition to Enterprise Edition.

XenMobile MDM Edition provides mobile device management. For platform support, see Supported device operating systems. If you plan to use only the MDM features of XenMobile, you deploy XenMobile in MDM mode. For example, if you want to do the following.

  • Deploy device policies and apps.
  • Retrieve asset inventories.
  • Carry out actions on devices, such as a device wipe.

In the recommended model, the XenMobile Server is positioned in the DMZ with an optional Citrix ADC in front, which provides more protection for XenMobile.

Mobile app management (MAM) mode

MAM, also called MAM-only mode, provides mobile app management. For platform support, see Supported device operating systems. If you plan to use only the MAM features of XenMobile without having devices enroll for MDM, you deploy XenMobile in MAM mode. For example, if you want to do the following.

  • Secure apps and data on BYO mobile devices.
  • Deliver enterprise mobile apps.
  • Lock the apps and wipe their data.

The devices cannot be MDM enrolled.

In this deployment model, XenMobile Server is positioned with Citrix Gateway in front, which provides more protection for XenMobile.

MDM+MAM mode

Using MDM and MAM modes together provides mobile app and data management and mobile device management. For platform support, see Supported device operating systems. If you plan to use the MDM+MAM features of XenMobile, you deploy XenMobile in ENT (enterprise) mode. For example, if you want to:

  • Manage a corporate-issued device by using MDM
  • Deploy device policies and apps
  • Retrieve an asset inventory
  • Wipe devices
  • Deliver enterprise mobile apps
  • Lock apps and wipe the data on devices

In the recommended deployment model, the XenMobile Server is positioned in the DMZ with Citrix Gateway in front, which provides more protection for XenMobile.

XenMobile in the internal network: Another deployment option is to position an on-premises XenMobile Server in the internal network, rather than in the DMZ. This deployment is used if your security policy requires that only network appliances can be placed in the DMZ. In this deployment, the XenMobile Server is not in the DMZ. Therefore, there is no requirement to open ports on the internal firewall to allow access to SQL Server and PKI servers from the DMZ.

Architecture