XenMobile Security Overview - Citrix


White Paper
Citrix Endpoint Management Security Overview
Understanding the technology used by CEM to deliver comprehensive, end-to-end security.
Citrix.com

Table of contents
Introduction
Citrix Endpoint Management Service
Endpoint management security details
How is my data protected at rest?
How is my data protected in transit?
Operational security features
MDM enrollment
Post enrollment (Day-to-day connectivity)
Summary

Citrix Endpoint Management Security Overview
Understanding the technology used by CEM to deliver comprehensive, end-to-end security.

Mobility initiatives are a top priority for I.T. organizations. More employees than ever are demanding access to applications and data that help them achieve maximum productivity outside the office. But satisfying mobility requirements is becoming more challenging as employee expectations continue to rise. Today, employees want access to all their apps from any mobile device, including their own devices. Modern mobile apps have expanded beyond conventional tools and use cases, such as mobile email. They now include Windows, web, and native mobile apps, delivered both from the cloud and from the company datacenter. These apps are also being distributed broadly across different locations and mobile endpoints.

Allowing users to access all their apps and data from untrusted devices and unpredictable locations raises security concerns for I.T. The Citrix Secure Digital Workspace offers the most complete and integrated solution to enable people to access their apps, desktops and data securely from anywhere. And only a Citrix Workspace provides you a comprehensive choice of devices, cloud, and network, streamlined for I.T. control and simple, secure access for users. Endpoint Management is the cornerstone of mobility management in the Citrix Secure Digital Workspace. This white paper will help mobile technologists understand critical mobility requirements concerning security. It also explains the technology used by Endpoint Management to deliver comprehensive, end-to-end mobile protection.

[Figure: Citrix secure digital workspace solutions. Labels: Network, Delivery Controllers, Apps & Data, Resource Location, Desktops, XenDesktop, Windows Apps, Citrix Apps, Citrix Gateway, On-Premises, Secure Browser, Hybrid Cloud, StoreFront, SaaS & Web Apps, CEM, Mobile Apps, Citrix Files, Cloud (Public or Private), Data, Service Management, Monitoring, Analytics, Automation, Provisioning.]

The evolution of mobile management

Enterprises initially turned to Mobile Device Management (MDM) solutions to manage their devices. MDM not only centralized device management, but it also gave I.T. the ability to perform remote configurations and updates, and efficiently deliver applications and data to mobile endpoints. MDM helped I.T. organizations overcome early bring-your-own-device (BYOD) challenges, such as onboarding and large-scale management.

Mobile Application Management (MAM) emerged soon after MDM and focused on securing and managing applications as individual components. MAM offers a similar set of policies and user experience management as MDM, but at the application level rather than the device level. Since then, MAM has expanded to encompass app-level control of secured Micro VPN, inter-container communication, and secure containers.

MAM has also gained in popularity as a standalone (MAM-only) alternative to MDM for enterprises that want to roll out Bring Your Own Device (BYOD) policies. Employees are becoming increasingly resistant to enrolling in corporate MDM environments because of user privacy concerns and the risk of their personal information being lost to an accidental or deliberate wipe by I.T.

Unified Endpoint Management (UEM) has recently emerged as an approach to securing and controlling desktop computers, laptops, smartphones, and tablets in a connected, cohesive manner from a single console. Unified endpoint management typically relies on the mobile device management (MDM) application program interfaces (APIs) in desktop and mobile operating systems.

Of course, an EMM/UEM solution alone is not enough to ensure the success of mobile initiatives. I.T. organizations still need the right network infrastructure in place to ensure that applications and data are delivered securely across different devices, while also addressing performance, management, and scale requirements. This includes protecting data on-premises, in transit, and on mobile devices.

Standard network infrastructure components and management tools used for mobile initiatives include:
- Firewalls
- Enterprise Proxies
- VPNs
- Wi-Fi networks
- Application management/push technology
- Monitoring products
- Intrusion Detection System
- Workflow automation
- Policy management

An EMM/UEM solution also benefits from the evaluation of business needs, user needs, and work/life considerations. Many organizations are using their mobile initiatives to re-think the way they provide all I.T. services to end-users. They are now implementing public/private clouds, application/desktop virtualization, application layer firewalls/network gateways, Security Assertion Markup Language (SAML), and certificate services to assist and secure service delivery.

The Enterprise Mobility Management (EMM)/Unified Endpoint Management (UEM) functionality of the Citrix Secure Digital Workspace is a crucial component of a reasonable General Data Protection Regulation (GDPR) compliance program:

- Citrix Workspace allows enterprises to establish a clear boundary between personal and business data on the device. I.T. doesn't have access or visibility to personal content on the device, such as personal email or photos. Personal data is critical to the data minimization principle as well as the integrity and confidentiality principle of GDPR.
- Citrix Workspace gives I.T. visibility into which devices and apps are accessing business services. In the case of a data breach, the I.T. administrator can navigate through audit logging to identify what actions took place leading up to the compromise and what, if any, actions I.T. took as a result. Audit logging provides a clear record of any unauthorized access to business services and supports the GDPR principle of integrity and confidentiality, as well as that of accountability. Citrix's solution enables I.T. to:
  - Manage inventory – identify authorized and unauthorized devices and apps
  - Allow applications – establish a subset of applications that are authorized to run on a device and access business services
  - Protect access – allow only authorized users, devices, and apps to access business services, whether on-premises or in the cloud
  - Provide audit logging – monitor administrative actions and business data flows
- Citrix Workspace allows the I.T. administrator to protect the device from security threats, which is vital for the principle of integrity and confidentiality, as well as that of accountability. Citrix's solution enables the I.T. administrator to enforce compliance:
  - Apply appropriate security configurations and policies to the devices and applications
  - Actively monitor the security compliance of the endpoint and applications, including attacks on the integrity of the operating system to jailbreak or root the device
  - Take remediation actions via automated actions if the device or application is out of compliance

Citrix mobility solution: Endpoint Management

Citrix Endpoint Management (CEM) provides comprehensive, end-to-end security, and delivers the full breadth of UEM capabilities along with an engaging user experience.

CEM leverages the enterprise-proven knowledge and technologies of Citrix and the platforms to provide a complete, integrated, and scalable solution for delivering apps and data to any device while maintaining security and a high-performance end-user experience from any location.

In the sections that follow, we will discuss critical components that enable security without compromising the user experience.

Citrix Endpoint Management Service

The CEM Service is the central hub for managing devices in Citrix Cloud. Citrix offers a single console for management of devices, apps, and data.

Mobile Device Management (MDM)

MDM allows you to manage mobile devices, set mobile policies and compliance rules, and gain visibility into the mobile network. It also provides control over mobile apps and data and shields your internal network from mobile threats. With a "one click" dashboard, simple administrative console, and real-time integration with Microsoft Active Directory and other enterprise infrastructure such as public key infrastructure (PKI), Endpoint Management simplifies the management of mobile devices. CEM can be used to manage Android, iOS/iPadOS, macOS, Windows 10, Chromebooks, and other devices like Workspace Hub.

Mobile Application Management (MAM)

Citrix Endpoint Management provides the industry's most comprehensive set of MAM capabilities to secure information at the application level. CEM MAM capabilities allow you to protect enterprise apps and data with policy-based controls, such as restricting access to authorized users, automatic account deprovisioning for terminated employees, and remote wipe for data and apps stored on lost devices.

CEM takes advantage of platform security capabilities to provide a secure BYO experience to users. Google's Android Enterprise Work Profiles is an excellent example of leveraging the platform to create a separation of work and personal data on the device and only allow management of the work profile to the organization.

With CEM MAM, you can provide the following benefits for each application type:
- Centralized user account creation and management for applications
- A unified enterprise app store to enable the publishing and distribution of Android-, iOS-, and Windows Phone-based applications for authorized users to download and install on mobile devices
- Access to virtual Windows applications and desktops with seamless SSO (no redundant prompts for credentials)
- Centralized policy controls to secure applications and data, with easy removal of user accounts, erase and lock of Citrix-delivered applications and data, and consolidated auditing and reporting of application access.

Endpoint Management MAM also includes the Citrix MDX app container technology:
- Mobile applications can have their network access controls managed by the solution to ensure network connections are routed appropriately through secure SSL channels (MicroVPN) based on application, domain name, etc.
- Isolation from other user-owned apps on mobile devices is also available. Each application may receive its own dedicated SSL encrypted tunnel that can only be leveraged by that application.
- Applications inherit all MDX security features, including SSO, secure inter-app communication, information/data containment, and restrictions based on device states.

Endpoint management security details

Application authentication controls

Each application under management retrieves its policy check-in times from the Secure Hub application. The applications will then verify timers across each application/resource on the device.

When a user is successfully authenticated, an application-specific key is generated with an associated expiration time applied. This key further encrypts and protects access to any user-based certificate delivered to the MDX framework. This key is validated and stored in memory to encrypt/decrypt data for that specific application in the secure vault. When the key expires, the app will obtain a new key based on current authentication status and policy.

FIPS 140-2 compliance (Available on-premises only)

The Federal Information Processing Standard (FIPS), issued by the U.S. National Institute of Standards and Technology (NIST), specifies the security requirements for cryptographic modules used in security systems. FIPS 140-2 is the second version of this standard.

Endpoint Management release v10 has achieved broad end-to-end FIPS 140-2 compliance. Data-at-rest and in-transit cryptographic operations use FIPS-certified cryptographic modules.

[Figure: Endpoint Management MDX overview. Labels: Encryption/Decryption Key Retrieval, MDX Policy, User Authentication, MDX App, MDX Policy Retrieval, CEM Infrastructure, Network, Read/Write, Secure Hub, Copy/Paste, Clipboard, Mobile OS, Micro VPN, Citrix Mobile Services.]

Device data at rest, at a glance:

Platform   Location           Strength   Key Locations
iOS        MDX Applications   AES-256    Citrix Secure Vault
Android    MDX Applications   AES-256    Citrix Secure Vault
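The key lifecycle described under Application authentication controls, as an added example that is not Citrix's code: an application-specific key with a policy-supplied expiry wraps a vault item (such as the user certificate) with AES-256-GCM, and is refused for both wrapping and unwrapping once the expiry passes, so the app must obtain a new key before it can touch the item again. IssueAppKey, Seal and Open are assumed names, the 15-minute window and the vault item are constructed, and nothing here mirrors the real CEM or MDX API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// ErrKeyExpired: the app must obtain a fresh key (re-auth under policy) first.
var ErrKeyExpired = errors.New("application key expired: re-authentication required")

// AppKey is the application-specific key issued at a successful authentication.
type AppKey struct {
	key    []byte    // held only in memory, never persisted
	expiry time.Time // policy check-in window; key is refused at or after this
}

// IssueAppKey models key generation at authentication time; lifetime is the
// policy-supplied validity window (an assumed input, not a CEM API).
func IssueAppKey(now time.Time, lifetime time.Duration) (*AppKey, error) {
	k := make([]byte, 32) // AES-256, matching the data-at-rest table above
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &AppKey{key: k, expiry: now.Add(lifetime)}, nil
}

// aead builds the cipher only while the key is valid, so Seal and Open both
// fail closed once the policy window has passed.
func (k *AppKey) aead(now time.Time) (cipher.AEAD, error) {
	if !now.Before(k.expiry) {
		return nil, ErrKeyExpired
	}
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal wraps a vault item (e.g. the user's PKCS#12 blob); the random nonce is
// prepended so Open can recover it.
func (k *AppKey) Seal(now time.Time, item []byte) ([]byte, error) {
	g, err := k.aead(now)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, item, nil), nil
}

// Open unwraps a vault item. An expired key is refused even though its bytes
// are still in memory (forcing re-keying); GCM also rejects a modified item.
func (k *AppKey) Open(now time.Time, sealed []byte) ([]byte, error) {
	g, err := k.aead(now)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed item too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
```

A caller that receives ErrKeyExpired should not retry with the cached key; it re-authenticates, receives a fresh AppKey, and re-seals the item under it.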

How is my data protected at rest?

Most employees today do their best to protect company interests. But the stress of work and the need for productivity can drive employees to make bad decisions. This situation often arises in the form of users leveraging applications and cloud storage systems that are not under company control, or copying/pasting sensitive content to unprotected email systems. These applications make the mobile end user experience more productive, but raise the risk of losing control of the data. At the opposite end of the spectrum are malicious users who may be attempting to steal company assets. Regardless of the motive, I.T. needs tools to protect company property.

Considerations:
- Control copy/paste: MDX can prevent copy/paste or only allow it to happen across company-wrapped applications, resulting in a separation of company/private data.
- Restrict open-in: Controls are available so that opening documents can only occur within company-wrapped applications. When an employee receives an email with an attachment, all personal apps on the device with the ability to open the document will be made unavailable. Only company-approved apps will be able to perform this function. Links to web sites can also be set to open only within a secure browser. (Administrators can set specific exceptions to this policy when needed, such as for Office 365 mobile applications.)

Data containment is outlined below in a functional diagram:

[Figure: Data containment. Labels: MDX App 1, MDX App 2, Open-in, MDX Policies, Interception Layer, Mobile OS.]

On iOS platforms, Endpoint Management leverages strong platform-specific FIPS-validated cryptographic services and libraries such as keychain. OpenSSL is also well known for providing FIPS-validated modules for a variety of platforms, further securing data in motion as well as certificates needed to manage and enroll devices. CEM uses our proprietary secure vault for storing sensitive data in the keychain and leverages the platform device encryption for everything else. There are MAM controls at the app level that check for compliance by validating that device encryption is enabled at every app launch. These MAM controls are a part of the Encryption Management feature.

Secure vault

Secure Vault is a strong encryption layer that is used by Secure Hub and other Citrix MDX/MAM SDK enabled applications to persist their sensitive data, such as passwords and encryption keys, on the device.

CEM stores sensitive data in the secure vault of platform-native stores such as the iOS keychain. The data persisted in the secure vault includes the Active Directory username/password, PKCS#12 (certificate/private-key) and its protection password, key material, pasteboard encryption key, SAML token, STA ticket, and Citrix PIN history.

Platform security

Apple and Google both provide a comprehensive security architecture that has improved greatly with each version release. iOS and Android both provide certified FIPS 140-2 data protection and use a hardware-based secure enclave for encrypting all files written to disk. Encryption keys are always stored in the secure enclave, and keys never leave the enclave.

Both platforms also provide app sandboxes that prevent other applications from gaining access to the app data. If applications follow the best practice guidelines and save data only to the app sandbox, there is no way to access that data from other 3rd party rogue applications.

iOS provides an MDM policy for supervised devices to enforce USB restricted mode. Enforcing USB restricted mode does not allow devices to be plugged into debuggers for access.

For more information about device encryption, refer to Apple's and Google's security guides.

Android Enterprise

Android Enterprise is the modern management platform with built-in security that protects the device at different layers:

Hardware-backed security: Includes features like Verified Boot, Trusted Execution Environment (TEE), Keystore, and tamper-resistant hardware support. Verified Boot verifies the system software before running it: each boot stage is cryptographically signed, and every phase of the boot process verifies the integrity of the next phase before executing code. TEE makes sure that untrusted code is separated from the most security-critical tasks like lock screen, biometrics, DRM, etc.

O.S. level security: Includes features that maintain device integrity, protecting the device from running a tampered or compromised operating system. One key feature here is app sandboxing: Android runs all apps in a sandbox, preventing malicious apps from impacting other apps or system components. By default, apps cannot interact with each other and have limited access to the O.S.

User and data privacy: Starting with Android 9 and continuing in 10 and 11, the O.S. has added many features to protect end-user privacy, such as limiting background access to device sensors and restricting the information gathered from Wi-Fi scans.

Application Security

SafetyNet Attestation is a set of anti-abuse APIs that Secure Hub leverages to assess the integrity of the device. This information can then be used to set up device compliance checks to protect corporate data.

The SafetyNet Verify Apps API allows Secure Hub to interact programmatically with Google Play to check if there are known potentially harmful apps installed on the device.

Managed Google Play: The content marketplace for Android Enterprise allows users to browse public and private apps approved by the organization and enables the admin to pick and choose the apps that will be available to the end-user in the work environment.

Data protection (Encryption)

Starting with Android 6, encryption is mandatory on all devices; there are two forms of encryption:

File-based: Storage areas are encrypted with different keys, available since Android 7. There are two kinds of storage locations for apps:
- Device Encrypted (D.E.) storage: Available once the device boots and before the user enters the credentials. Protected by a hardware secret and software running in the Trusted Execution Environment.
- Credentials Encrypte

