Daniel Künzli: CloudGateway.next
TRANSCRIPT
Daniel Künzli
Senior Systems Engineer Networking & Cloud
Citrix CloudGateway.next: Enterprise Mobility Management
WE BELIEVE…
• End users will win the battle of choice
• BYO will fundamentally transform IT
• Mobile = Heterogeneity
• Managing heterogeneity will create huge value
Enterprise mobility is rapidly changing
(chart: corporate devices vs. BYO devices, 2000 to 2012)
Customer Needs
(stages: Manage Email, Manage Devices, Manage BYO)
• Basic set of secure apps
• App distribution & management
• Centralized policy control
• Service Level Management
• Support for any device - BYOD
CloudGateway Architecture
(diagram: Citrix Receiver; NetScaler/Access Gateway; StoreFront; Citrix CloudGateway with AppController, FMD and ShareFile; back-end resources: SaaS, Web, XenDesktop/XenApp, Mobile)
#CitrixSynergy #SYN203
Elements of the Solution
• Common MDX architecture (iOS and Android)
• User & device enrollment
• SSO with AD integration
• App delivery and management
• App specific VPN
• Information containment
• Core mobile apps
MDX Mission
Permit IT control of enterprise assets on unmanaged mobile devices
Enterprise assets:
1. Enterprise applications
2. Enterprise data
3. Enterprise network access

Overview of MDX Architecture
(diagram: managed applications, each with its own MDX Framework and app private data vault; a shared data vault; authentication, entitlements & policies and secure IPC between apps; a secure network tunnel to gateway services)
• Managed applications
• Encrypted data with enterprise key management
• MDX Framework provided by either:
1. Wrapping toolset
2. Directly compiled SDK
Mobile Vault Architecture – API interception
(diagram: the mobile app's network, file and clipboard calls pass through policy-aware interception functions before reaching the mobile OS; Citrix mobile services provide the micro-VPN, encrypted storage and encrypted clipboard behind them)
App Wrapping (iOS):
• API interception techniques
ᵒ Direct modification of app binary (replace symbol references)
ᵒ Runtime hook injection for system calls & native libraries
ᵒ Objective-C categories with method swizzling
• MDX Framework code injected via dynamic library
SDK:
• Symbols redirected at compile time
• Access to native services reduces need for hooks/swizzling
• MDX Framework statically linked
User account discovery
Streamlined first time use experience
• Get Receiver from the app store
• Find your Receiver account details
ᵒ Service record delivery by email or web
ᵒ Recommended approach: Receiver account auto-discovery
• Receiver account auto-discovery
ᵒ User provides email address
ᵒ Receiver uses well known DNS names in the corporate domain to locate StoreFront
ᵒ Similar to the process used to auto-discover Exchange servers
Device registration
First time logon: lightweight mobile device registration
• Receiver silently registers the device with CloudGateway
ᵒ Receiver provides a device unique token and selected device information
ᵒ CloudGateway issues a unique device ID to Receiver
• CloudGateway links device IDs/tokens to users
ᵒ Admins can view all devices registered to users
ᵒ Devices can be locked or marked for app data wipe
ᵒ Receiver and MDX apps poll CloudGateway for the current lock/wipe status
• Gateway must be reachable, but no logon needed
Device and app authentication
• Receiver registers and tracks devices to users
ᵒ Permits lock and wipe of corporate data/apps on selected devices
• Receiver also serves as access manager for MDX managed applications
ᵒ Strongly identifies applications
ᵒ Determines app entitlements and policies
ᵒ Brokers permitted data exchanges between managed apps
• MDX applications can parlay their Receiver auth context into other credentials for single sign-on
ᵒ NTLM challenge/response (or the real AD domain, username, & password)
ᵒ User and device certificates
ᵒ Specialty tokens like the ShareFile SAML token
ᵒ Eventually Kerberos, OAuth/OpenID, etc.
Single sign-on
• Receiver and CloudGateway directly provide SSO for
ᵒ Hosted applications (ICA/HDX)
ᵒ Web/SaaS applications
• MDX applications can parlay their Receiver authentication context into other credentials and access rights
ᵒ Gateway tickets for micro-VPN access
ᵒ NTLM challenge/response (or even the real AD domain, username, & password)
ᵒ User and device certificates
ᵒ Specialty tokens like the ShareFile SAML token
ᵒ Eventually credentials for other auth systems… Kerberos tokens, OAuth/OpenID, etc.
• 100+ connectors built-in
• SAML and Form-Fill compatibility
• Provisioning for popular SaaS services
• Tie all apps to AD
• Enforce policies
• Single click de-provisioning
• End user self-service
End user experience
Micro-VPN
• Policy controlled per-application tunneling technology
• Relies on Citrix Receiver for authentication and SSO
• Network access policy choices:
ᵒ Blocked: application network APIs are blocked and fail as if the network is not available
ᵒ Unconstrained: application network APIs work normally
ᵒ Tunneled: application network APIs are tunneled through CloudGateway to the enterprise intranet
• Full power of Access Gateway Enterprise 9.x and 10.x to configure VPN behavior
ᵒ Split-tunnel based on IP address ranges or domain suffix, or route all traffic back into the enterprise intranet
ᵒ Powerful rules engine for constraining access for external applications
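The three network access policy choices and the split-tunnel rule above, as an added Python model (not Citrix code; the policy fields, CIDR ranges and domain suffixes are constructed for illustration). It shows what the per-app interception layer decides for each destination: fail the API, go direct, or send the request through the tunnel.

```python
import ipaddress
from dataclasses import dataclass, field

# The three network access policy choices from the slide.
BLOCKED, UNCONSTRAINED, TUNNELED = "blocked", "unconstrained", "tunneled"


@dataclass
class MicroVpnPolicy:
    """Per-application network policy (a model, not the real MDX policy schema)."""
    mode: str = TUNNELED
    split_tunnel: bool = False        # False: route all traffic back into the intranet
    intranet_ranges: list = field(default_factory=list)    # CIDR strings, e.g. "10.0.0.0/8"
    intranet_suffixes: list = field(default_factory=list)  # domain suffixes, e.g. "corp.example.com"


def is_intranet_destination(policy: MicroVpnPolicy, host: str) -> bool:
    """Split-tunnel match: destination is an IP inside a configured range,
    or a hostname equal to / ending in a configured domain suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so treat it as a hostname
        name = host.lower().rstrip(".")
        return any(name == s.lower().strip(".") or name.endswith("." + s.lower().strip("."))
                   for s in policy.intranet_suffixes)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in policy.intranet_ranges)


def route_for(policy: MicroVpnPolicy, host: str) -> str:
    """What the interception layer does with a connection the app opens to `host`:
    "fail"   - the network API fails as if no network were available (Blocked)
    "direct" - the API works normally, straight to the internet (Unconstrained)
    "tunnel" - the request goes through CloudGateway into the intranet (Tunneled)"""
    if policy.mode == BLOCKED:
        return "fail"
    if policy.mode == UNCONSTRAINED:
        return "direct"
    if policy.mode != TUNNELED:
        raise ValueError(f"unknown policy mode {policy.mode!r}")
    if not policy.split_tunnel:
        return "tunnel"  # route all traffic back into the enterprise intranet
    return "tunnel" if is_intranet_destination(policy, host) else "direct"


if __name__ == "__main__":
    # Constructed sample policy: tunnel only intranet destinations, everything else goes direct.
    policy = MicroVpnPolicy(mode=TUNNELED, split_tunnel=True,
                            intranet_ranges=["10.0.0.0/8"], intranet_suffixes=["corp.example.com"])
    for dest in ["10.1.2.3", "intranet.corp.example.com", "www.example.org", "203.0.113.5"]:
        print(f"{dest:28} -> {route_for(policy, dest)}")
```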
Micro-VPN Architecture (iOS)
(diagram: inside the mobile app, networking logic using NSURLRequest, ASIHTTPRequest, CFNetwork and BSD sockets; the MDX Framework's network interception functions redirect network requests to a localhost listener and supply proxy info, with direct calls for domain resolution, etc.; a tunneler library with SOCKS, UDP and TCP proxies; session ticket auth and an encrypted tunnel to servers on the corporate intranet)
Only with NetScaler or Access Gateway Enterprise.

Citrix Access Gateway™ and Citrix NetScaler™
Providing secure remote access to Windows apps, desktops, and enterprise web
• Adaptive Policy Control
• Best Performance & Flexible Deployment
• HDX SmartAccess
• MDX Micro VPN
What happens in MDX apps stays in MDX apps…
• Many ways for information to escape from a managed app
ᵒ MDX framework slams the door on these escapes
• Data exchange with other apps
ᵒ Copy/Paste
ᵒ Document exchange (Open-In)
ᵒ Network APIs
ᵒ Printing, iCloud, email, SMS, etc.
• Restrict access to sensitive device hardware
ᵒ Camera, microphone, location services, screen shots, etc.
• All controls are applied at run-time based on current app policies
Containing Data Exchange
• Blocking copy/paste and other types of data exchange is easy
ᵒ Gives a poor user experience
• Constraining data exchange to managed apps yields a far better experience
• By default, the MDX framework seeks to constrain many operations to managed apps only:
ᵒ Copy/paste
ᵒ Document exchange (Open-In)
ᵒ Inter-app dispatch (URL schemes, Intents)
• Administrator can place apps into named security groups
ᵒ If not configured, the default is all managed apps
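An added Python model (not Citrix code) of the policy-aware interception functions from the API interception slide applied to the containment rules above: copy/paste goes to a contained clipboard that only managed apps in the same security group can read, Open-In and URL-scheme dispatch use the same rule, and an unmanaged app sees only the empty OS pasteboard. The app ids, group names and the `ContainmentPolicy` class are constructed for illustration; the real encrypted clipboard and vault crypto are not reproduced.

```python
DEFAULT_GROUP = "all-managed-apps"  # slide: if no group is configured, default is all managed apps


class ContainmentPolicy:
    """Models MDX-style interception of copy/paste, Open-In and URL-scheme dispatch.
    Apps not registered here are unmanaged and only ever see the OS pasteboard."""

    def __init__(self):
        self._group = {}             # app id -> named security group (managed apps only)
        self._vault = {}             # security group -> contained clipboard contents
        self.system_pasteboard = ""  # what the OS pasteboard holds, readable by any app

    def register(self, app_id, security_group=None):
        """Enrol an MDX-managed app, optionally into an admin-defined security group."""
        self._group[app_id] = security_group or DEFAULT_GROUP

    def is_managed(self, app_id):
        return app_id in self._group

    def exchange_permitted(self, src, dst):
        """One rule for every data-exchange path: both apps managed, same security group."""
        return (self.is_managed(src) and self.is_managed(dst)
                and self._group[src] == self._group[dst])

    def copy(self, app_id, text):
        """Intercepted clipboard write."""
        if not self.is_managed(app_id):
            self.system_pasteboard = text         # unmanaged app: normal OS behaviour
            return
        self._vault[self._group[app_id]] = text  # managed app: contained clipboard
        self.system_pasteboard = ""              # nothing readable reaches the OS pasteboard

    def paste(self, app_id):
        """Intercepted clipboard read: managed apps read only their own group's clipboard."""
        if not self.is_managed(app_id):
            return self.system_pasteboard
        return self._vault.get(self._group[app_id], "")

    def open_in(self, src, dst, document):
        """Intercepted Open-In / URL-scheme dispatch: hand over the document only if permitted."""
        return document if self.exchange_permitted(src, dst) else None


if __name__ == "__main__":
    # Constructed sample: two apps in the default group, one in a separate "finance" group.
    p = ContainmentPolicy()
    p.register("com.example.mail")
    p.register("com.example.docs")
    p.register("com.example.finance", "finance")
    p.copy("com.example.mail", "Q3 numbers")
    print("docs sees:", repr(p.paste("com.example.docs")))        # 'Q3 numbers'
    print("finance sees:", repr(p.paste("com.example.finance")))  # ''
    print("unmanaged sees:", repr(p.paste("com.vendor.notes")))   # ''
```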
Encryption of persistent app data
• Mobile platforms secure persistent data in application sandboxes
ᵒ These protections are trivially defeated by jail-breaking or rooting the device
• Most mobile platforms can encrypt persistent data… but there are limits
ᵒ Encryption keys are held persistently on the device
ᵒ Keys are often protected by a cryptographically weak PIN or passcode
ᵒ No means to revoke access if the device is not recovered
• Better solution: encrypted file vaults with keys managed by the enterprise
Mobile Apps Suite
(diagram: Browser, Documents, Enterprise Apps, Citrix Me@Work, ISV Apps)
Citrix Receiver and CloudGateway deliver enterprise mobility today
• Mobile container for apps, browser, data, and email
• Native iOS, Android, and HTML5 apps wrapped with policy
• Secure network access from app through Receiver to CloudGateway
• Remote wipe/lock
(diagram: Mobile Container, Mobile App Wrapping, Secure Browser, Contained Data, Single Sign-On, Mobile Optimized, Secure Mail)
Work better. Live better.