Daniel künzli cloudgateway.next


  1. Citrix CloudGateway .next: Enterprise Mobility Management. Daniel Künzli, Senior Systems Engineer Networking & Cloud
  2. WE BELIEVE…
     • End users will win the battle of choice
     • BYO will fundamentally transform IT
     • Mobile = Heterogeneity
     • Managing heterogeneity will create huge value
  3. Enterprise mobility is rapidly changing (timeline graphic, 2000 to 2012: manage corporate devices, manage email, manage devices, manage BYO devices)
  4. Customer Needs
     • Basic set of secure apps
     • App distribution & management
     • Centralized policy control
     • Service Level Management
     • Support for any device - BYOD
  5. CloudGateway Architecture (diagram): Citrix Receiver connects through NetScaler / Access Gateway to Citrix CloudGateway (StoreFront and AppController), which brokers Mobile, Web and SaaS apps, XenDesktop/XenApp, ShareFile and FMD. #CitrixSynergy #SYN203
  6. Elements of the Solution
     • Common MDX architecture (iOS and Android)
     • User & device enrollment
     • SSO with AD integration
     • App delivery and management
     • App specific VPN
     • Information containment
     • Core mobile apps
  7. MDX Mission: permit IT control of enterprise assets on unmanaged mobile devices. Enterprise assets:
     1. Enterprise applications
     2. Enterprise data
     3. Enterprise network access
  8. Overview of MDX Architecture (diagram): each managed application embeds the MDX Framework and has an app private data vault; a shared data vault is common to the managed apps. The framework provides a secure network tunnel gateway, secure IPC services, authentication, and entitlements & policies. Data is encrypted with enterprise key management. The MDX Framework is provided by either:
     1. Wrapping toolset
     2. Directly compiled SDK
  9. Mobile Vault Architecture – API interception (diagram: mobile app and mobile OS only)
  10. Mobile Vault Architecture – API interception (diagram): the mobile app's network, file and clipboard calls pass through policy aware interception functions to the micro-VPN, encrypted storage and encrypted clipboard, and from there to the mobile OS and Citrix mobile services
  11. Mobile Vault Architecture – API interception. App Wrapping (iOS):
     • API interception techniques
       ᵒ Direct modification of app binary (replace symbol references)
       ᵒ Runtime hook injection for system calls & native libraries
       ᵒ Objective-C categories with method swizzling
     • MDX Framework code injected via dynamic library
     (same interception diagram as slide 10)
  12. Mobile Vault Architecture – API interception. App Wrapping (iOS) as on slide 11, plus SDK:
     • Symbols redirected at compile time
     • Access to native services reduces need for hooks/swizzling
     • MDX Framework statically linked
  13. Elements of the Solution (section divider; same list as slide 6)
  14. User account discovery: streamlined first time use experience
     • Get Receiver from the app store
     • Find your Receiver account details
       ᵒ Service record delivery by email or web
       ᵒ Recommended approach: Receiver account auto-discovery
     • Receiver account auto-discovery
       ᵒ User provides email address
       ᵒ Receiver uses well known DNS names in the corporate domain to locate StoreFront
       ᵒ Similar to the process used to auto-discover Exchange servers
  15. Device registration: first time logon is a lightweight mobile device registration
     • Receiver silently registers the device with CloudGateway
       ᵒ Receiver provides a device unique token and selected device information
     • CloudGateway issues a unique device ID to Receiver
     • CloudGateway links device ID/tokens to users
       ᵒ Admins can view all devices registered to users
       ᵒ Devices can be locked or marked for app data wipe
       ᵒ Receiver and MDX apps poll CloudGateway for the current lock/wipe status
         • Gateway must be reachable, but no logon needed
  16. Elements of the Solution (section divider; same list as slide 6)
  17. Device and app authentication
     • Receiver registers and tracks devices to users
       ᵒ Permits lock and wipe of corporate data/apps on selected devices
     • Receiver also serves as access manager for MDX managed applications
       ᵒ Strongly identifies applications
       ᵒ Determines app entitlements and policies
       ᵒ Brokers permitted data exchanges between managed apps
     • MDX applications can parlay their Receiver auth context into other credentials for single sign-on
       ᵒ NTLM challenge/response (or the real AD domain, username, & password)
       ᵒ User and device certificates
       ᵒ Specialty tokens like the ShareFile SAML token; eventually Kerberos, OAuth/OpenID, etc.
  18. Single sign-on
     • Receiver and CloudGateway directly provide SSO for
       ᵒ Hosted applications (ICA/HDX)
       ᵒ Web/SaaS applications
     • MDX applications can parlay their Receiver authentication context into other credentials and access rights
       ᵒ Gateway tickets for micro-VPN access
       ᵒ NTLM challenge/response (or even the real AD domain, username, & password)
       ᵒ User and device certificates
       ᵒ Specialty tokens like the ShareFile SAML token
       ᵒ Eventually credentials for other auth systems… Kerberos tokens, OAuth/OpenID, etc.
  19. Elements of the Solution (section divider; same list as slide 6)
  20.
     • 100+ connectors built-in
     • SAML and Form-Fill compatibility
     • Provisioning for popular SaaS services
  21.
     • Tie all apps to AD
     • Enforce policies
     • Single click de-provisioning
     • End user self-service
  22. End user experience
  23. Elements of the Solution (section divider; same list as slide 6)
  24. Micro-VPN
     • Policy controlled per-application tunneling technology
     • Relies on Citrix Receiver for authentication and SSO
     • Network access policy choices:
       ᵒ Blocked: application network APIs are blocked and fail as if the network is not available
       ᵒ Unconstrained: application network APIs work normally
       ᵒ Tunneled: application network APIs are tunneled through CloudGateway to the enterprise intranet
     • Full power of Access Gateway Enterprise 9.x and 10.x to configure VPN behavior
       ᵒ Split-tunnel based on IP address ranges or domain suffix, OR route all traffic back into the enterprise intranet
       ᵒ Powerful rules engine for constraining access for external applications
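The per-app network policy on slide 24 (Blocked / Unconstrained / Tunneled, with an optional split tunnel by IP range or domain suffix) can be written as a small routing decision. This is an added illustration, not Citrix code; the class, field and function names are this example's own, and the sample policy is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the three per-app network policies; the names here
# are this example's own, not the MDX framework's.
@dataclass
class MicroVpnPolicy:
    mode: str                       # "blocked", "unconstrained" or "tunneled"
    split_tunnel: bool = False      # False = route all traffic into the intranet
    intranet_ranges: list = field(default_factory=list)    # CIDR strings
    intranet_suffixes: list = field(default_factory=list)  # e.g. ".corp.example"

def route_request(policy, host, resolved_ip=None):
    """Return 'fail', 'direct' or 'tunnel' for one intercepted network call.

    'fail'   mirrors Blocked: the call errors as if the device were offline.
    'direct' goes to the OS stack unchanged (Unconstrained, or a split-tunnel
             request whose destination is outside the intranet).
    'tunnel' is redirected to the local proxy and the encrypted tunnel.
    """
    if policy.mode == "blocked":
        return "fail"
    if policy.mode == "unconstrained":
        return "direct"
    if policy.mode != "tunneled":
        raise ValueError(f"unknown policy mode {policy.mode!r}")
    if not policy.split_tunnel:
        return "tunnel"             # route-all: everything enters the intranet
    host = host.lower().rstrip(".")
    for suffix in policy.intranet_suffixes:
        s = suffix.lower().lstrip(".")
        # match on a label boundary so "evilcorp.example" != ".corp.example"
        if host == s or host.endswith("." + s):
            return "tunnel"
    if resolved_ip is not None:
        ip = ipaddress.ip_address(resolved_ip)
        for cidr in policy.intranet_ranges:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return "tunnel"
    return "direct"

# Constructed sample: split tunnel on one private range and one domain suffix.
SAMPLE_POLICY = MicroVpnPolicy(
    mode="tunneled", split_tunnel=True,
    intranet_ranges=["10.0.0.0/8"], intranet_suffixes=[".corp.example"],
)

if __name__ == "__main__":
    for h, ip in [("intranet.corp.example", "10.1.2.3"), ("www.example.com", "203.0.113.5")]:
        print(h, "->", route_request(SAMPLE_POLICY, h, ip))
```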
  25. Micro-VPN Architecture (iOS) (diagram): the mobile app's networking logic (NSURLRequest, CFNetwork, BSD Sockets, ASIHTTPRequest) is caught by the MDX Framework's network interception functions; network requests are redirected to a localhost listener (Socks, UDP and TCP proxies), while direct calls such as domain resolution go to the Tunneler library, which authenticates with a session ticket, obtains server/proxy info and carries the traffic over an encrypted tunnel to the server and the corporate intranet
  26. Only with NetScaler or Access Gateway Ent.
  27. Citrix Access Gateway™ and Citrix NetScaler™: providing secure remote access to Windows apps, desktops, and enterprise web
     • HDX SmartAccess
     • MDX Micro VPN
     • Adaptive Best Performance
     • Policy Control & Flexible Deployment
  28. Elements of the Solution (section divider; same list as slide 6)
  29. What happens in MDX apps stays in MDX apps…
     • Many ways for information to escape from a managed app
       ᵒ MDX framework slams the door on these escapes
     • Data exchange with other apps
       ᵒ Copy/Paste
       ᵒ Document exchange (Open-In)
       ᵒ Network APIs
       ᵒ Printing, iCloud, email, SMS, etc…
     • Restrict access to sensitive device hardware
       ᵒ Camera, microphone, location services, screen shots, etc.
     • All controls are applied at run-time based on current app policies
  30. Containing Data Exchange
     • Blocking copy/paste and other types of data exchange is easy
       ᵒ Gives a poor user experience
     • Constraining data exchange to managed apps yields a far better experience
     • By default, the MDX framework seeks to constrain many operations to managed apps only:
       ᵒ Copy/paste
       ᵒ Document exchange (Open-in)
       ᵒ Inter-app dispatch (URL Schemes, Intents)
     • Administrator can place apps into named security groups
       ᵒ If not configured, the default is all managed apps
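The containment rule on slide 30 (copy/paste, Open-In and inter-app dispatch limited to managed apps, optionally narrowed to named security groups, defaulting to "all managed apps") is the kind of check a broker like the one described on slide 17 would make. The code below is an added example, not Citrix's; the class, method names and sample app names are constructed for illustration.

```python
# Constructed model of MDX data-exchange containment; names are this
# example's own, not the framework's API.
CONSTRAINED_OPS = ("copy_paste", "open_in", "url_scheme", "intent")

class ExchangeBroker:
    def __init__(self, managed_apps, security_groups=None):
        self.managed = frozenset(managed_apps)
        # The admin may place apps into named security groups; with nothing
        # configured, the default group is simply all managed apps.
        self.groups = {name: frozenset(members)
                       for name, members in (security_groups or {}).items()}
        if not self.groups:
            self.groups = {"<all managed apps>": self.managed}

    def groups_of(self, app):
        return {name for name, members in self.groups.items() if app in members}

    def allowed(self, source, target, operation):
        """True if data may flow from source to target through operation."""
        if operation not in CONSTRAINED_OPS:
            raise ValueError(f"not a constrained operation: {operation!r}")
        if source not in self.managed:
            return True   # the framework only intercepts calls made by managed apps
        if target not in self.managed:
            return False  # constrained operations never leave the managed set
        # Allowed only when the two apps share at least one security group.
        return bool(self.groups_of(source) & self.groups_of(target))

    def permitted_targets(self, source, operation, candidates):
        """Filter e.g. an Open-In picker down to the apps policy allows."""
        return [t for t in candidates if self.allowed(source, t, operation)]

# Constructed sample: two named groups (mail belongs to both) and an
# unmanaged "notes" app installed on the device.
MANAGED = ["mail", "browser", "docs", "crm"]
GROUPED = ExchangeBroker(MANAGED, {"office": ["mail", "browser", "docs"],
                                   "sales": ["crm", "mail"]})
DEFAULT = ExchangeBroker(MANAGED)   # no groups configured

if __name__ == "__main__":
    print(GROUPED.permitted_targets("docs", "open_in", ["mail", "crm", "notes", "browser"]))
```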
  31. Encryption of persistent app data
     • Mobile platforms secure persistent data in application sandboxes
       ᵒ These protections are trivially defeated by jail-breaking or rooting the device
     • Most mobile platforms can encrypt persistent data… but there are limits
       ᵒ Encryption keys are held persistently on the device
       ᵒ Keys are often protected by a cryptographically weak PIN or passcode
       ᵒ No means to revoke access if the device is not recovered
     • Better solution: encrypted file vaults with keys managed by the enterprise
  32. Elements of the Solution (section divider; same list as slide 6)
  33. Mobile Apps Suite: Mail, Browser, Documents
  34. Enterprise Apps, Citrix Me@Work Apps, ISV Apps
  35. Citrix Receiver and CloudGateway deliver enterprise mobility today
     • Mobile container for apps, browser, data, and email
     • Native iOS, Android, and HTML5 apps wrapped with policy
     • Secure network access from app through Receiver to CloudGateway
     • Remote wipe/lock
     (capability tiles: Mobile Container, Mobile App Wrapping, Secure Mail, Secure Browser, Contained Data, Single Sign-On, Mobile Optimized)
  36. Work better. Live better.
