Using Citrix XenMobile to Manage Corporate Email Access

In the old days, IT departments would usually just expose Microsoft ActiveSync externally and allow anyone who could authenticate to connect and sync corporate mail. Sure, Exchange brought some control over these devices, including the ability to enforce a security PIN lock and to wipe them (full wipe) if they ever tried to connect after the wipe request was issued.

But this still presents a problem: all of your corporate email data, including the top secret plans for the next super big project, is now on some employee’s mobile device that he just left on the table in the cafe down the street.

That’s where a Citrix XenMobile solution steps in. The XenMobile Enterprise solution contains 3 products, 2 of which will be discussed here: mobile device management and mobile application management. These 2 products take care of the 2 most common scenarios for mobility in the corporate world: bring-your-own-device (BYOD) and corporate-owned devices.

BYOD devices are simple – use the AppController product to deliver secure, sandboxed mobile apps that provide controllable access to mail (among other things). The WorxMail app from Citrix allows a corporation to provide email to a device inside an app that looks and feels like a native mail client on both the iOS and Android platforms. Policy can be applied to control such things as attachments in and out of the app and to prevent the use of screenshots while the app is open. All data within the WorxMail container is encrypted and can be wiped at a moment’s notice – and this isn’t a full device wipe either; it can be a selective wipe, removing only the corporate data and not the thousands of family photos on the CEO’s mobile phone.

Enterprise devices are a bit more tricky. First, use the XenMobile device manager server to secure, control and track the devices – this allows you to deploy an ActiveSync policy to iOS devices. Android devices can be more complicated – due to a limitation of the Android OS itself, you cannot directly deploy an ActiveSync policy to the device. You need to use a third-party tool such as TouchDown or some of the built-in tools such as Samsung Safe or Knox to get an ActiveSync policy deployed from device manager.

Alternatively, there is a third option for mail – the XenMobile NetScaler connector (XNC) and XenMobile Mail Manager (XMM). These products allow for granular control of ActiveSync connections that can incorporate checks against the device manager server for device compliance.

XNC works in conjunction with a NetScaler that is load balancing connections to the ActiveSync server – by communicating with the XNC service, the NetScaler will dynamically determine if the ActiveSync connection should be allowed or blocked.

XMM does not require a NetScaler as it communicates directly with the ActiveSync server using PowerShell to allow or prevent device connections to the ActiveSync server.
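
The allow/block decision described above can be sketched with Exchange's own cmdlets. This is an added example, not Citrix code and not a description of how XMM is implemented: `Get-AccessDecision` is a hypothetical helper, the compliance table and device IDs are constructed sample data standing in for the device manager's answer, and the apply step assumes an Exchange Management Shell session where `Set-CASMailbox` is available.

```powershell
# Constructed sample: compliance state per ActiveSync DeviceId, standing in
# for the result of a device manager compliance check (assumption).
$Compliance = @{
    'ApplDNXJ1234ABCD'  = $true    # enrolled and compliant
    'androidc987654321' = $false   # enrolled, out of compliance
}

# Constructed sample of ActiveSync partnerships (mailbox + DeviceId).
$Devices = @(
    [pscustomobject]@{ Mailbox = 'alice@example.com'; DeviceId = 'ApplDNXJ1234ABCD' }
    [pscustomobject]@{ Mailbox = 'bob@example.com';   DeviceId = 'androidc987654321' }
    [pscustomobject]@{ Mailbox = 'bob@example.com';   DeviceId = 'UNKNOWN0000000001' }
)

function Get-AccessDecision {
    param(
        [Parameter(Mandatory)] [object[]]  $Devices,
        [Parameter(Mandatory)] [hashtable] $Compliance,
        # Fail closed: a device the device manager has never seen is blocked.
        [ValidateSet('Allow', 'Block')] [string] $UnknownDeviceAction = 'Block'
    )
    foreach ($d in $Devices) {
        if (-not $Compliance.ContainsKey($d.DeviceId)) {
            $action = $UnknownDeviceAction; $reason = 'not enrolled'
        } elseif ($Compliance[$d.DeviceId]) {
            $action = 'Allow'; $reason = 'compliant'
        } else {
            $action = 'Block'; $reason = 'out of compliance'
        }
        [pscustomobject]@{ Mailbox = $d.Mailbox; DeviceId = $d.DeviceId
                           Action = $action; Reason = $reason }
    }
}

$decisions = Get-AccessDecision -Devices $Devices -Compliance $Compliance
$decisions | Format-Table -AutoSize

# Apply only where the Exchange cmdlet exists; -WhatIf previews each change.
if (Get-Command Set-CASMailbox -ErrorAction SilentlyContinue) {
    foreach ($x in $decisions) {
        # Add the ID to one list and remove it from the other so a stale
        # entry from an earlier decision cannot linger.
        $add = @{ Add = $x.DeviceId }; $del = @{ Remove = $x.DeviceId }
        if ($x.Action -eq 'Allow') {
            Set-CASMailbox -Identity $x.Mailbox -ActiveSyncAllowedDeviceIDs $add -ActiveSyncBlockedDeviceIDs $del -WhatIf
        } else {
            Set-CASMailbox -Identity $x.Mailbox -ActiveSyncBlockedDeviceIDs $add -ActiveSyncAllowedDeviceIDs $del -WhatIf
        }
    }
}
```

Outside an Exchange session only the decision table is printed; the unknown device is blocked by default, which is the fail-closed choice when compliance cannot be confirmed.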

The XenMobile solution allows for several different secure mail delivery scenarios that can be mixed and matched to fit the needs of your environment.
