How XenMobile Mail Manager helps IT manage EAS devices

XenMobile Mail Manager provides access control and remote management features for devices running Exchange ActiveSync or BlackBerry Enterprise Service.

IT administrators looking to give remote workers access to corporate email -- while keeping company data secure -- should consider implementing XenMobile Mail Manager.

XenMobile Mail Manager (XMM) is a component of Citrix's XenMobile enterprise mobility management platform that monitors and manages access control for devices running Exchange ActiveSync (EAS). EAS is an Exchange synchronization protocol based on HTTP and XML that enables mobile devices to access email and other information on an Exchange server.

Microsoft optimized EAS to operate over high-latency and low-bandwidth networks and to allow mobile users to work with their email offline. But it's important for IT to be able to manage that connection between the user and the organization's Exchange servers, especially when users access corporate email and attachments from remote locations.

Working in conjunction with the mobile device management capabilities built into XenMobile, Mail Manager provides a bridge between the XenMobile server and Exchange servers. The component can allow or block mobile device access to the Exchange servers, among other tasks. XMM can also interface with servers running BlackBerry Enterprise Service (BES).

What XenMobile Mail Manager can do

Citrix XenMobile 10 combined the App Controller and Device Manager components into a single server infrastructure for managing mobile devices and apps, but it did not eliminate the need for an additional component to interface with EAS devices.

Enter XenMobile Mail Manager, which integrates with the XenMobile server to extend its mobile device management capabilities. XMM lets IT configure and enforce policies that dynamically control access to corporate email and other information. Administrators can also access EAS device data on the Exchange servers and remotely wipe EAS from users' mobile devices.

In organizations that support BlackBerry devices, IT can also use XMM to access BES servers to retrieve device information, reset passwords or remotely wipe those devices. BES supports a variety of device types, including iOS, Android and Windows devices, but XMM integration with BES is exclusive to BlackBerry devices.

Installing XenMobile Mail Manager

To use XMM to manage EAS or BlackBerry devices, the organization must run Exchange Server 2010 SP2, Exchange Server 2013 or Office 365, or BES version 5 or later.

An XMM installation is made up of three primary components:

  • Access Control Management
  • Remote PowerShell Management
  • The Mobile Service Provider
SQL Server 2008 or later is also required to support XMM's management capabilities. Start by installing XMM on a computer running Windows Server 2008 R2 or later, and ensure that the .NET Framework, Windows Management Framework and PowerShell version 2, 3 or 4 are also installed on the server.

The Access Control Management component retrieves EAS policies from the XenMobile server and merges them with local policies to control which devices are allowed or denied access to the Exchange servers. IT can configure access control based on factors such as Active Directory groups or device types.

The Remote PowerShell Management component takes snapshots of the EAS database to track when XMM has added or updated devices. It also schedules and runs PowerShell commands that enact the policies the Access Control Management component compiles. Set the PowerShell execution policy on the host server to RemoteSigned.

The Mobile Service Provider offers a Web service that enables the XenMobile server to query the EAS and BlackBerry servers for device information and to carry out operations such as remote wipe.

Managing devices with the XMM console

The XenMobile Mail Manager console provides a straightforward interface for setting up server connections and defining local rules to control EAS device access.

The first step is to define the connection to the SQL Server instance that will store the XMM data. The connection can use either SQL Server or Windows authentication.

Next, identify the Exchange servers that XMM will access. They can be on-premises Exchange servers or instances of the Office 365 Exchange service. When defining those connections, admins can also configure the schedule for when XenMobile Mail Manager should take major and minor snapshots. A major snapshot detects every EAS device that's configured through XMM, and a minor snapshot detects only newly created connections.

The next step is to set up the actual EAS access rules, which include the following three types:

  • Default rule. This rule determines how to treat any device that is not explicitly covered by the other rules.
  • XDM rules. These are the overall XenMobile Device Manager rules on the XenMobile server. Configuring these rules in XMM defines the connection to the XenMobile server to import those rules.
  • Local rules. These rules are the access policies defined locally within the XMM environment. Local rules take precedence over the other rules.
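The precedence among the three rule types can be modeled in a few lines. The following is an added example, not Citrix code or part of the original article; the rule fields, the first-match ordering of local rules, the representation of XDM rules as a per-device lookup, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK = "allow", "block"

@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str
    ad_groups: frozenset

@dataclass(frozen=True)
class LocalRule:  # hypothetical shape of a local rule
    decision: str
    device_type: Optional[str] = None  # None = any device type
    ad_group: Optional[str] = None     # None = any Active Directory group

    def __post_init__(self):
        # A rule with no criteria would match every device and silently
        # shadow all XDM rules and the default rule, so reject it.
        if self.device_type is None and self.ad_group is None:
            raise ValueError("local rule needs at least one criterion")

    def matches(self, dev: Device) -> bool:
        type_ok = self.device_type in (None, dev.device_type)
        group_ok = self.ad_group is None or self.ad_group in dev.ad_groups
        return type_ok and group_ok

def evaluate(dev, local_rules, xdm_rules, default):
    """Return (decision, rule source) for one EAS device."""
    for rule in local_rules:            # local rules take precedence
        if rule.matches(dev):           # assumption: first match wins
            return rule.decision, "local"
    if dev.device_id in xdm_rules:      # rules imported from XenMobile
        return xdm_rules[dev.device_id], "xdm"
    return default, "default"           # anything not explicitly covered

# Constructed sample data (not from a real deployment).
LOCAL_RULES = [LocalRule(BLOCK, device_type="LegacyPhone"),
               LocalRule(ALLOW, ad_group="Executives")]
XDM_RULES = {"DEV-001": ALLOW, "DEV-002": ALLOW, "DEV-004": BLOCK}
DEVICES = [
    Device("DEV-001", "iPhone", frozenset({"Sales"})),
    Device("DEV-002", "LegacyPhone", frozenset({"Sales"})),
    Device("DEV-003", "Android", frozenset({"Contractors"})),
    Device("DEV-004", "iPhone", frozenset({"Executives"})),
]

def audit(default=BLOCK):
    """Map each sample device ID to its (decision, source) pair."""
    return {d.device_id: evaluate(d, LOCAL_RULES, XDM_RULES, default)
            for d in DEVICES}
```

In this model DEV-004 is allowed by a local rule even though the imported XDM rule blocks it, and DEV-003 follows whatever the default rule says, which makes local overrides and the default rule the two settings to review when auditing who can reach Exchange.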

Lastly, when setting up the Mobile Service Provider component, specify details such as the service transport -- HTTP or HTTPS -- service port and authorized user or group accounts. Another option is to add one or more BES servers by specifying the SQL Server instances those servers use.

IT can also use the console to monitor and track the installation. For example, admins can view a history of each snapshot, including when the snapshot occurred, how long it took, the number of detected devices and any errors that might have occurred. IT can also view a history of the issued PowerShell commands as well as browse the EAS and BES devices.
