Is Microsoft on the road to becoming the next EMM leader?

With the movement to the cloud, Microsoft has done alot of stuff right with its Office365 offering and also done a lot with Azure, the problem that has been over the last years has been their forgotten child… Intune.

Now the concept was good, built up a fully cloud based MDM/ PC management solution as an extension to Office365, the execution how ever hasn’t been all that great at first. While Office365 and Azure got most of the focus, Intune was left behind in terms of features and focus.

But now this has changed, last year Microsoft announced their EMS (Enterprise Mobility Suite) which was a combo of Identity service with Azure AD premium, data protection with Azure RMs and MDM with Intune, Microsoft got serious with their MDM/EMM solution, and one piece that Microsoft has that none of their MDM competitors has is the identity features, which is crucial in a BYO strategy, because if people wish to use their device and using their same ID and with the strong increase of SaaS applicaitons we need a common identity provider in place (Where traditional Active Directory does not cut it, because of its limitations)

This is from the latest report from Gartner on Identity and Access Management as a service

With their offerings from within Azure AD and with many customers already using it with Office365, Microsoft has an advantage that none of their competitors have.

Gartner also released their new report on MDM/EMM as well (Where we again see Vmware, Citrix and MobileIron) note that of these 4, Microsoft is the only one that has their own mobile hardware platform and their own personal operating system which allows them go get a bit of an advantage since Microsoft is also pushing Windows 10 as a more mobile operating system and more features will be directly integrated into Intune and Azure AD.

• Windows Update for buisness
• Windows Store for buisness
• Enterprise Data Protection

and note its been a little bit over a year ago that Microsoft launched their EMS package (even thou Intune has been available for some time, it hasn’t been until recently that Microsoft started focusing on this, and with Microsoft pushing updates to Intune almost each month it shows their are serious with this offering.

And moving forward Microsoft will continue to create more and more direct integration between Office365 (where there are about 80 mill customers) which make it a winning combo and become the natural choice for many customers, since in most cases it will just be as any other addon to Office365.

(Crappy drawning I know..)

And with the integration possibilities that Microsoft has with their on-premise solution (System Center Configuration Manager) it makes sense to get access to direct manage all regular computers and mobile devices from the same solution since a device is a device and should be managed by the same staff.

Microsoft has also stated alot of new features which are coming to Azure AD, Intune and Office365, which can be seen here on their own roadmap –> http://www.microsoft.com/en-us/server-cloud/roadmap/Indevelopment.aspx?TabIndex=2&dropValue=AllProducts

#airwatch, #intune, #microsoft-mdm, #xenmobile

Citrix XenMobile and Microsoft Cloud happily ever after ?

There is no denying that Microsoft is moving more and more focus into their cloud offerings, even with solution such as Office365, EMS (Enterprise Mobility Suite) and of course their Azure platform.

EMS being the latest product bundle in the suite gives customers Intune, Azure Rights Management and Azure Active Directory Premium. So if a customer already has Office365 (their users are already placed with Azure AD and can then easily be attached to EMS for more features)

We are also seeing that Microsoft is adding more and more management capabilities against Office365 into their Intune suite (Which is one of the keypoints which no other vendors have yet) but is this type of management something we need ? or is it just to give it a “key” selling point?

Now Microsoft has added alot of MDM capabilities to Intune, but they are nowhere close to the competition yet. Of course they have other offerings in the EMS pack, like Azure Rights Management, which are quite unique on the way it functions and integrates with Azure AD and Office365. As of 2014 Microsoft isn’t even listed on the Gartner quadrant for EMM (which they stated would be the goal for 2015)

But it will be interesting to se if Microsoft’s strategy is to compete head-to-head on the other vendors or if they wish to give the basic features and dvelve more into the part of Azure AD and identity management across clouds and SaaS offerings.

Citrix on the other hand, have their XenMobile offering which is a more complete EMM product suite (MDM and MAM, Follow me data with Sharefile, and so on) Now Citrix has a lot of advantages for instance over using Sharefile against OneDrive.  Sharefile has encryption of data even thou it is locally and running on a sandboxed application( on a mobile device), while the only option that OneDrive has is using as a part of Rights Management Service (of course OneDrive has extensive data encryption in-transit and at rest https://technet.microsoft.com/en-us/library/dn905447.aspx

Citrix also has MicroVPN functionality and secure browser access running VPN access using Netscaler, while Microsoft also has a secure browser application which is much more limited to restricting which URLs to open and what content can be viewed from that browser.

So from a customer side you need to ask yourself.

• what kind of requirement does my buisness have?
• Do I use Office365 or a regualr on-premise setup?
• Do I need the advanced capabilities ?
• How are my users actually working ?

Is there a best of both worlds using both of these technologies ?

While yes!

Now of course there are some feature that overlaps using Offic365 and EMS + XenMobile, but there are also some features which are important to be aware of.

• Citrix has Sharefile storage controller templates in Azure (Meaning that if a customer has an IaaS in Azure, they can setup a Sharefile connector in Azure and use that to publish files and content without using OneDrive)

• Citrix has a Sharefile connector to Office365 (Which allows users to use Sharefile almost as a file aggregrator for communicating between Office365 and their regular fileservers) which allows for secure editing directly from ShareFile.

• Citrix XenMobile has alot better MDM features for Windows Phone that Intune has at the moment.

• Azure AAD has a lot of built-in SSO access to many of Citrix web based applications (Sharefile, GTM, GTA and so on) since users are already in Azure AD premium it can be used to grant access to the different applications using SSO)

• Netscaler and SAML iDP (If we have an on-premise enterprise solution we can use the Netscaler to operate as an SAML identity provider against Office365 which allows for replacement for ADFS which is required for full SSO of on-premise AD users to Office365

• Office365 ProPlus with Lync is supported on XenApp/XD with Lync optimization pack (Note that this is not part of XenMobile but of Workspace suite)

• Netscaler and Azure MFA (We can use Azure MFA against Netscaler to publish web based applications with traffic optimization)

• Netscaler will also soon be available in Azure which allows for setting up a full Citrix infrastructure in Azure

But in the future I would be guessing that Microsoft is moving forward with the user collaboration part, it is going to become the heart of identity management with Azure AD directory and rights management, while Citrix on the other hand will focus more and enabling mobility using solutions like EMM ( MAM ) and follow me data aggregator and secure file access and devices. Citrix will also play an important part in hybrid setup using Netscaler with Cloud bridge and as an identity provider on-premise

#citrix, #ems, #intune, #microsoft, #office365, #xenmobile

XenMobile vs Configuration Manager & Intune

So this is a discussion I often meet, and will come across more the next weeks and months ahead I belive
Many of the customers I work with are often a full blowen Citrix customer or more forwards Microsoft.

Many are facing the discussion mobility how do we embrace it ? (or from another point of view, how do we manage it ?) and they are doing some research and find often that XenMobile or Intune shows up. So whats the difference between the two ?

Citrix has a long time been the master of delivering workspaces to a user and to any type of device, and with the release of CloudGateway Enterprise they were entering towards delivering mobile based features (for instance allowing them to deliver mobile based applications to a user device trough Citrix client) and with the purchase of ZenPrise last year they went full in. Zenprise was a fullblown MDM solution and now they have integratet CloudGateway (Cloudgateway was the old product which included Storefront, Gateway and AppController) with ZenPrise which is now known as XenMobile Enterprise.

This fits well for Citrix’s image (any device anywhere) and now they can manage any device as well (as long as it is mobile). Also they have developed sandboxed based applications under the category Worx and they can also deploy any applications from the vendors different stores. These Worx applications use Micro-VPN functionality to connect to the infrastructure and are completely seperated from other apps inside the mobile client.
To break it down in components XenMobile (Enterprise) consists of
* Netscaler (Gateway)
* Storefront
* AppController
* XenMobile MDM
* Sharefile

Then on the other side you have Microsoft, which is coming from a client management standpoint, and they have been there for quite some time. With the latest release of Configuration Manager, Microsoft released a connection with Intune which allowed buisneses to manage mobile devices via Intune directly from Configuration Manager.
So all mobile devices needed to be setup to talk to Intune in order to be managed.
Configuration Manager has also expanding it support to include Linux / Mac / Thin Clients as well as mobile devices with Intune, so microsoft has operated in the management part for a long time.
Instead of aiminig for a on-premise solution Microsoft har put everything in their cloud. So whenever Microsoft deployes a new feature to Intune every customer of Intune gets it without needing to do anything.
They also have an integration to exchange to allow the IT-guys to control mobile devices trough Active Sync (this also includes Office 365)
There is a new intune release coming with a new release of Configuration Manager the 18th of October.

But can these two products compete?
Well… they have some of the same features which is device management, Citrix has more advanced features with XenMobile and with Worx and Micro-VPN etc. Microsoft has full support for Windows phone and Windows RT (And coming with iOS and Android with an company portal app pretty soon) and Intune might have what you need but nothing fancy.

What we need to remember is that Configuration Manager is a fullblown client management suite, with patching, deploying operating systems, applications, baselining, antivirus, with Intune it gets mobile device management capability. XenMobile is not in this category, it gives you mobile management, mobile application management, sandboxing applications, give any device application delivery trough Citrix Receiver.

So if you are a System Center customer with Configuration Manager and your IT-guys use ConfigMgr for management, adding Intune might be an easy way to go ahead, and by using Intune you leave the feature set to Microsoft, they need to continue development and will add more features as new release become available (So you will get the new releases for free since its a cloud based solution which you get buy a monthly basis). For other customers which needs advanced features such as selective wipe and the ability to seperate buisness and private data and more advanced security features and deep suppor for all vendors (Except Windows) XenMobile is for you. Zenprise was one of the market leading vendors before Citrix bought them up.

If you compare the cost (for Intune the cost pr user is 6$ pr month so for one year you have 72 USD. You also need Configuration Manager for it to make any sense.) You can also get a discount if you are EAS or EA agreement already which makes Intune more viable.
XenMobile Enterprise on the other hand is not so much more expensive then a regular Intune subscribtion of course it requires alot more infrastructure then Intune does.

So hopefully you got a bit more understanding on what seperates Intune from XenMobile!

#citrix, #configuration-manager, #intune, #sysctr, #system-center-2012, #xenmobile

Setup Netscaler for XenDesktop 7 and AppController 2.8

This is going to be a long one
Always wanted to document this myself but never had the time, so I figured why not knock two birds with one stone and blog it as well since many are probably wondering about the same thing.

This is a typical deployment for many right? You have your internal XA/XD which are tied to a StoreFront web server and for remote access you have Netscaler Gateway/AG

And depending on the setup you might have a Netscaler in DMZ behind a NAT firewall, or directly connected to the internet from the DMZ or you might have a double hop network where you have multiple DMZ sones and firewalls.

So how to tie them together ?
First I suggest you read my previous post regarding XenDesktop 7 with StoreFront and Appcontroller deployment.
https://msandbu.wordpress.com/2013/06/26/xendesktop-7-setup-and-appcontroller-setup/

Lets head over to our Netscaler deployment. We can start by cheching our network connection.

We have different types of networking within the NS, we have VIP( Virtual IP) which are typically tied to load balanced service. We have SNIP (Subnet IP) which are used to initiate a connection to the back-end servers (XenDesktop Servers, Storefront etc) and you have a NSIP (Netscaler IP which is used for management)

So for a user the connection will look like this.

User –> VIP –> SNIP –> XenDesktop (Servers)

Typical deployment is that you have a netscaler with two interfaces, one in to the DMZ and one into the backend servers. (In my case I have all interfaces connected to the same subnet.

Next we can add authentication.
Go into Netscaler Gateway –> Policies –> Authentication –> LDAP –> Add

For named expression I choose General and True and choose Add.
((What does this do ? specifies that IF the traffic is going trough the NS appliance then this policy should be applied)

Then give it a name and choose new server and enter the information to the AD server. After you have entered the info “Press Retrieve Attributes”
Remember that this command uses the IP address of the server you are using the browser on.

If you are having trouble with authentication fire up console to the Netscaler Appliance type in shell then cd /tmp then type the command cat aaad.debug
This will display in real time information regarding the authentication tries.

After that is done, add a DNS server.

Now lets add a certificate (for this purpose I have a Enterprise Root CA on Windows Server 2012 which I used to create a web server certificate which contained the host name of the access gateway) nsgw.msandbu.local in my case and I choose to export it as a PFX file including the private key (You will need the private key!!) In production you should use a third party CA to isse a certificate to you.

You can upload the PFX file under Traffic Management –> SSL –> Manage Certificates –> then you can upload the PFX.

After this is done open Netscaler console and extract the certificate and the key from the PFX.
This can be done by running openssl from the Netscaler Console

openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem (Extract keys)
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem (Extract Certs)

After that is done you can install the certificate

Next we create a virtual server under Netscaler Gateway and assosiate it with an IP-address.
Since we just want ICA-proxy and no VPN (Smart Access solution) we can choose Basic Mode.
Under Protocol choose SSL (After this is done the service will go down unless you have a valid ceritificate installed)

If you go into the Authentication Tab (mark the Enable Authentication)
and under Primary Authentication Policiess choose insert policy. (By default the one we created earlier will appear)

Now if you wish to have two-factor authentication you can add another Primary authentication policy.

After this is done head over to policies. We need to add a Session Policy, here as well we use ns_true as an expression. Give it a name and press create New Request Profile.

Here we enter the information about the backend storefront servers. (NOTE I already have one stored there this is because I have created this earlier

Now there are a couple of options here we need to define.
First under Published Applications.

1: We have to define ICA-proxy, this will tunnel ICA traffic via port 443 back to the user.
2: Web Interface address this has to be Storefront web address.
3: Single sign-on domain should be your local AD domain. (Don’t enter anything here in case you have multiple domains)

Next is under Client Experience –>
Define Single Sign-ON to web applications using Primary Credentials, this allows the Netscaler gateway to authenticate to the Storefront site.

We have to define at the NS should use SSO to the storefront web adress using the Primary authentication mechanism which is AD in my case.

Last but not least, Security so we can allow users to actually enter.

You should also enable TCP profile for this virtual server set to nstcp_default_xa_xd_profile (This profile works best for internal usage and high bandwidth networks)

Then we also have to add STA (Of the XD controllers in my case) Go back to Published Applications.

Click Add and enter the URL of the XD controller. After you save and refresh the page it will show up like mine did now.

Remember to save the config!
After that is done we have head over to Storefront

Now there are a couple of things we need to fix there. First we need to add an authentication option from Netscaler.

This will allow the Storefront to authenticate users coming from  Netscaler. (To pass the credentials forward)

Next we have to go to Stores –> Enable Remote Access –> Choose Add netscaler appliance –>

Here enter the info regarding your netscaler.
SNIP here is the one that you entered inn earlier on the Netscaler, StoreFront uses this to validate that any incoming connections comes from a trusted host.
The CallBack URL is the Internal IP-address of the Netscaler.

Then you setup it as a NO VPN Tunnel and choose the Gateway appliance to use.
You also have to add the STA’s here as well.

And last but not least, Beacons.
Beacons are used to identify if the end-user comes from an internal or external connection.
For instance you can put an external beacon for a public accessable website and internal for a website that is ONLY available for internal users.

This is what decides if the ICA-file the end-user receives is going to be used via ICA-proxy or a plain ICA-connection straight to the server.

In this case since it’s a demo enviroment all are on the same network. But I could remove the nsgw as an external beacon. And just have www.citrix.com and another external site.

Now since the AppController connected to the Storefront service we don’t need to anything else inorder to view Apps deployed from AppController.

NOTE: There is a couple of things if you are doing to deploy for instnace WorX apps from appcontroller and going to use mVPN solution to iOS and Andriod.

You will need to enable a couple of things here.
* Split-tunneling
* Clientless Access URL Encoding = Clear

You also need to enable Secure Browsing

After this is done, we can open up our virtual IP URL.
In my case it is https://nsgw.msandbu.local

Login with my username and password and start a desktop connection (For the purpose of this demonstration I have also added a weblink from AppController that points to yammer.com

If you open resource monitor you can see that traffic is tunneled in port 443

And if we open resource monitor on the desktop I just launched I can see that the servers speaks via the session reliability port to the SNIP ip (Which is 60.114)

#appcontroller, #netscaler, #netscaler-gateway, #storefront, #xendesktop, #xenmobile