
MDM Arch Questions


Joe Cooper

Question

We have recently deployed MAM using Secure Mail. Aside from some issues, this is working pretty well. However, users do not like Secure Mail and some of the issues, etc. They want to be able to use the built-in apps or Outlook. We are on Office 365 with cloud Endpoint Management. I have lots of questions...

-Can you tunnel the built-in apps (Apple Mail, Android email) back through NetScalers? How is this done?

-Can you tunnel Outlook back through NetScalers? How is this done?

-We would like to ensure only users coming through MAM/MDM have access to ActiveSync, so in the future our plan was to put in a restriction in O365 to only allow connections from the internet IP of our NetScaler. Is this the advised method? I have seen information about Office 365 connectors through my searches and it has just muddied the waters further.

-For basic MDM deployment on iPhone I believe my steps are the following:
1. Set up a device policy that enforces a PIN and encryption
2. Configure app policies for built-in apps and Outlook (MDX wrapped?)
3. Configure a deployment group with the policies and apps from above.


1 answer to this question


Hi Joe,

I hope the following answers help...

-Can you tunnel the built-in apps (Apple Mail, Android email) back through NetScalers? How is this done?

...although it is not possible to carry traffic from the built-in apps using MDX microVPN, it 'is' possible to do this using the Citrix SSO app.

-Can you tunnel Outlook back through NetScalers? How is this done?

...no microVPN for this app; Citrix SSO can also carry this traffic instead if required.

-We would like to ensure only users coming through MAM/MDM have access to ActiveSync, so in the future our plan was to put in a restriction in O365 to only allow connections from the internet IP of our NetScaler. Is this the advised method? I have seen information about Office 365 connectors through my searches and it has just muddied the waters further.

...this is a method I have seen used elsewhere. In general terms, send 'all' client email traffic through to the NetScaler and allow 'only' the corporate WAN IP address access to O365.

-For basic MDM deployment on iPhone I believe my steps are the following:
1. Set up a device policy that enforces a PIN and encryption [iOS encrypts by default anyway: https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf]
2. Configure app policies for built-in apps and Outlook (MDX wrapped?) [no MDX wrapping of built-in apps or Outlook can be performed]
3. Configure a deployment group with the policies and apps from above. [MDM enrolment allows for the use of Device Policies and apps which do not use MDX]

Also worth noting is the difference between Outlook, using 'Streaming Notifications', and Secure Mail, using 'Push Notifications'. Because Citrix uses Push Notifications in Secure Mail, only the user knows the password for the mailbox account. The use of 'Streaming Notifications' in Outlook means that Microsoft must keep some details of the password on their notifications platform to help drive the process. This may or may not be in agreement with your corporate security policies. (https://docs.citrix.com/en-us/citrix-secure-mail/push-notifications.html#secure-mail-push-notifications-faqs)

Many thanks,

David
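The ActiveSync restriction David describes (route all client mail through the NetScaler, then let only the NetScaler's public address reach Office 365) can be expressed in Exchange Online as a Client Access Rule. The following is an added example for this thread, not code from either poster or from Citrix or Microsoft documentation. It assumes the ExchangeOnlineManagement PowerShell module, an account with Exchange admin rights, a placeholder NetScaler egress address of 203.0.113.10 (substitute your real address or range), a placeholder "unmanaged" client address of 198.51.100.7, and an arbitrary rule name.

```powershell
# Added example, not from the thread. Allows Exchange ActiveSync in Exchange Online
# only from the NetScaler's internet-facing IP, so devices that are not proxied by
# NetScaler (i.e. not under MAM/MDM) are refused at the service.
# Assumptions: ExchangeOnlineManagement module installed; Exchange admin rights;
# 203.0.113.10 and 198.51.100.7 are placeholders, not real addresses.

Connect-ExchangeOnline

$NetScalerEgress = '203.0.113.10/32'     # placeholder: your NetScaler's public IP/range

# The rule denies ONLY the ExchangeActiveSync protocol, so a mistyped address cannot
# lock administrators out of Remote PowerShell or the admin center.
New-ClientAccessRule -Name 'Deny EAS except via NetScaler' `
    -Priority 1 `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync `
    -ExceptAnyOfClientIPAddressesOrRanges $NetScalerEgress

# Check the effect before announcing it: an EAS connection from an arbitrary internet
# address should now be denied, while one from the NetScaler address is still allowed.
Test-ClientAccessRule -Protocol ExchangeActiveSync -RemoteAddress 198.51.100.7 `
    -RemotePort 443 -User 'user@example.com' -AuthenticationType BasicAuthentication
Test-ClientAccessRule -Protocol ExchangeActiveSync -RemoteAddress 203.0.113.10 `
    -RemotePort 443 -User 'user@example.com' -AuthenticationType BasicAuthentication

# Review what is in place; to back out quickly, disable rather than delete the rule.
Get-ClientAccessRule | Format-Table Name, Priority, Action, Enabled
# Set-ClientAccessRule -Identity 'Deny EAS except via NetScaler' -Enabled $false
```

Two caveats when applying this. The rule covers the ActiveSync protocol only: Outlook for iOS and Android against Office 365 does not sync over EAS, so the Outlook path the question also asks about needs its own control (for example a Conditional Access policy). And Microsoft has announced the retirement of Client Access Rules in Exchange Online in favour of Conditional Access, so confirm the cmdlets are still available in your tenant before building on them; the same "only from the NetScaler address" condition can be expressed there as a named location.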
