Daniel Künzli
Senior Systems Engineer Networking & Cloud
Citrix CloudGateway.next: Enterprise Mobility Management

WE BELIEVE…
• End users will win the battle of choice
• BYO will fundamentally transform IT
• Mobile = Heterogeneity
• Managing heterogeneity will create huge value

Enterprise mobility is rapidly changing
(chart, 2000 to 2012: Corporate Devices vs. BYO Devices; stages: Manage Email, Manage Devices, Manage BYO)

Customer Needs
• Basic set of secure apps
• App distribution & management
• Centralized policy control
• Service Level Management
• Support for any device - BYOD

CloudGateway Architecture
(diagram: Citrix Receiver; NetScaler/Access Gateway; StoreFront; Citrix CloudGateway with AppController, FMD and ShareFile; resource types SaaS, Web, XenDesktop/XenApp and Mobile)
#CitrixSynergy #SYN203

Elements of the Solution
• Common MDX architecture (iOS and Android)
• User & device enrollment
• SSO with AD integration
• App delivery and management
• App specific VPN
• Information containment
• Core mobile apps

MDX Mission
Permit IT control of enterprise assets on unmanaged mobile devices
Enterprise assets: 1. Enterprise applications 2. Enterprise data 3. Enterprise network access

Overview of MDX Architecture
(diagram: Managed Applications, each built on the MDX Framework with its own app private data vault, plus a shared data vault; the framework provides Authentication, Entitlements & policies and Secure IPC, and a Secure Network Tunnel to gateway services)
Encrypted data with enterprise key management
MDX Framework provided by either: 1. Wrapping toolset 2. Directly compiled SDK

Mobile Vault Architecture – API interception
(diagram, built up over four slides: mobile app above mobile OS; the app's network, files and clipboard calls pass through policy aware interception functions to Citrix mobile services: micro-VPN, encrypted storage, encrypted clipboard)
App Wrapping (iOS):
• API interception techniques
  ᵒ Direct modification of app binary (replace symbol references)
  ᵒ Runtime hook injection for system calls & native libraries
  ᵒ Objective-C categories with method swizzling
• MDX Framework code injected via dynamic library
SDK:
• Symbols redirected at compile time
• Access to native services reduces need for hooks/swizzling
• MDX Framework statically linked

User account discovery
Streamlined first time use experience
• Get Receiver from the app store
• Find your Receiver account details
  ᵒ Service record delivery by email or web
  ᵒ Recommended approach: Receiver account auto-discovery
• Receiver account auto-discovery
  ᵒ User provides email address
  ᵒ Receiver uses well known DNS names in corporate domain to locate StoreFront
  ᵒ Similar to process used to auto-discover Exchange servers

Device registration
First time logon: lightweight mobile device registration
• Receiver silently registers device with CloudGateway
  ᵒ Receiver provides device unique token and selected device information
• CloudGateway issues unique device ID
• CloudGateway links device ID/tokens to users
  ᵒ Admins can view all devices registered to users
  ᵒ Devices can be locked or marked for app data wipe
  ᵒ Receiver and MDX apps poll CloudGateway for current lock/wipe status
• Gateway must be reachable, but no logon needed

Device and app authentication
• Receiver registers and tracks devices to users
  ᵒ Permits lock and wipe of corporate data/apps on selected devices
• Receiver also serves as access manager for MDX managed applications
  ᵒ Strongly identifies applications
  ᵒ Determines app entitlements and policies
  ᵒ Brokers permitted data exchanges between managed apps
• MDX applications can parlay their Receiver auth context into other credentials for single sign-on
  ᵒ NTLM challenge/response (or the real AD domain, username, & password)
  ᵒ User and device certificates
  ᵒ Specialty tokens like ShareFile SAML token
  ᵒ Eventually Kerberos, OAuth/OpenID, etc.

Single sign-on
• Receiver and CloudGateway directly provide SSO for
  ᵒ Hosted applications (ICA/HDX)
  ᵒ Web/SaaS applications
• MDX applications can parlay their Receiver authentication context into other credentials and access rights
  ᵒ Gateway tickets for micro-VPN access
  ᵒ NTLM challenge/response (or even the real AD domain, username, & password)
  ᵒ User and device certificates
  ᵒ Specialty tokens like ShareFile SAML token
  ᵒ Eventually credentials for other auth systems… Kerberos tokens, OAuth/OpenID, etc.

100+ connectors built-in
SAML and Form-Fill compatibility
Provisioning for popular SaaS services

Tie all apps to AD
Enforce policies
Single click de-provisioning
End user self-service

End user experience

Micro-VPN
• Policy controlled per-application tunneling technology
• Relies on Citrix Receiver for authentication and SSO
• Network access policy choices:
  ᵒ Blocked: application network APIs are blocked and fail as if the network is not available
  ᵒ Unconstrained: application network APIs work normally
  ᵒ Tunneled: application network APIs are tunneled through CloudGateway to the enterprise intranet
• Full power of Access Gateway Enterprise 9.x and 10.x to configure VPN behavior
  ᵒ Split-tunnel based on IP address ranges or domain suffix, or route all traffic back into the enterprise intranet
  ᵒ Powerful rules engine for constraining access for external applications
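The three network access policy choices and the split-tunnel rules above, as an added example (not Citrix code) of the decision an interception layer has to make per connection before handing it to the localhost proxy listener of the micro-VPN. The rule representation, the proxy port and the intranet ranges and suffixes used in the comments are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

LOCAL_PROXY_PORT = 1080  # constructed: port of the localhost proxy listener


class NetworkBlocked(OSError):
    """Raised so the app's network API fails as if no network were available."""


@dataclass
class AppNetworkPolicy:
    mode: str  # "blocked", "unconstrained" or "tunneled" (the slide's three choices)
    # Split-tunnel rules (constructed representation): destinations matching an
    # intranet range or domain suffix go through the tunnel, the rest go direct.
    # With mode "tunneled" and no rules, all traffic is routed into the intranet.
    intranet_ranges: list = field(default_factory=list)
    intranet_suffixes: list = field(default_factory=list)


def is_intranet(policy, host):
    """True if host falls inside the policy's IP ranges or domain suffixes."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a host name, not a literal address
        name = host.lower().rstrip(".")
        return any(name == s or name.endswith("." + s)
                   for s in (x.lower().lstrip(".") for x in policy.intranet_suffixes))
    return any(addr in ipaddress.ip_network(r) for r in policy.intranet_ranges)


def route_request(policy, host, port):
    """Decide where an intercepted connection goes.

    Returns ("direct", host, port) for a normal connection or
    ("proxy", "127.0.0.1", LOCAL_PROXY_PORT) when the request must be
    redirected to the local proxy that feeds the encrypted tunnel.
    """
    if policy.mode == "blocked":
        raise NetworkBlocked(f"network unavailable for {host}:{port}")
    if policy.mode == "unconstrained":
        return ("direct", host, port)
    if policy.mode != "tunneled":
        raise ValueError(f"unknown network access mode {policy.mode!r}")
    has_split_rules = bool(policy.intranet_ranges or policy.intranet_suffixes)
    if has_split_rules and not is_intranet(policy, host):
        return ("direct", host, port)  # split-tunnel: external traffic stays local
    return ("proxy", "127.0.0.1", LOCAL_PROXY_PORT)
```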

Micro-VPN Architecture (iOS)
(diagram: inside the mobile app, the networking logic (NSURLRequest, ASIHTTPRequest, CFNetwork, BSD Sockets) is caught by the MDX Framework's network interception functions; the framework supplies proxy info so that network requests are redirected to a local proxy, a localhost listener in the Tunneler library with SOCKS, TCP and UDP proxies, while direct calls such as domain resolution pass through; the proxy carries traffic over an encrypted tunnel, authenticated with a session ticket, to the servers in the corporate intranet)

Only with NetScaler or Access Gateway Ent.

Citrix Access Gateway™ and Citrix NetScaler™: providing secure remote access to Windows apps, desktops, and enterprise web
Adaptive Policy Control
Best Performance & Flexible Deployment
HDX SmartAccess, MDX Micro VPN

What happens in MDX apps stays in MDX apps…
• Many ways for information to escape from a managed app
  ᵒ MDX framework slams the door on these escapes
• Data exchange with other apps
  ᵒ Copy/Paste
  ᵒ Document exchange (Open-In)
  ᵒ Network APIs
  ᵒ Printing, iCloud, email, SMS, etc.
• Restrict access to sensitive device hardware
  ᵒ Camera, microphone, location services, screen shots, etc.
• All controls are applied at run-time based on current app policies

Containing Data Exchange
• Blocking copy/paste and other types of data exchange is easy
  ᵒ Gives poor user experience
• Constraining data exchange to managed apps yields far better experience
• By default, MDX framework seeks to constrain many operations to managed apps only:
  ᵒ Copy/paste
  ᵒ Document exchange (Open-in)
  ᵒ Inter-app dispatch (URL Schemes, Intents)
• Administrator can place apps into named security groups
  ᵒ If not configured, default is all managed apps
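The broker decision the two slides above describe (block, constrain to managed apps, or leave unrestricted, per exchange channel, with unconfigured apps in the shared default group), as an added example that is not Citrix code. The app identifiers and policy settings are constructed, and the rule that apps in a named group only exchange with members of the same group is this example's interpretation of the slide.

```python
from dataclasses import dataclass, field

# Exchange channels the MDX framework constrains by default (from the slide).
CHANNELS = ("copy_paste", "open_in", "url_scheme", "intent")
DEFAULT_GROUP = "all managed apps"  # effective group of an unconfigured app


@dataclass(frozen=True)
class AppPolicy:
    app_id: str
    security_group: str = DEFAULT_GROUP
    # Per-channel setting: "blocked" (easy but poor experience), "managed"
    # (constrained to the app's security group, the default) or "unrestricted".
    channels: dict = field(default_factory=dict)

    def setting(self, channel):
        return self.channels.get(channel, "managed")


class ExchangeBroker:
    """Receiver-side broker (constructed model) deciding whether a data
    exchange from one app to another may proceed under current policy."""

    def __init__(self, policies):
        self._policies = {p.app_id: p for p in policies}

    def decide(self, channel, source_app, target_app):
        """Return (allowed, reason) for moving data from source to target."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown exchange channel {channel!r}")
        src = self._policies.get(source_app)
        if src is None:
            return False, "source is not a managed app"
        mode = src.setting(channel)
        if mode == "blocked":
            return False, f"{channel} is blocked for {source_app}"
        if mode == "unrestricted":
            return True, f"{channel} is unrestricted for {source_app}"
        dst = self._policies.get(target_app)
        if dst is None:  # data would leave the container
            return False, "target is not a managed app"
        if dst.security_group != src.security_group:
            return False, "apps are in different security groups"
        return True, f"both apps are in security group {src.security_group!r}"
```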

Encryption of persistent app data
• Mobile platforms secure persistent data in application sandboxes
  ᵒ These protections are trivially defeated by jail-breaking or rooting the device
• Most mobile platforms can encrypt persistent data… but there are limits
  ᵒ Encryption keys are held persistently on the device
  ᵒ Keys are often protected by a cryptographically weak PIN or passcode
  ᵒ No means to revoke access if the device is not recovered
• Better solution: encrypted file vaults with keys managed by the enterprise
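Why enterprise-managed keys fix the revocation gap this slide names, tied to the device registration flow described earlier (unique token, gateway-issued device ID, admin lock/wipe, apps polling status): an added example, not Citrix code. The gateway class, the HMAC-based per-device key derivation and the state names are constructed; the point is that the vault key is released only to a device whose status is still active and is never stored on the device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class DeviceRecord:
    user: str
    token: str             # unique token presented by Receiver at registration
    info: dict             # selected device information
    state: str = "active"  # "active", "locked" or "wipe" (constructed states)

class CloudGateway:
    """Constructed model of the gateway side: device registry plus key release."""

    def __init__(self):
        self._devices = {}
        self._enterprise_key = secrets.token_bytes(32)  # never leaves the gateway

    def register(self, user, device_token, device_info):
        device_id = secrets.token_hex(8)  # unique device ID issued to Receiver
        self._devices[device_id] = DeviceRecord(user, device_token, dict(device_info))
        return device_id

    def devices_of(self, user):  # admin view: all devices registered to a user
        return sorted(i for i, d in self._devices.items() if d.user == user)

    def set_state(self, device_id, state):  # admin action: "locked" or "wipe"
        self._devices[device_id].state = state

    def poll_status(self, device_id, device_token):
        """Polled by Receiver and MDX apps; needs reachability, not a user logon."""
        rec = self._devices.get(device_id)
        if rec is None or not hmac.compare_digest(rec.token, device_token):
            return "unknown"
        return rec.state

    def vault_key(self, device_id, device_token):
        """Release the per-device vault key only while the device is active, so a
        locked or wiped device cannot decrypt the data it still holds."""
        if self.poll_status(device_id, device_token) != "active":
            return None
        return hmac.new(self._enterprise_key, device_id.encode(), hashlib.sha256).digest()

def app_refresh(gateway, device_id, device_token):
    """Client side: fetch the key into memory only; on lock or wipe hold no key."""
    status = gateway.poll_status(device_id, device_token)
    key = gateway.vault_key(device_id, device_token) if status == "active" else None
    return status, key
```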

Mobile Apps Suite
(diagram: Browser, Documents)

(diagram: Enterprise Apps, Citrix Me@Work, ISV Apps)

Citrix Receiver and CloudGateway deliver enterprise mobility today
• Mobile container for apps, browser, data, and email
• Native iOS, Android, and HTML5 apps wrapped with policy
• Secure network access from app through Receiver to CloudGateway
• Remote wipe/lock
(tiles: Mobile Container, Mobile App Wrapping, Secure Browser, Contained Data, Single Sign-On, Mobile Optimized Secure Mail)

Work better. Live better.