Historically the workplace defined the workspace, but trends in mobility have impacted both. Ten years ago, Cisco published a CVD that expanded the workplace to include the home office, which allowed employees to join the corporate network securely, allowing them to remain productive even when not physically on campus. This transformed the workplace, but the devices limited the solution. Often the employee would carry the same laptop back and forth between the campus and the home office out of necessity. While the expanded network kept the devices connected, the data (e.g., an Office document, email, etc.) physically resided on a hard drive in the device. Corporate policy required that only a specific device could be trusted for use by a specific employee.
This Cisco Mobile Workspace Solution with Citrix design guide finally addresses that limitation. A single device no longer binds a user to their work. Instead the device is a tool or a conduit that allows employees to interact with their content. In the ever-continuing effort to maximize productivity gains, organizations are responding by removing restrictions that limit how a user interacts with data, yet still recognize that this content represents intellectual property and is a corporate asset that must be protected. When thinking about productivity, work is user interaction with data. This interaction has context. For example, creating a spreadsheet is a different activity than looking up data in a spreadsheet. The data itself should not be bound by the application, which is especially true in organizations that have developed legacy in-house applications that now must be extended to additional mobile platforms. This design guide explores how users can better interact with data by abstracting the layers that separate them. Conceptually this is accomplished with a mobile workspace. The term is dual purpose: first, the workspace is accessible on mobile devices but, more importantly, the workspace is not tied to any single device or platform. Users can interact with their work securely from any device, anytime, anywhere.
The CVD is broken into several sections that cover on-campus and remote devices using both native applications and virtualized desktops; however, these are not mutually exclusive deployment models. A comprehensive solution includes a range of components to enable a truly fluid mobile experience while securing both the network and the device without compromising the user experience. Cisco and Citrix offer a unique solution that leverages a full range of products that can now integrate together in ways not previously possible. For example, Citrix XenMobile Device Manager and Cisco Identity Services Engine (ISE) can integrate over an API to ensure that network policy and device policy complement one another. The device manager is responsible for establishing mobile policy on hand-held compute devices such as smartphones and tablets. XenMobile Device Manager is also capable of establishing policy on MacBooks and limited policy on Windows devices, although they are not the focus of this guide.
Cisco ISE sets network policy with respect to what level of access a particular device has on the corporate network and the compliance conditions that must be met prior to gaining network connectivity. Cisco ISE can enforce device policy by restricting access to the corporate network, ensuring that mobile devices do not pose a security threat to corporate resources. This is accomplished by setting access appropriate for both the user's role and the asset class of the networked device. Active Directory group membership defines the user's role, while the ownership of the device sets the asset class. The CVD builds on concepts introduced in the BYOD design guide and covers employee-owned and corporate-owned devices. The same user in AD does not get the same access level on their personal device as they do on their corporate device. This is true both on campus and for remote users that attach to a VPN head-end device. Remote access is covered in a later section.
Citrix XenMobile is a comprehensive solution to manage mobile applications, data, and devices. Users have single-click access to all of their apps from a unified corporate app store and IT can easily configure, secure, and support mobile devices. With XenMobile, IT can meet their compliance and control requirements while giving users the freedom to experience work and life their way.
Citrix is a leading provider of enterprise mobility management (EMM) software used to establish and enforce device policy on hand-held endpoints, which might include corporate- and employee-owned phones and tablets. Devices manufactured by all the major equipment providers are supported at some level. Apple and Android devices are the primary focus, but XenMobile also supports Blackberry and Windows 8 mobile devices.
Enterprise mobility management is a relatively new phenomenon and is in a constant state of expansion. Features can be thought of in several categories:
Citrix XenMobile consists of two core functions, XenMobile Device Manager and XenMobile AppController. Together they are known as XenMobile Enterprise Edition. XenMobile Device Manager provides MDM functionality, including traditional device management through the use of policy profiles. XenMobile AppController is a full application life cycle management tool that can integrate into Citrix StoreFront and, by extension, XenDesktop. Citrix offers XenMobile Mobile Device Manager Edition and XenMobile App Edition to allow enterprises to customize their deployment to meet their needs. This CVD incorporates device and application management and requires XenMobile Enterprise Edition, which includes both components.
Beyond these, there are additional components for enterprise integration, such as WorxMail for secure email, WorxWeb for secure Web browsing, and ShareFile for secure collaboration. Together these components integrate to form a comprehensive mobile policy framework that enables the mobile workforce.
Until recently, many organizations may have simply chosen to grant restricted access to the network and allow only communications between the mobile device and a virtual desktop infrastructure. In doing so, the organization can be sure that access to corporate applications and sensitive data can only be accomplished through the use of a secured, unalterable virtual desktop environment with no data stored locally. When considering this approach, the XenDesktop family of products is the leading solution in desktop virtualization. When combined with WAN optimization technologies such as Cisco WAAS and protocol enhancements through Citrix HDX and Citrix Receiver, the user experience from mobile devices, even over slower Internet connections, is greatly enhanced.
This CVD brings together components from Cisco with those from Citrix and details how the complementary mobility offerings can work together to provide a flexible and customizable solution that can meet the full set of requirements needed for a successful mobile workspace program. The CVD presents several use cases to further illustrate the application of this solution to likely business needs. The following use cases are covered:
These use cases generally extend those presented in the most recent version of the Cisco BYOD CVD (http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/own_device.html). The intent of the use cases is to illustrate the flexibility of the system and is not meant to restrict how the features of the system can be configured. Within solution design, there is often a trade-off between an extremely secure system and one that delivers a very open user experience. Specific use cases have been chosen to explore how a balance can be achieved by weighing corporate risk against employee productivity.
Although the system is composed of products from both Cisco and Citrix, the foundation is built from the Cisco BYOD CVD, which describes how to provide secure network access to a wide variety of devices, both wired and wireless. A REST API that is supported between the system components makes the integration between Cisco ISE and the XenMobile Device Manager possible. The device manager responds to requests from ISE with respect to a device’s operational parameters, including for example the presence of a PIN Lock on the device and the version of the OS. ISE uses this information to establish the level of network access to which the device and user are entitled. In addition, ISE can request that the device manager execute several tasks on the behalf of ISE, such as removing all corporate data from the device or locking the device.
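The two paragraphs above describe a decision that is easy to get wrong in practice: the access level is a function of three inputs at once (AD role, device ownership, and the posture attributes the device manager returns), and a failure on the posture check must override a favourable role. The following Python model, added here as an illustration and not taken from ISE, XenMobile or this CVD, shows that ordering explicitly. The access-level names, the AD group names, the minimum OS versions and the `MdmStatus` attribute set are all assumptions chosen for the example; they are not ISE authorization profiles or fields of the XenMobile REST API.

```python
"""Model of an ISE-style authorization decision driven by MDM attributes.

Hypothetical illustration of the policy flow described in the text, not the
real ISE policy language or the XenMobile Device Manager API. The role comes
from AD group membership, the asset class from device ownership, and the
posture attributes (registration, PIN lock, OS version) from the device
manager. Posture failures are evaluated first so that no role can bypass them.
"""
from dataclasses import dataclass

# Hypothetical minimum OS versions, as an administrator might define them.
MIN_OS_VERSION = {"ios": (7, 0, 0), "android": (4, 2, 0)}

# Placeholder access levels standing in for ISE authorization results
# (for example a dACL or a VLAN assignment); names chosen for this example.
FULL = "full"
PARTIAL = "partial"
INTERNET_ONLY = "internet_only"
QUARANTINE = "quarantine"


@dataclass(frozen=True)
class MdmStatus:
    """Attributes the device manager reports back (constructed for the example)."""
    registered: bool
    pin_lock: bool
    platform: str      # "ios" or "android"
    os_version: str    # dotted string such as "7.1.2"


def parse_version(text: str) -> tuple:
    """Turn '7.1.2' into (7, 1, 2) so versions compare numerically, not lexically."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def os_is_current(status: MdmStatus) -> bool:
    """True when the reported OS meets the minimum for its platform."""
    minimum = MIN_OS_VERSION.get(status.platform.lower())
    return minimum is not None and parse_version(status.os_version) >= minimum


def authorize(ad_groups: set, ownership: str, status: MdmStatus) -> str:
    """Map role + asset class + MDM posture to one access level.

    ownership is "corporate" or "personal"; ad_groups is the set of AD group
    names the user belongs to (group names are hypothetical).
    """
    # Step 1: posture reported by the device manager. An unregistered device
    # only gets the onboarding portal; a registered device that fails the
    # PIN-lock or OS-version check is held for remediation.
    if not status.registered:
        return QUARANTINE
    if not status.pin_lock or not os_is_current(status):
        return QUARANTINE
    # Step 2: role from AD group membership. Unknown roles are denied rather
    # than given a default level.
    if "Contractors" in ad_groups:
        return INTERNET_ONLY
    if "Employees" not in ad_groups:
        return QUARANTINE
    # Step 3: asset class from ownership. The same user gets less on a
    # personal device than on a corporate one.
    return FULL if ownership == "corporate" else PARTIAL


if __name__ == "__main__":
    compliant = MdmStatus(registered=True, pin_lock=True, platform="ios", os_version="7.1.2")
    no_pin = MdmStatus(registered=True, pin_lock=False, platform="ios", os_version="7.1.2")
    for groups, owner, status in [({"Employees"}, "corporate", compliant),
                                  ({"Employees"}, "personal", compliant),
                                  ({"Employees"}, "corporate", no_pin)]:
        print(sorted(groups), owner, "->", authorize(groups, owner, status))
```

The version comparison is the part worth keeping even if the rest is replaced: comparing `"10.0.1"` and `"9.9.9"` as strings ranks the older release higher, which is exactly the kind of bug that lets an out-of-date device through a minimum-version check.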
There is a focus on mobile productivity. Users want to interact with their work from a wide range of devices, including smartphones and tablets. With the exception of images and video, most smartphones consume data rather than create it. Mobile devices are unique because they are always connected, either via LTE or WiFi, and can be used almost instantly without lengthy boot-up times. They also have ready-to-use video, GPS location, accelerometers, piezo compasses, and a range of other physical sensors that may be attached via Bluetooth. These attributes make mobile devices a compelling platform for a range of new business applications that were not possible on legacy devices such as laptops. Mobile applications offer context around data that is unique. This context has the potential to deliver large productivity gains when fully leveraged, usually through the use of in-house-developed mobile applications. For example, an insurance company could create a claims application that allows adjusters to attach high-resolution pictures or video, GPS location information, or the customer's verbal statement to a claim filed from the field in real time. Other companies may already have a Windows-based application installed on laptops mounted in the adjuster's car and may want to port those applications quickly onto a new mobile tablet. The Cisco Mobile Workspace Solution with Citrix enables both scenarios.
There are several components required to enable the Cisco Mobile Workspace Solution with Citrix. Some components described here could be replaced or substituted with similar products that provide equivalent functionality, such as a certificate store. Other components are core to this solution, for example ISE and the WorxHome client. In addition, there is some product overlap between Cisco and Citrix, and there may be more than one way to accomplish a specific goal. Not all possible configurations are presented here. Finally, some essential components that are a prerequisite for the solution are not discussed, including DHCP servers, DNS, NTP, routing protocols, and other fundamental network services.
Cisco Identity Services Engine (ISE) is a core component of the Cisco Mobile Workspace (CMW) solution architecture. It delivers the necessary services required by enterprise networks, such as Authentication, Authorization, and Accounting (AAA), profiling, posture, and guest management on a common platform. The ISE provides a unified policy platform that ties organizational security policies to business components.
The ISE also empowers the user to be in charge of on-boarding their device through a self-registration portal in line with CMW policies defined by IT. Users have more flexibility to bring their devices to their network with features such as sponsor-driven guest access, device classification, CMW on-boarding, and device registration.
Cisco Integrated Services Routers (ISR), including the ISR 2900 and ISR 3900 families, provide WAN and LAN connectivity for branch and home offices. The LAN includes both wired and wireless access. In addition, ISRs may provide direct connectivity to the Internet and cloud services, application and WAN optimization services, and may also serve as termination points for VPN connections by mobile devices.
The WLC automates wireless configuration and management functions and provides visibility and control of the WLAN. The WLC extends the same access policy and security from the wired network core to the wireless edge while providing centralized access point configuration. The WLC interacts with the Cisco Identity Services Engine (ISE) to enforce authentication and authorization policies across device endpoints. Multiple WLCs may be managed and monitored by Cisco Prime Infrastructure. Wireless LAN controller functionality can be within standalone appliances, integrated within Catalyst switch products, or run virtually on Cisco Unified Computing System (UCS).
Cisco Aggregation Services Routers (ASR), available in various configurations, provide aggregate WAN connectivity at the campus WAN edge. In addition, ASRs may provide direct connectivity to the Internet and cloud services and may also serve as a firewall. The ASR runs Cisco IOS XE software and offers Flexible Packet Matching (FPM) and Application Visibility and Control (AVC).
Cisco Catalyst® switches, including the Catalyst 3000, Catalyst 4000, and Catalyst 6000 families, provide wired access to the network and handle authentication requests to the network via 802.1X. In addition, when deployed as access switches, they provide Power over Ethernet (PoE) for devices such as thin client workstations, IP phones, and access points.
Cisco Nexus switches, including the Cisco Nexus 7000 and 5000 families, serve as the data center switches within the CVD. The Cisco Nexus 7000 switches provide 10GE Layer 3 connectivity between the campus core, data center core, and aggregation layers, and 10GE Layer 2 connectivity, utilizing vPC, for the Cisco Nexus 5000 switches in the data center access layer to which all servers are attached.
The following Citrix products are used in the Cisco Mobile Workspace Solution with Citrix.
Citrix XenMobile is a comprehensive solution to manage mobile devices, apps, and data. Users have single-click access to all of their mobile, SaaS, and Windows apps from a unified corporate app store, including seamlessly integrated email, browser, data sharing, and support apps. IT gains control over mobile devices with full configuration, security, provisioning, and support capabilities. Flexible deployment options give IT the choice to manage XenMobile in the cloud or on-premises. In addition, XenMobile securely delivers Worx Mobile Apps, mobile apps built for businesses using the Worx App SDK and found through the Worx App Gallery.
The unified app store, together with XenMobile AppController, provides application services to both Citrix Receiver and the WorxHome mobile application for Windows-based virtual application support. StoreFront maintains a list of application subscriptions and can synchronize this list between devices.
WorxHome is the mobile client that runs on the hand-held device. It provides access to XenMobile AppController and also works in conjunction with XenMobile Device Manager. The Android version of WorxHome interfaces with the device administrator APIs found on Android devices. The iOS version augments the built-in MDM protocol found in Apple devices. WorxHome is the user's portal into the solution.
The Receiver application provides access to virtualized applications and desktops hosted on XenDesktop and is the primary user interface for all hosted applications. Installed on user devices, Citrix Receiver provides users with quick, secure, self-service access to applications, desktops, and data from any of the user's devices, including smartphones, tablets, and PCs. Receiver provides on-demand access to Windows, Web, and Software as a Service (SaaS) applications. Receiver integrates directly with AppController and WorxHome.
Citrix XenDesktop delivers Windows apps and desktops as secure mobile services. With XenDesktop, IT can mobilize the business, while reducing costs by centralizing control and security for intellectual property. Incorporating the full power of XenApp, XenDesktop can deliver full desktops or just the apps to any device. HDX technologies enable XenDesktop to deliver a native touch-enabled look-and-feel that is optimized for the type of device, as well as the network.
ShareFile is a secure and robust enterprise data synchronization and sharing service solution that empowers users to share data with anyone and synchronize data across all of their devices. ShareFile seamlessly integrates with workflow tools and provides a rich user experience on any device to enhance productivity.
In addition to Cisco and Citrix, the solution depends on a number of products from other market leaders.
The solution uses Microsoft's CA server to issue user certificates. These certificates are used to authenticate users both for WiFi using EAP-TLS and for remote access using Cisco AnyConnect. Other CA servers could be used, although only Microsoft's has been validated in this CVD.
Microsoft Active Directory (AD) is a core component of the solution. It binds together the policy that is set up on the various components of the system. Users are placed in AD groups that define each user's role within the enterprise. All policy decisions are tied to these roles through LDAP integration. These roles constitute the various use cases covered within the CVD.
Push services are required for MDM functionality with Apple products. The push service acts as an intermediary between the MDM and the devices. The only configuration requirement is to install an APNS certificate on the MDM to allow it access to this service.
Although somewhat obvious, mobile hand-held devices are a core component of the solution. Like the other components, mobile devices require minimum software levels and appropriate configuration settings to be fully functional. The mobile device provides the user experience. Apple software includes a device management stack as an integral component of the operating system.
As is the case with iOS devices, Android devices are also a core component. Android represents a unique challenge because of the wide range of devices and software levels found in the field. Complicating matters somewhat, users are not always able to update the software on their phone and are dependent on their carrier. This can present a unique challenge if a defect is discovered that could compromise the device's security. Android, which is owned by Google, also has a push service, but it is not required for device management.