Introduction:
As we move away from cliché VDI debates and statements to a new end user computing era, a secure unified digital workspace offering becomes more relevant. This overall offering makes more business and technical sense to customers and partners alike enabling the real digitalization of businesses.
Mobile Device Management, Mobile Application Management, and Mobile Content Management are amongst the hottest terms in the Unified Endpoint Management and Security space, yet they do not, on their own, power users to completely conduct their work from any location using any device having the same experience as an office desk.
When combining the power of Desktop Virtualization, Application Virtualization, Mobility, Content Collaboration, Access Control, SaaS Apps and SSO, native 2FA and Analytics, all integrated and correlating with each other , we end up with a mobile and secure unified end-to-end workspace that can be fully utilized to conduct business in a more productive manner.
Citrix Workspace App is intended to be a unified secure digital workspace that allows users to access all of their services required to conduct business in a more productive and secure manner from a unified app. It is a work in progress and part of what’s still missing is full integration with Endpoint Management formerly known as XenMobile.
Citrix Endpoint Management uses an agent called Secure Hub which means when using full Citrix workspace services, one would need to have the Workspace App and the Secure hub agent installed which would defeat the term “unified”. More so, users would still be required to enroll to secure hub and install/open Citrix provided secure applications such as Secure Mail and Secure Web.
Recently, Citrix, utilizing the power of cloud and service integration/correlation, added some integration functionality between Endpoint Management and Workspace App, which allows published MAM applications to appear/open from the Workspace App which if un-enrolled would prompt the user to enroll using Secure Hub but that’s about it for now as still users need to see, interact and sign-in to Secure Hub independently which is essentially another application.
In the future, Secure Hub code would be moved into Workspace App which means all mobility functionality would be built-it and no additional applications such as Secure Hub would be required. For now, I will explore the current functionality of Workspace App integration with Endpoint Management and how users interact between both apps.
On a side note, my Citrix Cloud account was provisioned prior to Q3 2018 which meant that my cloud instance was still being hosted on AWS thus Endpoint Management service integration was not available. I have been working with Citrix Cloud support team for the last month and they have successfully migrated my instance to Azure and enabled the Endpoint Management Integration for the same. If you don’t find Endpoint Management in your service integrations tab that would be the issue so contact Citrix support for the same.
Configuration:
Step 1: Enable Endpoint Management service integration from Citrix Cloud – Workspace Configuration – Service Integrations.
Step 2: In order for applications to be part of Citrix Cloud and be able to assign users access to these applications from Library, navigate to Endpoint Management – Configure – Delivery Groups – Add. Make sure to choose In Citrix Cloud on the Users tab and add the required Applications to published/visible in Workspace App.
Step 3: Navigate to Library and add subscribers to the just recently created group which includes the added mobile applications.
Integration configuration is as simple as just three steps and that’s about it. Users will now have access to mobile applications visible from Workspace App. In the next section we will look into the user experience.
User Experience:
Feedback to Citrix:
-
MAM only enrollment from Workspace App is not currently supported for this integration so using mobility apps from Workspace App will require full MDM/MAM enrollment. MAM-only enrollments only work when enrollement is done independantly from Secure Hub before Workspace App is configured and Endpoint Management Integration enabled..
-
Another really important feature missing from Citrix Workspace Service/App is email based enrollments which would make it easy for users to sign into the workspace URL without using the X.cloud.com URL . It should be as easy as the one already available for Endpoint Management and the Workspace App actually asks to input email but Citrix support has assured me its not currently supported so that’s a bummer.
-
It would be cool for Workspace App to have the same concept as WorxPin which would also support Biometric and face recognition technologies for login instead of AD password for all resources in the Workspace App. Top that with the coming TOTP feature coming soon to Citrix Cloud.
Scenario 1: Workspace App
New User joining the digital workspace requiring full workspace suite experience. Everything is conducted from Citrix Workspace App.
Observations:
-
Enrollment did not ask for authentication when redirecting to Secure Hub. This is a new enrollment conducted from Workspace App so first section of integration in terms of SSO upon enrollement is functional.
-
Enrollment did not ask for MDM URL and was automatically injected into secure hub from Workspace App.
- Opening Secure Hub independently after Workspace App has been configured would also auto-inject MDM URL.
-
Secure Web application asked for credentials in Secure Hub. This can be controlled from the app setting “ App Passcode “. Enabling Worx Pin would make this pretty easy for end-users. Users till have to authenticate to Secure Hub at some point.
Scenario 2: Secure Hub
Citrix Secure Hub was installed (not configured) and users will try to enroll from Secure Hub without the presence of Workspace App.
Observations:
-
Secure Hub will now force new users to enroll using the Workspace App when using the cloud provided Endpoint Management URL. The apps section inside Secure Hub will redirect to Workspace App.
-
Worx Pin was enabled and works fine for Endpoint management applications through Workspace App.
-
Apps are only accessible from Workspace App and Secure Hub does not show any applications except a tab “ Add Apps ” that forwards you to Workspace App.
Scenario 3: MAM-Only Mode
User is already enrolled into MAM-only mode from Secure Hub and now adds Workspace App.
Observations:
-
Users cannot enroll to MAM-only mode if Workspace App is already configured so make sure to enroll to MAM before configuring Workspace App with Citrix Cloud workspace URL.
- Applications can be accessed from both Secure Hub and Workspace App. Users will still have to authenticate to Secure Hub when opening applications from Workspace App and Worx Pin is supported.
Scenario 4: Time-Based One-Time Password
Time-Based One-Time Password has been enabled for Citrix Workspace and users use Workspace App to enroll into Endpoint Management.
Observations:
-
Since users enrolling to endpoint management are forced to use Workspace App, TOTP conceptually applies to all workspace users including endpoint management service which is a native additional layer of security.
- Citrix Cloud TOTP can use Citrix SSO, Microsoft Authenticator, and/or Google Authenticator.
Scenario 5: Disabled Service Integration
Endpoint Management Service integration disabled and users want the legacy experience where Secure hub is completely independent from Workspace App.
Observations:
Conclusion:
Integration has gone a far way and the SSO when enrolling to Endpoint management from Workspace App to Secure Hub is just amazing. I hope some of the notes I listed above are tackled and looking forward to having all Secure Hub code into Workspace App.
I have another post on some recommended features to be added on Citrix Cloud to enhance user experience: Citrix Cloud: Minor Enhancements, Great Experience ! .