SmartAccess for HDX apps
This feature allows you to control access to HDX apps based on device properties, user properties of a device, or applications installed on a device. You use this feature by setting automated actions to mark the device as out of compliance to deny that device access. HDX apps used with this feature are configured in Virtual Apps and Desktops by using a SmartAccess policy that denies access to out-of-compliance devices. XenMobile communicates the status of the device to StoreFront using a signed, encrypted tag. StoreFront then allows or denies access based on the access control policy of the app.
To use this feature, your deployment requires:
- Virtual Apps and Desktops 7.6
- StoreFront 3.7 or 3.8
- XenMobile Server configured to aggregate HDX apps from a StoreFront server
- XenMobile Server configured with a SAML certificate to be used for signing and encrypting tags. The same certificate, without its private key, is uploaded to the StoreFront server.
To start using this feature:
- Configure the XenMobile Server certificate on the StoreFront store
- Configure at least one Virtual Apps and Desktops delivery group with the required SmartAccess policy
- Set the automated action in XenMobile
Export and configure the XenMobile Server certificate and upload it to the StoreFront store
SmartAccess uses signed and encrypted tags to communicate between the XenMobile and StoreFront servers. To enable that communication, you add the XenMobile Server certificate to the StoreFront store.
For more information about integrating StoreFront and XenMobile when XenMobile is enabled with domain and certificate-based authentication, see the Support Knowledge Center.
Export the SAML certificate from the XenMobile Server
In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears. Click Certificates.
Locate the SAML certificate for XenMobile Server.
Ensure that Export private key is set to Off. Click Export to export the certificate to your download directory.
Locate the certificate in your download directory. The certificate is in PEM format.
Convert the certificate from PEM to CER
Open the Microsoft Management Console (MMC) and right-click Certificates > All Tasks > Import.
When the certificate import wizard appears, click Next.
Browse to the certificate in the download directory.
Select Place all certificates in the following store and select Personal as the certificate store. Click Next.
Review your selections and click Finish. Click OK to dismiss the confirmation window.
In the MMC, right-click the certificate and then choose All Tasks > Export.
When the certificate export wizard appears, click Next.
Choose the format DER encoded binary X.509 (.CER). Click Next.
Browse to the certificate. Type a name for the certificate and then click Next.
Save the certificate.
Browse to the certificate and click Next.
Review your selections and click Finish. Click OK to dismiss the confirmation window.
Locate the certificate in your download directory. Note that the certificate is in CER format.
Copy the certificate to the StoreFront Server
On the StoreFront server, create a folder called SmartCert.
Copy the certificate to the SmartCert folder.
Configure the certificate on the StoreFront store
On the StoreFront server, run this PowerShell command to configure the converted XenMobile Server certificate on the store:
$store = Get-STFStoreService -VirtualPath /Citrix/Store
Grant-STFStorePnaSmartAccess -StoreService $store -CertificatePath "C:\xms\xms.cer" -ServerName "XMS server"
If there are any existing certificates on the StoreFront store, run this PowerShell command to revoke them:
Revoke-STFStorePnaSmartAccess -StoreService $store -All
Alternatively, you can run any of these PowerShell commands on the StoreFront server to revoke existing certificates on the StoreFront store:
- Revoke by name:
$store = Get-STFStoreService -VirtualPath /Citrix/Store
Revoke-STFStorePnaSmartAccess -StoreService $store -ServerName "My XM Server"
- Revoke by thumbprint:
$store = Get-STFStoreService -VirtualPath /Citrix/Store
Revoke-STFStorePnaSmartAccess -StoreService $store -CertificateThumbprint "ReplaceWithThumbprint"
- Revoke by server object:
$store = Get-STFStoreService -VirtualPath /Citrix/Store
$access = Get-STFStorePnaSmartAccess -StoreService $store
Revoke-STFStorePnaSmartAccess -StoreService $store -SmartAccess $access.AccessConditionsTrusts[0]
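As an added example (not a Citrix script), the PowerShell below performs the PEM-to-CER conversion done with MMC in the steps above and the grant/revoke configuration of this section in one pass, refusing to proceed if the exported file contains a private key. The file paths, store virtual path, server name and the StoreFront SDK loader path are assumptions for a default installation.

```powershell
# Added example, not part of the Citrix documentation or product.
# Converts the XenMobile SAML certificate exported from the console (PEM) to
# DER (.cer) and registers it as a SmartAccess trust on a StoreFront store.
param(
    [string]$PemPath    = "C:\SmartCert\xms.pem",   # assumed: file exported from the XenMobile console
    [string]$CerPath    = "C:\SmartCert\xms.cer",   # assumed: DER file handed to StoreFront
    [string]$StorePath  = "/Citrix/Store",          # assumed: virtual path of the store
    [string]$ServerName = "XMS server",             # assumed: friendly name for the XenMobile Server
    [switch]$ReplaceExisting                        # revoke all trusts on the store before granting
)

# Load the certificate. The X509Certificate2 file constructor accepts both
# Base64/PEM and DER input on Windows, so no MMC round trip is needed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PemPath

# StoreFront only needs the public key to validate the signed, encrypted tags.
# The private key must stay on the XenMobile Server, so refuse a leaked export.
if ($cert.HasPrivateKey) {
    throw "Certificate at $PemPath contains a private key; re-export with 'Export private key' set to Off."
}

# Write DER bytes, the same output as MMC's 'DER encoded binary X.509 (.CER)' option.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)
Write-Host ("Wrote {0}  subject={1}  thumbprint={2}  expires={3}" -f $CerPath, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Load the StoreFront PowerShell SDK (default install path assumed).
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$store = Get-STFStoreService -VirtualPath $StorePath

# Replace rather than stack trusts: a rotated or retired XenMobile certificate
# should not remain trusted next to the new one.
if ($ReplaceExisting) {
    Revoke-STFStorePnaSmartAccess -StoreService $store -All
}

Grant-STFStorePnaSmartAccess -StoreService $store -CertificatePath $CerPath -ServerName $ServerName

# Show what the store trusts now so the operator can confirm the thumbprint
# matches the certificate written above.
(Get-STFStorePnaSmartAccess -StoreService $store).AccessConditionsTrusts | Format-List *
```

Run it once per store; rerun with -ReplaceExisting after rotating the SAML certificate on XenMobile.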
Configure the SmartAccess policy for Virtual Apps and Desktops
To add the required SmartAccess policy to the delivery group delivering the HDX app:
On the Virtual Apps and Desktops server, open Citrix Studio.
Select Delivery Groups in the Studio navigation pane.
Select a group delivering the app or apps you want to control access to. Then select Edit Delivery Group in the Actions pane.
On the Access Policy page, select Connections through NetScaler Gateway and Connection meeting any of the following.
Click Add.
Add an access policy where Farm is XM and Filter is XMCompliantDevice.
Click Apply to apply any changes you made and keep the window open, or click OK to apply changes and close the window.
Set automated actions in XenMobile
The SmartAccess policy that you set in the delivery group for an HDX app denies access to a device when the device is out of compliance. Use automated actions to mark the device as out of compliance.
From the XenMobile console, click Configure > Actions. The Actions page appears.
Click Add to add an action. The Action Information page appears.
On the Action Information page, type a name and description for the action.
Click Next. The Action Details page appears. In the following example, a trigger is created that immediately marks devices as out of compliance if they have the user property name eng5 or eng6.
In the Trigger list, choose Device property, User property, or Installed app name. SmartAccess doesn't support event triggers.
In the Action list:
- Choose Mark the device as out of compliance.
- Choose Is.
- Choose True.
- To set the action to mark the device as out of compliance immediately when the trigger condition is met, set the time frame to 0.
Choose the XenMobile delivery group or groups to apply this action to.
Review the summary of the action.
Click Next and then click Save.
When a device is marked out of compliance, the HDX apps no longer appear in the Secure Hub store. The user is no longer subscribed to the apps. No notification is sent to the device and nothing in the Secure Hub store indicates that the HDX apps were previously available.
If you want users to be notified when a device is marked out of compliance, create a notification and then create an automated action to send that notification.
This example creates and sends this notification when a device is marked out of compliance: “Device serial number or telephone number no longer complies with the device policy and HDX applications will be blocked.”
Create the notification users see when a device is marked as out of compliance
In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.
Click Notification Templates. The Notification Templates page appears.
Click Add on the Notification Templates page.
When prompted to set up the SMS server first, click No, set up later.
Configure these settings:
- Name: HDX Application Block
- Description: Agent notification when device is out of compliance
- Type: Ad Hoc Notification
- Secure Hub: Activated
- Message: Device ${firstnotnull(device.TEL_NUMBER,device.serialNumber)} no longer complies with the device policy and HDX applications will be blocked.
Click Save.
Create the action that sends the notification when a device is marked out of compliance
From the XenMobile console, click Configure > Actions. The Actions page appears.
Click Add to add an action. The Action Information page appears.
On the Action Information page, enter a name and description for the action:
- Name: HDX blocked notification
- Description: HDX blocked notification because device is out of compliance
Click Next. The Action Details page appears.
In the Trigger list:
- Choose Device property.
- Choose Out of compliance.
- Choose Is.
- Choose True.
In the Action list, specify the actions that occur when the trigger is met:
- Choose Send notification.
- Choose HDX Application Block, the notification you created.
- Choose 0. Setting this value to 0 causes the notification to be sent as soon as the trigger condition is met.
Select the XenMobile delivery group or groups to apply this action to. In this example, choose AllUsers.
Review the summary of the action.
Click Next and then click Save.
For more information on setting automated actions, see Automated actions.
How users regain access to HDX apps
Users can gain access to HDX apps again after the device is brought back into compliance:
On the device, go to the Secure Hub store to refresh the apps in the store.
Go to the app and tap Add to add the app.
After the app is added, it appears in My Apps with a blue dot next to it, because it is a newly installed app.