XenMobile

Managed configurations policy

The Managed configurations device policy controls various app configuration options and app restrictions. The app developer defines the options and tooltips available for an app. If a tooltip mentions using a “templated value,” use the corresponding XenMobile macro instead. For more information, see Remote configuration overview (on the Android developer site) and Macros.

The app configuration settings can include items such as:

  • App email settings
  • Allow or block URLs for a web browser
  • Option to control app content sync through a cellular connection or only by a Wi-Fi connection

For information about the settings that appear for your apps, contact the app developer.

Prerequisites

  • Complete Android Enterprise setup tasks on Google and connect Android Enterprise to managed Google Play. For more information, see Android Enterprise.
  • Add Android Enterprise apps to XenMobile. For more information, see Adding Apps to XenMobile.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Requirements for per-app VPNs

To create a per-app VPN for AE, you must perform extra steps, in addition to configuring the Managed configurations policy. Also, you must verify that the following prerequisites are met:

  • On-premises Citrix Gateway
  • The following applications are installed on the device:
    • Citrix SSO
    • Citrix Secure Hub

A general workflow to configure a per-app VPN for AE devices is as follows:

  1. Configure a VPN profile as described in this article.

  2. Configure Citrix ADC to accept traffic from the per-app VPN. For details, see Full VPN setup on Citrix Gateway.

Android Enterprise settings

After you choose to add a Managed configurations device policy, a prompt to select an app appears. If there are no Android Enterprise apps added to XenMobile, you cannot proceed.

After you select an app, configure the policy settings. The settings are specific to each app.

Image of Device Policies configuration screen

Configure VPN profiles for Android Enterprise

Make VPN profiles available to Android Enterprise devices using the Citrix SSO app with the Managed configuration device policy.

Start by adding Citrix SSO to the XenMobile console as a Google Play store app. See Add a public app store app.

Image of SSO app in console

Create an Android Enterprise managed configuration for Citrix SSO

Configure the Managed configurations device policy for Citrix SSO to create VPN profiles. Devices that have the Citrix SSO app installed and the policy deployed have access to the VPN profiles you create.

You need your Citrix Gateway FQDN and port.

  1. In the XenMobile console, click Configure > Device Policies. Click Add.

  2. Select Android Enterprise. Click Managed Configurations.

    Image of select Android Enterprise policies

  3. When the Select Application ID window appears, choose Citrix SSO from the list and click OK.

    Image of Select Application ID window

  4. Type a name and description for your Citrix SSO VPN configuration. Click Next.

    Image of Android Enterprise managed configuration wizard

  5. Configure VPN profile parameters.

    • VPN Profile Name. Type a name for the VPN profile. If you are creating more than one VPN profile, use a unique name for each. If you don’t provide a name, the address you put in the Server Address field is used as the VPN profile name.

    • Server Address (*). Type your Citrix Gateway FQDN. If your Citrix Gateway port is not 443, also type your port. Use URL format. For example, https://gateway.mycompany.com:8443.

    • Username (optional). Provide the user name that end users use to authenticate to the Citrix Gateway. You can use the XenMobile macro {user.username} for this field. (See Macros.) If you don’t provide a user name, users are prompted to provide a user name when they connect to Citrix Gateway.

    • Password (optional). Provide the password that end users use to authenticate to the Citrix Gateway. If you don’t provide a password, users are prompted to provide a password when they connect to Citrix Gateway.

    • Certificate Alias (optional). Type a certificate alias. The certificate alias makes it easier for the app to access the certificate. When the same certificate alias is used with the Credentials device policy, the app retrieves the certificate and authenticates the VPN without any action by users.

    • Per-App VPN Type (optional). If you are using per-app VPN to restrict which apps use this VPN, you can configure this setting. If you select Allow, network traffic for app package names listed in the PerAppVPN app list is routed through the VPN. The network traffic of all other apps is routed outside the VPN. If you select Disallow, network traffic for app package names listed in the PerAppVPN app list is routed outside the VPN. The network traffic of all other apps is routed through the VPN. Default is Allow.

    • PerAppVPN app list. A list of apps whose traffic is allowed or blocked on the VPN, depending on the value of Per-App VPN Type. List the app package names separated by commas or semicolons. App package names are case sensitive and must appear on this list exactly as they appear in the Google Play store. This list is optional. Keep this list empty for provisioning device-wide VPN.

    • Default VPN profile. Type the name of the VPN profile to use when users tap the connect switch in the user interface of the Citrix SSO app instead of tapping a specific profile. If this field is left empty, the main profile is used for connection. If only one profile is configured, it is marked as the default profile. For always-on VPN, this field must be set to the name of the VPN profile to be used for establishing always-on VPN.

    • Disable User Profiles. If this setting is ON, users can’t create their own VPNs on their devices. If this setting is OFF, users can create their own VPNs on their devices. Default is OFF.

    • Block Untrusted Servers. This setting is OFF when using a self-signed certificate for Citrix Gateway or when the root certificate for the CA issuing the Citrix Gateway certificate is not in the system CA list. If this setting is ON, the Android operating system validates the Citrix Gateway certificate. If the validation fails, the connection is not allowed. Default value is ON.

    Image of Android Enterprise managed configuration wizard

  6. Optionally, create custom parameters. The custom parameters XenMobileDeviceId and UserAgent are supported. Select the current VPN configuration and click Add.

    Image of Android Enterprise managed configuration wizard

    1. Create a custom parameter:

      • Parameter name. Type XenMobileDeviceId. This field is the device ID to use for Network Access Check based on device enrollment in XenMobile. If XenMobile enrolls and manages the device, the VPN connection is allowed. Otherwise, authentication is denied at the time of VPN establishment.

      • Parameter value. For XenMobile to determine the enrollment and management state of the devices, set the value of XenMobileDeviceId to DeviceID_${device.id}.

    Image of Android Enterprise managed configuration wizard

    2. To create another custom parameter, click Add again. Create this custom parameter.

      • Parameter name. Type UserAgent. This text is appended to the User-Agent HTTP header for performing an extra check on Citrix Gateway. The Citrix SSO app appends the value of this text to the User-Agent HTTP header while communicating with the Citrix Gateway.

      • Parameter value. Type the text you want to append to the User-Agent HTTP header. This text must conform to the HTTP User-Agent specifications.

  7. Optionally, create more VPN profile configurations. Click Add under the list of configurations. A new configuration appears in the list. Select the new configuration and repeat step 5 and, optionally, step 6.

    Image of Android Enterprise managed configuration wizard

  8. When you have created all the VPN profiles you want, click Next.

  9. Configure deployment rules for this managed configuration for Citrix SSO.

  10. Click Save.

This managed configuration for Citrix SSO now appears in your list of configured device policies.

To enable always-on for the VPN profiles you configured, set the XenMobile options device policy.

Note: Citrix Secure Hub 19.5.5 or higher is required for always-on VPN for Android Enterprise.
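
The per-app VPN routing rules and field requirements from step 5, written out as a pre-deployment check. This is an added example, not Citrix code: the dictionary keys reuse the wizard's field labels as an assumed representation, the package names are constructed, and accepting only https:// addresses is an assumption based on the example URL above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: one VPN profile, keyed by the field labels used in the wizard.
SAMPLE = {
    "VPN Profile Name": "corp",
    "Server Address": "https://gateway.mycompany.com:8443",
    "Per-App VPN Type": "Allow",
    "PerAppVPN app list": "com.example.mail; com.example.crm,Com.Example.Wiki,bad name",
    "Block Untrusted Servers": False,
}
# Dot-separated segments, each starting with a letter (Android package name shape).
PKG_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

def parse_app_list(raw):
    """Split the PerAppVPN app list on commas or semicolons, dropping blanks."""
    return [p.strip() for p in re.split(r"[,;]", raw or "") if p.strip()]

def routed_through_vpn(package, profile):
    """Allow: only listed apps use the VPN. Disallow: all but listed apps do."""
    apps = parse_app_list(profile.get("PerAppVPN app list"))
    if not apps:                      # empty list provisions a device-wide VPN
        return True
    listed = package in apps          # exact match: package names are case sensitive
    return listed if profile.get("Per-App VPN Type", "Allow") == "Allow" else not listed

def review_profile(profile):
    """Return review findings for one profile before it is deployed."""
    findings = []
    url = urlsplit(profile.get("Server Address", ""))
    try:
        port_ok = url.port is None or 0 < url.port < 65536
    except ValueError:                # non-numeric or out-of-range port
        port_ok = False
    if url.scheme != "https" or not url.hostname or not port_ok:
        findings.append("Server Address: expected https://<FQDN>[:port]")
    if profile.get("Password"):
        findings.append("Password: stored in the policy instead of prompted for")
    if not profile.get("Block Untrusted Servers", True):   # default is ON
        findings.append("Block Untrusted Servers: OFF, gateway certificate not enforced")
    for app in parse_app_list(profile.get("PerAppVPN app list")):
        if not PKG_RE.fullmatch(app):
            findings.append(f"PerAppVPN app list: '{app}' is not a valid package name")
    return findings
```

In the sample, `Com.Example.Wiki` passes the syntax check but never matches an app installed as `com.example.wiki`, so under Allow that app's traffic stays outside the VPN.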

Accessing VPN profiles from the device

To access the VPN profiles you created, Android Enterprise users install Citrix SSO from the Google Play store.

The VPN profile or profiles you configured appear in the Managed Connections area of the app. Users tap the VPN profile to connect using that VPN profile.

Image of Managed Connection area of SSO app on device

After users have authenticated and connected, a check mark appears next to the VPN profile. The key icon indicates the VPN is connected.

Image of Managed Connection area of SSO app on device

Manage Zebra Android devices using Zebra OEMConfig

Manage Zebra Android devices using the Zebra Technologies OEMConfig administrative tool. For information about the Zebra OEMConfig app, see the Zebra Technologies website.

XenMobile supports Zebra OEMConfig version 9.2 and higher. For information about system requirements for installing Zebra OEMConfig on devices, see OEMConfig Setup on the Zebra Technologies website.

Start by adding the Zebra OEMConfig app to the XenMobile console as a Google Play store app. See Add a public app store app.

Create an Android Enterprise managed configuration for the Zebra OEMConfig app

Configure the Managed configurations device policy for the Zebra OEMConfig app. The policy applies to Zebra devices that have the Zebra OEMConfig app installed and the policy deployed.

  1. In the XenMobile console, click Configure > Device Policies. Click Add.

  2. Select Android Enterprise. Click Managed Configurations.

    Image of select Android Enterprise policies

  3. When the Select Application ID window appears, choose ZebraOEMConfig powered by MX from the list and click OK.

  4. Type a name and description for the Zebra OEMConfig configuration. Click Next.

  5. Type a name for the Zebra OEMConfig configuration.

  6. Configure the available parameters. For example:

    • To disable the camera on the front of the device, select Camera Configuration and set Use of Front Camera to Off.
    • To change the device's time format, select Clock Configuration and set Time Format to 12 for 12-hour format or 24 for 24-hour format.

For a list and descriptions of all available configurations, see Zebra Managed Configurations on the Zebra Technologies website.

  7. Optionally, create more Zebra OEMConfig configurations. Click Add under the list of configurations. A new configuration appears in the list. Select the new configuration and configure the parameters.

  8. When you have created all the Zebra OEMConfig configurations you want, click Next.

  9. Configure deployment rules for this managed configuration for Zebra OEMConfig.

  10. Click Save.
