Daniel Künzli: CloudGateway.next
1. Citrix CloudGateway.next
Enterprise Mobility Management
Daniel Künzli
Senior Systems Engineer Networking & Cloud
2. WE BELIEVE…
• End users will win the battle of choice
• BYO will fundamentally transform IT
• Mobile = Heterogeneity
• Managing heterogeneity will create huge value
4. Customer Needs
• Basic set of secure apps
• App distribution & management
• Centralized policy control
• Service Level Management
• Support for any device - BYOD
6. Elements of the Solution
• Common MDX architecture (iOS and Android)
• User & device enrollment
• SSO with AD integration
• App delivery and management
• App specific VPN
• Information containment
• Core mobile apps
7. MDX Mission
Permit IT control of enterprise assets on unmanaged mobile devices
Enterprise assets
1. Enterprise applications
2. Enterprise data
3. Enterprise network access
8. Overview of MDX Architecture
[Diagram: managed applications, each built on the MDX Framework with its own app-private data vault, share a common shared data vault; the framework provides a secure network tunnel to the gateway, secure IPC services, authentication, and entitlements & policies; data is encrypted with enterprise key management]
MDX Framework provided by either:
1. Wrapping toolset
2. Directly compiled SDK
10. Mobile Vault Architecture – API interception
[Diagram: a mobile app's calls to network, files and clipboard pass through policy-aware interception functions before reaching the mobile OS, giving micro-VPN networking, encrypted storage and an encrypted clipboard backed by Citrix mobile services]
11. Mobile Vault Architecture – API interception
[Diagram as on slide 10: policy-aware interception functions between the mobile app and the mobile OS for network, files and clipboard]
App Wrapping (iOS):
• API Interception techniques
ᵒ Direct modification of app binary (replace symbol references)
ᵒ Runtime hook injection for system calls & native libraries
ᵒ Objective-C categories with method swizzling
• MDX Framework code injected via dynamic library
12. Mobile Vault Architecture – API interception
(Same diagram and App Wrapping bullets as slide 11, plus:)
SDK:
• Symbols redirected at compile time
• Access to native services reduces need for hooks/swizzling
• MDX Framework statically linked
13. Elements of the Solution
14. User account discovery
Streamlined first time use experience
• Get Receiver from the app store
• Find your Receiver account details
ᵒ Service record delivery by email or web
ᵒ Recommended approach: Receiver account auto-discovery
• Receiver account auto-discovery
ᵒ User provides email address
ᵒ Receiver uses well-known DNS names in the corporate domain to locate StoreFront
ᵒ Similar to the process used to auto-discover Exchange servers
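The email-based auto-discovery flow above, as an added example that is not Citrix's code: the well-known host prefixes, the injectable resolver and the constructed DNS table are assumptions of this example.

```python
import re

# Assumed well-known host prefixes: the slide says "well known DNS names in the
# corporate domain" without naming them, so these are placeholders, not Citrix's.
WELL_KNOWN_PREFIXES = ("storefront", "receiver", "discoverreceiver")

# Only the domain part matters; reject anything without a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def corporate_domain(email):
    """Extract the corporate DNS domain from the user's email address."""
    match = EMAIL_RE.match(email.strip())
    if not match:
        raise ValueError("not a usable email address")
    return match.group(1).lower()


def discover_storefront(email, resolve):
    """Return the first well-known host in the user's own domain that resolves.

    resolve(hostname) returns an address string or None; it is injected so the
    example runs offline.  Candidates are built from the user's domain only, so
    discovery never looks outside the corporate namespace.
    """
    domain = corporate_domain(email)
    for prefix in WELL_KNOWN_PREFIXES:
        host = f"{prefix}.{domain}"
        if resolve(host):
            return host
    return None


# Constructed DNS table standing in for a real resolver in this offline example.
FAKE_DNS = {
    "storefront.corp.example": "10.0.0.5",
    "receiver.other.example": "10.9.9.9",
}


def fake_resolve(host):
    return FAKE_DNS.get(host)
```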
15. Device registration
First time logon: lightweight mobile device registration
• Receiver silently registers device with CloudGateway
ᵒ Receiver provides device unique token and selected device information
• CloudGateway issues unique device ID
• CloudGateway links device ID/tokens to users
ᵒ Admins can view all devices registered to users
ᵒ Devices can be locked or marked for app data wipe
ᵒ Receiver and MDX apps poll CG for current lock/wipe status
• Gateway must be reachable, but no logon needed
16. Elements of the Solution
17. Device and app authentication
• Receiver registers and tracks devices to users
ᵒ Permits lock and wipe of corporate data/apps on selected devices
• Receiver also serves as access manager for MDX managed applications
ᵒ Strongly identifies applications
ᵒ Determines app entitlements and policies
ᵒ Brokers permitted data exchanges between managed apps
• MDX applications can parlay their Receiver auth context into other credentials for single sign-on
ᵒ NTLM challenge/response (or the real AD domain, username, & password)
ᵒ User and device certificates
ᵒ Specialty tokens like ShareFile SAML token
ᵒ Eventually Kerberos, OAuth/OpenID, etc.
18. Single sign-on
• Receiver and CloudGateway directly provide SSO for
ᵒ Hosted applications (ICA/HDX)
ᵒ Web/SaaS applications
• MDX applications can parlay their Receiver authentication context into other credentials and access rights
ᵒ Gateway tickets for micro-VPN access
ᵒ NTLM challenge/response (or even the real AD domain, username, & password)
ᵒ User and device certificates
ᵒ Specialty tokens like ShareFile SAML token
ᵒ Eventually credentials for auth systems… Kerberos tokens, OAuth/OpenID, etc.
19. Elements of the Solution
20. 100+ connectors built-in
• SAML and Form-Fill compatibility
• Provisioning for popular SaaS services
21. Tie all apps to AD
• Enforce policies
• Single click de-provisioning
• End user self-service
24. Elements of the Solution
25. Micro-VPN
• Policy controlled per-application tunneling technology
• Relies on Citrix Receiver for authentication and SSO
• Network access policy choices:
ᵒ Blocked
• Application network APIs are blocked and fail as if network is not available
ᵒ Unconstrained
• Application network APIs work normally
ᵒ Tunneled
• Application network APIs are tunneled through CloudGateway to enterprise intranet
• Full power of Access Gateway Enterprise 9.x and 10.x to configure VPN behavior
ᵒ Split-tunnel based on IP address ranges or domain suffix -OR- route all traffic back into enterprise intranet
ᵒ Powerful rules engine for constraining access for external applications
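The three network access policy choices and the split-tunnel rules above, as an added example (not Citrix code) of how a per-app routing decision could be evaluated for each destination; the rule representation (CIDR ranges and domain suffixes) and all Python names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

# The three network access policy choices named on the slide.
BLOCKED, UNCONSTRAINED, TUNNELED = "blocked", "unconstrained", "tunneled"


class NetworkBlocked(OSError):
    """Raised so the app's network call fails as if no network were available."""


@dataclass
class MicroVpnPolicy:
    mode: str
    # Split-tunnel rules, used only in TUNNELED mode (their representation is an
    # assumption of this example): destinations matching an intranet IP range or
    # domain suffix go through the tunnel, everything else goes direct.  No rules
    # at all means "route all traffic back into the enterprise intranet".
    intranet_ranges: list = field(default_factory=list)    # e.g. "10.0.0.0/8"
    intranet_suffixes: list = field(default_factory=list)  # e.g. "corp.example"


def route_for(policy, host):
    """Return "direct" or "tunnel" for one destination, or raise NetworkBlocked."""
    if policy.mode == BLOCKED:
        raise NetworkBlocked("network unavailable")
    if policy.mode == UNCONSTRAINED:
        return "direct"
    if policy.mode != TUNNELED:
        raise ValueError(f"unknown policy mode {policy.mode!r}")
    if not policy.intranet_ranges and not policy.intranet_suffixes:
        return "tunnel"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so match on domain suffix instead
    if addr is not None:
        nets = (ipaddress.ip_network(r, strict=False) for r in policy.intranet_ranges)
        return "tunnel" if any(addr in n for n in nets) else "direct"
    name = host.lower().rstrip(".")
    for suffix in (s.lower().lstrip(".") for s in policy.intranet_suffixes):
        # Require a label boundary so "evilcorp.example" does not match "corp.example".
        if name == suffix or name.endswith("." + suffix):
            return "tunnel"
    return "direct"
```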
26. Micro-VPN Architecture (iOS)
[Diagram: the app's networking logic (NSURLRequest, CFNetwork, ASIHTTPRequest, BSD sockets) is redirected by the MDX Framework's network interception functions to SOCKS, TCP and UDP proxies on a localhost listener; direct calls such as domain resolution are intercepted as well; a tunneler library authenticates with a session ticket and carries the proxied requests over an encrypted tunnel to the gateway, which forwards them to servers on the corporate intranet]
28. Citrix Access Gateway™ and Citrix NetScaler™
Providing secure remote access to Windows apps, desktops, and enterprise web
• Adaptive
• Best performance
• HDX SmartAccess
• MDX Micro VPN
• Policy control & flexible deployment
29. Elements of the Solution
30. What happens in MDX apps stays in MDX apps….
• Many ways for information to escape from a managed app
ᵒ MDX framework slams the door on these escapes
• Data exchange with other apps
ᵒ Copy/Paste
ᵒ Document exchange (Open-In)
ᵒ Network APIs
ᵒ Printing, iCloud, email, SMS, etc…
• Restrict access to sensitive device hardware
ᵒ Camera, microphone, location services, screen shots, etc
• All controls are applied at run-time based on current app policies
31. Containing Data Exchange
• Blocking copy/paste and other types of data exchange is easy
ᵒ Gives poor user experience
• Constraining data exchange to managed apps yields far better experience
• By default, MDX framework seeks to constrain many operations to managed apps only:
ᵒ Copy/paste
ᵒ Document exchange (Open-in)
ᵒ Inter-app dispatch (URL Schemes, Intents)
• Administrator can place apps into named security groups
ᵒ If not configured, default is all managed apps
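The containment rules of slides 30 and 31 (exchange only between managed apps in the same named security group, with all managed apps as the default group), as an added example that is not Citrix's code: the per-operation policy modes, the two-pasteboard clipboard model and all names are assumptions of this example.

```python
from dataclasses import dataclass

# Assumption of this example: apps without an admin-assigned group fall into one
# default group holding all managed apps (the slide's stated default).
DEFAULT_GROUP = "all-managed-apps"
# The inter-app operations the slide says MDX constrains to managed apps.
OPERATIONS = ("copy_paste", "open_in", "url_scheme")


@dataclass(frozen=True)
class AppIdentity:
    bundle_id: str
    managed: bool             # wrapped or SDK-built and enrolled
    security_group: str = ""  # admin-assigned named group; "" = not configured

    def group(self):
        return self.security_group or DEFAULT_GROUP


def exchange_permitted(source, target, operation, policies):
    """True if data may flow from source to target via operation.  policies maps an
    operation to "blocked", "managed_only" or "unrestricted" (default managed_only)."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    mode = policies.get(operation, "managed_only")
    if mode == "blocked":
        return False
    if mode == "unrestricted":
        return True
    # managed_only: both apps managed and in the same named security group.
    return source.managed and target.managed and source.group() == target.group()


class ContainedClipboard:
    """System pasteboard any app can read, plus a contained one whose content is
    handed out only to apps permitted to exchange with the app that copied it."""
    def __init__(self, policies):
        self.policies = policies
        self.system = None     # visible to every app, managed or not
        self.contained = None  # (owner AppIdentity, content)

    def copy(self, app, content):
        if app.managed and self.policies.get("copy_paste", "managed_only") != "unrestricted":
            self.contained = (app, content)  # never reaches the system pasteboard
        else:
            self.system = content

    def paste(self, app):
        if self.contained is not None:
            owner, content = self.contained
            if exchange_permitted(owner, app, "copy_paste", self.policies):
                return content
        return self.system
```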
32. Encryption of persistent app data
• Mobile platforms secure persistent data in application sandboxes
ᵒ These protections are trivially defeated by jail-breaking or rooting the device
• Most mobile platforms can encrypt persistent data… but there are limits
ᵒ Encryption keys are held persistently on device
ᵒ Keys are often protected by cryptographically weak PIN or passcode
ᵒ No means to revoke access if device is not recovered
• Better solution: Encrypted file vaults with keys managed by enterprise
33. Elements of the Solution
36. Citrix Receiver and CloudGateway deliver enterprise mobility today
• Mobile container for apps, browser, data, and email
• Native iOS, Android, and HTML5 apps wrapped with policy
• Secure network access from app through Receiver to CloudGateway
• Remote wipe/lock
[Diagram labels: Mobile Container, Mobile App Wrapping, Secure Mail, Secure Browser, Contained Data, Single Sign-On, Mobile Optimized]