Citrix is making security enhancements to XenMobile in the form of certificate pinning. This feature includes a new Citrix Auto Discovery Service (ADS) access requirement that must be enabled in every customer environment whether you choose to use the certificate pinning feature or not.
Citrix Auto Discovery Service (ADS) is a cloud service owned and maintained completely by Citrix. This service plays a crucial part in every XenMobile environment and serves two main purposes:
As the name suggests, ADS helps with autodiscovery of XenMobile servers. When an email or UPN is used to initiate enrollment through Secure Hub, Secure Hub calls out to ADS to discover the appropriate XenMobile server for the environment.
ADS is also used to pass on environment-specific security settings to Secure Hub. Certificate pinning builds on this security.
We are making security enhancements to the XenMobile ADS that provide an extra layer of security through certificate pinning. Because of these changes, initial enrollment communication must flow through the ADS server.
Certificate pinning is a trust-on-first-use security mechanism applied during the enrollment process that protects servers from impersonation through fraudulent certificates issued by compromised certificate authorities. It is commonly used to prevent man-in-the-middle attacks.
Customers should open outbound port 443, if it is not already open, to enable mobile device access to the Citrix ADS service. This port configuration ensures that devices can reach ADS from within the corporate network, which is required for downloading any security updates made available through ADS. This port must be opened whether you use the certificate pinning feature or not. All customers must complete step 1.
To enable mobile device connectivity to Citrix ADS, open outbound port 443 from the client (mobile device) to ADS systems in the cloud for the following destination FQDN and IP addresses.
FQDN | Port | IP and Port Usage
discovery.cem.cloud.us | 443 | Secure Hub - ADS communication via CloudFront
Note: The IP address and port in the chart are required for communication from devices on the network. The chart does not describe communication between the internal components of XenMobile. The ADS connection may not work through your proxy server; in that case, allow the ADS connection to bypass the proxy.
If you are interested in enabling the certificate pinning feature, continue with the steps below.
Collect the XenMobile server (or Device Manager server for versions earlier than XenMobile 10) and NetScaler server certificates. These certificates must be in PEM format. Acquire the public certificate only, not the private key.
Note: The exported public certificate must not include the certificate chain (that is, the intermediate and root certificates).
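The following added example, which is not part of the Citrix article and not Citrix's own code, illustrates the two points above: the trust-on-first-use pinning model that Secure Hub applies (here reduced to recording a SHA-256 fingerprint of the server certificate's DER bytes the first time a host is seen, and comparing on every later connection), and a pre-flight check that a PEM file you are about to hand to Citrix Support contains exactly one certificate rather than a chain. The certificate bytes are constructed placeholders, not real certificates, and the host name is an assumption; the fingerprint arithmetic is the same as for a real DER-encoded certificate.

```python
import base64
import hashlib
import re

# One PEM certificate block; re.S lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def certificates_in_pem(pem_text):
    """Return the DER bytes of every certificate block found in a PEM string."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def is_single_leaf(pem_text):
    """True when the file holds exactly one certificate (no intermediate/root chain)."""
    return len(certificates_in_pem(pem_text)) == 1


def fingerprint(der):
    """SHA-256 over the DER encoding, the usual form of a certificate pin."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use pin store: pin the first certificate seen per host,
    then require every later certificate for that host to match it."""

    def __init__(self):
        self.pins = {}

    def check(self, host, der):
        seen = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen      # first use: record the pin
            return "pinned"
        return "ok" if pinned == seen else "mismatch"


def make_pem(der):
    """Wrap raw bytes as a PEM certificate block (64-column base64 body)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for DER-encoded certificates.
LEAF_DER = b"constructed placeholder: not a real XenMobile server certificate"
INTERMEDIATE_DER = b"constructed placeholder: not a real intermediate CA certificate"
LEAF_PEM = make_pem(LEAF_DER)                         # what Support expects
CHAIN_PEM = LEAF_PEM + make_pem(INTERMEDIATE_DER)     # leaf plus chain: rejected


def demo(host="xenmobile.example.invalid"):
    """Run the pre-flight check and a pinning sequence; returns the results."""
    store = PinStore()
    return {
        "leaf_file_ok": is_single_leaf(LEAF_PEM),
        "chain_file_ok": is_single_leaf(CHAIN_PEM),
        "first_connect": store.check(host, LEAF_DER),
        "same_cert_again": store.check(host, LEAF_DER),
        "different_cert": store.check(host, INTERMEDIATE_DER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the module directly to see the checks; the chain file fails the single-certificate test, and a certificate that differs from the pinned one is reported as a mismatch, which is the condition under which a pinning client refuses the connection.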
Contact Citrix Support and request that certificate pinning be enabled. During this process, you will be asked for your certificates. A link to Citrix Support is at the bottom of the page.
Yes. ADS access is required from your network by opening the required port. This port must be opened whether you use the certificate pinning feature or not.
The new certificate pinning improvements require that any newly enrolling device connect to ADS before the device enrolls. This step ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. If ADS is not reachable, Secure Hub does not allow enrollment of the device. Therefore, opening up ADS access within the corporate network is critical for devices to enroll.
Certificate pinning will initially be supported in the next release of Secure Hub 10.2 for Android, currently scheduled for early October, with XenMobile 10.2, and in a future release of Secure Hub for iOS.
Customers must open firewall ports to the ADS service to ensure new enrollment continuity.
Refer to the Certificate Pinning information available at Citrix Documentation for Secure Hub.
Use the following link - XenMobile Technical Support - to open a support ticket for assistance with ADS configuration. From this link you can locate the support phone number specific to your location.
Questions? Contact your Citrix account manager or authorized Citrix Partner.