Tuesday, February 5, 2013

Deploying iOS Apps with AppController 2.5

Perhaps the biggest draw of Citrix CloudGateway Enterprise is its MDX Technology. Combined with its proprietary mobile apps, or with your own home-grown apps, it allows us IT folks a very granular level of control over what the mobile apps we deploy via CloudGateway can and cannot do. It's really the centerpiece of CloudGateway's value proposition to those of us that would embrace BYOD, especially if we were to work within a field that deals regularly with sensitive data, say for instance, health care. If that happens to be you, or more likely if you just happen to be curious and want to give it a go, you are in the right place.

So first things first: in order to do this you are going to need a paid Apple developer account. It costs about $100 and enables you to generate the necessary certificates and profiles to build and wrap your apps for use within the AppController. Also, you can only run the Citrix App Prep tool from OS X 10.7 or later, so you are going to need a newish Apple computer, a VM, or a Hackintosh to get this done. Once you've got that all set up, you will need to log in and generate some certificates and profiles.

Certificate and Profile Generation

I am going to assume if you are an iOS developer that you are already more familiar with this process than I am, so the certificate process is mainly geared towards those of us that just want to wrap up the Citrix email and web browser apps. Plus I am completely unqualified to instruct anyone, anywhere on how to develop, build, and archive even simple iOS apps; it took me quite a while to even get my hello world app going.

Before we can get started on creating profiles, you have to get a distribution certificate in place. These steps are pretty straightforward and there is good documentation from Apple out there too:


Once this is done we can move onto profile creation:

First we need an App ID, so you guessed it, click App IDs within the nav bar in the provisioning portal.


From here, click the New App ID button.


Now we are getting to the fun part: let's name our App ID. I went the generic route because this is a test App ID. For our Bundle Identifier we want to use an * - this will stop us from having to create a new App ID for every app we package.


This brings us back to the App IDs screen, but now our new App ID is listed! This means we can move onto creating our provisioning profile, so let's do that. Click Provisioning, then select the Distribution tab (ignore my existing profiles!). Now click the New Profile button.


Go ahead and name your profile something exciting. You should see your distribution certificate listed here; select the App ID you just created from the dropdown box and submit.


Your profile will show as pending for a moment, but a quick refresh in the web browser should take care of that. Go ahead and click download to retrieve your profile, and save it to the desktop or somewhere easy to find.
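Before handing the downloaded profile to the wrapping tool, it is worth confirming it is the one the steps above were meant to produce: wildcard App ID, distribution rather than development, and not about to expire. The script below is an added example, not part of the original walkthrough or any Citrix tooling. It reads the plist embedded in a .mobileprovision file without verifying the CMS signature; the sample profiles, team ID and 30-day threshold are constructed for illustration.

```python
import plistlib
from datetime import datetime, timedelta

def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper (signature is NOT verified here)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(profile: dict, now: datetime, min_days: int = 30) -> list:
    """Return a list of findings; an empty list means the profile looks as intended."""
    findings = []
    ent = profile.get("Entitlements", {})
    app_id = ent.get("application-identifier", "")
    if not app_id.endswith(".*"):
        findings.append(f"App ID {app_id!r} is not a wildcard; it matches a single bundle ID")
    if ent.get("get-task-allow", False):
        findings.append("get-task-allow is true: development profile, not distribution")
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if expires is None or expires - now < timedelta(days=min_days):
        findings.append(f"profile expires {expires}; fewer than {min_days} days left")
    return findings

def sample_profile(app_id: str, debug: bool, expires: datetime) -> bytes:
    """Constructed stand-in for a .mobileprovision: junk bytes around an XML plist."""
    body = plistlib.dumps({
        "Name": "Constructed Test Profile",
        "ExpirationDate": expires,
        "Entitlements": {"application-identifier": app_id, "get-task-allow": debug},
    })
    return b"\x30\x82\x0b\x5e" + body + b"\x00\x00"

if __name__ == "__main__":
    now = datetime(2013, 2, 5)
    good = sample_profile("ABCDE12345.*", False, datetime(2014, 2, 5))
    bad = sample_profile("ABCDE12345.com.example.mail", True, datetime(2013, 2, 20))
    for label, blob in (("good", good), ("bad", bad)):
        print(label, check_profile(extract_plist(blob), now))
```

To check a real download, read the file's bytes and pass them to extract_plist in place of the constructed samples.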



Application Packaging

Ok so now onto the proverbial meat and potatoes. We need to download and install some software. 

First, if not already installed, grab and install the latest version of Xcode, which is a prerequisite to the wrap utility we will be using. Also, for good measure, install the command line tools from the same page; I got a wacky error without them being installed.

Next, we need some mobile apps. Good test candidates are the "@WorkWeb" and "@WorkMail" apps from Citrix, available currently on the CloudGateway Enterprise download page. In addition to the apps, we need the App Preparation Tool for iOS Applications from this same page. Go ahead and unzip and install the App Prep Tool and run it. Here's what you should see:


So let's not make things overly complicated: browse for your IPA file and select it, then hit next. You should see a screen similar to what I have, prepopulated with some values. These are pulled from the application's metadata and are usually pretty accurate, so don't change anything unless you are certain you know what you are doing, then hit next.


Now we have to dig up that provisioning profile we downloaded, so browse and select it. Your App Prep Tool should have recognized the certificate you installed earlier as well; if so, hit create. You will be prompted for a save location/name for your new mdx file. Modify it however you see fit and hit create.


A progress bar will appear and hopefully everything goes smoothly. If it does, you will see the picture below. If it does not, a window should appear with a command line string you can run to get more verbose output. I've found that running it in CLI mode and doing some intensive googling on whatever error it throws will usually point me in the right direction. If it does fail, feel free to post here or tweet me and I will try to help you out.



Application Deployment

Now we are getting somewhere! We have an MDX-wrapped iOS app all ready to go. So onto new business: log into your AppController, select the Apps & Docs tab, select iOS in the nav bar, and last but not least hit the big green "+".


Now we have an Upload Mobile App wizard, and the first thing it wants is the path to your MDX file. Browse and select the mdx we just created, then hit next.



It will take a moment to upload the mdx file, then it will validate and prompt you with a details page. Here you can see a lot of the same stuff that we saw in the packaging utility, as well as category and role assignments similar to what you would see when deploying SaaS apps. I am going to leave everything default, but you could very well assign this app to a specific role here as well as give it some sort of special category. Go ahead and hit next.



Now you are presented with a workflow tab, which is also very similar to the SaaS app deployment process. You can enable an approval workflow here so that Joe Snuffy's manager has to approve the app install. Click next.



Since I skipped the workflow process, the wizard goes straight to the policy definitions. This is where all the magic happens for mobile apps. First of all, be aware that you can actually scroll down in this window. OS X hides the scroll bar, but if you mouse over and use the scroll wheel or two-finger touchpad scroll on the window here you will see all the options below, some of which (the email-related ones) are specific to the app that I am using in this example.






I would love to tell you what all of these policies do specifically, but that would take forever. They are geared around implementing the MDX features listed here and include things like sandboxing the MDX app from sharing data with non-MDX apps, blocking email and SMS compose, blocking screenshots, forcing VPN tunnel based connectivity back through the datacenter, encrypting local app data, restricting use to specific Wi-Fi networks, and forcing periodic re-authentication and updates before allowing the user to use the app. Basically a BYOD admin's dream.

One thing I can tell you that I had to do in order to get my applications to work is to disable the "Enable Database Encryption" setting. Without it disabled, I was constantly told "Your app will become active again once Citrix Receiver starts" over and over again when launching the app. Even with the setting disabled, I get the prompt once when first starting the app. I then have to go into Receiver and relaunch the app, at which point a black screen appears; if I close this screen and relaunch the app, it works fine from then on. In fact, it may just be the installation process finalizing and me being too hasty trying to launch the app.

Anyhow, you should now be able to install the iOS app on your device of choice through Receiver and eventually launch it. Play around with some of the timeout settings if you are constantly getting prompted to log back in. Heck, play around with some of the security settings and let me know how they all work! Appreciate you taking the time out to read this long post. Please feel free to post or tweet me with questions.