Duration 1:09:13

Citrix Synergy TV - SYN136 - Geek's guide to the workspace (part 1): workspace fundamentals

Ana Ruiz
Technical Marketing Architect at Citrix
Citrix Synergy Atlanta 2019
May 22, 2019, Atlanta, GA, United States

About speakers

Ana Ruiz
Technical Marketing Architect at Citrix
Daniel Feller
Lead Workspace Architect at Citrix

About the talk

Currently, users have a fragmented workspace experience, forcing them to think about what device, what identity, and what content repository to use. Figuring out how to get work done becomes the barrier to actually getting work done. In this initial session, we will create a complete Citrix Workspace experience, incorporating virtual apps and desktops, local and mobile apps, and content apps. We will show how each Workspace service integrates into a cohesive solution that we will build upon in upcoming Geek's guide to the workspace sessions. Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.


Welcome to the fundamentals of workspace. So how many of you realize that this is a 10-part series? All right. So just so you know, the doors are being locked. So you're stuck here until tomorrow afternoon. So I hope you brought your toothbrushes. Hope you brought your pillows. We're going to be here a while. So we're going to get started, because we have 90 minutes, and if you've been in my sessions before, you know I have lots of slides, and we do. So what we're going to do is talk about the workspace, and what we're going to end up doing is building this entire environment. So in this

session, we are going to put all these pieces together. We will end with a workspace environment that gives you local and mobile apps, SaaS and web apps. It'll give you the virtual browser apps, even your content applications. And so we're going to build out this entire architecture, you know, from beginning to end, and show you video demos of how you actually do it. The sessions that follow, 2 through 10, will dive deeper into each of these different topics and provide additional clarity and additional functionality on these different things

another one. I'm going to be presenting analytics and he's introduced passwords or something boring. So who's going to be attending the analytics session and join me tomorrow? Come on. I'm going to be going to Feller's boring password session after lunch. No, no. Salt password. Come on. We have a dollar bet to see if I can get the biggest ears not enforcing. I think he won. All right. So we're going to talk about the whole workspace thing, and we're going to

start at the beginning here. So we look to the beginning of the workspace. There's a lot of firsts. Talk about some of my first experiences in my life. Now, these are all, you know, safe-for-work experiences, just so you're aware of those. So this is my first Citrix conference in 1998 was called Synergy. I'm not sure if that was a logo, but I couldn't find a Citrix Synergy logo on Google anymore, so I'm not sure what it looked like. It was my first tech update session in 2014. And for those of you who are going to tech update this year, I am not presenting it anymore. After that many years, I'm

done, but it's still here with other great presenters and great content. So I would say don't skip it, but then it conflicts with this Geek's guide workspace series. So stay here. This is my first Chuck Norris joke that I told in one of my sessions. And then that was my first workspace. And so a lot of us had that start too. If you think about this, it's actually true: your workspace environment is where you get all your apps, all your content; you get all your work done on all your devices. I only had one device. All my files are

right there. All of my applications are right there. That was my first workspace. Now as we move forward, things have changed, things have grown. So now instead of, you know, a single Chuck Norris fact, I've done many Chuck Norris facts over the years, and that's just a fraction of them. And in the concept of a workspace, we now have something like this. We have all these different devices: you know, you've got mobile devices, you've got tablets, you've got even the smart Alexa devices and Google Home devices that are spying on you constantly. You also have all the different applications, you know, you

got your web apps, SaaS apps, your Windows apps, just apps of all these different types. On the Alexa device, I have the Chuck facts skill. You can ask Alexa and it'll give you a fact back. So I do one every day for my kids. They love it, until it did the one where they basically ruined Santa Claus for them. So I got in trouble for that one. And then we have all this content. This content is everywhere. You've got cloud content, and so for me, I'm extremely cheap. I have my files in Google Drive and OneDrive and Dropbox,

any place that's going to give me free storage, I'm going to use it. So I've got content everywhere, and then of course I also have local network storage as well. So all these things are everywhere, and what this ends up being is that I have a complete environment that is just total chaos. And with multiple devices, what ends up happening is I have multiple workspaces. Each device becomes its own workspace, and I'm trying to figure out which of these applications I have to have on each of my different workspaces, and then which of the content from all those different

repositories do I need on each of those workspaces. I'm reconfiguring, adding all these different things on all these devices; it's just a real big pain. So what we want to do is take where a lot of us are right now, with this whole concept of StoreFront, and we want to expand this out. We want to fill in the blanks here, fill in what's missing. So right now what we have here is Windows applications and desktops. We have Linux applications and desktops. What we're missing is the web apps. We're missing the SaaS applications. What we want to look at as part of

this session is how do we start at StoreFront, and how do we start incorporating the SaaS and web applications into our StoreFront model, and then expand out further into the whole workspace? So then at the end we end up plugging into a single workspace that's not tied to a device anymore. Every device can get to the same workspace experience. And then that workspace then gets you to all the content that you need for anything that you're trying to access. And to do that we use Workspace app. Workspace app, I would

hope all of you guys. All right, the Workspace app is the foundation, right? It is what allows me as a user to have my workspace no matter where, whatever device I have. And this for me personally, I tell my husband all the time, I am spoiled. I will never be able to work anywhere that doesn't give me the flexibility, because I'm no longer tied to that device. I can use my Chromebook. I can use my MacBook. I can use my phone. I can use his computer, my mom's computer, my sister's computer, whatever it may be. And the reason being is because I have Workspace app. Workspace app underneath the hood has

different engines that give me that ability to access different types of applications. So I would say most people in the room here are pretty technical. So you know that different applications, you know, live on different back ends, but most end users aren't technical, right? If you think about my mom, my grandma, my grandfather: not technical at all. And they just want things to work. They just want to be able to click on the application. They don't care if it's living on OneDrive, Google Drive, cloud. I don't even think they know what a cloud is. They just want it to work. The other cool

thing about the Workspace app is we've now added auto-update. So I know in my previous life, when I worked a lot, I was a sales engineer and worked with customers, and one of their biggest pain points was updating Receiver. I'm sure a lot of you guys can relate to that. So we've added that auto-update functionality into Workspace app. The Workspace app has different flavors, right? So I have the desktop one for Windows or Mac, I have the mobile one for iOS and Android, and I also have the web one, right? So there is the web one; it is HTML5 based. And they serve different purposes. So for example,

I have the desktop app on my corporate device. I have my mobile app on a phone and tablet. You can use the web app for, like, a public kiosk, et cetera. I personally use that when I need to use someone else's computer, like my husband's, my mom's, etc. I don't want to go and do the full install of the Workspace app, so I just use the web one. Then I authenticate into it, and the resource feed will give me access to all my applications, again, no matter whether they're SaaS, web, files, etc. I have my full workspace on the go. Bad thing now: Dan, my manager, I

have no excuse, because I have all my apps and everything on the go, so I have no excuse to say that I can't work. We do have Tech Zone, or Tech Insight. If you haven't checked it out, go check it out. Our team creates that. We create videos and articles, all technical, for you guys to consume, and we actually have one on Workspace app. So if you want a deeper dive, that's actually a better picture to take. There is a QR code, or text Owen. Citrix.com, and we publish great articles, great videos, architecture diagrams for you guys to consume.

So with that. When I only have Workspace app, we can start expanding our environment to start including the SaaS and web applications. How we're going to do this is using the Gateway service. So it's like Gateway on-prem, except it's a lot easier: basically flip the switch and it's running. So this is good for someone like me, who knows absolutely nothing about networking, to actually set up a Gateway. So let's take a look at this and see how we're going to walk through this and add additional functionality into our workspace environment. So this is what we're going to start

with is to have a workspace experience that includes our Windows apps and desktops. So this would be step one. We need to take that on-prem virtual app and desktop environment we have deployed and incorporate that into our workspace experience running in the cloud. After that, the second step is to add single sign-on to SaaS and web applications so that they will appear within the workspace environment. So the first part is site aggregation. So what we end up doing, at a very high level: the user will connect to workspace; workspace will use

site aggregation to pull in all of the resources, all the published applications and desktops that you have within your on-prem deployment. You know, this is your Citrix virtual desktops; everything's running on-prem, but we'll be able to tie that into the workspace experience. So let's look at an architecture that we're going to be very familiar with. We have a user who connects to the Gateway that is running in the DMZ. The Gateway service, or the Gateway, talks to StoreFront and delivery controllers, and talks to all the different resources that we have, published apps, published desktops. We also have an

internal user who is accessing the environment differently. Of course, they access directly from StoreFront. So after the keynote yesterday, you know, we heard all of the story about Maria and how, you know, workspace makes her life easier, so I want to introduce you to Chuck. So here's this environment. It works really well, it has for years, but there are ways we can improve this to make it even better. So some of the challenges we have: there's a network device to manage. There are multiple network devices to manage, because you don't want to have one,

because that's a single point of failure. That means the virtual desktop admins have to deal with a networking team. Nobody likes dealing with a networking team. So this is an issue. The second thing is that we have firewall rules. You notice that Chuck is in front of the firewall rules, because nobody gets in front of Chuck Norris. We had to move that over to get out of the way. So there are firewall rules we have to open up to let the Gateway talk to StoreFront, delivery controllers, to Active Directory. So we have to again talk to the networking team, which we don't want to do. There's also public IP

addresses. You have to have a public IP address to get to that Gateway, you know, a fully qualified domain name with certificates that you have to, you know, manage. You also have to deal with multiple sites, because if you're looking for no single point of failure, or you have, you know, a large deployment, you're going to have multiple sites, and how are you going to distribute load across these different sites, and how are you going to do that? And so what we wanted to do was change this and try to make it easier. And so what we end up doing is get rid of the Gateway that's running in the DMZ and use

workspace with the Gateway service that's running in Citrix Cloud. So now what's going to happen is that we deploy a set of Cloud Connectors within the on-prem environment, within the on-prem data center. What these will do is, when they start up, they create an outbound connection to the Citrix Cloud services, the workspace and the Gateway service. These are outbound connections that remain open, so there are no firewall changes that need to be made. So this allows the Gateway and workspace to talk to and communicate with the internal resources through that outbound control channel. So now

what happens is a user, they connect to workspace, find their list of resources, and then they use the Gateway service, which makes that secure connection to their virtual desktop or virtual application. So what we end up having here, with all the issues that we had before: there is no networking device to manage. It's gone; Citrix manages it. There's no public IP address, because the public IP address is the workspace experience in the cloud. There are no firewall rule changes, because that Cloud Connector is creating outbound channels. So there's no inbound. There's nothing

inbound. The inbound stuff goes through those control channels, which are initiated going outbound. That's how we're able to get around having to open up all these different firewall ports. The Gateway service is a global deployment. I think it's 12 points of presence around the globe, and then it will automatically direct the user to the most appropriate Gateway service. So you end up getting the best experience, and then the user gets the same experience whether they're internal or external. You're still going to hit workspace; it's external. So it's always going to follow the same path. It

is always going to have the same policies applied to them regardless of where they're located. So with this, what we end up having now is, by adding the Gateway service in here, we're able to do that whole site aggregation. So we'll go through the video demo of how you actually set this up, just so you get an idea of how easy this actually is. So within the cloud environment, I already have set up a resource location. So I've got two Cloud Connectors set up for this particular resource location. One's offline, that's why it's orange, but I have two, so

I still have connectivity to that on-prem environment. So then I'm just verifying that I can talk to my domain, and so you can see my domain's available. Again, it's just telling me it's only reachable by one connector, because the other one's offline, but it's still available. I go ahead, and you can see here for workspace I have a public URL I configured for this, so you don't have to remember some crazy alphanumeric thing. This is very easy for you to remember initially to get connected. And then under the sites, we're going to go ahead and incorporate our

site, our virtual app and desktop on-prem site, with this. So the first thing we do is select a resource location; this links with our Cloud Connectors. We give it the IP or fully qualified domain name of one of our delivery controllers. And this would just be, like, admin accounts for your delivery controller, so the system is able to contact it. It's going to test to make sure it's working and can communicate with it. And once that's done, we're going to go ahead and configure the domain. So I only have one domain, that's the one I want to use. And then which Gateway do I want to use? An

on-prem Gateway? Well, you can, but here I want it to be very easy, because what we're talking about is simplifying all this for the admin. I will go ahead and use the Gateway service, and say finish, and done. So now when a user launches Workspace app, they should get all those applications, all those desktops that are available within their internal environment. So he's going to go ahead and just quickly do a refresh. So there's nothing there, and then when they refresh, what we'll see is

this thing just populate with apps and desktops. There are no recents or no favorites, because it's a new user, but clicking into Apps and All Applications, you'll see the list of the applications that are available for this particular user. Comments about the... I like Minecraft and Cities: Skylines. So I run a virtual app and desktop environment at my house, so my kids stop fighting over who gets to go on the computer. So that's why I have all those. But that is basically the setup of using site aggregation, of

maintaining your virtual app and desktop environment you have on-prem, not even touching it. We didn't make any changes to that on-prem environment, and we were able to easily incorporate that into the whole workspace experience. So it makes it really easy. Now the second part of this, using Gateway, is single sign-on. Half of you haven't raised your hands; that's very shocking, because SaaS applications are something that is growing tremendously. So the Gateway service not only provides access to virtual

apps and desktops, like Dan mentioned, where you can integrate with your on-prem virtual apps and desktops environment, but it also provides single sign-on for SaaS applications. So things like Concur, Workday, Salesforce, you name it. It also provides single sign-on for web applications. So let's take a look at why it's important and how we do this. So like I mentioned, just talking to a bunch of my customers, SaaS is something that's exploding in everyone's environment. A customer straight up told me: we are SaaS first, and if that application can't be a SaaS application, then we'll look at delivering

a different way. And so with that, with the SaaS applications you have different credentials that your users need to memorize, different URLs that your users need to memorize in order to be productive. And so it's a lot of wasted productivity, right? I'm sure we're all familiar with the pain of resetting your password and meeting the specific complexity rules that that specific application requires, coming up with crazy passwords and trying to figure out then, how do I remember those passwords? Right? So for your end users it's a pain, but also as an organization that can create a security

threat, because if they're not meeting these complex passwords, or they're writing it down on a Post-it note, Excel file, whatever, it just opens up your environment for a potential breach. And how does it work? Essentially, Gateway service provides single sign-on to your end user's local browser. So behind the hood, how it works is, for your SaaS applications, it works using SAML. And then for your web applications, so these are the applications that are living within the four walls of your data center, you need to install something called the Gateway Connector. This is a

virtual appliance that will go inside your DMZ and will provide that secure external outbound traffic to provide that SSO for your web applications as well. So let's take a look at what setting that up looks like. You'll go into your cloud services, hit Gateway service in order to configure that SSO, and you'll go into single sign-on, get started. So Dan already did the site aggregation. So we'll go ahead and look. We have templates for over a hundred and fifty SaaS applications, probably more at this point, but you also don't need to use a template, right? This is just making it easier for

certain SaaS applications. You'll go ahead, type in the name, type in the URL for that specific application. In this case, we're doing Humanity. Then once we've typed that in, you can change the icon for your end users, change the description. For now, we're going to skip enhanced security, as we'll be covering that shortly. So we're going to go ahead and do that. Once we type in the URL, there are going to be certain configurations that you need to do on the SaaS provider, and so we'll click on that link right there, which will give you an XML file with all the information that you need to

input into the specific SaaS provider. And so right now we're going to go into the Humanity app itself as an administrator to set up and complete that SSO. So we're going to go into settings in the upper right-hand corner, scroll down to single sign-on to complete that configuration. Again, we make it very easy, because we'll give you that XML file so that you can get all the information that you need, including the identity ID as well as a certificate. So you'll see us copying it over and pasting it into the Humanity application to complete that setup.

So we'll enable SAML, copy that, go copy over the certificate, and this will allow the single sign-on from Citrix Workspace into that specific SaaS application. So you would follow a similar process for all your different SaaS applications out there. Save those settings. Go back to the Gateway service in order to complete some of that configuration. And then once we hit save, we'll go ahead and finish that, and now that application will be available within my Citrix Cloud library. So the library users to that specific application. And so now

we'll go into the Citrix library and manage my subscribers. You can give access to a specific user or a specific AD group. Again, we're pulling those from the Cloud Connector that Dan showed earlier. So I'm going to give access to all domain users, and now let's take a look at what the end-user side looks like. One of the cool things is that you'll notice that Max doesn't have to log out in order to get access to Humanity. All he needs to do is refresh those applications. So you can dynamically give users access to their applications without them having to disrupt any of their work day. And

you'll go ahead and launch Humanity. And you'll notice that it'll actually open up in his local browser, in Firefox, right? Dan will talk about some of the other options when it comes to security that you can give your end users. But it's a great user experience. They don't have to remember their complex passwords anymore. They have everything they need within their workspace, and they just have to authenticate once. And so Gateway service, right? It has a lot of features and benefits. I think the huge one is that SSO to SaaS applications and web applications, something that is very

relevant today, and I think will continue to grow within all enterprises. So the next part, building on top of that: so we have the single sign-on; we want to increase the security, enhance the security for the SaaS and web applications, and there are a couple of reasons. I mean, it's very easy to bring a USB thumb drive and start stealing data, but if you ever put that thing in right the first time, go buy a lottery ticket. It is fascinating, as it's like a 50/50 chance that you insert that thing right, and it never comes. It's like, for me, I'm like 90%, I'm always

incorrect. And there are also phishing attacks, you know, a URL you click on, and then you get a site that looks like Facebook, but it's not Facebook, because when you actually look at the whole URL, that is not the Facebook URL. So we need to protect users. Now, everyone in the room likes to make fun of users and say stupid users. But honestly, it's very easy to be fooled by something like this. You know, they've become really intelligent at masking many things. Look at the bit.ly links, the shortened URLs you get; go figure out what they are before you click on them. And even some that you see, like www.

Facebook, so I'm going to go there, but you don't look at the full URL to realize that's not the actual one you want to go to. What we want to do is have security for the SaaS applications and web applications to protect the users. So what we just did before is we have workspace. We didn't have enhanced security, and the user would be single signed on to that particular web or SaaS app. What we do now is, when you turn enhanced security on, what ends up happening is, if you're using Workspace app via the desktop version, you know about the three different variations of Workspace app; this would

be the full desktop version. There's the embedded browser. You know the engines she talked about; one of those is an embedded browser. So when enhanced security is on, using that full Workspace app on the desktop, that web or SaaS app will run within the embedded browser. So it'll feel like a native browser for you; it all runs locally. And you have that exact same experience, except now we're able to do security policies on top of this. We can do watermarking, we can disable printing, navigation, do other things to this. And also, any URLs that you might click within the SaaS application,

we're going to assess and decide whether the user has access to it. So we either say no, you don't, or yes, you do, and we'll allow it, or we can then redirect you to Secure Browser. So here I'm in the embedded browser, which is that engine inside of Workspace app. But then we have Secure Browser, which is a published browser. It's running in the cloud, and what it's essentially doing is breaking that direct connection from your endpoint device to the internet. So we're breaking that and running a disposable browser in a cloud environment. So it gets built

when you start it, and it gets destroyed when you close it. So it's a disposable browser: any data, anything you downloaded on there gets destroyed, gets erased when you close that session. And what all this is basically doing is breaking that link, so any malware, anything that you get from the internet, will not make it down to the endpoint device. So for certain things we might want to redirect instead of allowing it within the embedded browser or denying it outright. So that was using Workspace app desktop. When you use Workspace app web or mobile,

what ends up happening is, when enhanced security is turned on, they don't have that embedded browser engine. So what ends up happening is it launches Secure Browser instead when you have that turned on. And then the URL filtering, the website filtering that we have, will follow the same process: it will deny, it will allow, or it redirects to Secure Browser. But because we're already in Secure Browser, we're not going to redirect to ourselves; we can go ahead and just essentially allow it. So allow and redirect have the same end result when you have a Secure Browser instance running. And some of

you might be thinking, it's like, it's a SaaS application. This is coming from Salesforce. I trust Salesforce. I trust Humanity. I trust these SaaS applications. Why do I need someone to validate these? Outlook is a SaaS application with Office 365. Hopefully we all know not to randomly click links that come in Outlook. We can trust Salesforce, but do you trust what someone put in there? Because you can easily add URLs to all these different SaaS applications, you know, in messages and comments, and users can click on them. So what we want to do is protect the user from

that. So to kind of show you how we're doing this: we didn't turn enhanced security on when we created that Humanity application, so we can go back in here and just edit this. And we go through the settings, don't change anything except right here. We turn it on, and we won't restrict navigation. We'll restrict everything else, but not navigation, so you'll still be able to navigate within the application. And then with that we go ahead and hit next, next, next, save. And so we now have enhanced security turned on. The second part is the website filtering. So

here we go into access control and determine which of these websites we want to allow, deny, or redirect, and you can break this down by URLs or categories. So here we're going to go ahead and get rid of all the fun stuff that we have on the internet: the malware and the spam, peer-to-peer and torrents, adult stuff, gambling. So we're going to make the internet boring. So we're blocking all this stuff. So if you try to click on this, you'll be denied access. Anything that deals with social networking, we're going to redirect to Secure Browser. So that is now set up, and you

can go back and actually set specific URLs, so maybe you want to allow Twitter, but you want to redirect everything else; you can do that as well. So here I launch the application, but you know, this is no longer Chrome or Firefox or Edge. This is now the embedded browser, and you can see I have the watermark for my user. I tried to click on, I believe, Pirate Bay. That was blocked. We go back. The user's going to go ahead and click on, if I remember the demo right, go to Facebook now. And my personal belief is Facebook should be blocked too. I don't

like Facebook. But now it's just launching a Secure Browser instance, and the user will be able to get access to Facebook. But yet it's not running on their endpoint device. It's running in a temporary browser in a cloud. And so they'll be able to use Facebook and do whatever they need. When they shut this thing down, the browser instance goes away; anything that got pushed down to that machine where the browser's running gets erased from that device. So we've now expanded this a little bit. We've now incorporated access control. We've incorporated Secure Browser in this whole architecture. And with this

what we end up doing is enhancing security. It's giving us no data left behind after those browser instances. It's also incorporating, you know, the website filtering, and giving us some analytics on what users are doing in the environment; we'll talk more about analytics later in the session. But so again, there's another whole video on this that goes even deeper into access control, again on the Tech Zone; you'll see this recurring theme throughout. But now we move into the endpoints. So let's talk about the endpoints themselves and how we can control local and mobile

applications, right? Citrix Workspace has the ability to connect back to local and mobile applications as well. So giving the user that full workspace, depending on what endpoint they're connecting from, right, which we'll talk about. So if I'm connecting from a mobile device, I may have access to certain applications that I wouldn't have access to if I was connecting from a full desktop. So just a couple of statistics out there. I think everyone in this room... I would be shocked if I get one person that doesn't have a mobile device. Is there a person in this room that does not have a mobile device

on them? Yeah. That's what I thought. Well, I have it. Why don't we take a famous selfie? Come on, Dan. Let's do it. Awesome. So now that we've done that, we know that this is very prevalent, right? And so whether or not your organization has a full-on mobile device policy, it's something that should be on the back of your mind, right? Whether you have a proper full BYO policy, whether you're giving out corporate devices, the reality is that both on corporate devices and personal devices, most users have a combination of both personal applications as well as work applications,

right? And if you don't give them the tools to be productive, they'll find a loophole and then your environment won't be secure. So what I tell all my customers is you should have mobility as top of mind, to figure out how can I please my end users and give them the productivity tools that they need while also making sure that my environment and my intellectual property is secure. And this is not just mobile devices, right? Now we have tablets out there. We have full-on desktops where we also have personal applications and work applications. So how do we secure these, and how do we also make

sure that for those personal devices, like the one I just took a picture with, that my company isn't being really restrictive, right? Because at that point then I won't even want to use those work applications. And once again, I will try to find a loophole so that they're not completely taking over my personal device but still where I can be productive. So how does this work? We have the Workspace app, which will communicate with Citrix Workspace. The same authentication that we did on the full desktop, we'll do this on mobile. And then once we do that, the resource feed will talk to the

Endpoint Management service, which will determine whether this device needs to be enrolled or not in full endpoint management. If it's a MAM-only device, I think we have a very powerful tool to have only mobile application management, where we don't control the device yet still secure work applications, and then we'll communicate with Secure Hub. So Secure Hub is the application on mobile devices that is required to push down the device policies as well as the application policies for those mobile applications. And once that happens, now your end user will be able to download those local mobile applications. We'll

talk a little bit more about the app container in this next section and why it's important. If you don't have containerization, what happens is you have your work applications and your personal applications coexisting on the same device and sharing a lot of those underlying resources. What I like to say is, you don't need to have malicious users or malicious applications in order for your intellectual property to be at risk. If you know a little bit about how Facebook, Twitter and some of the other common non-malicious applications work, they have APIs that in the background are constantly pulling

information from the end user's device. If you have both of those applications coexisting, you run the risk of Facebook, Twitter, Amazon, etcetera pulling information from some of your corporate devices. So, how do we deal with this? We do it by containerization. So we essentially create an app container for your work applications. And now these work applications will have their own underlying resources that they talk to. The benefit of this is that we now have specific policies that we can set in order to protect your information while still giving your users the

ability to be productive on mobile devices. Another huge challenge that we run into when we talk about mobile devices is connecting to internal resources. So how many times do you get a link in an email and you click on it and you can't actually render that link because it's an internal site, right? I know it happened to me before all the time. And so you could have a full VPN on the mobile device, but I can guarantee, if there's anyone from security in the room, that'll be a big no-no. Same thing: you don't want to give Facebook, Twitter, Amazon a full

VPN where they can now access all of your internal resources. And so the way that we deal with it is through micro VPN. Who here is familiar with micro VPN and our technology? That makes me very happy. It creates a per-app VPN, and the key thing to this is that it does not require a full VPN profile on the device. So a lot of vendors out there, in order to give you this functionality, they need to push a full VPN profile; therefore you need to do full device management. We don't do that, right? That's if I thought you

saw it right there: it is not device managed, yet I have the ability to do micro VPN. Therefore I can access my internal resources when needed. And it's so powerful that Microsoft actually asked to partner with us in order to enable their technology to do this, and the underlying resources are ours, right, that technology is ours. So let's take a look at what that looks like. We'll go into cloud services, going to the Endpoint Management service. And again, this is where we're going to be able to set those specific policies, and later in the presentation we'll also show you

how to do device management from the Endpoint Management service itself. The first thing that we'll do is we'll set up LDAP so that that device can communicate to your Active Directory. With Citrix Endpoint Management, you can actually do local users as well. We won't get into that today, but you have that ability of doing that if you have users that you need to give access to these applications that are non-AD users. Once we set that up, we'll go into the configuration to configure some of those applications. What we're going to show here are two applications that come with our Endpoint

Management service, which are our containerized email client and our containerized web client, but you can do the same process for any homegrown applications. You can wrap these applications and you can follow the same process. So essentially what we do is we upload what we call an MDX file. This is essentially a policy file, right? So this is where you'll set your app policies on the device, and you could do this per platform. The reason why we divide it out per platform is because different platforms give us access to different things. So iOS doesn't have the

same functionality that an Android device does, so we give you that granularity to do it per platform and per application. So you can do things like block copy/paste, block the camera from that specific application, check for jailbroken or rooted devices, and like I mentioned, something that's very powerful is that you don't need full device management in order to set these restrictions and in order to check for things like jailbroken or rooted devices, etcetera. Once we go through this, we'll hit next and we'll give access to all

users. Again, you could restrict this based on user group, so depending on who you want to have access to these applications. We'll follow a similar process and do it for the Secure Web browser. So like I mentioned, if you have any homegrown mobile applications, you could use our wrapping service in order to have the ability of doing this as well, and sending those applications to those homegrown, setting these policies on the homegrown applications. So we'll go ahead and approve that, give it to all users. Another cool thing that you can do here is you can actually do it so that not only do you assign it per user

but you also check things on the device itself. So maybe only allow it on iOS, or maybe only allow it on certain versions of an iPhone or a tablet, and so it gives me the granularity to do both. So now we're going to go ahead and mirror Dan's Android. You actually saw that I have an iPhone. That's okay. We'll talk about that later. And we'll launch the Workspace application. Right, and you'll notice that as soon as the user refreshes their applications, I have access to Secure Mail and Secure Web. If that same user were to log on into the full desktop app, they wouldn't have access to

that because these are mobile-specific applications. So again, being able to contextually change it depending on the endpoint that the user is coming from. Once I click on Secure Mail, it'll redirect me to Secure Hub, which we talked about earlier in the architecture diagram, and if the user doesn't have Secure Hub, it'll ask them to download Secure Hub. Like I mentioned, Secure Hub is the application that allows the communication to the Endpoint Management service and allows those specific application policies as well as device policies to be downloaded to the device. And so the user can follow that. So once I

download Secure Hub, I'll now have access to the mobile applications. One of the big changes that we did from a couple of years ago is, before, you actually had to upload the full application to the Endpoint Management service, and that's where the user would download it from. Now we do it through Google Play and the iTunes Store, so making it a lot easier for the end user to do updates and so on with the applications. The only thing that we're pulling from the actual service itself is the policy. So what we uploaded, that MDX file, is essentially a policy shelf. It'll ask

the user whether or not they want to enroll. So in this case the user, right, it's a MAM-only situation. Again, this can be changed from an administrative perspective. So if you want to force the users to enroll in MDM, or not give them the option, you can make those configuration changes as well. Once the user sets their PIN, their Citrix PIN, they'll now have access to all the applications, including those Secure Mail and Secure Web applications. So when I go to add, you'll notice that it'll redirect them to the Google Play Store to download Secure Mail. A lot of customers ask me what

happens if I just go straight to the Google Play Store and download it? You could, but once you launch the application, it'll actually ask you to download Secure Hub and authenticate. These applications cannot be used unless you have Citrix Endpoint Management. Once we download Secure Web as well, we'll now have these applications locally living on the device, right? So these are local applications and I'll be able to utilize them and do my day-to-day work. One of the policies that we decided on is that app interaction between the applications: we want to restrict how these applications, which are work

applications, interact with those personal applications. And so you'll notice that when Dan here clicks on the link, so now they're talking to her is so but once he actually clicks on the link, it'll open up Secure Web. If it was an internal site, it would actually go through the micro VPN in order to pull that internal resource. Now Dan is going to try to copy that URL and paste it into, I want to say, Google Chrome, which is a personal application. And you'll notice that when he does that, he won't have the ability of pasting that information. So yeah, this is a URL. It's not a big deal.

But think about if it's actual intellectual property that you want to protect: they wouldn't be able to do this. But if they go back into the other containerized applications, so in Secure Mail, they would actually be able to copy that information over. So you're not restricting the user, you're just giving them the tools to be productive while still protecting your information. So it's very powerful and I encourage all of you guys to take a look at it. Alrighty, so that was a lot. So the Endpoint Management service allows you to do

device management, which we'll talk about later. But it also allows you to do application management. Again, most of our customers use this for BYO devices so they can still protect their information and still give their users the productivity tools that they need without being super restrictive on the end user. And we do have a full Tech Zone video on micro VPN. So if you want to go check that out, I encourage you guys to do so. So now we're going to talk about device management, right? And so I just talked about the application side of the house, which I believe is very

important, especially for those BYO devices, but I also understand that there is a need for mobile device management. And so mobile device management is very important, especially for those corporate-owned devices where you want to restrict the end user and what they're doing, block certain applications, block certain functionality from the end user, and so we're able to do this as well. So we talked about personal devices. Most of my customers would use just mobile application management in this regard, but we also have work devices that we need to lock down and restrict, and this is what we're

going to talk about. This now goes beyond just your traditional iOS, Android, Windows, Mac. We're now also able to do this on IoT devices and other types of devices, and we have a full Geek's guide session on it being delivered by Frank syrup sitting over there. So I encourage you guys to attend that as well. So how does device management work at a high level? With Citrix Workspace, the user will authenticate, the resource feed will check into the Endpoint Management service and see if that device needs to enroll. If the device hasn't enrolled, it'll go through the enrollment process. We won't go

through the full enrollment process today, just based on time, but once that device is enrolled, it'll talk to the different microservices within the Endpoint Management service in order to get the device policies, application policies, network policies, etcetera. So let's take a look at what that looks like. Now that we've configured the applications themselves, we're going to go into device policies and add some device policies. We've broken this down per platform because, again, like I mentioned, we're really dependent on the APIs that these vendors give out to us. And so we're going to go ahead and create a

policy for Windows Defender. If it had more platforms available, those would show up on the left-hand side. You'll see that in the next policy that we set up. So once we set that up, we'll go ahead and hit next and get that configured. Again, depending on the specific platform, different policies will be available for you to configure, for you to turn on or turn off. We'll assign that again to all the users, or whichever users you want to assign that specific policy to, and then be able to do this for the different device policies depending on the platform

itself. So the next one we're going to do, we're going to do the control OS updates, and we'll show you what the end-user side of that looks like. So we'll do OS updates. You can look on the left-hand side that we have different platforms available for that. So if you were to do it for the different platforms, you could do it within a single policy so that when you're actually, as an administrator, looking for your policy, it's easier to manage and to look through. So we'll go ahead and set up some of that configuration. That we would go and set that up. Again, there would be different

policies depending on the actual platform itself, just depending on how that device and how that platform works. So once we get that configured and we turn on all those things, we're going to go ahead and hit next and assign that to all users. Once we have assigned that to all users, we're going to set up one more device policy and then we'll show how to set up some other types of applications as well. So we'll go ahead and set, I would say, probably the most widely used device policy, which is a restriction policy. So this is where you

would be able to block things like your camera, Bluetooth, Wi-Fi, etcetera. I would say this is one of those popular device policies out there for all types of platforms. So again, you would pick that specific platform or platforms that you want to set this for, and once you set that up you would be able to do things like turn off during Wi-Fi settings, connectivity settings, account settings, etcetera. So all these applica... all these policies are being sent to the full device itself. So you saw earlier that we set it for the specific application, and there's a lot of things that match up, right,

so you can set up turning off the camera for just that application itself, or if you wanted to do it for the full device, you would configure it here at the device policy versus an application policy. But you do have that ability and flexibility of, depending on your use case, doing it in one place or the other. So we're going to go ahead and assign that to all users and save that. Now we're going to go back to apps and talk about delivering different types of applications. So not just your containerized applications; you can also push down, especially for enrolled

devices, other types of applications such as enterprise applications, so that you force users faster and applications on that device. So in this case Dan is going to go ahead and upload Google Chrome. In this case you would upload either that yet see file, the IPA file, depending on what type of application it is. So I'm going to go ahead and select the Google Chrome Yahtzee, and then once it gets uploaded you'll notice that on this side, because it's not an MDX application, you don't have all that granularity of the app restrictions or app policies that we

had earlier. You just have a couple of things that you can put: the description, the app version, etcetera, just to let the user know what that application is itself. Once we go ahead and do that, we'll hit next and then assign it to all the users out there. Once we've assigned it to all the users, we're actually going to go into delivery groups, and there's two types of applications that we can deliver. You're going to notice that we're going to have required applications as well as optional applications. The required applications

are applications that, for enrolled devices, actually get pushed down to the device, whereas the optional applications will still be within the Citrix Workspace, within the user's catalog, but they're optional. So the user can go in and self-select whichever ones they want to download. So now we're going to go ahead and launch Dan's Windows 10. This device is already enrolled; like I mentioned, due to time, we're not going to go through the full enrollment process. The one thing that you'll notice is we made Chrome a required application, and if you look on the left-hand side, in a couple of seconds

Chrome will actually appear. So without Dan having to do anything or go through the install process, we're able to push that application through the Endpoint Management service and have that application be installed. The same process would happen with mobile applications on mobile devices, or other types of applications. So drum roll. Yeah, we could have sped that up. Three, two, one. Now Chrome is on that Windows device itself and the end user can launch it just like they would if they had downloaded the application to the device itself. Just to let you know that we actually have

this device managed, Dan is now going to go into the settings and show you that this device is already pre-enrolled, and he's going to show you that those OS update policies that we set are actually being applied to this device itself. So if you look at the update policy, you'll notice that it's being managed by a device management, which would be Citrix Endpoint Management. And so we're able to do those updates as well. Now we get into a little bit of the funny part where we go back into the administrative console and we'll take a look at the devices that are enrolled within the

device. So you see the Android tablet that I talked about earlier as well as the Windows desktop. The Android tablet is MAM-only, so it does not have device management, whereas the Windows desktop has full device management, and you'll see that Dan can actually go in and completely do a full wipe of the device. And so this is the number one reason why I will not enroll my BYO devices, because I don't want someone accidentally doing a full wipe on my device. But if it's a corporate device, right, we need that ability sometimes to do a full wipe on the device, and we could do this. You'll actually

notice that it's going on right now on the Windows 10. You can do this manually, or you can also actually set actions where you say, hey, if this condition is met, I want an action to take place. So the system will actually do the full wipe, the selective wipe, etcetera. So you'll see in a second it'll actually be rebooting and doing a full factory reset of the device. Just due to time, we won't go through that factory reset, but I do want you guys to see, in a second it'll come up and you'll see that it is starting the reset process of that machine. So it's a very powerful tool

and something that you can utilize for those corporate-owned applications, for those corporate-owned devices, excuse me. So you'll see that it's actually resetting that PC. So due to time we're going to go ahead and get out of that demo. But endpoint management, right? It gives you the ability not only to do the mobile application management, but also for those specific mobile device management use cases, you do have those tools and functionality within Citrix Workspace to do that. And so now I need a break. So I'm going to turn it over to Dan to talk about content:

how do we incorporate all of our content into this environment? And so as we build this out, we're going to look at all these different types of content repositories and how to incorporate them into our environment, whether we're doing a virtual app, a virtual desktop, or using local applications. How do we get to that content? And so, you know, you always hear about how big is our digital universe, how much content is actually out there, and if you just look at it, in 2015 there was four

zettabytes, and now they're expecting in 2020 to be 44. And so you might be thinking, what the hell is a zettabyte? So that's how many gigabytes? So bytes, kilobytes, megabytes, gigabytes, terabytes, then a petabyte, exabyte, zettabyte. And yesterday in the keynote. So that's the... So you're looking at, how do you incorporate all this stuff? And the challenge we have is, what's the experience like for these different devices? So I've got virtual machines, I've got physical machines, I've got mobile devices. You can't have the same way of accessing the content across all

these different devices because they have unique characteristics that we'll go over in a little bit. You also have the choice, you have all this choice of where is the storage, where is all this content being located at? Is it on-prem? Is it local? Is it in one of these different cloud providers or multiple cloud storage providers? You know, where is all this content at? And then finally the security of it: what type of security rules and policies apply to different types of content? You know, do we want to allow people to view it or edit it? Of course, you know, certain people

should be able to share that with somebody, you know, external, out of the company. Maybe only give view access, or there should be a watermark on it, so you know who actually printed this out or distributed it to a bunch of other people, so, you know, who is the culprit for getting that data out and sharing it where they shouldn't have been. So we look at content collaboration. What ends up happening here, how all this stuff fits together, is that, you know, your device connects to the Workspace app, which talks to Workspace. You should see this coming out across all these different services that we have. The

next part here is that, you know, we talk to the resource feed microservice and it talks to the content collaboration service, which gives us that link back into the Workspace app, gives us the files, gives us access to all of our files within the Workspace app. Now, from the content collaboration service there's a bunch of microservices that give us additional functionality. You know, we can view the content, there's the connector service that allows it to link to all these different storage providers, as well as the collaboration microservice. So let's look at these a little bit closer.

So the first one is the connector. This would allow you to use local storage using storage zones. So, you know, we talked about the Cloud Connectors in the beginning, that talked about I'm going to incorporate my on-prem environment into Citrix Cloud; with that outbound connection, it's going to allow us to talk to the on-prem environment and being able to use your on-prem Active Directory to authenticate. With content there's this whole thing called a storage zone and you have data connectors. This is a very similar concept; it's making that link from the content

collaboration microservice to your on-prem environment to get to those file servers. That's how we're able to talk to the on-prem environment without having to do crazy firewall port changes and opening tons of stuff up to the environment. The other part of this is there's connectors for, I guess we can call it, your personal storage cloud, all these different types of cloud providers like OneDrive, Box, Dropbox, Google Drive, so it's all integrated into the user's workspace environment. The second microservice to take a look at is the

viewing service, the content viewing service. So the content collaboration service has built-in viewers. So if you get sent a link for a Word document, you might not have Word installed on your device; depending on which device you're using, you might not have it. So there are viewers in there that let you view that document: Visio documents, video files, PowerPoint presentations. So you don't have to have those applications installed to be able to view the content. Of course, you can't make changes to it. It's just a view; it's a read-only situation here. But now say you need to edit

it. What you can end up doing, this all is based on where the content is stored at. So if my content is hosted in a cloud storage provider somewhere, I can either edit this with Office 365, you know, one of the SaaS applications that's part of 365, I can edit this on the endpoint, or I could use a virtual application, you know, something like a published application. Now if the content is stored within a storage zone, a file share, I can access it from the endpoint, I can access it from a virtual app session, or from the Office web app server, but not from the Office 365 SaaS app

because it doesn't have access to that repository. So you could actually build a web server internally that hosts your Office web applications, and then you'd be able to use something like Office 365, you know, within a browser to edit those applications. Now, the last part is the collaboration service. So this is changing your workflow, and, you know, people don't like change, and they're used to, when they need to send a document out, usually it's for something like this: they want feedback on the document, or they need approval for something, or they are

they are trying to gather requests. And what ends up happening here is you send an email out with an attachment. It's like, hey, can you review this? Now all of a sudden you start getting replies back, and some people respond with, you know, notes in the document, other people just delete it and ignore it, and now you've got all these different files coming in. You don't know if you actually got everything you needed. You might have deleted them. You might have saved them somewhere and you forgot where. You start losing all this information from people who actually did work for you and helped you out, and you

lost, you lost their valuable insights. So this is what these collaboration services can do for you: it's just the change of the workflow, basically brings everything together. So instead of sending the document out, you start this workflow and you send this workflow out to all these users, and they can actually go into an online document and start making comments. And what's actually really interesting about it, it actually forces other people to make comments as well, or at least review it, because what you end up seeing is, reviewing it, you see who's actually

reviewing it, and you see who submitted their feedback, and you see at least a list of other people who haven't submitted anything, and of course, when somebody submits feedback it goes out to the whole email list. So you start thinking, like, oh crap, my manager replied to their sins already provide feedback. I'd better go back too. So it's a good way to actually force people to provide feedback on this type of documents, because there's a trail of who's actually, you know, looking at these things and making comments and trying to provide value. This

information. So it's only these workflows. It's so easy to send an email. Once you start using something like this, you don't go back to email; you start using these new types of workflows. So let's take a look at, you know, how this all gets incorporated into our environment. So I hit the button in the back up powerful liquor. All right, so is it start again? Mario I told going to the content collaboration service here, and we're going to set this up for a particular user, set this up for one of our users. So we haven't added any environment.

So we'll go ahead and add Max, and add him as a new user within our content collaboration service. So give it the email address for this particular. Why would I have a password, or why wouldn't you require a password? So this is allowing you to get into the website itself, to make a direct connection to that website, you know, to the sharefile.com site. So you go ahead and give the password. You can give different user settings there, different levels of access the user has. I mean, typically, for right now we're going to leave it as the default. It's good enough for what we need to

do. But there's a lot of capabilities we can set for this particular user, what they can and what they cannot do within the collaboration service. Storage location: you can have multiple storage locations. Here we just have one associated with this user, and we'll go ahead and create this, and the user is going to go ahead and now have content, a content repository I should say, for this particular user. So if we flip back over to Workspace from the user perspective, we'll now see, before we had apps and desktops, now we have files

and they have their personal folders, and there's nothing there yet. It's a brand new environment, so we can go ahead and add content in there if we want to for this particular user, and this is where they start storing all their content. In one of the other sessions in the Geek's guide, they're going to go into a lot more detail on the different connectors, setting up storage zone connectors, setting up those personal cloud connectors to connect into, like, OneDrive and Google Drive. So,

This is with the read-only viewers. You can see what the doc, you know, this is a PowerPoint presentation. You can kind of see what's in this without actually downloading and editing the file. You scroll through different slides. From here you can download it, you can edit it. You know, like I said, if you have Office 365 you'll edit it within there, or you'll edit it with the local application. So this one I went ahead and edited, and this is actually doing 365, and what you'll notice is this is actually using the embedded browser because I had enhanced

security turned on, because that is the embedded browser and not Firefox or Edge or Chrome. And go ahead and make the change and go ahead and save it. I mean, that's basically what you're doing: you're allowing the user to access this content directly from their workspace. So we've now incorporated content into this whole thing. And now the last thing we want to look at, to really tie everything together and all these different services, is to look at analytics. So we're going to talk briefly about analytics today. But like I mentioned, I'll be delivering a full 45

minute session tomorrow on analytics that will do a very deep dive, a lot of demos within the analytics service. So very exciting stuff. So Citrix Analytics essentially is what ties everything together and gives you the ability to take care of your environment proactively. I think yesterday at the keynote you guys saw some of the announcements that we had around performance analytics, which is very exciting for all our customers because you can start utilizing that today. And so like I mentioned, we'll do a deeper dive on that tomorrow. Quick joke. Dan added this, and this to me just goes to show that

females are better than males. But that maybe I'm biased to know so we'll just go with that. Analytics is that it can be divided into three parts: telemetry, analysis, and action. So telemetry is essentially grabbing all that information from your entire Citrix Workspace, from all the different services that you enabled, right? Tomorrow we'll also talk about some of the third-party integrations and some of the data sources of information that you could pull from external sources that aren't coming from Citrix. Then analysis, so basically this is machine learning,

artificial intelligence that will really get to know who this user is and what they do in their day to day. So think about it like a credit card company, right? Your credit card company is extremely familiar with the types of purchases that you do, where you do them, et cetera, and if you deviate from that behavior, they'll have an action associated with it, so maybe they'll give you a call. Maybe they'll block your credit card, send you a text message, et cetera. Similar things around security analytics: we'll analyze the user and check for any behavior that's outside of the user's norm or outside of the

organization's norms. And once we do that, we have actions that we can take in order to protect your environment. So whether that's starting session recording, logging the user off, notifying an administrator, locking that user out in order to check that environment, so that if you do have a malicious user or someone coming in and trying to infiltrate your environment, you can protect that proactively. We do this by creating risk scores, so we'll have risky users, medium users, and low users. And again, this is all done through machine learning algorithms that we have, and so we'll look at the

user behavior and then, based on that, put them in different buckets, and based on that have different associated patterns for actions that will take place in order to protect your environment. Today, right now, we won't talk about the performance analytics, but tomorrow we will be talking about the performance analytics and how you can proactively give your users a better behavior based on some of that performance analytics information. And so I think analytics is something that's very cool. It's something that allows you as administrators to protect your environment proactively

versus reactively, and we're doing all of this through machine learning, artificial intelligence. So don't let me down tomorrow. I expect to see more of you than today at the end session. All right, I'm counting on you guys. And so now he's going to take us home and talk a little bit about what we talked in the past almost 45-50. I don't even know. My name is Missy what the next nine sessions are going to go much deeper on here. So we have your gateway. It's incorporating our on-prem virtual app and desktop

environment. It's also providing single sign-on. From there you incorporate access control and secure browsing; that's going to give you the enhanced security for those web and SaaS applications, to give you that website filtering, you know, locking down, restricting what the user can and can't do with those types of applications. Expand that to the endpoint: it's looking at managing our local mobile applications, and then going beyond that, managing the devices themselves with different device-based policies as opposed to app-level policies, incorporating the content from the different

repositories, so a user only has to go to a single place to get all their content regardless of where it's stored at, and pulling all this information together using the machine learning, understanding what the user is doing, how they interact with the data, how they interact with the applications, to make sure that who's actually doing this type of stuff is the person who should be doing it, so that you don't have all the status after date has been encrypted or accessing things that they shouldn't be, or the performance is right for the environment. So it doesn't just have to sit there and monitor

constantly. So that's the overall architecture we built, and we'll be going into more detail in the next sessions. So the very next one, which will be right here right after lunch, is where we will be looking at identity. So it's going to be basically bring your own identity, so bring your own devices and bring your own identity. So using Workspace, you aren't limited to Active Directory and Azure Active Directory. You can use pretty much any IdP that you want now, and we're going to go through this topic and talk a little more about the End of time-based one-time passwords to Federated

Authentication Service. So I know how many you know Martin's used act, but he's going to be up here with me. So it should be quite an interesting session. There might be one or two more Chuck Norris jokes in that section too, but with that I'd like to thank everyone for attending. That's my slow.
