Working in Citrix Public Sector, we find one of the top priorities for Federal agencies is enabling secure mobility.
For agency users, mobility is a no brainer; it only makes their jobs and lives easier. For the security and information assurance engineers at an agency, mobility is another matter altogether. It presents an attack vector they must secure.
In the Federal space, mobility has been commonly referred to as Mobile Device Management (MDM).
This conversation recently started to shift into other areas including Mobile Application Management (MAM), Enterprise App Stores (EAS) and Enterprise File Sharing and Sync (EFSS). Now agencies are using acronyms like GFE, BYOD, COPE, GOPE, etc. to describe their mobility initiatives.
Before we get too far into it, let’s define these terms up front:
- GFE – Government Furnished Equipment: devices and carrier plans owned and maintained by the government agency
- BYOD – Bring Your Own Device: devices and carrier plans owned and maintained by the users
- COPE/GOPE – Corporate/Government Owned, Personally Enabled: very similar to GFE but allows more personal functionality on the device
For the sake of simplicity, I will make a few assumptions that will not always fit every scenario perfectly, but should apply to many agencies.
The differences in the program types above typically come down to how much risk an agency is willing to accept.
Based on my experience in the federal space, most security teams are willing to allow “data-at-rest” from a “sensitive-but-unclassified” (SBU) network if the equipment is owned and managed by the agency. That way, if a device is lost or compromised, the agency can geo-locate and recover the device or wipe everything without worrying about liability implications like if it was a user’s personal device.
Most agencies in the federal space still see BYOD with data-at-rest as too risky because there has not been a lot of guidance on what is acceptable, especially when it comes to liability of the government managing a user’s personal device.
When Citrix talks about mobility, we talk about the “mobile workspace.”
The mobile workspace should include secure access to the user’s corporate desktop, enterprise applications (Mobile apps, Web/SaaS apps, Windows apps) and user data. One way Citrix differentiates from traditional mobility vendors is by enabling the mobile workspace from any device, whether it be a laptop, desktop, tablet, phone, etc. Traditional mobility vendors mainly focus on phone or tablet devices so when you are at your laptop or desktop you will not get access to your workspace without buying a third-party solution like Citrix XenApp, XenDesktop, VPN, etc.
This brings us to Citrix Workspace Suite, commonly referred to as CWS.
Citrix introduced CWS in May 2014 as the industry’s first end-to-end mobile workspace solution. Citrix Workspace Suite is a single license suite that offers a unified mobile workspace solution built on top of components that are individually recognized as best-of-breed platforms for Virtual Desktops/Applications, Enterprise Mobility Management, Enterprise File Sync and Sharing and Application Delivery. These components include Citrix XenDesktop, XenApp, XenMobile and ShareFile. Citrix Workspace Suite offers agencies the flexibility of having a secure GFE program where they can offer users a native mobile experience with data-at-rest while offering a BYOD program with a near-native mobile experience and no data-at-rest.
This a high-level architecture view of a CWS deployment; take a look.
Essentially, each component has a delivery controller that feeds different functionality to the mobile workspace, and NetScaler will aggregate them all to be presented to the user in a single interface.
The interface for a user on a mobile device will come from the Citrix Worx Home application, which can be found in any of the app stores (Apple/Google/Microsoft). Worx Home will present a unified application store called “Worx Store” where users can get access to Mobile apps, Web/SaaS apps and Windows Apps & Desktops. You will notice in the screenshot below that a user can access all these different resources from one unified interface.
Now, let’s talk about how CWS helps a GFE mobility program deliver a native mobile experience.
With broad device support, CWS offers agencies the ability to give their user’s options when picking a device for the GFE program (iOS, Android, Windows Phone, etc.).
Included with CWS is the Citrix Worx App suite. The Worx App suite is delivered from the XenMobile server shown in the architecture diagram above. It’s a set of mobile applications that has been built with security and user experience in mind. If you are familiar with mobile application management and containerization technologies then that is how you can think of the Worx Apps.
One thing that differentiates the Worx App suite from other container solutions is that each app has granular policy options and uses end-to-end FIPS 140-2 encryption for data-in-transit and data-at-rest. This security gives an agency the ability to prevent any agency data from leaking from the Worx apps in to any other non-managed apps on the device. There are dozens of mobile app specific security policies that can be applied including restrict cut/copy/paste, restrict “Open-In” to other apps, restrict any non-managed apps like Facebook from sending content into the managed apps, and many more.
On top of the security, one of the primary differentiators for the Worx apps is how much Citrix invested in the end user experience and workflow design in order to make users more productive. The following Worx apps are included with CWS…
WorxMail – WorxMail is a containerized email, calendar and contacts app with a rich user experience.
WorxWeb – WorxWeb is a consumer like browser that provides access to internet and intranet sides according to IT policy.
WorxNotes – WorxNotes is a business-class secure note taking application with email and calendar integration for streamlined workflows.
WorxEdit – WorxEdit is an easy-to-use editing tool on your mobile devices, allowing you to edit documents, spreadsheets and presentations.
WorxTasks – WorxTasks is an easy-to-use time management tool that allows you to securely manage and sync tasks and to-do lists from Microsoft Outlook.
ShareFile – ShareFile allows users to securely share, sync and edit documents from any device.
In addition to the Worx apps above, Citrix has a number of new productivity apps on the roadmap, as well as the Worx App partner ecosystem of apps that are Worx ready. Once a user enrolls their device using the Worx Home app mentioned above, IT can push the Worx apps to the device.
In combination with the app level security provided by Worx Apps, CWS allows agencies to manage security policies for the device. An example of device level management includes device password enforcement, disabling the camera, enabling geo-location, enforcing white/black/grey list app policies and many more.
The great thing for agency administrators is that they are able to manage all the mobile app policies, mobile devices policies, track devices, wipe/lock devices, etc. all from a single administrative console. On top of enabling GFE devices with a native mobile experience, CWS allows agencies to offer up access to the user’s virtual desktop and Windows apps. CWS includes the latest version of Citrix XenDesktop and XenApp which are the technologies that allow you offer a virtual desktop and Windows apps respectively. As mentioned earlier, users can access their virtual desktops and Windows apps from Worx Home, along with their Mobile apps and Web/SaaS apps.
Now that we have talked a bit about mobile GFE, let’s talk about a BYOD.
In the commercial space, companies are a little more forgiving when it comes to a paradigm shifts like mobility. For example, our commercial counterparts at Citrix see a common scenario where companies will leverage mobile application management and Worx Apps for their BYOD program.
When a user joins the company, they can enroll in the system and get the Worx app suite delivered to their device. If the user loses the device or leaves the company, the IT team can selectively wipe the corporate apps from the device and be confident no corporate data is compromised. The problem we usually see with that model in the federal space is that agencies are not comfortable with allowing data-at-rest on user’s personal device for a number of reasons, including liability of managing and tracking a users personal device.
If your agency falls into the bucket where data-at-rest and managing users personal devices is not accepted yet then let’s talk about how CWS can enable BYOD options for you.
Referring back to the architecture diagram above, CWS also includes Citrix XenDesktop and XenApp. XenDesktop and XenApp offer the ability to deliver Windows desktops and applications to any device running iOS, Android, Windows Phone, BlackBerry, Mac OSX, Windows XP/Vista,/7/8 and Linux without leaving any data-at-rest or needing to manage the device.
CWS allows agencies to offer up an app store, like the one show above, and advertise Windows virtual desktops and apps to users.
While a virtual desktop works well on a laptop and tablet, it does not work as well on a phone because of the limited screen real estate. Phone users can just use the specific Windows app they need via XenApp. The nice thing in this scenario is that CWS offers a single interface (Worx Home) where users can launch the best resource needed to get the job done.
Here is a great example of one customer, Defense Logistics Agency (DLA), who leveraged these technologies for BYOD and Telework. On top of being able to deliver any Windows app or desktop to any device, CWS also includes unique functionality specifically for mobile devices. This includes the mobile SDK for Windows apps. The Mobile SDK allows agencies, ISVs, and system integrators to easily make existing Windows app more mobile friendly without needing to rewrite the application. Examples of this include adjusting screen orientation on the fly; having the virtual keyboard pop up on a mobile device when clicking somewhere in the Windows app that requires text input; integrating your Windows app with the mobile devices email, SMS and photo library; and so on.
You can read more about the mobile SDK included with CWS here, https://www.citrix.com/go/mobile-sdk-for-windows-apps.html.
Leveraging the power of the mobile SDK and basic Windows app development, Citrix built an Email application for customers that want to offer a mobile email experience, but still have no data-at-rest for their BYOD program. This application is called Hosted MobileMail (HMM), and it is of course included with CWS. Hosted MobileMail allows agencies to provide a close to native Email experience to their BYOD users and not have worry about data-at-rest because it hooks into our XenApp technology and just presents screen-scrapes of the app.
You can learn more about Hosted MobileMail here, https://www.citrix.com/go/hosted-mobilemail.html
In summary, Citrix Workspace Suite offers a lot of flexibility to agencies looking to offer GFE and BYOD programs.
We believe there is no other solution that can meet the vast number of mobility use cases that CWS can. If you want to offer a native mobile experience for GFE users, you leverage XenMobile for mobile device management and the Worx app suite for productivity. You also have the option to give GFE users access to their work desktop and legacy Windows apps via XenDesktop and XenApp in the same unified app store interface.
If you want to offer a BYOD program you can do so by providing access to just the resources hosted on XenDesktop and XenApp so there is no data-at-rest left on the device. Many agencies offer both options. If you have any questions, topic ideas, or if you would like us to come talk to your agency about mobility please leave a comment below.