It has been a while since my first two blog posts in this series, as I have been kept very busy lately. The plan for my third post is to show how you can customize enrollment into XenMobile to fit your special needs!
First things first: Here is my first blog post, showing the technique.
And here is the second one, which contains a few useable examples.
What I want to show you today (and provide downloadable examples of) is one complete, customized portal that enables users to perform self-enrollment, and one script that I have used with some customers for performing bulk enrollment. Sound good?
As most people who have worked with XenMobile know, there is a self-service portal built into the product, which works well. However, there is no option to customize the self-service portal to make it fit your specific scenario. Therefore, to demonstrate how to script XenMobile through PHP, I have created a simple portal, based on the look and feel of StoreFront/XenMobile, which can be placed behind a NetScaler, in order to provide the authentication method of your choosing.
The first part you get to is, obviously, the NetScaler login page:
This is the regular NetScaler Gateway login page, only slightly modified, using the XenMobile colors, logos, and background image. My NetScaler Gateway session profile is set up to point to this homepage: “http://<webserver>/enrollment/enrollmentportal.php?key=<my-key>”, where “my-key” is a specific key that I have created in the PHP code, just to make sure the page cannot easily be reached by bypassing NetScaler Gateway. The session policy is also set to use clientless VPN and to obscure the URL, so the secret key will not be visible. There is also a traffic policy set to enable SSO, so that the user is logged on to the portal automatically.
After passing through the portal, the user will reach a page as shown below:
The code behind this page is heavily inspired by our skillful StoreFront team, and it also supports being read on mobile devices. As I don’t have any current enrollment invitations, I press “Enroll new device”, to do just that. I am then presented with this view:
Here, I can choose whether I’m enrolling a corporate, or a personal device, and which OS it runs. I can then choose to return (no changes saved), or to create a new enrollment invitation. When creating a new enrollment, you come to this page:
From here, you can either click on the “Click here” link, if you are running the portal from a device that you are enrolling, or you can scan the QR code. When pressing “return”, you get back to the original page, which now also shows the pending enrollment invitation:
This sample portal is downloadable at the end of this post. It contains a few files, of which “config.php” is the most important one to modify to your needs. However, the purpose of posting this is not for you to use this portal directly, but rather to inspire you to create something that your company can use and that fits your specific use case.
There are certainly sides of this portal that could be written more cleanly, and I am currently only using the “authentication” to extract the username from the SSO, so there is actually no real authentication directly to the portal. Because of this, I set up a “two-factor authentication” between NetScaler and web server, where the web server will only accept requests from the SNIP of the NetScaler, and the NetScaler
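The two checks described above (the key in the session-profile URL and accepting requests only from the NetScaler SNIP) can be expressed as a single gate that runs before any page is rendered. This is an added example, not the code from the downloadable portal; the function name, the settings array, the addresses, the demo key and the assumption that the SSO username arrives in `REMOTE_USER` are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical settings for this example; the sample portal keeps its own in config.php.
$config = [
    'netscaler_snip' => '192.0.2.10',                           // constructed address
    'key_sha256'     => hash('sha256', 'constructed-demo-key'), // demo key; in practice store only its hash
    'sso_user_field' => 'REMOTE_USER',                          // assumption, see lead-in
];

/** Returns the SSO username when the request passes every check, otherwise null. */
function portal_gate(array $server, array $query, array $config): ?string
{
    // 1. Only the NetScaler SNIP may reach the web server. REMOTE_ADDR is the TCP
    //    peer address; headers such as X-Forwarded-For are sender-controlled.
    if (($server['REMOTE_ADDR'] ?? '') !== $config['netscaler_snip']) {
        return null;
    }
    // 2. Shared key from the session-profile URL, compared in constant time.
    $key = $query['key'] ?? '';
    if (!is_string($key) || !hash_equals($config['key_sha256'], hash('sha256', $key))) {
        return null;
    }
    // 3. Username handed over by SSO; accept only a plain account name
    //    (letters, digits, '.', '_', '@', '\' and '-').
    $user = $server[$config['sso_user_field']] ?? '';
    if (!is_string($user) || !preg_match('/^[A-Za-z0-9._@\\\\-]{1,128}\z/', $user)) {
        return null;
    }
    return $user;
}

// Constructed requests, so the gate can be exercised from the command line.
$good  = ['REMOTE_ADDR' => '192.0.2.10', 'REMOTE_USER' => 'CORP\\jdoe'];
$cases = [
    'via gateway'      => [$good, ['key' => 'constructed-demo-key']],
    'direct to server' => [['REMOTE_ADDR' => '198.51.100.7'] + $good, ['key' => 'constructed-demo-key']],
    'wrong key'        => [$good, ['key' => 'guess']],
    'key as array'     => [$good, ['key' => ['x']]],
];
foreach ($cases as $name => [$server, $query]) {
    $user = portal_gate($server, $query, $config);
    printf("%-17s %s\n", $name, $user === null ? '403' : "200 user=$user");
}
```

In a real page the call would be `portal_gate($_SERVER, $_GET, $config)`, followed by a 403 response and `exit` when it returns null.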
Bulk Enrollment Script
My second item for today is my bulk enrollment script. Within Citrix Consulting, we are often helping customers set up XenMobile as a replacement for another MDM solution, or even as an upgrade from on-prem XenMobile to XenMobile Service. As soon as the solution has been set up, the customers typically want to enroll devices in bulk, based on data extracted from the existing MDM solution. In order for this to work properly, I saw the need to create an enrollment script, which can take a CSV file of devices as input. The script is based on my previous script samples, as you may have read in my previous blogs, but has expanded over time, based on customer needs. The very first version of this was actually based on the old SOAP API for XenMobile, which was deprecated after REST for XenMobile became more mature.
The script can be run in many different ways. You can either run it fully automated, or interactively. You can specify that it should save the parameters being used, which means they will be automatically read the next time you run the script. (You can edit or delete the ini-file, or run in interactive mode if you want to change any of the parameters.)
The functionality provided is:
- List all available enrollment modes
- Create a single device enrollment
- Create bulk enrollments based on a CSV file as input
- Send enrollment notifications, using the templates specified either as default for enrollment method, or as specified when the script is run
- Send HTML-based email with QR code, using an SMTP server
- List pending enrollments
- Output enrollments created (including token and PIN code) to a CSV file
If you are importing from CSV, use headers in the CSV file. The following headers will be read by the script: “Serial”, “IMEI”, “OS”, “User”, “email”, “Phone”, “ownership”. Additional headers may be in the file, but will not be used. (Ownership needs to be set to either “personal” or “corporate”.)
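A pre-flight check of an export from the old MDM solution against the header rules above, as an added example that is not part of the enrollment script. The function name and the sample rows are constructed, and it assumes header names and ownership values are matched exactly as written above.

```php
<?php
declare(strict_types=1);

// Headers the post says the script reads; anything else is ignored.
const KNOWN_HEADERS = ['Serial', 'IMEI', 'OS', 'User', 'email', 'Phone', 'ownership'];

/** Reports absent headers, ignored headers and rows that would not import cleanly. */
function check_enrollment_csv(string $csv): array
{
    $lines   = preg_split('/\r\n|\n|\r/', trim($csv));
    $headers = array_map('trim', str_getcsv(array_shift($lines), ',', '"', '\\'));
    $report  = [
        'absent'  => array_values(array_diff(KNOWN_HEADERS, $headers)),
        'ignored' => array_values(array_diff($headers, KNOWN_HEADERS)),
        'errors'  => [],
    ];
    foreach ($lines as $i => $line) {
        $row = $i + 2; // line number in the file, counting the header as line 1
        if (trim($line) === '') {
            continue;
        }
        $fields = str_getcsv($line, ',', '"', '\\');
        if (count($fields) !== count($headers)) {
            $report['errors'][] = "row $row: " . count($fields) . ' fields, expected ' . count($headers);
            continue;
        }
        $record    = array_combine($headers, $fields);
        $ownership = trim($record['ownership'] ?? '');
        if (!in_array($ownership, ['personal', 'corporate'], true)) {
            $report['errors'][] = "row $row: ownership must be personal or corporate, got '$ownership'";
        }
    }
    return $report;
}

// Constructed sample export: one extra column, one bad ownership value, one short row.
$sample = <<<CSV
Serial,IMEI,OS,User,email,Phone,ownership,Department
SN0001,356000000000001,iOS,jdoe,jdoe@example.com,+4700000001,corporate,Sales
SN0002,356000000000002,Android,asmith,asmith@example.com,+4700000002,BYOD,IT
SN0003,356000000000003,iOS,bnilsen
CSV;

print_r(check_enrollment_csv($sample));
```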
Below is a sample of running the script in interactive mode:
So, that was it. I have now completed my three-part series on scripting, using XenMobile REST API. I sincerely hope my posts have inspired someone to start scripting XenMobile, and to discover all the possibilities that are built right into the product!
As always, I am a consultant, and NOT associated with Citrix Product Management, or Engineering. Therefore, I cannot give any other guarantees than that what I present here works in my own test environment, and in the customer environments where I have tested it.
So, if you want to download the files, head right over to ShareFile via these links:
Enrollment Portal: https://citrix.sharefile.com/d-s43a550719784605a
Enrollment Script: https://citrix.sharefile.com/d-s8e5a1c1e49c4c9fb
This concludes my three-part blog series about XenMobile scripting through REST API. I hope I have inspired at least some of you to go out, and try to make something wonderful for our favorite EMM solution, XenMobile Enterprise!