Authentication

In an Endpoint Management deployment, several considerations come into play when deciding how to configure authentication. This section describes the various factors that affect authentication:

  • The main MDX policies, Endpoint Management client properties, and Citrix Gateway settings involved with authentication.
  • The ways these policies, client properties, and settings interact.
  • The tradeoffs of each choice.

This article also includes three examples of recommended configurations for increasing degrees of security.

Broadly speaking, stronger security results in a less-optimal user experience, because users have to authenticate more often. How you balance those concerns depends on your organization’s needs and priorities. Review the three recommended configurations to understand the interplay of the various authentication options.

Authentication Modes

Online authentication: Allows users into the Endpoint Management network. Requires an Internet connection.

Offline authentication: Happens on the device. Users unlock the secure vault and have offline access to items, such as downloaded mail, cached websites, and notes.

Methods of Authentication

Single Factor

LDAP: You can configure a connection in Endpoint Management to one or more directories that are compliant with the Lightweight Directory Access Protocol (LDAP). This method is commonly used to provide single sign-on (SSO) for company environments. You might opt for Citrix PIN with Active Directory password caching to improve the user experience with LDAP. At the same time, you can provide the security of complex passwords on enrollment, password expiration, and account lockout.

For more details, see Domain or domain plus security token authentication.

Client certificate: Endpoint Management can integrate with industry-standard certificate authorities to use certificates as the sole method of online authentication. Endpoint Management provides this certificate after user enrollment, which requires either a one-time password, invitation URL, or LDAP credentials. When using a client certificate as the primary method of authentication, a Citrix PIN is required in client certificate-only environments to secure the certificate on the device.

Endpoint Management supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, Endpoint Management uses Citrix Gateway to manage revocation. When you configure client certificate-based authentication, consider whether you need to enable the Citrix Gateway CRL setting, Enable CRL Auto Refresh. This step makes sure that a device enrolled only in MAM can’t authenticate using an existing certificate on the device. Endpoint Management reissues a new certificate, because it doesn’t restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities, because the CRL check rejects certificates that have been revoked.

For a diagram that shows the deployment needed for certificate-based authentication or the use of your enterprise Certificate Authority (CA) to issue device certificates, see Architecture.

Two-factor authentication

LDAP + Client Certificate: This configuration is the best combination of security and user experience for Endpoint Management. Using both LDAP and client certificate authentication:

  • Has the best SSO possibilities coupled with security provided by two-factor authentication at the Citrix Gateway.
  • Provides security with something users know (their Active Directory passwords) and something they have (client certificates on their devices).

Secure Mail can automatically configure and provide a seamless first-time user experience with client certificate authentication. That feature requires a properly configured Exchange client access server environment.

For optimal usability, you can combine LDAP and client certificate authentication with Citrix PIN and Active Directory password caching.

LDAP + Token: This configuration allows for the classic configuration of LDAP credentials, plus a one-time password, using the RADIUS protocol. For optimal usability, you can combine this option with Citrix PIN and Active Directory password caching.

Important policies, settings, and client properties for authentication

The following policies, settings, and client properties come into play with the following three recommended configurations:

MDX policies

App passcode: If On, a Citrix PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in the Endpoint Management console in Client Properties on the Settings tab. The default is 15 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

micro VPN session required: If On, the user must have a connection to the enterprise network and an active session to access the app on the device. If Off, an active session isn’t required to access the app on the device. Default is Off.

Maximum offline period (hours): Defines the maximum period that an app can run without reconfirming app entitlement and refreshing policies from Endpoint Management. An iOS app retrieves new policies for MDX apps from Endpoint Management without any interruption to users after meeting the following conditions:

  • You set the Maximum offline period and
  • Secure Hub for iOS has a valid Citrix Gateway token.

If Secure Hub doesn’t have a valid Citrix Gateway token, users must authenticate through Secure Hub before app policies can update. The Citrix Gateway token can become invalid because of Citrix Gateway session inactivity or a forced session time-out policy. When users sign on to Secure Hub again, they can continue running the app.

Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on. Default is 72 hours (3 days). Minimum period is 1 hour.

Note:

Keep in mind that in a scenario in which users travel often and use international roaming, the default of 72 hours (3 days) might be too short.

Background services ticket expiration: The time period that a background network service ticket stays valid. When Secure Mail connects through Citrix Gateway to an Exchange Server running ActiveSync, Endpoint Management issues a token. Secure Mail uses that token to connect to the internal Exchange Server. This property setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default is 168 hours (7 days). When this time-out expires, mail notifications stop.

micro VPN session required grace period: Determines how many minutes a user can use the app offline until the online session is validated. The default is 0 (no grace period).

For information about authentication policies, see:

Endpoint Management client properties

Note:

Client properties are global settings that apply to all devices that connect to Endpoint Management.

Citrix PIN: For a simple sign-on experience, you might choose to enable the Citrix PIN. With the PIN, users do not have to enter other credentials repeatedly, such as their Active Directory user names and passwords. You can configure the Citrix PIN as a standalone offline authentication only, or combine the PIN with Active Directory password caching to streamline authentication for optimal usability. You configure the Citrix PIN in Settings > Client > Client Properties in the Endpoint Management console.

Following is a summary of a few important properties. For more information, see Client properties.

ENABLE_PASSCODE_AUTH

Display name: Enable Citrix PIN Authentication

This key allows you to turn on Citrix PIN functionality. With the Citrix PIN or passcode, users are prompted to define a PIN to use instead of their Active Directory password. Enable this setting if ENABLE_PASSWORD_CACHING is enabled or if Endpoint Management is using certificate authentication.

Possible values: true or false

Default value: false

ENABLE_PASSWORD_CACHING

Display name: Enable User Password Caching

This key allows the users’ Active Directory password to be cached locally on the mobile device. When you set this key to true, users are prompted to set a Citrix PIN or passcode. The ENABLE_PASSCODE_AUTH key must be set to true when you set this key to true.

Possible values: true or false

Default value: false

PASSCODE_STRENGTH

Display name: PIN Strength Requirement

This key defines the strength of the Citrix PIN or passcode. When you change this setting, users are prompted to set a new Citrix PIN or passcode the next time they’re prompted to authenticate.

Possible values: Low, Medium, or Strong

Default value: Medium

INACTIVITY_TIMER

Display name: Inactivity timer

This key defines the time in minutes that users can leave their devices inactive and then access an app without being prompted for a Citrix PIN or passcode. To enable this setting for an MDX app, you must set the App Passcode setting to On. If the App Passcode setting is set to Off, users are redirected to Secure Hub to do a full authentication. When you change this setting, the value takes effect the next time users are prompted to authenticate. The default is 15 minutes.

ENABLE_TOUCH_ID_AUTH

Display name: Enable Touch ID Authentication

Allows the use of the fingerprint reader (in iOS only) for offline authentication. Online authentication still requires the primary authentication method.

ENCRYPT_SECRETS_USING_PASSCODE

Display name: Encrypt secrets using Passcode

This key lets sensitive data be stored on the mobile device in a secret vault instead of in a platform-based native store, such as the iOS keychain. This configuration key enables strong encryption of key artifacts, but also adds user entropy (a user-generated random PIN code that only the user knows).

Possible values: true or false

Default value: false

Citrix Gateway Settings

Session time-out: If you enable this setting, Citrix Gateway disconnects the session if Citrix Gateway detects no network activity for the specified interval. This setting is enforced for users who connect with the Citrix Gateway Plug-in, Citrix Workspace, Secure Hub, or through a web browser. Default is 1440 minutes. If you set this value to zero, the setting is disabled.

Forced time-out: If you enable this setting, Citrix Gateway disconnects the session after the time-out interval elapses no matter what the user is doing. When the time-out interval elapses, there’s no action the user can take to prevent the disconnection. This setting is enforced for users who connect with the Citrix Gateway Plug-in, Citrix Workspace, Secure Hub, or through a web browser. If Secure Mail is using STA, a special Citrix Gateway mode, this setting doesn’t apply to Secure Mail sessions. Default is no value, which means sessions are extended for any activity.

For more information about time-out settings for Citrix Gateway, see the Citrix Gateway documentation.

For more information on the scenarios that prompt users to authenticate with Endpoint Management by entering credentials on their devices, see Authentication Prompt Scenarios.

Default configuration settings

These settings are the defaults provided by the:

  • NetScaler for XenMobile wizard
  • MAM SDK or MDX Toolkit
  • Endpoint Management console

Setting | Where to Find the Setting | Default Setting
--- | --- | ---
Session time-out | Citrix Gateway | 1440 minutes
Forced time-out | Citrix Gateway | No value (off)
Maximum offline period | MDX Policies | 72 hours
Background services ticket expiration | MDX Policies | 168 hours (7 days)
micro VPN session required | MDX Policies | Off
micro VPN session required grace period | MDX Policies | 0
App passcode | MDX Policies | On
Encrypt secrets using passcode | Endpoint Management client properties | false
Enable Citrix PIN Authentication | Endpoint Management client properties | false
PIN Strength Requirement | Endpoint Management client properties | Medium
PIN Type | Endpoint Management client properties | Numeric
Enable User Password Caching | Endpoint Management client properties | false
Inactivity Timer | Endpoint Management client properties | 15
Enable Touch ID Authentication | Endpoint Management client properties | false

Recommended Configurations

This section gives examples of three Endpoint Management configurations that range from the lowest security and optimal user experience to the highest security and more intrusive user experience. These examples provide you with helpful reference points to determine where on the scale you want to place your own configuration. Modifying these settings might require you to alter other settings. For instance, the maximum offline period must not go past the session time-out.

Highest Security

This configuration offers the highest level of security but has significant usability trade-offs.

Setting | Where to Find the Setting | Recommended Setting | Behavior Impact
--- | --- | --- | ---
Session time-out | Citrix Gateway | 1440 | Users enter their Secure Hub credentials only when online authentication is required, every 24 hours.
Forced time-out | Citrix Gateway | No value | Sessions are extended if there’s any activity.
Maximum offline period | MDX Policies | 23 | Requires policy refresh every day.
Background services ticket expiration | MDX Policies | 72 hours | Time out for STA, which allows for long-lived sessions without a Citrix Gateway session token. For Secure Mail, making the STA time-out longer than the session time-out avoids having mail notifications stop. In that case, Secure Mail doesn’t prompt the user if they don’t open the app before the session expires.
micro VPN session required | MDX Policies | Off | Provides a valid network connection and Citrix Gateway session to use apps.
micro VPN session required grace period | MDX Policies | 0 | No grace period (if you enabled micro VPN session required).
App passcode | MDX Policies | On | Require a passcode for an application.
Encrypt secrets using passcode | Endpoint Management client properties | true | A key derived from user entropy protects the vault.
Enable Citrix PIN Authentication | Endpoint Management client properties | true | Enable Citrix PIN for simplified authentication experience.
PIN Strength Requirement | Endpoint Management client properties | Strong | High password complexity requirements.
PIN Type | Endpoint Management client properties | Alphanumeric | PIN is an alphanumeric sequence.
Enable Password Caching | Endpoint Management client properties | false | Active Directory password isn’t cached and a Citrix PIN is used for offline authentications.
Inactivity Timer | Endpoint Management client properties | 15 | If a user doesn’t use MDX apps or Secure Hub for this period, prompt for offline authentication.
Enable Touch ID Authentication | Endpoint Management client properties | false | Disables Touch ID for offline authentication use cases in iOS.

Higher Security

A more middle-of-the-road approach, this configuration requires users to authenticate more often (every 3 days at most, instead of 7) and provides stronger security. The increased number of authentications locks the container more often, providing data security when devices aren’t in use.

Setting | Where to Find the Setting | Recommended Setting | Behavior Impact
--- | --- | --- | ---
Session time-out | Citrix Gateway | 4320 | Users enter their Secure Hub credentials only when online authentication is required, every 3 days.
Forced time-out | Citrix Gateway | No value | Sessions are extended if there’s any activity.
Maximum offline period | MDX Policies | 71 | Requires policy refresh every 3 days. The hour difference is to allow for refresh ahead of session time-out.
Background services ticket expiration | MDX Policies | 168 hours | Time out for STA, which allows for long-lived sessions without a Citrix Gateway session token. For Secure Mail, making the STA time-out longer than the session time-out avoids having mail notifications stop without prompting the user.
micro VPN session required | MDX Policies | Off | Provides a valid network connection and Citrix Gateway session to use apps.
micro VPN session required grace period | MDX Policies | 0 | No grace period (if you enabled micro VPN session required).
App passcode | MDX Policies | On | Require a passcode for an application.
Encrypt secrets using passcode | Endpoint Management client properties | false | Do not require user entropy to encrypt the vault.
Enable Citrix PIN Authentication | Endpoint Management client properties | true | Enable Citrix PIN for simplified authentication experience.
PIN Strength Requirement | Endpoint Management client properties | Medium | Enforces medium password complexity rules.
PIN Type | Endpoint Management client properties | Numeric | PIN is a numeric sequence.
Enable Password Caching | Endpoint Management client properties | true | The user PIN caches and protects the Active Directory password.
Inactivity Timer | Endpoint Management client properties | 30 | If a user doesn’t use MDX apps or Secure Hub for this period, prompt for offline authentication.
Enable Touch ID Authentication | Endpoint Management client properties | true | Enables Touch ID for offline authentication use cases in iOS.

High Security

This configuration, the most convenient to users, provides base-level security.

Setting | Where to Find the Setting | Recommended Setting | Behavior Impact
--- | --- | --- | ---
Session time-out | Citrix Gateway | 10080 | Users enter their Secure Hub credentials only when online authentication is required, every 7 days.
Forced time-out | Citrix Gateway | No value | Sessions are extended if there’s any activity.
Maximum offline period | MDX Policies | 167 | Requires policy refresh every week (every 7 days). The hour difference is to allow for refresh ahead of session time-out.
Background services ticket expiration | MDX Policies | 240 | Time out for STA, which allows for long-lived sessions without a Citrix Gateway session token. For Secure Mail, making the STA time-out longer than the session time-out avoids having mail notifications stop. In that case, Secure Mail doesn’t prompt the user if they don’t open the app before the session expires.
micro VPN session required | MDX Policies | Off | Provides a valid network connection and Citrix Gateway session to use apps.
micro VPN session required grace period | MDX Policies | 0 | No grace period (if you enabled micro VPN session required).
App passcode | MDX Policies | On | Require a passcode for an application.
Encrypt secrets using passcode | Endpoint Management client properties | false | Do not require user entropy to encrypt the vault.
Enable Citrix PIN Authentication | Endpoint Management client properties | true | Enable Citrix PIN for simplified authentication experience.
PIN Strength Requirement | Endpoint Management client properties | Low | No password complexity requirements.
PIN Type | Endpoint Management client properties | Numeric | PIN is a numeric sequence.
Enable Password Caching | Endpoint Management client properties | true | The user PIN caches and protects the Active Directory password.
Inactivity Timer | Endpoint Management client properties | 90 | If a user doesn’t use MDX apps or Secure Hub for this period, prompt for offline authentication.
Enable Touch ID Authentication | Endpoint Management client properties | true | Enables Touch ID for offline authentication use cases in iOS.
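As an added example (not Citrix's own tooling), the following Python script encodes the dependencies this article states between the Citrix Gateway session time-out, the MDX Maximum offline period and Background services ticket expiration, and the Citrix PIN client properties, and checks the three recommended configurations plus the default settings against them. The field names and finding messages are this example's own.

```python
"""Added example (not Citrix tooling): checks an Endpoint Management authentication
profile against the dependencies this article states. Field names are this example's own."""
from dataclasses import dataclass


@dataclass
class AuthProfile:
    name: str
    session_timeout_min: int       # Citrix Gateway session time-out (0 = disabled)
    max_offline_hours: int         # MDX Maximum offline period
    sta_ticket_hours: int          # MDX Background services ticket expiration
    app_passcode: bool             # MDX App passcode
    micro_vpn_required: bool       # MDX micro VPN session required
    grace_period_min: int          # MDX micro VPN session required grace period
    enable_passcode_auth: bool     # client property ENABLE_PASSCODE_AUTH
    enable_password_caching: bool  # client property ENABLE_PASSWORD_CACHING
    inactivity_timer_min: int      # client property INACTIVITY_TIMER
    cert_only_auth: bool = False   # client certificate is the sole online method


def check_profile(p: AuthProfile) -> list[str]:
    """Return the findings for a profile; an empty list means it is consistent."""
    findings = []
    if p.max_offline_hours < 1:
        findings.append("Maximum offline period is below the 1 hour minimum")
    if p.session_timeout_min > 0:
        session_hours = p.session_timeout_min / 60
        # The offline period must not go past the Gateway session; the
        # recommended configurations leave an hour for the policy refresh.
        if p.max_offline_hours >= session_hours:
            findings.append("Maximum offline period goes past the session time-out")
        # Secure Mail notifications stop when the STA ticket expires, so the
        # ticket must outlive the session time-out.
        if p.sta_ticket_hours <= session_hours:
            findings.append("Background services ticket expiration is not longer than the session time-out")
    if p.enable_password_caching and not p.enable_passcode_auth:
        findings.append("ENABLE_PASSWORD_CACHING requires ENABLE_PASSCODE_AUTH = true")
    if p.cert_only_auth and not p.enable_passcode_auth:
        findings.append("Certificate-only authentication requires a Citrix PIN")
    if p.inactivity_timer_min > 0 and not p.app_passcode:
        findings.append("Inactivity timer applies only when App passcode is On")
    if p.grace_period_min > 0 and not p.micro_vpn_required:
        findings.append("Grace period has no effect while micro VPN session required is Off")
    return findings


# Values taken from the article's tables; argument order follows the dataclass fields.
PROFILES = [
    AuthProfile("Highest Security", 1440, 23, 72, True, False, 0, True, False, 15),
    AuthProfile("Higher Security", 4320, 71, 168, True, False, 0, True, True, 30),
    AuthProfile("High Security", 10080, 167, 240, True, False, 0, True, True, 90),
    AuthProfile("Default settings", 1440, 72, 168, True, False, 0, False, False, 15),
]


def check_all(profiles=PROFILES) -> dict[str, list[str]]:
    """Map each profile name to its findings."""
    return {p.name: check_profile(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Running it shows that the three recommended configurations pass, while the default settings (72 hour offline period against a 24 hour session time-out) trip the rule the article states about the maximum offline period.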

Using Step-Up Authentication

Some apps might require enhanced authentication, for example a secondary authentication factor such as a token, or aggressive session time-outs. You control this authentication method through an MDX policy. The method also requires a separate virtual server to control the authentication methods (on either the same or a separate Citrix Gateway appliance).

Setting | Where to Find the Setting | Recommended Setting | Behavior Impact
--- | --- | --- | ---
Alternate Citrix Gateway | MDX Policies | Requires the FQDN and port of the secondary Citrix Gateway appliance. | Allows for enhanced authentication controlled by the secondary Citrix Gateway appliance authentication and session policies.

If a user opens an app that uses the alternate Citrix Gateway, all other apps use that Citrix Gateway instance to communicate with the internal network. The session only switches back to the lower security Citrix Gateway instance when the session times out from the Citrix Gateway instance with enhanced security.

Using micro VPN session required

For certain applications, such as Secure Web, you can make sure that users run an app only when they have an authenticated session. This policy enforces that option and allows for a grace period so users can finish their work.

Setting | Where to Find the Setting | Recommended Setting | Behavior Impact
--- | --- | --- | ---
micro VPN session required | MDX Policies | On | Makes sure that a device is online and has a valid authentication token.
micro VPN session required grace period | MDX Policies | 15 | Allows a 15-minute grace period before the user can no longer use apps.
