We at Citrix are extremely fond of buzz words, which couples nicely with the DoD’s love of acronyms. Today we are formally introducing the CACdroid. Hrmmm. That sounds like a robot. How about the CAC Receiver Android Mobile Platform and SmartCard (CRAMPS). No, That sounds uncomfortable. Citrix CAC Android Receiver (C2AR). No, that’s too military sounding.

OK, we’ll just call it Receiver for Android. After all, it’s the same Citrix Receiver, not a specialized version. It’s available for download from the Google Play store today at the low price of FREE. Here’s a little demonstration of the technology:

With this release, we are supporting the Biometric Associates, Inc Mobile 3000 MP Bluetooth Smart Card Reader. This reader is already in use in the DoD today supporting certain applications, and we’re happy to add Citrix Receiver to that list. The reader has been approved by DISA for use in the DoD and meets both the NSA and DISA requirements for secure Bluetooth communications. ‘The device pairs to an Android phone or tablet via Bluetooth. The Citrix Receiver communicates through the stack to pass the credentials back to a XenDesktop or XenApp framework on the back end, and securely authenticates a user via their CAC credentials to a session running safely in the datacenter. When coupled with a Netscaler to provide FIPS 140-2 Level 2 hardware encryption, every session is safe, secure, and there is no resident data on the Android that could be used to compromise security. If your Android gets too far away from the Bluetooth reader or from you, it will lock and disconnect the session without a trace of your sensitive data.

And while we’re all very excited over this release, we’re really pumped because this is part of a larger story that we call mobility. Can you deploy this new Receiver automatically to all the Androids in your department with a few clicks? Can you wipe this Receiver off of  BYOD Android when an employee or contractor leaves you? Did you know that Android Receiver is not just an ICA client?

When combined with MDM or EMM technologies such as Citrix XenMobile and Citrix CloudGateway for example, the Receiver has even more capability. Not only can it connect to remote desktop and applications, but it can also get native Android applications from your agency app store when used with Cloud Gateway. Cloud Gateway turns Receiver from an ICA client into a “killer app” with access to native applications, web and SAAS applications, and with follow-me data through Sharefile.

Now before everyone goes wild trying to make this work in their Citrix environment, you should always check with your IT department to determine if they can support this. Chances are they will want to test their environment out and bless it before they let you run with this, and this may require a minor modification on their back end to accommodate Android devices that they probably had never needed to make.

The important thing to remember is that this is supported on Windows 2008R2, and that means the backend site should be running XenDesktop 5.6 or newer, or XenApp 6.5 or newer. The first change is that if you’ve never serviced Android endpoints before, you will probably want to ensure that Androids have their own URL or Web Interface PNA Services site. You can create a new site for this, but it must be a PNA site. This site should also be set up with IIS requirements to Require SSL and to Require or Accept Client Certificates. It’s just like setting up a PNA site to support Smart Cards on a Wyse Xenith. Additionally, you will also need to ensure that the IIS server can negotiate the client certificates, which is not a default setting. This requires that you modify the sslcert using the following commands:

 

netsh http show sslcert

netsh http delete sslcert ipport=0.0.0.0:443

netsh http add sslcert

netsh http add sslcert ipport=0.0.0.0:443 certhash=<previous hash> appid=<{previous appid}> clientcertnegotiation=enable

These settings should not have any negative impact on other PNA or Web Interface sites that support CAC authentication. This is a requirement only for Androids at the moment. The next requirement is that the BAI middleware must also be present on the Android device as well. This is a service called Android PC/SC Lite and is available through BAI, but must version 3.5 or higher. Once these requirements are satisfied, then you should be ready for testing.

The support for CAC cards through the Android Receiver makes a compliment to other projects that many of our DoD customers are already working on as well. If you’re working on any pilot projects that use a BAI mobile CAC reader, you can work this into your pilot as well. If you are testing this for secure browsing to restricted CAC enable sites, or testing with Good For Government, then imagine being able to access enterprise applications as well! That’s what Citrix Public Sector account reps and sales engineers are here for, to help you maximize your investments in these technologies, so please let us know if you would like us to help you understand the impact this can have on your BYO and mobility plans. You’ll see that this is the tip of the iceberg when it comes to mobility. Please e-mail me directly and I can connect you with the resources to help you plan this.

Also know that this is the first in many announcements we’ll make this year around Smart Card support. We have lots of exciting things in the works so keep an eye on our Federal Blogs for more great Federal focused topics.