
About this release

Oct 20, 2015

What's New in XenMobile 8.7

XenMobile 8.7 includes updates and enhancements to the following components: App Controller, Device Manager, Worx Home, and WorxMail.

To download the XenMobile 8.7 release, as well as an update for Device Manager and App Controller, see the Citrix website. To download the latest MDX Toolkit and Worx apps, see the XenMobile website.

Device Manager

  • Shared device management. You can enroll and manage devices that are shared between multiple users. Users' resources are automatically loaded onto the device when they log on and then removed again when they log off. This feature is only available with XenMobile MDM Edition.
  • Windows 8.1 devices. You can enroll and manage devices running Windows 8.1, including Windows RT 8.1. Auto-discovery for user enrollment is required to enable management of Windows 8.1 devices.
  • Amazon device VPN configurations. You can create and deliver policies to configure VPN settings on Amazon devices. This feature is only available with XenMobile MDM Edition.
  • NTLM 2 authentication to the database. The Windows NT LAN Manager (NTLM) version 2 authentication protocol is supported for connections to Device Manager databases hosted on Microsoft SQL Server.

Worx Home

  • PIN history. You can now prevent the reuse of previous PINs. Worx Home supports a PIN history and enables you to configure the number of PIN cycles that must pass before a PIN can be reused.
  • Dutch language. Worx Home now supports the Dutch language.

WorxMail

  • Allow external attachments. You can allow or block the attachment of files from other apps to WorxMail messages. By default, attachments are allowed.
  • Improved attachment download experience for iOS users. Attachments now download in the background, enabling users to read messages and do other activities simultaneously. You can also download multiple attachments at the same time.
  • Improved attachment send experience for iOS users. WorxMail now offers iOS users native support for .png attachments, allows users to review attachments before sending, and sends higher quality .jpg images.
  • Improved calendar functionality. Meeting organizers can now edit their events and revise their invitees in WorxMail.
  • Enhanced Inbox organization. Users can now choose to organize their Inbox by the order messages appear or in Conversation (iOS)/Thread (Android) view.
  • IBM Notes support for iOS. If you use IBM Notes for email, users with iOS devices can now seamlessly receive their mail through the secure WorxMail.
  • SMS functionality to anyone in the Contacts list for iOS. Users with iOS devices can now send text messages to anyone in their WorxMail Contacts list. FaceTime messaging is also supported.
  • Contact list automatic synchronization for iOS. This feature allows a one-way synchronization of users' Contact lists from their WorxMail list to their devices' native Contacts list.
  • Support for Microsoft Lync join links. Users can join Lync audio meetings by tapping a link within the calendar event.
  • Prevent users from changing the mail server setting. You can enter a fully qualified domain name (FQDN) in the WorxMail Exchange Server field on the Policies page of the App Controller management console to keep users from entering their own mail server information, thereby preventing data loss from the container.
  • Enhanced GoToMeeting dial-in functionality. If no dial-in phone numbers are found for the user’s country, but the meeting invite body includes international numbers, a list of these numbers appears before dialing out. This allows the user to decide whether to make an international call. Alternatively, if multiple numbers for the user's country are found, a list of those numbers appears for the user's choice.
  • Inline image support for Android users. Android users can now enhance their messages by adding images in line with the text.
  • Dutch language. WorxMail now supports the Dutch language.

Issues Fixed in XenMobile 8.7.1

  1. You cannot use Remote Support to view and control Android devices from Device Manager. The message, “Reading Data,” appears. [#452292]
  2. When you use a credential policy in Device Manager to push root and intermediate Certification Authority (CA) certificates to users’ Android devices, the certificates may fail to install. Users are prompted for a password associated with the certificate. After they provide the password, they are asked for the password again. The certificate does not install. [#452317]
  3. You cannot enroll devices running iOS 5.x in Device Manager 8.7. [#455574]
  4. After users change their domain password at a domain-joined workstation, when they try to authenticate to Worx Home, authentication fails. A “Please wait” or “Authenticating” message may appear on the screen, but authentication does not succeed. [#457852]

Issues Fixed in XenMobile 8.7

  1. Android 4.x devices may lose their connection with Device Manager and not reconnect on their own. The device policies must be refreshed in Device Manager to restore the connection. [#443679]
  2. Messages created by users in Outlook and stored in their Draft folder may not contain the text when opened for editing in WorxMail. [#441192]
  3. Synchronization of messages on WorxMail for iOS may stop mid-process. The device must be reenrolled in order to synchronize the remaining messages. [#442177]
  4. The exporting of contacts from the WorxMail Contacts list to the native Contact list on the device may fail. This could result in no contacts being exported or a partial group of contacts being exported. [#43681]
  5. The name of events in the Calendar Event Notification dialog box cannot be read. The title text color matches the background color, making it appear as if there is no text present. [#399130]

Known Issues in XenMobile 8.7

MDX Toolkit

  • On Android devices, the camera freezes while capturing video for upload and the user must tap the back button to exit the frozen camera. To enable video capture from an MDX-wrapped app, set the Block mic record policy to Off. [#539024]
  • On devices running Android 4.4 (KitKat), PKI-enabled websites cannot be accessed in WorxWeb wrapped using the MDX Toolkit when the Enable secure browse policy is set to Off. To resolve this issue, set the Enable secure browse policy to On. [#433562]
  • When you set a policy to require users to sign on each time the app opens, and users try to sign on to WorxWeb with an Android device and authenticate through NetScaler Gateway, the maximum number of attempts they can make is the default of five and a message appears, regardless of the policy you set in App Controller. [#424846]
  • Facebook for Android cannot be wrapped as an MDX file. This is a third-party issue. [#387647]
  • App wrapping technology and data containment technology are limited to intercepting inside the main application Dalvik Executable (DEX) file. DEX files contain compiled Android Java code that runs on the Android operating system. Code that resides outside the main DEX file is not intercepted during wrapping. This may limit the ability to restrict certain application functionality by using data containment policies. [#361404]
  • If a mobile app stores data or documents outside of the application data area, when you erase the device, the data or documents are not erased. [#358803]
  • App wrapping technology is limited to standard Android applications that are written by using the Android Java SDK. Wrapping, code interception, and data containment do not support or attempt to modify native code (low-level code) within the application. Although it is possible that some applications make use of native code, not many do so. This limitation may impact the capability to restrict certain application functionality by using data containment policies. [#357811, #362211, #362749, #362750]
  • Some mobile apps require certificate checks when users start the app. If you wrap an app that requires a certificate check, the app might not start on the user device. [#357368]
  • If you set the block screen policy to On to prevent users from taking screen shots on their Android device, some mobile apps continue to allow users to take screen shots. These apps use the Adobe AIR platform. Preventing screen shots in these apps does not work. [#357240]
  • The MDX Toolkit incorrectly allows the entry of the ampersand (&) character when completing the Minimum and Maximum OS versions. As a result, if you enter an ampersand in the operating system versions for an app, no apps appear in the store on the user device. [#342359]
  • For this release, using the MDX Toolkit for Microsoft Office Suite is not supported. [#341800]
  • When you upload a wrapped app to App Controller and set the Maximum OS version in the Mobile App Details dialog box, App Controller allows users with a new version to start the app. You must set the maximum OS version when you wrap the app. [#321389]
  • If you download an application from the Apple App Store, attempts to wrap the app fail. Wrapping apps from the App Store is not permitted. [#320969]
  • If you upload a wrapped iOS app two times in App Controller with different file names, when users subscribe to both apps and then delete one instance of the app from their device, the title shows as "GoogleGoogle." Do not upload the same app with different names to App Controller. [#317912, #321386, #323986, #324436]
  • When you have a wrapped Office2HD app in App Controller with the same application ID as an unwrapped Office2HD app, and you configure the Document exchange (Open In) policy for a WorxMail app as Restricted, when users open a .docx attachment, an unwrapped Office2HD from the App Store appears as an Open In option when only wrapped MDX apps should appear.
  • To wrap apps for Android Version 4.3, you need to install the Java Development Kit (JDK) 1.7. You can download the JDK from Java SE Development Kit 7 Downloads on the Oracle web site. The instructions for installing the JDK on Mac OS X are on the ComputechTips web site.

App Controller

Important Notes
  • When you add users to Active Directory, you must enter the first and last name in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.
  • User account requests that use the workflow template with the App Controller workflow feature are not supported for users who connect with Receiver for Web.
  • User account requests that use the subscription workflow template with the App Controller workflow feature are not supported on Receiver for Mac 11.4. Users need to upgrade to Receiver for Mac 11.6 or 11.7.
  • The internal URL redirection feature, in which Receiver checks a keyword to determine if the URL requires a connection with the NetScaler Gateway Plug-in, is not available with Receiver for Web. The feature is supported only with Receiver for Windows Versions 3.1, 3.2, 3.3, or 3.4.
  • If you configure proxy servers to use both HTTP and HTTPS, App Controller uses the secure proxy server for all application connectors. If you configure only HTTP, or only HTTPS, App Controller uses the configured proxy server for all application connectors.

Known Issues

  • When users try to open ShareFile through SSO from Worx Home, SSO fails and users must close and then reopen the app to enable SSO to work for future logons. [#424579]
  • SSO for the Groupon app does not work when users try to open the app from Worx Home. The following error appears: "Oops! That page doesn't exist." To enable SSO to work for subsequent logons, users must select Switch to non-mobile version in the app. [#424341]
  • When users try to open CentralDesktop through SSO from Worx Home, SSO fails and users must enter their credentials. To enable SSO to work for subsequent logons, when users log on, they must select the Switch to Full Site option in the account settings for the app. [#424338]
  • When users upgrade to App Controller 2.9, and view Beacons on the management console Settings panel by using Internet Explorer, the Default store view option does not appear. Citrix recommends logging off and then clearing the browser cache. [#423495]
  • When users log on with the NetScaler Gateway Plug-in and try to open the Office365_SAML app, SSO fails and users must enter their credentials. [#419290]
  • When users log on with Receiver for Web by using their user name and password and an invalid domain, such as awswsws\ctx3, they can log on successfully. User authentication occurs with the configured domain and not the user-provided domain. If you configure multiple Active Directory domains, you should allow users to log on by using the user principal name (UPN) format, such as [#418608]
  • When users try to open Box through SSO from Worx Home, SSO fails. To enable SSO to work in subsequent logons, users must select the View Full Site option in the app. [#418547]
  • After you import a server certificate with the .pem format that contains the root certificates in the chain, only the server certificate uploads successfully. The issue does not occur with the .pfx format. [#411328]

Worx Apps

  • WorxMail is not supported on Kindle Fire devices running on Android 4.0 or older. [#412071]
  • Single Sign-on is not successful for the Yammer app and results in an error message. [#432959]
  • When users configure a Worx Home account after a required application is installed, updates to the required application are not installed automatically. As a result, users must install updates to the application from the WorxStore. [#448488]
  • Wrapped apps on iOS 7.1 may fail if the apps have been updated from XenMobile 8.6 to XenMobile 8.7 before Worx Home has been upgraded. To avoid this, upgrade Worx Home before upgrading the wrapped apps. [#448021]
  • The Worx Home SSO function does not work with the SugarCRM app. The SugarCRM logon page appears. Users can log on from this page. [#447714]
  • Multiday events that include days at the end of one month and the beginning of the next month in the Microsoft Exchange calendar do not appear in the first month. The days only appear on days in the second month in the WorxMail calendar. [#443845]
  • SSO for the app may fail to connect to the app’s logon page when users access the app through NetScaler Gateway. [#442804]
  • Messages related to the support log in the Worx Home Support chat window may not appear. Although this issue occurs more frequently with the first chat connection attempt, the issue may also occur on subsequent attempts. [#442659]
  • On Android devices, users cannot cancel Mark as Read and Mark as Unread operations on Microsoft Exchange through WorxMail. [#436353]
  • When users start the Medscape app for the first time, SSO does not occur and a blank page appears. SSO occurs successfully when Medscape is started a second time. [#432791]
  • The Worx Home SSO function does not work with the Birst Agile Business Analytics app. The Birst logon page appears. Users can log on from this page. [#432781]
  • When you configure a WiFi policy in Device Manager and users try to connect on a Samsung SAFE device, an authentication error occurs unless users manually edit and save the setting. [#430721]
  • In Worx Home on iOS, if you reenroll your device in XenMobile, all of the Citrix MDM configuration profiles should be removed from the device. This is a known issue in the XenMobile 8.6 release. To remove the profile on your iOS device, manually delete the MDM configuration profile by going to Settings > General > Profiles. [#423535]
  • Users may be asked to provide credentials when launching Worx Home, WorxMail, or WorxWeb from the iOS home page despite having already successfully authenticated. If this occurs, users should provide their credentials. To avoid the need to reauthenticate, users can start WorxMail or WorxWeb from within Worx Home. [#465113]
  • WorxMail notification settings are off by default and, if enabled, cannot be saved. [#470708]

Device Manager

  • The Microsoft MDM agent may still run on a user device after that device has been unenrolled through a revoke or selective wipe command. As a consequence, some policies might not be removed until the device is restarted. [#448746]
  • Windows 8.1 devices cannot be managed when two instances of Device Manager are configured as a high availability pair or cluster. [#448431]
  • Deployment packages delivered to Windows 8.1 devices are always reported as successfully deployed in the Device Manager web console, even if some applications or configurations could not be deployed. [#447932]
  • When upgrading XenMobile, the SuperAdmin permission is removed in the Device Manager web console for the Role Based Access Control (RBAC) SuperAdmin role; no functionality is lost. Edit the SuperAdmin role in the Device Manager web console and restore the SuperAdmin permission. [#428009]
  • Due to a problem with Cisco AnyConnect, the file com/cisco/anyconnect/vpn/android/service/helpers/uri/ 384 has a security issue. For details, contact Cisco. [#421038]