Tuning Endpoint Management operations

The performance and stability of Endpoint Management operations involve many settings across Endpoint Management and depend on your NetScaler and SQL Server database configuration. This article focuses on the settings that are most often configured for tuning and optimizing Endpoint Management. Citrix recommends that you evaluate each of the settings in this article before deploying Endpoint Management.

The following server properties globally apply to operations, users, and devices across an entire Endpoint Management instance.

These tuning guidelines apply to both clustered and non-clustered environments.

hibernate.c3p0.idle_test_period

This Endpoint Management server property, a Custom Key, determines the idle time in seconds before a connection is automatically validated. Configure the key as follows. Default is 30.

  • Key: Custom Key
  • Key: hibernate.c3p0.idle_test_period
  • Value: 30
  • Display name: hibernate.c3p0.idle_test_period
  • Description: Hibernate idle test period

hibernate.c3p0.max_size

This Custom Key determines the maximum number of connections that Endpoint Management can open to the SQL Server database. Endpoint Management uses the value you specify for this custom key as an upper limit. The connections open only if you need them. Base your settings on the capacity of your database server.

Note the following equation in a clustered configuration: your c3p0 connection setting (hibernate.c3p0.max_size) multiplied by the number of nodes equals the actual maximum number of connections that Endpoint Management can open to the SQL Server database.

In both clustered and non-clustered configurations, setting the value too high with an undersized SQL Server can cause resource issues on the SQL side during peak load. Setting the value too low means you might not be able to take advantage of the SQL resources available.

Configure the key as follows. Default is 1000.

  • Key: hibernate.c3p0.max_size
  • Value: 1000
  • Display name: hibernate.c3p0.max_size
  • Description: DB connections to SQL

hibernate.c3p0.min_size

This Custom Key determines the minimum number of connections that Endpoint Management opens to the SQL Server database. Configure the key as follows. Default is 100.

  • Key: hibernate.c3p0.min_size
  • Value: 100
  • Display name: hibernate.c3p0.min_size
  • Description: DB connections to SQL

hibernate.c3p0.timeout

This Custom Key determines the idle time-out. If you use database cluster failover, Citrix recommends that you add this Custom Key and set it to reduce the idle time-out. Default is 120.

  • Key: Custom Key
  • Key: hibernate.c3p0.timeout
  • Value: 120
  • Display name: hibernate.c3p0.timeout
  • Description: Database idle timeout
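
The cluster equation and the four c3p0 keys above can be checked together before a change is applied. The following Python sketch is an added example, not Citrix code: `check_pool`, `nodes` and `sql_budget` (the number of connections your DBA allots to this instance) are hypothetical names, and the rule that idle_test_period should be shorter than timeout is this example's own assumption.

```python
# Added example (not Citrix code). Defaults are the values this article states.
DEFAULTS = {
    "hibernate.c3p0.idle_test_period": 30,   # seconds
    "hibernate.c3p0.max_size": 1000,         # connections per node
    "hibernate.c3p0.min_size": 100,          # connections per node
    "hibernate.c3p0.timeout": 120,           # seconds
}

def check_pool(props, nodes, sql_budget):
    """Return (floor, ceiling, findings) for the whole cluster.

    props      -- Custom Key overrides, merged over DEFAULTS
    nodes      -- number of Endpoint Management nodes (1 if not clustered)
    sql_budget -- hypothetical: connections the DBA allots to this instance
    """
    p = {**DEFAULTS, **props}
    findings = [f"{k} must be a positive integer, got {p[k]!r}"
                for k in DEFAULTS
                if not isinstance(p[k], int) or p[k] <= 0]
    if findings:
        return None, None, findings

    lo, hi = p["hibernate.c3p0.min_size"], p["hibernate.c3p0.max_size"]
    floor, ceiling = nodes * lo, nodes * hi   # the cluster equation
    if lo > hi:
        findings.append(f"min_size {lo} exceeds max_size {hi}")
    if floor > sql_budget:
        findings.append(f"idle cluster already holds {floor} connections, "
                        f"over the budget of {sql_budget}")
    elif ceiling > sql_budget:
        findings.append(f"peak demand {ceiling} exceeds budget {sql_budget}; "
                        f"max_size of {sql_budget // nodes} per node would fit")
    # Assumption of this example: validation should run before the idle
    # time-out discards the connection, so the test period must be shorter.
    if p["hibernate.c3p0.idle_test_period"] >= p["hibernate.c3p0.timeout"]:
        findings.append("idle_test_period is not shorter than timeout")
    return floor, ceiling, findings

if __name__ == "__main__":
    # Constructed scenario: article defaults on three nodes, budget of 2500.
    for line in check_pool({}, nodes=3, sql_budget=2500)[2]:
        print("WARN", line)
```
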

Push Services Heartbeat Interval

The Push Services Heartbeat Interval includes the following keys:

  • ios.apns.heartbeat.interval
  • windows.wns.heartbeat.interval
  • gcm.heartbeat.interval

This setting determines how frequently a device checks if an APNs notification is not delivered in the interim. Increasing the APNs heartbeat frequency can optimize database communications. Too large a value can add unnecessary load. This setting applies only to iOS. Default is 20 hours.

If you have a large number of iOS devices in your environment, the heartbeat interval can lead to higher load than necessary. Security actions, such as selective wipe, lock, full wipe, and so on do not rely on this heartbeat, as an APNs notification is sent to the device when these actions are executed. This value governs how quickly a policy updates after Active Directory Group membership changes. As such, it is often suitable to increase this value to something between 12 and 20 hours to reduce load.

iOS MDM APNS Connection Pool Size

An APNs connection pool that is too small can negatively affect APNs activity performance when you have more than 100 devices. Performance issues include slower deployment of apps and policies to devices and slower device registration. Recommended setting is 10 or up to the maximum number of APNs servers for your geographic location. Default is 10.

auth.ldap.connect.timeout

To compensate for slow LDAP responses, Citrix recommends that you add server properties for the following Custom Key.

  • Key: Custom Key
  • Key: auth.ldap.connect.timeout
  • Value: 60000
  • Display name: auth.ldap.connect.timeout
  • Description: LDAP connection timeout

auth.ldap.read.timeout

To compensate for slow LDAP responses, Citrix recommends that you add server properties for the following Custom Key.

  • Key: Custom Key
  • Key: auth.ldap.read.timeout
  • Value: 60000
  • Display name: auth.ldap.read.timeout
  • Description: LDAP read timeout

Other Server Optimizations

     
| Server Property | Default Setting | Why Change This Setting? |
| --- | --- | --- |
| Background Deployment | 1440 minutes | The frequency for background policy deployments, in minutes. Applies only to always-on connections for Android devices. Increasing the frequency of policy deployments reduces server load. Recommended setting is 1440 (24 hours). |
| Background Hardware Inventory | 1440 minutes | The frequency for background hardware inventory, in minutes. Applies only to always-on connections for Android devices. Increasing the frequency of hardware inventory reduces server load. Recommended setting is 1440 (24 hours). |
| Interval for check deleted Active Directory user | 15 minutes | The standard sync time for Active Directory is 15 minutes. The value 0 prevents Endpoint Management from checking for deleted Active Directory users. Recommended setting is 15 minutes. |
| MaxNumberOfWorker | 3 | The number of threads used when importing a large number of VPP licenses. Defaults to 3. If you need further optimization, you can increase the number of threads. However, be aware that with a larger number of threads, such as 6, a VPP import results in very high CPU usage. |

Optimizing Deployment Scheduling for Android Devices

You can schedule deployments for Android devices using the Google Firebase Cloud Messaging (FCM, previously named Google Cloud Messaging) or Endpoint Management settings.

If using FCM to schedule deployments

Enabling FCM for your Endpoint Management environment allows for near real-time notifications to Android devices, similar to APNs for iOS devices. With FCM configured, when Endpoint Management needs to connect to a device for a policy update, selective wipe, and so on, Endpoint Management sends a notification message to the FCM server to forward the request to the client device. After the device receives the notification from FCM, the device connects back to Endpoint Management for further instructions. Keep in mind that this method relies on third-party servers (Google) and therefore is subject to service interruptions outside the control of your IT department or Citrix Support.

For information on how to register with the FCM service, refer to Endpoint Management and Firebase Cloud Messaging (FCM) Configuration.

If using FCM for Android, be aware of the following Endpoint Management server properties. The properties still use the prior acronym for Google Cloud Messaging, GCM.

  • GCM API Key: The key created in the Google Developers Console.
  • GCM Sender ID: The Project Number in the Google Developers Console.
  • GCM Registration ID TTL: The delay, in days, before renewing the device FCM registration ID. Defaults to 10.
  • GCM Heartbeat Interval: Defaults to 6 hours.

If using Endpoint Management settings to schedule deployments

To schedule deployments to Android devices, use these Endpoint Management settings:

  • Set the Connection Scheduling Policy (an Endpoint Management device policy) to Always, which keeps the connection alive permanently. This enables you to deploy policies to delivery groups immediately. The open connection also enables the background services defined in the server properties Background Deployment and Background Hardware Inventory to occur per those property settings.
  • Select the Deployment Schedule option Deploy for always-on connection in each policy deployed to the device.

Note:

For Android devices, setting the Deployment condition to Only when previous deployment has failed helps with device usage. Some devices overwrite the policy and some devices reset the policy.

If a device resets the policy, Endpoint Management might prompt users for credentials every time a policy that requires authentication is re-deployed. Enabling this feature also helps with server load and prevents the reported status from bouncing between failed and success when Endpoint Management pushes the policy every time the device connects.