Product Documentation

Managing Devices

Apr 09, 2015

You can manage devices by using the following:

  • Tagging devices to identify ownership of the device. You can tag devices with a script or by using the Device Manager web console.
  • Adding devices to Device Manager either manually or by using the Device Provisioning tool.
  • Locking and unlocking devices by using the Device Manager web console.
  • Revoking device certificates to prevent devices from accessing Device Manager.
  • Wiping devices, which removes some or all of the data on the device.

Adding a device to Device Manager manually

The Device Manager server repository database stores a list of mobile devices. Each mobile device is defined by a unique serial number and/or IMEI. There are a number of methods to populate Device Manager with your devices:
  • Adding devices manually.
  • Importing a list of devices from a file by using the Device Provisioning tool (Windows Mobile and Symbian devices only) or Device Auto Discovery (only available with the Secure Device option).
  1. Click New device.
  2. Select the device type.

Importing a list of devices by using a file

Develop a text file according to the following format by using a utility application such as a text editor, spreadsheet application, or note taker.

Element                  Notes
Serial Number            Device serial number (required if IMEI is not given)
IMEI                     Device IMEI identifier (required if serial number is not given)
Operating System Family  Required to be WINDOWS, ANDROID, or iOS.
Property name 1          Optional
Property value 1         Optional
Property name (n)        Optional
Property value (n)       Optional

Many mobile operators or device manufacturers provide lists of authorized mobile devices, and you can utilize these to avoid having to enter a long list of mobile devices manually. Device Manager supports an import file format that is common to all three of the supported device types.

Note the following:

  • File charset must be UTF-8.
  • Semi-colon (;) is used as the field delimiter so it must be escaped if it is present in the data.
  • For iOS device import, Serial Number is mandatory. Serial Number is the identifier for iOS devices.

For example:

1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value 
2050BF3F517301081610065510590392;25244201625379902;ANDROID;propertyN;propertyV$*&&ééétest 
3050BF3F517301081610065510590393;35244201625379903;iOS;test; 
4050BF3F517301081610065510590393;;iOS;test; 
;55244201625379903;ANDROID;test.testé;value;
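
A pre-import check for this file format, added here as an example (it is not part of the product): it enforces the rules listed above (UTF-8, \; escaping, serial number or IMEI present, OS family, serial number for iOS) and the uniqueness of serial numbers and IMEIs, so a malformed provisioning file is rejected before it reaches the repository database. The function names, the error messages and the trimming of whitespace around fields are assumptions of this example.

```python
import re

ALLOWED_OS = {"WINDOWS", "ANDROID", "iOS"}  # values from the format table
_UNESCAPED = re.compile(r"(?<!\\);")        # ';' not preceded by a backslash

def split_fields(line):
    """Split on unescaped ';' and restore escaped '\\;' to a literal ';'."""
    # Assumption: whitespace around a field is not significant.
    return [f.replace("\\;", ";").strip() for f in _UNESCAPED.split(line)]

def parse_line(line):
    """Return (record, errors) for one line of the import file."""
    fields = split_fields(line)
    if len(fields) < 3:
        return None, ["expected serial;IMEI;OS family"]
    serial, imei, os_family = fields[:3]
    props, errors = fields[3:], []
    if len(props) % 2 and props[-1] == "":
        props.pop()                         # a trailing ';' ends the line
    if not serial and not imei:
        errors.append("serial number or IMEI is required")
    if os_family not in ALLOWED_OS:
        errors.append(f"unknown OS family {os_family!r}")
    if os_family == "iOS" and not serial:
        errors.append("iOS devices require a serial number")
    if len(props) % 2:
        errors.append("property name without a value")
    record = {"serial": serial, "imei": imei, "os": os_family,
              "properties": dict(zip(props[0::2], props[1::2]))}
    return record, errors

def validate_import(data):
    """Check raw file bytes; return (accepted records, [(line, problem)])."""
    try:
        text = data.decode("utf-8")         # file charset must be UTF-8
    except UnicodeDecodeError as exc:
        return [], [(0, f"not UTF-8: {exc.reason} at byte {exc.start}")]
    records, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        record, errors = parse_line(line)
        for kind in ("serial", "imei"):     # identifiers must be unique
            value = record[kind] if record else ""
            if value and (kind, value) in seen:
                errors.append(f"duplicate {kind}, first seen on line "
                              f"{seen[(kind, value)]}")
            elif value:
                seen[(kind, value)] = lineno
        problems.extend((lineno, e) for e in errors)
        if record and not errors:
            records.append(record)
    return records, problems

# First two lines are the page's own examples; the last two are constructed.
SAMPLE = r"""1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value
;55244201625379903;ANDROID;test.testé;value;
;35244201625379904;iOS;test;
1050BF3F517301081610065510590391;;LINUX;owner
""".encode("utf-8")

if __name__ == "__main__":
    accepted, rejected = validate_import(SAMPLE)
    print(len(accepted), "accepted")
    for lineno, problem in rejected:
        print(f"line {lineno}: {problem}")
```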

Importing a task file

  1. Click the Import tab.
  2. Browse to the corresponding provisioning file.
  3. Click Import.

Viewing the Device Properties

When you click a device name in Device Manager and click Edit, you can view device overview information for a device type. The tabs that appear may differ slightly depending on the device.

The main tabs that appear and the information they contain are as follows:

  • General. On this tab, you can view device properties, such as the software inventory, the device serial number, IMEI, as well as the Strong ID if the Secure Device option is available in the license installed on the server. You can also display the status of the Device Lock and Device Wipe commands:
    • The statement No device lock/wipe, if no command was sent.
    • A description and the date and time at which the command was sent or carried out.
  • Properties. The hardware inventory appears on this tab. The list is updated automatically each time the device connects to Device Manager. For devices that use the Secure Device Option, additional tabs appear, such as Certificates and Master Keys.
  • Software. The software inventory appears on this tab. The list includes all applications and software packages installed on a device, such as package name, author, size, installation date, and version of the software. You must request an inventory if you want to display the applications deployed through Device Manager as well as user-installed apps. To request an inventory, you need to configure a deployment from the Deployment tab. Under Resources to be deployed, select Software Inventory.
    Note: For Windows Mobile devices exclusively, only software programs available in the Add/Delete program menu on the device appear on the Software tab.
  • iOS Profiles. You can view the profiles for an iOS device on the iOS Profiles tab. Profiles may include web clips, mobile device management (MDM) configurations, access permissions, and more.
    Note: When working with iOS configuration profiles generated with Apple’s iOS Configuration Utility (IPCU), such as profiles for Exchange ActiveSync, WiFi, and VPN access with a certificate, Device Manager cannot prompt the device unless you include the certificate password in the profile when you create the certificate. You must include the certificate password in the IPCU steps, and then use Device Manager to import the profiles with the certificates.
  • Certificates.
  • Deployment. You can view a complete real-time view of package deployment, on a per-device basis, on the Deployment tab. You can view all packages assigned to a device, and the status of the deployment.
    Note: The status of pending is the same as remaining. The status means that the package has not yet been deployed.
  • Connection. The Connections tab displays the users who have authenticated against a device. It lists the user name and the last two authentication times.
  • MDM Status. On this tab, you can review the mobile device management (MDM) status for iOS devices. The information that appears is as follows:

    MDM status:

    • INACTIVE. The server does not expect the device to connect to it any time soon, nor does it consider it necessary.
    • ENQUEUED. The server is attempting to communicate with the device, but a push notification has yet to be sent to the Apple Push Notification service (APNs).
    • ACTIVE. The server is either currently handling a device request, or it expects the device to reply to a previously sent command.
    • PENDING. The server is waiting for a connection from the device.

    Last push initiation. The time of the most recent push notification initiated by Device Manager.

    Last notification completion. The time of the most recent completed push notification to the device.
    Note: The message "Completion of a Push notification attempt" means the notification payload was successfully sent to the server running APNs and the server did not reply with an error (which would indicate syntax errors and so on).

    Last reply device time. The time that a device connected to Device Manager following a push notification.

Viewing Device Management Status

For each device you manage, Device Manager provides information on device management status, whether or not the device has been jailbroken, device operating system and hardware information, serial number and IMEI/MEID number, user of the device, device phone number, and so on.

Three of the most commonly used and important statuses for your device indicate whether or not a device is managed: Jailbroken/Rooted, SMG Status, and Managed.

The following table describes the status information and colored icons that you see on the Devices tab in Device Manager:

Status Explanation

Jailbroken/Rooted

A green light means that the device is NOT jailbroken (iOS) or rooted (Android).

A red light means that the device has been jailbroken or rooted.

Secure Mobile Gateway Status

A green light means that Secure Mobile Gateway recognizes the device as legitimate and allows the device to access your Exchange email infrastructure.

A red light means that Secure Mobile Gateway recognizes the device as a potential threat to your Exchange email infrastructure and is blocking the device.

A gray light means that your instance of Device Manager does not have Secure Mobile Gateway installed and configured.

Device Managed

A green light means that the device is managed by Device Manager, which means that the device has the XenMobile agent installed on it and that it is enrolled (and can communicate) with the server running Device Manager.
Note: In some cases, a device will appear as "managed" even though it does not have the XenMobile agent installed. This means that the device has likely been recognized by Device Manager through an ActiveSync connection. For example, if you import users into Device Manager who own a BlackBerry or Palm device, or if they connect to their email server through ActiveSync, their devices will appear in Device Manager as "managed." Although these devices cannot have a Device Manager agent installed, their communication with Device Manager is limited, and they cannot have policies deployed to them, it is possible to issue an ActiveSync or BlackBerry wipe to them.

A red light means that the device is not currently being managed by Device Manager for the following possible reasons:

  • If you perform a revoke, wipe, or selective wipe on a device.
  • If the device has an agent installed on it, but it was never enrolled.
  • If the device has an agent installed on it, but the user profile or corporate certificate has been removed.

Anonymous

Under the User column, a status of Anonymous can occur if a user authentication fails (wrong credentials).

When this happens, Windows Mobile and Symbian devices switch to anonymous mode. It can also happen if the user can no longer be used to authenticate from a device.

iOS and Android devices authenticate by using a client certificate, so those devices will only become Anonymous if the user is deleted or disabled in Active Directory.

Searching for and editing device properties

From the Devices tab in the Device Manager web console, you can search for a device in the list. You can also edit the device properties to add additional properties.

Searching for a device

The Search option under the Devices tab is a free-form search field in which you can search for a device by typing information you know about it. You can also narrow your search to certain criteria.

  1. Click the search icon and then specify one or more of the following criteria:
    • The name of one of the device’s users
    • The device serial number
    • The device IMEI
    • The model of the device
    • Device platform
    • Operating system version
    Note: For each search criterion, you can enter the first letters or numbers of the item you are looking for.
  2. To narrow the search to specific criteria, in the Search list, select one or more of the following check boxes:
    • IMEI/MEID
    • User
    • Model
    • Platform
    • OS version
    • Serial number

To restore the complete list of devices, click x next to the Search field.

Editing the device properties

After you have added one or more devices into the repository database, you can populate additional comprehensive device data into the repository database. This ability allows administrators to maintain a detailed hardware inventory of their field devices within Device Manager. This process mirrors that of adding additional user information, minimizing training requirements.

  1. Click the Devices tab.
  2. Highlight the device to which you want to add additional hardware information and then click Edit.
  3. Click the Properties tab and then click New Property.
  4. Select either one of the included fields, or select Other to create a custom data field. This field is free form, and can contain up to a maximum of 256 characters.

Showing or hiding device statuses

Under System Configuration in the Device Manager web console, you can change the parameters of how the device status appears. In the Devices column, you can also choose which columns to show or hide.

The following procedure describes how to show or hide the device status for jailbroken or rooted, Secure Mobile Gateway, and Device Manager management statuses.

  1. In Device Manager, click Options.
  2. In the Options dialog box, click General.
  3. Under General Parameters, you can click to enable or disable the following statuses:
    • Highlight "Jailbroken/Rooted" column
    • Highlight "SMG Status" column
    • Highlight "Managed" column
    • Enable device triangulation
    • Enable WebEAS for iOS

Adding or removing device status columns

  1. Click the Devices tab.
  2. Click the arrow in a status column to show a list of the possible columns that you can display. Each selected item appears in the Devices table.
  3. Clear a check box to hide a status column.

Locking a Device Remotely

If the device is lost, but you are not sure it was stolen, you can remotely "lock" the device. To do so, select the device in Device Manager and then on the Security menu, click Lock.

For Android and Windows Mobile devices, the system will then generate a PIN code that will be set in the device if the user had not set a PIN code already. To access the device, the user will have to type that PIN code.

When the device is found again, you can remove the lock by using the Cancel the lock option.

Selectively Wiping a Device

You can perform a selective wipe in Device Manager if you only want to clear corporate data from the device while retaining personal information and selected settings. A selective wipe removes the mobile device management (MDM) profiles. All packages pushed by Device Manager to the device are also removed. The device can be re-enrolled at a future time.

Select the Selective Wipe command from the Devices tab > Security menu > Selective wipe. Select Cancel Wipe to undo the operation request.

Selective Wipe for iOS and Android Devices

Perform a selective wipe if you only want to clear corporate data from the device while retaining personal information and selected settings. The MDM profiles and all packages pushed by Device Manager to the handheld are removed. The device can be re-enrolled at a future time.

Note: Selectively wiping an Android device does not completely disconnect the device from Device Manager and a user's corporate network. To break the connection between the device and the corporate network, you also need to revoke the Android device.

Selective Wipe for Windows 8 Devices

When you perform a selective wipe on a Windows 8 device from Device Manager, it removes all contents from the currently logged-on user’s profile folder.

Selective Wipe for Windows Phone 8 Devices

When you selectively wipe a Windows Phone 8 device using Device Manager, the following is removed from the device:

  • The enterprise token that allows apps to be installed on the device by Device Manager.
  • All Device Manager certificates.
  • All Device Manager configurations that have been deployed to the device.

Requesting a Full Wipe for a Device

If a device is stolen or lost, you can send a request to erase all data on the device. For Android devices, you can also choose to include any memory cards.

To fully wipe a device, from the Devices tab inside the XenMobile Device Manager web console, select Security > Full Wipe.
Note: Erasing a device may not complete in full if the "current holder" of the device has time to turn the device off before the content of the memory card is completely deleted. As such, they may still have access to data on the device.

If the device is retrieved before the wipe has been carried out, you can cancel the wipe command by selecting the Cancel wipe menu item.

For Android devices, you can choose to wipe only the device, which removes any internally stored data, or choose to wipe the device, plus any externally connected storage data (memory cards).

For Windows Phone 8 Devices, a full wipe removes all MDM information plus all user data, including all personal content such as apps, emails, contacts, and media files.

For Windows Mobile devices that are not running Windows Mobile 6 or later, after wiping, it may be required to send the device back to the manufacturer to reload the original operating system and/or software.

Tagging User Devices Automatically

You can tag your users' devices as either corporate-owned or employee-owned to keep track of your company's Bring Your Own Device (BYOD) program, either automatically with a script, or manually by using the Device Manager web console. To enable employee and corporate device tagging, you need to download PHP for Windows, add device IDs to a CSV file, and execute the given XenMobile scripts that automate the device tagging process. After setting up device tagging, you schedule the script as a repeating Windows task that runs every minute.
Note: For on-premise deployments, the tagDevices.php script is located at C:\Program Files (x86)\Citrix\XenMobile Device Manager\samples\WebServices.

Setting up device tagging

  1. In a browser, go to the Windows PHP download site at http://windows.php.net/download/.
  2. Download the installer package named php 5.3 (VC9 x86 Thread Safe) (2012-Feb-02 21:56:19).
  3. Install the package on your local system at c:\php5.
  4. Copy the two files named tagDevice.php and devices.csv to c:\temp (this PHP script is host, location and platform agnostic).
  5. Open the tagDevice.php file in a text editor and replace the default information (highlighted) with the following parameters:
    • For an on-site Device Manager implementation:
      $soap_url = "<servername>/zdm/services/EveryWanDevice?wsdl";
      $client = new SoapClient(null, array( 
      'location' => $soap_url, 
      'url' => "<servername>", 
      'login' => "demo", 
      'password'=> "XXXXX")); 
      For example:
      $soap_url = "mdm.zenprise.com/zdm/services/EveryWanDevice?wsdl";
      $client = new SoapClient(null, array( 
      'location' => $soap_url, 
      'url' => "mdm.zenprise.com", 
      'login' => "demo", 
      'password'=> "XXXXX")); 

      where mdm.zenprise.com is the name of the Device Manager server and zdm is the Device Manager instance name.

    • For a cloud deployment implementation:
      $soap_url = "<instance>.zc.zenprise.com/<instance>/services/EveryWanDevice?wsdl"; 
      $client = new SoapClient(null, array( 
      'location' => $soap_url, 
      'url' => "<instance>.zc.zenprise.com", 
      'login' => "demo", 
      'password'=> "XXXXX")); 
      For example:
       
      $soap_url = "abc.zc.zenprise.com/abc/services/EveryWanDevice?wsdl"; 
      $client = new SoapClient(null, array( 
      'location' => $soap_url, 
      'url' => "abc.zc.zenprise.com", 
      'login' => "demo", 
      'password'=> "XXXXX")); 
      
  6. Edit the devices.csv file and add the serial numbers of all corporate devices, on separate lines.
  7. Open a DOS command prompt, cd to c:\temp, and run tagDevice.php as follows:
    c:\temp>c:\php5\php.exe tagDevice.php 
    device:7R043870A4S is a personal asset 
    device:82835PLWY7K is a personal asset 
    device:88025X9PA4T is a personal asset 
    device:880277VSA4S is a personal asset 
    device:99000052027603 is a personal asset 
    device:A1000013555FD9 is a personal asset 
    device:A10000138B2613 is a personal asset 
    device:A1000017B0A311 is a personal asset 
    device:C329030326CC33E is a corporate asset 
    device:GB0262YCETV is a personal asset 
    device:GB0289L3ETV is a personal asset 
    c:\temp>

To configure a device tagging script to run as a repeating task

  1. Create a file named tagDevice.cmd under c:\temp (where you previously had copied tagDevice.php and devices.csv) and add the following line: cd c:\temp && c:\php5\php.exe tagDevice.php
  2. Create an MS Scheduled task to execute this command once every minute (/SC MINUTE /MO 1). For example: c:\> schtasks /create /SC MINUTE /MO 1 /TN tagDevice /TR c:\temp\tagDevice.cmd
  3. Query the tasks to verify that it exists by executing the following command: c:\> schtasks /query /TN tagDevice
  4. To delete the task, execute this command: c:\> schtasks /delete /TN tagDevice

Tagging User Devices Manually

There are three ways you can manually tag a device:
  • Tag the device during the invitation-based enrollment process (iOS-only).
  • Tag the device during the Self Help Portal enrollment process.
  • Tag the device by adding device ownership as a device property (any device).

When you enroll an iOS device, you have the option of tagging the device as either corporate- or employee-owned. When using the Self Help Portal to self-enroll a device, you can also tag the device as either corporate- or employee-owned. You can also tag a device manually by adding a property to the device from the Devices tab in Device Manager, creating the property named Device Ownership and choosing either Corporate or Employee.