Product Documentation

Known Issues

Mar 25, 2015

The following are known issues for XenMobile in Version 8.6.1.

Worx Apps

  1. When you configure a WiFi policy in Device Manager and users try to connect on a Samsung SAFE device, an authentication error occurs unless users manually edit and save the setting. [#430721]
  2. When split tunneling is enabled, single sign-on (SSO) through Secure Browse in WorxWeb is not supported on Android devices. [#431158]
  3. After users upgrade to Worx Home 8.6, the Worx Home app occasionally reports incorrectly that the Android device is rooted. [#431611]
  4. When users try to open Worx Home on an Android 2.3 device and are prompted for their Worx PIN, the keyboard does not appear. [#433599]

The following are known issues for XenMobile in Version 8.6.

MDX Toolkit

  1. On Android devices, the camera freezes while capturing video for upload and the user must tap the back button to exit the frozen camera. To enable video capture from a MDX-wrapped app, set the Block mic record policy to Off. [#539024]
  2. To wrap apps for Android Version 4.3, you need to install the Java Development Kit (JDK) 1.7. You can download the JDK from Java SE Development Kit 7 Downloads on the Oracle web site. The instructions for installing the JDK on Mac OS X are on the ComputechTips web site.
  3. If you upload a wrapped iOS app two times in App Controller with different file names, when users subscribe to both apps and then delete on instance of the app from their device, the title shows as "GoogleGoogle." Do not upload the same app with different names to App Controller. [#317912, #321386, #323986, #324436]
  4. If you download an application from the Apple App Store, attempts to wrap the app fail. Wrapping apps from the App Store is not permitted. [#320969]
  5. When you upload a wrapped app to App Controller and set the Maximum OS version in the Mobile App Details dialog box, App Controller allows users with a new version to start the app. You must set the maximum OS version when you wrap the app. [#321389]
  6. When you have a wrapped Office2HD app in App Controller with the same application ID as an unwrapped Office2HD app, and you configure the Document exchange (Open In) policy for a WorkMail app as Restricted, when users open a .docx attachment, an unwrapped Office2HD from the App Store appears as an Open In option when only wrapped MDX apps should appear. [#328877]
  7. For this release, using the MDX Toolkit for Microsoft Office Suite is not supported. [#341800]
  8. The MDX Toolkit incorrectly allows the entry of the ampersand (&) character when completing the Minimum and Maximum OS versions. As a result, if you enter an ampersand in the operating system versions for an app, no apps appear in Receiver, including the app that you configured. [#342359]
  9. If you set the block screen policy to On to prevent users from taking screen shots on their Android device, some mobile apps continue to allow users to take screen shots. These apps use the Adobe AIR platform. Preventing screen shots in these apps does not work. [#357240]
  10. Some mobile apps require certificate checks when users start the app. If you wrap an app that requires a certificate check, the app might not start on the user device. [#357368]
  11. App wrapping technology is limited to standard Android applications that are written by using the Android Java SDK. Wrapping, code interception, and data containment do not support or attempt to modify “native code” (low-level code) within the application. Although it is possible that some applications make use of native code, not many do so. This may impact the capability of being able to restrict certain application functionality by using data containment policies. [#357811, #362211, #362749, #362750]
  12. If a mobile app stores data or documents outside the application data area, when you erase the device, the data or documents are not erased. [#358803]
  13. App wrapping technology and data containment technology are limited to intercepting inside the main application’s Dalvik Executable (DEX) file. DEX files are compiled Android Java code that run on the Android operating system. Code that resides outside the main DEX file is not intercepted during wrapping. This may limit the ability to restrict certain application functionality by using data containment policies. [#361404]
  14. On an Android device, when you configure the Initial VPN mode policy as Secure browse, when users start WorxWeb and do not use the app for approximately 30 minutes or longer and the app times out, when they try to open the app again, the home page does not load and a "page not available" error appears. [#428381]
  15. When users try to log on to WorxWeb with an Android device and authenticate through NetScaler Gateway, when you set a policy to require users to log on each time the app opens, the maximum number of attempts they can make is the default of five and a message appears, regardless of the policy you set in App Controller. [#424846]
  16. Occasionally, when users try to log on through Worx Home to a Worx-enabled app and the Android device uses a client certificate for authentication, Worx Home fails. [#428489]
  17. If you edit the Require internal network policy for Android apps to On, when the Android device is connected to the network, if users log off from Worx Home and then change their device to Airplane mode or turn WiFi off, if they try to open an app, users are prompted to log on to the network and the app does not open. [#428540]

App Controller

Important Notes

  1. When you add users to Active Directory, you must enter the first and last name in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.
  2. User account requests by using the workflow template with the App Controller workflow feature is not supported for users who connect with Receiver for Web.
  3. User account requests by using the subscription workflow template with the App Controller workflow feature is not supported on Receiver for Mac 11.4. Users need to upgrade to Receiver for Mac 11.6 or 11.7.
  4. The internal URL redirection feature, in which Receiver checks a keyword to determine if the URL requires a connection with the NetScaler Gateway Plug-in, is not available with Receiver for Web. The feature is supported only with Receiver for Windows Versions 3.1, 3.2, 3.3, or 3.4.
  5. If you configure proxy servers to use both HTTP and HTTPS, App Controller uses the secure proxy server for all application connectors. If you configure only HTTP, or only HTTPS, App Controller uses the configured proxy server for all application connectors.
  6. App Controller contains the management console. To open the management console, in a Web browser, enter https://<App ControllerFQDN>:4443/ControlPoint where <App Controller FQDN> is the fully qualified domain name (FQDN) or IP address of App Controller. The default user name is administrator and the password is password.

App Controller Known Issues

  1. After you import a server certificate with the .pem format that contains the root certificates in the chain, only the server certificate uploads successfully. The issue does not occur with the .pfx format. [#411328]
  2. If you use the management console to configure App Controller log transfers instead of using the command-line console, in Remote directory, you must specify the home directory of the user on the SSH server. [#412802]
  3. When you take a snapshot of the App Controller configuration, if you configure a new instance of App Controller with a different IP address and host name, and then if you import the snapshot and select the Configuring only restore check box, after restarting App Controller, the host name from the snapshot is restored in error. To return to the original host name, install the correct certificates.[#418002]
  4. When users try to open Box through single sign-on (SSO) from Worx Home, SSO fails. To enable SSO to work in subsequent logons, users must select the View Full Site option in the app. [#418547]
  5. When users log on with Receiver for Web by using their user name and password and an invalid domain, such as awswsws\ctx3, they can log on successfully. User authentication occurs with the configured domain and not the user-provided domain. If you configure multiple Active Directory domains, you should allow users to log on by using the user principal name (UPN) format, such as [#418608]
  6. When users log on with the NetScaler Gateway Plug-in and try to open the Office365_SAML app, SSO fails and users must enter their credentials. [#419290]
  7. When users upgrade to App Controller 2.9, and view Beacons on the management console Settings panel by using Internet Explorer, the Default store view option does not appear. Citrix recommends logging off and then clearing the browser cache. [#423495]
  8. When users try to open CentralDesktop through SSO from Worx Home, SSO fails and users must enter their credentials. To enable SSO work for subsequent logons, when users log on, they must select the Switch to Full Site option in the account settings for the app. [#424338]
  9. SSO for the Groupon app does not work when users try to open the app from Worx Home. The following error appears: "Oops! That page doesn't exist." To enable SSO to work for subsequent logons, users must select Switch to non-mobile version in the app. [#424341]
  10. When users try to open ShareFile through SSO from Worx Home, SSO fails and users must close and then reopen the app to enable SSO to work for future logons. [#424579]
  11. After you upgrade to App Controller 2.9, in a high availability configuration, occasionally the secondary node restarts and changes to recovery mode. Citrix recommends that you upgrade the primary node to App Controller 2.9, and then install a new virtual image of App Controller 2.9 on your hypervisor and join the node to the primary node. [#428132]

Device Manager

Important Note

  • To increase security in Worx Home on Android devices, the end user password is no longer cached after enrollment. Consequently, you should not use the %EWPASSWORD% macro in device policy definitions. If you used that macro to prepopulate the password field of an ActiveSync configuration policy, for instance, you should edit the policy and remove the password macro. You can replace this type of configuration with a certificate-based authentication to Exchange.
  1. There is a known issue in iOS7 related to launching iOS apps from a web app in full screen mode. If you are using iOS7 and Apple new Volume Purchase Program, do not configure the store webclip to be in full screen mode. To do that, in XenMobile Device Manager, open the iOS Policy called "MyAppStore" and clear the Full Screen check box. [#424876]
  2. Amazon does not support “restrict profiles” in this XenMobile 8.6. This affects the Amazon Kindle version of Worx Home. [#424930]
  3. If you are using Cisco AnyConnect with XenMobile, the following file has a security breach caused by a bug in Cisco's code. For more information, contact Cisco. [#421038] File name:
    • com/cisco/anyconnect/vpn/android/service/helpers/uri/ 384
  4. The Super Admin in Device Manager Role Based Access Control (RBAC) will lose super admin status when upgrading to XenMobile 8.6. There is no loss of functionality but the privileges checkbox for super admin becomes cleared after upgrade. To fix, in the Device Manager web console, click Options, and in the RBAC section, reassign the privileges for the super admin role. [#428009]

XenMobile Mail Manager

  1. XenMobile Mail Manager (XMM) can only allow\block by ActiveSyncDeviceId or user. It is the responsibility the XenMobile Device Manager (XDM) device agent to properly detect the ActiveSyncDeviceId on a given device and to report it to Device Manager so that Device Manager can then deliver it to XMM as policy. There are some devices for which the device agent can't detect the ActiveSyncDeviceId, in which case Device Manager must, if the device is to be allowed, sent policy to XMM that allows the user (all devices of the user). This can be mitigated by installing Touchdown on the device because the Device Agent can detect the ActiveSyncDeviceId of Touchdown.

Worx Apps

  1. In Worx Home on iOS, if you re-enroll, all the Citrix MDM configuration profile should be removed from the device. This is a known issue in the XenMobile 8.6 release. To remove the profile on your iOS device, manually delete the MDM configuration profile by going to Settings > General > Profiles. [#423535]
  2. Devices running Android versions 4.3 and 4.4 are having some compatibility issues with Worx Home 8.6.