- What's new in XenMobile Server 10.8
- Fixed issues
- Known issues
- System requirements and compatibility
- Install and configure
- Certificates and authentication
- User accounts, roles, and enrollment
- ActiveSync Gateway
- Android for Work
- Bulk enrollment of iOS and macOS devices
- Client properties
- Deploy iOS and macOS devices through Apple DEP
- Device enrollment limit
- Enroll devices
- Firebase Cloud Messaging
- Google Play credentials
- Integrate with Apple Education features
- Network Access Control
- Samsung KNOX
- Security actions
- Shared devices
- XenMobile Autodiscovery Service
- Device policies by platform
- AirPlay mirroring device policy
- AirPrint device policy
- Android for Work app restriction policy
- Android for Work permissions
- APN device policy
- App access device policy
- App attributes device policy
- App configuration device policy
- App inventory device policy
- App lock device policy
- App network usage device policy
- Apps notifications device policy
- App restrictions device policy
- App tunneling device policy
- App uninstall device policy
- App uninstall restrictions device policy
- BitLocker device policy
- Browser device policy
- Calendar (CalDav) device policy
- Cellular device policy
- Connection manager device policy
- Connection scheduling device policy
- Contacts (CardDAV) device policy
- Control OS Updates device policy
- Copy Apps to Samsung Container device policy
- Credentials device policy
- Custom XML device policy
- Defender device policy
- Delete files and folders device policy
- Delete registry keys and values device policy
- Device Health Attestation device policy
- Device name device policy
- Education Configuration device policy
- Enterprise Hub device policy
- Exchange device policy
- Files device policy
- FileVault device policy
- Font device policy
- Home screen layout device policy
- Import iOS & macOS Profile device policy
- Kiosk device policy for Samsung SAFE
- Launcher configuration device policy for Android
- LDAP device policy
- Location device policy
- Mail device policy
- Managed domains device policy
- MDM options device policy
- Organization information device policy
- Passcode device policy
- Personal hotspot device policy
- Profile Removal device policy
- Provisioning profile device policy
- Provisioning profile removal device policy
- Proxy device policy
- Registry device policy
- Remote support device policy
- Restrictions device policy
- Roaming device policy
- Samsung MDM license key device policy
- Samsung SAFE firewall device policy
- SCEP device policy
- Siri and dictation policies
- SSO account device policy
- Storage encryption device policy
- Store device policy
- Subscribed calendars device policy
- Terms and conditions device policy
- VPN device policy
- Wallpaper device policy
- Web content filter device policy
- Webclip device policy
- WiFi device policy
- Windows CE certificate device policy
- Windows Information Protection device policy
- XenMobile options device policy
- XenMobile uninstall device policy
- Add apps
- Add media
- Deploy resources
- Automated actions
- Monitor and support
- REST APIs
- XenMobile Mail Manager 10.x
- XenMobile NetScaler Connector
- On-premises XenMobile interaction with Active Directory
- Management Modes
- Device Requirements
- Security and User Experience
- User Communities
- Email Strategy
- XenMobile Integration
- Multi-Site Requirements
- Integrating with NetScaler Gateway and NetScaler
- SSO and Proxy Considerations for MDX Apps
- Reference Architecture for On-Premises Deployments
- Server Properties
- Device and App Policies
- User Enrollment Options
- Tuning XenMobile Operations
- App Provisioning and Deprovisioning
- Dashboard-Based Operations
- Role-Based Access Control and XenMobile Support
- Systems Monitoring
- Disaster Recovery
- Citrix Support Process
- Sending group enrollment invitations in XenMobile
- Configuring an on-premises Device Health Attestation server
- Configuring certificate-based authentication with EWS for Secure Mail push notifications
App Provisioning and Deprovisioning
Application provisioning revolves around mobile app lifecycle management, which mainly consists of wrapping, configuring, delivering, and managing mobile apps within a XenMobile environment. In some instances, developing or modifying application code may also be part of the provisioning process. XenMobile is equipped with various tools and processes that you can use for app provisioning.
Before you read this article on app provisioning, it is recommended that you read the articles on Apps and User Communities. When you have finalized the type of apps your organization plans to deliver to users, you can then outline the process for managing the apps throughout their lifecycle.
Consider the following points when defining your app provisioning process:
App profiling: Your organization may start with a limited number of apps; however, the number of apps you manage could rapidly increase as user adoption rates increase and your environment grows. You should define specific app profiles right from the beginning in order to make app provisioning easy to manage. App profiling helps you categorize apps into logical groups from a nontechnical perspective. For example, you can create app profiles based on the following factors:
- Version: App version for tracking
- Instances: Multiple instances that are deployed for different set of users, for example, with different levels of access
- Platform: iOS, Android, or Windows
- Target Audience: Standard users, departments, C-level executives
- Ownership: Department that owns the app
- Type: MDX, Public, Web and SaaS, or Web links
- Upgrade Cycle: How often the app is upgraded
- Licensing: Licensing requirements and ownership
- MDX Policies: Wrapped or unwrapped with MDX security policies
- Network Access: Type of access, such as secure browse or full VPN
|Factor||Secure Mail||In-House||Epic Rover|
|Target Users||VIP Users||Physicians||Clinical Users||Clinical Users|
App versioning: Maintaining and tracking app versions is a critical part of the provisioning process. Versioning is usually transparent to users. They only receive notifications when a new version of the app is available for download. From your perspective, reviewing and testing each app version in a non-production capacity is also critical in order to avoid production impact.
It is also important to evaluate if a specific upgrade is actually required. App upgrades are usually of two types: One is a minor upgrade, such as a fix to a specific bug; the second is a major release, which introduces significant changes and improvements to the app. In either case, you should carefully review the release notes of the app to evaluate if the upgrade is necessary.
- App signing and wrapping: With XenMobile, you can use MDX policies with managed apps to secure the corporate data through app wrapping. For more information about the MDX Toolkit for app wrapping, see MDX Toolkit in the XenMobile documentation. The app provisioning process for a wrapped app is significantly different from the provisioning process for a standard non-wrapped app.
- App security: You define security requirements of individual apps or app profiles as part of the provisioning process. You can map security requirements to specific MDM or MAM policies prior to deploying the apps, which greatly simplifies and expedites app deployment. You may deploy certain apps differently, or you may need to make architectural changes to your XenMobile environment depending on the type of security compliance that the apps require. For example, you may want the device to be encrypted in order to allow the use of a critical business intelligence app, or a certain app may require end-to-end SSL encryption or geo-fencing.
- App delivery: XenMobile allows you to deliver apps as MDM apps or as MAM apps. The MDM apps appear in the XenMobile Store. This store allows you to conveniently deliver public or native apps to users without controlling the app apart from enforcing device level restrictions. On the other hand, the MAM mode of delivering apps allows full control over app delivery and over the app itself. Delivering the apps in MAM mode is more suitable in most cases in which you have an on-premises XenMobile deployment with app management requirements along with MDM. When you deliver apps in MAM mode, the mobile device must be enrolled either into XME (MDM+MAM) or MAM-only mode.
- Perform an initial audit: You should keep track of the app version that is present in your production environment, as well as the last upgrade cycle. Make note of specific features or bug fixes that required the upgrade to take place.
- Establish baselines: You should maintain a list of the latest stable release of each app. This app version should be fall back in case unexpected issues occur post upgrade. You should also develop a rollback plan. You should test app upgrades in a test environment prior to your production deployment; if possible, you should deploy the upgrade to a subset of production users first and then to the entire user base.
- Subscribe to Citrix software update notifications and any third-party software vendor notifications: This is critical in order to keep up to date with the latest release of the apps. In some cases, an early access release (EAR) build may also be available for testing ahead of time.
- Devise a strategy to notify users: You should define a strategy to notify users when app upgrades are available. Prepare users with training prior to deployment. You may send multiple notifications prior to updating the apps. Depending on the app, the best notification method might be email notifications or web sites.
App lifecycle management represents the completed lifecycle of an app from its initial deployment through the retirement of the app. The lifecycle of an app can be broken down into these five phases:
- Requirements for specifications: Start with business case and user requirements.
- Development: Validate that the app meets business needs.
- Testing: Identify test users, issues, and bugs.
- Deployment: Deploy the app to production users.
- Maintenance: Update app version. Deploy the app in a test environment before updating the app in a production environment.
- Requirements for specifications: As a security requirement, you require a mail app that is containerized and supports MDX security policies.
- Development: Validate that the app meets business needs. You must be able to apply MDX policy controls to the app.
- Testing: Assign Secure Mail to a test users group and deploy the corresponding MDX file from the XenMobile Server. The test users validate that they can successfully send and receive email, and have calendar and contact access. The test users also report issues and identify bugs. Based on the test users’ feedback you optimize Secure Mail configuration for production use.
- Deployment: When the testing phase is complete, you assign Secure Mail to production users and deploy the corresponding MDX file from XenMobile Server.
- Maintenance: A new update to Secure Mail is available. You download the new MDX file from Citrix downloads and replace the existing MDX file on the XenMobile Server. Instruct the users to perform the update. Note: Citrix recommends that you complete and test this process in a test environment before uploading the app to a XenMobile production environment and deploying the app to users.