XenMobile Server

Server properties

Server properties are global properties that apply to operations, users, and devices across an entire XenMobile instance. Citrix recommends that you evaluate for your environment the server properties covered in this article. Be sure to consult with Citrix before changing other server properties.

A change to some server properties requires a restart of each XenMobile Server node. XenMobile notifies you when a restart is required.

Some server properties help improve performance and stability. For details, see Tuning XenMobile Operations.

Deliver legacy Android apps to Android Enterprise devices: If afw.allow.legacy.apps is set to true, Android Enterprise devices receive both legacy Android apps and Android Enterprise apps. If false, Android Enterprise devices only receive Android Enterprise apps. The default is true.

Allow file extensions for the file policy: Configure file.extension.allowlist with a comma-separated list of file types that admins can upload using the Files device policy. The following file types can’t be uploaded even if you add them to this allow list:

  • .cab
  • .appx
  • .ipa
  • .apk
  • .xap
  • .mdx
  • .exe

The default value is 7z,rar,zip,csv,xls,xlsx,jad,jar,pdf,bmp,gif,jpg,png,pps,ppt,pptx,bsh,js,lua,mscr,pl,py,rb,sh,tcl,txt,htm,html,doc,docx,rtf,xap.

Access all apps in the managed Google Play store: If true, XenMobile makes all apps from the public Google Play store accessible from the managed Google Play store. Setting this property to true allows the public Google Play store apps for all Android Enterprise users. Administrators can then use the Restrictions device policy to control access to these apps. Defaults to false.

Android Enterprise work profile on corporate-owned devices enrollment: When afw.work_profile_for_corporate_owned_device.enrollment_mode.enabled is set to true, devices running Android 11 or later can enroll in the work profile on corporate-owned devices (WPCOD) mode. The XenMobile Server console reflects the changes for this enrollment mode. If set to false, no WPCOD settings are available. The default value is true.

Additional Android Enterprise restrictions settings: If the property afw.restriction.policy.v2 is set to true, the following restriction settings are available for Android Enterprise devices:

  • Allow app uninstall
  • Allow Bluetooth sharing

For more information about these settings, see Restrictions device policy.

Android Enterprise restrictions for COPE devices: Set afw.restriction.cope to true to enable the Apply to fully managed devices with a work profile/Work profile on corporate-owned devices setting in the restrictions device policy. The default is true. For more information about this setting, see Restrictions device policy.

Allow hostnames for iOS App Store links: Property ios.app.store.allowed.hostnames is a list of allowed host names used when uploading public app store apps to the server using the public APIs. If you plan on uploading public app store apps using the public APIs rather than uploading the apps through the server, configure this property. The default value is itunes.apple.com,vpp.itunes.apple.com,apps.apple.com.

Alternative APNs port: You can use port 2197 instead of port 443 to send and receive APNs notifications from api.push.apple.com. The port uses the HTTP/2-based APNs provider API. Set the property apns.http2.alternate.port.enabled to true to use port 2197. The default value of the server property apns.http2.alternate.port.enabled is false.

Enable password validation to prevent local users with weak passwords: If enable.password.strength.validation is set to true, you can’t add local users with a weak password. If set to false, you can create local users with a weak password. The default is true.

Block Enrollment of Rooted Android and Jailbroken iOS Devices: When this property is true, XenMobile blocks enrollments for rooted Android devices and jailbroken iOS devices. Default is true. Recommended setting is true for all security levels.

Enrollment required: wsapi.mdm.required.flag, which applies only when the XenMobile Server Mode is ENT, specifies whether you require users to enroll in MDM. The property applies to all users and devices for the XenMobile instance. Requiring enrollment provides a higher level of security. However, that decision depends on whether you want to require MDM. By default, enrollment is not required.

When this property is false, users can decline enrollment, but can still access apps on their devices through the XenMobile Store. When this property is true, any user who declines enrollment is denied access to any apps.

If you change this property after users enroll, the users must re-enroll.

For a discussion about whether to require MDM enrollment, see Device Management and MDM Enrollment.

Enable multimode enrollment: Property enable.multimode.xms allows you to create enrollment profiles on one XenMobile Server that controls enrollment settings for both device and app management for Android and iOS devices. Also, the new enhanced enrollment profiles feature enables enrollment of dedicated devices for Android and MAM-only enrollment for Android and iOS devices. When this property is false, those enrollment options aren’t available when setting up enrollment profiles. The default value is true. Devices that enroll when this property is true still work if you change the property to false.

Enable the Self-Help Portal: If shp.console.enable is false, it prevents access to the Self-Help Portal. Users who navigate to the Self-Help Portal on port 443 get a 404 error. Users who navigate to the portal on port 4443 get an “Access Denied” message. If true, provides access to the Self-Help Portal over port 443. Defaults to false.

Local user account lockout limit: Using the restriction policy, you can set a limit on sign-in attempts for Active Directory users. Use the key local.user.account.lockout.limit to do the same for local user accounts. After users try to sign in the number of times you specify, they can’t try again until an amount of time passes. Configure that time with the Local user account lockout time property. The default value is 6.

Local user account lockout time: Property local.user.account.lockout.time allows you to set some minutes that must pass before a locked out local user account can try to sign in again. The default value is 30 minutes.

Maximum size of file upload restriction enabled: Enable restricting the maximum file size for uploads setting max.file.size.upload.restriction to true. If you enable this restriction, configure the maximum file size using max.file.size.upload.allowed. The default value for this property is true.

Maximum size of file upload allowed: With max.file.size.upload.allowed, you can specify a maximum file size for any uploads. Example values include 500 B, 1 KB, 1 MB, 1 MiB, 1 G, or 1 GiB. The default value is 5 MB.

Inactivity Timeout in Minutes: The number of minutes after which XenMobile logs out an inactive user who used the XenMobile Server Public API to access the XenMobile console or any third-party app. A time-out value of 0 means that an inactive user stays logged in. For third-party apps that access the API, being logged in is typically necessary. Default is 5.

iOS Device Management Enrollment Install Root CA if Required: The latest enrollment workflow from Apple requires that users manually install the MDM profiles. That workflow doesn’t apply to MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, during manual enrollment in MDM, iOS device users receive only the MDM device certificate prompt during enrollment.

To provide a better user experience during manual enrollment, Citrix recommends changing the server property ios.mdm.enrollment.installRootCaIfRequired to False. The default value is True. With that change, a Safari window opens during MDM enrollment to simplify the profile installation for users.

VPP baseline interval: Property vpp.baseline sets the minimum interval that XenMobile reimports Volume purchase licenses from Apple. Refreshing license information makes sure that XenMobile reflects all changes, such as when you manually delete an imported app from Volume Purchase. By default, XenMobile refreshes the Volume Purchase license baseline a minimum of every 1440 minutes.

If you have many Volume Purchase licenses installed (for example, over 50,000), it is recommended that you increase the baseline interval to reduce the overhead of importing licenses. If you expect frequent Volume Purchase license changes from Apple, it is recommended that you lower the value to keep XenMobile updated with the changes. The minimum interval between the two baselines is 60 minutes. Because the cron job runs every 60 minutes, if the Volume Purchase baseline interval is 60 minutes, the interval between baselines can be delayed up to 119 minutes.

XenMobile MDM Self Help Portal console max inactive interval (minutes): This property name reflects the older XenMobile versions. The property controls the XenMobile console max inactive interval. That interval is the number of minutes after which XenMobile logs an inactive user out of the XenMobile console. A time-out of 0 means that an inactive user stays logged in. Default is 30.

Deprecated support for the Nexmo SMS gateway: Property deprecate.carrier.sms.gateway removes the support for the Nexmo SMS gateway, which is set to True by default. Nexmo SMS is also deprecated in the Self-Help Portal.

Deprecated support for the Mobile Service Provider (MSP) interface: Property deprecate.mobile.service.provider removes the MSP interface from the XenMobile Server console, which is set to True by default.

Deprecated support for the Windows Information Protection policy: As per the Windows announcement, XenMobile Server has deprecated support for Windows Information Protection (WIP). The server property windows.wip.deprecation removes the support for WIP, which is set to True by default.

Deprecated support for “Control Enterprise FOTA” field in the Control OS Update policy for Android Enterprise: If the property afw.disable.osupdate.efota is set to True, then the Control Enterprise FOTA field gets deprecated in the Control OS Update policy for Android Enterprise. The default value is set as True.

Support for Enterprise apps on macOS devices: If the property mac.app.push is set to True, the Enterprise apps are automatically installed when downloaded on devices running macOS. The default value is set to True.

Support for eSim on iOS devices: If the property ios.esim.support is set to True, then XenMobile Server gets the eSim information from the iOS devices and displays the eSim related device properties on the user interface.

Support for “Domain” field in the Wi-Fi policy for 802.1x settings for Android Enterprise: If the property afw.network.domain.support is set to True, then the Domain field gets added in the 802.1x settings for Android Enterprise.

Support for auto-update of optional apps in iOS: If the apple.ios.optional_app_update property is set as True, then the optional apps in iOS subscribed from the Citrix Secure Hub store also update automatically. The default value is set as False.

Device report enhancement for Total App Deployment Attempts and Top 100 Installed Apps: If the property device.report.enhancement.enabled is set to True, then two new columns Operating system version and Device model are added in Total App Deployment Attempts, and the new device report Top 100 Installed Apps is added to show top 100 apps installed for each platform.

Support for always-on VPN option in the VPN policy for Android Enterprise: if the property afw.policy.vpn_always_on_lockdown is set to True, then the Enable always-on VPN and Enable lockdown options are added in VPN policy for Android Enterprise platform. The default value is True.

Deprecated support for always-on VPN option in the option policy for Android Enterprise: Property afw.policy.hide_vpn_always_on removes the always-on VPN option from XenMobile Options policy in Android Enterprise platform. The default value is True.

Legacy MDX Deprecation Alert: If the property legacy.mdx.deprecation.alert is set to True, then an alert appears on XenMobile Server console if you have MDX apps with legacy MDX mode published. The default value is True.

Support for Firebase Cloud Messaging migrated to use new http v1 API: If the property afw.fcm.httpv1.migration is set to True, then you can use Firebase Cloud Messaging with new HTTP v1 API. The default value is False.

Server properties

In this article