Add apps

Nov 01, 2017

Important

The MDX 10.7.5 release is the final release that supports the wrapping of XenMobile Apps. You cannot use the MDX Toolkit or the MDX Service 10.7.10 and later to wrap 10.7.5 or later versions of the XenMobile Apps. You must access XenMobile Apps from the public app stores.

You add apps to XenMobile for management. You add the apps to the XenMobile console, where you can then arrange the apps in categories and deploy the apps to users.

You can add the following types of apps to XenMobile:

  • MDX. These apps are wrapped with the MDX Toolkit. You deploy MDX apps that you get from internal and public stores.
  • Public App Store. These apps include free or paid apps available in a public app store, such as iTunes or Google Play. For example, GoToMeeting.
  • Web and SaaS. These apps include apps accessed from an internal network (web apps) or over a public network (SaaS). You can create your own apps, or choose from a set of app connectors for single sign-on authentication to existing Web apps. For example, GoogleApps_SAML.
  • Enterprise. These apps are native apps that are not wrapped with the MDX Toolkit and do not contain the policies associated with MDX apps.
  • Web Link. These apps are Web addresses (URLs) to public or private sites, or to web apps that don't require single sign-on.

Note

Citrix supports the silent installation of iOS and Samsung Android apps. Silent installation means that users are not prompted to install apps that you deploy to the device. The apps install silently in the background.

Prerequisites to implement silent installation:

How Mobile and MDX Apps Work

XenMobile supports iOS, Android, and Windows apps, including XenMobile Apps, such as Secure Hub, Secure Mail and Secure Web, and the use of MDX policies. Using the XenMobile console, you can upload apps and then deliver the apps to user devices. In addition to the XenMobile Apps, you can add the following types of apps:

  • Apps you develop for your users.
  • Apps in which you want to allow or restrict device features by using MDX policies.

To distribute XenMobile Apps for iOS and Android, follow these general steps:

1. Download the public-store MDX files from https://www.citrix.com/downloads/xenmobile/product-software/xenmobile-enterprise-edition-worx-apps-and-mdx-toolkit.html

2. Upload those files to the XenMobile console (Configure > Apps), updating MDX policies as needed.

3. Upload the MDX files to the public app stores. For more information, see Add an MDX app in this article.

To distribute XenMobile Apps for Windows, follow these general steps:

1. Download the app files from Citrix.

2. Wrap the app files using the MDX Toolkit.

3. Upload the wrapped apps to the XenMobile console, modifying the MDX policies as needed.

4. Deliver the apps to user devices through delivery groups. For details, see Public App Store Delivery of XenMobile Apps in the XenMobile Apps documentation.

The MDX Toolkit wraps apps for iOS, Android, and Windows devices with Citrix logic and policies. The tool can securely wrap an app that was created within your organization or an app created outside the company.

About required and optional apps

When you add apps to a delivery group, you choose whether they are optional or required. For apps marked as required, users can promptly receive updates in situations such as:

  • You upload a new app and mark it as required.
  • You mark an existing app as required.
  • A user deletes a required app.
  • A Secure Hub update is available.

Requirements for forced deployment of required apps

  • XenMobile Server 10.6 (minimum version)
  • Secure Hub 10.5.15 for iOS and 10.5.20 for Android (minimum versions)
  • MDX Toolkit 10.6 (minimum version)
  • Custom server property, force.server.push.required.apps

The forced deployment of required apps is disabled by default. To enable the feature, create a Custom Key server property. Set the Key and Display name to force.server.push.required.apps and set the Value to true.

  • After you upgrade XenMobile Server and Secure Hub: Users with enrolled devices must sign off and then sign on to Secure Hub, one time, to obtain the required app deployment updates.

Examples

The following examples show the sequence of adding the Secure Tasks app to a delivery group and then deploying the delivery group.

After the sample app, Secure Tasks, deploys to the user device, Secure Hub prompts the user to install the app.

Important

MDX-enabled required apps, including enterprise apps and public app store apps, upgrade immediately, even if you configure an MDX policy for an app update grace period and the user chooses to upgrade the app later.

iOS required app workflow for enterprise and public store apps

  1. Deploy the XenMobile App during initial enrollment. The required app is installed on the device.
  2. Update the app on the XenMobile console.
  3. Use the XenMobile console to deploy required apps.
  4. The app on the home screen is updated. And, for public store apps, the upgrade starts automatically. Users are not prompted to update.
  5. Users open the app from the home screen. Apps upgrade immediately even if you set an App update grace period and the user taps to upgrade the app later.

Android required app workflow for enterprise apps

  1. Deploy the XenMobile App during initial enrollment. The required app is installed on the device.
  2. Use the XenMobile console to deploy required apps.
  3. The app is upgraded. (Nexus devices prompt for install updates, but Samsung devices do a silent install.)
  4. Users open the app from the home screen. Apps upgrade immediately even if you set an App update grace period and the user taps to upgrade the app later. (Samsung devices do a silent install.)

Android required app workflow for public store apps

  1. Deploy XenMobile App during initial enrollment. The required app is installed on the device.
  2. Update the app on the XenMobile console.
  3. Use the XenMobile console to deploy required apps. Or, open the Secure Hub Store on the device. The update icon appears in the store.
  4. App upgrade starts automatically. (Nexus devices prompt users to install the update.)
  5. Open the app on the home screen. The app is upgraded. Users are not prompted for a grace period. (Samsung devices do a silent install.)

How Web and SaaS Apps Work

XenMobile comes with a set of application connectors, which are templates that you can configure for single sign-on to web and SaaS apps. Sometimes you can configure the templates for user account creation and management. XenMobile includes Security Assertion Markup Language (SAML) connectors. SAML connectors are used for web applications that support the SAML protocol for SSO and user account management. XenMobile supports SAML 1.1 and SAML 2.0.

You can also build your own enterprise SAML connectors.

For more information, see Add a Web or SaaS app in this article.

How Enterprise Apps Work

Enterprise applications typically reside in your internal network. Users can connect to the apps by using Secure Hub. When you add an enterprise app, XenMobile creates the app connector for it. For more information, see Add an enterprise app in this article.

How the Public App Store Works

You can configure settings to retrieve app names and descriptions from the Apple App Store, Google Play, and the Windows Store. When you retrieve the app information from the store, XenMobile overwrites the existing name and description. For more information, see Add a public app store app in this article.

How Web Links Work

A web link is a web address to an internet or intranet site. A web link can also point to a web application that doesn't require SSO. When you finish configuring a web link, the link appears as an icon in the XenMobile Store. When users log on with Secure Hub, the link appears with the list of available apps and desktops. For more information, see Add a Web Link app in this article.

Add an MDX app

When you receive a wrapped MDX mobile app for an iOS, Android, or Windows Phone device, you can upload the app to XenMobile. After you upload the app, you can configure app details and policy settings. For more information about the app policies that are available for each device platform type, see MDX Policies at a Glance. Detailed policy descriptions are also in that section.

1. In the XenMobile console, click Configure > Apps. The Apps page appears.

2. Click Add. The Add App dialog box appears.

3. Click MDX. The MDX App Information page appears.

4. On the App Information pane, type the following information:

  • Name: Type a descriptive name for the app. The name appears under App Name on the Apps table.
  • Description: Type an optional description of the app.
  • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see Create app categories.

5. Click Next. The App Platforms page appears.

6. Under Platforms, select the platforms you want to add. If you are only configuring for one platform, clear the others.

When you finish configuring the settings for a platform, see Step 11 for how to set the platform deployment rules.

7. Select an MDX file to upload by clicking Upload and navigating to the file location.

  • If you are adding an iOS VPP B2B app, click Your application is a VPP B2B application?. Then, in the list, click the B2B VPP account to use.

8. Click Next. The app details page appears.

9. Configure these settings:

  • File name: Type the file name associated with the app.
  • App Description: Type a description for the app.
  • App version: Optionally, type the app version number.
  • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
  • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
  • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  • Remove app if MDM profile is removed: Select whether to remove the app from a device when the MDM profile is removed. The default is ON.
  • Prevent app data backup: Select whether to prevent users from backing up app data. The default is ON.
  • Force app to be managed: Select whether, when the app is installed unmanaged, to prompt users to allow the app to be managed on unsupervised devices. The default is ON. Available in iOS 9.0 and later.
  • App deployed via VPP: Select whether to deploy the app by using VPP. If ON, and you deploy an MDX version of the app and use VPP to deploy the app, Secure Hub shows only the VPP instance. Default is OFF.

10. Configure the MDX Policies. MDX policies vary by platform and include options for such policy areas as Authentication, Device Security, Encryption, App Interaction, and App Restrictions. In the console, each of the policies has a tooltip that describes the policy.

For more information about app policies for MDX apps, see MDX Policies at a Glance. That article includes a table showing which policies apply to each platform.

11. Configure the deployment rules. For information, see Deploy resources.

12. Expand XenMobile Store Configuration.

Optionally, you can add an FAQ for the app or screen captures that appear in the XenMobile Store. You can also set whether users can rate or comment on the app.

  • Configure these settings:
    • App FAQ: Add FAQ questions and answers for the app.
    • App screenshots: Add screen captures to help classify the app in the XenMobile Store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
    • Allow app ratings: Select whether to permit a user to rate the app. The default is ON.
    • Allow app comments: Select whether to permit users to comment about the selected app. The default is ON.

13. Click Next. The Approvals page appears.

You use workflows when you need approval when creating user accounts. If you don't need to set up approval workflows, you can skip to Step 15.

Configure these settings if you need to assign or create a workflow:

  • Workflow to Use: In the list, click an existing workflow or click Create a new workflow. The default is None.
  • If you select Create a new workflow, configure these settings. For more information, see Create and manage workflows.
    • Name: Type a unique name for the workflow.
    • Description: Optionally, type a description for the workflow.
    • Email Approval Templates: In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in Active Directory.
    • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
      • To remove a person from the Selected additional required approvers list, do one of the following:
        • Click Search to see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then click Search to limit the search results.
        • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.

14. Click Next. The Delivery Group Assignment page appears.

15. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

16. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.

Note:

  • This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
  • The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

17. Click Save.

Create app categories

When users log on to Secure Hub, they receive a list of the apps, web links, and stores that you set up in XenMobile. You can use app categories to let users access only certain apps, stores, or web links. For example, you can create a Finance category and then add apps to the category that only pertain to finance. Or, you can configure a Sales category to which you assign sales apps.

You configure categories on the Apps page in the XenMobile console. Then, when you add or edit an app, web link, or store, you can add the app to one or more of the configured categories.

1. In the XenMobile console, click Configure > Apps. The Apps page appears.

2. Click Category. The Categories dialog box appears.

3. For each category you want to add, do the following:

  • Type the name of the category you want to add in the Add a new category field at the bottom of the dialog box. For example, you might type Enterprise Apps to create a category for enterprise apps.
  • Click the plus sign (+) to add the category. The newly created category is added and appears in the Categories dialog box.

4. When you're done adding categories, close the Categories dialog box.

5. On the Apps page, you can place an existing app into a new category.

  • Select the app you want to categorize.
  • Click Edit. The App Information page appears.
  • In the App category list, apply the new category by selecting the category check box. Clear the check boxes for any existing categories that you don't want to apply to the app.
  • Click the Delivery Groups Assignments tab or click Next on each of the following pages to step through the remaining app set-up pages.
  • Click Save on the Delivery Groups Assignments page to apply the new category. The new category is applied to the app and appears in the Apps table.

Add a public app store app

You can add free or paid apps to XenMobile that are available in a public app store, such as iTunes or Google Play. For example, GoToMeeting. Also, when you add a paid public app store app for Android for Work, you can review the Bulk Purchase licensing status. That status is the total number of licenses available, the number currently in use, and the email address of each user consuming the licenses. The Bulk Purchase plan for Android for Work simplifies the process of finding, buying, and distributing apps and other data in bulk for an organization.

1. In the XenMobile console, click Configure > Apps. The Apps page appears.

2. Click Add. The Add App dialog box appears.

3. Click Public App Store. The App Information page appears.

4. On the App Information pane, type the following information:

  • Name: Type a descriptive name for the app. This name appears under App Name on the Apps table.
  • Description: Type an optional description of the app.
  • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see Create app categories.

5. Click Next. The App Platforms page appears.

6. Under Platforms, select the platforms you want to add. If you are only configuring for one platform, clear the others.

When you finish configuring the settings for a platform, see Step 10 for how to set the platform deployment rules.

7. Select an app to add by typing the app name in the search box and clicking Search. Apps matching the search criteria appear. The following figure shows the result of searching for podio.

8. Click the app you want to add. The App Details fields are pre-populated with information related to the chosen app (including the name, description, version number, and associated image).

9. Configure these settings:

  • If necessary, change the name and description for the app.
  • Paid app: This field is preconfigured and cannot be changed.
  • Remove app if MDM profile is removed: Select whether to remove the app if the MDM profile is removed. The default is ON.
  • Prevent app data backup: Select whether to prevent the app from backing up data. The default is ON.
  • Force app to be managed: Select whether, when the app is installed unmanaged, to prompt users to allow the app to be managed on unsupervised devices. The default is OFF. Available in iOS 9.0 and later.
  • Force license to association to device: Select whether to associate an app that has been developed with device association enabled to a device rather than to a user. Available in iOS 9 and later. If the app you chose does not support assignment to a device, this field can't be changed.

10. Configure the deployment rules. For information, see Deploy resources.

11. Expand XenMobile Store Configuration.

Optionally, you can add an FAQ for the app or screen captures that appear in the XenMobile Store. You can also set whether users can rate or comment on the app.

  • Configure these settings:
    • App FAQ: Add FAQ questions and answers for the app.
    • App screenshots: Add screen captures to help classify the app in the XenMobile Store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
    • Allow app ratings: Select whether to permit a user to rate the app. The default is ON.
    • Allow app comments: Select whether to permit users to comment about the selected app.

12. Expand Volume Purchase Program or, for Android for Work, expand Bulk Purchase.

For the Volume Purchase Program, complete the following steps.

a. In the VPP license list, click Upload a VPP license file if you want to enable XenMobile to apply a VPP license for the app.

b. In the dialog box that appears, import the license.

For Android for Work Bulk Purchase, expand the Bulk Purchase section.

The License Assignment table shows the number of licenses in use for the app, out of the total licenses available.

For Android for Work, you can select a user and then click Disassociate to end their license assignment and free up a license for another user. You can only disassociate the license, however, if the user is not part of a delivery group that contains the specific app.

For Android for Work, you can disassociate a license only if the user is not part of a delivery group that contains the specific app.

For iOS, you can disassociate Volume Purchase Program licenses for an individual user, user groups, or for all assignments. Doing so ends the license assignments and frees licenses.

Clicking Disassociate groups opens a dialog box where you select groups.

13. After you complete the Volume Purchase Program or Bulk Purchase settings, click Next. The Approvals page appears.

You use workflows when you need approval when creating user accounts. If you don't need to set up approval workflows, you can skip to the next step.

Configure these settings if you need to assign or create a workflow:

  • Workflow to Use: In the list, click an existing workflow or click Create a new workflow. The default is None.
  • If you select Create a new workflow, configure these settings:
    • Name: Type a unique name for the workflow.
    • Description: Optionally, type a description for the workflow.
    • Email Approval Templates: In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in Active Directory.
    • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
      • To remove a person from the Selected additional required approvers list, do one of the following:
        • Click Search to see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then click Search to limit the search results.
        • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.

14. Click Next. The Delivery Group Assignment page appears.

15. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

16. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.

Note:

  • This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
  • The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

17. Click Save.

Add a Web or SaaS app

Using the XenMobile console, you can give users single sign-on (SSO) authorization to your mobile, enterprise, web, and SaaS apps. You can enable apps for SSO by using application connector templates. For a list of connector types available in XenMobile, see Application connector types. You can also build your own connector in XenMobile when you add a Web or SaaS app.

If an app is available for SSO only: After you save the settings, the app appears on the Apps tab in the XenMobile console.

1. In the XenMobile console, click Configure > Apps. The Apps page opens.

2. Click Add. The Add App dialog box appears.

3. Click Web & SaaS. The App Information page appears.

4. Configure an existing or new app connector, as follows.

To configure an existing app connector

In the App Information page, Choose from existing connectors is already selected, as shown above. Click the connector you want to use in the App Connectors list. The app connector information appears.

Configure these settings:

  • App name: Accept the pre-filled name or type a new name.
  • App description: Accept the pre-filled description or type one of your own.
  • URL: Accept the pre-filled URL or type the web address for the app. Depending on the connector you choose, this field may contain a placeholder that you must replace before you can move to the next page.
  • Domain name: If applicable, type the domain name of the app. This field is required.
  • App is hosted in internal network: Select whether the app is running on a server in your internal network. If users connect from a remote location to the internal app, they must connect through NetScaler Gateway. Setting this option to ON adds the VPN keyword to the app and allows users to connect through NetScaler Gateway. The default is OFF.
  • App category: In the list, click an optional category to apply to the app.
  • User account provisioning: Select whether to create user accounts for the application. If you use the Globoforce_SAML connector, you must enable this option to ensure seamless SSO integration.
  • If you enable User account provisioning, configure these settings:
    • Service Account
      • User name: Type the name of the app administrator. This field is required.
      • Password: Type the app administrator password. This field is required.
    • User Account
      • When user entitlement ends: In the list, click the action to take when users are no longer allowed access to the app. The default is Disable account. Possible options are:
        • Disable account
        • Keep account
        • Remove account
    • User Name Rule
      • For each user name rule you want to add, do the following:
        • User attributes: In the list, click the user attribute to add to the rule.
        • Length (characters): In the list, click the number of characters from the user attribute to use in the user name rule. The default is All.
        • Rule: Each user attribute you add is automatically appended to the user name rule.
  • Password Requirement
    • Length: Type the minimum user password length. The default is 8.
  • Password Expiration
    • Validity (days): Type the number of days the password is valid. Valid values are 0-90. The default is 90.
    • Automatically reset password after it expires: Select whether to reset the password automatically when it expires. The default is OFF. If you don't enable this field, users can't open the app after their passwords expire.

To configure a new app connector

In the App Information page, select Create a new connector. The app connector fields appear.

Configure these settings:

  • Name: Type a name for the connector. This field is required.
  • Description: Type a description for the connector. This field is required.
  • Logon URL: Type, or copy and paste, the URL where users log on to the site. For example, if the app you want to add has a logon page, open a web browser and go to the logon page for the app. For example, it might be http://www.example.com/logon. This field is required.
  • SAML version: Select either 1.1 or 2.0. The default is 1.1.
  • Entity ID: Type the identity for the SAML app.
  • Relay state URL: Type the web address for the SAML application. The relay state URL is the response URL from the app.
  • Name ID format: Select either Email Address or Unspecified. The default is Email Address.
  • ACS URL: Type the Assertion Consumer Service URL of the identity provider or service provider. The ACS URL gives users SSO capability.
  • Image: Select whether to use the default Citrix image or to upload your own app image. The default is Use default.
    • If you want to upload your own image, select it by clicking Browse and navigating to the file location. The file must be a .PNG file. You can't upload a JPEG or GIF file. When you add a custom graphic, you can't change it later.
    • When you're finished, click Add. The Details page appears.
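
The SAML version, Entity ID, ACS URL and Name ID format values for a new connector usually come from the app's SAML metadata. The following is an added example, not Citrix code: it assumes the app publishes service-provider metadata, and the sample document, host names and the `connector_fields` helper are constructed for illustration. It extracts the four values and flags settings worth checking before you type them into the form.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
SAML20 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML11 = "urn:oasis:names:tc:SAML:1.1:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# The connector form offers exactly two Name ID formats.
NAME_ID_CHOICES = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "Email Address",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
}

# Constructed sample metadata for a hypothetical service provider.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def connector_fields(metadata_xml: str) -> dict:
    """Return the connector form values found in SP metadata, plus warnings."""
    # Metadata is third-party input: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata containing a DTD is refused")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if not entity_id or sp is None:
        raise ValueError("not service-provider metadata")
    warnings = []

    # SAML version: the form accepts 1.1 or 2.0; prefer 2.0 when both are listed.
    protocols = sp.get("protocolSupportEnumeration", "").split()
    if SAML20 in protocols:
        version = "2.0"
    elif SAML11 in protocols:
        version = "1.1"
    else:
        raise ValueError("SP supports neither SAML 1.1 nor SAML 2.0")

    # ACS URL: prefer SAML 2.0 HTTP-POST endpoints, then the default, then lowest index.
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    candidates = [e for e in endpoints if e.get("Binding") == HTTP_POST] or endpoints
    if not candidates:
        raise ValueError("no AssertionConsumerService endpoint")
    acs = min(
        candidates,
        key=lambda e: (e.get("isDefault") not in ("true", "1"), int(e.get("index", "0"))),
    )
    acs_url = acs.get("Location", "")
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.netloc:
        warnings.append(f"ACS URL is not an absolute HTTPS URL: {acs_url!r}")

    # Name ID format: keep the console default when the SP states no preference.
    offered = [el.text.strip() for el in sp.findall("md:NameIDFormat", NS) if el.text]
    if not offered:
        name_id = "Email Address"
    else:
        name_id = next((NAME_ID_CHOICES[f] for f in offered if f in NAME_ID_CHOICES), None)
        if name_id is None:
            warnings.append("SP requests a Name ID format the connector form does not offer")

    return {
        "SAML version": version,
        "Entity ID": entity_id,
        "ACS URL": acs_url,
        "Name ID format": name_id,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for field, value in connector_fields(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```
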

5. Click Next. The App Policy page appears.

  • Configure these settings:
    • Device Security
      • Block jailbroken or rooted: Select whether to block jailbroken or rooted devices from accessing the app. The default is ON.
    • Network Requirements
      • WiFi required: Select whether a WiFi connection is required to run the app. The default is OFF.
      • Internal network required: Select whether an internal network is required to run the app. The default is OFF.
      • Internal WiFi networks: If you enabled WiFi required, type the internal WiFi networks to use.

6. Expand XenMobile Store Configuration.

Optionally, you can add an FAQ for the app or screen captures that appear in the XenMobile Store. You can also set whether users can rate or comment on the app.

  • Configure these settings:
    • App FAQ: Add FAQ questions and answers for the app.
    • App screenshots: Add screen captures to help classify the app in the XenMobile Store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
    • Allow app ratings: Select whether to permit a user to rate the app. The default is ON.
    • Allow app comments: Select whether to permit users to comment about the selected app. The default is ON.

7. Click Next. The Approvals page appears.

You use workflows when you need approval when creating user accounts. If you don't need to set up approval workflows, you can skip to Step 8.

Configure these settings if you need to assign or create a workflow:

  • Workflow to Use: In the list, click an existing workflow or click Create a new workflow. The default is None.
  • If you select Create a new workflow, configure these settings:
    • Name: Type a unique name for the workflow.
    • Description: Optionally, type a description for the workflow.
    • Email Approval Templates: In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in Active Directory.
    • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
      • To remove a person from the Selected additional required approvers list, do one of the following:
        • Click Search to see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then click Search to limit the search results.
        • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.

8. Click Next. The Delivery Group Assignment page appears.

9. Next to Choose delivery groups, type to find a delivery group or select a group or groups. The groups you select appear in the Delivery groups to receive app assignment list.

10. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.

Note:

  • This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
  • The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

11. Click Save.

Add an enterprise app

Enterprise apps in XenMobile represent native apps that are not wrapped with the MDX Toolkit and do not contain the policies associated with MDX apps. You can upload an enterprise app on the Apps tab in the XenMobile console. Enterprise apps support the following platforms (and corresponding file types):

  • iOS (.ipa file)
  • Android (.apk file)
  • Samsung KNOX (.apk file)
  • Android for Work (.apk file)
  • Windows Phone (.xap or .appx file)
  • Windows Tablet (.appx file)
  • Windows Mobile/CE (.cab file)
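
The platform and file-type pairs above can be checked before upload. The following is an added example, not part of the Citrix documentation or the XenMobile product: it rejects a file whose extension does not match the chosen platform or whose contents are not the expected container. The container markers (ZIP entries, the `MSCF` cabinet signature) are general format knowledge rather than something this page states, and the sample inputs are constructed.

```python
import io
import os
import zipfile

# Platform -> accepted upload extensions, copied from the list above.
ACCEPTED = {
    "iOS": {".ipa"},
    "Android": {".apk"},
    "Samsung KNOX": {".apk"},
    "Android for Work": {".apk"},
    "Windows Phone": {".xap", ".appx"},
    "Windows Tablet": {".appx"},
    "Windows Mobile/CE": {".cab"},
}

def _has_marker(ext, names):
    """Entry expected inside each ZIP-based package (format knowledge, not from the page)."""
    if ext == ".apk":
        return "AndroidManifest.xml" in names
    if ext == ".appx":
        return "AppxManifest.xml" in names
    if ext == ".ipa":
        return any(n.startswith("Payload/") and ".app/" in n for n in names)
    return True  # .xap: only checked for being a readable ZIP archive

def check_package(platform, filename, data):
    """Return a list of problems; an empty list means the file passes."""
    allowed = ACCEPTED.get(platform)
    if allowed is None:
        return [f"unknown platform: {platform}"]
    ext = os.path.splitext(filename)[1].lower()
    if ext not in allowed:
        return [f"{platform} accepts {sorted(allowed)}, got {ext or 'no extension'}"]
    if ext == ".cab":
        # Cabinet files start with the 4-byte signature "MSCF".
        return [] if data[:4] == b"MSCF" else ["missing MSCF cabinet signature"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return [f"{ext} content is not a ZIP archive"]
    if not _has_marker(ext, names):
        return [f"{ext} archive lacks its expected manifest or payload entry"]
    return []

def make_zip(*entries):
    """Build a constructed in-memory ZIP holding the given (empty) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

if __name__ == "__main__":
    apk = make_zip("AndroidManifest.xml")
    print(check_package("Android", "demo.apk", apk))
    print(check_package("iOS", "demo.apk", apk))
    # Constructed JPEG header renamed to .apk.
    print(check_package("Android", "photo.apk", b"\xff\xd8\xff\xe0" + b"\0" * 64))
```
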

1. In the XenMobile console, click Configure > Apps. The Apps page opens.

2. Click Add. The Add App dialog box appears.

3. Click Enterprise. The App Information page appears.

4. On the App Information pane, type the following information:

  • Name: Type a descriptive name for the app. This name is listed under App Name on the Apps table.
  • Description: Type an optional description of the app.
  • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see Create app categories.

5. Click Next. The App Platforms page appears.

6. Under Platforms, select the platforms you want to add. If you are only configuring for one platform, clear the others.

When you finish configuring the settings for a platform, see Step 10 for how to set the platform deployment rules.

7. For each platform you chose, select the file to upload by clicking Browse and navigating to the file location.

8. Click Next. The app information page for the platform appears.

9. Configure the settings for the platform type, such as:

  • File name: Optionally, type a new name for the app.
  • App description: Optionally, type a new description for the app.
  • App version: You can't change this field.
  • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
  • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
  • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  • Remove app if MDM profile is removed: Select whether to remove the app from a device when the MDM profile is removed. The default is ON.
  • Prevent app data backup: Select whether to prevent the app from backing up data. The default is ON.
  • Force app to be managed: If you are installing an unmanaged app, select ON if you want users on unsupervised devices to be prompted to allow management of the app. If they accept the prompt, the app is managed. This setting applies to iOS 9.x devices.

10. Configure the deployment rules. For information, see Deploy resources.

11. Expand XenMobile Store Configuration.

Optionally, you can add an FAQ for the app or screen captures that appear in the XenMobile Store. You can also set whether users can rate or comment on the app.

  • Configure these settings:
    • App FAQ: Add FAQ questions and answers for the app.
    • App screenshots: Add screen captures to help classify the app in the XenMobile Store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
    • Allow app ratings: Select whether to permit a user to rate the app. The default is ON.
    • Allow app comments: Select whether to permit users to comment about the selected app. The default is ON.

12. Click Next. The Approvals page appears.

Use workflows when creating user accounts requires approval. If you don't need to set up approval workflows, you can skip to Step 13.

Configure these settings if you need to assign or create a workflow:

  • Workflow to Use: In the list, click an existing workflow or click Create a new workflow. The default is None.
  • If you select Create a new workflow, configure these settings:
    • Name: Type a unique name for the workflow.
    • Description: Optionally, type a description for the workflow.
    • Email Approval Templates: In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in Active Directory.
    • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
      • To remove a person from the Selected additional required approvers list, do one of the following:
        • Click Search to see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then click Search to limit the search results.
        • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.

13. Click Next. The Delivery Group Assignment page appears.

14. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

15. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.

Note:

  • This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
  • The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

16. Click Save.

Add a Web link

In XenMobile, you can establish a web address (URL) to a public or private site, or to a web app that doesn't require single sign-on (SSO).

You can configure web links from the Apps tab in the XenMobile console. When you finish configuring the web link, the link appears as a link icon in the list in the Apps table. When users log on with Secure Hub, the link appears with the list of available apps and desktops.

To add the link, you provide the following information:

  • Name for the link
  • Description of the link
  • Web address (URL)
  • Category
  • Role
  • Image in .png format (optional)

1. In the XenMobile console, click Configure > Apps. The Apps page appears.

2. Click Add. The Add App dialog box appears.

3. Click Web Link. The App Information page appears.

4. Configure these settings:

  • App name: Accept the pre-filled name or type a new name.
  • App description: Accept the pre-filled description or type one of your own.
  • URL: Accept the pre-filled URL or type the web address for the app. Depending on the connector you choose, this field may contain a placeholder that you must replace before you can move to the next page.
  • App is hosted in internal network: Select whether the app is running on a server in your internal network. If users connect from a remote location to the internal app, they must connect through NetScaler Gateway. Setting this option to ON adds the VPN keyword to the app and allows users to connect through NetScaler Gateway. The default is OFF.
  • App category: In the list, click an optional category to apply to the app.
  • Image: Select whether to use the default Citrix image or to upload your own app image. The default is Use default.
    • If you want to upload your own image, select it by clicking Browse and navigating to the file location. The file must be a .PNG file. You can't upload a JPEG or GIF file. When you add a custom graphic, you can't change it later.

5. Expand XenMobile Store Configuration.

Optionally, you can add an FAQ for the app or screen captures that appear in the XenMobile Store. You can also set whether users can rate or comment on the app.

  • Configure these settings:
    • App FAQ: Add FAQ questions and answers for the app.
    • App screenshots: Add screen captures to help classify the app in the XenMobile Store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
    • Allow app ratings: Select whether to permit a user to rate the app. The default is ON.
    • Allow app comments: Select whether to permit users to comment about the selected app. The default is ON.

6. Click Next. The Delivery Group Assignment page appears.

7. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

8. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.

Note:

  • This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
  • The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

9. Click Save.

Enable Microsoft 365 apps

You can open the MDX container to allow Secure Mail, Secure Web, and ShareFile to transfer documents and data to Microsoft Office 365 apps. For details, see Allowing Secure Interaction with Office 365 Apps.

Create and manage workflows

You can use workflows to manage the creation and removal of user accounts. Before you can use a workflow, identify individuals in your organization who have the authority to approve user account requests. Then, you can use the workflow template to create and approve user account requests.

When you set up XenMobile for the first time, you configure workflow email settings, which must be set before you can use workflows. You can change workflow email settings at any time. These settings include the email server, port, email address, and whether the request to create the user account requires approval.

You can configure workflows in two places in XenMobile:

  • In the Workflows page in the XenMobile console. On the Workflows page, you can configure multiple workflows for use with app configurations. When you configure workflows on the Workflows page, you can select the workflow when you configure the app.
  • When you configure an application connector in the app, you provide a workflow name and then configure the individuals who can approve the user account request.

You can assign up to three levels for manager approval of user accounts. If you need other persons to approve the user account, you can search for and select persons by name or email address. When XenMobile finds the person, you then add them to the workflow. All individuals in the workflow receive emails to approve or deny the new user account.

1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

2. Click Workflows. The Workflows page appears.

3. Click Add. The Add Workflow page appears.

4. Configure these settings:

  • Name: Type a unique name for the workflow.
  • Description: Optionally, type a description for the workflow.
  • Email Approval Templates: In the list, select the email approval template to be assigned. You create email templates in the Notification Templates section under Settings in the XenMobile console. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
  • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
    • Not Needed
    • 1 level
    • 2 levels
    • 3 levels
  • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
  • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in Active Directory.
  • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
    • To remove a person from the Selected additional required approvers list, do one of the following:
      • Click Search to see a list of all the persons in the selected domain.
      • Type a full or partial name in the search box, and then click Search to limit the search results.
      • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.

5. Click Save. The created workflow appears on the Workflows page.

After you create the workflow, you can view the workflow details, view the apps associated with the workflow, or delete the workflow. You cannot edit a workflow after you create the workflow. If you need a workflow with different approval levels or approvers, you must create another workflow.

To view details and delete a workflow

1. On the Workflows page, select a workflow by clicking the row in the table or by selecting the check box next to the workflow.

2. To delete a workflow, click Delete. A confirmation dialog box appears. Click Delete again.

Important: You cannot undo this operation.