- What's new in XenMobile Server 10.8
- Fixed issues
- Known issues
- System requirements and compatibility
- Install and configure
- Certificates and authentication
- User accounts, roles, and enrollment
- ActiveSync Gateway
- Android for Work
- Bulk enrollment of iOS and macOS devices
- Client properties
- Deploy iOS and macOS devices through Apple DEP
- Device enrollment limit
- Enroll devices
- Firebase Cloud Messaging
- Google Play credentials
- Integrate with Apple Education features
- Network Access Control
- Samsung KNOX
- Security actions
- Shared devices
- XenMobile Autodiscovery Service
- Device policies by platform
- AirPlay mirroring device policy
- AirPrint device policy
- Android for Work app restriction policy
- Android for Work permissions
- APN device policy
- App access device policy
- App attributes device policy
- App configuration device policy
- App inventory device policy
- App lock device policy
- App network usage device policy
- Apps notifications device policy
- App restrictions device policy
- App tunneling device policy
- App uninstall device policy
- App uninstall restrictions device policy
- BitLocker device policy
- Browser device policy
- Calendar (CalDav) device policy
- Cellular device policy
- Connection manager device policy
- Connection scheduling device policy
- Contacts (CardDAV) device policy
- Control OS Updates device policy
- Copy Apps to Samsung Container device policy
- Credentials device policy
- Custom XML device policy
- Defender device policy
- Delete files and folders device policy
- Delete registry keys and values device policy
- Device Health Attestation device policy
- Device name device policy
- Education Configuration device policy
- Enterprise Hub device policy
- Exchange device policy
- Files device policy
- FileVault device policy
- Font device policy
- Home screen layout device policy
- Import iOS & macOS Profile device policy
- Kiosk device policy for Samsung SAFE
- Launcher configuration device policy for Android
- LDAP device policy
- Location device policy
- Mail device policy
- Managed domains device policy
- MDM options device policy
- Organization information device policy
- Passcode device policy
- Personal hotspot device policy
- Profile Removal device policy
- Provisioning profile device policy
- Provisioning profile removal device policy
- Proxy device policy
- Registry device policy
- Remote support device policy
- Restrictions device policy
- Roaming device policy
- Samsung MDM license key device policy
- Samsung SAFE firewall device policy
- SCEP device policy
- Siri and dictation policies
- SSO account device policy
- Storage encryption device policy
- Store device policy
- Subscribed calendars device policy
- Terms and conditions device policy
- VPN device policy
- Wallpaper device policy
- Web content filter device policy
- Webclip device policy
- WiFi device policy
- Windows CE certificate device policy
- Windows Information Protection device policy
- XenMobile options device policy
- XenMobile uninstall device policy
- Add apps
- Add media
- Deploy resources
- Automated actions
- Monitor and support
- REST APIs
- XenMobile Mail Manager 10.x
- XenMobile NetScaler Connector
- On-premises XenMobile interaction with Active Directory
- Management Modes
- Device Requirements
- Security and User Experience
- User Communities
- Email Strategy
- XenMobile Integration
- Multi-Site Requirements
- Integrating with NetScaler Gateway and NetScaler
- SSO and Proxy Considerations for MDX Apps
- Reference Architecture for On-Premises Deployments
- Server Properties
- Device and App Policies
- User Enrollment Options
- Tuning XenMobile Operations
- App Provisioning and Deprovisioning
- Dashboard-Based Operations
- Role-Based Access Control and XenMobile Support
- Systems Monitoring
- Disaster Recovery
- Citrix Support Process
- Sending group enrollment invitations in XenMobile
- Configuring an on-premises Device Health Attestation server
- Configuring certificate-based authentication with EWS for Secure Mail push notifications
iOS Volume Purchase Program
You can manage iOS app licensing by using the Apple iOS Volume Purchase Program (VPP). The VPP solution simplifies the process to find, buy, and distribute apps and other data in bulk for an organization.
With VPP, you can use XenMobile to distribute public app store apps. VPP is not supported for XenMobile Apps or for apps wrapped by using the MDX Toolkit. Although you can distribute the XenMobile public store apps with VPP, the deployment is not optimal. Further enhancements to the XenMobile Server and the Secure Hub store are required to address the limitations. For a list of known issues with deploying the XenMobile public store apps via VPP and potential workarounds, see this article in the Citrix knowledge center.
With VPP, you can distribute the applicable apps directly to your devices. Or, you assign content to your users by using redeemable codes. You configure settings specific to the iOS VPP in XenMobile.
XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. Such changes include when you manually delete an imported app from VPP. By default, XenMobile refreshes the VPP license baseline a minimum of every 720 minutes. You can change the baseline interval through the server property, VPP baseline interval (vpp.baseline). For information, see Server properties.
This article focuses on using VPP with managed licenses, which enables you to use XenMobile to distribute apps. If you currently use redemption codes and want to change to managed distribution, see this Apple Support document: Migrate from redemption codes to managed distribution with the Volume Purchase Program.
For information about the iOS VPP, see http://www.apple.com/business/vpp/. To enroll in VPP, go to https://deploy.apple.com/qforms/open/register/index/avs. To access your VPP store in iTunes, go to https://vpp.itunes.apple.com/?l=en.
After you save these iOS VPP settings in XenMobile, the purchased apps appear on the Configure > Apps page in the XenMobile console.
In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
Under Platform, click iOS Settings. The iOS Settings configuration page appears.
Configure these settings:
- Store user password in Secure Hub: Select whether to store a user name and password in Secure Hub for XenMobile authentication. The default is to store the information by using this secure method.
- User property for VPP country mapping: Type a code to allow users to download apps from country-specific app stores.
XenMobile uses this mapping to choose the property pool of the VPP. For example, if the user property is United States, that user cannot download apps if the VPP code for the app is for the United Kingdom. Contact your VPP plan administrator for more information about the country mapping code.
For each VPP account you want to add, click Add. The Add VPP account dialog box appears.
Configure these settings for each account you add:
Note: If you use Apple Configurator 1, upload a license file: Go to Configure > Apps, go to a platform page, and then expand Volume Purchase Program.
- Name: Type the VPP account name.
- Suffix: Type the suffix to appear with the names of apps obtained through the VPP account. For example, if you enter VPP, the Secure Mail app appears in the apps list as Secure Mail - VPP.
- Company Token: Copy and paste the VPP service token obtained from Apple. To obtain the token: In the Account Summary page of the Apple VPP portal, click the Download button to generate and download the VPP file. The file contains the service token and other information, like the country code and expiry. Save the file in a secure location.
- User Login: Type an optional authorized VPP account administrator name used to import custom B2B apps.
- User Password: Type the VPP account administrator password.
Click Save to close the dialog box.
Click Save to save the iOS settings.
A message appears stating that XenMobile adds the apps to the list on the Configure > Apps page. On that page, notice that the app names from your VPP account include the suffix you provided in the preceding configuration.
You can now configure the VPP app settings and then tune your delivery group and device policy settings for VPP apps. After you complete those configurations, users can enroll their devices. The following notes provide considerations for those processes.
When configuring VPP app settings (Configure > Apps), enable Force license association to device. An advantage of using Apple VPP and DEP with supervised devices: The ability to use XenMobile to assign the app at the device (rather than user) level. As a result, you don’t have to use an Apple ID device. Also, users don’t receive an invitation to join the VPP program. Users can also download the apps without signing into their iTunes account.
To view the VPP info for that app, expand Volume Purchase Program. Notice in the VPP ID Assignment table, the license is associated with a device. The device serial number appears in the Associated Device column. If the user removes the token and then imports it again, the word Hidden appears instead of the serial number, due to Apple privacy restrictions.
To disassociate a license, click the row for the license and then click Disassociate.
If you associate VPP licenses with users, XenMobile integrates users into your VPP account and associates their iTunes ID with the VPP account. The iTunes ID of users is never visible to your company or to the XenMobile Server. Apple transparently creates the association to retain user privacy. You can retire a user from the VPP program, to disassociate all licenses from the user account. To retire a user, go to Manage > Devices.
- When you assign an app to a delivery group, by default XenMobile identifies the app as an optional app. To ensure that XenMobile deploys an app to devices, go to Configure > Delivery Groups. On the Apps page, move the app to the Required Apps list.
When an update for a public app store app is available: When VPP pushes the app, the app doesn’t automatically update on devices until you check for updates and apply them. To push an update for Secure Hub, when assigned to device and not to a user, do the following. In Configure > Apps, on a platform page, click Check for Updates and apply the update.
XenMobile displays a License Expiration Warning when Apple VPP tokens are nearing expiration or have expired.