To configure clustering, configure the following two load balancing virtual IP addresses on NetScaler.
- Mobile device management (MDM) load balancing virtual IP address: An MDM load balancing virtual IP address is required to communicate with the XenMobile nodes that are configured in a cluster. This load balancing is done in SSL Bridge mode.
- Mobile app management (MAM) load balancing virtual IP address: MAM load balancing virtual IP addresses are required for NetScaler Gateway to communicate with XenMobile nodes that are configured in a cluster. In XenMobile, by default, all traffic from NetScaler Gateway routes to the load balancing virtual IP address on port 8443.
The procedures in this article explain how to create a new XenMobile virtual machine (VM) and join the new VM to an existing VM. Those steps create a cluster setup.
- You have fully configured the required XenMobile node.
- Configure NTP on all cluster nodes and the XenMobile database. For clustering to work properly, all of those servers must have the same time.
- One public IP address for the MDM load balancer and one private IP address for MAM.
- Server certificates.
- One free IP address for the NetScaler Gateway virtual IP address.
- With XenMobile deployed in a cluster setup and in MDM-only or Enterprise mode (MDM+MAM): Modify your NetScaler load balancer configuration to use Source IP persistence for all NetScaler MDM load balancers, that is, virtual servers set up for ports 8443 and 443. Complete that configuration before user devices upgrade to iOS 11. For more information, see this Citrix Knowledge Center article: https://support.citrix.com/article/CTX227406.
- To install apps from the XenMobile Store on iOS 11 devices, you must enable port 80 on XenMobile Server.
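The following is an added example, not part of the original article or of any Citrix tooling: a Python check that reads saved NetScaler configuration text and flags load balancing virtual servers on the MDM virtual IP address (ports 443 and 8443) that are not in SSL Bridge mode with Source IP persistence. The sample configuration, the virtual server names, the addresses, and the `mdm_vip` parameter are constructed placeholders.

```python
import shlex

# Constructed ns.conf excerpt; vserver names and addresses are placeholders.
SAMPLE_NS_CONF = """\
add lb vserver xm_mdm_443 SSL_BRIDGE 203.0.113.10 443 -persistenceType SSLSESSION -cltTimeout 180
add lb vserver xm_mdm_8443 SSL_BRIDGE 203.0.113.10 8443 -persistenceType SOURCEIP -timeout 2
add lb vserver xm_mam_8443 SSL_BRIDGE 10.0.0.20 8443 -persistenceType NONE
add lb vserver intranet_web HTTP 10.0.0.30 80 -persistenceType COOKIEINSERT
"""

MDM_PORTS = {"443", "8443"}  # ports the article names for MDM load balancers


def parse_lb_vservers(conf_text):
    """Return one dict per 'add lb vserver' line, with its -option/value pairs."""
    vservers = []
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["add", "lb", "vserver"] or len(tok) < 7:
            continue
        name, svc_type, ip, port = tok[3:7]
        rest = tok[7:]
        opts = {k.lstrip("-"): v for k, v in zip(rest, rest[1:]) if k.startswith("-")}
        vservers.append({"name": name, "type": svc_type, "ip": ip, "port": port, "opts": opts})
    return vservers


def audit_mdm_persistence(conf_text, mdm_vip):
    """List (vserver, issue) pairs for vservers on mdm_vip (ports 443/8443)
    that are not in SSL Bridge mode with Source IP persistence."""
    findings = []
    for vs in parse_lb_vservers(conf_text):
        if vs["ip"] != mdm_vip or vs["port"] not in MDM_PORTS:
            continue
        if vs["type"] != "SSL_BRIDGE":
            findings.append((vs["name"], f"service type is {vs['type']}, expected SSL_BRIDGE"))
        persistence = vs["opts"].get("persistenceType", "NONE")  # absent option treated as NONE
        if persistence != "SOURCEIP":
            findings.append((vs["name"], f"persistenceType is {persistence}, expected SOURCEIP"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_mdm_persistence(SAMPLE_NS_CONF, "203.0.113.10"):
        print(f"{name}: {issue}")
```
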
For reference architectural diagrams for XenMobile 10.x in clustered configurations, see Architecture.
Based on the number of nodes you require, you create XenMobile VMs. You point the new VMs to the same database and provide the same PKI certificate passwords.
Open the command-line console of the new VM and enter the new password for the administrator account.
Provide the network configuration details as shown in the following figure.
If you want to use the default password for data protection, type y; or, type n and enter a new password.
If you want to use FIPS, type y; or, type n.
Configure the database so that you point to the same database that the earlier fully configured VM pointed to. You see the message: Database already exists.
Enter the same passwords for the certificates that you provided for the first VM.
After you enter the passwords, the initial configuration on the second node completes.
When the configuration is complete, the server restarts and the logon dialog box appears.
The logon dialog box is identical to the logon dialog box of the first VM. The match is a way for you to confirm that both VMs are using the same database server.
Use the fully qualified domain name (FQDN) of XenMobile to open the XenMobile console in a web browser.
In the XenMobile console, click the wrench icon in the upper-right corner of the console.
The Support page opens.
Under Advanced, click Cluster Information.
All of the information about the cluster appears, including cluster members, device connection information, tasks, and so on. The new node is now a member of the cluster.
You can add other nodes by following the same steps. The first node added to the cluster has a Role of OLDEST. Nodes added after that show a Role of NONE or null.
After you add the required nodes as members of the XenMobile cluster, load balance the nodes so that you can access the cluster. Load balancing is done by running the XenMobile wizard available in NetScaler. The following steps describe how to load balance XenMobile by running the wizard.
Log on to NetScaler.
On the Configuration tab, click XenMobile and then click Get Started.
Select the Access through NetScaler Gateway check box and the Load Balance XenMobile Servers check box and then click Continue.
Enter the IP address for NetScaler Gateway and then click Continue.
Bind the server certificate to the NetScaler Gateway virtual IP address by doing one of the following and then click Continue.
- In Use existing certificate, choose the server certificate from the list.
- Click the Install Certificate tab to upload a new server certificate.
Enter the Authentication server details and then click Continue.
Ensure the Server Logon Name Attribute is the same as the one you provided in the XenMobile LDAP configuration.
Under XenMobile settings, enter the Load Balancing FQDN for MAM and then click Continue.
Ensure the FQDN of the MAM load balancing virtual IP address and the FQDN of XenMobile are the same.
If you want to use SSL Bridge mode (HTTPS), select HTTPS communication to XenMobile Server. However, if you want to use SSL offload, select HTTP communication to XenMobile Server, as shown in the preceding figure. For the purposes of this article, the choice is SSL Bridge mode (HTTPS).
Bind the server certificate for the MAM load balancing virtual IP address and then click Continue.
Under XenMobile Servers, click Add Server to add the XenMobile nodes.
Enter the IP address of the XenMobile node and then click Add.
Repeat steps 10 and 11 to add more XenMobile nodes that are part of the XenMobile cluster. You see all the XenMobile nodes that you have added. Click Continue.
Click Load Balance Device Manager Servers to continue with the MDM load balancing configuration.
Enter the IP address to be used as the MDM load balancing IP address and then click Continue.
Once you see the XenMobile nodes in the list, click Continue and then click Done to finish the process.
You see the virtual IP address status on the XenMobile page.
To confirm that the virtual IP addresses are up and running, click the Configuration tab and then navigate to Traffic Management > Load Balancing > Virtual Servers.
You also see that the DNS entry in NetScaler points to the MAM load balancing virtual IP address.