Configure FIPS with XenMobile
XenMobile Service server-side components are not FIPS 140-2 compliant.
Federal Information Processing Standards (FIPS) mode in XenMobile supports U.S. federal government customers by using only FIPS 140-2 certified libraries for all encryption operations. Installing your XenMobile Server with FIPS mode ensures that all data for the XenMobile client and server are fully compliant with FIPS 140-2. That compliance applies to data at rest and data in transit.
Before installing a XenMobile Server in FIPS mode, complete the following prerequisites.
Use an external SQL Server 2012 or SQL Server 2014 for the XenMobile database. The SQL Server also must be configured for secure SSL communication. For instructions on configuring secure SSL communication to SQL Server, see the SQL Server Books Online.
Secure SSL communication requires that you install an SSL certificate on your SQL Server. The SSL certificate can either be a public certificate from a commercial CA or a self-signed certificate from an internal CA. Be aware that SQL Server 2014 cannot accept a wildcard certificate. Citrix recommends, therefore, that you request an SSL certificate with the FQDN of the SQL Server.
If you use a self-signed certificate for SQL Server, obtain a copy of the root CA certificate that issued your self-signed certificate. You import the root CA certificate to XenMobile Server during installation.
You can enable FIPS mode only during the initial setup of XenMobile Server. It is not possible to enable FIPS after installation is complete. Therefore, if you plan to use FIPS mode, you must install the XenMobile Server with FIPS mode from the start. Also, for XenMobile clusters, all cluster nodes must have FIPS enabled. You cannot have a mix of FIPS and non-FIPS XenMobile Servers in the same cluster.
There is a Toggle FIPS mode option in the XenMobile command-line interface that is not for production use. This option is intended for non-production, diagnostic use and is not supported on a production XenMobile Server.
During initial setup, enable FIPS mode.
Upload the root CA certificate for your SQL Server. If you used a self-signed SSL certificate rather than a public certificate on your SQL Server, choose Yes for this option. Then do one of the following:
- Copy and paste the CA certificate.
- Import the CA certificate. To import the CA certificate, you must post the certificate to a website that is accessible from the XenMobile Server via an HTTP URL. For details, see Uploading the certificate to XenMobile.
Specify the server name and port of your SQL Server, the credentials for logging into SQL Server, and the database name to create for XenMobile.
You can use either a SQL logon or an Active Directory account to access SQL Server, but the logon you use must have the DBcreator role.
To use an Active Directory account, enter the credentials in the format domain\username.
Once these steps are complete, proceed with the XenMobile initial setup.
To confirm that the configuration of FIPS mode is successful, log on to the XenMobile command-line interface. The phrase In FIPS Compliant Mode appears in the logon banner.
The following procedure describes how to configure FIPS on XenMobile by importing the certificate, which is required when you use a VMware hypervisor.
The connection from XenMobile to the SQL instance must be secured, and the instance must be SQL Server 2012 or SQL Server 2014. To secure the connection, see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console.
If the service does not restart properly, check the following:
Open Services.msc.
Copy the logon account information used for the SQL Server service.
Open MMC.exe on the SQL Server.
Go to File > Add/Remove Snap-in and then double-click the Certificates item to add the Certificates snap-in. On the two wizard pages, select Computer account and then Local computer.
Expand Certificates (Local Computer) > Personal > Certificates and find the imported SSL certificate.
Right-click the imported certificate (selected in the SQL Server Configuration Manager) and then click All Tasks > Manage Private Keys.
Under Group or User names, click Add.
Enter the SQL service account name you copied in the earlier step.
Clear the Allow Full Control option. By default, the service account is given both Full Control and Read permissions, but it only needs to read the private key.
Close MMC and start the SQL service.
Ensure the SQL service is started correctly.
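The private key permission fix above, scripted as an added example (not Citrix documentation code): it grants the SQL Server service account Read access only on the key file that backs the imported SSL certificate, which is the same change the Manage Private Keys dialog makes. The thumbprint, account name and instance name are placeholders for your environment.

```powershell
# Added example, not Citrix documentation code: grant the SQL Server service account
# Read access to the private key of the imported SSL certificate, the same change the
# Manage Private Keys dialog makes. The thumbprint, account and instance name below
# are placeholders you replace with your own values.
$Thumbprint     = '<THUMBPRINT OF THE IMPORTED SQL SSL CERTIFICATE>'
$ServiceAccount = 'CONTOSO\svc-sqlserver'   # logon account copied from Services.msc
$SqlService     = 'MSSQLSERVER'             # default instance; named: 'MSSQL$<INSTANCE>'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import it as a PFX" }

# Locate the key container file. Legacy CSP keys live under RSA\MachineKeys, CNG keys
# under Crypto\Keys; check both because the API type differs between PowerShell editions.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
              else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @("Microsoft\Crypto\Keys\$uniqueName", "Microsoft\Crypto\RSA\MachineKeys\$uniqueName") |
           ForEach-Object { Join-Path $env:ProgramData $_ } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file for container '$uniqueName' not found" }

# Replace whatever the account already holds (typically Full Control + Read) with Read only:
# the service only needs to load the key, never to change or export it.
$identity = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$acl = Get-Acl -Path $keyFile
$acl.PurgeAccessRules($identity)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

# Verify the resulting ACE, then restart SQL Server and confirm it came back up.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Restart-Service -Name $SqlService
(Get-Service -Name $SqlService).Status   # expect Running
```

Run it in an elevated PowerShell session on the SQL Server; if the service still fails to start, the SQL Server error log names the certificate that could not be loaded.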
Internet Information Services (IIS) Prerequisites
Download the root certificate (base 64).
Copy the root certificate to the default site on the IIS server, C:\inetpub\wwwroot.
Check the Authentication check box for the default site.
Set Anonymous to enabled.
Select the Failed Request Tracking rules check box.
Ensure that the .cer file extension is not blocked on the site.
Browse to the location of the .cer file in an Internet Explorer browser from the local server, http://localhost/certname.cer. The root certificate text appears in the browser.
If the root cert does not appear in the Internet Explorer browser, ensure that ASP is enabled on the IIS server as follows.
Open Server Manager.
Navigate to the wizard in Manage > Add Roles and Features.
In the server roles, expand Web Server (IIS), expand Web Server, expand Application Development, and then select ASP.
Click Next until the install completes.
Open Internet Explorer and browse to
For more information, see Web Server (IIS).
You can use the IIS instance of the CA for this procedure.
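The root certificate is imported over plain HTTP, so nothing in the transfer itself proves you received the right file. This added check (not Citrix documentation code) downloads the certificate from the IIS URL you will give the setup console and confirms that it is the root of the chain that issued the SQL Server SSL certificate; the URL and the thumbprint are placeholders.

```powershell
# Added example, not Citrix documentation code: download the root CA certificate that IIS
# serves over plain HTTP and confirm it is the root that issued the SQL Server SSL
# certificate before giving the URL to the XenMobile setup console. The URL and the
# thumbprint are placeholders for your environment.
$CertUrl       = 'http://localhost/cert.cer'
$SqlThumbprint = '<THUMBPRINT OF THE SQL SERVER SSL CERTIFICATE>'

# 1. Fetch to a temp file and parse; X509Certificate2 accepts both DER and Base-64 .cer files.
$tmp  = Join-Path $env:TEMP 'served-root.cer'
$resp = Invoke-WebRequest -Uri $CertUrl -UseBasicParsing -OutFile $tmp -PassThru
if ($resp.StatusCode -ne 200) { throw "HTTP $($resp.StatusCode) from $CertUrl" }
try   { $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tmp) }
catch { throw "$CertUrl did not return a parseable certificate (is .cer blocked or served as HTML?)" }
if ($served.Subject -ne $served.Issuer) { throw "Served certificate is not self-issued: $($served.Subject)" }

# 2. Walk the SQL Server certificate's chain on this machine and take its top element.
$sql = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $SqlThumbprint.ToUpper() }
if (-not $sql) { throw "SQL certificate $SqlThumbprint not found in LocalMachine\My" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sql)   # result ignored: only the chain shape matters here, not trust status
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# 3. Plain HTTP gives no integrity, so this out-of-band thumbprint match is the real control.
if ($served.Thumbprint -ne $root.Thumbprint) {
    throw "Served root $($served.Thumbprint) differs from the SQL certificate's root $($root.Thumbprint)"
}
"OK: $CertUrl serves '$($served.Subject)', thumbprint $($served.Thumbprint), valid until $($served.NotAfter)"
Remove-Item -Path $tmp -ErrorAction SilentlyContinue
```

Run it on the SQL Server (where the SSL certificate and its chain are installed), replacing localhost with the IIS FQDN the XenMobile Server will use so the same path is exercised.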
When you complete the steps to configure XenMobile for the first time in the command-line console, you must complete these settings to import the root certificate. For details on the installation steps, see Installing XenMobile.
- Enable FIPS: Yes
- Upload Root Certificate: Yes
- Copy(c) or Import(i): i
- Enter HTTP URL to import: http://<FQDN of IIS server>/cert.cer
- Server: FQDN of SQL Server
- Port: 1433
- User name: Service account which can create the database (
- Password: The password for the service account.
- Database Name: A name of your choice.
By default, FIPS mode is disabled on mobile devices. To enable FIPS mode, go to Settings > Client Properties, edit the Enable FIPS Mode property, and set the value to true. For more information, see Client properties.