XenMobile Server

Server properties

XenMobile has many properties that apply to server-wide operations. This article describes many of the server properties and details how to add, edit, or delete server properties.

Some properties are Custom Keys. To add a custom key, click Add and then, from Key, choose Custom Key.

For information about the properties typically configured, see Server Properties in the XenMobile virtual handbook.

Server Property Definitions

Add Device Always

  • If true, XenMobile adds a device to the XenMobile console, even if it fails enrollment, so that you can see which devices tried to enroll. Defaults to false.

AG Client Cert Issuing Throttling Interval

  • The grace period between generating certificates. This interval prevents XenMobile from generating multiple certificates for a device in a short time period. Citrix recommends that you don’t change this value. Defaults to 30 minutes.

Audit Log Cleanup Execution Time

  • The time to start the audit log cleanup, formatted as HH:MM AM/PM. Example: 04:00 AM. Defaults to 02:00 AM.

Audit Log Cleanup Interval (in Days)

  • The number of days that XenMobile retains the audit log. Defaults to 1.

Audit Logger

  • If False, does not log user interface (UI) events. Defaults to False.

Audit Log Retention (in Days)

  • The number of days that XenMobile retains the audit log. Defaults to 7.

auth.ldap.connect.timeout and auth.ldap.read.timeout

  • To compensate for slow LDAP responses, Citrix recommends that you add server properties for the following Custom Keys.

    • Key: Custom Key
    • Key: auth.ldap.connect.timeout
    • Value: 60000
    • Display Name: auth.ldap.connect.timeout
    • Description: LDAP connection timeout

    • Key: Custom Key
    • Key: auth.ldap.read.timeout
    • Value: 60000
    • Display Name: auth.ldap.read.timeout
    • Description: LDAP read timeout

Certificate Renewal in Seconds

  • The number of seconds before a certificate expires that XenMobile starts to renew certificates. For example, if a certificate will expire December 30 and this property is set to 30 days: If the device connects between December 1 and December 30, XenMobile tries to renew the certificate. Defaults to 2592000 seconds (30 days).

Connection Timeout

  • The session inactivity timeout, in minutes, after which XenMobile closes the TCP connection to a device. The session remains open. Applies to Android devices and Remote Support. Defaults to 5 minutes.

Connection Time out to Microsoft Certification Server

  • The number of seconds that XenMobile waits for a response from the certificate server. If the certificate server is slow and carries heavy traffic, increase this value to 60 seconds or more. A certificate server that doesn’t respond after 120 seconds requires maintenance. Defaults to 15000 milliseconds (15 seconds).

Default deployment channel

  • Determines how XenMobile deploys a resource to a device: At the user-level (DEFAULT_TO_USER) or device-level. Defaults to DEFAULT_TO_DEVICE.

Deploy Log Cleanup (in Days)

  • The number of days that XenMobile keeps the deployment log. Defaults to 7.

Disable Host Name Verification

  • By default, host name verification is enabled on outgoing connections except for the Microsoft PKI server. When host name verification fails, the server log includes errors such as: “Unable to connect to the volume purchase Server: Host name ‘192.0.2.0’ does not match the certificate subject provided by the peer”. If host name verification breaks your deployment, change this property to true. Defaults to false.

Disable SSL Server Verification

  • If True, disables SSL server certificate validation when all the following conditions are met:
    • You enabled certificate-based authentication on your XenMobile Server.
    • The Microsoft CA server is the certificate issuer.
    • An internal CA, whose root XenMobile Server doesn’t trust, signed your certificate.

Defaults to True.

Enable Console

  • If true, enables user access to the Self-Help Portal Console. Defaults to true.

Enable Crash Reporting

  • If true, Citrix collects crash reports and diagnostics to help troubleshoot issues with Secure Hub for iOS and Android. If false, no data is collected. The default value is true.

Enable/Disable Hibernate statistics logging for diagnostics

  • If True, enables Hibernate statistics logging to assist with troubleshooting application performance issues. Hibernate is a component used for XenMobile connections to the Microsoft SQL Server. By default, the logging is disabled because it impacts application performance. Enable logging only for a short duration to avoid creating a huge log file. XenMobile writes the logs to /opt/sas/logs/hibernate_stats.log. Defaults to False.

Enable macOS OTAE

  • If false, prevents the use of an enrollment link for macOS devices, meaning macOS users can enroll only by using an enrollment invitation. Defaults to true.

Enable Notification Trigger

  • Enables or disables Secure Hub client notifications. The value true enables notifications. Defaults to true.

force.server.push.required.apps

  • Enables the forced deployment of required apps on Android and iOS devices in situations such as the following:
    • You upload a new app and mark it as required.
    • You mark an existing app as required.
    • A user deletes a required app.
    • A Secure Hub update is available.

Forced deployment of required apps is false by default. Create the custom key and set Value to true to enable forced deployment. During forced deployment, MDX-enabled required apps, including enterprise apps and public app store apps, upgrade immediately. The upgrade occurs even if you configure an MDX policy for an app update grace period and the user chooses to upgrade the app later.

  • Key: Custom Key
  • Key: force.server.push.required.apps
  • Value: false
  • Display Name: force.server.push.required.apps
  • Description: Force required apps to deploy

Full Pull of ActiveSync Allowed and Denied Users

  • The interval (in seconds) at which XenMobile pulls a complete list (baseline) of ActiveSync allowed and denied users. Defaults to 28800 seconds.

hibernate.c3p0.idle_test_period

  • This XenMobile Server property, a Custom Key, determines the idle time in seconds before a connection is automatically validated. Configure the key as follows. Default is 30.

  • Key: Custom Key
  • Key: hibernate.c3p0.idle_test_period
  • Value: 30
  • Display Name: hibernate.c3p0.idle_test_period =nnn
  • Description: Hibernate idle test period

hibernate.c3p0.max_size

  • This Custom Key determines the maximum number of connections that XenMobile can open to the SQL Server database. XenMobile uses the value that you specify for this custom key as an upper limit. The connections open only if you need them. Base your settings on the capacity of your database server. For more information, see Tuning XenMobile Operations. Configure the key as follows. Default is 1000.

  • Key: hibernate.c3p0.max_size
  • Value: 1000
  • Display Name: hibernate.c3p0.max_size
  • Description: DB connections to SQL

hibernate.c3p0.min_size

  • This Custom Key determines the minimum number of connections that XenMobile opens to the SQL Server database. Configure the key as follows. Default is 100.

  • Key: hibernate.c3p0.min_size
  • Value: 100
  • Display Name: hibernate.c3p0.min_size
  • Description: DB connections to SQL

hibernate.c3p0.timeout

  • This Custom Key determines the idle time-out, in seconds. Default is 120.

  • Key: Custom Key
  • Key: hibernate.c3p0.timeout
  • Value: 120
  • Display Name: hibernate.c3p0.timeout
  • Description: Database idle timeout

Identifies if telemetry is enabled or not

  • Identifies if telemetry (Customer Experience Improvement Program, or CEIP) is enabled. You can opt in to CEIP when you install or upgrade XenMobile. If XenMobile has 15 consecutive failed uploads, it disables telemetry. Defaults to false.

Inactivity Timeout in Minutes

  • If the WebServices timeout type server property is INACTIVITY_TIMEOUT: This property defines the number of minutes after which XenMobile logs out an inactive administrator who did the following:
    • Used the XenMobile Public API for REST Services to access the XenMobile console
    • Used the XenMobile Public API for REST Services to access any third-party app.

A timeout of 0 means that an inactive user remains logged in. Defaults to 5.

iOS Device Management Enrollment Auto-Install Enabled

  • If true, this property reduces the amount of user interaction required during device enrollment. Users must click Root CA install (if needed) and MDM Profile install.

iOS Device Management Enrollment First Step Delayed

  • After a user enters their credentials during device enrollment, this value specifies how long to wait before prompting for the root CA. Citrix recommends that you edit this property only for network latency or speed issues. In that case, don’t set the value to more than 5000 milliseconds (5 seconds). Defaults to 1000 milliseconds (1 second).

iOS Device Management Enrollment Last Step Delayed

  • During device enrollment, this property value specifies the amount of time to wait between installing the MDM profile and starting the Agent on the device. Citrix recommends that you edit this property only for network latency or speed issues. In that case, don’t set the value to more than 5000 milliseconds (5 seconds). Defaults to 1000 milliseconds (1 second).

iOS Device Management Identity Delivery Mode

  • Specifies whether XenMobile distributes the MDM certificate to devices using SCEP (recommended for security reasons) or PKCS12. In PKCS12 mode, the key pair is generated on the server and no negotiation is done. Defaults to SCEP.

iOS Device Management Identity Key Size

  • Defines the size of private keys for MDM identities, iOS profile service, and XenMobile iOS agent identities. Defaults to 1024.

iOS Device Management Identity Renewal Days

  • Specifies the number of days before the certificate expiration that XenMobile starts renewing certificates. For example: If a certificate expires in 10 days and this property is 10 days, when a device connects 9 days before expiration, XenMobile issues a new certificate. Defaults to 30 days.

iOS MDM APNS Private Key Password

  • This property holds the APNs password, which XenMobile requires to push notifications to Apple servers.

Length of Inactivity Before Device Is Disconnected

  • Specifies how long a device can stay inactive, including the last authentication, before XenMobile disconnects it. Defaults to 7 days.

MAM Only Device Max

  • This Custom Key limits the number of MAM-only devices that each user can enroll. Configure the key as follows. A Value of 0 allows unlimited device enrollments.

  • Key = number.of.mam.devices.per.user
  • Value = 5
  • Display name = MAM Only Device Max
  • Description = Limits the number of MAM devices each user can enroll.

MaxNumberOfWorker

  • The number of threads used when importing many volume purchase licenses. Defaults to 3. If you need further optimization, you can increase the number of threads. However, with a larger number of threads, such as 6, a volume purchase import results in high CPU usage.

Citrix ADC Single Sign-On

  • If False, disables the XenMobile callback feature during single sign-on from Citrix ADC to XenMobile. If the Citrix Gateway configuration includes a callback URL, XenMobile uses the callback feature to verify the Citrix Gateway session ID. Defaults to False.

Number of consecutive failed uploads

  • Displays the number of consecutive failures during Customer Experience Improvement Program (CEIP) uploads. XenMobile increments the value when an upload fails. After 15 upload failures, XenMobile disables CEIP, also called telemetry. For more information, see the server property Identifies if telemetry is enabled or not. XenMobile resets the value to 0 when an upload succeeds.

Number of Users Per Device

  • The maximum number of users who can enroll the same device in MDM. The value 0 means that an unlimited number of users can enroll the same device. Defaults to 0.

Pull of Incremental Change of Allowed and Denied Users

  • The number of seconds that XenMobile waits for a response from the domain when running a PowerShell command to get a delta of ActiveSync devices. Defaults to 60 seconds.

Read Timeout to Microsoft Certification Server

  • The number of seconds that XenMobile waits for a response from the certificate server when doing a read. If the certificate server is slow and carries heavy traffic, you can increase this value to 60 seconds or more. A certificate server that doesn’t respond after 120 seconds requires maintenance. Defaults to 15000 milliseconds (15 seconds).

REST Web Services

  • Enables the REST Web Service. Defaults to true.

Retrieves devices information in chunks of specified size

  • This value is used internally for multithreading during device exports. If the value is higher, a single thread parses more devices. If the value is lower, more threads fetch the devices. Reducing the value might increase the performance of exports and device list fetches, yet might reduce available memory. Defaults to 1000.

Session Log Cleanup (in Days)

  • The number of days that XenMobile keeps the session log. Defaults to 7.

Server Mode

  • Determines whether XenMobile runs in MAM, MDM, or ENT (enterprise) mode, corresponding to app management, device management, or app and device management. Set the Server Mode property according to how you want devices to register, as noted in the following table. Server Mode defaults to ENT, whatever the license type is.

If you have a XenMobile MDM Edition license, the effective server mode is always MDM regardless of how you set the server mode in Server Properties. If you have an MDM Edition license, you cannot enable app management by setting the server mode to either MAM or ENT.

     
Your licenses are this Edition | You want devices to register in this mode | Set Server Mode property to
Enterprise / Advanced          | MDM mode                                  | MDM
Enterprise / Advanced          | MDM+MAM mode                              | ENT
MDM                            | MDM mode                                  | MDM

The effective server mode is a combination of the license type and server mode. For an MDM license, the effective server mode is always MDM regardless of the server mode setting. For Enterprise and Advanced licenses, the effective server mode matches the server mode, if the server mode is ENT or MDM. If the server mode is MAM, the effective server mode is ENT.

XenMobile adds the server mode to the server log for each of these activities: A license is activated, a license is deleted, and you change the server mode in Server Properties. For information about creating and viewing log files, see Logs and View and analyze log files in XenMobile.

ShareFile configuration type

  • Specifies the Citrix Files storage type. ENTERPRISE enables Citrix Files Enterprise mode. CONNECTORS provides access only to storage zone connectors that you create through the XenMobile console. Defaults to NONE, which shows the initial view of the Configure > ShareFile screen where you choose between Citrix Files Enterprise and Connectors.

Static Timeout in Minutes

  • If the WebServices timeout type server property is STATIC_TIMEOUT: This property defines the number of minutes after which XenMobile logs out an administrator after using the following:
    • The XenMobile Public API for REST Services to access the XenMobile console.
    • The XenMobile Public API for REST Services to access any third-party app.

Defaults to 60.

Trigger Agent Message Suppression

  • Enables or disables Secure Hub client messaging. The value false enables messaging. Defaults to true.

Trigger Agent Sound Suppression

  • Enables or disables Secure Hub client sounds. The value false enables sounds. Defaults to true.

Unauthenticated App Download for Android Devices

  • If True, you can download self-hosted apps to Android devices running Android Enterprise. XenMobile needs this property if the Android Enterprise option to provide a download URL in the Google Play Store statically is enabled. In that case, download URLs can’t include a one-time ticket (defined by the XAM One-Time Ticket server property) which has the authentication token. Defaults to False.

Unauthenticated App Download for Windows Devices

  • Used only for older Secure Hub versions which don’t validate one-time tickets. If False, you can download unauthenticated apps from XenMobile to Windows devices. Defaults to False.

Use ActiveSync ID to Conduct an ActiveSync Wipe Device

  • If true, the Endpoint Management connector for Exchange ActiveSync uses the ActiveSync identifier as an argument for the asWipeDevice method. Defaults to false.

Users only from Exchange

  • If true, disables user authentication for ActiveSync Exchange users. Defaults to false.

VP baseline interval

  • The minimum interval at which XenMobile reimports volume purchase licenses from Apple. Refreshing license information makes sure that XenMobile reflects all changes, such as when you manually delete an imported app from volume purchase. By default, XenMobile refreshes the volume purchase license baseline a minimum of every 720 minutes.

If you have many volume purchase licenses installed (for example, more than 50,000): Citrix recommends that you increase the baseline interval to reduce the frequency and overhead of importing licenses.

If you expect frequent volume purchase license changes from Apple: Citrix recommends that you lower the value to keep XenMobile updated with the changes. The minimum interval between the two baselines is 60 minutes. Also, XenMobile does a delta import every 60 minutes to capture the changes since the last import. So, if the volume purchase baseline interval is 60 minutes, the interval between baselines might be delayed up to 119 minutes.

WebServices Timeout Type

  • Specifies how to expire an authentication token retrieved from the public API. If STATIC_TIMEOUT, XenMobile considers an authentication token as expired after the value specified in the server property Static Timeout in Minutes.

If INACTIVITY_TIMEOUT, XenMobile considers an authentication token as expired after the token is inactive for the value specified in the server property Inactivity Timeout in Minutes. Defaults to STATIC_TIMEOUT.

Windows WNS Channel - Number of Days Before Renewal

  • The renewal frequency for the ChannelURI. Defaults to 10 days.

Windows WNS Heartbeat Interval

  • How long XenMobile waits before connecting to a device again after it has connected to the device every three minutes, five times. Defaults to 6 hours.

XAM One-Time Ticket

  • The number of milliseconds that a one-time authentication token (OTT) is valid for downloading an app. This property and the properties Unauthenticated App download for Android and Unauthenticated App download for Windows work together. Those properties specify whether to allow unauthenticated app downloads. Defaults to 3600000.

XenMobile MDM Self-Help Portal console max inactive interval (minutes)

  • The number of minutes after which XenMobile logs out an inactive user from the XenMobile Self-Help Portal. A timeout of 0 means that an inactive user remains logged in. Defaults to 30.
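The following added example (not from Citrix documentation or product code) reviews a set of server property values against the definitions above and reports those that relax verification, authentication, or audit logging. The property names and defaults come from this page; the dictionary input format and the 2048-bit key-size floor are assumptions of the example.

```python
# Added example, not Citrix code. Property names and defaults come from this
# page; the dict input format and MIN_KEY_BITS are assumptions of the example.
DEFAULTS = {  # documented defaults, used when a property is absent
    "Disable Host Name Verification": "false",
    "Disable SSL Server Verification": "True",
    "iOS Device Management Identity Delivery Mode": "SCEP",
    "iOS Device Management Identity Key Size": "1024",
    "Unauthenticated App Download for Android Devices": "False",
    "Users only from Exchange": "false",
    "Audit Logger": "False",
    "WebServices Timeout Type": "STATIC_TIMEOUT",
    "Inactivity Timeout in Minutes": "5",
    "XenMobile MDM Self-Help Portal console max inactive interval (minutes)": "30",
}
MIN_KEY_BITS = 2048  # assumption: this example's policy floor, not a page value
# (property, value that raises a finding, finding text)
BOOLEAN_RULES = [
    ("Disable Host Name Verification", True,
     "host name verification is off for outgoing connections"),
    ("Disable SSL Server Verification", True,
     "SSL server certificate validation is disabled under the listed conditions"),
    ("Unauthenticated App Download for Android Devices", True,
     "app download URLs carry no one-time ticket"),
    ("Users only from Exchange", True,
     "user authentication is disabled for ActiveSync Exchange users"),
    ("Audit Logger", False, "user interface events are not logged"),
]
MODE = "iOS Device Management Identity Delivery Mode"
SIZE = "iOS Device Management Identity Key Size"
PORTAL = "XenMobile MDM Self-Help Portal console max inactive interval (minutes)"


def review(props):
    """Return [(property, finding), ...] for a dict of property -> value."""
    p = {k: str(v).strip() for k, v in {**DEFAULTS, **props}.items()}
    findings = [(key, text) for key, bad, text in BOOLEAN_RULES
                if (p[key].lower() == "true") == bad]
    if p[MODE].upper() != "SCEP":
        findings.append((MODE, "not SCEP, the mode recommended for security reasons"))
    if not p[SIZE].isdigit() or int(p[SIZE]) < MIN_KEY_BITS:
        findings.append((SIZE, f"{p[SIZE]} is below the {MIN_KEY_BITS}-bit floor"))
    # A timeout of 0 means an inactive user is never logged out.
    if (p["WebServices Timeout Type"] == "INACTIVITY_TIMEOUT"
            and p["Inactivity Timeout in Minutes"] == "0"):
        findings.append(("Inactivity Timeout in Minutes",
                         "inactive API administrators stay logged in"))
    if p[PORTAL] == "0":
        findings.append((PORTAL, "inactive Self-Help Portal users stay logged in"))
    return findings


SAMPLE = {  # constructed input, not an export from a real server
    "Disable Host Name Verification": "true",
    "Disable SSL Server Verification": "False",
    "iOS Device Management Identity Delivery Mode": "PKCS12",
    "iOS Device Management Identity Key Size": "2048",
    "Audit Logger": "True",
    "WebServices Timeout Type": "INACTIVITY_TIMEOUT",
    "Inactivity Timeout in Minutes": "0",
}

if __name__ == "__main__":
    for name, finding in review(SAMPLE):
        print(f"{name}: {finding}")
```

Calling `review({})` evaluates the documented defaults alone, which already yields findings for SSL server verification, audit logging, and the identity key size.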

Adding, Editing, or Deleting Server Properties

In XenMobile, you can apply properties to the server. After making changes, make sure that you restart XenMobile on all nodes to commit and activate changes.

Note:

To restart XenMobile, use the command prompt through your hypervisor.

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Under Server, click Server Properties. The Server Properties page appears. You can add, edit, or delete server properties from this page.


To add a server property

  1. Click Add. The Add New Server Property page appears.


  2. Configure these settings:

    • Key: In the list, select the appropriate key. Keys are case-sensitive. Contact Citrix Support before you edit property values or to request a special key.
    • Value: Enter a value depending on the key that you selected.
    • Display Name: Enter a name for the new property value that appears in the Server Properties table.
    • Description: Optionally, type a description for the new server property.
  3. Click Save.

To edit a server property

  1. In the Server Properties table, select the server property you want to edit.

    When you select the checkbox next to a server property, the options menu appears above the server property list. Click anywhere else in the list to open the options menu on the right side of the listing.

  2. Click Edit. The Edit New Server Property page appears.


  3. Change the following information as appropriate:

    • Key: You cannot change this field.
    • Value: The property value.
    • Display Name: The property name.
    • Description: The property description.
  4. Click Save to save your changes or Cancel to leave the property unchanged.

To delete a server property

  1. In the Server Properties table, select the server property you want to delete.

    You can select more than one property to delete by selecting the checkbox next to each property.

  2. Click Delete. A confirmation dialog box appears. Click Delete again.
