What’s new in XenMobile Server 10.10

Important:

To prepare for device upgrades to iOS 12: The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Delete your VPN device policy and create a new VPN device policy with the Citrix SSO connection type.

The Citrix VPN connection continues to operate in previously deployed devices after you delete the VPN device policy. Your new VPN device policy configuration takes effect in XenMobile Server 10.10, during user enrollment.

Upgrade from GCM to FCM

As of April 10, 2018, Google deprecated Google Cloud Messaging (GCM). Google will remove the GCM server and client APIs as soon as May 29, 2019.

Important requirements:

  • To avoid disruptions, upgrade to XenMobile Server 10.10 before May 29.

  • Upgrade to Secure Hub 19.3.5 or later.

Google recommends upgrading to Firebase Cloud Messaging (FCM) right away to begin taking advantage of the new features available in FCM. For information from Google, see https://developers.google.com/cloud-messaging/faq and https://firebase.googleblog.com/2018/04/time-to-upgrade-from-gcm-to-fcm.html.

To continue support for push notifications to your Android devices: If you currently use GCM with XenMobile Server, migrate to FCM. Then, update XenMobile Server with the new FCM key available from the Firebase Cloud Messaging Console.

The following steps reflect the enrollment workflow when you use trusted certificates.

Upgrade steps:

  1. Follow the information from Google to upgrade from GCM to FCM.
  2. In the Firebase Cloud Messaging Console, copy your new FCM key. You will need it for the next step.
  3. In the XenMobile Server console, go to Settings > Firebase Cloud Messaging and configure your settings.

Devices switch over to FCM the next time they check in with XenMobile Server and do a policy refresh. To force Secure Hub to refresh policies: In Secure Hub, go to Preferences > Device Information and tap Refresh Policy. For more information about configuring FCM, see Firebase Cloud Messaging.

XenMobile Migration Service

If you’re using XenMobile Server on premises, our XenMobile Migration Service can get you started with Endpoint Management. Migration from XenMobile Server to Citrix Endpoint Management doesn’t require you to re-enroll devices.

For more information, contact your local Citrix salesperson, Systems Engineer, or Citrix Partner. These blogs discuss the XenMobile Migration Service:

New XenMobile Migration Service

Making the Case for XenMobile in the Cloud

iOS MDM enrollment workflow change

To improve platform security by reducing misleading profile installations, Apple released a new workflow for manually enrolling devices in MDM. This new workflow affects all MDM solutions, including XenMobile Server.

There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. The workflow changes are only for manual enrollment in MDM.

If you use trusted certificates, Citrix now lets you further simplify enrollment. Previously, iOS device users received two prompts during enrollment: A prompt for the root CA and a prompt for the MDM device certificate. iOS device users can now receive only the MDM device certificate prompt during enrollment. To support this change:

  • If you use trusted certificates, go to Settings > Server Properties and change the value of the property ios.mdm.enrollment.installRootCaIfRequired to false. With that change, a Safari window opens during MDM enrollment to simplify the profile installation for users. iOS device users receive only the MDM device certificate prompt during enrollment. That prompt is labeled “XenMobile Profile Service”.
  • If you use self-signed certificates, leave the value of the property ios.mdm.enrollment.installRootCaIfRequired set to true. Users will continue to also get the prompt to install the XenMobile CA.

Image of Server Property screen

For more information, see Enroll iOS devices and the following YouTube video:

iOS enrollment video

Before you upgrade to XenMobile 10.10 (on-premises)

Some systems requirements changed. For information, see System requirements and compatibility and XenMobile compatibility.

  1. Update your Citrix License Server to 11.15 or later before updating to the latest version of XenMobile Server 10.10.

    The latest version of XenMobile requires Citrix License Server 11.15 (minimum version).

    Note

    The Subscription Advantage (SA) date in XenMobile 10.10 is April 9, 2019. The Subscription Advantage (SA) date on your Citrix license must be later than this date. You can view your SA date next to the license in the License Server. If you connect the latest version of XenMobile to an older license server environment, the connectivity check fails and you can’t configure the license server.

    To renew the SA date on your license, download the latest license file from the Citrix Portal and upload the file to the Licensing Server. For more information, see https://support.citrix.com/article/CTX134629.

  2. For a clustered environment: iOS policy and app deployments to devices running iOS 11 and later have the following requirement. If NetScaler Gateway is configured for SSL persistence, you must open port 80 on all XenMobile Server nodes.

  3. If the virtual machine running the XenMobile Server to be upgraded has less than 4 GB of RAM, increase the RAM to at least 4 GB. Keep in mind that the recommended minimum RAM is 8 GB for production environments.

  4. Recommendation: Before you install a XenMobile update, use the functionality in your VM to take a snapshot of your system. Also, back up your system configuration database. If you experience issues during an upgrade, complete backups enable you to recover.

To upgrade

Citrix will provide a ShareFile link to the upgrade file.

You can directly upgrade to XenMobile Server 10.10 from XenMobile 10.9 or 10.8. Use the Release Management page in the XenMobile console. For more information, see To upgrade using the Release Management page.

After you upgrade

After you upgrade to XenMobile 10.10 (on-premises):

If functionality involving outgoing connections stop working, and you haven’t changed your connections configuration, check the XenMobile Server log for errors such as the following: “Unable to connect to the VPP Server: Host name ‘192.0.2.0’ does not match the certificate subject provided by the peer”.

The certificate validation error indicates that you need to disable host name verification on XenMobile Server. By default, host name verification is enabled on outgoing connections except for the Microsoft PKI server. If host name verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.

RBAC enhancement to restrict administrator groups permissions

On the Manage > Users and Manage > Enrollment Invitations pages: The user information shown is now restricted by an RBAC administrator’s group permissions. Previously, the XenMobile Server console included information for all local users and domain users on those pages.

To specify which user groups an RBAC administrator has permission to view and manage: Edit the administrator role and specify the user groups. For more information, see Configure roles with RBAC.

New policies for Android Enterprise devices

The latest version of XenMobile Server has these new policies for Android Enterprise devices.

  • WiFi device policy. You can create WiFi device policies for Android Enterprise devices. See WiFi device policy.
  • Custom XML device policy. You can create Custom XML device policies for Android Enterprise devices. See Custom XML device policy.
  • Location device policy. You can define location settings for devices that enroll in Android Enterprise device owner mode or profile owner mode. See Location device policy.
  • Files device policy. You can add files to XenMobile Server to perform functions on Android Enterprise devices. See Files device policy.
  • New Restrictions device policy settings. New settings for the Restrictions device policy allow users to access the following features on Android Enterprise devices. See Restrictions device policy.
    • File transfer
    • Tethering
    • Android beam
    • Allow copy and paste
    • Enable app verification
    • Allow user control of application settings
    • Allow work profile contracts in device contacts
    • Allow screen capture
    • Allow use of camera
    • Allow work profile app widgets on home screen
    • Allow Account Management
    • Allow location services
    • Disable Applications

Note:

Ensure that you are using the latest Google Play version of Secure Hub to access the latest Android Enterprise policies.