What’s new in XenMobile Server 10.11

Important:

To prepare for device upgrades to iOS 12+: The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12+. Delete your VPN device policy and create a new VPN device policy with the Citrix SSO connection type.

The Citrix VPN connection continues to operate in previously deployed devices after you delete the VPN device policy. Your new VPN device policy configuration takes effect in XenMobile Server 10.11, during user enrollment.

Support for iOS 13

XenMobile Server supports devices upgraded to iOS 13. The upgrade impacts your users as follows:

  • During enrollment, the new iOS Setup Assistant Option screens that Apple added in iOS 13 appear. Those options are not yet included in the Settings > Apple Device Enrollment Program (DEP) page in this release, so you can’t configure XenMobile Server to skip the screens, and users on iOS 13 devices see them.

  • Some Restrictions device policy settings that were available on supervised or unsupervised devices for previous versions of iOS are available only on supervised devices for iOS 13+. The current XenMobile Server console tool tips don’t yet indicate that these settings are for supervised devices for iOS 13+ only.

    • Allow hardware controls:
      • Camera
      • FaceTime
      • Installing apps
    • Allow apps:
      • iTunes Store
      • Safari
      • Autofill
    • Network - Allow iCloud actions:
      • iCloud documents & data
      • iCloud backup
      • iCloud keychain
    • Supervised only settings - Allow:
      • Game Center
      • Multiplayer gaming
    • Media content - Allow:
      • Explicit music, podcasts, and iTunes U material

These restrictions apply as follows:

  • If an iOS 12 (or lower) device is already enrolled in XenMobile Server and then upgrades to iOS 13, nothing changes. The preceding settings apply to the device as before.
  • If an unsupervised iOS 13+ device enrolls in XenMobile Server, the preceding settings don’t apply to the device.
  • If a supervised iOS 13+ device enrolls in XenMobile Server, the preceding settings apply to the device.

Requirements for trusted certificates in iOS 13 and macOS 15

Apple has new requirements for TLS server certificates. Verify that all certificates follow the new Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176. For help with managing certificates, see Uploading certificates in XenMobile.

Upgrade from GCM to FCM

As of April 10, 2018, Google deprecated Google Cloud Messaging (GCM). Google removed the GCM server and client APIs on May 29, 2019.

Important requirements:

  • Upgrade to the latest version of XenMobile Server.
  • Upgrade to the latest version of Secure Hub.

Google recommends upgrading to Firebase Cloud Messaging (FCM) right away to begin taking advantage of the new features available in FCM. For information from Google, see https://developers.google.com/cloud-messaging/faq and https://firebase.googleblog.com/2018/04/time-to-upgrade-from-gcm-to-fcm.html.

To continue support for push notifications to your Android devices: If you use GCM with XenMobile Server, migrate to FCM. Then, update XenMobile Server with the new FCM key available from the Firebase Cloud Messaging Console.

The following steps reflect the enrollment workflow when you use trusted certificates.

Upgrade steps:

  1. Follow the information from Google to upgrade from GCM to FCM.
  2. In the Firebase Cloud Messaging Console, copy your new FCM key. You will need it for the next step.
  3. In the XenMobile Server console, go to Settings > Firebase Cloud Messaging and configure your settings.

Devices switch over to FCM the next time they check in with XenMobile Server and do a policy refresh. To force Secure Hub to refresh policies: In Secure Hub, go to Preferences > Device Information and tap Refresh Policy. For more information about configuring FCM, see Firebase Cloud Messaging.

XenMobile Migration Service

If you’re using XenMobile Server on premises, our XenMobile Migration Service can get you started with Endpoint Management. Migration from XenMobile Server to Citrix Endpoint Management doesn’t require you to re-enroll devices.

For more information, contact your local Citrix salesperson, Systems Engineer, or Citrix Partner. These blogs discuss the XenMobile Migration Service:

New XenMobile Migration Service

Making the Case for XenMobile in the Cloud

Before you upgrade to XenMobile 10.11 (on-premises)

Some systems requirements changed. For information, see System requirements and compatibility and XenMobile compatibility.

  1. Update your Citrix License Server to 11.15 or later before updating to the latest version of XenMobile Server 10.11.

    The latest version of XenMobile requires Citrix License Server 11.15 (minimum version).

    Note:

    If you want to use your own license for the Preview, know that the Customer Success Services date (previously, Subscription Advantage date) in XenMobile 10.11 is April 9, 2019. The Customer Success Services date on your Citrix license must be later than this date.

    You can view the date next to the license in the License Server. If you connect the latest version of XenMobile to an older License Server environment, the connectivity check fails and you can’t configure the License Server.

    To renew the date on your license, download the latest license file from the Citrix Portal and upload the file to the Licensing Server. For more information, see Customer Success Services.

  2. For a clustered environment: iOS policy and app deployments to devices running iOS 11 and later have the following requirement. If NetScaler Gateway is configured for SSL persistence, you must open port 80 on all XenMobile Server nodes.

  3. If the virtual machine running the XenMobile Server to be upgraded has less than 4 GB of RAM, increase the RAM to at least 4 GB. Keep in mind that the recommended minimum RAM is 8 GB for production environments.

  4. Recommendation: Before you install a XenMobile update, use the functionality in your VM to take a snapshot of your system. Also, back up your system configuration database. If you experience issues during an upgrade, complete backups enable you to recover.

To upgrade

You can directly upgrade to XenMobile 10.11 from XenMobile 10.10.x or 10.9.x. To perform the upgrade, use the latest 10.11 binary available on the Citrix Download page. To upload the upgrade, use the Release Management page in the XenMobile console. For more information, see To upgrade using the Release Management page.

After you upgrade

After you upgrade to XenMobile 10.11 (on-premises):

If functionality involving outgoing connections stops working, and you haven’t changed your connections configuration, check the XenMobile Server log for errors such as the following: “Unable to connect to the VPP Server: Host name ‘192.0.2.0’ does not match the certificate subject provided by the peer”.

The certificate validation error indicates that you need to disable host name verification on XenMobile Server. By default, host name verification is enabled on outgoing connections except for the Microsoft PKI server. If host name verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.
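The following Python script is an added example, not part of the Citrix documentation: it reproduces the host name check behind the error above against a constructed certificate dictionary in the shape returned by Python’s ssl.SSLSocket.getpeercert(), so you can see why an IP literal such as 192.0.2.0 fails against a certificate whose SAN lists only DNS names, and confirm that a reissued certificate matches before resorting to disable.hostname.verification. All host names and SAN values are assumptions.

```python
import ipaddress

# Constructed sample (hypothetical values, not from a real deployment), in the
# layout that ssl.SSLSocket.getpeercert() returns for a parsed server certificate.
VPP_CERT_EXAMPLE = {
    "subject": ((("commonName", "vpp.example.com"),),),
    "subjectAltName": (("DNS", "vpp.example.com"), ("DNS", "*.apps.example.com")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry; a wildcard may only be the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # *.apps.example.com matches store.apps.example.com but not a.b.apps.example.com
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> tuple:
    """Return (ok, reason) for the host name check a TLS client performs.

    Disabling the check lets any certificate chained to a trusted CA impersonate
    the peer, so the aim is to find out why it fails and fix the certificate.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only ever matches an iPAddress SAN; CN and dNSName never count.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, f"no iPAddress SAN for {host}; connect by DNS name or reissue the certificate"
    dns_names = [value for kind, value in sans if kind == "DNS"]
    for name in dns_names:
        if _dns_match(name, host):
            return True, f"dNSName SAN {name} matches"
    if dns_names:
        return False, f"{host} is not in the SAN list {dns_names}"
    # Legacy fallback: commonName is consulted only when no dNSName SAN is present.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, host):
                return True, f"commonName {value} matches (certificate has no SAN)"
    return False, f"no SAN or commonName matches {host}"


if __name__ == "__main__":
    for host in ("192.0.2.0", "vpp.example.com", "store.apps.example.com"):
        print(host, hostname_matches(VPP_CERT_EXAMPLE, host))
```

Running the script shows the IP-literal lookup failing exactly as the logged error describes, while the DNS names in the SAN succeed.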

New and updated device policy settings for Android Enterprise devices

Samsung Knox and Android Enterprise policy unification. For Android Enterprise devices running Samsung Knox 3.0 or later and Android 8.0 or later: Knox and Android Enterprise are combined into a unified device and profile management solution. Configure Knox settings on the Android Enterprise page of the following device policies:

Android Enterprise restriction policy

App inventory device policy for Android Enterprise. You can now collect an inventory of the Android Enterprise apps on managed devices. See App inventory device policy.

Access all Google Play apps in the managed Google Play store. The Access all apps in the managed Google Play store server property makes all apps from the public Google Play store accessible from the managed Google Play store. Setting this property to true whitelists the public Google Play store apps for all Android Enterprise users. Administrators can then use the Restrictions device policy to control access to these apps.

Enable system apps on Android Enterprise devices. To allow users to run pre-installed system apps in the Android Enterprise work profile mode or fully managed mode, configure the Restrictions device policy. That configuration grants user access to default device apps, such as camera, gallery, and others. To restrict access to a particular app, set app permissions using the Android Enterprise permissions device policy.

Enable system apps

Support for Android Enterprise dedicated devices. XenMobile now supports the management of dedicated devices, previously called corporate owned single use (COSU) devices.

Dedicated Android Enterprise devices are fully managed devices that are dedicated to fulfill a single use case. You restrict these devices to one app or small set of apps required to perform the tasks needed for this use case. You also prevent users from enabling other apps or performing other actions on the device.

For information about provisioning Android Enterprise devices, see Provisioning dedicated Android Enterprise devices.

Renamed policy. To align with Google terminology, the Android Enterprise app restriction device policy is now called Android Enterprise managed configurations. See Android Enterprise managed configurations device policy.

Lock and reset password for Android Enterprise

XenMobile now supports the Lock and Reset password security action for Android Enterprise devices. Those devices must be enrolled in work profile mode and running Android 8.0 or later.

  • The passcode sent locks the work profile. The device is not locked.
  • If no passcode is sent or the passcode sent doesn’t meet passcode requirements:
    • And no passcode is already set on the work profile, the device is locked.
    • And a passcode is already set on the work profile, the work profile is locked but the device is not locked.

For more information on the lock and reset password security actions, see Security actions.

New Restrictions device policy settings for iOS or macOS

  • Unmanaged apps read managed contacts: Optional. Only available if Documents from managed apps in unmanaged apps is disabled. If this policy is enabled, unmanaged apps can read data from managed accounts’ contacts. Default is Off. Available as of iOS 12.
  • Managed apps write unmanaged contacts: Optional. If enabled, allow managed apps to write contacts to unmanaged accounts’ contacts. If Documents from managed apps in unmanaged apps is enabled, this restriction has no effect. Default is Off. Available as of iOS 12.
  • Password AutoFill: Optional. If disabled, users cannot use the AutoFill Passwords or Automatic Strong Passwords features. Default is On. Available as of iOS 12 and macOS 10.14.
  • Password proximity requests: Optional. If disabled, users’ devices don’t request passwords from nearby devices. Default is On. Available as of iOS 12 and macOS 10.14.
  • Password Sharing: Optional. If disabled, users can’t share their passwords using the AirDrop Passwords feature. Default is On. Available as of iOS 12 and macOS 10.14.
  • Force automatic date and time: Supervised. If enabled, users can’t disable the option General > Date & Time > Set Automatically. Default is Off. Available as of iOS 12.
  • Allow USB restricted mode: Only available for supervised devices. If set to Off, the device can always connect to USB accessories while locked. Default is On. Available as of iOS 11.3.
  • Force delayed software updates: Only available for supervised devices. If set to On, delays the visibility of software updates to users. With this restriction in place, users don’t see a software update until the specified number of days after the update’s release date. Default is Off. Available as of iOS 11.3 and macOS 10.13.4.
  • Enforced software update delay (days): Only available for supervised devices. This restriction lets the admin set the number of days by which software updates on the device are delayed. The maximum is 90 days and the default value is 30. Available as of iOS 11.3 and macOS 10.13.4.
  • Force classroom request permission to leave classes: Only available for supervised devices. If set to On, a student enrolled in an unmanaged course with Classroom must request permission from the teacher when attempting to leave the course. Default is Off. Available as of iOS 11.3.

Restriction device policy settings

See Restrictions device policy.

Exchange device policy updates for iOS or macOS

More S/MIME Exchange signing and encryption settings as of iOS 12. The Exchange device policy now includes settings to configure S/MIME signing and encryption.

For S/MIME signing:

  • Signing identity credential: Choose the signing credential to use.
  • S/MIME Signing User Overridable: If set to On, users can turn S/MIME signing on and off in the settings of their devices. The default is Off.
  • S/MIME Signing Certificate UUID User Overridable: If set to On, users can select, in the settings of their devices, the signing credential to use. The default is Off.

For S/MIME encryption:

  • Encryption identity credential: Choose the encryption credential to use.
  • Enable per message S/MIME switch: When set to On, shows users an option to switch S/MIME encryption on or off for each message they compose. The default is Off.
  • S/MIME Encrypt By Default User Overridable: If set to On, users can, in the settings of their devices, select whether S/MIME is on by default. The default is Off.
  • S/MIME Encryption Certificate UUID User Overridable: If set to On, users can turn S/MIME encryption identity and encryption on and off in the settings of their devices. The default is Off.

Exchange OAuth settings as of iOS 12. You can now configure the connection with Exchange to use OAuth for authentication.

Exchange OAuth settings as of macOS 10.14. You can now configure the connection with Exchange to use OAuth for authentication. For authentication using OAuth, you can specify the sign-in URL for a setup that doesn’t use autodiscovery.

See Exchange device policy.

Mail device policy updates for iOS

More S/MIME Exchange signing and encryption settings as of iOS 12. The Mail device policy includes more settings to configure S/MIME signing and encryption.

For S/MIME signing:

  • Enable S/MIME Signing: Select whether this account supports S/MIME signing. The default is On. When set to On, the following fields appear.
    • S/MIME Signing User Overrideable: If set to On, users can turn S/MIME signing on and off in the settings of their devices. The default is Off. This option applies to iOS 12.0 and later.
    • S/MIME Signing Certificate UUID User Overrideable: If set to On, users can select, in the settings of their devices, the signing credential to use. The default is Off. This option applies to iOS 12.0 and later.

For S/MIME encryption:

  • Enable S/MIME Encryption: Select whether this account supports S/MIME encryption. The default is Off. When set to On, the following fields appear.
    • Enable per message S/MIME switch: When set to On, shows users an option to switch S/MIME encryption on or off for each message they compose. The default is Off.
    • S/MIME Encrypt By Default User Overrideable: If set to On, users can, in the settings of their devices, select whether S/MIME is on by default. The default is Off. This option applies to iOS 12.0 and later.
    • S/MIME Encryption Certificate UUID User Overrideable: If set to On, users can turn S/MIME encryption identity and encryption on and off in the settings of their devices. The default is Off. This option applies to iOS 12.0 and later.

See Mail device policy.

Apps notifications device policy updates for iOS

The following Apps notifications settings are available as of iOS 12.

  • Show in CarPlay: If On, notifications display in Apple CarPlay. Default is On.
  • Enable Critical Alert: If On, an app can mark a notification as a critical notification that ignores Do Not Disturb and ringer settings. Default is Off.

See Apps notifications device policy.

Support for shared iPads used with Apple Education

The XenMobile integration with Apple Education features now supports shared iPads. Multiple students in a classroom can share an iPad for different subjects taught by one or several instructors.

Either you or instructors enroll shared iPads and then deploy device policies, apps, and media to the devices. After that, students provide their managed Apple ID credentials to sign in to a shared iPad. If you previously deployed an Education Configuration policy to students, they no longer sign in as an “Other User” to share devices.

Prerequisites for shared iPads:

  • Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
  • At least 32 GB of storage
  • Supervised

For more information, see Configure shared iPads.

Role-based access control (RBAC) permissions change

The RBAC permission Add/Delete Local Users is now split into two permissions: Add Local Users and Delete Local Users.

For more information, see Configure roles with RBAC.