What’s new in XenMobile Server 10.9


To prepare for device upgrades to iOS 12: The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Delete your VPN device policy and create a new VPN device policy with the Citrix SSO connection type.

The Citrix VPN connection continues to operate in previously deployed devices after you delete the VPN device policy. Your new VPN device policy configuration takes effect in XenMobile Server 10.9, during user enrollment.

XenMobile Migration Service

If you’re using XenMobile Server on premises, our XenMobile Migration Service can get you started with Endpoint Management. Migration from XenMobile Server to Citrix Endpoint Management doesn’t require you to re-enroll devices.

For more information, contact your local Citrix salesperson, Systems Engineer, or Citrix Partner. These blogs discuss the XenMobile Migration Service:

New XenMobile Migration Service

Making the Case for XenMobile in the Cloud

iOS MDM enrollment workflow change

To improve platform security by reducing misleading profile installations, Apple plans to introduce a new workflow for manually enrolling devices in MDM. The new workflow affects all MDM solutions, including Citrix XenMobile Server.

The new enrollment workflow will require that users manually install the MDM profiles. To do that, users navigate to the Settings page, tap General, and then tap Profiles. The list of Profiles available for installation then appears. If the user doesn’t install the profile within 24 hours of downloading it, the profile gets deleted automatically.

There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, the workflow for manually enrolling in MDM does change. Currently, iOS device users receive two prompts during enrollment, for the root CA and the MDM device certificate. As of the update from Apple, iOS device users will receive only the MDM device certificate prompt during enrollment.

If you use trusted certificates: To provide a better user experience once Apple implements the workflow change, Citrix recommends changing the server property ios.mdm.enrollment.installRootCaIfRequired to false. The default value is true. With that change, a Safari window opens during MDM enrollment to simplify the profile installation for users.

Image of Server Property screen

If you use self-signed certificates: Leave the value of the property ios.mdm.enrollment.installRootCaIfRequired set to true. Users will continue to get the prompt to install the Root CA.

For more information, see the blog Changes ahead for Citrix Endpoint Management MDM enrollment process.

Before an upgrade to XenMobile 10.9

  1. Update your Citrix License Server to 11.15 or later before updating to the latest version of XenMobile Server 10.9.

    The latest version of XenMobile requires Citrix License Server 11.15 (minimum version).


    Be aware that the Subscription Advantage (SA) date in XenMobile 10.9 is September 14, 2018. The Subscription Advantage (SA) date on your Citrix license must be later than this date. You can view your SA date next to the license in the License Server. If you connect the latest version of XenMobile to an older license server environment, the connectivity check fails and you can’t configure the license server.

    To renew the SA date on your license, download the latest license file from the Citrix Portal and upload the file to the Licensing Server. For more information, see https://support.citrix.com/article/CTX209580.

  2. For a clustered environment: iOS policy and app deployments to devices running iOS 11 and later have the following requirement. If NetScaler Gateway is configured for SSL persistence, you must open port 80 on all XenMobile Server nodes.

  3. If the virtual machine running the XenMobile Server to be upgraded has less than 4 GB of RAM, increase the RAM to at least 4 GB. Keep in mind that the recommended minimum RAM is 8 GB for production environments.

  4. Recommendation: Before you install a XenMobile update, use the functionality in your VM to take a snapshot of your system. Also, back up your system configuration database. If you experience issues during an upgrade, complete backups enable you to recover.

After an upgrade to XenMobile 10.9

If functionality involving outgoing connections stop working, and you haven’t changed your connections configuration, check the XenMobile Server log for errors such as the following: “Unable to connect to the VPP Server: Host name ‘’ does not match the certificate subject provided by the peer”

The certificate validation error indicates that you need to disable hostname verification on XenMobile Server. By default, hostname verification is enabled on outgoing connections except for the Microsoft PKI server. If hostname verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.

Access to XenMobile Tools from the console

You can access these XenMobile Tools from the XenMobile console:

  • XenMobile Analyzer: Identify and triage potential issues with your deployment.
  • APNs Portal: Submit a request to Citrix to sign an APNs certificate, which you then submit to Apple.
  • Auto Discovery Service: Request and configure Auto Discovery for XenMobile in your domain.
  • Manage Push Notifications: Manage push notifications for iOS and Windows mobile productivity apps.
  • MDX Service: Wraps apps that you can then manage by using XenMobile.

To access these tools, go to Settings > XenMobile Tools.

New workflow for adding an app from the Google Play Store

Instead of specifying Google Play credentials when you add an app, you now add the package ID of the public store Android app.

  1. From the Google Play Store, copy the package ID. The ID is in the URL of the app.

    Image of searching for app

  2. When adding a Public Store app in the Citrix Endpoint Management console, paste the package ID in the search bar.

    Image of searching for app

  3. If the package ID is valid, a UI appears allowing you to enter app details.

    Image of searching for app

For more information, see Add a public app store app.

New Public REST APIs

  • A new version of the Get Devices by Filters API provides additional details about devices. For information, see section 3.16.2, Get Devices by Filters (version 2), in the XenMobile Public API for REST Services PDF.

  • Ability to regenerate Root CA, Devices CA, Server CA and renew device certificates

    XenMobile Server uses the following certificate authorities internally for PKI: Root CA, device CA, and server CA. Those CAs are classified as a logical group and provided a group name. When a new XenMobile Server instance is provisioned, the three CAs are generated and given the group name “default”.

    You can renew the CAs for supported iOS, macOS, and Android devices by using the XenMobile Server console or the public REST API. For enrolled Windows devices, users must re-enroll their devices to receive a new device CA.

    The following APIs are available for refreshing or regenerating the internal PKI CAs in XenMobile Server and renewing the device certificates which are issued by these certificate authorities.

    • Create new group certificate authorities (CAs).
    • Activate new CAs and deactivate old CAs.
    • Renew the device certificate on a configured list of devices. Already enrolled devices continue to work without disruption. A device certificate is issued when a device connects back to the server.
    • Return a list of devices still using the old CA.
    • Delete the old CA after all devices have the new CA.

    For information, see the following sections in the XenMobile Public API for REST Services PDF:

    • Section 3.16.58, Renew Device Certificate
    • Section 3.23, Refresh XenMobile CA Group

    As part of this feature, a new security action, Certificate Renewal , is available from the Manage Devices console. This action renews the enrollment certificate on that device.


    • By default, these new certificate renewal features are disabled. To activate the certificate renewal features, set the value for the server property refresh.internal.ca to True.


    If your NetScaler is set up for SSL Offload, when you generate a new certificate, ensure that you update your load balancer with the new cacert.perm. For more information on NetScaler Gateway setup, see To use SSL Offload mode for NetScaler VIPs.