Product Documentation

What's new in XenMobile Server 10.5

Sep 27, 2017


For the full set of product documentation for XenMobile Server 10.5, see the PDF.

For updates and corrections to the XenMobile Server 10.5 PDF, see XenMobile Server 10.5 documentation errata.

XenMobile Server 10.5 included the following new features. For information about known and fixed issues, see Known issues and  Fixed issues later in this article. 

Simplified management and deployment of ShareFile StorageZone Connectors

You can now use the XenMobile console to configure StorageZone Connectors. Offered as an alternative to using XenMobile with ShareFile Enterprise, the option to use XenMobile with StorageZone Connectors:

  • Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. Doesn't require that you set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data.
  • Provides users with mobile access to data through the ShareFile XenMobile Apps for iOS. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
  • File access is limited to the connectors. Users don't have access to other ShareFile functionality such as data sharing or syncing.
  • Complies with security restrictions against leaking user information outside of the corporate network.
  • Provides simple setup of StorageZone Connectors through the XenMobile console. If you later decide to use the full ShareFile functionality with XenMobile, you can change the configuration in the XenMobile console.
  • Requires XenMobile Enterprise Edition.

The following diagram shows the high-level architecture for XenMobile use with StorageZone Connectors.

localized image

On your first visit to the Configure > ShareFile page, a description of the differences between using XenMobile with ShareFile Enterprise and with StorageZone Connectors appears.

localized image

If you click Configure Connectors, you provide information about the connectors and the StorageZones Controller.

localized image
localized image

You can associate connectors with delivery groups when you create the connector.

localized image

You can also associate connectors with delivery groups by using the Configure > Delivery Groups page.

For more information about integrating StorageZone Connectors with XenMobile, see ShareFile use with XenMobile.

Renamed client properties

XenMobile client property names related to Citrix PIN have changed:

Old property name

New property name

Enable Worx PIN Authentication

Enable Citrix PIN Authentication

Worx PIN Type

PIN Type

PIN Strength Requirement

PIN Strength Requirement

Worx PIN Length Requirement

PIN Length Requirement

Worx PIN Change Requirement

PIN Change Requirement

Worx PIN History

PIN History

The property keys remain the same, as shown in the following sample:

localized image

Dashboard improvements

The XenMobile Analyze > Dashboard page has a responsive design for improved viewing on smaller devices. Other improvements include:

  • The Installed Apps widget now shows the top 10 apps. To view other apps, use the search bar.
  • To export Installed Apps as a CSV file:
    • Choose an app and then export it to get a report for that app only.
    • Choose no apps to get a report for all apps.
    • The reports include the following information for an app: Name, Owner, Version, Size, ID, and Install time.
  • The VPP Apps License Usage widgets now show all apps from the software inventory. You no longer have to search for an app.
localized image
  • The charts show counts in descending order.
  • Each widget uses the best chart type for the information.
  • The actions available for each widget appear in an Actions menu, which now includes only the actions most commonly performed from the dashboard:
    • View Devices - Opens the Manage > Devices page.
    • Export as CSV - Saves the data to a CSV file.
localized image
  • The Export as CSV action exports the following information for each installed app:
    • Name
    • Version
    • Owner
    • Size
    • ID
    • Install time
  • You can drill down to two levels of details for the following charts: Click a platform to see a bar chart for the version counts and then click a version to open the Manage > Devices page.
    Devices By Platform
    Managed Devices By Platform
    Unmanaged Devices By Platform
    Installed Apps

  • To open the Manage > Devices page, click any of these charts:
    Devices By Carrier
    Devices By ActiveSync Gateway Status
    Devices By Ownership
    Android TouchDown License Status
    Failed Delivery Group Deployments
    Devices By Blocked Reason
    VPP Apps License Usage
localized image

Test Connection buttons added to XenMobile console

The XenMobile console now includes a Test Connection button on these pages:

  • Configure > ShareFile: You can use the Test Connection button to verify that the user name and password for the ShareFile administrator account authenticate to the specified ShareFile account.
localized image
  • Settings > XenApp/XenDesktop: You can use the Test Connection button to verify that XenMobile can connect to the specified XenApp and XenDesktop server.
localized image

Windows Defender device policy for Windows 10 for desktop and tablet

Windows Defender is malware protection included with Windows 10. You can use the XenMobile device policy, Defender, to configure the Microsoft Defender policy. To add the Defender policy, go to Configure > Device Policies, click Add, start typing Defender, and then click that name in the search results.

localized image

WiFi device policy support for Windows 10

The WiFi device policy now includes support for Windows 10, enabling you to use client certificate authentication for your WiFi network. To update WiFi device policies, go to Configure > Device Policies.

localized image

Bulk enrollment of macOS devices

The Apple Device Enrollment Program (DEP) setting in XenMobile now supports macOS devices running OS X 10.10 or later. You follow the same process as described in Bulk enrollment of iOS and macOS devices. If you add a DEP account from Settings > Apple Device Enrollment Program (DEP), the Settings and Setup Assistant Options now includes a page for macOS.

localized image

Enrollment settings

  • Require device enrollment: Whether to require users to enroll their devices. The default is Yes.
  • Wait for configuration to complete setup: If you enable this setting, the macOS device doesn't continue in the Setup Assistant until the MDM resource passcode deploys to the device. The MDM resource passcode deployment occurs before the local account is created. This setting is available for macOS 10.11 and later devices. The default is No.

Device settings

  • Allow enrollment profile removal: Whether to allow devices to use a profile that you can remove remotely. The default is No.
localized image
  • Set up as New or Restore: Set up the device as new or from an iCloud or iTunes backup.
  • Location services: Set up the location service on the device.
  • Apple ID: Set up an Apple ID account for the device.
  • Terms and conditions: Require users to accept terms and conditions for use of the device.
  • Siri: Use or not use Siri on the device.
  • FileVault: Use FileVault to encrypt the startup disk. XenMobile applies the FileVault setting only if the system has a single local user account that is signed in to iCloud.

    You can use the macOS FileVault Disk Encryption feature to protect the system volume by encrypting its contents. See the Apple support article, If you run the Setup Assistant on a late-model portable Mac on which FileVault is off, you might be prompted to turn on this feature. If the system meets the following requirements, the prompt appears on new systems and on systems upgraded to OS X 10.10 or 10.11:

    • The system has a single local administrator account
    • That account is signed in to iCloud
  • App analytics: Set up whether to share crash data and usage statistics with Apple.
  • Registration: Require users to register their device.

Registration information setup was available through OS X 10.9. The registration process enabled you to send system registration information to Apple. This information associated your contact information with the Mac hardware. Apple primarily used the information to assist Apple support. If you previously specified an Apple ID, Setup Assistant optionally submitted the registration based on your Apple ID account. If you didn't specify an Apple ID, you can manually type your contact information.

  • Under Local account setup options, specify the settings to create an administrator account, which is required for macOS. XenMobile creates the account, using the specified information.

Support for multiple Apple Device Enrollment Program accounts for iOS and macOS devices

You can now define multiple Apple Device Enrollment Program (DEP) accounts. This feature enables you to use different enrollment settings, device settings, and Setup Assistant options. You can specify those settings and options by country, department, and other structures. You then associate DEP accounts with different device policies and different apps through deployment rules.

For example, you might centralize all your DEP accounts from different countries on the same XenMobile Server. You can then import and supervise all DEP devices. By customizing enrollment settings per country or other structure, you ensure that policies provide appropriate functionality across your organization. By customizing Setup Assistant options per country or other structure, you ensure that device users receive the appropriate setup assistance.

To accommodate support for multiple DEP accounts, the following pages replace Settings > iOS Bulk Enrollment:

  • Settings > Apple Device Enrollment Program (DEP): Use this page is to:
    • Create DEP accounts.
    • Configure enrollment settings, iOS and macOS device settings, and Setup Assistant options per each account.
localized image

Settings > Apple Configurator Device Enrollment: Used to prepare iOS and macOS devices and to configure policies.

localized image

iOS Home screen layout

Use the new Home Screen Layout device policy to specify the layout of apps and folders for the iOS Home screen. This policy is supported on iOS 9.3 and later supervised devices. To add the policy, go to Configure > Device Policies.

localized image
localized image

More feature restriction options for iOS devices

The Restrictions Policy for iOS now includes these additional restriction options:

  • News: Allow users to use the News app (available in iOS 9.0 and later). Applies only to supervised devices.
  • Apple Music service: Allow users to use the Apple Music service (available in iOS 9.3 and later). If you don't allow Apple Music service, the Music app runs in classic mode. Applies only to supervised devices.
  • iTunes Radio: Allow users to use iTunes Radio (available in iOS 9.3 and later). Applies only to supervised devices.
  • Notifications modification: Allow users to change notification settings (available in iOS 9.3 and later). Applies only to supervised devices.
  • Restricted App usage: Allow users to use all apps or only the apps allowed or denied by bundle ID (available in iOS 9.3 and later). Applies only to supervised devices.
  • Diagnostic submission modification: Allow users to change the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings (available in iOS 9.3.2 and later). Applies only to supervised devices.
  • Bluetooth modification: Allow users to change Bluetooth settings (available in iOS 10.0 and later). Applies only to supervised devices.
localized image

More feature restriction options for macOS devices

The Restrictions Policy has the following added restriction options for macOS 10.12 and later. By default, XenMobile allows these features.

  • Allow Apple Music: If you don't allow Apple Music service, the Music app runs in classic mode. Applies only to supervised devices.
  • Allow iCloud Keychain Sync
  • Allow iCloud Mail
  • Allow iCloud Contacts
  • Allow iCloud Calendars
  • Allow iCloud Reminders
  • Allow iCloud Bookmarks
  • Allow iCloud Notes
localized image

Support for iOS 9.3 Managed Lost Mode

In iOS 9.3 or later, you can use Apple MDM to place a supervised device into Managed Lost Mode, a dedicated mode. You can use Managed Lost Mode to block or locate supervised devices that are lost or stolen.

XenMobile now has a Lost Mode device property. Unlike Apple Managed Lost Mode, XenMobile Lost Mode doesn't require a user to perform either of the following actions to enable locating their device: Configure the Find My iPhone/iPad setting or enable the Location Services for Citrix Secure Hub.

The XenMobile Lost Mode feature is similar to the XenMobile device lock feature. However, in XenMobile Lost Mode, only the XenMobile Server can unlock the device. By using device lock, users can unlock the device directly by using a PIN code provided by their administrator.


In iOS 7 and later, you can also use iOS Device Lock to lock lost or stolen supervised or unsupervised devices remotely. Apple recommends that you avoid using iOS Device Lock for other purposes.

To enable or disable lost mode: Go to Manage > Devices, choose a supervised iOS device, and click Secure. Then, click Enable Lost Mode or Disable Lost Mode.

localized image

Use any of the following methods to check Lost Mode status:

  • In the Security Actions window, verify if the button is Disable Lost Mode.
  • From Manage > Devices, on the General tab under Security, see the last Enable Lost Mode or Disable Lost Mode action.
localized image
  • From Manage > Devices, on the Properties tab, verify the value of the setting MDM lost mode enabled.
localized image

If you enable XenMobile Lost Mode on an iOS device, the XenMobile console also changes as follows:

  • In Configure > Actions, the Actions list doesn't include these automated actions: Revoke the device, Selectively wipe the device, and Completely wipe the device.
  • In Manage > Devices, the Security Actions list no longer includes the Revoke and Selective Wipe device actions. You can still use a security action to perform a Full Wipe action, as needed.

For iPads running iOS 7 and later: iOS appends the words "Lost iPad" to what you type in the Message box of the Security Actions dialog box. For iPhones running iOS 7 and later: If you leave the Message box empty and provide a phone number, Apple displays the message "Call owner" on the device lock screen.

SmartAccess for HDX apps

The SmartAccess feature allows you to control access to HDX apps based on device properties, user properties, or installed applications. You can control access by using automated actions to mark the device as out of compliance. To use SmartAccess, configure HDX apps in XenApp and XenDesktop with a SmartAccess policy that denies access to out-of-compliance devices. XenMobile communicates device status to StoreFront using a signed, encrypted tag. StoreFront allows or denies access based on the access control policy of the app.

Other improvements

  • More languages supported. The XenMobile console is now available in Japanese. Secure Hub is now available in Arabic and Russian.
  • WiFi device policy. The WiFi device policy now includes support for Windows 10, enabling you to use client certificate authentication for your WiFi network. To update WiFi device policies, go to Configure > Device Policies.
  • Test Connection button added to the PKI Entities page. When you add a Microsoft Certificate Services entity, you can test the connection to ensure that the server is reachable.
  • Improved stability through database optimizations.
  • Last access time changes for MAM-only devices. Previously, the device statistics for devices registered in MAM mode used the device registration time as the last access time. XenMobile now uses the most recent of the last online authentication or last activity for the last access time. The Manage > Devices page now includes the last access time.
  • Managed Domains policy now includes Safari password autofill domains. For iOS 9.3 and later supervised devices, you can now specify the URLs from which users can save passwords in Safari. To do that, go to Configure > Device Policies. Then, add or open the Managed Domains Policy, and complete the settings under Safari Password AutoFill Domain.
localized image
  • TLS 1.2 required for Secure Hub. Apple now requires App Transport Security (ATS) for all apps submitted to the Apple App Store. ATS uses the Transport Layer Security (TLS) protocol version 1.2, which is now the required server protocol for Secure Hub.
  • Console interface improvements for managing enrollment invitations. To clarify the terminology, the XenMobile console has the following improvements:
    • The page Manage > Enrollments changed to Manage > Enrollment Invitations.
    • The Enrollment Status column changed to Status. As before, that column contains enrollment invitation status, not enrollment status.
    • The terminology used when you manage an enrollment invitation now matches the terminology used when creating the invitation. We changed these labels:
      The Type column is now Platform.
      The Mode column is now Enrollment Mode.
      In the filter, the Invitations Status is now Status.
      In the filter, the Invitations Mode is now Enrollment Mode.
    • The value labels in the Mode column are now the same labels used when you create an invitation. For example, the Mode column now shows "User name" instead of "classic".
localized image
  • New server property to set the VPP license baseline minimum interval. XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. Such changes include when you manually delete an imported app from VPP. By default, XenMobile refreshes the VPP license baseline a minimum of every 720 minutes. You can now change the baseline interval through the new server property, VPP baseline interval (vpp.baseline).

If you have more than 50,000 VPP licenses installed, Citrix recommends that you increase the baseline interval to reduce the frequency and overhead of importing licenses. If you expect frequent VPP license changes from Apple, Citrix recommends that you lower the value to keep XenMobile updated with the changes. The minimum interval between two baselines is 60 minutes.

In addition, XenMobile performs a delta import every 60 minutes, to capture the changes since the last import. Setting the VPP baseline minimum interval to 60 minutes might delay the interval between baselines up to 119 minutes.

  • The Certificates tab for Manage > Devices now includes the number of days before NetScaler Gateway certificates expire.
localized image
  • The Manage > Devices page and the Properties tab for devices now include the XenMobile agent revision and version numbers.
localized image
localized image
  • The Troubleshooting and Support page has been rearranged to improve usability.
localized image
  • Log messages. Log messages generated when a user can't be found now include the possible reasons. For example: Invalid credentials, LDAP configuration, or user missing from the LDAP domain or user base DN.
  • List pagination. Lists on Manage > Devices, Manage > Enrollment Invitations, Manage > Users, Configure > Device Policies, Configure > Apps, Configure > Actions, Configure > Enrollment Profiles, and Configure > Delivery Groups are now paginated. You can choose the number of items to show on a page.
localized image
  • New REST API parameter to support remove license servers. The license REST API now has a new parameter, serverPort, to support remote license servers. For the full REST API reference, see this PDF. In addition, the documentation for the license API is updated. The documentation includes the license server and license notification response information for Save License Info. The documentation also includes other corrections.
  • Additions to the XenMobile Public API for REST Services. The REST API now sends all device properties in a device call that uses a filter. The API wraps device properties in a JSON object and includes the properties as part of the response.

The REST API now includes calls for ShareFile Enterprise, ShareFile StorageZones, and ShareFile StorageZone Connectors.

For more information, see the XenMobile Public API for REST Services PDF.

Deprecated items

Windows 8.1 tablets are no longer supported. XenMobile Server no longer supports Windows 8.1 tablets.

Device policies for Windows 8.1 tablets are removed. The Sideloading key and Signing certificate device policies are deprecated.

Known issues in version 10.5

With NetScaler, when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is fixed in NetScaler 12.0 build 41.22. For details and updates, see this Support Knowledge Center article. [#685075]

When you integrate StoreFront with XenMobile and deploy HDX apps, after you change an Active Directory password, the HDX apps disappear from the XenMobile Store. [CXM-9859]

After you upgrade to XenMobile 10.4.2, Android for Work apps don't appear on the device for a user in a nested Active Directory group. [CXM-19930]

An upgrade from XenMobile 10.3.6 to XenMobile 10.5 might change the device owner to "anonymous" for enrolled devices running Android for Work. [CXM-19933]

Users can renew certificates even if Renew certificates when they expire is OFF in your XenMobile configuration. [CXM-20923]

For Active Directory users in a group with permissions for StorageZone Connectors: If you move users out of the group, ShareFile for iOS users can still access Network shares associated with those connectors. To work around this issue, reinstall the ShareFile for iOS app. [CXM-21859]

If you move a StorageZone Connector from delivery group A to B, ShareFile for iOS users in delivery group A can continue to use the connector. [CXM-21860]

If XenMobile uses self-signed certificates, users can’t enroll iOS 10.3 devices into XenMobile. This limitation results from a change in iOS 10.3. To enroll devices running iOS 10.3 or later into XenMobile, you must use trusted SSL certificates in XenMobile. [CXM-24120]

When deploying apps, a prompt tells users to install the app if it is already installed on the device but has never been opened. As part of a fix for this issue, if an app is updated on the server, it is not updated on the user's device until they launch the app. [CXM-32193]

Upgrade Tool known issues

After you upgrade to XenMobile 10.4 from XenMobile 9, some policies for Windows devices appear in the XenMobile console, even after XenMobile deploys them. Specifically, the policies remain on the Pending tab of the Assigned Policies page of Manage > Devices. As a workaround, edit and then redeploy any policies shown as pending. That action clears the policies for Windows phones from the Pending tab. The Webclip policy for Windows tablets remains on the Pending tab although it works properly on the devices. [CXM-21769]

Fixed issues in version 10.5

XenMobile 10.5 includes the following fixed issues. Fixed issues for the Upgrade Tool appear in XenMobile Upgrade Tool in this article.

For iPhone6 devices, when users try to enroll devices using one-time password invitations that are bound to the device IMEI/MEID, the first profile installs successfully. The second MDM profile installation fails with the error message, "Profile Installation Fails. A connection to the server could not be established." On iPhone devices, the one-time password binds to the MEID number instead of the IMEI number. [#606162]

You cannot locate your Android ID by typing *#*#8255#*#* on your phone, as instructed on the Settings > Google Play Credentials page. Use a device ID app from the Google Play store to look up your device ID. [#633854]

After upgrading to XenMobile Server 10.4:

  • If you open a ShareFile tab, the page might not load and the information does not appear.
  • If you attempt to add or edit a delivery group, the following error message might appear: 500 Internal Server error. [663344, 663788, CXM-19085]

After using the MDX Toolkit to wrap an app that was developed using the Mowbly framework, the app navigation buttons no longer work. [#654962]

Accessing aggregated HDX apps in Secure Hub might fail with the error message, Failed to get application detail, please try again later. [#658058]

When Citrix Launcher is deployed to devices, apps don't appear under background tasks. [#680978]

If the web proxy JSON file for App Controller 9.0 includes an unescaped backslash character in the web proxy user name, XenMobile Server can't start. [CXM-13721]

In clustered XenMobile deployments managed by Hazelcast, a node in the cluster might intermittently fail to appear in the Hazelcast member list. [CXM-16537]

If you configure an IPsec VPN device policy, the group name and shared secret isn't saved and is missing on the device. [CXM-17002]

After an upgrade to 10.3.6, devices with multiple valid identities can't renew. If there are many renewal failures, XenMobile might crash repeatedly. [CXM-17358]

An issue might occur with an intermediate CA certificate used for client certificate authentication. The issue causes a network access error to appear on Android devices. [CXM-17401]

Issues might occur with SQL database configuration when updating XenMobile from version 10.3.5 to 10.3.6. [CXM-17565]

The on-premises version of XenMobile periodically synchronizes the license server with licenses that XenMobile checked out. The synchronization ensures that the count matches the number of devices and users. In this way, if XenMobile detects a mismatch, the issue is resolved within 24 hours. [CXM-18129]

The XenMobile console requires that you specify a password for the WiFi policy, although a password is optional. [CXM-18249]

XenMobile isn't deploying user profiles because the date format has the wrong format. [CXM-18250]

If using the XenMobile console with an Internet Explorer 11 browser, you cannot add or edit an LDAP configuration. [CXM-18324]

If you create an Exchange policy for all device types, and the policy includes a macro for the domain $user.dnsroot, the policy doesn't deploy. [CXM-18545]

If a delivery group name includes an ampersand (&), assigning a policy to that delivery group results in an error. [CXM-18768]

After configuring DEP settings for the first time in Settings > iOS Bulk Enrollment, this error appears when you click Save: Resources bag (container) with name 'Worx Home by Citrix' doesn't exist. To work around this issue, create a delivery group (Configure > Delivery Groups) after you configure the DEP settings and click OK on the error page. The delivery group must include the following:

  • The user group named Device Enrollment Program Group
  • The policy DEP Software Inventory
  • The required app Secure Hub by Citrix

This issue doesn't affect existing enrollments if DEP was configured before Citrix Secure Hub appeared in the Apple Store on October 6, 2016. [CXM-19158]

For Enrollment Invitation or Enrollment PIN templates: If the message in a template includes certain macros, the message sent to users includes the macro instead of the user information. Those macros are enrollment URL (${enrollment.url}) and enrollment PIN (${}). [CXM-19210]

Sometimes you can't upload an Enterprise app because XenMobile is unable to find the application icon although the icon is available. [CXM-19213]

In the Settings > PKI Entities > Discretionary CA page, you can view only the first page of CA certificates if there are multiple pages of certificates. [CXM-19736]

For a delivery group deployed to multiple devices: If you click a delivery group on Configure > Delivery Groups, and then click a button under Deployment, the Manage > Devices page shows an incorrect device list. [CXM-19737]

If a XenMobile App update is available in the iOS App Store or the Google Play Store: Prompts for app updates don't appear in the XenMobile Store after a user opens the app. [CXM-19927]

A XenMobile macro that includes $user.dnsroot does not resolve for domains where the parent and child domains are in a tree-root trust relationship. [CXM-20366]

If the sAMAccountName differs from the name portion of the UPN, macro resolution for the client property SEND_LDAP_ATTRIBUTES fails. For example: The sAMAccountName is samplename and the UPN is [CXM-20414]

If XenMobile is in MDM mode and you're using DEP enrollment with user credentials supplied during the DEP phase: If a user removes Secure Hub from the device within a short interval after enrollment, the server gets into an inconsistent state. A short interval might be one hour. [CXM-20924]

A device doesn't automatically go into compliance after an automated action. [CXM-21006]

For RBAC administrators in a custom RBAC role that includes some user group restrictions: If Active Directory users in user groups have some devices enrolled, the Manage > Devices page opens slowly. [CXM-21007, CXM-21009]

After upgrading to XenMobile 10.3.6, administrators with custom RBAC role access can see enrolled devices from other domains even if the RBAC configuration restricts that access. [CXM-21008]

XenMobile cluster members might not respond to some HTTP requests, which prevents users from enrolling because of the Company network not available errors. [CXM-21010]

If the iOS bulk enrollment settings have Require credentials for device enrollment enabled, any type of invitation for a DEP enrollment causes XenMobile Server errors. The errors include error messages in Secure Hub, error messages in the XenMobile console, and loss of MDM functionality for all devices. To work around this issue, delete all enrollment invitations for the affected users on the Manage > Enrollment page. Then, restart the XenMobile Server. [CXM-21500]

Automatic actions that the XenMobile Lost Mode triggers fail for iOS devices configured with a passcode. This issue applies to all available actions triggered by Lost Mode: App wipe, App lock, Mark the device as out of compliance, and Send notification. [CXM-21579]

The Devices & Apps report generated from Analyze > Reporting shows an incorrect app install count for each device. [CXM-21773]

When you add the Skype for Business public app on XenMobile Console, the icon might not appear. However, you can search and add the app on the console and the app can be installed on the device. [CXM-21774, #668341]

Some Enterprise apps for Android don't upload to a XenMobile console configured in MDM or XME mode. [CXM-22377]

Deploying resources based on dynamic device properties, such as Current mobile country code, don't work. XenMobile ignores the rules and allows the resources (such as device policies, apps, and actions) to deploy on the device. [CXM-22565]

You can't create a support bundle by using the XenMobile CLI. As a workaround, use the XenMobile console: Go to Support > Create Support Bundles and then click Create. [CXM-23091]

After an upgrade to XenMobile 10.3.6, Secure Hub no longer includes HDX apps. Logs include the entry, Unable to get the Config xml data Host name. [CXM-23177]

If you edit only the platform details for a device policy: The edits don't trigger a change to the Last updated on time on Configure > Device Policies. The last update time does change after you add or remove platforms. [CXM-23178]

If your browser language is set to French, you can't create or edit the WiFi device policy in the XenMobile console. [CXM-23180]

The Manage > Devices page shows iOS devices as inactive although the devices are active and communicating with XenMobile Server. This issue appears in logs as follows:

java.lang.IllegalStateException: Cannot load backing target entity: has been deleted. [CXM-23181]

If the server property StorageZone Connectors supported value is NOT SUPPORTED and you configure ShareFile: After you navigate to a different console page and then return to Configure > ShareFile, the ShareFile page doesn't show the configuration although the configuration is saved. To work around this issue, change the server property, ShareFile configuration type, to ENTERPRISE. [CXM-23337]

When a DEP device is deleted and then re-enrolled, the re-enrollment might fail with the error, Invalid profile. [CXM-24078]

This release contains a defense-in-depth measure for CVE-2016-5195, also known as Linux Dirty Cow.

Upgrade Tool fixed issues

If your deployment in XenMobile 9 includes a gpsstats.apk enterprise app, the upgrade to XenMobile 10.4 might fail. [CXM-17992]

After an upgrade from XenMobile 9 to XenMobile 10.4, Windows and iOS devices are in MDM mode instead of in MAM+MDM mode. In addition, the XenMobile Store does not open. As a workaround, users can reenroll a migrated device. [CXM-18532, CXM-23408]

After an upgrade from XenMobile 9 to XenMobile 10.4, XenMobile has duplicate, inactive MAM-only records from prior re-enrollments. That issue occurs even if XenMobile 9 required Device Manager enrollment. [CXM-18544]

During an upgrade from XenMobile 9.0 to XenMobile 10.4.x: The Upgrade tool doesn't update the device name in the device property table for devices that are enrolled in XME (MDM+MAM) mode. [CXM-20821]

If the App Controller database contains users in the data format username, an upgrade from XenMobile 9.0 to XenMobile 10.x fails. Instead, use the data format domain\username or username@domain. [CXM-21072]

If the case of the path to the .p12 server certificates differs for HTTP and HTTPS, an upgrade from XenMobile 9.0 to XenMobile 10.4.x fails. For example, if the HTTP path is Certificates\MDM.p12 and the HTTPS path is certificates\MDM.p12. [CXM-21581]

After an upgrade from XenMobile 9 to 10.x, XenMobile Store doesn't include apps. Also, XenMobile doesn't assign local groups to delivery groups. This issue occurs if a local user is part of a local group and the local user enrolls the device. [CXM-23375]

If Device Manager has two records for an Active Directory user and those records don't match as follows, an upgrade fails:

  • The records have different UPNs. For example, one user record has a UPN of The other record has
  • The records have case differences in the sAMAccountName. For example, one user record has a sAMAccountName of johns. The other record has JOHNS. [CXM-23382]

After an upgrade from XenMobile 9 to XenMobile 10.x: You cannot edit in the upgraded XenMobile console a configuration policy that you customized in Device Manager by using the iPhone Configuration Utility or Apple Configurator. [CXM-23942]

XenMobile Server 10.5 documentation errata

The following items are errata found in the documentation since they were last published. Errata are content issues, such as errors or missing information, that could affect your use of XenMobile Server.

The following port must be open for devices and apps to communicate with XenMobile 10.x.

  • Port: 30001
  • Description: Management API for initial staging of HTTPS service
  • Source: Internal LAN
  • Destination: XenMobile Server