What's new in XenMobile Server 10.6

Sep 29, 2017

Note

For the full set of product documentation for XenMobile Server 10.6, see the PDF.

For updates and corrections to the XenMobile Server 10.6 PDF, see XenMobile Server 10.6 documentation errata.

For information about upgrading, see Upgrade. To access the XenMobile management console, use only the XenMobile Server fully qualified domain name or the IP addresses of the node.

XenMobile Server 10.6 includes the following new features and fixed issues.

Important

Touchdown by Symantec reached End of Life on July 3, 2017, with End of Standard Support, End of Extended Support, and End of Support Life on July 2, 2018. For more information, see the Symantec support article, Touchdown End-of-Life, End-of-Availability, and End-of-Support announcement.

Improved deployment of required apps

XenMobile now consistently and promptly installs required apps on managed iOS and Android devices. This improvement resolves deployment issues that occurred primarily for XenMobile configured in enterprise (XME) mode. Users receive updates more promptly in situations such as:

  • You upload a new app and mark it as required.
  • You mark an existing app as required.
  • A user deletes a required app.
  • A Secure Hub update is available.

Requirements

  • XenMobile Server 10.6
  • Secure Hub (minimum versions: 10.5.15 for iOS; 10.5.20 for Android)
  • MDX Toolkit 10.6
  • Custom server property, force.server.push.required.apps.

The forced deployment of required apps is disabled by default. To enable the feature, create a Custom Key server property. Set the Key and Display name to force.server.push.required.apps and set the Value to true.

  • After you upgrade XenMobile Server and Secure Hub: Users with enrolled devices must sign off and then sign on to Secure Hub, one time, to obtain the required app deployment updates.

Examples

The following examples show the sequence of adding the Secure Tasks app to a delivery group and then deploying the delivery group.

After the sample app, Secure Tasks, deploys to the user device, Secure Hub prompts the user to install the app.

Important

MDX-enabled required apps, including enterprise apps and public app store apps, upgrade immediately, even if you configure an MDX policy for an app update grace period and the user chooses to upgrade the app later. 

The following tables describe the administrator and user workflow for required apps. The tables describe the behavior in XenMobile Server versions earlier than version 10.6 as compared to the behavior in version 10.6.

The first table describes the workflow on iOS devices. The second table describes the workflow on Android devices. 

iOS required app workflow

Enterprise apps Public app store apps

Earlier versions

As of XenMobile Server 10.6

Earlier versions

As of XenMobile Server 10.6

Deploy XenMobile App during initial enrollment. Required app is installed on device.

Same.

Deploy XenMobile App during initial enrollment. Required app is installed on device.

Same.

Update the app on the XenMobile console.

Same.

Update the app on the XenMobile console.

Same.

Open the Secure Hub Store on the device. The update icon appears in the store.

Click deploy in the XenMobile console to deploy required apps.

Open the Secure Hub Store on the device. The update icon appears in the store

Click deploy in the XenMobile console to deploy required apps.

The app on the springboard is updated.

The app on the springboard is updated.

The app on the springboard is updated. The upgrade starts automatically. Users are not prompted to update.

The app on the springboard is updated. The upgrade starts automatically. Users are not prompted to update.

Users open the app from the springboard. The app prompts users to upgrade in 7 days.

Users open the app from the springboard. Users are prompted to upgrade in 7 days. Actually, the app is upgraded even when users click Later.

Open the app on the device. The app is upgraded. Users are not prompted after a grace period.

Same.

Users click Later, the upgrade is not started.

Users click Update now, the upgrade starts.

The app is upgraded.

Users click Later, the upgrade is not started.

Users click Update now, the upgrade starts.

The app is upgraded.

Android required app workflow

Enterprise apps Public app store apps

Earlier versions

As of XenMobile Server 10.6

Earlier versions

As of XenMobile Server 10.6

Deploy XenMobile App during initial enrollment. Required app is installed on device.

Same.

Same.

Same.

Update the app on the XenMobile console

Click deploy in the XenMobile console to deploy required apps.

Update the app on the XenMobile console

Update the app on the XenMobile console

Open the Secure Hub Store on the device. The update icon appears in the store.

The app is upgraded. (Nexus devices prompt for install updates, but Samsung devices do a silent install.)

Open the Secure Hub Store on the device. The update icon appears in the store.

Click Deploy or enter the Secure Hub Store on the device. The update icon appears in the store.

No prompt or update appears on the device springboard.

Users open the app from the springboard. Users are prompted to upgrade in 7 days. In actuality, the app is upgraded even when users click Later.

Users must manually click the update icon in the Secure Hub Store to upgrade. (Nexus prompts users to install updates.)

App upgrade starts automatically. (Nexus devices prompt users to install the update.)

Users open the app from the springboard. The app prompts users to upgrade in 7 days. 

App is upgraded.

Open the app on the springboard. The app is upgraded. Users are not prompted for a grace period. 

Open the app on the springboard. The app is upgraded. Users are not prompted for a grace period. 

Users click Later, the upgrade does not start.

Users click Update now, the upgrade starts.

(Users are not prompted to install on Samsung devices, but Nexus prompts for an update.)

The app is upgraded. (Samsung devices do a silent install.)

Users click Later, the upgrade does not start.

Users click Update now. The upgrade starts.

 The app is upgraded. (Samsung devices do a silent install.)

Configure an on-premises NetScaler Gateway for use with XenMobile Server

Starting with XenMobile 10.6, you configure NetScaler Gateway for use with XenMobile Server by exporting a script from XenMobile that you run on NetScaler Gateway. The script configures these NetScaler Gateway settings required by XenMobile:

  • NetScaler Gateway virtual servers needed for MDM and MAM
  • Session policies for the NetScaler Gateway virtual servers
  • XenMobile Server details
  • Authentication Policies and Actions for the NSG virtual server.
    The script describes the LDAP configuration settings.
  • Traffic actions and policies for the proxy server
  • Clientless access profile
  • Static local DNS record on NetScaler
  • Other bindings: Service policy, CA certificate

The script doesn't handle the following configuration:

  • Exchange load balancing
  • ShareFile load balancing
  • ICA Proxy configuration
  • SSL Offload

If a NetScaler Gateway instance exists, the Settings > NetScaler Gateway page now has an Export Configuration Script button.

The Add New NetScaler Gateway page also includes a link to export the configuration script.

For more information, see NetScaler Gateway and XenMobile.

Derived credentials for iOS device enrollment

Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access Card (CAC).

The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.

XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn't support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile Server to enroll Android devices through enrollment invitations and other enrollment modes.

Configure derived credentials by using the Settings > Derived Credentials for iOS page. By default, the XenMobile console doesn't include Settings > Derived Credentials. To enable the interface for derived credentials, go to Settings > Server Properties, add the server property derived.credentials.enable, and set it to true.

For more information, see Derived credentials for iOS. For information about the REST API for derived credentials, see the XenMobile REST API Reference PDF.

Select multiple device platforms for enrollment invitations

You can now select any combination of iOS, macOS, and Android device platforms for an enrollment invitation. The Manage > Enrollment Invitations page includes a Select a platform setting. The platforms selected determine the Enrollment mode options shown and whether some settings, such as Device info, appear.

If Recipient is Group, all platforms are selected by default.

If Recipient is User, no platforms are selected by default.

Only the Enrollment mode options that are valid for each of the selected platforms appear. For example, if all platforms are selected, the valid enrollment modes for that combination are User name + Password, Two Factor, and User name + PIN.

More enrollment options for macOS devices

In addition to enrolling macOS users by sending an enrollment link, you can now enroll macOS users by sending an enrollment invitation. Both methods enable macOS users to enroll over the air, directly from their devices.

An enrollment invitation can use any of the following enrollment modes for macOS devices:

  • User name + PIN

  • User name + password

  • Two Factor

When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

To send macOS device users an enrollment invitation:

Add an invitation for macOS user enrollment. For more information, see Send users an enrollment invitation.

After users receive the invitation and click the link, the following screen appears in the Safari browser. XenMobile fills in the user name. If you chose Two Factor for the enrollment mode, an extra field appears.

Users install certificates as necessary. If you configured a publicly trusted SSL certificate and a publicly trusted digital signing certificate for macOS, XenMobile doesn't prompt users to install a certificate. For more information about certificates, see Certificates and Authentication.

Users provide the requested credentials.

You can now start managing Macs with XenMobile just as you manage mobile devices.

To prevent enrollment with an installation link on macOS devices:

You can prevent the use of an enrollment link for macOS devices by setting the new server property, Enable macOS OTAE (macos.otae.enable), to false. As a result, macOS users can enroll only by using an enrollment invitation.

Windows Information Protection device policy

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), is a Windows 10 technology that protects against the potential leakage of enterprise data. Data leakage can occur through sharing of enterprise data to non-enterprise protected apps, between apps, or outside of the network of your organization. For more information, see Protect your enterprise data using Windows Information Protection (WIP) on Microsoft TechNet.

You can create a device policy in XenMobile to specify the apps that require Windows Information Protection at the enforcement level you set. The policy, Windows Information Protection, is for Windows 10 version 1607 and later supervised Phone, Tablet, and Desktop.

You specify an enforcement level that affects the user experience. For example, you can:

  • Block any inappropriate data sharing.

  • Warn about inappropriate data sharing and allow users to override the policy.

  • Run WIP silently while logging and permitting inappropriate data sharing.

To create the policy, go to Configure > Device Policies and add the Windows Information Protection policy.

Citrix VPN connection type for Android devices

The VPN device policy for Android now supports configuring Citrix VPN. Citrix VPN is a mobile application that connects to NetScaler Gateway in full VPN mode, as opposed to a clientless VPN or ICA proxy mode. This feature requires Secure Hub 10.6.

On the Configure > Device Policies page for Android, the Connection type menu now includes Citrix VPN.

Settings for the Citrix VPN connection type:

  • Server name or IP address: Type the FQDN or IP address of the NetScaler Gateway.

  • User name and Password: Type your VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don't provide the VPN credentials, the Citrix VPN app prompts for a user name and password.

  • Identity credential: Appears for the Authentication types of Certificate or Password and Certificate.

  • Enable per-app VPN: Select whether to enable per-app VPN. If you don't enable per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings. The default is OFF.

    • Whitelist or Blacklist: Choose a setting. If Whitelist, all apps in the whitelist tunnel through this VPN. If Blacklist, all apps except any on the blacklist tunnel through this VPN.

    • Application List: Specify the whitelisted or blacklisted apps. Click Add and then type a comma-separated list of app package names.

  • Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:

    • disableL3Mode: Optional. To enable this parameter, type Yes for the Value. If enabled, no user-added VPN connections are displayed and the user cannot add another connection. The restriction is global and applies to all VPN profiles.

    • userAgent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified user agent string is appended to the existing Citrix VPN user agent.

For more information, see VPN device policy.

XenMobile integration with Azure Active Directory as IDP

Configuring Azure Active Directory (AD) as your identity provider (IDP) lets users enroll in XenMobile using their Azure credentials.

iOS, Android, and Windows 10 devices are supported. iOS and Android devices enroll through Secure Hub.

You configure Azure as your IDP under Settings > Authentication > IDP. The IDP page is new to this version of XenMobile. In previous versions of XenMobile, you configured Azure under Settings > Microsoft Azure.

Deploy device policies, apps, and smart actions based on app ID

You can now configure XenMobile to deploy device policies, apps, and smart actions based on app ID. To do that, you use a new deployment rule, Installed app name.

You can use this new feature to migrate from enterprise app store distribution to public app store distribution:

  • Use the Installed app name rule with the App Uninstall device policy. Doing so triggers XenMobile to remove enterprise apps from user devices after the public app store version installs.
  • This feature is available only for managed iOS devices connected to a XenMobile Server in enterprise mode (XME).

Note

Citrix requires that you use public app store versions of Citrix apps, instead of Enterprise versions, by the end of 2017.

To configure the App Uninstall device policy for an Enterprise app:

In Configure > Device Policies, click Add, and then click App Uninstall.

Name the policy and then remove the check boxes for all but the iOS platform.

On the iOS page, choose the app bundle ID for the old Enterprise app and then expand Deployment Rules.

Add a rule: Click New Rule and then, as shown in the sample, choose Installed app name and is equal to. Type the app bundle ID for the public app store app.

Complete the Assignment page and then click Save.

In the example, after the public app store app (com.citrix.mail.ios) installs on a device in the delivery groups specified, XenMobile removes the Enterprise version (com.citrix.mail).

Reporting improvements

The XenMobile Analyze > Reporting page has an improved design and more features for all pre-defined reports:

  • Sorting and searching using device-based filters.
  • Filtering reports by date.
  • Exporting reports in PDF format.
  • Interactive charts that represent report data visually.
  • The Top 25 Apps report is now called Total Apps Deployment Attempts. This report now lists all deployed apps and the percentage of users that have attempted to install them on their devices.

For more information, see Reports.

Locate Windows 10 devices

XenMobile console administrators and Self Help Portal users can now locate Windows 10 phones, desktops, and tablets. The locate feature is already available for iOS and Android devices. When you issue a locate command, the XenMobile Server communicates directly with the device.

From the XenMobile console, send the Locate action to a device as follows.

On Manage > Devices, select the device, and then click Secure.

In Security Actions, click Locate.

The Device details page provides a status of the location request and shows a map if the device is located.

More device status properties for Windows 10 Phone and Tablet

The Manage > Devices page includes more device properties for Windows. The following properties, provided by the Windows 10 DeviceStatus configuration service provider (CSP), are available.

  • Antispyware Signature Status
  • Antispyware Status
  • Antivirus Signature Status
  • Antivirus Status
  • Battery Charging
  • Battery Remaining
  • Encryption Compliance
  • Firewall Status
  • IPV4 Address
  • IPV6 Address
  • MAC Address Network Connection
  • MAC Address Type
  • Operating System Edition
  • Primary SIM Carrier Operator
  • Primary SIM ICCID
  • Primary SIM Roaming compliance
  • Secure Boot status
  • TPM Version
  • User Account Control Status

For information about those properties, see the Microsoft article DeviceStatus CSP. The following sample shows a few of the added properties.

Device policy to control OS updates on iOS devices

You can now configure XenMobile to send the latest OS updates to supervised iOS devices. You choose whether to deploy OS updates to devices so that users can install the updates manually, or to force installation on devices. To configure the new device policy, go to Configure > Device Policies and add Control OS Update.

Configure the options:

  • OS update options: Both of the options download the latest OS updates to supervised devices according to the OS update frequency. The device prompts users to install updates. The prompt is visible after the user unlocks the device.

  • OS update frequency (1–365 days): Determines how frequently XenMobile checks and updates the device OS. The default is 7 days.

More WiFi policy options for iOS 10+

  • Disable Captive Network Detection: If ON, users can't join networks that require agreements or other information before network access. Default is OFF.

  • Fast Lane QoS Marking: Quality of Service (QoS) marking enables you to prioritize network bandwidth for specific business apps. Choose to restrict or not restrict Cisco Fast Lane QoS marking. If you don't restrict QoS marking for a WiFi network that supports Cisco Fast Lane QoS, all apps are whitelisted to use L2 and L3 marking. If you restrict QoS marking, specify the apps that can use L2 and L3 marking. Default is Do not restrict QoS marking.

If Fast Lane QoS Marking is Restrict QoS marking, the following options appear:

  • Enable QoS Marking: Optional. If OFF, QoS marking is disabled. Default is ON.

  • Whitelist Apple audio/video calling: Optional. If OFF, Apple audio and video calling aren't whitelisted, which means the traffic isn't prioritized. Default is ON.

  • Whitelist specific apps: Specify the apps to use L2 and L3 marking.

For more information about WiFi policies for iOS, see Apple Configurator 2 Help.

More per-app VPN policy options for iOS

The VPN policy includes these new options, which are used when the VPN client on a device supports multiple VPN providers:

  • Provider bundle identifier: If the app specified in Custom SSL identifier has multiple VPN providers of the same type (App proxy or Packet tunnel), then specify this bundle identifier.
  • Provider type: A provider type indicates whether the provider is a VPN service or proxy service. For VPN service, choose Packet tunnel. For proxy service, choose App proxy. This option is visible when Enable per-app VPN is ON.

Per-app VPN options are available for these connection types: Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix VPN, and Custom SSL.

To configure a per-app VPN:

1. In Configure > Device Policies, create a VPN policy.

2. In Configure > Device Policies, create an App Attributes policy to associate an app to the per-app VPN policy. For Per-app VPN identifier, choose the name of the VPN policy created in Step 1. For Managed app bundle ID, choose from the app list or enter the app bundle ID. (If you deploy an iOS App Inventory policy, the apps list contains apps.)

More feature restriction options for macOS devices

The Restrictions device policy has the following extra restriction options for macOS. By default, XenMobile allows all these features.

For macOS 10.12.4 and later:

  • Allow Touch ID To Unlock Mac
  • Allow iCloud Desktop and Documents

For macOS 10.12 and later:

  • Allow iCloud Photos
    If you change this setting to Off, any photos not fully downloaded from the iCloud Photo Library are removed from local device storage.
  • Allow Auto Unlock
    For information about this option and Apple Watch, see https://support.apple.com/en-ie/HT206995.

More IKEv2 parameters for the VPN device policy

iOS 10.0

The IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration connection types have more parameters for iOS 10.0.

DNS server IP addresses: Optional. A list of DNS server IP addresses. These IP addresses can include a mixture of IPv4 and IPv6 addresses.

Domain name: Optional. The primary domain of the tunnel.

Search domains: Optional. A list of domains used to qualify single-label host names fully.

Append supplemental match domains to resolver's list: Optional. Determines whether to append the domains in Supplemental match domains to the Search domains for the resolver. 0 means append; 1 means don't append. Default is 0.

Supplemental match domains: Optional. A list of domains used to determine which DNS queries are to use the DNS resolver settings contained in the DNS server addresses. This key creates a split DNS configuration where only hosts in certain domains get resolved by using the DNS resolver of the tunnel. Hosts not in one of the domains in this list get resolved by using the default resolver of the system.

If you save an empty string for this parameter, XenMobile uses that string as the default domain. This solution is how a split-tunnel configuration can direct all DNS queries first to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the default route of the network, the listed DNS servers become the default resolver. In that case, the supplemental match domains list is ignored.
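A simplified model of the split-DNS resolver selection described above, added here as an example; it is not Citrix or Apple code. The function names, the whole-label suffix matching, and the sample domains (under the reserved .example TLD) are assumptions of the model.

```python
"""Simplified model of split-DNS resolver selection for an IKEv2 VPN profile.

Added example. Names and matching details are assumptions, not vendor code.
"""

TUNNEL = "tunnel"  # servers listed in "DNS server IP addresses"
SYSTEM = "system"  # the default resolver of the system


def _normalize(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()


def matches_domain(hostname, domain):
    """True if hostname equals domain or is a subdomain of it.

    Matching on whole labels is an assumption of this model: it keeps
    "notcorp.example" from matching the entry "corp.example".
    """
    host, dom = _normalize(hostname), _normalize(domain)
    if dom == "":
        # An empty string is treated as the default domain: every name matches.
        return True
    return host == dom or host.endswith("." + dom)


def select_resolver(hostname, supplemental_match_domains,
                    tunnel_is_default_route=False):
    """Return TUNNEL or SYSTEM for one DNS query."""
    if tunnel_is_default_route:
        # The tunnel's DNS servers are the default resolver and the
        # supplemental match domains list is ignored.
        return TUNNEL
    for domain in supplemental_match_domains:
        if matches_domain(hostname, domain):
            return TUNNEL
    return SYSTEM


def effective_search_domains(search_domains, supplemental_match_domains,
                             append_flag=0):
    """Search list used to qualify single-label host names.

    append_flag follows the policy setting: 0 means append the supplemental
    match domains to the search domains, 1 means don't append (default 0).
    """
    result = [_normalize(d) for d in search_domains]
    if append_flag == 0:
        for domain in supplemental_match_domains:
            dom = _normalize(domain)
            if dom and dom not in result:
                result.append(dom)
    return result


def leaked_queries(hostnames, supplemental_match_domains, internal_suffixes,
                   tunnel_is_default_route=False):
    """Internal names that would be sent to the system resolver.

    internal_suffixes is the list of domains the organisation treats as
    internal (a hypothetical audit input, not a policy setting).
    """
    leaked = []
    for host in hostnames:
        is_internal = any(s and matches_domain(host, s)
                          for s in internal_suffixes)
        resolver = select_resolver(host, supplemental_match_domains,
                                   tunnel_is_default_route)
        if is_internal and resolver == SYSTEM:
            leaked.append(host)
    return leaked


if __name__ == "__main__":
    # Constructed sample policy and query list.
    match_domains = ["corp.example", "intra.example.net"]
    queries = ["wiki.corp.example", "build.lab.example", "www.example.org"]
    for q in queries:
        print(q, "->", select_resolver(q, match_domains))
    print("leaked:", leaked_queries(queries, match_domains,
                                    ["corp.example", "lab.example"]))
```

Running the audit helper against the domains your organisation treats as internal shows which of them are missing from Supplemental match domains and would therefore be resolved outside the tunnel.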

iOS 9.0

The IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration connection types have more parameters for iOS 9.0.

These parameters apply to all three IKEv2 connection types:

  • Disable Mobility and Multihoming
  • Use IPv4/IPv6 internal subnet attributes
  • Disable redirects
  • Enable Perfect Forward Secrecy

The two AlwaysOn IKEv2 connection types also include:

  • Enable NAT keepalive while the device is asleep

Keepalive packets maintain NAT mappings for IKEv2 connections. The chip sends these packets at regular intervals when the device is awake. If this setting is on, the chip sends keepalive packets even while the device is asleep.

The default interval is 20 seconds over WiFi and 110 seconds over cellular. You can change the interval by using the NAT keepalive interval parameter.

  • NAT keepalive interval (seconds)

Defaults to 20 seconds.

Support for Zebra rugged Android-based mobile devices

XenMobile now supports users with Zebra Android devices.

Important: Zebra devices must install Secure Hub 10.5.10 to enroll in XenMobile.

In the XenMobile console, when you manage a Zebra device, several properties appear in Manage > Devices, in the Device details, Properties list.

  • Zebra API: Indicates that the device contains the Zebra API.
  • Zebra MXMF version: Indicates the MX Management Framework (MXMF) available for exposing APIs and configuring and managing Zebra Android-based devices.
  • Zebra patch version: Indicates the patch version currently installed on the device.

For more details about Zebra devices, see the Zebra Technologies documentation.

The Custom XML MDM policy is also available for the Zebra platform.

Other improvements

  • Exchange policy now available for Windows 10 for Tablet. To add the policy, go to Configure > Device Policies. The settings are the same as for Windows 10 Phone. For setting details, see Microsoft Exchange ActiveSync device policy.
  • Active Directory user names now stored using lowercase letters. As of this release, XenMobile stores all Active Directory user names using lowercase letters. This change applies to Active Directory users in the XenMobile database when it's upgraded and to new Active Directory users. This change doesn't apply to local user names.

  • Page loading, filtering, sorting, and searching device queries are now three times faster. This optimization is a result of decoupling device count and query optimization while querying for a list of devices based on given criteria. XenMobile Server can now fetch device counts dynamically.

  • The VPN policy for iOS devices now has per-app VPN options for the IPSec connection type. iOS 9.0 and later devices support per-app VPN for IPSec connections. Netskope and other Cloud Access Security Brokers (CASBs) might recommend per-app VPN connections for IPSec.

The per-app VPN options are Enable per-app VPN, On-demand match app enabled, and Safari domains.

  • iOS Volume Purchase Program license revocation by user groups or in bulk. You can now also disassociate Volume Purchase Program licenses for user groups or for all assignments to free licenses in bulk.
  • Delete multiple Active Directory users at a time. The menu bar that appears when you select one or more Active Directory users now includes the Delete command. Previously, the Delete command appeared only in the right-click menu for a single user.

If a user that you delete has enrolled devices and you want to re-enroll those devices, delete the devices before re-enrolling them. To delete a device, go to Manage > Devices, select the device, and then click Delete.

  • Control whether the Common SAFE passcode field is editable. To prevent inadvertent changes to the Common SAFE passcode, the Kiosk policy has a new setting, Change Common SAFE passcode. By default, the new setting is OFF. To change the passcode, set Change Common SAFE passcode to ON and then type a value for the passcode.
  • Filter the device policy list when adding a policy. On the Configure > Device Policies page, when you click Add, the following page now appears. You can search for a policy by name, as before. You can also filter the list, to view the device policies for selected platforms.

The Add a New Policy page initially shows a list of device policies and platform filters.

Click one or more platforms to view a list of the device policies for the selected platforms. Click a policy name to continue with adding the policy.

  • Apple Mail Drop support added to the Mail device policy. You can now allow use of Apple Mail Drop for devices running iOS 9.2 and later. Mail Drop lets users upload files that are too large to send as an email attachment. Users can upload files up to 5 GB and then use the Mail app on their iOS device to send a link or preview to recipients.
  • Device details logged for a wipe or lock of MAM-only devices. When a MAM-only device gets wiped or locked, XenMobile logs now include the device ID and user name.
  • Support for Windows 10 RS2. We certified XenMobile 10.5.3 and 10.5.2 with Windows 10 RS2 Phone and Tablet. XenMobile 10.5.1, 10.5.0, 10.4, and 10.3.x are compatible with Windows 10 RS2 Phone and Tablet.
  • Full wipe of Windows Desktop and Tablet devices. You can now perform a full wipe to erase all personal and corporate data and apps from a Windows Desktop or Tablet device. From Manage > Devices, select a Windows Desktop/Tablet device, click Secure, and then click Full Wipe. On a desktop device, the remote wipe triggers the Windows Reset this PC command with the Remove everything option.

After you click Full Wipe, the Device Actions list includes Cancel Wipe. You can cancel a wipe before XenMobile deploys the wipe request.

Users can also wipe their Windows Desktop or Tablet device in the Self Help Portal.

XenMobile logs include wipe and cancel wipe events.

  • The Duration until removal option for all iOS device policies has changed from days to hours. This latest version of XenMobile converts existing values to hours.
  • Improved performance of device queries and device filter expansion. XenMobile now handles queries for device filter counts separately from device queries. When you expand a filter on the Manage > Devices page, spinners appear in place of filter counts until the counts are available.
  • The Troubleshooting and Support page now includes a link to the XenMobile Analyzer.
  • New XenMobile CLI option to specify SSL protocols. You can now use the CLI to specify which SSL protocols XenMobile uses. The protocols allowed are:
    • TLSv1.2
    • TLSv1.1
    • TLSv1

By default, XenMobile enables each of those SSL protocols. When you change the SSL protocol setting, you must restart XenMobile Server.

To enable or disable protocols:

Open the XenMobile CLI, choose [2] System, and choose [12] Advanced Settings.

Choose [3] SSL protocols.

After the prompt New SSL protocols to enable, type the protocols you want to enable. XenMobile disables any protocols that you don't include in your response. For example: To disable TLSv1, type TLSv1.2,TLSv1.1 and then type y to restart XenMobile Server.

Fixed issues

XenMobile 10.6 includes the following fixed issues. Fixed issues for the Upgrade Tool appear in "XenMobile Upgrade Tool," later in this article.

For fixed issues related to XenMobile Apps, see Fixed issues.

When users enroll in XenMobile through an Azure Active Directory account, even after you wipe or revoke the device, they can enroll again without authorization. This issue is a third-party issue. [#628865, CXM-23203]

After upgrading to XenMobile Server 10.4:

  • If you click the ShareFile tab, the page might not load and the information doesn't appear.

  • If you attempt to add or edit a delivery group, the following error message might appear: 500 Internal Server error. [#663344, #663788, CXM-19085]

If a table of users or enrollment invitations has multiple pages and you edit an item on the second or following page: After you save the change, XenMobile shows the first page of the table and discards the updates. [CXM-20209]

If you move a StorageZone Connector from delivery group A to delivery group B: ShareFile for iOS users in delivery group A can continue to use the connector. [CXM-21860]

When you integrate StoreFront with XenMobile and deploy HDX apps: After you change an Active Directory password, the HDX apps disappear from the XenMobile Store. [CXM-9859, CXM-22821]

If a table of users or enrollment invitations spans multiple pages and you edit an item on the second or following page: After you save the change, XenMobile shows the first page of the table and discards the updates. [CXM-20209]

If you move Active Directory users out of a group with permissions for StorageZone Connectors, ShareFile for iOS users can still access associated Network shares. To work around this issue, reinstall the ShareFile for iOS app. [CXM-21859]

You can't create a support bundle by using the XenMobile CLI. As a workaround, use the XenMobile console: Go to Support > Create Support Bundles and then click Create. [CXM-23091]

For a multi-page table of devices in the XenMobile console: After you save an edit to an item on the second or following page, XenMobile shows the first page of the table and discards the updates. [CXM-23143]

App downloads for MAM deployments to iOS and Android devices might fail. [CXM-23280]

If the server property StorageZone Connectors supported value is NOT SUPPORTED and you configure ShareFile in the XenMobile console: After you navigate to a different page and then return to Configure > Sharefile, the Sharefile page doesn't show the configuration although the configuration is saved. To work around this issue, change the server property, Sharefile configuration type, to ENTERPRISE. [CXM-23337]

When you configure a Windows Information Protection device policy and you enable the setting Revoke WIP certificate on unenroll: After you selectively wipe a Windows 10 tablet account, users are able to access a secure file. In addition, the file is not encrypted as expected. This condition is an issue with Windows 10 RS1 tablet. [CXM-23362]

For devices connecting to a cluster node: When you deploy policies and apps from a different cluster node, cluster issues occur. [CXM-23737]

When users whose sAMAccountName is different from the UPN prefix in Active Directory try to enroll their devices by using the invitation URL: XenMobile attempts to resolve the sAMAccountName@domainname as UPN and enrollment fails. As a workaround, in the XenMobile console, create invitations by user instead of by group. [CXM-24223]

When XenMobile queries Active Directory for a user group and receives an empty response with no errors: XenMobile interprets the response to mean that the group is deleted from Active Directory. XenMobile then deletes the user group from its database, causing users to lose access. [CXM-24228]

The Syslog server does not show the app name for app downloads. [CXM-24620]

If you create an RBAC role name that includes an ampersand (&), the symbol is encoded and you cannot edit the name. [CXM-24621]

For a XenMobile Webclip device policy: If the name and URL include HTML special characters, such as ampersand (&), XenMobile encodes the characters. As a result, the URL breaks when you deploy the policy to managed devices. [CXM-24622]

When adding a public Google Play Store app in the XenMobile console: The app search function doesn't pass through the proxy as expected and search fails to return the correct apps. [CXM-24894]

On the Manage > Devices page of the XenMobile console: Sorting by the Inactivity Days and Last Access columns in the table results in an error. [CXM-24895]

For Windows 10 devices enrolled through Azure Active Directory during initial setup of the device: You cannot perform a selective wipe on the device from the XenMobile console. This issue is a Microsoft limitation. [CXM-24899]

Issues might occur when uploading some VPP tokens to a new installation of XenMobile 10 or when migrating some VPP tokens from XenMobile 9 to 10.5. [CXM-25268]

If you include an ampersand (&) in a device policy or RBAC role name, XenMobile saves the name with &amp; instead of &. For example, policya&b is named policya&amp;b. [CXM-25630]

After you assign devices to a different DEP account, XenMobile removes those devices from its database. [CXM-25692]

In the Configure > Device Policies page for the VPN device policy, the following settings are optional, although the console page indicates that they are required (*): DNS server IP addresses, Search domains, Supplemental match domains. [CXM-25767]

If you add a VPP token to XenMobile, consume a VPP license with device association, delete the token, and then add the same token: In the VPP ID Assignment table on the Configure > Apps settings page, the Associated Device column might include Hidden instead of the device serial number. [CXM-25907]

All device properties for an enrolled macOS device get populated in XenMobile only if the following occurs: A delivery group is associated with the enrolled device and has a deployed resource, such as a policy. [CXM-25917]

After you click Add on the Configure > Device Policies page, XenMobile doesn't filter the policy list and search results by the selected platforms. Only the first five search results appear. [CXM-26354]

The General properties in the VMware console incorrectly show the Guest OS as a 32-bit OS, instead of 64-bit. This issue resolves when you install the updated VMware (.ova) file. [CXM-28048]

When users delete an app from the XenMobile console, the app remains in the database. As a result, the console doesn't sync with the database. [CXM-29613]

When filtering a report by date on the Analyze > Reporting page, the Calendar under the last access doesn't open after you click the calendar icon. As a workaround, click the Value field to open the date chooser. [CXM-29748]

In the XenMobile console, when you edit a delivery group role, the delivery group name and Next button intermittently do not appear. [CXM-30010]

After you aggregate and deploy XenApp and XenDesktop resources to Secure Hub, with the associated configuration on the XenMobile console: The HDX app icons don't appear in the store and an error message appears when users launch the apps. The message is: XenApp - Failed to get application detail. Please try again later. [CXM-30737]

When you configure and save an automated action in the XenMobile 10.5 console, the Base or Advanced Deployment Rules are not saved. The issue occurs on all platforms. [CXM-30742]

In some XenMobile Server environments in a clustered configuration, memory allocation issues occur on all nodes. When this issue occurs, the servers become unresponsive. [CXM-31283]

Exporting a CSV file for the VPP apps license usage Dashboard widget results in high CPU utilization on the database server. [CXM-31917]

Occasionally, a memory spike and out-of-memory error occur on a XenMobile Server instance. When this issue occurs, the XenMobile Server becomes unresponsive. [CXM-31959]

In the Settings > Apple Configurator Device Enrollment page, after you change a setting and then click Save, an Internal Server Error message appears. XenMobile saves the changes. [CXM-32446]

On the XenMobile Settings > Google Play Credentials page: After you type the settings and click Save, the message "Email or password incorrect" appears intermittently. This error is due to an update from Google. [CXM-32847]

XenMobile Upgrade Tool

After you upgrade to XenMobile 10.4 from XenMobile 9, Windows devices are in MDM mode instead of in MAM+MDM mode. In addition, the XenMobile Store does not open. As a workaround, users can reenroll a migrated device. [CXM-18532]

Issues might occur when uploading some VPP tokens to a new installation of XenMobile 10 or when migrating some VPP tokens from XenMobile 9 to 10.5. [CXM-25268]

After an upgrade from XenMobile 9 to 10.x, a certificate might not renew because of an issue with the certificate renewal period conversion. [CXM-25637]

If you use PostgreSQL with XenMobile 9: Upgrading from XenMobile 9 to 10.x might fail intermittently because the PostgreSQL JDBC driver ignored the fetch size. [CXM-25638]

Known issues

XenMobile 10.6 includes the following known issues. Fixed issues for the Upgrade Tool appear under the heading "XenMobile Upgrade Tool" in this article.

For known issues related to XenMobile Apps, see Known issues.

Some Enterprise apps for Android don't upload to a XenMobile console configured in MDM or Enterprise (XME) mode. [CXM-22377]

When you configure a Windows Information Protection device policy and you enable the setting Revoke WIP certificate on unenroll: After you selectively wipe a Windows 10 tablet account, users are able to access a secure file. In addition, the file is not encrypted as expected. This issue is a Microsoft issue with Windows 10 RS1 tablet. [CXM-23362]

For Windows 10 devices enrolled through Azure Active Directory during initial setup of the device: You cannot revoke the device from the XenMobile console. This issue is a Microsoft limitation. [CXM-24897]

After you update the obfuscated APK file for some Android apps in the XenMobile console: The older version appears in the details and the updated version doesn't deploy to devices. [CXM-25629]

For Windows 10 RS2 Phone: When you issue a Ring device action from Manage > Devices, the ring command fails and doesn't deploy to the device. This is a third-party issue. [CXM-25888]

For Windows 10 RS2 Phone and Tablet: During re-enrollment, a user isn't prompted for the Server URL. To work around this issue, restart the device. Or, on the email address screen, tap the X across from Connecting to a service to go to the Server URL page. This is a third-party issue. [CXM-25900]

When XenMobile is in MAM-only mode, enrollment fails after the following steps: [CXM-26481]

1. A user enrolls an iOS device through a one-time PIN invitation.

2. The user removes their account from Secure Hub.

3. The user re-enrolls through a different type of one-time PIN invitation. For example, the first enrollment mode is High Security and the second enrollment mode is Invitation URL + PIN. Enrollment occurs within the NetScaler Enable Session Reuse timeout value, which defaults to two minutes.

When derived credentials are enabled on XenMobile Server, the Self Help Portal allows you to create enrollment invitations for iOS. [CXM-29679]

For Windows 10 RS2 Phone: After a Custom XML policy or Restrictions policy that disables Internet Explorer deploys to the phone, the browser remains enabled. To work around this issue, restart the phone. This is a third-party issue. [CXM-30053]

On Windows 10 phones, if you deploy a Windows Information Protection device policy that has OneDrive configured as an allowed app, the following issue occurs. If you selectively wipe the device, OneDrive crashes when users open it. As a workaround, configure OneDrive as an exempt app in the Windows Information Protection device policy. [CXM-30618]

After XenMobile uses derived credentials for iOS device enrollment: If you later update Settings > Derived Credentials with a certificate that isn't from your provider, XenMobile continues to use derived credentials for iOS device enrollment. As a workaround, after you choose a different certificate in Settings > Derived Credentials, delete the derived credentials certificate from Settings > Certificates. [CXM-31540]

On a Windows RS2 tablet device that is enrolled with the XenMobile Server and logged in to a deployed Exchange account: If you use the XenMobile console to make the device unmanaged (except full wipe), the Exchange account remains on the enrolled device. [CXM-31697]

If the deprecated Enterprise Data Protection policy is configured and you upgrade to the latest version of XenMobile, the XenMobile console displays this error: "A configuration error has occurred. Please try again." As a workaround, delete the EDP policy before you upgrade XenMobile Server. [CXM-32132]

When searching for an app in the Google Play Store from the XenMobile console, the message "Error logging in with Google Play credentials" appears intermittently. You can close the error message and continue to search for apps. [CXM-32441]

For XenMobile cloud deployments outside of the U.S. only: When searching for an app in the Public App Store from the XenMobile console, the message "Error searching app from store platform: windows_phone" appears. [CXM-32444]

In the German, Korean, and Simplified Chinese versions of the XenMobile console: On the Android platform page for the VPN device policy, for the Citrix VPN connection type, the following labels aren't translated.

  • Password and Certificate (an Authentication type option)

  • Application List, App Package Name [CXM-33640]

XenMobile Server 10.6 documentation errata

The following items are errata found in the documentation since it was last published. Errata are content issues, such as errors or missing information, that could affect your use of XenMobile Server.

  • XenMobile Server 10.6 supports VMware ESXi 5.5.
  • The following port must be open for devices and apps to communicate with XenMobile 10.x.
    • Port: 30001
    • Description: Management API for initial staging of HTTPS service
    • Source: Internal LAN
    • Destination: XenMobile Server