What’s new in XenMobile Server 10.9

XenMobile Server 10.9 (PDF Download)


To prepare for device upgrades to iOS 12: The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Delete your VPN device policy and create a new VPN device policy with the Citrix SSO connection type.

The Citrix VPN connection continues to operate in previously deployed devices after you delete the VPN device policy. Your new VPN device policy configuration takes effect in XenMobile Server 10.9, during user enrollment.

XenMobile Migration Service

If you’re using XenMobile Server on premises, our XenMobile Migration Service can get you started with Endpoint Management. Migration from XenMobile Server to Citrix Endpoint Management doesn’t require you to re-enroll devices.

For more information, contact your local Citrix salesperson, Systems Engineer, or Citrix Partner. These blogs discuss the XenMobile Migration Service:

New XenMobile Migration Service

Making the Case for XenMobile in the Cloud

Access to XenMobile Tools from the console

You can access these XenMobile Tools from the XenMobile console:

  • XenMobile Analyzer: Identify and triage potential issues with your deployment.
  • APNs Portal: Submit a request to Citrix to sign an APNs certificate, which you then submit to Apple.
  • Auto Discovery Service: Request and configure Auto Discovery for XenMobile in your domain.
  • Manage Push Notifications: Manage push notifications for iOS and Windows mobile productivity apps.
  • MDX Service: Wraps apps that you can then manage by using XenMobile.

To access these tools, go to Settings > XenMobile Tools.

New workflow for adding an app from the Google Play Store

Instead of specifying Google Play credentials when you add an app, you now add the package ID of the public store Android app.

  1. From the Google Play Store, copy the package ID. The ID is in the URL of the app.

    Image of searching for app

  2. When adding a Public Store app in the XenMobile Server console, paste the package ID in the search bar.

    Image of searching for app

  3. If the package ID is valid, a UI appears allowing you to enter app details.

    Image of searching for app

For more information, see Add a public app store app.

New Public REST APIs

  • A new version of the Get Devices by Filters API provides additional details about devices. For information, see section 3.16.2, Get Devices by Filters (version 2), in the XenMobile Public API for REST Services PDF.

  • Ability to regenerate Root CA, Devices CA, Server CA and renew device certificates

    XenMobile Server uses the following certificate authorities internally for PKI: Root CA, device CA, and server CA. Those CAs are classified as a logical group and provided a group name. When a new XenMobile Server instance is provisioned, the three CAs are generated and given the group name “default”.

    You can renew the CAs for supported iOS, macOS, and Android devices by using the XenMobile Server console or the public REST API. For enrolled Windows devices, users must re-enroll their devices to receive a new device CA.

    The following APIs are available for refreshing or regenerating the internal PKI CAs in XenMobile Server and renewing the device certificates which are issued by these certificate authorities.

    • Create new group certificate authorities (CAs).
    • Activate new CAs and deactivate old CAs.
    • Renew the device certificate on a configured list of devices. Already enrolled devices continue to work without disruption. A device certificate is issued when a device connects back to the server.
    • Return a list of devices still using the old CA.
    • Delete the old CA after all devices have the new CA.

    For information, see the following sections in the XenMobile Public API for REST Services PDF:

    • Section 3.16.58, Renew Device Certificate
    • Section 3.23, Refresh XenMobile CA Group

    As part of this feature, a new security action, Certificate Renewal , is available from the Manage Devices console. This action renews the enrollment certificate on that device.


    • By default, these new certificate renewal features are disabled. To activate the certificate renewal features, set the value for the server property refresh.internal.ca to True.


    If your Citrix ADC is set up for SSL Offload, when you generate a new certificate, ensure that you update your load balancer with the new cacert.perm. For more information on Citrix Gateway setup, see To use SSL Offload mode for Citrix VIPs.