- XenMobile deployment
With XenMobile, you can choose whether to manage devices, apps, or both. XenMobile uses the following terms for device and app management modes, sometimes also referred to as deployment modes:
- Mobile device management mode (MDM mode)
- Mobile app management mode (MAM mode)
- MDM+MAM mode (Enterprise mode)
With MDM, you can configure, secure, and support mobile devices. MDM enables you to protect devices and data on devices at a system level. You can configure policies, actions, and security functions. For example, you can wipe a device selectively if the device is lost, stolen, or out of compliance. Although app management is not available with MDM mode, you can deliver mobile apps, such as public app store and enterprise apps, in this mode. Following are common use cases for MDM mode:
- MDM is a consideration for corporate-owned devices where device-level management policies or restrictions, such as full wipe, selective wipe, or geo-location, are required.
- When customers require management of an actual device, but do not require MDX policies, such as app containerization, controls on app data sharing, or micro VPN.
- When users only need email delivered to their native email clients on their mobile devices, and Exchange ActiveSync or Client Access Server is already externally accessible. In this use case, you can use MDM to configure email delivery.
- When you deploy native enterprise apps (non-MDX), public app store apps, or MDX apps delivered from public stores. Consider that an MDM solution alone might not prevent data leakage of confidential information between apps on the device. Data leakage might occur with copy and paste or Save As operations in Office 365 apps.
MAM protects app data and lets you control app data sharing. MAM also allows for the management of corporate data and resources, separately from personal data. With XenMobile configured for MAM mode, you can use MDX-enabled mobile apps to provide per-app containerization and control. MAM mode is also called MAM-only mode.
By leveraging MDX policies, XenMobile provides app-level control over network access (such as micro VPN), app and device interaction, data encryption, and app access.
MAM mode is often suitable for bring-your-own (BYO) devices because, although the device is unmanaged, corporate data remains protected. MDX has more than 50 MAM-only policies that you can set without MDM control of the device and without relying on the device passcode for encryption.
MAM also supports the XenMobile Apps. This support includes secure email delivery to Citrix Secure Mail, data sharing between the secured XenMobile Apps, and secure data storage in ShareFile. For details, see XenMobile Apps.
MAM is often suitable for the following examples:
- You deliver mobile apps, such as MDX apps, managed at the app level.
- You are not required to manage devices at a system level.
MDM+MAM is a hybrid mode, also called Enterprise Mode, which enables all feature sets available in the XenMobile Enterprise Mobility Management (EMM) solution. Configuring XenMobile with MDM+MAM mode enables both MDM and MAM features.
XenMobile lets you specify whether users can choose to opt out of device management or whether you require device management. This flexibility is useful for environments that include a mix of use cases. These environments may or may not require management of a device through MDM policies to access your MAM resources.
MDM+MAM is suitable for the following examples:
- You have a single use case in which both MDM and MAM are required. MDM is required to access your MAM resources.
- Some use cases require MDM while some do not.
- Some use cases require MAM while some do not.
The XenMobile edition for which you have a license determines the management modes and other features available, as shown in the following table.
| XenMobile MDM Edition | XenMobile Advanced Edition | XenMobile Enterprise Edition |
|---|---|---|
| MDM features | MDM features | MDM features |
| - | MAM features | MAM features |
| - | MDX Service or Toolkit | MDX Service or Toolkit |
| Secure Hub | Secure Hub | Secure Hub |
| - | Secure Mail | Secure Mail |
| - | Secure Web | Secure Web |
| - | Secure Tasks | Secure Tasks |
| - | - | ShareFile Enterprise Edition |
A XenMobile Enterprise environment can include a mixture of use cases, some of which require device management through MDM policies to allow access to MAM resources. Before deploying XenMobile Apps to users, fully assess your use cases and decide whether to require MDM enrollment. If you later decide to change the requirement for MDM enrollment, it is likely that users must re-enroll their devices.
Note: To specify whether you require users to enroll in MDM, use the XenMobile Server property Enrollment Required in the XenMobile console (Settings > Server Properties). That global server property applies to all users and devices for the XenMobile instance. The property applies only when the XenMobile Server Mode is ENT.
Following is a summary of the advantages and disadvantages (along with mitigations) of each setting of Enrollment Required in a XenMobile Enterprise mode deployment.

Enrollment Required = False (users can opt out of MDM enrollment)

Advantages:
- Users can access MAM resources without putting their devices under MDM management. This option can increase user adoption.
- Ability to secure access to MAM resources to protect enterprise data.
- MDX policies such as App Passcode can control app access for each MDX app.
- Configuring NetScaler, XenMobile, and per-application time-outs, along with Citrix PIN, provides an extra layer of protection.
- While MDM actions do not apply to the device, some MDX policies are available to deny MAM access. The denial is based on device state, such as a jailbroken or rooted device.

Disadvantages:
- Users can choose whether to enroll their device with MDM during first-time use.
- MAM resources are available to devices not enrolled in MDM.
- MDM policies and actions are available only to MDM-enrolled devices.

Mitigations:
- Have users agree to company terms and conditions that hold them responsible if they choose to go out of compliance. Have administrators monitor unmanaged devices.
- Manage application access and security by using application timers. Decreased time-out values increase security, but may affect user experience.

Enrollment Required = True (MDM enrollment is mandatory)

Advantages:
- Ability to restrict access to MAM resources to MDM-managed devices only.
- MDM policies and actions can apply to all devices in the environment as desired.

Disadvantages:
- Users are not able to opt out of enrolling their device.
- Requires all users to enroll with MDM.
- Might decrease adoption for users who object to corporate management of their personal devices.

Mitigations:
- Educate users about what XenMobile actually manages on their devices and what information administrators can access.
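The following Python model is an added illustration, not Citrix code and not how XenMobile Server is implemented. It encodes only the rules stated on this page: MAM features exist in MAM and ENT modes, Enrollment Required is honored only when Server Mode is ENT, an MDX policy can deny jailbroken or rooted devices even without MDM, a per-app inactivity time-out forces re-authentication, and MDM actions reach only MDM-enrolled devices. The decision order, the `deny_compromised` flag and the 900-second time-out are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ServerMode(Enum):
    """XenMobile Server Mode values: MDM-only, MAM-only, or ENT (MDM+MAM)."""
    MDM = "MDM"
    MAM = "MAM"
    ENT = "ENT"


@dataclass
class ServerConfig:
    mode: ServerMode
    enrollment_required: bool   # the global "Enrollment Required" server property
    deny_compromised: bool      # assumed MDX policy that blocks jailbroken/rooted devices
    app_timeout_seconds: int    # assumed per-app inactivity time-out value


@dataclass
class Device:
    mdm_enrolled: bool          # user accepted MDM enrollment in Secure Hub
    compromised: bool           # jailbroken (iOS) or rooted (Android)
    idle_seconds: int           # time since the user last used the MDX app


def mam_access(cfg: ServerConfig, dev: Device) -> tuple[bool, str]:
    """Decide whether an MDX app on this device may reach MAM resources.

    Evaluation order (an assumption of this example, not XenMobile's internals):
    server mode, then Enrollment Required, then MDX device-state policy,
    then the per-app inactivity timer.
    """
    if cfg.mode is ServerMode.MDM:
        return False, "MDM-only mode: MAM features are not available"
    # Enrollment Required applies only when Server Mode is ENT.
    if cfg.mode is ServerMode.ENT and cfg.enrollment_required and not dev.mdm_enrolled:
        return False, "Enrollment Required is set and the device is not MDM-enrolled"
    # MDX policy can deny MAM access on device state even without MDM control.
    if cfg.deny_compromised and dev.compromised:
        return False, "MDX policy denies jailbroken or rooted devices"
    if dev.idle_seconds > cfg.app_timeout_seconds:
        return False, "app time-out elapsed: user must re-authenticate (Citrix PIN)"
    return True, "MAM access granted"


def mdm_actions_apply(cfg: ServerConfig, dev: Device) -> bool:
    """MDM policies and security actions (for example, selective wipe) reach
    only devices that are MDM-enrolled in an MDM or ENT deployment."""
    return cfg.mode is not ServerMode.MAM and dev.mdm_enrolled


def compare_enrollment_setting(dev: Device) -> dict[str, tuple[bool, str]]:
    """Run one device against ENT mode with Enrollment Required True and
    False, to show the trade-off summarized in the lists above."""
    results: dict[str, tuple[bool, str]] = {}
    for required in (True, False):
        cfg = ServerConfig(ServerMode.ENT, required,
                           deny_compromised=True, app_timeout_seconds=900)
        results[f"enrollment_required={required}"] = mam_access(cfg, dev)
    return results


if __name__ == "__main__":
    # Constructed sample: a BYO device whose user declined MDM enrollment.
    byod = Device(mdm_enrolled=False, compromised=False, idle_seconds=60)
    for setting, (allowed, reason) in compare_enrollment_setting(byod).items():
        print(f"{setting}: allowed={allowed} ({reason})")
```

Running the script shows the point of the Enrollment Required property: the same unenrolled BYO device is denied MAM access under `enrollment_required=True` and granted it under `False`, while `mdm_actions_apply` stays `False` for that device in either case, so MDM-side controls such as selective wipe never reach it and the mitigations listed above (terms and conditions, monitoring, shorter app timers) are what remains.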