iOS Volume Purchase Program
You can manage iOS app licensing by using the Apple iOS Volume Purchase Program (VPP). The VPP solution simplifies the process to find, buy, and distribute apps and other data in bulk for an organization. With VPP, you can use XenMobile to distribute public app store apps. VPP is not supported for XenMobile Apps or for apps wrapped by using the MDX Toolkit. Although you can distribute the XenMobile public store apps with VPP, the deployment is not optimal. Further enhancements to XenMobile and the Secure Hub store are required to address the limitations. For a list of known issues with deploying the XenMobile public store apps via VPP and potential workarounds, see this article in the Citrix knowledge center.
With VPP, you can distribute the applicable apps directly to your devices, or you can assign content to your users by using redeemable codes. You configure settings specific to the iOS VPP in XenMobile.
XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. Such changes include when you manually delete an imported app from VPP. By default, XenMobile refreshes the VPP license baseline a minimum of every 720 minutes. You can change the baseline interval through the server property, VPP baseline interval (vpp.baseline). For information, see Server properties.
This article focuses on using VPP with managed licenses, which enables you to use XenMobile to distribute apps. If you currently use redemption codes and want to change to managed distribution, see this Apple Support document: Migrate from redemption codes to managed distribution with the Volume Purchase Program.
For information about the iOS VPP, see http://www.apple.com/business/vpp/. To enroll in VPP, go to https://deploy.apple.com/qforms/open/register/index/avs. To access your VPP store in iTunes, go to https://vpp.itunes.apple.com/?l=en.
After you save these iOS VPP settings in XenMobile, the purchased apps appear on the Configure > Apps page in the XenMobile console.
In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
Click iOS Settings. The iOS Settings configuration page appears.
Configure these settings:
- Store user password in Secure Hub: Select whether to store a user name and password in Secure Hub for XenMobile authentication. The default is to store the information by using this secure method.
- User property for VPP country mapping: Type a code to allow users to download apps from country-specific app stores.
XenMobile uses this mapping to choose the property pool of the VPP. For example, if the user property is United States, that user cannot download apps if the VPP code for the app is for the United Kingdom. Contact your VPP plan administrator for more information about the country mapping code.
For each VPP account you want to add, click Add. The Add VPP account dialog box appears.
Configure these settings for each account you add:
Note: If you use Apple Configurator 1, upload a license file: Go to Configure > Apps, go to a platform page, and then expand Volume Purchase Program.
- Name: Type the VPP account name.
- Suffix: Type the suffix to appear with the names of apps obtained through the VPP account. For example, if you enter VPP, the Secure Mail app appears in the apps list as Secure Mail - VPP.
- Company Token: Copy and paste the VPP service token obtained from Apple. To obtain the token: In the Account Summary page of the Apple VPP portal, click the Download button to generate and download the VPP file. The file contains the service token and other information, like the country code and expiry. Save the file in a secure location.
- User Login: Type an optional authorized VPP account administrator name used to import custom B2B apps.
- User Password: Type the VPP account administrator password.
Click Save to close the dialog box.
Click Save to save the iOS settings.
A message appears stating that XenMobile adds the apps to the list on the Configure > Apps page. On that page, notice that the app names from your VPP account include the suffix you provided in the preceding configuration.
You can now configure the VPP app settings and then tune your delivery group and device policy settings for VPP apps. After you complete those configurations, users can enroll their devices. The following notes provide considerations for those processes.
When configuring VPP app settings (Configure > Apps), enable Force license association to device. An advantage of using Apple VPP and DEP with supervised devices is the ability to use XenMobile to assign the app at the device (rather than user) level. As a result, you don’t have to use an Apple ID device. Also, users don’t receive an invitation to join the VPP program, and they can download the apps without signing in to their iTunes account.
To view the VPP info for that app, expand Volume Purchase Program. Notice that in the VPP ID Assignment table, the license is associated with a device. If the user removes the token and then imports it again, the word Hidden appears instead of the serial number, due to Apple privacy restrictions.
To disassociate a license, click the row for the license and then click Disassociate.
If you associate VPP licenses with users, XenMobile integrates users into your VPP account and associates their iTunes ID with the VPP account. The iTunes ID of users is never visible to your company or to the XenMobile Server. Apple transparently creates the association to retain user privacy. To disassociate all licenses from a user account, you can retire the user from the VPP program. To retire a user, go to Manage > Devices.
XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. To force a sync with your VPP account, go to Settings > iOS Settings and click Force synchronization.
After you click to confirm the action, XenMobile imports the VPP information. The import might take several minutes, depending on the number of VPP licenses. After the sync completes, XenMobile refreshes the iOS Settings page and updates the sync date and time in the new Last Sync Date column.
- When you assign an app to a delivery group, by default XenMobile identifies the app as an optional app. To ensure that XenMobile deploys an app to devices, go to Configure > Delivery Groups. On the Apps page, move the app to the Required Apps list.
When an update for a public app store app is available and VPP pushes the app, the app doesn’t automatically update on devices until you check for updates and apply them. To push an update for Secure Hub when it is assigned to a device and not to a user, go to Configure > Apps and, on a platform page, click Check for Updates and apply the update.
XenMobile displays a License Expiration Warning when Apple VPP or DEP tokens are nearing expiration or have expired.
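The Company Token step asks you to keep the downloaded VPP file in a secure location, and the warning above is driven by its expiry. As an added example (not Citrix or XenMobile code), this Python script audits a stored token file for loose permissions and approaching expiry. It assumes the file is base64-encoded JSON with an `expDate` field, POSIX file permissions, and a 30-day threshold; all function names are hypothetical.

```python
import base64, json, os, stat, tempfile
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not a XenMobile setting

def parse_vpp_token(raw: bytes) -> dict:
    """Decode a token file, assumed to be base64 text wrapping a JSON object."""
    try:
        data = json.loads(base64.b64decode(raw.strip(), validate=True))
    except ValueError as exc:  # bad base64 and bad JSON both raise ValueError subclasses
        raise ValueError("not a base64-encoded JSON token") from exc
    if not isinstance(data, dict) or "expDate" not in data:
        raise ValueError("token JSON has no expDate field")
    return data

def days_until_expiry(token: dict, now: datetime) -> int:
    # expDate format assumed: ISO 8601 with numeric offset, e.g. 2025-06-01T00:00:00+0000
    expires = datetime.strptime(token["expDate"], "%Y-%m-%dT%H:%M:%S%z")
    return (expires - now).days

def audit_token_file(path: str, now: datetime) -> list:
    """Return findings for one token file; the token value itself is never reported."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access bit set
        findings.append(f"permissions {mode:o} expose the token to group/other")
    with open(path, "rb") as fh:
        left = days_until_expiry(parse_vpp_token(fh.read()), now)
    if left < 0:
        findings.append(f"token expired {-left} day(s) ago")
    elif left <= WARN_DAYS:
        findings.append(f"token expires in {left} day(s)")
    return findings

def make_sample(exp_date: str, mode: int) -> str:
    """Write a constructed token file with placeholder values; return its path."""
    body = {"token": "PLACEHOLDER", "expDate": exp_date, "orgName": "Example Org"}
    fd, path = tempfile.mkstemp(suffix=".vpptoken")
    with os.fdopen(fd, "wb") as fh:
        fh.write(base64.b64encode(json.dumps(body).encode()))
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for exp, mode in [("2024-06-15T00:00:00+0000", 0o644), ("2025-06-01T00:00:00+0000", 0o600)]:
        path = make_sample(exp, mode)
        print(exp, oct(mode), "->", audit_token_file(path, now) or "ok")
        os.remove(path)
```

Run it against the directory where token files are archived, passing the current UTC time as `now`, and treat any finding as a prompt to tighten permissions or renew the token in the Apple VPP portal.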