Product Documentation

Deprecated device policies

APN device policy (Windows Mobile/CE)

You use the Access Point Name (APN) device policy if your organization doesn’t use a consumer APN to connect to the Internet from a mobile device. An APN policy determines the settings used to connect your devices to a specific phone carrier’s General Packet Radio Service (GPRS). This setting is already defined in most newer phones.

Windows Mobile/CE settings

  • APN: Type the name of the access point. This name must match an accepted Android APN or the policy fails.
  • Network: In the list, click the type of network to use. The default is Built-in office.
  • User name: This string specifies the user name for this APN. If the user name is missing, the device prompts for the string during profile installation.
  • Password: The password for the user for this APN. For obfuscation purposes, the password is encoded. If it is missing from the payload, the device prompts for the password during profile installation.

App access device policy (Windows Mobile/CE)

The app access device policy in XenMobile allows you to define a list of apps that meet any of these conditions:

  • Required to be installed on the device
  • Can be installed on the device
  • Must not be installed on the device.

You can then create an automated action to react to the device compliance with that list of apps.

You can only configure one type of access policy at a time. You can add a policy for either a list of required apps, suggested apps, or forbidden apps. You can’t include a mix of required, suggested, or forbidden apps within the same app access policy. If you create a policy for each type of list, we recommend that you name each policy carefully. That practice enables you to know which policy in XenMobile applies to which list of apps.

Windows Mobile/CE settings

  • Access policy: Click Required, Suggested, or Forbidden. The default is Required.
  • To add one or more apps to the list, click Add and then do the following:
    • App name: Enter an app name.
    • App Identifier: Enter an optional app identifier.
    • Click Save or Cancel.
    • Repeat these steps for each app you want to add.

App inventory device policy (Windows Mobile/CE)

The App inventory policy lets you collect an inventory of the apps on managed devices. XenMobile can then compare the inventory to any app access policies deployed to those devices. In this way, you can detect apps that appear on an app blacklist or whitelist and take action accordingly.

An app appears in a blacklist when the app is forbidden in an app access policy. An app appears in a whitelist when the app is required in an app access policy.

Windows Mobile/CE settings

  • For each platform you select, leave the default setting or change the setting to Off. The default is On.

App uninstall device policy (Windows Mobile/CE)

The App uninstall policy lets you remove apps from user devices for any number of reasons. It may be that you no longer want to support certain apps. Or perhaps your company wants to replace existing apps with similar apps from different vendors.

The apps are removed when this policy is deployed to user devices. Users receive a prompt to uninstall the app.

Windows Mobile/CE settings

  • Apps to uninstall: For each app you want to add, click Add and then do the following:
    • App name: In the list, click an existing app or click Add new to enter a new app name. If there are no apps configured for this platform, the list is empty and you must add new apps.
    • Click Add to add the app or click Cancel to cancel adding the app.

App tunneling device policy (Windows Mobile/CE)

Application tunnels (app tunnels) are designed to increase service continuity and data transfer reliability for your mobile apps. App tunnels define proxy parameters between the client component of any mobile device app and the app server component.

Any app traffic sent through a tunnel that you define in this policy goes through XenMobile before being redirected to the server running the app.

Windows Mobile/CE settings

  • Connection initiated by: Click Device or Server to specify the source initiating the connection.

  • Protocol: In the list, click the protocol to use. The default is Generic TCP.

  • Maximum connections per device: Type a number to specify how many concurrent TCP connections the app can establish. This field applies only to device-initiated connections.

  • Define connection time out: Select whether to set a length of time an app can be idle before the tunnel is closed.

    • Connection time out: Specify the time out when you set Define connection time out to On. The time out is the number of seconds that an app can be idle before the tunnel is closed.
  • Block cellular connections passing by this tunnel: Select whether this tunnel is blocked while roaming. WiFi and USB connections aren’t blocked.

  • Redirect to XenMobile: In the list, click how the device connects to XenMobile. The default is Through app settings.

    • If you select Using a local alias, type the alias in Local alias. The default is localhost.
    • If you select An IP address range, type the from IP address in IP address range from. Then type the to IP address in IP address range to.
  • Client port: Type the client port number. Usually, this value is the same as for the server port.

  • IP address or server name: Type the IP address or name of the app server. This field applies only to device-initiated connections.

  • Server port: Type the server port number.

Connection manager device policy (Windows Mobile/CE)

In XenMobile, you can specify the connection settings for apps that connect automatically to the Internet and to private networks. This policy is only available on Windows Pocket PCs.

Windows Mobile/CE settings

Note:

Built-in office means that all connections are to your company’s intranet. Built-in Internet means that all connections are to the Internet.

  • Apps that connect to a private network automatically use: In the list, click either Built-in office or Built-in Internet. The default is Built-in office.

  • Apps that connect to the Internet automatically use: In the list, click either Built-in office or Built-in Internet. The default is Built-in office.

Connection scheduling device policy (Windows Mobile/CE)

You create connection scheduling policies to control how and when user devices connect to XenMobile. You can specify that users connect their devices manually, that devices stay connected permanently, or that devices connect within a defined time frame.

Windows Mobile/CE settings

  • Require devices to connect: Click the option you want to set for this schedule.
    • Always: Keep the connection alive permanently. XenMobile on the user’s device attempts to reconnect to the XenMobile server after a network connection loss. XenMobile monitors the connection by transmitting control packets at regular intervals. Citrix recommends this option for optimized security. When you choose Always, also use the Define connection time-out setting in the device’s Tunnel policy to ensure that the connection doesn’t drain the battery. By keeping the connection alive, you can push security commands like wipe or lock to the device on demand. Ensure that you also select the Deployment Schedule option Deploy for always-on connections in each policy deployed to the device.
    • Never: Connect manually. Users must initiate the connection from XenMobile on their devices. Citrix doesn’t recommend this option for production deployments because it prevents you from deploying security policies to devices. As a result, users don’t receive any new apps or policies.
    • Every: Connect at the designated interval. When this option is in effect and you send a security policy such as a lock or a wipe, XenMobile processes the action on the device the next time that the device connects. When you select this option, the Connect every N minutes field appears, where you must enter the number of minutes after which the device must reconnect. The default, and minimum value, is 120.
    • Define schedule: When enabled, XenMobile on the user’s device attempts to reconnect to the XenMobile server after a network connection loss. XenMobile monitors the connection by transmitting control packets at regular intervals within the time frame that you define. See Defining a connection time frame, next, for how to define a connection time frame.
      • Maintain permanent connection during these hours: Users’ devices must be connected for the defined time frame.
      • Require a connection within each of these ranges: Users’ devices must be connected at least once in any of the defined time frames.
      • Use local device time rather than UTC: Synchronize the defined time frames to local device time rather than Coordinated Universal Time (UTC).

Defining a connection time frame

When you enable the following options, a timeline appears where you can define the time frames you want. You can enable either or both options to require a permanent connection during specific hours or to require a connection within certain time frames. Each square in the timeline is 30 minutes. Thus, if you want a connection between 8:00 AM and 9:00 AM every weekday, click the two squares on the timeline between 8 AM and 9 AM every weekday.

For example, the two timelines in the following figure require:

  • A permanent connection between 8:00 AM and 9:00 AM every weekday.
  • A permanent connection between 12:00 AM Saturday and 1:00 AM Sunday.
  • At least one connection every weekday between 5:00 AM and 8:00 AM or between 10:00 AM and 11:00 PM.
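
The following added example (not part of the product or its documentation) expands the time frames in the preceding list into 30-minute timeline squares and finds the longest stretch of the week that no frame covers. Outside the permanent-connection hours the device is not required to hold the connection over which on-demand commands such as lock or wipe are pushed. The Monday-first slot numbering and all function names are assumptions made for the example.

```python
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEKDAYS = DAYS[:5]
SLOTS_PER_DAY = 48                      # each square in the timeline is 30 minutes
WEEK_SLOTS = 7 * SLOTS_PER_DAY


def slot_index(day, hhmm):
    """Index (0..335) of the square that starts at `hhmm` on `day`."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not 0 <= hours < 24 or minutes not in (0, 30):
        raise ValueError(f"{hhmm!r} is not on a 30-minute boundary")
    return DAYS.index(day) * SLOTS_PER_DAY + hours * 2 + minutes // 30


def describe(slot):
    """Human-readable start time of a square, for example 290 -> 'Sun 01:00'."""
    day, within = divmod(slot % WEEK_SLOTS, SLOTS_PER_DAY)
    return f"{DAYS[day]} {within // 2:02d}:{(within % 2) * 30:02d}"


def squares(frames):
    """Expand (start_day, start, end_day, end) frames into the squares to click.

    The end time is exclusive. A frame may cross midnight or wrap past Sunday.
    """
    selected = set()
    for start_day, start, end_day, end in frames:
        first = slot_index(start_day, start)
        length = (slot_index(end_day, end) - first) % WEEK_SLOTS
        if length == 0:
            raise ValueError("empty time frame")
        selected.update((first + i) % WEEK_SLOTS for i in range(length))
    return selected


def longest_gap(selected):
    """Longest run of unselected squares as (first_square, length); the week is circular."""
    if not selected:
        return 0, WEEK_SLOTS
    ordered = sorted(selected)
    following = ordered[1:] + ordered[:1]
    gaps = [((cur + 1) % WEEK_SLOTS, (nxt - cur - 1) % WEEK_SLOTS)
            for cur, nxt in zip(ordered, following)]
    return max(gaps, key=lambda gap: gap[1])


# The time frames from the example list above.
PERMANENT = squares(
    [(d, "08:00", d, "09:00") for d in WEEKDAYS] + [("Sat", "00:00", "Sun", "01:00")]
)
AT_LEAST_ONCE = squares(
    [(d, "05:00", d, "08:00") for d in WEEKDAYS]
    + [(d, "10:00", d, "23:00") for d in WEEKDAYS]
)

if __name__ == "__main__":
    for label, grid in (("permanent", PERMANENT), ("any frame", PERMANENT | AT_LEAST_ONCE)):
        start, length = longest_gap(grid)
        print(f"{label}: {len(grid)} squares, "
              f"longest gap {length / 2:g} h from {describe(start)}")
```

With the example schedule, the longest period without a required permanent connection runs from Sunday 1:00 AM to Monday 8:00 AM.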

Credentials device policy (Windows Mobile/CE)

You can create credentials device policies in XenMobile to enable integrated authentication with your PKI configuration in XenMobile. For example, you can integrate with a PKI entity, a keystore, a credential provider, or a server certificate. For more information about credentials, see Certificates and authentication.

Note:

Before you can create this policy, you need the credential information you plan to use for each platform, plus any certificates and passwords.

Windows Mobile/CE settings

  • Store device: In the list, click the location of the certificate store for the credential. The default is root. Options are:
    • Privileged execution trust authorities: Applications signed with a certificate belonging to this store run with privileged trust level.
    • Unprivileged execution trust authorities: Applications signed with a certificate belonging to this store run with normal trust level.
    • SPC (Software Publisher Certificate): The Software Publishing Certificate (SPC) is used for signing .cab files.
    • root: A certificate store that contains root, or self-signed, certificates.
    • CA: A certificate store that contains cryptographic information, including intermediary certification authorities.
    • MY: A certificate store that contains end-user personal certificates.
  • Credential type: Certificate is the only credential type for Windows Mobile/CE devices.
  • The credential file path: Select the credential file by clicking Browse and then navigating to the file’s location.

Custom XML device policy (Windows Mobile/CE)

You can create custom XML policies in XenMobile to customize the following features:

  • Provisioning, which includes configuring the device, and enabling or disabling features
  • Device configuration, which includes allowing users to change settings and device parameters
  • Software upgrades, which include providing new software or bug fixes to be loaded onto the device, including apps and system software
  • Fault management, which includes receiving error and status reports from the device

For Windows devices: You create your custom XML configuration by using the Open Mobile Alliance Device Management (OMA DM) API in Windows. Creating custom XML with the OMA DM API is beyond the scope of this topic. For more information about using the OMA DM API, see OMA Device Management on the Microsoft Developer Network site.

Windows Mobile/CE settings

  • XML content: Type, or cut and paste, the custom XML code you want to add to the policy.

    After you click Next, XenMobile checks the XML content syntax. Any syntax errors appear below the content box. Fix any errors before you continue.

    If there are no syntax errors, the Custom XML Policy assignment page appears.

Delete files and folders device policy (Windows Mobile/CE)

You can create a policy in XenMobile to delete specific files or folders from Windows Mobile/CE devices.

Windows Mobile/CE settings

  • Files and folders to delete: For each file or folder you want to delete, click Add and then do the following:
    • Path: Type the path to the file or folder.
    • Type: In the list, click File or Folder. The default is File.
    • Click Save to save the file or folder, or click Cancel not to save the file or folder.

Delete registry keys and values device policy (Windows Mobile/CE)

You can create a policy in XenMobile to delete specific registry keys and values from Windows Mobile/CE devices.

Windows Mobile/CE settings

  • Registry keys and values to delete: For each registry key and value you want to delete, click Add and then do the following:
    • Key: Type the registry key path. This field is required. The registry key path should either start with HKEY_CLASSES_ROOT\ or HKEY_CURRENT_USER\ or HKEY_LOCAL_MACHINE\ or HKEY_USERS\.
    • Value: Type the value name to be deleted or leave this field blank to delete the entire registry key.
    • Click Save to save the key and value, or click Cancel not to save the key and value.

Files device policy (Windows Mobile/CE)

You can add script files to XenMobile that perform certain functions for users. You can add the following file types with this policy:

  • Text-based files (.xml, .html, .py, and so on)
  • Script files created with MortScript

Windows Mobile/CE settings

  • File to be imported: Select the file to import by clicking Browse and navigating to the file location.
  • File type: Select either File or Script. When you select Script, Execute immediately appears. Select whether the script is executed when the file is uploaded. The default is Off.
  • Replace macro expressions: Select whether to replace macro token names in a script with a device or user property. The default is Off.
  • Destination folder: In the list, select the location in which to store the uploaded file or click Add new to choose an unlisted file location. In addition, you can use any of the following macros as the start of a path identifier:
    • %Flash Storage%\
    • %XenMobile Folder%\
    • %Program Files%\
    • %My Documents%\
    • %Windows%\
  • Destination file name: Optionally, type a different name for the file if it must be changed before being deployed on a device.
  • Copy file only if different: In the list, select whether to copy the file if it is different from the existing file. The default is to copy the file only if it is different.
  • Read only file: Select whether the file is to be read-only. The default is Off.
  • Hidden file: Select whether the file is not to be shown in the file list. The default is Off.

Proxy device policy (Windows Mobile/CE)

You can add a device policy in XenMobile to specify global HTTP proxy settings for devices running Windows Mobile/CE. You can deploy only one global HTTP proxy policy per device.

Windows Mobile/CE settings

  • Network: In the list, click the network type to use. The default is Built-in office. Possible options are:
    • User-defined office
    • User-defined Internet
    • Built-in office
    • Built-in Internet
  • Network: In the list, click the network connection protocol to use. The default is HTTP. Possible options are:
    • HTTP
    • WAP
    • Socks 4
    • Socks 5
  • Hostname or IP address for the proxy server: Type the host name or IP address of the proxy server. This field is required.
  • Port for the proxy server: Type the proxy server port number. This field is required. The default is 80.
  • User name: Type an optional user name to authenticate to the proxy server.
  • Password: Type an optional password to authenticate to the proxy server.
  • Domain name: Type an optional domain name.
  • Enable: Select whether to enable the proxy. The default is On.

Registry device policy (Windows Mobile/CE)

The Windows Mobile/CE registry stores data about apps, drivers, user preferences, and configuration settings. In XenMobile, you can define the registry keys and values that let you administer Windows Mobile/CE devices.

Windows Mobile/CE settings

For each registry key or registry key/value pair you want to add, click Add and do the following:

  • Registry key path: Type the full path for the registry key. For example, type HKEY_LOCAL_MACHINE\Software\Microsoft\Windows to specify the route to the Windows key from the HKEY_LOCAL_MACHINE root key.
  • Registry value name: Type the name for the registry key value. For example, type ProgramFilesDir to add that value name to the registry key path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. If you leave this field blank, it means that you are adding a registry key and not a registry key/value pair.
  • Type: In the list, click the data type for the value. The default is DWORD. Possible options are:
    • DWORD: A 32-bit unsigned integer.
    • String: Any string.
    • Extended string: A string value that can contain environment variables like %TEMP% or %USERPROFILE%.
    • Binary: Any arbitrary binary data.
  • Value: Type the value associated with Registry value name. For example, to specify the value of ProgramFilesDir, type C:\Program Files.
  • Click Save to save the registry key information or click Cancel not to save the registry key information.
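
The following added example (not XenMobile code) checks registry entries before they are typed into the Registry policy or the Delete registry keys and values policy. It applies the root-key prefixes listed for the delete policy to both policies, which is an assumption, as are the decimal form for DWORD values, the hex-pair form for Binary values, and all function names.

```python
import re

ROOT_KEYS = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS")
VALUE_TYPES = ("DWORD", "String", "Extended string", "Binary")


def subkey_parts(key_path):
    """Split a key path into its subkeys; raise ValueError without a full root-key prefix."""
    root, sep, rest = key_path.partition("\\")
    if not sep or root not in ROOT_KEYS:
        allowed = ", ".join(r + "\\" for r in ROOT_KEYS)
        raise ValueError(f"{key_path!r} must start with one of: {allowed}")
    return [part for part in rest.split("\\") if part]


def lint_registry_entry(key_path, value_name="", value_type="DWORD", value=""):
    """Problems with one entry of the Registry policy (empty list means none found)."""
    problems = []
    try:
        subkey_parts(key_path)
    except ValueError as err:
        problems.append(str(err))
    if value_type not in VALUE_TYPES:
        problems.append(f"unknown Type {value_type!r}")
    if not value_name:
        # A blank value name adds a key, not a key/value pair.
        if value:
            problems.append("Value is set but Registry value name is blank; only the key is added")
        return problems
    if value_type == "DWORD":
        # Assumption: the value is typed in decimal.
        if not re.fullmatch(r"[0-9]+", value) or int(value) > 0xFFFFFFFF:
            problems.append("DWORD must be a 32-bit unsigned integer (0 to 4294967295)")
    elif value_type == "Binary":
        # Assumption: binary data is typed as hex byte pairs.
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
            problems.append("Binary value is not a sequence of hex byte pairs")
    return problems


def lint_delete_entry(key_path, value_name=""):
    """Warnings for one entry of the Delete registry keys and values policy."""
    try:
        parts = subkey_parts(key_path)
    except ValueError as err:
        return [str(err)]
    warnings = []
    if not value_name:
        warnings.append("Value is blank: the entire key is deleted, not a single value")
        if len(parts) <= 1:
            warnings.append("the key sits directly under the root key; confirm the scope")
    return warnings


if __name__ == "__main__":
    # Constructed sample entries; the first is the example used on this page.
    print(lint_registry_entry(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
                              "ProgramFilesDir", "String", r"C:\Program Files"))
    print(lint_registry_entry(r"HKLM\Software\Example", "Flag", "DWORD", "4294967296"))
    print(lint_delete_entry(r"HKEY_CURRENT_USER\Software"))
```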

Restrictions device policy (Windows Mobile/CE)

The Restrictions device policy allows or restricts certain features or functionality on user devices, such as the camera. You can also set security restrictions, as well as restrictions on media content and restrictions on the types of apps users can and cannot install. Most of the restriction settings default to On, which allows the feature.

Tip:

Any option for which you select On means that the user can perform the operation or use the feature. For example:

Camera. If On, the user can use the camera on their device. If Off, the user cannot use the camera on their device.

Windows Mobile/CE settings

  • Bluetooth/infrared beaming (Obex): Enable OBEX (OBject EXchange protocol) over Bluetooth or infrared to exchange data between devices.
  • Camera: Enable the camera on user devices.
  • WiFi switch: Allow users to switch WiFi networks.
  • Bluetooth: Enable Bluetooth on users’ devices.

Roaming device policy (Windows Mobile/CE)

You can add a device policy in XenMobile to configure whether to allow voice and data roaming. When voice roaming is disabled, data roaming is automatically disabled.

Windows Mobile/CE settings

  • While roaming
    • Use on-demand connection only: The device only connects to XenMobile if users manually trigger the connection on their devices or if a mobile application requests a forced connection, such as a push mail request if the Exchange Server has been set accordingly. This option temporarily disables the default device connection schedule policy.
    • Block all cellular connections except the ones managed by XenMobile: Except for the data traffic officially declared in a XenMobile application tunnel or other XenMobile device management task, no other data is sent or received by the device. For example, this option disables all connections to the Internet through the device’s web browser.
    • Block all cellular connections managed by XenMobile: All application data transiting through a XenMobile tunnel is blocked (including XenMobile Remote Support). The data traffic related to pure device management, however, is not blocked.
    • Block all cellular connections to XenMobile: Until the device is reconnected through USB, WiFi, or its default mobile operator cellular network, there is no traffic transiting between the device and XenMobile.
  • While domestic roaming
    • Ignore domestic roaming: No data is blocked while users roam domestically.

WiFi device policy (Windows Mobile/CE)

WiFi policies let you manage how users connect their devices to WiFi networks by defining the following items:

  • Network names and types
  • Authentication and security policies
  • Proxy server use
  • Other WiFi details

Prerequisites

Before you create a policy, be sure that you complete these steps:

  • Create any delivery groups that you plan to use.
  • Know the network name and type.
  • Know any authentication or security types that you plan to use.
  • Know any proxy server information that you might need.
  • Install any necessary CA certificates.
  • Have any necessary shared keys.
  • Create the PKI entity for certificate-based authentication.
  • Configure credential providers.

For more information, see Authentication and its subarticles.

Windows Mobile/CE settings

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Device-to-device connection (ad-hoc): Allows two devices to connect directly. Default is Off.
  • Network: Choose whether the device is connected to an external internet source or an Office intranet.
  • Authentication: In the list, choose the type of security to use with the WiFi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA-2 Enterprise

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows Mobile/CE

  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows Mobile/CE

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows Mobile/CE

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices by using Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.
  • Key provided (automatic): Choose whether the key is automatically provided. Default is Off.
  • Password: Type the password in this field.
  • Key index: Choose the key index. Available options are 1, 2, 3, and 4.
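
The following added example (not XenMobile code) reviews a WiFi policy written down as a dictionary keyed by the setting names above and reports the choices that weaken the connection. The dictionary representation, the function name, and both sample policies are constructed for the example.

```python
def audit_wifi_policy(policy):
    """Return (setting, finding) tuples for one WiFi policy; an empty list means no findings."""
    findings = []
    auth = policy["Authentication"]

    def is_on(setting):
        return policy.get(setting) == "On"

    if auth == "Open":
        findings.append(("Authentication",
                         "Open network: traffic is not encrypted at the WiFi layer"))
        if is_on("Connect automatically"):
            findings.append(("Connect automatically",
                             "the device joins any access point advertising this SSID "
                             "without authenticating it"))
    elif auth == "WPA Personal":
        findings.append(("Authentication",
                         "WPA is superseded by WPA-2; choose WPA-2 Personal or WPA-2 Enterprise"))

    if auth != "Open" and policy.get("Encryption") == "TKIP":
        findings.append(("Encryption", "TKIP is deprecated; use AES, the default"))

    if is_on("Device-to-device connection (ad-hoc)"):
        findings.append(("Device-to-device connection (ad-hoc)",
                         "direct device-to-device connections are enabled; the default is Off"))

    if auth == "WPA-2 Enterprise":
        scep = is_on("Push certificate via SCEP")
        if policy.get("EAP Type") == "TLS" and not scep:
            findings.append(("Push certificate via SCEP",
                             "EAP-TLS needs a client certificate; confirm that it reaches "
                             "the device another way"))
        if scep and policy.get("Credential provider for SCEP", "None") == "None":
            findings.append(("Credential provider for SCEP",
                             "SCEP push is On but no credential provider is selected"))
    return findings


# Constructed sample policies: a weak one and a corrected one.
WEAK_POLICY = {
    "Network name": "corp-legacy",
    "Device-to-device connection (ad-hoc)": "On",
    "Authentication": "WPA Personal",
    "Encryption": "TKIP",
    "Connect automatically": "On",
}
CORRECTED_POLICY = {
    "Network name": "corp-secure",
    "Device-to-device connection (ad-hoc)": "Off",
    "Authentication": "WPA-2 Enterprise",
    "Encryption": "AES",
    "EAP Type": "TLS",
    "Connect automatically": "On",
    "Push certificate via SCEP": "On",
    "Credential provider for SCEP": "example-scep-provider",  # placeholder name
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name)
        for setting, finding in audit_wifi_policy(policy):
            print(f"  {setting}: {finding}")
```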

Windows CE certificate device policy (Windows Mobile/CE)

You can create a device policy in XenMobile to create and deliver Windows Mobile/CE certificates from an external PKI to users’ devices.

Windows CE settings

  • Credential provider: In the list, click the credential provider. The default is None.
  • Password of generated PKCS#12: Type the password used to encrypt the credential.
  • Destination folder: In the list, click the destination folder for the credential or click Add new to add a folder not already in the list. The predefined options are:
    • %Flash Storage%\
    • %XenMobile Folder%\
    • %Program Files%\
    • %My Documents%\
    • %Windows%\
  • Destination file name: Type the name of the credential file.

XenMobile options device policy (Windows Mobile/CE)

You add a XenMobile options policy to configure Secure Hub behavior when connecting to XenMobile from Windows Mobile/CE devices.

Windows Mobile/CE settings

  • Device agent configuration
    • XenMobile backup configuration: In the list, click an option for backing up the XenMobile configuration on the users’ devices. The default is Disabled. Available options are:
      • Disabled
      • At the first connection after XenMobile installation
      • At the first connection after each device reboot
    • Connect to the office network
    • Connect to the Internet network
    • Connect to the built-in office network: When set to On, XenMobile automatically detects the network.
    • Connect to the built-in Internet network: When set to On, XenMobile automatically detects the network.
    • Tray bar notification - hide tray bar icon: Select whether the tray bar icon is hidden or visible. The default is Off.
    • Connection time-out(s): Type the length of time in seconds that a connection can be idle before the connection times out. The default is 20 seconds.
    • Keep-alive interval(s): Type the length of time in seconds to keep a connection open. The default is 120 seconds.
  • Remote support
    • Prompt the user before allowing remote control: Select whether to prompt the user before allowing remote support control. The default is Off.
    • Before a file transfer: In the list, click whether to warn the user about a file transfer or whether to ask the user for permission. Available values: Do not warn the user, Warn the user, and Ask for user permission. The default is Do not warn the user.

XenMobile uninstall device policy (Windows Mobile/CE)

You can add a device policy in XenMobile to uninstall XenMobile from Windows Mobile/CE devices. When deployed, this policy removes XenMobile from all devices in the deployment group.

Windows Mobile/CE settings

  • Uninstall XenMobile from devices: Select whether to uninstall XenMobile from every device to which you deploy this policy. The default is Off.