- What's new
- System requirements
- Onboarding and resource setup
- About XenMobile Service
Certificates and authentication
- NetScaler Gateway and XenMobile
- Domain or domain plus security token authentication
- Client certificate or certificate plus domain authentication
- PKI entities
- Credential providers
- APNs certificates
- SAML for single sign-on with ShareFile
- Single sign in with Azure Active Directory
- Derived credentials for iOS
- User accounts, roles, and enrollment
- ActiveSync Gateway
- Android for Work
- Bulk enrollment of Apple devices
- Bulk enrollment of Windows devices
- Client properties
- Deploy devices through Apple DEP
- Device enrollment limit
- Enroll devices
- Firebase Cloud Messaging
- Google Play credentials
- Integrate with Apple Education features
- Network Access Control
- Samsung KNOX
- Security actions
- Shared devices
- Workspace hub device management
- XenMobile Autodiscovery Service
- AirPlay mirroring device policy
- AirPrint device policy
- Android for Work app restriction policy
- Android for Work app permissions
- APN device policy
- App access device policy
- App attributes device policy
- App configuration device policy
- App inventory device policy
- Application Guard device policy
- App lock device policy
- App network usage device policy
- Apps notifications device policy
- App restrictions device policy
- App tunneling device policy
- App uninstall device policy
- App uninstall restrictions device policy
- BitLocker device policy
- Browser device policy
- Calendar (CalDav) device policy
- Cellular device policy
- Connection scheduling device policy
- Contacts (CardDAV) device policy
- Control OS Updates device policy
- Copy Apps to Samsung Container device policy
- Credentials device policy
- Custom XML device policy
- Defender device policy
- Device Guard device policy
- Device Health Attestation device policy
- Device name device policy
- Education Configuration device policy
- Enterprise Hub device policy
- Exchange device policy
- Files device policy
- FileVault device policy
- Firewall device policy
- Font device policy
- Home screen layout device policy
- Import Device Configuration device policy
- Import iOS & macOS Profile device policy
- Kiosk device policy
- Launcher configuration device policy for Android
- LDAP device policy
- Location device policy
- Lock screen message device policy
- Mail device policy
- Managed bookmarks device policy
- Managed domains device policy
- Maps device policy
- Maximum resident users device policy
- MDM options device policy
- Office device policy
- Organization information device policy
- Passcode device policy
- Passcode lock grace period device policy
- Personal hotspot device policy
- Power management device policy
- Profile Removal device policy
- Provisioning profile device policy
- Provisioning profile removal device policy
- Proxy device policy
- Restrictions device policy
- Roaming device policy
- Samsung MDM license key device policy
- SCEP device policy
- Siri and dictation policies
- SSO account device policy
- Storage encryption device policy
- Store device policy
- Subscribed calendars device policy
- Terms and conditions device policy
- VPN device policy
- Wallpaper device policy
- Web content filter device policy
- Webclip device policy
- WiFi device policy
- Windows Agent device policy
- Windows Hello for Business device policy
- Windows Information Protection device policy
- XenMobile options device policy
- XenMobile uninstall device policy
- Deprecated device policies
- Add apps
- Add media
- Deploy resources
- Automated actions
- Monitor and support
- REST APIs
- XenMobile Mail Manager 10.x
- XenMobile NetScaler Connector
- Management modes
- Device requirements
- Security and user experience
- User communities
- Email strategy
- XenMobile integration
- Integrating with NetScaler Gateway and NetScaler
- SSO and proxy considerations for MDX Apps
- Server properties
- Device and app policies
- User enrollment options
- Tuning XenMobile operations
- App provisioning and deprovisioning
- Dashboard-based operations
- Role-Based Access Control and XenMobile support model
- Systems monitoring
- Citrix support process
- Sending group enrollment invitations in XenMobile
- Configuring certificate-based authentication with EWS for Secure Mail push notifications
- Configuring an on-premises Device Health Attestation server
- XenMobile deployment
ActiveSync is a mobile data synchronization protocol developed by Microsoft. ActiveSync synchronizes data with handheld devices and desktop (or laptop) computers.
You can configure ActiveSync Gateway rules in XenMobile. Based on these rules, you can allow or deny devices access to ActiveSync data. For example, if you activate the rule Missing Required Apps, XenMobile checks the App Access Policy for required apps and denies access to ActiveSync data if the required apps are missing. For each rule, you can choose either Allow or Deny. The default setting is Allow.
For more information about the App Access device policy, see App access device policy.
XenMobile supports the following rules:
Anonymous Devices: Checks if a device is in anonymous mode. This check is available if XenMobile can’t re-authenticate the user when a device attempts to reconnect.
Failed Samsung KNOX attestation: Checks if a device failed a query of the Samsung KNOX attestation server.
Forbidden Apps: Checks if a device has forbidden apps, as defined in an App Access policy.
Implicit Allow and Deny: This action is the default for the ActiveSync Gateway. The gateway creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies connections based on that list. If no rule matches, the default is Implicit Allow.
Inactive Devices: Checks if a device is inactive as defined by the Device Inactivity Days Threshold setting in Server Properties.
Missing Required Apps: Checks if a device is missing required apps, as defined in an App Access policy.
Non-suggested Apps: Checks if a device has non-suggested apps, as defined in an App Access policy.
Noncompliant Password: Checks if the user password is compliant. On iOS and Android devices, XenMobile can determine whether the password currently on the device is compliant with the passcode policy sent to the device. For instance, on iOS, the user has 60 minutes to set a password if XenMobile sends a passcode policy to the device. Before the user sets the password, the passcode might be non-compliant.
Out of Compliance Devices: Checks whether a device is out of compliance, based on the Out of Compliance device property. That property is usually changed by the automated actions or by a 3rd party leveraging XenMobile APIs.
Revoked Status: Checks whether the device certificate was revoked. A revoked device cannot re-enroll until it is authorized again.
Rooted Android and Jailbroken iOS Devices: Checks whether an Android or iOS device is jailbroken.
Unmanaged Devices: Check whether a device is still in a managed state, under XenMobile control. For example, a device running in MAM mode or an un-enrolled device is not managed.
Send Android domain users to ActiveSync Gateway: Click YES to ensure that XenMobile sends Android device information to the ActiveSync Gateway.
In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
Under Server, click ActiveSync Gateway. The ActiveSync Gateway page appears.
In Activate the following rules, select one or more rules you want to activate.
In Android-only, in Send Android domain users to ActiveSync Gateway, click YES to ensure that XenMobile sends Android device information to the ActiveSync Gateway.