What's new in XenMobile Service

Jan 16, 2018

A goal of Citrix is to deliver new features and product updates to XenMobile Service customers when they are available. New releases provide more value, so there's no reason to delay updates. Rolling updates to XenMobile Service are released approximately every three weeks. This release cadence began in August 2016.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

If you are a XenMobile Service customer, you also receive XenMobile Service updates and communications directly from the XenMobile Cloud Ops Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the service level goal for XenMobile Service cloud scale and service availability, see Service Level Goal. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

XenMobile Service 10.7.6

Device Guard policy for Windows 10 devices

Device Guard is a Windows 10 security feature that enables virtualization-based security by using the Windows Hypervisor to support security services on the device. By using a new device policy, Device Guard, you can enable security features such as secure boot, UEFI lock, and virtualization.

Prerequisites:

  • Windows 10 Desktops and Tablets with an Enterprise or Education license on version 1709 (RS3)
  • Device Guard enabled in Windows

For more information on Device Guard, see https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage.

Go to Configure > Device Policies to add the Device Guard policy. Configure these settings:

  • Enable Virtualization Based Security: Disables or enables virtualization-based security features. Virtualization-based security uses the Windows Hypervisor to support security services.
  • LSA Configuration Flags: Allows you to configure Credential Guard. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Options are Off, On with UEFI Lock, and On without UEFI Lock. Default is Off.
  • Require Platform Security Features: Specifies the platform security level at the next reboot. Options are Off, VBS with Secure Boot, and VBS with Secure Boot and direct memory access (DMA). Default is Off.

XenMobile queries a device to determine if the virtualization based security settings match the settings on the server. If they do match, XenMobile doesn't deploy this policy to the device. If the security settings do not match, XenMobile deploys the policy.
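Because the Credential Guard and platform security settings take effect only at the next reboot, a device can hold the configured values while the running session still does not enforce them. The following read-only PowerShell check is an added example, not Citrix code or part of XenMobile, and reports both states on the device. The `$Expected` values are constructed samples, and the registry keys are the locations Windows documents for these settings; where values applied through MDM surface in the registry on a given build is an assumption, so treat the `Win32_DeviceGuard` output as the effective state.

```powershell
# Added example: read-only check of Device Guard settings on a Windows 10 device.
# $Expected is a constructed sample; set it to the values your policy specifies.
$Expected = [ordered]@{
    EnableVirtualizationBasedSecurity = 1  # 1 = enabled
    LsaCfgFlags                       = 1  # 1 = on with UEFI lock, 2 = on without UEFI lock
    RequirePlatformSecurityFeatures   = 3  # 1 = Secure Boot, 3 = Secure Boot and DMA
}

# Registry keys where Windows documents these values (policy key first, then local key).
$DgPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$Keys = @{
    EnableVirtualizationBasedSecurity = $DgPolicy, 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    LsaCfgFlags                       = $DgPolicy, 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    RequirePlatformSecurityFeatures   = $DgPolicy, 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
}

function Get-ConfiguredValue([string[]]$Path, [string]$Name) {
    foreach ($p in $Path) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null  # value not present under any listed key
}

# Configured state: what takes effect at the next reboot.
$configured = foreach ($name in $Expected.Keys) {
    $actual = Get-ConfiguredValue -Path $Keys[$name] -Name $name
    [pscustomobject]@{
        Setting = $name; Expected = $Expected[$name]; Configured = $actual
        Match   = ($actual -eq $Expected[$name])
    }
}
$configured | Format-Table -AutoSize

# Running state: what the current boot session actually enforces.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 0 off, 1 enabled, 2 running
    CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
    SecureBootRequired     = ($dg.RequiredSecurityProperties -contains 2)   # 2 = Secure Boot
    DmaProtectionRequired  = ($dg.RequiredSecurityProperties -contains 3)   # 3 = DMA protection
} | Format-List
```

A row with `Match` true but `VbsRunning` or `CredentialGuardRunning` false usually means the device has not rebooted since the policy was applied, or the hardware does not meet the required platform security level.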

Configure firewalls on Windows 10 devices

You can now configure firewalls on Windows 10 Desktop and Tablet devices running Windows 10 RS3 and later. Go to Configure > Device Policies and add or edit the Firewall policy.

Configure these settings:

  • Enable Feature: Controls incoming and outgoing traffic on computers to which this policy is deployed. Default is On.
  • Public Profile: Controls Windows Firewall while computers are connected to untrusted networks at public places, such as at an airport or coffee shop. Default is On.
  • Private Profile: Controls Windows Firewall while computers are connected to trusted networks, such as their home network. Default is On.
  • Domain Profile: Controls Windows Firewall while the computers are connected to the domain networks, such as at their workplace. Default is On.
  • Windows Firewall: Control incoming and outgoing traffic on computers to which this policy is deployed.
  • Block all incoming connections, including those in the list of allowed programs: Default is Off.
  • Disable notifications to user when Firewall blocks a new program: Default is Off.

Server property changes to improve server tuning

For several server properties used to tune XenMobile operations, the default values now match the recommendations provided in Tuning XenMobile Operations.

Here are the updated server properties, with their new default values shown in parentheses:

  • hibernate.c3p0.timeout (120 sec)
  • Push Services Heartbeat Interval: ios.apns.heartbeat.interval, windows.wns.heartbeat.interval, gcm.heartbeat.interval (20 hours)
  • auth.ldap.connect.timeout (60000)
  • auth.ldap.read.timeout (60000)
  • iOS MDM APNs Connection Pool Size (10)
  • Background Deployment (1440 minutes)
  • Background Hardware Inventory (1440 minutes)
  • Interval for check deleted Active Directory user (15 minutes)

In addition, the default value for the following server property has changed to the setting recommended in Server Properties.

  • Block Enrollment of Rooted Android and Jailbroken iOS Devices (true)

You can now further tune XenMobile Server through the following custom server properties that were previously undocumented.

Custom Key: hibernate.c3p0.min_size

This XenMobile Server property, a Custom Key, determines the minimum number of connections that XenMobile opens to the SQL Server database. Default is 50.

To change this setting, you must add a server property to XenMobile Server with the following configuration:

Key: Custom Key

Key: hibernate.c3p0.min_size

Value: 50

Display name: hibernate.c3p0.min_size=nnn

Description: DB connections to SQL

Custom Key: hibernate.c3p0.idle_test_period

This XenMobile Server property, a Custom Key, determines the idle time in seconds before a connection is automatically validated. Default is 30.

To change this setting, you must add a server property to XenMobile Server with the following configuration:

Key: Custom Key

Key: hibernate.c3p0.idle_test_period

Value: 30

Display name: hibernate.c3p0.idle_test_period=nnn

Description: Hibernate idle test period

Fixed issues in this release

After you upgrade XenMobile from version 10.5 to 10.6, when you carry out an action on a device, such as a device wipe: The server logs loop on the security action and the database size increases significantly. [CXM-43020]

If the display name for a server property is set to NULL: Searching for any string on the Settings > Server Properties page results in a "500 Internal Server Error". [CXM-43469]

Known issues in this release

On the Manage > Devices page, when you edit an iOS device and go to the Apps tab: The Version column doesn't include the revision number for Secure Hub and MDX apps. [CXM-40183]

For a Restrictions device policy for Samsung SAFE: The Browser, YouTube, and Google Play/Marketplace options have been removed. Use the Disable Applications option to enable or disable those features. [CXM-43043]