What’s new

Apr 17, 2018

A goal of Citrix is to deliver new features and product updates to XenMobile Service customers as soon as they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to the XenMobile Service are released approximately every three weeks. This release cadence began in August 2016.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

If you are a XenMobile Service customer, you also receive XenMobile Service updates and communications directly from the XenMobile Cloud Ops Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the service level goal for the XenMobile Service for cloud scale and service availability, see Service Level Goal. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

XenMobile Server documentation: The XenMobile Server documentation covers the latest on-premises release of XenMobile Server. For details about using the XenMobile console, see the articles under XenMobile Server. The XenMobile Server documentation indicates features that apply only to on-premises deployments. Citrix notifies you when the What’s new articles for XenMobile Service are updated for a new release.

XenMobile Service 10.18.4

The latest version of XenMobile has these new features and improvements:

Manage OS updates to Chromebook devices

You can now use the Control OS Update device policy to deploy OS updates to Chromebook devices. To configure the policy, go to Configure > Device Policies and add or edit the Control OS Update device policy.

Image of Device Policies configuration screen

Configure these settings:

  • Update enabled: Specifies whether to update Chromebook devices automatically to a newly released version of Chrome OS. Default is Off.
  • Reboot after update: Specifies whether to reboot a Chromebook device the next time that the user signs out after a successful automatic update. Default is Off.
  • Target platform version prefix: If a device is on an older version, this setting specifies the prefix of the target version to update to. For Chrome platform versions, see https://chromereleases.googleblog.com/. If a device is already on a version with the given prefix, no update occurs. If the device is on a higher version, it remains on the higher version. Rollback isn’t supported. Default is empty.

    Use one of the following version formats:

    • "" or unset: Update to the latest version available.
    • 10323.: Update to any minor version of 10323 (for example, 10323.58.0).
    • 10323.58.: Update to any minor version of 10323.58 (for example, 10323.58.0).
    • 10323.58.0: Update to this specific version only.
  • Delay update period: Specifies how long a device can wait before downloading an update. The delay is counted from the time the update first deploys to the server. The device might wait a portion of this time in terms of wall clock time and the remaining portion in terms of the number of update checks. The maximum duration value is 14 days. Default is 0.
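The prefix rules above are easy to misread when a fleet runs mixed versions. The following Python is an added example, not Citrix or Google code, that applies the stated rules (empty prefix tracks the latest version; a device already on a matching version stays; a device on a higher version keeps it because rollback is not supported; anything else updates) and also range-checks the Delay update period. A trailing dot marks a prefix, a value without one is an exact version; the device versions used are constructed.

```python
"""Evaluate the Control OS Update "Target platform version prefix" rules.

Added example, not Citrix or Google code. The decision rules are the ones the
policy description gives; the fleet versions in __main__ are constructed.
"""
from __future__ import annotations
import re

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
MAX_DELAY_DAYS = 14  # upper bound stated for "Delay update period"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "10323.58.0" into (10323, 58, 0) so versions compare numerically."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome OS platform version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def decide_update(device_version: str, target_prefix: str) -> str:
    """Return "update", "stay" (already on a matching version) or "keep_higher"."""
    target = target_prefix.strip()
    if target == "":
        return "update"  # unset prefix: the device tracks the latest available version
    is_prefix = target.endswith(".")  # "10323." or "10323.58." versus exact "10323.58.0"
    target_parts = parse_version(target[:-1] if is_prefix else target)
    device_parts = parse_version(device_version)
    if is_prefix:
        matches = device_parts[: len(target_parts)] == target_parts
    else:
        matches = device_parts == target_parts
    if matches:
        return "stay"  # already on a version with the given prefix: no update occurs
    if device_parts > target_parts:
        return "keep_higher"  # rollback is not supported
    return "update"


def plan_fleet(devices: dict[str, str], target_prefix: str) -> dict[str, list[str]]:
    """Group device names by the action the policy would take on each of them."""
    plan: dict[str, list[str]] = {"update": [], "stay": [], "keep_higher": []}
    for name, version in devices.items():
        plan[decide_update(version, target_prefix)].append(name)
    return plan


def validate_delay_days(days: int) -> int:
    """Reject a delay outside the 0..14 day range the policy allows."""
    if not 0 <= days <= MAX_DELAY_DAYS:
        raise ValueError(f"delay must be between 0 and {MAX_DELAY_DAYS} days, got {days}")
    return days


if __name__ == "__main__":
    # Constructed fleet: the version numbers are illustrative, not real releases.
    fleet = {"lab-01": "10176.76.0", "lab-02": "10323.58.0", "lab-03": "10452.13.0"}
    print(plan_fleet(fleet, "10323."))
    print("delay ok:", validate_delay_days(7))
```

Running `plan_fleet` against an inventory export before changing the prefix shows which devices will move, which will stay, and which are already past the target and will not roll back.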

Chromebook device power management settings

You can control how Chromebook devices respond to idle periods when using AC or battery power. To manage power settings, go to Configure > Device Policies, add the Power Management device policy, and configure these settings.

Image of Device Policies configuration screen

The following settings appear for both AC and Battery.

  • Idle delay: The length of time without user input before taking the idle action. Specify in milliseconds. Default is 0.

  • Idle warning delay: The length of time without user input before showing a warning dialog. Specify in milliseconds. Default is 0.

  • Screen dim delay: The length of time without user input before dimming the screen. Specify in milliseconds. Default is 0.

  • Screen off delay: The length of time without user input before turning off the screen. Specify in milliseconds. Default is 0.

  • Idle action: Action to take after reaching the idle delay: Suspend, Logout, Shutdown, Do Nothing. Default is Suspend.

App Restrictions device policy for Chrome OS

You use the App Restrictions device policy to specify allowed or blocked Chrome apps and Android apps running on Chrome OS. If you enable App Runtime for Chrome (ARC) in the Restrictions device policy, you configure Android app restrictions under Android apps in the XenMobile App Restrictions device policy.

To configure app restrictions, go to Configure > Device Policies, add the App Restrictions policy, and then configure these settings for Chrome OS.

Chrome app settings:

Chrome apps are both apps and extensions.

Image of Device Policies configuration screen

  • App install allowed: A global setting to allow or block the installation of all Chrome apps on Chromebook devices. If you choose Allowed, you can create a list of specific blocked apps. If you choose Not allowed, you can create a list of specific allowed apps. To do that, click Add under Chrome apps. To use the settings specified in your Chrome account, select Unspecified. Default is Allowed.
  • Chrome apps: To add Chrome apps that are exceptions to your selection for the App install allowed setting, click Add and then specify these settings:

    • App name: A name used to identify an app in the XenMobile console.
    • App ID: The unique identifier for a Chrome app. Don’t include the prefix “app:”.

    To look up a Chrome app ID: Go to the Chrome store, https://chrome.google.com/webstore, and search for the app. Click the app to view the URL and app ID in the address bar. The last portion of the address is the app ID. For example, if the URL is https://chrome.google.com/webstore/detail/citrix-intranet/hjacpdaecmilhndcbllidcgaaicdlpff, the app id is “hjacpdaecmilhndcbllidcgaaicdlpff”.

    You can look up Chrome apps only from Chromebook. You can look up Chrome extensions from any platform.

    • App install allowed: Creates an exception to the global setting above. This setting allows or blocks the specified Chrome app.
    • Installed: If On, forces the Chrome app to install for enrolled Chromebook users. If Off and an app is installed, the app is uninstalled. If Off and the app is no longer configured by the policy, the app remains installed. Default is Off.
    • Pinned: If On, pins the app to the Chromebook task bar. Default is Off.
    • URL: Specifies the URL from which users can download an app that isn’t hosted in the Chrome Web Store.
    • Extension policy: Defines, in JSON format, the app-specific policy defined by this app. For information, see Manifest for storage areas.

Android app settings:

To enable enrolled Chromebook users to run Android apps, configure the Restrictions device policy as noted in the next section “Enable enrolled Chromebook users to run Android apps.” To configure ARC app restrictions, click Add under Android apps and then specify these settings.

Image of Device Policies configuration screen

  • App ID: A unique app identifier for an Android app running on Chrome OS. For example: com.android.camera. Don’t include the prefix “app:”.

    To look up an Android app ID: Go to the Google Play store, https://play.google.com/store, and search for the app. Click the app to view the app ID in the address bar. The portion after “id=” is the app ID. For example, if the URL is https://play.google.com/store/apps/details?id=com.citrix.Receiver, the app id is com.citrix.Receiver.

  • Installed: Specifies whether to force the Android app to install for enrolled Chromebook users. If Off and an app is installed, the app is uninstalled. If Off and the app is no longer configured by the policy, the app remains installed. Default is Off.
  • Pinned: If On, pins the Android app to the Chromebook task bar. Default is Off.
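Both the Chrome app ID lookup and the Android app ID lookup above come down to reading one piece of a store URL and entering it without the "app:" prefix. The following Python is an added example, not Citrix or Google code, that extracts both kinds of ID from their URLs and checks their form before they go into an allow- or block-list (a Chrome app ID is 32 lowercase letters in the range a-p; an Android ID is a dotted package name). The two URLs from the documentation are used as inputs; the other inputs are constructed.

```python
"""Derive App Restrictions app IDs from store URLs and check their form.

Added example, not Citrix or Google code. The Chrome Web Store and Play Store
URLs are the ones quoted in the documentation; other inputs are constructed.
"""
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlparse

CHROME_APP_ID_RE = re.compile(r"^[a-p]{32}$")
ANDROID_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def chrome_app_id_from_url(url: str) -> str:
    """Return the app ID that ends a Chrome Web Store detail URL."""
    parsed = urlparse(url)
    if parsed.netloc != "chrome.google.com" or not parsed.path.startswith("/webstore/detail/"):
        raise ValueError(f"not a Chrome Web Store detail URL: {url}")
    app_id = parsed.path.rstrip("/").rsplit("/", 1)[-1]
    if not CHROME_APP_ID_RE.match(app_id):
        raise ValueError(f"URL does not end in a 32-letter app ID: {app_id!r}")
    return app_id


def android_app_id_from_url(url: str) -> str:
    """Return the package name carried in the id= parameter of a Play Store URL."""
    parsed = urlparse(url)
    if parsed.netloc != "play.google.com":
        raise ValueError(f"not a Google Play URL: {url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not ANDROID_PACKAGE_RE.match(ids[0]):
        raise ValueError(f"no valid id= package name in: {url}")
    return ids[0]


def normalise_app_id(value: str) -> tuple[str, str]:
    """Accept a store URL or a bare ID (with or without "app:") and return (platform, id).

    platform is "chrome" or "android". A value that fits neither format is
    rejected so that a typo does not silently become a list entry that never matches.
    """
    value = value.strip()
    if value.startswith(("http://", "https://")):
        host = urlparse(value).netloc
        if host == "chrome.google.com":
            return "chrome", chrome_app_id_from_url(value)
        if host == "play.google.com":
            return "android", android_app_id_from_url(value)
        raise ValueError(f"unrecognised store host: {host}")
    if value.startswith("app:"):
        value = value[len("app:"):]  # the console expects the bare ID without this prefix
    if CHROME_APP_ID_RE.match(value):
        return "chrome", value
    if ANDROID_PACKAGE_RE.match(value):  # package names always contain a dot, so no overlap
        return "android", value
    raise ValueError(f"not a Chrome app ID or Android package name: {value!r}")


if __name__ == "__main__":
    for entry in (
        "https://chrome.google.com/webstore/detail/citrix-intranet/hjacpdaecmilhndcbllidcgaaicdlpff",
        "https://play.google.com/store/apps/details?id=com.citrix.Receiver",
        "app:com.android.camera",
    ):
        print(normalise_app_id(entry))
```

Feeding every list entry through `normalise_app_id` before saving the policy catches truncated Chrome IDs and pasted "app:" prefixes, both of which the console would otherwise accept as entries that match nothing.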

Enable enrolled Chromebook users to run Android apps

To enable enrolled Chromebook users to run Android apps: Go to Configure > Device Policies and add a Restrictions device policy for Chrome OS with the setting Enable App Runtime for Chrome (ARC) enabled.

  • Enable App Runtime for Chrome (ARC): If On, allows enrolled Chromebook users to run Android apps. Specify ARC apps in the XenMobile App Restrictions device policy. Requires G Suite Chrome configuration. ARC isn’t available if either Ephemeral mode or multiple sign-on is enabled in the current user session. If Off, enterprise Chromebook users can’t run Android apps. The default is On.

Manage bookmarks for Chromebook devices

You can deploy a folder of bookmarks to Chromebook devices. To manage the bookmarks, go to Configure > Device Policies, add the Managed Bookmarks policy, and then configure these settings:

Image of Device Policies configuration screen

  • Folder name: The name of a bookmark folder to deploy to Chromebook devices.
  • Name: The name of a bookmark.
  • Bookmark: The URL for the bookmark.

Fixed issues in XenMobile Service 10.18.4

After you delete a Chromebook or Workspace hub device using the XenMobile action: The devices continue to show in the XenMobile console until after you refresh it. [CXM-46418]

When you change users to a different Active Directory security group: For enrolled iOS devices, XenMobile Service does not detect the change, update the delivery group membership, or push new policies to the devices. [CXM-47370]

After an update to XenMobile Service 10.18.2 or 10.18.3, the Export button is missing from the Manage > Users and Manage > Enrollment Invitations pages. [CXM-47974]

Device screen sharing (Preview feature)

You can now view the screen of a remote device from your XenMobile Service console. Screen sharing is supported on MDM-managed iOS devices. To enable screen sharing, users run the AetherPal Mobile Support Management app (AetherPalMSM) on the remote device. You can view the remote device screen in read-only mode.

This feature gives you a real-time view of reported issues and lets you diagnose efficiently and help rectify the issues.

Ensure the following prerequisites on the remote device:

  • MDM-managed iOS devices
  • Submit an activation request at the AetherPal activation site. Alternatively, email citrixsales@aetherpal.com.
  • The remote device must have outbound connectivity to https://xenmobile.aetherpal.com.
  • The remote device must run iOS version 11 or later. On devices running iOS versions 9.3 to 11, live streaming of the screen is not supported; however, the user can share static screenshots.

To set up screen sharing, first define the AetherPalMSM app and the corresponding configuration policy, and then push them to the user device.

  1. Add the AetherPalMSM app. Follow the steps described in Add a public app store app in the Add apps article. On the App Information page, under Platforms, choose iOS and clear the others.
  2. Add an App Configuration device policy for the AetherPalMSM app. Follow the steps described in App configuration device policy.

    • In the App Configuration Policy page, under Platforms, choose iOS and clear the others.
    • In the Identifier drop-down, select the app you defined earlier.
    • Enter the Dictionary Content provided by AetherPal on customer activation.
  3. Deploy to the Delivery Group. Deploy the AetherPalMSM app as a required app. Also, deploy the App Configuration device policy. Follow the steps described in Deploy resources.

    The AetherPalMSM app is now available on the remote device when the device connects to the XenMobile Service.

    • Instruct the user to accept the app and allow its installation.
    • Instruct the user to launch the app. The provisioning information provided via the app configuration policy gets loaded and the device gets enrolled with the AetherPal server.
    • Instruct the user to initiate screen sharing from the AetherPalMSM app on the remote device as described in the Citrix-Remote Management Guide (download link) from AetherPal.
  4. Launch screen sharing. From the XenMobile Service console, go to the Monitor tab, search for the user, and select the device you want to troubleshoot. On the Device Details page, click Screen Sharing. This button is enabled only when the device is MDM-managed and enrolled with the AetherPal server.

    Image of Monitor configuration screen

  5. A new tab opens in your browser. It shows the status of your connection to the remote device.

    Image of Monitor configuration screen

  6. After the connection establishes, a 4-digit PIN appears. Share this PIN with the user. Instruct the user to type this PIN in the AetherPalMSM app to permit screen sharing.

    Image of Monitor configuration screen

    The remote device screen is now available on your browser.

    Image of screen sharing on device

    Share your feedback about the usage of this feature on the Citrix Cloud discussion forum.

XenMobile Service 10.18.3

The latest version of XenMobile has these new features and improvements:

Set up G Suite partner access for XenMobile

Some end-point management features for Chrome use Google partner APIs to communicate between XenMobile and your G Suite domain. For example, XenMobile requires the APIs for device policies that manage Chrome features such as Incognito mode and Guest mode.

To enable the partner APIs, you set up your G Suite domain in the XenMobile console and then configure your G Suite account.

Set up your G Suite domain in XenMobile

To enable XenMobile to communicate with the APIs in your G Suite domain, go to Settings > Google Chrome Configuration and configure the settings.

Image of Google Chrome settings screen

  • G Suite domain: The G Suite domain that hosts the APIs needed by XenMobile.
  • G Suite admin account: The administrator account for your G Suite domain.
  • G Suite client ID: The client ID for Citrix. Use this value to configure partner access for your G Suite domain.
  • G Suite enterprise ID: The enterprise ID for your account, filled in from your Google enterprise account.

Enable partner access for devices and users in your G Suite domain

  1. Log in to the Google admin console: https://admin.google.com

  2. Click Device Management.

    Image of Google administrator console

  3. Click Chrome management.

    Image of Google administrator console

  4. Click User settings.

    Image of Google administrator console

  5. Search for Chrome Management - Partner Access.

    Image of Google administrator console

  6. Select the Enable Chrome Management - Partner Access check box.

  7. Agree that you understand and want to enable partner access. Click Save.

  8. In the Chrome management page, click Device Settings.

    Image of Google administrator console

  9. Search for Chrome Management - Partner Access.

    Image of Google administrator console

  10. Select the Enable Chrome Management - Partner Access check box.

  11. Agree that you understand and want to enable partner access. Click Save.

  12. Go to the Security page and then click Advanced Settings.

    Image of Google administrator console

  13. Click Manage API client Access.

  14. In the XenMobile console, go to Settings > Google Chrome Configuration and copy the value of G Suite Client ID. Then, return to the Manage API client Access page and paste the copied value to the Client Name field.

  15. In One or More API Scopes, add the URL: https://www.googleapis.com/auth/chromedevicemanagementapi

    Image of Google administrator console

  16. Click Authorize.

    The message “Your settings have been saved” appears.

More device management settings for Chrome OS

The XenMobile Restrictions device policy has new settings that let you manage user-specific properties for Chromebook devices from the XenMobile console.

Image of Device Policies configuration screen

  • Disable Incognito mode: If On, Chromebook device users can’t open an Incognito window in Chrome. Requires G Suite Chrome configuration. The default is Off.
  • Disable Guest user mode: If On, guest users can’t sign on to Chromebook devices. Requires G Suite Chrome configuration. The default is Off.
  • Single sign-on IdP redirection: If On, enables SAML-based single sign-on. Requires G Suite Chrome configuration. The default is On.
  • Single sign-on cookie behavior: If On, transfers cookies set by a SAML IdP to user profiles each time a user signs on with SAML credentials. If Off, cookies transfer during the first sign-on only. Requires G Suite Chrome configuration. The default is On.

Application Guard device policy for Windows 10 devices

The Application Guard device policy is now available for Windows 10 devices. The policy applies to the Microsoft Edge browser only. Windows Defender Application Guard protects your environment from sites that your organization hasn’t defined as trusted. When users visit sites that aren’t listed in your isolated network boundary, the sites open in a virtual browsing session in Hyper-V. Enterprise cloud resources define trusted sites.

This feature is only available for Windows 10 (64-bit) enterprise devices and OS version 1709. A device restart is required to install the Windows Defender Application Guard.

Image of Device Policies configuration screen

  • Application Guard: Enables Application Guard. Default is Off.
    • Enterprise Cloud Resources: A comma-separated list of enterprise cloud domains.
  • Clipboard Behavior: Controls which directions content can be copied and pasted. The options are as follows:

    • Not configured
    • Allow copy and paste from browser to PC only: Allows users to copy and paste content only from their browser to their PC.
    • Allow copy and paste from PC to browser only: Allows users to copy and paste content only from their PC to their browser.
    • Allow copy and paste between PC and browser: Allows users to copy and paste content freely between their PC and browser.
    • Block copy and paste between PC and browser: Does not allow users to copy and paste content between their PC and browser.
  • Clipboard Content: Controls which content users can copy and paste. The options are as follows:
    • Not configured
    • Allow text copying: Allows users to copy text only.
    • Allow image copying: Allows users to copy images only.
    • Allow both text and image copying: Allows users to copy both text and images.
  • Block external content on enterprise sites: If On, Windows Defender Application Guard prevents content from unapproved sites from loading on enterprise sites. Default is Off.
  • Retain user-generated browser data: If On, allows saving user data created during an Application Guard virtual browsing session. This data includes things like passwords, favorites, and cookies. Default is Off.

New device management settings for iOS 11.3

The Restrictions device policy contains new restrictions for devices running iOS 11.3 and later. The restrictions are as follows:

  • Allow USB restricted mode: If Off, the device can always connect to USB accessories while locked. Default is On. Available only for supervised iOS 11.3 and later devices.
  • Force delayed software updates: If On, delays user visibility of Software Updates. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. Default is Off. Available only for supervised iOS 11.3 and later devices.
  • Enforced software update delay (days): Allows you to specify a number of days to delay a software update on the device. The maximum delay is 90 days. Default is 30 days. Available only for supervised iOS 11.3 and later devices.
  • Force classroom request permission to leave classes: If On, a student enrolled in an unmanaged course with Classroom must request permission from the teacher when attempting to leave the course. Default is Off. Available only for supervised iOS 11.3 and later devices.

Image of Device Policies configuration screen

Other new features

  • Web clips in the Home Screen Layout device policy. When configuring the Home Screen Layout device policy, you can now select Web Clip from the Type menu. For the Value, enter the URL for the web clip. If more than one Web Clip value exists with the same URL, the behavior is undefined on iOS 11.3 and later devices.
  • Whitelist template instructions. When adding Citrix Ready workspace hub devices in XenMobile console: Under Manage > Devices, the template for adding Whitelist devices in bulk now has instructions for each field.

Fixed issues in XenMobile Service 10.18.3

After you use a XenMobile action to delete a Chromebook or Workspace hub device: The device continues to appear in the XenMobile console until after you refresh the console. [CXM-46418]

Known issues in XenMobile Service 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: XenMobile doesn’t update the User Role in the XenMobile console until after the administrator logs in again from Secure Hub or the Self Help Portal. [CXM-45730]

XenMobile Service 10.18.2

The latest version of XenMobile has these new features and improvements:

Workspace Hub device management

Important: Workspace hub support is available only for our US-based customers. All other customers can expect full support in an upcoming release.

Using Citrix Ready workspace hubs, users can move virtual app and desktop sessions from a mobile device running Citrix Receiver to a Citrix Ready workspace hub. The Citrix Ready workspace hub is a Raspberry Pi device that has a keyboard, mouse, monitor, and any other accessory attached to it. You can manage Citrix Ready workspace hubs from your XenMobile Service console. For more information about Citrix Ready workspace hub, see this Citrix blog post.

By using XenMobile Service to manage Citrix Ready workspace hub, you can keep your devices updated with the latest features and security patches. If necessary, you can also perform security actions, such as full wipes or restarts. For more details about the unified endpoint management (UEM) and data protection benefits of XenMobile Service, see this use case on the Citrix website.

To use a Citrix Ready workspace hub, add the device to the Device Whitelist table in the XenMobile Console. There are two methods for adding devices to the table.

To add Citrix Ready workspace hubs to XenMobile Server manually

  1. In the XenMobile console, navigate to Manage > Devices.

    Image of Devices configuration screen

  2. Click Device Whitelist at the top.

    Image of Devices configuration screen

  3. Click Add. On the page that opens, type the following information.

    • Device platform: Select Workspace Hub.
    • Device ID Type: Select the method to identify devices. Citrix Ready workspace hub only supports MAC address.
    • Device ID: Type the appropriate identifier you selected previously.
    • Associated User: User to associate with the Citrix Ready workspace hub. The user associated with the device can be a pseudo user, such as a service account. The selected user is used for enrollment, policy pushing, and applying security actions. A single user can associate with multiple devices. This user can be a Local user or LDAP user already configured in your XenMobile Service console. If you want to associate the Citrix Ready workspace hub with a local user, choose Local from Select domain. Enter the user name in Search for user and select the user. If you want to associate the Citrix Ready workspace hub with an LDAP user, choose the appropriate domain from Select domain. Search for a user in Search for user and select the user.
    • Select domain: Select the domain to use when searching for users.
    • Search for user: Type the user name you want to associate with this device and click Search. Select the user from the result box below and it displays in the Associated User box.

    Image of Devices configuration screen

  4. Click Save. The device is added to the table.

To import or export Citrix Ready workspace hubs in bulk

  1. In the XenMobile console, navigate to Manage > Devices. Click Device Whitelist and then click Import.

    Image of Import Whitelist Devices screen

  2. Click Download to download a .csv template for importing devices. The columns in the file are the same as the fields in the previous workflow.

  3. Fill out the form and save it. When finished, click Choose File and select the template.

  4. Click Import. All of the Citrix Ready workspace hubs in the template file are added to the table.

  5. To export the list of Citrix Ready workspace hubs for editing, click Export.
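Bulk imports fail one row at a time, so it pays to check the file before uploading it. The following Python is an added example, not Citrix code: it validates a whitelist CSV against the rules stated above (platform Workspace Hub, MAC address as the only supported ID type, an associated user on every row) and rejects malformed or duplicate MACs. The column names are an assumption modelled on the fields of the manual Add form; the template from the Download button is authoritative. The sample CSV is constructed.

```python
"""Pre-flight check for a workspace hub whitelist CSV before bulk import.

Added example, not Citrix code. EXPECTED_COLUMNS is an assumption based on the
manual Add form; take the real header from the downloaded template. SAMPLE_CSV
is constructed.
"""
from __future__ import annotations
import csv
import io
import re

EXPECTED_COLUMNS = ["Device platform", "Device ID type", "Device ID", "Associated user"]
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")

SAMPLE_CSV = """Device platform,Device ID type,Device ID,Associated user
Workspace Hub,MAC address,B8-27-EB-12-34-56,svc-hub-lobby
Workspace Hub,MAC address,b8:27:eb:12:34:56,svc-hub-lobby
Workspace Hub,Serial number,000000001234abcd,svc-hub-lab
Workspace Hub,MAC address,B827EB65432,svc-hub-lab
Workspace Hub,MAC address,B8:27:EB:65:43:21,
"""


def normalise_mac(raw: str) -> str | None:
    """Return aa:bb:cc:dd:ee:ff for any common MAC spelling, or None if malformed."""
    hexdigits = re.sub(r"[:\-\.\s]", "", raw.strip().lower())
    if not _MAC_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def _cell(row: dict, key: str) -> str:
    """Read a cell defensively: short rows give None, which becomes ""."""
    return (row.get(key) or "").strip()


def validate_whitelist_csv(text: str) -> tuple[list[dict[str, str]], list[str]]:
    """Return (rows ready to import, error messages for rows that were dropped)."""
    reader = csv.DictReader(io.StringIO(text))
    errors: list[str] = []
    if reader.fieldnames != EXPECTED_COLUMNS:
        errors.append(f"header mismatch: expected {EXPECTED_COLUMNS}, got {reader.fieldnames}")
        return [], errors
    good: list[dict[str, str]] = []
    seen: dict[str, int] = {}  # normalised MAC -> line it first appeared on
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        if _cell(row, "Device platform") != "Workspace Hub":
            errors.append(f"line {line_no}: platform must be Workspace Hub")
            continue
        if _cell(row, "Device ID type").lower() != "mac address":
            errors.append(f"line {line_no}: workspace hubs support MAC address only")
            continue
        mac = normalise_mac(_cell(row, "Device ID"))
        if mac is None:
            errors.append(f"line {line_no}: malformed MAC {_cell(row, 'Device ID')!r}")
            continue
        if mac in seen:
            errors.append(f"line {line_no}: duplicate of line {seen[mac]} ({mac})")
            continue
        if not _cell(row, "Associated user"):
            errors.append(f"line {line_no}: associated user is required")
            continue
        seen[mac] = line_no
        good.append({**row, "Device ID": mac})
    return good, errors


if __name__ == "__main__":
    rows, problems = validate_whitelist_csv(SAMPLE_CSV)
    print(f"{len(rows)} row(s) ready to import")
    for problem in problems:
        print("skip:", problem)
```

On the sample file only the first device survives: the second row is the same hub written in a different MAC notation, the third uses an ID type the hub does not support, the fourth is an 11-digit MAC, and the last has no associated user. Writing the surviving rows back out with the same header gives a file the Import button will accept in one pass.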

Configure a Citrix Ready workspace hub

After configuring your XenMobile Service to enroll your Citrix Ready workspace hubs, configure the Citrix Ready workspace hub itself. For more information on configuring the device, see the Stratodesk Knowledge Base.

If this is the first time using the device, configure Central Management during the first-time wizard. Enter https://manageiot.xm.cloud.com:443/easyadmin/servlet/XmlRPC as the Management URL and click Finish. The device performs an Announce and enrolls in XenMobile Service.

Image of the No Touch wizard

Image of No Touch Central Management

If the device was already configured, or if you don’t want to use the wizard, navigate to Services > No Touch Center. Configure the Management URL as described above and click Save. Do a manual Announce by navigating to Information in the left pane and clicking Announce.

Image of No Touch Center

Image of the No Touch Information pane

To manage Citrix Ready workspace hub devices

  1. To view and manage Citrix Ready workspace hubs in XenMobile after enrollment, navigate to Manage > Devices. The Devices table appears. Select Workspace Hub on the left to see the newly enrolled device. Choose the Citrix Ready workspace hub you want to manage, and then click Edit to view and confirm the device details.

    When you select the check box next to a device, the options menu appears above the device list. If you click anywhere else in the list, the options menu appears on the right side of the listing.

    Image of Devices configuration screen

  2. The General page lists device Identifiers for the platform type, such as the serial number, ActiveSync ID, and other information. For Device Ownership, select Corporate or BYOD.

    The General page also lists device Security properties, such as Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type.

  3. The remaining Device Details sections contain summary information for the device.

    • Assigned Policies: Displays the number of assigned policies including the number of deployed, pending, and failed policies. Provides the policy name, type and last deployed information for each policy.
    • Apps: Displays the apps that are installed, pending, or failed.
    • Delivery Groups: Displays the number of successful, pending, and failed delivery groups. For each deployment, provides the delivery group name and deployment time.

You can also perform security actions such as full wipe or restart. For more information on security actions, see Security actions.

App Configuration device policy

Use the App Configuration device policy to deploy the Citrix Receiver configuration to Citrix Ready workspace hub devices. Go to Configure > Device Policies, add the App Configuration policy, and, under Platforms, select Workspace Hub. Configure the following Workspace Hub settings:

  • Connection Mode: Select Citrix Receiver.
  • Connection Name: Type a descriptive name for your connection.
  • Connection Target: Type a URL to load upon connection.

Some apps might require extra parameters to function. For each configuration parameter you want to add, click Add and then do the following:

  • Parameter name: Type the key name of an application setting for the Citrix Ready workspace hub device.
  • Value: Type the value for the specified parameter.

Image of Device Policies configuration screen

After you complete the configuration, choose delivery groups. For more information, see Add a device policy.

To deploy and update apps for Citrix workspace hub

  1. Because Citrix workspace hub devices only allow for deploying and updating a single file, first package all of your apps into a Squash FS file.

    For more information on creating a Squash FS file, see the Squash FS documentation.

    Note: When creating the file, ensure that you output an .img file.

  2. In your XenMobile Server, navigate to Configure > Apps and click Add. Click Enterprise.

  3. Type a name and description for your app, and then deselect all platforms except Workspace Hub. Click Next.

  4. On the Workspace Hub Enterprise App page, click Upload. Navigate to the .img file you created previously and click Open.

    Image of Device Policies configuration screen

  5. Click Next. The Approvals page does not function for Citrix workspace hub.

  6. Click Next. The Delivery Group Assignment page appears.

  7. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

    Note: Apps are always delivered to the device assigned to the delivery group. Whether or not the app is optional or required doesn’t change that behavior because there is no store for Citrix workspace hub devices.

  8. Click Save.

After the apps upload to XenMobile, Citrix workspace hub devices receive the update when restarted.

Apple TV management

You can now enroll Apple TVs in XenMobile as part of the Apple Device Enrollment Program (DEP). As part of this enrollment, you can perform these actions:

  • Configure DEP enrollment
  • Configure and push the Restrictions policy
  • Wipe, revoke, and restart an enrolled Apple TV device

Prerequisites

  • Apple DEP account connected to XenMobile. For information on creating an Apple DEP account and connecting it to XenMobile, see Deploying iOS Devices through Apple DEP.
  • Apple TV devices are DEP devices.

To configure your Apple TV settings

  1. Follow the steps at Deploying iOS Devices through Apple DEP to assign your Apple TVs to your XenMobile Server.

  2. In the XenMobile console, navigate to Settings > Apple Device Enrollment Program.

  3. On the page that opens, under Settings, select Apple TV. Configure the following settings:

    • Require device enrollment: Prevents users from skipping enrollment.
    • Require Credentials for device enrollment: Challenges for credentials during enrollment. When this setting is off, Apple TV gets enrolled as the default “Device Enrollment Program user”.
    • Wait for configuration to complete setup: The device waits in the Setup Assistant screen until all resources deploy.
    • Supervised mode: Gives more capability to the administrator while configuring restrictions.
    • Allow enrollment profile removal: Allows users to remove the enrollment profiles.
    • Allow device pairing: Allows devices enrolled through the Device Enrollment Program to be managed through Apple tools, such as iTunes and the Apple Configurator.

    Image of Apple DEP settings configuration screen

  4. Under Setup Assistant Options, select Apple TV and select the setup screens you want to skip during the Apple TV Enrollment.

    Image of Apple DEP settings configuration screen

  5. Click Save.

  6. In your server, navigate to Configure > Device Policy. Click Add and select the Restrictions device policy.

  7. Under Platforms, select TV OS and configure the restrictions you want to apply:

    • Security and Media Settings - Allow
      • Passcode on first AirPlay pairing: Require that AirPlay-enabled devices are verified with a one-time onscreen code before they can use AirPlay (iOS 7.0 and later).
      • Explicit sexual content in iBooks: Allow explicit material to be downloaded from iBooks (iOS 6.0 and later).
      • Explicit music, podcasts, and iTunes U material: Allow explicit material on users’ devices.
      • In-app purchases: Allow users to make in-app purchases.
        • Require iTunes password for purchases: Require a password for in-app purchases. The default is to restrict this feature, which means no password is required for in-app purchases (iOS 5.0 and later).
    • Supervised only settings - Allow
      • Device name modification: Allow users to change the name of their device.
      • Allow pairing with Apple TV Remote app: Allow users to pair their device with the Apple TV Remote app.
      • Siri profanity filter: Enable the Siri profanity filter. The default is to restrict this feature, which means no profanity filtering is done.

        For more information about Siri and security, see Siri and dictation policies.

      • Enable AirPlay: Allow users to stream content or mirror their iOS device’s screen on this device.
      • Restricted App usage: Allow users to use all apps or to use or not use apps, based on the bundle IDs you provide. Applies only to supervised devices.

        If you configure the Restrictions device policy to block some apps, deploy it, and later want to allow some or all of those apps: changing and redeploying the Restrictions device policy doesn’t change the restrictions, because iOS doesn’t apply the changes to the iOS profile.

        If you change this setting to Only allow some apps: Before deploying this policy, advise users of devices enrolled using Apple DEP to sign in to their Apple accounts from the Setup Assistant. Otherwise, users might have to disable two-factor authentication on their devices to sign in to their Apple accounts and access allowed apps.

    • Policy Settings
      • Next to Remove policy, click either Select date or Duration until removal (in hours).
      • If you click Select date, click the calendar to select the specific date for removal.
      • In the Allow user to remove policy list, click Always, Password required, or Never.
      • If you click Password required, next to Removal password, type the necessary password.
  8. Click Next and save the policy.

Security actions

After an Apple TV enrolls in XenMobile, administrators can perform security actions on the device. To perform a security action, do the following:

  1. In your server, navigate to Manage > Devices.
  2. Select the device you want to manage and click Secure. A popup appears with possible actions.

    • Revoke: Removes device management.
    • Full Wipe: Wipes the device completely. All the policies and apps installed are lost when this action is performed.
    • Restart: Restarts the device.

    Image of Security Actions configuration screen

Access XenMobile Tools throughout the XenMobile console

XenMobile now includes links to XenMobile Tools from the places in the XenMobile console where you need each tool:

  • XenMobile Analyzer:
    • Why you need it: Identify and triage potential issues with your deployment.
    • Where you can access it: Manage > Devices page and Manage > Users page.
  • APNs Portal:
    • Why you need it: Submit a request to Citrix to sign an APNs certificate, which you then submit to Apple.
    • Where you can access it: Settings > Certificates page and certificate configuration pages.
  • MDX Service:
    • Why you need it: Wraps apps that you can then manage by using XenMobile.
    • Where you can access it: Configure > Apps page and the Add App pages.

Support for COSU Android for Work devices

Note: In XenMobile Service and our documentation, we reference Android for Work; however, the latest terminology is Android enterprise. For details, see the Android documentation.

XenMobile now supports the management of corporate owned single use (COSU) Android for Work devices. COSU devices fulfill a single use case, such as digital signage, ticket printing, or inventory management. Administrators restrict these devices to one app or small set of apps. Administrators also prevent users from enabling other apps or performing other actions on the device.

For information about using XenMobile Management Tools to bind XenMobile as your enterprise mobility management provider through Google Play and create an enterprise for Android for Work, see Android for Work.

To provision COSU devices:

  • Add a role-based access control (RBAC) role that allows XenMobile administrators to enroll COSU devices to your XenMobile deployment. The role is new in this release of XenMobile Server. Assign this role to users whom you want to enroll COSU devices.
  • Add an enrollment profile for XenMobile administrators that you allow to enroll COSU devices to your XenMobile deployment.
  • Whitelist the app or apps you want the COSU device to access.
  • Optionally, set the whitelisted app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.

System requirements

Support for enrolling Android COSU devices begins with Android 6.0.

Add the COSU role

The RBAC role for enrolling COSU devices enables XenMobile to silently provision and activate a managed Google Play account on the device. Unlike managed Google Play user accounts, these device accounts identify a device that is not tied to a user.

You assign this RBAC role to XenMobile administrators to enable them to enroll COSU devices.

To add the RBAC role for enrolling COSU devices:

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Click Role-Based Access Control. The Role-Based Access Control page appears, which displays the four default user roles, plus any roles you have previously added.

  3. Click Add. The Add Role page appears.

  4. Enter the following information.

    • RBAC name: Enter COSU or other descriptive name for the role. You cannot change the name of a role.
    • RBAC template: Choose the ADMIN template.
    • Authorized access: Select Admin console access and COSU devices enroller.
    • Console features: Select Devices.
    • Apply permissions: Select the groups to which you want to apply the COSU role. If you click To specific user groups, a list of groups appears from which you can select one or more groups.
  5. Click Next. The Assignment page appears.

  6. Enter the following information to assign the role to user groups.

    • Select domain: In the list, click a domain.
    • Include user groups: Click Search to see a list of all available groups. Or, type a full or partial group name to limit the list to only groups with that name.
    • In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.
  7. Click Save.

Add a COSU enrollment profile

When your XenMobile deployment includes COSU devices, a single XenMobile administrator or small group of administrators enroll many COSU devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. Assign this profile to a delivery group containing the administrators who enroll COSU devices. That way, even if the default Global profile has a limited number of devices allowed per user, administrators can enroll an unlimited number of devices. Those administrators must be in the COSU enrollment profile.

  1. Go to Configure > Enrollment Profiles. The default Global profile appears.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Ensure that the number of devices that members with this profile can enroll is set to unlimited.

    Image of Enrollment Profiles configuration screen

  3. Click Next. The Delivery Group Assignment screen appears.

  4. Choose the delivery group or delivery groups containing the administrators who enroll COSU devices. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Image of Enrollment Profiles configuration screen

Whitelist apps and set lock task mode

The Kiosk device policy lets you whitelist apps and set lock task mode. By default, Secure Hub and Google Play services are whitelisted.

To add the Kiosk policy:

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add a New Policy dialog box appears.

  3. Expand More and then, under Security, click Kiosk. The Kiosk Policy page appears.

  4. Under Platforms, select Android for Work.

  5. In the Policy Information pane, type the Policy Name and an optional Description.

  6. Click Next and then click Add.

  7. To whitelist an app and allow or deny lock task mode for that app:

    Select the app you want to whitelist from the list.

    Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. Default is Allow.

    Image of Device Policies configuration screen

  8. Click Save.

  9. To whitelist another app and allow or deny lock task mode for that app, click Add.

  10. Configure deployment rules and choose delivery groups. For more information, see Add a device policy.

New Restrictions device policy setting for Android for Work

XenMobile lets you set a restriction policy to allow users to place work profile app widgets on the device home screen. Support for this policy begins with Android 5.0. We have added the setting, Allow work profile app widgets on home screen.

To set whether users can place work profile app widgets on the device home screen:

  1. Go to Configure > Device Policies and add a Restrictions device policy.

  2. Under Platforms, select Android for Work.

    Image of Device Policies configuration screen

  3. Set Allow work profile app widgets on home screen. If this setting is On, users can place work profile app widgets on the device home screen. If this setting is Off, users cannot place work profile app widgets on the device home screen. Default is Off. (Android 5.0 and later)

  4. If you set Allow work profile app widgets on home screen to On: Select an app whose widgets you want to allow on the home screen from the list. Click Save. Repeat these steps for all the apps whose widgets you want to allow.

  5. Click Next.

  6. Configure deployment rules and choose delivery groups. For more information, see Add a device policy.

Bulk provisioning of Windows 10 devices

Important: Windows 10 bulk enrollment support is currently available only for our US-based customers. All other customers will have full support in an upcoming release.

XenMobile supports bulk enrollment of Windows 10 devices. With bulk enrollment, you can set up many devices for an MDM server to manage without the need to reimage devices. You can use the provisioning package for bulk enrollment for Windows 10 desktop devices. Follow these steps to set up and perform bulk enrollment.

Before running bulk enrollment, ensure that all devices are assigned to the correct end-user. Perform this assignment by registering the devices per user or by performing a bulk import of devices.

To assign devices

  1. In your XenMobile Server console, navigate to Manage > Device Whitelist.

    Image of Device Whitelist configuration screen

  2. To add each device manually, click Add.

    Image of Device Whitelist configuration screen

  3. Type the following information:

    • Device platform: Select Windows.
    • Hardware ID Type: Select an ID to use to identify the device. XenMobile supports only Hardware ID for Windows devices.
    • Hardware ID: Type the device’s ID of the type you selected above.
    • Associated User: Type the associated user for this device.
  4. Click Save.

  5. To add devices in bulk, click Import.

    Image of Import Whitelist Devices screen

  6. Click Download to download a template for the device whitelist. Fill out that template using the previous descriptions, and then upload the file using Choose File and Import.

To bulk enroll devices

  1. In your XenMobile Server console, navigate to Settings > Windows Bulk Enrollment.

  2. In the UPN box, type a valid user name to deploy all devices.

    Image of Windows Bulk Enrollment configuration screen

  3. Click Save.

  4. To bulk provision devices, download the Windows Configuration Designer from the Microsoft Store. The Windows Configuration Designer creates provisioning packages used to image devices. As part of these packages, you can include XenMobile bulk enrollment configuration settings so that devices automatically enroll into XenMobile.

    For information on configuring the tool, building a provisioning package, and installing a provisioning package, see https://docs.microsoft.com/en-us/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool. For information on including XenMobile bulk enrollment configuration settings, see the section Create and apply a provisioning package for on-premises authentication in that document.

Delivery optimization for Windows 10 updates

Delivery optimization is a peer-to-peer client update service provided by Microsoft for Windows 10 updates. The goal of delivery optimization is to reduce bandwidth issues during the update process. Bandwidth reduction is achieved by sharing the downloading task among multiple devices. For more information, see the Microsoft article, Configure Delivery Optimization for Windows 10 updates.

The Control OS Update device policy for supervised Windows 10 Desktops and Tablets now includes delivery optimization settings. You can manage delivery optimization settings for desktops and tablets running Windows 10 version 1607.

To configure delivery optimization settings, go to Configure > Device Policies and add or edit the Control OS Updates policy.

Image of Device Policies configuration screen

Configure these settings:

  • Configure delivery optimization: Whether to use delivery optimization for Windows 10 Updates. Default is Off.
  • Cache size: The maximum size of the delivery optimization cache. A value of 0 means an unlimited cache. Default is 10 GB.
  • Allow VPN peer caching: Whether to allow devices to participate in peer caching when connected to the domain network through VPN. When On, the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. Default is Off.
  • Download method: The download method that delivery optimization can use for downloads of Windows Updates, apps, and app updates. Default is HTTP blended with peering behind the same NAT. Options are:
    • HTTP only, no peering: Disables peer-to-peer caching but allows delivery optimization to download content from Windows Update servers or Windows Server Update Services (WSUS) servers.
    • HTTP blended with peering behind the same NAT: Enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempt to connect to other peers on the same network by using their private subnet IP.
    • HTTP blended with peering across a private group: Automatically selects a group based on the device Active Directory Domain Services (AD DS) site or the domain the device authenticates to. Selection based on AD DS is for Windows 10, version 1607. Selection based on domain is for Windows 10, version 1511. Peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices.
    • HTTP blended with Internet peering: Enable Internet peer sources for Delivery Optimization.
    • Simple download mode with no peering: Disable the use of Delivery Optimization cloud services. Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching.
    • Do not use Delivery Optimization and use BITS instead: Enables clients to use BranchCache. For more information, see the Microsoft article, BranchCache.
  • Max download bandwidth: The maximum download bandwidth in KB per second. Default is 0, which means dynamic bandwidth adjustment.
  • Percentage of maximum download bandwidth: The maximum download bandwidth that delivery optimization can use across all concurrent download activities. The value is a percentage of the available download bandwidth. Default is 0, which means dynamic adjustment.
  • Max upload bandwidth: The maximum upload bandwidth in KB per second. Default is 0. A value of 0 means unlimited bandwidth.
  • Monthly upload data cap: The maximum size in GB that delivery optimization can upload to Internet peers in each calendar month. Default is 20 GB. A value of 0 means unlimited monthly uploads.

App lock device policy for Windows Desktops and Tablets

You can create an App Lock device policy that defines the list of blacklisted and whitelisted apps on managed Windows Desktops and tablets. You can allow or block executables, MSI installers, store apps, DLLs, and scripts.

Prerequisites for App lock

  • In Windows, configure rules in the Local Security Policy editor on a Windows 10 Desktop running Windows 10 Enterprise or Education.
  • Export the policy XML file. Citrix recommends that you create Default rules in Windows to avoid locking the default configuration or causing issues on devices.
  • Then, upload the XML file to XenMobile. For more information about creating rules, see this Microsoft article: https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-overview

To configure and export the policy XML file from Windows

Important: When configuring the policy XML file through the Windows policy editor, use Audit Only mode.

  1. On the Windows computer, start the Local Security Policy editor. Click Start, type local security policy and then click Local Security Policy.
  2. In the console tree, click Computer Configuration > Windows Settings > Security Settings and then expand Application Control Policies.
  3. Click AppLocker and then in the center pane, click Configure rule enforcement.
  4. Select Enforce rules. When you enable a rule, Enforce rules is the default.
  5. You can create Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules. To do so, right-click the folder and then click Create New Rule.
  6. Right-click AppLocker, click Export Policy, and then save the XML file.

To stop applying an App Lock policy

After you deploy an App Lock policy in XenMobile, to stop applying it: create an empty XML file. Then create another App Lock policy, upload the empty file, and deploy the policy. Devices that already have App Lock enabled are not affected; devices receiving the policy for the first time do not have the App Lock policy in place.

Device Guard information in device status

XenMobile now supports showing Device Guard information in device status. When editing a device, you can now add the following properties:

Image of Devices configuration screen

Image of Devices configuration screen

  • LSA Configuration Flags: Displays the status for the Local System Authority credential guard. Possible values are as follows:
    • 0 - Running
    • 1 - Reboot required
    • 2 - Not licensed for Credential Guard
    • 3 - Not configured
    • 4 - VBS not running
  • VBS Hardware Requirement Status: Displays the status for virtualization-based security hardware requirements. Possible values are as follows:
    • 0x0 - System meets hardware configuration requirements
    • 0x1 - SecureBoot required
    • 0x2 - DMA Protection required
    • 0x4 - HyperV not supported for Guest VM
    • 0x8 - HyperV feature is not available
  • VBS Status: Displays the status for virtualization-based security.
    • 0 - Running
    • 1 - Reboot required
    • 2 - 64 bit architecture required
    • 3 - not licensed
    • 4 - not configured
    • 5 - System doesn’t meet hardware requirements
    • 42 - Other. Event logs in Microsoft-Windows-DeviceGuard have more details
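The three Device Guard properties above are easier to act on when decoded in bulk, since VBS Hardware Requirement Status is a bit mask and several requirements can be unmet at once. The following added example (not Citrix code) decodes the values listed above and flags devices where Credential Guard is not effectively running; the rule that a device is healthy only when both LSA Configuration Flags and VBS Status are 0, the function names, the record field names and the sample records are this example’s own assumptions.

```python
"""Decode the Device Guard properties that XenMobile shows in device status.

Added example, not Citrix code. The value meanings are the ones listed in the
documentation; the "healthy only when LSA flags and VBS status are both 0"
rule, the function names, the record field names and the sample records are
this example's own assumptions.
"""
from typing import Dict, List, Union

LSA_CONFIG_FLAGS: Dict[int, str] = {
    0: "Running",
    1: "Reboot required",
    2: "Not licensed for Credential Guard",
    3: "Not configured",
    4: "VBS not running",
}

# VBS Hardware Requirement Status is a bit mask: several requirements can be
# unmet at once, e.g. 0x3 = SecureBoot and DMA Protection both required.
VBS_HW_REQUIREMENT_BITS: Dict[int, str] = {
    0x1: "SecureBoot required",
    0x2: "DMA Protection required",
    0x4: "HyperV not supported for Guest VM",
    0x8: "HyperV feature is not available",
}

VBS_STATUS: Dict[int, str] = {
    0: "Running",
    1: "Reboot required",
    2: "64 bit architecture required",
    3: "not licensed",
    4: "not configured",
    5: "System doesn't meet hardware requirements",
    42: "Other. Event logs in Microsoft-Windows-DeviceGuard have more details",
}


def parse_value(value: Union[int, str]) -> int:
    """Accept the console's decimal ("4") or hex ("0x3") representation."""
    return value if isinstance(value, int) else int(value, 0)


def decode_vbs_hw_requirements(value: Union[int, str]) -> List[str]:
    """Expand the bit mask into the list of unmet hardware requirements."""
    bits = parse_value(value)
    if bits == 0:
        return ["System meets hardware configuration requirements"]
    unmet = [text for bit, text in VBS_HW_REQUIREMENT_BITS.items() if bits & bit]
    unknown = bits & ~sum(VBS_HW_REQUIREMENT_BITS)  # bits the documentation does not list
    if unknown:
        unmet.append(f"Unknown requirement bits 0x{unknown:x}")
    return unmet


def assess_device(lsa_flags, vbs_hw, vbs_status) -> dict:
    """Report whether Credential Guard is effectively running and, if not, every reason why."""
    lsa, hw, vbs = (parse_value(v) for v in (lsa_flags, vbs_hw, vbs_status))
    reasons: List[str] = []
    if vbs != 0:
        reasons.append("VBS: " + VBS_STATUS.get(vbs, f"Unknown status {vbs}"))
    if hw != 0:
        reasons.extend("Hardware: " + r for r in decode_vbs_hw_requirements(hw))
    if lsa != 0:
        reasons.append("Credential Guard: " + LSA_CONFIG_FLAGS.get(lsa, f"Unknown flags {lsa}"))
    return {"credential_guard_running": lsa == 0 and vbs == 0, "reasons": reasons}


def devices_needing_attention(devices: List[dict]) -> List[dict]:
    """Filter device records (field names assumed) to those without Credential Guard running."""
    flagged = []
    for d in devices:
        result = assess_device(d["lsa_flags"], d["vbs_hw"], d["vbs_status"])
        if not result["credential_guard_running"]:
            flagged.append({"name": d["name"], **result})
    return flagged


# Constructed sample records, not real inventory data.
SAMPLE_DEVICES = [
    {"name": "LAPTOP-OK", "lsa_flags": 0, "vbs_hw": "0x0", "vbs_status": 0},
    {"name": "LAPTOP-OLDFW", "lsa_flags": 4, "vbs_hw": "0x3", "vbs_status": 5},
    {"name": "LAPTOP-REBOOT", "lsa_flags": 1, "vbs_hw": "0x0", "vbs_status": 1},
]

if __name__ == "__main__":
    for entry in devices_needing_attention(SAMPLE_DEVICES):
        print(entry["name"], "->", "; ".join(entry["reasons"]))
```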

Block a VPN connection by using a Network Access Control filter

Through policy settings in NetScaler, XenMobile supports Network Access Control (NAC) as an endpoint security feature for iOS devices. You can enable a NAC filter to block a VPN connection for devices that have non-compliant apps installed. When the VPN connection is blocked, the user cannot access any apps or websites through VPN.

For example, in the App Access Policy, you identify a particular app as Forbidden, or blacklisted. A user installs that app. When the user opens Citrix SSO and tries to connect to the VPN, the connection is blocked. The following error appears: Error while processing request. Contact your administrator.

Image of Connection Error

The configuration requires that you update NetScaler policies to support NAC. In the XenMobile console, you enable NAC filters. You must also deploy the VPN device policy. For this feature to work on devices, users install the Citrix SSO VPN client from the Apple store.

The NAC filters supported are:

  • Anonymous Devices
  • Forbidden Apps
  • Inactive Devices
  • Missing Required Apps
  • Non-Suggested Apps
  • Noncompliant Password
  • Out of Compliance Devices
  • Revoked Status
  • Rooted Android and Jailbroken iOS Devices
  • Unmanaged Devices

Prerequisites for NAC filtering

  • NetScaler 12
    • Update NetScaler policies to support NAC, as described in this section.
  • XenMobile Server 10.18.2
    • Enable NAC filters as described in this section.
    • Deploy the VPN device policy.
  • Citrix SSO VPN client 1.0.1 installed on devices from the Apple store

To update the NetScaler policies to support NAC

The authentication and VPN session policies you configure must be advanced (not classic) policies. In a console window on your VPN virtual server, do the following. The IP addresses in the commands and examples are fictitious.

  1. Remove and unbind all classic policies if you are using classic policies on your VPN virtual server. To check, type:

    show vpn vserver <VPN_VServer>

    You need to remove any result that contains the word Classic. For example: VPN Session Policy Name: PL_OS_10.10.1.1 Type: Classic Priority: 0

    To remove the policy, type:

    unbind vpn vserver <VPN_VServer> -policy <policy_name>

  2. Create the corresponding advanced session policy.

    add vpn sessionPolicy <policy_name> <rule> <session action>

    For example, add vpn sessionPolicy vpn_nac true AC_OS_10.10.1.1_A_

  3. Bind the policy to your VPN virtual server.

    bind vpn vserver _XM_XenMobileGateway -policy vpn_nac -priority 100

  4. Create an authentication virtual server.

    add authentication vserver <authentication vserver name> <service type> <ip address>

    For example:

    add authentication vserver authvs SSL 0.0.0.0

    In the example, 0.0.0.0 means that the authentication virtual server is not public facing.

  5. Bind an SSL certificate with the virtual server.

    bind ssl vserver <authentication vserver name> -certkeyName <Webserver certificate>

    For example:

    bind ssl vserver authvs -certkeyName Star_mpg_citrix.pfx_CERT_KEY

  6. Associate an authentication profile to the authentication virtual server from the VPN virtual server. First, create the authentication profile.

    add authentication authnProfile <profile name> -authnVsName <authentication vserver name>

    For example:

    add authentication authnProfile xm_nac_prof -authnVsName authvs

  7. Associate the authentication profile with the VPN virtual server.

    set vpn vserver <vpn vserver name> -authnProfile <authn profile name>

    For example:

    set vpn vserver _XM_XenMobileGateway -authnProfile xm_nac_prof

  8. Check the connection from NetScaler to a device. In the following command, “server” is the XenMobile Server address.

    curl -v -k https://server:4443/Citrix/Device/v1/Check --header "X-Citrix-VPN-Device-ID: deviceid_<device_id>"

    for example:

    curl -v -k https://10.10.1.1:4443/Citrix/Device/v1/Check --header "X-Citrix-VPN-Device-ID: deviceid_7"

    You should see a response similar to the following example.

       < HTTP/1.1 200 OK
       < Server: Apache-Coyote/1.1
       < X-Citrix-Device-State: Non Compliant
       < Set-Cookie: ACNODEID=181311111;Path=/; HttpOnly; Secure
    
  9. When the preceding step is successful, create the web authentication action to XenMobile. First, create a policy expression to extract the device ID from the iOS VPN plug-in. Type the following.

    add policy expression xm_deviceid_expression "HTTP.REQ.BODY(10000).TYPECAST_NVLIST_T(\'=\',\'&\').VALUE(\"deviceidvalue\")"

  10. Send the request to XenMobile.

    add authentication webAuthAction xm_nac -serverIP 10.10.1.1 -serverPort 4443 -fullReqExpr q{"GET /Citrix/Device/v1/Check HTTP/1.1\r\n" + "Host: 10.200.60.80:4443\r\n" + "X-Citrix-VPN-Device-ID: " + xm_deviceid_expression + "\r\n\r\n"} -scheme https -successRule "HTTP.RES.STATUS.EQ(\"200\") && HTTP.RES.HEADER(\"X-Citrix-Device-State\").EQ(\"Compliant\")"

    The successful output for the XenMobile NAC check is HTTP status 200 OK, and the X-Citrix-Device-State header must have the value Compliant.

  11. Create an authentication policy with which to associate the action.

    add authentication Policy <policy name> -rule <rule> -action <web auth action>

    For example:

    add authentication Policy xm_nac_webauth_pol -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NAC\")" -action xm_nac

  12. Convert the existing LDAP policy to an advanced policy.

    add authentication Policy <policy_name> -rule <rule> -action <LDAP action name>

    For example:

    add authentication Policy ldap_xm_test_pol -rule true -action 10.10.1.1_LDAP

  13. Add a policy label with which to associate the LDAP policy.

    add authentication policylabel <policy_label_name>

    For example:

    add authentication policylabel ldap_pol_label

  14. Associate the LDAP policy to the policy label.

    bind authentication policylabel ldap_pol_label -policyName ldap_xm_test_pol -priority 100 -gotoPriorityExpression NEXT

  15. Connect a compliant device to do a NAC test to confirm successful LDAP authentication. Type the following.

    bind authentication vserver <authentication vserver> -policy <webauth policy> -priority 100 -nextFactor <ldap policy label> -gotoPriorityExpression END

  16. Add the UI to associate with the authentication virtual server. Type the following command to retrieve the device ID.

    add authentication loginSchemaPolicy <schema policy> -rule <rule> -action lschema_single_factor_deviceid

  17. Bind the authentication virtual server.

    bind authentication vserver authvs -policy lschema_xm_nac_pol -priority 100 -gotoPriorityExpression END

  18. Create an LDAP advanced authentication policy to enable the Secure Hub connection. Type the following.

    add authentication Policy ldap_xm_test_pol -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NAC\").NOT" -action 10.200.80.60_LDAP

    bind authentication vserver authvs -policy ldap_xm_test_pol -priority 110 -gotoPriorityExpression NEXT
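Steps 8 through 10 above describe the check that decides whether a VPN connection is allowed: the device ID is extracted from the VPN plug-in’s request body, sent to XenMobile in the X-Citrix-VPN-Device-ID header of a GET /Citrix/Device/v1/Check request, and the connection is allowed only when the response is 200 OK with an X-Citrix-Device-State header equal to Compliant. The following added example (not Citrix or NetScaler code) models that exchange in Python so you can see why the success rule must be an exact match (EQ), since a device state of "Non Compliant" contains the word "Compliant"; the request body, the responses and all function names are constructed assumptions.

```python
"""Model of the XenMobile NAC compliance check behind the NetScaler webAuthAction.

Added example, not Citrix or NetScaler code. It mirrors three parts of the
procedure: the xm_deviceid_expression policy expression (name=value pairs split
on '&', value of "deviceidvalue"), the GET /Citrix/Device/v1/Check request built
by the webAuthAction, and the successRule (HTTP status 200 and an
X-Citrix-Device-State header equal to "Compliant"). Responses are constructed
inline so the script runs offline; all function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


def extract_device_id(body: str) -> Optional[str]:
    """Equivalent of TYPECAST_NVLIST_T('=','&').VALUE("deviceidvalue") on the request body."""
    for pair in body.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name == "deviceidvalue":
            return value
    return None


def build_check_request(host: str, port: int, device_id: str) -> str:
    """The raw HTTP request the -fullReqExpr of the webAuthAction sends to XenMobile."""
    return (
        "GET /Citrix/Device/v1/Check HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"X-Citrix-VPN-Device-ID: {device_id}\r\n\r\n"
    )


@dataclass
class CheckResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_response(raw: str) -> CheckResponse:
    """Parse an HTTP response head; '< ' prefixes from pasted curl -v output are accepted too."""
    head = raw.partition("\r\n\r\n")[0]
    lines = [ln[2:] if ln.startswith("< ") else ln for ln in head.split("\r\n")]
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return CheckResponse(status, headers)


def success_rule(resp: CheckResponse) -> bool:
    """HTTP.RES.STATUS.EQ("200") && HTTP.RES.HEADER("X-Citrix-Device-State").EQ("Compliant").

    EQ is an exact match: a state of "Non Compliant" must not pass, which a
    CONTAINS("Compliant") check would wrongly allow.
    """
    return resp.status == 200 and resp.headers.get("x-citrix-device-state") == "Compliant"


def nac_decision(body: str, raw_response: str) -> dict:
    """Combine both halves: device ID from the plug-in body, verdict from the XenMobile response."""
    device_id = extract_device_id(body)
    if device_id is None:
        return {"device_id": None, "allow": False, "state": "no device ID in request"}
    resp = parse_response(raw_response)
    return {
        "device_id": device_id,
        "allow": success_rule(resp),
        "state": resp.headers.get("x-citrix-device-state", "unknown"),
    }


# Constructed sample data (not captured from a real deployment). The
# non-compliant response mirrors the curl output shown in step 8.
PLUGIN_BODY = "deviceidvalue=deviceid_7&login=jdoe"
NON_COMPLIANT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Citrix-Device-State: Non Compliant\r\n"
    "Set-Cookie: ACNODEID=181311111;Path=/; HttpOnly; Secure\r\n\r\n"
)
COMPLIANT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Citrix-Device-State: Compliant\r\n\r\n"
)

if __name__ == "__main__":
    print(build_check_request("10.10.1.1", 4443, extract_device_id(PLUGIN_BODY) or ""))
    for label, raw in (("non-compliant", NON_COMPLIANT_RESPONSE), ("compliant", COMPLIANT_RESPONSE)):
        print(label, nac_decision(PLUGIN_BODY, raw))
```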

To enable NAC filters in the XenMobile console

  1. Go to Settings > Network Access Control.
  2. Next to Set as not compliant, select the filters that you want to enable for detection and then click Save.

To configure the VPN device policy to support NAC

In the VPN policy settings for iOS:

  1. The Connection type of Custom SSL is required for configuring the NAC filter.
  2. Specify a Connection name of VPN.
  3. For Custom SSL identifier, type com.citrix.NetScalerGateway.ios.app
  4. For Provider bundle identifier, type com.citrix.NetScalerGateway.ios.app.vpnplugin

The values in step 3 and 4 are taken from the required Citrix SSO 1.0.1 installation for NAC filtering. Note that you do not configure an authentication password.

The following figure shows the required VPN settings.

Image of Device Policies configuration screen

Fixed issues in XenMobile Service 10.18.2

Users who have an administrator account on XenMobile, and then are provisioned for XenMobile Service (cloud), can’t enroll a device. [CXM-26447]

On the Manage > Devices page: Sorting by Operating system version doesn’t result in a correctly ordered list. [CXM-45540]

Known issues in XenMobile Service 10.18.2

After you delete a Chromebook or Workspace hub device using the XenMobile action: The devices continue to show in the XenMobile console until after you refresh it. [CXM-46418]

XenMobile Service 10.18.1

The latest version of XenMobile has these new features and improvements:

Support for Chromebook devices

Important: Chromebook support is currently available only for our US-based customers. All other customers will have full support in an upcoming release.

Starting with XenMobile Service 10.18.1, XenMobile supports Chromebook devices. Chromebook devices are enrolled in MDM mode only.

System requirements:

  • Chrome OS 46 and later

Configure G Suite for Chromebook enrollment

Before enrolling Chromebook devices, configure G Suite for Chromebook enrollment. The configuration forces installation of the Secure Hub extension on the Chromebook device and prevents the extension from being disabled or deleted.

  1. Go to https://admin.google.com and log in to your G Suite account.

  2. In the Google administrator console, click Device Management.

    Image of Google administrator console

  3. Click Chrome management.

    Image of Google administrator console

  4. In the Chrome device management page, click User Settings.

    Image of Google administrator console

  5. In the User settings page, search for Client certificates. Add this pattern:

    {"pattern": "https://[*.]xm.cloud.com", "filter": {}}

    Adding this pattern to Client certificates ensures that device certificates pushed from XenMobile to the device are auto-selected without prompting the user to select one.

    Image of Google administrator console

  6. Click Save.

  7. Search for Force-installed Apps and Extensions and then click Manage force-installed apps.

    Image of Google administrator console

  8. Click Specify a Custom App.

    Image of Google administrator console

  9. Click the ID field, type cnkimbgkdakemjcipljhmoplehfcjban.

  10. Click the URL field, type https://chrome.google.com/webstore/detail/cnkimbgkdakemjcipljhmoplehfcjban.

  11. Click Add.

  12. Click Save in the Force-installed Apps and Extensions dialog window.

  13. Click Save in the User Settings page.

Enroll Chromebook devices

Users enroll Chromebook devices by using a Secure Hub extension in Chrome. XenMobile supports Autodiscovery for Chromebook devices.

XenMobile doesn’t support adding Chromebook devices manually or through bulk enrollment. XenMobile doesn’t support sending enrollment invitations for Chromebook devices.

Before a user enrolls a Chromebook device in XenMobile, you or the user must enroll the device in the G Suite domain of your enterprise. For information on enrolling Chrome devices, see the Google article Enroll Chrome devices.

A Citrix PIN must be created when a Chromebook device is enrolled in XenMobile. This PIN cannot be reset. If a user forgets this PIN, the Chromebook device must be unenrolled and re-enrolled.

  1. Sign in to your Chromebook device using your G Suite credentials.

  2. Click the Secure Hub extension in Chrome. The Secure Hub extension icon, which appears next to the browser address bar, is grayed out before enrollment:

    Image of grayed out icon

  3. The Secure Hub enrollment window appears. Click Enroll.

    Image of enrollment on device

  4. Type your corporate credentials, such as your XenMobile Server name, User Principal Name (UPN), or email address. Then, click Next.

    Image of enrollment on device

  5. If prompted, type your corporate user name. Type your corporate password. Then click Sign In.

    Image of enrollment on device

  6. Create a Citrix PIN. This PIN must be six characters long. It can contain only letters and numbers. Type your Citrix PIN twice. Click Finish.

    Image of enrollment on device

  7. When the enrollment is complete, the Secure Hub extension icon is no longer grayed out.

Sign in to an enrolled Chromebook device

To sign in to a Chromebook device that is enrolled in XenMobile:

  1. Sign in using your G Suite credentials.

  2. When prompted, enter your Citrix PIN. This PIN was created when the device was enrolled in XenMobile.

If you don't type your Citrix PIN, the prompt for the PIN repeats every minute until you enter it. After five minutes, access is blocked to all websites except google.com, citrix.com, gotomeeting.com, and cloud.com. If you try to access any other website, an error message appears and you are prompted to sign in with your Citrix PIN.

Unenroll and reenroll a Chromebook device

To unenroll a Chromebook device from XenMobile, users delete their account.

  1. In the Chrome browser, click Secure Hub extension icon.
  2. In the Secure Hub enrollment window, click Delete.
  3. Click Yes, Delete to confirm the deletion.
  4. The Secure Hub enrollment window closes and the Secure Hub extension icon is grayed out.

To re-enroll:

  1. Log out of your Chromebook device and log back in using your G Suite credentials.
  2. Click Enroll and follow the prompts to re-enroll.

Device policies for Chromebook devices

These device restriction policies are available for Chromebook devices.

Image of Device Policies configuration screen

  • Disable autofill: Select whether to allow the autofill function of the Chrome browser. If this policy is set to On, the autofill function is not allowed. Default is On.
  • Disable Save Password: Select whether to allow the save password function in the Chrome browser. If this policy is set to On, the save password function is not allowed. Default is On.
  • Disable Page Translation: Select whether to allow translation of webpages that are in other languages in the Chrome browser. If this policy is set to On, translation of webpages is not allowed. Default is On.
  • Block Images: Select whether to allow display of images in webpages in the Chrome browser. If this policy is set to On, images in webpages in the Chrome browser are not displayed. Default is Off.
  • Websites: Select whether to control access to websites in the Chrome browser using a whitelist or blacklist. Default is Blacklist.

Windows Hello for Business policy

Windows Hello for Business allows users to sign on to Windows devices by using their Active Directory or Azure Active Directory account. You use the Windows Hello for Business device policy to enable the feature so users can provision Windows Hello for Business on their device. The policy also lets you configure passcode limitations and other security features.

Go to Configure > Device Policies to add the Windows Hello for Business policy. Configure these settings:

Image of Device Policies configuration screen

  • Use Windows Hello for Business: Enable the feature to allow users to provision Windows Hello for Business on their device.
  • Require security device: Require a Trusted Platform Module (TPM) for Windows Hello for Business. When a TPM is required, the user's Windows Hello key is generated and protected in the TPM; without the requirement, a device that has no TPM stores the key in software.
  • Minimum/Maximum PIN length: Minimum and maximum length for user PINs. Minimum PIN Length defaults to 4. Maximum PIN Length defaults to 127.
  • Uppercase letters, Lowercase letters, Special characters: Select whether to Allow, Require, or Do not allow each type of character. Defaults to Do not allow.
  • Digits: Whether to Allow, Require, or Do not allow digits. Defaults to Require.
  • History: The number of past PINs that users can’t reuse. Defaults to 0, meaning users can reuse all PINs.
  • Expiration: The number of days before a user must change their PIN. Defaults to 0, which means that PINs don’t expire.
  • Use Biometrics: Allow the use of biometrics instead of PINs for user sign-on.

Deploy Office 365 apps to Windows 10 devices

XenMobile now allows for deployment of Microsoft Office 365 products using the Office configuration service provider (CSP). By configuring the new Office device policy, you can deploy Microsoft Office apps to any Windows 10 desktop or tablet running update 1709 or later.

Go to Configure > Device Policies to add the Office policy. Configure these settings:

Image of Device Policies configuration screen

  • Product ID: Select a product ID based on your Office 365 plan. Options are O365ProPlusRetail, O365BusinessRetail, or O365SmallBusPremRetail.
  • Office 365 Apps: Select the Office 365 apps that you want deployed. All apps are selected by default.
  • Additional Office apps: If you own licenses for Project Online Desktop Client or Visio Pro for Office 365, you can select these apps to have them installed.
  • Office Version: Select whether to install the 32-bit or 64-bit version of Office.
  • Update channel: Choose how often you want updates to occur. Options are Monthly, Monthly (Targeted), Semi-Annual, or Semi-Annual (Targeted).
  • Properties:
    • Automatically accept the app end user license agreement: Select On or Off. Defaults to On.
    • User shared computer activation: Select whether the computer is shared or not. Options are On or Off. Defaults to Off.
  • Office Language: Office automatically installs in any languages that Windows already has installed. You can select extra languages to install.

Restrict Windows 10 devices to kiosk mode

You can now use the Kiosk policy to restrict Windows 10 devices to kiosk mode, allowing only one app to run.

Go to Configure > Device Policies to add the Kiosk policy. Configure these settings:

Image of Device Policies configuration screen

  • Kiosk Mode: Enable or Disable the feature.
  • Application user model ID (AUMID): The ID of the app that you want to allow in kiosk mode. To get a list of the AUMIDs for all Microsoft Store apps installed for the current device user: Run the following PowerShell command.

# Get-AppxPackage returns the packages installed for the current user, so run
# this in the session of the account that will run the kiosk app.
$installedApps = Get-AppxPackage

$aumidList = @()
foreach ($app in $installedApps)
{
    # An AUMID is <PackageFamilyName>!<Application Id>. One package can
    # declare several applications, each with its own AUMID.
    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    {
        $aumidList += $app.PackageFamilyName + "!" + $id
    }
}

$aumidList

If the device is not domain joined through either Azure Active Directory or a company domain, pre-configure the enrollment user as a system local user. With that configuration, only the Kiosk policy gets installed on the device.

XenMobile deploys this policy only when the following conditions are met:

  • For a device with a local User: The user must have a device local account.
  • For a domain user (that is, an Active Directory user or Azure Active Directory user): The device must be domain joined. Manually creating a local account on the device doesn't work.
  • For a device with the local user “kiosk”: There must be a system user named “kiosk”.

Use Shared iPads with Apple Education features

XenMobile integration with Apple Education supports Shared iPads. Multiple students in a classroom can share an iPad for different subjects taught by one or several instructors.

Either you or instructors enroll Shared iPads and then deploy device policies, apps, and media to the devices. After that, students provide their managed Apple ID credentials to sign in to a Shared iPad. If you previously deployed an Education Configuration policy to students, they no longer sign in as an “Other User” to share devices.

XenMobile uses two communications channels for Shared iPads: The system channel for the device owner (instructor) and the user channel for the current resident user (student). XenMobile uses those channels to send the appropriate MDM commands for the resources supported by Apple.

Resources that deploy over the system channel are:

  • Device policies, such as Education Configuration, Lock Screen Message, Maximum Resident Users, and Passcode Lock Grace Period
  • Device-based VPP apps

    Apple doesn’t support Enterprise apps or user-based VPP apps on Shared iPads. Apps installed on a Shared iPad are global to the device and not per user.

  • User-based VPP iBooks

    Apple supports assignment of user-based VPP iBooks on Shared iPads.

Resources that deploy over the user channel are:

  • Device policies: Apps Notifications, Home Screen Layout, and Restrictions

    XenMobile currently supports only those device policies over the user channel.

Requirements for Shared iPads

Device requirements:

  • Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
  • At least 32 GB of storage
  • Supervised

Other requirements:

  • For a first-time integration of Apple School Manager with XenMobile, be sure to read Integrate with Apple Education features. Follow those instructions to configure your integration for any iPads that you use in a one-to-one model (one iPad per student) or for instructor iPads (unshared). Then, return to this section to configure Shared iPads.

General workflow

Typically, you provide preconfigured and supervised Shared iPads to instructors. The instructors then distribute the devices to students. If you don’t distribute pre-enrolled Shared iPads to instructors: Be sure to provide the instructors with their XenMobile Server passwords so they can enroll their devices.

The general workflow for configuring and enrolling Shared iPads is as follows.

  1. Use the XenMobile Server console to add ASM DEP accounts (Settings > Apple Device Enrollment Program (DEP)) with Shared mode enabled. For more information, see “Manage ASM DEP accounts for Shared iPads” next.
  2. As described in this section, add the required device policies, apps, and media to XenMobile. Assign those resources to delivery groups. For more information, see Integrate with Apple Education features.
  3. Have the instructors perform a hard reset on the Shared iPads. The Remote Management screen for DEP enrollment appears.
  4. The instructors enroll the Shared iPads. XenMobile deploys configured resources to each enrolled Shared iPad. After an automatic restart, instructors can share the devices with students. A sign-in page appears on the iPad.
  5. A student chooses the class and then enters their Managed Apple ID and temporary Apple School Manager (ASM) password. The Shared iPad authenticates to ASM and prompts the student to create an ASM password. For the next sign-in to the Shared iPad, the student provides the new ASM password.
  6. Another student who is sharing the iPad can then sign in by repeating the previous step.

Manage ASM DEP accounts for Shared iPads

If you already use XenMobile with Apple Education: You have an existing ASM DEP account configured in XenMobile for devices that aren’t shared, such as the devices used by instructors. You can use the same ASM and the same XenMobile Server for both shared and non-shared devices.

XenMobile supports these deployment scenarios:

  • A group of Shared iPads per class

    In this scenario, you assign the Shared iPads to a class of students. The iPads stay in the classroom. Instructors who teach different subjects in that class use the same set of iPads.

  • A group of Shared iPads per instructor

    In this scenario, you assign the Shared iPads to an instructor, who uses those iPads for the various classes that they teach.

Organize Shared iPads into device groups

ASM lets you organize devices into groups by creating multiple MDM servers. When you assign the Shared iPads to an MDM server, create a device group for each group of Shared iPads, per class or per instructor:

  • Group 1 of Shared iPads > Device Group 1 MDM Server
  • Group 2 of Shared iPads > Device Group 2 MDM Server
  • Group N of Shared iPads > Device Group N MDM Server

Add ASM DEP accounts for each device group

When you create multiple ASM DEP accounts from the XenMobile Server console, you automatically import groups of Shared iPads (one for each class or instructor):

  • Device Group 1 MDM Server > Device Group 1 DEP account
  • Device Group 2 MDM Server > Device Group 2 DEP account
  • Device Group N MDM Server > Device Group N DEP account

Requirements specific to Shared iPads are as follows:

  • One ASM DEP account for each device group with these settings enabled:
    • Require device enrollment
    • Supervised mode
    • Shared mode
  • For a given educational organization, be sure to use the same Education suffix for all ASM DEP accounts.

To add a DEP account, go to Settings > Apple Device Enrollment Program (DEP).

Image of Apple DEP settings configuration screen

For general information about adding an ASM DEP account to XenMobile, see Integrate with Apple Education features.

Device policies for Shared iPads

The following device policies are specific to Shared iPads:

  • Maximum Resident Users: The maximum number of users for a Shared iPad. If the number of users specified in this policy is greater than the maximum number of users supported by the device: XenMobile uses the device maximum instead. Default is 5 users. Available in iOS 9.3 and later.

    This policy must deploy when the iPad is in the “awaiting configuration” phase during the Setup Assistant. Apple doesn’t allow this policy to deploy after Shared iPads enroll.

    Image of Device Policies configuration screen

    Apple recommends that you keep the Maximum resident users value as low as possible. A low value maximizes the amount of iPad storage for each user. In addition, a low value minimizes communication with iCloud and provides a faster sign in experience. For information about how Apple handles shared storage on an iPad, see https://help.apple.com/deployment/ios/#/cad7e2e0cf56.

  • Passcode Lock Grace Period: The number of minutes that a Shared iPad screen stays locked before the user must enter a passcode to unlock the screen. Changing this setting to a less restrictive value doesn’t take effect until a user signs out. Default is Immediately. Available in iOS 9.3.2 and later.

    By default, the Shared iPad locks itself automatically after two minutes of inactivity.

    Image of Device Policies configuration screen

XenMobile currently supports the following device policies over the User channel:

  • Home Screen Layout: To define a layout of apps, folders, and web clips for the Home screen.
  • Apps Notifications: To specify the restriction enforced notification settings for apps.
  • Restrictions: To allow or disallow educational restrictions and to restrict app usage, for example by blacklisting or whitelisting specific apps.
  • Profile Removal

You specify the deployment channel when you configure those policies.

Image of Device Policies configuration screen

To remove device policies that you deployed over the user channel, be sure to choose a Deployment scope of User for the Profile Removal policy.

For information about other device policies, see “Step 7: Plan and add resources and delivery groups to XenMobile Server” in Integrate with Apple Education features.

Apps for Shared iPads

Shared iPads support assignment of device-based VPP apps. Before deploying an app on a Shared iPad, XenMobile Server sends a request to the Apple VPP server to assign VPP licenses to devices. To check the VPP assignments, go to Configure > Apps > iPad and expand Volume Purchase Program.

For recommendations about choosing, deploying, and updating apps on Shared iPads, see Use Shared iPad in the Apple documentation.

Media for Shared iPads

Shared iPads support assignment of user-based VPP iBooks. Before deploying an iBook on the Shared iPad, XenMobile Server sends a request to the Apple VPP server to assign VPP licenses to students. To check the VPP assignments, go to Configure > Media > iPad and expand Volume Purchase Program.

Image of Media configuration screen

Deployment rules for Shared iPads

For Shared iPad deployment, the rules at the delivery group level don’t apply because they relate to user properties. To filter the policies, apps, and media for each group of devices: Add a deployment rule for the resources based on the DEP account name. For example:

  • For the Device Group 1 DEP account, set this deployment rule:

  DEP account name
  Only
  Device Group 1 DEP account

  • For the Device Group 2 DEP account, set this deployment rule:

  DEP account name
  Only
  Device Group 2 DEP account

  • For the Device Group N DEP account, set this deployment rule:

  DEP account name
  Only
  Device Group N DEP account

Image of Device Policies configuration screen

To deploy the Apple Classroom app only to instructors (using unshared iPads), filter the resources by ASM DEP shared status with these deployment rules:


Deploy this resource regarding ASM DEP shared mode
only
unshared

Or:


Deploy this resource regarding ASM DEP shared mode
except
shareable

Image of Apps configuration screen

Delivery groups for Shared iPads

For the device group for each instructor:

  • Configure one delivery group. For the instructor, assign all the classes that the Education Configuration policy defines.

Image of Delivery Groups configuration screen

  • That delivery group must include these MDM resources:
    • Device policies:
      • Education Configuration
      • Lock Screen Message
      • Apps Notifications
      • Home Screen Layout
      • Restrictions
      • Maximum Resident Users
      • Passcode Lock Grace Period
    • Required VPP apps
    • Required VPP iBooks

Image of Delivery Groups configuration screen

Security actions for Shared iPads

In addition to existing security actions, you can use these new security actions for Shared iPads (available in iOS 9.3 and later):

  • Get Resident Users: Lists the users that have active accounts on the current device. This action forces a sync between the device and the XenMobile console.
  • Logout Resident User: Forces a log out of the current user.
  • Delete Resident User: Deletes the current session for a specific user. The user can sign in again.

Image of Security Actions screen

After you click Delete Resident User, you can specify the user name.

Image of Security Actions screen

Results of security actions appear on the Manage > Devices > General and Manage > Devices > Delivery Groups pages.

Get information about Shared iPads

Find information specific to Shared iPads on the Manage > Devices page:

  • Look up:
    • Whether a device is shared (ASM DEP shared)
    • Who is logged in to the shared device (ASM logged-in user)
    • All users assigned to the shared device (ASM resident users)

Image of Devices configuration screen

  • Filter the device list by its ASM DEP Device Status:

Image of Devices configuration screen

  • View details about the user logged in to a Shared iPad, on the Manage > Devices > Logged-in User Properties page.

Image of Devices configuration screen

Image of Devices configuration screen

  • See the channel used to deploy resources to instructors and users in a delivery group on the Manage > Devices > Delivery Groups page. The Channel/User column shows the type (System or User) and the recipient (instructor or student).

Image of Devices configuration screen

  • Get information about resident users:
    • Has data to sync: Whether the user has data to be synchronized to the cloud.
    • Data quotas: The data quota set for the user in bytes. A quota might not appear if user quotas are temporarily off or aren’t enforced for the user.
    • Data used: The amount of data used by the user in bytes. A value might not appear if an error occurs as the system gathers the information.
    • Is logged in: Whether the user is logged on to the device.

Image of Devices configuration screen

  • View the push status for both channels.

Image of Devices configuration screen

Set how app notifications appear on iOS devices

The Apps Notifications policy lets you control how iOS users receive notifications from specified apps. This policy is supported on devices running iOS 9.3 or later. To add the policy, go to Configure > Device Policies.

Image of Device Policies configuration screen

Configure notification settings:

  • App Bundle identifier: Specify the apps you want to apply this policy to.
  • Allow Notifications: Select ON to allow notifications.
  • Show in Notification Center: Select ON to show notifications in the notification center of the user devices.
  • Badge App Icon: Select ON to show a badge app icon with notifications.
  • Sounds: Select ON to include sounds with notifications.
  • Show in Lock Screen: Select ON to show notifications on the lock screen of the user devices.
  • Unlocked Alert Style: In the list, select None, Banner, or Alerts to configure the appearance of unlocked alerts.

Unenroll an Android for Work enterprise

XenMobile now lets you unenroll an Android for Work enterprise using the XenMobile Server console and XenMobile Tools.

When you perform this task, the XenMobile Server opens a popup window for XenMobile Tools. Before you begin, ensure that the XenMobile Server has permission to open popup windows in the browser you are using. Some browsers, such as Google Chrome, require you to disable popup blocking or add the address of the XenMobile site to the popup blocker whitelist.

Warning: After an enterprise is unenrolled, Android for Work apps on devices already enrolled through it are reset to their default states. Google no longer manages the devices. Re-enrolling them in an Android for Work enterprise might require further configuration to restore previous functionality.

After the Android for Work enterprise is unenrolled:

  • Devices and users enrolled through the enterprise have the Android for Work apps reset to their default state. Android for Work App Permissions and Android for Work App Restrictions policies previously applied no longer affect operations.
  • XenMobile manages devices enrolled through the enterprise. Google doesn’t manage those devices. You can’t add Android for Work apps. You can’t apply Android for Work App Permissions or Android for Work App Restrictions policies. You can still apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
  • If you attempt to enroll devices in Android for Work, they enroll as Android devices, not Android for Work devices.

To unenroll an Android for Work enterprise:

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android for Work.

  3. Click Remove Enterprise.

    Image of Android for Work settings screen

  4. Specify a password. You’ll need the password in the next step to complete the unenrollment. Then click Unenroll.

    Image of Android for Work settings screen

  5. When the XenMobile Tools page opens, enter the password you created in the previous step.

    Image of Management Tools screen

  6. Click Unenroll.

    Image of Management Tools screen

Previously, a device search from the Manage > Devices page included all device properties by default, which might slow the search. Now the default search scope includes only the following device properties:

  • Serial Number
  • IMEI
  • Wifi MAC address
  • Bluetooth MAC address
  • Active Sync ID
  • User Name

You can configure the search scope through a new server property, include.device.properties.during.search, which defaults to false. To include all device properties in a device search, go to Settings > Server Properties and change the setting to true.

Fixed issues in XenMobile Service 10.18.1

For Configure > Device Policies > App Lock Policy: After you type the policy name and go to the iOS page, bundle IDs don’t appear in the App bundle ID menu. After you toggle between Android and iOS, the app bundle IDs appear. [CXM-39302]

When you upload an .ipa enterprise app to XenMobile Server, occasionally the upload fails. The following error message appears: Uploaded mobile app is invalid. Application icon was not found. [From xms_10.4.0.10018.bin][#662026][CXM-43032]

In an environment configured for Android for Work: After you enroll a device and then add an app, the app doesn’t appear in Google Play on the device. If you unenroll and then re-enroll the enterprise, and then add apps, Google Play might not show any apps. [CXM-43424]

Enrollment fails, with this log message: com.zenprise.zdm.enroll.EnrollmentException: com.hazelcast.core.OperationTimeoutException: QueryPartitionOperation invocation failed to complete due to operation-heartbeat-timeout. [CXM-43779]

App package (APK, IPA, MDX) uploads from Internet Explorer fail and the spinner continues until you interrupt it. [CXM-43797]

On Android devices with Tunnel and Webclip device policies: Secure Hub hangs after you open a webclip and then browser back several times. [CXM-43812]

After the Control OS Updates device policy deploys to iOS devices: The ActiveSync IDs in XenMobile don’t match the device ActiveSync IDs. As a result, users can’t access email. [CXM-43958]

Using the XenMobile console to search for a user or device is slow. [CXM-44120]

Known issues in XenMobile Service 10.18.1

If the SQL Server is deployed in a child domain or if a child domain database login is used: Connecting through the Microsoft JDBC driver with Windows Authentication fails. [CXM-42969]

XenMobile Service 10.7.6

The latest version of XenMobile has these new features and improvements:

Device Guard policy for Windows 10 devices

Device Guard is a Windows 10 security feature that enables virtualization-based security by using the Windows Hypervisor to support security services on the device. By using a new device policy, Device Guard, you can enable security features such as a Secure Boot requirement, UEFI lock for Credential Guard, and virtualization-based security.

Prerequisites:

  • Windows 10 Desktops and Tablets with an Enterprise or Education license on version 1709 (RS3)
  • Device Guard enabled in Windows

For more information on Device Guard, see https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage.

Go to Configure > Device Policies to add the Device Guard policy. Configure these settings:

Image of Device Policies configuration screen

  • Enable Virtualization Based Security: Disable or enable virtualization based security features. Virtualization based security uses the Windows Hypervisor to support security services.
  • LSA Configuration Flags: Configures Credential Guard, which uses virtualization-based security to isolate credentials. The setting takes effect at the next reboot. Options are Off, On with UEFI Lock, and On without UEFI Lock. Default is Off. With UEFI Lock, the setting is persisted in UEFI firmware and can't be turned off remotely, including by later removing this policy; disabling it requires clearing the UEFI variable with physical access to the device.
  • Require Platform Security Features: Specifies the platform security level at the next reboot. Options are Off, VBS with Secure Boot, and VBS with Secure Boot and direct memory access (DMA) protection. Default is Off.

XenMobile queries a device to determine if the virtualization based security settings match the settings on the server. If they do match, XenMobile doesn’t deploy this policy to the device. If the security settings do not match, XenMobile deploys the policy.

Configure firewalls on Windows 10 devices

You can now configure firewalls on Windows 10 Desktop and Tablet devices running Windows 10 RS3 and later. Go to Configure > Device Policies and add or edit the Firewall policy. Configure these settings:

Image of Device Policies configuration screen

  • Enable Feature: Controls incoming and outgoing traffic on computers to which this policy is deployed. Default is On.
  • Public Profile: Controls Windows Firewall while computers are connected to untrusted networks at public places, such as at an airport or coffee shop. Default is On.
  • Private Profile: Controls Windows Firewall while computers are connected to trusted networks, such as their home network. Default is On.
  • Domain Profile: Controls Windows Firewall while the computers are connected to the domain networks, such as at their workplace. Default is On.
  • Block all incoming connections, including those in the list of allowed programs: Default is Off.
  • Disable notifications to user when Firewall blocks a new program: Default is Off.
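Both the Device Guard policy and the Firewall policy above describe state that the device should end up in after the policy applies and, for Device Guard, after a reboot. The following PowerShell script is an added example, not code from this page or from Citrix: it reads the live state on a Windows 10 device and reports where it differs from the settings you expect each policy to have produced. Everything in $expected is an assumption standing in for your own policy values; the WMI class, cmdlets and registry value it reads are the ones Windows exposes. Run it in an elevated PowerShell session on the device.

```powershell
# Added example, not Citrix code. Checks on a Windows 10 device whether the
# state that the Device Guard policy and the Firewall policy are meant to
# produce is actually in place. $expected is an assumption: edit it to match
# the values you configured in the two XenMobile policies.

$expected = [ordered]@{
    # Device Guard policy
    VbsEnabled           = $true     # Enable Virtualization Based Security
    CredentialGuard      = $true     # LSA Configuration Flags: On (with or without UEFI lock)
    RequireSecureBoot    = $true     # Require Platform Security Features: VBS with Secure Boot
    RequireDmaProtection = $false    # ... and DMA protection
    # Firewall policy, checked on each of the Domain, Private and Public profiles
    FirewallEnabled      = $true     # Enable Feature plus the three profile toggles
    AllowInboundRules    = $true     # $false = "Block all incoming connections, including allowed programs"
    NotifyOnListen       = $true     # $false = "Disable notifications to user when Firewall blocks a new program"
}

function Get-DeviceGuardState {
    # Win32_DeviceGuard encodes state as integer codes (meanings per Microsoft's
    # Credential Guard documentation):
    #   VirtualizationBasedSecurityStatus   0 = off, 1 = enabled, 2 = enabled and running
    #   SecurityServicesConfigured/Running  1 = Credential Guard, 2 = HVCI
    #   RequiredSecurityProperties          2 = Secure Boot, 3 = DMA protection
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [ordered]@{
        VbsEnabled           = ($dg.VirtualizationBasedSecurityStatus -ge 1)
        CredentialGuard      = (@($dg.SecurityServicesConfigured) -contains 1)
        RequireSecureBoot    = (@($dg.RequiredSecurityProperties) -contains 2)
        RequireDmaProtection = (@($dg.RequiredSecurityProperties) -contains 3)
        # Informational: "configured" only becomes "running" after a reboot, and
        # Win32_DeviceGuard does not report the UEFI lock; the LSA registry flag
        # does (1 = on with UEFI lock, 2 = on without lock, 0 = off).
        CredentialGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
        LsaCfgFlags            = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }
}

function Get-FirewallState {
    # Profile properties are GPO-style enums (True/False/NotConfigured), hence
    # the string comparison. One entry per profile so drift is attributable.
    $state = [ordered]@{}
    foreach ($fwProfile in Get-NetFirewallProfile -Name Domain, Private, Public) {
        $state["FirewallEnabled/$($fwProfile.Name)"]   = ([string]$fwProfile.Enabled -eq 'True')
        $state["AllowInboundRules/$($fwProfile.Name)"] = ([string]$fwProfile.AllowInboundRules -eq 'True')
        $state["NotifyOnListen/$($fwProfile.Name)"]    = ([string]$fwProfile.NotifyOnListen -eq 'True')
    }
    $state
}

$actual = [ordered]@{}
foreach ($kv in (Get-DeviceGuardState).GetEnumerator()) { $actual[$kv.Key] = $kv.Value }
foreach ($kv in (Get-FirewallState).GetEnumerator())    { $actual[$kv.Key] = $kv.Value }

# Map "AllowInboundRules/Public" back to the policy setting "AllowInboundRules";
# keys with no expected value (the informational ones) are only printed.
$drift = foreach ($key in $actual.Keys) {
    $policyKey = ($key -split '/')[0]
    if ($expected.Contains($policyKey) -and $expected[$policyKey] -ne $actual[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $expected[$policyKey]; Actual = $actual[$key] }
    }
}

"Credential Guard running: $($actual.CredentialGuardRunning); LsaCfgFlags: $($actual.LsaCfgFlags)"
if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
'Device Guard and Firewall state match the expected policies'
```

A Credential Guard that shows as configured but not running has not been rebooted since the policy applied, which is the case the server-side comparison described under the Device Guard policy can't distinguish from a device that was never configured.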

Server property changes to improve server tuning

For several server properties used to tune XenMobile operations, the default values now match the recommended values. For more information, see Tuning XenMobile Operations.

Here are the updated server properties, with their new default values shown in parentheses:

  • hibernate.c3p0.timeout (120 sec)
  • Push Services Heartbeat Interval: ios.apns.heartbeat.interval, windows.wns.heartbeat.interval, gcm.heartbeat.interval (20 hours)
  • Background Deployment (1440 minutes)
  • Background Hardware Inventory (1440 minutes)
  • Interval for check deleted Active Directory user (15 minutes)

In addition, the default value for the following server property has changed to the setting recommended in Server Properties:

  • Block Enrollment of Rooted Android and Jailbroken iOS Devices (true)

You can now further tune XenMobile Server through the following custom server properties that were previously undocumented.

Custom Key: hibernate.c3p0.min_size

This XenMobile Server property, a Custom Key, determines the minimum number of connections that XenMobile opens to the SQL Server database. Default is 50.

To change this setting, you must add a server property to XenMobile Server with the following configuration:

  • Key: Custom Key
  • Key: hibernate.c3p0.min_size
  • Value: 50
  • Display name: hibernate.c3p0.min_size=nnn
  • Description: DB connections to SQL

Custom Key: hibernate.c3p0.idle_test_period

This XenMobile Server property, a Custom Key, determines the idle time in seconds before a connection is automatically validated. Default is 30.

To change this setting, you must add a server property to XenMobile Server with the following configuration:

  • Key: Custom Key
  • Key: hibernate.c3p0.idle_test_period
  • Value: 30
  • Display name: hibernate.c3p0.idle_test_period=nnn
  • Description: Hibernate idle test period

Fixed issues in XenMobile Service 10.7.6

After you upgrade XenMobile from version 10.5 to 10.6, when you carry out an action on a device, such as a device wipe: The server logs loop on the security action and the database size increases significantly. [CXM-43020]

If the display name for a server property is set to NULL: Searching for any string on the Settings > Server Properties page results in a “500 Internal Server Error”. [CXM-43469]

Known issues in XenMobile Service 10.7.6

On the Manage > Devices page, when you edit an iOS device and go to the Apps tab: The Version column doesn’t include the revision number for Secure Hub and MDX apps. [CXM-40183]

For a Restrictions device policy for Samsung SAFE: The Browser, YouTube, and Google Play/Marketplace options have been removed. Use the Disable Applications option to enable or disable those features. [CXM-43043]

XenMobile Service 10.7.5

The latest version of XenMobile has these new features and improvements:

Monitor page for help desk administrators

You can now monitor and troubleshoot XenMobile Service on the new Monitor page. This interface is customized for help desk administrators to carry out user-based troubleshooting efficiently.

Help Desk administrators must have the following permissions to access the Monitor tab and all available workflows:

  • Authorized access
    • Admin console access
    • Public api access
  • Console Features
    • Monitor
    • Devices
    • Full Wipe Device
    • View Locations
      • Locate Device
      • Track Device
    • Lock device
    • Unlock device
    • App Lock
    • App Wipe
    • App

The Monitor page gives you a consolidated view of device policies and configuration. The view includes troubleshooting actions such as app lock/unlock, app wipe, device lock/unlock, and device wipe.

Image of Citrix Cloud Monitor screen

Use the Monitor page to:

  • Search for an Active Directory (AD) user and device you want to troubleshoot.
  • Analyze the Device Details page containing:
    • Policies: Displays device and app policies for the selected device and app. For information about modifying policies, see Device policies and Add apps.
    • Configuration: Displays the device configuration. This panel includes icons that indicate whether the device has location services enabled, is jailbroken, and is MAM/MDM managed. The panel also shows the storage encryption status.
    • Running Applications table: Displays the details of the applications currently running on the device.
  • Troubleshoot the device. Security actions available on this page are based on the enrollment of the device, and the permissions available to the logged-in administrator:
    • Device lock/unlock
    • Device wipe
    • App lock/unlock (available if the device is MAM enrolled)
    • App wipe (available if the device is MAM enrolled)

For more information about the actions you can take, see Security actions.

The Monitor page might not operate as expected 60 minutes after it was last loaded, because it does not handle refreshes of the login token. As a workaround, refresh the token by reloading the page: Click the Citrix Cloud link on your service console and then click XenMobile Service > Manage > Monitor.

Share your feedback on the utility of this feature in the Citrix Cloud discussion forum.

Access to XenMobile Tools from the XenMobile console

XenMobile now lets you access these XenMobile Tools from the XenMobile console:

  • XenMobile Analyzer – Identify and triage potential issues with your deployment.
  • APNs Portal – Submit a request to Citrix to sign an APNs certificate, which you then submit to Apple.
  • Auto Discovery Service – Request and configure Auto Discovery for your domain’s XenMobile Server.
  • Manage Push Notifications – Manage push notifications for iOS and Windows XenMobile Apps.
  • MDX Service – Wraps apps that you can then manage by using XenMobile.

To access these tools, go to Settings > XenMobile Tools. This page is available to users with the Cloud Admin or Customer Admin role.

Image of XenMobile Tools screen

Use Windows AutoPilot to set up and configure devices

Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can use Windows AutoPilot to reset, repurpose, and recover devices. AutoPilot helps to remove some of the complexity of your current operating system deployment. Using AutoPilot reduces the task to a set of simple settings and operations that can get your devices ready to use quickly and efficiently.

Prerequisites:

  • Devices registered to the organization in Microsoft Store for Business portal.
  • Company branding configured in Azure Active Directory portal.
  • Company has an Azure Active Directory Premium P1 or P2 subscription.
  • Configure Citrix Identity Platform as the IDP type for XenMobile: In the XenMobile console, go to Settings > Identity Provider (IDP). For more information, see Azure Active Directory as IDP.
  • Network connectivity to cloud services used by Windows AutoPilot.
  • Devices pre-installed with Windows 10 Professional, Enterprise or Education, version 1703 or later.
  • Devices have access to the internet.

For more information on configuring prerequisites, see https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot.

To configure Windows Automatic Redeployment in XenMobile for AutoPilot devices:

  1. Follow the steps to add a custom XML policy at Custom XML Device Policy. Add the following in XML Content:

    <Add>
    <CmdID>_cmdid_</CmdID>
    <Item>
    <Target>
    <LocURI>./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials</LocURI>
    </Target>
    <Meta>
    <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>0</Data>
    </Item>
    </Add>

  2. On the Windows lock screen, type the keystroke CTRL + Windows key + R.

  3. Log in with an Azure Active Directory account.

  4. The device verifies that the user has rights to redeploy the device. The device then redeploys.

  5. After the device updates with the AutoPilot configuration, the user can then log in to the freshly configured device.

More restrictions for Android for Work devices

You can now control more device restrictions for Android for Work devices from the Configure > Device Policies > Restrictions Policy page.

Image of Device Policies configuration screen

Each of these settings is available for Android 5.0 and later, unless otherwise noted.

  • File transfer: Allows file transfers over USB. Default is Off.
  • Tethering: Allows users to configure portable hotspots and tether data. Default is Off.
  • Allow copy and paste: Allows or prevents use of the clipboard to copy and paste between apps in the Android for Work profile and apps in the personal area. Default is Off.
  • Enable app verification: Enables the OS to scan apps to detect malicious behavior. Default is On.
  • Allow user control of application settings: Allows users to uninstall apps, disable apps, clear cache and data, force stop any app, and clear defaults. Default is Off.
  • Allow work profile contacts in device contacts: Shows contacts from the managed Android for Work profile in the parent profile, for incoming calls. Default is Off. (Android 7.0 and later)

For information about configuring device policies, see Device policies.

Deploy OS updates to managed Android for Work devices

You can now use the Control OS Update device policy to deploy OS updates to managed Android for Work devices (Android 7.0 and higher). To configure the policy, go to Configure > Device Policies.

Image of Device Policies configuration screen

Configure these Android for Work settings:

  • System update policy: Determines when system updates occur. Automatic installs an update when it is available. Windowed installs an update automatically within the daily maintenance window specified in the Start time and End time. Postpone allows a user to postpone an update for up to 30 days.
    • Start time: The start of the maintenance window, measured as the number of minutes (0 - 1440) from midnight in the device local time. Default is 0.
    • End time: The end of the maintenance window, measured as the number of minutes (0 - 1440) from midnight in the device local time. Default is 120.

Specify the behavior when Android for Work apps request dangerous permissions

A new device policy lets you configure how Android for Work apps within work profiles handle requests for what Google calls “dangerous” permissions. You control whether to prompt users to grant or deny a permission request from apps. This feature is for devices running Android 7.0 and later.

Google defines dangerous permissions as permissions that give an app access to the following:

  • Data or resources that involve private user information.
  • Resources that might affect the stored data for a user or the operation of other apps. For example, the ability to read user contacts is a dangerous permission.

For Android for Work apps that are within work profiles: You can configure a global state that controls the behavior of all dangerous permission requests to the apps. You can also control the behavior of dangerous permission requests for individual permission groups, as defined by Google, for each app. These individual settings override the global state.

For information on how Google defines permission groups, see “Permission groups” in the Android developers guide.

By default, users are prompted to grant or deny dangerous permission requests.

To configure permissions for Android for Work apps, go to Configure > Device Policies and add the Android for Work App Permissions policy. This policy applies only to apps that you first add and approve in the Google Play console and then add to XenMobile as Public Store apps.

Image of Device Policies configuration screen

Configure these settings:

  • Global State: Controls the behavior of all dangerous permission requests. In the list, click Prompt, Grant, or Deny. Default is Prompt.
    • Prompt: Prompts users to grant or deny dangerous permission requests.
    • Grant: Grants all dangerous permission requests without prompting users.
    • Deny: Denies all dangerous permission requests without prompting users.
  • To override the Global State for a permission group, set an individual behavior for the permission group. To configure settings for a permission group, click Add, choose an app from the list, and then choose a Grant Status.

Set messages to appear on the lock screen of lost devices

A new device policy, Lock Screen Message, lets you set messages to appear on the following devices when they are lost:

  • The login window of shared iPads
  • The lock screen of supervised iOS devices

To add the policy, go to Configure > Device Policies and add Lock Screen Message.

Image of Device Policies configuration screen

Configure these settings:

  • Asset tag information for the device: The asset tag for the device. Apple devices truncate long strings, so be sure to test a string before deploying the policy to production. String length depends on the Apple device model and Apple settings, which can change. (iOS 9.3 and later)
  • Login window and lock screen footnote: Information to help in returning the device, such as an address or other contact information. Apple devices truncate long strings, so be sure to test a string before deploying the policy to production. String length depends on the Apple device model and Apple settings, which can change. (iOS 9.3.1 and later)
  • Remove Policy: Select a date or an expiration time for the policy to expire. The lock screen message ceases to appear after this time frame.
  • Allow user to remove policy: Select whether you want to allow users to turn off the lock screen message. Options are Always, Password required, or Never.

For information about configuring device policies, see Device policies.

New REST APIs

The XenMobile Public API for REST Services includes these new APIs:

  • Get Users by Filter
  • Remove Enrollment Token

For more information, download the XenMobile Public API for REST Services PDF and see section 3.12.1, Get Users by Filter, and section 3.19.7, Remove Enrollment Token.

Fixed issues in XenMobile Service 10.7.5

RBAC administrators cannot see managed devices from the XenMobile Server console. A 500 server internal error occurs. [CXM-41147]

When configuring an App Configuration device policy for iOS: If the dictionary content includes the “&” delimiter, the XML code doesn’t work on devices. The XML validation error in the log is: The reference to entity “name” must end with the ‘;’ delimiter. [CXM-41883]

The number of pending selective wipes displayed on the XenMobile Dashboard does not match the number displayed on the Analyze tab. [CXM-42020]

In certain versioning scenarios, the check for app updates feature does not function properly. [CXM-42388]

Known issues in XenMobile Service 10.7.5

For MDM-enrolled iOS 11 devices, when you deploy XenMobile in a cluster setup in MDM or MDM+MAM mode, MDM commands may fail. As a result, the following issues might occur:

  • You might not be able to push MDM policies or deploy apps
  • You might not be able to carry out security actions, such as lock or wipe, on iOS 11 devices.
  • On user devices, the following issues might occur:
    • Apps keep trying to install
    • VPN or WiFi configurations fail to install
    • Security actions, such as Lock, occur repeatedly.

For more details and required action, see the Citrix Knowledge Center article at https://support.citrix.com/article/CTX227406. [CXM-38331]

XenMobile Service 10.7.4

The latest version of XenMobile has these new features and improvements:

Single sign-in with Azure Active Directory

XenMobile Service supports single sign-in with Azure Active Directory credentials for the following scenarios:

  • User enrollment through Citrix Secure Hub (Android or iOS)
  • For the RBAC User role, authentication to the XenMobile Self Help Portal
  • Administrator authentication to the XenMobile console
  • For XenMobile Service, administrator authentication to the XenMobile Public API for REST Services by using a token retrieved through the Citrix Cloud API. For more information, see section 3.3.2, Login (Cloud Credentials), in the XenMobile Public API for REST Services PDF.

XenMobile Service uses the Citrix Cloud service, Citrix Identity Platform, to federate with Azure Active Directory. Citrix Identity Platform is an identity provider (IDP) service.

To set up this service, you configure Citrix Cloud to use Azure Active Directory as your Identity Provider. Then, configure Citrix Identity Platform as the IDP type for XenMobile Server. Users can then log on to Secure Hub with their Azure Active Directory credentials. Secure Hub uses client certificate authentication for MAM devices.

Citrix recommends that you use Citrix Identity Platform instead of a direct connection to Azure Active Directory.

Prerequisites for single sign-in with Azure Active Directory

  • XenMobile Server, configured in MDM, MAM-only, or Enterprise mode
  • NetScaler Gateway, configured for certificate-based authentication
  • Secure Hub 10.7.20 (minimum version)
  • Azure Active Directory user credentials

Configure Citrix Cloud to use Azure Active Directory as your Identity Provider

To configure Azure Active Directory in Citrix Cloud:

  1. Go to https://citrix.cloud.com and sign in to your Citrix Cloud account.

  2. From the Citrix Cloud menu, go to the Identity and Access Management page and connect to Azure Active Directory.

    Image of Citrix Cloud screen

  3. Type your administrator sign-in URL and then click Connect.

    Image of Citrix Cloud screen

  4. After you sign in, your Azure Active Directory account connects to Citrix Cloud. The Identity and Access Management > Authentication page shows which accounts to use to sign in to your Citrix Cloud and Azure AD accounts.

    Image of Citrix Cloud screen

Configure Citrix Identity Platform as the IDP type for XenMobile Server

After you configure Azure Active Directory in Citrix Cloud, configure XenMobile Server as follows.

  1. In the XenMobile console, go to Settings > Identity Provider (IDP) and then click Add.

  2. In the Identity Provider (IDP) page, configure the following:

    Image of IDP configuration screen

    • IDP Name: Type a unique name to identify the IDP connection that you are creating.
    • IDP Type: Choose Citrix Identity Platform.
    • Auth Domain: Choose the Citrix Cloud domain. If you aren’t sure which one to choose, your domain appears on the Citrix Cloud Identity and Access Management > Authentication page.
  3. Click Next. In the IDP Claims Usage page, configure the following:

    Image of IDP configuration screen

    • User Identifier type: This field is set to userPrincipalName.
    • User Identifier string: This field is automatically filled.
  4. Click Next, review the Summary page, and then click Save.

    Secure Hub users, XenMobile console, and Self Help Portal users can now sign in with their Azure Active Directory credentials.

XenMobile Server administrator and user authentication flow

The sign-in screen for the XenMobile console and the XenMobile Self Help Portal includes the link Sign in with my company credentials.

Image of XenMobile sign in

Click that link to enter your Azure Active Directory credentials. After successfully authenticating you, XenMobile doesn’t require you to sign in for future access.

If you sign in to the XenMobile console or self-help portal from domain joined devices and click the Sign in with my company credentials link: XenMobile provides a single sign-on experience. No authentication prompt appears.

Secure Hub authentication flow

With XenMobile configured to use Citrix Identity Platform as its IDP, the Secure Hub authentication flow is as follows for a device enrolled through Secure Hub:

  1. A user starts Secure Hub.
  2. Secure Hub passes the authentication request to Citrix Identity Platform, which passes the request to Azure Active Directory.
  3. The user types their user name and password.
  4. Azure Active Directory validates the user and sends a code to Citrix Identity Platform.
  5. Citrix Identity Platform sends the code to Secure Hub, which sends the code to XenMobile Server.
  6. XenMobile obtains an ID token by using the code and secret, and then validates the user information that’s in the ID token. XenMobile returns a session ID.

Users of domain-joined devices can use their Azure Active Directory credentials for a single sign-on experience. For XenMobile local accounts, single sign-on isn’t available.
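The six-step flow above ends with XenMobile exchanging the code and a secret for an ID token and validating the claims before returning a session ID. The following simulation is an added example, not Citrix's code, showing both sides of that exchange: a stand-in IDP that issues single-use codes and signed ID tokens, and a stand-in server that redeems a code, verifies the token's signature, issuer, audience and lifetime, and only then mints a session. Secure Hub is modelled as a relay function. Everything here is an assumption or a constructed placeholder: the client ID, issuer URL and keys, and the use of an HMAC (HS256) shared key in place of the public-key signatures a real IDP uses, which keeps the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this simulation (placeholders, not real tenant data).
CLIENT_ID = "xenmobile-server"                    # assumed audience ("aud") claim
CLIENT_SECRET = b"constructed-client-secret"      # secret shared by IDP and server
ISSUER = "https://idp.example.invalid"            # placeholder issuer URL
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # HS256 key; real IDPs sign with RSA/EC keys


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityPlatform:
    """Stand-in for the IDP: issues one-time codes and signed ID tokens."""

    def __init__(self, token_lifetime: int = 300):
        self.token_lifetime = token_lifetime
        self._pending_codes = {}  # code -> authenticated subject

    def authenticate(self, subject: str) -> str:
        """Steps 3-4: the user signs in; the IDP hands a code back for Secure Hub."""
        code = secrets.token_urlsafe(16)
        self._pending_codes[code] = subject
        return code

    def redeem_code(self, code: str, client_id: str, client_secret: bytes):
        """Step 6, IDP side: exchange code + client secret for an ID token."""
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return None
        subject = self._pending_codes.pop(code, None)  # a code is single-use
        if subject is None:
            return None
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": ISSUER, "aud": client_id, "sub": subject,
                  "iat": now, "exp": now + self.token_lifetime}
        signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                         + b64url_encode(json.dumps(claims).encode()))
        sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)


class XenMobileServerSim:
    """Step 6, server side: redeem the code, validate the ID token, mint a session."""

    def __init__(self, idp: IdentityPlatform):
        self._idp = idp
        self.sessions = {}  # session_id -> subject

    def validate_id_token(self, token: str):
        """Return the claims only if signature, issuer, audience and lifetime check out."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header_b64, claims_b64, sig_b64 = parts
        try:
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(claims_b64))
            signature = b64url_decode(sig_b64)
        except ValueError:  # covers bad base64 and bad JSON
            return None
        if header.get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(IDP_SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
            return None
        now = time.time()
        if not (claims.get("iat", 0) - 60 <= now < claims.get("exp", 0)):
            return None  # not yet valid (60 s skew allowed) or expired
        return claims

    def login_with_code(self, code: str):
        token = self._idp.redeem_code(code, CLIENT_ID, CLIENT_SECRET)
        if token is None:
            return None
        claims = self.validate_id_token(token)
        if claims is None:
            return None
        session_id = secrets.token_urlsafe(24)
        self.sessions[session_id] = claims["sub"]
        return session_id


def secure_hub_sign_in(idp: IdentityPlatform, server: XenMobileServerSim, subject: str):
    """Secure Hub relays the code from the IDP to the server (steps 1, 2 and 5)."""
    code = idp.authenticate(subject)
    return server.login_with_code(code)


if __name__ == "__main__":
    idp = IdentityPlatform()
    server = XenMobileServerSim(idp)
    sid = secure_hub_sign_in(idp, server, "alice@example.invalid")
    print("session:", sid, "->", server.sessions[sid])
```

The checks in validate_id_token are the ones that matter for the relying party regardless of IDP: the code can be redeemed once, the client secret is required to redeem it, the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token, and issuer, audience and expiry are all compared against values the server already knows.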

Deploy Microsoft Store for Business apps from XenMobile

Microsoft Store for Business is a location where you can find and distribute free and paid apps in volume for your organization. By connecting XenMobile Server to Microsoft Store for Business, the Store for Business apps appear in the XenMobile Configure > Apps page. You can then deploy those apps to Windows 10 devices.

XenMobile supports only online license app management, which is the default licensing model supported by Microsoft Store for Business. This model requires users and devices to connect to Microsoft Store services to acquire an app and its license.

To learn more about Microsoft Store for Business, see the Microsoft documentation at https://docs.microsoft.com/en-us/microsoft-store/microsoft-store-for-business-overview.

Prerequisites to access Microsoft Store for Business apps

  • Azure Active Directory

    To access Microsoft Store for Business apps, you must first configure Azure Active Directory as an Identity Provider. For information on performing this configuration, see Azure Active Directory as IDP.

  • Microsoft Store for Business

Connect XenMobile Server to Microsoft Store for Business

  1. In the XenMobile console Settings page, search for and click the link for Microsoft Store for Business.

  2. Configure these settings:

    • Azure AD configuration: Select the Azure Active Directory instance you configured as part of the prerequisites.
    • App Suffix: Enter a suffix added to all Microsoft Store for Business apps for easy identification.
    • Localization: Select the language to use for the app details downloaded from Store for Business to XenMobile.

    Image of Microsoft Store for Business settings screen

  3. Click Save. XenMobile adds the Microsoft Store for Business apps to the Configure > Apps page.

    Image of Microsoft Store for Business settings screen

  4. To resync the apps later, return to the Microsoft Store for Business settings page and click the Force Sync button.

    Image of Microsoft Store for Business settings screen

Associate your Microsoft Store for Business account with XenMobile

  1. Log in to the Microsoft Business Store using the same tenant account that you use to sign in to Azure Active Directory.
  2. In the Business Store, choose Settings > Management tools.
  3. On the Management tools page, choose Add a management tool, and choose XenMobile.

Sync apps with the Store for Business

By default, XenMobile syncs with Microsoft Store for Business every 24 hours. To force a sync, go to Settings > Microsoft Store for Business and click Force sync.

Image of Microsoft Store for Business settings screen

To change the sync interval, go to Settings > Server Properties and update the value for the Minimum MSB baseline interval server property.

Assign Store for Business apps to delivery groups

Apps synced from Microsoft Store for Business have the suffix you configured on the Settings > Microsoft Store for Business page.

Image of Apps configuration screen

  1. To add those apps to delivery groups: Go to Configure > Delivery Groups, select a group, click Edit, and then click Apps. Move the apps to the Required Apps list.
  2. Go to Configure > Apps. Select one or more apps, click Edit, and then click Delivery Group Assignments.

Revoke a user license for an app

  1. Go to Configure > Apps, select the Store for Business app, and then click Edit.

  2. Under Platform, click Windows Desktop/Tablet.

  3. Scroll down and expand Microsoft Store for Business.

    Image of Apps configuration screen

  4. Select the user and click Disassociate.

    Image of Apps configuration screen

Control the updates installed on Windows Desktop/Tablet

The Control OS Update device policy, which deploys OS updates to supervised Windows 10 Desktop and Tablet devices, has a new feature. You can now specify whether to install only approved updates. XenMobile handles the updates as follows:

  • For a security update, such as for Windows Defender definitions, XenMobile automatically approves the update and sends an install command to the device during next sync.
  • For all other update types, XenMobile waits for your approval before sending the install command to the device.

Requirement

You must upload the Microsoft root certificate to XenMobile Server as a server certificate. To get the certificate, go to http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409. After you upload the certificate to XenMobile, restart XenMobile Server. For information about importing a server certificate, see “To import a certificate” in Certificates and authentication.

Install only approved updates

  1. Go to Configure > Device Policies and open the Control OS Update device policy.
  2. Change the Allow updates only in approval list setting to Yes, install only approved updates.

Approve an update

  1. In the Control OS Update device policy, scroll down to the Pending updates table. XenMobile obtains the updates listed in the table from devices.

  2. Search for updates with an Approval status of Pending.

  3. Click the row for the update you want to approve and then click the edit icon for that row (in the Add column).

    Image of Device Policies configuration screen

  4. To approve the update, click Approved and then click Save.

    Image of Device Policies configuration screen

Note: Although the Pending updates table includes add and delete commands, those commands don’t result in any changes to the XenMobile database. Editing approval status is the only action available for pending updates.

To view the Windows update status for a device, go to Manage > Devices > Properties.

Image of Devices configuration screen

When an update publishes, the Update ID appears in the first column with a status (Success or Failure). You can create a report or an automated action for devices with failed updates. The date and time of the publication also appears.

How updates work for first-time and subsequent deployments

The effect of the Control OS Update device policy on devices differs for a first-time deployment versus a deployment after devices get updates.

  • For XenMobile to query a device for updates, you must configure and assign to a delivery group at least one Control OS update device policy.

    XenMobile queries a device for installable updates during a device MDM sync.

  • After the first Control OS update device policy deploys, the list of Windows updates is empty because no device has reported yet.
  • When the devices in the assigned delivery group report updates, XenMobile saves those updates in its database. To approve any reported updates, edit the policy again.

    Update approval applies only to the policy you are editing. Updates approved in one policy don’t show as approved in another policy. The next time that a device syncs, XenMobile sends a command to the device to indicate that the update is approved.

  • For a second Control OS Update device policy, the update list contains the updates stored in the XenMobile database. You must approve updates for each policy.

    During each device sync, XenMobile queries the device for the approved update state until the device reports an update as installed. For updates that require a device restart after installation, XenMobile queries the state of the update until the device reports it as installed.

  • XenMobile doesn’t restrict the updates shown in the policy configuration page by delivery group or device. All updates reported by devices appear in the list.

Inventory and delete Win32 apps

You can now determine whether the Win32 apps on user devices comply with your App access device policy. To view an inventory of Win32 apps on managed Windows 10 Desktop and Tablet devices:

  1. Go to Configure > Device Policies and add an App Inventory policy for the Windows Desktop/Tablet platform. Deploy the policy.

  2. Go to Manage > Devices, select the Windows 10 device that you want to view, click Edit, and then click the Apps tab.

    The results of the inventory appear.

    Image of Devices configuration screen

  3. Compare the app inventory to your App access device policy. If the device has blacklisted apps installed, you can delete them from devices as follows.

App install and uninstall issues caused by an incorrect Product Code

If a Win32 app is configured with the incorrect Product Code, the app initially installs. However, Microsoft doesn’t return the app status to XenMobile. As a result:

  • The App Uninstall device policy doesn’t uninstall the app.
  • XenMobile Server continues to deploy the app because it doesn’t have confirmation that the app installed. With each deployment, the device generates an error code because the app is already installed. The error shown in Manage > Device > Delivery Group Details is: “Msi Application received: Reporting:AppPush id:7z1701-x64.msi: Command execution failed -2147023293”

To correct the Product Code:

  1. Manually remove the app from the device.
  2. In the XenMobile console, go to Configure > Apps and correct the Product Code for the Win32 app.
  3. Deploy the Win32 app.

Configure firewalls on managed macOS devices

You can now configure firewalls on managed devices running macOS 10.12 and later. Go to Configure > Device Policies and add or edit the Firewall policy.

Image of Device Policies configuration screen

Configure these settings:

  • Enable Firewall: To enable the firewall, set this option to ON.
  • Block all incoming connections: When this option is set to ON, it blocks all incoming connections except the connections required for basic services.
  • Enable stealth mode: In stealth mode, the device doesn’t respond to or acknowledge attempts to access it from the network by test applications using ICMP, such as Ping. To enable stealth mode, set this option to ON.
  • App specific incoming connection settings: To allow specific apps to receive connections, add the apps and set Allowed to True.

Enhanced security for work profiles for Android for Work

Work profile passcode

For devices running Android 7.0 and later, you can now require a passcode for apps within a work profile for Android for Work. Users are prompted to enter the passcode when they attempt to open any apps in the work profile. When users enter the passcode, they can then access apps in the work profile.

You configure a passcode requirement for the work profile only or for the device.

To configure a passcode requirement for Android for Work, go to Configure > Device Policies and add or edit the Passcode policy. Click the Android for Work platform page and configure these settings:

  • Work profile security challenge: Enable this setting to require users to complete a security challenge for access to apps running in an Android for Work work profile. This option is not available for Android devices earlier than Android 7.0. The default is OFF.
  • Passcode requirements for work profile security challenge:
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Biometric recognition: Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default is OFF. This feature isn’t currently supported.
    • Required characters: In the list, click No Restriction, Both numbers and letters, Numbers only, or Letters only to configure how passcodes are composed. Use No restrictions only for devices running Android 7.0. Android 7.1 and later don’t honor the No restrictions setting. The default is Both numbers and letters.

Default security policies

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android for Work in work profile mode.

Other improvements

  • New server properties to specify the number of days after which an offline iOS or macOS device is considered unreachable. When an iOS or macOS device reaches the limit specified by the following server properties, it stops checking back with XenMobile Server. Both properties default to 45 days.
    • ios.delayBeforeDeclareUnreachable
    • macos.delayBeforeDeclareUnreachable
  • Locale-based date and time formats. The date and time shown throughout the XenMobile console is now formatted according to the locale and time zone of the administrator.

    For example, 6 PM on November 20, 2017, is shown as follows:

    U.S. (en-US): 11/20/17 06:00:00 pm
    U.K. (en-GB): 20/11/17 18:00:00
    South Africa (en-ZA): 2017/11/20 06:00:00 pm

    The XenMobile Public REST API has these related changes: The createdOn and lastAuthenticated fields are deprecated. Use creationDate and lastAuthDate instead. For more information, download the XenMobile Public API for REST Services PDF.

  • Public REST API changes. The XenMobile Public API for REST Services now includes the API “Revoke enrollment tokens”. This API sets the enrollment status to expired. For more information, download the XenMobile Public API for REST Services PDF.

Fixed issues in XenMobile Service 10.7.4

For Azure environments only: iOS devices that are offline more than seven days don’t check back with XenMobile Server until the server restarts. [CXM-39540]

iOS devices with a Telnet profile installed can’t communicate with XenMobile Server. As a result, XenMobile can’t deploy policies to those devices. [CXM-40402]

When you import a Citrix Receiver ADMX file to create XenMobile App Configuration device policy: If you do not specify a required field, XenMobile might fail to display an error. Ensure that you specify all required fields before saving the policy. [CXM-40664]

When you import the Microsoft Office 2016 ADMX file to create XenMobile App Configuration device policy, this error might appear:

“Error while processing admx/office16.admx: cvc-complex-type.3.2.3: Attribute ‘noSort’ is not allowed to appear in element.” To prevent this error, edit the office16.admx file to delete the text string noSort='true'. Rezip the file for upload. [CXM-40750]

The report that you can export from Manage > Devices has two columns labeled “ASM DEP device Type”. [CXM-40872]

Some large Win32 MSI apps might not install. The log error is similar to the following: Msi Application received: Reporting:AppPush id:AdbeRdr1000_en_US.msi: Command execution failed -2147023277. [CXM-40890]

During a download of a Secure Hub APK file to the XenMobile console, the following error occurs: 500 Server Internal Error. [CXM-41855]

NAC actions written to console log files result in large files. [CXM-42071]

Known issues in XenMobile Service 10.7.4

For pre-enrolled iOS devices, after an upgrade to XenMobile Service 10.7.4: If you change the Default store view in Settings > Client Branding, folder icons don’t appear in the Secure Hub category view. Workaround: Tap the folder name to see the apps in that category. [CXM-42091]

If you configure XenMobile Service for single sign-on using Citrix Identity Platform with Azure Active Directory: When a XenMobile administrator or user is redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” That message should read “Sign-in page for Citrix XenMobile console.” [CXM-42309]

XenMobile Service 10.7.3

The latest version of XenMobile has these new features and improvements:

Deploy Win32 apps to managed Windows 10 Desktop and Tablet devices

You can now upload MSI files for Win32 apps to the XenMobile console for deployment to managed Windows 10 Desktop and Tablet devices. When you use XenMobile to deploy an MSI that upgrades an app already on the device, the outcome depends on how the MSI handles the existing version:

  • If the upgraded app removes the old version during installation, then the device includes only the upgraded app.
  • If the upgraded app can’t remove the old version, but the new version can install, then the device includes both versions of the app. XenMobile Server no longer contains the information for the old version.
  • If the upgraded app can’t install when an old version exists, the new app doesn’t install. In that case, first deploy the App Uninstall device policy to remove the old version. Then, deploy the new version.

Requirements

  • Windows 10, version 1607 (minimum version)
  • Windows 10 Professional or Windows 10 Enterprise
  • Standalone Win32 MSI apps that install with the /quiet option. For this deployment use case, Microsoft doesn’t support MSIs containing multiple apps, nested MSIs, or interactive installation.

Look up MSI metadata

When you add a Win32 app to XenMobile, you must specify metadata for the app. To look up the metadata, open the MSI in Orca (the MSI table editor included with the Windows SDK) on a Windows computer and note the following information from the Property table:

  • Product code
  • Product name
  • Product version
  • Package install type, either per user or per machine

Add a Win32 app to XenMobile

  1. Go to Configure > Apps, click Enterprise, and type a name for the app in the App Information page.

  2. Clear all Platform check boxes except for Windows Desktop/Tablet.

  3. On the Windows Desktop/Tablet Enterprise App page, click Upload and navigate to the MSI.

  4. Configure these settings:

    Image of Apps configuration screen

    • App name: The name of the app, from the app metadata.
    • Description: A description for the app.
    • App version: The app version number, from the app metadata.
    • Minimum OS version: Optional. The oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optional. The most recent operating system version that the device can run to use the app.
    • Excluded devices: Optional. The manufacturer or models of devices that cannot run the app.
    • Product Code: The MSI app product code, in UUID format, from the app metadata.
    • Installation Context: Based on the app metadata, select whether the app is to install for the device or user.
    • Command Line: The command-line options to use when calling MSIEXEC.exe
    • Retry Count: The number of times you can retry a download and installation operation before marking the installation as failed.
    • Time Out: The number of minutes that the installation process runs before the installer interprets the installation as failed and no longer monitors the process.
    • Retry Interval: The number of minutes between retry operations.
  5. Specify deployment rules and store configuration as needed.

  6. Click Next until you get to the Summary page and then click Save.

  7. Go to Configure > Delivery Groups and add the Win32 app as a required app.

  8. After you deploy the app, let your users know that the app is available.

Upgrade a Win32 app

  1. Look up the metadata for the app, as described earlier in “Look up MSI metadata.”
  2. Go to Configure > Apps to upload the new version of the app. Update the App version. If the new version of the app has a different Product Code, update that setting.
  3. Submit the changes and deploy the app.

Support for ADMX files for Windows 10 Desktop and Tablet devices

You can now import Microsoft Administrative Template (ADMX) policy settings when configuring policies for Windows 10 tablets and desktops. Use the XenMobile App Configuration device policy to import an ADMX file and configure settings.

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add a New Policy page appears.

  3. Under Apps, click App Configuration. The App Configuration Policy information page appears.

  4. In the Policy Information pane, enter the following information:

    • Policy Name: Type a descriptive name for the policy.
    • Description: Optionally, type a description of the policy.
  5. Clear all Platform check boxes except for Windows Desktop/Tablet and then click Next.

  6. In Application Type, select Win32 App.

  7. In ADMX file, import the ADMX file you want to use to configure the policy.

    Image of Device Policies configuration screen

  8. Click Add to add the configuration. Configuration options from the ADMX file appear on the right side of the page.

    Image of Device Policies configuration screen

  9. Choose a policy path.

  10. Set Enable to On.

  11. Set any other options required for the app:

    • Input list element values as key-value pairs. Use the text string “&#xF000” to separate each key-value pair and the value and key within the pair.
    • Values requiring a decimal value may require values within a specific range.
  12. To add another configuration to this policy, click Add and choose a different policy path. Repeat steps 10 and 11.

    Note: If you choose the same policy path more than once, only the configuration you added most recently for that path is enforced.

  13. Click Next.

  14. Configure deployment rules and select delivery groups.
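The “&#xF000” separator in step 11 is easy to get wrong by hand: there is no escaping, and a missing value leaves an odd number of tokens that the policy then misinterprets. The following added example (not XenMobile code) builds the list-element string from ordered key-value pairs and decodes it back, rejecting empty or duplicate keys, separator text inside a key or value, and an odd token count. The host-name-to-zone pairs are constructed sample input.

```python
from typing import Dict, List, Tuple

# Separator text the XenMobile console field expects between keys and values,
# spelled exactly as the page gives it (the escape for code point U+F000).
SEPARATOR = "&#xF000"


def encode_list_element(pairs: List[Tuple[str, str]]) -> str:
    """Encode ordered key-value pairs into the single string the console field takes.

    Keys must be non-empty and unique, and neither keys nor values may contain
    the separator text, because the format has no escaping mechanism.
    """
    seen = set()
    tokens: List[str] = []
    for key, value in pairs:
        if not key:
            raise ValueError("empty key")
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        if SEPARATOR in key or SEPARATOR in value:
            raise ValueError("key or value contains the separator text")
        seen.add(key)
        tokens.extend((key, value))
    return SEPARATOR.join(tokens)


def decode_list_element(encoded: str) -> Dict[str, str]:
    """Split an encoded string back into a dict, rejecting an odd token count."""
    if not encoded:
        return {}
    tokens = encoded.split(SEPARATOR)
    if len(tokens) % 2:
        raise ValueError("token count is odd: a key has no value")
    return dict(zip(tokens[0::2], tokens[1::2]))


# Constructed example: a list policy mapping three host names to zone values.
SAMPLE_PAIRS = [
    ("intranet.example.com", "1"),
    ("portal.example.com", "2"),
    ("files.example.com", "1"),
]

if __name__ == "__main__":
    encoded = encode_list_element(SAMPLE_PAIRS)
    print(encoded)
    print(decode_list_element(encoded))
```

Because the separator has no terminator, a value that starts with a hex digit reads ambiguously on screen (for example “&#xF0001”), but the split is still unambiguous since the separator is fixed-length; the round trip in the example confirms that.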

Other improvements in this release

  • Force a sync with your VPP account. XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. You can now also force a sync. The Settings > iOS Settings page includes a Force synchronization button.

After you click to confirm the action, XenMobile imports the VPP information. The import might take several minutes, depending on the number of VPP licenses. After the sync completes, XenMobile refreshes the iOS Settings page and updates the sync date and time in the new Last Sync Date column.

Image of iOS Settings configuration screen

  • Support for Windows 10 RS3. We certified XenMobile 10.7 with Windows 10 RS3 Phone and Tablet.
  • Macros allowed for non-string fields in Cellular device policies for iOS. XenMobile now allows you to use macros for the values of non-string fields, such as Proxy server port, in the iOS cellular policy.

For example, you can now use a macro such as “${device.xyz}” or “${setting.xyz}”, which expands into an integer. You can also use the macros in a device configuration XML file that you import into XenMobile by using the Import iOS & macOS Profile device policy.

  • Disable apps on Samsung SAFE devices. You can use the Restrictions device policy to block a list of installed apps from running on Samsung SAFE devices. By default, the new Disable Applications setting is Off, which means apps are enabled. To disable an installed app, change the setting to On, click Add in the Application List table, and then type the app package name.

Changing and deploying an app list overwrites the prior app list. For example: If you disable com.example1 and com.example2, and then later change the list to com.example1 and com.example3, XenMobile re-enables com.example2.

Image of Device Policies configuration screen

  • More status information for the Control OS Update device policy for macOS. The Manage > Devices > Device details page now shows the status of scheduled OS update scans, available OS updates, and scheduled macOS and app updates. The status provided includes:
    • Schedule OS Update Scan Sent
    • Schedule OS Update Scan Acknowledged
    • Get Available OS Update Sent
    • Get Available OS Update Acknowledged
    • Install OS Update Sent
    • Install OS Update Acknowledged

Image of Devices configuration screen

  • New server properties to specify the number of days after which an offline iOS or macOS device is considered unreachable. When an iOS or macOS device has been offline for longer than the limit specified by the following server properties, it stops checking back with XenMobile Server. Both properties default to 45 days.
    • ios.delayBeforeDeclareUnreachable
    • macos.delayBeforeDeclareUnreachable
  • Changes to the following server properties no longer require that you restart XenMobile Server:
    • Add Device Always (secure.device.add.device.always)
    • Auto Logout (secure.device.auto.logout.after)
    • Background Deployment (scheduling.background.deployment)
    • Background Hardware Inventory (scheduling.background.inventory)
    • Block Enrollment of Rooted Android and Jailbroken iOS Devices (secure.device.forbid.jailbroken.iphones.and.rooted.androids)
    • Certificate Renewal (in Seconds) (secure.device.renew.certificate.before)
    • Default deployment channel (macos.mdm.deployment.deploymentSplitType)
    • Enable Device Triangulation (zdm.device.triangulation.enable)
    • Enforce SSL (secure.device.enforce.ssl)
    • Enrollment Required (wsapi.mdm.required.flag)
    • Full Pull of ActiveSync Allowed and Denied Users (mag.policy.baseline.interval.seconds)
    • Maximum Device IDs (zdm.mag.max.device.ids.asked)
    • Pull of Incremental Change of Allowed and Denied Users (mag.policy.delta.interval.seconds)
    • Secure Authentication (secure.device.enforce.strong.authentication)
    • SOAP Web Services (zdm.ws.soap.otp-service.enabled)
    • Strong 8 Character ID (secure.device.strong.id.short)
    • Strong ID Valid Once (secure.device.strong.id.valid.once)
    • User-Defined Device Properties N
    • Users only from Exchange (userOnlyFromExchange)
    • XenMobile MDM Self Help Portal console max inactive interval (minutes) (zdm.console.max.inactive.interval)

Fixed issues XenMobile Service 10.7.3

When configuring the Cellular device policy in the XenMobile console: Using a macro for an integer value results in an error, such as “Enter port integer values from 1 to 65535.” When importing a device configuration XML file into XenMobile by using the Import iOS & macOS Profile device policy: Using a macro for an integer results in an error, such as “Parsing error detected; the selected file is an invalid or corrupted iOS configuration file: ‘Cannot parse: org.xml.sax.InputSource@69335cc’.” [CXM-32005]
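The macro support described under “Macros allowed for non-string fields in Cellular device policies for iOS” and the parse error in CXM-32005 come down to one mechanism: the macro must be substituted before the profile XML is parsed, and an integer field has to end up holding an integer. The following added example (not XenMobile’s code) expands ${device.xyz} and ${setting.xyz} macros in a profile and then parses the result with plistlib, so a macro that expands to a non-integer in an <integer> field fails at that point instead of on the device. The macro names, the values, and the Cellular payload itself are constructed for the example.

```python
import plistlib
import re
from typing import Any, Dict

# The macro syntax the console accepts. The names after the dot are whatever
# your deployment defines; the ones below are placeholders for this example.
MACRO = re.compile(r"\$\{(device|setting)\.([A-Za-z0-9_]+)\}")

# Constructed Cellular payload (PayloadType com.apple.cellular) whose APN proxy
# port, an integer field, holds a macro. Not a real customer profile.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>com.apple.cellular</string>
  <key>PayloadIdentifier</key><string>com.example.cellular</string>
  <key>PayloadUUID</key><string>6C2B8F1E-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>APNs</key>
  <array>
    <dict>
      <key>Name</key><string>${setting.apnName}</string>
      <key>ProxyServer</key><string>${setting.proxyHost}</string>
      <key>ProxyPort</key><integer>${setting.proxyPort}</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed macro values, keyed by the full macro name.
SAMPLE_CONTEXT: Dict[str, Any] = {
    "setting.apnName": "internet.example",
    "setting.proxyHost": "proxy.example.com",
    "setting.proxyPort": 8080,
}


def expand_macros(xml_text: str, context: Dict[str, Any]) -> str:
    """Replace every macro with str(value) from context; an unknown macro is an error."""
    def repl(match: "re.Match[str]") -> str:
        name = f"{match.group(1)}.{match.group(2)}"
        if name not in context:
            raise KeyError(f"macro {name} has no value")
        return str(context[name])
    return MACRO.sub(repl, xml_text)


def load_profile(xml_text: str, context: Dict[str, Any]) -> Dict[str, Any]:
    """Expand macros, then parse as a plist so type errors surface here, not on the device."""
    return plistlib.loads(expand_macros(xml_text, context).encode("utf-8"))


if __name__ == "__main__":
    profile = load_profile(SAMPLE_PROFILE, SAMPLE_CONTEXT)
    port = profile["APNs"][0]["ProxyPort"]
    print(port, type(port).__name__)
```

Running load_profile with a proxyPort value of "notanumber" raises ValueError from the plist parser, which is the same class of failure the console reported before the fix; catching it at import time is the check to keep.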

When you deploy an App Notification policy for the Messages and Wallet apps to iOS devices, some options don’t work as expected. For example, you can’t disable notifications for the Messages and Wallet apps and you can’t disable sounds for the Messages app. This third-party issue is Apple bug ID 34591546. [CXM-37529]

When using the XenMobile console in Internet Explorer, with the locale set to “English - South Africa” (en-ZA): The Last authenticated date shown on the Manage > Users page is incorrect. [CXM-40028]

Uploading an APK file to the XenMobile console fails with a “500 Internal Server Error”. [CXM-40333]

When you left-click Secure Mail or Secure Web for Android in the Configure > Apps list and then click Show more, the following error may appear: “A configuration error occurred. Please try again”. In the App rating section, the Android tab is blank. [CXM-40334]

Security actions aren’t performed on a node that is already initialized for a given push when the notification is sent from another node. [CXM-40418]

When you download only a new iOS version as an update, the “Schedule OS Update” field is empty in General Settings of Device Details. [CXM-41066]

Known issues in XenMobile Service 10.7.3

For Azure environments only: iOS devices that are offline more than seven days don’t check back with XenMobile Server until the server restarts. [CXM-39540]

For devices running Windows 10 RS3 Version 1709 build 16299.19: XenMobile App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. [CXM-40521]

When you import the Microsoft Office 2016 ADMX file to create XenMobile App Configuration device policy, this error might appear:

“Error while processing admx/office16.admx: cvc-complex-type.3.2.3: Attribute ‘noSort’ is not allowed to appear in element.” To prevent this error, edit the office16.admx file to delete the text string noSort='true'. Rezip the file for upload. [CXM-40750]
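The workaround for CXM-40750, listed as a known issue here and as fixed in XenMobile Service 10.7.4, is a mechanical edit of the uploaded archive. The following added example (not XenMobile code) does it in memory: it strips every noSort='true' or noSort="true" attribute from each .admx entry in the zip, copies .adml and other entries through unchanged, and rebuilds the archive with the same entry names. The ADMX fragment is constructed for the example and only stands in for office16.admx; its policy and element names are invented.

```python
import io
import re
import zipfile

# The attribute the XenMobile ADMX importer rejects, in either quote style.
# The leading whitespace is consumed so the element keeps well-formed spacing.
NOSORT_ATTR = re.compile(r"""\s+noSort=(["'])true\1""")

# Constructed fragment standing in for office16.admx; the policy and element
# names are invented for this example and are not from the Office template.
SAMPLE_ADMX = """<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="L_ExamplePolicy" class="User" key="software\\policies\\example">
      <elements>
        <enum id="L_ExampleEnum" valueName="ExampleValue" noSort='true'>
          <item displayName="$(string.L_One)"><value><decimal value="1"/></value></item>
        </enum>
        <list id="L_ExampleList" key="software\\policies\\example\\list" noSort="true"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""


def strip_nosort(admx_text: str) -> str:
    """Return the ADMX text with every noSort='true' / noSort="true" attribute removed."""
    return NOSORT_ATTR.sub("", admx_text)


def fix_admx_zip(zip_bytes: bytes) -> bytes:
    """Rewrite an upload archive in memory, cleaning each .admx entry.

    Entries that are not .admx files (for example the .adml language files)
    are copied through byte for byte; entry names and order are preserved.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.lower().endswith(".admx"):
                data = strip_nosort(data.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_zip() -> bytes:
    """Constructed upload archive: the sample .admx plus a placeholder .adml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("admx/office16.admx", SAMPLE_ADMX)
        zf.writestr("admx/en-US/office16.adml", "<policyDefinitionResources/>")
    return buf.getvalue()


def zip_entry(zip_bytes: bytes, name: str) -> str:
    """Read one entry of an in-memory archive as text."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name).decode("utf-8")


if __name__ == "__main__":
    fixed = fix_admx_zip(build_sample_zip())
    print("noSort" in zip_entry(fixed, "admx/office16.admx"))
```

Removing only the attribute, rather than the enum or list element that carries it, keeps every policy in the template importable; the attribute affects only the display order of items in the editor, not what gets enforced.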

When you import a Citrix Receiver ADMX file to create XenMobile App Configuration device policy, XenMobile might fail to display an error if you do not specify a required field. Ensure that you specify all required fields before saving the policy. [CXM-40664]

Some large Win32 MSI apps might not install. The log error is similar to the following: Msi Application received: Reporting:AppPush id:AdbeRdr1000_en_US.msi: Command execution failed -2147023277. [CXM-40890]

XenMobile Service 10.7.2

The latest version of XenMobile has these new features and improvements:

FileVault device encryption on enrolled macOS devices

The macOS FileVault Disk Encryption feature protects the system volume by encrypting its contents. With FileVault enabled on a macOS device, a user logs in with their account password each time that the device starts. If the user loses their password, a recovery key enables them to unlock the disk and reset their password.

The XenMobile device policy, FileVault, enables FileVault user setup screens and configures settings such as recovery keys. For more information about FileVault, see the Apple support article, https://support.apple.com/kb/PH25107.

  1. Click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add a New Policy dialog box appears.

  3. Start typing FileVault and then click that name in the search results. The FileVault Policy information page appears.

  4. In the Policy information page, enter the following information:

    • Policy Name: Type a descriptive name for the policy.
    • Description: Optionally, type a description of the policy.
  5. Click Next and then configure the platform settings.

macOS settings

Image of Device Policies configuration screen

  • Prompt for FileVault setup during logout: If ON, prompts the user to enable FileVault during the next N logouts, as specified by the option, Maximum times to skip FileVault setup. If OFF, the FileVault password prompt doesn’t appear.

After you deploy the FileVault policy with this setting on, the following screen appears when a user signs off the device. The screen gives the user the option to enable FileVault before signing off.

Image of FileVault user screen

If the Maximum times to skip FileVault setup value isn’t 0: After you deploy the FileVault policy with this setting off and then the user signs on, the following screen appears.

Image of FileVault user screen

If the Maximum times to skip FileVault setup value is 0 or the user has skipped setup the maximum number of times, the following screen appears.

Image of FileVault user screen

  • Maximum times to skip FileVault setup: The maximum number of times that the user can skip FileVault setup. When the user reaches the maximum, the user must set up FileVault to log in. If 0, the user must enable FileVault during the first login attempt. Default is 0.
  • Recovery key type: A user who forgets their password can type a recovery key to unlock the disk and reset their password. Recovery key options:

    • Personal recovery key: A personal recovery key is unique to a user. During FileVault setup, a user chooses whether to create a recovery key or to allow their iCloud account to unlock their disk. To show the recovery key to the user after FileVault setup completes, enable Show personal recovery key. Showing the key enables the user to record the key for future use. For information about recovery key management, see the Apple support article, https://support.apple.com/en-us/HT204837.

    • Institutional recovery key: You can create an institutional (or master) recovery key and FileVault certificate, which you then use to unlock devices. For information, see the Apple support article, https://support.apple.com/en-us/HT202385. Use XenMobile to deploy the FileVault certificate to devices. For information, see Certificates and authentication.

    • Personal & institutional recovery key: If you enable both types of recovery keys, you need to use the institutional key to unlock a user device only if the user loses their personal recovery key.

  • Show personal recovery key: If ON, shows the personal recovery key to the user after enabling FileVault on the device. Defaults to ON.

Image of FileVault user screen

When you complete the settings, configure deployment rules and choose delivery groups. For more information, see Add a device policy.
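To see what the settings above amount to on the device, here is an added example (not XenMobile’s code) that builds the macOS FileVault configuration payload (PayloadType com.apple.MCX.FileVault2) from the same four choices: prompt at logout, maximum skips, recovery key type, and whether to show the personal key. The mapping from the console settings to Apple’s payload keys is this example’s assumption, not something the page states; the placeholder PayloadIdentifier is likewise made up. The function also enforces the constraint the page implies for the institutional key: it is delivered as a certificate, so the UUID of that deployed certificate payload is required.

```python
import plistlib
import uuid
from typing import Optional

PERSONAL, INSTITUTIONAL, BOTH = "personal", "institutional", "personal_and_institutional"


def filevault_payload(prompt_at_logout: bool = True,
                      max_skips: int = 0,
                      key_type: str = PERSONAL,
                      show_personal_key: bool = True,
                      institutional_cert_uuid: Optional[str] = None) -> dict:
    """Build a com.apple.MCX.FileVault2 payload from the console settings described above.

    max_skips follows DeferForceAtUserLoginMaxBypassAttempts: 0 means the user
    must enable FileVault at the next login, -1 means unlimited skips.
    The institutional key is referenced through the UUID of a separately
    deployed certificate payload, which is why that UUID is required for it.
    (Mapping the console settings to these keys is this example's assumption.)
    """
    if key_type not in (PERSONAL, INSTITUTIONAL, BOTH):
        raise ValueError(f"unknown recovery key type {key_type!r}")
    if max_skips < -1:
        raise ValueError("max_skips must be -1 (unlimited) or 0 or more")
    uses_personal = key_type in (PERSONAL, BOTH)
    uses_institutional = key_type in (INSTITUTIONAL, BOTH)
    if uses_institutional and not institutional_cert_uuid:
        raise ValueError("institutional key type needs the UUID of the deployed FileVault certificate payload")

    payload = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadIdentifier": "com.example.filevault",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Enable": "On",
        "Defer": True,  # enable at user login/logout rather than immediately
        "DeferForceAtUserLoginMaxBypassAttempts": max_skips,
        "DeferDontAskAtUserLogout": not prompt_at_logout,
        "UseRecoveryKey": uses_personal,
        # Showing the key only makes sense when a personal key exists.
        "ShowRecoveryKey": show_personal_key and uses_personal,
    }
    if uses_institutional:
        payload["PayloadCertificateUUID"] = institutional_cert_uuid
    return payload


def to_plist(payload: dict) -> bytes:
    """Serialize the payload as XML plist bytes, as it would appear inside a profile."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    print(to_plist(filevault_payload(prompt_at_logout=True, max_skips=3)).decode())
```

Note that the console’s Prompt for FileVault setup during logout is the inverse of Apple’s DeferDontAskAtUserLogout, which is the kind of double negative worth checking in a generated profile before it reaches a delivery group.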

Support for the new Cisco AnyConnect VPN client for iOS

Cisco is phasing out the Cisco AnyConnect client that was based on a now deprecated VPN framework. Cisco renamed that client to Cisco Legacy AnyConnect. The bundle ID is unchanged, com.cisco.anyconnect.gui.

Cisco has a new client named Cisco AnyConnect. The new client provides a more reliable connection to internal resources and support for UDP and TCP applications with per-app VPN. The bundle ID for the new client is com.cisco.anyconnect. Cisco supports the new client for iOS 10 (minimum version).

  • To continue using the Legacy AnyConnect client: If you still use the legacy client, you don’t need to change your existing VPN device policy for iOS. The policy will continue to work until Cisco phases out support for the legacy client. As of this release, the Connection type option Cisco AnyConnect is renamed to Cisco Legacy AnyConnect in the XenMobile Server console.
  • To use the new Cisco AnyConnect client: The new Cisco AnyConnect client doesn’t detect a XenMobile VPN device policy created with the Connection type option Cisco AnyConnect.

To use the new Cisco AnyConnect client, configure XenMobile Server, as follows.

  1. Go to Configure > Device Policies and add a VPN policy for iOS.

  2. On the VPN Policy platform page, configure the settings. The settings listed here are required for Cisco AnyConnect.

    • Connection name: Cisco AnyConnect
    • Connection type: Custom SSL
    • Custom SSL identifier (reverse DNS format): com.cisco.anyconnect
    • Provider bundle identifier: com.cisco.anyconnect
    • Provider type: Packet tunnel

    Other settings such as Authentication type for the connection and Enable per-app VPN, depend on your use case. For information, see “Configure Custom SSL protocol” under Configure iOS settings.

    Image of Device Policies configuration screen

  3. Configure deployment rules and choose delivery groups for the VPN device policy. Deploy that policy to iOS devices.

  4. Upload the Cisco AnyConnect client from https://itunes.apple.com/us/app/cisco-anyconnect/id1135064690?mt=8, add the app to XenMobile Server, and then deploy the app to iOS devices.

  5. Remove the old VPN device policy from iOS devices.

For more information, see the XenMobile support article https://support.citrix.com/article/CTX227708.
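The settings in step 2 correspond to keys in Apple’s com.apple.vpn.managed payload, and a profile that still carries the legacy connection type is exactly what the new client ignores. The following added example (not XenMobile code, and not Cisco’s) audits the VPN payloads in an exported profile and reports, for each one, whether it names the new client with the packet-tunnel provider the page requires and which keys are missing or wrong. The mapping of the console fields to payload keys is this example’s assumption; the two-payload sample profile is constructed, and its first payload simply uses a VPNSubType other than com.cisco.anyconnect to stand in for a policy created with the old connection type.

```python
import plistlib
from typing import Dict, List

NEW_ANYCONNECT = "com.cisco.anyconnect"

# Values the page requires for the new client, expressed as the keys a
# com.apple.vpn.managed payload carries for a Custom SSL (network extension)
# VPN. Mapping the console fields onto these keys is this example's assumption.
REQUIRED = {
    "VPNType": "VPN",
    "VPNSubType": NEW_ANYCONNECT,
    "ProviderBundleIdentifier": NEW_ANYCONNECT,
    "ProviderType": "packet-tunnel",
}

# Constructed profile with two VPN payloads: one that does not name the new
# client at all, and one that targets it but lacks ProviderBundleIdentifier.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-00000000000A</string>
      <key>UserDefinedName</key><string>Corp VPN (old policy)</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.cisco.anyconnect.gui</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-00000000000B</string>
      <key>UserDefinedName</key><string>Cisco AnyConnect</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.cisco.anyconnect</string>
      <key>ProviderType</key><string>packet-tunnel</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-00000000000C</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_vpn_payloads(profile_bytes: bytes) -> List[Dict[str, object]]:
    """Report, per VPN payload, whether the new client will pick it up and what is off.

    Non-VPN payloads are skipped. A payload passes only when every required key
    is present with the required value; the report lists the keys that are not.
    """
    profile = plistlib.loads(profile_bytes)
    report: List[Dict[str, object]] = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        wrong = [key for key, value in REQUIRED.items() if payload.get(key) != value]
        report.append({
            "name": payload.get("UserDefinedName", "<unnamed>"),
            "uuid": payload.get("PayloadUUID"),
            "new_client": not wrong,
            "missing_or_wrong": wrong,
        })
    return report


if __name__ == "__main__":
    for entry in audit_vpn_payloads(SAMPLE_PROFILE):
        print(entry)
```

Run against a profile exported from a test device after step 5, the report should contain exactly one VPN payload and it should pass; any entry flagged with VPNSubType in missing_or_wrong is an old policy that still needs removing.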

Control OS updates for Windows Desktop and Tablet

You can now use the Control OS Update device policy to deploy OS updates to managed Windows 10 Desktop and Tablet devices.

Image of Device Policies configuration screen

Configure these Windows Desktop/Tablet settings:

  • Select active hours mode: Select a mode to configure the active hours for performing OS updates by a range of hours or a start and end time. After you select a mode, more settings appear: Specify max range for active hours or Active hours start and Active hours end. Not configured allows Windows to perform OS updates at any time. Defaults to Not configured.
  • Auto update behavior: Configures the download, install, and restart behavior of the Windows update service on user devices. Defaults to Auto install and restart.
    • Notify user before downloading the update: Windows notifies users when updates are available. Windows doesn’t automatically download and install updates. Users must initiate the download and install actions.
    • Auto install and notify to schedule device restart: Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs the updates immediately. If the installation requires a restart, Windows prompts the user to schedule the restart time. The user has up to seven days to schedule the restart. After seven days, Windows forces the device to restart. Enabling the user to control the start time reduces the risk of accidental data loss caused by apps that don’t shut down properly on restart.
    • Auto install and restart: Default setting. Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs the updates immediately. If the installation requires a restart, Windows automatically restarts the device when the device is inactive.
    • Auto install and restart at a specified time: When you choose this option, more settings appear so you can specify the day and time. The default is 3 a.m. daily. Automatic installation happens at the specified time and device restart occurs after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
    • Auto install and restart without end-user control: Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs updates immediately. If the installation requires a restart, Windows automatically restarts the device when the device is inactive. This option also sets the user control panel to read-only.
    • Turn off automatic updates: Disables Windows automatic updates on the device.
  • Scan for app updates from Microsoft update: Specifies whether Windows accepts updates for other Microsoft apps from the Microsoft update service. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can accept or reject updates for other Microsoft apps.
    • Yes: Windows allows app updates to be installed from the Windows update service. The related setting on the user device is inactive, so the user can’t modify the setting.
    • No: Windows doesn’t allow app updates to be installed from the Windows update service. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Specify updates branch: Specifies which Windows update service branch to use for updates. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose a Windows update service branch.
    • Current Branch: Windows receives updates from Current Branch. The related setting on the user device is inactive, so the user can’t modify the setting.
    • Current Branch for Business: Windows receives updates from Current Branch for Business. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Configure number of days to defer feature updates: If On, Windows defers feature updates by the specified number of days and the user can’t change the setting. If Off, the user can change the number of days to defer feature updates. Defaults to Off.
  • Configure number of days to defer quality updates: If On, Windows defers quality updates by the specified number of days and the user can’t change the setting. If Off, the user can change the number of days to defer quality updates. Defaults to Off.
  • Pause quality updates: Specifies whether to pause quality updates for 35 days. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose to pause quality updates for 35 days.
    • Yes: Windows pauses the installation of quality updates from the Windows Update Service for 35 days. The related setting on the user device is inactive, so the user can’t modify the setting.
    • No: Windows doesn’t pause the installation of quality updates from the Windows Update Service. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Allow updates only in approval list: Specifies whether to install only the updates that an MDM server approves. XenMobile Server currently doesn’t support configuring an approved list of updates. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose which updates to allow.
    • Yes, install only approved updates: Allows installation of approved updates only.
    • No, install all applicable updates: Allows installation of any applicable updates on the device.
  • Use internal update server: Specifies whether to obtain updates from the Windows update service or an internal update server through Windows Server Update Services (WSUS). If Off, devices use the Windows update service. If On, devices connect to the specified WSUS server for updates. Defaults to Off.
    • Accept updates signed by entities other than Microsoft: Specifies whether to accept updates signed by third-party entities other than Microsoft. This feature requires that the device trusts the third-party vendor certificate. Because it extends the set of publishers whose updates the device will install, enable it only for an internal WSUS server that serves updates from publishers whose signing certificates you have deliberately deployed. Defaults to Off.
    • Allow connection to Microsoft update service: Allows Windows update on device to connect periodically to the Microsoft update service, even if the device is configured to get updates from a WSUS server. Defaults to On.
    • WSUS server: Specify the server URL for the WSUS server.
    • Alternate intranet server to host updates: Specify an alternate intranet server URL to host updates and receive reporting information.

Install offline maps on supervised Windows 10 phone devices

Windows 10 phone devices support offline maps. Use the Maps device policy to specify which maps to download to devices. The Microsoft Maps configuration service provider (CSP) currently supports maps of Germany, the United Kingdom, and the United States.

Image of Device Policies configuration screen

Other improvements in XenMobile Service 10.7.2

  • When performing a full wipe of an iOS 11 device that has a cellular data plan, you can choose to preserve the data plan.

    Image of Security Actions screen

  • XenMobile now displays a License Expiration Warning when Apple VPP or DEP tokens are nearing expiration or have expired.

    Image of License Expiration screen

    Image of License Expiration screen

  • Locale-based date and time formats. The date and time that appears on the Manage > Devices and Manage > Users pages are now formatted according to locale. For example, 6 PM on October 15, 2017, is shown as follows:


  U.S. (en-US): 10/15/17 06:00:00 pm
  U.K. (en-GB): 15/10/17 18:00:00
  South Africa (en-ZA): 2017/10/15 06:00:00 pm

Image of Devices configuration screen

Fixed issues in XenMobile Service 10.7.2

On the Manage > Devices > Properties page: The Passcode compliant property is set to Yes for Samsung devices that don’t meet the Passcode policy requirements. [CXM-37948]

In Configure > Device Policies > App Lock Policy: After you type the policy name and go to the iOS page, bundle IDs don’t appear in the App bundle ID menu. After you toggle between Android and iOS, the app bundle IDs appear. [CXM-39302]

When you import a renewed SSL Listener certificate into XenMobile, the “Could not import the certificate” message appears. After you restart XenMobile Server, the Certificates page and the XenMobile database continue to reference the old certificate. However, the new certificate is shown in a web browser. [CXM-39409]

If an action marks enrolled devices as Out of Compliance when they don’t have Secure Hub installed: Devices with Secure Hub are also marked as Out of Compliance. This fix applies to actions that have the following pattern. Trigger: If Installed app name Is Not / Does Not contain <App Name>. Action: Perform <Action> after a delay of <5 to 10> minutes. [CXM-39410]

Known issues in XenMobile Service 10.7.2

When you deploy an App Notification policy for the Messages and Wallet apps to iOS devices, some options don’t work as expected. For example, you can’t disable notifications for the Messages and Wallet apps and you can’t disable sounds for the Messages app. This third-party issue is Apple bug ID 34591546. [CXM-37529]

When using the XenMobile console in Internet Explorer, with the locale set to “English - South Africa” (en-ZA): The Last authenticated date shown on the Manage > Users page is incorrect. [CXM-40028]

XenMobile Service 10.7.1

The latest version of XenMobile has these new features and improvements:

New restrictions for supervised devices running iOS

The following restrictions are now available for iOS devices running in supervised mode. The minimum version supported for each restriction is noted.

  • Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can’t use the Classroom app to observe student screens remotely. The default setting is selected: an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without prompting determines whether students receive a prompt to give the instructor permission. For supervised devices running iOS 9.3 (minimum version).

  • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).

  • Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).

  • Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).

  • Allow AirPrint: If this restriction is set to Off, users can’t print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).

  • Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren’t stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).

  • Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. Disabling discovery prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).

  • Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).

  • Adding VPN configurations: If this restriction is set to Off, users can’t create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).

  • Modifying cellular plan settings: If this restriction is set to Off, users can’t modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).

  • Removing system apps: If this restriction is set to Off, users can’t remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).

  • Setting up new nearby devices: If this restriction is set to Off, users can’t set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).

To configure those restrictions, go to Configure > Device Policies. For more information on setting restrictions, see Restrictions device policy.

Image of Device Policies configuration screen

Support for Samsung Enterprise Firmware-Over-The-Air

Samsung Enterprise FOTA (E-FOTA) lets you determine when devices get updated and the firmware version to use. E-FOTA enables you to test updates before deploying them, to ensure that the updates are compatible with your apps. You can force devices to update with the latest firmware version available, without requiring user interaction.

Samsung supports E-FOTA for Samsung KNOX 2.7.1 devices (minimum version) that are running authorized firmware.

To configure an E-FOTA policy:

  1. Create a Samsung MDM license key policy with the keys and license information you received from Samsung. XenMobile Server then validates and registers the information.

    Image of Device Policies configuration screen

    • ELM License key: This field contains the macro that generates the ELM license key. If the field is blank, type the macro ${elm.license.key}.

    • Type the following information provided by Samsung when you purchased an E-FOTA package: Enterprise FOTA Customer ID, Enterprise FOTA license, Client ID, and Client Secret.

  2. Create a Control OS Update policy.

    Image of Device Policies configuration screen

    Configure these settings:

    • Enable Enterprise FOTA: Set to On.
    • Enterprise FOTA License Key: Select the Samsung MDM License Key policy name that you created in Step 1.

  3. Deploy the Control OS Update policy to Secure Hub.

Other improvements in XenMobile Service 10.7.1

  • New iOS Setup Assistant Option: New feature highlights. The iOS Setup Assistant item, New feature highlights, sets up these onboarding informational screens: Access the Dock from Anywhere and Switch Between Recent Apps. You can choose whether to omit those onboarding screens from iOS Setup Assistant steps when users start their devices the first time.

New feature highlights is available for iOS 11.0 (minimum version). The default for all items is unselected.

Image of Apple DEP settings screen

  • The XenMobile console interface for macOS VPP apps changed as follows:
    • In Configure > Apps, you can filter apps by macOS VPP. Portions of the interface that don’t apply to a macOS VPP app are now omitted. For example, the Store Configuration section doesn’t appear because there is no Secure Hub for macOS. The VPP keys import option no longer appears.
    • In Manage > Devices, the User Properties include Retire VPP account.
  • Control OS Update device policy for macOS. You can now use the Control OS Update policy to deploy OS updates to macOS devices that are supervised or that are deployed through Apple DEP.

Image of Device Policies configuration screen

  • Option to allow multiple users to use a Samsung SAFE device. The Restrictions device policy now includes the hardware control option, Allow multiple users. This option, for MDM 4.0 and later, defaults to OFF.
  • The Manage > Devices page now includes these additional device properties reported by Android devices:

    • Carrier Code (reported only by devices running Samsung MDM 5.7 or higher)
    • Model Number (reported only by devices running Samsung MDM version 2.0 or higher)
  • Restrictions device policy now includes a policy to disable the camera on Android devices. To configure the policy, go to Configure > Device Policies, click Add, and click Restrictions. By default, camera use is enabled. To disable camera use, change the Camera setting to OFF.

This feature requires Secure Hub 10.7.5 (minimum version).

Image of Device Policies configuration screen

  • When creating an action based on device properties with a value type of integer: You now can choose between Greater or Equal and Lesser or Equal, in addition to the existing condition, Is. The device property values that have new conditions include: Available and total RAM, available and total storage space, screen dimensions, and screen resolution. Use the Configure > Actions page to create actions.
  • Login/Logout Public API update. Citrix Cloud users can now log in to XenMobile Public API for REST Services by using a token retrieved through the Citrix Cloud API. For more information, see section 3.3.2, Login (Cloud Credentials), in the XenMobile Public API for REST Services PDF.

Fixed issues in XenMobile Service 10.7.1

The Lock security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-35731]

If you send the Enable Lost Mode security action to a supervised iOS device without Secure Hub, the Locate button doesn’t appear on the device. [CXM-36106]

On the Manage > Devices > Apps page, the inventory shows an incorrect version number for Boeing Toolbox Mobile Library. [CXM-37514]

iOS users can’t update Citrix Receiver to version 7.2.3. When they click Check for Update, the message “The app is up to date with the latest version” appears even when they have an older version. [CXM-38114]

If an RBAC role doesn’t have access to the App Wipe and App Lock actions: A user with that role and logged into the Self Help Portal can perform the App Wipe and App Lock actions. [CXM-38348]

Local and Active Directory users with the RBAC permission “ADD/EDIT/DELETE local users and groups” can also delete admin accounts. When those users are logged in to the XenMobile Console, the Manage > Users page includes Edit and Delete buttons for admin accounts. [CXM-38350]

A scheduled database cleanup fails due to many transaction logs exceeding disk space limits. [CXM-38439]

If the trigger for an automated action is based on a null value for a device property, the action is performed for that device. For example, if an action is set to wipe a device if the platform is not iOS, the action wipes iOS devices. [CXM-38470]

For administrators who have only the PKI Entities and Credential Providers roles in RBAC: The administrator gets logged out of the XenMobile console while adding a PKI Entity or Credential Provider. To work around this issue, add the Certificates permission to the RBAC role of the administrator. [CXM-38713]

XenMobile Service 10.7.0

Important: After an upgrade to XenMobile 10.7:

If functionality involving outgoing connections stops working, and you haven’t changed your connection configuration, check the XenMobile Server log for errors such as the following: “Unable to connect to the VPP Server: Host name ‘192.0.2.0’ does not match the certificate subject provided by the peer.”

If you receive the certificate validation error, disable hostname verification on XenMobile Server. By default, hostname verification is enabled on outgoing connections except for the Microsoft PKI server. If hostname verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.

The latest version of XenMobile has these new features and improvements:

More macros for enrollment templates

You can use these new macros when creating enrollment templates for device enrollment invitations:
${enrollment.urls}
${enrollment.ios.url}
${enrollment.macos.url}
${enrollment.android.url}
${enrollment.ios.platform}
${enrollment.macos.platform}
${enrollment.android.platform}
${enrollment.agent}

These macros allow you to create enrollment templates that contain enrollment URLs for multiple device platforms.

This example shows how to create a notification that includes enrollment URLs for multiple device platforms. The macro for the Message is:

${enrollment.urls}

Image of Notification Template settings screen

These examples show how to create messages for notifications that prompt the users to click the enrollment URL for their device platforms:

Example 1:
To enroll, click the link below that applies to your device platform:

${enrollment.ios.platform} - ${enrollment.ios.url}

${enrollment.macos.platform} - ${enrollment.macos.url}

${enrollment.android.platform} - ${enrollment.android.url}

Example 2:
To enroll an iOS device, click the link ${enrollment.ios.url}.

To enroll a macOS device, click the link ${enrollment.macos.url}.

To enroll an Android device, click the link ${enrollment.android.url}.

Public REST API changes

When using the XenMobile Public REST API to create enrollment invitations, you can now:

  • Specify a custom PIN. If the enrollment mode requires a PIN, you can use a custom PIN instead of the one randomly generated by the XenMobile Server. The PIN length must match the setting configured for the enrollment mode. The PIN length defaults to 8. For example, a request might include: "pin": "12345678"
  • Select multiple platforms. Previously, you could use the REST API to specify only one platform for an enrollment invitation. The "platform" field is deprecated and replaced with "platforms". For example, a request might include: "platforms": ["iOS", "MACOSX"]

For the complete current set of available APIs, download the XenMobile Public API for REST Services PDF.
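The following is an added example, not Citrix code and not the XenMobile REST client: it assembles the invitation-specific fields of a request body using the "pin" and "platforms" fields described above, migrates the deprecated "platform" field, and enforces the configured PIN length. The "ANDROID" platform label, the numeric PIN format and the helper names are assumptions; the endpoint and the remaining request fields are documented only in the Public API PDF.

```python
import secrets

# Added example; not Citrix code. Only "pin", "platforms" and the deprecated
# "platform" field come from the page. "ANDROID" as a platform label and a
# digits-only PIN are assumptions.
VALID_PLATFORMS = {"iOS", "MACOSX", "ANDROID"}


def generate_pin(length: int = 8) -> str:
    """Return a random numeric PIN of the length configured for the
    enrollment mode (default 8). Uses secrets, not random, so a custom
    PIN is no easier to guess than the server-generated one."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def invitation_fields(platforms, pin=None, configured_pin_length=8,
                      legacy_platform=None) -> dict:
    """Build the invitation-specific part of the request body.

    - Maps the deprecated single "platform" value into the "platforms" list.
    - Rejects a custom PIN whose length differs from the enrollment mode
      setting, which the server would also reject.
    - Generates a PIN when none is supplied.
    """
    platforms = list(platforms)
    if legacy_platform is not None and legacy_platform not in platforms:
        platforms.append(legacy_platform)  # migrate the deprecated field
    if not platforms:
        raise ValueError("at least one platform is required")
    unknown = sorted(set(platforms) - VALID_PLATFORMS)
    if unknown:
        raise ValueError(f"unknown platform label(s): {unknown}")
    if pin is None:
        pin = generate_pin(configured_pin_length)
    if not (pin.isdigit() and len(pin) == configured_pin_length):
        raise ValueError(f"pin must be exactly {configured_pin_length} digits")
    return {"pin": pin, "platforms": platforms}


if __name__ == "__main__":
    # Constructed sample: the two-platform request from the text.
    print(invitation_fields(["iOS", "MACOSX"], pin="12345678"))
```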

Fixed issues in XenMobile Service 10.7.0

If a VPN Connection name has a space, or other non-alphanumeric characters, XenMobile doesn’t deploy the policy to devices. [CXM-32538]

The XenMobile REST API doesn’t allow you to select multiple platforms when creating an enrollment invitation. [CXM-35853]

The Full Wipe security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-36397]

The enrollment URL link in an enrollment invitation might fail to resolve to the enrollment URL. [CXM-37513]

  • To prevent this issue, ensure that the template you choose contains macros compatible with the platforms you selected when creating the enrollment invitation. Use these new macros when creating enrollment URL templates:

  ${enrollment.urls}
  ${enrollment.ios.url}
  ${enrollment.macos.url}
  ${enrollment.android.url}
  ${enrollment.ios.platform}
  ${enrollment.macos.platform}
  ${enrollment.android.platform}
  ${enrollment.agent}

  • The older ${enrollment.url} still works for enrollment invitations that have only one platform selected.
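The following is an added example, not Citrix code: it expands the ${enrollment.*} macros described in the More macros for enrollment templates section and implements the CXM-37513 workaround, checking a template against the platforms selected for an invitation before the invitation is sent. The one-line-per-platform format produced by ${enrollment.urls}, the "ANDROID" platform label and the sample URLs are assumptions.

```python
import re

# Added example; not Citrix code. How a real server formats ${enrollment.urls}
# and the "ANDROID" label are assumptions.
MACRO_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")
# REST API platform label -> segment used in the macro names above
PLATFORM_SEGMENT = {"iOS": "ios", "MACOSX": "macos", "ANDROID": "android"}

# Constructed sample values; a real server supplies these itself.
SAMPLE_VALUES = {
    "enrollment.ios.platform": "iOS",
    "enrollment.ios.url": "https://xm.example.com/enroll/ios/ABC123",
    "enrollment.macos.platform": "macOS",
    "enrollment.macos.url": "https://xm.example.com/enroll/macos/ABC123",
    "enrollment.android.platform": "Android",
    "enrollment.android.url": "https://xm.example.com/enroll/android/ABC123",
}


def expand_template(template: str, values: dict, platforms) -> str:
    """Substitute macros. Unknown macros are left in place rather than
    dropped, so a broken template is visible in the rendered message."""
    def expand(match):
        name = match.group(1)
        if name == "enrollment.urls":  # composite macro: one line per platform
            lines = []
            for p in platforms:
                seg = PLATFORM_SEGMENT[p]
                lines.append(values["enrollment." + seg + ".platform"] + " - "
                             + values["enrollment." + seg + ".url"])
            return "\n".join(lines)
        return values.get(name, match.group(0))
    return MACRO_RE.sub(expand, template)


def missing_platforms(template: str, platforms) -> list:
    """Return the selected platforms for which the template yields no
    enrollment URL (the condition behind CXM-37513)."""
    macros = set(MACRO_RE.findall(template))
    if "enrollment.urls" in macros:
        return []  # covers every platform
    if "enrollment.url" in macros and len(platforms) == 1:
        return []  # the older macro still works for a single platform
    return [p for p in platforms
            if "enrollment." + PLATFORM_SEGMENT[p] + ".url" not in macros]
```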

After you use the XenMobile CLI to edit the proxy exclusion list and then restart the server, the list appears truncated in the CLI. This issue only affects the display of the list. [CXM-37812]

When you submit a macro on the Troubleshooting and Support > Macros page, the “Failed to get macro information” message appears. [CXM-37940]

Known issues in XenMobile Service 10.7.0

When you submit a macro on the Troubleshooting and Support > Macros page, the “Failed to get macro information” message appears. [CXM-37940]