What's new

Nov 21, 2017

A goal of Citrix is to deliver new features and product updates to XenMobile Service customers when they are available. New releases provide more value, so there's no reason to delay updates. Rolling updates to the XenMobile Service are released approximately every three weeks. This release cadence began in August 2016.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

If you are a XenMobile Service customer, you also receive XenMobile Service updates and communications directly from the XenMobile Cloud Ops Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the service level goal for the XenMobile Service for cloud scale and service availability, see Service Level Goal. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

XenMobile Server documentation: The XenMobile Server documentation covers the latest on-premises release of XenMobile Server. For details about using the XenMobile console, see the articles under XenMobile Server. Citrix notifies you when the What’s new articles for XenMobile Service are updated for a new release.

XenMobile Service 10.7.3

The latest version of XenMobile has these new features and improvements:

  • Deploy Win32 apps to managed Windows 10 Desktop and Tablet devices
  • Support for ADMX files for Windows 10 Desktop and Tablet devices
  • Other improvements
  • Fixed issues in this release

Deploy Win32 apps to managed Windows 10 Desktop and Tablet devices

You can now upload MSI files for Win32 apps to the XenMobile console for deployment to managed Windows 10 Desktop and Tablet devices. After you use XenMobile to deploy an MSI, the Windows device then installs the app as follows:

  • If the upgraded app removes the old version during installation, then the device includes only the upgraded app.
  • If the upgraded app can't remove the old version, but the new version can install, then the device includes both versions of the app. XenMobile Server no longer contains the information for the old version.
  • If the upgraded app can't install when an old version exists, the new app doesn't install. In that case, first deploy the App Uninstall device policy to remove the old version. Then, deploy the new version.

Requirements

  • Windows 10, version 1607 (minimum version)
  • Windows 10 Professional or Windows 10 Enterprise
  • Standalone Win32 MSI apps installed with the /quiet option. For this deployment use case, Microsoft doesn’t support MSIs containing multiple apps, nested MSIs, or interactive installation.

Look up MSI metadata

When you add a Win32 app to XenMobile, specify the metadata for the app. To look up the metadata, use the Orca application on a Windows computer and make note of the following information:

  • Product code
  • Product name
  • Product version
  • Package install type, either per user or per machine
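
If Orca isn't installed, the same four values can be read from the MSI's Property table through the Windows Installer COM automation interface. The following script is an added example, not part of the Citrix documentation; the function name Get-MsiDeploymentMetadata is hypothetical, and the install-context mapping follows the Windows Installer ALLUSERS convention.

```powershell
# Added example: read the metadata XenMobile asks for straight from an MSI.
# Run on a Windows computer against the MSI you plan to upload.
function Get-MsiDeploymentMetadata {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path
    )

    $fullPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $invoke    = [System.Reflection.BindingFlags]::InvokeMethod
    $getProp   = [System.Reflection.BindingFlags]::GetProperty
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $null
    $view = $null
    $props = @{}

    try {
        # Open mode 0 = read-only, so the package is never modified.
        $db   = $installer.GetType().InvokeMember('OpenDatabase', $invoke, $null, $installer, @($fullPath, 0))
        $view = $db.GetType().InvokeMember('OpenView', $invoke, $null, $db,
                    @('SELECT `Property`, `Value` FROM `Property`'))
        $null = $view.GetType().InvokeMember('Execute', $invoke, $null, $view, $null)

        # Fetch returns $null once every row of the Property table has been read.
        while ($true) {
            $record = $view.GetType().InvokeMember('Fetch', $invoke, $null, $view, $null)
            if ($null -eq $record) { break }
            $name  = $record.GetType().InvokeMember('StringData', $getProp, $null, $record, @(1))
            $value = $record.GetType().InvokeMember('StringData', $getProp, $null, $record, @(2))
            $props[$name] = $value
        }
    }
    finally {
        if ($view) { $null = $view.GetType().InvokeMember('Close', $invoke, $null, $view, $null) }
        foreach ($o in $view, $db, $installer) {
            if ($o) { $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
        }
    }

    # The console expects the product code in UUID format; flag anything else.
    if ($props['ProductCode'] -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        Write-Warning "ProductCode '$($props['ProductCode'])' is not a braced GUID; check the package."
    }

    # ALLUSERS sets the default install context:
    #   1 -> per machine; unset or empty -> per user;
    #   2 -> per user only when MSIINSTALLPERUSER=1, otherwise decided at install time.
    $allUsers = [string]$props['ALLUSERS']
    if     ($allUsers -eq '1') { $context = 'Per machine' }
    elseif ($allUsers -eq '2' -and $props['MSIINSTALLPERUSER'] -eq '1') { $context = 'Per user' }
    elseif ($allUsers -eq '2') { $context = 'Decided at install time (ALLUSERS=2); confirm with a test install' }
    else   { $context = 'Per user' }

    [pscustomobject]@{
        ProductCode    = $props['ProductCode']
        ProductName    = $props['ProductName']
        ProductVersion = $props['ProductVersion']
        InstallContext = $context
    }
}

# Usage (the path is a constructed placeholder):
# Get-MsiDeploymentMetadata -Path 'C:\Packages\example.msi' | Format-List
```

A command-line property such as ALLUSERS passed to MSIEXEC.exe overrides the value stored in the package, so compare the reported context with the Command Line setting you configure for the app.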

Add a Win32 app to XenMobile

Go to Configure > Apps, click Enterprise, and type a name for the app in the App Information page.

Clear all Platform check boxes except for Windows Desktop/Tablet.

On the Windows Desktop/Tablet Enterprise App page, click Upload and navigate to the MSI.

Configure these settings:

  • App name: The name of the app, from the app metadata.
  • Description: A description for the app.
  • App version: The app version number, from the app metadata.
  • Minimum OS version: Optional. The oldest operating system version that the device can run to use the app.
  • Maximum OS version: Optional. The most recent operating system that the device must run to use the app.
  • Excluded devices: Optional. The manufacturer or models of devices that cannot run the app.
  • Product Code: The MSI app product code, in UUID format, from the app metadata.
  • Installation Context: Based on the app metadata, select whether the app is to install for the device or user.
  • Command Line: The command-line options to use when calling MSIEXEC.exe.
  • Retry Count: The number of times you can retry a download and installation operation before marking the installation as failed.
  • Time Out: The number of minutes that the installation process runs before the installer interprets the installation as failed and no longer monitors the process.
  • Retry Interval: The number of minutes between retry operations.

Specify deployment rules and store configuration as needed.

Click Next until you get to the Summary page and then click Save.

Go to Configure > Delivery Groups and add the Win32 app as a required app.

After you deploy the app, let your users know that the app is available.

Upgrade a Win32 app

  1. Look up the metadata for the app, as described earlier in "Look up MSI metadata."
  2. Go to Configure > Apps to upload the new version of the app. Update the App version. If the new version of the app has a different Product Code, update that setting.
  3. Submit the changes and deploy the app.

Support for ADMX files for Windows 10 Desktop and Tablet devices

You can now import Microsoft Administrative Template (ADMX) policy settings when configuring policies for Windows 10 tablets and desktops. Use the XenMobile App Configuration device policy to import an ADMX file and configure settings.

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.
  2. Click Add. The Add a New Policy page appears.
  3. Under Apps, click App Configuration. The App Configuration Policy information page appears.
  4. In the Policy Information pane, enter the following information:
    • Policy Name: Type a descriptive name for the policy.
    • Description: Optionally, type a description of the policy.
  5. Clear all Platform check boxes except for Windows Desktop/Tablet and then click Next.
  6. In Application Type, select Win32 App.
  7. In ADMX file, import the ADMX file you want to use to configure the policy.
  8. Click Add to add the configuration. Configuration options from the ADMX file appear on the right side of the page.
  9. Choose a policy path.
  10. Set Enable to On.
  11. Set any other options required for the app:
    • Input list element values as key-value pairs. Use the text string “&#xF000” to separate each key-value pair and the value and key within the pair.
    • Values requiring a decimal value may require values within a specific range.
  12. To add another configuration to this policy, click Add and choose a different policy path. Repeat steps 10 and 11.
     Note: If you choose the same policy path more than once, the configuration associated with the most recently chosen version is enforced.
  13. Click Next.
  14. Configure deployment rules and select delivery groups.

Other improvements

  • Force a sync with your VPP account. XenMobile periodically reimports VPP licenses from Apple to ensure that the licenses reflect all changes. You can now also force a sync. The Settings > iOS Settings page includes a Force synchronization button.

After you click to confirm the action, XenMobile imports the VPP information. The import might take several minutes, depending on the number of VPP licenses. After the sync completes, XenMobile refreshes the iOS Settings page and updates the sync date and time in the new Last Sync Date column.

  • Support for Windows 10 RS3. We certified XenMobile 10.7 with Windows 10 RS3 Phone and Tablet.
  • Macros allowed for non-string fields in Cellular device policies for iOS. XenMobile now allows you to use macros for the values of non-string fields, such as Proxy server port, in the iOS cellular policy.

For example, you can now use a macro such as "${device.xyz}" or "${setting.xyz}", which expands into an integer. You can also use the macros in a device configuration XML file that you import into XenMobile by using the Import iOS & macOS Profile device policy.

  • Disable apps on Samsung SAFE devices. You can use the Restrictions device policy to block a list of installed apps from running on Samsung SAFE devices. By default, the new Disable Applications setting is Off, which means apps are enabled. To disable an installed app, change the setting to On, click Add in the Application List table, and then type the app package name.

Changing and deploying an app list overwrites the prior app list. For example: If you disable com.example1 and com.example2, and then later change the list to com.example1 and com.example3, XenMobile enables com.example2.

  • More status information for the Control OS Update device policy for macOS. The Manage > Devices > Device details page now shows the status of scheduled OS update scans, available OS updates, and scheduled macOS and app updates. The status provided includes:
    • Schedule OS Update Scan Sent
    • Schedule OS Update Scan Acknowledged
    • Get Available OS Update Sent
    • Get Available OS Update Acknowledged
    • Install OS Update Sent
    • Install OS Update Acknowledged
  • New server properties to specify the number of days after which an offline iOS or macOS device is considered unreachable. When an iOS or macOS device reaches the limit specified by the following server properties, it stops checking back with XenMobile Server. Both properties default to 45 days.
    • ios.delayBeforeDeclareUnreachable
    • macos.delayBeforeDeclareUnreachable
  • Changes to the following server properties no longer require that you restart XenMobile Server:
    • Add Device Always (secure.device.add.device.always)
    • Auto Logout (secure.device.auto.logout.after)
    • Background Deployment (scheduling.background.deployment)
    • Background Hardware Inventory (scheduling.background.inventory)
    • Block Enrollment of Rooted Android and Jailbroken iOS Devices (secure.device.forbid.jailbroken.iphones.and.rooted.androids)
    • Certificate Renewal (in Seconds) (secure.device.renew.certificate.before)
    • Default deployment channel (macos.mdm.deployment.deploymentSplitType)
    • Enable Device Triangulation (zdm.device.triangulation.enable)
    • Enforce SSL (secure.device.enforce.ssl)
    • Enrollment Required (wsapi.mdm.required.flag)
    • Full Pull of ActiveSync Allowed and Denied Users (mag.policy.baseline.interval.seconds)
    • Maximum Device IDs (zdm.mag.max.device.ids.asked)
    • Pull of Incremental Change of Allowed and Denied Users (mag.policy.delta.interval.seconds)
    • Secure Authentication (secure.device.enforce.strong.authentication)
    • SOAP Web Services (zdm.ws.soap.otp-service.enabled)
    • Strong 8 Character ID (secure.device.strong.id.short)
    • Strong ID Valid Once (secure.device.strong.id.valid.once)
    • User-Defined Device Properties N
    • Users only from Exchange (userOnlyFromExchange)
    • XenMobile MDM Self Help Portal console max inactive interval (minutes) (zdm.console.max.inactive.interval)

Fixed issues in this release

When configuring the Cellular device policy in the XenMobile console: Using a macro for an integer value results in an error, such as "Enter port integer values from 1 to 65535." When importing a device configuration XML file into XenMobile by using the Import iOS & macOS Profile device policy: Using a macro for an integer results in an error, such as "Parsing error detected; the selected file is an invalid or corrupted iOS configuration file: 'Cannot parse: org.xml.sax.InputSource@69335cc'." [CXM-32005]

When you deploy an App Notification policy for the Messages and Wallet apps to iOS devices, some options don't work as expected. For example, you can't disable notifications for the Messages and Wallet apps and you can't disable sounds for the Messages app. This third-party issue is Apple bug ID 34591546. [CXM-37529]

When using the XenMobile console in Internet Explorer, with the locale set to "English - South Africa" (en-ZA): The Last authenticated date shown on the Manage > Users page is incorrect. [CXM-40028]

Uploading an APK file to the XenMobile console fails with a "500 Internal Server Error". [CXM-40333]

When you left-click Secure Mail or Secure Web for Android in the Configure > Apps list and then click Show more, the following error may appear: "A configuration error occurred. Please try again". In the App rating section, the Android tab is blank. [CXM-40334]

Security actions don't perform on a node that is already initialized for a given push if the notification is sent from another node. [CXM-40418]

When you download only a new iOS version as an update, the "Schedule OS Update" field is empty in General Settings of Device Details. [CXM-41066]

Known issues in this release

For Azure environments only: iOS devices that are offline more than seven days don't check back with XenMobile Server until the server restarts. [CXM-39540]

For devices running Windows 10 RS3 Version 1709 build 16299.19: XenMobile App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. [CXM-40521]

When you import the Microsoft Office 2016 ADMX file to create a XenMobile App Configuration device policy, this error might appear:

"Error while processing admx/office16.admx: cvc-complex-type.3.2.3: Attribute 'noSort' is not allowed to appear in element." To prevent this error, edit the office16.admx file to delete the text string "noSort='true'." Rezip the file for upload. [CXM-40750]

When you import a Citrix Receiver ADMX file to create a XenMobile App Configuration device policy, XenMobile might fail to display an error if you do not specify a required field. Ensure that you specify all required fields before saving the policy. [CXM-40664]

Some large Win32 MSI apps might not install. The log error is similar to the following: Msi Application received : Reporting:AppPush id:AdbeRdr1000_en_US.msi : Command execution failed -2147023277. [CXM-40890]

XenMobile Service 10.7.2

FileVault device encryption on enrolled macOS devices

The macOS FileVault Disk Encryption feature protects the system volume by encrypting its contents. With FileVault enabled on a macOS device, a user logs in with their account password each time that the device starts. If the user loses their password, a recovery key enables them to unlock the disk and reset their password.

The XenMobile device policy, FileVault, enables FileVault user setup screens and configures settings such as recovery keys. For more information about FileVault, see the Apple support article, https://support.apple.com/kb/PH25107.

Click Configure > Device Policies. The Device Policies page appears.

Click Add. The Add a New Policy dialog box appears.

Start typing FileVault and then click that name in the search results. The FileVault Policy information page appears.

In the Policy information page, enter the following information:

  • Policy Name: Type a descriptive name for the policy.
  • Description: Optionally, type a description of the policy.

Click Next and then configure the platform settings.

macOS settings

  • Prompt for FileVault setup during logout: If ON, prompts the user to enable FileVault during the next N logouts, as specified by the option, Maximum times to skip FileVault setup. If OFF, the FileVault password prompt doesn’t appear.

After you deploy the FileVault policy with this setting on, the following screen appears when a user signs off the device. The screen gives the user the option to enable FileVault before signing off.

If the Maximum times to skip FileVault setup value isn’t 0: After you deploy the FileVault policy with this setting off and then the user signs on, the following screen appears.

If the Maximum times to skip FileVault setup value is 0 or the user has skipped setup the maximum number of times, the following screen appears.

  • Maximum times to skip FileVault setup: The maximum number of times that the user can skip FileVault setup. When the user reaches the maximum, the user must set up FileVault to log in. If 0, the user must enable FileVault during the first login attempt. Default is 0.
  • Recovery key type: A user who forgets their password can type a recovery key to unlock the disk and reset their password. Recovery key options:

Personal recovery key: A personal recovery key is unique to a user. During FileVault setup, a user chooses whether to create a recovery key or to allow their iCloud account to unlock their disk. To show the recovery key to the user after FileVault setup completes, enable Show personal recovery key. Showing the key enables the user to record the key for future use. For information about recovery key management, see the Apple support article, https://support.apple.com/en-us/HT204837.

Institutional recovery key: You can create an institutional (or master) recovery key and FileVault certificate, which you then use to unlock devices. For information, see the Apple support article, https://support.apple.com/en-us/HT202385. Use XenMobile to deploy the FileVault certificate to devices. For information, see Certificates and authentication.

Personal & institutional recovery key: When you enable both types of recovery keys, you must unlock a user device only if the user loses their personal recovery key.

  • Show personal recovery key: If ON, shows the personal recovery key to the user after enabling FileVault on the device. Defaults to ON.

Configure deployment rules and choose delivery groups. For more information, see Add a device policy.

Set how app notifications appear on iOS devices

The new Apps notifications policy lets you control how iOS users receive notifications from specified apps. This policy is supported on devices running iOS 9.3 or later.

In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

Click Add. The Add a New Policy page appears.

Under Apps, click Apps Notifications. The Apps Notifications Policy information page appears.

In the Policy Information pane, enter the following information:

  • Policy Name: Type a descriptive name for the policy.
  • Description: Optionally, type a description of the policy.

Click Next. The Apps Notifications platform information page appears.

Configure notification settings:

  • App Bundle identifier: Specify the apps you want to apply this policy to.
  • Allow Notifications: Select ON to allow notifications.
  • Show in Notification Center: Select ON to show notifications in the notification center of the user devices.
  • Badge App Icon: Select ON to show a badge app icon with notifications.
  • Sounds: Select ON to include sounds with notifications.
  • Show in Lock Screen: Select ON to show notifications on the lock screen of the user devices.
  • Unlocked Alert Style: In the list, select None, Banner, or Alerts to configure the appearance of unlocked alerts.

Click Save to save the notifications settings.

Configure Policy Settings:

  • Next to Remove policy, click either Select date or Duration until removal (in hours).
  • If you click Select date, click the calendar to select the specific date for removal.
  • In the Allow user to remove policy list, click Always, Password required, or Never.
  • If you click Password required, next to Removal password, type the necessary password.

Configure deployment rules and choose delivery groups. For more information, see Add a device policy.

Support for the new Cisco AnyConnect VPN client for iOS

Cisco is phasing out the Cisco AnyConnect client that was based on a now deprecated VPN framework. Cisco renamed that client to Cisco Legacy AnyConnect. The bundle ID is unchanged, com.cisco.anyconnect.gui.

Cisco has a new client named Cisco AnyConnect. The new client provides a more reliable connection to internal resources and support for UDP and TCP applications with per-app VPN. The bundle ID for the new client is com.cisco.anyconnect. Cisco supports the new client for iOS 10 (minimum version).

  • To continue using the Legacy AnyConnect client: If you still use the legacy client, you don't need to change your existing VPN device policy for iOS. The policy will continue to work until Cisco phases out support for the legacy client. As of this release, the Connection type option Cisco AnyConnect is renamed to Cisco Legacy AnyConnect in the XenMobile Server console.
  • To use the new Cisco AnyConnect client: The new Cisco AnyConnect client doesn’t detect a XenMobile VPN device policy created with the Connection type option Cisco AnyConnect.

To use the new Cisco AnyConnect client, configure XenMobile Server, as follows.

Go to Configure > Device Policies and add a VPN policy for iOS.

On the VPN Policy platform page, configure the settings. The settings listed here are required for Cisco AnyConnect.

  • Connection name: Cisco AnyConnect
  • Connection type: Custom SSL
  • Custom SSL identifier (reverse DNS format): com.cisco.anyconnect
  • Provider bundle identifier: com.cisco.anyconnect
  • Provider type: Packet tunnel

Other settings, such as Authentication type for the connection and Enable per-app VPN, depend on your use case. For information, see “Configure Custom SSL protocol” under Configure iOS settings.

Configure deployment rules and choose delivery groups for the VPN device policy. Deploy that policy to iOS devices.

Upload the Cisco AnyConnect client from https://itunes.apple.com/us/app/cisco-anyconnect/id1135064690?mt=8, add the app to XenMobile Server, and then deploy the app to iOS devices.

Remove the old VPN device policy from iOS devices.

For more information, see the XenMobile support article https://support.citrix.com/article/CTX227708.

Control OS updates for Windows Desktop and Tablet

You can now use the Control OS Update device policy to deploy OS updates to supervised Windows 10 Desktop and Tablet devices.

Windows Desktop/Tablet options

  • Select active hours mode: Select a mode to configure the active hours for performing OS updates by a range of hours or a start and end time. After you select a mode, more settings appear: Specify max range for active hours or Active hours start and Active hours end. Not configured allows Windows to perform OS updates at any time. Defaults to Not configured.
  • Auto update behavior: Configures the download, install, and restart behavior of the Windows update service on user devices. Defaults to Auto install and restart.
    • Notify user before downloading the update: Windows notifies users when updates are available. Windows doesn’t automatically download and install updates. Users must initiate the download and install actions.
    • Auto install and notify to schedule device restart: Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs the updates immediately. If the installation requires a restart, Windows prompts the user to schedule the restart time. The user has up to seven days to schedule the restart. After seven days, Windows forces the device to restart. Enabling the user to control the start time reduces the risk of accidental data loss caused by apps that don’t shut down properly on restart.
    • Auto install and restart: Default setting. Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs the updates immediately. If the installation requires a restart, Windows automatically restarts the device when the device is inactive.
    • Auto install and restart at a specified time: When you choose this option, more settings appear so you can specify the day and time. The default is 3 a.m. daily. Automatic installation happens at the specified time and device restart occurs after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
    • Auto install and restart without end-user control: Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs updates immediately. If the installation requires a restart, Windows automatically restarts the device when the device is inactive. This option also sets the user control panel to read-only.
    • Turn off automatic updates: Disables Windows automatic updates on the device.
  • Scan for app updates from Microsoft update: Specifies whether Windows accepts updates for other Microsoft apps from the Microsoft update service. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can accept or reject updates for other Microsoft apps.
    • Yes: Windows allows app updates to be installed from the Windows update service. The related setting on the user device is inactive, so the user can’t modify the setting.
    • No: Windows doesn’t allow app updates to be installed from the Windows update service. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Specify updates branch: Specifies which Windows update service branch to use for updates. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose a Windows update service branch.
    • Current Branch: Windows receives updates from Current Branch. The related setting on the user device is inactive, so the user can’t modify the setting.
    • Current Branch for Business: Windows receives updates from Current Branch for Business. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Configure number of days to defer feature updates: If On, Windows defers feature updates by the specified number of days and the user can’t change the setting. If Off, the user can change the number of days to defer feature updates. Defaults to Off.
  • Configure number of days to defer quality updates: If On, Windows defers quality updates by the specified number of days and the user can’t change the setting. If Off, the user can change the number of days to defer quality updates. Defaults to Off.
  • Pause quality updates: Specifies whether to pause quality updates for 35 days. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose to pause quality updates for 35 days.
    • Yes: Windows pauses the installation of quality updates from the Windows Update Service for 35 days. The related setting on the user device is inactive, so the user can’t modify the setting.
    • No: Windows doesn’t pause the installation of quality updates from the Windows Update Service. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Allow updates only in approval list: Specifies whether to install only the updates that an MDM server approves. XenMobile Server currently doesn’t support configuring an approved list of updates. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose which updates to allow.
    • Yes, install only approved updates: Allows installation of approved updates only.
    • No, install all applicable updates: Allows installation of any applicable updates on the device.
  • Use internal update server: Specifies whether to obtain updates from the Windows update service or an internal update server through Windows Server Update Services (WSUS). If Off, devices use the Windows update service. If On, devices connect to the specified WSUS server for updates. Defaults to Off.
    • Accept updates signed by entities other than Microsoft: Specifies whether to accept updates signed by third-party entities other than Microsoft. This feature requires that the device trusts the third-party vendor certificate. Defaults to Off.
    • Allow connection to Microsoft update service: Allows Windows update on device to connect periodically to the Microsoft update service, even if the device is configured to get updates from a WSUS server. Defaults to On.
    • WSUS server: Specify the server URL for the WSUS server.
    • Alternate intranet server to host updates: Specify an alternate intranet server URL to host updates and receive reporting information.

Install offline maps on supervised Windows 10 phone devices

Windows 10 phone devices support offline maps. Use the Maps device policy to specify which maps to download to devices. The Microsoft Maps configuration service provider (CSP) currently supports maps of Germany, the United Kingdom, and the United States.

Other improvements

  • When performing a full wipe of an iOS 11 device that has a cellular data plan, you can choose to preserve the data plan.
  • XenMobile now displays a License Expiration Warning when Apple VPP or DEP tokens are nearing expiration or have expired.
  • Locale-based date and time formats. The date and time that appear on the Manage > Devices and Manage > Users pages are now formatted according to locale. For example, 6 PM on October 15, 2017, is shown as follows:

U.S. (en-US): 10/15/17 06:00:00 pm
U.K. (en-GB): 15/10/17 18:00:00
South Africa (en-ZA): 2017/10/15 06:00:00 pm

Fixed issues in this release

On the Manage > Devices > Properties page: The Passcode compliant property is set to Yes for Samsung devices that don't meet the Passcode policy requirements. [CXM-37948]

In Configure > Device Policies > App Lock Policy: After you type the policy name and go to the iOS page, bundle IDs don't appear in the App bundle ID menu. After you toggle between Android and iOS, the app bundle IDs appear. [CXM-39302]

When you import a renewed SSL Listener certificate into XenMobile, the "Could not import the certificate" message appears. After you restart XenMobile Server, the Certificates page and the XenMobile database continue to reference the old certificate. However, the new certificate is shown in a web browser. [CXM-39409]

If an action marks enrolled devices as Out of Compliance when they don't have Secure Hub installed: Devices with Secure Hub are also marked as Out of Compliance. This fix applies to actions that have the following pattern. Trigger: If Installed app name Is Not / Does Not contain <App Name>. Action: Perform <Action> after a delay of <5 to 10> minutes. [CXM-39410]

Known issues in this release

When you deploy an App Notification policy for the Messages and Wallet apps to iOS devices, some options don't work as expected. For example, you can't disable notifications for the Messages and Wallet apps and you can't disable sounds for the Messages app. This third-party issue is Apple bug ID 34591546. [CXM-37529]

When using the XenMobile console in Internet Explorer, with the locale set to "English - South Africa" (en-ZA): The Last authenticated date shown on the Manage > Users page is incorrect. [CXM-40028]

XenMobile Service 10.7.1

New restrictions for supervised devices running iOS

The following restrictions are now available for iOS devices running in supervised mode. The minimum version supported for each restriction is noted.

Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can't use the Classroom app to observe student screens remotely. The default setting is selected, which means that an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without prompting determines whether students receive a prompt to give the instructor permission. For supervised devices running iOS 9.3 (minimum version).

Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).

Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).

Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).

Allow AirPrint: If this restriction is set to Off, users can't print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).

Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren't stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).

Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. Disabling discovery prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).

Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).

Adding VPN configurations: If this restriction is set to Off, users can't create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).

Modifying cellular plan settings: If this restriction is set to Off, users can't modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).

Removing system apps: If this restriction is set to Off, users can't remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).

Setting up new nearby devices: If this restriction is set to Off, users can't set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).

To configure those restrictions, go to Configure > Device Policies. For more information on setting restrictions, see Restrictions device policy.


Support for Samsung Enterprise Firmware-Over-The-Air

Samsung Enterprise FOTA (E-FOTA) lets you determine when devices get updated and the firmware version to use. E-FOTA enables you to test updates before deploying them, to ensure that the updates are compatible with your apps. You can force devices to update with the latest firmware version available, without requiring user interaction.

Samsung supports E-FOTA for Samsung KNOX 2.7.1 devices (minimum version) that are running authorized firmware.

To configure an E-FOTA policy:

1. Create a Samsung MDM license key policy with the keys and license information you received from Samsung. XenMobile Server then validates and registers the information.

  • ELM License key: This field contains the macro that generates the ELM license key. If the field is blank, type the macro ${elm.license.key}.

Type the following information provided by Samsung when you purchased an E-FOTA package:

Enterprise FOTA Customer ID
Enterprise FOTA license
Client ID
Client Secret

2. Create a Control OS Update policy.

Configure these settings:

  • Enable Enterprise FOTA: Set to On.
  • Enterprise FOTA License Key: Select the Samsung MDM License Key policy name that you created in Step 1.

3. Deploy the Control OS Update policy to Secure Hub.

Other improvements

  • New iOS Setup Assistant Option: New feature highlights. The iOS Setup Assistant item, New feature highlights, sets up these onboarding informational screens: Access the Dock from Anywhere and Switch Between Recent Apps. You can choose whether to omit those onboarding screens from iOS Setup Assistant steps when users start their devices the first time.

New Feature highlights is available for iOS 11.0 (minimum version). The default for all items is unselected.

  • The XenMobile console interface for macOS VPP apps changed as follows:
    • In Configure > Apps, you can filter apps by macOS VPP. Portions of the interface that don't apply to a macOS VPP app are now omitted. For example, the Store Configuration section doesn't appear because there is no Secure Hub for macOS. The VPP keys import option no longer appears.
    • In Manage > Devices, the User Properties include Retire VPP account.
  • Control OS Update device policy for macOS. You can now use the Control OS Update policy to deploy OS updates to macOS devices that are supervised or that are deployed through Apple DEP.
  • Option to allow multiple users to use a Samsung SAFE device. The Restrictions device policy now includes the hardware control option, Allow multiple users. This option, for MDM 4.0 and later, defaults to OFF.
  • The Manage > Devices page now includes these additional device properties reported by Android devices:

Carrier Code (reported only by devices running Samsung MDM 5.7 or higher)
Model Number (reported only by devices running Samsung MDM version 2.0 or higher)

  • Restrictions device policy now includes a policy to disable the camera on Android devices. To configure the policy, go to Configure > Device Policies, click Add, and click Restrictions. By default, camera use is enabled. To disable camera use, change the Camera setting to OFF.

This feature requires Secure Hub 10.7.5 (minimum version).

  • When creating an action based on device properties with a value type of integer: You now can choose between Greater or Equal and Lesser or Equal, in addition to the existing condition, Is. The device property values that have new conditions include: Available and total RAM, available and total storage space, screen dimensions, and screen resolution. Use the Configure > Actions page to create actions.
  • Login/Logout Public API update. Citrix Cloud users can now log in to XenMobile Public API for REST Services by using a token retrieved through the Citrix Cloud API. For more information, see section 3.3.2, Login (Cloud Credentials), in the XenMobile Public API for REST Services PDF.

Fixed issues in this release

The Lock security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-35731]

If you send the Enable Lost Mode security action to a supervised iOS device without Secure Hub, the Locate button doesn't appear on the device. [CXM-36106]

On the Manage > Devices > Apps page, the inventory shows an incorrect version number for Boeing Toolbox Mobile Library. [CXM-37514]

iOS users can't update Citrix Receiver to version 7.2.3. When they click Check for Update, the message "The app is up to date with the latest version" appears even when they have an older version. [CXM-38114]

If an RBAC role doesn't have access to the App Wipe and App Lock actions: A user with that role and logged into the Self Help Portal can perform the App Wipe and App Lock actions. [CXM-38348]

Local and Active Directory users with the RBAC permission "ADD/EDIT/DELETE local users and groups" can also delete admin accounts. When those users are logged in to the XenMobile Console, the Manage > Users page includes Edit and Delete buttons for admin accounts. [CXM-38350]

A scheduled database cleanup fails due to many transaction logs exceeding disk space limits. [CXM-38439]

If the trigger for an automated action is based on a null value for a device property, the action is performed for that device. For example, if an action is set to wipe a device if the platform is not iOS, the action wipes iOS devices. [CXM-38470]

For administrators who have only the PKI Entities and Credential Providers roles in RBAC: The administrator gets logged out of the XenMobile console while adding a PKI Entity or Credential Provider. To work around this issue, add the Certificates permission to the RBAC role of the administrator. [CXM-38713]

XenMobile Service 10.7.0

Important

After an upgrade to XenMobile 10.7:

If functionality involving outgoing connections stops working, and you haven't changed your connection configuration, check the XenMobile Server log for errors such as the following: “Unable to connect to the VPP Server: Host name '192.0.2.0' does not match the certificate subject provided by the peer.”

If you receive the certificate validation error, disable hostname verification on XenMobile Server. By default, hostname verification is enabled on outgoing connections except for the Microsoft PKI server. If hostname verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.
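To find which outgoing endpoints would produce this error, you can compare each configured host name with the names in the certificate that the server presents. The following is an added example, not Citrix code: it applies RFC 6125 style name matching to certificate dictionaries in the format returned by Python's ssl.SSLSocket.getpeercert(), and all certificates, host names and addresses in it are constructed.

```python
import ipaddress

# Constructed sample certificates in the dict format returned by
# ssl.SSLSocket.getpeercert(); names and addresses are documentation values.
CERT_WITH_SAN = {
    "subject": ((("commonName", "vpp.example.com"),),),
    "subjectAltName": (
        ("DNS", "vpp.example.com"),
        ("DNS", "*.mdm.example.com"),
        ("IP Address", "198.51.100.7"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "pki.example.com"),),)}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    want = pattern.lower().rstrip(".").split(".")
    have = host.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False
    if want[0] == "*":
        # Reject over-broad patterns such as '*.com'.
        return len(want) >= 3 and want[1:] == have[1:]
    return want == have


def check_host(host, cert):
    """Return (ok, reason) for an outgoing connection to host using cert."""
    san = cert.get("subjectAltName", ())
    dns = [v for kind, v in san if kind == "DNS"]
    ips = [v for kind, v in san if kind == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal can only match an IP Address entry, never a DNS name.
        if any(_as_ip(v) == ip for v in ips):
            return True, "matches IP Address SAN"
        return False, "IP address is not in the certificate"
    if any(_dns_match(p, host) for p in dns):
        return True, "matches DNS SAN"
    if not san and any(_dns_match(cn, host) for cn in cns):
        return True, "matches commonName only (no SAN present)"
    return False, "host name is not in the certificate"


def audit(endpoints):
    """Map each configured host to its failure reason; matching hosts are omitted."""
    failures = {}
    for host, cert in endpoints:
        ok, reason = check_host(host, cert)
        if not ok:
            failures[host] = reason
    return failures
```

A host that audit() reports can usually be fixed by configuring the connection with a name the certificate contains, or by reissuing the certificate with the configured name, which leaves verification enabled for every other connection.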

The latest version of XenMobile has these new features and improvements:

  • More macros for enrollment templates
  • Public REST API changes
  • Fixed issues in this release

More macros for enrollment templates

You can use these new macros when creating enrollment templates for device enrollment invitations:

${enrollment.urls}
${enrollment.ios.url}
${enrollment.macos.url}
${enrollment.android.url}
${enrollment.ios.platform}
${enrollment.macos.platform}
${enrollment.android.platform}
${enrollment.agent}

These macros allow you to create enrollment templates that contain enrollment URLs for multiple device platforms.

This example shows how to create a notification that includes enrollment URLs for multiple device platforms. The macro for the Message is:

${enrollment.urls}


These examples show how to create messages for notifications that prompt the users to click the enrollment URL for their device platforms:

Example 1:

To enroll, click the link below that applies to your device platform:

${enrollment.ios.platform} - ${enrollment.ios.url}

${enrollment.macos.platform} - ${enrollment.macos.url}

${enrollment.android.platform} - ${enrollment.android.url}

Example 2:

To enroll an iOS device, click the link ${enrollment.ios.url}.

To enroll a macOS device, click the link ${enrollment.macos.url}.

To enroll an Android device, click the link ${enrollment.android.url}.

Public REST API changes

When using the XenMobile Public REST API to create enrollment invitations, you can now:

  • Specify a custom PIN. If the enrollment mode requires a PIN, you can use a custom PIN instead of the one randomly generated by the XenMobile Server. The PIN length must match the setting configured for the enrollment mode. The PIN length defaults to 8. For example, a request might include: "pin": "12345678"
  • Select multiple platforms. Previously, you could use the REST API to specify only one platform for an enrollment invitation. The "platform" field is deprecated and replaced with "platforms". For example, a request might include: "platforms": ["iOS", "MACOSX"]

For the complete current set of available APIs, download the XenMobile Public API for REST Services PDF.

Fixed issues in this release

If a VPN Connection name has a space, or other non-alphanumeric characters, XenMobile doesn't deploy the policy to devices. [CXM-32538]

The XenMobile REST API doesn't allow you to select multiple platforms when creating an enrollment invitation. [CXM-35853]

The Full Wipe security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-36397]

The enrollment URL link in an enrollment invitation might fail to resolve to the enrollment URL. To prevent this issue, ensure that the template you choose contains macros compatible with the platforms you selected when creating the enrollment invitation. Use these new macros when creating enrollment URL templates:

${enrollment.urls}, ${enrollment.ios.url}, ${enrollment.macos.url}, ${enrollment.android.url}, ${enrollment.ios.platform}, ${enrollment.macos.platform}, ${enrollment.android.platform}, and ${enrollment.agent}

The older ${enrollment.url} still works for enrollment invitations that have only one platform selected. [CXM-37513]
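The compatibility rule in this fix, together with the enrollment template macros introduced in this release, can be checked before an invitation is sent. The following is an added example, not Citrix code: the macro names are the ones listed on this page, while the platform keys (ios, macos, android), the coverage rules and the sample templates are this example's assumptions.

```python
import re

# Macro names come from the page; the coverage rules below are this example's
# reading of it, and the platform keys are the ones embedded in the macro names.
PLATFORMS = ("ios", "macos", "android")
KNOWN = {"enrollment.urls", "enrollment.url", "enrollment.agent"} | {
    f"enrollment.{p}.{part}" for p in PLATFORMS for part in ("url", "platform")
}
MACRO_RE = re.compile(r"\$\{([^}\s]*)\}")
# A "${" with no closing "}" before the next whitespace, e.g. "${enrollment.url]".
UNCLOSED_RE = re.compile(r"\$\{(?![^}\s]*\})")


def lint_template(text, selected):
    """Return a list of problems for a template and the selected platforms."""
    problems = []
    selected = [p.lower() for p in selected]
    problems += [f"unknown platform: {p}" for p in selected if p not in PLATFORMS]
    if UNCLOSED_RE.search(text):
        problems.append("unterminated macro")
    found = set(MACRO_RE.findall(text))
    for name in sorted(found):
        if name.startswith("enrollment.") and name not in KNOWN:
            problems.append(f"unknown macro: ${{{name}}}")
    if "enrollment.urls" in found:
        covered = set(selected)  # one macro lists every selected platform
    elif "enrollment.url" in found and len(selected) == 1:
        covered = set(selected)  # older macro: single platform only
    else:
        covered = {p for p in selected if f"enrollment.{p}.url" in found}
    problems += [
        f"no enrollment URL macro covers {p}" for p in selected if p not in covered
    ]
    # Assumed rule: a per-platform link for an unselected platform cannot resolve.
    problems += [
        f"template links {p}, which is not selected"
        for p in PLATFORMS
        if p not in selected and f"enrollment.{p}.url" in found
    ]
    return problems


# Constructed templates: the first follows Example 1 on the page.
PER_PLATFORM = (
    "To enroll, click the link below that applies to your device platform:\n"
    "${enrollment.ios.platform} - ${enrollment.ios.url}\n"
    "${enrollment.macos.platform} - ${enrollment.macos.url}\n"
    "${enrollment.android.platform} - ${enrollment.android.url}\n"
)
LEGACY = "To enroll, click ${enrollment.url}"
```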

After you use the XenMobile CLI to edit the proxy exclusion list and then restart the server, the list appears truncated in the CLI. This issue only affects the display of the list. [CXM-37812]

When you submit a macro on the Troubleshooting and Support > Macros page, the "Failed to get macro information" message appears. [CXM-37940]

Known issues in this release

When you submit a macro on the Troubleshooting and Support > Macros page, the "Failed to get macro information" message appears. [CXM-37940]

XenMobile Service 10.6.3

Integrate with Apple Education features

You can use XenMobile Server as your mobile device management (MDM) solution in an environment that uses Apple Education. XenMobile supports the Apple Education enhancements introduced in iOS 9.3, including Apple School Manager and Classroom app for iPad. The new XenMobile Education Configuration device policy configures instructor and student devices for use with Apple Education.

The following video provides a quick tour of the changes you make to Apple School Manager and XenMobile Server.

Citrix XenMobile Education Configuration: Integrate Apple Education features with XenMobile

You provide preconfigured and supervised iPads to instructors and students. That configuration includes:

  • Apple School Manager DEP enrollment in XenMobile
  • A Managed Apple ID account configured with a new password
  • Required VPP apps and iBooks

For details about integrating with Apple Education features, see Integrate with Apple Education features and Education Configuration device policy.


BitLocker device policy for Windows 10

Windows 10 Enterprise includes a disk encryption feature called BitLocker. BitLocker provides extra file and system protections against unauthorized access of a lost or stolen Windows device. For more protection, you can use BitLocker with Trusted Platform Module (TPM) chips, version 1.2 or later. A TPM chip handles cryptographic operations and generates, stores, and limits the use of cryptographic keys.

Starting with Windows 10, build 1703, MDM policies can control BitLocker. You use the BitLocker device policy in XenMobile to configure the settings available in the BitLocker wizard on Windows 10 devices. For example, on a device with BitLocker enabled, BitLocker can prompt users for:

  • How they want to unlock their drive at startup
  • How to back up their recovery key
  • How to unlock a fixed drive.

BitLocker device policy settings also configure whether to:

  • Enable BitLocker on devices without a TPM chip.
  • Show recovery options in the BitLocker interface.
  • Deny write access to a fixed or removable drive when BitLocker isn't enabled.

For more information, see BitLocker device policy.

Other improvements

  • The XenMobile console and the Self Help Portal are now available in Spanish.
  • Filter enrollment invitations by macOS. The Platform filter for Manage > Enrollment Invitations now includes macOS.
  • XenMobile now reports the Security patch level for Android devices. You can view the Security patch level on the Manage > Devices page and in Device details. You can also use Configure > Actions to create an action that the security patch level triggers.
  • Restrictions policy setting to block users from using face recognition to unlock Samsung Galaxy S8+ devices. The Restrictions device policy for Samsung SAFE now includes the setting, Face Recognition. To block use of face recognition to unlock device access, go to Configure > Device Policies and edit the Restrictions policy to set Face Recognition to Off.

Fixed issues in this release

Delivery groups might show a pending deployment status even though the apps associated with the devices in those delivery groups successfully install. [654162, CXM-21771]

After you update the obfuscated APK file for some Android apps in the XenMobile console: The older version appears in the details and the updated version doesn't deploy to devices. [CXM-25629]

In Manage > Devices, after saving edits to remove the Device Model property from an iOS device and then clicking Export, the "500 Internal Error" message appears. [CXM-36495]

Over-the-air enrollment for iOS devices fails intermittently. The "Profile installation failed" message appears. [CXM-37001]

Known issues in this release

On iOS 11, installed MDX apps begin to reinstall when the next deployment occurs. [CXM-34896]

The Lock security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-35731]

If you send the Enable Lost Mode security action to a supervised iOS device without Secure Hub, the Locate button doesn't appear on the device. [CXM-36106]

The Full Wipe security action fails on enrolled devices running macOS High Sierra (10.13 beta3) with the Apple File System (APFS). [CXM-36397]

RBAC administrators can assign the default admin role to new or existing users. Assigning the default admin role should be restricted to super admins. [CXM-37805]

XenMobile Service 10.6.2

The latest version of XenMobile has these new features and improvements.

Restart or shut down a supervised iOS device

You can use security actions to restart or shut down a supervised iOS device (minimum version 10.3). Go to Manage > Devices, select the device, click Security, and then click Restart or Shut Down.

A device restarts immediately when it receives the Restart command. Passcode-locked iOS devices don't rejoin WiFi networks after restarting, so they might not communicate with the server. A device shuts down immediately when it receives the Shut Down command.


Locate or ring a supervised iOS device that's in lost mode

After you place a supervised iOS device in lost mode, you can use security actions to locate or ring the device. A "ring" is the lost mode sound that Apple defines for the device.

  • To locate a device that's in lost mode:

Go to Manage > Devices, select the device, click Security, and then click Locate. The Device details page provides a status of the location request.


If the device is located, the Device details page includes a map.

  • To ring a device that's in lost mode (minimum version iOS 10.3):

Go to Manage > Devices, select the device, click Security, and then click Ring. The next time that the device connects, it rings. To stop the ring, the user clicks the power button. To stop the ring from the XenMobile console, use the Disable Lost Mode security action.

Other improvements

  • Reboot a Windows 10 device. You can now send a security action, Reboot, to reboot a device. For Windows Tablet and PCs, the message "System will reboot soon" appears and then the reboot occurs in five minutes. For Windows Phone, there is no warning message to users and the reboot occurs after a few minutes.

  • Improved performance when importing many VPP licenses. This optimization uses multi-threading. A new XenMobile Server property, MaxNumberOfWorker, defaults to 3 (threads). If you need further optimization, you can increase the number of threads. However, with a larger number of threads, such as 6, a VPP import results in very high CPU usage.

  • Configure > Apps now shows the Package ID for public app store apps and enterprise apps.
  • Alphabetized resource lists for delivery groups. In Configure > Delivery Groups, all resource lists and search results appear in alphabetical order.
  • On the Manage > Devices and Manage > Users pages, dates now appear in the 24-hour format, dd/mm/yyyy hh:mm:ss. Dates reflect the local time zone for devices and users.

  • In the XenMobile console, all references to Mac OS X, OS X, OSX, MACOSX, and MacOS are now macOS.

Public REST API changes

The XenMobile Public API for REST Services now includes the following APIs:

  • Get Public Store App by container ID

  • Add New Public Store App

  • Update Public Store App

  • Add Public Store App platform data

  • Delete Public Store App platform data

  • Update Public Store App platform data

For the device notification REST services, you can now notify a device by using the device ID, without requiring XenMobile to send a token.

For details, see XenMobile Public API for REST Services.

Fixed issues in this release

If you give the USER role any of the following RBAC permissions, the user can modify an administrator account:

  • Local Users and Groups > Add/Delete Local Users

  • Local Users and Groups > Edit Local User [#TRK0681955]

When you click Export on the Manage > Users page: If there are more than 10,000 users, the download takes a very long time. [CXM-32425]

You might have intermittent difficulties accessing the XenMobile Server console, because of high memory usage. [CXM-35069]