Product Documentation

XenMobile Server 10.1 Known Issues

Nov 19, 2015

The following issues are known in XenMobile 10.1.

  • Due to IIS on servers running Windows 2008 that have an SSL handshake flaw in the TLS v1 implementation, problems occur with Java 8:

    • XenMobile Server 10.1 is supported on Windows 2008 R2 Certificate Authorities with a workaround. To enable TLSv1.1 and TLSv1.2 support, follow the instructions in the Microsoft KB article, in the section “SCHANNEL\Protocols subkey."
    • XenMobile Server 10.1 is not supported with Windows 2008 “vanilla” Certificate Authorities.


  • During enrollment, iOS devices may experience errors during or after mobile device management (MDM) profile installation. Users may see "Cocoa error 4097," on devices running iOS 8.1, or "Profile cannot be decrypted," on devices running earlier versions of iOS. If this occurs, users should try enrolling again. In some cases, it may take more than one attempt.


  • When re-enrolling a device, enrollment may fail if users re-enroll too soon after un-enrolling.


  • App enumeration fails when delivery groups are defined with Active Directory groups belonging to parent and child domains using the AND operator. To prevent this situation, use the OR operator when defining the delivery groups.


  • When you create an action in which the Disabled user is True, when the issue is triggered, the action you configure does not occur.


  • When you configure XenMobile server with a uppercase letter in the host name, such as, the Worx Store does not open on devices after the devices enroll.


  • On an Android device in Android for Work mode, when you add a PKI entity with a GPKI credential provider or Microsoft Certificate Services and associate credential in a Credentials device policy with another device policy, when users refresh the device policies from Worx Home, the certificate is revoked and regenerated in error. As a workaround, deploy the certificate only one time.


  • When you create an Exchange device policy for Windows Phone 8.1 devices and you set the Logging level to Basic, deployment fails. This is a third-party issue.


  • In the XenMobile console, when you configure a Browser device policy for Android for Work, for the URLs in the blacklist, the policy is enforced for exact matches. For example, if you list, only that URL is blocked, but not or


  • Windows Phone 8.1 devices cannot connect to XenMobile server after certificate renewal. This is a third-party issue.


  • You can choose a full wipe action in the XenMobile console from the dashboard for Android for Work devices, but the devices do not support the full wipe action. When you choose this action, the Android for Work devices are selectively wiped and users cannot re-enroll in XenMobile, unless you delete the device from XenMobile.


  • On Worx Home for iOS, when launching a Windows app hosted on a XenApp delivery controller with a display name configured with special characters (#%^), you may see the error “Access to your company network not available."


  • When you create a Password device policy and set the complexity as Alphanumeric or Numeric, after deploying the policy to Windows Phone 8.1 devices, users cannot choose letters on the keypad. This is a third-party issue.


  • On Windows Phone 8.1 devices, if users choose not to install Worx Home while enrolling, required enterprise apps are deployed and installed automatically on the device in error.


  • In the XenMobile console, when configuring RBAC settings, when you add a role, in Authorized access, you must clear the Admin console access check box, or in Console features, select one or more option. If not, you can still add the role, but an error appears when users sign on to the console.


  • Requiring iTunes passwords on IOS 8.3+ devices is not enforced.


  • Cert based enrollment of Worx Home fails on Windows Phone 8.1. For a workaround, see


  • After migrating data in a XenMobile enterprise deployment to XenMobile 10.1, the following issues occur with enrolled Windows Phone 8.1 devices:
    • Users with Windows Phone 8.1 devices cannot log on to the Worx Store.
    • users cannot open installed enterprise apps from Worx Home, but they can open the apps from the main menu.
    • Users cannot open the Worx Store.


  • When creating advanced deployment rules, if you add a rule for Limit by known device property name and you set the property value as True or False, the rule doesn't work as expected. For example, the rule for Supervised equal to False does not work. As a workaround, the property value you should choose for the Limit by known device property name rule should be a Boolean value: 0 to indicate False and a -1 to indicate True.


  • Not all required iOS apps are pushed to all users after enrolling Worx Home do to a delay in APNS.


  • When providing a host name for the command line interface, no error is indicated when you enter invalid characters. The host name cannot have a - as the first character and cannot contain the following characters: $ ? /


  • On the XenMobile console, when you open Settings -> NetScaler Gateway, you see the following instruction: "If you use NetScaler Gateway with StoreFront as the authentication server, you need to enable StoreFront as well." This is incorrect. You do not need to do anything with StoreFront.


  • When you configure a single device policy for both Android and Android for Work platforms, the policy for the Android device also takes effect on an Android for Work device. As a workaround, configure a separate policy for each platform and assign different users to each policy. That is, assign users with Android devices to the Android policy and assign users with Android for Work devices to the Android for Work policy.


  • In the XenMobile console, when configuring your connection to ShareFile, if the ShareFile admin password contains the characters % or ^, you will get an error or see other spurious behavior. To avoid this, change the ShareFile admin account password so it does not include the characters % or ^ .


  • Users cannot enroll devices running Android for Work with the enrollment method "User Name + PIN" This setting appears in the XenMobile console in Configure -> Settings -> Enrollment -> User name + PIN.


  • When you configure LDAP with sAMAccountName as the means for user searches, Android devices cannot enroll in Android for Work mode. This is a third-party issue.


  • In cloud deployments, NetScaler Gateway connectivity checks under Support Page may incorrectly show STA status as Fail.


  • Devices running Android M may have problems re-enrolling. This is a third-party issue.


  • If you are using SSL on the SQL Server, upload the Trusted Root CA Certificate through the XenMobile 10.0 Console prior to upgrading. Failure to do so causes a reboot loop.


  • Schedule the shutting down cluster nodes in Maintenance mode because there could be a two-minute window of outage.


  • Join new nodes only after bringing up the first node in the cluster.


  • An invalid profile error occurs when you try to configure the iOS Device Enrollment Program in the XenMobile console. This is a third-party issue.