XenMobile Server

What’s new in XenMobile Server 10.16

Continued support for the Classic policies deprecated from Citrix ADC

Citrix recently announced the deprecation of some Classic policy-based features starting with Citrix ADC 12.0 build 56.20. The Citrix ADC deprecation notices have no impact to existing XenMobile Server integrations with Citrix Gateway. XenMobile Server continues to support the Classic policies and no action is needed.

XenMobile Migration Service

If you’re using XenMobile Server on-premises, our free XenMobile Migration Service can get you started with Endpoint Management. Migration from XenMobile Server to Citrix Endpoint Management doesn’t require you to re-enroll devices.

To start migration, contact your local Citrix salesperson or Citrix partner. For more information, see XenMobile Migration Service.

Deprecation announcements

For advanced notice of the Citrix XenMobile features that are being phased out, see Deprecation.

Before upgrading endpoints to iOS 14.5

Before upgrading any endpoint to iOS 14.5, Citrix recommends that you do the following actions to mitigate app crashes:

  • Upgrade Citrix Secure Mail and Secure Web to 21.2.X or higher. See Upgrade MDX or enterprise apps.
  • If you use the MDX Toolkit, wrap all third-party iOS applications with MDX Toolkit 21.3.X or higher. Check the MDX Toolkit download page for the latest version.

Before you upgrade an on-premises Citrix ADC

Upgrading an on-premises Citrix ADC to certain versions can result in a single sign-on error. Single sign-on to Citrix Files or the ShareFile domain URL in a browser with the Company Employee Sign in option results in an error. The user is unable to sign in.

To work around this issue: If you haven’t already run the following command from the ADC CLI on Citrix Gateway, run it to enable global SSO:

`set vpn parameter SSO ON`
`bind vpn vs <vsName> -portalTheme X1`

For more information, see:

After you complete the workaround, users can authenticate to Citrix Files or the ShareFile domain URL using SSO in a browser with the Company Employee Sign-in option. [CXM-88400]

Before you upgrade to XenMobile 10.16 (on-premises)

Some systems requirements changed. For information, see System requirements and compatibility and XenMobile compatibility.

  1. If the virtual machine running the XenMobile Server to be upgraded has less than 8 GB of RAM, we recommend increasing the RAM to at least 8 GB.

  2. Update your Citrix License Server to 11.17.2.0 Build 47000 or later before updating to the latest version of XenMobile Server 10.16.

    The latest version of XenMobile requires Citrix License Server 11.17 (minimum version).

    Note:

    The Customer Success Services date (previously, Subscription Advantage date) in XenMobile 10.16 is November 15, 2022. The Customer Success Services date on your Citrix license must be later than this date.

    You can view the date next to the license in the License Server. If you connect the latest version of XenMobile to an older License Server environment, the connectivity check fails and you can’t configure the License Server.

    To renew the date on your license, download the latest license file from the Citrix Portal and upload the file to the Licensing Server. See Customer Success Services.

  3. For a clustered environment: iOS policy and app deployments to devices running iOS 11 and later have the following requirements:

    • If Citrix Gateway is configured for SSL persistence, you must open port 80 on all XenMobile Server nodes.
  4. Recommendation: Before you install a XenMobile update, use the functionality in your VM to take a snapshot of your system. Also, back up your system configuration database. If you experience issues during an upgrade, complete backups enable you to recover.

To upgrade

With this release, XenMobile supports VMware ESXi 7.0. Make sure that you upgrade to 10.14 or later, before installing or upgrading ESXi 7.0.

You can directly upgrade to XenMobile 10.16 from XenMobile 10.15.x or 10.14.x. To do the upgrade, download the latest binary available: Go to the Citrix downloads page. Navigate to Citrix Endpoint Management (XenMobile) > XenMobile Server > Product Software > XenMobile Server 10. On the tile for the XenMobile Server software for your hypervisor, click Download File.

To upload the upgrade, use the Release Management page in the XenMobile console. See To upgrade using the Release Management page.

After you upgrade

If functionality involving outgoing connections stop working, and you haven’t changed your connections configuration, check the XenMobile Server log for errors such as the following: “Unable to connect to the VPP Server: Host name ‘192.0.2.0’ does not match the certificate subject provided by the peer”.

  • The certificate validation error means you must disable host name verification on the XenMobile Server.
  • By default, host name verification is enabled on outgoing connections except for the Microsoft PKI server.
  • If host name verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.

Platform updates

  • Support for Android 14: XenMobile Server and Citrix Mobile productivity apps now supports Android Enterprise device updates to Android 14. For more information about security and privacy benefits, see the Android documentation.
  • Support for iOS 17: XenMobile Server and Citrix Mobile productivity apps are now compatible with iOS 17, but don’t currently support any new iOS 17 features.
  • Support for macOS 14: XenMobile Server and Citrix Mobile productivity apps are now compatible with macOS 14, but don’t currently support any new macOS 14 features.

Access to Devices & Apps reports

Previously, the Devices & Apps reports page displayed the information about all the devices and apps for all the users irrespective of their user group even if the role-based access control (RBAC) was applied.

Starting from XenMobile Server 10.16 release, the Devices & Apps reports page displays the devices and apps specific to the user groups defined in the To specific user groups that the RBAC role has permission to manage. For more information about configuring roles with RBAC, see Configure roles with RBAC.

Added a new mandatory field “Domain” in the 802.1x settings for Android Enterprise

A new field Domain is added in the Android Enterprise platform network policy settings page for the 802.1x EAP authentication type. For more information, see 802.1x settings for Android Enterprise.

Added new settings in Restrictions device policy and Exchange device policy for iOS

  • Added a new setting Allow Mail Drop” in the Exchange device policy for iOS. For more information, see Exchange device policy - iOS settings.

  • Added the following new settings in the Restrictions device policy for iOS:

    • Allow boot to recovery by an unpaired device
    • Install rapid security response
    • Remove rapid security response
    • Allow mail privacy protection
    • NFC
    • Allow App clips
    • Allow Apple personalized advertising
    • Auto unlock

For more information, see Restrictions device policy - iOS settings.

Added new fields OAuth sign-in URL and OAuth token request URL in the Exchange device policy settings for iOS

Starting from the XenMobile Server 10.16 release, the OAuth sign-in URL and OAuth token request URL fields are added under the Exchange Policy > iOS > Use OAuth radio button. For more information, see Exchange device policy.

Added new Knox Platform for Enterprise Key device policy

A new device policy named Knox Platform for Enterprise Key has been added. This policy allows you to provide the required Samsung Knox Platform for Enterprise (KPE) license information and use the KPE licenses to enhance the security of your Samsung device. For more information, see Knox Platform for Enterprise Key device policy.

Clone a delivery group to use as the basis for a new delivery group

This feature lets you copy a complex delivery group that includes multiple policies, apps, and actions. You can then edit the copy such as adding enrollment profiles or a new set of Active Directory users. For details, see Clone a delivery group.

Support for Apple Business Manager for shared iPads

Starting from XenMobile Server 10.16 release, shared iPads support Apple Business Manager (ABM) with XenMobile Server. This allows you to sign in to the shared iPads using the ABM accounts and use them. For more information, see Configuring shared iPads.

Added new security action named Delete All Users for shared iPads

Starting from XenMobile Server 10.16 release, a new security action named Delete All users is added for shared iPads in XenMobile Server. This allows you to delete all the users on the device. For more information, see Security actions for shared iPads.

App attributes device policy supports new iOS app attributes

You can now specify the following attributes for apps installed on iOS devices:

  • Removable app: Specify whether the app is removable by users when it’s a managed app.
  • Enable associated domain direct download: Specify whether the app can perform the claimed site association verification at the domains directly.
  • Associated Domains: Specify the associated domains to add to an app.

For more information, see App attributes device policy.

Support to sync or override Synced Exchange Services for iOS

Starting from the XenMobile Server 10.16 release, you can choose whether to sync or override the following synced Exchange Services for iOS by enabling the relevant settings.

  • Calendars
  • Contacts
  • Mail
  • Notes
  • Reminders

For more information, see Exchange device policy.

Support for resetting Control OS Updates device policy to system default

Starting from the XenMobile Server 10.16 release, a new value Default is added in the System update policy dropdown list under Control OS Updates for Android Enterprise. This feature allows you to reset the System update policy to system default. For more information, see Control OS Updates device polic.

Added new option “OS updates version” in the OS Update policy for iOS

In the OS Update policy for the iOS platform, a new option OS updates version is added after the OS update frequency field. This option allows you to specify the OS version to use to update the supervised iOS devices. For more information, see iOS settings.

Network Access Control

Use the Network Access Control (NAC) solution to extend the XenMobile device security assessment for Android and Apple devices. The NAC solution uses the XenMobile security assessment to facilitate and handle authentication decisions. After you configure the NAC appliance, the device policies and NAC filters that you configure in XenMobile get enforced. For more information, see Network Access Control.

Support for mixed license types with XenMobile Server

This feature allows you to activate a mixture of XenMobile license types and editions using either XenMobile Server or Citrix Licensing Server. For more information, see To activate a different license.

Support for eSim on iOS devices

XenMobile Server has a new property ios.esim.support, which enables the XenMobile Server to get the eSim information from the iOS devices and displays the eSim related device properties on the user interface. The default value of this property is True. For more information, see Server properties.

VPN device policy for Android Enterprise platform

Previously, you can enable VPN service for devices running on Android Enterprise by enabling the Enable Always-On VPN option in the XenMobile Options device policy.

Starting from XenMobile Server 10.16, you can enable always-on VPN service for devices running on Android Enterprise by enabling the Enable Always-On VPN option in the VPN device policy. If you have already enabled the Enable Always-On VPN option in the XenMobile Options device policy in a previous release, then make sure that you enable the same in the VPN device policy again for the newly enrolled devices. No changes are required for the devices that are enrolled already. For more information, see VPN device policy for Android Enterprise platform.

Added new field Profile scope under Webclip Policy Settings for iOS

For iOS devices, a new field named Profile scope is added under the Policy Settings in the Webclip device policy. This allows you to select whether the policy applies to a user or a system. For more information, see Webclip device policy - iOS settings.

Secure Hub APNs certificate renewal

This update automatically renews the Secure Hub Apple Push Notification Service (APNs) certificate for XenMobile Server 10.16 to a new certificate which will expire on February 9, 2025.

Update deployment rule for the public store app using REST API

A new field named rules is added to the Add New Public Store App and Update Public Store App REST APIs. This allows you to update the deployment rules for the public store app. For more information, see Public REST API documentation.

Support for auto-update of optional apps in iOS

Starting from the XenMobile Server 10.16, a new server property named apple.ios.optional_app_update is added. This property allows you to auto-update the optional apps in iOS. The default value of apple.ios.optional_app_update is set as False. For more information, see Server properties.

For more information about auto-update of optional Volume Purchased apps, see Check for the app updates.

Support for Enterprise apps on macOS devices

XenMobile Server has a new property mac.app.push which enables the support of Enterprise apps on devices running macOS. The default value of this property is True. For more information, see Server properties.

Device report enhancement for Total App Deployment Attempts and Top 100 Installed Apps

In the XenMobile Server Console Analyze -> Reporting, two new columns Operating system version and Device model columns are added in Total App Deployment Attempts and the new device report Top 100 Installed Apps is added to show top 100 apps installed for each platform. For more information see Reports.

XenMobile Server has a new property device.report.enhancement.enabled, which enables the above new device report enhancement. The default value of this property is True. For more information, see Server properties.

Modernizing sorting and filtering in Device enrollment

The list views in XenMobile Server are currently difficult to navigate and less user-friendly. By moving filtering and sorting options to the column headers, the users can combine these functions, making it much simpler and intuitive to find the required data.

Deprecations and removals

Deprecation of the XenMobile Analyzer Tool: As per our frequent and stable release cadence, the XenMobile Analyzer Tool is no longer required. Citrix has discontinued this service from March 31, 2023. Citrix recommends you to use the connectivity checks available within the Citrix XenMobile console or Citrix Gateway. For more information, see Connectivity checks.

What’s new in XenMobile Server 10.16

In this article