Citrix has released XenMobile Server version 10.6. Here after information about the new or improved features.

For information about upgrading, see Upgrade. To access the XenMobile management console, use only the XenMobile Server fully qualified domain name or the IP addresses of the node.

XenMobile Server 10.6 includes the following new features. For information about bug fixes, see Fixed issues.

XenMobile now consistently and promptly installs required apps on managed iOS and Android devices. This improvement resolves deployment issues that occurred primarily for XenMobile configured in enterprise (XME) mode. Users more promptly receive updates in situations, such as:

• You upload a new app and mark it as required.
• You mark an existing app as required.
• As user deletes a required app.
• A Secure Hub update is available.

• XenMobile Server 10.6
• Secure Hub (minimum versions: 10.5.15 for iOS; 10.5.20 for Android)
• MDX Toolkit 10.6
• After you upgrade XenMobile Server and Secure Hub: Users with enrolled devices must sign off and then sign on to Secure Hub, one time, to obtain the required app deployment updates.

The following examples show the sequence of adding the Secure Tasks app to a delivery group and then deploying the delivery group.

After the sample app, Secure Tasks, deploys to the user device, Secure Hub prompts the user to install the app.

Starting with XenMobile 10.6, you configure NetScaler Gateway for use with XenMobile Server by exporting a script from XenMobile that you run on NetScaler Gateway. The script configures these NetScaler Gateway settings required by XenMobile:

• NetScaler Gateway virtual servers needed for MDM and MAM
• Session policies for the NetScaler Gateway virtual servers
• XenMobile Server details
• Authentication Policies and Actions for the NSG virtual server.
  The script describes the LDAP configuration settings.
• Traffic actions and policies for the proxy server
• Clientless access profile
• Static local DNS record on NetScaler
• Other bindings: Service policy, CA certificate

The script doesn’t handle the following configuration:

• Exchange load balancing
• ShareFile load balancing
• ICA Proxy configuration
• SSL Offload

The Settings > NetScaler Gateway page now has an Export Configuration Script button if a NetScaler Gateway instance exists.

The Add New NetScaler Gateway page also includes a link to export the configuration script.

For more information, see NetScaler Gateway and XenMobile.

Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access Card (CAC).

The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.

XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn’t support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile Server to enroll Android devices through enrollment invitations and other enrollment modes.

Configure derived credentials by using the Settings > Derived Credentials for iOS page. By default, the XenMobile console doesn’t include Settings > Derived Credentials. To enable the interface for derived credentials, go to Settings > Server Properties, add the server property derived.credentials.enable, and set it to true.

For more information, see Derived credentials for iOS. For information about the REST API for derived credentials, see the XenMobile REST API Reference PDF.

You can now select any combination of iOS, macOS, and Android device platforms for an enrollment invitation. The Manage > Enrollment Invitations page includes a Select a platform setting. The platforms selected determine the Enrollment mode options shown and whether some settings, such as Device info, appear.

If Recipient is Group, all platforms are selected by default.

If Recipient is User, no platforms are selected by default.

Only the Enrollment mode options that are valid for each of the selected platforms appear. For example, if all platforms are selected, the valid enrollment modes for that combination are User name + Password, Two Factor, and User name + PIN.

In addition to enrolling macOS users by sending an enrollment link, you now have the option to enroll macOS users by sending an enrollment invitation. Both methods enable macOS users to enroll over the air, directly from their devices.

An enrollment invitation can use any of the following enrollment modes for macOS devices:

• User name + PIN
• User name + password
• Two Factor

When the user follows the instructions in the enrollment invitation, a sign on screen with the user name filled in appears.

To send macOS device users an enrollment invitation:

To prevent enrollment with an installation link on macOS devices:

You can prevent the use of an enrollment link for macOS devices by setting new server property, Enable macOS OTAE (macos.otae.enable), to false. As a result, macOS users can enroll only by using an enrollment invitation.

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), is a Windows 10 technology that protects against the potential leakage of enterprise data. Data leakage can occur through sharing of enterprise data to non-enterprise protected apps, between apps, or outside of the network of your organization. For more information, see Protect your enterprise data using Windows Information Protection (WIP) on Microsoft TechNet.

You can create a device policy in XenMobile to specify the apps that require Windows Information Protection at the enforcement level you set. The policy, Windows Information Protection, is for Windows 10 version 1607 and later supervised Phone, Tablet, and Desktop.

You specify an enforcement level that affects the user experience. For example, you can:

• Block any inappropriate data sharing.
• Warn about inappropriate data sharing and allow users to override the policy.
• Run WIP silently while logging and permitting inappropriate data sharing.

To create the policy, go to Configure > Device Policies and add the Windows Information Protection policy.

For more information, see Windows Information Protection device policy.

The VPN device policy for Android now supports configuring Citrix VPN. Citrix VPN is a mobile application that connects to NetScaler Gateway in full VPN mode, as opposed to a clientless VPN or ICA proxy mode. This feature requires Secure Hub 10.6.

On the Configure > Device Policies page for Android, the Connection type menu now includes Citrix VPN.

Settings for the Citrix VPN connection type:

• Server name or IP address: Type the FQDN or IP address of the NetScaler Gateway.
• User name and Password: Type your VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don’t provide the VPN credentials, the Citrix VPN app prompts for a user name and password.
• Identity credential: Appears for the Authentication types of Certificate or Password and Certificate.
• Enable per-app VPN: Select whether to enable per-app VPN. If you don’t enable per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings. The default is OFF.
  • Whitelist or Blacklist: Choose a setting. If Whitelist, all apps in the whitelist tunnel through this VPN. If Blacklist, all apps except those on the blacklist tunnel through this VPN.
  • Application List: Specify the whitelisted or blacklisted apps. Click Add and then type a comma-separated list of app package names.
• Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:
  • disableL3Mode: Optional. To enable this parameter, type Yes for the Value. If enabled, no user-added VPN connections are displayed and the user cannot add a new connection. This is a global restriction and applies to all VPN profiles.
  • userAgent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified user agent string is appended to the existing Citrix VPN user agent.

For more information, see VPN device policy.

Configuring Azure Active Directory (AD) as your identity provider (IDP) lets users enroll in XenMobile using their Azure credentials.

iOS, Android, and Windows 10 devices are supported. iOS and Android devices enroll through Secure Hub.

You configure Azure as your IDP under Settings > Authentication > IDP. The IDP page is new to this version of XenMobile. In previous versions of XenMobile, you configured Azure under Settings > Microsoft Azure.

For more information, see XenMobile integration with Azure Active Directory as IDP.

You can now configure XenMobile to deploy device policies, apps, and smart actions based on app ID. To do that, you use a new deployment rule, Installed app name.

You can use this new feature to migrate from enterprise app store distribution to public app store distribution:

• Use the Installed app name rule with the App Uninstall device policy. Doing so triggers XenMobile to remove enterprise apps from user devices after the public app store version installs.
• This feature is available only for managed iOS devices connected to a XenMobile Server in enterprise mode (XME).

To configure the App Uninstall device policy for an Enterprise app:

The XenMobile Analyze > Reporting page has an improved design and more features for all pre-defined reports:

• Sorting and searching using device-based filters.
• Filtering reports by date
• Exporting reports in PDF format.
• Interactive charts that represent report data visually.
• The Top 25 Apps report is now called Total Apps Deployment Attempts. This report now lists all deployed apps and the percentage of users that have attempted to install them on their devices.

For more information, see Reports.

XenMobile console administrators and Self Help Portal users can now locate Windows 10 phones, desktops, and tablets. The locate feature is already available for iOS and Android devices. When you issue a locate command, the XenMobile Server communicates directly with the device.

From the XenMobile console, send the Locate action to a device as follows.

The Manage > Devices page includes more device properties for Windows. The following properties, provided by the Windows 10 DeviceStatus configuration service provider (CSP), are available.

Antispyware Signature Status
Antispyware Status
Antivirus Signature Status
Antivirus Status
Battery Charging
Battery Remaining
Encryption Compliance
Firewall Status
IPV4 Address
IPV6 Address
MAC Address Network Connection
MAC Address Type
Operating System Edition
Primary SIM Carrier Operator
Primary SIM ICCID
Primary SIM Roaming compliance
Secure Boot status
TPM Version
User Account Control Status

For information about those properties, see the Microsoft article DeviceStatus CSP. The following sample shows a few of the added properties.

You can now configure XenMobile to send the latest OS updates to supervised iOS devices. You choose whether to deploy OS updates to devices so that users can install the updates manually, or to force installation on devices. To configure the new device policy, go to Configure > Device Policies and add Control OS Update.

Configure the options:

• OS update options: Both of the options download the latest OS updates to supervised devices according to the OS update frequency. The device prompts users to install updates. The prompt is visible after the user unlocks the device.
• OS update frequency (1-365 days): Determines how frequently XenMobile checks and updates the device OS. The default is 7 days.

• Disable Captive Network Detection: If ON, users can’t join networks that require agreements or other information before network access. Default is OFF.
• Fast Lane QoS Marking: Quality of Service (QoS) marking enables you to prioritize network bandwidth for specific business apps. Choose to restrict or not restrict Cisco Fast Lane QoS marking. If you don’t restrict QoS marking for a WiFi network that supports Cisco Fast Lane QoS, all apps are whitelisted to use L2 and L3 marking. If you restrict QoS marking, specify the apps that can use L2 and L3 marking. Default is Do not restrict QoS marking.

If Fast Lane QoS Marking is Restrict QoS marking, the following options appear:

• Enable QoS Marking: Optional. If OFF, QoS marking is disabled. Default is ON.
• Whitelist Apple audio/video calling: Optional. If OFF, Apple audio and video calling aren’t whitelisted, which means the traffic isn’t prioritized. Default is ON.
• Whitelist specific apps: Specify the apps to use L2 and L3 marking.

For more information about WiFi policies for iOS, see Apple Configurator 2 Help.

The VPN policy includes these new options, which are used when the VPN client on a device supports multiple VPN providers:

• Provider bundle identifier: If the app specified in Custom SSL identifier has multiple VPN providers of the same type (App proxy or Packet tunnel), then specify this bundle identifier.
• Provider type: A provider type indicates whether the provider is a VPN service or proxy service. For VPN service, choose Packet tunnel. For proxy service, choose App proxy. This option is visible when Enable per-app VPN is ON.

Per-app VPN options are available for these connection types: Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix VPN, and Custom SSL.

To configure a per-app VPN:

The Restrictions device policy has the following extra restriction options for macOS. By default, XenMobile allows all these features.

For macOS 10.12.4 and later:

• Allow Touch ID To Unlock Mac
• Allow iCloud Desktop and Documents

For macOS 10.12 and later:

• Allow iCloud Photos
  If you change this setting to Off, any photos not fully downloaded from the iCloud Photo Library are removed from local device storage.
• Allow Auto Unlock
  For information about this option and Apple Watch, see https://support.apple.com/en-ie/HT206995.

iOS 10.0

The IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration connection types have more parameters for iOS 10.0.

DNS server IP addresses: Optional. A list of DNS server IP addresses. These IP addresses can include a mixture of IPv4 and IPv6 addresses.

Domain name: Optional. The primary domain of the tunnel.

Search domains: Optional. A list of domains used to qualify single-label host names fully.

Append supplemental match domains to resolver’s list: Optional. Determines whether to append the domains in Supplemental match domains to the Search domains for the resolver. 0 means append; 1 means don’t append. Default is 0.

Supplemental match domains: Optional. A list of domains used to determine which DNS queries are to use the DNS resolver settings contained in the DNS server addresses. This key creates a split DNS configuration where only hosts in certain domains get resolved by using the DNS resolver of the tunnel. Hosts not in one of the domains in this list get resolved by using the default resolver of the system.

If you save an empty string for this parameter, XenMobile uses that string as the default domain. This solution is how a split-tunnel configuration can direct all DNS queries first to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the default route of the network, the listed DNS servers become the default resolver. In that case, the supplemental match domains list is ignored.

iOS 9.0

The IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration connection types have more parameters for iOS 9.0.

These parameters apply to all three IKEv2 connection types:

• Disable Mobility and Multihoming
• Use IPv4/IPv6 internal subnet attributes
• Disable redirects
• Enable Perfect Forward Secrecy

The two AlwaysOn IKEv2 connection types also include:

• Enable NAT keepalive while the device is asleep

Keepalive packets maintain NAT mappings for IKEv2 connections. The chip sends these packets at regular interval when the device is awake. If this setting is on, the chip sends keepalive packets even while the device is asleep.

The default interval is 20 seconds over WiFi and 110 seconds over cellular. You can change the interval by using the NAT keepalive interval parameter.

• NAT keepalive interval (seconds)

Defaults to 20 seconds.

XenMobile now supports users with Zebra Android devices.

Important: Zebra devices must install Secure Hub 10.5.10 to enroll in XenMobile.

In the XenMobile console, when you manage a Zebra device, several properties appear in Manage > Devices, in the Device details, Properties list.

• Zebra API: Indicates that the device contains the Zebra API.
• Zebra MXMF version: Indicates the MX Management Framework (MXMF) available for exposing APIs and configuring and managing Zebra Android-based devices.
• Zebra patch version: Indicates the patch version currently installed on the device.

For more details about Zebra devices, see the Zebra Technologies documentation.

The Custom XML MDM policy is also available for the Zebra platform.

• Exchange policy now available for Windows 10 for Tablet. To add the policy, go to Configure > Device Policies. The settings are the same as for Windows 10 Phone. For setting details, see Microsoft Exchange ActiveSync device policy.

• Active Directory user names now stored using lowercase letters. As of this release, XenMobile stores all Active Directory user names using lowercase letters. This change applies to Active Directory users in the XenMobile database when it’s upgraded and to new Active Directory users. This change doesn’t apply to local user names.
• Page loading, filtering, sorting, and searching device queries are now three times faster. This optimization is a result of decoupling device count and query optimization while querying for a list of devices based on a given criteria. XenMobile Server can now fetch device counts dynamically.
• The VPN policy for iOS devices now has per-app VPN options for the IPSec connection type. iOS 9.0 and later devices support per-app VPN for IPSec connections. Per-app VPN connections for IPSec may be recommended by Netskope and other Cloud Access Security Brokers (CASBs).

The per-app VPN options are Enable per-app VPN, On-demand match app enabled, and Safari domains.

• iOS Volume Purchase Program license revocation by user groups or in bulk. You can now also disassociate Volume Purchase Program licenses for user groups or for all assignments to free licenses in bulk.

• Delete multiple Active Directory users at a time. The menu bar that appears when you select one or more Active Directory users now includes the Delete command. Previously, the Delete command appeared only in the right-click menu for a single user.

If a user that you delete has enrolled devices and you want to re-enroll those devices, delete the devices before re-enrolling them. To delete a device, go to Manage > Devices, select the device, and then click Delete.

• Control whether the Common SAFE passcode field is editable. To prevent inadvertent changes to the Common SAFE passcode, the Kiosk policy has a new setting, Change Common SAFE passcode. By default, the new setting is OFF. To change the passcode, set Change Common SAFE passcode to ON and then type a value for the passcode.

• Filter the device policy list when adding a policy. On the Configure > Device Policies page, when you click Add, the following page now appears. You can search for a policy by name, as before. You can also filter the list, to view the device policies for selected platforms.

The Add a New Policy page initially shows a list of device policies and platform filters.

Click one or more platforms to view a list of the device policies for the selected platforms. Click a policy name to continue with adding the policy.

• Apple Mail Drop support added to the Mail device policy. You can now allow use of Apple Mail Drop for devices running iOS 9.2 and later. Mail Drop lets users upload files that are too large to send as an email attachment. Users can upload files up to 5 GB and then use the Mail app on their iOS device to send a link or preview to recipients.

• Device details logged for a wipe or lock of MAM-only devices. When a MAM-only device gets wiped or locked, XenMobile logs now include the device ID and user name.
• Support for Windows 10 RS2. We certified XenMobile 10.5.3 and 10.5.2 with Windows 10 RS2 Phone and Tablet. XenMobile 10.5.1, 10.5.0, 10.4, and 10.3.x are compatible with Windows 10 RS2 Phone and Tablet.
• Full wipe of Windows Desktop and Tablet devices. You can now perform a full wipe to erase all personal and corporate data and apps from a Windows Desktop or Tablet device. From Manage > Devices, select a Windows Desktop/Tablet device, click Secure, and then click Full Wipe. On a desktop device, the remote wipe triggers the Windows Reset this PC command with the Remove everything option.

After you click Full Wipe, the Device Actions list includes Cancel Wipe. You can cancel a wipe before XenMobile deploys the wipe request.

Users can also wipe their Windows Desktop or Tablet device in the Self Help Portal.

XenMobile logs include wipe and cancel wipe events.

• The Duration until removal option for all iOS device policies has changed from days to hours. This latest version of XenMobile converts existing values to hours.
• Improved performance of device queries and device filter expansion. XenMobile now handles queries for device filter counts separately from device queries. When you expand a filter on the Manage > Devices page, spinners appear in place of filter counts until the counts are available.
• The Troubleshooting and Support page now includes a link to the XenMobile Analyzer.

• New XenMobile CLI option to specify SSL protocols. You can now use the CLI to specify which SSL protocols XenMobile uses. The protocols allowed are:
  • TLSv1.2
  • TLSv1.1
  • TLSv1

By default, XenMobile enables each of those SSL protocols. When you change the SSL protocol setting, you must restart XenMobile Server.

To enable or disable protocols: