XenMobile Service 10.18.1

The latest version of XenMobile has these new features and improvements:

  • Support for Chromebook devices
  • Windows Hello for Business policy
  • Deploy Office 365 apps to Windows 10 devices
  • Restrict Windows 10 devices to kiosk mode
  • Use Shared iPads with Apple Education features
  • Set how app notifications appear on iOS devices
  • Unenroll an Android for Work enterprise
  • Optimized device property search
  • Fixed issues in this release

Support for Chromebook devices

Important

Chromebook support is currently available only for our US-based customers. All other customers will have full support in our next release.

Starting with XenMobile Service 10.18.1, XenMobile supports Chromebook devices. Chromebook devices are enrolled in MDM mode only.

System requirements:

  • Chrome OS 46 and later

Configure G Suite for Chromebook enrollment

Before enrolling Chromebook devices, configure G Suite for Chromebook enrollment. The configuration forces installation of the Secure Hub extension on the Chromebook device and prevents the extension from being disabled or deleted.

Go to https://admin.google.com and log in to your G Suite account.

In the Google administrator console, click Device Management.


Click Chrome management.


In the Chrome device management page, click User Settings.


In the User settings page, search for Client certificates. Add this pattern:

{"pattern": "https://[*.]xm.cloud.com", "filter": {}}

Adding this pattern to Client certificates ensures that device certificates pushed from XenMobile to the device are auto-selected without prompting the user to select one.


Click Save.

Search for Force-installed Apps and Extensions and then click Manage force-installed apps.


Click Specify a Custom App.


Click the ID field and type "cnkimbgkdakemjcipljhmoplehfcjban".

Click the URL field and type "https://chrome.google.com/webstore/detail/cnkimbgkdakemjcipljhmoplehfcjban".

Click Add.

Click Save in the Force-installed Apps and Extensions dialog window.

Click Save in the User Settings page.
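The Client certificates entry added in the procedure above is a Chrome AutoSelectCertificateForUrls rule: its pattern decides which sites Chrome auto-selects a client certificate for, and its filter (empty here) decides which certificates qualify. The following Python script is an added example, not Citrix or Google code; it reimplements, for illustration, only the subset of Chrome's URL pattern syntax the entry uses (optional scheme, optional [*.] subdomain wildcard, host, optional port), and it assumes that a path is ignored and that an omitted port matches any port. It lets you check which URLs the entry covers before you save it, which is worth doing because an empty filter makes every client certificate eligible on the matched hosts.

```python
"""Show which URLs (and which client certificates) a Chrome
"Client certificates" (AutoSelectCertificateForUrls) entry covers.

Added example; not Citrix or Google code. Assumptions: paths are ignored,
an omitted port matches any port, an omitted scheme matches any scheme.
"""
import json
from urllib.parse import urlsplit

# The entry from the XenMobile instructions (straight quotes, as Chrome expects).
XENMOBILE_ENTRY = '{"pattern": "https://[*.]xm.cloud.com", "filter": {}}'

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_entry(text):
    """Parse one policy entry; reject keys Chrome would not understand."""
    entry = json.loads(text)
    if "pattern" not in entry or set(entry) - {"pattern", "filter"}:
        raise ValueError("entry must be an object with 'pattern' and optional 'filter'")
    entry.setdefault("filter", {})
    return entry


def parse_pattern(pattern):
    """Split 'scheme://[*.]host:port' into its parts."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:                      # no scheme given: any scheme
        scheme, rest = "*", pattern
    rest = rest.split("/", 1)[0]     # drop any path component
    subdomains = rest.startswith("[*.]")
    if subdomains:
        rest = rest[len("[*.]"):]
    host, _, port = rest.partition(":")
    return {"scheme": scheme.lower(), "subdomains": subdomains,
            "host": host.lower(), "port": int(port) if port else None}


def url_matches(pattern, url):
    """True if the URL falls inside the pattern's scheme/host/port scope."""
    p = parse_pattern(pattern)
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if p["scheme"] != "*" and u.scheme.lower() != p["scheme"]:
        return False
    if p["subdomains"]:
        # [*.]host covers the host itself and every subdomain, but not
        # look-alike names such as notxm.cloud.com or xm.cloud.com.example.net
        if host != p["host"] and not host.endswith("." + p["host"]):
            return False
    elif host != p["host"]:
        return False
    if p["port"] is not None:
        if (u.port or DEFAULT_PORTS.get(u.scheme.lower())) != p["port"]:
            return False
    return True


def cert_matches_filter(cert_filter, cert):
    """An empty filter matches any certificate; otherwise every ISSUER/SUBJECT
    attribute listed (CN, O, OU, L) must equal the certificate's value."""
    return all(cert.get(section, {}).get(attr) == value
               for section, attrs in cert_filter.items()
               for attr, value in attrs.items())


def auto_selected(entry_text, url, cert):
    """Would Chrome present this certificate without prompting for this URL?"""
    entry = parse_entry(entry_text)
    return url_matches(entry["pattern"], url) and cert_matches_filter(entry["filter"], cert)


if __name__ == "__main__":
    # Constructed client certificate; only its DN attributes matter here.
    device_cert = {"SUBJECT": {"CN": "device-0001"}, "ISSUER": {"CN": "Example Device CA"}}
    for url in ("https://tenant.xm.cloud.com", "https://xm.cloud.com.example.net",
                "http://tenant.xm.cloud.com"):
        print(url, auto_selected(XENMOBILE_ENTRY, url, device_cert))
```

Run it as-is to see that only https URLs on xm.cloud.com and its subdomains are covered; swap in your own pattern or a non-empty filter (for example an ISSUER CN) to see how the scope narrows.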

Enroll Chromebook devices

Users enroll Chromebook devices by using a Secure Hub extension in Chrome. XenMobile supports Autodiscovery for Chromebook devices.

XenMobile doesn’t support adding Chromebook devices manually or through bulk enrollment. XenMobile doesn’t support sending enrollment invitations for Chromebook devices.

Before a user enrolls a Chromebook device in XenMobile, you or the user must enroll the device in the G Suite domain of your enterprise. For information on enrolling Chrome devices, see the Google article Enroll Chrome devices.

A Citrix PIN must be created when a Chromebook device is enrolled in XenMobile. This PIN cannot be reset. If a user forgets this PIN, the Chromebook device must be unenrolled and re-enrolled.

Sign in to your Chromebook device using your G Suite credentials.

Click the Secure Hub extension in Chrome. The Secure Hub extension appears next to your browser address bar and is grayed out:


The Secure Hub enrollment window appears. Click Enroll.


Type your corporate credentials, such as your XenMobile Server name, User Principal Name (UPN), or email address. Then, click Next.


If prompted, type your corporate user name. Type your corporate password. Then click Sign In.


Create a Citrix PIN. This PIN must be six characters long. It can contain only letters and numbers. Type your Citrix PIN twice. Click Finish.


When the enrollment is complete, the Secure Hub extension icon is no longer grayed out.

Sign in to an enrolled Chromebook device

To sign in to a Chromebook device that is enrolled in XenMobile:

1. Sign in using your G Suite credentials.

2. When prompted, enter your Citrix PIN. This PIN was created when the device was enrolled in XenMobile.

If you do not type your Citrix PIN, you are prompted for it every minute until you type it. After five minutes, access is blocked to all websites except google.com, citrix.com, gotomeeting.com, and cloud.com. If you try to access any other website, an error message appears and you are prompted to sign in using your Citrix PIN.

Unenroll and reenroll a Chromebook device

To unenroll a Chromebook device from XenMobile, users delete their account.

  1. In the Chrome browser, click the Secure Hub extension icon.
  2. In the Secure Hub enrollment window, click Delete.
  3. Click Yes, Delete to confirm the deletion.
  4. The Secure Hub enrollment window closes and the Secure Hub extension icon is grayed out.

To re-enroll:

  1. Log out of your Chromebook device and log back in using your G Suite credentials.
  2. Click Enroll and follow the prompts to re-enroll.

Device policies for Chromebook devices

These device restriction policies are available for Chromebook devices.

  • Disable autofill: Select whether to allow the autofill function of the Chrome browser. If this policy is set to On, the autofill function is not allowed. Default is On.
  • Disable Save Password: Select whether to allow the save password function in the Chrome browser. If this policy is set to On, the save password function is not allowed. Default is On.
  • Disable Page Translation: Select whether to allow translation of webpages that are in other languages in the Chrome browser. If this policy is set to On, translation of webpages is not allowed. Default is On.
  • Block Images: Select whether to allow display of images in webpages in the Chrome browser. If this policy is set to On, images in webpages are not displayed. Default is Off.
  • Websites: Select whether to control access to websites in the Chrome browser using a whitelist or a blacklist. Default is Blacklist.

Windows Hello for Business policy

Windows Hello for Business allows users to sign on to Windows devices by using their Active Directory or Azure Active Directory account. You use the Windows Hello for Business device policy to enable the feature so users can provision Windows Hello for Business on their device. The policy also lets you configure passcode limitations and other security features.

Go to Configure > Device Policies to add the Windows Hello for Business policy. Configure these settings:

  • Use Windows Hello for Business: Enable the feature to allow users to provision Windows Hello for Business on their device.
  • Require security device: Require that users have a Trusted Platform Module (TPM) to sign on.
  • Minimum/Maximum PIN length: Minimum and maximum length for user PINs. Minimum PIN Length defaults to 4; Maximum PIN Length defaults to 127.
  • Uppercase letters, Lowercase letters, Special characters: Select whether to Allow, Require, or Do not allow each type of character. Defaults to Do not allow.
  • Digits: Whether to Allow, Require, or Do not allow digits. Defaults to Require.
  • History: The number of past PINs that users can’t reuse. Defaults to 0, meaning users can reuse all PINs.
  • Expiration: The number of days before a user must change their PIN. Defaults to 0, which means that PINs don’t expire.
  • Use Biometrics: Allow the use of biometrics instead of PINs for user sign-on.
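The length, character-class, history and expiration settings above combine into one acceptance rule for a user's PIN. The Python script below is an added example, not Citrix or Microsoft code: it encodes the settings as a dictionary with the defaults stated on this page and evaluates candidate PINs against them, so you can see what a given policy actually admits (with the defaults, for instance, only all-digit PINs of 4 to 127 characters pass). The function names and the dictionary keys are this example's own.

```python
"""Evaluate a candidate PIN against Windows Hello for Business policy settings.

Added example; not Citrix or Microsoft code. The policy keys mirror the
settings listed on this page; function names are this example's own.
"""

# Defaults as stated on the page: 4..127 characters, digits required,
# other character classes not allowed, no history, no expiration.
DEFAULT_POLICY = {
    "min_length": 4,
    "max_length": 127,
    "uppercase": "Do not allow",
    "lowercase": "Do not allow",
    "special": "Do not allow",
    "digits": "Require",
    "history": 0,            # 0: users can reuse any earlier PIN
    "expiration_days": 0,    # 0: PINs never expire
}

CLASSES = ("uppercase", "lowercase", "digits", "special")
SETTINGS = ("Allow", "Require", "Do not allow")


def _present(pin):
    """Which character classes occur in the PIN."""
    return {
        "uppercase": any(c.isupper() for c in pin),
        "lowercase": any(c.islower() for c in pin),
        "digits": any(c.isdigit() for c in pin),
        "special": any(not c.isalnum() for c in pin),
    }


def check_pin(pin, policy=None, previous_pins=()):
    """Return the list of policy rules the PIN violates (empty list: accepted).
    previous_pins is oldest-first; only the newest `history` entries count."""
    rules = {**DEFAULT_POLICY, **(policy or {})}
    problems = []
    if len(pin) < rules["min_length"]:
        problems.append("shorter than minimum length %d" % rules["min_length"])
    if len(pin) > rules["max_length"]:
        problems.append("longer than maximum length %d" % rules["max_length"])
    present = _present(pin)
    for cls in CLASSES:
        setting = rules[cls]
        if setting not in SETTINGS:
            raise ValueError("unknown setting for %s: %r" % (cls, setting))
        if setting == "Require" and not present[cls]:
            problems.append("%s required" % cls)
        elif setting == "Do not allow" and present[cls]:
            problems.append("%s not allowed" % cls)
    history = rules["history"]
    if history and pin in list(previous_pins)[-history:]:
        problems.append("matches one of the last %d PINs" % history)
    return problems


def pin_expired(days_since_change, policy=None):
    """True once a PIN is older than the expiration period (0 disables it)."""
    days = {**DEFAULT_POLICY, **(policy or {})}["expiration_days"]
    return days > 0 and days_since_change >= days


if __name__ == "__main__":
    # A stricter policy than the defaults: six or more characters, an
    # uppercase letter and a digit required, letters and symbols allowed.
    strict = {"min_length": 6, "uppercase": "Require", "lowercase": "Allow",
              "special": "Allow", "history": 3, "expiration_days": 90}
    for candidate in ("1234", "12ab", "Ab12!x", "ab12!x"):
        print(candidate, "defaults:", check_pin(candidate) or "OK",
              "| strict:", check_pin(candidate, strict) or "OK")
```

Note that History counts only the newest N previous PINs, so a PIN that was used four changes ago is accepted again under a history of 3; raise the value if that is not what you want.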

Deploy Office 365 apps to Windows 10 devices

XenMobile now allows for deployment of Microsoft Office 365 products using the Office configuration service provider (CSP). By configuring the new Office device policy, you can deploy Microsoft Office apps to any Windows 10 desktop or tablet running update 1709 or later.

Go to Configure > Device Policies to add the Office policy. Configure these settings:

  • Product ID: Select a product ID based on your Office 365 plan. Options are O365ProPlusRetail, O365BusinessRetail, or O365SmallBusPremRetail.
  • Office 365 Apps: Select the Office 365 apps that you want deployed. All apps are selected by default.
  • Additional Office apps: If you own licenses for Project Online Desktop Client or Visio Pro for Office 365, you can select these apps to have them installed.
  • Office Version: Select whether to install the 32-bit or 64-bit version of Office.
  • Update channel: Choose how often you want updates to occur. Options are Monthly, Monthly (Targeted), Semi-Annual, or Semi-Annual (Targeted).
  • Properties:
    • Automatically accept the app end user license agreement: On or Off. Defaults to On.
    • Use shared computer activation: Select whether the computer is shared or not. Options are On or Off. Defaults to Off.
  • Office Language: Office automatically installs in any languages that Windows already has installed. You can select extra languages to install.

Restrict Windows 10 devices to kiosk mode

You can now use the Kiosk policy to restrict Windows 10 devices to kiosk mode, allowing only one app to run.

Go to Configure > Device Policies to add the Kiosk policy. Configure these settings:

  • Kiosk Mode: Enable or Disable the feature.
  • Application user model ID (AUMID): The ID of the app that you want to allow in kiosk mode. To get a list of the AUMIDs for all Microsoft Store apps installed for the current device user, run the following PowerShell script.

# List the application user model ID (AUMID) of every Microsoft Store app
# installed for the current user.
$installedapps = Get-AppxPackage

$aumidList = @()
foreach ($app in $installedapps)
{
    # A package can declare several applications, so build one AUMID per
    # application in the form <PackageFamilyName>!<ApplicationId>.
    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    {
        $aumidList += $app.PackageFamilyName + "!" + $id
    }
}

$aumidList

If the device is not domain joined through either Azure Active Directory or a company domain, pre-configure the enrollment user as a system local user. With that configuration, only the Kiosk policy gets installed on the device. For example:

Enroll user                      System user
-------------------------------  -----------
AD user:                         testuser
  UPN: testuser@domain.com
  SAM: domain\testuser
Local user: kiosk                kiosk

Use Shared iPads with Apple Education features

XenMobile integration with Apple Education supports Shared iPads. Multiple students in a classroom can share an iPad for different subjects taught by one or several instructors.

Either you or instructors enroll Shared iPads and then deploy device policies, apps, and media to the devices. After that, students provide their managed Apple ID credentials to sign in to a Shared iPad. If you previously deployed an Education Configuration policy to students, they no longer sign in as an “Other User” to share devices.

XenMobile uses two communication channels for Shared iPads: the system channel for the device owner (instructor) and the user channel for the current resident user (student). XenMobile uses those channels to send the appropriate MDM commands for the resources supported by Apple.

Resources that deploy over the system channel are:

  • Device policies, such as Education Configuration, Lock Screen Message, Maximum Resident Users, and Passcode Lock Grace Period
  • Device-based VPP apps

Apple doesn’t support Enterprise apps or user-based VPP apps on Shared iPads. Apps installed on a Shared iPad are global to the device and not per user.

  • User-based VPP iBooks

Apple supports assignment of user-based VPP iBooks on Shared iPads.

Resources that deploy over the user channel are:

  • Device policies: Apps Notifications, Home Screen Layout, and Restrictions

XenMobile currently supports only those device policies over the user channel.

Requirements for Shared iPads

Device requirements:

  • Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
  • At least 32 GB of storage
  • Supervised

Other requirements:

  • For a first-time integration of Apple School Manager with XenMobile, be sure to read Integrate with Apple Education features. Follow those instructions to configure your integration for any iPads that you use in a one-to-one model (one iPad per student) or for instructor iPads (unshared). Then, return to this section to configure Shared iPads.

General workflow

Typically, you provide preconfigured and supervised Shared iPads to instructors. The instructors then distribute the devices to students. If you don’t distribute pre-enrolled Shared iPads to instructors: Be sure to provide the instructors with their XenMobile Server passwords so they can enroll their devices.

The general workflow for configuring and enrolling Shared iPads is as follows.

  1. Use the XenMobile Server console to add ASM DEP accounts (Settings > Apple Device Enrollment Program (DEP)) with Shared mode enabled. For more information, see “Manage ASM DEP accounts for Shared iPads” next.
  2. As described in this section, add the required device policies, apps, and media to XenMobile. Assign those resources to delivery groups. For more information, see Integrate with Apple Education features.
  3. Have the instructors perform a hard reset on the Shared iPads. The Remote Management screen for DEP enrollment appears.
  4. The instructors enroll the Shared iPads.
    XenMobile deploys configured resources to each enrolled Shared iPad. After an automatic restart, instructors can share the devices with students. A sign in page appears on the iPad.
  5. A student chooses the class and then enters their Managed Apple ID and temporary Apple School Manager (ASM) password.
    The Shared iPad authenticates to ASM and prompts the student to create an ASM password. For the next sign-in to the Shared iPad, the student provides the new ASM password.
  6. Another student who is sharing the iPad can then sign in by repeating the previous step.

Manage ASM DEP accounts for Shared iPads

If you already use XenMobile with Apple Education: You have an existing ASM DEP account configured in XenMobile for devices that aren’t shared, such as the devices used by instructors. You can use the same ASM and the same XenMobile Server for both shared and non-shared devices.

XenMobile supports these deployment scenarios:

  • A group of Shared iPads per class

In this scenario, you assign the Shared iPads to a class of students. The iPads stay in the classroom. Instructors who teach different subjects in that class use the same set of iPads.

  • A group of Shared iPads per instructor

In this scenario, you assign the Shared iPads to an instructor, who uses those iPads for the various classes that they teach.

Organize Shared iPads into device groups

ASM lets you organize devices into groups by creating multiple MDM servers. When you assign the Shared iPads to an MDM server, create a device group for each group of Shared iPads, per class or per instructor:

  • Group 1 of Shared iPads > Device Group 1 MDM Server
  • Group 2 of Shared iPads > Device Group 2 MDM Server
  • Group N of Shared iPads > Device Group N MDM Server

Add ASM DEP accounts for each device group

When you create multiple ASM DEP accounts from the XenMobile Server console, you automatically import groups of Shared iPads (one for each class or instructor):

  • Device Group 1 MDM Server > Device Group 1 DEP account
  • Device Group 2 MDM Server > Device Group 2 DEP account
  • Device Group N MDM Server > Device Group N DEP account

Requirements specific to Shared iPads are as follows:

  • One ASM DEP account for each device group with these settings enabled:
    • Require device enrollment
    • Supervised mode
    • Shared mode
  • For a given educational organization, be sure to use the same Education suffix for all ASM DEP accounts.

To add a DEP account, go to Settings > Apple Device Enrollment Program (DEP).


For general information about adding an ASM DEP account to XenMobile, see Integrate with Apple Education features.

Device policies for Shared iPads

The following device policies are specific to Shared iPads:

  • Maximum Resident Users: The maximum number of users for a Shared iPad. If the number of users specified in this policy is greater than the maximum number of users supported by the device: XenMobile uses the device maximum instead. Default is 5 users. Available in iOS 9.3 and later.

This policy must deploy when the iPad is in the “awaiting configuration” phase during the Setup Assistant. Apple doesn’t allow this policy to deploy after Shared iPads enroll.


Apple recommends that you keep the Maximum resident users value as low as possible. A low value maximizes the amount of iPad storage for each user. In addition, a low value minimizes communication with iCloud and provides a faster sign-in experience. For information about how Apple handles shared storage on an iPad, see https://help.apple.com/deployment/ios/#/cad7e2e0cf56.

  • Passcode Lock Grace Period: The number of minutes that a Shared iPad screen stays locked before the user must enter a passcode to unlock the screen. Changing this setting to a less restrictive value doesn’t take effect until a user signs out. Default is Immediately. Available in iOS 9.3.2 and later.

By default, the Shared iPad locks itself automatically after two minutes of inactivity.


XenMobile currently supports the following device policies over the User channel:

  • Home Screen Layout: To define a layout of apps, folders, and web clips for the Home screen.
  • Apps Notifications: To specify the restriction enforced notification settings for apps.
  • Restrictions: To allow or disallow some educational restrictions or to restrict app usage, for example, blacklisted and whitelisted apps.
  • Profile Removal

You specify the deployment channel when you configure those policies.


To remove device policies that you deployed over the user channel, be sure to choose a Deployment scope of User for the Profile Removal policy.

For information about other device policies, see “Step 7: Plan and add resources and delivery groups to XenMobile Server” in Integrate with Apple Education features.

Apps for Shared iPads

Shared iPads support assignment of device-based VPP apps. Before deploying an app on a Shared iPad, XenMobile Server sends a request to the Apple VPP server to assign VPP licenses to devices. To check the VPP assignments, go to Configure > Apps > iPad and expand Volume Purchase Program.

For recommendations about choosing, deploying, and updating apps on Shared iPads, see Use Shared iPad in the Apple documentation.

Media for Shared iPads

Shared iPads support assignment of user-based VPP iBooks. Before deploying an iBook on the Shared iPad, XenMobile Server sends a request to the Apple VPP server to assign VPP licenses to students. To check the VPP assignments, go to Configure > Media > iPad and expand Volume Purchase Program.


Deployment rules for Shared iPads

For Shared iPad deployment, the rules at the delivery group level don’t apply because they relate to user properties. To filter the policies, apps, and media for each group of devices: Add a deployment rule for the resources based on the DEP account name. For example:

  • For the Device Group 1 DEP account, set this deployment rule: DEP account name | Only | Device Group 1 DEP account
  • For the Device Group 2 DEP account, set this deployment rule: DEP account name | Only | Device Group 2 DEP account
  • For the Device Group N DEP account, set this deployment rule: DEP account name | Only | Device Group N DEP account


To deploy the Apple Classroom app only to instructors (using unshared iPads), filter the resources by ASM DEP shared status with either of these deployment rules:

Deploy this resource regarding ASM DEP shared mode | only | unshared

Or:

Deploy this resource regarding ASM DEP shared mode | except | shareable
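The deployment rules in this section all have the same three-part form (device property, Only or Except, value) and are evaluated against each device's properties when a resource is pushed. The following Python script is an added example, not Citrix code: it evaluates rules of that form over a constructed inventory so you can confirm which devices a resource will reach, and it shows that "only unshared" and "except shareable" select the same instructor iPads. The property names DEP account name and ASM DEP shared mode and the values shareable and unshared come from this page; the device records and the "Instructor DEP account" name are constructed, and the all-of/any-of combination of several rules is a parameter here (an assumption about how XenMobile combines rules, not something this page states).

```python
"""Filter devices with XenMobile-style deployment rules.

Added example; not Citrix code. A rule is (property, operator, value) with
operator Only or Except. Device records are constructed sample data.
"""

# Constructed inventory: two classroom groups of Shared iPads plus one
# unshared instructor iPad. "Instructor DEP account" is a made-up name.
DEVICES = [
    {"id": "ipad-01", "DEP account name": "Device Group 1 DEP account", "ASM DEP shared mode": "shareable"},
    {"id": "ipad-02", "DEP account name": "Device Group 1 DEP account", "ASM DEP shared mode": "shareable"},
    {"id": "ipad-03", "DEP account name": "Device Group 2 DEP account", "ASM DEP shared mode": "shareable"},
    {"id": "ipad-t1", "DEP account name": "Instructor DEP account", "ASM DEP shared mode": "unshared"},
]

# Rules as written on this page.
GROUP1_RULE = ("DEP account name", "Only", "Device Group 1 DEP account")
INSTRUCTORS_ONLY_UNSHARED = ("ASM DEP shared mode", "only", "unshared")
INSTRUCTORS_EXCEPT_SHAREABLE = ("ASM DEP shared mode", "except", "shareable")


def rule_matches(rule, device):
    """Only: the property must equal the value. Except: it must differ.
    A device that lacks the property never matches an Only rule and always
    matches an Except rule, as a plain comparison against None gives."""
    prop, operator, value = rule
    actual = device.get(prop)
    op = operator.strip().lower()
    if op == "only":
        return actual == value
    if op == "except":
        return actual != value
    raise ValueError("unknown operator: %r" % operator)


def target_devices(rules, devices=DEVICES, combine="all"):
    """IDs of the devices that receive a resource carrying these rules.
    combine="all": every rule must hold; combine="any": one rule suffices
    (assumption: mirrors an all-conditions / any-condition choice)."""
    combinator = {"all": all, "any": any}[combine]
    return [d["id"] for d in devices
            if combinator(rule_matches(r, d) for r in rules)]


if __name__ == "__main__":
    print("Group 1 resources  ->", target_devices([GROUP1_RULE]))
    print("Classroom (only)   ->", target_devices([INSTRUCTORS_ONLY_UNSHARED]))
    print("Classroom (except) ->", target_devices([INSTRUCTORS_EXCEPT_SHAREABLE]))
```

Because the per-delivery-group rules relate to user properties and do not apply to Shared iPads, this device-property filter is the only thing keeping a Group 1 policy off the Group 2 iPads; running the check before assigning resources is a cheap way to catch a mistyped DEP account name.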


Delivery groups for Shared iPads

For the device group for each instructor:

  • Configure one delivery group. For the instructor, assign all the classes that the Education Configuration policy defines.
  • That delivery group must include these MDM resources:
    • Device policies:
      • Education Configuration
      • Lock Screen Message
      • Apps Notifications
      • Home Screen Layout
      • Restrictions
      • Maximum Resident Users
      • Passcode Lock Grace Period
    • Required VPP apps
    • Required VPP iBooks

Security actions for Shared iPads

In addition to existing security actions, you can use these new security actions for Shared iPads (available in iOS 9.3 and later):

  • Get Resident Users: Lists the users that have active accounts on the current device. This action forces a sync between the device and the XenMobile console.
  • Logout Resident User: Forces a log out of the current user.
  • Delete Resident User: Deletes the current session for a specific user. The user can sign in again.

After you click Delete Resident User, you can specify the user name.


Results of security actions appear on the Manage > Devices > General and Manage > Devices > Delivery Groups pages.

Get information about Shared iPads

Find information specific to Shared iPads on the Manage > Devices page:

  • Look up:
    • Whether a device is shared (ASM DEP shared)
    • Who is logged in to the shared device (ASM logged-in user)
    • All users assigned to the shared device (ASM resident users)
  • Filter the device list by its ASM DEP Device Status:
  • View details about the user logged in to a Shared iPad, on the Manage > Devices > Logged-in User Properties page.
  • See the channel used to deploy resources to instructors and users in a delivery group on the Manage > Devices > Delivery Groups page. The Channel/User column shows the type (System or User) and the recipient (instructor or student).
  • Get information about resident users:
    • Has data to sync: Whether the user has data to be synchronized to the cloud.
    • Data quotas: The data quota set for the user in bytes. A quota might not appear if user quotas are temporarily off or aren’t enforced for the user.
    • Data used: The amount of data used by the user in bytes. A value might not appear if an error occurs as the system gathers the information.
    • Is logged in: Whether the user is logged on to the device.
  • View the push status for both channels.

Set how app notifications appear on iOS devices

The Apps Notifications policy lets you control how iOS users receive notifications from specified apps. This policy is supported on devices running iOS 9.3 or later. To add the policy, go to Configure > Device Policies.


Configure notification settings:

  • App Bundle identifier: Specify the apps you want to apply this policy to.
  • Allow Notifications: Select ON to allow notifications.
  • Show in Notification Center: Select ON to show notifications in the notification center of the user devices.
  • Badge App Icon: Select ON to show a badge app icon with notifications.
  • Sounds: Select ON to include sounds with notifications.
  • Show in Lock Screen: Select ON to show notifications on the lock screen of the user devices.
  • Unlocked Alert Style: In the list, select None, Banner, or Alerts to configure the appearance of unlocked alerts.

Unenroll an Android for Work enterprise

XenMobile now lets you unenroll an Android for Work enterprise using the XenMobile Server console and XenMobile Tools.

When you perform this task, the XenMobile Server opens a popup window for XenMobile Tools. Before you begin, ensure that the XenMobile Server has permission to open popup windows in the browser you are using. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the XenMobile site to the popup blocker whitelist.

Warning

After an enterprise is unenrolled, Android for Work apps on devices already enrolled through it are reset to their default states. Google no longer manages the devices. Re-enrolling them in an Android for Work enterprise might require further configuration to restore previous functionality.

After the Android for Work enterprise is unenrolled:

  • Devices and users enrolled through the enterprise have the Android for Work apps reset to their default state. Android for Work App Permissions and Android for Work App Restrictions policies previously applied no longer affect operations.
  • XenMobile manages devices enrolled through the enterprise. Google doesn’t manage those devices. You can’t add Android for Work apps. You can’t apply Android for Work App Permissions or Android for Work App Restrictions policies. You can still apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
  • If you attempt to enroll devices in Android for Work, they enroll as Android devices, not Android for Work devices.

To unenroll an Android for Work enterprise:

In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

On the Settings page, click Android for Work.

Click Remove Enterprise.


Specify a password. You’ll need the password in the next step to complete the unenrollment. Then click Unenroll.


When the XenMobile Tools page opens, enter the password you created in the previous step.


Click Unenroll.


Optimized device property search

Previously, a device search from the Manage > Devices page included all device properties by default, which might slow the search. Now the default search scope includes only the following device properties:

  • Serial Number
  • IMEI
  • Wifi MAC address
  • Bluetooth MAC address
  • Active Sync ID
  • User Name

You can configure the search scope through a new server property, include.device.properties.during.search, which defaults to false. To include all device properties in a device search, go to Settings > Server Properties and change the setting to true.

Fixed issues in this release

For Configure > Device Policies > App Lock Policy: After you type the policy name and go to the iOS page, bundle IDs don’t appear in the App bundle ID menu. After you toggle between Android and iOS, the app bundle IDs appear.

When you upload an .ipa enterprise app to XenMobile Server, occasionally the upload fails. The following error message appears: Uploaded mobile app is invalid. Application icon was not found.

In an environment configured for Android for Work: After you enroll a device and then add an app, the app doesn’t appear in Google Play on the device. If you unenroll and then re-enroll the enterprise, and then add apps, Google Play might not show any apps.

Enrollment fails, with this log message: com.zenprise.zdm.enroll.EnrollmentException: com.hazelcast.core.OperationTimeoutException: QueryPartitionOperation invocation failed to complete due to operation-heartbeat-timeout.

App package (APK, IPA, MDX) uploads from Internet Explorer fail and the spinner continues until you interrupt it.

On Android devices with Tunnel and Webclip device policies: Secure Hub hangs after you open a webclip and then navigate back in the browser several times.

After the Control OS Updates device policy deploys to iOS devices: The ActiveSync IDs in XenMobile don’t match the device ActiveSync IDs. As a result, users can’t access email.

Using the XenMobile console to search for a user or device is slow.

Known issues in this release

If the SQL server is deployed in a child domain or if a child domain database login is used: Microsoft Java Database Connectivity (JDBC) with Windows Authentication fails.