The latest version of XenMobile has these new features and improvements:

  • Set up G Suite partner access for XenMobile
  • More device management settings for Chrome OS
  • Application Guard device policy for Windows 10 devices
  • New device management settings for iOS 11.3
  • Other new features
  • Fixed issues in this release

Set up G Suite partner access for XenMobile

Some end-point management features for Chrome use Google partner APIs to communicate between XenMobile and your G Suite domain. For example, XenMobile requires the APIs for device policies that manage Chrome features such as Incognito mode and Guest mode.

To enable the partner APIs, you set up your G Suite domain in the XenMobile console and then configure your G Suite account.

Set up your G Suite domain in XenMobile

To enable XenMobile to communicate with the APIs in your G Suite domain, go to Settings > Google Chrome Configuration and configure the settings.

localized image
  • G Suite domain: The G Suite domain that hosts the APIs needed by XenMobile.
  • G Suite admin account: The administator account for your G Suite domain.
  • G Suite client ID: The client ID for Citrix. Use this value to configure partner access for your G Suite domain.
  • G Suite enterprise ID: The enterprise ID for your account, filled in from your Google enterprise account.

Enable partner access for devices and users in your G Suite domain

Log in into the Google admin console: https://admin.google.com

Click Device Management.

localized image

Click Chrome management.

localized image

Click User settings.

localized image

Search for Chrome Management – Partner Access.

localized image

Select the Enable Chrome Management – Partner Access check box.

Agree that you understand and want to enable partner access. Click Save.

In the Chrome management page, click Device Settings.

localized image

Search for Chrome Management – Partner Access.

localized image

Select the Enable Chrome Management – Partner Access check box.

Agree that you understand and want to enable partner access. Click Save.

Go to the Security page and then click Advanced Settings.

localized image

Click Manage API client Access.

In the XenMobile console, go to Settings > Google Chrome Configuration and copy the value of G Suite Client ID. Then, return to the Manage API client Access page and paste the copied value to the Client Name field.

In One or More API Scopes, add the URL: https://www.googleapis.com/auth/chromedevicemanagementapi

localized image

Click Authorize.

The message “Your settings have been saved” appears.

localized image

More device management settings for Chrome OS

The XenMobile Restrictions device policy has new settings that let you manage user-specific properties for Chromebook devices from the XenMobile console.

localized image
  • Disable Incognito mode: If On, Chromebook device users can’t open an Incognito window in Chrome. Requires G Suite Chrome configuration. The default is Off.
  • Disable Guest user mode: If On, guest users can’t sign on to Chromebook devices. Requires G Suite Chrome configuration. The default is Off.
  • Single sign-on IdP redirection: If On, enables SAML-based single sign-on. Requires G Suite Chrome configuration. The default is On.
  • Single sign-on cookie behavior: If On, transfers cookies set by a SAML IdP to user profiles each time a user signs on with SAML credentials. If Off, cookies transfer during the first sign-on only. Requires G Suite Chrome configuration. The default is On.

Application Guard device policy for Windows 10 devices

The Application Guard device policy is now available for Windows 10 devices. The policy applies to the Microsoft Edge browser only. Windows Defender Application Guard protects your environment from sites that haven’t been defined as trusted by your organization. When users visit sites that aren’t listed in your isolated network boundary: The sites open in a virtual browsing session in Hyper-V. Enterprise cloud resources define trusted sites.

This feature is only available for Windows 10 (64-bit) enterprise devices and OS version 1709. A device restart is required to install the Windows Defender Application Guard.

localized image
  • Application Guard: Enables Application Guard. Default is Off.
  • Clipboard Behavior: Controls which directions content can be copied and pasted. The options are as follows:
    • Not configured
    • Allow copy and paste from browser to PC only: Allows users to copy and paste content only from their browser to their PC.
    • Allow copy and paste from PC to browser only: Allows users to copy and paste content only from their PC to their browser.
    • Allow copy and paste between PC and browser: Allows users to copy and paste content freely between their PC and browser.
    • Block copy and paste between PC and browser: Does not allow users to copy and paste content between their PC and browser.
  • Clipboard Content: Controls which content users can copy and paste. The options are as follows:
    • Not configured
    • Allow text copying: Allows users to copy text only.
    • Allow image copying: Allows users to copy images only.
    • Allow both text and image copying: Allows users to copy both text and images.
  • Block external content on enterprise sites: If On, Windows Defender Application Guard prevents content from unapproved sites from loading on enterprise sites. Default is Off.
  • Retain user-generated browser data: If On, allows saving user data created during an Application Guard virtual browsing session. This data includes things like passwords, favorites, and cookies. Default is Off.

New device management settings for iOS 11.3

The Restrictions device policy contains new restrictions for devices running iOS 11.3 and later. The restrictions are as follows:

  • Allow USB restricted mode: If Off, the device can always connect to USB accessories while locked. Default is On. Available only for supervised iOS 11.3 and later devices.
  • Force delayed software updates: If On, delays user visibility of Software Updates. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. Default is Off. Available only for supervised iOS 11.3 and later devices.
  • Enforced software update delay (days): Allows you to specify a number of days to delay a software update on the device. The maximum delay is 90 days. Default is 30 days. Available only for supervised iOS 11.3 and later devices.
  • Force classroom request permission to leave classes: If On, a student enrolled in an unmanaged course with Classroom must request permission from the teacher when attempting to leave the course. Default is Off. Available only for supervised iOS 11.3 and later devices.
localized image

Other new features

  • Web clips in the Home Screen Layout device policy. When configuring the Home Screen Layout device policy, you can now select Web Clip from the Type menu. For the Value, enter the URL for the web clip. If more than one Web Clip value exists with the same URL, the behavior is undefined on iOS 11.3 and later devices.
  • Whitelist template instructions. When adding Citrix Ready workspace hub devices in XenMobile console: Under Manage > Devices, the template for adding Whitelist devices in bulk now has instructions for each field.

Fixed issues in this release

After you use a XenMobile action to delete a Chromebook or Workspace hub device: The device continues to appear in the XenMobile console until after you refresh the console.

Known issues in this release

After you delete a Citrix Cloud administrator who has a device enrolled: XenMobile doesn’t update the User Role in the XenMobile console until after the administrator logs in again from Secure Hub or the Self Help Portal.