What’s new in XenMobile Service 10.18.3

The latest version of XenMobile has these new features and improvements:

• Set up G Suite partner access for XenMobile
• More device management settings for Chrome OS
• Application Guard device policy for Windows 10 devices
• New device management settings for iOS 11.3
• Other new features
• Fixed issues in this release

Some end-point management features for Chrome use Google partner APIs to communicate between XenMobile and your G Suite domain. For example, XenMobile requires the APIs for device policies that manage Chrome features such as Incognito mode and Guest mode.

To enable the partner APIs, you set up your G Suite domain in the XenMobile console and then configure your G Suite account.

To enable XenMobile to communicate with the APIs in your G Suite domain, go to Settings > Google Chrome Configuration and configure the settings.

• G Suite domain: The G Suite domain that hosts the APIs needed by XenMobile.
• G Suite admin account: The administator account for your G Suite domain.
• G Suite client ID: The client ID for Citrix. Use this value to configure partner access for your G Suite domain.
• G Suite enterprise ID: The enterprise ID for your account, filled in from your Google enterprise account.

The XenMobile Restrictions device policy has new settings that let you manage user-specific properties for Chromebook devices from the XenMobile console.

• Disable Incognito mode: If On, Chromebook device users can’t open an Incognito window in Chrome. Requires G Suite Chrome configuration. The default is Off.
• Disable Guest user mode: If On, guest users can’t sign on to Chromebook devices. Requires G Suite Chrome configuration. The default is Off.
• Single sign-on IdP redirection: If On, enables SAML-based single sign-on. Requires G Suite Chrome configuration. The default is On.
• Single sign-on cookie behavior: If On, transfers cookies set by a SAML IdP to user profiles each time a user signs on with SAML credentials. If Off, cookies transfer during the first sign-on only. Requires G Suite Chrome configuration. The default is On.

The Application Guard device policy is now available for Windows 10 devices. The policy applies to the Microsoft Edge browser only. Windows Defender Application Guard protects your environment from sites that haven’t been defined as trusted by your organization. When users visit sites that aren’t listed in your isolated network boundary: The sites open in a virtual browsing session in Hyper-V. Enterprise cloud resources define trusted sites.

This feature is only available for Windows 10 (64-bit) enterprise devices and OS version 1709. A device restart is required to install the Windows Defender Application Guard.

• Application Guard: Enables Application Guard. Default is Off.
• Clipboard Behavior: Controls which directions content can be copied and pasted. The options are as follows:
  • Not configured
  • Allow copy and paste from browser to PC only: Allows users to copy and paste content only from their browser to their PC.
  • Allow copy and paste from PC to browser only: Allows users to copy and paste content only from their PC to their browser.
  • Allow copy and paste between PC and browser: Allows users to copy and paste content freely between their PC and browser.
  • Block copy and paste between PC and browser: Does not allow users to copy and paste content between their PC and browser.
• Clipboard Content: Controls which content users can copy and paste. The options are as follows:
  • Not configured
  • Allow text copying: Allows users to copy text only.
  • Allow image copying: Allows users to copy images only.
  • Allow both text and image copying: Allows users to copy both text and images.
• Block external content on enterprise sites: If On, Windows Defender Application Guard prevents content from unapproved sites from loading on enterprise sites. Default is Off.
• Retain user-generated browser data: If On, allows saving user data created during an Application Guard virtual browsing session. This data includes things like passwords, favorites, and cookies. Default is Off.

The Restrictions device policy contains new restrictions for devices running iOS 11.3 and later. The restrictions are as follows:

• Allow USB restricted mode: If Off, the device can always connect to USB accessories while locked. Default is On. Available only for supervised iOS 11.3 and later devices.
• Force delayed software updates: If On, delays user visibility of Software Updates. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. Default is Off. Available only for supervised iOS 11.3 and later devices.
• Enforced software update delay (days): Allows you to specify a number of days to delay a software update on the device. The maximum delay is 90 days. Default is 30 days. Available only for supervised iOS 11.3 and later devices.
• Force classroom request permission to leave classes: If On, a student enrolled in an unmanaged course with Classroom must request permission from the teacher when attempting to leave the course. Default is Off. Available only for supervised iOS 11.3 and later devices.

• Web clips in the Home Screen Layout device policy. When configuring the Home Screen Layout device policy, you can now select Web Clip from the Type menu. For the Value, enter the URL for the web clip. If more than one Web Clip value exists with the same URL, the behavior is undefined on iOS 11.3 and later devices.
• Whitelist template instructions. When adding Citrix Ready workspace hub devices in XenMobile console: Under Manage > Devices, the template for adding Whitelist devices in bulk now has instructions for each field.

After you use a XenMobile action to delete a Chromebook or Workspace hub device: The device continues to appear in the XenMobile console until after you refresh the console.

After you delete a Citrix Cloud administrator who has a device enrolled: XenMobile doesn’t update the User Role in the XenMobile console until after the administrator logs in again from Secure Hub or the Self Help Portal.