What’s new in XenMobile Server 10.8 (on-premise)

Event

Citrix has released XenMobile 10.8 for on-premise installation.

Here after some more details:

Important

Before an upgrade to XenMobile 10.8:

Update your Citrix License server to 11.14.x or later before updating to the latest version of XenMobile Server 10.8.

For a clustered environment: To install apps from the XenMobile Store on iOS 11 devices, you must enable port 80 on XenMobile Server.

After an upgrade to XenMobile 10.8:

If functionality involving outgoing connections stop working, and you haven’t changed your connection configuration, check the XenMobile Server log for errors, such as the following: Unable to connect to the VPP Server: Host name ‘192.0.2.0’ does not match the certificate subject provided by the peer.

If you receive the certificate validation error, disable hostname verification on XenMobile Server. By default, hostname verification is enabled on outgoing connections except for the Microsoft PKI server. If hostname verification breaks your deployment, change the server property disable.hostname.verification to true. The default value of this property is false.

 

XenMobile Server 10.8 includes the following new features:

  • Install offline maps on supervised Windows 10 phone devices
  • New restrictions for supervised devices running iOS
  • Set how app notifications appear on iOS devices
  • Support for the new Cisco AnyConnect VPN client for iOS
  • FileVault device encryption on enrolled macOS devices
  • Support for Samsung Enterprise Firmware-Over-The-Air
  • Enhanced security for work profiles for Android for Work
  • Unenrolling an Android for Work enterprise
  • Specify the behavior when Android for Work apps request dangerous permissions
  • SNMP Monitoring
  • Support for the Microsoft JDBC driver for SQL Server
  • Server property changes to improve server tuning
  • Optimized device property search
  • Other improvements

For information about bug fixes, see Fixed issues.

Important

TouchDown by Symantec reached End of Life on July 3, 2017, with End of Standard Support, End of Extended Support, and End of Support Life on July 2, 2018. For more information, see the Symantec support article, TouchDown End-of-Life, End-of-Availability, and End-of-Support announcement.

Install offline maps on supervised Windows 10 phone devices

Windows 10 phone devices support offline maps. Use the Maps device policy to specify which maps to download to devices. The Microsoft Maps configuration service provider (CSP) currently supports maps of Germany, the United Kingdom, and the United States.

localized image

New restrictions for supervised devices running iOS

The following restrictions are now available for iOS devices running in supervised mode. The minimum version supported for each restriction is noted.

  • Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can’t use the Classroom app to observe student screens remotely. The default setting is selected, an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without promptingdetermines whether students receive a prompt to give the instructor permission. For supervised devices running iOS 9.3 (minimum version).
  • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).
  • Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
  • Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
  • Allow AirPrint: If this restriction is set to Off, users can’t print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).
  • Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren’t stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).
  • Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. Disabling discovery prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).
  • Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).
  • Adding VPN configurations: If this restriction is set to Off, users can’t create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Modifying cellular plan settings: If this restriction is set to Off, users can’t modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Removing system apps: If this restriction is set to Off, users can’t remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Setting up new nearby devices: If this restriction is set to Off, users can’t set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).

To configure those restrictions, go to Configure > Device Policies. For more information on setting restrictions, see Restrictions device policy.

localized image

localized image

In addition, you can now skip the keyboard selection screen in the Setup Assistant. To do so, edit the Restrictions device policy for iOS and, under the System Preferences Pane setting, select Keyboard.

Set how app notifications appear on iOS devices

The Apps Notifications policy lets you control how iOS users receive notifications from specified apps. This policy is supported on devices running iOS 9.3 or later. To add the policy, go to Configure > Device Policies.

localized image

Configure notification settings:

  • App Bundle identifier: Specify the apps you want to apply this policy to.
  • Allow Notifications: Select ON to allow notifications.
  • Show in Notification Center: Select ON to show notifications in the notification center of the user devices.
  • Badge App Icon: Select ON to show a badge app icon with notifications.
  • Sounds: Select ON to include sounds with notifications.
  • Show in Lock Screen: Select ON to show notifications on the lock screen of the user devices.
  • Unlocked Alert Style: In the list, select NoneBanner, or Alerts to configure the appearance of unlocked alerts.

Support for the new Cisco AnyConnect VPN client for iOS

Cisco is phasing out the Cisco AnyConnect client that was based on a now deprecated VPN framework. Cisco renamed that client to Cisco Legacy AnyConnect. The bundle ID is unchanged, com.cisco.anyconnect.gui.

Cisco has a new client named Cisco AnyConnect. The new client provides a more reliable connection to internal resources and support for UDP and TCP applications which have per-app VPN. The bundle ID for the new client is com.cisco.anyconnect. Cisco supports the new client for iOS 10 (minimum version).

  • To continue using the Legacy AnyConnect client: If you still use the legacy client, you don’t need to change your existing VPN device policy for iOS. The policy will continue to work until Cisco phases out support for the legacy client. As of this release, the Connection type option Cisco AnyConnect is renamed to Cisco Legacy AnyConnect in the XenMobile Server console.
  • To use the new Cisco AnyConnect client: The new Cisco AnyConnect client doesn’t detect a XenMobile VPN device policy created with the Connection type option Cisco AnyConnect.

To use the new Cisco AnyConnect client, configure XenMobile Server, as follows.

Go to Configure > Device Policies and add a VPN policy for iOS.

On the VPN Policy platform page, configure the settings. The settings listed here are required for Cisco AnyConnect.

  • Connection name: Cisco AnyConnect
  • Connection type: Custom SSL
  • Custom SSL identifier (reverse DNS format): com.cisco.anyconnect
  • Provider bundle identifier: com.cisco.anyconnect
  • Provider type: Packet tunnel

Other settings such as Authentication type for the connection and Enable per-app VPN, depend on your use case. For information, see “Configure Custom SSL protocol” under Configure iOS settings.

localized image

Configure deployment rules and choose delivery groups for the VPN device policy. Deploy that policy to iOS devices.

Upload the Cisco AnyConnect client from https://itunes.apple.com/us/app/cisco-anyconnect/id1135064690?mt=8, add the app to XenMobile Server, and then deploy the app to iOS devices.

Remove the old VPN device policy from iOS devices.

For more information, see the XenMobile support article https://support.citrix.com/article/CTX227708.

FileVault device encryption on enrolled macOS devices

The macOS FileVault Disk Encryption feature protects the system volume by encrypting its contents. With FileVault enabled on a macOS device, a user logs in with their account password each time that the device starts. If the user loses their password, a recovery key enables them to unlock the disk and reset their password.

The XenMobile device policy, FileVault, enables FileVault user setup screens and configures settings such as recovery keys. For more information about FileVault, see the Apple support article, https://support.apple.com/kb/PH25107.

To add the policy, go to Configure > Device Policies, add the FileVault policy, and configure these macOS settings.

localized image

  • Prompt for FileVault setup during logout: If ON, prompts the user to enable FileVault during the next N logouts, as specified by the option, Maximum times to skip FileVault setup. If OFF, the FileVault password prompt doesn’t appear.

After you deploy the FileVault policy with this setting on, the following screen appears when a user signs off the device. The screen gives the user the option to enable FileVault before signing off.

localized image

If the Maximum times to skip FileVault setup value isn’t 0: After you deploy the FileVault policy with this setting off and then the user signs on, the following screen appears.

localized image

If the Maximum times to skip FileVault setup value is 0 or the user has skipped setup the maximum number of times, the following screen appears.

localized image

  • Maximum times to skip FileVault setup: The maximum number of times that the user can skip FileVault setup. When the user reaches the maximum, the user must set up FileVault to log in. If 0, the user must enable FileVault during the first login attempt. Default is 0.
  • Recovery key type: A user who forgets their password can type a recovery key to unlock the disk and reset their password. Recovery key options:

Personal recovery key: A personal recovery key is unique to a user. During FileVault setup, a user chooses whether to create a recovery key or to allow their iCloud account to unlock their disk. To show the recovery key to the user after FileVault setup completes, enable Show personal recovery key. Showing the key enables the user to record the key for future use. For information about recovery key management, see the Apple support article, https://support.apple.com/en-us/HT204837.

Institutional recovery key: You can create an institutional (or master) recovery key and FileVault certificate, which you then use to unlock devices. For information, see the Apple support article, https://support.apple.com/en-us/HT202385. Use XenMobile to deploy the FileVault certificate to devices. For information, see Certificates and authentication.

Personal & institutional recovery key: By enabling both types of recovery keys, you must unlock a user device only if the user loses their personal recovery key.

  • Show personal recovery key: If ON, shows the personal recovery key to the user after enabling FileVault on the device. Defaults to ON.

localized image

Support for Samsung Enterprise Firmware-Over-The-Air

Samsung Enterprise FOTA (E-FOTA) lets you determine when devices get updated and the firmware version to use. E-FOTA enables you to test updates before deploying them, to ensure that the updates are compatible with your apps. You can force devices to update with the latest firmware version available, without requiring user interaction.

Samsung supports E-FOTA for Samsung KNOX 2.7.1 devices (minimum version) that are running authorized firmware.

To configure an E-FOTA policy:

Create a Samsung MDM license key policy with the keys and license information you received from Samsung. XenMobile Server then validates and registers the information.

localized image

ELM License key: This field contains the macro that generates the ELM license key. If the field is blank, type the macro ${elm.license.key}.

Type the following information provided by Samsung when you purchased an E-FOTA package:

Enterprise FOTA Customer ID
Enterprise FOTA license
Client ID
Client Secret

Create a Control OS Update policy.

localized image

Configure these settings:

  • Enable Enterprise FOTA: Set to On.
  • Enterprise FOTA License Key: Select the Samsung MDM License Key policy name that you created in Step 1.

Deploy the Control OS Update policy to Secure Hub.

Enhanced security for work profiles for Android for Work

Work profile passcode

For devices running Android 7.0 and later, you can now require a passcode for apps within a work profile for Android for Work. Users are prompted to enter the passcode when they attempt to open any apps in the work profile. When users enter the passcode, they can then access apps in the work profile.

You configure a passcode requirement for the work profile only or for the device.

To configure a passcode requirement for the work profile, go to Configure > Device Policies, add the Passcode policy, and configure these settings:

  • Work profile security challenge: Enable this setting to require users to complete a security challenge for access to apps that run in an Android for Work work profile. This option is not available for Android devices earlier than Android 7.0. The default is OFF.
  • Passcode requirements for work profile security challenge:
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Biometric recognition: Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default is OFF. This feature isn’t currently supported.
    • Required characters: Configures how passcodes are composed. Use No restrictions only for devices running Android 7.0. Android 7.1 and later don’t support the No restrictions setting. The default is Both numbers and letters.

Default security policies

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android for Work in work profile mode.

Unenrolling an Android for Work enterprise

XenMobile now lets you unenroll an Android for Work enterprise using the XenMobile Server console and XenMobile Tools.

When you perform this task, the XenMobile Server opens a popup window for XenMobile Tools. Before you begin, ensure that the XenMobile Server has permission to open popup windows in the browser you are using. Some browser, such as Google Chrome, require you to disable popup blocking and add the address of the XenMobile site to the popup block whitelist.

After the Android for Work enterprise in unenrolled:

  • Devices and users enrolled through the enterprise have the Android for Work apps reset to their default state. Android for Work App Permissions and Android for Work App Restrictions policies previously applied no longer effect operations.
  • Although XenMobile manages devices enrolled through the enterprise, Google doesn’t manage them. You can’t add new Android for Work apps. You can’t apply new Android for Work App Permissions or Android for Work App Restrictions policies. You can still apply other policies, such as Scheduling, Password, and Restrictions to these devices. Devices must re-enroll to allow new Android for Work apps and Android for Work-specific policies to be applied.
  • If you attempt to enroll devices in Android for Work, they enroll as Android devices, not Android for Work devices.

To unenroll an Android for Work enterprise:

In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

On the Settings page, click Android for Work.

Click Remove Enterprise.

localized image

Specify a password. You’ll need the password for the next step to complete the unenrollment. Then click Unenroll.

localized image

When the XenMobile Tools page opens, enter the password you created in the previous step.

localized image

Click Unenroll.

localized image

Specify the behavior when Android for Work apps request dangerous permissions

For requests to Android for Work apps that are within work profiles: A new device policy lets you configure how those requests handle what Google calls “dangerous” permissions. You control whether to prompt users to grant or deny a permission request from apps. This feature is for devices running Android 7.0 and later.

Google defines dangerous permissions as permissions that give an app access to the following:

  • Data or resources that involve private user information.
  • Resources that might affect the stored data for a user or the operation of other apps. For example, the ability to read user contacts is a dangerous permission.

For Android for Work apps that are within work profiles: You can configure a global state that controls the behavior of all dangerous permission requests to the apps. You can also control the behavior of dangerous permission request for individual permission groups, as defined by Google, for each app. These individual settings override the global state.

For information on how Google defines permission groups, see “Permission groups” in the Android developers guide.

By default, users are prompted to grant or deny dangerous permission requests.

To configure permissions for Android for Work apps, go to Configure > Device Policies and add the Android for Work App Permissions policy. This policy applies only to apps that you first add and approve in the Google Play console and then add to XenMobile as Public Store apps.

localized image

Configure these settings.

  • Global State: Controls the behavior of all dangerous permission requests. In the list, click PromptGrant, or Deny. Default is Prompt.
    • Prompt: Prompts users to grant or deny dangerous permission requests.
    • Grant: Grants all dangerous permission requests without prompting users.
    • Deny: Denies all dangerous permission requests without prompting users.
  • To override the Global State for a permission group, set an individual behavior for the permission group. To configure settings for a permission group, click Add, choose an app from the list, and then choose a Grant Status.

SNMP Monitoring

You can enable SNMP monitoring in XenMobile Server to allow monitoring systems to query and obtain information on your XenMobile nodes. The queries use parameters, such as Processor Load, Load Average, Memory Usage, and Connectivity. For more information about SNMP v3, such as authentication and encryption specifications, see the official SNMP documentation for RFC 3414.

For more information about SNMP monitoring, see SNMP monitoring.

Support for the Microsoft JDBC driver for SQL Server

XenMobile Server now supports the Microsoft Java Database Connectivity (JDBC) driver for SQL Server. The jTDS driver remains the default driver when you install XenMobile Server on-premises or upgrade from a XenMobile Server that uses the jTDS driver.

For both drivers, XenMobile supports SQL Server authentication or Windows authentication, with SSL either on or off.

When you use Windows authentication with the Microsoft JDBC driver, the driver uses integrated authentication with Kerberos. XenMobile contacts Kerberos to obtain the Kerberos Key Distribution Center (KDC) details. If the required details aren’t available, the XenMobile CLI prompts for the IP address of the Active Directory server.

To switch from the jTDS driver to the Microsoft JDBC driver, SSH to all of your XenMobile Server nodes. Then, use the XenMobile CLI to configure the settings. The steps vary according to your current jTDS driver configuration. For more information, see SQL Server drivers.

Server property changes to improve server tuning

For several server properties used to tune XenMobile operations, the default values now match the recommendations provided in Tuning XenMobile Operations.

Here are the updated server properties, with their new default values shown in parentheses:

  • hibernate.c3p0.timeout (120 sec)
  • Push Services Heartbeat Interval: ios.apns.heartbeat.interval, windows.wns.heartbeat.interval, gcm.heartbeat.interval (20 hours)
  • auth.ldap.connect.timeout (60000)
  • auth.ldap.read.timeout (60000)
  • iOS MDM APNS Connection Pool Size (10)
  • Background Deployment (1440 minutes)
  • Background Hardware Inventory (1440 minutes)
  • Interval for check deleted Active Directory user (15 minutes)

In addition, the default value for the following server property has changed to the setting recommended in Server Properties:

  • Block Enrollment of Rooted Android and Jailbroken iOS Devices (true)

You can now further tune XenMobile server through the following custom server properties that were previously undocumented.

Custom Key: hibernate.c3p0.min_size

This XenMobile server property, a Custom Key, determines the minimum number of connections that XenMobile opens to the SQL Server database. Default is 50.

To change this setting, you must add a server property to XenMobile server with the following configuration:

Key: Custom Key

Key: hibernate.c3p0.min_size

Value: 50

Display name: hibernate.c3p0.min_size=nnn

Description: DB connections to SQL

Custom Key: hibernate.c3p0.idle_test_period

This XenMobile server property, a Custom Key, determines the idle time in seconds before a connection is automatically validated. Default is 30.

To change this setting, you must add a server property to XenMobile server with the following configuration:

Key: Custom Key

Key: hibernate.c3p0. idle_test_period

Value: 30

Display name: hibernate.c3p0. idle_test_period =nnn

Description: Hibernate idle test period

Optimized device property search

Previously, a device search from the Manage > Devices page included all device properties by default, which could slow the search. Now the default search scope includes only the following device properties:

  • Serial Number
  • IMEI
  • Wifi MAC address
  • Bluetooth MAC address
  • Active Sync ID
  • User Name

You can configure the search scope by using a new server property, include.device.properties.during.search, which defaults to false. To include all device properties in a device search, change the setting to true.

Other improvements

  • New iOS Setup Assistant Option: New feature highlights. The iOS Setup Assistant item, New feature highlights, sets up these onboarding informational screens: Access the Dock from Anywhere and Switch Between Recent Apps. You can choose whether to omit those onboarding screens from iOS Setup Assistant steps when users start their devices the first time.

New Feature highlights is available for iOS 11.0 (minimum version). The default for all items is unselected.

localized image

  • When performing a full wipe of an iOS 11 device that has a cellular data plan, you can choose to preserve the data plan.

localized image

  • XenMobile now displays a License Expiration Warning when Apple VPP or DEP tokens are nearing expiration or have expired.

localized image

  • The XenMobile console interface for macOS VPP apps changed as follows:
    • In Configure > Apps, you can filter apps by macOS VPP. Portions of the interface that don’t apply to a macOS VPP app are now omitted. For example, the Store Configuration section doesn’t appear because there is no Secure Hub for macOS. The VPP keys import option no longer appears.
    • In Manage > Devices, the User Properties include Retire VPP account.
  • Control OS Update device policy for macOS. You can now use the Control OS Update policy to deploy OS updates to macOS devices that are supervised or are deployed through Apple DEP.

localized image

  • Option to allow multiple users to use a Samsung SAFE device. The Restrictions device policy now includes the hardware control option, Allow multiple users. This option, for MDM 4.0 and later, defaults to OFF.
  • Disable apps on Samsung SAFE devices. You now use the Restrictions device policy to block a list of installed apps from running on Samsung SAFE devices. The BrowserYouTube, and Google Play/Marketplace options are deprecated.
By default, the new Disable Applications setting is Off, which means apps are enabled. To disable an installed app, change the setting to On, click Add in the Application List table, and then type the app package name.
Changing and deploying an app list overwrites the prior app list. For example: Suppose that you disable com.example1 and com.example2. You then later change the list to com.example1 and com.example3. In that case, XenMobile enables com.example.2.
  • The Manage > Devices page now includes these additional device properties reported by Android devices:
Carrier Code (reported only by devices running Samsung MDM 5.7 or higher)
Model Number (reported only by devices running Samsung MDM version 2.0 or higher)
  • Restrictions device policy now includes a policy to disable the camera on Android devices. To configure the policy, go to Configure > Device Policies, click Add, and click Restrictions. By default, camera use is enabled. To disable camera use, change the Camera setting to OFF.

localized image

  • Locale-based date and time formats. The date and time that appears on the Manage > Devices and Manage > Users pages are now formatted according to locale. For example, 6 PM on October 15, 2017, is shown as follows:U.S. (en-US): 10/15/17 06:00:00 pm
    U.K. (en-GB): 15/10/17 18:00:00
    South Africa (en-ZA): 2017/10/15 06:00:00 pm
  • The Samsung SAFE Firewall device policy is renamed to the Firewall device policy.
  • The default number of backup archives included in support bundles has been reduced to 100 for the following files. The default file size for these files is 10 MB.
    • DebugLogFile
    • AdminAuditLogFile
    • UserAuditLogFile
    • HibernateStats.log

When the support bundle includes 100 log archive files for each of those categories, the log file rolls over. If you configure a lower maximum number of log files (Troubleshooting and Support -> Log Settings), extraneous log files are immediately deleted for that server node.

  • The Settings > Syslog page now includes an option to send XenMobile Server debug logs to a syslog server.
  • XenMobile Public API for REST Services updates.
  • The XenMobile Public API for REST Services includes these new APIs. For more information, download the XenMobile Public API for REST Services PDF and see the sections noted below.
    • Get Users by Filter (section 3.12.1)
    This new API replaces the now deprecated API, Get All Users.
    • Revoke Enrollment Token (section 3.19.6)
    • Remove Enrollment Token (section 3.19.7)