Push Notification Logon Not Working on iPhones

Hi all,

I ran into the following problem. Environment:

1. Logon on NetScaler 12.1 AAA.

2. RADIUS to VIP Enterprise Gateway 9.8 “User ID – Security code”

Some (a large number) of iPhones don’t get the push notification. It’s there if you open the app, but the push notification never comes. Any ideas? Can’t find anything anywhere.

Related:

Fix: Outlook does not support connections to Exchange ActiveSync

While trying to connect an Outlook account to Exchange using the ActiveSync protocol, users may get the error “Outlook does not support connections to Exchange by using ActiveSync”. This error occurs when Outlook does not support the connection method used for the server that is running Exchange Server. A similar discussion can also be read on the Microsoft Community forum.

On the same Windows 8 Pro machine, on the same user account – Windows Mail app is connected successfully to my corporate e-mail account (‘Outlook’ account type, use SSL connection, domain and user name specified).

In Outlook 2013 the same account can’t be connected (selecting ‘ActiveSync’ account type, specifying server name and user name, however there are no options to specify SSL and domain) – getting error message ‘Log onto Exchange ActiveSync mail server (EAS): The server cannot be found.’

Follow the steps listed in the article below to fix Outlook server issue with ActiveSync and Exchange.

Is Exchange ActiveSync supported by Outlook?

1. Connect to Exchange using Standard Exchange Connection

  1. Launch the Outlook desktop app.
  2. Click on File and then click on the Add Account button.
  3. Enter your email address and click Connect.
  4. Now you will be asked to enter your password again. Enter the password, and click OK.
  5. Click Finish to connect to Exchange using the standard Exchange connection.

Trying to set up your email account manually can create issues like the one mentioned earlier. Try to set up the email account normally and check if the error is resolved.


2. Configure Outlook 2013 / 2016 Manually

If you want to configure Outlook for Exchange by using ActiveSync, do the following.

  1. Launch the Outlook desktop client.
  2. Choose “New Email Account”.
  3. Select “Manual setup or additional server types”.
  4. Select “Exchange ActiveSync”.
  5. Now you need to fill in the server settings. The username can be in Domain\username format.
  6. Now press and hold the Enter key on the keyboard until all the boxes go away.
  7. Once the connection goes through, launch the Outlook client and check if the error is resolved.

For Outlook 2016 / Office 365

  1. Launch the Outlook client in your Windows system.
  2. Click on File and select Add Account.
  3. Now enter the email address for the account and click Advanced Options.
  4. Select the “Let me set up my account manually” option.
  5. Click the Connect button.
  6. Select the “Exchange” option.
  7. Enter the password for your ID and check if the connection is established without any error.

The EAS protocol provides access to data in exchange mailboxes thus keeping all of your connected devices in sync. Since EAS connection does not provide all the features of an Exchange account, Outlook does not support this method resulting in the error.

XenMobile Server 10.8.0 Rolling Patch 4

Package name: xms_10.8.0.10402.bin

For: XenMobile Server 10.8.0

Deployment type: On-premises only

Replaces: xms_10.8.0.10104.bin, xms_10.8.0.10212.bin, xms_10.8.0.10309.bin

Date: July, 2018

Languages supported: English (US)

Readme version: 1.00

Readme Revision History

Version | Date       | Change Description
1.00    | July, 2018 | Initial release

Important Notes about This Update

As a best practice, Citrix recommends that you install this and other updates only if you are affected by the specific issues they resolve.

Where to Find Documentation

This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, see XenMobile Server 10.8 on the Citrix Product Documentation site.

New Fixes in This Update

  1. The Secure Hub Apple Push Notification Service (APNs) certificate for XenMobile Server 10.8 will expire on September 8, 2018. As a result, the Agent Notification fails and the application push might be delayed on iOS devices.

    With this update, the Secure Hub APNs certificate will be renewed and will expire on August 2, 2019.

    [From xms_10.8.0.10402.bin][CXM-53213]

Fixes From Replaced Releases

  1. On the Analyze > Dashboard page, the Installed Apps graph and report show incorrect BluPrint app version numbers.

    [From xms_10.8.0.10309.bin][CXM-37939]

  2. As a workaround provided by a third-party component, it is a prerequisite to have a license file with the sort keyword in the file.

    After upgrading to XenMobile Server 10.7 or later and enrolling a device, the license count shown in the XenMobile console is much greater than the actual number of enrolled devices.

    [From xms_10.8.0.10309.bin][CXM-40533]

  3. When trying to configure the Salesforce SAML app with provisioning enabled from the XenMobile Server 10.8.0 console, the XenMobile console displays the “Invalid Application details, please try again” error message.

    [From xms_10.8.0.10309.bin][CXM-47853]

  4. Create a credentials provider (Settings > Credential Providers), with the default notification template selected on the Renewal tab. When you return to Settings > Credential Providers and go directly to the Renewal tab, the Notification template shows None instead of the template previously specified. As a workaround, when you return to Settings > Credential Providers, click Next to navigate to the Renewal tab.

    [From xms_10.8.0.10309.bin][CXM-48908]

  5. When you change the Store name in XenMobile Server, a warning message asking the iOS users to log off and log on to the Secure Hub might not appear. As a result, when the user accesses the Secure Hub Store, the MDM-pushed apps are uninstalled from the device.

    [From xms_10.8.0.10309.bin][CXM-49223]

  6. After you restart XenMobile Server, your settings in the Log Settings page revert to the defaults.

    [From xms_10.8.0.10309.bin][CXM-49335]

  7. Syslog messages now include the XenMobile Server/Node IP address.

    [From xms_10.8.0.10309.bin][CXM-49370]

  8. When you attempt to add a URL that begins with “http” or “https” but does not contain the “.com” or file name extension to Web Content Filter policy, the following error message appears:

    “Please enter a valid FQDN or an http:// or https:// URL.”

    [From xms_10.8.0.10309.bin][CXM-50019]

  9. In XenMobile Server, certain iOS apps’ version numbers are reported incorrectly.

    [From xms_10.8.0.10309.bin][CXM-50640]

  10. The German expiration notification message for a VPP account is incorrect.

    [From xms_10.8.0.10309.bin][CXM-50991]

  11. When users who are enrolled in XenMobile Server through “email enrolment” attempt to change the User Principal Name (UPN) in Active Directory, the device goes to an unmanaged state causing an App Wipe/Lockout.

    However, when the user attempts to re-enroll with the new UPN, the users are directed back to the First Time Use (FTU) screen.

    To enable the fix, set the custom server property “refresh.user.using.objectguid” to “true”.

    [From xms_10.8.0.10309.bin][CXM-51704]

  12. Devices running a Microsoft Windows operating system, such as Windows Phone and desktop/tablet devices, might fail to search the public store apps, and the following error message appears:

    “Application search Failed”

    [From xms_10.8.0.10309.bin][CXM-52555]

  13. On devices running iOS 11.3, when multiple apps are installed and marked as required apps on non-supervised devices, you may receive repeated “Update Available” notifications.

    [From xms_10.8.0.10212.bin][CXM-49783]

  14. The XenMobile console doesn’t accept valid Google play credentials for Android. The following error message appears: “The Google Play logon request used a user name or password that is not recognized.”

    [From xms_10.8.0.10212.bin][CXM-50257]

  15. When you change users to a different Active Directory security group: For enrolled iOS devices, XenMobile Service does not detect the change, update the delivery group membership, or push new policies to the devices.

    [From xms_10.8.0.10104.bin][CXM-47370]

Installing This Update

Note: If your system is configured in cluster mode, follow the steps below to update each node, one after the other.

Important: Before installing this update, take a snapshot of the current settings and create a backup of the database.

  1. Log on to your account on the Citrix website and download the XenMobile Server update (.bin) file to an appropriate location.
  2. In the XenMobile Server Console of a node, click Settings > Release Management. The Release Management page appears, which displays the currently installed software version, as well as a list of any updates, patches, and upgrades you have already uploaded.
  3. Under Release Management, click Update. The Update dialog box appears.
  4. Click Browse to upload the update (.bin) file you have downloaded from support.citrix.com.
  5. Click Update and then, if prompted, restart the XenMobile Server node using the command line.

To verify the patch deployment

After installing this patch, log on to the XenMobile Server Console as an administrator, then navigate to Settings > Release Management > Updates. Information about the most recent successful patch installation appears in this section.

Related:

How to Prepare Secure Mail for APNs XenMobile App

This article explains how to prepare, wrap and deploy the Secure Mail application to support Push Notifications.

For the purpose of this article the following components were used:

  • Mac OS X 10.10.3 laptop with Xcode 6.3.1
  • MDX Toolkit version 10.4.5
  • Secure Mail (.IPA) version 10.4.5
  • Microsoft Exchange Server 2010 (SP3)
  • XenMobile Server 10

Note that Secure Mail Push Notifications is only available for Microsoft Exchange Server environments and not IBM Notes Traveler.

Pre-requisites

  • Download the Secure Mail for iOS (10.0.7 or later) and the Citrix MDX Toolkit (10.0.7 or later) to the Mac machine. It is required to wrap Secure Mail 10.0.7 (or later) with the Citrix MDX Toolkit 10.0.7 (or later) in order to support this new Push Notifications feature.
  • To install the MDX Toolkit on the Mac OS X machine, make sure to follow the system requirements found in CTX140458 – XenMobile MDX Toolkit Documentation.
  • The Secure Mail Push Notifications feature uses EWS Push Notifications from Exchange Server. For more information on how EWS notifications work, see Notification subscriptions, mailbox events, and EWS in Exchange.
  • It is required to generate a new Certificate for Secure Mail in order to support the Push Notifications feature. For more information on how to configure Push Notifications for iOS apps with existing App IDs or new ones, go to Apple – Configuring Push Notifications.

High Level Architecture

This section provides an overview of how Secure Mail APNs behaves.

[Image: Secure Mail APNs high-level architecture]

When users download, install and configure Secure Mail (APNs) for the first time, they will be prompted to allow or deny notifications.

Example of the Secure Mail notifications prompt:

[Image: Secure Mail notifications prompt]

By allowing notifications, Secure Mail will update the badge number and notifications via the Citrix Hosted Service using Push Notification.

Note: In the event notifications were not allowed, users can enable the feature under Settings > Secure Mail > Notifications. By allowing Notifications, Secure Mail would be able to update the badge number and display notifications on the iOS device.

[Image: Settings > Secure Mail > Notifications]

Once Secure Mail is configured, the app will download email data (e.g. messages, attachments, etc.) via ActiveSync protocol. Therefore, depending on the type of deployment, Secure Mail will communicate with Exchange Server (CAS) – either directly or via the NetScaler Gateway using the STA feature.

Please note that badge number and notification traffic is handled by Exchange Server (EWS) and Citrix Hosted Service using APNs behind the scenes. For more information on how EWS works, refer to this Microsoft article – Notification subscriptions, mailbox events, and EWS in Exchange.

Related:

Secure Mail Test Tool

1. Checks for ActiveSync server handshake

2. Verifies user authentication (both Default and Cert Based) to the ActiveSync server

3. User Mailbox Folder Sync Tests

4. Checking ActiveSync configurations based on Request/Response methods

5. Simulates iOS as well as Android headers for communications

6. Connectivity checks for servers configured in MDX Policy like Citrix Listener Services, Push Registration server

7. Uses MicroVPN traffic to perform tests when wrapped

8. Extended Connectivity checks to APNS server and the Background Network Services Gateway

9. Verifying Push Notifications

10. Verifying that the CustomerID corresponds to the Push Notification Region

11. Validating end to end email flow by sending a test email and verifying the receipt in the user inbox

12. Enhanced progress indicators to provide more details on all the tests being performed

13. Ability to test Multiple ActiveSync Servers at one go using same credentials

14. A neat diagnostic report of the Tests Performed

15. A comprehensive list of recommendations if there are any issues found during the tests

16. Ability to send the report via email with Mail Test App logs attached.

Related:

XenMobile Server 10.7.0 Rolling Patch 4

Package name: xms_10.7.0.10403.bin

For: XenMobile Server 10.7.0

Deployment type: On-premises only

Replaces: xms_10.7.0.10112.bin, xms_10.7.0.10229.bin, xms_10.7.0.10312.bin

Date: July, 2018

Languages supported: English (US)

Readme version: 1.00

Readme Revision History

Version | Date       | Change Description
1.00    | July, 2018 | Initial release

Important Notes about This Update

As a best practice, Citrix recommends that you install this and other updates only if you are affected by the specific issues they resolve.

Where to Find Documentation

This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, see XenMobile Server 10.7 on the Citrix Product Documentation site.

New Fixes in This Update

  1. The Secure Hub Apple Push Notification Service (APNs) certificate for XenMobile Server 10.7 will expire on September 8, 2018. As a result, the Agent Notification fails and the application push might be delayed on iOS devices.

    With this update, the Secure Hub APNs certificate will be renewed and will expire on August 2, 2019.

    [From xms_10.7.0.10403.bin][CXM-53212]

Fixes From Replaced Releases

  1. On devices running iOS 11.3, when multiple apps are installed and marked as required apps on non-supervised devices, you may receive repeated “Update Available” notifications.

    [From xms_10.7.0.10312.bin][CXM-49783]

  2. The XenMobile console doesn’t accept valid Google play credentials for Android. The following error message appears: “The Google Play logon request used a user name or password that is not recognized.”

    [From xms_10.7.0.10312.bin][CXM-50257]

  3. You can use the Restrictions Policy to disable the camera on Android devices.

    [From xms_10.7.0.10229.bin][CXM-12684]

  4. XenMobile Server now supports the Microsoft Java Database Connectivity (JDBC) driver for SQL connectivity. The jTDS driver remains the default driver when you install XenMobile Server on-premises or upgrade from a XenMobile Server that’s configured to use the jTDS driver.

    To switch from the jTDS driver to the Microsoft JDBC driver, perform the following steps:

    1. In the XenMobile CLI main menu, type 2 to select the System Menu.
    2. Type 12 to select Advanced Settings.
    3. Type 7 to select Switch JDBC driver, and then type m for Microsoft JDBC driver or j for jTDS.
    4. When prompted, type y to choose SQL authentication, or n to choose Windows authentication, and then type the SQL Server username and password.
    5. Repeat the steps for each XenMobile Server node.
    6. Restart each XenMobile Server node.

    [From xms_10.7.0.10229.bin][CXM-31846]

  5. When you configure Mobile Service Provider (MSP) on XenMobile Server over a secure connection such as https:// /services/zdmservice, the connection fails and the following error appears:

    “An error occurred when verifying security for the message.”

    [From xms_10.7.0.10229.bin][CXM-39048]

  6. In XenMobile Server, the following error message appears consistently for various XenMobile Server authentication failures:

    “Authentication failed. Please try again.”

    [From xms_10.7.0.10229.bin][CXM-40393]

  7. When you upgrade from XenMobile Server 10.6 to XenMobile Server 10.7, devices registered in MAM-only mode might fail to download MDX apps.

    [From xms_10.7.0.10229.bin][CXM-42345]

  8. Network Access Control (NAC) actions written to console log files result in large files.

    [From xms_10.7.0.10229.bin][XMHELP-817]

  9. The .EWDEPLOY_HISTO database table is not cleaned up periodically, resulting in a large table size.

    [From xms_10.7.0.10229.bin][XMHELP-827]

  10. iOS users can’t update Citrix Receiver to version 7.2.3. When you click Check for Update, the message “The app is up to date with the latest version” appears even when you have an older version.

    [From xms_10.7.0.10229.bin][691529]

  11. When you left-click Secure Mail or Citrix Secure Web for Android in the Configure > Apps list and then click Show more, the following error might appear: “A configuration error occurred. Please try again.” In the App rating section, the Android tab is blank.

    [From xms_10.7.0.10229.bin][692848]

  12. When you upload an SSL listener certificate in XenMobile Server, the error “Could not import the certificate” appears.

    [From xms_10.7.0.10229.bin][692965]

  13. When you enrol iOS devices on XenMobile Server, enrolment fails intermittently, and the error “Could Not Connect” appears.

    [From xms_10.7.0.10229.bin][693175]

  14. Uploading some APK files to the XenMobile console might fail with a “500 Internal Server Error.”

    [From xms_10.7.0.10229.bin][693978]

  15. On Android devices, managed apps do not appear during XenMobile Server API calls.

    [From xms_10.7.0.10229.bin][695647]

  16. The report that you can export from Manage > Devices has two columns labeled “ASM DEP device Type.”

    [From xms_10.7.0.10229.bin][695366, 695895]

  17. Security actions are not performed on a node that is already initialized for a given push if the notification is sent from another node.

    [From xms_10.7.0.10229.bin][695573]

  18. On iOS 11 devices, issuing an MDM security action command once causes this command to be issued to the device repeatedly.

    [From xms_10.7.0.10112.bin][CXM-39189]

  19. After upgrading to XenMobile Server version 10.5 or later, device enrollment fails and the “Could not sign CSR” error message appears in the debug log of setups using Generic PKI (GPKI). This issue occurs because the GPKI protocol fails to retrieve a signed user certificate.

    [From xms_10.7.0.10112.bin][690361]

Installing This Update

Note: If your system is configured in cluster mode, follow the steps below to update each node, one after the other.

Important: Before installing this update, take a snapshot of the current settings and create a backup of the database.

  1. Log on to your account on the Citrix website and download the XenMobile Server update (.bin) file to an appropriate location.
  2. In the XenMobile Server Console of a node, click Settings > Release Management. The Release Management page appears, which displays the currently installed software version, as well as a list of any updates, patches, and upgrades you have already uploaded.
  3. Under Release Management, click Update. The Update dialog box appears.
  4. Click Browse to upload the update (.bin) file you have downloaded from support.citrix.com.
  5. Click Update and then, if prompted, restart the XenMobile Server node using the command line.

To verify the patch deployment

After installing this patch, log on to the XenMobile Server Console as an administrator, then navigate to Settings > Release Management > Updates. Information about the most recent successful patch installation appears in this section.

Related:

FAQ: Citrix Secure Mail APNS for IT Admins

This article provides answers to frequently asked questions on Citrix Secure Mail APNS for IT Admins. For more information on Push Notifications for Secure Mail, refer to Citrix Documentation – Push Notifications for Secure Mail for iOS.

General Overview

Q1: Why does Secure Mail for iOS require APNS notifications?

A: In Avatar and previous releases, when the Secure Mail application is in the background, it relies on the background app refresh functionality of the iOS platform to “wake up” the application to:

  1. Update the badge
  2. Show notifications (if turned on)
  3. Sync emails

How often iOS wakes the application depends roughly on app usage: the more frequently the app is used, the more frequently it checks for new mail while in background mode. Therefore, at times the badge or the mails will not sync for hours.

For customers who want near real-time badge updates and more frequent mail syncing, it is recommended to use Secure Mail with Push Notifications.

Q2: Is APNS notification an optional feature in Beetlejuice for Secure Mail for iOS?

A: Yes, it is an optional feature in Beetlejuice. It is turned off by default. The Admin will have to enable the feature (as an app-specific policy on the AppC/XMS server). If the customer is OK with the background app refresh approach when Secure Mail is in the background, then this feature does not need to be enabled.

Q3: How about push notifications for Secure Mail for Android?

A: Android OS allows 3rd party applications to maintain server connections both in foreground and background mode. Hence, Secure Mail for Android maintains a persistent ActiveSync connection to sync emails and sync is near real time.

Q4: Will APNS feature in Secure Mail for iOS work with both XM 9 and XM 10 servers?

A: Yes

Q5: What are the supported upgrade paths?

A: The following table provides supported upgrade paths.

[Image: supported upgrade paths table]

Key points (to elaborate on the above table)

  • APNs support requires a unique App ID (Apple iOS requirement). Therefore, this solution will be supported for Secure Mail wrapped with a Unique App ID. Secure Mail that is using a provisioning profile created with a wildcard App ID is not supported for APNs.
  • It is not possible to upgrade a wildcard App ID wrapped Secure Mail to a Unique App ID wrapped Secure Mail on the users device. A re-install is required. So, for older customers wanting to leverage this push service, you will need to create a Unique App ID in the Apple Developers portal, a new provisioning profile, a new wrapped version of Secure Mail then load this up to the server as a new app.

Q6: Will the APNs feature work with Office365?

A: Yes, O365 is supported in addition to Exchange 2007, 2010 and 2013.

Q7: Is the APNs feature available for Lotus Notes?

A: The Beetlejuice release (10.0.7) only supports Exchange. We will investigate what web services are available for Lotus Notes. When the due diligence is completed, we will provide a status update.

Q8: Do I need to install any server components on-premise?

A: No. Citrix will host a “listener” service in the cloud. This service will send out push notifications to your user’s Secure Mail application. Note that no personally identifiable information (PII) is stored or flows through this cloud service.

Q9: Why did you go with a cloud first approach for listener service?

A: Key reasons are:

  • Zero on-premise server footprint to support APNS notifications
    • No hardware/ software/ monitoring/ server scaling work effort for IT administrators
  • No change to mail data flow
    • Mail data traffic continues to flow between Device and Exchange Server
  • No sensitive data sent to listener service by Exchange server
    • APNS notification sends only the badge count to Secure Mail application.

Q10: Why does the feature require a listener service? The Native Mail client does not need a listener service.

A: The native mail client on iOS maintains a persistent ActiveSync connection with the Exchange server. Apple allows this only for the native mail client. Third-party mail clients have to leverage APNs to send remote notifications.

In order to support APNs, a server component is required. The server component receives a trigger from the Exchange server and then sends an APNs notification to the Secure Mail application.

Q11: Where is the listener service hosted?

A: The listener service is hosted on Amazon Web Services (AWS). It is configured as an HA/DR service. The listener service will be available in three regions – Americas, EMEA, APAC. The IT admin will have to select the region that is closest to the Exchange Server.

Q12: What is the Citrix hosted listener service URL?

The listener service URLs and IP addresses are based on region:

– Americas:

– EMEA:

– APAC:

Configuration and Setup

Q1: What does the customer IT admin need to do to enable APNs push notifications for WM?

A: The document by the Mobility Experts team provides step-by-step instructions and screenshots to set up APNs notifications, Citrix Blog – Mobility Experts: A Step-by-Step Guide to Configuring Secure Mail APNS

Q2: Can I use the MDM server APNs certificate for my Secure Mail App ID?

A: No. The MDM server APNs certificate is required for XDM/XMS to manage iOS devices. The Secure Mail APNs certificate is required to support APNs push notifications for the Secure Mail application.

Q3: How do I generate the APNs certificate for Secure Mail?

A: The APNs certificate for Secure Mail application is generated by IT admin using the Apple developer portal. This is the same portal used to register the app with Apple (with a specific app ID). When the APNs certificate is generated, the IT admin can upload that using the Xenmobiletools portal. For more information, refer to the step-by-step instructions from Apple on generating and exporting APNs certificates – Configuring Push Notifications.

Q4: How do I renew the APNs certificate for Secure Mail when it expires?

A: A new APNs certificate should first be generated via the Apple developer portal and exported. You then go to xenmobiletools.citrix.com and update the certificate that has been previously uploaded for Secure Mail. This is done by selecting the ‘Update’ action for the Secure Mail app ID in the uploaded certificates list.

Q5: The Exchange server is behind a firewall. Do I need to allow outbound connection to the Citrix hosted listener service?

A: Yes. Ensure outbound SSL connections are not blocked by the Firewall to the Citrix hosted service for your region:

– Americas:

– EMEA:

– APAC:

Q6: How do I configure Exchange to reach the listener service when there is a proxy server?

A: If you have a proxy server, you should allow Exchange to bypass the proxy and route traffic directly to the listener service:

  • On Exchange for EWS, make the following update to the XML in the web.config file in the ClientAccess\exchweb\ews folder:

      <configuration>
        <system.net>
          <defaultProxy>
            <proxy usesystemdefault="false" proxyaddress="http://proxy.ournetwork:8080" bypassonlocal="true" />
          </defaultProxy>
        </system.net>
      </configuration>

  • For the Proxy: configure the bypass list to allow Exchange to make the connection to the listener service. Depending on the proxy you are using, you can filter this to the specific FQDN for the listener service. Refer to the section under Push notifications: https://msdn.microsoft.com/en-us/library/office/aa579128(v=exchg.140).aspx.

Q7: What are the configurations required when EWS and ActiveSync servers are different?

A: For Secure Mail to be able to connect to the EWS server, the following configuration is required:

  1. Update the hidden policy for the EWS server FQDN in the Secure Mail policy XML file:

    <key>PushNotificationsEWSHostName</key>

    <string></string>

  2. If using STA for Secure Mail, then you need to add the EWS FQDN to the background services policy just like the ActiveSync server FQDN.

    Note: EWS usage from the Secure Mail application is only during subscription of EWS push notifications. Mail data traffic will continue to flow via ActiveSync.

Q8: Can ActiveSync and EWS use different authentication methods?

A: No. Secure Mail requires that both ActiveSync and EWS use the same authentication method for SSO. If you want to enable EWS certificate-based authentication only for Secure Mail clients, so that other EWS mail clients are not impacted, one of the following configurations can be used:

  1. Using NetScaler KCD: Using NetScaler AAA and KCD, the certificate can be used to authenticate at the NetScaler, and authentication is then delegated to the Exchange CAS. See this post for more details on configuring Secure Mail and KCD with NetScaler AAA – How to: Single Sign on to XenMobile Secure Mail.
  2. New IIS Site on the Exchange server with an EWS Virtual Directory: Microsoft supports configuring a new EWS directory and ActiveSync directory in a separate IIS site on the Exchange server. This way, authentication methods can be set differently for EWS. See the Microsoft documentation for creating a new virtual directory in Exchange.
    • As part of the site-creation process, you must bind an IP address to the site; each site should have a unique IP address.
    • After you assign an IP address, create a DNS record that allows users to access the new website using a new domain name.
    • Secure Mail can be configured to connect to this separate site while leaving all other clients to connect to the default site, by specifying the FQDN of the new site in the Secure Mail Exchange server policy. This way the Autodiscover used by other clients will not be impacted by the new configuration and will still connect to the default site.

Q9: What are the configuration changes required when Split Tunneling is set to Off and STA is enabled?

A: NetScaler Gateway must allow traffic from Secure Mail to the Citrix registration service URLs so that the initial registration of the Secure Mail client to the NetScaler does not fail.

Americas:

  • https://us-east-1.pushreg.xm.citrix.com
  • 52.7.65.6 & 52.7.147.0

EMEA:

  • https://eu-west-1.pushreg.xm.citrix.com
  • 54.154.200.233 & 54.154.204.192

APAC:

  • https://ap-southeast-1.pushreg.xm.citrix.com
  • 52.74.236.173 & 52.74.25.245

Q10: What do I set the Upload Read Ahead Size to?

A: If the Exchange Server is configured for client certificate authentication, the uploadReadAheadSize parameter needs to be changed in IIS for both the EWS site and the ActiveSync site:

Q11: How can I verify that the outbound connections are working and APNs is set up?

A:
  • The outbound connection from Exchange to the listener service can be verified through the Exchange event logs, which record an event when a subscription request, or a notification for an existing subscription, is invalid or fails. You can also run a Wireshark trace on the Exchange server to confirm that outbound traffic to the listener service leaves the CAS; because the connection is TLS, the trace shows the TCP handshake and TLS session, not the notification content.
  • Two simple checks tell you whether APNs is working or the app is still badging locally:
    • First, confirm that the badge unread count matches what your Outlook client shows on your laptop or desktop.
    • Second, send the app to the background for more than 5 minutes and check whether the badge is still being updated.

Q12: I do not see the updated Secure Mail APNs policies to configure the settings.

A: These policies ship with the Beetlejuice wrapper. Ensure that, along with the Beetlejuice upgrade, you are also using the latest version of the MDX Toolkit.

Q13: Can I change the APNs policy from OFF to ON or from ON to OFF?

A: An admin can change the policy from OFF to ON; the next time Secure Mail checks in with the server and receives the updated policies, the badge begins to update through APNs. Changing from ON to OFF is not supported: if the policy is turned OFF after it has been ON, the badge continues to update.

Q14: Where do I upload the APNs certificate?

A: The listener service needs your Secure Mail APNs certificate in order to push notifications to your end users. Upload the APNs certificate at https://xenmobiletools.citrix.com; you need a Citrite ID to access the portal. Select the second option on the screen, "Upload Secure Mail APNs certificates".

Q15: Can I upload the same certificate and app ID for multiple regions?

A: Yes, the same certificate and app ID can be uploaded for multiple regions, but the portal allows only one entry per region. To upload for several regions, register each region under a different Citrite ID.

Information/Data Flow

Q1: After the admin enables APNs push, what is the end-to-end flow?

A: The end-to-end flow is as follows:

Set-up
  1. The user launches the APNs-enabled Secure Mail application on their device.
  2. iOS prompts the user to allow notifications; the user taps "Allow".
  3. iOS obtains a device token from the Apple Push Notification service on behalf of the Secure Mail application.
  4. Secure Mail registers with the Citrix-hosted listener service.
  5. Secure Mail makes an EWS call to subscribe to EWS push notifications for the inbox folder. On success, the Exchange server returns the subscription ID to Secure Mail.
  6. Secure Mail updates the Citrix-hosted listener service with the subscription ID.
Execution
  1. When there is mailbox activity, the Exchange server sends an EWS push notification to the listener service.
  2. The listener service sends an APNs push notification to Secure Mail via Apple's APNs. The push notification carries the total unread count of the inbox.
  3. Secure Mail connects to the Exchange server over ActiveSync, syncs e-mail and, if the user has enabled them in Secure Mail settings, raises mail notifications.

Q2: Does anything need to be configured on the Exchange Server to make it aware of the listener service?

A:
  • Secure Mail uses the EWS push notification APIs to communicate with the Exchange Server.
  • For most customers EWS is already enabled on the Exchange server, since Outlook for Mac uses EWS. Confirm with your Exchange administrator that EWS is not disabled or restricted to specific user agents (the EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList and EwsBlockList settings on Set-CASMailbox and Set-OrganizationConfig).
  • At first-time use (FTU), after an upgrade, or when the client receives the policy change that turns on APNs, the client sends a push subscription request to Exchange. The URL of the listener service is carried in that request, which is how the Exchange server learns which listener service to call to trigger push notifications for the device; no listener-specific configuration is needed on Exchange beyond allowing EWS and the outbound HTTPS connection to the listener.
  • Refer to the tech note on EWS push notifications for the complete details of the client's subscription request.

Q3: What server role on Exchange carries out the communication with the listener service?

A: CAS – Client Access Server

Q4: What kind of information does the listener service know about a mailbox?

A: No Personally Identifiable Information (PII) is available to the listener service, and no mail data flows through it. The listener service stores the following:

  1. Device token ID, assigned to the device during initial registration with the listener service
  2. EWS subscription ID, assigned by Exchange to the client in response to the EWS push subscription request
  3. EWS folder ID of the inbox
  4. ActiveSync ID, hashed with SHA-256
  5. E-mail address, hashed with SHA-256
  6. iOS version
  7. APNs-specific information (notification ID, etc.)

Note that a SHA-256 of an address is deterministic unless it is salted: it prevents the address from being read back out of the stored data, but anyone holding a candidate address can hash it and test for a match, so the hash still links a record to that address.

Q5: How will the actual mail data traffic flow?

A: This will continue to flow between the device and the exchange server via ActiveSync (no change in the behavior).

Q6: What happens if the EWS connection from Exchange to the listener service fails?

A:
  • Exchange retries the connection for up to 15 minutes, following the retry algorithm Microsoft describes for the StatusFrequency element of a push subscription.
  • If there is still no success after 15 minutes, Exchange terminates the client's subscription.
  • While Secure Mail is in the foreground, it checks its registration status with the listener service every 5 minutes.
  • If 30 minutes have passed since the listener service last received an update from Exchange, the client sends a new subscription request to Exchange, since Exchange will have terminated the subscription after its 15 minutes of retries.
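The set-up and execution steps of Information/Data Flow Q1 and Q2, together with the Q6 re-subscription rule, as an added Python model. This is not Citrix's code and not the real listener service; it assumes the public EWS SOAP namespaces and element names (Subscribe/PushSubscriptionRequest from the client, SendNotification/SendNotificationResult at the listener). The callback path under the pushreg host, the mailbox address, device and subscription IDs, watermarks and timestamps are constructed for the example, and taking the badge count from the UnreadCount of a folder ModifiedEvent is an assumption about where the listener gets that number.

```python
"""Added example, not Citrix code: the Secure Mail / Exchange / listener exchange of Q1-Q2
and the Q6 re-subscription rule, modelled with the standard library. Assumed, not from the
page: SOAP namespaces and element names are the public EWS ones; the callback path,
mailbox, IDs, watermarks and timings below are made up."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS_S = "http://schemas.xmlsoap.org/soap/envelope/"
NS_M = "http://schemas.microsoft.com/exchange/services/2006/messages"
NS_T = "http://schemas.microsoft.com/exchange/services/2006/types"
for _p, _u in (("s", NS_S), ("m", NS_M), ("t", NS_T)):
    ET.register_namespace(_p, _u)

# Q6: Exchange retries a failing callback for 15 min, then drops the subscription; the
# client's 30-min silence threshold is deliberately past that point.
EXCHANGE_RETRY_WINDOW = timedelta(minutes=15)
CLIENT_RESUBSCRIBE_AFTER = timedelta(minutes=30)


def build_push_subscribe(callback_url, status_frequency_min=1):
    """Set-up step 5: the EWS Subscribe the client sends; <t:URL> tells CAS where to post (Q2)."""
    env = ET.Element(f"{{{NS_S}}}Envelope")
    req = ET.SubElement(ET.SubElement(ET.SubElement(env, f"{{{NS_S}}}Body"), f"{{{NS_M}}}Subscribe"),
                        f"{{{NS_M}}}PushSubscriptionRequest")
    ET.SubElement(ET.SubElement(req, f"{{{NS_T}}}FolderIds"), f"{{{NS_T}}}DistinguishedFolderId", Id="inbox")
    evs = ET.SubElement(req, f"{{{NS_T}}}EventTypes")
    for ev in ("NewMailEvent", "ModifiedEvent"):  # a folder ModifiedEvent carries UnreadCount
        ET.SubElement(evs, f"{{{NS_T}}}EventType").text = ev
    ET.SubElement(req, f"{{{NS_T}}}StatusFrequency").text = str(status_frequency_min)
    ET.SubElement(req, f"{{{NS_T}}}URL").text = callback_url
    return ET.tostring(env, encoding="unicode")


class Listener:
    """Citrix-hosted listener per Q4: tokens, IDs and SHA-256 hashes, never addresses or mail."""
    def __init__(self):
        self.by_token, self.by_subscription = {}, {}

    @staticmethod
    def hash_value(value):
        return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()

    def register(self, device_token, email, activesync_id, ios_version, now):
        """Set-up step 4: first registration, before any Exchange subscription exists."""
        rec = {"device_token": device_token, "email_sha256": self.hash_value(email),
               "activesync_id_sha256": self.hash_value(activesync_id), "ios_version": ios_version,
               "subscription_id": None, "inbox_folder_id": None, "last_exchange_update": now}
        self.by_token[device_token] = rec
        return rec

    def set_subscription(self, device_token, subscription_id, inbox_folder_id):
        """Set-up step 6: the client reports the subscription id Exchange returned."""
        rec = self.by_token[device_token]
        rec["subscription_id"], rec["inbox_folder_id"] = subscription_id, inbox_folder_id
        self.by_subscription[subscription_id] = rec

    def handle_send_notification(self, xml_text, now):
        """Execution steps 1-2: answer the SendNotification CAS posted and build the APNs
        badge payload. Returns (soap_reply, apns_payload_or_None)."""
        root = ET.fromstring(xml_text)
        rec = self.by_subscription.get(root.findtext(f".//{{{NS_T}}}SubscriptionId"))
        if rec is None:  # unknown or stale subscription: tell Exchange to stop calling back
            return self._reply("Unsubscribe"), None
        rec["last_exchange_update"] = now  # StatusEvent heartbeats refresh this as well
        unread = root.findtext(f".//{{{NS_T}}}UnreadCount")
        payload = None if unread is None else {"device_token": rec["device_token"],
                                                "aps": {"badge": int(unread)}}
        return self._reply("OK"), payload

    @staticmethod
    def _reply(status):
        return (f'<s:Envelope xmlns:s="{NS_S}" xmlns:m="{NS_M}"><s:Body><m:SendNotificationResult>'
                f'<m:SubscriptionStatus>{status}</m:SubscriptionStatus></m:SendNotificationResult>'
                '</s:Body></s:Envelope>')


def client_needs_resubscribe(rec, now):
    """Q6: evaluated at each 5-minute foreground check-in."""
    return now - rec["last_exchange_update"] >= CLIENT_RESUBSCRIBE_AFTER


# Constructed sample of the callback CAS posts after one new mail lands in the inbox.
SAMPLE_NOTIFICATION = f"""<s:Envelope xmlns:s="{NS_S}" xmlns:m="{NS_M}" xmlns:t="{NS_T}"><s:Body>
<m:SendNotification><m:ResponseMessages><m:SendNotificationResponseMessage ResponseClass="Success">
<m:ResponseCode>NoError</m:ResponseCode><m:Notification><t:SubscriptionId>SUB-0001</t:SubscriptionId>
<t:PreviousWatermark>WM-1</t:PreviousWatermark><t:MoreEvents>false</t:MoreEvents>
<t:NewMailEvent><t:Watermark>WM-2</t:Watermark><t:TimeStamp>2019-03-01T09:15:00Z</t:TimeStamp>
<t:ItemId Id="ITEM-42" ChangeKey="CK-1"/><t:ParentFolderId Id="INBOX-1" ChangeKey="CK-2"/></t:NewMailEvent>
<t:ModifiedEvent><t:Watermark>WM-3</t:Watermark><t:TimeStamp>2019-03-01T09:15:00Z</t:TimeStamp>
<t:FolderId Id="INBOX-1" ChangeKey="CK-3"/><t:UnreadCount>7</t:UnreadCount></t:ModifiedEvent>
</m:Notification></m:SendNotificationResponseMessage></m:ResponseMessages></m:SendNotification></s:Body></s:Envelope>"""


def run_flow():
    """Walk the Q1 set-up and execution steps once and return what each side produced."""
    t0 = datetime(2019, 3, 1, 9, 0, 0)
    listener = Listener()
    rec = listener.register("tok-1", "Alice@Example.com ", "AS-DEVICE-1", "12.1", t0)  # constructed
    request = build_push_subscribe("https://us-east-1.pushreg.xm.citrix.com/ews/callback")  # path assumed
    listener.set_subscription("tok-1", "SUB-0001", "INBOX-1")  # id Exchange returned (constructed)
    reply, apns = listener.handle_send_notification(SAMPLE_NOTIFICATION, t0 + timedelta(minutes=15))
    return {"record": rec, "subscribe_request": request, "reply": reply, "apns": apns,
            "resubscribe_at_20": client_needs_resubscribe(rec, t0 + timedelta(minutes=35)),
            "resubscribe_at_30": client_needs_resubscribe(rec, t0 + timedelta(minutes=45))}
```

Calling run_flow() walks both sides once: the subscribe request the client would send (with the listener URL inside it), the record the listener holds (hashes, not the address), the SendNotificationResult it answers with, and the APNs badge payload. The Unsubscribe reply for an unknown subscription ID is the operationally important branch: it is what stops Exchange from calling back indefinitely for devices that have been wiped or re-enrolled, and it is the same teardown Exchange performs itself after the 15-minute retry window in Q6.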

Q7: Why are we using 'Push' instead of 'Streaming' notifications? Microsoft seems to recommend the latter.

A: Microsoft recommends streaming over push only because it avoids the overhead of an additional listener service that has to be written and maintained. Since Citrix hosts the listener service, a push solution is just as viable and effective.

In addition, with the streaming approach the server would have to subscribe to Exchange for the updates itself, which requires the user's credentials. That is not acceptable for a cloud-based offering; it would be the approach for an on-premises solution.

Q8: What information will help Citrix Support if I need assistance troubleshooting my APNs setup?

A:
  • Secure Mail logs, with the log level set to Debug 10, or preferably 15
  • Your APNs tenant ID
  • Screenshots of the badge count and of the AppController policy settings

Additional Resources

CTX200971 – How to Prepare Secure Mail for APNs XenMobile App

CTX201025 – FAQ: Badge Behavior and Notifications Behavior for End Users

Citrix Blog – Mobility Experts: A Step-by-Step Guide to Configuring Secure Mail APNS

XenMobile How Do I

Related:

Citrix Secure Mail Unable to Sync New Data or Show Notifications Since iOS 11.0

With the release of Secure Mail 10.8.20, Citrix has rearchitected the way notifications are received, using rich push notifications, so that you receive lock-screen notifications for your inbox even when Secure Mail is not running in the background.

For more information, please refer to the Rich Push Notifications section in this article.
