XenMobile Analyzer Tool

The new XenMobile Analyzer Tool is a cloud-based solution that allows XenMobile administrators to diagnose issues proactively and in real time. XenMobile Analyzer environmental checks can identify device issues, user enrollment issues, and authentication issues. Numerous use-cases and deployment options are supported including MDM, MDM + MAM, MAM-only and five different authentication scenarios on both iOS and Android mobile environments.

Citrix Cerebro functionality has now been integrated into XenMobile Analyzer!

Visit our YouTube channel for a demonstration of XenMobile Analyzer Tool. The XenMobile Analyzer Tool is currently available on the XenMobile Management Tools page .

Please note, XM Analyzer tool does not currently function in the Workspace. Citrix is aware of this issue and currently investigating.

Scheduling Periodic Health Check Using XenMobile Analyzer Tool

XenMobile Analyzer Tool now provides you with the facility to monitor your XenMobile environment periodically. You can choose the time and frequency of when the health check should run. During configuration you will have to provide an email address and this email will be used by the XenMobile Analyzer Tool to send notifications on the health check. The XenMobile Analyzer Tool runs health checks automatically at the scheduled intervals and sends you email notifications on the results of the health checks.

Adding a New Health Check Schedule

  1. After you have set up your test environment, select it from the list and click Add Schedule.

    User-added image

    Or, you can also do this when you are on the Report page of a completed test.

    User-added image

  2. Click I Agree button to enable XenMobile Analyzer to store the test user credentials securely and click Continue.

    User-added image

  3. Enter the user credentials used for testing and click Continue.

    User-added image

  4. Select whether you want the health check to run Daily or Weekly and pick a time to run the health check. Select your time zone from the drop-down list.

    Next, select a date for the health checks to stop running.

    Finally, in the Recipients text-box, enter the email addresses (separated by comma if more than one) to which notification alerts about the scheduled tests will be sent.

    Click Save.

    User-added image

  5. Your scheduled health check is created.

    User-added image

After you successfully schedule a health check, you will receive an email from xma_admin@citrix.com confirming that the schedule has been added. The health check will run at the scheduled time in XenMobile Analyzer Tool. And every time the scheduled health check runs, you will get the notification email on the status of the health check.

Editing a Health Check Schedule

  • At any time, you can select the test environment where you want to edit the schedule and click Edit Schedule to change any of the variables entered. You can also pause/resume the health check schedule at any time using the ON/OFF switch.

    User-added image

Supported Test Environments for Adding Health Check Schedule

You will be able to only schedule tests which use:

  • LDAP authentication
  • Certificate authentication
  • LDAP + Certificate based enrollment authentication

You will not be able to schedule tests which have the following type of enrollment:

  • Invitation URL – because the invitation URL will be redeemed after the first enrollment and cannot be reused for next time.
  • Two-factor authentication which uses Security Token – because the token will expire in a short period of time.
  • Username + PIN enrollment
  • Username + Password + PIN enrollment


Citrix Gateway Native OTP not working with Citrix IOS Workspace Client

Nfactor support is planned for future releases of IOS Workspace. Meanwhile,by altering the configuration slightly on the AAA Vserver on Citrix Gateway i.e. for IOS Workspace clients – evaluate the passcode (OTP) first then followed by LDAP Credentials, we can solve this issue. Please follow the steps below from GUI.


1. Native OTP should be configured and working (i.e. Tested via Browser / Citrix Workspace for Windows / Citrix Workspace for Android)


2. identify the AAA Vserver used for Native OTP

If you followed the above configuration example: this it would be “authvs”

3. Identify the policy for LDAP Auth – this is the one bound to the LDAP Action with Authentication Enabled (Note – Authentication is enabled by default)

If you followed the above configuration example: this it would be “auth_pol_ldap_logon”

4. Identify the ldap action for OTP Verify – this is the ldap action with Auth Disabled

If you followed the above configuration example: this it would be “ldap_otp_action”

5. Identify the Gateway Session policy and profile for Receivers ensure the plugin-type is set to “Java”


Section1: Create a policy for OTP Verification for IOS Workspace Clients (Factor1)

  • Navigate to: Security ==>AAA – Application Traffic==>Policies==>Authentication==>Advanced Policies==>Authentication Policies ==> ADD
  • Name: IOS_WORKSPACE_Factor1
  • Action Type: LDAP
  • Action: ldap_otp_action (as noted in
  • Expression: HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“CitrixReceiver”) && HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“IOS”)
  • Click OK

Section2: Create a policy label for LDAP Credential Verification (Factor2)

  • Navigate to: Security ==>AAA – Application Traffic==>Policies==>Authentication==>Advanced Policies==>Authentication Policy Labels ==> ADD
Name: Plabel_LDAP_AUTH
Schema: “LSCHEMA_INT”,
  • Click on Continue
  • In the policy binding section Click on “Click to Select” and from the list select the policy for LDAP Auth (in this case “auth_pol_ldap_logon”, as noted in #3 in prerequisites)
  • Click on Bind

Section3: Bind Factor1 with next Factor as Factor2 on AAA Vserver

  • Navigate to: Security ==> AAA – Application Traffic ==> Authentication Virtual Servers
  • Select the auth vserver (in this case “authvs”) and hit EDIT
  • Click on “Authentication Policy”, this will bring up the list of Authentication policies bound to the AAA Vserver, make a note of the lowest priority no
  • Click on ADD Binding
Click on the “Select Policy Section”, and from the list select the policy created in Section1 i.e. IOS_WORKSPACE_Factor1

Set Priority to a lower no than then lowest priority number noted above

Set Goto Expression to “END”

Click on the “Select Next Factor” option, and from the list select the policy label created in Section2 i.e. “Plabel_LDAP_AUTH”
  • Click Bind.
  • Close the AuthPolicy list and hit Done


LDAP Windows Update (ADV190023) and Impact to Citrix Virtual Apps and Desktop Components

Impact to Citrix Technology

  • This update will not impact Citrix Virtual App and Desktop Windows components: The update anticipated for the second half of 2020 requires SSL/TLS encryption for communication occurring over 389 and 636 to prevent any PLAINTEXT communication over both ports. Virtual App and Desktop Windows components do not rely on PLAINTEXT communication over 389.
  • The update may impact Linux VDA. Linux VDA depends on LDAP for VDA registration and policy evaluation. To resolve, configure LDAPS for Linux VDA.
  • The update may impact Citrix ADC/GW LDAP communication if the customer has configured the LDAP Service for PLAINTEXT. To resolve, you should modify the LDAP to use TLS or SSL as described in CTX269461.

Other Components not affected:

  • Citrix Cloud Connectors
  • Citrix Apps and Desktops – Virtual Delivery Agent
  • Citrix Apps and Desktops – Broker
  • Workspace App
  • Storefront
  • Director
  • App Layering
  • Workspace Environment Management
  • Endpoint Management
NOTE: – Microsoft is releasing a security update (ADV190023) with below changes to Active Directory Domain Controllers.
  1. Enable LDAP channel binding
  2. Enable LDAP signing

For more details on the Microsoft update please refer to below link:

This update is expected in March 2020.


      Remove orphan ldap sync server from Vip enterprise gateway console

      I need a solution


      In our environment we have lost one of the gateways that synced the with ldap directory and we implemented a new one in a different ip, but we are still seeing in Home / user store in the vip gateway console the lost server.

      How we can remove this orphaned instance of the gateway?



      Getting Error “internal service Error” when accessing the gateway externally

      If we get this error first thing to check is if we are able to resolve Storefront FQDN or base URL from netscaler.

      If not make an A record in Netscaler DNS.

      Or else give the IP of Storefront in session profile like:

      *Where is our SF IP and SF is our store name.

      Also make sure that the SSO domain that we add in session profile is same as the Userdomain.

      To check this run “set” command on storefront command line and check the Userdomain field.

      If we still get errors like “cannot complete your request”, check the LDAP profile.

      It may have an entry in SSO name attribute field like “cn.”

      Remove it.

      We need SSO name attribute in only multiple domain environment, and that should be set as “userPrincipalName ” in that case.