How to Use Citrix Endpoint Management (XenMobile) Device Policies

Review the following link for additional details on Device Policies: Click Here

Below are the top questions around device policies:

Q: Our user does not have GAL (Global address book) functionality on their systems, and they are managing the local mobile device address book by saving a vcf file locally on the device and importing it manually.

Now they would like to use a Citrix Endpoint Management (XenMobile) policy file to deploy the address book to an Android device, and this is working.

The problem is that they still have to manually import new contacts into the address book. They would like this to happen automatically upon every change in the vcf file. Do you have any idea how to make this possible?

A: There is no automatic way to update contacts; you need to rely on pushing the file with the MDM policy and updating it manually. There is currently an enhancement request to add GAL support on Secure Mail.

Q: Is it possible to block launching Google Play but still leave the possibility of updating already installed applications?

A: You can use Citrix Launcher to block Google Play access from the devices, but users will still be able to update the apps. Otherwise it is not possible to update the app, since the devices need access to Google Play by default when updating an application. Details about Citrix Launcher

Q: Is it possible to configure a policy that allows usage of Google Play if the user of the mobile device is given a PIN key, which can be changed at the request of the admin?

A: No, this is not possible at the moment. To get a PIN, every application must be wrapped with MDX; otherwise it is not possible. Alternatively, you can use Citrix Launcher to allow access to Google Play for some delivery groups.

Q: How do we remove the lock after locking an Android device? (Using Secure actions, set Lock, the assigned PIN stays there and the user needs to manually remove the lock using the mobile device settings.)

A: It is not possible to remove the PIN. It works like this by design at the moment.


Submit a Form

Download the ShareFile Workflows mobile app

You can download the ShareFile Workflows app from the iOS App Store or Google Play Store (or click the image below on your mobile device).



Submit a Form that has been assigned to you

To see a form in the web app, sign in to your ShareFile account and navigate to the Forms section under the Workflows section.

To see a form in the mobile app, download and install the ShareFile Workflows mobile app and sign in to your ShareFile account when prompted.

Example: iOS App


You can now also submit forms from your web browser. Any form that has been shared with you will be listed in the Forms section of ShareFile. Click a form to open it. Use the provided fields to complete your form, then click the Submit button to complete it.


After a form has been submitted

After a form has been submitted by a user, the user designated as an “approver” or “email recipient” will receive the appropriate email notification automatically.

For example, if an approval workflow was added as an action in the Custom Workflow, the designated recipient will automatically receive a link to the submission, where he or she can provide comments, approve, or reject the submitted information.

Workflow App Settings

The Settings icon in the upper left allows you to review the following:



SEP Mobile not passing initial setup



I am currently doing a trial run on SEPC and I am trying to enroll my iOS devices but I am getting error code 7154.

I logged in via Safari to SEPC console, went to Groups, Users and Devices, clicked on Enroll this device. Then installed profile into phone, after that it installed SEP Mobile. All policies are default.



Fix: Outlook does not support connections to Exchange ActiveSync

While trying to connect an Outlook account to Exchange using the ActiveSync protocol, users may get the "Outlook does not support connections to Exchange by using ActiveSync" error. This error commonly occurs when Outlook does not support the connection to a server that is running Exchange Server. A similar discussion can also be read on the Microsoft Community forum.

On the same Windows 8 Pro machine, on the same user account – Windows Mail app is connected successfully to my corporate e-mail account (‘Outlook‘ account type, use SSL connection, domain and user name specified).

In Outlook 2013 the same account can’t be connected (selecting ‘ActiveSync’ account type, specifying server name and user name, however there are no options to specify SSL and domain) – getting error message ‘Log onto Exchange ActiveSync mail server (EAS): The server cannot be found.’

Follow the steps listed in the article below to fix Outlook server issue with ActiveSync and Exchange.

Is the Exchange Activesync supported by Outlook?

1. Connect to Exchange using Standard Exchange Connection

  1. Launch the Outlook desktop app.
  2. Click on File and then click on Add Account button.

  3. Enter your email address and click Connect.
  4. Now you will be asked to enter your password again. Enter the password, and click OK.
  5. Click Finish to connect to exchange using standard exchange connection.
  6. Trying to set up your email account manually can create issues like the one mentioned earlier. Try to set up the email account normally and check if the error is resolved.


2. Configure Outlook 2013 / 2016 Manually

  1. If you want to configure Outlook for Exchange by using ActiveSync do the following.
  2. Launch the Outlook desktop client.
  3. Choose “New Email Account“.
  4. Select “Manual setup or additional server types“.

  5. Select “Exchange ActiveSync“.
  6. Now fill in the server settings. The username can be in Domain\username format.
  7. Now press and hold the Enter key on the keyboard until all the boxes go away.
  8. Once the connection goes through, launch the Outlook client and check if the error is resolved.

For Outlook 2016 / Office 365

  1. Launch the Outlook client in your Windows system.
  2. Click on File and select Add Account.
  3. Now enter the email address for the account and click the Advanced Options.
  4. Select “Let me set up my account manually” option.

  5. Click the Connect button.
  6. Select “Exchange” option.

  7. Enter the password for your ID and check if the connection is established without any error.

The EAS protocol provides access to data in Exchange mailboxes, keeping all of your connected devices in sync. Since an EAS connection does not provide all the features of an Exchange account, Outlook does not support this method, resulting in the error.


CVE-2016-5109 – Authentication bypass vulnerability in Citrix Worx Home for iOS and Citrix MDX Toolkit for iOS

Citrix has released a new version that addresses this vulnerability. Citrix recommends that customers upgrade to XenMobile MDX Toolkit and Worx Home 10.3.6.x and later. These new versions can be found at the following location:

Enterprise applications that encrypt application data using the Worx PIN or AD password are not affected. Customers can configure XenMobile Server to encrypt application data with the Worx PIN or AD password through the XenMobile administration console. This can be accomplished by navigating to Settings > Client Properties on the XenMobile Server Administration GUI and ensuring that ENCRYPT_SECRETS_USING_PASSCODE is set to true.

For more information on this, please see the XenMobile Administrators guide at the following location:


XenMobile Server 10.9.0 Rolling Patch 2

Package name: xms_10.9.0.10204.bin

For: XenMobile Server 10.9.0

Deployment type: On-premises only

Replaces: xms_10.9.0.10105.bin

Date: January, 2019

Languages supported: English (US)

Readme version: 1.00

Readme Revision History

Version | Date          | Change Description
1.00    | January, 2019 | Initial release

Important Notes about This Update

As a best practice, Citrix recommends that you install this and other updates only if you are affected by the specific issues they resolve.

Where to Find Documentation

This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, see XenMobile Server 10.9 on the Citrix Product Documentation site.

What’s new

  • Support for Endpoint Data Protection. You now have the ability to choose whether Endpoint Management encrypts data on your device or if you want to allow the device platform to handle encryption. When you switch to device platform encryption, Endpoint Management decrypts existing files and databases in the background next time the app launches. You configure Endpoint Data Protection settings when adding an iOS app. For information about the MDX policies, see MDX policies for iOS Apps.

    [From xms_10.9.0.10204.bin][CXM-55926]

  • Support for the following new app restrictions for devices running iOS:

    • Documents from managed apps in unmanaged apps
    • Documents from unmanaged apps in managed apps

    [From xms_10.9.0.10204.bin][CXM-59603]

  • The Restrictions device policy for Android Enterprise now includes the setting “Allow copy and paste”. This policy is available on devices running Android 5 or later.

    [From xms_10.9.0.10204.bin][CXM-59877]

For information about XenMobile Server 10.9.0 Rolling Patch 1 release, see XenMobile Server 10.9.0 Rolling Patch 1.

Known Issue(s) in this Release

  1. When you provide a non-numeric value or empty double quotes for property name in the pki.xml file, the XenMobile Server boots to the recovery mode.

    [From xms_10.9.0.10204.bin][CXM-60545]

New Fixes in This Update

  1. When you have set a non-default value to pki.xml file and then import it, the pki.xml file resets to the default value.

    [From xms_10.9.0.10204.bin][CXM-38390]

  2. When you upload Google Play services APK versions later than 11.5.09 in the XenMobile Server console, multiple “500 Internal Server Error” messages appear. The error message persists even after closing the error window.

    [From xms_10.9.0.10204.bin][CXM-59022]

  3. When you upgrade from XenMobile Server version 10.9 to 10.9 RP1, a fatal error message appears in the debug log file.

    [From xms_10.9.0.10204.bin] [CXM-59040]

  4. In the Shared devices mode for Android, you receive a prompt to install required apps even when all the required apps are installed on the device.

    [From xms_10.9.0.10204.bin] [CXM-59182]

  5. For devices enrolled with the XenMobile Server set to the MAM mode, the license count appears incorrectly and keeps increasing, resulting in a license overconsumption notification.

    [From xms_10.9.0.10204.bin] [CXM-59539]

  6. When you deploy the following policies on devices running iOS 12 or later, the Create Event calendar option does not appear:

    Documents from managed apps in unmanaged apps [OFF]

    Documents from unmanaged apps in managed apps [ON]

    [From xms_10.9.0.10204.bin][CXM-59603]

    Note: This is an Apple limitation and is tracked in [CXM-60708].

  7. When you enroll devices and modify the Delivery Groups, the changes do not reflect after a server refresh cycle. This occurs when public IP addresses are configured as XenMobile node IP addresses in a cluster.

    [From xms_10.9.0.10204.bin][CXM-60290]

  8. You are unable to push Provisioning profiles on to XenMobile Server version 10.8, and the device states appear as “Pending” along with the java.lang.NullPointerException error.

    [From xms_10.9.0.10204.bin][CXM-60370]

Fixes From Replaced Releases

  1. When you create a Web&SaaS app through the XenMobile server console and have modified the User Account option, and try to edit the User Account option, the default value appears.

    [From xms_10.9.0.10105.bin][CXM-53722]

  2. For Android devices, when a certificate renewal does not succeed or is cancelled, checking the Delivery Group logs shows that the enrollment certificate renewal completed successfully.

    [From xms_10.9.0.10105.bin][CXM-55352]

  3. For Android devices, the Device administrator disabled property is missing when you navigate to Device management > Device > Properties.

    [From xms_10.9.0.10105.bin][CXM-56098]

  4. When you enroll a device in the Profile Owner mode, the Android Enterprise apps are not available.

    [From xms_10.9.0.10105.bin][CXM-56629]

  5. While editing an app in the app store that contains a special character in the description, the 500 Internal Server Error appears.

    [From xms_10.9.0.10105.bin][CXM-56638]

  6. When StoreFront is integrated with XenMobile Server, non-primary domains cannot enroll.

    [From xms_10.9.0.10105.bin][CXM-56640]

  7. MDX-wrapped Android apps might download slowly from the Citrix Secure Hub app store.

    [From xms_10.9.0.10105.bin][CXM-57697]

  8. When you upload a new version of MDX file through the XenMobile Server console to replace an older MDX version using a REST API call to update platform details, the new MDX version does not appear in the console.

    [From xms_10.9.0.10105.bin][CXM-57787]

  9. The ability to configure the server property max.renew_device_cert_requests.allowed is removed. By default, the number of devices on which you can request certificate renewal simultaneously is 100.

    [From xms_10.9.0.10105.bin][CXM-57830]

  10. When you create an iOS public store app and assign it to a Delivery Group and enroll the iOS device, the app fails to install.

    [From xms_10.9.0.10105.bin][CXM-58583]

  11. The following error is displayed while adding a registry key to a Windows Embedded Compact policy if the length of the registry value is more than 2048 characters:

    “Console error: could not execute statement; SQL [n/a]; nested exception is org.hibernate.exception.DataException: could not execute statement.”

    [From xms_10.9.0.10105.bin][CXM-58834]

  12. You are unable to upload Google Play services APK versions later than 11.5.09 in the XenMobile Server console.

    [From xms_10.9.0.10105.bin][CXM-58952]

  13. You are unable to import and install B2B apps delivered through Volume Purchase Program (VPP) after you migrate DEP accounts to Apple Business Manager.

    [From xms_10.9.0.10105.bin][CXM-59300]

Installing This Update

Note: If your system is configured in cluster mode, follow the steps below to update each node, one after the other.

Important: Before installing this update, take a snapshot of the current settings and create a backup of the database.

  1. Log on to your account on the Citrix website and download the XenMobile Server update (.bin) file to an appropriate location.
  2. In the XenMobile Server Console of a node click Settings > Release Management. The Release Management page appears, which displays the currently installed software version, as well as a list of any updates, patches, and upgrades you have already uploaded.
  3. Under Release Management, click Update. The Update dialog box appears.
  4. Click Browse to upload the update (.bin) file you have downloaded from
  5. Click Update and then, if prompted, restart the XenMobile Server node using the command line.

To verify the patch deployment

After installing this patch, log on to the XenMobile Server Console as an administrator, then navigate to Settings > Release Management > Updates. Information about the most recent successful patch installation appears in this section.