XenMobile

iOS

To manage iOS devices in XenMobile Server, you set up an Apple Push Notification service (APNs) certificate from Apple. For information, see APNs certificates.

Enrollment profiles determine whether iOS devices enroll in MDM+MAM, with the option for users to opt out of MDM. XenMobile Server supports the following authentication types for iOS devices in MDM+MAM. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain

Requirements for trusted certificates in iOS 13:

Apple has new requirements for TLS server certificates. Verify that all certificates follow the new Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176. For help with managing certificates, see Uploading certificates in XenMobile Server.
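As an added example (not Citrix code), the following Python checks a server certificate against the rules Apple states in HT210176 for iOS 13: RSA keys of at least 2048 bits, a SHA-2 signature, DNS names in the subjectAltName extension, a validity period of at most 825 days (for certificates issued on or after July 1, 2019), and serverAuth in extendedKeyUsage. The function names and the summary dict are my own; parsing a PEM file needs the third-party cryptography package, while the rule check itself runs without it.

```python
# Added example, not Citrix code: checks a TLS server certificate against the
# rules Apple published for iOS 13 (HT210176): RSA key >= 2048 bits, SHA-2
# signature, DNS names in subjectAltName, validity <= 825 days, serverAuth EKU.
MAX_VALIDITY_DAYS = 825
MIN_RSA_BITS = 2048
SHA2_HASHES = {"sha256", "sha384", "sha512"}


def check_apple_tls_requirements(summary):
    """Return the failed requirements (empty list means compliant).
    summary keys: rsa_bits (None for non-RSA), hash_alg, validity_days,
    san_dns_names, ekus. Plain dict so the rules are testable without parsing."""
    failures = []
    if summary["rsa_bits"] is not None and summary["rsa_bits"] < MIN_RSA_BITS:
        failures.append("RSA key is %d bits; need >= %d" % (summary["rsa_bits"], MIN_RSA_BITS))
    if summary["hash_alg"].lower() not in SHA2_HASHES:
        failures.append("signature hash %s is not SHA-2" % summary["hash_alg"])
    if summary["validity_days"] > MAX_VALIDITY_DAYS:
        failures.append("validity of %d days exceeds %d" % (summary["validity_days"], MAX_VALIDITY_DAYS))
    if not summary["san_dns_names"]:
        failures.append("no DNS names in subjectAltName (CN alone is not accepted)")
    if "serverAuth" not in summary["ekus"]:
        failures.append("extendedKeyUsage does not include serverAuth")
    return failures


def summarize_pem(pem_bytes):
    """Build the summary dict from a PEM certificate (needs the cryptography package)."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import ExtendedKeyUsageOID
    cert = x509.load_pem_x509_certificate(pem_bytes)
    key = cert.public_key()
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns_names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        ekus = ["serverAuth"] if ExtendedKeyUsageOID.SERVER_AUTH in eku else []
    except x509.ExtensionNotFound:
        ekus = []
    hash_alg = cert.signature_hash_algorithm  # None for e.g. Ed25519 signatures
    return {
        "rsa_bits": key.key_size if isinstance(key, rsa.RSAPublicKey) else None,
        "hash_alg": hash_alg.name if hash_alg else "none",
        "validity_days": (cert.not_valid_after - cert.not_valid_before).days,
        "san_dns_names": dns_names,
        "ekus": ekus,
    }
```

Run `check_apple_tls_requirements(summarize_pem(open("server.pem", "rb").read()))` against the certificate you plan to upload; an empty list means it passes all five checks.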

For supported operating systems, see Supported device operating systems.

iOS 14 compatibility

XenMobile Server and Citrix mobile apps are compatible with iOS 14, but don’t currently support the new iOS 14 features.

For supervised iOS devices, you can delay software upgrades for up to 90 days. In the Restrictions device policy for iOS, use these settings:

  • Force delayed software updates
  • Enforced software update delay

See iOS settings. Those settings aren’t available for devices in user enrollment mode or unsupervised (full MDM) mode.

Apple host names that must remain open

Some Apple host names must remain open to ensure proper operation of iOS, macOS, and the Apple App Store. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see https://support.apple.com/en-us/HT201999.

Supported enrollment methods

You specify how to manage iOS devices in enrollment profiles. You can choose device enrollment or no MDM enrollment.

To configure enrollment settings for iOS devices, go to Configure > Enrollment Profiles > iOS.

Enrollment Profile page for iOS

The following table lists which enrollment methods XenMobile Server supports for iOS devices:

  • Apple Deployment Program: Yes
  • Apple School Manager: Yes
  • Apple Configurator: Yes
  • Manual enrollment: Yes
  • Enrollment invitations: Yes

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program and then use it for device enrollment and management in XenMobile Server. That program is for iOS and macOS devices. See Deploy devices through Apple Deployment Program.

For education accounts, you create an Apple School Manager account. Apple School Manager unifies the Deployment Program and volume purchase. Apple School Manager is a type of Education Apple Deployment Program. See Integrate with Apple Education features.

You can use the Apple Deployment Program to bulk enroll iOS and macOS devices. You can purchase those devices directly from Apple, a participating Apple Authorized Reseller, or a carrier. Whether or not you purchase iOS devices directly from Apple, you can use Apple Configurator to enroll them. See Bulk enrollment of Apple devices.

Add an iOS device manually

If you want to add an iOS device manually, such as for testing purposes, follow these steps.

  1. In the XenMobile Server console, click Manage > Devices. The Devices page appears.

    Devices page

  2. Click Add. The Add Device page appears.

    Add Device page

  3. Configure these settings:

    • Select platform: Click iOS.
    • Serial Number: Type the device serial number.
  4. Click Add. The Devices page appears with the device added to the bottom of the list. To view and confirm the device details: Choose the device you added and then, in the menu that appears, click Edit.

    Note:

    When you select the check box next to a device, the options menu appears above the device list. When you click anywhere else in the list, the options menu appears on the right side of the listing.

    • LDAP configured

    • If using local groups and local users:

      • One or more local groups.

      • Local users assigned to local groups.

      • Delivery groups are associated with local groups.

    • If using Active Directory:

      • Delivery groups are associated with Active Directory groups.

      Device Details list

  5. The General page lists device Identifiers, such as the serial number and other information for the platform type. For Device Ownership, select Corporate or BYOD.

    The General page also lists device Security properties, such as Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type. The Full Wipe of Device field includes the user PIN code. The user must enter that code after the device is wiped. If the user forgets the code, you can look it up here.

  6. The Properties page lists the device properties that XenMobile Server is to provision. This list shows any device properties included in the provisioning file used to add the device. To add a property, click Add and then select a property from the list. For valid values for each property, see the PDF Device property names and values.

    When you add a property, it initially appears under the category where you added it. After you click Next and then return to the Properties page, the property appears in the appropriate list.

    To delete a property, hover over the listing and then click the X on the right side. XenMobile Server deletes the item immediately.

  7. The remaining Device Details sections contain summary information for the device.

    • User Properties: Displays RBAC roles, group memberships, volume purchase accounts, and properties for the user. You can retire a volume purchase account from this page.
    • Assigned Policies: Displays the number of assigned policies, including the number of deployed, pending, and failed policies. Provides the policy name, type, and last deployed information for each policy.
    • Apps: Displays, for the last inventory, the number of installed, pending, and failed app deployments. Provides the app name, identifier, type, and other information. For a description of iOS and macOS inventory keys, such as HasUpdateAvailable, see Mobile Device Management (MDM) Protocol.
    • Media: Displays, for the last inventory, the number of deployed, pending, and failed media deployments.
    • Actions: Displays the number of deployed, pending, and failed actions. Provides the action name and time of the last deployment.
    • Delivery Groups: Displays the number of successful, pending, and failed delivery groups. For each deployment, provides the delivery group name and deployment time. Select a delivery group to view more detailed information, including status, action, and channel or user.
    • iOS Profiles: Displays the last iOS profile inventory, including name, type, organization, and description.
    • iOS Provisioning Profiles: Displays enterprise distribution provisioning profile information, such as the UUID, expiration date, and managed status.
    • Certificates: Displays, for valid, expired, or revoked certificates, information such as the type, provider, issuer, serial number, and the number of remaining days before expiration.
    • Connections: Displays the first connection status and the last connection status. Provides, for each connection, the user name, penultimate (next to last) authentication time, and last authentication time.
    • MDM Status: Displays information such as the MDM status, last push time, and last device reply time.

Configure iOS device policies

Use these policies to configure how XenMobile Server interacts with devices running iOS. This table lists all device policies available for iOS devices.

  • AirPlay Mirroring
  • AirPrint
  • APN
  • App Access
  • App Attributes
  • App Configuration
  • App Inventory
  • App Lock
  • App Network Usage
  • App Uninstall
  • Apps Notifications
  • Calendar (CalDAV)
  • Cellular
  • Contacts (CardDAV)
  • Control OS Update
  • Credentials
  • Device Name
  • Education Configuration
  • Exchange
  • Font
  • Home Screen Layout
  • Import iOS & macOS Profile
  • LDAP
  • Location
  • Mail
  • Managed Domains
  • MDM Options
  • Organization Info
  • Passcode
  • Personal Hotspot
  • Profile Removal
  • Provisioning Profile
  • Provisioning Profile Removal
  • Proxy
  • Restrictions
  • Roaming
  • SCEP
  • Shared iPad - Maximum Resident Users
  • Shared iPad - Passcode Lock Grace Period
  • SSO Account
  • Store
  • Subscribed Calendars
  • Terms & Conditions
  • VPN
  • Wallpaper
  • Web Content Filter
  • Webclip
  • WiFi

Enroll iOS devices

This section shows how users enroll iOS devices (12.2 or later) into XenMobile Server. For more information about iOS enrollment, watch the following video:

iOS enrollment video

  1. Go to the App Store on your iOS device, download the Citrix Secure Hub app, and then tap the app.
  2. When prompted to install the app, tap Next and then tap Install.
  3. After Secure Hub installs, tap Open.
  4. Enter your corporate credentials, such as your XenMobile Server server name, User Principal Name (UPN), or email address. Then, click Next.

    Enter your credentials

  5. Tap Yes, Enroll to enroll your iOS device.

    Enroll the device

  6. A list of the data XenMobile Server collects appears. Click Next. An explanation of how an organization uses that data appears. Click Next.

    Information access

  7. After you type your credentials, tap Allow when prompted, to download the configuration profile. After you download the configuration profile, tap Close.

    Download the profile

  8. In your device settings, install the iOS certificate and add the device to the trusted list.
    • Go to Settings > General > Profile > XenMobile Profile Service and tap Install to add the profile.
    • In the notification window, tap Trust to enroll your device into remote management.

    Add the profile

  9. Once enrollment succeeds, open Secure Hub. If you are enrolling into MDM+MAM: After your credentials validate, create and confirm your Citrix PIN when prompted.
  10. After the workflow completes, the device is enrolled. You can then access the app store to view the apps you can install on your iOS device.

Security actions

iOS supports the following security actions. For a description of each security action, see Security actions.

  • Activation Lock Bypass
  • App Lock
  • App Wipe
  • ASM Activation Lock
  • Certificate Renewal
  • Clear Restrictions
  • Enable/Disable Lost Mode
  • Enable/Disable Tracking
  • Full Wipe
  • Locate
  • Lock
  • Ring
  • Request/Stop AirPlay Mirroring
  • Restart/Shut Down
  • Revoke/Authorize
  • Selective Wipe
  • Unlock

Lock iOS devices

You can lock a lost iOS device and display a message and phone number on the device lock screen.

To display a message and phone number on a locked device, set the Passcode policy to true in the XenMobile Server console. Alternatively, users can enable the passcode on the device manually.

  1. Click Manage > Devices. The Devices page appears.

    The Devices page

  2. Select the iOS device you want to lock.

    Select the check box next to a device to show the options menu above the device list. Click anywhere else in the list to show the options menu on the right side of the listing.

    The options menu

  3. In the options menu, click Secure. The Security Actions dialog box appears.

    The Security Actions dialog box

  4. Click Lock. The Security Actions confirmation dialog box appears.

    The Security Actions confirmation

  5. Optionally, type a message and phone number that appears on the lock screen of the device.

    iOS appends the words “Lost iPad” to what you type in the Message field.

    If you leave the Message field empty and provide a phone number, Apple displays the message “Call owner” on the device lock screen.

  6. Click Lock Device.

Put iOS devices in Lost Mode

The XenMobile Server Lost Mode device property puts an iOS device in Lost Mode. Unlike Apple Managed Lost Mode, XenMobile Server Lost Mode doesn’t require a user to perform either of the following actions to enable locating their device: Configure the Find My iPhone/iPad setting or enable the Location Services for Citrix Secure Hub.

In XenMobile Server Lost Mode, only XenMobile Server can unlock the device. (In contrast, if you use the XenMobile Server device lock feature, users can unlock the device directly by using a PIN code that you provide.)

To enable or disable lost mode: Go to Manage > Devices, choose a supervised iOS device, and then click Secure. Then, click Enable Lost Mode or Disable Lost Mode.

The lost mode options

If you click Enable Lost Mode, type the information to appear on the device when it’s in lost mode.

The information to appear on a device

Use any of the following methods to check Lost Mode status:

  • In the Security Actions window, verify whether the button reads Disable Lost Mode.
  • From Manage > Devices, on the General tab under Security, see the last Enable Lost Mode or Disable Lost Mode action.

The General tab

  • From Manage > Devices, on the Properties tab, verify that the value of the MDM lost mode enabled setting is correct.

The MDM lost mode enabled setting

If you enable XenMobile Server Lost Mode on an iOS device, the XenMobile Server console also changes as follows:

  • In Configure > Actions, the Actions list doesn’t include these automated actions: Revoke the device, Selectively wipe the device, and Completely wipe the device.
  • In Manage > Devices, the Security Actions list no longer includes the Revoke and Selective Wipe device actions. You can still use a security action to perform a Full Wipe action, as needed.

iOS appends the words “Lost iPad” to what you type in the Message field in the Security Actions screen.

If you leave the Message field empty and provide a phone number, Apple shows the message “Call owner” on the device lock screen.

Bypass an iOS activation lock

Activation Lock is a feature of Find My iPhone/iPad that prevents reactivation of a lost or stolen supervised device. Activation Lock requires the user Apple ID and password before anyone can perform these actions: Turn off Find My iPhone/iPad, erase the device, or reactivate the device. For the devices that your organization owns, bypassing an Activation Lock is necessary to, for example, reset or reallocate devices.

To enable Activation Lock, you configure and deploy the XenMobile Server MDM Options device policy. You can then manage a device from the XenMobile Server console without the Apple credentials of the user. To bypass the Apple credential requirement of an Activation Lock, issue the Activation Lock Bypass security action from the XenMobile Server console.

For example, when a user returns a lost phone, or when you set up a device before or after a Full Wipe, the phone prompts for the Apple App Store account credential. You can bypass that step by issuing the Activation Lock Bypass security action from the XenMobile Server console.

Device requirements for activation lock bypass

  • Supervised through Apple Configurator or Apple Deployment Program
  • Configured with an iCloud account
  • Find My iPhone/iPad enabled
  • Enrolled in XenMobile Server
  • MDM Options device policy, with activation lock enabled, is deployed to devices

To bypass an activation lock before issuing a Full Wipe of a device:

  1. Go to Manage > Devices, select the device, click Secure, and then click Activation Lock Bypass.
  2. Wipe the device. The activation lock screen doesn’t appear during device setup.

To bypass an activation lock after issuing a Full Wipe of a device:

  1. Reset or wipe the device. The activation lock screen appears during device setup.
  2. Go to Manage > Devices, select the device, click Secure, and then click Activation Lock Bypass.
  3. Tap the Back button on the device. The home screen appears.

Keep in mind the following:

  • Advise your users not to turn off Find My iPhone/iPad. Don’t perform a full wipe from the device. In either of those cases, the user is prompted to enter the iCloud account password. After account validation, the user won’t see an Activate iPhone/iPad screen after erasing all content and settings.
  • For a device with a generated Activation lock bypass code and with the Activation lock enabled: If you can’t bypass the Activate iPhone/iPad page after a Full Wipe, there is no need to delete the device from XenMobile Server. Either you or the user can contact Apple support to unblock the device directly.
  • During a hardware inventory, XenMobile Server queries a device for an Activation lock bypass code. If a bypass code is available, the device sends it to XenMobile Server. Then, to remove the bypass code from the device, send the Activation Lock Bypass security action from the XenMobile Server console. At that point, XenMobile Server and Apple have the bypass code required to unblock the device.
  • The Activation Lock Bypass security action relies on the availability of an Apple service. If the action doesn’t work, you can unblock a device as follows. On the device, manually enter the credentials of the iCloud account. Or, leave the user name field empty and type the bypass code in the password field. To look up the bypass code, go to Manage > Devices, select the device, click Edit, and click Properties. The Activation lock bypass code is under Security information.