Let's Test XenMobile (Citrix Endpoint Management)

There is a real-world reason for performing this test: we have come across some devices that were assigned to a delivery group with a restricted setting that couldn't be undone easily, which resulted in removing the MDM profile from the device to regain control. But why? Surely we can turn settings on and off, otherwise XenMobile isn't really a good solution.


Today I have been testing XenMobile Restriction Policies to see how they affect an iPhone.


Test 1)  AD Group Membership change.

In this test I have 2 AD groups tied to delivery groups, and those delivery groups have different restriction policies assigned. Delivery group A has very few restrictions and delivery group B has the camera and FaceTime switched off. A test user is assigned to delivery group A and has all the applications and policies assigned to him upon registration. It's all working as expected. 🙂 Yay!

Now we move the test user from one AD group to another with the more restrictive policy… Nothing happens.

Here is what to try in order:

  • Once the policy has been applied to the delivery group, click Deploy; this should send a push. Otherwise:
  • Reboot the device.
  • Check for policy updates on the device.
  • Log in to the XenMobile user portal. (Believe it or not, logging in to the portal can force an AD update to the delivery group.) AD sync is normally performed between 2AM – 4AM daily.



A quick way to check the policy restrictions on a device is to go to Settings > General > Device Management and then click on MDM Configuration. Here you can see all the restriction policy actions as well as the apps deployed.

We take a look at the device in the Manage > Device tab and search for the test user. This will show the policies assigned and the delivery group a user is in.

Test 2) Disabling restrictions and restoring the device:

In this test we leave the test user in the same delivery group but edit the restriction policy to turn the camera, FaceTime and Safari back on.

Now we simply want to turn these features on and deploy to see if the camera, FaceTime, and Safari appear. We would expect this to be pretty instant. But if it isn't…

Try: Secure Hub > Menu > Preferences > Device Information and Refresh Policy.

This worked for me and the camera, FaceTime and Safari icons instantly reappeared.


Summary: Moving from one AD group (delivery group) to another will not have an instant effect, and it may take some time to filter down to the users. The best practice is to design your policies from the beginning and make changes to the policy rather than migrate users to another group. But if you do have to migrate users from one group to another, then the above should make that process much quicker. Remember to Deploy to your delivery group for the changes to be pushed; just saving them doesn't always trigger a push. Making a change to an existing policy is pretty instant from my testing.


Don’t Panic!: If a device is still not released from a restriction policy then you could remove the MDM profile, but this will break Secure Apps and you will need to enroll the device again.