Last Monday, we started getting multiple reports from MacBook users experiencing an issue with their Citrix Workspace app for Mac. At first the issue wasn’t very clear to use, because everybody reported it slightly different, but soon we noticed the common thread was the resolution. Affected users somehow got a very high resolution in their Citrix session, while their local screen resolution was normal. The Citrix session didn’t seem to adopt the local screen resolution.

I wasn’t able to reproduce the issue myself, so I contacted an affected user. He had done some analyses himself and discovered a curious phenomenon. If you would ran the Citrix Workspace App setup again all seemed to be fine. A Citrix session would adopt the local screen resolution upon connection. Soon as you rebooted the MacBook, the problem suddenly returned. Reinstalling the Citrix Workspace app again made the issue disappear.

We compared the Citrix Workspace App version we were both using and noticed a small difference. The affected user was running version 22.04.0.44, I was running 22.04.0.25. By the end of the day I upgraded my Citrix Workspace App to version 22.04.0.44 and rebooted my MacBook hoping I would also be able to reproduce the issue. And indeed I had the issue myself ūüôā

At first I was just a little misled. I thought the issue was caused by the latest version 22.04.04.44. I took a look at the release notes and immediately noticed the section “Support for high DPI monitors [Technical preview]”.

Citrix Workspace app for Mac is now compatible with high DPI monitors with resolution greater than 4K. On desktop sessions, apps, text, images, and other graphical elements appear in a size that can be viewed comfortably on these high-resolution monitors.

Although this was an option that you had to activate manually, it had to do with screen resolutions. It appeared that this feature was inadvertently activated with the upgrade to 22.04.0.44. If this feature was indeed causing the problem, we could test that by manually disabling it. To disable this feature, run the following command in macOS terminal:

defaults write com.citrix.receiver.nomas EnableHighDPI -bool NO

And indeed soon as we disabled the feature all seemed fine again! We opened a support case with Citrix telling them something went wrong after updating our Citrix Workspace app for Mac to the latest version. After the support engineer had looked at our case and made internal inquiries, he came up with a remarkable response. The issue hadn’t been caused by the upgrade, but by Citrix. We heard that the product team unintentionally had turned on the DPI Scaling feature via Launch Darkly during the weekend.

After the problem was discovered the default setting for this tech preview was quickly disabled again. The engineering team will need to do more testing on the feature before making it enabled by default. So in the end we learned the issue was also present in 22.04.0.25 but wasn’t activated until a reboot of the MacBook and the settings from LaunchDarkly were applied.

If you are still experiencing the problem yourself, now that Citrix has disabled the option again, just reboot your MacBook and your Citrix Workspace App should work as expected

Since quite some time Office has a AutoRecover feature which saves your documents every couple minutes. A super handy function to prevent you from losing a lot of work. By default Office saves an AutoRecover file every 10 minutes, for example in Word this is the default location : %AppData%\Microsoft\Word. In an enterprise environment however, the AutoRecover file location is often adjusted. For example it’s redirect to the users homedrive, in my case “H:\My Documents\AutoRecover”.

Read More →

An external software supplier wanted to make a new app available for a selected group of smartphones. We were asked if it would be possible to retrieve the smartphone from the XenMobile database. New smartphones added to the delivery group would be detected automatically. Since XenMobile has a REST API, this didn’t seem like a problem at first. We made the REST API available to our software supplier, after which they created a link between their backend and our On-Prem XenMobile environment based on the Citrix XenMobile REST API documentation

Public API for REST Services

At first everything seemed to work perfectly and our software supplier thought they saw all our devices. After some time we noticed that there was a difference between the devices visible in the XenMobile console (Web GUI) and the devices that our software supplier saw through the REST API. Based on the query that was used in the REST API, we then did some testing ourselves using Postman, in the hope of uncovering the difference in devices.

Read More →

Life Cycle management occasionally causes SQL servers to be replaced and databases to be moved to new servers. As a result, the Ivanti WorkSpace Control datastores have to be moved. Now this does not seem very complex at first, but if the environment uses a primary and secondary datastore, you have to deal with some extra challenges. The IWC datastore contains three components

  1. Configuration and state
  2. Logging
  3. Usage Tracking

Out of the box the data is stored in the primary datastore, but the logging and usage tracking data can also be stored in the secondary datastore. This ensures that the configuration datastore does not explode.

Ivanti has a nice support article in which they exactly describe how you can move both datastores to a new database server (SQL in my case). Basically, you merge the secondary and primary datastore again, migrate the primary datastore to the new database server and split the logging and usage tracking from the primary to the secondary datastore.

HOWTO: Migrate database in Ivanti Workspace Control

This all sounds very simple, but what if your secondary datastore is 600GB in size? Putting these together will take forever, not to mention other challenges. Consider, for example, the sizing of the primary datastore, can it store so much extra data? In this case you actually want to migrate the primary and secondary datastore to the new SQL environment and simply change the database connection string within the Ivanti WorkSpace Control console. Although there is no support article how this can be accomplished, luckily there is a way to do this in a supported way!

Read More →
Android

Recently we added the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector) to a customer environment, with the intention of giving only known smartphones access to ActiveSync. The definition of known in this case, is a smartphone enrolled within Citrix Endpoint Management (formerly XenMobile). After some testing, we switched on “Blocking Mode” on the Gateway connector for Exchange ActiveSync and indeed all the ActiveSync traffic was nicely regulated. Only connections from device which existed in the Endpoint Management database were allowed access to ActiveSync. The check if a email client is allowed access is done based on the ActiveSync ID, which should be unique for every device.

Just to clarify, a short explanation how the Gateway connector for Exchange ActiveSync works. The Citrix Gateway connector for Exchange ActiveSync is connected to the Endpoint Management server(s) and periodically graps all ActiveSync ID’s. All the grapped ActiveSync ID’s are stored locally on the Gateway connector for Exchange server, in a .xml file. Depending you installation folder and provider name it’s stored on the Gateway connector for Exchange Server in : “%InstallFolder%\XenMobile NetScaler Connector\config\%ProviderName%.xml”

Depending your Endpoint Management ActiveSync Gateway configuration devices can be allowed or denied access based on several rules.

Read More →
RelayServer

During regular maintenance at a customer we noticed the Ivanti WorkSpace Control logging database was getting quite big. The logging database had reached a size of more than 1TB, something of which the cause was not immediately clear. Sure they had lots of users and were keeping lots of auditing data, but the increase in database size couldn’t be related to additional users or something else.

We contacted Ivanti Support to investigate the huge increase in logging database size. They told me about a useful tool called “Workspace Manager Logging Management Tool“. The tool was created by a former employee Patrick van Grinsven. Soon it became clear what exactly was using so much space within the logging database.

Read More →
Citrix Gateway connector for Exchange ActiveSync

Recently I was asked to increase the security for a public reachable ActiveSync url. Although the customer was using Citrix Endpoint Management (XenMobile) and Citrix Secure Mail was available in their Enterprise AppStore, employees were also allowed to use their native “un-secure” mail client, which made use of a public reachable ActiveSync URL.

A big advantage they had, was that almost all mobile devices were already enrolled within Citrix Endpoint Management, so we knew which ActiveSync ID’s where legit and allowed to access ActiveSync.

Cause we were already making use of Citrix Endpoint Management, we decided to use the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector), to add an extra layer of security to the public reachable ActiveSync url.

Read More →

Prior to Windows 10 (build 1607) Sticky Notes was a “Desktop App”, for which it was quite easy to roam all user settings and notes.¬†But since the Windows 10 anniversary update Sticky Notes is available as a “Windows App” (Universal App).¬†This creates a new challenge.

We have to make sure that Sticky Notes settings and notes, which a created by the users are being roamed.¬†In case that roaming profiles are being used, this won’t be very challenging, because the whole user profile will be stored soon as an user logs off. However¬†when local or mandatory profiles are used, in combination with a Zero Profile technology, like the technology offered by Ivanti Workspace Control (formerly RES Workspace Manager), some challenges lie ahead.

Read More →

Until recently I used to wrap all XenMobile applications using an Apple provisioning profile which used a wildcard App ID. This way only a single provisioning profile was required for all my XenMobile applications.

Last week¬†at a new customer site I noticed something different¬†with their new Apple iOS Developer Enterprise account, which was created somewhere last week.¬†I started by creating a “In-House” Production iOS Certificate to sign the apps

iOS Certificates (Production)

Followed by a wildcard iOS App ID

Read More →

During a recent implementation of XenMobile 10 Enterprise (build 10.0.0.62300)  I created a ShareFile Administrator Account within the ShareFile control plane to be used for the XenMobile integration.While I was still doing some testing and configuring a simple, non complex password was used for the ShareFile Administrator account. Soon as everything was working correctly I logged in to the ShareFile Control Plane and updated the password used for the ShareFile Administrator account for a complex one. Well so far so good. Next step in the process would naturally be to update the ShareFile Administrator account within the XenMobile Server (XMS) settings.

I logged in to the XenMobile 10 console and went to Configure > Settings > More > ShareFile and finally clicked Sharefile. Almost immediately I was confronted with an Error message “Username or Password was incorrect”.

XMS - Username or Password was incorrect

Read More →