After we recently upgraded our environment to Ivanti Workspace Control 10.12.0.0, we suddenly encountered issues with Citrix Published Applications. Users trying to launch a published application received an error “Application can’t be started…(Instant Passthru could not be resolved)
Although we had not made any changes to the Citrix XenApp Publishing integration within the Ivanti Console, we did check the configuration completely. Everything was configured as Ivanti says it should be set up.
Cause the update of our last golden image only updated Ivanti Workspace Control, we decided to downgrade the agent from 10.12.0.0 to 10.11.10.0, the version we were previously using. And yes, suddenly everything was working properly again.
Last Monday, we started getting multiple reports from MacBook users experiencing an issue with their Citrix Workspace app for Mac. At first the issue wasn’t very clear to use, because everybody reported it slightly different, but soon we noticed the common thread was the resolution. Affected users somehow got a very high resolution in their Citrix session, while their local screen resolution was normal. The Citrix session didn’t seem to adopt the local screen resolution.
I wasn’t able to reproduce the issue myself, so I contacted an affected user. He had done some analyses himself and discovered a curious phenomenon. If you would ran the Citrix Workspace App setup again all seemed to be fine. A Citrix session would adopt the local screen resolution upon connection. Soon as you rebooted the MacBook, the problem suddenly returned. Reinstalling the Citrix Workspace app again made the issue disappear.
We compared the Citrix Workspace App version we were both using and noticed a small difference. The affected user was running version 22.04.0.44, I was running 22.04.0.25. By the end of the day I upgraded my Citrix Workspace App to version 22.04.0.44 and rebooted my MacBook hoping I would also be able to reproduce the issue. And indeed I had the issue myself 🙂
Since quite some time Office has a AutoRecover feature which saves your documents every couple minutes. A super handy function to prevent you from losing a lot of work. By default Office saves an AutoRecover file every 10 minutes, for example in Word this is the default location : %AppData%\Microsoft\Word. In an enterprise environment however, the AutoRecover file location is often adjusted. For example it’s redirect to the users homedrive, in my case “H:\My Documents\AutoRecover”.
An external software supplier wanted to make a new app available for a selected group of smartphones. We were asked if it would be possible to retrieve the smartphone from the XenMobile database. New smartphones added to the delivery group would be detected automatically. Since XenMobile has a REST API, this didn’t seem like a problem at first. We made the REST API available to our software supplier, after which they created a link between their backend and our On-Prem XenMobile environment based on the Citrix XenMobile REST API documentation
At first everything seemed to work perfectly and our software supplier thought they saw all our devices. After some time we noticed that there was a difference between the devices visible in the XenMobile console (Web GUI) and the devices that our software supplier saw through the REST API. Based on the query that was used in the REST API, we then did some testing ourselves using Postman, in the hope of uncovering the difference in devices.
Life Cycle management occasionally causes SQL servers to be replaced and databases to be moved to new servers. As a result, the Ivanti WorkSpace Control datastores have to be moved. Now this does not seem very complex at first, but if the environment uses a primary and secondary datastore, you have to deal with some extra challenges. The IWC datastore contains three components
Configuration and state
Out of the box the data is stored in the primary datastore, but the logging and usage tracking data can also be stored in the secondary datastore. This ensures that the configuration datastore does not explode.
Ivanti has a nice support article in which they exactly describe how you can move both datastores to a new database server (SQL in my case). Basically, you merge the secondary and primary datastore again, migrate the primary datastore to the new database server and split the logging and usage tracking from the primary to the secondary datastore.
This all sounds very simple, but what if your secondary datastore is 600GB in size? Putting these together will take forever, not to mention other challenges. Consider, for example, the sizing of the primary datastore, can it store so much extra data? In this case you actually want to migrate the primary and secondary datastore to the new SQL environment and simply change the database connection string within the Ivanti WorkSpace Control console. Although there is no support article how this can be accomplished, luckily there is a way to do this in a supported way!
Recently we added the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector) to a customer environment, with the intention of giving only known smartphones access to ActiveSync. The definition of known in this case, is a smartphone enrolled within Citrix Endpoint Management (formerly XenMobile). After some testing, we switched on “Blocking Mode” on the Gateway connector for Exchange ActiveSync and indeed all the ActiveSync traffic was nicely regulated. Only connections from device which existed in the Endpoint Management database were allowed access to ActiveSync. The check if a email client is allowed access is done based on the ActiveSync ID, which should be unique for every device.
Just to clarify, a short explanation how the Gateway connector for Exchange ActiveSync works. The Citrix Gateway connector for Exchange ActiveSync is connected to the Endpoint Management server(s) and periodically graps all ActiveSync ID’s. All the grapped ActiveSync ID’s are stored locally on the Gateway connector for Exchange server, in a .xml file. Depending you installation folder and provider name it’s stored on the Gateway connector for Exchange Server in : “%InstallFolder%\XenMobile NetScaler Connector\config\%ProviderName%.xml”
Depending your Endpoint Management ActiveSync Gateway configuration devices can be allowed or denied access based on several rules.
During regular maintenance at a customer we noticed the Ivanti WorkSpace Control logging database was getting quite big. The logging database had reached a size of more than 1TB, something of which the cause was not immediately clear. Sure they had lots of users and were keeping lots of auditing data, but the increase in database size couldn’t be related to additional users or something else.
We contacted Ivanti Support to investigate the huge increase in logging database size. They told me about a useful tool called “Workspace Manager Logging Management Tool“. The tool was created by a former employee Patrick van Grinsven. Soon it became clear what exactly was using so much space within the logging database.
Recently I was asked to increase the security for a public reachable ActiveSync url. Although the customer was using Citrix Endpoint Management (XenMobile) and Citrix Secure Mail was available in their Enterprise AppStore, employees were also allowed to use their native “un-secure” mail client, which made use of a public reachable ActiveSync URL.
A big advantage they had, was that almost all mobile devices were already enrolled within Citrix Endpoint Management, so we knew which ActiveSync ID’s where legit and allowed to access ActiveSync.
Cause we were already making use of Citrix Endpoint Management, we decided to use the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector), to add an extra layer of security to the public reachable ActiveSync url.
Prior to Windows 10 (build 1607) Sticky Notes was a “Desktop App”, for which it was quite easy to roam all user settings and notes. But since the Windows 10 anniversary update Sticky Notes is available as a “Windows App” (Universal App). This creates a new challenge.
We have to make sure that Sticky Notes settings and notes, which a created by the users are being roamed. In case that roaming profiles are being used, this won’t be very challenging, because the whole user profile will be stored soon as an user logs off. However when local or mandatory profiles are used, in combination with a Zero Profile technology, like the technology offered by Ivanti Workspace Control (formerly RES Workspace Manager), some challenges lie ahead.
Until recently I used to wrap all XenMobile applications using an Apple provisioning profile which used a wildcard App ID. This way only a single provisioning profile was required for all my XenMobile applications.
Last week at a new customer site I noticed something different with their new Apple iOS Developer Enterprise account, which was created somewhere last week. I started by creating a “In-House” Production iOS Certificate to sign the apps