Installing and Configuring Citrix XenMobile App Controller 2.9

After installing and configuring the XenMobile MDM server it’s time for the step-by-step blog about XenMobile App Controller. In this blog I will install (upload) the Citrix XenMobile App Controller 2.9 to the Citrix XenServer. After that I will configure the basic settings from the console and run the configuration wizard from the administrator web console. I will also create a server certificate for the App Controller, connect the XenMobile MDM server to the App Controller and publish an application.

XenMobile and the NetScaler

The Citrix NetScaler (10.1) now includes a XenMobile setup deployment wizard. With this wizard you can configure XenMobile MDM, App Controller, MS Exchange with Email Filtering and ShareFile at once. For the App Controller the wizard will create a NetScaler Gateway. Make sure you enter the correct Gateway FQDN (App Controller URL) and that you configure the correct certificate (for the external DNS name).



For the Citrix XenMobile App Controller installation/configuration you have to do the following preparations;

Active Directory Requirements

Fill in (at least) the following fields in the user account properties;

  • User Logon Name (and not only the pre-Windows 2000 one)
  • First Name
  • Last Name
  • E-Mail

Downloading and Uploading the XenMobile App Controller to the XenServer


For this installation I will download “App Controller 2.9 Virtual appliance for XenServer” from the Citrix website.


After downloading the XenMobile App Controller, open XenCenter, open the File menu and choose the option Import…


Browse to the downloaded App Controller and click Next


Select your XenServer and click Next


Select the storage you want to upload the App Controller to and click Import


Select the network interface you want to use for the App Controller and click Next


Click Finish

Configuring the XenMobile App Controller


Start the XenMobile App Controller and go to the Console tab of the virual machine (XenCenter). Login with the default admin account (account name: Admin, Password: password).


Type 0 to start the Express Setup


Type 1 to configure the IP Address


Enter the IP Address you want to assign to the App Controller


Enter the correct Netmask


Type 2 to configure the Default Gateway


 Enter the correct Default Gateway IP address


Type 3 to configure the DNS Server(s)


Enter the correct IP Address of the DNS server(s)


Type 4 to configure the NTP Server


Enter the correct IP Address of the NTP server


Type 5 to commit the changes


Type y to reboot the App Controller


Open a web browser and type the following address: https://<ip of appcontroller>:4443/ControlPoint. Login with username: administrator (NOT admin !) password: password.


When logging on for the first time, a Configuration Wizard will be appear. The first step is to change the default administrator password. Fill in the default password (password) and enter a new one (twice). Click Next


Enter a hostname. In my case I will use appcontroller.hobo.lan. NOTE: you must create an inernal DNS record for this hostname manually.


Enter the requested Active Directory information. Leave “Use secure connection” unselected for now. We will configure the certificates for the secure connection later. Click Next.


Configure the correct Time Zone and DNS suffixes. Click Next


Enter the requested mail server settings and click Next


Click Save


Click Yes

Creating and Installing a server certificate

The Citrix XenMobile App Controller requires the root and a server certificate to communicate between the App Controller and the Management console, Applications and StoreFront.  Note: this is not the SSL certificate for use with the external DNS record, that certificate must be trusted by an external CA and must be installed on the NetScaler.


For the creation of the server certificate I will use Internet Information Services (IIS). Go to Server Certificates and click Create Domain Certificate


Enter the requested information and click Next


Select the correct (intern) Certification Authority (CA), enter a Friendly name and click Finish


Right click the certificate and click Export


Export the certificate to an .pfx file and set an password. Click Ok


Open an MMC console and add the Certificates snap-in (My User Account)


Browse to Certificates – Current User > Personal > Certificates. Right click Certificates and browse to All Tasks > Import


Click Next


Browse to the certificate and click Next


Type the password for the private key and select Mark this key as exportable. This will allow you to back up or transport your keys at a later time. Click Next.


Click Next


Click Finish


Click OK


Right click the certificate and browse to All Taks > Export


Click Next


Click Next


Make sure you select Include all certificates in the certification path if possible and click Next


Set a password and click Next


Browse to the path you want to save the certificate to and click Next


Click Finish


Click OK


Logon to the XenMoble App Controller web console and go to Settings, Certificates


Go to Import and select Server (.pfx)


Enter the password you set while exporting the certificate and click OK


Select the certificate and click Make Active. Note that the root CA is also imported automatically and is added to the Certificate Chain.


Click Yes


You can now browse to the AppController Admin Console via HTTPS

Allow the XenMobile MDM server to communicate with the XenMobile App Controller

To allow the XenMobile MDM server to communicate with the XenMobile App Controller configure the following;


Logon to the XenMobile MDM admin console and go to Options


Go to App Controller. Enter the Host Name and a Shared Key (anything you like without special characters) and click Close


Click Yes


Open the XenMobile App Controller admin console, go to Settings, XenMobile MDM and click Edit


Enter the requested information and click Test Connection


Click Close


Click Save


Go back to the XenMobile MDM Console and click Check connection


Click OK

Publish an Application

Within the Citrix XenMobile App Controller you can deploy a lot of different types of applications including Android Apps (APK files or MDX files for wrapped), iOS Apps (IPA files or MDX files for wrapped), Web & SaaS, Web Links or Apps directly from iTunes or the Google Play store. For this blog I show you how to publish a SaaS application.


Logon to the App Controller administrator panel and go to the tab Apps & Docs


Go to Web & SaaS and click on the big green plus sign


For this example I will use the LinkedIn SaaS app, click Add


Click Next


You can define Workflows within the App Controller if, for example, approval is required from a manager. In this case I let everything default. Click Next


Click Save


The LinkedIn application is now published from the App Controller


To see if it works, open a web browser and enter the App Controller URL


Click on the plus sign to add the LinkedIn application


Select the LinkedIn application


Click on the LinkedIn icon


The App Controller will save the credentials for the user.

It is also possible to add XenApp / XenDesktop application and desktops by connecting StoreFront to the App Controller.


  • Hi Robin ,

    Thanks for the effort . Great article.

    One question : I followed the exact same steps and I still get the following :

    there are no apps or desktops assigned to you at this time.

    I have added to your steps new AD group and giving permissions but getting the same message on all users .

    any ideas ?

  • Hi Robin,

    After filling the User Logon Name as you stated in your article it all worked fine.

    Thanks again.

  • I am trying to follow the same process but it looks like the screens are different now. At least in my case. The Netscaler login portal for XenMobile only shows the options for Xenmobile and Exchange. I am on build 124.13 and this is brand new install.

    • That’s correct, the other two wizard options are only available in the enhanced version of the NetScaler.

  • Thanks Robin, this is awesome.

    BTW app controller address should be
    https://App ControllerIPaddress:4443/ControlPoint

    port is 4443 and not 4333

    I figured it out though, thanks!

  • First of all thanks for this great post. I configured the appcontroller and used your article for wrapping WorxMail and WorxWeb for both Android and IOS. On Android the WorxMail works great. However on IOS there are no mails visible in the app. When I configure the native app with the same credentials all mails are retrieved properly.

    Any ideas what the issue might be?

    • You can check the policy tab from the published iOS WorxMail app. What are the network settings, is “Tunneled to the internal network” selected? And is the Inital VPN mode correct configured?

      • Hi Robin,

        no the configuration was ok. Problem was that WorxMail is incompatible with Exchange 2003.

        gr, F

  • Hi…

    Just wanted to ask if you are able to push out in-application settings with the App Controller?

    For example if an application had an email address and a port number – could this be automatically populated for each user?

    Great post!


    • That depends on the application, the application must be Worx ready and must be wrapped.

  • Hi Robin,

    Your article on App Controllers and MDM was extremely useful.

    Yesterday I did HA on the App Controllers here and I finally worked it out. I thought I would send the steps through to you in the event someone visited your website and it could help them. Here are the steps.

    For anyone else struggling with this, this is the simple way I did it. (This is my own experience and you need to test yourself)

    Install the 1st controller and the 2nd controller, configure the IP address, subnet mask and gateway for both. Then configure the Role preference for each controller, along with the VIP address and the peer address. (This is the other controllers IP) Create a DNS entry for the VIP address

    Then sign into the controller via the VIP address. So and configure the hostname for the controller as the DNS VIP address and enter all the other settings as required. (You can skip the certificates for now) You will then logged out of the website. Log back in and import the certificate for the VIP address. (Don’t forget to import root cert and chain it if required) You will now be able to log out and back in and should have no certificate errors.

    You can now either turn off the 1st controller and sign back into the website and you should be able to see that you are signed in via the 2nd controller as the overview will show the 2nd controllers IP, or you can just force failover to the second controller in the app controller console.



  • Hi Robin,

    Thank you for the great article. I have a related question.

    Scenario: upgrade 2.8 went wrong & you implement 2.9 (fresh install) to eventually replace the old App Controllers.

    Question: Do you need to add all your Weblinks & other Applications manually or is there a way to bulk import all the apps?

    Thank you in advance.

    Best regards,

    • Never test that scenario, but with the same versions you can create/export a snapshot for that.

  • I Robin

    First of all thanks for your help.

    I´m trying to have my App Controller apps to appear on Storefront, but so far I´be been failing at this.

    Storefront works ok, users are able to logon,and launch XenApp and XenDesktop apps without any issues.

    App controller is running, I can create apps, assign them to groups, and everything looks to be ok. I´ve configured the Deployment, and Windows Apps tabs as everyone seems to say its required (tried different choices), but they are not appearing.

    I´ve also tried adding AC server to Storefront Store as Delivery Controller wtthout success.

    So far, this environment doens´t have netscaler available (we´re waiting for the purchase of the public cert)

    Also, if I try to logon to AC Web Store, I can´t, every user gets rejected no matter what they input there.

  • Hi Robin

    It is a very great article to learn and understand the Citrix XenMobile and its components configuration.

    I would like to know that how i can register devices on MAM directly (any enrollment doc available) . I am not using MDM.


About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.