Installing and Configuring Citrix XenMobile MDM 8.6

In this step-by-step blog I will install and configuring Citrix XenMobile MDM 8.6 on a Windows 2012 Server, including the Oracle Java Platform (JDK) 7, configuring XenMobile MDM with the “Getting Started” wizard, create an external SSL Certificate file in .p12 format that includes the root and intermediate part, configuring an external SSL certificate within XenMobile MDM and configuring the Citrix NetScaler 10.1 for use with XenMobile MDM. For the installation and configuration of the AppController I will write a separate blog.

For this installation I will use my current Microsoft SQL 2012 server which is installed on a separate server and my current Citrix NetScaler ADC 10.1.

For the Citrix XenMobile MDM 8.6 installation you have to do the following preparations;

  • Open these ports in your network environment
  • Obtaining a Citrix XenMobile license file
  • Download Oracle Java Platform (JDK) 7
  • Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
  • Create a Service Account
  • Create an external DNS record for the XenMobile MDM Server
  • On the XenMobile MDM Server, configure a static IP address
  • On the XenMobile MDM Server, disable UAC
  • On the XenMobile MDM server, disable IPv6 by applying this registry key
  • Create an Apple Push Notification service certificate
  • Install and Configure Citrix NetScaler 10.1

Service Account

For this installation you need to create a Service Account. This account needs dbcreator rights on the Microsoft SQL Server and Local Administrator rights on the XenMobile MDM server.

Installing Oracle Java Platform (JDK) 7


Run jdk-7u45-windows-x64 and click Next


Click Next


Click Next


Click Close

Copy and preplace local_policy.jar and US_export_policy.jar from the file to the following locations;

  • C:\Program Files\Java\jdk1.7.0_45\jre\lib\security
  • C:\Program Files\Java\jre7\lib\security

Installing Citrix XenMobile MDM 8.6


Run XenMobileDeviceManager- and click OK


Click Next


Click I Agree


I will use my existing Microsoft SQL server, so I select only Application Server. Click Next.


Click Install


Select your License file and click Next


Enter the information of your SQL server. Be sure you enter the Services Account with the correct SQL permissions. Click Check the connection.


Click Create


Click OK


Click Next


This keycode is optional to remove watermarks in the reports. Click Next


Click Next


Click Next


Click Next


Click Next


Leave the keystore file path default, enter a password (anything you like) and click Next


Leave the keystore file path default, enter a password (anything you like) and click Next


Leave the keystore file path default, enter a password (anything you like) and click Next


Leave the keystore file path default, enter a password (anything you like), fill in the external FQDN and click Next


Browse to you Apple Push Certificate, enter your password and click Next


Click Next


Enter a username and password for the webadmin console (can be a non-existing user). Click Check the user name.


Click OK


Click Next


Click Finish


Click Close


Click Next


Click Finish

Configure XenMobile MDM with the “Getting Started” wizard


Open Internet Explorer and browse to http://localhost/zdm, login with the account created during the installation.


Click Get Started


Click Next


Enter a package name (anything you like) and click Next


For this blog I will add Passcode and Jailbroken Detection. Drag Passcode to the right.


Click Done


Drag Jailbroken Detection to the righ and click Done.


Click Next


Click Yes, enroll with corporate credentials


Select LDAP and click Next.


Enter the following information:
Directory Type: Microsoft Active Directory
Primary Host [:Port:]: Your domain controller
Root context: DC=Hobo,DC=Lan (for example)
Search user: Admin useraccount
Password: Admin useraccount
Domain alias: Your domain alias
XenMobile lockout limit: 5
Global Catalog TCP port: 3268
User Search By: sAMAccountName

Click Check.


Click OK


Click Next


Click Next


You can specify which users are allowed to use XenMobile and which users have admin rights within the XenMobile console. I will add the Domain Users as XenMobile users for now.

Click Next


Click Finish


Click Next


I don’t have devices in my database at this moment, so I click Skip.


Click Go To Device Manager

At this point you are ready the create policies and deployment packages.

How to create an external SSL Certificate file in .p12 format that includes the root and intermediate part

To use XenMobile MDM with an external SSL Certificate, you need a SSL certificate in .P12 format, issued by a trusted CA, which includes the root and the intermediate parts.

In this part of the blog I will show you how to create that .P12 format certificate. I my case I have configured my SSL certificate on my NetScaler as described in this blog. I will export this certificate, and add the intermediate parts.


Go to the NetScaler admin console and browse to Traffic Management > SSL, on the right side of the screen click on Export PKCS#12


Enter the following information

PKC12 File Name: any name you like with .p12 extension
Certificate File Name: browse to the .crt file
Key Filename: Browse to the .key file
Export Password: Enter a password you like
PEM Passphrase: The passphrase of the PEM

Click OK


Click on Manage Certificates / Keys / CSRs


Download the .p12 file just created

NOTE: In my case this file is 4k in size and does not contain the intermediate certificate(s)


Open a MMC Console and add the Certificates (My user account) Snap-in


Right click Personal and go to All Tasks > Import…


Click Next


Select the exported .p12 file and click Next


Type the password for the private key and select Mark this key as exportable. This will allow you to back up or transport your keys at a later time and click Next


Click Next


Click Finish


Click OK


The certificate is now displayed under Personal > Certificates


Right click the certificate and go to All Tasks > Export…


Click Next


Select Yes, export the private key and click Next


Select Include all certificates in the certification path if possible and click Next


Enter a Password (anything you like) and click Next


Specify a location where you want to save the certificate and click Next


Click Finish


Click OK

Rename the exported .pfx certificate to a .p12 file.

In my case this file is now 6k big in size and contains the intermediate certificate(s)

Configuring an external SSL certificate within XenMobile MDM

To add an external SSL certificate within XenMobile you need to edit two XML files on the XenMobile MDM server. First create a folder on the local disk of the MDM server and copy the certificate file in to it, in my case I will use C:\XenMobile-Cert\XenMobile-RobinHoboCom.p12

Open the following file in an editor (for exemple Notepad++): C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF\classes\pki.xml

Add the following bean to the file:

<bean id=”externalSslCert” class=”com.sparus.nps.pki.def.KeyStoreParams”
p:keyStorePass=”Password you entered during the export of the certificate

Open the following file in an editor (for exemple Notepad++):  C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml

Locate”Connector port=”443 ” and replace the following fields;

keystorePass=”Password you entered during the export of the certificate

Locate”Connector port=”8443 ” and replace the following fields;

keystorePass=”Password you entered during the export of the certificate

Reboot the XenMobile MDM server after saving the files.


Configuring the Citrix NetScaler 10.1 for use with XenMobile MDM


Login to the NetScaler Admin console. Optional you can logon the the Deployment Type XenMobile MDM.


Go to Traffic Management > Load Balancing. on the right side of the screen click on Load Balance XenMobile Device Managers (MDM Servers)


Enter a name for the MDM Loadbalacer and enter a (new) IP address. Click Continue

NOTE: This is the IP address your external DNS record must point to.


Enter the name and IP address of your XenMobile MDM Server and click Create


Click Done


  • Thanks for the post, really helpful. Just a quick question, where would you recommend or what is the best practice on placing the XenMobile server, in DMZ or LAN.

    • Hallo Awees, with XenMobile 8.5 you must place the MDM in the DMZ, according the “XenMobile 8.6 new feature list”, XenMobile now support SSL offloading so the MDM server no longer needs to be placed in the DMZ. However according that same document this must be configured on the NetScaler Gateway 10.1, Build 10.1.1308 which has not yet been released. So til then you must place it still in the DMZ…

  • Thanks for this guide – this is really helpful for everyone looking at this… saved me a ton of time understanding the installation flow and expectations, and documenting the process 😉

    Robin Hobo for President!

  • Thanks Robin, that was a quite useful post, but I did not understand the use of import certificate on Device Manager Server, Can you please help me to understand the funda behind this.

    • That’s for the external address, for example; This certificate must be trusted by an external CA.

  • So then if your server is server1.corp.local and externally it’s hit via, the certificate would be issued to the enrollhere address, right? Would that cause any certificate errors given the difference in names? Also, given that you can now offload ssl to the netscaler, this external certificate could live only on the netscaler, correct? If you still use 443 from NS to MDM server, could that be an internal certificate?

    • Correct, with SSL Offloading you must install the certificate on the NetScaler, and yes, if you want to secure traffic from NetScaler to the MDM server it can be with a internal certificate.

  • Hi Robin,

    Really nice post and Happy New Year.

    What about the internet connectivity on the XenMobile Device manager through proxy server. When i’m trying to add any external iOS app it is throwing me an error “The URL for the external iOS App is invalid” but when i am giving the same URL in the next tab of my browser i am able to get the itune page. I am having a proxy server in between and i have full access to internet.
    I have also added the proxy server details in device manager. I used the link for the proxy configuration.

    Any help on this issue is really appreciated.


    • Have the same problem here, seems that the Apple traffic not going to the proxy but directly to the firewall where it’s blocked. Seems like a bug to me. Have you already a solution?

  • Hi Robin,

    thanks for this article.
    Is there any chance to change the password for the webadmin console?

  • Is it necessary to have Netscaler in place while wanting using Xenmobile Mail Manger/App controller? – In addition, can Mail manager/app controller be installed on the same server as Xmobile-device manger or do they require their own instance?

    I appreciate any feed back on this, great article otherwise!


    • Hi Chris, you can safely install XenMobile MDM and NetScaler Connector on the same server. Did it before..

  • I have downloaded the Xenmobile MDM for trail ,but could not move further on installation due to license file not available.
    is there any option to install without license file ,like trail for 60 days,90 days to learn about MDM.

  • Hi,

    I am new in XenMobile….

    Thank you for a great job…. What is the main function for netscaler gateway ?, can i implement just MDM and App controller without using Netscaler… or do i need to deploy all components ?

    Thanks for ur Cooperation

    • If you want to use all the XenMobile features like mail filting, micro VPN connections with applications ect you alway’s need a NetScaler.

  • Excellent information, is it possible to manage blackberry devices along with android and iOS with this solution?

  • Hello Robin
    thanks for this blog, i want to be sure that iam understanding this setup, so in order to use MDM we have two options, first one is to install MDM in DMZ and install the ssl certificate to the MDM server. and the other option is to place MD in the lan and apply the SSL certificate to netscaler, correct?
    from worx home, the url will be the netscaler public ip address?

    • Hi Mohamed, that’s correct. You can place the MDM server in the LAN and configure SSL Offloading on the NetScaler, with that configuration you install your external SSL certificate on the NetScaler and traffic from the NetScaler to the MDM server will continue over port 80 (or 443). With the NetScaler in the DMZ you configure SSL Bridge on the NetScaler (you can use the XenMobile wizard for that). For that you must install the SSL certificate on both the NetScaler and the MDM server. For enrollment with WorxHome you always use the external MDM (or AppController) address.

  • Hi Robin, Is it possible to use internal ssl certificates (from an internal root ca) and just use an external cert on the netscaler?

    Currently my xendesktop environment is working using internal certs and just an external cert on the netscaler.

  • Hi Robin, great Inf. In a sharefile only scenario can i use Storage Zone Controller and Netscalar with out XenMobile and XenApp? Also, have doubts if only one SSL certificate is required for this set up?


    • Hi Miguel, Yes you can use ShareFile without XenMobile. 1 certificate is needed for ShareFile. If you want your traffic from the NetScaler to the StorageZone to be also secure (Citrix best practice) you can use an second certificate for that.

  • Great article indeed!

    I have a question. During Xenmobile 9.0 installation, you get the option to “Enable iOS”, that is when you are prompted for the APNS cert. If you uncheck this option, you bypass the APNS and are able to complete the installation.

    So my question is… will you be able to “enable iOS” support and install an APNS cert on the MDM server “after” the installation is completed.. say sometime later after you decide to enroll iOS devices as well? Or do you have to re-install the MDM server from scratch? I can’t seem to find any option on the MDM console for this.

    • Hi Noman, good question. Yes, you can enable it afterwards by running the iOSenable.cmd script located on the MDM server in c:\program files(x86)\Citrix\XenMobile Device Manager\

  • Hey.. i am having a weird issue with Xenmobile 9.. the enrollment with iOS devices has been working for for more than 3 months. However, when i tried enrolling iOS devices, i get the error “Verify your credentials and try again” on Worx home, at the main screen after i punch in the MDM server address. However, if i use the AppController’s address (NS Gateway), the device connects to the infrastructure but upon adding any app from the Worx Store, i get the error “Cannot connect to the xxx.xxxx.xx server”. This is only happening with iOS devices.

    Any suggestions? A valid APNS server certificate is in place.

    Oh and i am currently utilizing self signed certificates throughout the deployment.

  • Hi Robin,

    Very fruitful document, is there any way where i can able to signup on ?

    Nafis Akhtar

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.