Modern Management with XenMobile Part III: Windows 10 and Applications

Thanks for tuning in to a new edition of the “untamed world” of modern endpoint management.

As my colleague, Matthew Brooks, has mentioned before, modern endpoints roam the world

and are not necessarily domain joined. In modern endpoint management, the identity of the user which is used for authentication will mostly exist in the cloud. Good examples of theses type of identity services are Azure Active Directory, G-Suite, Okta and Citrix identity provider.

Besides the roaming of the user and the endpoint, the application landscape is changing.  If I look at my two kids — a 9-year-old boy and a 7-year-old girl — they only know that apps are installed from an app store that is on their tablet or phone. So, if they want a new app or game it’s just (almost) one click away. And I say almost, because when they try to get an app, I get a notification for approval on my endpoint (similar to an Enterprise Approval Workflow), so most of the time, they click the app and start sending me millions of What’s App messages to approve it 😉. The same, of course, is relevant in an enterprise where more and more apps will move to the public or an enterprise app store. The distribution model is changing. Modern endpoint management solutions like XenMobile (soon to be Citrix Endpoint Management) facilitate delivery of those apps while managing resources the apps need to operate, including connectivity, security, operating systems, data, and other endpoint features.

Additionally, you see the Big 3 — Microsoft, Apple and Google — consolidate their operating systems from multiple form factors into one, where apps from a public store or a business store are crucial. The user experience and the consumerization of IT strengthens this shift to the native use of (store) apps on modern endpoints. A good example of this is how Microsoft positioned their Surface product line. Have a look at the below video (2014) of a Windows 10 Surface Endpoint and Epic being used in Healthcare and the doctor’s feedback on user experience and how it enables him to interact with his patient. In a scenario like this, the doctor can work how he wants to work on a endpoint he wants to use while UEM MEM manages and secures the endpoint, apps, data, and connectivity.

Source: Microsoft Healthcare

Android apps on Chrome OS

The capability of installing and running Android apps on your manageable Chromebook opens up a broad range of native mobile apps that are designed for the new Mobile Era to organizations and their Modern Mobile Workforce use cases. You can download and use Android apps on your Chromebook just using the Google (managed) Play Store app.


Which Chromebooks will be able to install Android apps?

Did you know that XenMobile can manage Google Chrome OS Endpoints?

Managing Chromebook Devices with XenMobile

Microsoft Universal Windows Platform (UWP) app

  • Secure: UWP apps declare which device resources and data they access. The user must authorize that access.
  • Able to use a common API on all devices that run Windows 10.
  • Able to use device-specific capabilities and adapt the UI to different device screen sizes, resolutions, and DPI.
  • Available from the Microsoft Store on all devices (or only those that you specify) that run on Windows 10. The Microsoft Store provides multiple ways to make money on your app.
  • Able to be installed and uninstalled without risk to the machine or incurring “machine rot”.
  • Engaging: use live tiles, push notifications, and user activities that interact with Windows Timeline and Cortana’s Pick Up Where I Left Off, to engage users.
  • Programmable in C#, C++, Visual Basic, and JavaScript. For UI, use XAML, HTML, or DirectX.


Apple’s project “Marzipan”

The rumor is that even Apple is looking into unification on development for iOS and MacOS apps, blurring the lines between the both operating systems’ app development frameworks, closing the app gap and achieving app feature parity between their operating systems.


With all the changes in the application landscape and the increasing use of modern endpoints with natively installed apps that can be private or enterprise owned, the enterprise data and enterprise applications need to be secured, configured and managed separately from the private applications.

With modern management comes providing a comprehensive set of capabilities to deploy apps. XenMobile is able to deploy, Web Links, Public App Store Apps, .appx files, .appxbundle files, .msi files, .exe files and .ps1 PowerShell script. With such comprehensive filled toolbox, you can provide your users with the apps they need.


  • Deploy Office 365 CDN with a simple policy.

Additionally, you can, of course, deploy the .msi file you want, just keep in mind that nested .msi files are not supported by Windows 10 OMA-URI/CSP.

Other Citrix software you can install with XenMobile are;

  • NetScaler Gateway Plugin (MSI)
  • Citrix Windows 10 Extension agent (MSI)
  • ShareFile Drive Mapper (MSI)
  • ShareFile Sync (MSI)

See how to deploy .MSI with XenMobile all together in this brief video:

For details on Windows 10  MSI deployment, see:

.Appx and .Appxbundle files

Microsoft new Universal Windows Platform applications use the. Appx or Appx file format. Mostly they are used in the Microsoft Public Store or the Microsoft Store for Business. But Windows 10 allows also the sideloading or UEM/MEM distribution of these files. There is also the possibility to Distribute offline apps from the Microsoft Store for Business when the app is provided with the Offline license option (currently not yet supported in Citrix Endpoint Management). If you are using repackaging tools like CloudHouse or Microsoft Desktop app converter to transform legacy apps into the new Universal Windows Platform (UWP) with the .appx or the appxbundle file you can deploy these apps with the default XenMobile app functionality.

See how to deploy a legacy app transformed into a UWP app by CloudHouse Technology with XenMobile all together in this brief video:

Microsoft Store for Business

Microsoft Store for Business is a location where you can find and distribute free and paid apps in volume for your organization. By connecting XenMobile to Microsoft Store for Business, the Store for Business apps appear in the XenMobile Configure > Apps page. You can then deploy those apps to Windows 10 endpoints.

XenMobile supports only online license app management, which is the default licensing model supported by Microsoft Store for Business. This model requires users and endpoints to connect to Microsoft Store services to acquire an app and its license.

See how to Microsoft Store for Business works with XenMobile all together in this brief video:

For details on distribute apps to your employees from Microsoft Business Store, see:

Once apps are distributed they need to be configured and managed. XenMobile integrates with several interfaces Microsoft provides to accomplish this.

App Configuration with ADMX

ADMX files mentioned above are groups of registry-based policy settings that can be defined for Windows apps using a standards-based XML file format.  For example, Citrix Receiver for Windows includes administrative template files that may be applied using Windows Group Policy Object Editor. Now with modern management they may also be configured and pushed by XenMobile for Receiver or any of the many windows apps that provide an admx file.

See how to use XenMobile to configure Citrix Receiver with an Admx App Configuration policy on a Windows 10 endpoint in this brief video:

For more details on how to implement App Configuration polices on Windows 10 endpoints see:


AppLocker is a Windows 10 features that helps administrators control which apps users may execute.  A common use case would be to blacklist apps or files frequently identified by enterprises as containing vulnerabilities. XenMobile can push AppLocker XML configurations to managed Windows 10 endpoints to enforce app control.

See how to use XenMobile to implement AppLocker on Win10 endpoints in this brief video:

For more details on how to implement AppLocker see:

Disable promoted app and Windows Consumer Features

With modern endpoint management and the modern workforce, the endpoints will no longer be pre-imaged or installed with the traditional desktop management, tools but most likely they will be shipped directly to the end-users and will be in the Autopilot program. With this the end-users just simply turns on the endpoint and from the OOBE in combination with AutoPilot and a UEM/MEM solution like XenMobile will onboard, deploy apps, secure and configure the endpoints. We all have seen that if you first start Windows 10 there is a lot of Apps you have never seen before and in your start menu there are even suggestions for games. This is maybe something you want to control or turn-off. With the Policy CSP Experience, you have the option to control these with a custom XML deployed with XenMobile.


Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.


This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.

For more details on the Policy CSP Experience see:

Configure browsers with XenMobile

Internet browsers are the power tools for the majority of the modern workforce. They provide access to internal and external resources with a endless resources of information and data. From an organizations perspective you want to provide the best user experience by providing pre-configuration company links, the best available search engine or the company homepage for example. This in combination with a layered security model where some of the browser settings for example Deleting Browser History or not allowing the Password Manager to store Passwords can be a part of this layered security model. Next to that Windows Defender Application Guard which is also available in XenMobile as a policy.

XenMobile can manage the Windows 10 Edge browser by a custom xml policy based on the Policy CSP – Browser. Internet Explorer can be managed by a similar custom xml policy based on the Policy CSP – InternetExplorer. Google Chrome as a .MSI can be pushed to the Windows 10 Endpoint and configured with a .admx file both deploy with XenMobile.

See how to use XenMobile with custom xml to manage the Edge Browser in this brief video:

For more details on how to manage Internet Browsers see:

With the proliferation of apps across a variety of mobile endpoint types used in a variety of locations on public networks app security is paramount to protecting the enterprise data they process. XenMobile also integrates with the many features Microsoft makes available to secure apps on managed Windows 10 endpoints.

Windows Defender Application Guard (WDAG)

Application Guard is security feature to help secure Edge browsers on physical endpoints with processors that support virtualization. It isolate Microsoft Edge at a hardware level using Hyper-V technology and limits access to the operating system to protect the endpoint and data from malware. Microsoft introduced the feature for Windows 10 Enterprise with its Fall Creators Update (1709) and with the recent 1803 update extended it to Windows 10 Pro endpoints with the necessary hardware.

For details on how to implement Application Guard, see:

Windows Information Protection

Windows Information Protection (WIP) , which evolved from Enterprise Data Protection (EDP), helps protect against data leakage with minimal impact on user experience. XenMobile supports flexible configuration of WIP to protect data use by local and SaaS apps. It’s comparable to Mobile App Management (MAM) solutions available for other mobile platforms like iOS or Android.

See how to use XenMobile to implement Windows Information protection on Win10 endpoints in this brief video:

For details on how to implement Windows Information Protection, see:

Windows 10 Per-app VPN for WIP enabled Applications

Organizations need transparency from their users to protect native applications and data from any network to which they are connecting. Microsoft CSP provides commands to manage and secure these Windows 10 Endpoints. In addition, you might want a specific set of Enterprise or Public applications to connect securely from within the WIP container to your corporate network. The default policy in XenMobile doesn’t allow you to configure settings like Application Trigger List, EDPModeID wich is required for WIP enabled apps or TrafficFilterLists. For this to work you need to create a custom xml file that you can deploy with XenMobile.

See how to use XenMobile with Per-App VPN for WIP enabled applications in this video:

For more details on how to create the custom and configure the custom xml see this previous Citrix blog post:

As you can see, XenMobile provides comprehensive Modern Endpoint Management. This blog series is focused on the Modern Management of Windows 10 Endpoints, but XenMobile also support all the other major operating systems like iOS, Android (all Enterprise modes), macOS, Chrome Enterprise, tvOS, Citrix Workspace HUB a manageable low cost high performance thin-client and other endpoints. Furthermore, XenMobile is one of the few vendors delivering a multi-container (Platform MAM and Platform Independent Application MAM on iOS and Android) MAM strategy. Comments below, or tweet co-author Matt @tweetmattbrooks or me @jjvlebon, additionally special thanks to the XenMobile Development Team for assisting Matt and myself on this Windows 10 blog journey & please stay tuned and tune in again for our next deep dive of Windows 10 Modern Endpoint Management and the features that come with XenMobile!

Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know! This email address is being protected from spambots. You need JavaScript enabled to view it.

Add comment

Security code

Download Joomla Templates Responsive