iOS 11 MDM-enrolled Device Issues with XenMobile in Cluster Mode

Description

MDM commands may try to deploy multiple times on an MDM-enrolled iOS 11 device and may fail to complete successfully.
An admin attempting to push MDM policies to an iOS 11 device, deploy applications, or carry out security actions (such as Lock or Wipe) may not be able to successfully to do.
The user of an iOS 11 device may notice that applications keep trying to install, VPN or WiFi configurations fail to install, and security actions such as "Lock" may happen repeatedly.

The issue is apparent when users are on an iOS11 device, using MDM, and will apply to all versions of XenMobile Server (10.5, 10.6, all the cloud releases, etc.) if the end-user iOS11 device receives an MDM command.

If you are managing iOS devices via XenMobile, and your XenMobile deployment matches the two conditions below, then you need to take action before your end-users upgrade their devices to iOS 11.

1. XenMobile is deployed in a cluster setup (with more than one node)

2. XenMobile is deployed in MDM-only or Enterprise (MDM+MAM) mode.

Resolution

Update: This issue has been resolved in 10.8 RTM.

You will need to modify your NetScaler load balancer configuration to use Source IP persistence for all NetScaler MDM load balancers e.g. virtual servers set up for ports 8443 and 443.

For XenMobile Service customers, Citrix Cloud Ops will be performing this configuration change as a maintenance operation, so no action is necessary by customers.

Please refer to this article for more details on Source IP persistence - https://docs.citrix.com/en-us/netscaler/12/getting-started-with-netscaler/load-balancing/configure-persistence-settings.html.

The configuration change can be made either through the command-line or the NetScaler GUI.

Here are example commands to set Source IP Persistence:

set lb vserver _XM_LB_MDM_XenMobileMDM_172.16.30.62_443 -persistenceType SOURCEIP
set lb vserver _XM_LB_MDM_XenMobileMDM_172.16.30.62_8443 -persistenceType SOURCEIP

Here is a screenshot of the GUI to set Source IP Persistence:

If Source IP persistence is already configured on NetScaler and your XenMobile environment has more than 10,000 devices being managed by a XenMobile cluster, plus if network address translation (NAT) is enabled on an appliance such as F5 or a firewall fronting the NetScaler before the XenMobile Server, please monitor the NetScaler and XenMobile for CPU and memory usage. If NetScaler or XenMobile server resources are consistently pegged at 80% of the CPU or memory usage over a long period of time, please contact Citrix Technical Support for further assistance.

Problem Cause

With iOS 11 behavior multiple connections are opened by the iOS MDM software in response to a single MDM command from XenMobile.
XenMobile testing of iOS 11 revealed that MDM management of iOS 11 devices will be impacted if:

1. XenMobile is deployed in a cluster setup (with more than one node), and

2. XenMobile is deployed in MDM-only or Enterprise (MDM+MAM) mode (MAM-only deployment mode is not affected)

This affects all versions of XenMobile Server.

Issue/Introduction

iOS 11 Compatibility - iOS 11 MDM-enrolled device issues with XenMobile in cluster mode

Additional Information

Reference the following articles:

For more details on Source IP persistence - https://docs.citrix.com/en-us/netscaler/12/getting-started-with-netscaler/load-balancing/configure-persistence-settings.html.
CTX227610 - What would be the impact in changing Source IP persistence for iOS preparation?

Welcome to "KB Articles"