Android devices fail to enroll into XenMobile after upgrading Netscaler

Article ID: CTX324230

Description

The following symptoms are seen: 

  • Android devices fail to enroll into XenMobile 
  • The error "Security policy does not allow you to connect" is seen in Secure Hub
  • Android devices enrolling in Device Administrator mode (legacy) are affected the most, but a smaller group of Android Enterprise devices were affected as well
  • XenMobile On-Premises only (not seen in Citrix Endpoint Management in the cloud)
  • Issue only occurs when XenMobile and Netscaler are in an SSL Offload configuration
  • SSL bridge configurations are not impacted 

If you have a XenMobile On-Premises Server on any of the versions below, ensure that the appropriate Rolling Patch binary is applied before upgrading Netscaler to build 12.1-58.15, 12.1-59.16, 13.0-64.35, 13.0-67.39, or above.
 
| Original XenMobile Version | Target XenMobile Version |
|---|---|
| 10.12 Rolling Patch 5 or lower | 10.12 Rolling Patch 6 at minimum |
| 10.13 without Rolling Patches installed | 10.13 Rolling Patch 1 at minimum |

Or older.

 

Resolution

Plan to upgrade your XenMobile server to any of the above versions before upgrading Netscaler to any of the following builds or above:
  • 12.1-58.15
  • 12.1-59.16
  • 13.0-64.35
  • 13.0-67.39
  • Above

When upgrading:
  • Schedule a new maintenance window
  • Take the regular preventive measures before an upgrade, such as:
    • A backup of your XM database
    • A snapshot of your XM virtual machines
    • Necessary precautions to back up Netscaler
  • Before upgrading Netscaler, apply the appropriate XenMobile Server Rolling Patch
  • If you have a clustered environment, please be sure to read: https://docs.citrix.com/en-us/xenmobile/server/upgrade.html#to-upgrade-clustered-xenmobile-deployments
  • Once the upgrade is applied, go ahead and upgrade Netscaler

Problem Cause

There are known traffic flow compatibility issues when the components below are combined:

  • XenMobile On-Prem (see versions above)
  • Android Legacy Device Administrator
  • Android Enterprise
  • Netscaler build 12.1-58.15, 12.1-59.16, 13.0-64.35, 13.0-67.39 or above.
  • SSL offload

Issue/Introduction

Android devices fail to enroll into XenMobile after upgrading Netscaler