Review: Citrix Xen Mobile rates a spot on your MDM short list

XenMobile 9.0 delivers top-notch features, granular security policies.


When we reviewed six mobile device management products in 2013, Citrix declined the opportunity to participate, but the company has changed its mind with the recent release of Xen Mobile v9.0 MDM. In our testing, we found that the software stacks up nicely against AirWatch and Good Technology, the two leaders from that review, and should be on any IT manager’s short list, particularly if you already use other Citrix connectivity products.

We tested the cloud-based Xen Mobile services, but the on-premises server has similar functionality. To get started, you download the client app, called Citrix Worx Home, from either Google Play or Apple iTunes Stores. Once installed, provisioning a new device happens quickly and a user is taken through the steps to install various pieces of Citrix code and set up their workspace.

You enroll with your email ID and other apps are pushed down to the device to set up the protected containers and specialized MDM environment. As with our review last year, we looked at a variety of old and new phones and tablets running different vintages of operating systems. Xen Mobile supports Android (2.x or better) and iOS (v5.1 or better), along with Windows Mobile devices. AirWatch supports a larger collection of devices.

One of the nice things about Xen Mobile is that once you add a user to your Active Directory store, they can enroll as many devices as they are allowed to (which is specified in an optional setting), so that an IT department doesn't need any additional workflow, setup, or policies. This also means that if your Active Directory house isn’t in order, Xen Mobile will give you some grief to make it so.

Citrix sells three different bundles under the Xen Mobile line, which is somewhat similar to AirWatch’s approach. There is the basic MDM package, and you can add application protection and enterprise features on top of this. This is not well specified on Citrix’s website, however.


Worx Home is the starting point for all Xen Mobile activities on your device and gives you basic MDM features. From here, you can automatically do app sign-ons, prevent jailbroken or rooted phones, and install your device profiles.

The basic tier doesn’t include any sandboxed container or apps. Those are part of the middle tier, which includes a collection of Worx Apps and the ability to set up app-centric policies, along with a more extensive app catalog that can include both native apps as well as SaaS-based ones. Worx has deep integration into various Citrix products and makes it very easy to process emails, set up GotoMeetings, and do other common tasks, provided you have licenses for these various other Citrix products. In fact, the licensing is probably the most complex thing about Xen Mobile.

The top tier includes the full enterprise bundle. This adds a ShareFile feature that allows all your apps to have both read and write access to a common cloud-based file repository. There are ShareFile clients for both Windows and Mac, which are accessed via a browser, just like you would for a cloud-based file service such as Dropbox. The difference is that ShareFile recognizes the security and policies of Xen Mobile.

All three bundles include some form of single sign-on feature. Once you set up a device PIN and a Worx PIN, the entire authentication happens in the background and users don’t need to authenticate themselves for individual apps, which is a nice feature. You can also set timeouts on the authentications, as part of your MDM policies.

Xen Mobile comes with three different management consoles: one for Device Manager (the main dashboard of which is pictured below), one for the App Controller, and one for setting up ShareFile. The three have different user interfaces and somewhat different operations. Citrix is working on integrating App Controller into the main Device Manager console for a future release.


Xen Device Manager main dashboard, where you can drill down by clicking on the various graphic elements.


The Device Manager console is where the guts of the Citrix solution reside: you set up MDM policies, run reports and select particular users and groups. The App Controller allows you to set up how various apps can be consumed by your device and integrate authentication and security policies that are defined by the administrator. This is very similar to how MDM competitors’ app-related features work. Citrix has developed a series of Worx-certified apps that are listed on their website.

Xen Mobile has a very app-centric notion of what constitutes a secure container. It doesn’t segregate apps into some corner of your tablet; instead, each app is placed on the desktop alongside your existing or personal apps. There are numerous security features for each app, such as preventing an app from running on a jailbroken device or on a different Wi-Fi network, turning off specific peripherals of the phone such as cameras or cut and paste, or even blocking particular Facebook or Twitter APIs from accessing a particular app.

Overall MDM policies are either global or OS specific and can be packaged in a variety of feature-oriented collections, such as scheduling policies, compliance policies, and passcode policies. These collections can then be sent to particular devices on a certain schedule, such as each time the device is connected to a particular Wi-Fi network or if it has sufficient storage capacity. The process is very powerful and granular, but it will take some effort to understand how Citrix has implemented it. In our tests we managed to set up conflicting policies, which took time to debug and straighten out.

Phones that are out of compliance (which can have several dimensions such as whether or not a device has been jailbroken) can have several automatic consequences: wipe either the MDM profiles or the entire phone, revoke any connectivity, notify administrators, or just show the phone as out of compliance on the management dashboard. (See screen shot below.)


Xen Mobile’s Device Manager can set up a variety of automated actions when a device is out of compliance.

As with many of the other MDM products, you can apply a wide collection of security options to each device, including wiping and locking, just by right-clicking on the device’s entry on the management console. Unlike some other MDMs, you can see on the console status screen whether the device has acknowledged your lock command. You can also pull up a log showing what commands have been sent to your device.

Xen Mobile comes with dozens of reports. Once you enter a date range, they are first displayed on screen and then they can be printed or exported in one of several formats, including Crystal Reports, Acrobat, Word or CSVs.

Pricing is based on two methods, either $50 per device or $65 per user (for an unlimited number of devices per user). This is for the basic MDM package; the additional features will cost more.



Overall, Xen Mobile is a very capable MDM solution and has some outstanding protective features and very granular security policies. However, there are a lot of moving parts to Xen Mobile and a lot of integration points to various other Citrix products, such as Receiver, NetScaler, and Xen Desktop.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at and you can follow him on Twitter @dstrom. He lives in St. Louis.

Copyright © 2014 IDG Communications, Inc.
