Tuesday, October 18, 2016

Citrix corrects clear text credentials in latest version of SecureHub

It looks like Citrix has finally corrected an issue with WorxHome/SecureHub for iOS.  Versions of WorxHome/SecureHub prior to version included clear text username and password in the WorxHome logs.

Friday, October 14, 2016

XenMobile device grooming using the XenMobile public API and Powershell

I've been working on a Powershell module for XenMobile which you can find here.  The module mostly has get commands for now but I am actively updating...

Current functions


**Update** 10/24/2016 - I changed the XenMobile Powershell module by renaming delete-xmdevice to remove-xmdevice

For example, here's how you can delete inactive devices from XenMobile using this module.

This can be done in the XenMobile console but if you have a bunch of devices to clean up - it might be easier to do it with a script or scheduled task.

Friday, October 7, 2016

Citrix pulls Secure Hub from iOS App Store! Worx Home is missing too!

It looks like Citrix pulled Secure Hub from the iOS App Store and Worx Home is missing as well!

Obviously, there's probably a problem with Secure Hub and they had to pull it. But, uh... with Worx Home missing as well - how are iOS users supposed to enroll?

Happy Friday - Thanks Citrix!

Update - 10/7/2016 @ 2:30 PM

Citrix Secure Hub 10.4 for iOS has been removed from Apple App Store

Is this a joke?  Next communication on 10/10/2016!  Give me a break - this is ridiculous.

Update - 10/7/2016 - Citrix sent out the following notification.

Dear Valued Citrix XenMobile and Citrix Workspace Suite Customers,

This afternoon we released XenMobile 10.4 which included XenMobile Server, XenMobile apps and Secure Hub (formerly Worx Home). We've since received some customer reported issues that are detailed below.

Executive Summary:

Citrix Secure Hub 10.4 for iOS has been removed from Apple App Store due to some customers reporting issues when they upgrade from Secure Hub 10.3.10 to 10.4.

Please do not use MDX Toolkit 10.4 and XenMobile apps 10.4 for iOS if you have already downloaded these artifacts. MDX Toolkit 10.4 and XenMobile apps 10.4 for iOS have been removed from citrix.com

Worx apps on end-user iOS devices will continue to work even if end users could not successfully update to Secure Hub 10.4. If Worx Home update to Secure Hub 10.4 was not successful, Worx Home will continue to function on the device without any requirement for re-enrollment.

There is no issue with Secure Hub 10.4 for Android.

Next customer communication will be sent out on Monday Oct. 10, 2016


Before Secure Hub 10.4, Worx Home 10.3.10 for iOS was updated to leverage the VPN Network Extension capability available in Apple’s iOS 10 which allows MDX-enabled apps to share data between each other.

The usage of VPN Network Extension in iOS 10 greatly improves the SSO (Single Sign-On) experience across all MDX apps and also reduces the number of flips back to Secure Hub. The VPN Network Extension is used by XenMobile Advanced Edition and XenMobile Enterprise Edition only on iOS 10 devices.

Secure Hub 10.4 was recently released to App Store on October 6th, 2016.

Secure Hub 10.4 upgrade issues have been reported by some customers on iOS 10 devices who are using it with XenMobile Advanced Edition to XenMobile Enterprise Edition.


During the upgrade to Secure Hub 10.4, the following issues were observed:

  • Secure Hub upgrade failed on first attempt
  • User either got “Unable to download. Done/Retry” or the download remained in “Waiting” stage (user had to cancel the download)
  • Second attempt to upgrade succeeded

After upgrading to Secure Hub 10.4
  • User was prompted to “Allow VPN config”
  • After allowing, Secure Hub works as expected.

Diagnosis & Workaround

Though this problem was not observed during internal QA testing and extensive EAR testing (via TestFlight), Secure Hub 10.4 upgrade from the App Store fails during the first attempt because VPN Network Extension is still running on Worx Home 10.3.10.

This behavior is observed with upgrades from the App Store. Once the upgrade fails, iOS terminates the VPN extension in Worx Home 10.3.10 automatically. However, on the second upgrade attempt, Secure Hub 10.4 upgrade succeeds and the user has to enable the VPN Network extension by accepting the prompts.

The current workaround for users who have access to Secure Hub 10.4 is to de-activate the VPN by going to Settings -> VPN. If VPN is disabled prior to the upgrade, Secure Hub 10.4 upgrades successfully on first attempt. User will then need to enable the VPN Network extension by accepting the prompts as before.

Removal of Secure Hub 10.4 for iOS from App Store

Since the issue is applicable to all iOS 10 customers who are using XenMobile Advanced and Enterprise Editions, we have removed Secure Hub 10.4 from the App Store.

We have also removed MDX Toolkit 10.4 and XenMobile apps 10.4 from your customer download pages. Please do not use MDX Toolkit 10.4 and XenMobile apps 10.4 for iOS if you have already downloaded these artifacts.

Next Steps

Citrix is investigating a fix to ensure upgrades can work smoothly even if VPN Network Extension is running. Once a fix is implemented and tested, a new version of Secure Hub 10.4 for iOS will be made available on the App Store. The next communication update will be on October 10th, 2016.

The XenMobile Team

Friday, September 16, 2016

A specified logon session does not exist. It may already have been terminated

I have a NetGear wireless router with a neat feature called ReadyShare.  NetGear ReadyShare lets me connect a USB drive to my router and create a network share.  It's been working great but I recently reloaded my Windows 10 desktop and started getting the following error.

"\\readyshare is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.  A specified logon session does not exist.  It may already have been terminated."

I suspected a security setting was causing the error, so I checked the Windows firewall and found my desktop's Wi-Fi connection had the public "profile" applied (Windows Key + S then search for "windows firewall")...

I prefer for this to be set to private for my home network so I went into settings (Windows Key + I), clicked Network & Internet, clicked Wi-Fi, clicked my Wi-Fi connection, and enabled "Make this PC discoverable".

My "ReadyShare" is now accessible after the profile change!

Thursday, September 15, 2016

Parsing NetScaler 'show icaconnections' with Powershell and NetCmdlets

There's probably a gigabillion ways to do this - Nitro, syslogs, etc; but if you're using NetCmdlets with Powershell you can easily parse through your ICA connections...

Now we have the ICA connections in $sessions; we can do some simple analysis with Powershell.

Here are some ideas...

Is there a server with a high number of ICA connections?
 #Number of ICA connections per destination IP  
 $sessions.Traffic | Group-Object -Property DestIP | Sort-Object Count  
Do you have any users with a high number of ICA connections?
 #Users with multiple ICA sessions  
 $sessions | Group-Object -Property UserName | ?{$_.Count -gt 1} | Sort-Object Count  
This one is helpful if you want to know the ports being used by the ICA connections.
 #Sessions by destination port - 2598 and/or 1494  
 $sessions.Traffic | Group-Object -Property DestPort  
Maybe you're expecting sessions to be using session reliability?
 #Sessions not running session reliability (destination port is not 2598)  
 #-ne is used because "-not $_.DestPort -eq 2598" negates the port first and never matches  
 $sessions.Traffic | ?{$_.DestPort -ne 2598}  

Citrix Publishes Supported Architectures Between NetScaler and XenMobile Server

Citrix published a new article detailing the supported architectures between NetScaler and XenMobile server on Aug. 16th 2016.  The article can be found here: CTX215980

Basically, if you're running an SSL offload with end to end encryption (re-encrypting) for MDM using port 8443 ...

 client <-8443-> NetScaler <-8443-> XenMobile  

... then this is not supported by Citrix.

The supported architecture is to use an SSL bridge or SSL offload (without encryption - Boooo!) for MDM.

NetScaler SSO Behavior with Split Tunnel Reverse/On

If you're using NetScaler, be aware that enabling split tunnel or reverse split tunnel for your users will change how SSO is handled with web applications.

It turns out that the NetScaler does consider split tunnel settings when deciding to do SSO.
  • If SplitTunnel is OFF, SSO is done only for Private IP addresses
  • If SplitTunnel is ON/REVERSE, SSO is done for all IP addresses
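
An added example (not from the original post, and not NetScaler code) that models the rule above to list which web apps would start receiving SSO attempts when the split tunnel setting is changed from OFF. It assumes "private" means the RFC 1918 IPv4 ranges; the function names and the app inventory are hypothetical and constructed for illustration.

```powershell
# Assumption: "Private IP addresses" = RFC 1918 (10/8, 172.16/12, 192.168/16).
function Test-Rfc1918Address {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $false
    }
    $b = $Address.GetAddressBytes()
    $isPrivate = ($b[0] -eq 10) -or
                 ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                 ($b[0] -eq 192 -and $b[1] -eq 168)
    return $isPrivate
}

# The rule as stated in the post: OFF -> private addresses only, ON/REVERSE -> all addresses.
function Test-SsoAttempted {
    param(
        [Parameter(Mandatory)][ValidateSet('OFF', 'ON', 'REVERSE')][string]$SplitTunnel,
        [Parameter(Mandatory)][System.Net.IPAddress]$Address
    )
    if ($SplitTunnel -eq 'OFF') { return (Test-Rfc1918Address -Address $Address) }
    return $true
}

# Lists the apps whose SSO behavior differs between OFF and the new setting.
function Get-SsoExposureChange {
    param([object[]]$Apps, [string]$NewSetting)
    foreach ($app in $Apps) {
        $before = Test-SsoAttempted -SplitTunnel 'OFF' -Address $app.IP
        $after  = Test-SsoAttempted -SplitTunnel $NewSetting -Address $app.IP
        if ($before -ne $after) {
            [pscustomobject]@{ Name = $app.Name; IP = $app.IP; SsoBefore = $before; SsoAfter = $after }
        }
    }
}

# Constructed sample inventory of web apps published through the gateway.
$apps = @(
    [pscustomobject]@{ Name = 'intranet';  IP = '10.20.30.40' }
    [pscustomobject]@{ Name = 'hr-portal'; IP = '172.16.5.9' }
    [pscustomobject]@{ Name = 'saas-crm';  IP = '203.0.113.25' }
)

Get-SsoExposureChange -Apps $apps -NewSetting 'ON' | Format-Table -AutoSize
```

With this sample data only `saas-crm` is listed, because it is the one app on a public address and so the only one whose SSO handling changes.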