Problem with ActiveSync ID change not recognised by Citrix Gateway connector for Exchange ActiveSync/XenMobile NetScaler Connector/XenMobile
We manage an environment with XenMobile, Citrix Gateway connector for Exchange ActiveSync and NetScaler to allow Active-Sync traffic. We had some issues with Samsung devices not being able to fetch email. In the logs on the Citrix Gateway connector for Exchange ActiveSync server, we could see that the device was denied.
The weird thing was that the ID sometimes didn’t correspond with the device itself. After an unknown amount of time, the device will be able to fetch email and the issue is gone.
We have the current situation:
- XenMobile 10.10.0.10103 installed
- Citrix Gateway connector for Exchange ActiveSync 8.5.3.19 installed
- Samsung SM-A530F/DS and SM-A520F devices in use.
- Samsung SM-A530F/DS, Android 9, latest version of Samsung Mail
- Samsung SM-A520F, Android 8, latest version of Samsung Mail
Sometimes during enrollment of the above devices, the Active-Sync ID will be incorrect (starting with android-xxxx). The Active-Sync ID will be corrected by either rebooting, refreshing the policy or waiting an unknown time. The Active-Sync ID will change to SEC*****.

After the enrollment, the Active-Sync ID starting with android-xxxx will be synced to the Citrix Gateway connector for Exchange ActiveSync/XNC (in the XML file). The device won’t be able to access Active-Sync/Exchange because it presents its own device Active-Sync ID (SEC*****), which the connector does not know.

After a period, the Active-Sync ID will be changed in XenMobile to the correct ID (SEC*****). For some reason, the Delta changes of the Citrix Gateway connector for Exchange ActiveSync won’t see this change and the old (android-xxxx) Active-Sync ID will remain present on the Citrix Gateway connector for Exchange ActiveSync server (XML file).

After testing this, we found out that forcing a Baseline sync in Citrix Gateway connector for Exchange ActiveSync/XNC will force the ID to be corrected.
When we reached out to Citrix, our findings were confirmed:
During enrollment the devices will send their current ActiveSync ID to XenMobile. For Samsung devices, this ActiveSync ID is expected to change when the Samsung SAFE (or KNOX) license key is deployed. This is typically deployed via a Device Policy following MDM enrolment of the device. As soon as the user of the Samsung device accepts the license terms for SAFE or KNOX, then that is the moment when their ActiveSync ID will change. As you mentioned before the device will not be able to access the mailbox because the ActiveSync ID is different and not yet synced between XenMobile Server and Gateway Connector. XenMobile Server will update to the new ActiveSync ID when the device next checks in with the server. Because this is not a new device, the new details are not synced via the Delta sync process (the Delta sync process only syncs new devices, since the last Baseline sync). To sync changes for already enrolled devices, then a baseline sync must be performed (I supposed that is what you meant by “Full sync”). By default this has an 8 hour interval, which is well suited to large networks. It is ok to reduce this to a lower setting if better suited to your use case.
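
The behaviour described above, as an added example that is not part of the original post or of Citrix's reply: a simplified Python model of why a Delta sync leaves the old ID on the connector and a Baseline sync corrects it. The dictionaries, function names and sample IDs are assumptions made for illustration and do not reflect the connector's real XML file or code.

```python
"""Simplified model of Delta vs. Baseline sync (constructed; not Citrix code)."""

def delta_sync(connector, server):
    """Copy only devices the connector has never seen; existing entries stay as they are."""
    for device, as_id in server.items():
        if device not in connector:
            connector[device] = as_id

def baseline_sync(connector, server):
    """Replace the connector's whole device list with the server's current one."""
    connector.clear()
    connector.update(server)

def is_allowed(connector, presented_id):
    """Model of the filter: a request passes only if its ActiveSync ID is known."""
    return presented_id in connector.values()

def stale_entries(connector, server):
    """Devices whose ID on the connector differs from the server's current ID."""
    return {d: (connector[d], server[d])
            for d in connector if d in server and connector[d] != server[d]}

def run_scenario():
    server, connector = {}, {}
    # Enrollment: the device reports its pre-license ID (constructed sample value).
    server["phone-1"] = "android-1111"
    delta_sync(connector, server)
    # SAFE/KNOX license accepted: the ID changes and the server learns it at check-in.
    server["phone-1"] = "SEC0000"
    delta_sync(connector, server)          # not a new device, so nothing is copied
    denied_after_delta = not is_allowed(connector, "SEC0000")
    stale = stale_entries(connector, server)
    baseline_sync(connector, server)       # full replacement picks up the new ID
    allowed_after_baseline = is_allowed(connector, "SEC0000")
    return denied_after_delta, stale, allowed_after_baseline

if __name__ == "__main__":
    print(run_scenario())
```

A reconciliation like `stale_entries` is the check to run when a Samsung device is denied shortly after enrollment: any mismatch means the connector is waiting for its next Baseline sync.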
