microsoftconnect/intune-app-wrapping-tool-ios

In-house application wrapped with citrix flag doesn't connect

UgniusD opened this issue · 8 comments

Describe the bug:
Hello,

We have a few applications that need a connection to internal resources, and we have configured Citrix ADC, which works with Edge micro VPN.
If we wrap any in-house application with the citrix flag, it gets stuck on a white screen before login. If we press cancel, it says failed to login to gateway; if we press cancel again on that screen, it says "to protect its data your organization needs to manage this app. To complete this action sign in with your work or school account." After pressing OK, the page still remains blank and nothing happens. Looking at the gateway trace, there are no connections to it, and looking at the Fiddler trace from the device, it only shows these 2 lines without a response:

1 1 HTTP Tunnel to login.windows.net:443 http://login.windows.net:443 200 CONNECT ::ffff:192.168.121.180 40.126.9.7 8897 16:39:05.947 Tue Feb 02 2021 00:00:00 GMT+0200 (Eastern European Standard Time) 77
2 2 HTTPS login.windows.net /common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.windows.net%2Fcommon%2Foauth2%2Fauthorize https://login.windows.net/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.windows.net%2Fcommon%2Foauth2%2Fauthorize 200 GET ::ffff:192.168.121.180 40.126.9.7 937 max-age=86400, private application/json; charset=utf-8 16:39:06.294 Tue Feb 02 2021 00:00:00 GMT+0200 (Eastern European Standard Time) 111

We tried different iOS versions and the behavior is the same.
Toolkit versions:
Packager Version: 14.1.0, Packager Build: 2101.8, App Build: 2.3.0, Concatenated Build: 2117.12.0
MDX toolkit - version 20.10.5.6

Could you suggest what we could try to make this work?
*The application itself doesn't need any authentication with Azure, only to Netscaler ADC.
On a side note, applications without the citrix flag do launch the MS login page properly and after login get the proper configuration.

Hi @UgniusD, is 20.10.5.6 the latest version of the Citrix MDX toolkit? If not, have you tried the latest release? If that doesn't help, I think you may need to file a support case with Citrix, given that the apps work when MDX is not in the picture.

Hi, yes, it's the latest one. The problem is that if we wrap the application with their toolkit for a Citrix environment, it works. But in this scenario all policies are for Intune only (Intune MDM+MAM+Citrix SDK scenario) and the app gets stuck on the MS login page, after which the application should get policy from Intune, so it seems that enclosure of the application happens too early and it doesn't send anything to the gateway. Maybe you have an example of any working application with the citrix flag? Looking at the files added to the application, there are XML files that indicate, for example, that MvpnClientId should be specified in the application configuration policy, but it's not documented anywhere. The same goes for other flags that should be used after wrapping with the MS iOS toolkit, so maybe we missed some of them? I presume it should add MvpnGatewayAddress, MvpnExcludeDomains, MvpnNetworkAccess?

Hi @UgniusD, yes the mVPN settings should be delivered to the app via Intune app config policy in the dual-wrapping scenario, meaning that MDX should not be interfering with Intune enrollment to get that policy. Have you reviewed this documentation on Integration between Citrix Endpoint Management and Microsoft Endpoint Manager?

Dual-wrapping? The tools don't allow dual-wrapping ipa/apk files in the MDX toolkit and in the MS toolkit. I'm not talking about the MDX wrapping scenario for Citrix, where Intune MAM is impossible. We don't want to use Citrix Endpoint Management at all.
If you look at the Edge mVPN setup, Citrix is involved only with Netscaler ADC, nothing comes from their endpoint management, and we configure only the gateway to challenge the connection for Edge and do OAuth. So we want to do the same with the application, and it seems possible, doesn't it? The documentation says it is possible to include mVPN functionality (which does OAuth to the gateway for internal connection). Since the documentation says it is possible to include the mVPN part only, it should be possible, but now the app only tries to connect to the MS login endpoint and nothing happens. So once again I ask: do you have any working example with the scenario called Intune MDM+MAM+Citrix SDK for mVPN? <- Note that MDX is not needed here at all and Citrix Endpoint Management is not needed.

Hi @UgniusD, when the "-citrix" flag is specified for the Intune wrapping tool, it invokes the MDX wrapping tool after Intune wrapping has completed. That is what I meant by "dual-wrapping". Sorry if that caused any confusion. The app is wrapped with the network-only variant of the XenMobile SDK (mVPN only). We don't have a sample wrapped application available, but wrapping with the -citrix flag should produce an app which supports the config you've specified (Intune MDM+MAM with Citrix mVPN). If the existence of the Citrix SDK in the app is causing issues with the Intune enrollment auth prompt, I think that is an issue that needs to be investigated by Citrix.

Hi @UgniusD, do the apps being wrapped with Intune already contain the XenMobile SDK beforehand?

Hello, no, the SDK is not included beforehand, and if the app is wrapped that way it crashes instantly.
I have tried to wrap it without the citrix flag and after that do a manual wrap with the MDX toolkit as well, and the behavior remains the same.
You mention XenMobile; just note that it's not involved in any way with this setup. And yes, integration is done following this guide: https://docs.citrix.com/en-us/citrix-gateway/current-release/microsoft-intune-integration/setup-gateway-for-microvpn-integration-with-intune (Edge works)
Also, there's no documentation regarding this from Citrix or Microsoft except this one: https://docs.microsoft.com/en-us/mem/intune/developer/app-wrapper-prepare-ios#intune-app-wrapping-tool-for-ios-with-citrix-mdx-mvpn So I would expect this to be investigated between these parties? It seems that this feature is not tested at all.
I'm willing to test any working scenario if there is one. For example, any other version of the toolkits?
Also, I know that before Citrix released the MDX toolkit on Nov 11, 2020 with the new SDK, the Edge connection was not working, so maybe it has something to do with this?
And the app I'm testing is just a hello world app without anything in it, so I doubt that the application causes this.

Edit:
For others trying to get this working, I got an update from MS support:
The engineering team found that the Citrix SDK is interfering with ADAL and they raised the issue with Citrix.

Closing out this issue as the "-citrix" option is no longer supported, since Citrix has ended support for their wrapping tool.