For an overview of XenMobile Apps, including new features in the more recent versions, see What's new in XenMobile Apps.


XenMobile Apps

Nov 21, 2017

Citrix-developed XenMobile Apps provide a suite of productivity and communication tools within the XenMobile environment that are secured by your company's policies. For an overview of XenMobile Apps, including new features in the more recent versions, see What's new in XenMobile Apps.

Important

Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31, For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public app store distribution is supported. For more information about the in-app guide for moving from the enterprise versions of XenMobile Apps to the public store versions, see In-app guide for migrating to public store apps.

The MDX Toolkit continues to support enterprise wrapping for app developers.

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For more information about the XenMobile Apps that you can wrap by using the MDX Toolkit version , see XenMobile Apps administration and delivery.

Citrix Systems, Inc. All rights reserved.

Prior to version 10.4, some XenMobile Apps had different names. For details, see About XenMobile Apps. For details about apps delivery, see XenMobile Apps delivery and administration. XenMobile components are available on the XenMobile downloads page.

Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your end-to-end XenMobile environment, see the XenMobile Deployment Handbook.

Related information

Citrix Blogs: XenMobile

XenMobile Apps release timeline

Nov 21, 2017

This release timeline illustrates the cadence of XenMobile Apps releases. Although exact dates may change, we want to help you plan ahead. We also want to make it easier for you to manage app deployments and updates.

The tables list the following basic app types:

Public app store apps. As of version , you can distribute XenMobile Apps directly from the Apple App Store and Google Play Store. These apps are pre-wrapped and manageable through the XenMobile console.

Enterprise apps. You sign third-party apps with the MDX Toolkit. You distribute wrapped secured apps through the XenMobile Store. Users access the Store by enrolling their devices in Secure Hub. You control the configuration and operation of XenMobile Apps through administrative features, such as MDX policies and other XenMobile settings.

For more information about public app store and enterprise delivery of XenMobile Apps, see XenMobile Apps administration and delivery. For a summary of the versions of the supported XenMobile components that you can integrate, see XenMobile compatibility.

Important

Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31, For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public app store distribution is supported. You can use the in-app guide for moving from the enterprise versions of XenMobile Apps to the public store versions. For details, see In-app guide for migrating to public store apps.

The MDX Toolkit continues to support enterprise wrapping for app developers.

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For more information about the XenMobile Apps that you can wrap by using the MDX Toolkit version , see XenMobile Apps administration and delivery.

Proposed general availability release dates for public app store apps - Secure Hub and XenMobile Apps.

July 18
August 8
August 21*
September 6*
September 18

*Includes release of enterprise XenMobile Apps and the on-premises MDX Toolkit. Apps version was the last enterprise release for Android and iOS.

Proposed general availability release dates for the XenMobile Apps from the public app store

October 10
October 31
November 21
December 12

Note: As of the fourth quarter, we are no longer releasing enterprise versions of the XenMobile Apps.

About XenMobile Apps

Nov 21, 2017

Important

Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version Otherwise, users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and Android 8, see What's new in XenMobile Apps, Known issues, and XenMobile supported device operating systems.

Before upgrading to iOS 11, users must upgrade Secure Hub and XenMobile Apps to version That upgrade sequence is required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.

Beginning with version , there are two ways to deliver XenMobile Apps:

Through public app stores: Users download apps from the App Store for iOS and Google Play for Android. Windows currently isn't supported for public-app-store distribution.

Through the XenMobile Store. Users enroll their devices in Secure Hub to gain access to the XenMobile Store. From the store, users can add XenMobile Apps and third-party apps, all of which you secure with the MDX Toolkit.

You control the configuration and operation of XenMobile Apps through administrative features, such as MDX policies and other XenMobile settings.

For known issues in the most recent versions, see Known issues. For fixed issues in the most recent versions, see Fixed issues. For new features in the current release, see What's new in XenMobile Apps. For details about apps delivery, see XenMobile Apps delivery and administration. XenMobile components are available on the XenMobile downloads page.

Important

Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31, For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public app store distribution is supported. For more information about the in-app guide for moving from the enterprise versions of XenMobile Apps to the public store versions, see In-app guide for migrating to public store apps.

Prior to version 10.4, some XenMobile Apps and tools had different names:

Names in versions 10.3 and earlier | Names as of version 10.4
Worx Home | Secure Hub
WorxStore | XenMobile Store
Worx PIN | Citrix PIN
WorxMail | Secure Mail
WorxWeb | Secure Web
WorxNotes | Secure Notes
WorxTasks | Secure Tasks

The names for Citrix Secure Forms, QuickEdit, ShareConnect, and ShareFile haven't changed.

What's new in XenMobile Apps

Nov 21, 2017

Important

Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version Otherwise, users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and Android 8, see the information later in this article, the XenMobile Apps Known issues, and XenMobile supported device operating systems.

Before upgrading to iOS 11, users must upgrade Secure Hub and XenMobile Apps to version That upgrade sequence is required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.

Prerequisites for feature flag management

If an issue occurs with Secure Hub or Secure Mail in production, we can disable an affected feature within the app code. To do so, we use feature flags and a third-party service called Launch Darkly. You do not need to make any configurations to enable traffic to Launch Darkly, except when you have a firewall or proxy blocking outbound traffic. In that case, you enable traffic to Launch Darkly via specific URLs or IP addresses, depending on your policy requirements. For details about support in MDX since XenMobile Apps for the exclusion of domains from tunneling, see the MDX Toolkit documentation. For a FAQ about feature flags and Launch Darkly, see this Support Knowledge Center article.

The XenMobile Apps release includes:

Public app store versions of:
Secure Hub, Secure Web, and Secure Mail for Android
Secure Mail for iOS
Secure Mail for Android (enterprise) patch
MDX Toolkit on Citrix.com and XenMobile MDX Service for enterprise wrapping.

This release does not include an update to Secure Hub or Secure Web for iOS.

Note

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For more information about the XenMobile Apps that you can wrap by using the MDX Toolkit version , see XenMobile Apps administration and delivery.

The following features are new in XenMobile Apps

Device operating system support. Support for Pixel 2 with Android O.

Secure Mail for iOS

Support for iPhone X. Secure Mail for iOS now supports Apple iPhone X.

Calendar subject line actions. You can tap phone numbers and web addresses in a calendar subject line, as you can already do with the location.

Enhancements to swipe action. You can now configure the swipe action through Secure Mail settings to include new behavior, such as:

Move
Forward
Reply
Reply All

The default behaviors for swipe actions remain as follows:

Read
Delete
Flag

Preview Lines feature. You can use Preview Lines, in Secure Mail settings, to configure how many lines of an email body appear as preview in the mailbox view.

Secure Mail for Android

Enhancements to Folder and subfolder views and UI. You can now navigate through folders or subfolders and switch between multiple accounts without leaving the Mailboxes screen. UI options that appear when you long press on folders have been realigned.

Support for responsive emails. Secure Mail for Android has been optimized to handle responsive emails and render them seamlessly across Android devices.

The following features are new in XenMobile Apps

Secure Mail

Support for printing emails, events, or inline images. You can print emails, calendar events, or inline images from Secure Mail for iOS.

Contact order. Secure Mail on iOS maintains the order of contacts when sending an email or meeting invite.

The following features are new in XenMobile Apps

Secure Hub

Enable and disable biometric authentication for Samsung devices. XenMobile now allows you to enable and disable biometric authentication (fingerprint and iris scan authentication) for Samsung devices without requiring any action from users. If you disable biometric authentication in XenMobile, users and third-party apps cannot enable the feature.

Secure Mail

Support for Skype for Business. You can join Skype for Business meetings seamlessly through Secure Mail for iOS and Android. This feature requires the Skype for Business app to be installed on your device.

The XenMobile Apps release includes public app store versions of:

Secure Web for iOS
Secure Mail for iOS

The release includes bug fixes. For details, see Fixed issues.

The following features are new in XenMobile Apps

Same-day support for iOS 11. XenMobile Apps 10.7 supports iOS 11. For details about testing and preparing for iOS, see XenMobile supported device operating systems and Known issues.

XenMobile Apps 10.7 enterprise versions. The Secure Mail and Secure Web enterprise apps for iOS in this release contain all new features and enhancements that we introduced in versions 10.6 and later in the XenMobile Apps public app store versions.

Secure Mail

In Secure Mail for iOS with multiple Exchange accounts, you can view the Contacts folders or subfolders of individual accounts.

Support for PPTM file format. Secure Mail for iOS supports the Microsoft PowerPoint PPTM file format. Users can attach, view, and open .pptm files in Secure Mail.

The XenMobile Apps release includes:

Enterprise

Secure Hub for Android
Secure Mail for Android
Secure Notes for Android
Secure Tasks for Android
Secure Web for Android

Public App Store

Secure Hub for Android
Secure Hub for iOS
Secure Mail for Android
Secure Mail for iOS
Secure Notes for Android
Secure Tasks for Android
Secure Web for Android
Secure Web for iOS

The following features and enhancements are new in XenMobile Apps

Same-day support for Android O. XenMobile Apps noted in the preceding list support Android O (version 8). With the release of Android O, Android 5 becomes the minimum supported version. For details about testing and preparing for Android O, as well as for the iOS 11 release, see XenMobile supported device operating systems. Also be sure to review the Known issues.

Note: Google support for SSLv3 connections ends. XenMobile Apps that run on an Android O device cannot connect to internal servers that use SSLv3 connections. Plan ahead to anticipate this change to avoid connectivity issues for users.

MDX no longer enforces app upgrades on Android by default. You can modify a new policy, Disable Required Update, to enforce upgrades for Public App Store apps. MDX does not enforce the upgrade by default. This feature was available for iOS apps in the release of MDX.

Secure Hub for Android

XenMobile shows the security patch level only for Samsung devices running Android 6.0 and later. [CXM-36345]

Secure Mail for Android

In Secure Mail for Android, all replies or forwards to an encrypted email are encrypted even if the Encrypt by default setting is OFF.

Multiple Exchange accounts on Android. Secure Mail now supports multiple Exchange accounts on Android. From Settings within Secure Mail, you can now add multiple Exchange accounts and switch between them. This feature allows you to monitor all your mails, contacts, and calendars in one place. This feature was first available for iOS in version

Secure Web for Android

Offline pages. The Enable offline pages policy now controls the offline web pages feature for Android devices. The default value is OFF. Enable this policy to allow users to save offline web pages on their devices. XenMobile does not encrypt these offline pages, but you can use device level encryption to achieve the same. Additionally, previously saved offline pages will not be accessible after you upgrade to XenMobile Apps

The following features are new in XenMobile Apps

Secure Mail

Secure Mail now supports multiple Exchange accounts on iOS. From Settings within Secure Mail, you can now add multiple Exchange accounts and switch between them. This feature allows you to monitor all your mails, alerts, and calendars in one place. For details, see Multiple Exchange accounts on iOS.

Secure Mail for iOS and Android supports new features on swipe gestures. You perform the following actions by swiping an email either left or right.

More
Flag
Delete

Mark

For details, see Swipe to delete.

Encryption for replies or forwards. In Secure Mail for iOS, all replies or forwards to an encrypted email are encrypted even if the Encrypt by default setting is OFF.

Personal calendar conflicts. Secure Mail for Android displays conflicts with your personal calendar event while you create or reschedule an Exchange account calendar event.

Support for super-wide device screens for Secure Mail for Android. This release supports displays on device screens with aspect ratios of 18.5:9. Screens with this aspect ratio are available on devices including the Samsung S8.

Secure Web

Support for super-wide device screens for Secure Web. This release supports displays on device screens with aspect ratios of 18.5:9. Screens with this aspect ratio are available on devices including the Samsung S8.

The following features are new in XenMobile Apps

Secure Hub

Support for super-wide device screens on Android. This release supports displays on device screens with aspect ratios of 18.5:9. Screens with this aspect ratio are available on devices including the Samsung S8.

Secure Mail

Battery enhancements. Improvements to Secure Mail reduce battery consumption on Android devices.

Personal Calendar account selection. On Secure Mail for Android, you can select which personal calendars appear on the settings screen. This feature first appeared in Secure Mail for Android version

Secure Mail for Android displays the following details about a personal calendar event:

Account name of the sender
Invitees
Meeting notes

For details, see Personal Calendar Overlay.

Restrict users from using unknown or personal domains. In Secure Mail for iOS, as a security feature, you can keep users from configuring accounts from specific domains. For example, you may want to restrict users from using an unknown or personal domain. To do so, you configure the Allowed Domains MDX policy when you update Secure Mail in the XenMobile console.

To allow Secure Mail to filter for prohibited domains, you need to add the allowed domains to the list. Secure Mail then compares the domain with the allowed list. For instance, if you list server.company.com as an allowed domain name and the user's email address is user@internal.server.company.com, Secure Mail supports the email address. In that example, Secure Mail does not support any other email address with a domain name that is not server.company.com.

In the policy settings, you add the allowed domains in comma-separated format, such as server.company.com, server.company.co.uk
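The Allowed Domains comparison described above can be rehearsed offline before the policy is rolled out, to see which existing mail addresses would be rejected. The following is an added example, not Citrix code: the function names and sample addresses are constructed, and it assumes that a subdomain matches only on a whole-label boundary, which the page implies with internal.server.company.com but does not spell out.

```python
"""Audit mail addresses against an Allowed Domains style policy value.

Added illustration, not Citrix code. Assumption: an address is accepted when
its domain equals an allowed domain or is a subdomain of one, compared on
whole DNS labels and case-insensitively.
"""

# Policy value in the comma-separated format shown on the page.
POLICY_VALUE = "server.company.com, server.company.co.uk"

# Constructed sample addresses for the audit.
SAMPLE_ADDRESSES = [
    "user@internal.server.company.com",    # subdomain of an allowed domain
    "user@server.company.com",             # exact match
    "User@SERVER.Company.CO.UK",           # case differences only
    "user@company.com",                    # parent domain, not listed
    "user@notserver.company.com",          # shares a suffix, not a label
    "user@server.company.com.example.net", # allowed name used as a prefix
    "user@personal.example",               # unrelated domain
    "no-at-sign",                          # malformed
]


def parse_allowed_domains(policy_value):
    """Split the comma-separated policy string into normalized domain names."""
    domains = []
    for item in policy_value.split(","):
        domain = item.strip().lower().rstrip(".")
        if domain and domain not in domains:
            domains.append(domain)
    return domains


def address_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        return None
    # Reject empty labels such as "a..b" or a leading dot.
    if any(label == "" for label in domain.split(".")):
        return None
    return domain


def is_allowed(address, allowed_domains):
    """True when the address domain is an allowed domain or a subdomain of one."""
    domain = address_domain(address)
    if domain is None:
        return False
    for allowed in allowed_domains:
        # The "." prefix keeps "notserver.company.com" from matching
        # "server.company.com" on a plain string suffix.
        if domain == allowed or domain.endswith("." + allowed):
            return True
    return False


def audit(addresses, policy_value):
    """Map each address to True (accepted) or False (rejected)."""
    allowed = parse_allowed_domains(policy_value)
    if not allowed:
        # The page does not say what an empty policy means, so refuse to guess.
        raise ValueError("policy value contains no domains")
    return {address: is_allowed(address, allowed) for address in addresses}


if __name__ == "__main__":
    for address, accepted in audit(SAMPLE_ADDRESSES, POLICY_VALUE).items():
        print(f"{'ALLOW' if accepted else 'BLOCK'}  {address}")
```

A plain string-suffix comparison would also accept notserver.company.com, which is why the check is anchored on the dot.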

For a matrix of MDX app policies per platform, see MDX Policies at a Glance.

The following features are new in XenMobile Apps

Secure Hub

Secure Hub Touch ID on iOS: Fingerprint authentication when offline or for app inactivity. When fingerprint authentication is enabled, users can now sign on by using a fingerprint when offline authentication is required because of app inactivity. Users still have to enter a PIN when signing on to Secure Hub for the first time and when restarting the device. Fingerprint authentication is supported on iOS 9 and iOS 10.3 devices and some Android devices.

Secure Mail

Personal Calendar account selection. On Secure Mail for Android, you can now select which personal calendars appear on the settings screen.

New MDX analytics policy for Secure Mail for iOS and Android. Citrix collects analytics data to improve product quality. The Google Analytics level of detail policy allows you to specify whether the data collected can be associated with your company domain or collected anonymously. Selecting Anonymous opts users out of including the company domain with the data that is collected. This new policy replaces an earlier Google analytics policy.

When the policy is set to Anonymous, we collect the following types of data. We have absolutely no way to link this data to an individual user or company because we do not request user identifiable information. No personally identifiable information is sent to Google.

Device statistics, such as the operating system version, app version, and device model
Platform information, such as ActiveSync version and Secure Mail server version

Failure points for product quality like APNs registrations, mail sync failures, mail send failures, attachment download failures, calendar sync failures, and so on

Note that other than company domain, no other identifiable information is collected when the policy is set to Complete. Default is Complete.

Secure Web

Fixed issues. To learn more about the issue fixed in this release, see XenMobile Apps Fixed Issues.

Secure Mail 10.6

Upgrade to Exchange ActiveSync (EAS) version 16. Secure Mail supports both EAS version 16.1 and version 16.0 on iOS and Android. However, an upgrade to the respective EAS version depends on the EAS protocol supported by Exchange Server 2016 in your environment. During the upgrade, Secure Mail resynchronizes all your local data and preserves any draft or unsent emails that you may have.

Personal Calendar overlay enhancements. Secure Mail now notifies users when they make a calendar event that conflicts with events in their native calendar. Additional fields appear for personal events as well. Users can see whom an event is from and can show the invitee count. For details, see Personal Calendar Overlay.

Secure Hub 10.6

Citrix VPN connection type for Android devices

The VPN device policy for Android now supports configuring Citrix VPN. Citrix VPN is a mobile application that connects to NetScaler Gateway in full VPN mode, as opposed to a clientless VPN or ICA proxy mode.

On the Configure > Device Policies page for Android, the Connection type menu now includes Citrix VPN.

Citrix VPN settings:

Server name or IP address: Type the FQDN or IP address of the NetScaler Gateway.

User name and Password: Type your VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don't provide the VPN credentials, the Citrix VPN app prompts for a user name and password.

Identity credential: Appears for the Authentication types of Certificate or Password and Certificate.

Enable per-app VPN: Select whether to enable per-app VPN. If you don't enable per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings. The default is OFF.

Whitelist or Blacklist: Choose a setting. If Whitelist, all apps in the whitelist tunnel through this VPN. If Blacklist, all apps except those on the blacklist tunnel through this VPN.

Application List: Specify the whitelisted or blacklisted apps. Click Add and then type a comma-separated list of app package names.

Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:

disablel3mode: Optional. To enable this parameter, type Yes for the Value. If enabled, no user-added VPN connections are displayed and the user cannot add a new connection. This is a global restriction and applies to all VPN profiles.

useragent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified user agent string is appended to the existing Citrix VPN user agent.

For general information about configuring the VPN device policy, see VPN device policy.

Derived credentials for iOS device enrollment

Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access Card (CAC).

The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.

XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn't support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile server to enroll Android devices through enrollment invitations and other enrollment modes.

For information on how users enroll using derived credentials, see Enrolling devices by using derived credentials. For more information about requirements and the configuration for derived credentials, see Derived credentials for iOS.

The following features are new in XenMobile Apps :

Secure Mail

Personal calendar support on Android. Import your personal calendar from the native calendar app and view events from Secure Mail. Enable this feature by going to Secure Mail settings and then turning On Personal Calendar. Select a color for your personal events and the calendars that you want to display in Secure Mail. This is a read-only view only visible to the user. The personal calendar information does not sync back to the Exchange or Lotus Notes mail server.

Select multiple emails in search mode. When searching for emails on iOS, you can now select multiple mails on which to perform an operation. Long press an email to begin selecting multiple mails.

Insert inline images on devices running iOS. Secure Mail now supports inserting inline images in the mail body.

Export contacts even if a native mail account exists. On iOS, Secure Mail contacts can be exported and synced with the phone contacts even if a Hotmail or Exchange account is set up on the device. You configure this feature in XenMobile through the Override Native Contacts Check policy for Secure Mail. This policy determines if Secure Mail should override the check for contacts from an Exchange/Hotmail Account configured in the native Contacts app. If On, the app syncs contacts to the device even if the native Contacts app is configured with an Exchange/Hotmail Account. If Off, the app continues to block contacts sync. Default is On.

Secure Notes and Secure Tasks for Android

Support includes a fix for Samsung Android 7 devices related to SQLite encryption issues.

Secure Notes and Secure Tasks for iOS

Fix for a TMobile VPN issue with Secure Notes and Secure Tasks.
Fix for an autodiscovery failure for Secure Tasks.

The following features are new in XenMobile Apps

Secure Hub

Supports the following devices:

Nexus 6P (operating system 7.1.1)
Moto Turbo (operating system 6.0.1)

Fingerprint authentication support on Android. The Enable Touch ID Authentication client property enables users to sign on by using a fingerprint when offline authentication is required because of app inactivity. When prompted, users can sign on by using a fingerprint or choose to use a Citrix PIN or passcode instead. Fingerprint authentication for Android was tested on the following devices:

Nexus 5X
Samsung S7 Edge
Samsung S6 Edge+
LG G5
Google Pixel

To add and enable this property

1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
2. Under Client, click Client Properties. The Client Properties page appears.
3. Click Add. The Add New Client Property page appears.
4. Configure these settings:
Key = ENABLE_TOUCH_ID_AUTH
Value = True
Name = Enable Fingerprint Authentication
Description = Enable Fingerprint Authentication
5. Click Save.

Secure Mail

S/MIME public key retrieval from LDAP directories. Secure Mail now supports the retrieval of public key certificates from LDAP. Users can encrypt or sign their emails with S/MIME. To enable the search of LDAP directories, you configure the following new MDX policies in the XenMobile console.

S/MIME public certificate source: Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.

Ldap server address: LDAP server address including port number.

Ldap Base DN: LDAP Base distinguished name.

Access LDAP Anonymously: If this policy is ON, Secure Mail can search LDAP without prior authentication.

Select multiple emails in search mode. When searching for emails on Android devices, users can now select multiple mails on which to perform an operation. Long press on an email to begin selecting multiple mails.

Phone number format support. Secure Mail for Android and iOS supports more phone number formats and conference code formats. Users can join meetings directly from invitations in their calendars. The following formats for Conference IDs or extensions are new in version

For an audio conference, the following formats let users tap the Dial In button. If they tap the phone number from the body of the calendar meeting, however, they can dial into the meeting. They must then enter conference codes manually.

The following phone number and conference code formats are supported.

Codes | Phone number formats
" | +1 (631) ,, #
' | +1 (631) , #
,,, | +1 (631) ,,, #
,,,, | +1 (631) ,,,, #
passcode | +1 (631) passcode #
ext: | +1 (631) ext: #
ext. | +1 (631) ext #
;ext= | +1 (631) ;ext= #
extn | +1 (631) extn #
HC | +1 (631) HC #
xtn | +1 (631) xtn #
xt | +1 (631) xt #
x | +1 (631) x #
PC | +1 (631) PC #
pc | +1 (631) pc #

The following features are new in XenMobile

Secure Hub

Zebra device support. With Secure Hub , for enrolled Zebra devices, the XenMobile console shows the MXMF version, and patch version if applicable, in device properties.

Security improvements. Secure Hub no longer trusts certificates issued by StartCom and WoSign Root certificate authorities based on findings by Mozilla and other security teams.

Secure Web

Turkish language support. Secure Web for Android now supports the Turkish language.

Secure Mail

Support for .pass files. You can download and import .pass files received as attachments into the iOS Wallet app.

Personal calendar support on iOS. You can import your personal calendar from the native calendar app and view events from Secure Mail. Enable this feature by going to Secure Mail settings and then turning On Personal Calendar. Select a color for your personal events and the calendars that you want to display in Secure Mail. This view for users is read-only. The personal calendar information is not synced back to the Exchange or Lotus Notes mail server.

To enable the personal calendar overlay, you can either enable the feature from the pop-up notification or from Secure Mail settings.

After enabling the feature, ensure that you grant Secure Mail permission to read the native calendar.

Select a color for your personal mail items.


For a demonstration of this feature on an iOS device, see the following video:

24 XenMobile Apps administration and delivery Nov 21, 2017 This article provides an overview of app administration and delivery in XenMobile. Prerequisit es f or f eat ure flag management If an issue occurs with Secure Hub or Secure Mail in production, we can disable an affected feature within the app code. To do so, we use feature flags and a third-party service called Launch Darkly. You do not need to make any configurations to enable traffic to Launch Darkly, except when you have a firewall or proxy blocking outbound traffic. In that case, you enable traffic to Launch Darkly via specific URLs or IP addresses, depending on your policy requirements. For details about support in MDX since XenMobile Apps for the exclusion of domains from tunneling, see the MDX Toolkit documentation. For a FAQ about feature flags and Launch Darkly, see this Support Knowledge Center article. Quick links to sections in this article: Public App Store Delivery of XenMobile Apps Enterprise Delivery of XenMobile Apps Not e: e End of Life for enterprise XenMobile Apps is December 31, 2017 Public app store apps require a fresh installation the first time you deploy them. It is not possible to upgrade from the current enterprise wrapped version of the app to the public store version. Important Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31, For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public app store distribution is supported. For more information about the in-app guide for moving from the enterprise versions of XenMobile Apps to the public store versions, see In-app guide for migrating to public store apps. The MDX Toolkit continues to support enterprise wrapping for app developers. T he MDX T oolkit is the final release that supports the wrapping of XenMobile Apps. 
Users access XenMobile Apps versions and later from the public app stores. For a table listing the XenMobile Apps enterprise versions that you can wrap with the MDX Toolkit, see the Enterprise delivery of XenMobile Apps section later in this article.

Public app store delivery of XenMobile Apps

With public app store distribution, you do not sign and wrap Citrix-developed apps with the MDX Toolkit. This significantly streamlines the process of deploying apps. You can use the MDX Toolkit to wrap third-party or enterprise apps.

XenMobile 10.5 or later.

Ensure that the apps can communicate with the following services if you have split tunneling on NetScaler set to OFF:
- Launch Darkly service. For details, see this Support Knowledge Center article.
- APNs listener service

XenMobile Apps are available on the Apple App Store and Google Play. For securing and deploying the native productivity apps on Windows devices, see the Windows Information Protection device policy.

In China, where Google Play is unavailable, Secure Hub for Android is available on the following app stores:

1. Download public-store .mdx files for both iOS and Android from the XenMobile downloads page.

2. Upload the .mdx files to the XenMobile console. The public store versions of XenMobile Apps are still uploaded as MDX applications. Do not upload the apps as public store apps on the server. For steps, see Add apps.

3. Change policies from their defaults based on your security policies (optional).

4. Push the apps as required apps (optional). This step requires your environment to be enabled for mobile device management.

5. Install apps on the device from the App Store, Google Play, or the XenMobile Store.

If the app is directly installed from the Secure Hub store, the experience is similar to installing the Enterprise version of the apps. The exception is that the app is installed by Secure Hub from the public app store instead of from the XenMobile Server. We recommend that users continue to install apps from the Secure Hub store. On Android, the user is directed to the Play Store to install the app. On iOS, in deployments with MDM, the app installs without the user being taken to the app store.

When the app is installed from the App Store or Play Store, the app transitions to a managed app as long as the corresponding .mdx file has been uploaded to the server. When transitioning to a managed app, the app prompts for a Citrix PIN. When users enter the Citrix PIN, Secure Mail displays the account configuration screen.

6. Apps are accessible only if you're enrolled in Secure Hub and the corresponding .mdx file is on the server. If either condition is not met, users can install the app, but usage of the app is blocked.
If you currently use apps from the Citrix Ready Marketplace that are on public app stores, you're already familiar with the deployment process. XenMobile Apps adopt the same approach that many ISVs currently use. Embed the MDX SDK within the app to make the app public-store ready. From an MDX perspective, this approach is not new. It is, however, a new deployment model for XenMobile Apps.

Note

The public store versions of the ShareFile app for both iOS and Android are now universal. The ShareFile app is the same for phones and tablets. Enterprise deployments require separate apps for phone and tablet.

The move to the public app store also simplifies the process of setting up Apple Push Notifications for Secure Mail. For more information on configuring push notifications, see Configuring Secure Mail for Push Notifications.

1. What's the recommended user flow? Should users install apps from the XenMobile Store through Secure Hub or from the public app store?
To minimize changes for users, they should continue to install the public store versions of XenMobile Apps from the XenMobile Store. In this case, Secure Hub initiates the install of the binary of the app from the public store on to the device.

2. Can an enterprise app and a public store app be installed on a device at the same time?
iOS: Yes, but it isn't recommended. The app IDs are different, and so deploying both apps is possible. However, because the underlying URL schemes are the same for both apps, running two apps on the device causes conflicts in interactions between apps.
Android: No. The Play Store app cannot be installed unless the enterprise app is first uninstalled. Both apps leverage the same provider authority string, which prevents apps from coexisting on the same device.

3. Can I deploy the public store version of the app as an upgrade to the enterprise version?
No. The app ID and signing certificate are different, so the public store version of the app requires a new installation.

4. Can I continue to deploy multiple copies of the public store app to different user groups? For example, I may want to deploy different policies to different user groups.
Yes. You'll have to upload a different .mdx file for each user group. However, in this case, a single user cannot belong to multiple groups. If users did belong to multiple groups, multiple copies of the same app are assigned to that user. Multiple copies of a public store app cannot be deployed to the same device, because the app ID can't be changed.

5. Can I push public store apps as required apps?
Yes. This is the same capability as that of enterprise versions of the apps. Pushing apps to devices requires MDM; it's not supported for MAM-only deployments.

6. Do I need to update any traffic policies or Exchange Server rules that are based on user agent?
No.
The user agent strings remain the same and, therefore, the rules already in place for the enterprise wrapped apps don't change for the public store apps. Strings for any user agent-based policies and rules are as follows:

App | Android | iOS
Citrix Secure Mail, Exchange | WorxMail | WorxMail
Citrix Secure Mail, Lotus Notes Traveler | Apple - iphone WorxMail | Apple - iphone WorxMail
Citrix Secure Web | WorxMail | com.citrix.browser
Citrix Secure Tasks (Exchange only) | WorxMail | WorxTasks
Citrix Secure Notes, Exchange | WorxMail | WorxNotes
Citrix Secure Notes, ShareFile | Secure Notes | Secure Notes

7. What happens if I haven't switched users to the public store apps yet and they download the app from the App Store or Play Store?
On Android, users cannot download the app. On iOS, they can download the app. However, because the app hasn't been assigned to the user on the XenMobile Server, the app indicates to the user that they are not entitled to use this version of the app when the app is opened.

8. Can I prevent app upgrades?
No. When an update is posted on the public app store, any users who have auto updates enabled receive the update.

9. Can I enforce app upgrades?
Yes, upgrades are enforced via the Upgrade grace period policy. This policy is set when the new .mdx file corresponding to the updated version of the app is uploaded to the XenMobile Server.

10. How do I test the apps before the update reaches users if I can't control the update timelines?
Similar to the process for Secure Hub, the apps are available for testing on TestFlight for iOS during the EAR period. For Android, the apps are available via the Google Play beta program during the EAR period. You can test app updates during this time.

11. What happens if I don't update the new .mdx file before the automatic update reaches user devices?
The updated app continues to work with the older .mdx file. Any new features that depend on a new policy are not enabled.

12. Will the app transition to managed if Secure Hub is installed or does the app need to be enrolled?
Users must be enrolled in Secure Hub for the public store app to activate as a managed app (secured by MDX) and to be usable. If Secure Hub is installed, but not enrolled, the user cannot use the public store app.

13. Do I need an Apple Enterprise developer account for the public store apps?
No. Because Citrix is now maintaining the certificates and provisioning profiles for XenMobile Apps, an Apple Enterprise developer account is not required to deploy the apps to users.

14. Does the end of enterprise distribution apply to any wrapped application I have deployed?
No, it applies only to the XenMobile productivity apps: Secure Mail, Secure Web, Secure Notes, Secure Tasks, Secure Forms, ShareFile for XenMobile, ScanDirect for XenMobile, QuickEdit for XenMobile and ShareConnect for XenMobile. Any other enterprise wrapped apps you have deployed that are either developed in-house or by third parties can continue to use enterprise wrapping. The MDX Toolkit will continue to support enterprise wrapping for app developers.

15. When I install an app from Google Play, I get an Android error with error code 505.
This is a known issue with Google Play and Android 5.x versions. If this error occurs, you can follow these steps to clear stale data on the device that prevents installation of the app:
   1. Restart the device.
   2. Clear the cache and data for Google Play through device settings.
   3. As a last resort, remove and then add back the Google account on your device.
For more information, see this blog.

16. Although the app on Google Play has been released to production and there isn't a new beta release, why do I still see Beta after the app title on Google Play?
If you are part of our Early Access Release (EAR) program, you always see Beta next to the app title. This name simply notifies users of their access level for a particular app. The Beta name indicates that users receive the most recent version of the app available. The most recent version may be the latest version published to a production track or to a beta track.

17. After installing and opening the app, users see the message App Not Authorized, even though the .mdx file is on the XenMobile Server.
This issue can happen if users install the app directly from the App Store or Google Play and Secure Hub is not refreshed. Secure Hub needs to be refreshed when the inactivity timer is expired. Policies refresh when users open Secure Hub and reauthenticate. The app is authorized the next time users open the app.

18. Do I need an access code to use the app? I see a screen prompting me to enter an access code when I install the app from the App Store or Play Store.
If you see a screen requesting an access code, you are not enrolled in XenMobile through Secure Hub. Enroll with Secure Hub and ensure that the .mdx file for the app is deployed on the server. Also ensure that the app can be used. The access code is limited to Citrix internal use only. Apps require a XenMobile deployment to be activated.

19. Can I deploy iOS public store apps via VPP or DEP?
XenMobile Server is optimized for VPP distribution of public store apps that are not MDX-enabled. Although you can distribute the XenMobile public store apps with VPP, the deployment is not optimal until we make further enhancements to the XenMobile Server and the Secure Hub store to address the limitations. For a list of known issues with deploying the XenMobile public store apps via VPP and potential workarounds, see this article in the Citrix knowledge center.

Enterprise delivery of XenMobile Apps

Important

Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31, For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public app store distribution is supported. The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores.

The following table lists the XenMobile App enterprise versions that you can wrap with the MDX Toolkit

XenMobile App | Enterprise versions that you can wrap by using the MDX Toolkit
Secure Hub | and available for Windows Phone
Secure Forms | available for iOS
Secure Mail | for iOS for Android
Secure Notes | available for iOS; available for Android
Secure Tasks | available for iOS; available for Android
Secure Web | available for iOS; available for Android
QuickEdit | 6.15 available for iOS; 6.13 available for Android (1)
ScanDirect | available for iOS
ShareConnect | 3.5 available for iOS; 3.5 available for Android
ShareFile | 5.5 available for iOS; 5.4 available for Android (1)

(1) It's possible that QuickEdit and ShareFile might support an MDX Toolkit version following version

To deliver a new wrapped XenMobile enterprise app or an update of a previously delivered wrapped XenMobile enterprise app, follow these general steps:

1. Download the latest XenMobile Apps and MDX Toolkit from the XenMobile downloads page.

2. Review the article for each app in this section. In particular, be aware of upgrade considerations and known issues.

3. After installing the MDX Toolkit, use the MDX Toolkit to wrap the apps. Citrix provides the MDX Toolkit that you use to wrap mobile apps for iOS, Android, and Windows 10 Phone and Tablet devices with Citrix logic and policies. For details, see About the MDX Toolkit. To take advantage of the latest MDX policies, be sure to re-wrap your apps with each updated release of the MDX Toolkit.

4. In the XenMobile console, add the MDX apps and then deliver the apps to user devices.

MDX policies enable you to configure settings that the XenMobile Server enforces. The policies cover authentication, device security, network requirements and access, encryption, app interaction, app restrictions, and more. Many MDX policies apply to all XenMobile Apps; some policies are app-specific.

Policy files are provided as .mdx files for the public store versions of the XenMobile Apps and with the MDX Toolkit, in the case of enterprise distribution. You can directly edit the policy files. You can also configure policies in the XenMobile console when you add an app.

The following sections describe the MDX policies related to user connections. For details about policies specific to XenMobile Apps, see the articles for each app. For a complete list of policies and their descriptions, see MDX Policies at a Glance and its sub-articles.

Connections that tunnel to the internal network can use a full VPN tunnel or a variation of a clientless VPN, referred to as secure browse. The Preferred VPN mode policy controls that behavior. By default, connections use secure browse, which is recommended for connections that require SSO. The full VPN tunnel setting is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network; the setting handles any protocol over TCP and can be used with Windows and Mac computers as well as iOS and Android devices.

Secure Web for iOS and Android supports use of a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment, if you use NetScaler for proxy authentication. For details, see Configuring User Connections.

The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse modes as needed. By default, this policy is off. When this policy is on, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates can be accommodated by the full VPN tunnel mode, but not secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode.

The Network access policy specifies whether restrictions are placed on network access. By default, Secure Mail and Secure Notes access is unrestricted, which means no restrictions are placed on network access; apps have unrestricted access to networks to which the device is connected. By default, Secure Web access is tunneled to the internal network, which means a per-application VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel settings are used. You can also specify blocked access so that the app operates as if the device has no network connection.

Do not block the Network access policy if you want to allow features such as AirPrint, iCloud, and Facebook and Twitter APIs.

The Network access policy also interacts with the Background network services policy. For details, see Integrating Exchange Server or IBM Notes Traveler Server.

Client properties contain information that is provided directly to Secure Hub on user devices. Client properties are located in the XenMobile console in Settings > Client > Client Properties.

Client properties are used to configure settings such as the following:

User password caching

User password caching allows the users' Active Directory password to be cached locally on the mobile device. If you enable user password caching, users are prompted to set a Citrix PIN or passcode.

Inactivity timer

The inactivity timer defines the time in minutes that users can leave their device inactive and then can access an app without being prompted for a Citrix PIN or passcode. To enable this setting for an MDX app, you must set the App passcode policy to On. If the App passcode policy is Off, users are redirected to Secure Hub to perform a full authentication. When you change this setting, the value takes effect the next time users are prompted to authenticate.

Citrix PIN authentication

Citrix PIN simplifies the user authentication experience. The PIN is used to secure a client certificate or save Active Directory credentials locally on the device. If you configure PIN settings, the user sign-on experience is as follows:

1. When users start Secure Hub for the first time, they receive a prompt to enter a PIN, which caches the Active Directory credentials.

2. When users subsequently start a XenMobile app, they enter the PIN and sign on.

You use client properties to enable PIN authentication, specify the PIN type, and specify PIN strength, length, and change requirements.

Fingerprint authentication

Fingerprint authentication is an alternative to Citrix PIN when wrapped apps, except for Secure Hub, need offline authentication, such as when the inactivity timer expires. You can enable this feature in the following authentication scenarios:
- Citrix PIN + Client certificate configuration
- Citrix PIN + Cached AD password configuration
- Citrix PIN + Client certificate configuration and Cached AD password configuration
- Citrix PIN is off

If fingerprint authentication fails or if a user cancels the fingerprint authentication prompt, wrapped apps fall back to Citrix PIN or AD password authentication.

Fingerprint authentication requirements:
- iOS devices (minimum version 8.1) that support fingerprint authentication and have at least one fingerprint configured.
- User entropy must be off.

To configure fingerprint authentication

Important: If user entropy is on, the Enable Touch ID Authentication property is ignored. User entropy is enabled through the Encrypt secrets using Passcode key.

1. In the XenMobile console, go to Settings > Client > Client Properties.

2. Click Add.

3. Add the key ENABLE_TOUCH_ID_AUTH, set its Value to True, and set the policy Name to Enable Fingerprint Authentication.

In-app guide for migrating to public store apps

Nov 21, 2017

Important

Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31, For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public app store distribution is supported. The MDX Toolkit continues to support enterprise wrapping for app developers.

Moving from the enterprise versions of XenMobile Apps to the public app store versions on user devices requires new installations of the apps. As of version , an in-app guide in some XenMobile Apps helps users export their app settings:
- Secure Mail, Secure Web, ShareFile, and QuickEdit include an in-app migration guide that you enable with policies in the MDX Toolkit.
- Secure Notes and Secure Tasks do not include an in-app migration guide.

The following sections describe the steps to get ready for app migration, including how to enable the in-app migration guide. For Secure Notes and Secure Tasks, the article shows how to migrate without the guide. The article also includes specific steps users take on their iOS or Android devices.

We recommend that you migrate your other apps, such as Secure Web, ShareFile, or QuickEdit, before you migrate Secure Mail. Doing so ensures that Secure Mail exports the app settings for your other apps successfully.

For apps that include an in-app migration guide (Secure Mail, Secure Web, ShareFile, and QuickEdit):
- For iOS, set the Cut and Copy MDX policy to Unrestricted. Note that you only need to change this setting if users migrate Secure Mail for iOS first.
- Upload the MDX file to the XenMobile console. Doing so ensures that Secure Hub authorizes the apps to be downloaded and installed from the app stores.
- Set up automatic enrollment and a credential store in the public store version of Secure Mail. Set the configuration to configure the account automatically when users open the app, if the configuration does not include certificates. For details, see Configure single sign-on for Secure Mail.

During the migration period, both the enterprise apps and public app store apps are available in Secure Hub. A best practice is to prepend the display name of the enterprise apps with a phrase like Do Not Install. Move the apps to a new folder named Deprecated - Do Not Install. When the migration period ends and the enterprise apps are wiped, you can push the public store apps as required.

To enable the guide, turn on the MDX policies for App Store migration (iOS) or Play Store Migration (Android) on the XenMobile console. The next time users open the enterprise versions, the migration guide appears.

You can control how long the guide appears by configuring the Migration grace period (hours) MDX policy. The default value is 72 hours. When the period ends, the enterprise app becomes inactive. At that time, users must move apps to the public app store version.

Other points to note about the in-app guide:
- Wait for the migration grace period to pass before removing the enterprise apps from your user groups.
- If you blocked app store access, the guide can't be enabled. In this case, users must move their apps to public store apps manually.
- Enabling the guide with shared devices isn't recommended. The shared device administrator should manage the move to public store apps.

Secure Notes and Secure Tasks do not include an in-app migration guide. To migrate Secure Notes and Secure Tasks from the enterprise app versions to the public app store apps, do the following.

1. Deploy an App uninstall device policy to remove the enterprise versions when the app store version of Secure Mail is installed. This policy is not supported in MAM-only environments.

2. Send Secure Hub notifications to install Secure Notes and Secure Tasks from the app store. The notifications appear to users when they install the app store version of Secure Mail or Secure Web.

3. In environments without an MDM deployment, we recommend that you wipe the apps. Then, users reinstall that app when you send them an email migration template. For templates, see the Citrix.com resource guide on XenMobile End User Adoption.

1. When users tap the enterprise version of Secure Mail or Secure Web, a screen instructs them to download the app from the App Store. The screen also notifies them when the enterprise app becomes inactive.

2. A pop-up message appears, telling users to look for an email with an attachment that contains their settings.

3. When users tap OK, a confirmation screen appears.

4. Users are taken to the App Store, where they download the app.

5. After installing the public app store version of the app, users must delete the old, enterprise versions from their devices. If they don't, when they open the enterprise version, they see a message. The message instructs them to remove the old version.

Note

On iOS, both the enterprise and public app store versions can exist on the device. On Android, however, users must uninstall the enterprise version before installing the app store version.

On Android, it's recommended that users migrate from the Secure Web enterprise version to the Secure Web app store version first and then migrate Secure Mail.

Android requires users to uninstall an older version of an app. In this case, users uninstall the enterprise version. Then, they install the Google Play version. To export app settings, users must have Secure Mail on the device.

If a user taps the enterprise version of Secure Mail, the following sequence of screens appears:


After users migrate their apps, do the following as appropriate for your scenario:

When using the migration guide for iOS devices, users have the enterprise apps and public store apps installed on their devices simultaneously. To remove the enterprise app upon install of the public store version, use the App Uninstall device policy. The policy is available in XenMobile Server 10.6 and later. This policy is not supported in MAM-only environments.

We also recommend that you use the App Uninstall policy to trigger the removal of Secure Notes and Secure Tasks.

In the following figure, in Managed app bundle ID, type the bundle ID of the app you want users to uninstall. In the Deployment Rules, for Installed App Name is equal to, type the bundle ID of the app from the public app store that you want users to install.

To use automated actions to trigger a Secure Hub notification, see Automated actions. You set the trigger based on the Installed app name.

Known issues

Nov 21, 2017

For technical support articles and other support resources for XenMobile, such as software updates and security bulletins, see the Citrix Support Knowledge Center.

Important

Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version Otherwise, users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and Android 8, see the information later in this article, the XenMobile Apps Known issues, and XenMobile supported device operating systems.

Before upgrading their devices to iOS 11, users must upgrade Secure Hub to version or later. That upgrade sequence is required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores.

Secure Mail

On Secure Mail for Android, tapping on a ShareFile link in the body of an email does not display options to open the link in a ShareFile app. [CXM-41524]

Secure Web

In Secure Web for Android on a Pixel device running Android O, when opening the app for the first time, the app crashes. [CXM-40993]

When you set an MDX policy in XenMobile to enable micro VPN for Secure Web for Android: When users tap a Secure Web tab, such as Downloads, Settings, or Favorites, the app flips to Secure Hub in error. [CXM-41141]

The XenMobile Apps releases include no known issues. For fixed issues, see Fixed issues.

In Secure Mail on iOS 11 devices, silent notifications do not work. As a result, notifications may not appear on the lock screen. When mail synchronizes in the background, however, the notifications do appear. This is a third-party issue. For details and updates, see this Citrix Support Knowledge Center article.

In Secure Mail for iOS 11, the Join Meeting button is available on Skype or GoToMeeting meetings even though those apps are not installed. [CXM-39406]

Secure Hub

Devices running iOS 11 can't enroll in XenMobile or might have Secure Hub store access issues in the following conditions:

If TLS 1.2 isn't enabled on NetScaler and XenMobile is configured with any of the following authentication options:
- LDAP and certificate authentication
- Certificate authentication
- Certificate authentication plus security token

This issue affects:
- New enrollments through Secure Hub on iOS 11.
- Existing enrollments, after the device upgrades to iOS 11 and either of these actions occurs:
  - The user accesses the Secure Hub store.
  - A XenMobile App or MDX-wrapped app needs to renew a NetScaler Gateway cookie.

This issue occurs because iOS 11 now requires that NetScaler is configured for TLS 1.2 for certificate-based authentication. If you run one of the authentication modes listed above, resolve this issue by enabling TLS 1.2 on NetScaler Gateway. [CXM-33327]

For MDM-enrolled iOS 11 devices, when you deploy XenMobile in a cluster setup in MDM or MDM+MAM mode, MDM commands may fail. As a result, you may not be able to push MDM policies, deploy apps, or carry out security actions, such as lock or wipe, on iOS 11 devices. On user devices, the following issues may occur: apps keep trying to install; VPN or WiFi configurations fail to install; and security actions, such as Lock, happen repeatedly. For more details and required action, see this Citrix Knowledge Center article. [CXM-38331]

On iOS 10 and 11, selecting open in from MDX managed apps displays an error message. [CXM-38912]

Users might be locked out of Secure Hub after changing their Active Directory (AD) password. The lockout can occur when the user authenticates on Secure Mail with the new password without first authenticating on Secure Hub with the new password. To prevent this, advise users to close and relaunch Secure Hub after changing their AD password, so that Secure Hub prompts them to enter a password. It might take several tries until Secure Hub prompts for a password. [CXM-39899]

Found in QuickEdit version 6.14 (iOS)

When you try to send files to Secure Mail from QuickEdit or ScanDirect, the transfer fails. As a workaround, add the following file encryption exclusion within the policy settings for these apps: "\/tmp\/\.com\.apple\.pasteboard"

Issues with Android O (version 8)

Before upgrading to Android O, users must upgrade Secure Hub and all XenMobile Apps to version Otherwise, users might not be able to sign on to Secure Hub or open XenMobile Apps. [CXM-36910]

If you run XenMobile Apps version , , or , and you upgrade to Android O, be aware of the following known issues.

43 Users with Android O devices might not be prompted to change their passcodes to comply with new or updated policies that require stronger passcodes. To ensure users are prompted to change their passcodes, when creating or updating a passcode policy, specify that numbers, letters, or both are required characters. [CXM-28102] [Found in ] If users are running a version of Secure Mail earlier than version and they upgrade to Android O, the following error may appear: The device does not support encryption features required by application. Then, when you update the app in XenMobile, the account is deleted. [CXM-36763] [Found in ] In Secure Mail on Android O, the AutoFill option is enabled. [CXM-35112] [Found in and ] On Android O, users are unable to upload files through Secure Web. [CXM-35407] [Found in and ] On Android O, shortcuts created by policies do not appear on the device home screen. This is by design in Android O. [CXM-35460] [Found in and ] If users are running a version of Secure Mail earlier than version and they upgrade to Android O, the following error may appear: The device does not support encryption features required by application. Then, when you update the app in XenMobile, the account is deleted. [CXM-36763] [Found in and ] Touchdown for Smartphones might stop unexpectedly on devices running Android O. [CXM-36685] [Found in , , and ] In Secure Hub for Android, when you deploy a Wi-Fi policy with hidden network settings enabled, the settings don t appear on the device as expected. This is a third-party issue. [CXM-37585][Found in ] Not e: e On Secure Mail for Android with IBM Lotus Notes version 9.0.1, invitees might not receive reminders for non-recurring meetings. [CXM-37691] Secure Web On Secure Web for Android, after saving a page for offline viewing, the page does not render. 
[CXM-36270]

Secure Mail
On Secure Mail for iOS with multiple accounts, tapping the triage action Move to from a secondary account displays the folders of the primary account. This issue affects iPhone devices. [CXM-35911]

The XenMobile Apps and releases include no known issues. For fixed issues, see Fixed issues.

Secure Hub
On Android, if a device is enrolled in XenMobile Essentials and gets wiped, they can reenroll without supplying their Azure Active Directory credentials again. [CXM-29653]
On Android devices, after a selective wipe, Secure Hub should revert to the first time user screen. Instead, the app hangs. [CXM-29660]
After upgrading, Secure Hub might fail to prompt users to sign in using fingerprint authentication when expected. Instead, users might be prompted twice to authenticate using a Citrix PIN or passcode before being prompted to authenticate using fingerprint authentication. [CXM-31213]
On Android, users cannot see the upgrade progress bar when updating enterprise apps through Secure Hub without signing off then signing back on. [CXM-32119]

Secure Mail
On Android, when a user scrolls to a native calendar event beyond one month in Secure Mail, switching to Week or Day view and then back to Month view, the event does not display. This happens intermittently. [CXM-30870]
On Android, if users enable personal calendar overlay in Secure Mail then scroll back through calendar events in agenda view, tapping the Today button does not display today's events. This happens intermittently. [CXM-30875]
On Android, when a user enables personal calendar overlay and scrolls back over three months in agenda view, a message displays "Touch to view events after..." and the date. Touching this message does not load more events. This happens intermittently. [CXM-30877]
On Android, when a user enables personal calendar overlay and opens an event from Month view, upon closing the event, random events are highlighted. This happens consistently on devices running Android 4.x and intermittently on other devices. [CXM-30879]
In Secure Mail for iOS, when users press Edit on the Mail screen to edit mail and then long press, when they exit the edit mode, the folder list menu does not appear as expected. To resolve the issue, users must close and reopen Secure Mail. [CXM-32147]

Secure Hub
After users enroll and reenroll an iOS device, when you create and deploy, for the first time, a delivery group with required apps, this issue occurs: MDX, public app store, and enterprise apps in the delivery group are not pushed to the device. Only web SaaS and web links deploy. All apps deploy only if users refresh the app store or if they sign off and on again. [CXM ]

Secure Mail
With NetScaler , when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is fixed in NetScaler 12.0 build For details and updates, see this Support Knowledge Center article. [#685075]
On a Nexus 6P device running Android 7.x, if S/MIME is enabled, Secure Mail crashes while trying to encrypt and sign an email with a large attachment.
[CXM-29544]

Secure Hub
Attempts to enroll devices running Android 4.4.x in an IDP-enabled XenMobile Server in Secure Hub for Android might fail, showing a blank enrollment page. As a workaround, do one of the following:
Force Secure Hub to close on the device.
Restart the device after the second enrollment attempt.
[CXM-24145]

Secure Web

When you set the Enable_Secret_Using_Passcode flag to true in the XenMobile console to enable user entropy, the following issue occurs on Android devices. When users are enrolled in Secure Hub and have already opened Secure Web, when they restart the device and then reopen the app, Secure Web closes. To resolve the issue, users can open Secure Hub and then open Secure Web. [CXM-26413]

Secure Mail
In Secure Mail for iOS, a Download Complete Message does not appear when the body of the message is larger than the truncation size set in Exchange Server 2013 CU 15. [CXM-25885]
Values set in Exchange Server 2013 CU 15 for including past items are not reflected in Secure Mail for Android or iOS. [CXM-26017, CXM-26023]

Secure Hub
On Android, when Secure Hub attempts to re-authenticate the session of a user, the first authentication screen is slow or unusable. [CXM-24293]
In Secure Hub for Android, when the inactivity timer expires and users enter a wrong PIN, when they tap Having trouble and try to re-enroll, a Deleting account message appears. At that time, the account is not deleted and a PIN screen appears. If users enter the wrong PIN again and try to re-enroll by tapping Having Trouble, the account is deleted. [CXM ]

Secure Mail
When users open Secure Mail for Android and are prompted for authentication, if they do not provide their credentials and instead switch to Secure Hub for authentication, when they open the app from the home screen, the My Apps screen appears instead of Secure Mail. As a workaround, users can restart Secure Mail. [CXM-24072]
In a XenMobile enterprise deployment (MDM + MAM), when you configure automatic app updates for enrolled iOS devices, the following issue occurs intermittently. After users update XenMobile Apps from public app stores, an earlier version of the apps installs. As a result, users are prompted to upgrade, and the pattern repeats. The issue does not occur with Secure Hub.
As a workaround, users can update the app directly from the app store. For details, see

Secure Hub 10.5
On Android devices, changing the required length of the Secure Hub PIN in XenMobile Server causes the old PIN to be refused. This requires a PIN reset. [CXM-23637]
On Android devices, when resetting your PIN in an MDX app due to exceeding invalid attempts, old PINs will be accepted as replacements without honoring the value configured in PIN history. [CXM-23638]
For known issues with Secure Hub that relate to XenMobile Server, see Known issues.

Secure Mail 10.5
On Samsung 7 devices running Android 7, when a user deletes VIP contacts in Secure Mail, the app crashes intermittently. [CXM-23516]
On Android devices, long pressing a link in Secure Mail and attempting to share it with ShareFile does not work. [CXM ]

Secure Hub
On iOS devices, if a user enables the Credential Store flag in XenMobile, enters their XenMobile Server FQDN or URL in Secure Hub, enrolls using their user name and password, and then opens Secure Mail, the app is not configured automatically. [CXM-23414]

Secure Web
On Android 7 devices, after the inactivity timer expires, when a user opens Secure Web, enters an invalid PIN, and resets the PIN, websites fail to load. If users then close and re-open Secure Web, the websites load properly. [CXM-23274]

Secure Mail for Android for enterprise distribution
On Android devices, when you block location services in XenMobile, Secure Mail users are notified intermittently that the location service is blocked. [CXM-21770]
If Secure Mail version or is installed for the first time (not upgraded) on devices running Android or later, users cannot a file with Secure Mail when using the ShareFile or QuickEdit apps, unless they grant the Storage Access Permission for Secure Mail in Android device settings. [CXM-23277]
On Samsung S7 devices running Android 7, the paste option will not display on long press when composing a mail. [CXM ]
On Samsung 7 devices running Android 7, when a user deletes VIP contacts in Secure Mail, the app crashes intermittently. [CXM-23516]
For known issues with the MDX Toolkit, see Known issues.

The following are known issues in version of XenMobile Apps.

Secure Hub
The XenMobile location policy setting that locks devices locally when the geofencing perimeter is breached fails to take effect on devices running Android 7.0 or later, due to a limitation Android has placed on the resetpassword API.
[CXM ][CXM-14990]
When you convert XenMobile Apps to managed on an iOS device, when you delete a user account, the apps are not removed from the device home screen. Instead, an "App Not Available" message appears. [CXM-19133]
On iOS, when XenMobile Apps are converted from unmanaged to managed mode and the inactivity timer expires, once WiFi is restored, Secure Hub prompts users for their passcodes multiple times. [CXM-18694]
With Citrix Launcher, in MDM mode, when users open the XenMobile Store, the store opens in a default browser even if you listed a different browser on a white list. [CXM-17097]

When you configure Citrix Launcher, the Just Once option does not work. You must click the Always option. [CXM-13413]
When you integrate StoreFront with XenMobile and deploy HDX apps, after you change an Active Directory password, the HDX apps disappear from the Worx Store/XenMobile Store. [CXM-9859]

Secure Mail
On iOS in FIPS mode with S/MIME enabled, Secure Mail crashes when a user enters a password to import an attached S/MIME certificate. [CXM-19526]
In Secure Mail for iOS, when you set an all-day event: After recipients accept the meeting invitation, the meeting appears on a different day in Agenda view. The issue occurs only when the organizer and attendees are in different time zones. The meeting day appears correctly in all other views. [CXM-21017]

Secure Web
On the public app store version of Secure Web for Android, Web Links do not open and a toast message appears to the user. [CXM-20425]

Secure Hub
With Citrix Launcher, in MDM mode, when users open the XenMobile Store, the store opens in a default browser even if you listed a different browser on a whitelist. [CXM-17097]
When you configure Citrix Launcher, the Just Once option does not work. You must click the Always option. [CXM-13413]
When users install any public app store version of any XenMobile app on Android devices in unmanaged mode and open the app and then install Secure Hub and enroll in XenMobile, when they open the XenMobile app again and the device is offline, the app does not change to managed mode. Instead, a network connection error appears. [CXM-18068]
On iOS, when XenMobile Apps are converted from unmanaged to managed mode and the inactivity timer expires, once WiFi is restored Secure Hub prompts users for their passcodes multiple times. [CXM-18694]
When you convert XenMobile Apps to managed on an iOS device, when you delete a user account, the apps are not removed from the device home screen. Instead, an "App Not Available" message appears.
[CXM-19133]
Due to a third-party issue with the iOS operating system, devices set to a language other than English may nonetheless show alerts for Secure Hub in English. For more information about the issue, see

Secure Mail
If a device is running a version of Secure Mail downloaded from the App Store and ShareFile is not installed on the device, the user sees an alert to go to the App Store and download ShareFile. However, when the user taps the Go to App Store button, the app flips to the main App Store page instead of flipping to the ShareFile App Store page, forcing the user to search for ShareFile. [CXM-17389]
On iOS, when trying to attach documents from ShareFile, and ShareFile version 4.2 or below is installed on a device, the user

sees a message asking to upgrade to ShareFile from the App Store. However, when the user taps Go to App Store, the XenMobile Store opens instead. [CXM-20170]
In some cases, Secure Mail is unable to display files attached to emails that are sent as attachments. [CXM-17127]
On iOS, when Secure Mail is restored from the background and a user opens a draft message and then tries to save it, the draft message is deleted. [CXM-17048]
On iOS, Secure Mail crashes after a period of inactivity. [CXM-14959]
On iOS, if the size of a message is less than the message truncation size set on Exchange, users still see a Download Complete Message request. If users forward the message without tapping Download Complete Message, the forwarded message is also truncated. [CXM-17590]

Secure Forms
When users submit forms from the mobile app, the form shows in the Submitted tab as not submitted and users see an error message, such as "Unable to Sync," even though the form and related data are in fact collected by the configured method. [CXM-20112]

Secure Web
In Secure Web for Windows, when users try to view and download a file using a ShareFile link, the preview does not appear and the file does not download properly. [CXM-13435]
In Secure Web on Android devices, if a session timeout occurs on NetScaler Gateway, users are prompted to sign on in Secure Hub. After users authenticate successfully, Secure Hub does not flip to Secure Web as expected. [CXM-18084]

Secure Mail
In Secure Mail for Windows, when you set the Inactivity Timer MDX policy to 150 minutes and the Maximum offline policy to 1 hour, when users open Secure Mail and let the app go to the background, if the Maximum offline interval ends, users are not prompted to sign on again to Secure Mail as expected.
[CXM-14634]
In Secure Mail for Windows, when the Online session required MDX policy is set to OFF and the App passcode policy is set to ON, when users open Secure Mail, if the user session on NetScaler Gateway ends, they are not prompted to authenticate to Secure Hub, as expected. [CXM-14728, CXM-14716]
When you enable client certificate only authentication (for example, without a domain), when users install and open Secure Mail for Windows, an authentication dialog box appears in error. [CXM-15191]
In Secure Mail on some Android devices, when users compose a mail and start typing in the To, CC, or BCC fields, a delay occurs in the appearance of the characters. [CXM-18509]

Secure Hub
In a configuration with NetScaler, users cannot reenroll an iOS device in Secure Hub. [CXM-15405]

Enrollment fails on iOS devices through Secure Hub when the NetScaler session profile Account Services address does not contain the XenMobile Server URL. [CXM-15408]
After you delete a device in the XenMobile console, on Android devices, users are prompted to sign on from Secure Hub instead of being prompted to reenroll. After signing on, however, users cannot access their apps. [CXM-17833]
In a XenMobile MAM-only deployment, when XenMobile Apps are updated to version 10.4, but Secure Hub is version 10.3, an app compatibility error appears on Android devices. [CXM-17993]
In Secure Home for iOS 10, users are not prompted to sign on again when Secure Hub remains in the foreground and the inactivity timer expires. [CXM-18245]

Related information
XenMobile Support Knowledge Center

Fixed issues
Nov 21, 2017

The following issues are fixed in version :

Secure Mail for iOS
In Secure Mail for iOS version , if you perform a server search for a contact, the display name of the contact appears in the search result. Previously, when performing server searches, the full name of the contact appeared in the result. For example, if the name of the contact is Jonathan Doe and the display name is Jon Doe, the server search returned Jonathan Doe instead of Jon Doe. [CXM-35340]
In Secure Mail for iOS, after users create an appointment in IBM Lotus Notes, some meeting recipients cannot accept the invitation. The following error appears: Error trying to open document: Invalid or non-existent parent document. [CXM ]

Secure Mail for Android
For new Secure Hub enrollments, Secure Mail for Android fails to connect to the latest version of Office 365. The following error appears: Cannot connect to server. [XMHELP-860]

The following issues are fixed in version :

Secure Mail
In Secure Mail for Android, the calendar does not sync events with dates older than January 1, [CXM-40310]
In Secure Mail for iOS, the calendar does not sync across devices. [CXM-38510]

Secure Hub
When logging in to Secure Hub for Android, intermittently, the progress spinner appears continuously and the error message AG tunneler not authenticated appears. [CXM-38442]
In Secure Hub for Android, the client authentication (PIN/Passcode) dialog appears repeatedly even when the app is in the background. [CXM-38143]
On iOS, when in Shared Device mode, Secure Hub shows a generic message that does not indicate an issue when there is no Internet connection. [CXM-28353]

Fixed issues in QuickEdit 6.15
When users edit an with Secure Mail for iOS by using Citrix QuickEdit for XenMobile, the attachment remains in the Outbox. The issue occurs when users create a Word document from a desktop computer that has a janusseal for classification. Found in QuickEdit [MEQE-6500]

Secure Hub

On Android, Secure Hub crashes as soon as it establishes a micro VPN connection. [CXM-36464]
On Android, Secure Hub gets stuck loading MDX apps. [CXM-37801]
On Android, when Secure Hub sends the device lock and unlock code, the device unlock code does not overwrite the current password. [CXM-39061]

Secure Mail
On Android devices, when a user presses the dial-in button, a conference ID dials instead of a contact number. [CXM ]
On Android, the Secure Mail dial-in button recognizes Indian toll free numbers as US numbers when dialing into Skype meetings. [CXM-37916]
On Android, the Secure Mail dial-in button does not recognize the correct prefix for Indian phone numbers when dialing into a Skype meeting. [CXM-37917]
On Android, setting up a calendar event in Secure Mail contains a translation error in German. [CXM-38471]
On iOS, Exchange Online does not accept credentials containing the umlaut character in the password when they are sent by Secure Mail. [CXM-38539]
On Secure Mail for Android, the Location field for a Calendar event does not prompt the user to select a number from the list. Instead, it selects the first number in the list and dials that number. [CXM-38540]
On iOS, users are unable to upload photos to some sites using Secure Web. [CXM-38745]

The following issues are fixed in version :
On iOS 11, files from ShareFile opened in MDX-wrapped applications appear corrupted. [CXM-38900]
On iOS 10 and 11, selecting open in from MDX managed apps displays an error message. [CXM-38912]

Secure Hub 10.7
On Android devices, users cannot deploy the VPN policy when trying to configure a per app VPN. [CXM-37344]
On Android devices with TouchDown that update to Secure Hub 10.7: If you remove enrollment in Secure Hub on the device through an action, such as delete account, selective wipe, or app wipe, the TouchDown configuration is also removed.
[CXM-37435]
On iOS, when NetScaler Gateway has an invalid configuration to support the XenMobile micro VPN, XenMobile Apps crash on launch after installation. [CXM-38449]

Secure Mail

Secure Mail for Android does not open from the springboard (home screen) on some devices. You can open the app only by opening Secure Hub and selecting the app through the Store. [CXM-36921]
Secure Mail for Android does not recognize the 10-digit conference code when joining a WebEx meeting. [CXM-37488]
In Secure Mail for Android, corrupt or unreadable information appears in the From: and To: fields. This issue occurs when you reply to or forward an email using Secure Mail in the Arabic or Hebrew languages. [CXM-37723]
In Secure Mail for iOS, replying to or forwarding an email that is an attachment to another mail fails. [CXM-38083]
In Secure Mail for iOS in Simplified Chinese, the full message does not appear until users refresh or reload the message. [CXM-38113]

Secure Hub
On iOS, during data syncing, the access gateway cookie may be lost, resulting in Secure Hub taking a long time to start. [CXM-31212]

Secure Mail
On a Nexus 6P running Android 7.x, if S/MIME is enabled, Secure Mail crashes while trying to encrypt and sign an email with a large attachment. [CXM-29544]
On Secure Mail for iOS, clicking a hyperlink that generates a new email with text opens an email with a blank body. [CXM ]

Secure Web
On Secure Web for iOS, mailto links included in JavaScript do not redirect to Secure Mail. [CXM-35927]
In MDX-wrapped Cordova-based apps on iOS, the Allowed URLs policy does not redirect to Secure Web. [CXM-36275]

Secure Mail
On iOS, when attaching a file from MDX-wrapped ShareFile to Secure Mail, "%20" replaces any space in the file name. [CXM-34801]

Secure Hub
When configuring the Connect every N minutes setting within the Connection Scheduling Policy page, users need to use a value greater than or equal to 5 minutes to connect. If users have trouble connecting, they need to sign out and reconnect to Secure Hub. [CXM-25119]

Secure Mail
In Android, if users enable personal calendar overlay in Secure Mail then scroll back through calendar events in agenda view,

tapping the Today button does not display today's events. This happens intermittently. [CXM-30875]
On Secure Mail for iOS, replying to an alert containing the quarantine release code from the Data Loss Prevention (DLP) server fails. [CXM-32572]
On Secure Mail for Android, deleted custom holiday calendar entries (All day) of a recurring series still appear. [CXM-32990]

Secure Web
On Secure Web for iOS, users are unable to open certain links. [CXM-33366]
On Secure Web, certain links load in the same web page instead of loading in a new tab. [CXM-34120]
On Secure Web for iOS, users are unable to play videos through vimeo.com on iPhone devices. [CXM-34316]

Secure Hub
When logging on using derived credentials: If users exceed the maximum number (15 times) of incorrect PIN attempts, they see a dialog box with a Reset Pin and Report button, where the Reset Pin button displays an overflowing label. [CXM ]
In Secure Hub for Android, when you have fingerprint authentication configured: When the inactivity timer expires, users see a notification that states the following: Sign on with %s. In addition, the message refers to Worx Home, the older product name for Secure Hub. [CXM-31145]
On iOS devices running version 9.3.5, after users enroll in Secure Hub 10.5, Secure Hub crashes. [CXM-32356]

Secure Mail
When an iOS device is restored from a backup of another enrolled device: When the new device enrolls for the same user and the user installs Secure Mail, mail synchronization keeps occurring. [CXM-26245]
On iOS, when previewing a video in Secure Mail attachments view, if a user changes orientation, the video does not fit the screen. [CXM-31653]
On Android, the Dial In option does not work in Secure Mail when one number has a country code starting with "+" and the other does not.
[CXM-32191]
In the Secure Mail for Android public app store version on devices running Android 7.0, when users try to open a .wav file, the option for the Secure Audio player does not appear as expected. [CXM-32989]

Secure Web
On iOS, Secure Web opens dynamically inserted hyperlinks in the same tab instead of a new tab as expected. [CXM-32192]

Secure Hub

On Android, if a device is enrolled in XenMobile Essentials and gets wiped, they can reenroll without supplying their Azure Active Directory credentials again. [CXM-29653]
On Android devices, after a selective wipe, Secure Hub should revert to the first time user screen. Instead, Secure Hub shows a spinner. [CXM-29660]
On iOS, when Secure Hub has an intranet page configured as the home page, Secure Hub displays a blank page. [CXM ]
When logging on using derived credentials: If users exceed the maximum number (15 times) of incorrect PIN attempts, they see a dialog box with a Reset Pin and Report button, where the Reset Pin button displays an overflowing label. [CXM ]
On Android devices other than Motorola and Asus, when installing Secure Hub from the public app store while installation of non-app store apps is disabled: Users get a warning prompt: "The option to install third-party apps is not enabled. Do you want to enable it now?" When users tap OK, Secure Hub redirects them to Application Settings instead of to Security Settings. [CXM-30574]
On Android, users cannot see the upgrade progress bar when updating enterprise apps through Secure Hub without signing off then signing back on. [CXM-32119]
On some Android devices, the device serial number displays as all zeroes in Secure Hub, preventing more than one of these devices from enrolling. [CXM-32535]
On Secure Hub for Android, users may see an intermittent error when using WebClip or WebLink applications in an environment that uses XenMobile cluster mode deployment. [CXM-32656]

Secure Mail 10.6
On Android, if a user replies to a long email while it is still loading, Secure Mail loses the conversation history. [CXM-30211]
In Secure Mail for Android, a street address that contains a comma does not appear as a hyperlink. [CXM-30663]
On Secure Mail for Android, verification of the address fails in the signing certificate.
[CXM-31502]
On Android, when a user taps on the location field with conference details in a Calendar event, the passcode for the conference does not get passed to the dialer. [CXM-31513]
In Secure Mail for Android, mail flagged in Outlook does not sync to Secure Tasks. [CXM-31514]
On iOS, when modifying individual occurrences of a series of meetings in Outlook, Secure Mail does not reflect the modification. [CXM-32348]

Secure Hub
On Android, when upgrading to Secure Hub or 10.4, multiple NetScaler Gateway sessions are opened. To resolve this issue, contact Citrix support. [CXM-19567]
On Android, users may see an Invalid Certificates message due to erroneous SSL alerts resulting in Secure Mail creating

multiple certificates for each user. [CXM-31999]
iOS and Android devices running Citrix Secure Hub might over-consume NetScaler Gateway licenses. [#492788, #578867, #603244, #493944, #510249, #561243, #594831, #634473]

Secure Mail
Secure Mail for iOS crashes after the Sync Mail Period is set to one month. [CXM-26039]
On devices running Android 7, Secure Mail fails to launch and the following error message displays. "This device doesn't support encryption features required by this application." [CXM-26244]
On devices running Android, Secure Mail crashes when the Microsoft Exchange Server restricts the ActiveSync mailbox policies. [CXM-28178]
When using Secure Mail to compose an email in response to an email notification from ShareFile, displays as a suggestion in the recipient field. [CXM-29505]
On Android, when replying or forwarding an email to an address with specific text in them, formatting is applied to the address and the body of the email. For instance, a mail address like b.maisto@domain.it results in the address and body of the email becoming bold. [CXM-29730]
Samsung devices updated in early 2017 face issues with sync. Users will get an "Access to company network is unavailable" error. [CXM-29838]
On Android, when trying to add a second account to Secure Mail, users see a popup instead of the manual account configuration screen. Since users cannot edit the domain in this popup, they are unable to add the account. [CXM-29898]
Secure Mail for Android requests a new user certificate from the certificate authority (CA) when it receives an SSL exception from NetScaler Gateway, even when the existing certificate is valid. The CA server issues duplicate certificates for the same user, and an "invalid certificate" error appears on the device. This issue is seen only in XenMobile deployments configured with certificate-based authentication.
[CXM-31402]

Secure Web
On Secure Web for iOS, when a user tries to submit a search query through an HTML form, they don't see any response after tapping the search button. [CXM-29572]
On iOS, when the popup blocker in Secure Web is not enabled, quick links do not appear. [CXM-30018]

Secure Hub
When you integrate StoreFront with XenMobile and deploy HDX apps, after you change an Active Directory password, the HDX apps disappear from the XenMobile Store. [CXM-9859, CXM-22821]
On Android devices, when users install a managed app from the Secure Hub store, the following message appears: This managed application is no longer registered with Secure Hub. [CXM-22899]
On devices running Android 6, when enrolled in XenMobile Server, Secure Hub cannot provide the device MAC address properly. [CXM-23454]

On Android, when opening VPN enabled apps, a private build of Secure Hub shows the following error. The VPN service has failed to connect. You might not have access to Internal networks. To continue running Secure Web, press OK. [CXM ]

Secure Mail
In Secure Mail for Android, when a STA ticket with NetScaler Gateway expires or the Secure Hub inactivity timer expires, users can't synchronize their mail. Instead, a network access error appears. [CXM-25699]
When certificate-based authentication is configured for Secure Mail on Android devices, after users update from WorxMail to Secure Mail 10.4, synchronization to Exchange Server fails. [CXM-29507]
On Android, if a server certificate is not installed on the device and the Accept All Certificates policy is set on XenMobile, Secure Mail does not sync after upgrading from to [CXM-29699]

The following are fixed issues in the version of the XenMobile Apps.

Secure Hub
In Secure Hub for iOS with shared devices, the following issue occurs. When users try to sign on by using their shared account credentials, two error messages appear. Subsequently, sign on for the shared user fails. [CXM-25761]

Secure Web
On iOS, for sites that expect to use the NetScaler Gateway client certificate to authenticate, Secure Web fails to authenticate. [CXM-21644]
On iOS devices, Secure Web is unable to open internal web sites that use HTTP redirects which include special characters in their URL. [CXM-22300]
In Secure Web for iOS, anchor links within a page don't work. [CXM-22800]
On Android, users are unable to open Microsoft Excel files downloaded through Secure Web in the Microsoft Excel app. [CXM-23231]
On iOS, Secure Web does not open custom links that flip to a different app. [CXM-23621]

Secure Mail
On Huawei devices running Android, users are unable to open attachments in QuickEdit from Secure Mail.
[CXM-23182]
On Android, when replying to an existing conversation in a language other than English, Secure Mail begins a new conversation instead of continuing the existing one. [CXM-23232]
On iOS, account configuration fails because Secure Mail does not handle an HTTP 451 redirect response from the Exchange Server in certain environments. [CXM-24069]
On iOS, when users compose an email in Secure Mail, the search and auto-suggest features in the To, CC, and BCC fields

do not find users whose first name and user name do not match. [CXM-24184]
On Android, when trying to view or create a meeting invite for a user with special characters in their address, Secure Mail crashes. [CXM-25506]
On Android, when sending a calendar invite to one person, the reply option is not available. [CXM-25649]
On Android, locally synced contacts do not appear on cars over Bluetooth. [CXM-25893, CXM-28086]

The following are fixed issues in the version of the XenMobile Apps.

Secure Hub
On devices running Android 6, when enrolled in XenMobile Server, Secure Hub cannot provide the device MAC address properly. [CXM-23454]
On Android, KNOX requires users to provide their old password before setting a new password, resulting in users being unable to reset their passwords. [CXM-23972]

Secure Mail
On iOS, users cannot open attachments from Secure Mail with Quick Edit unless Quick Edit is already open in the background. [CXM-21815]
On Android 6 and 7 devices, when the default notification sound is changed in Secure Mail settings, the selection is not reflected. [CXM-23716]
In Secure Mail for Android, after starting the app for the first time, synchronization does not work. When users close the app and restart it, synchronization works. [CXM-25542]

Secure Hub 10.5
On an iOS 9 device, if Secure Hub was previously installed, users may see an error when opening XenMobile Apps after a fresh installation of Secure Hub or later. [CXM-23823] This issue was reported in the following Knowledge Base article:
For Secure Hub fixed issues that relate to XenMobile Server, see Fixed issues.

Secure Mail 10.5
When users reply to an email without using smart reply, the response indicator does not appear. [CXM-21690]
On an iOS 9 device, if Secure Hub was previously installed, users may see an error when opening XenMobile Apps after a fresh installation of Secure Hub or later. [CXM-23823] This issue was reported in the following Knowledge Base article:

Secure Hub
On iOS in MAM-only mode, when users sign off from Secure Hub, the Authenticating message shows indefinitely. [CXM ]
On Secure Hub for iOS, when users enter the FQDN for the XenMobile Server for which certificate pinning is enabled, the message "Certificate Not Trusted: We cannot connect securely to your company's network" is shown. [CXM-21987]
On iOS, when users sign on to Secure Hub after a device restart and then open an MDX app, an Incompatible App message shows. [CXM-22013]
On iOS, enrollment fails with Secure Hub if the HTTPS secure port is not the default 443 port. [CXM-22941]
On Secure Hub for iOS when certificate pinning is configured, users see a Certificate Not Trusted message with an Exit button when enrolling in Secure Hub. If they open Secure Hub a second time, when they tap the Exit button, the message goes away. [CXM-23145]

Secure Web for Android
On the public app store version of Secure Web for Android, Web Links do not open and a toast message appears. [CXM ]
After users open public app store apps for Android from Google Play one time, the apps do not open on subsequent tries. [CXM-21246]

Secure Mail for Android
On Android, when Secure Mail is installed on a device and opened for the first time, automatic mail sync fails for users with large numbers of mailboxes (more than 500). However, users can sync individual mailboxes manually. [CXM-18066]
Edits to messages that users make in Outlook, such as changing text in the subject line or body of the email, don't sync in Secure Mail for Android. [CXM-21366]
On Android, Secure Mail 10.4 crashes when users open a hosted Office 365 mailbox in a hybrid environment that also includes on-premise Exchange 2010 Server mailboxes. [CXM-21733]
On Android devices, when you block location services in XenMobile, Secure Mail users are notified intermittently that the location service is blocked. [CXM-21770]
On Android, when the background services list includes more than one Exchange Server, users cannot activate Secure Mail for Android when installing the app for the first time or when updating the app. [CXM-23176]

Secure Mail for iOS
In Secure Mail for iOS, users cannot disable an event reminder notification. [CXM-21700]
On WorxMail or Secure Mail for iOS, when users switch their WiFi connection from the office to a T-Mobile cellular connection, emails stop synchronizing and a connection failure error occurs. [CXM-22984]
After updating Secure Mail for iOS to version , when users tap the Secure Mail icon to open the app, they are prompted that Secure Hub needs to start and then Secure Hub opens. When they return to Secure Mail from Secure Hub, a grey screen appears and the app crashes. [CXM-23831]

Secure Mail for Android for enterprise distribution
On Android 7 devices, users trying to sign on to Secure Mail by using certificates see an error indicating that the certificate is not trusted. As a result, users cannot sign on. [CXM-23252]

Note: The Worx Mobile Apps mentioned in these fixed issues were renamed in version For details, see About XenMobile Apps.

The following are fixed issues in version of XenMobile Apps.

Secure Hub
In XenMobile configurations with client certificate authentication, when XenMobile Apps attempt to connect to NetScaler Gateway after Secure Hub has accessed the client certificate, the following issues may occur: Users cannot sync new mails in Secure Mail. Users cannot browse to web pages in Secure Web. To resolve the issues, users must reenroll in Secure Hub. [CXM-20421]
Android devices might return to the enrollment screen after the device has been successfully enrolled if the device is selectively wiped while Secure Hub is running in the background. [CXM-20722]
When an iOS user logs on to Secure Hub using an Active Directory passcode, the first app on the user's My Apps list might automatically open. [CXM-19793]
Xoro devices might fail to enroll in XenMobile because XenMobile fails to read the devices' serial number correctly, instead associating them with the generic serial number [CXM , CXM-16449]
After Worx Home is upgraded to version , iOS devices fail to enroll and users see the error message "URLRequestFailedMessage". [CXM-13731]
Secure Hub might freeze at the credentials screen after installation on iOS devices using Device Enrollment Program. [ ]

Secure Mail
After upgrading to iOS 10, Secure Mail can't open links in the RSA SecurID app. [CXM-20895]
When a message is larger than the initial download size specified on the Exchange Server and the user taps Download Full Message, the message scrolls back to the top instead of remaining at the position from which the rest of the message was downloaded, resulting in a loss of reading continuity. [CXM-20794, CXM-21409]
When users configure large text as an Accessibility setting in Secure Mail on iOS 10 devices, the text appears as small when composing or replying to a message. [CXM-19773]
When Secure Mail for iOS has been in the background for 15 minutes or longer, push notifications stop working. Bringing the app to the foreground makes push notifications start working again. [CXM-19597]
On iOS, in WorxMail/Secure Mail versions and later, emails sometimes get stuck in the Outbox. [CXM-19568]
In Secure Mail for Android configured with Secure Ticket Authority (STA), when the STA time period expires, Secure Mail stops syncing and does not redirect to Secure Hub for re-authentication. As a workaround, users can open Secure Hub and enter their credentials to regain access to Secure Mail. [CXM-19372]
When the Classification policy is disabled, the Classification option is still visible on the device. [CXM-18503]
If a device is running a version of Secure Mail downloaded from the App Store and ShareFile is not installed on the device, the user sees an alert to go to the App Store and download ShareFile. However, when the user taps Go to App Store, the app flips to the main App Store page instead of flipping to the ShareFile App Store page, forcing the user to search for ShareFile. [CXM-17389]
On iOS, when trying to attach documents from ShareFile, and ShareFile version 4.2 or earlier is installed on a device, the user sees a message asking to upgrade to ShareFile from the App Store. However, when the user taps Go to App Store, the XenMobile Store opens instead. [CXM-20170]
On iOS, Secure Mail is sometimes unable to display files attached to emails that are sent as attachments. [CXM-17127]
On iOS, when Secure Mail is restored from the background and a user opens a draft message and then tries to save it, the draft message is deleted. [CXM-17048]
On iOS, Secure Mail crashes after a period of inactivity. [CXM-14959]
On iOS, if the size of a message is less than the message truncation size set on Exchange, users still see a Download Complete Message request. If users forward the message without tapping the Download Complete Message, the forwarded messages are also truncated. [CXM-17590]

Secure Web
On Secure Web for iOS, tapping on a PDF link produces an error message. In some cases, PDFs open only when the user presses the link for several seconds. [CXM-21014]
On Secure Web for iOS, users are not able to print from within a third-party app. [CXM-20535]
On iOS, WorxWeb versions and earlier sometimes did not open URLs when WorxWeb is in Secure Browse mode. [CXM-20094]
In some cases, URLs with special characters result in an error in WorxWeb for Android. [CXM-15245]
When Secure Web for iOS opens, occasionally a PAC file is not downloaded and error occurs. [CXM-15756]

Secure Forms
The date format configured in the Composer affects only how dates appear in the Date field on the device. On submitted forms, dates appear in the following ways, depending on the form submission format selected in the Composer:
PDF: The date is always localized, using the device's location and calendar.
CSV / XML / JSON: Dates are in RFC3339 format; for example: T18:30:00Z
[CXM-20623]
When users submit forms from the mobile app, the form shows in the Submitted tab as not submitted and users see an error message, such as "Unable to Sync," even though the form and related data are in fact collected by the configured method. [CXM-20112]

Note: The Worx Mobile Apps mentioned in these fixed issues were renamed in version For details, see About XenMobile Apps.

Secure Hub
After Worx Home is upgraded to version , iOS devices fail to enroll and users see the error message "URLRequestFailedMessage". [CXM-13731]
When iOS devices are upgraded to Secure Hub from version or , a few devices might be selectively wiped, causing them to be re-enrolled. [CXM-18240]

Secure Mail
On iOS, Secure Mail crashes after a period of inactivity. [CXM-14959]
In some cases, Secure Mail is unable to display files attached to emails that are sent as attachments. [CXM-17127]
On Secure Mail for iOS, the user agent string sometimes shows as "Secur " instead of "WorxMail". [CXM-19193]
On iOS 10, when Secure Mail is in the background for some time, badge counts on the home screen do not update. To update the badge counts, bring the app into the foreground. [CXM-19320]

Secure Web
In some cases, URLs with special characters result in an error in WorxWeb for Android. [CXM-15245]
On Android, when full tunnel VPN is configured and online connection switches from one source to another, such as from WiFi to cellular, apps may lose connectivity. [CXM-15606]

Note: The Worx Mobile Apps mentioned in these fixed issues have new names in versions For details, see About XenMobile Apps.

In WorxMail for iOS, users cannot connect to WorxMail due to an issue with the HTTP 451 redirect address. This fix addresses the issues with the 451 redirect. You should use the 451 redirect address as the supported ActiveSync redirect, and not the 301 redirect address. [CXM-14827]
In WorxWeb for iOS, if URLs contain certain special characters, such as ";", WorxWeb opens a Google search or an error message appears. [CXM-14997]
In WorxMail for iOS, the Sync to local contacts option does not work correctly on the device when users change the option from On to Off. [CXM-15375]
On WorxWeb for iOS, contact pages on certain websites sometimes don't load. [#635994]
If a user's outbox includes a large attachment because it exceeds the Exchange server limit for outbound attachments, WorxMail for Android uses a large amount of cellular data over a short period of time. [#644054]

Related information
XenMobile Support Knowledge Center

System requirements for XenMobile Apps
Nov 21, 2017

To run XenMobile Apps, you need the following system requirements.

To run Secure Hub, you need devices running operating systems that XenMobile supports in XenMobile Enterprise and MDM-only modes. For details, see Supported device operating systems.

ScanDirect requires a ShareFile account. It is compatible with iOS versions 9 and later. ScanDirect currently is not supported for Android.

The Secure Forms Composer, available at secureforms.citrix.com, is supported on Chrome browsers only, for both Mac and PC. Chrome on iPad is not supported. The mobile app is supported only on iPhones and iPads running iOS versions 10 to 11.

Note: End of Life (EOL) lifecycle date for Secure Forms: December 31, When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the available support options are limited. Historical information appears in the Knowledge Center or other online resources. The documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle milestones, see the Product Matrix. Customers are encouraged to transition to the ShareFile Workflows for XenMobile Apps included with ShareFile Platinum and Premium accounts.

Secure Mail is supported for any device that runs one of the following operating systems:
iOS: 9, 10, 11
Android: 5.x, 6.x, 7.x, and 8.0. Android 4.2, 4.3, and 4.4.x are not supported.

Citrix has tested Secure Mail on the following devices. Not all supported devices are listed.
Google Pixel iPhone 5 - iPhone 8 iPad 3, iPad fourth generation iPad Air 1 and 2 iPad mini 3 (touch ID) iPad Pro Nexus Samsung Note Samsung Galaxy S series Samsung Galaxy Tab Samsung Tablet SM-T311 HTC One

Motorola Nexus Huawei Honor 7 and Nexus 6P

XenMobile currently doesn't support NetScaler due to an issue with Secure Ticket Authority (STA) and Secure Mail. The issue is fixed in NetScaler 12.0 build For details and updates, see this Support Knowledge Center article.

Secure Mail is compatible with:
Exchange Server 2016 Cumulative Update 4
Microsoft Office 365 (Exchange Online)
Support for Exchange Server 2016 only supports calendar attachments as a feature of ActiveSync 16. Secure Mail will continue to make use of ActiveSync 14.1 features and functionality when syncing mail and contacts with Exchange Server
Exchange Server 2013 Cumulative Update 15
Exchange Server 2010 SP3 Update Rollup 16
IBM Domino Mail Server version FP4
IBM Lotus Notes Traveler version

As of Secure Mail 10.5, Exchange 2007 and Lotus Notes will not be supported for new features. Existing features and functionality introduced in versions prior to 10.5 will continue to be supported on all versions until the End of Support and End of Life dates below:

No support for new features, End of support, End of Life
Lotus Notes and later September 30, 2017 September 30, 2017
Exchange and later March 31, 2017 June 30, 2017

For the best performance when sending ShareFile attachments, the latest versions of ShareFile are recommended. ShareFile is not supported for Windows.

In IBM Notes environments, you must configure IBM Domino Traveler server, version 9.0. For details, see Configuring Notes Traveler Server for Secure Mail.

Secure Notes is supported on any device that runs one of the following operating systems:
iOS: 10 and 11
Android: Any phone with versions 5.x, 6.x, 7, or 8 that has Secure Mail installed.
Note: Secure Notes is not currently supported for Android tablets.

Citrix has tested Secure Notes on the following devices. Not all supported devices are listed.
iPhone 4 iPhone 6 Plus iPad 2 iPad Air

iPad mini iPad mini 3 Nexus phone Samsung Galaxy phone HTC One phone

Secure Notes can sync notes with the following compatible services:
ShareFile
Exchange Server 2013 SP1
Exchange Server 2013
Exchange Server 2010 SP3
Exchange Server 2010 SP2
Secure Notes is not compatible with Lotus Notes.

Secure Tasks requires Microsoft Exchange Server versions 2007, 2010, or 2013, and is supported for any device that runs one of the following operating systems:
iOS: 10 and 11
Note: Secure Tasks is not supported on iPad.
Android: 5.x, 6.x, 7, or 8

In Android, a valid Secure Mail account, or higher, is required. Secure Tasks accesses flagged mail from the Secure Mail database, so Citrix strongly recommends rolling out Secure Tasks together with Secure Mail to avoid potential conflicts. If users have an earlier version of Secure Mail, they will follow in-app instructions for upgrading and resetting their accounts.

Secure Tasks is not compatible with Lotus Notes.

Citrix has tested Secure Tasks on the following devices. Not all supported devices are listed.
iPhone 5 iPhone 6 Plus Nexus Samsung Note Samsung Galaxy Samsung Galaxy Tab HTC One

Secure Web is supported for any device that runs one of the following operating systems:
iOS: 9, 10, and 11
Android: 5.x, 6.x, 7, and 8. Devices should have the latest version of Android WebView installed; users can download Android WebView from the Google Play Store.

Citrix has tested Secure Web on the following devices. Not all supported devices are listed.
Google Pixel

iPhone 5 - iPhone 6 Plus iPhone 7 iPad Pro iPad 3 iPad Air 1 and 2 iPad mini 3 (touch ID) Nexus Samsung Note Samsung Galaxy Samsung Galaxy Tab HTC One Motorola

Device operating system:
Android 5.x or later
iOS 10 or later

File types:
Microsoft Word: .doc, .docx, .docm*
Microsoft Excel: .xls, .xlsx, .xlsm*
Microsoft PowerPoint: .ppt, .pptx, .pptm*
.csv, .txt, .rtf
.jpeg, .gif, .png, .svg, .bmp, .ico, .webp
* These files are opened, but macros are disabled.

Citrix has tested QuickEdit on the following devices. Not all supported devices may be listed.
iPhone 4 iPhone 7 Plus iPad 2 iPad Air 2 iPad mini iPad mini 3 Nexus Samsung Note Samsung Galaxy Samsung Galaxy Tab LG G HTC One Google Pixel (phone and tablet)

Host computer operating systems: Windows 7 (minimum version)
Supported iOS devices: iPad 2 iPad Air 2 with iOS versions
Supported Android devices:
Any tablet with a screen 7 inches or larger running Android versions 4.1.x, 4.4.x, 5.x, and 6.x
Any phone using Android version 4.1.x, 4.4.x, 5.x, and 6.x

Android 4.1.x is supported in MDM mode only. Android 4.2 and 4.3 are not supported.

Device operating system:
Android 5.x or later
iOS 10 or later

Citrix has tested ShareFile on the following devices. Not all supported devices may be listed.
iPhone 5 iPhone 7 Plus iPad 4th Gen iPad Pro 12 Nexus phones Nexus tablets Samsung Note Samsung Galaxy Samsung Galaxy Tab LG G HTC One Google Pixel (phone)

iOS 10 and 11 (iPhone, iPad, iPod Touch)
Android 5.x or later

Supported device operating systems
Nov 21, 2017

You can find the list of device operating systems that XenMobile 10.x supports for enterprise mobility management in Supported device operating systems.

XenMobile Apps features by platform
Nov 21, 2017

The following tables summarize features for each XenMobile app. X indicates the feature is available for that platform. For features in QuickEdit, see the Citrix QuickEdit for XenMobile article. For features in the most recent releases, see What's New in XenMobile Apps.

Citrix Secure Hub iOS Android
Sign on to authenticate X X
Monitor policy adherence X X
Access apps and desktops X X
HDX apps and desktops X X
Create and send issue logs X X
Attach screenshots to logs X X
Contact help desk within app X X
Contact Citrix support within app X X
Crash collection and analysis X X
Offline authentication X X
Send logs with Citrix Secure Mail X X
Google Analytics X X
Portrait and landscape mode X X
In-app guide for trusting apps X X
When enrolled with , automatic enrollment in Secure Mail (MAM only) X X

Touch ID offline authentication X X
Enroll with derived credentials X
BioMetric Authentication X

Citrix Secure Mail iOS Android
Productivity
Send, receive, reply, reply all, forward mail X X
Create, edit, delete drafts X X
Flag mail X X
Mark as unread X X
View all folders and subfolders X X
Auto-save drafts when app put in background X X
Email-to-note with Citrix Secure Notes X X
Search mail (local and server) X X
Select mail sync period (up to 1 month or All mails) X X
View unread mail X X
Secure attachment viewing/playing of images, video, and audio X X
Multiple attachments X X

Reply and forward attachments X X
Attach files from ShareFile X X
Attach files from ShareFile Restricted Zones and connectors X X
Attachment repository X X
Rich text editing X X
Mail notification with subject, preview on lock screen X X
Reply to and delete mail and invitations from notification screen X
Attach or take photo X X
Select multiple messages X X
Download attachments X X
Load images inline X X
Fast sort X X
Send, receive, open, and save .zip file attachments X X
Portrait and landscape modes X Across mail list, mail read, compose, calendar, and contacts views X For mail read and compose views only
Pasted text maintains formatting X X
SMS from contacts X X
FaceTime from contacts X
Messages unsent due to connectivity issues or full mailbox stored in Outbox X X

Recent folders bubble up X
Pull-down mail refresh X X
Last-refresh time stamp X X
Left-swipe for message actions X X
Microsoft Exchange and IBM Notes Traveler support X X
Tap to refresh mail, calendar, and contacts X X
Honor device accessibility/font-size settings in mail views X X
S/MIME signing and encryption X X
S/MIME cert import by email X X
S/MIME, Intercede integration X
S/MIME, Entrust integration X
Microsoft IRM protection for message body X X
Push notifications X
Push notifications to Inbox automatically update all folders, including calendar X
Open Office 365 documents X X
3D Touch actions X
Contextual icons on lock screen X X
Search folders X X
VIP mail folder X X

Dynamic Type support X X
Maintain expanded folders X X
Message classification markers X X
Spell check X
Attach last photo taken X X
URL preview X X
Open ShareFile links in ShareFile X X
Support for .pass files X
Select multiple emails in search mode X X
Insert images inline X X
Upgrade to Exchange ActiveSync (EAS) version 16 X X
Restrict users from using unknown or personal domains X
Support super-wide device screens X
Configure multiple Exchange accounts X X
Swipe left or right for more actions X X
Encrypt replies to or forwards of encrypted mails X
Print emails and inline images X
Use Preview Lines in Settings to configure how many lines of an email body appear as preview in the mailbox view X
Support for responsive emails X

Calendar iOS Android
Day, week, month, and agenda views X X
Detailed reminders on lock screen X X
Sync for six months X X
Set events as private X X
Scroll to hour before first event X
Manual refresh options X X
Set reminders X X
Tap to map address X X
Week numbers X X
Dynamic Type support X X
Security classification markers X X
Long taps on addresses X
Set workweek start day X X
Focus view on week of selected date X
Current date always highlighted X X
Calendar attachments from attachment repository X X
Personal calendar support X X

Display conflicts with personal calendar events X
Print calendar events X
Tap phone numbers and web addresses in a calendar subject line X

Meetings iOS Android
Reply, reply all, forward meetings X X
Organizer view of invite responses X X
Organizer view of invitees' availability with suggested availability X X
Tap to join online meetings (Note: For WebEx and Lync, App Controller must be configured to allow these apps.) X X
Tap to join audio conferences X X
Schedule online meeting, audio, conference in new invite X X
Add ShareFile links to new invites X X
Forward invites with attachments X X
Tap to send "running late" X X
Tap to reply to meeting organizer X X
Tap to reply to all meeting invites X X
Tap to reply to all meeting invitees X X
Tap to reply to all meeting invitees with attachments X X
Dial in to GoToMeeting X X

Respond to invite from lock screen or notification screen X X
Dial in to WebEx or Lync meetings X X
Hide declined events X X
Display more than 3 simultaneous events X X
Quick view of invitee status X X
Delete, reply, reply all, add comments on canceled events X X
Show organizer name on forwarded invites X X
Shared devices X X
Join Skype for Business meetings X X

Contacts iOS Android
Detailed contact information GAL search X X
Export and sync Secure Mail contacts to local contacts X X
Contacts: Favorite and Category X
Control which contact fields get exported X X
Non-Secure Mail contact details X X
Dynamic Type support X X
Mark contacts as VIPs X X
Share contacts with .vcards X X
View contacts with long press X
Export contacts even if native mail account exists X X
View folders and subfolders X

Settings configured on the device iOS Android
iMessage support X
Advanced options to control notifications X X
Lock-screen notification control X X
Mail and calendar notifications sounds X X
Auto refresh folders X X

Set internal and external out-of-office notifications X X
Ask before deleting X X
Threaded conversation or chronological views X X
Load attachments on WiFi X X
Make load attachments on WiFi default X X
Set sync mail period X X
Unlimited sync/sync all mail X
Set signature X X
List contacts by first name or last name X X
Auto advance X
Use home time zone X
Quick-response templates X
Push mail configuration frequency X
Export/import settings X X

Secure Web iOS Android
Download files X X
Add favorites X X

Clear saved user names and passwords X X
Delete cache/history/cookies X X
Block pop-ups X X
Save offline pages X X
Search in address bar X X
Open downloaded items from notifications X X
Passwords auto-saved X X
Proxy support Enterprise proxies X X
URL black and white lists X X
History X X
Default homepage X X
Tabs X X
Push bookmarks X X
Screen capture block X
Search in current page X X
3D Touch actions X
Shared devices X X
File tampering protection with shared devices X

Export/import settings X X
Portrait and landscape mode X X

Citrix Secure Notes iOS Android
Create notes with text, image, or audio X X
Link to Microsoft Exchange X X
Link to ShareFile X X
Web-based access X X
ShareFile StorageZones support X
Tag, sort and search notes X X
Organize notes into notebooks X X
Send notes to Secure Mail contacts X X
Upload notes to ShareFile X X
Format and spellcheck text X X
Map location when creating note X X
Set reminders X X
Move notes between notebooks X X
Mark notes as favorites X X
Auto-save notes X X
Portrait and landscape mode X X

Citrix Secure Tasks iOS Android
Create tasks X X
Sync flagged mail from Outlook X X*
Sync tasks from Outlook X X*
Sync categories from Outlook X X*
Categorize tasks X X
Prioritize tasks X X
Sort by due date X X
Filter by category X X
Search tasks X X
Set due dates X X
Set repeating tasks X X
Reply to/forward flagged mail X X
Set reminders X X
View tasks offline X X
Portrait and landscape mode X Portrait only (phone) Not supported (tablet) X Portrait only (phone) Not supported (tablet)
* Requires valid Secure Mail account

Citrix ShareConnect for XenMobile iOS Android
Restricted ports X
Require passwords each time (optional) X X
Cache previewed files X X
Add host computers X X
Access and edit files X X
Access and run applications X X
Access networked drives X X
Compatible with Citrix XI Mouse X X
Apps displayed in dock X X
View files on phone X
Non-SSO support X X
Switch between apps X
Access app menus X
Portrait and landscape mode X X

Citrix Secure Forms Composer (Chrome browser) iPhone iPad
Create customized forms X
Add text, number, photo, audio and video input fields X

Add bar code fields X
Add dropdown menus and checkboxes X
Add drawing fields X
Collect forms and attachments in ShareFile X
Collect forms and attachments by email X
Collect forms and attachments by web service X
Auto-fill data with beacons X
Creator's name on forms X
Submitted forms include user's name and timestamp X
Complete and submit forms on device X X
Forms automatically saved X X
Take and attach photos X X
Complete forms offline X X
Upload on Wi-Fi only X X
Electronic signature X X
Access through Secure Hub X X
Access with single sign-on X X
Portrait and landscape mode X X
Draw with finger and save drawing X X

Enter negative numbers onto forms X X

XenMobile compatibility
Nov 21, 2017

For a summary of the XenMobile components that you can integrate, see XenMobile compatibility.

Citrix Secure Hub
Nov 21, 2017

Citrix Secure Hub is the launchpad for the Citrix XenMobile experience. Users enroll their devices in Secure Hub to gain access to the Store. From the store, they can add Citrix-developed apps (Secure Forms, Secure Mail, Secure Notes, Secure Web, Secure Tasks, QuickEdit, and ShareFile) and third-party apps.

You can download Secure Hub and other XenMobile components from the XenMobile downloads page.

For Secure Hub and other XenMobile App system requirements, see System requirements for XenMobile Apps.

Important: The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For a table listing the XenMobile Apps enterprise versions that you can wrap with the MDX Toolkit , see the Enterprise delivery of XenMobile Apps section in XenMobile Apps administration and delivery.

You perform most of the administration tasks related to Secure Hub during the initial configuration of XenMobile. To make Secure Hub available to users, follow these guidelines:

For iOS and Android: Unlike other Citrix apps, do not wrap Secure Hub or add it to XenMobile. Instead, upload Secure Hub to the iOS App Store and the Google Play Store.

For Windows Phone: Wrap Secure Hub for Windows Phone and add the app to XenMobile. Use the MDX Toolkit for Windows Phone to re-sign and wrap Secure Hub so that Windows Phone users can access the company application store published by XenMobile. XenMobile then deploys Secure Hub to Windows Phone devices after users complete enrollment.

In addition to providing a portal for Citrix apps, Secure Hub refreshes most MDX policies stored in the XenMobile Server for the installed apps when a user's NetScaler Gateway session renews after authentication using NetScaler Gateway.

Important: Changes to any of the following policies require that a user delete and reinstall the app to apply the updated policy: Security Group, Enable encryption, and Secure Mail Exchange Server.

You can configure Secure Hub to use the Citrix PIN, a security feature enabled in the XenMobile console in Settings > Client Properties. The setting requires enrolled mobile device users to sign on to Secure Hub and activate any MDX wrapped apps by using a personal identification number (PIN).

The Citrix PIN feature simplifies the user authentication experience when logging on to the secured wrapped apps, keeping users from having to repeatedly enter another credential like their Active Directory user name and password.

88 Users who sign on to Secure Hub for the first time must enter their Active Directory user name and password. During signon, Secure Hub saves the Active Directory credentials or a client certificate on the user device and then prompts the user to enter a PIN. When users sign on again, they enter the PIN to access their Citrix apps and the Store securely, until the next idle timeout period ends for the active user session. Related client properties enable you to encrypt secrets using the PIN, specify the passcode type for the PIN, and specify PIN strength and length requirements. For details, see Client properties. When fingerprint authentication is enabled, users can sign on by using a fingerprint when offline authentication is required because of app inactivity. Users still have to enter a PIN when signing on to Secure Hub for the first time, restarting the device, and after the inactivity timer expires. Fingerprint authentication is supported for ios 9 and ios 10.3 devices and some Android devices. For information about enabling fingerprint authentication, see the ENABLE_TOUCH_ID_AUTH setting in Client properties. Secure Hub for ios and Android supports SSL certificate pinning. This feature ensures that the certificate signed by your enterprise is used when Citrix clients communicate with XenMobile, thus preventing connections from clients to XenMobile when installation of a root certificate on the device compromises the SSL session. When Secure Hub detects any changes to the server public key, Secure Hub denies the connection. As of Android N, the operating system no longer allows user-added certificate authorities (CAs). Citrix recommends using a public root CA in place of a user-added CA. Users upgrading to Android N may experience problems if they use private or self-signed CAs. 
Connections on Android N devices break under the following scenarios:
Private/self-signed CAs and the Required Trusted CA for XenMobile option on XenMobile AutoDiscovery Service is set to ON.
Private/self-signed CAs and the AutoDiscovery Service (ADS) is not reachable. Due to security concerns, when ADS is not reachable, Required Trusted CA turns ON even if it was set to OFF initially.

Before you enroll devices or upgrade Secure Hub, consider whether you want to enable certificate pinning, which is off by default and managed by the XenMobile Auto Discovery Service (ADS).

To use certificate pinning, request that Citrix upload certificates to the Citrix ADS server. Open a technical support case using the Citrix Support portal and then provide the following information:
The domain containing the accounts with which users will enroll.
The XenMobile Server fully qualified domain name (FQDN).
The XenMobile instance name. By default, the instance name is zdm and is case-sensitive.
User ID Type, which can be either UPN or email. By default, the type is UPN.
The port used for iOS enrollment if you changed the port number from the default port.
The port through which the XenMobile Server accepts connections if you changed the port number from the default port 443.
The full URL of your NetScaler Gateway.
Optionally, an address for your XenMobile administrator.
The PEM-formatted certificates you want added to the domain.
How to handle any existing server certificates: Whether to remove the old server certificate immediately (because it is compromised) or to continue to support the old server certificate until it expires.

Your technical support case is updated when your details and certificate have been added to the Citrix servers.
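Before attaching PEM files to the support case, it helps to confirm that the bundle holds only certificates and to know whether a replacement certificate keeps the public key that Secure Hub checks. The following is an added example, not Citrix code: the page does not say how Secure Hub derives its pin, so the SHA-256 over SubjectPublicKeyInfo is an assumed, common convention, and the certificates are constructed toy structures with hypothetical names.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                         # short-form length
        start, length = pos + 2, first
    else:                                    # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length


def spki_pin(cert_der):
    """SHA-256 hex digest of the certificate's SubjectPublicKeyInfo."""
    tag, pos, _end = read_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, pos, _end = read_tlv(cert_der, pos)         # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _start, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] version
        pos = end
    for _field in range(5):   # serialNumber, signature, issuer, validity, subject
        _tag, _start, pos = read_tlv(cert_der, pos)
    tag, _start, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return hashlib.sha256(cert_der[pos:end]).hexdigest()


def review_bundle(pem_text):
    """Return the pin of every certificate; refuse bundles with key material."""
    pins = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            raise ValueError("bundle contains a private key: do not send it")
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: " + label)
        der = base64.b64decode("".join(body.split()), validate=True)
        pins.append(spki_pin(der))
    if not pins:
        raise ValueError("no PEM certificate found")
    return pins


def renewal_keeps_pin(old_pem, new_pem):
    """True when the replacement certificate carries the same public key."""
    return review_bundle(old_pem) == review_bundle(new_pem)


# --- constructed sample data: minimal certificate-shaped DER, not real certs ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def toy_cert_pem(serial, not_after, key_bytes):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, not_after))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x5a" * 32))
    body = base64.encodebytes(der).decode()   # line-wrapped base64
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


CURRENT = toy_cert_pem(1, b"260101000000Z", b"\x11" * 140)
RENEWED_SAME_KEY = toy_cert_pem(2, b"270101000000Z", b"\x11" * 140)
REKEYED = toy_cert_pem(3, b"270101000000Z", b"\x22" * 140)

if __name__ == "__main__":
    print("renewal with same key keeps pin:", renewal_keeps_pin(CURRENT, RENEWED_SAME_KEY))
    print("re-keyed certificate keeps pin:", renewal_keeps_pin(CURRENT, REKEYED))
```

A renewal that reuses the key pair yields the same value, while a re-keyed certificate does not, which is the case where the old-certificate handling in the support request matters.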

You can configure NetScaler so that Secure Hub authenticates using a certificate plus a security token that serves as a one-time password. This configuration provides a strong security option that doesn't leave an Active Directory footprint on devices.

To enable Secure Hub to use this type of authentication, add a rewrite action and a rewrite policy in NetScaler that inserts a custom response header of the form X-Citrix-am-gatewayauthtype: CertAndRSA to indicate the NetScaler Gateway logon type.

Ordinarily, Secure Hub uses the NetScaler Gateway logon type configured in the XenMobile console. However, this information isn't available to Secure Hub until Secure Hub completes logon for the first time, so the custom header is required to allow Secure Hub to do this.

Note: If different logon types are set in XenMobile and NetScaler, the NetScaler configuration overrides the XenMobile configuration. For details, see NetScaler Gateway and XenMobile.

1. In NetScaler, navigate to Configuration > AppExpert > Rewrite > Actions.
2. Click Add. The Create Rewrite Action screen appears.
3. Fill in each field as shown in the following figure and then click Create.

The following result appears on the main Rewrite Actions screen.

4. Bind the rewrite action to the virtual server as a rewrite policy. Go to Configuration > NetScaler Gateway > Virtual Servers and then select your virtual server.
5. Click Edit.
6. On the Virtual Servers configuration screen, scroll down to Policies.
7. Click + to add a policy.

8. In the Choose Policy field, choose Rewrite.
9. In the Choose Type field, choose Response.
10. Click Continue.

The Policy Binding section expands.
11. Click Select Policy. A screen with available policies appears.
12. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your selected policy filled in.

13. Click Bind. If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.

14. To view the policy details, click Rewrite Policy.

Port configuration ensures that Android devices connecting from Secure Hub can access the Citrix ADS from within the corporate network. The ability to access ADS is important when downloading security updates made available through ADS. ADS connections might not be compatible with your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

Important: Secure Hub version 10.2 and later requires you to allow Android devices to access ADS. For details, see Port requirements in the XenMobile documentation. Note that this communication is on outbound port 443. It's highly likely that your existing environment is designed to allow this access. Customers who cannot guarantee this communication are strongly discouraged from upgrading to Secure Hub. If you have any questions, please contact Citrix support.

Customers interested in enabling certificate pinning must complete the following prerequisites:
Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
Contact Citrix support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

The new certificate pinning improvements require that devices connect to ADS before the device enrolls. This ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. If devices cannot reach ADS, Secure Hub does not allow enrollment of the device. Therefore, opening up ADS access within the internal network is critical to enable devices to enroll.

To allow access to the ADS for Secure Hub 10.2 for Android, open port 443 for the following IP addresses and FQDN:

FQDN | IP address | Port | IP and port usage
discovery.mdm.zenprise.com | | | Secure Hub - ADS Communication
discovery.mdm.zenprise.com | | | Secure Hub - ADS Communication
ads.xm.cloud.com* | | | Secure Hub - ADS Communication
ads.xm.cloud.com* | | | Secure Hub - ADS Communication

* SecureHub version and later uses ads.xm.cloud.com.

If certificate pinning is enabled:
Secure Hub pins your enterprise certificate during device enrollment.
During an upgrade, Secure Hub discards any currently pinned certificate and then pins the server certificate on the first connection for enrolled users.

Note: If you enable certificate pinning after an upgrade, users must enroll again.

Certificate renewal does not require reenrollment, provided that the certificate public key did not change.
Certificate pinning supports leaf certificates, not intermediate or issuer certificates.
Certificate pinning applies to Citrix servers, such as XenMobile and NetScaler Gateway, and not third-party servers.

The following XenMobile articles include other information about requirements and configuration related to Secure Hub:
XenMobile Port requirements
XenMobile preinstallation checklist
NetScaler Gateway and XenMobile
Creating and updating notification templates
XenMobile Store and Citrix Secure Hub branding
Android at Work
Citrix Launcher

Secure Hub allows you to monitor and enforce mobile policies while providing access to the Store and live support. Users begin by downloading Secure Hub onto their devices from the Apple, Android, or Windows app store.

The following figure shows what users see when first opening Secure Hub and signing on. The figure shows what appears for each option on the main screen, such as My Apps, Store, Preferences, and Help. For a PDF version of this figure, download the Secure Hub Quick Reference Guide.

When Secure Hub opens, users enter the credentials provided by their companies to enroll their devices in Secure Hub. For more details about device enrollment, see Enroll devices.

Once enrolled, users see any apps and desktops that you've pushed in their My Apps tab. Users can add more apps from the Store. On phones, the Store link is under the Settings hamburger icon in the upper left-hand corner.

On tablets, the Store is a separate tab.

When users with iPhones running iOS 9 or later install XenMobile Apps from the XenMobile Store, they see a message stating that the enterprise developer, Citrix, is not trusted on that iPhone and the app will not be available for use until the developer is trusted. When this message appears, Secure Hub prompts users to view a guide that coaches them through the process of trusting Citrix enterprise apps for their iPhone.

For wrapped XenMobile Apps for iOS 9 and iOS 10, Secure Hub and the Worx Apps SDK work together to track the installed app list. Secure Hub displays apps in the My Apps view using this tracking list. To accommodate this app tracking method:
In the My Apps view, newly installed apps appear with a blue dot next to them. This blue dot disappears the first time the app opens successfully.
If users attempt to open an app that has not finished installing or is updating, they see a message instructing them to try again.
If users attempt to open an app that has been deleted, they see a message instructing them to tap More to remove the app from Secure Hub or install it from the Store.
If a user deletes a required app from the device home screen, the user must go to the Store to install the app again. The app is not installed again during the next online authorization or store refresh.

For MAM-only deployments, you can configure XenMobile so that users with Android or iOS devices who enroll in Secure Hub using credentials are automatically enrolled in Secure Mail. Users do not have to enter more information or take more steps to enroll in Secure Mail.

On first-time use of Secure Mail, Secure Mail obtains the user's address, domain, and user ID from Secure Hub. Secure Mail uses the address for autodiscovery. The Exchange server is identified using the domain and user ID, which enables Secure Mail to authenticate the user automatically. The user is prompted to enter a password if the policy is set to not pass through the password, but the user is not required to enter any more information.

To enable this feature, create three properties:
The server property MAM_MACRO_SUPPORT. For instructions, see Server properties.
The client properties ENABLE_CREDENTIAL_STORE and SEND_LDAP_ATTRIBUTES. For instructions, see Client properties.
If you want to customize your Store, go to Settings > Client Branding to change the name, add a logo, and specify how apps appear.

You can edit app descriptions in the XenMobile console. Click Configure, then click Apps. Select the app from the table and click Edit. Select the platforms for the app with the description you're editing and then type the text in the Description box.

In the Store, users can browse only those apps and desktops that you've configured and secured in XenMobile. To add the app, users tap Details and then tap Add.

Secure Hub also offers users a variety of ways to get help. On tablets, tapping the question mark in the upper-right corner opens help options. On phones, users tap the hamburger menu icon in the upper-left corner and then tap Help.

Your IT Department shows the telephone and email of your company help desk, which users can access directly from the app. You enter phone numbers and addresses in the XenMobile console. Click the gear icon in the upper-right corner. The Settings page appears. Click More and then click Client Support. The screen where you enter the information appears.

Report Issue shows a list of apps. Users select the app that has the issue. Secure Hub automatically generates logs and then opens a message in Secure Mail with the logs attached as a zip file. Users add subject lines and descriptions of the issue. They can also attach a screenshot.

Note

On iOS devices, Secure Hub automatically uses native clients to send logs. Secure Hub does not allow users to send logs as attachments using Secure Mail. This is a third-party issue. As a workaround, you can configure XenMobile 10.3 to send logs to the server automatically. Go to Settings > Client Support > Send logs to IT help desk and select directly.

Send Feedback to Citrix opens a message in Secure Mail with a Citrix support address filled in. In the body of the message, the user can enter suggestions for improving Secure Mail. If Secure Mail isn't installed on the device, the native mail program opens.

Users can also tap Citrix Support, which opens the Citrix Knowledge Center. From there, they can search support articles for all Citrix products.

In Preferences, users can find information about their accounts and devices.

Secure Hub also provides geo-location and geo-tracking policies if, for example, you want to ensure that a corporate-owned device does not breach a certain geographic perimeter. For details, see Location device policies. Additionally, Secure Hub automatically collects and analyzes failure information so you can see what led to a particular failure. This function is supported by the software Crashlytics.

You can configure XenMobile to enroll users automatically in Secure Mail when they enroll in Secure Hub. This means users do not have to enter additional information or take additional steps to enroll in Secure Mail. This single sign-on (SSO) feature is available only for App Store versions of the apps, not enterprise versions, so that both Secure Hub and Secure Mail are signed with the same certificate.

For users who enroll in Secure Hub with credentials, this feature requires that autodiscovery is enabled. If autodiscovery is not enabled, you can enable this feature for the following enrollment methods:
The XenMobile Server address is passed to Secure Mail from Secure Hub.
Users enter the XenMobile Server address when enrolling in Secure Hub.

To enable the automatic enrollment in Secure Mail, set these XenMobile client properties to true:
ENABLE_PASSCODE_AUTH
ENABLE_PASSWORD_CACHING
ENABLE_CREDENTIAL_STORE

Add this XenMobile client property:
Display name: SEND_LDAP_ATTRIBUTES
Value: userprincipalname=${user.userprincipalname},samaccountname=${user.samaccountname},displayname=${user.displayname},mail=${user.mail}

Add this XenMobile server property:
MAM_MACRO_SUPPORT set to true

Configure these Secure Mail properties:
Set Initial Authentication Mechanism to User address
Set Initial Authentication Credentials to userprincipalname


Samsung KNOX Bulk Enrollment

Nov 27, 2017

To enroll multiple Samsung KNOX devices into XenMobile (or any mobile device manager) without manually configuring each device, use KNOX Mobile Enrollment. The enrollment occurs upon first-time use or after a factory reset.

Note

The setup for KNOX Mobile Enrollment is not related to the XenMobile KNOX container.

Samsung devices running KNOX 2.4 or later
Some devices lacking a device root key (DRK) support Mobile Enrollment with the KNOX binary. For a list of supported devices, see KNOX Mobile Enrollment.
Samsung must whitelist the devices to be enrolled. When you add devices to the KNOX portal, you enter device IMEIs or serial numbers. The only way to bulk enroll is to:
Purchase devices from a list of approved Samsung resellers, or
Purchase devices from resellers willing to share the IMEIs directly with Samsung.
A list of resellers for your country can be obtained from KNOX customer support. For details on device verification requirements, contact KNOX Support.
KNOX partner account
You must have permission to access the KNOX Mobile Enrollment features.
XenMobile server must be configured (including licenses and certificates) and running.
Secure Hub APK file. You will upload the file when setting up KNOX Mobile Enrollment.

To download the Secure Hub APK file:
1. Log in to the Citrix download site and go to the XenMobile downloads.
2. Go to XenMobile Apps and MDX Toolkit and choose your edition.
3. Download the Citrix Secure Hub for Android file.

Configure Firewall Exceptions

To access Knox Mobile Enrollment, configure the following firewall exceptions. Some of these firewall exceptions are required for all devices and some are specific to the device's geographical region.

Device's Region | URL | Port | Destination
All | | | Global load balancer for Knox Mobile Enrollment initiation
All | | 80 | Global load balancer for Knox Mobile Enrollment initiation on some limited legacy devices
All | umc-cdn.secb2b.com | 443 | Samsung agent update servers
All | bulkenrollment.s3.amazonaws.com | 80 | Knox Mobile Enrollment customer EULAs
All | eula.secb2b.com | 443 | Knox Mobile Enrollment customer EULAs
All | us-be-api-mssl.samsungknox.com | 443 | Samsung servers for IMEI verification
United States | | | Samsung Enterprise Gateway for US region
Europe | | | Samsung Enterprise Gateway for European region
China | | | Samsung Enterprise Gateway for China region

Follow these procedures to get access to KNOX Mobile Enrollment.

If you have a KNOX web portal account
1. Log on to the KNOX web portal and go to your Samsung KNOX Dashboard.
2. Under KNOX Mobile Enrollment, click Get Started.
3. Fill out the applicable fields and then click Apply.

After Samsung approves your application, you will receive a welcome with instructions on how to start using the KNOX Mobile Enrollment tool. For a faster approval process, provide any essential information, including contact details for your reseller, Samsung sales representative, or any other information that will assist in your approval.

If you don't have a KNOX web portal account
1. On the KNOX Mobile Enrollment page, click Get Started.
2. Fill out the required fields.
3. You will receive an email to confirm your registration with the KNOX portal. Click Complete Registration to continue.
4. Enter and confirm your KNOX web portal password.
5. In your Samsung KNOX Dashboard, under KNOX Bulk Enrollment Program, click Launch KNOX Mobile Enrollment.
6. For faster approval, please provide any essential information; this includes contact details for your reseller, Samsung sales representative, or any other information that will assist in your approval.

After you get access to KNOX Mobile Enrollment, go to the KNOX portal and click Launch Mobile Enrollment. If Samsung cannot authorize the account to use Bulk Enrollment, you will see this screen:

The enrollment process then follows these general steps, described in detail in the following sub-sections.
1. Create an MDM profile with your MDM console information and settings. The MDM profile indicates to your devices how to connect to your MDM.
2. Add devices to your MDM profile. You can either upload a CSV file with device information or scan the devices with the Mobile Enrollment app from Google Play.
3. Samsung alerts you when device ownership is verified.
4. Provide users with MDM credentials. Instruct them to connect to the Internet using Wi-Fi and to accept the prompt to enroll their device.

You must create an MDM profile that defines the XenMobile Server to use. Create one profile per XenMobile Server.
1. Log on to the KNOX Mobile Enrollment website.
2. Click the MDM Profiles tab, click Add, and then click Server URI not required for my MDM.

Note: Do not specify an MDM server URI. XenMobile does not use the Samsung MDM protocol.

3. In the Create an MDM Profile screen, provide the following:
A name for the profile.
For MDM Agent APK, the Secure Hub APK download URL. For example:
The APK file can reside on any server that the devices can access during enrollment. During the enrollment, a device downloads Secure Hub from that URL, installs Secure Hub, and then opens Secure Hub with the custom JSON data described next.
Note: The capitalization of the .apk file name must match the URL you enter. For example, if the file name is all lowercase, it must also be all lowercase in the URL.
For Custom JSON Data, the XenMobile server address in the format: {"serverurl":"url"}
Examples: {"serverurl":" {"serverurl":"

Note: The Secure Hub APK file must be uploaded on the specified server (example: under the Apps section. This is similar to uploading enterprise apps.

When a device starts bulk enrollment, the device uses the profile data:
First, the device downloads Secure Hub from the given URL, installs Secure Hub, and opens Secure Hub with the custom JSON data as parameter.
Then, Secure Hub opens the credentials page. Secure Hub already has the XenMobile Server address, so Secure Hub doesn't need to prompt for it.

To add devices, upload device IDs and associate them to one of the previously created MDM profiles.

Upload a .csv file. The different ways of building the file are documented on the KNOX website. The simplest way is to enter one IMEI per line, as follows.

Note

You can alternatively add devices by scanning them, as described in the next section.

1. Go to Devices > All Devices and click Upload devices.

2. Under CSV File Format, click Download file template.
3. Enter information in corresponding columns in the template:
Device info: IMEI, MEID, or serial number.
Username (optional): If the user has been provisioned with a user name for your enterprise MDM setup.
Password (optional): If the user has been provisioned with a password for your enterprise MDM setup.
Other info (optional): Any other information that you want to include about the device.
4. Highlight all the cells in the spreadsheet.
5. Right-click the highlighted cells and select Format cells.
6. On the Number tab, under Category, click Text and then click OK.
7. Save the spreadsheet as a .csv file.

1. Click the Devices tab.
2. Click Upload Devices.

3. In the Add Devices dialog, click Browse, select your .csv file and then click Upload.
4. Enter your purchase details. The KNOX Mobile Enrollment tool verifies your purchase details to ensure that each device is enrolled in the proper enterprise.
5. Under Assign to Profile, select the MDM profile that you added.
6. Click Submit.

The All Devices list displays the enrollment status and profile of all the devices that you attempted to enroll.

Only TIMA-enabled Samsung 2.4 devices are supported out of the box by the Samsung KNOX Mobile Enrollment tool. Also, for a device to successfully enroll in the enterprise, the device must connect to Wi-Fi and users must agree to download and install Secure Hub.

1. Download and install the KNOX Mobile Enrollment app from Google Play.
2. Enter your Samsung Portal credentials and then tap SIGN IN.
3. Tap Scan Devices.
4. Tap Scan new devices.
5. Align the barcode of your device with the red line to scan.
6. If the scan succeeds, the device IMEI appears. Tap Save.

7. Your scanned devices are shown in the scan queue. Tap Upload.

1. Log on to your KNOX Web Portal account and click Launch Mobile Enrollment.
2. Tap Scanned to view all added devices.
3. Select the devices that you want to enroll and tap Submit selected. To submit all scanned devices, tap Submit all.
4. In the Submit scanned devices pop-up, enter your Purchase details to confirm device ownership.
5. In the Assign MDM profile menu, select the profile to use for device enrollment.
6. Click Submit. You will receive a confirmation when the device information is verified.

For security reasons, devices are not immediately assigned to this bulk enrollment account. Samsung first must verify that the devices belong to the entity that is setting up the bulk enrollment account. For that purpose, the next screen prompts for the identity of the reseller and for matching invoices.

Important

For legal reasons, Samsung maintains two distinct server groups: Americas and EU. U.S. devices must register with a KNOX account for the U.S. region. EU devices, as well as devices from any other region except China, which is not supported, must register with a KNOX account for the EU region. A device from the wrong region will actually be accepted into the account, but bulk enrollment will fail on the device with a cryptic error. To check whether the device country code or origin is a non-U.S. country, download the simple Phone Info Samsung app from Google Play.

After the preceding configuration is completed, the first time a user starts a device and connects to the Internet using Wi-Fi, the following sequence of screens appears. The enrollment process starts automatically and users need to download and install Secure Hub and then enter valid credentials on the Secure Hub screen to complete the enrollment.

Note

Enrollment doesn't use a cellular connection to avoid any network costs for the user.

On devices that have KNOX API earlier than version 2.4, bulk enrollment will not work out of the box, so users must initiate enrollment by going to a Samsung site to download the new Mobile Enrollment client and start the enrollment. The downloaded enrollment client uses the same MDM profile and APKs configured in the KNOX Bulk enrollment portal for the KNOX 2.4/2.4.1 devices.

Users typically follow these steps:
1. Turn on the device and connect to Wi-Fi. If the Mobile Enrollment doesn't start or Wi-Fi is not available, do the following:
a. Go to
b. Tap the Enroll button to enroll devices with mobile data.
2. When the prompt Enroll with KNOX appears, tap Continue.
3. Read the EULAs (if available). Tap Next.
4. If prompted, enter the User ID and Password provided by the IT administrator.

At this point, the user credentials are validated and their device is enrolled in your organization's enterprise IT environment.

XenMobile allows you to enable and disable biometric authentication (fingerprint and iris scan authentication) for Samsung devices without requiring any action from users. If you disable biometric authentication in XenMobile, users and third-party apps cannot enable the feature.

1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.
2. Click Add. The Add New Policy page appears.
3. Click Passcode. The Passcode Policy information page appears.
4. In the Policy Information pane, enter the following information:
Policy Name: Type a descriptive name for the policy.
Description: Optionally, type a description of the policy.
5. Description: Optionally, type a description of the policy.
6. Click Next. The Platforms page appears.
7. Under Platforms, select Android or Samsung KNOX.
8. Set Configure biometric authentication to ON.
9. If you selected Android, under Samsung SAFE, select Allow fingerprint or Allow Iris or both.

Authentication Prompt Scenarios

Nov 21, 2017

Various scenarios prompt users to authenticate with XenMobile by entering their credentials on their devices. The scenarios change depending on these factors:
Your MDX app policy and Client Property configuration in the XenMobile console settings.
Whether the authentication occurs offline, or needs to be an online authentication (the device needs a network connection to XenMobile).

In addition, the kind of credentials that users enter (Active Directory password, Citrix PIN or passcode, one-time password, or fingerprint authentication, known as Touch ID in iOS) also changes based on the type of authentication and frequency of authentication that you require.

Let's start with the scenarios that result in an authentication prompt.

Device restart. When users restart their device, they must reauthenticate with Secure Hub.

Offline inactivity (time-out). With the App Passcode MDX policy enabled, which it is by default, the XenMobile client property called Inactivity Timer comes into play. The Inactivity Timer limits the length of time that can pass without user activity in any of the apps that use the secure container. When the Inactivity Timer expires, users must reauthenticate to the secure container on the device. If, for example, users set down their devices and walk away, once the Inactivity Timer has expired, someone else can't pick up the device and access sensitive data within the container. You set the Inactivity Timer client property in the XenMobile console. The default is 15 minutes. The combination of the App Passcode set to ON and the Inactivity Timer client property is responsible for probably the most common of the authentication prompt scenarios.

Signing off from Secure Hub. When users sign off from Secure Hub, they have to reauthenticate the next time they access Secure Hub or any MDX app, when the app requires a passcode as determined by the App Passcode MDX policy and the Inactivity Timer status.
Maximum offline period. This scenario is specific to individual apps because it is driven by a per-app MDX policy. The Maximum offline period MDX policy has a default setting of 3 days. If the time period for an app to run without online authentication with Secure Hub elapses, a check-in with XenMobile Server is required in order to confirm app entitlement and to refresh policies. When this check-in occurs, the app triggers Secure Hub for an online authentication. Users must reauthenticate before they can access the MDX app.

Note the relationship between the Maximum offline period and the Active poll period MDX policy:
The Active poll period is the interval during which apps check in with XenMobile server for performing security actions, such as app lock and app wipe. In addition, the app also checks for updated app policies.
After a successful check for policies via the Active poll period policy, the Maximum offline period timer is reset and begins counting down again.

Both check-ins with the XenMobile server, for Active poll period and Maximum offline period expiry, require a valid NetScaler Gateway token on the device. If the device has a valid NetScaler Gateway token, the app retrieves new policies from XenMobile without any interruption to users. If the app needs a NetScaler Gateway token, a flip to Secure Hub occurs, and users see an authentication prompt in Secure Hub.

On Android devices, the Secure Hub activity screens open directly on top of the current app screen. On iOS devices, however, Secure Hub must come to the foreground, which temporarily displaces the current app.

After users enter their credentials, Secure Hub flips back to the original app. If, in this case, you allow for cached Active Directory credentials or you have a client certificate configured, users can enter a PIN, password, or fingerprint authentication. If you do not, users must enter their complete Active Directory credentials.

The NetScaler token may become invalid due to NetScaler Gateway session inactivity or a forced session time-out policy, as discussed in the following list of NetScaler Gateway policies. When users sign on to Secure Hub again, they can continue running the app.

NetScaler Gateway session policies. Two NetScaler Gateway policies also affect when users are prompted to authenticate. In these cases, they authenticate in order to create an online session with NetScaler for connecting to XenMobile server.

Session time-out. The NetScaler session for XenMobile is disconnected if no network activity occurs for the set period of time. The default is 30 minutes. If you use the NetScaler Gateway wizard to configure the policy, however, the default is 1440 minutes. Users will then see an authentication prompt to reconnect to their corporate network.

Forced time-out. If On, the NetScaler session for XenMobile is disconnected after the forced time-out period elapses. The forced time-out makes reauthentication mandatory after a set period of time. Users will then see an authentication prompt to reconnect to their corporate network upon the next use. The default is Off. If you use the NetScaler Gateway wizard to configure the policy, however, the default is 1440 minutes.

Credential Types

The preceding section discussed when users are prompted to authenticate. Let's now discuss the kinds of credentials they must enter.
Authentication is necessary through various authentication methods in order to gain access to encrypted data on the device. To initially unlock the device, you unlock the primary container. After this occurs and the container is secured again, to gain access again, you unlock a secondary container. Not e: e When the article refers to a managed app, the term refers to an app wrapped by the MDX Toolkit, in which you've left the App Passcode MDX policy enabled by default and are leveraging the Inactivity Timer client property. The circumstances that determine the credential types are as follows: Primary cont ainer unlock. An Active Directory password, Citrix PIN or passcode, one-time password, Touch ID or fingerprint ID are required to unlock the primary container. On ios, when users open Secure Hub or a managed app for the first time after the app is installed on the device. On ios, when users restart a device and then open Secure Hub. On Android, when users open a managed app if Secure Hub is not running. On Android, when users restart Secure Hub for any reason, including a device restart. Secondary cont ainer unlock. Fingerprint authentication (if configured), a Citrix PIN or passcode, or Active Directory credentials, to unlock the secondary container. When users open a managed app after the inactivity timer expires. When users sign off of Secure Hub and subsequently open a managed app. Active Directory credentials are required for either container unlock circumstance when the following conditions are true: Citrix Systems, Inc. All rights reserved. p.118

119 When users change the passcode associated with their corporate account. When you have not set the client properties in the XenMobile console to enable the Citrix PIN: ENABLE_PASSCODE_AUTH and ENABLE_PASSCODE_AUTH. When the NetScaler Gateway session ends, which occurs when the session time-out or forced time-out policy timer expires, if the device does not cache the credentials or does not have a client certificate. When fingerprint authentication is enabled, users can sign on by using a fingerprint when offline authentication is required because of app inactivity. Users still have to enter a PIN when signing on to Secure Hub for the first time and when restarting the device. Fingerprint authentication is supported for ios 9 and ios 10.3 devices and some Android devices. For information about enabling fingerprint authentication, see the ENABLE_TOUCH_ID_AUTH setting in Client properties. The following flowchart summarizes the decision flow that determines which credentials a user must enter when prompted to authenticate Citrix Systems, Inc. All rights reserved. p.119

About Secure Hub Screen Flips

Another situation to note is when a flip from an app to Secure Hub and then back to an app is required. The flip displays a notification that users must acknowledge. Authentication is not required when this occurs. The situation occurs after a check-in happens with XenMobile server, as specified by the Maximum offline period and Active poll period MDX policies, and XenMobile detects updated policies that need to be pushed to the device through Secure Hub.

iOS VPN Installation
Nov 21, 2017

On iOS 10 and later devices, Secure Hub VPN is used for secure local data sharing between Secure Hub and MDX apps. Secure Hub VPN runs on the iOS 10 and later device. Secure Hub VPN provides the ideal user experience, because Secure Hub and MDX apps can communicate seamlessly through this VPN. Secure Hub VPN works for apps signed by Apple Enterprise developer account ("team id") certificates, Citrix certificates, Enterprise certificates, or third-party ISV certificates.

Secure Hub VPN is used by default on iOS 10 devices. If Secure Hub VPN is not running on the iOS 10 device, MDX uses the iOS shared keychain for secure data sharing. The iOS shared keychain mechanism requires all participating apps to be signed with the same certificate to access the specific shared keychain for that iOS "team id" certificate. If an app is not signed with the same certificate as the Citrix-signed Secure Hub app, the app might flip to Secure Hub to get the required information.

Secure Hub VPN is available only for XenMobile Enterprise and MAM-only deployments. Secure Hub VPN does not apply to XenMobile MDM-only environments, and the VPN is not installed in MDM-only enrollments. On iOS 9 and earlier versions, Secure Hub does not use Secure Hub VPN.

Secure Hub VPN is used for communication between Secure Hub and XenMobile or enterprise apps. It does not filter or monitor network traffic on the device and is independent of the MDX micro-VPN mechanism.

Note
Citrix recommends that you leave Secure Hub VPN enabled in environments where it is enabled by default. Because iOS does not allow more than one VPN client to run on an iOS device simultaneously, however, be aware of the following situation. The Secure Hub VPN cannot be used if another VPN app, such as Cisco AnyConnect or Citrix VPN, needs to run on iOS devices to establish a device-level VPN. You can set up an iOS per-app VPN even if Secure Hub VPN is not disabled. The app using the iOS per-app VPN establishes a per-app VPN connection when the app is in the foreground. To disable Secure Hub VPN, see the following section in this article. When Secure Hub VPN is disabled, users might experience more flips from a managed app to Secure Hub.

Disabling or reenabling Secure Hub VPN in XenMobile

Secure Hub VPN is enabled by default when users start using Secure Hub and later on iOS 10. To disable Secure Hub VPN and set iOS devices in your deployment to use the shared keychain mechanism, do the following:

1. In the XenMobile console, go to Settings > Client > Client Properties.
2. On the Client Properties page, create a custom client property called ENABLE_NETWORK_EXTENSION and set the value to

To reenable Secure Hub VPN, go to the Secure Hub VPN and set the value of ENABLE_NETWORK_EXTENSION to 1.

Installing Secure Hub VPN on the client device

The Secure Hub VPN is installed in two cases: after Secure Hub or later is installed on an iOS 10 device or when a user upgrades a device running Secure Hub or later to iOS 10. Users see this informational message.

Next, users see an iOS message asking for permission to add VPN configurations. This message is shown only one time, when the VPN is first installed. It is not shown when users open Secure Hub again. The message on this screen is not customizable. It is a standard iOS dialog box used for all VPN installations.

On the screen asking for permission to add the VPN configuration: If users select Don't Allow, they see another message indicating that they must install the VPN to access Secure Hub.

Running Secure Hub VPN on the client device

When the Secure Hub VPN is running as designed, the text Connecting appears in the General > VPN screen of the iOS Settings app.

This is expected and does not mean that the MDX sharing and communication mechanisms are not functioning. There is no action required from users if they see this message.

Enrolling devices by using derived credentials
Nov 21, 2017

Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access Card (CAC).

The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.

XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn't support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile Server to enroll Android devices through enrollment invitations and other enrollment modes.

Device enrollment steps when using derived credentials

Enrollment requires that users insert their smart card to a reader attached to their desktop.

1. The user installs Secure Hub and the app from your derived credential provider. In this example, the identity provider app is the Intercede MyID Identity Agent.

2. The user starts Secure Hub. When prompted, the user types the XenMobile Server fully qualified domain name and then clicks Next. Enrollment in Secure Hub starts. If the XenMobile Server supports derived credentials, Secure Hub prompts the user to create a Citrix PIN.

3. The user follows the instructions to activate their smart credential. A splash screen appears, followed by a prompt to scan a QR code.
4. The user inserts their card into the smart card reader that's attached to their desktop. The desktop app then displays a QR code and prompts the user to scan the code using their mobile device.

The user enters their Secure Hub PIN when prompted.

After authenticating the PIN, Secure Hub downloads the certificates. The user then follows the prompts to complete enrollment.

To view device information in the XenMobile console:

Go to Manage > Devices and then select a device to display a command box. Click Show more.
Go to Analyze > Dashboard.

Citrix ScanDirect
Nov 21, 2017

Citrix ScanDirect allows users to capture, edit, and save documents for easy sharing. ScanDirect automatically detects the edges of documents and whiteboards and applies document-specific filters to ensure superior image quality. Users can quickly export the captured images to ShareFile as PDF, Microsoft Word, or Microsoft PowerPoint files.

For ScanDirect and other XenMobile App system requirements, see System requirements for XenMobile Apps.

ScanDirect requires access to a device's camera, so turn off the Block camera policy on the XenMobile server.

With ScanDirect, users can:

Quickly digitize and store handwritten notes, documents, and receipts for later use.
Add multiple images to a single capture to create a case or project file for associated content.
Save digitized captures as PDF, Microsoft Word, or Microsoft PowerPoint files.
Export captures to their most common collaboration resources, such as email, photo gallery, and cloud storage.
Crop captured notes any time to modify for future use.

For information about how users can take their first scan and add ShareFile as a cloud service, see this article.

Citrix Secure Forms
Nov 21, 2017

Important
End of Life (EOL) lifecycle date for Secure Forms: March 31,
When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the available support options are limited. Historical information appears in the Knowledge Center or other online resources. The documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle milestones, see the Product Matrix. Customers are encouraged to transition to the ShareFile Workflows for XenMobile Apps included with ShareFile Platinum and Premium accounts.

Citrix Secure Forms is a two-part app for creating and completing customized forms. Users create forms on the web-based Secure Forms Composer and then publish the forms to the Secure Forms mobile app, available for download on the XenMobile downloads page. With the mobile app, end users fill out and submit forms from wherever they're working. For more information about the Secure Forms mobile app, see Secure Forms Mobile App.

Secure Forms is integrated with ShareFile, so submitted forms are easily collected in a designated ShareFile folder. Forms can also be collected by email or through a web service.

For Secure Forms and other XenMobile App system requirements, see System requirements for XenMobile Apps.

To deploy Secure Forms, you must set up ShareFile folders either manually or by using PowerShell script. For instructions, see Integrating Secure Forms with ShareFile.

You wrap the Secure Forms mobile app with the MDX Toolkit, v for iOS, available on the XenMobile downloads page. Follow the instructions in Wrapping iOS Mobile Apps and Add an MDX app.

For best performance, configure Secure Forms policies in the XenMobile console as follows:

Block camera: Off
Block Photo Library: Off
Block mic record: Off
Block location services: Off

1. Set Network access as Tunneled to internal network.

2. Set App URL schemes as ctxforms and Allowed URLs as:
+maps.apple.com,+itunes.apple.com,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^col-g2m-2:,+^col-g2w-2:,+^maps:ios_addr,+^mapitem:,+^ctxinternalmail:,+^ctxmail:
3. After saving these changes and publishing the apps, go to Secure Forms and then at the end of Allowed URLs, add +^ctxforms:

To begin creating forms on the Secure Forms Composer, users go to secureforms.citrix.com on a Chrome browser. From there, they enter a ShareFile email address and password that belongs to the CitrixSecureFormsAdminUsers group. When users sign in, they see this landing screen:

From here, they can do the following:

Click New to create a new form.
View saved, unpublished forms in Drafts.
View published forms in Published.
Search forms.

Note: Published forms are called Templates, both in the composer and the mobile app.

Creating a New Form

On the landing screen, click New. The composer dashboard appears.

Forms consist of three components: Cover, Content and Settings. In the Cover area, users name their forms and add optional descriptions and images. Clicking Next takes them to the Content area, where they add fields to their forms.

Adding Fields to Forms

To build a form, in Content view, users simply drag fields over from the left side of the composer. They can choose fields that allow users to enter text, numbers, video, and audio, as well to scan bar codes, check a box, or choose from a drop-down menu.

Secure Forms supports the following bar code types:

One-Dimensional: UPC, EAN, Code 39, Code 128, ITF (interleaved 2 of 5), Code 93, EAN 8, EAN 13, UPCe, UPCa, GS1-128
Two-Dimensional: QR, DataMatrix, PDF417, Aztec, MaxiCode

Field Setting

When users add a field, Field Setting appears on the right side of the composer. This is where users can designate a field as required, add help text, or add a description.

Some settings are specific to particular fields. For example, users can select an audio quality level or specify the format for numbers, when they add those fields.

They can also add page breaks and numbers for a multiple-page form.

In Custom field name, users can create a name that is compatible with formats in which data might be exported, such as XML and CSV. This name doesn't appear on the published form. For example, users may see a field labeled "First Name," but the custom field name may be "Employee_First_Name".

Testing Forms

Forms are saved automatically in Drafts. At any time, users can sign on to the Secure Forms mobile app to test the form. Their permissions allow them to see drafts that end users don't see. If they're satisfied with the form, they can return to the composer to publish it.

In Settings, users choose how to collect forms, how to format the data, and whether to collect additional data.

Form Collection Methods

When end users click Submit on the mobile app, completed forms are collected by the following selected methods:

Uploaded to the ShareFile folder, in XML or CSV format.
Sent to an email address as PDFs. The mobile app flips to a prepared message in WorxMail for users to send.
Posted to a web service in XML, CSV or JSON format. You must enter a key:value pair that's included as header information in the web service call. For details, see Posting to Web Services later in this article.
Uploaded to a Network File System. For details, see Configuring a Network File System later in this article.

Configuring a Network File System

When you select Save to Network File System (NFS) as a data collection method, you need to enter the path to the folder where data is collected. Windows enforces the NFS folder permissions, which you can manage and structure according to your organization's needs.

Before you begin setting up NFS permissions, you first need to have a network file share connector configured in ShareFile, if you don't already. For steps on how to set up a network file share connector, see Create and manage StorageZone connectors.

Once the file share connector is added, make sure to configure the domain controller to trust the StorageZones Controller for delegation. Follow the configuration steps here.

Then you need to add citrix.com as an allowable top-level domain:

1. Go to C:\inetpub\wwwroot\Citrix\StorageCenter\AppSettingsRelease.config. C is the drive where the StorageZone Controller is installed.
2. Add citrix.com to the end of allowable-top-level-app-domains. This is a comma-separated list of allowable top-level application domains with which the Storage Center can communicate:

<add key="allowable-top-level-app-domains" value="sf-api.eu,sharefile.com,securevdr.com,sf-api.com,sharefilenext.com,sf-apitest.com,sharefiletest.com,sfapidev.com,sharefiledev.com,sharefile.eu,citrixdata.com,citrixvdr.com,citrixsecure.com,citrixdataroom.com,citrixsharefile.com,citrixsharefile.eu,citrix.com"/>

Now you're ready to create NFS folder permissions.

1. In the Active Directory, create two groups called SecureFormsLOB and CitrixSecureFormsEndUsers. SecureFormsLOB includes users who are allowed to create and fill out forms. CitrixSecureFormsEndUsers includes users who are allowed to fill out forms but not to create them.
2. Create a folder on your Network File System. For this example, the folder is called SecureFormsData.
3. Give full control to SecureFormsLOB so its members can read, write, and delete data.
4. Give CitrixSecureFormsEndUsers write-only access, to ensure that its members can't read each other's data. Under Type, select Deny. Under Advanced permissions, select the items as shown in the following figure.

NFS Settings in Secure Forms Composer

1. Use a network that has access to your StorageZone Controller. Secure Forms authenticates against this network to verify that you have the proper connector.
2. Set Save to Network File System (NFS) to On.
3. Enter a folder path in this format: NFS connector name/rootfolderpath/FormDataFolder, where:
NFS connector name is the name of the NFS connector on ShareFile.
rootfolderpath is the path to the root folder where all form data is stored.
FormDataFolder is the root folder where all form data is stored. The root folder is automatically created if the folder is not there and is given the same permissions applied to the parent folder. In this example, the root folder is named SecureFormsData.

Publishing a Form with NFS

Before publishing a form, users have to enter a user name and password to authenticate on the server where the NFS is located.

Auto Collect Data

Users select the Auto collect data check boxes if they want to collect an end user's location and address, or the form submission date. The end user's permission isn't required to collect this data. In Advanced, users can enter key:value pairs that are included with the form data in an XML or JSON file.

Posting to Web Services

Any web service you use to collect form data must meet the following criteria:

Be an HTTPS (secure) service. Other URL schemes are currently not supported.
Intercept POST requests sent by the client.
Read multipart/form-data as content type.
Respond to the URL request with the HTTP response status code. The client does not read the response body.
Process optional custom headers sent as a part of the URL request headers.

Follow these steps to configure form collection by web service:

1. Sign on to the Secure Forms Composer and create a new form.
2. Go to Settings and turn on the Post to web service collection method.
3. Select one of the data formats for the payload. The default is XML.
Note: Media content (images, audio and video) is saved in a shared folder in ShareFile, and the file path is included in the file name.
4. Add a web service URL. For security reasons, Secure Forms requires an HTTPS URL with a valid certificate. The Secure Forms iOS client performs a POST request to this URL, with the form payload in the request body. The request is sent as multipart/form-data content type. The actual file is uploaded with the key "file" in the request.
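The receiving side of the POST described in step 4, checked against the web service criteria listed above. This is an added example, not Citrix code: the header name and value, the size cap and the sample request are constructed, and TLS is assumed to be terminated by the server in front of this handler.

```python
"""Receiver-side checks for a Secure Forms "Post to web service" submission."""
import hmac
from email.parser import BytesParser
from email.policy import default as default_policy

# Assumptions, not values from the page: header name, header value and size cap.
CUSTOM_HEADER = "x-forms-collector-key"    # hypothetical key:value pair set in the Composer
CUSTOM_VALUE = "constructed-sample-value"  # constructed value; load it from a secret store
MAX_BODY_BYTES = 10 * 1024 * 1024


def extract_file_part(content_type, body):
    """Return (client_filename, payload_bytes) for the form part named "file", else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    # The MIME parser needs the Content-Type header in front of the body to find the boundary.
    prefix = (b"MIME-Version: 1.0\r\nContent-Type: "
              + content_type.encode("latin-1") + b"\r\n\r\n")
    message = BytesParser(policy=default_policy).parsebytes(prefix + body)
    if not message.is_multipart():
        return None
    for part in message.iter_parts():
        if part.get_param("name", header="content-disposition") == "file":
            return part.get_filename() or "", part.get_payload(decode=True)
    return None


def handle_submission(scheme, method, headers, body):
    """Return (status_code, payload). The client reads only the status code; 200 is success."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    if scheme != "https":
        return 403, None                   # only HTTPS is supported
    if method != "POST":
        return 405, None
    supplied = hdrs.get(CUSTOM_HEADER, "")
    # Constant-time comparison so the header value cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), CUSTOM_VALUE.encode()):
        return 401, None
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    found = extract_file_part(hdrs.get("content-type", ""), body)
    if found is None:
        return 400, None                   # not multipart/form-data, or no "file" part
    _client_filename, payload = found      # client-controlled name: never use it as a path
    return 200, payload


# Constructed sample request (not captured from a real client).
BOUNDARY = "constructedBoundary42"
FORM_XML = b'<form><field name="Employee_First_Name">Ada</field></form>'
SAMPLE_HEADERS = {
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "X-Forms-Collector-Key": CUSTOM_VALUE,
}


def build_sample_body(field_name="file"):
    """Build a one-part multipart/form-data body carrying FORM_XML under field_name."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="form.xml"\r\n'
        "Content-Type: application/xml\r\n\r\n"
    ).encode()
    return head + FORM_XML + f"\r\n--{BOUNDARY}--\r\n".encode()


if __name__ == "__main__":
    print(handle_submission("https", "POST", SAMPLE_HEADERS, build_sample_body()))
    print(handle_submission("https", "POST", {"Content-Type": "x"}, b""))
```

Because the client ignores the response body, every rejection path has to be visible in the status code and in the server's own logs.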

For testing purposes, you can create a self-signed certificate and trust it on your device (iPhone / iPad). Use the following instructions to create a self-signed certificate:

Windows
Mac

5. You can opt to provide custom headers to the URL request. These headers are sent as part of the URL request headers.

Client-sent URL request sample

For purposes of explanation, this request is captured in RAW format. In practice, this request is sent to the server in XML, CSV or JSON format. The essential parts of this request are highlighted in red. The custom headers configured in the Secure Forms Composer are sent as request headers.

The Secure Forms client does not interpret the response body. To validate the server submission, the client reads the HTTP response status codes that the server sends in the header. A status code of 200 signifies a successful submission. If the submission fails, an error message appears to the user.

Beacons

With iBeacon technology, you can track locations, people and assets using beacons and Bluetooth functionality. You can also link form fields to beacons to autofill information, which saves time and improves accuracy. For more information on iBeacon, see What Is iBeacon?. To read about use cases, see Yes, Real World Market Verticals Use Beacon Technology. Follow these instructions to use beacons with Secure Forms.

System requirements

Beacon hardware. Citrix has tested beacons from Gimbal, but you can use any brand.
Secure Forms Composer and Secure Forms mobile app version
A ShareFile domain whitelisted to use beacons with Secure Forms. To request your domain to be whitelisted, send a message to Citrix by clicking on the message icon in the upper-right corner of the Secure Forms Composer dashboard.
An iPhone or iPad running iOS

Every beacon configuration includes a universally unique identifier, or UUID. It's best to use just one UUID for your company. This UUID will apply to every beacon you use. Major and minor values are added to the UUID. Major values identify subsets of beacons; for example, all devices in a particular location, such as a warehouse or a hospital. Minor values identify individual beacons.

To activate a beacon

1. Register for a free Gimbal account.

2. Download the Gimbal Beacon Manager app onto your iOS device to configure, test and manage beacons.
3. On the Gimbal website, go to Beacons > Beacon Management and click Activate Beacon.
4. To activate a beacon you need to name the beacon and enter its factory ID. Some IDs are inside the battery compartment; you may find yours in another spot. Enter the ID and then click Activate Gimbal Beacon.

To configure your beacon

1. Go to Beacons > Beacon Configurations and then click New Configuration.

2. Name your configuration and select the beacon type. The Proximity UUID field populates automatically.
3. In the Major and Minor fields, enter numbers that identify individual beacons and their locations. Major and minor numbers are found on the Gimbal console at Beacons > Beacon Configurations.
4. Click Create Configuration. Your new beacon configuration appears at the bottom of the list.

To apply the configuration to the active beacon

1. Go to Beacons > Beacon Management, find your beacon, and then under the Actions column, click the edit icon.
2. Click Configuration, in the list, click your configuration and then click Save to apply this configuration to your activated beacon.

You should now see your beacon with the applied configuration. You can check the Gimbal app to make sure the beacon is on and broadcasting.

To update beacons

1. To make a beacon discoverable, pull the battery out of the beacon and put it back in.
2. In the Gimbal Beacon Manager app, go to Configure. When the beacon is found, click Update Beacon.

To test beacons

1. Sign on to the Secure Forms Composer and then create a form to test your beacon.

2. For purposes of the test, drag a Text element from the left side of the composer and create fields in which a user would enter a first name and a last name.
3. In the Custom field name box on the right, enter First Name and Last Name for the respective fields.
4. Map the data between form fields and beacons. Create a CSV file where the column headings match the values entered in the Custom field name (in this example, First Name and Last Name). The CSV file must also have the UUID and major and minor beacon configuration data added as shown in the following figure.
5. Save the CSV file to Secure Forms > Beacons.

6. Upload the file to Settings in Secure Forms Composer.
7. Test the beacon on the Secure Forms mobile app:
On the device, make sure that Location Services and Bluetooth are enabled. You can also check the Beacon Manager app to ensure that the beacon is visible to the device.
Open the Secure Forms mobile app and wait for the test form to download.
Open the test form. If the app finds a beacon nearby, an autofill confirmation dialog box appears.

8. The form data populates based on the CSV file.

For more information about working with beacons, see Gimbal Developer Resources.

When users are done building their form, they click Publish. At that point, the form is saved in Published and becomes available on the Secure Forms mobile app under Templates.

To troubleshoot errors that users may see when using Secure Forms Composer, see Troubleshooting in Secure Forms Composer.

Secure Forms Mobile App
Nov 21, 2017

Important
End of Life (EOL) lifecycle status for Secure Forms Mobile App: March 31,
When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the available support options are limited. Historical information appears in the Knowledge Center or other online resources. The documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle milestones, see the Product Matrix. Customers are encouraged to consider the ShareFile Workflows for XenMobile mobile app. For more information on this feature, please see ShareFile Workflows in the sidebar.

You can download the Secure Forms QuickStart Guide here. Scroll to the bottom of the page and click on iOS.

With Citrix Secure Forms, users can fill out and submit forms that were created with the Secure Forms Composer. You can download the Secure Forms mobile app at the XenMobile downloads page. After you download the app, you can then secure the app with the MDX Toolkit.

Secure Forms is supported only on iPhones and iPads running iOS versions 9 to 9.3.

Users sign on to Secure Hub, tap XenMobile Store and then select Secure Forms from the list of apps. Secure Forms will automatically install on their devices.

When users open Secure Forms, they'll see a list of forms available to them, under Templates.

Forms are auto-saved as users fill them out, so users can pause while completing a form and return to the form later.

In Submitted and In Progress, a left swipe brings up options to delete a form or send the form as a PDF attachment with Secure Mail.

Tapping a blue question mark next to a field brings up help text pertaining to that field. Help text is added to a field in the Secure Forms Composer when the form is created.

Secure Forms allows users to take or attach photos, as well as record audio and video. It may take a few minutes to submit forms that contain media. Users should wait until the form is successfully submitted before navigating away from the app, because the submission process might pause if Secure Forms is put in the background.

If users are in a location without an Internet connection, they can still fill out and submit a form. The form uploads when connectivity is restored.

If users want to upload forms only with WiFi to save cell phone data, in Settings, they can turn on Save Form Data > On Wi-Fi Only. If users have an unlimited data plan, in Settings, they can turn on Save Form Data > On Mobile Data and Wi-Fi. The form uploads when users return to a coverage area.

Integrating Secure Forms with ShareFile
Nov 27, 2017

Important
End of Life (EOL) lifecycle status for Secure Forms: March 31,
When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the available support options are limited. Historical information appears in the Knowledge Center or other online resources. The documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle milestones, see the Product Matrix. Customers are encouraged to consider the ShareFile Workflows for XenMobile app, which is integrated with a ShareFile account at the time of creation. For more information on this feature, please see ShareFile Workflows in the sidebar.

To deploy Citrix Secure Forms, you must set up ShareFile folders either manually or by using PowerShell script. ShareFile Restricted Zones are also supported.

Note
The script works only if you have a Citrix-managed (cloud) ShareFile StorageZone. If you have a customer-managed (on-premise) StorageZone, use the steps for manual setup later in this article.

1. Install the ShareFile PowerShell SDK, available here.
2. Open the PowerShell console in administrative mode and run the CitrixSecureForms.ps1 script, available here. If you get the error CitrixSecureForms.ps1 cannot be loaded because the execution of scripts is disabled on this system, run the following command:
Set-ExecutionPolicy Unrestricted
3. Enter a user name and password that has permission to create root-level folders and user and distribution groups.

The script automatically creates the groups CitrixSecureFormsAdminUsers and CitrixSecureFormsEndUsers, as well as the required folders with appropriate permissions assigned.

You can now add users to these groups from the ShareFile console.

User Permissions
Users added to CitrixSecureFormsAdminUsers can access the composer at secureforms.citrix.com, create and publish forms, and read data from submitted forms.
Users added to CitrixSecureFormsEndUsers can use the mobile app only. They can sign on to secureforms.citrix.com, but they have read-only access to forms. They can't edit or publish forms, or access submitted data.

Form Storage
All published forms are saved in Shared Folders > Citrix_SecureFormsTemplate.root > Default.workspace.
All submitted forms are saved in Citrix_SecureFormsData.root.

If the PowerShell script doesn't work, you can set up the necessary folders manually.
1. Log on to ShareFile with a user name and password that has permission to create root-level folders, as well as user and distribution groups.
2. Go to Manage Users > Distribution Groups and then select New Group.
3. Create a distribution group called CitrixSecureFormsAdminUsers.

4. Click Add Member to add users who can access the Secure Forms Composer. Members of this group can create, update, publish and delete forms.
5. Create a distribution group called CitrixSecureFormsEndUsers. Members of this group can use the Secure Forms mobile app to fill out and submit forms. On the composer, members have read-only access to forms. They can't publish forms or view submitted data.

The distribution groups you've just created appear in Manage Users > Distribution Groups.
6. Return to Home and go to Shared Folders.
7. Create a folder called Citrix_SecureFormsTemplate.root.

8. Give all permissions for the Citrix_SecureFormsTemplate.root folder - download, upload, delete, and admin - to CitrixSecureFormsAdminUsers.

9. Give download permission only to CitrixSecureFormsEndUsers.

10. Inside the Citrix_SecureFormsTemplate.root folder, create another folder named Default.workspace. Make sure Default.workspace has the same distribution group permissions as Citrix_SecureFormsTemplate.root. All published forms are saved inside Default.workspace.

11. Return to Home and go to Shared Folders.
12. Create a folder named Citrix_SecureFormsData.root. All submitted forms data goes into this folder.
13. Give all Citrix_SecureFormsData.root permissions - download, upload, delete, and admin - to CitrixSecureFormsAdminUsers.

14. Give CitrixSecureFormsEndUsers upload-only permissions for the Citrix_SecureFormsData.root folder. CitrixSecureFormsEndUsers members can submit but not view form data.

The following troubleshooting tips apply to errors users may see when using Secure Forms Composer. Many of these errors result from mistakes made during the initial ShareFile setup.

Error Code | Message User Sees | What It Means | What To Do

Message user sees: You don't have permission to publish. Please contact your ShareFile administrator.
What it means: The user can't publish the template. This usually happens because the user doesn't have permission to access Personal Folders > Citrix_SecureForms.root > My Unpublished Templates, or Shared Folders > Citrix_SecureFormsTemplate.root > Default.workspace.
What to do: Log in to ShareFile as an administrator and add the user to the CitrixSecureFormsAdminUsers distribution group, following the instructions at Integration with ShareFile > Manual Setup. This gives the user permission to access these folders.

Error code: 12502
Message user sees: You don't have permission to delete. Please contact your ShareFile administrator.
What it means: The user doesn't have permission to delete the particular form or template.
What to do: Log in to ShareFile as an administrator and give the user delete permission: Add the user to the CitrixSecureFormsAdminUsers distribution group, following the instructions at Integration with ShareFile > Manual Setup. Make sure that CitrixSecureFormsAdminUsers has delete permissions.

Message user sees: You don't have permission to unpublish. Please contact your ShareFile administrator.
What it means: The user can't unpublish a template. This happens when the user has read-only access to the shared location, Shared Folders > Citrix_SecureFormsTemplate.root > Default.workspace.
What to do: Log in to ShareFile as an administrator and give the user full permission to the shared location. Add the user to the CitrixSecureFormsAdminUsers distribution group, following the instructions at Integration with ShareFile > Manual Setup. Make sure that CitrixSecureFormsAdminUsers has write permission to the shared folder.

Message user sees: Couldn't find or create the given NFS path.
What it means: One of several possible Network File System (NFS) errors has occurred:
- Invalid NFS connector name or no such connector (this returns a 404 HTTP)
- Not enough permission to create a new folder in the NFS connector
- NetScaler/NetScaler Gateway isn't handling the OPTIONS request through a separate load balancer/policy
- Anonymous/Windows authentication is disabled in the Storage Zone Controller
- Storage Zone Controller is down/unavailable
- Invalid credentials (user name, password, domain name)
- Citrix.com is not an allowable top-level domain.
What to do:
- Make sure the NFS connector name exists and is accessible in ShareFile.
- Check Shared Folders permissions.
- Check load balancer configuration in NetScaler.
- Make sure both Anonymous and Basic authentication are enabled in the Storage Zone Controller.
- Manually check to make sure the Storage Zone Controller is available.
- Verify the user's credentials.
- Add citrix.com as an allowable top-level domain.
For more information, see Configuring a Network File System.

Message user sees: You've reached the duplication limit. Please delete some copies to continue.
What it means: A template has reached 100,000 duplicates, the maximum allowed.
What to do: Delete some templates.

Message user sees: Couldn't find Personal Folders in your ShareFile account.
What it means: The top folder, Personal Folders, is unavailable. Usually, Personal Folders is created automatically in ShareFile when a user is added to a particular subdomain. Secure Forms creates a root folder in Personal Folders where all user-specific data is stored.
What to do: Make sure that the user is added to the folder as an employee, not as a client. For more information on the differences between employees and clients in ShareFile, see this article. There also may be a licensing issue, in which case you should contact ShareFile support or go to the MyCitrix portal for help.

Message user sees: Couldn't find Shared Folders in your ShareFile account.
What it means: The folder Shared Folders is unavailable. Usually, Shared Folders is created automatically in ShareFile when a user is added to a particular subdomain. Secure Forms uses this location to access shared data.
What to do: Log in to ShareFile as an administrator. Make sure Shared Folders is available and that the user is in the group that has permission to access it. Follow the instructions at Integration with ShareFile > Manual Setup.

Error Code

An error code of is an unidentified issue. You need to contact Citrix support. Follow these steps to generate console logs and send them to Citrix.
1. Open the Chrome inspector. Right-click anywhere within the Chrome window and then select Inspect. The page source code appears.
2. Get console logs. Click the Console tab in the inspector window. Right-click and then select Save as to save the logs as a file. Close the inspector.
3. Contact Citrix. Click the dialog bubble icon in the upper-right corner of Secure Forms Composer. In the message window, write a short description of the issue. Then, take a screen shot and attach the console log file.

Citrix Secure Mail

Nov 21, 2017

Citrix Secure Mail lets users manage their email, calendars and contacts on their mobile phones and tablets. To maintain continuity from Microsoft Outlook or IBM Notes accounts, Secure Mail syncs with Microsoft Exchange Server and IBM Notes Traveler Server.

As part of the Citrix suite of apps, Secure Mail benefits from single sign-on (SSO) compatibility with Citrix Secure Hub. After users sign on to Secure Hub, they can move seamlessly into Secure Mail without having to reenter their user names and passwords. You can configure Secure Mail to be pushed to users' devices automatically when the devices enroll in Secure Hub, or users can add the app from the Store.

Important
The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For a table listing the XenMobile Apps enterprise versions that you can wrap with the MDX Toolkit , see the Enterprise delivery of XenMobile Apps section in XenMobile Apps administration and delivery.

To begin, download Secure Mail and other XenMobile components from XenMobile Downloads. For Secure Mail and other XenMobile App system requirements, see System requirements for XenMobile Apps.

Citrix will support both enterprise distribution and public app store distribution until December 31, After that, only public app store distribution will be supported. The MDX Toolkit will continue to support enterprise wrapping for app developers.

To deploy Secure Mail with XenMobile as an enterprise app, follow these general steps:
1. You can integrate Secure Mail with an Exchange Server or IBM Notes Traveler Server to keep Secure Mail in sync with Microsoft Exchange or IBM Notes. If you use IBM Notes, configure the IBM Notes Traveler server. The configuration uses Active Directory credentials to authenticate to Exchange or the IBM Notes Traveler server. For details, see Integrating Exchange Server or IBM Notes Traveler Server.
2. You can optionally enable SSO from Secure Hub. To do so, you configure ShareFile account information in XenMobile to enable XenMobile as a SAML identity provider for ShareFile. The configuration uses Active Directory credentials to authenticate to ShareFile. Configuring the ShareFile account information in XenMobile is a one-time setup used for all Citrix clients, ShareFile clients, and non-MDX ShareFile clients. For details, see To configure ShareFile account information in XenMobile for SSO.
3. Download Secure Mail from the Citrix Downloads site and then wrap Secure Mail. For details, see About the MDX Toolkit.

4. Add Secure Mail to XenMobile and configure MDX policies. For details, see Add an MDX app. For details about Secure Mail policies, see the articles under MDX Policies at a Glance.

Note: As of Secure Mail version , you can configure a new MDX analytics policy for Secure Mail for iOS and Android. Citrix collects analytics data to improve product quality. The Google Analytics level of detail policy allows you to specify whether the data collected can be associated with your company domain or collected anonymously. Selecting Anonymous opts users out of including the company domain with the data that is collected. This new policy replaces an earlier Google analytics policy.

When the policy is set to anonymous, we collect the following types of data. We have absolutely no way to link this data to an individual user or company because we do not request user identifiable information. No personally identifiable information is sent to Google.
- Device statistics, such as the operating system version, app version, and device model
- Platform information, such as ActiveSync version and Secure Mail server version
- Failure points for product quality like APNs registrations, mail sync failures, mail send failures, attachment download failures, calendar sync failures, and so on

Note that other than company domain, no other identifiable information is collected when the policy is set to Complete. Default is Complete.

- Microsoft IRM support
- Email security classifications
- Australian Signals Directorate Data Program
- Secure Mail for iOS background app refresh
- Secure Mail and ActiveSync
- Exporting Contacts in Secure Mail
- Secure Mail notifications
- Secure Mail features
- Spellcheck feature for iOS
- Attaching files in Android
- Joining meetings from calendar
- Personal calendar overlay
- Insert an inline image
- Multiple Exchange accounts for iOS
- Swipe to delete feature
- Multiple Exchange accounts for Android
- Print emails, calendar events, or inline images on iOS

Secure Mail for Android and Secure Mail for iOS support messages protected with Microsoft Information Rights Management (IRM), subject to the configured IRM policy. This feature allows organizations to use IRM to apply persistent protection to messaging content and allows mobile device users to create and consume IRM-protected content. By default IRM support is Off. To enable IRM support, set the Information Rights Management policy to On.

Secure Mail supports the following template attributes:

Important: Attachments are not included in IRM support.

Attribute | Label in Secure Mail | Description
ContentExpiryDate | No expiration or the expiration date | Allows you to purge the body and attachments of the message when the ContentExpiryDate has passed. Additionally, Secure Mail provides the ability to fetch the content again from the server.
EditAllowed | Edit Content | Specifies whether the user can modify the message when the user forwards, replies, or replies all to the message.
ExportAllowed | | Specifies whether the user can remove the IRM protection on the message.
ExtractAllowed | Copy Content | Specifies whether the user can copy content out of the messages.
ForwardAllowed | Forward | Specifies whether the user is allowed to forward the message.
ModifyRecipientsAllowed | Modify Recipients | Specifies whether the user can modify the recipient list when the user forwards or replies to the message.
ProgrammaticAccessAllowed | Send to Other Apps | Specifies whether the contents of the message can be accessed programmatically by third-party applications.
ReplyAllAllowed | Reply All | Specifies whether the user can reply to all of the recipients of the original message.
ReplyAllowed | Reply | Specifies whether the user is allowed to reply to the message.

Users see the following Restrictions screen.

Some organizations may require strict adherence to their IRM policy. Users with access to Secure Mail may attempt to bypass the IRM policy by tampering with Secure Mail, the operating system, or even the hardware platform. Although XenMobile can detect certain attacks, you may want to consider the following precautionary measures to increase security:
- Review the security guidance supplied by the device vendor.
- Configure devices accordingly, using XenMobile capabilities or otherwise.
- Provide guidance to your users for the appropriate use of IRM features, including Secure Mail.
- Deploy additional third-party security software to resist this type of attack.

Secure Mail for iOS and Android supports email classification markings, enabling users to specify security (SEC) and dissemination limiting markers (DLM) when sending emails. SEC markings include Protected, Confidential, and Secret. DLM includes Sensitive, Legal or Personal. When composing an email, a Secure Mail user can select a marking to indicate the classification level of the email, as shown in the following images.

Recipients can view the classification marking in the email subject. For example:
Subject: Planning [SEC = PROTECTED, DLM = Sensitive]
Subject: Planning [DLM = Sensitive]
Subject: Planning [SEC = UNCLASSIFIED]

Email headers include classification markings as an Internet Message Header Extension, shown in the X-Protective-Marking line of this example:
Date: Fri, 01 May :34:
Subject: Planning [SEC = PROTECTED, DLM = Sensitive]
Priority: normal
X-Priority: normal
X-Protective-Marking: VER , NS=gov.au, SEC=PROTECTED, DLM=Sensitive, ORIGIN=operations@example.com
From: operations@example.com
To: Team <mylist@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary="_com.example. _6428e5e4-9db f e39a980"

Secure Mail only displays classification markings. The app does not take any actions based on those markings. When a user replies to or forwards an email that has classification markings, the SEC and DLM values default to those of the original email. The user can choose a different marking. Secure Mail does not validate such changes in relation to the original email.

You configure email classification markings through the following MDX policies.

Email classification
If On, Secure Mail supports email classification markings for SEC and DLM. Classification markings appear in email headers as "X-Protective-Marking" values. Be sure to configure the related email classification policies. Default value is Off.

Email classification namespace
Specifies the classification namespace that is required in the email header by the classification standard used. For example, the namespace "gov.au" appears in the header as "NS=gov.au". Default value is empty.

Email classification version
Specifies the classification version that is required in the email header by the classification standard used. For example, the version "2012.3" appears in the header as "VER=2012.3". Default value is empty.

Default email classification
Specifies the protective marking that Secure Mail applies to an email if a user does not choose a marking. This value must be in the list for the Email classification markings policy. Default value is UNOFFICIAL.

Email classification markings
Specifies the classification markings to be made available to users. If the list is empty, Secure Mail does not include a list of protective markings. The markings list contains value pairs that are separated by semicolons. Each pair includes the list value that appears in Secure Mail and the marking value that is the text appended to the email subject and header in Secure Mail. For example, in the marking pair "UNOFFICIAL,SEC=UNOFFICIAL;", the list value is "UNOFFICIAL" and the marking value is "SEC=UNOFFICIAL". Default value is a list of classification markings that you can modify.
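Because Secure Mail only displays the markings and does not validate a marking that a user changes on reply or forward, a check outside the app can compare each message with the configured policy values. The following Python code is an added example, not Citrix code: it parses a markings policy string in the pair format described above and checks a message's X-Protective-Marking header and subject marking against it. The namespace, version, policy string and sample messages are constructed, and the function names are hypothetical.

```python
"""Audit a message's classification markings against the policy values."""
import re
from email import message_from_string

# Constructed policy values (assumptions), in the formats the policies describe.
NAMESPACE = "gov.au"   # Email classification namespace
VERSION = "2012.3"     # Email classification version
MARKINGS_POLICY = (    # Email classification markings: "list value,marking value;"
    "UNOFFICIAL,SEC=UNOFFICIAL;"
    "Sensitive,DLM=Sensitive;"
    "PROTECTED,SEC=PROTECTED;"
    "PROTECTED+Sensitive:Legal,SEC=PROTECTED,DLM=Sensitive:Legal;"
)

# A bracketed marking at the end of the subject, e.g. "[SEC = PROTECTED]".
SUBJECT_MARKING = re.compile(r"\[([^\[\]]*=[^\[\]]*)\]\s*$")


def parse_fields(text):
    """Parse 'KEY=value, KEY=value' into a dict with upper-cased keys."""
    fields = {}
    for item in text.split(","):
        key, sep, value = item.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"not a KEY=value item: {item!r}")
        fields[key.strip().upper()] = value.strip()
    return fields


def parse_markings_policy(policy):
    """Map each list value to its marking fields.

    The first comma splits list value from marking value; later commas
    belong to the marking value (SEC=...,DLM=...).
    """
    markings = {}
    for pair in policy.split(";"):
        if not pair.strip():
            continue  # tolerate the trailing semicolon
        label, sep, marking = pair.partition(",")
        if not sep:
            raise ValueError(f"pair has no marking value: {pair!r}")
        markings[label.strip()] = parse_fields(marking)
    return markings


def default_is_listed(default, markings):
    """The default classification must be one of the list values."""
    return default in markings


def classification(fields):
    """Keep only the SEC and DLM fields for comparison."""
    return {k: v for k, v in fields.items() if k in ("SEC", "DLM")}


def audit_message(raw, markings, namespace=NAMESPACE, version=VERSION):
    """Return a list of findings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    header = msg.get("X-Protective-Marking")
    if header is None:
        return ["missing X-Protective-Marking header"]
    try:
        hdr = parse_fields(header)
    except ValueError as exc:
        return [f"malformed X-Protective-Marking header: {exc}"]
    findings = []
    if hdr.get("NS") != namespace:
        findings.append("namespace does not match policy")
    if hdr.get("VER") != version:
        findings.append("version does not match policy")
    if classification(hdr) not in [classification(m) for m in markings.values()]:
        findings.append("marking not in the policy list")
    match = SUBJECT_MARKING.search(msg.get("Subject", ""))
    if match is None:
        findings.append("subject has no marking")
    else:
        try:
            subject = classification(parse_fields(match.group(1)))
        except ValueError:
            findings.append("malformed subject marking")
        else:
            if subject != classification(hdr):
                findings.append("subject and header markings differ")
    return findings


def sample_message(subject, marking):
    """Build a constructed test message; marking=None omits the header."""
    lines = ["From: operations@example.com", "To: Team <mylist@example.com>",
             f"Subject: {subject}"]
    if marking is not None:
        lines.append(f"X-Protective-Marking: VER={VERSION}, NS={NAMESPACE}, "
                     f"{marking}, ORIGIN=operations@example.com")
    return "\n".join(lines) + "\n\nConstructed body.\n"


if __name__ == "__main__":
    policy = parse_markings_policy(MARKINGS_POLICY)
    reply = sample_message("RE: Planning [SEC = UNOFFICIAL]", "SEC=PROTECTED")
    print(audit_message(reply, policy))
```
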
The following markings are provided with Secure Mail.
UNOFFICIAL,SEC=UNOFFICIAL
UNCLASSIFIED,SEC=UNCLASSIFIED
For Official Use Only,DLM=For-Official-Use-Only
Sensitive,DLM=Sensitive
Sensitive:Legal,DLM=Sensitive:Legal
Sensitive:Personal,DLM=Sensitive:Personal
PROTECTED,SEC=PROTECTED
PROTECTED+Sensitive,SEC=PROTECTED
PROTECTED+Sensitive:Legal,SEC=PROTECTED,DLM=Sensitive:Legal
PROTECTED+Sensitive:Personal,SEC=PROTECTED,DLM=Sensitive:Personal
PROTECTED+Sensitive:Cabinet,SEC=PROTECTED,DLM=Sensitive:Cabinet
CONFIDENTIAL,SEC=CONFIDENTIAL
CONFIDENTIAL+Sensitive,SEC=CONFIDENTIAL,DLM=Sensitive
CONFIDENTIAL+Sensitive:Legal,SEC=CONFIDENTIAL,DLM=Sensitive:Legal
CONFIDENTIAL+Sensitive:Personal,SEC=CONFIDENTIAL,DLM=Sensitive:Personal
CONFIDENTIAL+Sensitive:Cabinet,SEC=CONFIDENTIAL,DLM=Sensitive:Cabinet
SECRET,SEC=SECRET

SECRET+Sensitive,SEC=SECRET,DLM=Sensitive
SECRET+Sensitive:Legal,SEC=SECRET,DLM=Sensitive:Legal
SECRET+Sensitive:Personal,SEC=SECRET,DLM=Sensitive:Personal
SECRET+Sensitive:Cabinet,SEC=SECRET,DLM=Sensitive:Cabinet
TOP-SECRET,SEC=TOP-SECRET
TOP-SECRET+Sensitive,SEC=TOP-SECRET,DLM=Sensitive
TOP-SECRET+Sensitive:Legal,SEC=TOP-SECRET,DLM=Sensitive:Legal
TOP-SECRET+Sensitive:Personal,SEC=TOP-SECRET,DLM=Sensitive:Personal
TOP-SECRET+Sensitive:Cabinet,SEC=TOP-SECRET,DLM=Sensitive:Cabinet

Secure Mail supports Australian Signals Directorate data protection for those enterprises that must meet ASD computer security requirements. By default, the Enable iOS data protection policy is Off and Secure Mail provides Class C data protection or uses the data protection set in the provisioning profile.

If the policy is On, Secure Mail specifies the protection level when creating and opening files in the app sandbox.

Secure Mail sets Class A data protection on:
- Outbox items
- Photos from the camera or camera roll
- Images pasted from other apps
- Downloaded file attachments

Secure Mail sets Class B data protection on:
- Stored mail
- Calendar items
- Contacts
- ActiveSync policy files

Class B protection enables a locked device to sync and enables downloads to complete if a device is locked after the download starts.

With data protection enabled, queued outbox items are not sent when a device is locked because the files cannot be opened. And, if the device terminates and then restarts Secure Mail when a device is locked, Secure Mail is unable to sync until the device is unlocked and Secure Mail starts.

Citrix recommends that, if you enable this policy, you enable Secure Mail logging only when needed to avoid the creation of log files with Class C data protection.

If Secure Mail for iOS is configured to provide notifications through iOS background app refresh (and not APNs), Secure Mail refresh works in the following ways:
- When users enable Background App Refresh on the device (Settings > General > Background App Refresh) and Secure Mail is running in the background, mail is synced with the server. The sync frequency depends on a variety of factors.
- If the user disables Background App Refresh, the app never receives email while running in the background.
- When users move Secure Mail to the background, the app continues to run within a grace period before the app is

suspended.
- While running in the foreground, Secure Mail shows real-time activity, regardless of the Background App Refresh setting.

Secure Mail syncs with Exchange Server via the ActiveSync messaging protocol to give users real-time access to their Outlook mail, contacts, calendar events, automatically generated mailboxes, and user-created folders.

Note: ActiveSync doesn't support the synchronization of Exchange public folders. In Exchange Server 2013, ActiveSync doesn't sync the Drafts folder.

To sync user-created folders, follow these steps:

iOS:
1. Go to Settings > Auto Refresh.
2. Set Auto Refresh to On.
3. Tap On. A list of all mailboxes appears.
4. Tap the folders you want to sync.

Android:
1. Go to the Mailboxes list.
2. Tap the mailbox you want to sync.
3. Tap the More icon in the lower-right corner.
4. Tap Sync options.
5. Under Check frequency, select how often you want the folder to sync.

Secure Mail users can continuously sync their contacts with the phone address book, do a one-time export of an individual contact to the phone address book, or share a contact as a vCard attachment.

To allow these features, set the Export Contacts policy for Secure Mail in the XenMobile console to ON. When the policy is ON, the following options are enabled in Secure Mail:
- Sync with Local Contacts in Settings
- Exporting individual contacts
- Share contacts as vCard attachments

When the Export Contacts policy is OFF, those options do not appear in the app.

Once the policy is enabled, to continuously sync contacts from the mail server to the phone address book, users need to set Sync with Local Contacts to ON. As long as Sync with Local Contacts is ON, any updates to contacts in Exchange or Secure Mail trigger an update to local contacts.

Due to Android limitations, if any Exchange or Hotmail account is already set to sync with local contacts, Secure Mail is unable to sync contacts.

On iOS, Secure Mail contacts can be exported and synced with the phone contacts even if a Hotmail or Exchange account is set up on the device. You configure this feature in XenMobile through the Override Native Contacts Check policy for

Secure Mail. This policy determines if Secure Mail should override the check for contacts from an Exchange/Hotmail Account configured in the native Contacts app. If On, the app syncs contacts to the device even if the native Contacts app is configured with Exchange/Hotmail Account. If Off, the app continues to block contacts sync. Default is On.

The following table summarizes how notifications are handled for supported mobile devices when Secure Mail is running in the foreground or background.

With Secure Mail running in the: | Notifications are handled as follows on iOS | Notifications are handled as follows on Android
Foreground | Secure Mail maintains a persistent ActiveSync connection to sync email and calendar activity. | Secure Mail maintains a persistent ActiveSync connection to sync email and calendar activity.
Background (or terminated) | Secure Mail receives notifications through the iOS background app refresh functionality or, if configured, APNs. For configuration details, see Push Notifications for Secure Mail for iOS. | Secure Mail maintains a persistent ActiveSync connection.

Secure Mail interactivity with other XenMobile Apps and ShareFile lets users access, edit, share, and save documents seamlessly, without leaving the secure environment set by your organization's policies. For example, tapping a link in Secure Mail opens the site in Secure Web. Users can open and edit attachments with Citrix QuickEdit for XenMobile, and they can select text from one or multiple emails and then add the information to Secure Notes. Attachments are downloaded into the user's Citrix ShareFile for XenMobile space.

Other security-enhancing features include the ability to control which contact fields a user can export and which mail and calendar notifications pop up on a locked screen.

For a full list of Secure Mail features for each platform, see XenMobile Apps Features by Platform.

The following two figures show what users see when first opening Secure Mail, as well as the various options within the app. For the PDF version of the figures, download the Secure Mail Quick Reference Guide.

Secure Mail spellcheck interacts with the device Auto-Capitalization and Check Spelling settings under General > Keyboard

in the following ways:

Auto-Correction on Device | Check Spelling on Device | Check Spelling in Secure Mail | Behavior
ON | ON | ON | Red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | OFF | ON | Red line shows. When tapped, no suggestion appears.
ON | ON | OFF | No red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | OFF | OFF | No red underline, highlighting, or suggestion appear.
ON | OFF | ON | Red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | ON | ON | Red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
ON | OFF | OFF | No red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | ON | OFF | No red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.

In Secure Mail/WorxMail versions and later, Android users can't attach images directly from the Gallery app when the Inbound document exchange (Open-in) policy is set to Restricted. If you want to keep this policy set to Restricted but still allow users to add photos from the Gallery, follow these configuration steps in the XenMobile console.
1. Set Block gallery to Off.
2. Get the Gallery package ID for devices. Some examples:
LG Nexus 5: com.google.android.gallery3d, com.google.android.apps.photos
Samsung Galaxy Note 3: com.sec.android.gallery3d, com.sec.android.gallery3d.panorama360view, com.google.android.apps.photos
Sony Xperia: com.sonyericsson.album, com.google.android.apps.photos
HTC: com.google.android.apps.photos, com.htc.album
Huawei: com.android.gallery3d, com.google.android.apps.photos

3. Make the hidden policy InboundDocumentExchangeWhitelist visible:
- Download the WorxMail APK file and wrap the file with the MDX Toolkit.
- Find the .mdx file on your computer and change the file suffix to .zip.
- Open the .zip file and find the policy_metadata.xml file.
- Search for and change InboundDocumentExchangeWhitelist from <PolicyHidden>true</PolicyHidden> to <PolicyHidden>false</PolicyHidden>.
- Save the policy_metadata.xml file.
- Select all the files in that folder and compress to create the .zip file. Note: Don't zip the outer folder. Select all files inside the folder and compress the selected files.
- Click on the resulting compressed file.
- Choose Get Info and change the file suffix back to .mdx.
4. Upload the modified .mdx file to the XenMobile console and add the list of Gallery package IDs to the now-visible Inbound document exchange whitelist policy. Ensure that the package IDs are comma-separated: com.sec.android.gallery3d, com.sec.android.gallery3d.panorama360view, com.google.android.apps.photos
5. Save and deploy Secure Mail. Android users can now attach an image from the Gallery app.

An X indicates a file format that can be attached, viewed, and opened in Secure Mail.

iOS Android
VIDEO *
H.263 AMR NB codec_mp4 X
H.263 AMR NB codec_3gp X

H.264 AAC codec_3gp X X
H.264 AAC codec_mp4 X X
H.264 Acclc codec_mp4 X X
GTM recorded_wmv X
AVI X
FLV X
WAV X X
MP4 X X
3GP X X
Flac X
AAC X X
M4A X X
3GP(AMR-NB) X X
MP3 X X
WAV X X
WMA X
OGG X
ICO X X
JPEG X X

PNG X X
TIF (single-page only) X
BMP X X
GIF X X
WebP X
.dot X X
PDF X X
PPT X X
PPTX X X
DOC X X
DOCX X X
XLS X X
XLSM X X
XLSX X X
TXT X X
POT X X
HTM X X
HTML X X
ZIP X X

EML X X

In Secure Mail, users can join meetings directly from invitations in Calendar. The following tables list which meeting types and phone number formats are supported, and dial-in requirements for each.

Meeting type | Identification requirements | Action after tapping Join Meeting

Meeting type: GoToMeeting (GTM)
Identification requirements: One of the following in the meeting content:
1. This type of URL:
2. GTM access code in any of these formats: GTM: GTM G2M G2M:
Action after tapping Join Meeting: If the GTM app is installed, the app opens and user joins meeting. If the app is not installed, the user sees an option to go to the app store to install GTM. For GTMs in the gotomeet.me/username format, the app opens and the user joins the meeting.

Meeting type: WebEx
Identification requirements: This type of URL anywhere in the meeting content:
Action after tapping Join Meeting: Citrix Secure Web opens and opens the unwrapped WebEx app, if installed on the device. WebEx must be added as an exception in the Secure Web Restricted Open-in exception list on Android and in the Allowed URLs policy on iOS.

Meeting type: Lync
Identification requirements: Join Meeting is not supported for Lync meetings. Only dial-in is supported. For details, see the dial-in specifications later in this article.
Action after tapping Join Meeting: Users can click a link that opens in Secure Web, which then opens the unwrapped Lync app if installed on the device. Add the Lync app as an exception in the Secure Web Restricted Open-In exception list policy on Android. Add the exception in the Allowed URLs policy on iOS.

Configuring the following table of policies allows users to tap a meeting link to open the relevant app.

Meeting type | iOS - "Allow URLs" Policy | Android - "Open-in Exclusions" Policy
Webex (Unwrapped app) | +^wbx: Eg. Policy string : ^ | {action=android.intent.action.view scheme=wbx package=com.cisco.webex.meetings}
Lync or Skype for Business | +^lync: | {action=android.intent.action.view scheme=lync package=com.microsoft.office.lync15}
Skype | +^skype: | {action=android.intent.action.view scheme=skype package=com.skype.raider}

Columns: Meeting type; Supported phone number formats; Supported conference code formats

GoToMeeting (GTM)
Supported phone number formats:
1. Any phone number in GTM formats. Examples: India (toll-free): United States (toll-free):
2. Any phone number that satisfies RFC 3966 format standards.
Supported conference code formats: The conference code is picked up from any of the following formats in the meeting body:
URL (*.gotomeeting.com/join/ )
URL (gotomeet.me/username format)
"GTM" formats such as "GTM: "
"G2M" formats such as "G2M: "
Formats such as "Access Code: "

WebEx
Supported phone number formats:
1. Any phone number in WebEx Call-in formats. Examples (both Verizon and U.S.):
2. Any phone number in WebEx Audio Connection formats. Example: (US toll)
3. Any phone number that satisfies RFC 3966 format standards.
Supported conference code formats: The meeting content must contain one of these formats:
1. Meeting number:
2. Access code:
Note: For conference codes that are nine digits or fewer, the # key is added automatically to dial in to the meeting.

Lync
Supported phone number formats: Any phone number in RFC 3966 formats
Supported conference code formats: The meeting body contains this text: "Conference ID: "
Note: The # key is added automatically for Lync meetings.

Generic audio conference information
Supported phone number formats: Any phone number in RFC 3966 formats. Examples: (555) (in case of country code)
Note: Use a single separator between digits in the phone number. For example, ) can cause the number not to be recognized.
Supported conference code formats: Recommended format: "(phone number)","(code)"
You can specify up to four commas and provide the # key if necessary. See the table later in this document for a list of supported formats.

For an audio conference, the following formats let users tap Dial In. If they tap the phone number from the body of the calendar meeting, however, they can dial into the meeting. They must then type conference codes manually.

The following phone number and conference code formats are supported.

Supported phone number formats: Any phone number in RFC 3966 formats. Examples: (555) (in case of country code)

Conference code separator | Example
Participant Code | Participant Code:
Participant PIN | Participant PIN:
Guest Code | Guest Code:
Guest PIN | Guest PIN:
Participant/Guest Code | Participant/Guest Code:
Chair Code | Chair Code:
Chair PIN | Chair PIN:
Chairperson Code | Chairperson Code:
Chairperson PIN | Chairperson PIN:
Host PIN | Host PIN:
PIN | PIN:
Access Code | Access Code:
Code | Code:
Conference Code | Conference Code:
Conference ID | Conference ID:
, | +1 (631) , #
,, | +1 (631) ,, #
,,, | +1 (631) ,,, #
,,,, | +1 (631) ,,,, #
passcode | +1 (631) passcode #
ext: | +1 (631) ext: #
ext. | +1 (631) ext #
;ext= | +1 (631) ; ext #
extn | +1 (631) extn #
HC | +1 (631) HC #
xtn | +1 (631) xtn #
xt | +1 (631) xt #
x | +1 (631) x #
PC | +1 (631) PC #
pc | +1 (631) pc #

On iOS and Android devices, you can import your personal calendar from the native calendar app and view your personal events in Secure Mail. Enable this feature by going to Secure Mail settings and then turning On Personal Calendar. Select a color for your personal events that you want to display in Secure Mail. This is a read-only view that is only visible to users. The personal calendar information does not sync back to the Exchange or Lotus Notes mail server.

You enable the personal calendar overlay either from the pop up notification or from Secure Mail settings. The first set of figures shows the feature on an iOS device. The subsequent set of figures shows the feature on an Android device.


Once you have enabled the feature, you can select a color for your personal mail items.

You can select which personal calendars appear from the settings screen.

The following figures show the feature on an Android device.

Secure Mail also displays the following details about a personal calendar event:

Account name of the sender
Invitees
Meeting notes

Secure Mail for Android displays any conflicts with your personal calendar event while creating or rescheduling an Exchange account calendar event.

Below is a video demonstrating the Personal Calendar overlay feature.

1. To attach an inline image to your email, long press in the mail body. From the options that appear, tap Insert Picture.
2. Secure Mail may prompt you for access to your Photos. The Photos gallery appears. Navigate to the gallery and tap the picture you want to insert.

3. The mail now contains the image you selected.

From Settings within Secure Mail, you can now add multiple Exchange accounts and switch between them. This feature allows you to monitor all your mails, contacts, and calendars in one place.

Prerequisites

A user name and password is required to configure additional accounts. Automatic enrollment or credential store configurations apply only to the first account set up in the app. Type the user name and password for all additional accounts.
To allow additional accounts to connect to a domain or Exchange Server in an external network, you must set split tunneling to ON in Citrix NetScaler.
Secure Mail for iOS supports Exchange and Office 365 mail servers only.

To add an Exchange account for iOS

1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap + Add Exchange Account.
3. In the Exchange screen, type the credentials for the new account.

Optionally, you can set values for the following parameters:

Sync Mail Period. Tap to select a value for the sync mail period. The value you set specifies the number of mail days for Secure Mail to synchronize. Your administrator sets the default value.
Make this my default account. Tap to set the new account as your default account. The value is set to OFF by default.

4. Tap Sign On to create the account.

You can view the new account in the Settings screen under the ACCOUNTS menu.

Note: The default or primary account uses certificate-based authentication because Secure Mail can only receive a single user certificate from XenMobile Server. Additional accounts must use authentication based on Active Directory.

Note: Citrix recommends that you do not configure multiple accounts on shared devices.

To edit an account

You can edit the password and description of an account.

1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to edit.
3. In the Account screen, edit the fields.
4. Tap Save to confirm your action or tap Cancel to return to the Settings screen.


To delete an account

1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to delete.
3. In the Account screen, tap Delete Account at the bottom of the screen or tap Cancel to return to the Settings screen.
4. Tap Delete to confirm your action.

Note: If you delete the default account, the next account will become the default account.

To set a default account

Secure Mail uses the default account in the following scenarios:

Composing emails. The From: field auto-populates with the ID of the default account.
Creating calendar events. The Organizer field auto-populates with the ID of the default account.
App badge count. Indicates the unread mail count of the default account.

When you add one or more accounts, the first account you create is the default account. To change the default account, navigate to Settings > General > Default. In the Default screen, tap the account you want to set as default.

Alternatively, you can navigate to Settings > ACCOUNTS and then tap the account you want to set as default. In the Account screen, enable the Make this my default account feature.

Settings

If you have configured multiple Exchange accounts, some of the Secure Mail settings are available to each of these accounts individually, whereas other settings are global. The following settings are account-specific: Default Notifications Auto Refresh Out of Office Sync Mail Period S/MIME Offline Files Signature Sync with Local Contacts Export Settings

These settings appear with the > icon. Tap the > icon to view the accounts on your device. To apply the setting to a specific account, expand a setting item by tapping > and then select the account.

Note: You can only import the previously exported Secure Mail settings to the default or primary account.

Mail

The Mailboxes screen displays all the accounts you have configured and has the following views:

All Accounts. Contains emails from all Exchange accounts that you have configured.
Individual accounts. Contains emails and folders of an individual account. These accounts appear as a list that you can expand to view the subfolders.

The All Accounts mailbox is the global view by default. This view contains attachments and emails from all Exchange accounts that you have configured on your device. The All Accounts mailbox has the following menu items:

All attachments
Inbox
Unread
Flagged
Drafts
Sent Items
Outbox
Deleted Items

Although the All Accounts view displays your emails from multiple accounts collectively, the following actions use the address of the default or primary account:

New message
New event

To change the address of the sender while composing a new mail from the All Accounts view, tap the default address in the From: field and select a different account from the mail accounts that appear.

Note: Composing an email from the conversation view auto-populates the From: field with the address that conversation is addressed to.

Individual accounts

All the accounts you have configured appear as a list below All Accounts. The default or the primary account always appears first followed by the other accounts in alphabetical order. The individual accounts display any subfolders you might have created. You can view the subfolders by tapping the V icon next to the folder.

The following actions are limited to individual accounts only:

Moving items.
Composing emails from conversation view.
Importing vcard.
Saving contacts.

Contacts

To view your contacts, tap CONTACTS from the slide-out menu and then tap the hamburger icon on the top left. The Contacts screen displays the following items:

All Contacts. Displays all contacts from multiple accounts.
Individual accounts. Displays contacts pertaining to the individual accounts that you have configured.

You can synchronize contacts pertaining to an individual account to your local contacts.

To sync with local contacts:

1. Navigate to Settings > Contacts > Sync with Local Contacts and then tap > to expand the menu.
2. In the Sync Local Contacts screen, enable the account whose contacts you want to sync.
3. Tap OK.
4. When prompted to allow Secure Mail to access your contacts, tap OK.

You have now successfully exported contacts for the account. To undo this action, go to Settings > Contacts > Sync with Local Contacts and then tap on the switch next to the account to disable this feature. Tap Yes, Delete to confirm your action.

If you have created folders or subfolders for your contacts using Microsoft Outlook, you can view them in Secure Mail.

To view the contact folders:

1. Tap Contacts from the slide-out menu. The Contacts folders and subfolders pertaining to the individual accounts are displayed.
2. Tap an account to view all the contacts associated with that account.

3. To view contacts from a folder or subfolder, tap the respective folder or subfolder. The contacts associated with that folder are displayed.

Calendar

The calendar displays all events pertaining to the multiple accounts on your device. You can set colors for individual accounts to differentiate calendar events pertaining to individual accounts.

To set colors to calendar events

1. Select CALENDAR from menu.
2. Tap the hamburger icon on the top left. The Calendars screen displays all the accounts you have configured.
3. Tap on the default color displayed on the right of an Exchange account. The Colors screen displays the available colors for that account.
4. Select a color of your choice and then tap Save.
5. To return to the previous screen, tap Cancel.

The selected color is set for all calendar events pertaining to that Exchange account.


When you are creating a calendar invitation or event, the Organizer field auto-populates with the address of the default account. To change the mail account, tap this address and select another account.

Note: When you exit and then launch Secure Mail, the app restores the last configured calendar settings on your device.

Search

You can perform a global search from the All Accounts or the All Contacts view. This action displays the appropriate results after searching all the accounts in the app. All searches from within an individual account display results pertaining to that account only.

On iOS and Android devices, you perform the following actions by swiping an email either left or right.

More
Flag
Delete
Mark

The following table captures the actions available on swipe gestures in various folders:

Folders | Left swipe | Long left swipe | Right swipe
Inbox/Sent/Delete | Delete, Flag/Unflag, More | Delete | Read/Unread
Drafts | Delete, Flag/Unflag | Delete | Read/Unread
Outbox | Delete, Resend/Cancel | Delete | No Action
Server Results | Forward, Reply/Reply All | Reply/Reply All | No Action

Tap on one of the menu items to perform further actions. You swipe right to perform the Mark action. The following sections provide more information about each menu item.

The More menu displays the following options:

Reply
Reply All
Forward
Move
Cancel

The Flag option allows you to mark the email for faster reference. You can also use this option to clear the status of a previously flagged email.

The Delete option allows you to delete the selected email. You can also delete an email by long swiping the item toward the left.

In both delete scenarios, the Undo button appears for a few seconds so you can reverse the action. You can delete multiple emails by long pressing an item and then selecting the emails that you want to delete.

The Mark option allows you to mark an email as read or unread. This swipe gesture lets you toggle between the two Mark as states - Read and Unread.

From Settings within Secure Mail, you can now add multiple Exchange accounts and switch between them. This feature allows you to monitor all your mails, contacts, and calendars in one place.

Prerequisites

A user name and password is required to configure additional accounts. Automatic enrollment or credential store configurations apply only to the first account set up in the app. Type the user name and password for all additional accounts.
If the first account you create is certificate-based, you cannot add further certificate-based accounts.
To allow additional accounts to connect to a domain or Exchange Server in an external network, you must set split tunneling to ON in Citrix NetScaler.
Secure Mail for iOS supports Exchange and Office 365 mail servers only.

To add an Exchange account for Android

1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap + Add account.
3. In the Add account screen, type the credentials for the new account.

Optionally, you can set values for the following parameters:

Sync mail period. Tap to select a value for the sync mail period. The value you set specifies the number of mail days for Secure Mail to synchronize. Your administrator sets the default value.
Make this my default account. Tap to set the new account as your default account. The value is set to OFF by default.

4. Tap Sign In to create the account.

You can view the new account in the Settings screen under the ACCOUNTS menu.

Note: Additional accounts must use authentication based on Active Directory. Secure Mail does not support certificate-based authentication when configuring multiple accounts.

To edit an account

You can edit the password and description of an account.

1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to edit.
3. In the Account details screen, edit the fields.
4. Tap Save to confirm your action or tap Cancel to return to the Settings screen.


To delete an account

1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to delete.
3. In the Account details screen, tap Delete account at the bottom of the screen or tap Cancel to return to the Settings screen.
4. Tap Delete to confirm your action.

Note: If you delete the default account, the next account will become the default account.

To set a default account

Secure Mail uses the default account in the following scenarios:

Composing emails. The From: field auto-populates with the ID of the default account.
Creating calendar events. The Organizer field auto-populates with the ID of the default account.

When you add one or more accounts, the first account you create is the default account. To change the default account, navigate to Settings and then tap Default under General. In the Default account screen, tap the account you want to set as default.

Settings

If you have configured multiple Exchange accounts, some of the Secure Mail settings are available to each of these accounts individually, whereas other settings are global. The following settings are account-specific: Default Notifications Out of Office Sync inbox frequency Sync mail period Sync S/MIME Offline Files Signature Quick responses Sync calendar Sync contacts Sync with local contacts Export Settings

These settings appear with the > icon. Tap the > icon to view the accounts on your device. To apply the setting to a specific account, expand a setting item by tapping > and then select the account.

Mail

The Mailboxes screen displays all the accounts you have configured and has the following views:

All Accounts. Contains emails from all Exchange accounts that you have configured.
Individual accounts. Contains emails and folders of an individual account. These accounts appear as a list that you can expand to view the subfolders.

To view your mailboxes, select Mail from the slide-out menu. In the Mailboxes screen, tap the account to expand the options.

The All Accounts mailbox is the global view by default. This view contains attachments and emails from all Exchange accounts that you have configured on your device.

Although the All Accounts view displays your emails from multiple accounts collectively, the following actions use the address of the default or primary account:

New message
New event

To change the address of the sender while composing a new mail from the All Accounts view, tap the default address in the From: field and select a different account from the mail accounts that appear.

Note: Composing an email from the conversation view auto-populates the From: field with the address that conversation is addressed to.

Individual accounts

The default or the primary account always appears first followed by the other accounts in alphabetical order. The individual accounts display any subfolders you might have created.

The following actions are limited to individual accounts only:

Moving items.
Composing emails from conversation view.
Saving contacts.

Contacts

To view your contacts, tap CONTACTS from the slide-out menu and then tap the hamburger icon on the top left. The Contacts screen displays the following items:

All Contacts. Displays all contacts from multiple accounts.
Individual accounts. Displays contacts pertaining to the individual accounts that you have configured.
Categories. Displays any contact categories that you may have created.

You can synchronize contacts pertaining to an individual account to your local contacts.

To sync with local contacts:

1. Navigate to Settings and then tap Sync with local contacts listed under Contacts to expand the menu.
2. In the Sync with local contacts screen, enable the account whose contacts you want to sync.
3. Tap OK.
4. When prompted to allow Secure Mail to access your contacts, tap OK.

You have now successfully exported contacts for the account. To undo this action, go to Settings > Contacts > Sync with Local Contacts and then tap on the switch next to the account to disable this feature. Tap OK to confirm your action.

Calendar

The calendar displays all events pertaining to the multiple accounts on your device. You can set colors for individual accounts to differentiate calendar events pertaining to individual accounts.

Note: The Personal calendar feature will always be associated with your primary or default account if enabled.

To set colors to calendar events

1. Select CALENDAR from menu.
2. Tap on the default color displayed on the right of an Exchange account. The Colors screen displays the available colors for that account.
3. Select a color of your choice and then tap Save. To return to the previous screen, tap Cancel.

The selected color is set for all calendar events pertaining to that Exchange account.


When you are creating a calendar invitation or event, the Organizer field auto-populates with the address of the default account. To change the mail account, tap this address and select another account.

Search

You can perform a global search from the All Accounts or the All Contacts view. This action displays the appropriate results after searching all the accounts in the app. All searches from within an individual account display results pertaining to that account only.

You can join Skype for Business meetings seamlessly through Secure Mail. This feature requires the Skype for Business app to be installed on your device.

To join a Skype for Business meeting

1. Tap on the Skype for Business meeting reminder or calendar event.
2. In the Event Details screen, tap the Skype Join Meeting.

The Skype for Business meeting starts in a new window. If you have not installed Skype for Business on your device, tap Install Skype to install the app.


You can now print emails, calendar events, or inline images from your iOS device.

Prerequisites:

Before you begin, ensure that the following requirements are met:

1. The Block AirPrint option is set to OFF.
2. The Allow viewers to print option is disabled in IRM.

By default, the print feature is enabled in Secure Mail for iOS. The printing feature might be controlled by your administrator through administrative policies via Apple AirPrint or Microsoft Information Rights Management (IRM). In these scenarios, printing an email, calendar event, or inline image will not work and an error message might appear.

To print emails

1. Open the item you want to print.
2. Tap the Reply/Forward icon. The following options appear: Reply, Forward, Print.
3. Tap Print. The Printer Options screen appears.

4. To select a printer, tap Select Printer. The Printer screen appears.

5. Select the printer you want to print to.
6. Tap - or + to decrease or increase the number of copies you want to print.

7. To print a specific page or a range of pages, tap Range. The Page Range screen appears. By default, All Pages is selected.
8. To change the page selection, swipe the page numbers up or down.

9. Tap Printer Options to go back to the Printer Options screen.

10. To print in black and white, tap the Black & White button. By default, Secure Mail prints in color.
11. Tap Print on the top right to print the email. To cancel the print job, tap Cancel on the top left.

To print a calendar event

1. Navigate to calendar and select an event.

2. Tap the Reply/Forward icon. The following options appear: Reply, Reply All, Forward, Print, Cancel.

3. Tap Print and follow the same instructions as mentioned in the section To print emails above.

To print inline images:

1. Open the item with the inline image.
2. Long press the image. The following options appear: Reply, Forward, Print.

3. Tap Print and follow the instructions as mentioned in the section To print emails above.

Integrating Exchange Server or IBM Notes Traveler Server

Nov 21, 2017

To keep Secure Mail in sync with Microsoft Exchange or IBM Notes, you can integrate Secure Mail with an Exchange Server or IBM Notes Traveler Server that resides in your internal network or is behind NetScaler Gateway.

Syncing is also available for Secure Notes and Secure Tasks, as follows. You can integrate Secure Notes for iOS with an Exchange Server. Secure Notes for Android and Secure Tasks for Android use the Secure Mail for Android account to sync Exchange notes and tasks.

To learn about known limitations with IBM/Lotus Notes, please see this Citrix blog post.

When you add Secure Mail, Secure Notes, and Secure Tasks to XenMobile, configure the following MDX policies for integration with Exchange or IBM Notes:

For Secure Mail: Set the Secure Mail Exchange Server policy to the fully qualified domain name (FQDN) for Exchange Server or IBM Notes Traveler server. The Secure Mail requirements for specifying a connection to a Notes Traveler Server differ by platform, as follows: Secure Mail for Android and Secure Mail for iOS support the full path specified for a Notes Traveler Server. For example: (It is no longer necessary to configure your Domino Directory with web site substitution rules for the Traveler Server.)

For Secure Notes and Secure Tasks: Specify values for the Secure Notes Exchange Server, Secure Notes user domain, Secure Tasks Exchange Server, and Secure Tasks user domain policies.

The following MDX policies affect Secure Mail communication flow:

Network access. The Network access policy specifies whether restrictions are placed on network access. By default, Secure Mail access is tunneled to the internal network, which means no restrictions are placed on network access; apps have unrestricted access to networks to which the device is connected. The Network access policy interacts with the Background network service policy, as follows.

Background network service. The Background network services policy specifies the service addresses permitted for background network access. The service addresses might be for Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443. When you configure the Background network services policy, also set the Network access policy to Tunneled to the internal network. The Background network services policy takes effect when you configure the Network access policy.

Background network service gateway. The Background network service gateway policy specifies the NetScaler Gateway that Secure Mail uses to connect to the internal Exchange Server. If you specify an alternate gateway address, set the Network access policy to Tunneled to the internal network. The Background network service gateway policy takes effect when you configure the Network access policy.

Background services ticket expiration. The Background services ticket expiration policy specifies the time period that a background network service ticket remains valid. When Secure Mail connects through NetScaler Gateway to an Exchange Server running ActiveSync, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).

For details about related XenMobile server settings, see these XenMobile articles: ActiveSync Gateway and Mobile Service Provider.

The following figures show the types of Secure Mail connections to a mail server. After each figure is a list of the related policy settings.

Policies for a direct connection to a mail server:

Network access: Unrestricted
Background network services: blank
Background services ticket expiration: 168
Background network service gateway: blank

Policies for a direct connection to a mail server:

Network access: Tunneled to the internal network
Background network services: blank
Background services ticket expiration: 168
Background network service gateway: blank

Policies for STA access to a mail server:

Network access: Tunneled to the internal network
Background network services: mail.example.com:
Background services ticket expiration: 168
Background network service gateway: gateway3.example.com:443

The following figure shows where those policies apply:

Configuring IBM Notes Traveler Server for Secure Mail

In IBM Notes environments, you must configure the IBM Notes Traveler server before you deploy Secure Mail. This section shows a diagram of this configuration in a XenMobile deployment as well as system requirements.

Important: If your Notes Traveler Server uses SSL 3.0, be aware that SSL 3.0 contains a vulnerability called the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, which is a man-in-the-middle attack affecting any app that connects to a server using SSL 3.0. To address the vulnerabilities introduced by the POODLE attack, Secure Mail disables SSL 3.0 connections by default and uses TLS 1.0 to connect to the server. As a result, Secure Mail cannot connect to a Notes Traveler Server that uses SSL 3.0. See the following section, Configuring SSL/TLS Security Level, for details on a recommended workaround.

In IBM Notes environments, you must configure the IBM Notes Traveler server before deploying Secure Mail.

The following diagram shows the network placement of IBM Notes Traveler servers and an IBM Domino mail server in a sample XenMobile deployment.

Infrastructure Server Requirements

IBM Domino Mail Server
IBM Notes Traveler

252 Authentication Protocols
Domino Database
Lotus Notes Authentication Protocol
Lightweight Directory Authentication Protocol
Port Requirements
Exchange: Default SSL port is 443.
IBM Notes: SSL is supported on port 443. Non-SSL is supported, by default, on port 80.
Citrix made modifications to Secure Mail to address vulnerabilities introduced by the POODLE attack, as described in the preceding Important note. Therefore, if your Notes Traveler Server uses SSL 3.0, the recommended workaround to enable connections is to use TLS 1.2 on the IBM Notes Traveler Server 9.0.
IBM has a patch to prevent the use of SSL 3.0 in Notes Traveler secure server-to-server communication. The patch, released in November 2014, is included as interim fix updates for the following Notes Traveler server versions: IF7, IF8 and Upgrade Pack 2 IF8 (and will be included in all future releases). For details about the patch, see LO82423: DISABLE SSLV3 FOR TRAVELER SERVER TO SERVER COMMUNICATION.
As an alternative workaround, when you add Secure Mail to XenMobile, change the Connection security level policy to SSLv3 and TLS. For the latest information about this issue, see SSLv3 Connections Disabled by Default on Secure Mail.
The following tables indicate the protocols that Secure Mail supports, by operating system, based on the Connection security level policy value. Your mail server must also be able to negotiate the protocol.
The following table shows supported protocols for Secure Mail when the connection security level is SSLv3 and TLS.
Operating system type      SSLv3   TLS
Earlier than iOS 9         Yes     Yes
iOS 9 and later            No      Yes
Earlier than Android M     Yes     Yes
Android M and Android N    Yes     Yes
Android O                  No      Yes
The following table shows supported protocols for Secure Mail when the connection security level is TLS.

253
Operating system type      SSLv3   TLS
Earlier than iOS 9         No      Yes
iOS 9 and later            No      Yes
Earlier than Android M     No      Yes
Android M and Android N    No      Yes
Android O                  No      Yes
Configuring Notes Traveler Server
The following information corresponds to the configuration pages in the IBM Domino Administrator client.
Security. Internet authentication is set to Fewer name variations with higher security. This setting is used to map UID to AD User ID in LDAP authentication protocols.
NOTES.INI Settings. Add NTS_AS_ENFORCE_POLICY=false. This allows Secure Mail policies to be managed by XenMobile rather than Traveler. This setting may conflict with current customer deployments, but will simplify the management of the device in XenMobile deployments.
Synchronization protocols. SyncML on IBM Notes and mobile device synchronization are not supported by Secure Mail at this time. Secure Mail synchronizes Mail, Calendar and Contacts items through the Microsoft ActiveSync protocol built into Traveler servers. If SyncML is forced as the primary protocol, Secure Mail cannot connect back through the Traveler infrastructure.
Domino Directory Configuration - Web Internet Sites. Override Session Authentication for /traveler to disable form-based authentication.

254 S/MIME for Secure Mail
Nov 21, 2017
Secure Mail supports Secure/Multipurpose Internet Mail Extensions (S/MIME), enabling users to sign and encrypt messages for greater security. Signing assures the recipient that the identified sender sent the message, not an imposter. Encryption allows only the recipients with a compatible certificate to open the message.
For details about S/MIME, go to Microsoft TechNet article - Understanding S/MIME.
In the following table, X indicates that Secure Mail supports an S/MIME feature on a device OS.
S/MIME Feature    iOS    Android    Windows Phone
Digital identity provider integration
You can integrate Secure Mail with a supported third-party digital identity provider. Your identity provider host supplies certificates to an identity provider app on user devices. That app sends certificates to the XenMobile shared vault, a secure storage area for sensitive app data. Secure Mail obtains certificates from the shared vault.
X
For details, see Integrating with a Digital Identity Provider.
Certificate distribution by email
Distributing certificates by email requires that you create certificate templates and then use those templates to request user certificates. After you install and validate the certificates, you export the user certificates and then email them to users. Users then open the email in Secure Mail and import the certificates.
X X X
For details, see Distributing Certificates by Email.
Auto-import of single-purpose certificates
Secure Mail detects if a certificate is only for signing or encryption and then automatically imports the certificate and notifies the user. If a certificate is for both purposes, users are prompted to import it.
X
The following diagram shows the path that a certificate takes from the digital identity provider host to Secure Mail. This happens when you integrate Secure Mail with a supported third-party digital identity provider.

255 The MDX shared vault is a secure storage area for sensitive app data such as certificates. Only XenMobile enabled apps can access the shared vault.
Prerequisites
Secure Mail supports integration with Entrust IdentityGuard.
Configuring the Integration
1. Prepare the identity provider app and provide it to users:
   1. Contact Entrust to get the .ipa to wrap.
   2. Use the MDX Toolkit to wrap the app. If you deploy this app to users who already have a version of the app outside of the XenMobile environment, use a unique app ID for this app. Use the same provisioning profile for this app and Secure Mail.
   3. Add the app to XenMobile and publish it to the XenMobile Store.
   4. Let your users know that they must install the identity provider app from Secure Hub. Provide guidance, as needed, about any post-installation steps. Depending on how you configure the S/MIME policies for Secure Mail in the next step, Secure Mail might prompt users to install certificates or enable S/MIME in Secure Mail settings. Steps for both of those procedures are in Enabling S/MIME on Secure Mail for iOS.
2. When you add Secure Mail to XenMobile, be sure to configure these policies:
   Set the S/MIME certificate source policy to Shared vault. This setting means that Secure Mail uses the certificates stored in its shared vault by your digital identity provider.
   To enable S/MIME during the initial startup of Secure Mail, configure the Enable S/MIME during first Secure Mail startup policy. The policy determines if Secure Mail enables S/MIME when there are certificates in the shared vault. If no certificates are available, Secure Mail prompts the user to import certificates. If the policy isn't enabled, users can enable S/MIME in the Secure Mail settings. By default, Secure Mail does not enable S/MIME, which means that users must enable S/MIME through Secure Mail

256 settings.
Instead of integrating with a digital identity provider, you can distribute certificates to users by email. This option requires the following general steps, detailed in this section.
1. Use Server Manager to enable web enrollment for Microsoft Certificate Services and to verify your authentication settings in IIS.
2. Create certificate templates for signing and encrypting messages. Use those templates to request user certificates.
3. Install and validate the certificates, then export the user certificates and email them to users.
4. Users open the email in Secure Mail and import the certificates. The certificates are thus available only to Secure Mail. They do not appear in the iOS profile for S/MIME.
Smart cards are not supported.
Prerequisites
The instructions in this section are based on the following components:
XenMobile Server 10 and later
A supported version of NetScaler Gateway
Secure Mail for iOS (minimum version ); Secure Mail for Android devices (minimum version )
Microsoft Windows Server 2008 R2 or later with Microsoft Certificate Services acting as the Root Certificate Authority (CA)
Microsoft Exchange:
  Exchange Server 2016 Cumulative Update 4
  Exchange Server 2013 Cumulative Update 15
  Exchange Server 2010 SP3 Update Rollup 16
Complete the following prerequisites before configuring S/MIME:
Deliver the root and intermediate certificates to the mobile devices either manually or through a credentials device policy in XenMobile. For details, see Credentials device policies.
If you are using private server certificates to secure the ActiveSync traffic to Exchange Server, do the following:
Have all the root and intermediate certificates installed on the mobile devices.
Wrap Secure Mail with the latest MDX Toolkit available on the Citrix downloads site.
Enabling Web Enrollment for Microsoft Certificate Services
1. Go to Administrative Tools and select Server Manager.
2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
3. Select Add Role Services to install Certificate Authority Web Enrollment, if needed.
4. Check Certificate Authority Web Enrollment and then click Next.
5. Click Close or Finish when the installation is complete.
Verifying your authentication settings in IIS
Ensure that the Web enrollment site used to request user certificates (for example, is secured with an HTTPS server certificate (private or public).

257 The Web enrollment site must be accessed through HTTPS.
1. Go to Administrative Tools and select Server Manager.
2. In Web Server (IIS), look under Role Services. Verify that Client Certificate Mapping Authentication and IIS Client Certificate Mapping Authentication are installed. If not, install these role services.
3. Go to Administrative Tools and select Internet Information Services (IIS) Manager.
4. In the left pane of the IIS Manager window, select the server running the IIS instance for web enrollment.
5. Click Authentication.
6. Ensure that Active Directory Client Certificate Authentication is Enabled.
7. Click Sites > Default site for Microsoft Internet Information Services > Bindings in the right pane.
8. If an HTTPS binding does not exist, add one.
9. Go to the Default Web Site Home.
10. Click SSL Settings and then click Accept for Client Certificates.
Creating new certificate templates
To sign and encrypt messages, Citrix recommends that you create certificates on Microsoft Active Directory Certificate Services. If you use the same certificate for both purposes and archive the encryption certificate, it is possible to recover a signing certificate and allow impersonation.
The following procedure duplicates the certificate templates on the Certificate Authority (CA) server:
Exchange Signature Only (for Signing)
Exchange User (for Encryption)
1. Open the Certificate Authority snap-in.
2. Expand the CA and then go to Certificate Templates.
3. Right-click and then click Manage.
4. Search for the Exchange Signature Only template, right-click the template and then click Duplicate Template.
5. Assign any name.
6. Select the Publish certificate in Active Directory check box.

258 Note: If you do not select the Publish certificate in Active Directory check box, users must publish the user certificates (for signing and encryption) manually. They can do this through Outlook mail client > Trust Center > Security > Publish to GAL (Global Address List). For details, see the Microsoft topic Add or import a certificate into Contacts.
7. Click the Request Handling tab and then set the following parameters:
   Purpose: Signature
   Minimum key size: 2048
   Allow private key to be exported check box: selected
   Enroll subject without requiring any user input check box: selected

259 8. Click the Security tab and, under Group or user names, ensure that Authenticated Users (or any desired Domain Security Group) is added. Also ensure that, under Permissions for Authenticated Users, the Read and Enroll check boxes are selected for Allow.
9. For all other tabs and settings, leave the default settings.
10. In Certificate Templates, click Exchange User and then repeat steps 4 through

260 For the new Exchange User template, use the same default settings as for the original template.
11. Click the Request Handling tab and then set the following parameters:
   Purpose: Encryption
   Minimum key size: 2048
   Allow private key to be exported check box: selected
   Enroll subject without requiring any user input check box: selected

261 12. When both templates are created, be sure to issue both certificate templates. Click New and then click Certificate Template to Issue.
Requesting user certificates
This procedure uses "user1" to navigate to the Web enrollment page; for example, The procedure requests two new user certificates for secure email: one certificate for signing and the other for encryption. You can repeat the same procedure for other domain users that require the use of S/MIME through Secure Mail.
Manual enrollment is used through the Web enrollment site (example, on Microsoft Certificate Services to generate the user certificates for signing and encryption. An alternative is to configure autoenrollment through a Group Policy for the group of users who would use this feature. For details, see the Microsoft TechNet article: Configure User Certificate Autoenrollment.
1. On a Windows-based computer, open Internet Explorer and go to the Web enrollment site to request a new user certificate.
Note: Be sure you log on with the correct domain user to request the certificate.

262 2. When logged in, click Request a certificate.
3. Click Advanced Certificate Request.
4. Click Create and Submit a request to this CA.
5. Generate the user certificate for signing purposes. Select the appropriate template name and type your user settings, and then next to Request Format, select PKCS10.
The request has been submitted.

263 6. Click Install this certificate.
7. Verify that the certificate is installed successfully.
8. Repeat the same procedure but now for encrypting messages. With the same user logged on to the Web enrollment site, go to the Home link to request a new certificate.
9. Select the new template for encryption and then type the same user settings you entered in step

264 10. Ensure you installed the certificate successfully and then repeat the same procedure to generate a pair of user certificates for another domain user. This example follows the same procedure and generates a pair of certificates for "User2".
Note: This procedure uses the same Windows-based computer to request the second pair of certificates for "User2".
Validating Published Certificates
1. To ensure that the certificates are properly installed in the domain user profile, go to Active Directory Users and Computers > View > Advanced Features.
2. Go to the properties of the user (User1 for this example) and then click the Published Certificates tab. Ensure that both certificates are available. You can also verify that each certificate has a specific usage.

265 This figure shows a certificate to encrypt messages.
This figure shows a certificate to sign messages.

266 Ensure that the correct encryption certificate is assigned to the user. You can verify this information under Active Directory Users and Computers > user properties.
Secure Mail works by checking the userCertificate attribute of the user object through LDAP queries. You can read this value on the Attribute Editor tab. If this field is empty or has the incorrect user certificate for encryption, Secure Mail cannot encrypt (or decrypt) a message.

267 Exporting the user certificates
This procedure exports both the "User1" and "User2" certificate pairs in .pfx (PKCS#12) format with the private key. When exported, the certificates are sent through email to the user using Outlook Web Access (OWA).
1. Open the MMC console and go to the snap-in for Certificates - Current User. You see both the "User1" and "User2" pairs of certificates.
2. Right-click the certificate and then click All Tasks > Export.
3. Export the private key by selecting Yes, export the private key.
4. Select the Include all certificates in the certification path if possible and Export all extended properties check boxes.

268 5. When you export the first certificate, repeat the same procedure for the remaining certificates for users.
Note: Clearly label which certificate is the signing certificate and which certificate is the encryption certificate. In the example, the certificates are labeled as "userx-sign.pfx" and "userx-enc.pfx".
Sending certificates through email
When all certificates are exported in PFX format, you can use Outlook Web Access (OWA) to send them through email. The logon name for this example is User1; the email sent contains both certificates.
Repeat the same procedure for User2 or other users in your domain.
Enabling S/MIME on Secure Mail for iOS and Android
After the email is delivered, the next step is to open the message using Secure Mail and enable S/MIME with the appropriate certificates for signing and encryption.

269 1. In Secure Mail, open the email message.
2. Download the first certificate (for signing) and then tap Import certificate for Signing.
3. Type the password assigned to the private key when the certificate was exported.
4. Go to Settings to enable signing on Secure Mail.
5. Tap S/MIME and next to Signing, tap Off.

270 6. In Signing, enable and verify that the correct signing certificate is selected. This figure shows signing enabled with user certificate (for signing).
7. Go back to the email message to download and import the certificate for encryption.

271 8. Type the password assigned to the private key.
9. Go to Settings to enable encryption on Secure Mail. Next to Encrypt by Default, tap Off. Ensure that the correct user certificate is selected for encryption. This figure shows encryption enabled with user certificate (for encryption).

272 Note: If an email is digitally signed with S/MIME, has attachments, and the recipient does not have S/MIME enabled, attachments are not received. This behavior is an ActiveSync limitation. To receive S/MIME messages effectively, turn on S/MIME in Secure Mail settings.
Testing S/MIME on iOS and Android
If everything has been performed correctly, when User1 or User2 sends an email signed and encrypted, the recipient can read the message.
The following figure shows an example of an encrypted message read by the recipient.
The following figure shows an example of verification of signed trusted certificate.

273 Secure Mail searches the Active Directory domain for public encryption certificates of recipients. If a user sends an encrypted message to a recipient who does not have a valid public encryption key, the message is sent unencrypted. In a group message, if even one recipient doesn't have a valid key, the message is sent unencrypted to all recipients.
Enabling S/MIME on Secure Mail for Windows Phone
After the email is delivered, the next steps are as follows: Open the message by using Secure Mail for Windows Phone. Then, enable S/MIME with the appropriate certificates for signing and encryption.
1. In Secure Mail, open the email message.

274 2. Download the first certificate (for signing) and then tap Import for signing & encryption.
3. Type the password assigned to the private key when the certificate was exported.

275 4. Tap settings to enable signing for Secure Mail.
5. Next to S/MIME, select the check box.

276 6. In SIGNING, enable Sign Outgoing Messages and verify that the correct signing certificate is selected.
7. Go back to the email message to download and import the certificate for encryption.

277 8. Type the password assigned to the private key.
9. Go to Settings and, under ENCRYPTION, tap Encrypt by Default to enable encryption for Secure Mail.

278 Testing S/MIME on Windows Phone
If everything has been performed correctly, when User 9 sends an email signed and encrypted, the recipient can read the message.
The following figure shows an example of an encrypted message read by the recipient.
The following figure shows an example of verification of a signed trusted certificate.
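The checks described above (each published certificate has a specific usage, the userCertificate attribute holds a usable encryption certificate, and one recipient without a valid key makes a group message go out unencrypted) can be run over exported directory data. The following Python code is an added example, not Citrix code: it reads the keyUsage extension and expiry date from DER certificates, the encoding used for userCertificate values, and lists the recipients who lack a current encryption certificate. The names user1 to user4, the audit date and the sample certificates are constructed; the samples are certificate-shaped DER without real keys or signatures so that the code runs offline.

```python
from datetime import datetime, timezone

KEY_USAGE_OID = bytes.fromhex("551d0f")            # id-ce-keyUsage (2.5.29.15)
ROLES = {0x80: "signing", 0x20: "encryption", 0xA0: "dual-use"}


def _elements(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    while start < end:
        tag, length = buf[start], buf[start + 1]
        start += 2
        if length & 0x80:                           # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[start:start + n], "big")
            start += n
        if start + length > end:
            raise ValueError("truncated DER element")
        yield tag, start, start + length
        start += length


def parse_cert(der):
    """Return (first keyUsage octet or None, notAfter) from a DER X.509 certificate."""
    _, cs, ce = next(_elements(der, 0, len(der)))   # Certificate
    _, ts, te = next(_elements(der, cs, ce))        # tbsCertificate
    fields = list(_elements(der, ts, te))
    if fields[0][0] == 0xA0:                        # drop the optional [0] version
        fields = fields[1:]
    tag, s, e = list(_elements(der, *fields[3][1:]))[1]   # fields[3] = validity
    text = der[s:e].decode("ascii")
    if tag == 0x17:                                 # UTCTime: RFC 5280 century pivot at 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    not_after = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    usage = None
    for tag, s, e in fields[6:]:
        if tag != 0xA3:                             # only [3] extensions matter here
            continue
        _, xs, xe = next(_elements(der, s, e))      # SEQUENCE OF Extension
        for _, es, ee in _elements(der, xs, xe):
            parts = list(_elements(der, es, ee))    # extnID, [critical], extnValue
            if der[parts[0][1]:parts[0][2]] == KEY_USAGE_OID:
                _, bs, be = next(_elements(der, *parts[-1][1:]))   # inner BIT STRING
                usage = der[bs + 1] if be - bs > 1 else 0
    return usage, not_after


def classify(usage):
    """Map a keyUsage octet (0x80 digitalSignature, 0x20 keyEncipherment) to a role."""
    if usage is None:
        return "unrestricted"                       # no keyUsage extension present
    return ROLES.get(usage & 0xA0, "other")


def audit_user(cert_ders, now):
    """Report which S/MIME roles a user's published certificates cover at `now`."""
    result = {"signing": False, "encryption": False, "warnings": []}
    for der in cert_ders:
        usage, not_after = parse_cert(der)
        kind = classify(usage)
        if not_after < now:
            result["warnings"].append(f"{kind} certificate expired {not_after:%Y-%m-%d}")
            continue
        if kind in ("dual-use", "unrestricted"):    # the page advises separate certificates
            result["warnings"].append(f"{kind} certificate: one key signs and decrypts")
        result["signing"] |= kind in ("signing", "dual-use", "unrestricted")
        result["encryption"] |= kind in ("encryption", "dual-use", "unrestricted")
    return result


def recipients_without_encryption_cert(directory, now):
    """Recipients whose presence would make a group message go out unencrypted."""
    return sorted(u for u, c in directory.items() if not audit_user(c, now)["encryption"])


def make_sample_cert(usage, not_after="300101000000Z"):
    """CONSTRUCTED input: certificate-shaped DER with empty names, no key, no signature."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    seq = lambda *items: enc(0x30, b"".join(items))
    ext = b""
    if usage is not None:
        bits = enc(0x03, bytes([(usage & -usage).bit_length() - 1, usage]))
        ext = enc(0xA3, seq(seq(enc(0x06, KEY_USAGE_OID), enc(0x01, b"\xff"), enc(0x04, bits))))
    validity = seq(enc(0x17, b"200101000000Z"), enc(0x17, not_after.encode()))
    tbs = seq(enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), seq(), seq(),
              validity, seq(), seq(), ext)
    return seq(tbs, seq(), enc(0x03, b"\x00"))


AUDIT_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)           # constructed audit date
SAMPLE_DIRECTORY = {   # CONSTRUCTED: user name -> DER values of userCertificate
    "user1": [make_sample_cert(0x80), make_sample_cert(0x20)],   # signing + encryption
    "user2": [make_sample_cert(0x80)],                           # signing only
    "user3": [make_sample_cert(0x20, "240101000000Z")],          # encryption, expired
    "user4": [make_sample_cert(0xA0)],                           # one dual-use certificate
}

if __name__ == "__main__":
    print(recipients_without_encryption_cert(SAMPLE_DIRECTORY, AUDIT_TIME))
```

To run it against real data, pass the raw DER bytes of each userCertificate value in place of the constructed samples.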

279 To use S/MIME public certificates, configure the S/MIME public certificate source, LDAP server address, LDAP Base DN, and Access LDAP Anonymously policies. For more information about these policies, see MDX Policies at a Glance.
In addition to the app policies, do the following.
If the LDAP servers are public, ensure that the traffic goes directly to LDAP servers. To do so, configure the network policy for Secure Mail to be Tunneled to the internal network and configure split DNS for NetScaler.
If the LDAP servers are on an internal network, do the following:
For iOS, ensure that you don't configure the Background network service gateway policy. If you do configure the policy, users receive frequent authentication prompts.
For Android, ensure that you add the LDAP server URL in the list for the Background network service gateway policy.

280 Push Notifications for Secure Mail for iOS
Nov 21, 2017
Secure Mail for iOS can receive notifications about email and calendar activity when the app is running in the background or is closed. Secure Mail supports notifications provided through Background App Refresh or push notifications provided through the Apple Push Notification service (APNs).
Secure Mail sends push notifications for the following Inbox activities:
New mail, meeting requests, meeting cancellations, meeting updates. When APNs pushes notifications to an inbox, Secure Mail updates all folders, including Calendar, so that meeting changes are reflected immediately in users' calendars.
Mail status changes from read to unread and vice versa. The Secure Mail icon shows the total count of unread and new messages in the Exchange Inbox folder only. Secure Mail updates the icon after users read emails on a desktop or laptop computer. Secure Mail still provides the count of unread Inbox emails for the sync period.
If the Control locked screen notifications policy is On, push notifications appear on a locked device screen after iOS wakes up Secure Mail to perform a sync.
During an installation or upgrade, Secure Mail prompts users to allow push notifications. Users can also allow push notifications later by using iOS Settings.
To provide push notifications, Citrix hosts a listener service on Amazon Web Services (AWS) to perform the following functions:
Listen for Exchange Web Services (EWS) push notifications sent by Exchange Servers when there is Inbox activity. Exchange does not send any mail content to the Citrix service. No personally identifiable information is stored by the Citrix service. Instead, a device token and subscription ID identify the specific device and Inbox folder to be updated within Secure Mail.
Send APNs notifications, containing only badge counts, to Secure Mail on iOS devices.
The Citrix listener service does not impact mail data traffic, which continues to flow between user devices and Exchange Servers through ActiveSync.
The listener service, which is configured for high availability and disaster recovery, is available in three regions:
Americas
Europe, Middle East and Africa (EMEA)

281 Asia Pacific (APAC)
For details about the EWS push notification service, see the Microsoft article Notification subscriptions, mailbox events, and EWS in Exchange.
If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler Gateway must allow traffic (when tunneled from Secure Mail) to the following Citrix listener service URLs:
Region      URL      IP Address
Americas
EMEA
APAC
Provisioning profiles and app IDs: APNs requires a provisioning profile created with an explicit and unique app ID. APNs does not support apps that use a provisioning profile created with a wildcard (*) app ID.
XenMobile Management Tools for APNs signature signing is compatible with these browsers:
Chrome (minimum version 36)
Firefox (minimum version 31)
Internet Explorer 10 or 9
Safari (minimum version 7)
To access the tools, see XenMobile Management Tools.
App Store distribution
The move to the public app store also simplifies the process of setting up Apple Push Notifications for Secure Mail. You no longer have to request a certificate from Apple and upload it to XenMobile Tools. Instead, on the console, set Push notifications to ON and then select your region.

282 Configure Exchange and NetScaler to allow traffic to flow to the listener service.
Exchange Server configuration
Allow outbound SSL (over port 443) from your firewall to the Citrix listener service URL for the region where your Exchange Server is located. For example:
Region      URL      IP Address
Americas
EMEA
APAC        1.mailboxlistener.xm.citrix.com
If you have a proxy server between EWS and the Citrix listener device, you can do one of the following.
Send EWS traffic through the proxy and then on to the listener device.
Bypass the proxy and route EWS traffic to the listener device directly.
To send EWS traffic through the proxy server, configure the EWS web.config file in the ClientAccess\exchweb\ews folder, as follows.

283
    <configuration>
      <system.net>
        <defaultProxy>
          <!-- Replace PROXY_ADDRESS with the address of your proxy server -->
          <proxy usesystemdefault="false" proxyaddress="PROXY_ADDRESS" bypassonlocal="true" />
        </defaultProxy>
      </system.net>
    </configuration>
For Exchange 2013 environments, you must add the system.net section to the web.config file manually. Otherwise, configurations described in this article should work for Exchange For troubleshooting, contact your Exchange administrator.
To bypass the proxy server, configure the bypass list to allow Exchange to make connections to the Citrix listener service.
For details, see "Push Event Notifications" in
When Secure Hub is enrolled with certificate-based authentication, you must also configure Exchange Server for certificate-based authentication. For details, see this XenMobile Advanced Concepts article.
NetScaler Gateway configuration
While the Exchange server needs to allow traffic to the listener service, NetScaler must allow traffic to the registration service. In this way, devices can connect to register for push notifications.
If your EWS and ActiveSync servers are different, configure your NetScaler traffic policy to allow EWS traffic.
Enterprise distribution
If you distribute Secure Mail as an enterprise app through Secure Hub, you must generate an Apple Provisioning Profile, which involves requesting a certificate from Apple using XenMobile Tools and uploading the certificate to the XenMobile server. An explicit app ID is required to be able to request a certificate.
Follow these steps to configure enterprise Secure Mail for push notifications:
1. Verify that your environment meets the system requirements, described earlier in System Requirements for Push Notifications.
2. If your deployed version of Secure Mail was wrapped with an explicit app ID with its own distribution profile, enable the Push Notification service for the app ID. For details, see Registering App IDs in the Apple App Distribution Guide.
3. If your deployed version of Secure Mail was wrapped with a wildcard app ID or this is a new deployment, you must use a new app ID and provisioning profile when wrapping the new version of Secure Mail. From the Apple Enterprise Developer portal, create a new provisioning profile and a unique, explicit app ID. You must register an explicit Secure Mail app ID, use the explicit distribution profile for that app ID, and enable the Push Notification service for the app ID. For details, see Registering App IDs in the Apple App Distribution Guide. If you have staging and production environments, you will need separate app IDs and certificates for each environment.
4. Wrap Secure Mail with the MDX Toolkit, using the explicit app ID prepared in Steps 2 or
5. Generate a Secure Mail APNs certificate for the explicit Secure Mail app ID. Be sure to choose the Production SSL

284 certificate and not the Development SSL certificate.
Secure Mail requires an APNs certificate to support push notifications. This cannot be the same APNs certificate uploaded to the XenMobile server. To obtain and upload an APNs certificate:
   1. Request a new APNs certificate from Apple.
   2. Export, as a .p12 file, the certificate and private key using the Keychain Access feature on your Mac.
For details on generating and exporting the APNs certificate from the Apple Developer portal, see Configuring Push Notifications in the Apple App Distribution Guide.
6. Register your APNs certificate and obtain a customer ID.
   1. Use your Citrix Login ID to log in to the XenMobile Management Tools portal at
   2. Click Upload WorxMail APNs certificates. (Note: XenMobile Management Tools do not yet reflect the new names for XenMobile Apps.)
   3. Choose the region where your Exchange Server is located.

285
   4. Specify your explicit Secure Mail app ID, choose your APNs certificate (.p12 file), and enter your certificate password.
   5. When the upload completes, your customer ID displays. You will need the customer ID to configure the Push notifications customer ID policy, as described in Step

286 You can return to the Dashboard view to view details, obtain your customer ID, or delete certificates.
7. When you add Secure Mail to XenMobile, update the following policies to enable and configure push notifications.
Push notifications
Enables APNs-based notifications about Inbox activity. If On, Secure Mail supports push notifications. Default value is Off.
Push notifications region
The region where the APNs host is located for your Secure Mail users. Options are Americas, EMEA, and APAC. Default value is Americas. Select the same value you specified for Step 6c.
Push notifications customer ID
Your APNs customer ID, used to identify your account to the Citrix notification service. This is the customer ID that displayed in Step 6e.
8. If your previously deployed Secure Mail had a wildcard app ID, let your users know that they must reinstall Secure Mail.
To troubleshoot outbound connections, check the Exchange event logs, which include log entries when a subscription request or the notification for a subscription is invalid or fails. You can also run Wireshark traces on the Exchange Server to track outbound traffic to the Citrix listener service.
For other issues, try the Secure Mail Test Tool.
When does iOS deliver notifications to Secure Mail?

287 If Secure Mail is running in the foreground, notifications are always delivered to Secure Mail. This is the only time that Citrix can guarantee that notifications are delivered. When Secure Mail enters the background, the application badge count always updates. However, notifications (lockscreen and banner notifications) rely on Background App Refresh and, particularly when iOS suspends or terminates the app, notifications are not a certainty.

The following factors are outside the control of Citrix and may affect the delivery of notifications:
- The battery is low.
- Secure Mail is not used frequently (rarely opened into the foreground).
- Emails are received outside of core usage times in which the app is suspended for an extended period in the background; for example, between midnight and 6 a.m.

Notifications are not delivered to Secure Mail in the following cases:
- If the user closes Secure Mail, until the user manually reopens the app.
- If the system has terminated Secure Mail and the app has not been automatically restarted.
- When Secure Mail is not active.

Important note: Notifications may not be delivered to Secure Mail when it is not active for many reasons, including but not limited to the following cases:
- If the device is in Low Power Mode and Secure Mail is in the background. This is the most common case in which notifications are not delivered.
- If Background App Refresh is off for Secure Mail and if Secure Mail is in the background. Note that users control this setting.
- If the device has poor network connectivity. This situation depends entirely on the iOS device.

When Secure Mail does not receive a notification, Secure Mail does not sync new data to the device. As a consequence, the following situations occur:
- Secure Mail syncs data only when users bring the app to the foreground.
- Lockscreen notifications stop occurring for new mail. Calendar reminders still appear, however.

How does Background App Refresh affect Secure Mail and APNs?

If the user turns off Background App Refresh, the following situations occur:
- Secure Mail does not receive notifications when Secure Mail is not the background app.
- Secure Mail does not update the lockscreen with new notifications.

Disabling Background App Refresh has a major effect on the behavior of Secure Mail. As stated earlier, badge updates based on APNs still occur, but no email is synced to the device in this mode.

How does Low Power Mode affect Secure Mail and APNs?

The behavior of the system with respect to Secure Mail is the same in Low Power Mode as it is when Background App Refresh is disabled. In Low Power Mode, the device does not wake up apps for periodic refresh and does not deliver notifications to apps in the background. The side effects are therefore the same as those listed in the Background App Refresh section above. Note that in Low Power Mode, badge updates still occur, based on APNs notifications.

How does APNs affect notifications that appear on the lock screen?

New mail notifications that appear on the device lock screen are generated based on data that is synced down to the

288 device by Secure Mail. Importantly, this information does not come from the listener service. In order to show new mail notifications, Secure Mail needs to be able to sync data from Exchange so that Secure Mail has the information available to create the notifications.

If APNs notifications are not delivered to Secure Mail in the background, Secure Mail does not detect the notifications and hence does not sync new data. Because no new data is available to Secure Mail, no notifications are generated on the device lockscreen, even when APNs notifications are not delivered.

What other issues can cause APNs-driven sync to fail in the background?

A number of issues can cause APNs-driven sync requests to fail, including the following:
- An invalid STA ticket.
- A slow network connection. When Secure Mail is woken in the background, the app has 30 seconds to sync all data from the server.
- If the data protection policy is enabled and Secure Mail is woken by an APNs notification when the device is locked, Secure Mail cannot access the data store and sync does not occur. Note that this is only the case in which the system is attempting to cold start Secure Mail. If a user has already started Secure Mail at some point after unlocking the device, APNs-driven sync succeeds even when the device is locked.

If any of the preceding conditions occur, Secure Mail cannot sync data and hence cannot display lockscreen notifications.

How else does Secure Mail generate lockscreen notifications when notifications are not delivered or APNs is not in use?

If APNs is disabled, Secure Mail is still woken by periodic Background App Refresh events from iOS, assuming that Background App Refresh is enabled and assuming that Low Power Mode is off. During these wakeup events, Secure Mail syncs new email from the Exchange Server. This new email can then be used to generate notifications on the lock screen.

Thus, even when APNs notifications are not delivered or APNs is disabled, Secure Mail can sync data in the background. It's important to note that this will occur less in real time than when APNs is in use and when APNs notifications are delivered to Secure Mail. When iOS routes APNs notifications to Secure Mail, the app immediately syncs data from the server and the lockscreen notifications appear to be real time.

In the event that Background App Refresh wakeups are required, lockscreen notifications do not occur in real time. In this case, Secure Mail is woken up at a frequency that iOS completely determines. As such, some time may elapse between when an email arrives in a user's Inbox on Exchange and when Secure Mail syncs that message and generates the lockscreen notification. Also note that Secure Mail receives these periodic wakeups even when APNs is in use. In all cases in which Background App Refresh wakes up Secure Mail, Secure Mail attempts to sync data from Exchange.

How does Secure Mail differ from other apps that show content on the lock screen?

A very important difference - and one that leads to confusion - is that Secure Mail does not always show new email in real time on the lock screen in the same way that Gmail, Microsoft Outlook, and other apps do. The primary reason for this difference is security. To align with the behavior of the other apps, the Citrix listener service would require the user credentials to authenticate with Exchange to get the content and also pass this content through the Citrix

289 listener service, as well as the Apple APNs service. The approach by Citrix to APNs notifications does not require the Citrix listener service to acquire or store the users' password. The listener service has no access to the users' mailbox or password.

A note about the native iOS mail app: iOS allows its own app to maintain a persistent connection with the mail server, which ensures that notifications are always delivered. Third-party apps outside of the native mail app are not allowed this capability.

Gmail app behavior. Google owns and controls both the Gmail app and the Gmail server. This means that Google can read message content and include that message content in the APNs notification payload. When iOS receives this APNs notification from Gmail, iOS does the following:
- Sets the application badge to the value that is specified in the notification payload.
- Displays the lockscreen notification using the message text that is contained in the notification payload.

This is a critical difference: It is iOS, not the Gmail app, that displays the lockscreen notification, based on the data contained in the payload. In fact, iOS may never wake the Gmail app, similar to the way that iOS may not wake Secure Mail when a notification arrives. However, because the payload contains the message snippet, iOS can display the lockscreen notification without any mail data having to be synced to the device. In Secure Mail, this situation is different. Secure Mail must first sync message data from Exchange before the app can show the lockscreen notification.

Outlook for iOS app behavior. Microsoft controls Outlook for iOS. The organization to which the user belongs, however, controls the Exchange Servers from which data is obtained. Despite this setup, Outlook can display lockscreen notifications based on data that Microsoft provides in the APNs notification, because Outlook for iOS makes use of a model in which Microsoft stores user credentials.

Microsoft then directly accesses the user's mailbox from its cloud service and determines the existence of new mail. If new mail is available, the Microsoft cloud service generates an APNs notification that contains the new mail data. This model operates in a similar way to the Gmail model, in which iOS simply takes the data and generates a lockscreen notification based on that data. The Outlook iOS app is not involved in the process.

Important security note on Outlook for iOS: There are clear security implications in the Outlook for iOS approach. Organizations need to trust Microsoft with passwords for their users so that Microsoft can access the user's mailbox, which poses a security risk. For more information about the way Microsoft manages users' passwords, see this Microsoft TechNet article.

For more FAQs specific to administrators on push notifications, please see this Support Knowledge Center article. For more user-specific FAQs, see this article.

290 Testing and Troubleshooting Secure Mail Nov 21, 2017

When Secure Mail isn't working properly, connection issues are typically the cause. This article describes how to avoid connection issues and, if issues occur, how to troubleshoot them.

The Mail Test App helps you verify that ActiveSync is ready for deployment in a XenMobile environment. The app also verifies that your environment meets the system requirements for Secure Mail push notifications. The Mail Test App verifies the following:
- iOS and Android device connections with Microsoft Exchange or IBM Traveler servers.
- User authentication.
- Push notification configuration for iOS, including Exchange Server, Exchange Web Services (EWS), NetScaler Gateway, APNs certificates, and Secure Mail. For information about configuring push notifications, see Push Notifications for Secure Mail for iOS.

The tool provides a comprehensive list of recommendations for correcting issues.

The Mail Test App, MailTest.ipa, is available for download from

The Mail Test App supports environments configured with client certificate authentication. To install, you wrap MailTest.ipa with the MDX Toolkit and then add the app to XenMobile.

To uninstall the Mail Test App
1. Press and hold the Mail Test App icon on your home screen until the icon begins to move back and forth.
2. Tap the X in the upper left corner of the icon.
3. When prompted, tap Delete.

The Mail Test App writes all logs to /documents/citrixlogs/ on a device. If you wrap Mail Test App, the app generates two files: CtxLog_AppInfo.txt and CtxLog_AppPolicies.xml. Use the Send Log command in Mail Test App to email all log files.

Prerequisites for testing:
- Ensure that the Network Access policy is not blocked.
- Set the Block Compose policy to Off.

To set up a test
1. On the device where you installed the Mail Test App, open the tool.

291
2. To add the server you are testing, tap Add new server. Specify any of the following to connect to a server:
   - FQDN (subdomain.example.com)
   - IP address
   - Email address (name@example.com)
   For a cluster configuration, add all the servers including the load balancing server. Tap Next to add more servers or tap Dismiss to continue with the next step. To delete an added server, swipe left on its name and tap Delete.
3. Enter the following items for the account to be used to test the connection. To enter an item, tap the field, type the value, and then tap Next.
   - Username: Specify either the userprincipalname (UPN) or samaccountname attribute.
   - Domain: Provide the user domain. If you are using an internal domain for the Traveler server, you can leave Domain blank.
   - Password: Specify the user password.
   To enable Accept All Certificates, set it to On. By default, the Client OS is set to Auto Detect. To change the OS, Version, or Device Type, select them from the provided lists. To add a Version or Device Type, tap its label, tap + and then enter the information as shown in the following example. When you are finished, tap <. To return to the main screen, tap < again.

292
4. To change the number of times the test runs, tap Repeat Count and then tap a value.
5. To run the test, tap Diagnose in the top right corner. Test results appear as shown in the following example:

The following example shows how issues are reported.

293 The following example shows how the tool notifies you that Secure Mail successfully received a test push notification.

294 If there are issues during the test, the results appear as shown in the following example:

295
6. For a detailed list of ActiveSync policies, tap Send Logs and then tap Send.
7. To reset the test, tap Reset on the main screen. A reset performs the following actions:
   - Deletes all Server names.
   - Clears all Credentials.
   - Sets Accept All Certificates to Off.
   - Sets Client Settings to Auto Detect.
   - Sets Repeat Count to 1.

All XenMobile Apps generate several logs to assist with troubleshooting. To obtain Secure Mail logs, do the following.
1. Go to Secure Hub > Help > Report Issue.
2. Select Secure Mail from the list of apps. An email addressed to your organization help desk opens.
3. Fill in the subject line and body with a few words describing your issue.
4. Select the time when it happened.
5. Change log settings only if your support team has instructed you to do so.

296
6. Click Send. The completed message opens with zipped log files attached.
7. Click Send again.

The zip files sent include the following logs:

CtxLog_AppInfo.txt (iOS), Device_And_AppInfo.txt (Android), logx.txt and WH_logx.txt (Windows Phone)
App info logs include information about the device and app. Verify that the hardware model and platform version in use are supported. Verify that the versions of Secure Mail and MDX Toolkit in use are the latest and are compatible. For details, see System Requirements for Secure Mail and XenMobile compatibility.

CtxLog_VPNConfig.xml (iOS) and VpnConfig.xml (Android)
The VPN configuration logs are provided for Secure Hub only. Check the NetScaler version (<ServerBuildVersion>) to ensure the latest NetScaler release is in use. Check the <SplitDNS> and <SplitTunnel> settings as follows:
- If Split DNS is set to Remote, Local, or Both, verify that you are correctly resolving the mail server FQDN through DNS. (Split DNS is available for Secure Hub on Android.)
- If Split Tunnel is set to On, ensure that the mail server is listed as one of the Intranet apps accessible on the backend.

CtxLog_AppPolicies.xml (iOS), Policy.xml (Android and Windows Phone)
The policies logs provide the values of all MDX policies applied to Secure Mail as of the time you obtained the log. For connection issues, verify the values for the <BackgroundServices> and <BackgroundServicesGateway> policies.

Diagnostic logs (in the diagnostics folder)
For initial configurations of Secure Mail, the most common issue is Your Company Network Is Not Currently Available. To use the diagnostic logs to troubleshoot connection issues, do the following.

The key columns in the diagnostic logs are Timestamp, Message Class, and Message. When an error message appears in Secure Mail, make note of the time so you can quickly locate related log entries in the Timestamp column.

To determine whether the connection from the device to NetScaler Gateway succeeded: Review the AG Tunneler entries. The following messages indicate successful connection:
    AG policy Intercepting FQDN:443 for STA tunneling
    New TCP proxy connection to (null):443 established

To determine whether the connection from NetScaler Gateway to XenMobile succeeded (and thus can validate the STA ticket), go to the Secure Hub diagnostic log and review the INFO (4) entries under Message Class, for the time the device was enrolled. The following messages indicate that Secure Hub obtained a STA ticket from XenMobile:
    Getting STA Ticket Got STA Ticket response STA Ticket Success obtaining STA ticket for App -- Secure Mail

Note

297 During enrollment, Secure Hub sends a request to the XenMobile server for a STA ticket. The XenMobile server sends the STA ticket to the device, where it is stored and added to the XenMobile server STA ticket list.

To determine if XenMobile Server issued a STA ticket to a user, check the UserAuditLogFile.log, included in the XenMobile support bundle. For each ticket, it lists the issue time, user name, user devices, and result. For example:
    Time: T 12:26:
    User: user2
    Device: Mozilla/5.0 (ipad; CPU OS 8_1_2 like macos)
    Result: Successfully generated STA ticket for user 'user2' for app 'Secure Mail'

To check the communication from NetScaler Gateway to the mail server: Check if DNS and networking are configured correctly. To do so, use Secure Web to access Outlook Web Access (OWA). Like Secure Mail, Secure Web can use a micro VPN tunnel to establish a connection to NetScaler Gateway. Secure Web acts as a proxy to the internal or external resource the app is accessing. Usually, and particularly in an Exchange environment, OWA is hosted on the mail server.

To test the configuration, open Secure Web and enter the FQDN of the OWA page. That request takes the same route and DNS resolution as communication between NetScaler Gateway and the mail server. If the OWA page opens, you know that NetScaler Gateway is communicating with the mail server.

If the preceding checks indicate successful communications, you know that the issue isn't with your Citrix setup. Instead, the issue is with the Exchange or Traveler servers. You can collect information for your Exchange or Traveler server administrators. First check for HTTP issues on the Exchange or Traveler servers by searching the Secure Mail diagnostic log for the word Error. If the errors include HTTP codes and you have multiple Exchange or Traveler servers, investigate each server. Exchange and Traveler have HTTP logs that show HTTP requests and responses from client devices.

The log for Exchange is C:\inetpub\LogFiles\W3SVC1\U_EX*.log.
The log for Traveler is IBM_TECHNICAL_SUPPORT > HTTHR*.log.

You can troubleshoot Secure Mail issues, such as an email or emails stuck in drafts, missing contacts, or calendar items out-of-sync. To troubleshoot these issues, use Exchange ActiveSync mailbox logs. The logs show incoming requests sent by the devices and the outgoing responses from the mail server. For more details, see these TechNet blog posts:
- Exchange ActiveSync Mailbox Logging
- Under The Hood: Exchange ActiveSync Mailbox Log Analysis

When users set their sync mail period to All, they have unlimited sync. With unlimited sync, the assumption is that users manage their mailbox size, which is the Inbox and all synced subfolders. Here are a few points to keep in mind for best performance.
1. If the mailbox size exceeds 18,000 messages or 600 MB in total size, sync can slow down.

298
2. It is not recommended to enable Load Attachments on WiFi with unlimited sync. This option can cause the mail size to bloat quickly on the device.
3. To prevent unlimited sync as an option for users, set the Max sync interval app policy to a value other than All.
4. It is not recommended to set All as the Default sync interval for users.
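The diagnostic-log checks described in this article (AG Tunneler entries, STA ticket entries, then HTTP errors) can be scripted so each connection stage is evaluated in order. The following is an added example, not Citrix code: the CSV layout, the sample rows, the "ERROR (constructed)" class and the function names are assumptions built around the three key columns and the message strings quoted above.

```powershell
# Added example (not Citrix code). Sample rows are constructed; real diagnostic logs
# may use a different delimiter or extra columns beyond the three key columns.
$secureMailLog = @'
Timestamp,Message Class,Message
2017-11-21 09:14:02,INFO (4),AG policy Intercepting mail.example.com:443 for STA tunneling
2017-11-21 09:14:03,INFO (4),New TCP proxy connection to (null):443 established
2017-11-21 09:14:05,ERROR (constructed),Error: sync request failed with HTTP 503
2017-11-21 02:00:00,INFO (4),Unrelated entry outside the time window
'@ | ConvertFrom-Csv

$secureHubLog = @'
Timestamp,Message Class,Message
2017-11-20 16:40:10,INFO (4),Getting STA Ticket
2017-11-20 16:40:11,INFO (4),Got STA Ticket response
'@ | ConvertFrom-Csv

function Test-LogStage {
    # Hypothetical helper: a stage passes only if every expected message is present.
    param(
        [string]$Stage,
        [object[]]$Rows,
        [string[]]$Patterns,
        [string]$IfMissing
    )
    $missing = @($Patterns | Where-Object {
        $pattern = $_
        -not ($Rows | Where-Object { $_.Message -match $pattern })
    })
    [pscustomobject]@{
        Stage  = $Stage
        Passed = ($missing.Count -eq 0)
        Detail = if ($missing.Count -eq 0) { 'all expected messages found' }
                 else { 'missing: ' + ($missing -join ' | ') }
        Next   = if ($missing.Count -eq 0) { '' } else { $IfMissing }
    }
}

function Get-SecureMailTriage {
    # Hypothetical helper: walks the stages in the order the article checks them.
    param(
        [Parameter(Mandatory)][object[]]$SecureMailRows,
        [Parameter(Mandatory)][object[]]$SecureHubRows,
        [Parameter(Mandatory)][datetime]$ErrorTime,   # time the error appeared in Secure Mail
        [int]$WindowMinutes = 5
    )
    # Only entries close to the noted error time are relevant for stages 1 and 3.
    $nearError = @($SecureMailRows | Where-Object {
        [math]::Abs(([datetime]$_.Timestamp - $ErrorTime).TotalMinutes) -le $WindowMinutes
    })
    # The article reviews the INFO (4) entries of the Secure Hub log for stage 2.
    $hubInfo = @($SecureHubRows | Where-Object { $_.'Message Class' -eq 'INFO (4)' })

    Test-LogStage -Stage '1. Device to NetScaler Gateway' -Rows $nearError -Patterns @(
        'Intercepting .+:443 for STA tunneling',
        'New TCP proxy connection to .+:443 established'
    ) -IfMissing 'Check <BackgroundServices> and <BackgroundServicesGateway> in the policies log.'

    Test-LogStage -Stage '2. STA ticket from XenMobile' -Rows $hubInfo -Patterns @(
        'Getting STA Ticket',
        'Got STA Ticket response',
        'Success obtaining STA ticket for App'
    ) -IfMissing 'Check UserAuditLogFile.log in the XenMobile support bundle.'

    # Stage 3: entries containing the word Error, with any HTTP status codes they carry.
    $errors = @($nearError | Where-Object { $_.Message -match '\bError\b' })
    $codes  = @($errors |
        ForEach-Object { [regex]::Matches($_.Message, 'HTTP\D{0,3}([45]\d{2})') } |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    [pscustomobject]@{
        Stage  = '3. Exchange or Traveler HTTP errors'
        Passed = ($errors.Count -eq 0)
        Detail = if ($codes.Count -gt 0) { 'HTTP codes: ' + ($codes -join ', ') }
                 else { "$($errors.Count) Error entries" }
        Next   = if ($errors.Count -eq 0) { '' }
                 else { 'Give the entries to the Exchange or Traveler administrators; compare with the server HTTP logs.' }
    }
}

Get-SecureMailTriage -SecureMailRows $secureMailLog -SecureHubRows $secureHubLog `
    -ErrorTime '2017-11-21 09:14:05' | Format-Table -AutoSize -Wrap
```

In the constructed Secure Hub rows the success message is deliberately absent, so stage 2 reports the missing entry and points to the server-side audit log.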

299 iOS Data Protection Nov 21, 2017

Enterprises that must meet Australian Signals Directorate (ASD) data protection requirements can use the Enable iOS data protection policies for Secure Mail and Secure Web. By default the policies are Off.

When Enable iOS data protection is On for Secure Web, Secure Web uses Class A protection level for all files in the sandbox. For details about Secure Mail data protection, see Australian Signals Directorate Data Protection. If you enable this policy, the highest data protection class is used so there is no need to also specify the Minimum data protection class policy.

To change the Enable iOS data protection policy:
1. Use the latest MDX Toolkit to wrap the latest version of XenMobile Apps. For details, see Wrapping iOS Mobile Apps and Wrapping XenMobile Apps for iOS 8 or iOS
2. Use the XenMobile console to load the MDX files to the XenMobile Server: For a new app, navigate to Configure > Apps > Add and then click MDX. For an upgrade, see Upgrade MDX or enterprise apps.
3. For Secure Mail, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices running older operating system versions are not affected when this policy is enabled.
4. For Secure Web, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices running older operating system versions are not affected when this policy is enabled.
5. Configure the app policies as usual and save your settings to deploy the app to the XenMobile Store.

300 Certificate-based authentication with Office 365 Nov 21, 2017

Secure Mail supports certificate-based authentication (also known as client-based authentication) with Office 365. Secure Mail users with iOS and Android devices can take advantage of certificate-based authentication when connecting to Office 365. When they sign on to Secure Mail, users authenticate by using a client certificate, instead of typing their credentials. This article discusses how to configure certificate-based authentication for Office 365.

Support for certificate-based authentication in Secure Mail exists for on-premises Exchange configurations.

If you had already set up certificate-based authentication in XenMobile, you now configure Exchange Online, Azure Active Directory, and Active Directory Federation Services (ADFS) on Windows Server. Then, users with Secure Mail versions 10 and later can take advantage of certificate-based authentication to connect to their Office 365 accounts.

If you have not configured certificate-based authentication in XenMobile, you first enable the feature in the XenMobile console. For details, see Client certificate or certificate plus domain authentication. Then, you enable certificate-based authentication for Exchange Online, Azure AD, and ADFS on Windows Server.

The procedures in this article assume that you have enabled certificate-based authentication in XenMobile Server.

The following figure shows how the components involved in certificate-based authentication integrate.

1. A copy of the certificate (X.509) generated from the Certificate Authority (CA) when you configured PKI Entities in the XenMobile console.

301 The CA must have a certificate revocation list (CRL) that can be referenced via a URL. In the certificate Subject Alternative Name field, include the user email address in the RFC822 Name or the Principal Name value. For example, see the following figure.

The following steps show how you configure certificate-based authentication for Exchange Online, Azure AD, and ADFS on Windows Server. This article summarizes configuration guidance from Microsoft. If you have trouble with the steps for configuring the Microsoft components, we recommend that you see the Microsoft documentation for more information.

To enable Exchange Online

Microsoft Exchange Online uses modern authentication features of the Office 365 tenant. These features enable authentication methods like multifactor authentication (MFA) by using smart cards, certificate-based authentication, and third-party SAML identity providers. By default, modern authentication isn't enabled in Exchange Online. To enable modern authentication, do the following.
1. Connect to Exchange Online PowerShell. For details, see the Microsoft documentation.
2. Run the following command.

302
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

3. To verify that the change was successful, run the following command.

    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

To configure Azure AD

Exchange Online sends a prompt=login command to Azure AD in a request. By default, Azure AD translates this command in the request to ADFS as wauth=usernamepassworduri. By default, Azure AD prompts ADFS to do user name and password (U/P) authentication. Azure AD also sends the command wfresh=0, which prompts Azure AD to ignore the single sign-on (SSO) state and to do a fresh authentication.

1. Change the default Azure AD PromptLoginBehavior behavior.
   a. Connect to Office 365 PowerShell. For details, see the Microsoft documentation.
   b. Run the following command in Office 365 PowerShell. Note: The domain is the same as the mail server domain.

    Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled

2. Configure the certificate authorities in Azure AD. Upload the public portion of the root certificate, as discussed in the preceding list of prerequisites.
   a. Connect to Azure AD PowerShell. For details, see the Microsoft documentation.
   b. Run the following set of commands in Azure AD PowerShell. The .cer file is available locally on the machine.

303
    # Read the CA certificate (.cer) as raw bytes (-Encoding byte is Windows PowerShell syntax)
    $cert=get-content -Encoding byte "[LOCATION OF THE CER FILE]"
    $new_ca=new-object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    # AuthorityType 0 marks the certificate as a root authority
    $new_ca.AuthorityType=0
    $new_ca.TrustedCertificate=$cert
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca

3. Configure revocation in Azure AD.

To revoke a client certificate, Azure AD fetches and caches the certificate revocation list (CRL) from the URLs that were uploaded as part of the CA information. The last publish timestamp (Effective Date property) in the CRL is used to ensure that the CRL is still valid. The CRL is periodically referenced to revoke access to certificates that are a part of the list.

To ensure that the revocation persists, you must set the Effective Date of the CRL to a date after the value set by StsRefreshTokensValidFrom. Ensure also that the certificate in question is in the CRL.

The following steps outline the process for updating and invalidating the authorization token by setting the StsRefreshTokensValidFrom field.
   a. Connect to the MSOL service. For details, see the Microsoft documentation.
   b. Retrieve the current StsRefreshTokensValidFrom value for a valid user by running the following commands.

    $user = Get-MsolUser -UserPrincipalName test@yourdomain.com
    $user.StsRefreshTokensValidFrom

   c. Configure a new StsRefreshTokensValidFrom value for the user equal to the current timestamp by running the following command.

304
    Set-MsolUser -UserPrincipalName test@yourdomain.com -StsRefreshTokensValidFrom ("03/15/2017")

The date you set must be in the future. If the date is not in the future, the StsRefreshTokensValidFrom property is not set. If the date is in the future, StsRefreshTokensValidFrom is set to the current time (not the date indicated by the Set-MsolUser command).

To configure ADFS

You complete two main steps to configure ADFS:
- Enable certificates as an authentication method.
- Configure claims in an ADFS token.

1. Enable certificates as an authentication method.
   a. Open the ADFS management console and then navigate to Service > Authentication Methods > Edit Primary Authentication Methods.
   b. Under Extranet, select the Certificate Authentication check box.

305
   c. Under Intranet, optionally select the Certificate Authentication check box. Most of your devices that use certificate authentication are likely to come only from the extranet. For that reason, the Intranet selection is optional.

2. Configure claims in the ADFS token.

Azure AD sends the issuer and serial number to ADFS so that ADFS can revoke or deny authentication in different access scenarios. If a device is lost or stolen, for example, the administrator can update the CRL. Then, Azure AD revokes access by using certificate authentication. To configure claims, do the following.
   a. Navigate to Service > Claim Descriptions > Add Claim Description.

306
   b. In the Active Directory Claims Provider trust, add the following two rules. These rules indicate to ADFS to allow an Active Directory user to pass through when authenticating.
      Serial Number of the Client Certificate -
      Issuer of the client certificate -

The following figures are examples of the completed fields.

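The certificate prerequisites (a CRL reachable through a URL, the user name in the Subject Alternative Name) and the revocation timing rule from step 3 can be checked before users are affected. The following is an added example, not Citrix or Microsoft code: it assumes Windows PowerShell 5.1 with .NET Framework 4.7.2 or later on an English-language host (the text returned by Format() is platform- and locale-dependent), and the function names, the constructed test certificate and the sample dates are hypothetical.

```powershell
# Added example (not from the original article). Function names are hypothetical.

function Test-CbaCertificate {
    # Reports whether a client certificate carries the two prerequisites listed in
    # the article: a CRL URL and an RFC822 Name or Principal Name in the SAN field.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # SAN
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }  # CRL DP
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '' }

    $names = @([regex]::Matches($sanText, '(RFC822 Name|Principal Name)=(\S+)') |
        ForEach-Object { '{0}={1}' -f $_.Groups[1].Value, $_.Groups[2].Value })
    $crlUrls = @([regex]::Matches($cdpText, 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value })

    [pscustomobject]@{
        Issuer       = $Certificate.Issuer
        SerialNumber = $Certificate.SerialNumber
        SanUserNames = $names
        CrlUrls      = $crlUrls
        MeetsPrereqs = ($names.Count -gt 0 -and $crlUrls.Count -gt 0)
    }
}

function Test-CbaRevocation {
    # Applies the rule from step 3: revocation persists only when the certificate is
    # in the CRL and the CRL Effective Date is later than StsRefreshTokensValidFrom.
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [string[]]$CrlSerialNumbers = @(),
        [Parameter(Mandatory)][datetime]$CrlEffectiveDate,
        [Parameter(Mandatory)][datetime]$StsRefreshTokensValidFrom
    )
    # Compare serial numbers without separators, leading zeros or case differences.
    $normalize = { param($s) ($s -replace '[\s:]', '').TrimStart('0').ToUpperInvariant() }
    $wanted = & $normalize $SerialNumber
    $listed = @($CrlSerialNumbers | ForEach-Object { & $normalize $_ }) -contains $wanted
    $newer  = $CrlEffectiveDate -gt $StsRefreshTokensValidFrom

    [pscustomobject]@{
        SerialInCrl        = $listed
        CrlIsNewer         = $newer
        RevocationPersists = ($listed -and $newer)
        Action             = if (-not $listed) { 'Add the certificate to the CRL and republish.' }
                             elseif (-not $newer) { 'Republish the CRL so its Effective Date is after StsRefreshTokensValidFrom.' }
                             else { 'None.' }
    }
}

# Constructed test certificate: UPN in the SAN, deliberately no CRL distribution point,
# so the prerequisite check shows the failure case.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=user2-constructed', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddUserPrincipalName('user2@example.com')
$req.CertificateExtensions.Add($sanBuilder.Build())
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))

Test-CbaCertificate -Certificate $demo | Format-List

# Constructed dates: the CRL was published the day before the token cut-off.
# In a tenant, the cut-off is the value read in step 3b:
#   (Get-MsolUser -UserPrincipalName test@yourdomain.com).StsRefreshTokensValidFrom
Test-CbaRevocation -SerialNumber $demo.SerialNumber -CrlSerialNumbers @($demo.SerialNumber) `
    -CrlEffectiveDate '2017-03-14' -StsRefreshTokensValidFrom '2017-03-15' | Format-List
```

After the CA upload in step 2, running Get-AzureADTrustedCertificateAuthority shows whether a CRL distribution point is recorded for the uploaded root certificate.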

308 Citrix Secure Notes Nov 21, 2017

Citrix Secure Notes lets users manage their notes on their mobile devices. Users can create, share, and organize notes that contain text, photos, or audio. There are two options for storing notes: Secure Notes on a Microsoft Exchange Server or Secure Notes + on a ShareFile server.

Secure Notes. The Exchange option integrates with Outlook so that users enjoy data continuity and basic functionality. Users sync notes, format text, create notebooks, and email notes. For Android users, Secure Notes syncs with Exchange through Citrix Secure Mail. For iOS users, Secure Notes syncs directly with Exchange.

Secure Notes +. The ShareFile option includes all the features of the Exchange option. In addition, users can capture whiteboard photos or record conversations. They can tap to send notes to meeting attendees. And they can set up reminders for their notes.

You can deploy both options to users through the Secure Notes version and the Secure Notes + version. The first time users sign on, they select the version they want.

With Secure Notes, users can:
- Create and share notes with text, image, or audio content. The inclusion of audio content requires the Secure Notes + version.
- Tag notes.
- Organize notes into folders that they can color-code by category.
- Email notes to Secure Mail contacts.
- Sync with Exchange.
- Upload notes to ShareFile.
- Move notes between folders.
- Format and spellcheck text with an in-app editor.
- Map their location when creating a note. Requires the Secure Notes + version.
- Set reminders on notes that contain tasks or actionable items. Requires the Secure Notes + version.
- View notebooks as a grid.
- Select text from a Secure Mail message and add it to an existing note or create a new note with it.
- Have their notes auto-saved to local storage several times a minute.

As part of XenMobile Apps, Secure Notes benefits from single sign-on (SSO) compatibility with Citrix Secure Hub. After users sign on to Secure Hub, they can move seamlessly into Secure Notes without having to reenter their user names and passwords. You can configure Secure Notes to be pushed to user devices automatically when the devices enroll in Secure Hub. Alternatively, users can add the app from the XenMobile Store.

To begin, download Secure Notes and other XenMobile components from the XenMobile downloads page. For Secure Notes and other XenMobile App system requirements, see System requirements for XenMobile Apps.

309 Users with accounts linked to ShareFile can sync notes between their mobile devices and their laptops or desktops. They do so through a web-based version of Secure Notes. They sign on to the web-based version with their ShareFile user names and passwords. They can store notes in your private StorageZones as well. Accounts linked to Exchange can already sync notes between desktop and mobile. For configuration details, see the next section on Integrating and Delivering Secure Notes.

Secure Notes for Web offers many of the same features as the mobile version:
- Create, view, edit, tag, search, sort, and print notes.
- Mark notes as favorites.
- Create and color-code notebooks.
- Move notes from one notebook to another.
- Play audio files attached to notes.
- Set reminders.

Secure Notes for Web works only with ShareFile cloud deployments. Certain features are not currently available, such as the ability to sync offline notes, email notes, or link notes to calendar events. Secure Notes for Web also does not work on mobile browsers.

1. You can integrate Secure Notes for iOS with an Exchange Server. (Secure Notes for Android uses the Secure Mail for Android account to sync Exchange notes.) The configuration uses Active Directory credentials to authenticate to Exchange. For details, see Integrating Exchange Server or IBM Notes Traveler Server.
2. For Secure Notes and Secure Notes for Web: You can optionally enable single sign-on (SSO) from Secure Hub. To do that, you configure ShareFile account information in XenMobile to enable XenMobile as a SAML identity provider for ShareFile. The configuration uses Active Directory credentials to authenticate to ShareFile. Configuring the ShareFile account information in XenMobile is a one-time setup used for all XenMobile clients, ShareFile clients, and non-MDX ShareFile clients. For details, see ShareFile Single Sign-On.
3. For Secure Notes for Web: Update the ShareFile Login URL, which redirects authentication when ShareFile attempts SAML-based SSO. The following change is required for Secure Notes for Web and is also compatible with Secure Notes. In the ShareFile administrator console, go to Admin > Configure Single Sign-On and update the Login URL as follows:
    action=authenticateuser&app=saml_appname&reqtype=1&nssso=true
   For details about SAML_AppName and NetScaler Gateway configuration for ShareFile, see ShareFile Single Sign-On.
4. Secure Notes for iOS syncs directly with Exchange and consumes one Exchange Active Sync (EAS) device ID position on the server. Citrix recommends increasing the number of EAS partnerships to 20, so that users don't exceed the maximum number of devices allowed. If users exceed the maximum, Secure Notes does not sync. To increase EAS partnerships, update the EASMaxDevices property of the Exchange Server throttling policy. For details on managing EAS partnerships, see this blog post. Alternatively, users can delete devices they're not using. To do so, they must sign on to Outlook Web App and go to Options > Phone > Mobile Phones. From there, they can remove devices from the list, as shown in the following figure.

5. Download Secure Notes from the XenMobile downloads page. Wrap Secure Notes with the MDX Toolkit. For details, see About the MDX Toolkit.

6. Add Secure Notes to XenMobile and configure MDX policies, as described in the next section.

You add Secure Notes to XenMobile by using the same steps as for other MDX apps. For details, see Add an MDX app. When adding Secure Notes, be aware of the following MDX policies that are specific to Secure Notes.

For all supported mobile devices:

Secure Notes storage options
Allows you to set storage options for notes that users create when using Secure Notes. If you choose the ShareFile and Exchange Server option, the user can choose the storage option for notes. If ShareFile only, notes are stored in ShareFile. If Exchange only, notes are stored in Exchange Server. Default value is ShareFile and Exchange Server. ShareFile offers users more features than Exchange; see the section Secure Notes Features, below, for more information.

Accept all SSL certificates
If On, Secure Notes accepts all SSL certificates (valid or not) and allows access. If Off, Secure Notes blocks access when a certificate error occurs and displays a warning. Default value is Off.

Information Rights Management
If On, Secure Notes supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Google analytics

If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default value is On.

In addition, Secure Notes for iOS has policies related to integration with Exchange Server. For details, see Integrating Exchange Server or IBM Notes Traveler Server. Secure Notes for Android uses the Secure Mail for Android account to sync Outlook notes.

Secure Notes interacts with other XenMobile Apps for a productive workflow within the secure XenMobile environment. From within Secure Notes, users can email notes to Secure Mail contacts or upload their notes to ShareFile for easy sharing.

When you set Secure Notes storage options to ShareFile and Exchange, first-time users are asked to select the version they want. They can choose Secure Notes or Secure Notes +, as shown in the following figure.

When users tap Compare, a list of the different features available with each version appears. The following figure shows the features for Secure Notes.

The following figure shows the features for Secure Notes.

Linking Notes to Meetings

iOS users can link Secure Notes to their calendars to receive notices of meetings and, during meetings, take notes that they can easily share. Afterward, the meeting remains associated with the note. To enable this feature, users tap Link Your Calendar during the initial sign-on and provide their account credentials.

If users tap Skip this for now, they can link Secure Notes to meetings later by going into Settings and tapping on Link My Calendar.

Deleting Accounts

Android users can de-link their Exchange accounts without having to delete their Secure Notes accounts. After de-linking, users return to the initial Secure Notes sign-on screen. From there, they can choose to create a ShareFile account or another Exchange account. In iOS, when users delete their accounts, the app creates a new account automatically.

Secure Notes supports m4a audio files and the following image files:
- JPEG
- PNG
- BMP
- GIF
- WebP

Users cannot open PDF files in Secure Notes. iOS users, however, can email notes as PDFs. Secure Notes also does not support video or documents.

Citrix Secure Tasks
Nov 21, 2017

Citrix Secure Tasks lets users manage their Microsoft Outlook tasks on their mobile devices. Secure Tasks syncs with Exchange Server so that tasks, flagged messages, and categories that users create in Outlook appear in Secure Tasks. Users can also create tasks within the app itself. For Android users, Secure Tasks syncs with Exchange via Citrix Secure Mail. For iOS users, Secure Tasks syncs directly with Exchange.

You can configure Secure Tasks to be pushed to users' devices automatically when the devices enroll in Citrix Secure Hub, or users can add the app from the XenMobile Store. As a XenMobile app, Secure Tasks benefits from single sign-on (SSO) compatibility with Secure Hub. After users sign on to Secure Hub, they can move seamlessly into Secure Tasks without having to reenter their user names and passwords.

To begin, download Secure Tasks and other XenMobile components from the XenMobile downloads page. For Secure Tasks and other XenMobile App system requirements, see System requirements for XenMobile Apps.

To integrate and deliver Secure Tasks with XenMobile, follow these general steps:

1. You can integrate Secure Tasks for iOS with an Exchange Server. (Secure Tasks for Android uses the Secure Mail for Android account to sync Exchange tasks.) The configuration uses Active Directory credentials to authenticate to Exchange. For details, see Integrating Exchange Server or IBM Notes Traveler Server.

2. Secure Tasks for iOS syncs directly with Exchange and consumes one Exchange Active Sync (EAS) device ID position on the server. Citrix recommends increasing the number of EAS partnerships to 20, so that users don't exceed the maximum number of devices allowed. If users exceed the maximum, Secure Tasks does not sync. To increase EAS partnerships, update the EASMaxDevices property of the Exchange Server throttling policy. For details on managing EAS partnerships, see this blog post. Alternatively, users can delete devices they are not using. To do this, they must sign on to Outlook Web App and go to Options > Phone > Mobile Phones. From there, they can remove devices from the list, as shown in the following figure.

3. Download and wrap Secure Tasks. For details, see About the MDX Toolkit.

4. Add Secure Tasks to XenMobile and configure MDX policies, as described in the next section.

Add Secure Tasks to XenMobile using the same steps as for other MDX apps. For details, see Add an MDX app. When adding Secure Tasks, be aware of the following MDX policies that are specific to Secure Tasks.

iOS-only Secure Tasks policies:

Secure Tasks Exchange Server. Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.

Secure Tasks user domain. Default Active Directory domain name for Exchange users. Default value is empty.

Secure Mail Allowed URLs. Be sure to add +^ctxtasks: to this policy.

Secure Tasks policies for Android and iOS:

Background network services. Comma-separated list of service addresses and ports that are permitted for background network access. Each service should be of the form fqdn:port. Default value is empty, implying background network services are not available.

Background services ticket expiration. Time period that a background network service ticket should remain valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Google analytics. If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default value is On.

Background network service gateway. Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates. If On, Secure Tasks accepts all SSL certificates (valid or not) and allows access. If Off, Secure Tasks blocks access when a certificate error occurs and displays a warning. Default value is Off.

Users can populate their task list in several ways: by creating tasks in Outlook or within Secure Tasks itself by tapping the + icon, or by flagging messages in Outlook or Secure Mail.

Users can see their tasks in Secure Tasks when they tap, respectively, the Tasks and Flagged Mail icons at the bottom of the screen. There are also icons for completed tasks and all tasks. When the task list includes tasks, users can perform several functions:

Prioritize. They can label tasks as High, Normal, or Low priority.

Apply categories. They can create categories in the app or sync categories with Outlook to help organize their tasks. Uncategorized tasks go into No Categories.

Filter by category. Users can view and manage only the tasks within the categories they select.

Search and sort. Users can search the tasks on their task lists, and they can sort tasks by due date and priority.

Set due dates. Users can set a due date for each task. When sorted, tasks are sectioned into No Due date, Overdue, Today, This week, This Month, and Other.

Set repeating tasks. Users can set tasks to repeat every day, week, weekday, month, or year. Note: Although users will see a Custom setting for repeating tasks, that feature isn't available for this tech preview.

Reply to/forward flagged mail. This feature makes it convenient to reply to a flagged mail and then immediately complete the task.

View tasks offline. When users have no Internet connectivity, they can still view tasks on their devices. They can also create, edit, and delete tasks; the changes apply when connectivity is restored and Secure Tasks is synced.

Set reminders. Notifications appear at the time the user sets.

Google analytics. You can integrate data-collection programs, such as Google Analytics, to send Citrix data to help improve Citrix products. All data collected is anonymous. You can opt out of data collection by setting the UsageAnalytics policy to Off.

Sync Behavior

By default, Secure Mail syncs flagged mail only from the Inbox. If Android users want to see flagged messages from other folders, they need to turn on syncing for those folders in Secure Mail. To do so, they select the folder to be synced and then tap the three dots in the upper-right corner to bring up Sync options. Then they tap Sync options, and select how often the flagged messages should sync.

The length of time that flagged mail and tasks are synced and stored on the device varies according to operating system:

| | Flagged Mail | Tasks |
|---|---|---|
| iOS | One month | Unlimited |
| Android | Secure Mail settings | Unlimited |

To change the sync window in Android, go to Sync options for the relevant folder, tap Days to sync and then select the sync window.

Citrix Secure Web
Nov 21, 2017

Citrix Secure Web is a mobile web browser that provides secure access to internal and external sites. You can configure Secure Web to be pushed to user devices automatically when the devices are enrolled in Citrix Secure Hub, or users can add the app from the XenMobile Store.

You can download Secure Web and other XenMobile components from XenMobile Downloads. For Secure Web and other XenMobile App system requirements, see System requirements for XenMobile Apps.

Important: The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For a table listing the XenMobile Apps enterprise versions that you can wrap with the MDX Toolkit , see the Enterprise delivery of XenMobile Apps section in XenMobile Apps administration and delivery.

Beginning with version , you can distribute Secure Web as an enterprise app or from public app stores. For more information, see XenMobile Apps administration and delivery. Citrix will support both enterprise distribution and public app store distribution until December 31, After that, only public app store distribution will be supported. The MDX Toolkit will continue to support enterprise wrapping for app developers.

To integrate and deliver Secure Web as an enterprise app, follow these general steps:

1. To enable SSO to the internal network, configure NetScaler Gateway. For HTTP traffic, NetScaler can provide SSO for all proxy authentication types supported by NetScaler. For HTTPS traffic, the Web password caching policy enables Secure Web to authenticate and provide SSO to the proxy server through MDX. MDX supports basic, digest and NTLM proxy authentication only. The password is cached using MDX and stored in the XenMobile shared vault, a secure storage area for sensitive app data. For details about NetScaler Gateway configuration, see NetScaler Gateway.

2. Download and wrap Secure Web. For details about wrapping apps, see About the MDX Toolkit.

3. Determine how you want to configure user connections to the internal network. For details, see Configuring User Connections.

4. Add Secure Web to XenMobile by using the same steps as for other MDX apps, and then configure MDX policies. For details about policies specific to Secure Web, see About Secure Web Policies.

Secure Web supports the following configurations for user connections:

Secure browse. Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as secure browse. This is the default configuration specified for the Preferred VPN mode policy. Secure browse is recommended for connections that require single sign-on (SSO).

Full VPN tunnel. Connections that tunnel to the internal network can use a full VPN tunnel, configured by the Preferred VPN mode policy. Full VPN tunnel is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network. Full VPN tunnel handles any protocol over TCP and can be used with Windows and Mac computers as well as iOS and Android devices.

The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse modes as needed. By default, this policy is off. When this policy is on, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates can be accommodated by the full VPN tunnel mode, but not secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode.

Full VPN tunnel with PAC. You can use a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment for iOS and Android devices. A PAC file contains rules that define how web browsers select a proxy to access a given URL. PAC file rules can specify handling for both internal and external sites. Secure Web parses PAC file rules and sends the proxy server information to NetScaler Gateway. The full VPN tunneling performance when a PAC file is used is comparable to secure browse mode. For details about PAC configuration, see Full VPN Tunneling with PAC.

The following table summarizes the differences between the user connection configurations.

Secure Browse, Full VPN tunnel, Full VPN tunnel with PAC file

NetScaler provides SSO. XenMobile supports proxy authentication provided by NetScaler. NetScaler provides SSO for all proxy authentication types supported by NetScaler. For authentication to HTTPS web sites, the Enable web password caching policy enables Secure Web to authenticate and provide SSO to the proxy server through MDX. MDX supports basic, digest and NTLM proxy authentication only. The password is cached using MDX and stored in the XenMobile shared vault, a secure storage area for sensitive app data.

Proxies HTTP and HTTPS traffic. Proxies HTTP and HTTPS traffic. Proxies HTTP and HTTPS traffic. Tunnels all TCP and DNS traffic originating from Secure Web for iOS and Android.

NetScaler Gateway replies to 401 and 407 responses. MDX replies to 401 responses for HTTPS traffic. NetScaler Gateway replies to 401 responses for HTTP traffic. NetScaler Gateway replies to 407 responses when a proxy server is configured. MDX replies to 401 responses for HTTPS traffic. NetScaler Gateway replies to 401 responses for HTTP traffic. NetScaler Gateway replies to 407 responses when a proxy server is configured. If NetScaler Gateway is unable to reply, it passes the request to MDX, which caches the credentials.

Rewrites URLs. Intercepts sockets.

No client certificate support for backend services. Provides client certificate validation. iOS and Android validate client certificates.

NetScaler Gateway performs name resolution and relies on DNS suffixes for internal and external sites. DNS servers perform name resolution.

HTTPS handshake is between NetScaler Gateway and the backend server. HTTPS handshake is between Secure Web and the backend server.

The following table notes whether Secure Web prompts a user for credentials, based on the configuration and site type:

| Connection mode | Site type | Password caching? | SSO configured for NetScaler Gateway? | Secure Web prompts for credentials on first access of a website? | Secure Web prompts for credentials on subsequent access of the website? | Secure Web prompts for credentials after password change? |
|---|---|---|---|---|---|---|
| Secure Browse | HTTP | No | Yes | No | No | No |
| Secure Browse | HTTPS | No | Yes | No | No | No |
| Full VPN | HTTP | No | Yes | No | No | No |
| Full VPN | HTTPS | Yes (1) | No | Yes (2) | No | Yes |

(1) If the Secure Web MDX policy Enable web password caching is On.
(2) Required to cache the credential in Secure Web.

Important: If Secure Web is configured with a PAC file and NetScaler is configured for proxy operation, Secure Web will time out. You must remove NetScaler Gateway traffic policies configured for proxy before using full VPN tunneling with PAC.

When you configure Secure Web for full VPN tunneling with your PAC file or proxy server, Secure Web sends all traffic to the proxy through NetScaler Gateway, which then routes traffic according to the proxy configuration rules. In this configuration, NetScaler Gateway is unaware of the PAC file or proxy server. The traffic flow is the same as for full VPN tunneling without PAC.

The following diagram shows the traffic flow when Secure Web users navigate to a web site:

In that example, the traffic rules specify that:
- NetScaler Gateway directly connects to the intranet site example1.net.
- Traffic to intranet site example2.net is proxied through internal proxy servers.
- External traffic is proxied through internal proxy servers.
- Proxy rules block external traffic to Facebook.com.

To configure full VPN tunneling with PAC

1. Validate and test the PAC file:

Note: For details about creating and using PAC files, see

Validate your PAC file using a PAC validation tool such as Pacparser When you read your PAC file, ensure the Pacparser results are what you expect. If the PAC file has a syntax error, mobile devices will silently ignore the PAC file. (A PAC file is stored only in memory on mobile devices.)

A PAC file is processed from the top down and processing stops when a rule matches the current query.

Test the PAC file URL with a web browser before entering it into the PAC/Proxy field of the XenMobile Server. Make sure that the computer can access the network where the PAC file is located.
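The traffic rules listed above can be written as a PAC file and checked offline before the URL goes into the PAC/Proxy field. The following is an added example, not code from Citrix or from this page: the proxy host names and ports are placeholders, the sample PAC files are constructed, and the two warnings reflect the PAC limitations this page lists for Secure Web (only the first proxy returned is used, SOCKS is not supported).

```javascript
// Added example, not Citrix code. Proxy host names and ports are placeholders.

// Constructed PAC file for the traffic rules above. Rules run top down and the
// first matching return ends evaluation.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  alert("checking " + host); // no-op here; the page says Secure Web ignores alert
  if (host === "example1.net" || dnsDomainIs(host, ".example1.net")) {
    return "DIRECT"; // intranet site reached directly
  }
  if (host === "example2.net" || dnsDomainIs(host, ".example2.net")) {
    return "PROXY proxy.corp.example:8080"; // intranet site behind the internal proxy
  }
  return "PROXY proxy.corp.example:8080"; // external traffic; the proxy applies its own block rules
}`;

// Constructed bad inputs: a missing closing brace, and a failover list with SOCKS.
const BROKEN_PAC = `function FindProxyForURL(url, host) { return "DIRECT";`;
const FAILOVER_PAC = `function FindProxyForURL(url, host) {
  return "PROXY p1.corp.example:8080; SOCKS p2.corp.example:1080";
}`;

// The subset of the standard PAC helper functions that these files call.
const PAC_HELPERS = {
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  isPlainHostName: (host) => !host.includes("."),
  alert: () => {},
};

// Compile the PAC text. A syntax error throws here instead of being silently
// ignored, which is what the page says happens on the device.
function loadPac(source) {
  const names = Object.keys(PAC_HELPERS);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((name) => PAC_HELPERS[name]));
}

// Evaluate one URL and flag return values that Secure Web does not support.
function evaluatePac(findProxy, url) {
  const host = new URL(url).hostname;
  const entries = String(findProxy(url, host))
    .split(";")
    .map((entry) => entry.trim())
    .filter(Boolean);
  const warnings = [];
  if (entries.length > 1) warnings.push("multiple proxies returned; only the first is used");
  if (entries.some((entry) => /^SOCKS/i.test(entry))) warnings.push("SOCKS proxy servers are not supported");
  return { url, effective: entries[0] || null, warnings };
}

// Compare the PAC file's answers with the routing the administrator intends.
function checkPac(source, expected) {
  let findProxy;
  try {
    findProxy = loadPac(source);
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}`, results: [] };
  }
  const results = Object.entries(expected).map(([url, want]) => {
    const result = evaluatePac(findProxy, url);
    return { ...result, want, pass: result.effective === want && result.warnings.length === 0 };
  });
  return { ok: results.every((r) => r.pass), error: null, results };
}

// Intended routing for the example rules (constructed test URLs).
const EXPECTED = {
  "http://example1.net/wiki": "DIRECT",
  "https://app.example2.net/": "PROXY proxy.corp.example:8080",
  "https://www.facebook.com/": "PROXY proxy.corp.example:8080",
};

const report = checkPac(PAC_SOURCE, EXPECTED);
console.log(report.ok ? "PAC file matches the intended routing" : report);
```

A PAC file that calls other helper functions, such as shExpMatch, needs them added to PAC_HELPERS before this check can evaluate it.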

Tested PAC file extensions are .txt or .pac. The PAC file should show its contents inside the web browser.

Important: Each time you update the PAC file used with Secure Web, inform users that they must close and reopen Secure Web.

2. Configure NetScaler Gateway:

Disable NetScaler Gateway split tunneling. If split tunneling is on and a PAC file is configured, the PAC file rules override the NetScaler split tunneling rules. A proxy does not override NetScaler split tunneling rules.

Remove NetScaler Gateway traffic policies configured for proxy. This is required for Secure Web to work correctly. The following figure shows an example of the policy rules to remove.

3. Configure Secure Web policies:

Set the Preferred VPN mode policy to Full VPN tunnel.

Set the Permit VPN mode switching policy to Off.

Configure the PAC file URL or proxy server policy. Secure Web supports HTTP and HTTPS as well as default and nondefault ports. For HTTPS, the root certificate authority must be installed on the device if the certificate is self-signed or untrusted. Be sure to test the URL or proxy server address in a web browser before configuring the policy.

Example PAC file URLs: http[s]://example.com/proxy.pac http[s]:// /proxy.txt

Example proxy servers (port is required): myhost.example.com:port :port

Note

If you configure a PAC file or proxy server, do not configure PAC in system proxy settings for WiFi.

Set the Enable web password caching policy to On. Web password caching handles SSO for HTTPS sites. NetScaler can perform SSO for internal proxies if the proxy supports the same authentication infrastructure.

Limitations of PAC file support

Secure Web does not support:
- Failover from one proxy server to another. PAC file evaluation can return multiple proxy servers for a hostname. Secure Web uses only the first proxy server returned.
- Protocols, such as ftp and gopher in a PAC file.
- SOCKS proxy servers in a PAC file.
- Web Proxy Autodiscovery Protocol (WPAD).

Secure Web ignores the PAC file function alert so that Secure Web can parse a PAC file that doesn't include those calls.

When adding Secure Web, be aware of these MDX policies that are specific to Secure Web.

For all supported mobile devices:

Allowed or blocked websites
Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a plus sign (+) or minus sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
- A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
- A plus (+) prefix allows the URL to be processed normally.
- If neither + nor - is provided with the pattern, + (allow) is assumed.
- If the URL does not match any pattern in the list, the URL is allowed.

To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:
- The policy value + permits HTTP URLs within mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
- The policy value + allows users to open any sites in Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.

Default value is empty (all URLs allowed).

Block pop-ups
Popups are new tabs that websites open without your permission. This policy determines whether Secure Web allows popups. If On, Secure Web prevents websites from opening pop-ups. Default value is Off.
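The Allowed or blocked websites policy above is an ordered, first-match list with a default of allow, so both rule order and a missing -* change the outcome. The following is an added example, not Citrix code, that evaluates a policy string the way the text describes and reports the two review findings that follow from it. The policy strings are constructed, and the matching semantics (each pattern is compared with the whole URL, * matches any run of characters, comparison is case-insensitive) are assumptions.

```javascript
// Added example, not Citrix code. Assumed semantics: a pattern is compared with
// the whole URL, "*" matches any run of characters, matching is case-insensitive.

function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Split the comma-separated policy into ordered rules. A pattern with no
// prefix is treated as "+" (allow), as the policy text states.
function parseUrlPolicy(policy) {
  return policy
    .split(",")
    .map((item) => item.trim())
    .filter(Boolean)
    .map((item) => {
      const hasPrefix = item[0] === "+" || item[0] === "-";
      const pattern = hasPrefix ? item.slice(1) : item;
      return {
        action: item[0] === "-" ? "block" : "allow",
        pattern,
        regex: globToRegExp(pattern),
      };
    });
}

// First matching rule decides; a URL that matches nothing is allowed.
function decide(rules, url) {
  const hit = rules.find((rule) => rule.regex.test(url));
  return hit
    ? { action: hit.action, matched: hit.pattern }
    : { action: "allow", matched: null };
}

// Review findings that follow directly from the first-match, default-allow rules.
function auditUrlPolicy(rules) {
  const findings = [];
  const catchAll = rules.findIndex((rule) => rule.pattern === "*");
  if (catchAll === -1 || rules[catchAll].action !== "block") {
    findings.push("no -* rule: URLs that match nothing are allowed");
  }
  if (catchAll !== -1 && catchAll < rules.length - 1) {
    findings.push(`${rules.length - 1 - catchAll} rule(s) after "*" can never match`);
  }
  return findings;
}

// Constructed policy: HTTP only inside corp.example, HTTPS anywhere, nothing else.
const STRICT_POLICY = "+http://*.corp.example/*,-http://*,https://*,-*";
// Constructed weak policy: the block rule comes first and there is no -*.
const WEAK_POLICY = "-http://*,+http://*.corp.example/*";

const strictRules = parseUrlPolicy(STRICT_POLICY);
const weakRules = parseUrlPolicy(WEAK_POLICY);

for (const url of [
  "http://wiki.corp.example/home",
  "http://corp.example/",          // no subdomain, so "*.corp.example" does not match
  "https://news.example.org/",
  "ftp://files.example.org/pub",
]) {
  console.log(url, decide(strictRules, url), decide(weakRules, url));
}
console.log(auditUrlPolicy(strictRules), auditUrlPolicy(weakRules));
```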

Preloaded bookmarks
Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list of tuples that include folder name, friendly name, and web address. Each triplet should be of the form folder,name,url where folder and name may optionally be enclosed in double quotes ("). For example, the policy values,"mycorp, Inc. home page", "MyCorp Links",Account logon, "MyCorp Links/Investor Relations","Contact us", define three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link will be placed in a folder titled "MyCorp Links" and labeled "Account logon". The third will be placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us". Default value is empty.

Home page URL
Defines the website that Secure Web loads when started. Default value is empty (default start page).

For supported Android and iOS devices only:

Browser user interface
Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible. Options:
- All controls visible. All controls are visible and users are not restricted from using them.
- Read-only address bar. All controls are visible, but users cannot edit the browser address field.
- Hide address bar. Hides the address bar, but not other controls.
- Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.

Enable web password caching
When Secure Web users enter credentials when accessing or requesting a web resource, this policy determines whether Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs and not to passwords entered in web forms. If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache passwords and removes existing cached passwords. Default value is Off. This policy is enabled only when you also set the Preferred VPN policy to Full VPN tunnel for this app.

Proxy servers
You can also configure proxy servers for Secure Web when used in secure browse mode. For details, see this blog post.

DNS suffixes
On Android, if DNS suffixes aren't configured, the VPN could fail. For details on configuring DNS suffixes, see Supporting DNS Queries by Using DNS Suffixes for Android Devices.

This section is for website developers who need to prepare an intranet site for use with Secure Web for Android and iOS. Intranet sites designed for desktop browsers require changes to work properly on Android and iOS devices. Secure Web relies on Android WebView and iOS UIWebView to provide web technology support.

Some of the web technologies supported by Secure Web are:
- AngularJS
- ASP.NET
- JavaScript
- JQuery
- WebGL
- WebSockets

Some of the web technologies not supported by Secure Web are:
- Flash
- Java

The following table shows the HTML rendering features and technologies supported for Secure Web. X indicates the feature is available for a platform, browser, and component combination.

Technology, iOS Secure Web, Android 5.x/6.x/7.x Secure Web
JavaScript engine: JavaScriptCore, V8
Local Storage X X
AppCache X X
IndexedDB X
SPDY X
WebP X
srcet X X
WebGL X
requestAnimationFrame API X
Navigation Timing API X
Resource Timing API X

Technologies work the same across devices; however, Secure Web returns different user agent strings for different devices. To determine the browser version used for Secure Web, you can view its user agent string. From Secure Web, navigate to

To troubleshoot rendering issues when your intranet site is viewed in Secure Web, compare how the website renders on Secure Web and a compatible third-party browser.

| Operating system | Compatible third-party browsers |
|---|---|
| iOS | Chrome, Dolphin |
| Android | Dolphin |

Note: Chrome is a native browser on Android. Do not use it for the comparison.

In iOS, make sure the browsers have device-level VPN support. You can configure this on the device in Settings > VPN > Add VPN Configuration. You can also use VPN client apps available on the App Store, such as Citrix VPN, Cisco AnyConnect, or Pulse Secure.

If a web page renders the same for the two browsers, the issue is with your website. Update your site and make sure it works well for the OS.

If the issue on a web page appears only in Secure Web, contact Citrix Support to open a support ticket. Please provide your troubleshooting steps, including the tested browser and OS types. If Secure Web for iOS has rendering issues, please include a web archive of the page as described in the following steps. Doing so helps Citrix resolve the issue faster.

To create a web archive file

Using Safari on macOS 10.9 or later, you can save a web page as a web archive file (referred to as a reading list) that includes all linked files such as images, CSS, and JavaScript.

1. From Safari, empty the Reading List folder: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type the path name ~/Library/Safari/ReadingListArchives/, and then delete all of the folders in that location.

2. In the Menu bar, go to Safari > Preferences > Advanced and enable Show Develop menu in menu bar.

3. In the Menu bar, go to Develop > User Agent and enter the Secure Web user agent:(mozilla/5.0 (ipad; CPU OS 8_3 like macos) AppleWebKit/ (KHTML, like Gecko) Mobile/12F69 Secure Web/ (build 1.4.0) Safari/ ).

4. In Safari, open the web site you will save as a reading list (web archive file).

5. In the Menu bar, go to Bookmarks > Add to Reading List. This can take a few minutes. The archiving occurs in the background.

6. Locate the archived reading list: In the Menu bar, go to View > Show Reading List Sidebar.

7. Verify the archive file:
   1. Turn off network connectivity to your Mac.
   2. Open the web site from the reading list. The web site should completely render.

8. Compress the archive file: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type the path name ~/Library/Safari/ReadingListArchives/, and then compress the folder that has a random hex string as a file name. This is the file that you can send to Citrix support when you open a support ticket.

Secure Web makes use of mobile data exchange technologies to create a dedicated VPN tunnel for users to access internal and external websites and all other websites - including sites with sensitive information - in an environment secured by your organization's policies.

The integration of Secure Web with Secure Mail and ShareFile offers a seamless user experience within the secure XenMobile container. Here are some examples of integration features:
- When users tap mailto links, a new message opens in Citrix Secure Mail with no additional authentication required.
- In iOS, users can open a link in Secure Web from a native mail app by inserting ctxmobilebrowser:// in front of the URL. For example, to open example.com from a native mail app, use the URL ctxmobilebrowser://example.com.
- When users click an intranet link in an email message, Secure Web goes to that site with no additional authentication required.
- Users can upload files to ShareFile that they download from the web in Secure Web.

Secure Web users can also perform the following actions:

- Block pop-ups.
  Note: Much of Secure Web memory goes into rendering pop-ups, so performance is often improved by blocking pop-ups in Settings.
- Bookmark their favorite sites.
- Download files.
- Save pages offline.
- Auto-save passwords.
- Clear cache/history/cookies.
- Disable cookies and HTML5 local storage.
- Securely share devices with other users.
- Search within the address bar.
- Allow web apps they run with Secure Web to access their location.
- Export and import settings.
- Open files directly in ShareFile without having to download the files. To enable this feature, add ctx-sf: to the Allowed URLs policy in XenMobile.
- In iOS, use 3D Touch actions to open a new tab and access offline pages, favorite sites, and downloads directly from the home screen.
- In iOS, download files of any size and open them in ShareFile or other apps.
  Note: Putting Secure Web in the background causes the download to stop.
- Search for a term within the current page view using Find in Page.

Secure Web also has dynamic text support, so it displays the font that users set on their devices.

The following figure shows what users see when first opening Secure Web, as well as the various options within the app. For the PDF version of the figure, download the Secure Web Quick Reference Guide.

Columns: iOS, Android, Windows Mobile

VIDEO [1]
H.263 AMR NB codec_mp4: X X
H.263 AMR NB codec_3gp: X X
H.264 AAC codec_3gp: X X
H.264 AVC codec_mp4: X X
MOV: X X X
MP4 [2]: X X X
3GP: X X
WMV: X

[1] Secure Web currently doesn't support video playback.
[2] MP4 is not supported when Secure Web is running in full VPN mode.

AUDIO
Flac: X X
AAC: X X X
m4a: X X
3GP (AMR-NB): X X
mp3: X X X
wav: X X X
wma: X X
AC3: X
AMR: X

IMAGE
JPEG: X X
PNG: X X
GIF: X
TIFF: X
Progressive JPEG: X
Animated GIF: X
SVG: X

DOCUMENT [1]
DOT: X X
PDF: X (iOS); Download only; open in QuickEdit or other app to preview. (Android); X (Windows Mobile)
PPT: X X
PPTX: X X
DOC: X X
DOCX: X X
XLS: X X
XLSX: X X
TXT: X X X
DAT: X
XSD: X
JSON: X

[1] To preview documents on Android, you need Office apps, like QuickEdit, installed.

iOS Data Protection

Nov 21, 2017

Enterprises that must meet Australian Signals Directorate (ASD) data protection requirements can use the Enable iOS data protection policies for Secure Mail and Secure Web. By default, the policies are Off.

When Enable iOS data protection is On for Secure Web, Secure Web uses Class A protection level for all files in the sandbox. For details about Secure Mail data protection, see Australian Signals Directorate Data Protection. If you enable this policy, the highest data protection class is used, so there is no need to also specify the Minimum data protection class policy.

To change the Enable iOS data protection policy:

1. Use the latest MDX Toolkit to wrap the latest version of XenMobile Apps. For details, see Wrapping iOS Mobile Apps and Wrapping XenMobile Apps for iOS 8 or iOS
2. Use the XenMobile console to load the MDX files to the XenMobile Server: For a new app, navigate to Configure > Apps > Add and then click MDX. For an upgrade, see Upgrade MDX or enterprise apps.
3. For Secure Mail, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices running older operating system versions are not affected when this policy is enabled.
4. For Secure Web, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices running older operating system versions are not affected when this policy is enabled.
5. Configure the app policies as usual and save your settings to deploy the app to the XenMobile Store.

Citrix QuickEdit for XenMobile

Nov 21, 2017

Tip
As of XenMobile Apps , an in-app guide is available to help users export their app settings and install the public store versions of apps like Citrix QuickEdit for XenMobile.

Citrix QuickEdit is the editing tool for XenMobile Apps. Its compatibility with Citrix Secure Mail and Citrix ShareFile for XenMobile allows for a seamless workflow within the secure XenMobile environment. With this app on a mobile device or tablet, users can:

- Create and edit documents, presentations, spreadsheets, and image files.
- View and annotate PDFs.
- Open and edit Secure Mail attachments with either QuickEdit or ShareFile.

Many of the standard features of the Microsoft Office suite are available in QuickEdit. For more details about QuickEdit features, consult the user guide included in the help menu of the iOS app or the Help option in the overflow menu of the Android app. You may also view the Getting Started guide in the link below.

You can configure QuickEdit to be pushed to user devices automatically when the devices are enrolled in Citrix Secure Hub, or users can add the app from the XenMobile Store. Information on integrating and delivering QuickEdit can be found further down this page. QuickEdit is also compatible with native mail programs for easy sharing or transferring of files, either as an attachment or ShareFile link.

You can download QuickEdit from the XenMobile downloads page. For QuickEdit and other XenMobile App system requirements, see System requirements for XenMobile Apps.

QuickEdit iOS User Guide

To integrate and deliver QuickEdit with XenMobile, follow these general steps:

1. You can optionally enable SSO from Secure Hub. To do that, configure ShareFile account information in XenMobile to enable XenMobile as a SAML identity provider for ShareFile. Configuring the ShareFile account information in XenMobile is a one-time setup used for all XenMobile, ShareFile, and non-MDX ShareFile clients. For details, see Integrating and Delivering ShareFile XenMobile Clients.
2. Download and wrap QuickEdit. For details, see About the MDX Toolkit.
3. Add QuickEdit to XenMobile using the same steps as for other MDX apps. For details, see Add an MDX app.

Important

Known Issue: Found in QuickEdit version 6.14 (iOS)

When you try to send files to Secur from QuickEdit or ScanDirect, the transfer fails. As a workaround, add the following file encryption exclusion within the policy settings for these apps:

"\/tmp\/\.com\.apple\.pasteboard"

ShareConnect

Nov 21, 2017

With ShareConnect, users can securely connect to their computers through iPads, Android tablets, and Android phones to access their files and applications. Users can:

- Work on files that reside on both their computers and on connected and networked drives.
- Run apps from the target machine within ShareConnect.
- Have mobile app access without the need to wrap other XenMobile apps.
- Run ShareConnect on XenDesktop for mobile-optimized access.

You can download the MDX version of ShareConnect from the XenMobile downloads page. For general information on how to install and use ShareConnect, see the Citrix Knowledge Center.

For ShareConnect and other XenMobile App system requirements, see System requirements for XenMobile Apps.

The following video demonstrates ShareConnect features.

Architecture Overview

ShareConnect components include the Citrix-owned ShareConnect Broker and the ShareConnect Communication Servers, as shown in the following figure. The ShareConnect Broker is an application server and database that maps users to computers and lets users know whether their host computer is online or offline. ShareConnect Communication Servers are used to exchange data between host and client computers. That data can flow through a secure micro VPN tunnel between the host and client computers based on XenMobile settings.

In addition, ShareFile can provide user authentication through single sign-on (SSO) with a SAML Identity Provider (IdP), such as XenMobile or Active Directory Federation Services (ADFS). Access to resources outside of the network is provided through NetScaler Gateway in a deployment with XenMobile.

ShareConnect establishes either direct or indirect connections:

- Direct connections. ShareConnect establishes a direct connection between the client computer and host computer if the computers are on the same LAN or WiFi network. In this scenario, data flows directly between the host computer and the client computer or mobile device being used to access it. Data does not flow through the ShareConnect Communication Servers, resulting in optimal performance. For direct connections, XenMobile uses NetScaler Gateway to provide secure access to resources outside of the local network.
- Indirect connections. ShareConnect establishes an indirect connection between the client computer and host computer if the computers are not directly reachable. In this scenario, data flows through the ShareConnect Communication Servers.

The following figure shows the connections used when users access a host computer from a computer or mobile device running ShareConnect using direct connections. Connection steps are described after the figure.

1. In this scenario, XenMobile is configured to act as a SAML IdP for ShareFile, to provide SSO from Worx Home. ShareConnect requests a SAML token from Worx Home, which in turn passes the request to XenMobile through NetScaler Gateway. XenMobile then sends the SAML token to ShareConnect.
2. ShareConnect sends the SAML token to ShareFile for validation and to exchange the SAML token for an OAuth token.
3. ShareConnect sends the OAuth token to the ShareConnect Broker, which then sends a session token to ShareConnect.
4. ShareConnect gets a list of host computers from the ShareConnect Broker and prompts for host computer credentials. ShareConnect then establishes a direct connection with the ShareConnect Communication Server. After the host computer validates the credentials, ShareConnect gets a list of files and apps from the host computer. After the user opens a file or app, a direct connection occurs between ShareConnect and the host computer.
5. The ShareConnect agent on the host computer sends status messages to ShareConnect Poll Server to indicate whether it's online or offline.
6. The ShareConnect Poll Server sends load-balanced requests from the ShareConnect agent to the ShareConnect Broker and sends host status updates to the ShareConnect Broker.

ShareConnect uses built-in 128-bit AES encryption so that all data sent between the ShareConnect client and a host computer running the ShareConnect agent is fully encrypted from end to end. The encryption key is unique for each connection. Even the most sophisticated devices cannot intercept the data necessary to decode the encryption.

You typically configure ShareConnect so that data is routed directly between the ShareConnect client and a host computer. Data is not routed through the ShareConnect Communication Servers unless you configure the Network access policy for unrestricted access. For policy details, see To add ShareConnect to XenMobile in this article. For direct or indirect connections, encrypted metadata, such as the IP addresses and ports needed to establish connections, is sent to ShareConnect servers.

In addition, MDX wrapping of ShareConnect provides data encryption through the MDX Vault, which encrypts MDX-wrapped apps and associated stored data on both iOS (pre-iOS 9) and Android devices using FIPS-certified cryptographic modules provided by OpenSSL.

Information on Security Settings and Admin controls can be found in the security whitepaper linked below.

ShareConnect Security Whitepaper
ShareConnect Administrator Guide

You must open the following ports to allow ShareConnect communications. The port requirements differ depending on the type of connection, either direct connections (if the computers are on the same LAN or WiFi network) or indirect connections (if the client and host computers cannot directly reach each other).

For direct connections

TCP port: 80
Description: Used for outbound connections from NetScaler Gateway to app.shareconnect.com.
Source: NetScaler Gateway
Destination: app.shareconnect.com

TCP port: 80 / 443 / 8200
Description: At least one of these ports is required for outbound connections from NetScaler Gateway to the ShareConnect Communication Server. For more information, see
Source: NetScaler Gateway
Destination: ShareConnect Communication Servers

TCP port: 80 / 443 / 8200
Description: Used for outbound connections from ShareConnect host computers to Citrix servers.
Source: ShareConnect host computers
Destination: poll.shareconnect.com, ShareConnect Communication Servers

TCP port: 443
Description: Used for outbound connections from NetScaler Gateway to required sites.
Source: NetScaler Gateway
Destination: crashlytics.com, secure.sharefile.com, ShareFile_subdomain.sharefile.com

Description: Used for outbound connections from NetScaler Gateway to ShareConnect host computers.
Source: NetScaler Gateway
Destination: LAN-based ShareConnect host computers

Description: Used for inbound connections from NetScaler Gateway to ShareConnect host computers.
Source: NetScaler Gateway
Destination: LAN-based ShareConnect host computers

For indirect connections

TCP port: 80
Description: Used for outbound connections from the ShareConnect agent to app.shareconnect.com.
Source: ShareConnect agent
Destination: app.shareconnect.com

TCP port: 80 / 443 / 8200
Description: At least one of these ports is required for outbound connections from the ShareConnect agent to the ShareConnect Communication Server. For more information, see
Source: ShareConnect agent
Destination: ShareConnect Communication Servers

TCP port: 80 / 443 / 8200
Description: Used for outbound connections from ShareConnect host computers to Citrix servers.
Source: ShareConnect host computers
Destination: poll.shareconnect.com, ShareConnect Communication Servers

TCP port: 443
Description: Used for outbound connections from the ShareConnect agent to required sites.
Source: ShareConnect agent
Destination: crashlytics.com, secure.sharefile.com, ShareFile_subdomain.sharefile.com

Integrating and Delivering ShareConnect

To integrate and deliver ShareConnect with XenMobile, follow these general steps:

1. You can optionally enable SSO from Worx Home. To do that, you configure ShareFile account information in XenMobile to enable XenMobile as a SAML IdP for ShareFile. Configuring the ShareFile account information in XenMobile is a one-time setup used for all Worx clients, ShareFile Worx clients, and non-MDX ShareFile clients. For details, see To configure ShareFile account information in XenMobile for SSO.
2. Download and wrap ShareConnect. For details, see About the MDX Toolkit.
3. Add ShareConnect to XenMobile and configure MDX policies. For details, see To add ShareConnect to XenMobile, in this article.
4. Install the ShareConnect agent on host computers. The ShareConnect agent is an MSI package, so you can use your existing software deployment methods to distribute and install the agent. Users must then register the host computer by signing on to the Agent using their ShareFile credentials within one hour of installation.
Alternatively, users can install the ShareConnect agent on the computer they will connect to with ShareConnect. For details, see To install the ShareConnect agent on a computer, in this article.

To add ShareConnect to XenMobile

You add ShareConnect to XenMobile using the same steps as for other MDX apps. For details, see Add an MDX app. When adding ShareConnect, configure the MDX policies for it as shown in the following table.

Policy: Network access
Value: Tunneled to the internal network or Unrestricted
Results: Tunneled to the internal network uses a per-application VPN tunnel back to the internal network for all network access. This configuration provides direct connection between ShareConnect and a host computer. Unrestricted uses Citrix-owned Communication Servers to route encrypted data between a host computer and ShareConnect. Be sure to test your setup with unrestricted access to ensure everything works, even if you plan to use Tunneled to the internal network for network access.

Policy: Preferred VPN mode
Value: Secure browse
Results: Sets the initial connection mode appropriately for connections that require SSO.

Policy: Enable encryption
Value: On
Results: Encrypts the data stored on the tablet. For details about data encryption and iOS 9, see Advisory: iOS 9 and XenMobile.

Policy: Cut and copy
Value: Unrestricted
Results: Enables cut and copy operations for ShareConnect.

Policy: Paste
Value: Unrestricted
Results: Enables paste operations for ShareConnect.

Policy: Document Exchange (Open In)
Value: Unrestricted
Results: Permits users to open any file on the connected computer or a connected network drive from ShareConnect.

Policy: Save Password
Value: Off
Results: Requires users to enter the user name and password for their computer each time they sign on to ShareConnect.

For details, see About MDX Policies for XenMobile apps.

To install the ShareConnect agent on a computer

The following steps describe how a user installs the ShareConnect agent on each physical or virtual computer they want to connect to from a supported mobile device. Before performing these steps, the user must first install Worx Home and follow the prompts to allow the XenMobile apps to install on the supported mobile device.

1. Sign on to Worx Home on the tablet.
2. Open ShareConnect.
3. Tap download link.

Citrix sends an email to you from
4. From the host computer that you want to access from ShareConnect, open the email.
5. In the email, click Set up this computer.
6. Double-click ShareConnect_Installer.exe to begin the installation. The ShareConnect agent installs on your host computer. During the installation, ShareConnect prompts for an email address (if ShareFile SSO is configured) or for ShareFile credentials (if ShareFile SSO is not configured).
7. Follow the instructions provided in the ShareConnect and Get Started wizards.

The ShareConnect agent then registers the host computer, which can connect from a ShareConnect client provided that the host computer is powered on and can reach poll.shareconnect.com on at least one published port (80, 443, or 8200).

ShareConnect Features

- Add host computers. Users can add and connect to remote host computers from supported mobile devices using ShareConnect.
- Access files. Users can view a list of recent files and browse and search for files on their host computer and connected drives.
- Edit files. From tablets, users can access desktop applications on their host computers to edit files. Users can work with the applications in full screen.
- Screen share. Instead of viewing a single file or app, users can use the screen-sharing feature to view their host computer's desktop.
- ShareFile integration. Users can move or share files between the host computer and ShareFile.
- Keyboard and mouse. ShareConnect supports the simultaneous use of a Bluetooth keyboard and the Citrix XI Prototype Mouse.
- Restricted ports. ShareConnect uses ports to only.
- Forced passwords for each sign-on. For enhanced security, you can configure this option to require users to enter their computer passwords every time they sign on to ShareConnect. When the Save password policy is turned off, as shown in the following figure, users are forced to enter their sign-on credentials for every connection.

- Add or delete apps. Users can add or delete apps from their app tray in ShareConnect by toggling the switch beside each app to select or deselect it.
- Cache previewed files. ShareConnect caches already-accessed files so that the files don't download again if users preview other files and then come back to the earlier ones. This feature improves load times when users subsequently access files.

Troubleshooting ShareConnect

Issue: If a user downloads the ShareConnect agent and waits an hour or more to start the installation, the user must enter their ShareFile account name and password to register the ShareConnect agent.
Description and resolution: The ShareConnect agent installer includes a token that expires one hour after download. If a user doesn't start the installation before the token expires, the user must sign on to their ShareFile account twice, first to register the ShareConnect agent and then to sign on to the agent after the installation completes. If users download and install the ShareConnect agent within an hour, they are prompted to sign on only once.

Issue: During registration of the ShareConnect agent, the agent does not connect and an error message such as "Please check your connection and try again." appears.
Description and resolution: Verify that the port to poll.shareconnect.com is not blocked. For details, see the System Requirements earlier in this article.

Important
As described in To add ShareConnect to XenMobile earlier in this article, Citrix recommends that, to test ShareConnect, you set the Network Access policy to Unrestricted to rule out issues with ports and network settings. Unrestricted access forces ShareConnect to connect through the ShareConnect Communication Servers, which typically enable you to test the connection if the ShareConnect mobile device and host computer have Internet access.

Issue: ShareConnect starts, but does not connect to the host computer and does not prompt for credentials.
Description and resolution: Verify that your setup meets the port requirements detailed earlier in this article under System Requirements.

Issue: Users are unable to sign on to ShareConnect using their ShareFile account credentials.
Description and resolution: SSO to ShareConnect requires that your ShareFile account is configured with a SAML IdP. For details about using XenMobile as a SAML IdP, see To configure ShareFile account information in XenMobile for SSO. For details about configuring other IdPs, see ShareFile Single Sign-On. If SSO is not configured for your account, ShareConnect for iOS prompts for the user's ShareFile username and password.

Issue: After users sign on to ShareConnect, ShareConnect cannot connect to the host computer.
Description and resolution: When ShareConnect is configured for direct connections (that is, the Network access policy is set to Tunneled to the internal network), connection failures can occur if there are restrictions in network settings like firewalls blocking or proxy servers configured.
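The port requirements and the troubleshooting entries above can be verified from a host computer before opening a ticket. The following Python check is an added example, not part of the Citrix documentation or product: it encodes the indirect-connection rows of the port table that name a host, including the "at least one of 80, 443, or 8200" rule for poll.shareconnect.com, and evaluates them with a pluggable probe. The subdomain "example", the function names, and the constructed egress policy are assumptions made for illustration.

```python
"""Outbound port check for a ShareConnect host computer (indirect connections)."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple

Probe = Callable[[str, int], bool]  # (host, port) -> True if TCP connect succeeds


@dataclass(frozen=True)
class Requirement:
    destination: str
    ports: Tuple[int, ...]
    any_of: bool   # True: one open port is enough; False: every port must be open
    purpose: str


def requirements(sharefile_subdomain: str) -> List[Requirement]:
    """Rows of the page's indirect-connection port table that name a host.

    The ShareConnect Communication Servers row is left out because the page
    does not list host names for those servers.
    """
    return [
        Requirement("app.shareconnect.com", (80,), False, "agent to app.shareconnect.com"),
        Requirement("poll.shareconnect.com", (80, 443, 8200), True, "host status polling"),
        Requirement("crashlytics.com", (443,), False, "required site"),
        Requirement("secure.sharefile.com", (443,), False, "required site"),
        Requirement(sharefile_subdomain + ".sharefile.com", (443,), False, "required site"),
    ]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live probe: True when a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or DNS failure
        return False


def evaluate(reqs: List[Requirement], probe: Probe = tcp_probe):
    """Return (requirement, open_ports, satisfied) for each requirement."""
    results = []
    for req in reqs:
        open_ports = tuple(p for p in req.ports if probe(req.destination, p))
        satisfied = bool(open_ports) if req.any_of else open_ports == req.ports
        results.append((req, open_ports, satisfied))
    return results


def failures(results) -> List[str]:
    """Destinations whose port requirement is not met."""
    return [req.destination for req, _open, ok in results if not ok]


def report(results) -> str:
    """One line per destination, suitable for pasting into a support ticket."""
    lines = []
    for req, open_ports, ok in results:
        wanted = " / ".join(map(str, req.ports))
        opened = ", ".join(map(str, open_ports)) or "none"
        status = "OK  " if ok else "FAIL"
        lines.append(f"{status} {req.destination} (needs {wanted}; open: {opened})")
    return "\n".join(lines)


# Constructed egress policy for an offline run: only these flows are allowed.
CONSTRUCTED_ALLOWED = {
    ("app.shareconnect.com", 80),
    ("poll.shareconnect.com", 8200),
    ("crashlytics.com", 443),
    ("secure.sharefile.com", 443),
}


def constructed_probe(host: str, port: int) -> bool:
    """Stand-in for tcp_probe that consults the constructed policy above."""
    return (host, port) in CONSTRUCTED_ALLOWED


if __name__ == "__main__":
    reqs = requirements("example")  # "example" is a placeholder subdomain
    print(report(evaluate(reqs, constructed_probe)))
    # On a real host computer, run the live check instead:
    # print(report(evaluate(reqs)))
```

A completed TCP handshake shows only that the port is not filtered; it does not show that an intermediate proxy will pass the agent's traffic, which the last troubleshooting entry names as a separate cause of connection failures.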

Citrix ShareFile for XenMobile

Nov 21, 2017

ShareFile is an enterprise file sync and sharing service that lets users exchange documents easily and securely. ShareFile gives users a variety of access options, including ShareFile mobile clients, such as ShareFile for Android Phone and ShareFile for iPad.

You can integrate ShareFile with XenMobile to provide the full ShareFile Enterprise feature set or to provide access only to ShareFile Connectors. By default, the XenMobile console enables configuration of ShareFile Enterprise only. To configure XenMobile for use with StorageZones Connectors instead, see ShareFile Integration with XenMobile in the XenMobile documentation.

ShareFile for XenMobile clients are MDX-capable versions of ShareFile mobile clients. These clients provide secure, integrated access to data in other MDX-wrapped apps. ShareFile for XenMobile clients also benefit from MDX features, such as micro VPN, single sign-on (SSO) with Secure Hub, and two-factor authentication.

You use XenMobile, ShareFile, ShareFile StorageZones Controller, and NetScaler as follows to deploy and manage ShareFile for XenMobile clients:

- When XenMobile is configured with ShareFile Enterprise, XenMobile acts as a SAML identity provider (IdP) and deploys ShareFile for XenMobile clients. ShareFile manages ShareFile data. No ShareFile data travels through XenMobile.
- When XenMobile is configured with ShareFile Enterprise or with StorageZones Connectors, the ShareFile StorageZones Controller provides connectivity to data in network shares and SharePoint. Users access your stored data through the ShareFile XenMobile apps. Users can edit Microsoft Office documents as well as preview and annotate Adobe PDF files from mobile devices.
- NetScaler manages requests from external users, securing their connections, load balancing requests, and handling content switching for StorageZones Connectors.

You can download ShareFile for XenMobile clients from

You can download ShareFile for XenMobile clients for Android and iOS, including separate iOS clients for use with restricted StorageZones.

For ShareFile for XenMobile and other XenMobile App system requirements, see System requirements for XenMobile Apps.

Article Contents

- How ShareFile for XenMobile Clients Differ from ShareFile Mobile Clients
- System Requirements for ShareFile for XenMobile
- Integrating and Delivering ShareFile for XenMobile clients
- Configure ShareFile account information for XenMobile SSO
- Add ShareFile for XenMobile Clients to XenMobile
- Validate ShareFile for XenMobile Clients

The following table describes the differences between ShareFile for XenMobile clients and ShareFile mobile clients. ShareFile for XenMobile clients are also referred to as wrapped ShareFile. ShareFile mobile clients are also referred to as unwrapped ShareFile.

Feature: User access
ShareFile for XenMobile clients: Users obtain and open ShareFile for XenMobile clients from Secure Hub.
ShareFile mobile clients: Users obtain ShareFile mobile clients from app stores.

Feature: SSO
ShareFile for XenMobile clients: For XenMobile integration with ShareFile Enterprise: You can configure XenMobile as a SAML IdP for ShareFile. In this configuration, Secure Hub obtains a SAML token for the ShareFile for XenMobile client, using XenMobile as the SAML IdP. A user who starts the ShareFile for XenMobile client, but is not signed on to Secure Hub, is prompted to sign on to Secure Hub. The user does not have to know their ShareFile domain or account information.
ShareFile mobile clients: You can configure XenMobile and NetScaler Gateway as a SAML IdP for ShareFile. In this configuration, a user logging on to ShareFile using a web browser or other ShareFile clients is redirected to the XenMobile environment for user authentication. After successful authentication by XenMobile, the user receives a SAML token that is valid for logon to their ShareFile account.

Feature: Micro VPN
ShareFile for XenMobile clients: Remote users can connect using a VPN or micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network. This feature, available through NetScaler integration with XenMobile, is transparent to users.
ShareFile mobile clients: Not applicable.

Feature: Two-factor authentication
ShareFile for XenMobile clients: NetScaler integration with XenMobile also supports authentication using a combination of client certificate authentication and another authentication type, such as LDAP or RADIUS.
ShareFile mobile clients: Not applicable.

Feature: Folder permissions
For XenMobile integration with ShareFile Enterprise: Determined by ShareFile.

Feature: Document access protection
ShareFile for XenMobile clients: Users can open attachments received in Secure Mail or downloaded by any MDX-wrapped app. Only MDX-wrapped apps appear when the user performs an Open In action. Data that is from a non-wrapped app is not available to a ShareFile for XenMobile client. Secure Mail users can attach files from their ShareFile repository without needing to download the file to the device.
ShareFile mobile clients: Users can open attachments from any app.
If a user has wrapped ShareFile and unwrapped ShareFile on a device, the wrapped ShareFile client cannot access files in the user's personal ShareFile account. The wrapped ShareFile client can access only the ShareFile subdomain configured in XenMobile.

Feature: ShareFile account access
ShareFile for XenMobile clients: For XenMobile integration with ShareFile Enterprise: To access a personal ShareFile account or a third-party ShareFile account, users must use a non-MDX version of ShareFile on the device.
ShareFile mobile clients: For XenMobile integration with ShareFile Enterprise: Available from ShareFile clients.

Feature: Device policies
ShareFile for XenMobile clients: Both XenMobile and ShareFile device policies apply to ShareFile for XenMobile clients. For example, from the XenMobile console, you can perform a device wipe. From the ShareFile console, you can remotely wipe the ShareFile app.

Feature: MDX policies
ShareFile for XenMobile clients: MDX policies let you configure settings that the XenMobile Store enforces. Policies available only through MDX include the ability to block the camera, mic, compose, screen capture, and clipboard cut, copy, and paste operations.
ShareFile mobile clients: Not applicable.

Feature: Data encryption
ShareFile for XenMobile clients: Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.
ShareFile mobile clients: Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption.

Feature: Availability
ShareFile for XenMobile clients: ShareFile for XenMobile clients are included with XenMobile Advanced and Enterprise editions.
ShareFile mobile clients: All XenMobile editions include all ShareFile Enterprise features. You can integrate XenMobile with the full ShareFile feature set or just StorageZones Connectors.

To integrate and deliver ShareFile Worx clients with XenMobile, follow these general steps:

1. Enable XenMobile as a SAML IdP for ShareFile, to provide SSO from ShareFile Worx clients to ShareFile. To do so, you must configure ShareFile account information in XenMobile, as described in this article in To configure ShareFile account information in XenMobile for SSO.
   ShareFile for Android 3.9 is required for SSO with Worx Home
   Important: To use XenMobile as a SAML IdP for non-MDX ShareFile clients, such as the ShareFile web app and the ShareFile Sync clients, additional configuration is required. For details, see this article on the ShareFile support site: ShareFile Single Sign-On SSO. The article contains a download link to the XenMobile 10 configuration guide.
2. Download and wrap the ShareFile Worx clients. For details, see About the MDX Toolkit.
3. Add the ShareFile Worx clients to XenMobile. For details, see "To add ShareFile Worx clients to XenMobile", further down.
4. Validate your configuration. For details, see "To validate ShareFile Worx clients", further down.

About the settings:

- Domain is the ShareFile subdomain to be used for the Worx clients.
- Only the users in the selected delivery groups will have SSO access to ShareFile from the Worx clients. If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile Worx client to XenMobile.
- The ShareFile Administrator Account Logon information is used by XenMobile to save the SAML settings in the ShareFile control plane.

Important: The configuration that enables SSO from ShareFile Worx clients to ShareFile does not authenticate users to network shares or SharePoint document libraries. Access to those Connector data sources requires authentication to the Active Directory domain in which the network shares or SharePoint servers reside.

To configure ShareFile account information in XenMobile for SSO

To enable SSO from Worx Home to XenMobile apps, you specify ShareFile account and ShareFile administrator service account information in the XenMobile console. With that configuration, XenMobile acts as a SAML IdP for ShareFile, for Worx clients, ShareFile Worx clients, and non-MDX ShareFile clients. When a user starts a Worx client, Worx Home obtains a SAML token for the user from XenMobile and sends it to the Worx client.

In the XenMobile console, click Configure > Settings, expand More and then click ShareFile.

To add ShareFile for XenMobile clients to XenMobile

When you add ShareFile for XenMobile clients to XenMobile, you can enable SSO access to Connector data sources from ShareFile for XenMobile clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode policy as described in this section.

Prerequisites

- XenMobile must be able to reach your ShareFile subdomain. To test the connection, ping your ShareFile subdomain from the XenMobile server.
- The time zone configured for your ShareFile account and for the hypervisor running XenMobile must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach ShareFile within the expected time frame. To configure the NTP server for XenMobile 10, use the XenMobile command-line interface.
  Note: Be aware that the Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.
- Log in to the ShareFile administrator console using a ShareFile admin account and verify the SAML SSO settings in Admin > Configure Single Sign-On.
- Download and wrap the ShareFile for XenMobile clients.

Steps:

1. In the XenMobile console, click Configure > Apps and then click Add.
2. Click MDX.
3. Enter a Name and, optionally, a Description and App category for the app.
4. Click Next and then upload the .mdx file for the ShareFile for XenMobile client.
5. Click Next to configure the app information and policies.

The configuration that enables SSO from ShareFile for XenMobile clients to ShareFile does not authenticate users to network shares or SharePoint document libraries. To enable SSO between the Secure Hub micro VPN and ShareFile StorageZones Controller, complete the following policy configuration:

Set the Network access policy to Tunneled to the internal network. In this mode of operation, all network traffic from the ShareFile for XenMobile client is intercepted by the XenMobile MDX framework and redirected through NetScaler Gateway using an app-specific micro VPN.

Set the Preferred VPN mode policy to Secure browse. In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then initiates new connections to internal connections on the user's behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

Complete the Approvals and Delivery Group Assignments as needed. Only the users in the selected delivery groups will have SSO access to ShareFile from the ShareFile for XenMobile clients. If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile for XenMobile client to XenMobile.

To validate ShareFile for XenMobile clients

1. After completing the configuration described in this article, start the ShareFile for XenMobile client. ShareFile should not prompt you to sign on.
2. In Secure Mail, compose an email and add an attachment from ShareFile. Your ShareFile Home page should open, without prompting you to sign on.
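The time prerequisite above is easiest to see by evaluating a SAML validity window against clocks that disagree. The following is an added example, not Citrix or ShareFile code: it stamps a constructed, unsigned assertion from an IdP clock that is offset from true UTC (as happens when a VM treats local time as UTC) and checks it the way a service provider would. The assertion lifetime, the allowed skew and all function names are assumptions chosen for illustration.

```python
"""Added example: how an IdP clock offset breaks the SAML validity window."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed values for illustration; the page does not state ShareFile's limits.
ASSERTION_LIFETIME = timedelta(minutes=5)
ALLOWED_SKEW = timedelta(minutes=3)


def issue_assertion(idp_clock):
    """Constructed, unsigned assertion stamped from the IdP's own idea of UTC."""
    not_before = idp_clock.strftime(TS_FORMAT)
    not_on_or_after = (idp_clock + ASSERTION_LIFETIME).strftime(TS_FORMAT)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{not_before}" '
        f'NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion>"
    )


def parse_timestamp(value):
    """SAML timestamps are UTC; attach the zone so comparisons are unambiguous."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def check_validity_window(assertion_xml, sp_now, allowed_skew=ALLOWED_SKEW):
    """Evaluate NotBefore / NotOnOrAfter against the service provider's clock.

    Signature and audience checks are out of scope for this example.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return "rejected: no Conditions element"
    not_before = parse_timestamp(conditions.attrib["NotBefore"])
    not_on_or_after = parse_timestamp(conditions.attrib["NotOnOrAfter"])
    if sp_now + allowed_skew < not_before:
        return "rejected: not yet valid"
    if sp_now - allowed_skew >= not_on_or_after:
        return "rejected: expired"
    return "accepted"


def result_for_idp_offset(
    offset, true_utc=datetime(2017, 11, 21, 12, 0, tzinfo=timezone.utc)
):
    """The IdP clock runs at true UTC plus offset; the SP clock is correct."""
    return check_validity_window(issue_assertion(true_utc + offset), true_utc)


if __name__ == "__main__":
    scenarios = {
        "clock in sync": timedelta(0),
        "2 minutes of drift": timedelta(minutes=2),
        "local time UTC+2 treated as UTC": timedelta(hours=2),
        "local time UTC-5 treated as UTC": timedelta(hours=-5),
    }
    for label, offset in scenarios.items():
        print(f"{label:35s} {result_for_idp_offset(offset)}")
```

Small drift stays inside the skew allowance, while a whole-hour time zone error always lands outside it, which is why NTP and a consistent time zone are listed as prerequisites.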

Citrix ShareFile Workflows

Nov 21, 2017

The ShareFile Workflows for XenMobile app is the mobile component of the ShareFile Custom Workflows feature. This feature allows users to create customized workflows that include multiple triggers and actions. Customized forms can be added to workflow templates and assigned to users. When a user is assigned a form, the user can complete and submit the form via the ShareFile Workflows Mobile App. Form data storage is securely integrated with ShareFile, where workflow files are stored for review, reference, and retrieval. Workflow and form templates are created and managed within the ShareFile web application.

End-User Documentation

End-user documentation related to creating and managing workflow and form templates can be found at the Citrix Knowledge Center:

Creating a Workflow Template
Creating a Form Template
Submitting Forms via the Workflows mobile app

For ShareFile Workflows and other XenMobile App system requirements, see System requirements for XenMobile Apps.

You wrap the ShareFile Workflows mobile app with the MDX Toolkit, available on the XenMobile downloads page. Follow the instructions in Wrapping iOS Mobile Apps and Add an MDX app.

For the ShareFile Workflows for XenMobile iOS and Android apps, the following MDX policies are recommended for optimal functionality and feature support. You adjust these policies via the XenMobile console.

MDX Policies: Recommended Value

App Restrictions
  Block Camera: OFF
  Block Photo Library: OFF
  Block mic record: OFF
  Block location service: OFF

App Network Access
  Network Access: Tunneled to the internal network

Encryption (Android only)
  Private file encryption exclusions (Android only): ^databases/[0-9]+\.db_img_store/,^databases/db_img_store/,^databases/db_video_store/,^files/temp_attachment/,^files/temp_log/
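Every entry in the Private file encryption exclusions policy names files that are left unencrypted on the device, so the list is worth auditing before it is deployed. The following is an added example, not part of the Citrix documentation or the MDX Toolkit: it parses the policy value from the table above, reports which constructed sample paths would be excluded, and lints a policy for entries that are unanchored or that reach sensitive files. It assumes the patterns are matched with search semantics against paths relative to the app's private data directory; the sample paths, probe paths and function names are hypothetical.

```python
"""Added example: audit an MDX private file encryption exclusion list."""
import re

# Policy value as given in the table above (comma-separated regular expressions).
PAGE_POLICY = (
    r"^databases/[0-9]+\.db_img_store/,^databases/db_img_store/,"
    r"^databases/db_video_store/,^files/temp_attachment/,^files/temp_log/"
)

# Constructed app-relative paths used to show what the policy covers.
SAMPLE_PATHS = [
    "databases/12.db_img_store/thumb_001.jpg",
    "databases/db_video_store/clip.mp4",
    "files/temp_log/app.log",
    "databases/workflows.db",
    "files/forms/submission.json",
    "cache/files/temp_log/app.log",
]

# Constructed probe paths that should never be excluded from encryption.
SENSITIVE_PROBES = [
    "databases/workflows.db",
    "files/forms/submission.json",
    "shared_prefs/auth.xml",
]


def parse_exclusions(policy_value):
    """Split the policy string and compile each entry.

    An invalid regex raises re.error. Splitting on commas means an entry
    cannot itself contain a comma, for example a {1,3} quantifier.
    """
    entries = [e.strip() for e in policy_value.split(",") if e.strip()]
    return [(entry, re.compile(entry)) for entry in entries]


def unencrypted_paths(policy_value, paths):
    """Return the paths matched by at least one exclusion (stored unencrypted)."""
    compiled = parse_exclusions(policy_value)
    return [p for p in paths if any(rx.search(p) for _, rx in compiled)]


def lint_exclusions(policy_value, probes=SENSITIVE_PROBES):
    """Map each risky entry to the reasons it is risky; an empty dict is clean."""
    findings = {}
    for entry, rx in parse_exclusions(policy_value):
        issues = []
        if not entry.startswith("^"):
            # Without the anchor the pattern matches the directory name
            # anywhere in a path, not only at the top of the data directory.
            issues.append("not anchored with ^")
        issues += [f"matches {p}" for p in probes if rx.search(p)]
        if issues:
            findings[entry] = issues
    return findings


if __name__ == "__main__":
    print("Left unencrypted by the recommended policy:")
    for path in unencrypted_paths(PAGE_POLICY, SAMPLE_PATHS):
        print("  ", path)
    print("Lint of recommended policy:", lint_exclusions(PAGE_POLICY))
    # A constructed, overly broad policy for comparison.
    print("Lint of broad policy:", lint_exclusions("databases/,^files/"))
```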

Allowing secure interaction with Office 365 apps

Nov 21, 2017

Citrix Secure Mail, Citrix Secure Web and ShareFile offer the option of opening the MDX container to allow users to transfer docs and data to Microsoft Office 365 apps. You manage this capability for iOS and Android platforms through the open-in policies on the XenMobile console.

Once opened in a Microsoft app, data is no longer secured or encrypted in the MDX container. Consider the security implications before enabling this feature. Particularly, customers concerned with data loss prevention or who are subject to HIPAA or other strict compliance requirements should weigh the trade-offs of opening the container.

1. Download the latest versions of Secure Mail, Secure Web, or ShareFile apps from the XenMobile downloads page.
2. Wrap the files using the latest version of the MDX Toolkit and your usual provisioning profiles and certificates.
3. Upload the files to the XenMobile console.
4. Locate the Document exchange (Open In) policy and set it to Restricted. In the Restricted Open-in exception list, Microsoft Word, Excel, PowerPoint, OneNote and Outlook are automatically listed. For example:

com.microsoft.office.word, com.microsoft.office.excel, com.microsoft.office.powerpoint, com.microsoft.onenote, com.microsoft.onenoteipad, com.microsoft.office.outlook

In MDM enrollments, additional controls for iOS devices are available. You can upload iTunes apps to the XenMobile console and push the apps to devices. If you choose this option, set the following policies to ON:

Remove app if MDM profile is removed
Prevent app data backup
Force app to be managed (note that a selective wipe will remove the app and any data)

To prevent documents and data flowing from Microsoft apps to unmanaged apps on the device, go to Configure > Devices Policies > Restrictions > iOS on the XenMobile console and then set Documents from managed apps in

Mobile productivity apps

Mobile productivity apps Citrix Product Documentation docs.citrix.com September 24, 2018 Contents Mobile productivity apps release timeline 3 About the Secure Mail and Secure Web phased release process................ 3 Prerequisites

More information

XenMobile MDX Toolkit 10.x Fixed Issues

XenMobile MDX Toolkit 10.x Fixed Issues XenMobile MDX Toolkit 10.x Fixed Issues MDX Toolkit 10.3.9 If users have WorxWeb open in the background and use an unwrapped app that passes data to WorxWeb, such as Google Chrome, and the device loses

More information

1Y Citrix. Designing Deploying and Managing Citrix XenMobile 10 Enterprise Solutions

1Y Citrix. Designing Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Citrix 1Y0-371 Designing Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Download Full version : https://killexams.com/pass4sure/exam-detail/1y0-371 QUESTION: 132 What would cause a subset

More information

Citrix 1Y0-371 Exam. Exam: 1Y Title : Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions

Citrix 1Y0-371 Exam. Exam: 1Y Title : Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Citrix 1Y0-371 Exam Passing Score: 800 Time Limit: 120 min Exam: 1Y0-371 Title : Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Экзамен A QUESTION 1 Which XenMobile deployment

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 1Y0-371 Title : Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Vendor : Citrix Version

More information

1Y0-371 Q&As. Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions. Pass home 1Y0-371 Exam with 100% Guarantee

1Y0-371 Q&As. Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions. Pass home 1Y0-371 Exam with 100% Guarantee 1Y0371 Q&As Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Pass home 1Y0371 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing

More information

1Y0-371.exam. Number: 1Y0-371 Passing Score: 800 Time Limit: 120 min. Citrix 1Y0-371

1Y0-371.exam. Number: 1Y0-371 Passing Score: 800 Time Limit: 120 min. Citrix 1Y0-371 1Y0-371.exam Number: 1Y0-371 Passing Score: 800 Time Limit: 120 min Citrix 1Y0-371 Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Sections 1. Installing the Components of a

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

BlackBerry UEM Configuration Guide

BlackBerry UEM Configuration Guide BlackBerry UEM Configuration Guide 12.9 2018-11-05Z 2 Contents Getting started... 7 Configuring BlackBerry UEM for the first time... 7 Configuration tasks for managing BlackBerry OS devices... 9 Administrator

More information

Citrix Exam 1Y0-371 Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Version: 6.0 [ Total Questions: 143 ]

Citrix Exam 1Y0-371 Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Version: 6.0 [ Total Questions: 143 ] s@lm@n Citrix Exam 1Y0-371 Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Version: 6.0 [ Total Questions: 143 ] Topic break down Topic Topic 1: Installing the Components of

More information

Configuration Guide. BlackBerry UEM. Version 12.9

Configuration Guide. BlackBerry UEM. Version 12.9 Configuration Guide BlackBerry UEM Version 12.9 Published: 2018-07-16 SWD-20180713083904821 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the first time...9 Configuration

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Vendor: Citrix. Exam Code: 1Y Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions. Version: Demo

Vendor: Citrix. Exam Code: 1Y Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions. Version: Demo Vendor: Citrix Exam Code: 1Y0-370 Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions Version: Demo QUESTION NO: 1 Which connection type is used when WorxWeb for ios is configured to

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of June 2017. Vodafone Ready Business Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Custom App Wrapping for ios... 4 Native App Caching: Android...4 Native App

More information

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE Deploying VMware Workspace ONE Intelligent Hub October 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2 Configuration Guide BlackBerry UEM Version 12.7 Maintenance Release 2 Published: 2017-12-04 SWD-20171130134721747 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the

More information

Augmenting security and management of. Office 365 with Citrix XenMobile

Augmenting security and management of. Office 365 with Citrix XenMobile Office 365 with Citrix XenMobile Augmenting security and management of Office 365 with Citrix XenMobile There are quite a few reasons why Microsoft Office 365 is so popular with enterprise customers. Citrix.com

More information

Integration with Apple Configurator 2. VMware Workspace ONE UEM 1902

Integration with Apple Configurator 2. VMware Workspace ONE UEM 1902 Integration with Apple Configurator 2 VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

StorageZones Controller 3

StorageZones Controller 3 StorageZones Controller 3 Jun 05, 2015 For a link to documentation for the most current release, see StorageZones Controller. To download the latest version, see https://www.citrix.com/downloads/sharefile/.

More information

XenMobile 8.5 Migration Whitepaper

XenMobile 8.5 Migration Whitepaper Mobile Platforms Group XenMobile 8.5 Migration Whitepaper This document outlines the supported migration path from CloudGateway 2.6 components to XenMobile (Project Ares) components. In addition, the document

More information

Mobilize with Enterprise Security and a Productive User Experience

Mobilize  with Enterprise Security and a Productive User Experience Mobilize Email with Citrix XenMobile Mobilize Email with Enterprise Security and a Productive User Experience People need to be able to work with email productively wherever they go. Citrix.com 1 Email

More information

VMware AirWatch Integration with Apple Configurator 2 Guide Using Apple Configurator 2 and AirWatch to simplify mass deployments

VMware AirWatch Integration with Apple Configurator 2 Guide Using Apple Configurator 2 and AirWatch to simplify mass deployments VMware AirWatch Integration with Apple Configurator 2 Guide Using Apple Configurator 2 and AirWatch to simplify mass deployments AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback

More information

Administering Jive Mobile Apps for ios and Android

Administering Jive Mobile Apps for ios and Android Administering Jive Mobile Apps for ios and Android TOC 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios...3 Custom App Wrapping for ios...3 Authentication with Mobile

More information

XenMobile Service Citrix Systems, Inc. All rights reserved. p.1

XenMobile Service Citrix Systems, Inc. All rights reserved. p.1 XenMobile Service Sep 08, 2017 The Citrix Cloud XenMobile Service, previously called XenMobile Cloud, offers a XenMobile enterprise mobility management (EMM) environment for managing apps, devices, users,

More information

VMware Boxer Comparison Matrix for IBM Notes Traveler Compare the features supported by VMware Boxer and AirWatch Inbox

VMware Boxer Comparison Matrix for IBM Notes Traveler Compare the features supported by VMware Boxer and AirWatch Inbox VMware Boxer Comparison Matrix for IBM Notes Traveler Compare the features supported by VMware Boxer and AirWatch Inbox Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback

More information

Configuration Guide. BlackBerry UEM Cloud

Configuration Guide. BlackBerry UEM Cloud Configuration Guide BlackBerry UEM Cloud Published: 2018-04-18 SWD-20180411125526296 Contents About this guide... 7 Getting started... 8 Configuring BlackBerry UEM Cloud for the first time... 8 Administrator

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware Browser Admin Guide Configuring and deploying the VMware Browser

VMware Browser Admin Guide Configuring and deploying the VMware Browser VMware Browser Admin Guide Configuring and deploying the VMware Browser AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

Assess: This section discusses common use cases and questions to consider when planning your deployment.

Assess: This section discusses common use cases and questions to consider when planning your deployment. XenMobile Deployment Nov 28, 2016 The XenMobile Deployment Handbook includes the following: Assess: This section discusses common use cases and questions to consider when planning your deployment. Management

More information

VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps

VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support

More information

VMware Browser Admin Guide Configuring and deploying the VMware Browser

VMware Browser Admin Guide Configuring and deploying the VMware Browser VMware Browser Admin Guide Configuring and deploying the VMware Browser AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

AirWatch Container. VMware Workspace ONE UEM

AirWatch Container. VMware Workspace ONE UEM VMware Workspace ONE UEM You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Citrix Cloud Resource Locations

Citrix Cloud Resource Locations Citrix Cloud Resource Locations Oct 13, 2017 In Citrix Cloud, resource locations contain the resources you manage such as hypervisors, Cloud Connectors, and VDAs. For an overview, see What are resource

More information

Product Guide. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6

Product Guide. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 Product Guide McAfee Enterprise Mobility Management (McAfee EMM ) 9.6 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

NotifyMDM Device Application User Guide Installation and Configuration for Android

NotifyMDM Device Application User Guide Installation and Configuration for Android NotifyMDM Device Application User Guide Installation and Configuration for Android NotifyMDM for Android, Version 3.x NotifyMDM for Android 1 Table of Contents NotifyMDM for Android 3 Installation Instructions

More information

OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5

OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5 Citrix SSO Contents OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5 Device level VPN Profiles... 5 Per-App VPN Profiles... 7

More information

Table of Contents. VMware AirWatch: Technology Partner Integration

Table of Contents. VMware AirWatch: Technology Partner Integration Table of Contents Lab Overview - HOL-1857-08-UEM - Workspace ONE UEM - Technology Partner Integration... 2 Lab Guidance... 3 Module 1 - F5 Integration with Workspace ONE UEM (30 min)... 9 Introduction...

More information

Citrix Workspace app 1808 for ios

Citrix Workspace app 1808 for ios Citrix Workspace app 1808 for ios Citrix Product Documentation docs.citrix.com September 7, 2018 Contents What s new in Citrix Workspace app for ios 3 What s new in 1808........................................

More information

ShareFile Technical Presentation

ShareFile Technical Presentation ShareFile Technical Presentation Joerg Vosse Senior Systems Engineer - Citrix ShareFile CEE joerg.vosse@citrix.com ShareFile Enterprise Architecture Overview ShareFile Document Cloud ShareFile.com ShareFile.eu

More information

How to Configure S/MIME for WorxMail

How to Configure S/MIME for WorxMail How to Configure S/MIME for WorxMail Windows Phone 8.1 This article describes how to configure S/MIME (Secure/Multipurpose Internet Mail Extensions) for WorxMail Windows Phone 8.1. Note: This feature works

More information

The MDX Toolkit version is a release available on Citrix.com and XenMobile MDX Service for enterprise wrapping.

The MDX Toolkit version is a release available on Citrix.com and XenMobile MDX Service for enterprise wrapping. MDX Toolkit Nov 20, 2017 Important T he MDX Toolkit 10.7.10 is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions 10.7.5 and later from the public app

More information

Verizon MDM UEM Unified Endpoint Management

Verizon MDM UEM Unified Endpoint Management Verizon MDM UEM Unified Endpoint Management Version: 1.0 Last Updated: 3/29/18 Table of Contents Unified Endpoint Management (UEM) Overview... 4 Account Dashboard... 4 Unified Endpoint Management (UEM)

More information

Colligo Briefcase. for Good Technology. Administrator Guide

Colligo Briefcase. for Good Technology. Administrator Guide for Good Technology Administrator Guide Contents Introduction... 2 Target Audience... 2 Overview... 2 Key Features... 2 Platforms Supported... 2 SharePoint Security & Privileges... 3 for Good Technology...

More information

Citrix SSO for ios. Page 1 18

Citrix SSO for ios. Page 1 18 Citrix SSO for ios Page 1 18 Contents OVERVIEW... 3 WHAT'S NEW... 3 KNOWN ISSUES AND FIXED ISSUES... 4 FEATURE COMPARISON BETWEEN CITRIX VPN AND CITRIX SSO... 5 COMPATIBILITY WITH MDM PRODUCTS... 6 CONFIGURE

More information

Table of Contents HOL-1757-MBL-6

Table of Contents HOL-1757-MBL-6 Table of Contents Lab Overview - - VMware AirWatch: Technology Partner Integration... 2 Lab Guidance... 3 Module 1 - F5 Integration with AirWatch (30 min)... 8 Getting Started... 9 F5 BigIP Configuration...

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Customer Name. Citrix Cloud XenMobile Service Onboarding Handbook

Customer Name. Citrix Cloud XenMobile Service Onboarding Handbook Citrix Systems Netherlands BV Spaces Zuidas, 5 th floor Barbara Strozzilaan 201 1083 HN Amsterdam Phone: +31 (0)20 302 3400 E-mail: info@citrix.com Web: http://www.citrix.nl Customer Name Author: Jeroen

More information

StorageZones Controller 3.1

StorageZones Controller 3.1 StorageZones Controller 3.1 Jun 05, 2015 For a link to documentation for the most current release, see StorageZones Controller. To download the latest version, see https://www.citrix.com/downloads/sharefile/.

More information

AirWatch Mobile Device Management

AirWatch Mobile Device Management RSA Ready Implementation Guide for 3rd Party PKI Applications Last Modified: November 26 th, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product Description

More information

VMware AirWatch Android Platform Guide

VMware AirWatch Android Platform Guide VMware AirWatch Android Platform Guide Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) You can find the most up-to-date

More information

Self-Service Password Reset

Self-Service Password Reset Citrix Product Documentation docs.citrix.com September 21, 2018 Contents Self-Service Password Reset 1.1.x 3 What s new 3 What s new in version 1.1.20................................... 3 What s new in

More information

VMware Workspace One Web. VMware Workspace ONE UEM

VMware Workspace One Web. VMware Workspace ONE UEM VMware Workspace One Web VMware Workspace ONE UEM You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Citrix.Certkey.1Y0-370.v by.JAMIE.60q. Exam Code: 1Y Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions

Citrix.Certkey.1Y0-370.v by.JAMIE.60q. Exam Code: 1Y Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions Citrix.Certkey.1Y0-370.v2014-06-12.by.JAMIE.60q Number: 1Y0-370 Passing Score: 620 Time Limit: 105 min File Version: 20.5 http://www.gratisexam.com/ Exam Code: 1Y0-370 Exam Name: Designing, Deploying and

More information

VMware AirWatch Reports Guide

VMware AirWatch Reports Guide VMware AirWatch Reports Guide AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected by copyright

More information

Sophos Mobile. super administrator guide. Product Version: 8

Sophos Mobile. super administrator guide. Product Version: 8 Sophos Mobile super administrator guide Product Version: 8 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Endpoint Manager for Mobile Devices Setup Guide

Endpoint Manager for Mobile Devices Setup Guide Endpoint Manager for Mobile Devices Setup Guide ii Endpoint Manager for Mobile Devices Setup Guide Contents IBM Endpoint Manager for Mobile Devices Setup Guide......... 1 Components.............. 1 Architecture..............

More information

Agylia Mobile Learning App Feature Summary

Agylia Mobile Learning App Feature Summary Agylia Mobile Learning App Feature Summary Version 12 Agylia Mobile Learning App Available Not Yet Available Optional General Content platforms supported Native device user experience Native Apps Offline

More information

IBM. Configuration Guide. IBM MobileFirst Protect On-Premise. Version 2 Release 4

IBM. Configuration Guide. IBM MobileFirst Protect On-Premise. Version 2 Release 4 IBM MobileFirst Protect On-Premise IBM Configuration Guide Version 2 Release 4 IBM MobileFirst Protect On-Premise IBM Configuration Guide Version 2 Release 4 Note Before using this information and the

More information

Symantec Mobile Management for Configuration Manager 7.2 MR1 Release Notes

Symantec Mobile Management for Configuration Manager 7.2 MR1 Release Notes Symantec Mobile Management for Configuration Manager 7.2 MR1 Release Notes Symantec Mobile Management for Configuration Manager 7.2 MR1 Release Notes This document includes the following topics: About

More information

Windows 8/RT Features Matrix

Windows 8/RT Features Matrix Windows 8/RT Features Matrix The following matrix shows what AirWatch features are available to the Windows 8.0/RT and the Windows 8.1/RT platforms. Feature Windows 8.0/RT Windows 8.1/RT Activation & Enrollment

More information

Reports and Analytics. VMware Workspace ONE UEM 1902

Reports and Analytics. VMware Workspace ONE UEM 1902 VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback

More information

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources Workspace ONE UEM v9.6 Have documentation feedback? Submit a Documentation Feedback

More information

Sync User Guide. Powered by Axient Anchor

Sync User Guide. Powered by Axient Anchor Sync Powered by Axient Anchor TABLE OF CONTENTS End... Error! Bookmark not defined. Last Revised: Wednesday, October 10, 2018... Error! Bookmark not defined. Table of Contents... 2 Getting Started... 7

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Quick Reference Guide. Good for Enterprise to BlackBerry Work using BlackBerry UEM Transition Guide

Quick Reference Guide. Good for Enterprise to BlackBerry Work using BlackBerry UEM Transition Guide Quick Reference Guide Good for Enterprise to BlackBerry Work using BlackBerry UEM Transition Guide Published: 2017-09-07 SWD-20170907121543141 Contents Good for Enterprise to BlackBerry Work transition

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Anchor User Guide. Presented by: Last Revised: August 07, 2017

Table of Contents: Getting Started; How to Log In to the Web Portal; How to Manage Account Settings; How to Configure Two-Step Authentication

DSS User Guide. End User Guide.

Table of Contents: Part 1: Getting Started; How to Log in to the Web Portal; How to Manage Account Settings

Sophos Mobile. super administrator guide. product version: 8.6

Contents: About this guide; Document conventions; Super administrator; Super administrator tasks; Super administrator customer

ownCloud Android App Manual

Release 2.7.0. The ownCloud developers, October 30, 2018. Contents: 1 Release Notes; 1.1 Changes in 2.7.0; 1.2 Changes in 2.6.0

ForeScout Extended Module for MobileIron

Version 1.8. Table of Contents: About MobileIron Integration; Additional MobileIron Documentation; About this Module; How it Works; Continuous Query Refresh; Offsite Device Management

GRS Enterprise Synchronization Tool

Last Revised: Thursday, April 05, 2018. Table of Contents: Anchor End User Guide; Last Revised: Monday, March 12, 2018

Sophos Mobile Control SaaS startup guide. Product version: 6.1

Document date: September 2016. Contents: 1 About this guide; 2 About Sophos Mobile Control; 3 What are the key steps?; 4 Change your

TabPilot Documentation

Table of contents: 1 Introduction; 2 Control Tower Interface; 2.1 Menu Navigation; 2.2 Working with Tables; 3 Setting Up TabPilot; 3.1 Overview; 3.2 Setting Up Android Devices

Pulse Secure Client for Chrome OS

Quick Start Guide. Published March, 2018. Release 5.2r1, Version 1.6. 2018 by Pulse Secure, LLC. All rights reserved. Pulse Secure, LLC, 2700 Zanker Road, Suite 200, San Jose,

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

What's New for Enterprise and Education: iOS 11, macOS High Sierra 10.13, tvOS 11, and deployment tools and services

September 2017. Introduction: This document is a summary of what's new in iOS 11, macOS

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

Citrix SCOM Management Pack 1.4 for ShareFile

Nov 27, 2017. Citrix SCOM Management Pack for ShareFile is an availability and performance management solution that extends end-to-end service monitoring capabilities

Getting Started Guide

BlackBerry UEM Version 12.6 Maintenance Release 2. Published: 2017-04-07 SWD-20170407163328365 Contents: Getting started with BlackBerry UEM and BlackBerry Dynamics; Steps to get

Sophos Mobile super administrator guide. Product version: 7.1

Contents: 1 About this guide; 1.1 Document conventions; 2 Super administrator; 2.1 Super administrator tasks; 2.2 Super administrator

VMware Workspace ONE UEM Apple tvos Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

Overview What is Azure Multi-Factor Authentication? How it Works Get started Choose where to deploy MFA in the cloud MFA on-premises MFA for O365

Table of Contents Overview What is Azure Multi-Factor Authentication? How it Works Get started Choose where to deploy MFA in the cloud MFA on-premises MFA for O365 users Security best practices How to

PrinterOn Mobile App MDM/MAM. Basic Integration Guide

Contents: Chapter 1: Overview; Supported PrinterOn MDM/MAM integrations; Benefits of integrating PrinterOn with MDM/MAM solutions; Chapter

StorageZones Controller 4.0

Apr 05, 2017. For a link to documentation for the most current release, see StorageZones Controller. To download the latest version, see https://www.citrix.com/downloads/sharefile/.

Mobility Manager 9.5. Users Guide

LANDESK MOBILITY MANAGER Copyright 2002-2013, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

Citrix SSO for Mac OS X. User Guide

Contents: OVERVIEW; FEATURE COMPARISON BETWEEN CITRIX VPN AND CITRIX SSO; COMPATIBILITY WITH MDM PRODUCTS; CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX

XenMobile Logs Collection Guide

Contents: Summary; Background; How to Collect Logs from Server Components; Support Bundle Contents; Configurations in App Controller to collect logs via

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

Workspace ONE UEM v9.6 Have documentation feedback? Submit

Enable the Always Offline Mode to Provide Faster Access to Files

Published: April 18, 2012. Updated: July 3, 2013. Applies To: Windows 8, Windows 8.1, Windows

StorageZones Controller 3.4

Mar 09, 2016. For a link to documentation for the most current release, see StorageZones Controller. To download the latest version, see https://www.citrix.com/downloads/sharefile/.