The MDX Toolkit version is a release available on Citrix.com and XenMobile MDX Service for enterprise wrapping.


MDX Toolkit

Nov 20, 2017

Important

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For a table listing the XenMobile Apps enterprise versions that you can wrap with the MDX Toolkit , see the Enterprise delivery of XenMobile Apps section in XenMobile Apps administration and delivery.

Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version Otherwise, users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and Android 8, see What's new in XenMobile Apps, the XenMobile Apps Known issues, and XenMobile supported device operating systems.

Before upgrading to iOS 11, users must upgrade Secure Hub and XenMobile Apps to version That upgrade sequence is required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.

The MDX Toolkit version is a release available on Citrix.com and XenMobile MDX Service for enterprise wrapping.

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For a table listing the XenMobile Apps enterprise versions that you can wrap with the MDX Toolkit , see the Enterprise delivery of XenMobile Apps section in XenMobile Apps administration and delivery.

The MDX Toolkit version contains fixes. For details, see Fixed issues.

What's New in the MDX Toolkit

The MDX Toolkit version contains fixes. For details, see Fixed issues.

What's new in the MDX Toolkit

The MDX Toolkit version contains fixes. For details, see Fixed issues.

What's new in the MDX Toolkit 10.7

The MDX Toolkit now supports wrapping apps for Android O (version 8) and iOS 11.
What's new in the MDX Toolkit

The MDX Toolkit is an Android-only release of the enterprise toolkit.

With the XenMobile Apps release, MDX no longer enforces app upgrades on Android by default. You can modify a new policy, Disable Required Update, to enforce upgrades for Public App Store apps. MDX does not enforce the upgrade by default. This feature was available for iOS apps in the release of MDX.

With the XenMobile Apps release, MDX for Android supports the exclusion of domains from tunneling. By default, some service endpoints that XenMobile SDKs and apps use for various features need to be excluded from micro VPN tunneling. You can override the list by setting a client property on the XenMobile Server. For details about configuring client properties in the XenMobile console, see Client properties. For details about overriding the service endpoint list, see TUNNEL_EXCLUDE_DOMAINS.

The domains that are excluded from tunneling by default are as follows: ssl.google-analytics.com, app.launchdarkly.com, mobile.launchdarkly.com, events.launchdarkly.com, stream.launchdarkly.com, clientstream.launchdarkly.com, firehose.launchdarkly.com, hockeyapp.net, rttf.citrix.com, rttf-test.citrix.com, rttf-staging.citrix.com, cis.citrix.com, cis-test.citrix.com, cis-staging.citrix.com, pushreg.xm.citrix.com, crashlytics.com, fabric.io

With the XenMobile Apps release, MDX no longer enforces app upgrades on iOS by default. You can modify a new policy, Disable Required Update, to enforce upgrades for Public App Store apps. MDX does not enforce the upgrade by default.

What's new in the MDX Toolkit 10.6

Block iOS Look Up. You can now block the Look Up feature on iOS. When you highlight a term, you can select Look Up and iOS will search for that term across apps. Use the Block Look Up policy to prevent an app from using this feature.

Xamarin support. The MDX Toolkit now supports apps developed in Xamarin. Xamarin is a cross-platform mobile app development environment. Xamarin provides an implementation of the .NET runtime for Android, iOS, and Windows Phone. A common C# codebase can be developed for all 3 platforms. Targeting a particular platform can be a simple build switch.

There are numerous third-party frameworks available to Xamarin developers. These frameworks offer common interfaces to basic OS functionality, such as taking a picture, accessing the gallery, and making a phone call. The frameworks tested to be compatible with XenMobile are listed below. We recommend that you use these frameworks, since others are untested and might not work.

System.*, Xamarin.*, SQLite.*, Plugin.*, ModernHttpClient.*, Android.*, Java.*, XLabs.*

Note: Secure Browse does not support the default HttpMessageHandler for System.Net.Http.HttpClient. The supported handlers are NativeMessageHandler and AndroidClientHandler.

Citrix Systems, Inc. All rights reserved.

OkHttp support. The MDX Toolkit now supports the OkHttp framework. Web requests created with this library will now work properly.

What's new in the MDX Toolkit

IPv6 connectivity improvements for iOS. This version of the MDX Toolkit resolves issues with AAAA DNS records, IPv4 mapped IPv6 addresses, IPv6 network detection, and IPv6 network switching. For additional fixed issues, see Fixed Issues.

What's new in the MDX Toolkit

The MDX Toolkit version contains fixes. For details, see Fixed issues.

What's new in the MDX Toolkit 10.4

Japanese and Russian support. The MDX Toolkit is now available in Japanese and Russian.

New XenMobile Apps names. As of version 10.4, Worx Mobile Apps are named XenMobile Apps. Individual apps also have new names. The changes are reflected in the user interfaces of all the apps, in addition to the MDX Toolkit and the XenMobile console. The new app names take effect automatically when you upgrade to version For details, see About XenMobile Apps.

What's new in the MDX Toolkit

Arabic support. The MDX Toolkit is now available in Arabic.

iOS 10/Android 7 support. The MDX Toolkit now supports both iOS 10 and Android 7.

What's new in the MDX Toolkit

Arm64 Support for iOS Enterprise Apps. You can now wrap 64-bit application binaries in addition to 32-bit application binaries for iOS. This is not the case for Android applications. In addition, the MDX Toolkit verifies the binary after it's modified to ensure that it is a valid ELF MachO binary.

Block localhost Connections (Android only). The Block localhost Connections policy allows you to stop connections to the loopback address ( ).

What's new in the MDX Toolkit

Secure Hub policy retrieval sign-on behavior. When you set the Maximum offline period MDX policy, with this release of the MDX Toolkit, if Secure Hub for iOS has a valid NetScaler Gateway token, the app retrieves new policies for MDX apps from XenMobile without any interruption to users. If Secure Hub does not have a valid NetScaler token, users must authenticate through Secure Hub in order for app policies to update. The NetScaler token may become invalid due to a NetScaler Gateway session inactivity or a forced session time-out policy. When users sign on to Secure Hub again, they can continue running the app.

Secure signoff (iOS). When users sign off from Secure Hub, the container automatically locks so that all XenMobile and MDX apps stay secure. To access the apps again, users have to enter their Citrix PINs.

Remove iOS app extensions. You can remove iOS extensions from the app during the enterprise app wrapping process by selecting the Strip extensions (Today, Watch, and so on) from iOS application check box on the Verify App Details screen. Note that iOS apps with Apple Watch extensions are not supported when wrapping apps.

Reverse split tunnel exclusion list. If you don't want certain websites to tunnel through NetScaler Gateway, you can add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that connect by using the LAN instead. This list applies only to Secure Browse mode when NetScaler Gateway is configured in Split tunnel reverse mode. Default value is empty.
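Both exclusion lists described above (the default tunneling exclusions that TUNNEL_EXCLUDE_DOMAINS overrides, and the reverse split tunnel list of comma-separated FQDNs or DNS suffixes) decide which traffic leaves the gateway path, so an override is worth reviewing before it is deployed. The following is an added example, not Citrix code: the comma-separated format for the override, the matching rule (exact name or label-boundary suffix), the function names and the sample override string are assumptions.

```python
import re

# Default tunneling exclusions, copied from the list on this page.
DEFAULT_EXCLUDED = [
    "ssl.google-analytics.com", "app.launchdarkly.com", "mobile.launchdarkly.com",
    "events.launchdarkly.com", "stream.launchdarkly.com",
    "clientstream.launchdarkly.com", "firehose.launchdarkly.com", "hockeyapp.net",
    "rttf.citrix.com", "rttf-test.citrix.com", "rttf-staging.citrix.com",
    "cis.citrix.com", "cis-test.citrix.com", "cis-staging.citrix.com",
    "pushreg.xm.citrix.com", "crashlytics.com", "fabric.io",
]

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_exclusions(raw):
    """Split a comma-separated list into (accepted entries, rejected tokens).

    Rejected: tokens with characters outside the DNS label alphabet (including
    wildcards) and single-label entries such as "com", which would send an
    entire top-level domain around the tunnel.
    """
    entries, rejected = [], []
    for token in raw.split(","):
        token = token.strip()
        name = token.lower().strip(".")  # ".corp.example" and "corp.example." normalize alike
        if not name:
            continue  # empty element, e.g. from a trailing comma
        labels = name.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
            rejected.append(token)
        elif name not in entries:
            entries.append(name)
    return entries, rejected


def bypasses_tunnel(host, entries):
    """True if host equals an entry or is a subdomain of one.

    Assumed semantics. Matching on a label boundary keeps "notcrashlytics.com"
    from matching the entry "crashlytics.com".
    """
    host = host.strip().lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in entries)


def review(raw, baseline=DEFAULT_EXCLUDED):
    """Compare a proposed override with the documented default list."""
    entries, rejected = parse_exclusions(raw)
    return {
        "entries": entries,
        "rejected": rejected,
        # Names that would newly leave the tunnel: each needs a justification.
        "added": [e for e in entries if not bypasses_tunnel(e, baseline)],
        # Defaults the override no longer covers: these would be tunneled again.
        "dropped": [b for b in baseline if not bypasses_tunnel(b, entries)],
    }


# Constructed sample override, not taken from any real deployment.
CONSTRUCTED_OVERRIDE = (
    "crashlytics.com, fabric.io, .corp.example, files.example.net, com, bad_host!.example.org,"
)

if __name__ == "__main__":
    report = review(CONSTRUCTED_OVERRIDE)
    for key in ("entries", "rejected", "added", "dropped"):
        print(f"{key}: {report[key]}")
```

An override replaces the default list rather than extending it, so the "dropped" output matters as much as "added": endpoints missing from the override go back through the tunnel.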

Inactivity timer behavior. When the inactivity timer is set to 0, inactivity offline authentication is disabled for MDX apps.

Mail compose redirection (iOS). You have three choices for how users are allowed to compose mail from an enterprise app:
Secure Mail: If installed on the device, Secure Mail automatically opens. If not, native mail does not open. Instead, users get a message instructing them to install Secure Mail.
Native: The device's native mail program opens.
Blocked: Both Secure Mail and native mail are blocked.
Default is Secure Mail. This policy replaces the Block compose policy, which is deprecated.

What's new in the MDX Toolkit 10.3

Shared devices. If you're deploying XenMobile 10.3, you can configure devices so that multiple users can share them. Only Secure Mail and Secure Web are supported. For more information, see Shared devices in XenMobile.

Self-destruct app lock and wipe client property. This global security policy applies to Android platforms and is an enhancement of the existing app lock and wipe policies. Self-destruct prevents access to Secure Hub and managed apps after a specified number of days of inactivity. After the time limit, apps are no longer usable, and the user device is unenrolled from the XenMobile Server. Wiping the data includes clearing the app data for each installed app, including the app cache and user data. The inactivity time is when the server does not receive an authentication request to validate the user over a specific length of time. For example, if you set the policy to 30 days and the user does not use an app for more than 30 days, the policy takes effect.

Android PAC file support. When you add MDX-wrapped Secure Web to XenMobile, you can specify the Proxy Auto-Configuration (PAC) file URL or proxy server to use when fetching a URL. This functionality is supported in full tunnel mode only; you cannot use Secure Browse when you specify a PAC. When you configure this setting, also ensure that the Permit VPN mode switching policy remains as the default value Off.

Single sign-on (SSO) support in user entropy environments. If users have not used an MDX app on the device for a certain period, as defined by the inactivity timer, users are prompted to sign on. They can use either their Citrix PIN or Touch ID, if you have enabled Touch ID authentication. This feature is now available in environments that have user entropy turned on, in addition to environments that have user entropy turned off. This capability is available for iOS apps only.

Developing ISV apps for iOS with the XenMobile Framework. MDX Toolkit 10.3 has changed the process that ISV developers need to follow when preparing an app for distribution, after they have built the app using Xcode. Instead of using the graphical MDX tool or the wrap command at the command-line, with MDX Toolkit 10.3, developers can sign, deploy, and debug their app within the Xcode Integrated Development Environment (IDE). Developers now need to run the SDKPrep command of the MDX command-line tool as part of the Xcode build process, eliminating the need to wrap the app outside of Xcode. For details on the step-by-step procedures for ISV wrapping in the MDX Toolkit tool and command-line interface, see Developing iOS Apps.

Note: Enterprise apps that you build with the XenMobile Framework in Xcode and then wrap by using the enterprise mode of the MDX Toolkit are still supported.

App geofence. This feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam, but if the person travels to Belgium, the app locks and users cannot interact with the app. When the user returns to Amsterdam, the app unlocks and is available for normal use.

There are three settings to enable geofencing:
GPS longitude and latitude, also called a point.
The radius that defines the area in which apps can operate, such as in the Netherlands. If you set the radius to 0, the app does not support geofencing.

If the app supports geofencing and you disable location services, a message appears in which users can either quit the app or click Settings, which goes to the Settings screen on the Android device. If users enable location services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point (as specified in the policy) is greater than the specified radius, the user is blocked from using the app. When this occurs, users receive an option to quit the app. The user must be within the fence to continue using the app. If the distance between the current location and the center point is less than the specified radius, the user can continue to use the app.

The app checks the network provider (Wi-Fi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which is also called high accuracy mode and helps in obtaining the location faster. There is a two-minute time-out to allow for longer times in checking the location:
Center point longitude. Enter the longitude point to specify the area in which the app is allowed to work.
Center point latitude. Enter the latitude point to specify the area in which the app is allowed to work.
Radius. Enter the radius from the center point in which the app is allowed to work. If set to 0, geofencing is not allowed.

Note: To get an accurate location from the device, and to avoid users trying to circumvent geofence by disabling Wi-Fi or the GPS, Citrix recommends setting the policy Online session required to On.

New MDX policies for Secure Mail. For a list of new Secure Mail policies available in the MDX Toolkit, see About XenMobile Apps. The policies for Windows Phone have not changed since the earlier release. For the complete list of app policies, see the articles in this section, MDX Policies at a Glance.
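The geofence decision described above (center point, radius, location services, radius 0 meaning no geofencing), written out as an added example that is not Citrix code. The radius unit (meters), the class and function names and the sample coordinates are assumptions; fix_confidence goes beyond the page to show how a coarse network-provider fix can leave the decision undetermined near the fence edge.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_008.8  # mean Earth radius in meters

# A location fix: (latitude, longitude, reported accuracy in meters).
Fix = Tuple[float, float, float]


@dataclass(frozen=True)
class GeofencePolicy:
    """The three policy values from the page; meters is an assumed unit."""
    center_lat: float
    center_lon: float
    radius_m: float

    def __post_init__(self):
        if not -90.0 <= self.center_lat <= 90.0:
            raise ValueError("center latitude must be within [-90, 90]")
        if not -180.0 <= self.center_lon <= 180.0:
            raise ValueError("center longitude must be within [-180, 180]")
        if self.radius_m < 0:
            raise ValueError("radius must not be negative")


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def evaluate(policy: GeofencePolicy, location_enabled: bool, fix: Optional[Fix]) -> str:
    """Apply the rule from the text.

    Returns "not_enforced" (radius 0), "location_required" (location services
    off or no fix obtained), "blocked" (distance greater than the radius) or
    "allowed". The page does not say what happens when the distance equals
    the radius; this sketch allows it.
    """
    if policy.radius_m == 0:
        return "not_enforced"
    if not location_enabled or fix is None:
        return "location_required"
    lat, lon, _accuracy = fix
    distance = haversine_m(policy.center_lat, policy.center_lon, lat, lon)
    return "blocked" if distance > policy.radius_m else "allowed"


def fix_confidence(policy: GeofencePolicy, fix: Fix) -> str:
    """Added check: is the decision stable given the fix accuracy?

    "inside" or "outside" only when the whole accuracy circle falls on one
    side of the fence; otherwise "uncertain".
    """
    lat, lon, accuracy = fix
    distance = haversine_m(policy.center_lat, policy.center_lon, lat, lon)
    if distance + accuracy <= policy.radius_m:
        return "inside"
    if distance - accuracy > policy.radius_m:
        return "outside"
    return "uncertain"


# Constructed sample data: a fence centered on Amsterdam and three fixes.
AMSTERDAM_FENCE = GeofencePolicy(center_lat=52.3676, center_lon=4.9041, radius_m=20_000)
FIX_AMSTERDAM_GPS = (52.3600, 4.8852, 20.0)       # about 1.5 km from the center
FIX_AMSTERDAM_NETWORK = (52.3600, 4.8852, 800.0)  # same point, coarse network fix
FIX_BRUSSELS = (50.8503, 4.3517, 20.0)            # about 173 km from the center

if __name__ == "__main__":
    for name, fix in [("Amsterdam", FIX_AMSTERDAM_GPS), ("Brussels", FIX_BRUSSELS)]:
        print(name, evaluate(AMSTERDAM_FENCE, True, fix))
    small_fence = GeofencePolicy(52.3676, 4.9041, 2_000)
    print("small fence, coarse fix:", fix_confidence(small_fence, FIX_AMSTERDAM_NETWORK))
```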

About the MDX Toolkit

Nov 20, 2017

The Mobile Device Experience (MDX) Toolkit is an app container technology that enhances the mobile device experience and lets you prepare apps for secure deployment with XenMobile by adding the following information to the apps:
The code required to support mobile app management tasks, such as provisioning, custom authentication, per-app revocation, data containment policies, data encryption, and per-app virtual private networking
Signed security certificates
Policy information and other XenMobile settings

The MDX Toolkit can securely wrap apps created within your organization or third-party mobile apps.

Note

The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores. For more information about the XenMobile Apps that you can wrap by using the MDX Toolkit version , see XenMobile Apps administration and delivery.

You use the XenMobile console to add your app to XenMobile. When you add the app, you can change the policy configuration, add app categories, apply workflows, and deploy apps to delivery groups.

To download XenMobile components, see You can also wrap apps using our cloud tool, the XenMobile MDX Service. For more information on the tool, see XenMobile MDX Service.

Known Issues in the MDX Toolkit
Fixed Issues in the MDX Toolkit

Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your XenMobile environment, see the XenMobile Deployment Handbook.

About App Wrapping

You can wrap Android or iOS apps you obtain from app vendors. With public app store distribution, you do not sign and wrap Citrix-developed apps with the MDX Toolkit. This process significantly streamlines deploying apps. Since the XenMobile Server already supports deploying apps from the public app store, no server update is required. However, you can still use the MDX Toolkit to wrap third-party or enterprise apps. For more information on public app store distribution, see Public App Delivery of XenMobile Apps.

Note: Independent Software Vendors (ISVs) can wrap apps they develop and then make them available in an app store or the Citrix XenMobile App Gallery. For details, see the MDX Developer Guide.

The MDX Toolkit combines app files (.ipa, .app, or .apk) with Citrix components and your keystore or signing certificate to produce a wrapped MDX app.

Note

The MDX Toolkit supports:
Android and iOS apps developed on the Xamarin platform
Apps developed by using the PhoneGap (Apache Cordova) framework
These are the third-party frameworks tested and supported by Citrix to work with the MDX toolkit. Other third-party frameworks, such as Swift, are not guaranteed to work unless explicitly stated.

The MDX Toolkit and XenMobile App SDK for iOS and Android includes the following tools:
A macOS GUI tool that can wrap both iOS and Android apps.
A macOS command-line tool that wraps iOS apps.
A Java command-line tool that wraps Android apps.
XenMobile App SDK: Third-party app developers can use the XenMobile App SDK to perform actions in wrapped apps based on XenMobile policies. For example, if a XenMobile policy prevents cut and copy in a XenMobile App, a developer can prevent text selection in the app. For details, see the MDX Developer Guide.

The MDX Toolkit and XenMobile App SDK for iOS and Android

You can use the MDX Toolkit to wrap XenMobile Apps and native, compiled, non-public custom apps for Android and iOS. These apps must be created using Objective-C on iOS and Java on Android.

Note: The MDX Toolkit is the final release that supports the wrapping of XenMobile Apps. Users access XenMobile Apps versions and later from the public app stores.

For enterprise application wrapping, you start with an iOS application (.ipa) or an Android application (.apk). Be sure to acquire third-party applications directly from the application vendor. iOS applications downloaded from the Apple store are encrypted and cannot be wrapped.

The MDX Toolkit for Windows Phone

The MDX Toolkit for Windows Phone 8.1 and Windows Phone 10 contains a Windows command-line tool that wraps Secure Mail and Secure Web. Windows Phone 8.1 and Windows Phone 10 require the same certificate to sign all apps to enable enrollment of deployed apps. Although the MDX Toolkit for Windows Phone 8.1 currently does not support wrapping other apps, you use it to re-sign Secure Hub. This also applies to any third-party Windows Phone apps you want to deploy.

Fixed Issues

Nov 30, 2017

The following issue is fixed in the MDX Toolkit

On Android, after performing a selective wipe, Samsung Active Sync accounts still exist on the device. [CXM-41697]

Fixed issues in version

The following are fixed issues in version of the MDX Toolkit:

On iOS 11, when the Open-in policy is set to restricted and encryption is on, users can select open-in for managed or unmanaged apps from MDX apps. [CXM-34178][CXM-38705]
On Android, MDX wrapped apps redirect to the incorrect Baidu store page. [CXM-38177]

Fixed issues in version

On iOS 11, files from ShareFile opened in MDX-wrapped applications appear corrupted. [CXM-38900]
On iOS 10 and 11, selecting open in from MDX managed apps displays an error message. [CXM-38912]

Fixed issues in version 10.7

In Secure Mail for Android, on Samsung S7 devices running Android 7, the paste option does not appear on long press when composing a mail. [CXM-23494]
When upgrading to Android 7 on Samsung devices without , data corruption in SQLite databases may occur. This leads to app instability. [CXM-23499]
On Samsung devices, users cannot deploy the Citrix VPN policy when trying to configure a per app VPN. [CXM-37344]
On devices running Android 7, if secure boot or secure start-up is disabled, MDX applications do not launch. [CXM-38275]

Fixed issues in version

On iOS, during data syncing, the access gateway cookie may be lost, resulting in Secure Hub taking a long time to start. [CXM-31212]
Some internal apps do not load when wrapped with the MDX Toolkit for Android. [CXM-34665]
On iOS, when attaching a file from MDX-wrapped ShareFile to Secure Mail, "%20" replaces any space in the file name. [CXM ]
MDX-wrapped apps on Android get an error displaying "Failed to get the correct encryption key to run this app". [CXM ]
In MDX wrapped apps on iOS, some wrapped apps do not display upload progress. [CXM-35215]
In MDX-wrapped apps on Android, some apps crash while opening. [CXM-35220]
In MDX-wrapped Cordova-based apps on iOS, the Allowed URLs policy does not redirect to Secure Web. [CXM-36275]

Fixed issues in version 10.6

The following are fixed issues in version 10.6 of the MDX Toolkit.

When an in-house app contains the same class as one that already exists in MDX, the app will crash after being wrapped. [CXM-19564]
Visiting some external sites using Secure Browse causes an error and a return to Secure Hub. [CXM-20093]
In some environments that use Active Directory and certificate authentication, when users updated to Worx Mail , issues occur with synchronization. [CXM-20153]
You cannot wrap the Acronis Access app with the MDX Toolkit for iOS 10 devices. [CXM-20596]
On iOS, a wrapped app may crash when trying to write to an empty database with a size of 1. [CXM-20597]
On iOS, when using certain APIs, the MDX Toolkit cannot restrict the cut, copy, or paste functions. [CXM-21058]
On iOS devices, after wrapping an app, the app's keychain item may not be returned upon query. [CXM-21195]
Lack of coordination between MDX and Secure Hub for fetching STA tickets results in MDX apps failing to open. [CXM ]
On iOS, after wrapping an app with MDX, web links may open in the native browser instead of redirecting to the app. [CXM-21643]
On iOS, for sites that expect to use the NetScaler Gateway client certificate to authenticate, Secure Web fails to authenticate. [CXM-21644]
On iOS, users cannot open attachments from Secure Mail with Quick Edit unless Quick Edit is already open in the background. [CXM-21815]
On iOS, background pictures in apps do not load correctly after wrapping. [CXM-21902]
On iOS, some applications that use NSURLSession for making network requests and which customize the NSURLSessionConfiguration were not able to connect to internal sites through the mVPN tunnel. [CXM-22042]
On iOS devices, Secure Web is unable to open internal web sites that use HTTP redirects which include special characters in their URL. [CXM-22300]
On Android, some in-house apps crash after being wrapped due to a string table corruption. [CXM-22354]
On iOS, applications that use an NSProxy subclass as a UIWebView delegate did not receive delegate callbacks, resulting in the app not loading properly. [CXM-22900]
On iOS, third-party apps crash when passing a null value for a host name. [CXM-22920]
On WorxMail or Secure Mail for iOS, when users switch their Wi-Fi connection from the office to a T-Mobile cellular connection, emails stop synchronizing and a connection failure error occurs. [CXM-22984]
On iOS, the Block iCloud policy does not work with third party apps. [CXM-23060]
On Huawei devices running Android, users are unable to open attachments in Quick Edit from Secure Mail. [CXM-23182]

On Android, when opening VPN enabled apps, a private build of Secure Hub shows the following error. "The VPN service has failed to connect. You might not have access to Internal networks. To continue running Secure Web, press OK." [CXM ]
On iOS 10.2, if a user takes a picture and tries to email it, they are not redirected to the mail app successfully. [CXM-23542]
On iOS, when a wrapped app accesses the MFMailComposeViewController function to send files in an email, the app crashes. [CXM-23922]
On iOS, some apps crash after authenticating using Touch ID, because MDX fails to login due to app inactivity and the app makes network calls assuming that the network tunnel is setup. [CXM-23661]
When you wrap ShareConnect version with the MDX Toolkit version , single sign-on (SSO) to the app fails. [CXM-24028, AIR-5158]
On iOS, the third-party app MInventory crashes on start up when wrapped and the Network Access setting in XenMobile Server is set to Tunneled to Internal Network. [CXM-26038]
On HTC One M9 devices running Android 7, Secure Mail fails to launch and the following error message displays. "This device doesn't support encryption features required by this application." [CXM-26244]
The custom (in-house) app KoruLive version opens web links within the app itself and not through Secure Web. This issue occurs after wrapping this app with MDX Toolkit version [CXM-26427]
On devices running Android, the third-party app BPM Mobile crashes when wrapped with MDX Toolkit version [CXM-29504]
In Secure Web for Android, a white screen appears intermittently while launching. [CXM-29506]
On iOS, opening a Microsoft Office file from ShareFile in a Microsoft app which is not wrapped results in an error. [CXM ]
On Huawei devices running Android, the previously updated Secure Mail settings are automatically reset to its default each time you launch the app. [CXM-29535]
On Android, some internal apps crash after wrapping. [CXM-29729]
On Android, MDX apps lose connectivity due to Android killing background services needed to maintain connectivity. [CXM ]
On iOS, when Secure Hub has an intranet page configured as the home page, Secure Hub displays a blank page. [CXM ]
The third-party app CGB version 3.2 crashes when wrapped with the MDX Toolkit version This issue occurs on devices running Android 7, Android 6, and Android 5. [CXM-30253]
On devices running iOS, users are unable to browse external sites with certain NetScaler configurations. This occurs when external DNS forwarding requests are disabled, SplitDNS is set to "Both," and SplitTunnel is set to "OFF." [CXM-30413]
On Android devices other than Motorola and Asus, when installing Secure Hub from the public app store while installation of non-app store apps is disabled: Users get a warning prompt: 'The option to install third-party apps is not enabled. Do you want to enable it now?' When users tap OK, Secure Hub redirects them to Application Settings instead of to Security Settings. [CXM-30574]
On iOS, when using the app UCC wrapped, maps fail to load after a session timeout and flip to Secure Hub. [CXM-31838]
When wrapping iOS apps, the MDX Toolkit UI displays an incorrect app version number. [CXM-31927]
On iOS 10.3, from the mkate app, selecting Open In and choosing the DRM app with files that contain certain Korean characters in their title does not work. [CXM-31958]

Fixed issues in

On iOS, after using the Open In option of Quick Edit to open a file in Verse for Citrix, a new mail is created, but the attachment is not visible. [CXM-19727]
When opening an MDX wrapped app on Samsung devices running Android 7, that app will crash. Likewise, when running an app using SQL Lite on Android 7, an error may occur. [CXM-20551]
On iOS, a wrapped app crashes when making a keychain query that contains a null value. [CXM-21071]
On iOS, users of wrapped apps were unable to log in because an IPv6 address was sent instead of an IPv4 address. [CXM-21193]
On iOS devices, after wrapping an app, the app's keychain item may not be returned upon query. [CXM-21195]
On WorxMail or Secure Mail for iOS, when users switch their WiFi connection from the office to a T-Mobile cellular connection, emails stop synchronizing and a connection failure error occurs. [CXM-22984]
On iOS, when network access is set to Tunneled to the Internal Network, and Preferred VPN mode is Full tunnel, Secure Web doesn't render external websites on devices connected to T-Mobile. [CXM-23073]

Fixed issues in

Wrapped Android apps were crashing because a file type was being opened as read only when being encrypted. [CXM ]
Third-party apps may crash if the WebView method is called. [CXM-19136]
When a wrapped app has multiple objects inheriting their callbacks from the same superclass, the app will hang. [CXM ]
When an in-house app contains the same class as one that already exists in MDX, the app will crash after being wrapped. [CXM-19564]
Visiting some external sites using Secure Browse causes an error and a return to Secure Hub. [CXM-20093]
In some environments that use Active Directory and certificate authentication, when users updated to Worx Mail , issues occur with synchronization. [CXM-20153]
You cannot wrap the Acronis Access app with the MDX Toolkit for iOS 10 devices. [CXM-20596]
Android LG V20 devices are not supported for MDX-wrapped apps because of an operating system customization that is incompatible with MDX encryption. If users try to start MDX-wrapped apps, such as XenMobile Apps, an error message appears. The message states that the device does not support encryption features required by the app. [CXM-20599]

Fixed issues in

When you use the MDX Toolkit to wrap a third-party app, the app fails to connect to backend resources through micro VPN. [#639313]
When NetScaler is set up for reverse split tunneling, the VPN fails when no intranet apps are configured. [#651016]
In the MDX Toolkit for iOS, when users try to open a page in Secure Web after their authentication certificate has expired, they see a message that they can't open the page, rather than their certificate renewing automatically. [CXM ]
In iOS, attachments might fail to open within managed apps when the Inbound document exchange (Open In) policy is set to Restricted. [CXM-14615]
In Android, if the Secure Hub version installed is older than the MDX apps installed, users aren't prompted to upgrade Secure Hub. [CXM14835]
In iOS, MDX apps upgraded in XenMobile are not listed for upgrade in WorxStore. [CXM-14989]
In iOS, after upgrading to Secure Hub from or , the app crashes the first time it's opened. [CXM ]
In iOS, with the latest version of Secure Hub installed, if a user launches a web link or tries to send support logs from an MDX app, a pop up appears prompting the user to upgrade Secure Hub. [CXM-14988]
If a user tries to use the MDX apps for Secure Web or Secure Mail after certs have expired, the apps will not use the new certs received through auto-discovery and security errors will be shown. [CXM-13465]
In iOS, if ShareFile and Secure Mail are both installed with different MDX wrapping profiles and a user opens both apps then logs out of both, a looping pop up will occur. [CXM-14238]
If certificates expire and the user opens Secure Mail, a message appears, telling the user they need to renew their certificate and the user is sent to Secure Hub where they enter their authentication information which gets denied and the user is sent back to WorkMail where the same issue occurs, causing a loop. [CXM-14318]

For fixed issues in MDX Toolkit and earlier, see XenMobile MDX Toolkit 10 Fixed Issues.

Known Issues
Nov 20, 2017

The following are known issues with the MDX Toolkit version

On iOS 11, users are able to move data from an MDX managed app to an unmanaged app using the drag and drop feature. [CXM-38106]
On iOS 11, when the Document Exchange policy is set to Restricted, unmanaged apps still appear in the open-in list. [CXM-38705]
On iOS 11, files from ShareFile opened in MDX wrapped applications appear corrupted. [CXM-38900]
On iOS, managed apps do not appear in the open in list on the first attempt in managed apps. [CXM-38897]
On iOS 10 and 11, selecting open in from MDX managed apps displays an error message. [CXM-38912]

MDX Toolkit version

On iOS 11, when the Open-in policy is set to restricted and encryption is on, users cannot select open-in for managed or unmanaged apps from MDX apps. [CXM-34178]
Users' attempts to access MDX apps might fail, showing the spinning icon continuously, after users change their Active Directory password. This error happens in systems that have StoreFront and MDX apps configured. If this occurs, advise users to sign into Secure Hub using the new Active Directory password after the user's NetScaler password grace period expires. [CXM-34928]
In Secure Mail on Android O, the AutoFill option is enabled. [CXM-35112]

MDX Toolkit version 10.6

On Android, when users install an MDX app for the first time from Google Play, or when users install an app from Google Play after the XenMobile Store hasn't been active for a while, for security reasons, they are prompted to delete and reinstall the app. When this occurs, they must refresh Secure Hub before opening the app or reinstall the app. [CXM ]
When a certificate expires, apps on Android devices fail to synchronize on reopen until users close and reopen the app. [CXM-23311]

MDX Toolkit version

When users attempt to upgrade public app store apps for iOS managed by XenMobile, an App Management change dialog box appears. [CXM-22791]
When a certificate expires, apps on Android devices fail to synchronize on reopen until users close and reopen the app. [CXM-23311]
In Secure Mail for Android, on Samsung S7 devices running Android 7, the paste option does not appear on long press when composing a mail. [CXM-23494]
When upgrading to Android 7 on Samsung devices without , data corruption in SQLite databases may occur. This leads to app instability. [CXM-23499]
When you wrap ShareConnect version with the MDX Toolkit version , single sign-on (SSO) to the app fails. [AIR-5158]

MDX Toolkit Version

On Android, when users install an MDX app for the first time from Google Play, or when users install an app from Google Play after the XenMobile Store hasn't been active for a while, for security reasons, they are prompted to delete and reinstall the app. When this occurs, users must refresh Secure Hub before opening the app or they must reinstall the app. [CXM-19469]
When opening an MDX wrapped app on a Samsung 7 running Android 7 beta, that app will crash. Likewise, when running an app using SQLite on Android 7, an error may occur. [CXM-20551]

MDX Toolkit Version 10.4

In Secure Mail for Windows, when you set the Inactivity Timer MDX policy to 150 minutes and the Maximum offline policy to 1 hour, when users open Secure Mail and let the app go to the background, if the Maximum offline interval ends, users are not prompted to sign on again to Secure Mail as expected. [CXM-14634]
In Secure Mail for Windows, when the Online session required MDX policy is set to OFF and the App passcode policy is set to ON, when users open Secure Mail, if the user session on NetScaler Gateway ends, they are not prompted to authenticate to Secure Hub, as expected. [CXM-14728, CXM-14716]

MDX Toolkit Version

In a high security setup with multiple NetScaler Gateway instances, subscribing to an MDX app will give an unexpected error after trying to download and install the app for some time. [CXM-13833]
Secure Web fails to connect in Secure browse mode. [CXM-14212]
Users can launch MDX apps after they are disabled on XenMobile Server. [CXM-14578]
WorxHome does not ask for authentication after a forced time out in Secure Web in Android N. [CXM-14617]
After upgrading WorxHome, MDX app names are not displayed in the MyApps screen of WorxHome. [CXM-14991]
Users are unable to download ShareFile documents using Secure Web. [CXM-15098]
Secure Web set up with a PAC proxy will fail to connect on Android N. [CXM-15401]

MDX Toolkit Version

Background sync and services fail to start after Secure Mail is forced closed by the OS due to resource constraints. [CXM-13794]

MDX Toolkit Version

On Android devices, the Self-Destruct policy works for MDX apps only and doesn't apply to Secure Hub. [#613302]
When an iOS device loses its network connection after the Maximum offline period policy expires for an MDX app, attempts to use the app result in prompts to tap Authorize. The prompts continue until the device regains a network connection. [#633285]
When you make changes to the following keys in the XenMobile console in Settings > Client Properties, existing MDX apps may not allow users to authenticate with their current Active Directory password:
ENABLE_PASSCODE_AUTH: from false to true
ENABLE_PASSWORD_CACHING: from false to true
[#637141]
iOS apps with Apple Watch extensions are not supported when wrapping apps.

MDX Toolkit Version 10.3

Unusable icons for apps might remain on Android devices even after the MDX container is wiped. [#611647]
When users try to open a newly installed MDX app for Android from Secure Hub, when the device is managed in MAM mode, an error, such as "App Not Registered," occurs. This issue occurs on these x86 device types: Lenovo Yoga (4.4.2) and Dell Venue (4.4.4). [#612163]

MDX Toolkit Version

When you create an APN device policy and deploy the policy to an Android device, if you refresh the policy or deploy the device policy again, the APN setting appears multiple times on the device. [#564593]
In apps using the XenMobile App SDK, NSURLSession background download puts unencrypted content in the MDX sandbox when configured using the backgroundSessionConfigurationWithIdentifier (iOS 8) and backgroundSessionConfiguration (iOS 7). The content is encrypted only after the download completes. [#556634]
On iOS 9 devices, connections that tunnel to the internal network using a full VPN tunnel don't apply intranet app addresses and are based only on the configured DNS suffix. [#584426]
For third-party apps managed by MDX, the iOS data protection level of files isn't reset on first-time use. Users must restart the app to reset the protection level. [#589323]
If your attempt to wrap apps fails when using the MDX Toolkit Version and the Android API 23, complete the following steps:
1. Install the MDX Toolkit Version
2. Get the latest framework from any Android M device by using the following command:
    $ adb pull /system/framework/framework-res.apk <Destination Directory>
3. Rename the framework-res.apk to 1.apk
4. Replace ~/Library/apktool/mdx/framework/2.0.1/1.apk with the newly extracted 1.apk.
[#593020]
Attempts to attach a photo to an fails after an app upgrade occurs and the Open-in exclusion list is not overwritten or merged. After upgrading the apps, update the policy on XenMobile with the following settings:
    {action=android.media.action.IMAGE_CAPTURE}{action=android.provider.MediaStore.RECORD_SOUND}{action=android.media.action.VIDEO_CAPTURE}
[#594466]

System Requirements
Oct 16, 2017

This article provides the system requirements for using the MDX Toolkit to wrap mobile apps. The article also provides the requirements specific to app platforms.

Quick links to sections in this article
MDX Toolkit System Requirements
Other Requirements for Wrapping iOS Mobile Apps
Other Requirements for Wrapping Android Mobile Apps
Other Requirements for Wrapping XenMobile Apps for Windows Phone

MDX Toolkit System Requirements

MDX Toolkit and XenMobile App SDK (iOS and Android)

Important: The XenMobile App SDK 10.2 now requires the following components: JavaScriptCore.framework and LocalAuthentication.framework.

Java Development Kit (JDK) 1.7 or 1.8. You can download the JDK 1.8 from Java SE Development Kit Downloads on the Oracle website. For installation instructions, see the JDK 8 and JRE 8 Installation Guide on the Oracle website. Be sure to install the full JDK and set JDK 1.8 as the default.
macOS (minimum version for iOS 9 apps). The installer for the MDX Toolkit and XenMobile App SDK must run on macOS. The installer includes macOS tools that wrap both iOS and Android apps and a Java command-line tool that wraps Android apps.
For XenMobile App SDK: iOS 9 SDK with Xcode 7; bitcode generation disabled. Bitcode generation is on by default in Xcode 7. Disable it to use Xcode 7 with the XenMobile App SDK.
Computers running Windows 10 for Windows 10 mobile devices. You use the command-line tool and Visual Studio 2013 Community Edition with all service packs installed.

MDX Toolkit for Windows Phone 8.1

Windows 8.1
Requirements:
Microsoft .NET Framework
Microsoft Silverlight 5 runtime and SDK
Visual Studio 2013 (Professional or Enterprise version)
Windows Phone 8.1 SDK Tools

The MDX Toolkit has other requirements specific to the app platforms, as described in the following sections.

Other Requirements for Wrapping iOS Mobile Apps

To obtain access to the app wrapping prerequisites for iOS, you must register for an Apple distribution account. There are three types of iOS developer accounts: Enterprise, Individual, and University. Citrix strongly recommends iOS Developer Enterprise accounts.

iOS Developer Enterprise accounts: The only type of Apple Developer account that allows you to provision, deploy, and test unlimited apps to unlimited devices, with or without app wrapping. Be sure to distribute your Developer Certificate to your developers so they can sign apps.
iOS Developer Individual accounts: Limited to 100 registered devices per year and do not qualify for app wrapping and enterprise distribution with XenMobile.
iOS Developer University accounts: Limited to 200 registered devices per year and do not qualify for app wrapping and enterprise distribution with XenMobile.

iOS 9 app wrapping prerequisites:
OS X (Yosemite; minimum version)
Xcode 6 (minimum version for iOS 9)
Xcode command-line tools (April 2014)

Important
Be sure to track when the provisioning profiles for your account are due to expire and renew the profiles before they expire. When a profile used to wrap apps expires, you must renew the profile, rewrap the apps, and then reinstall the apps on user devices. To renew a provisioning profile, log on to your Apple Developer account, go to Certificates, Identifiers & Profiles, and then select Provisioning Profiles.

Download the Xcode command-line tools from the Xcode Apple Developer website. macOS does not install the tools automatically. To install the tools, follow these steps:
1. In Applications > Utilities, click Terminal to use the Mac command line interface (CLI).
2. Type the following command:
    xcode-select --install
   Be sure to include two hyphens before the word install in the command.
3. After the Xcode command-line tools install, run Xcode to install any prerequisites.

Other Requirements for Wrapping Android Mobile Apps

To wrap Android apps, you also need a compatible Android software development kit (SDK) and a valid keystore.
To download, create, and properly configure the SDK and keystore, follow these instructions:

Android software development kit

The MDX Toolkit is compatible with API Levels of the Android SDK.
Note: For wrapping XenMobile Apps version , the minimum Android SDK required is API Level 23.
For information on troubleshooting errors that can occur when wrapping Android apps by using MDX Toolkit , see this article.

1. Go to the Google developer website and download the Android SDK from the SDK download page. The full Android Studio is not required. You can download the command-line tools from the section near the bottom of the page.

2. Install the latest tools, platform-tools, and build-tools. This installation requires using the Android tool in Android SDK > tools to start the SDK Manager:
   a. Unzip the SDK file you downloaded.
   b. Go to the tools folder and then click Android to run the SDK Manager.

3. In the SDK Manager, select the latest versions of the following:
   Android SDK Tools
   Android SDK Platform
   Android SDK Platform-tools
   Android SDK Build-tools
4. Click Install Packages.
5. On the Choose Packages to Install screen, click Accept License for all the packages you are installing and then click Install.

6. To verify that you downloaded the appropriate SDK Tools and APIs, check that the aapt file is in Android SDK > build-tools >
7. When updating your SDK, you have to delete all aapt files from the platform-tools folder. Ensure that the .aapt file is in build-tools only.
8. If the zipalign file is missing from build-tools, copy the file from the platform-tools folder to the build-tools folder, and then delete it from platform-tools.

9. Add the location of the newly installed folders to the android_settings.txt file in the MDX Toolkit install folder.
10. In Applications > Citrix > MDX Toolkit, open the android_settings.txt file and then add the full path for the following folders:
   Android SDK
   Android SDK > tools
   Android SDK > platform-tools
   Android SDK > build-tools > [version]
   Note: Be sure to remove the Android SDK > apktools path from the android_settings file, as that path is no longer required.
   To find the full path of your SDK folder, right-click on the file, select Get Info and then on the Info panel, review the Where information.

11. Before editing the android_settings file, make a copy of the file.
   a. Go to Applications > Citrix > MDXToolkit > Android_settings.
   b. Add the new paths.
   c. Save the file outside of the Applications > Citrix > MDX Toolkit folder.
   d. Rename the original android_settings file in the Applications > Citrix > MDXToolkit folder; for example, android_settings.old.
   e. Copy the new android_settings file with the added paths into the Applications > Citrix > MDX Toolkit folder.
The following example shows the file with the paths added:
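The checks in steps 6 through 10 can be run against the settings file before wrapping. The following is an added example, not the figure from the original page and not Citrix code: it reads the PATH line of android_settings.txt and reports entries that do not exist, a leftover apktools entry, an aapt copy in platform-tools, and aapt or zipalign missing from the build-tools version folder. The function names, the finding codes, and the sample folder tree (including the build-tools version 23.0.2) are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def parse_path_entries(settings_text, sep=os.pathsep):
    """Return the entries of the 'PATH = ...' line of android_settings.txt.

    Entries are separated by ':' on Mac/Unix and ';' on Windows.
    """
    for line in settings_text.splitlines():
        name, eq, value = line.partition("=")
        if eq and name.strip() == "PATH":
            return [e.strip() for e in value.split(sep) if e.strip()]
    return []


def check_entries(entries):
    """Return (code, entry) findings for the PATH entries, in entry order."""
    findings, build_tools = [], []
    for entry in entries:
        path = Path(entry)
        if "apktools" in path.parts:
            # The apktools path is no longer required and should be removed.
            findings.append(("apktools-entry", entry))
            continue
        if not path.is_dir():
            findings.append(("missing-dir", entry))
            continue
        if path.name == "platform-tools" and (path / "aapt").exists():
            # aapt must live in build-tools only after an SDK update.
            findings.append(("aapt-in-platform-tools", entry))
        if path.parent.name == "build-tools":
            build_tools.append(path)
    if not build_tools:
        findings.append(("no-build-tools-entry", ""))
    for path in build_tools:
        for tool in ("aapt", "zipalign"):
            if not (path / tool).is_file():
                findings.append((tool + "-missing", str(path)))
    return findings


def demo():
    """Run the checks on a constructed SDK tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sdk = root / "sdk"
        for sub in ("tools", "platform-tools", "build-tools/23.0.2"):
            (sdk / sub).mkdir(parents=True)
        # Constructed state: stale aapt left in platform-tools, no zipalign.
        (sdk / "platform-tools" / "aapt").write_text("stale copy")
        (sdk / "build-tools" / "23.0.2" / "aapt").write_text("current copy")
        entries = [
            sdk,
            sdk / "tools",
            sdk / "platform-tools",
            sdk / "build-tools" / "23.0.2",
            root / "apktools",      # leftover entry
            sdk / "old-tools",      # folder that no longer exists
        ]
        settings = "PATH = " + os.pathsep.join(str(e) for e in entries) + "\n"
        findings = check_entries(parse_path_entries(settings))
        return [(code, Path(p).relative_to(root).as_posix())
                for code, p in findings]


if __name__ == "__main__":
    for code, where in demo():
        print(code, where)
```

An empty result from check_entries means the PATH entries match the layout the steps describe.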

Valid Keystore

A valid keystore contains digitally signed certificates that you use to sign Android apps. You create a keystore one time and retain this file for current and future wrapping. If you do not use the same keystore when wrapping new versions of apps that you've previously deployed, upgrades of those apps don't work. Instead, users must manually remove older versions before installing new versions.

A keystore can contain multiple private keys. Usually, though, the keystore has only one key.

For details about certificates, see Signing Your Applications.

Sign your apps with a key that meets the following guidelines:
2048-bit keysize
DSA or RSA key algorithm (keyalg)
Do not use MD5.

The MDX Toolkit signs apps using SHA1 to support older versions of Android. This algorithm will soon be deprecated in favor of SHA256. If you want to sign your app with another algorithm, use another tool.

If you don't want to use the debug keystore, create a keystore. To create a keystore, start Terminal and then enter the command:
    keytool -genkey -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity <days>
Provide the information requested, such as a password for the keystore and the domain name of your organization (example: example.com). The key is valid for 25 years.
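The key guidelines above can be checked against an existing keystore before it is used for wrapping. The following is an added example, not Citrix code: it parses the text printed by keytool -list -v and reports entries that miss the 2048-bit, DSA-or-RSA, or no-MD5 guidelines. The sample output is constructed in the layout recent JDK releases print (fingerprints and extensions trimmed), the function names are hypothetical, and the 2048-bit guideline is treated as a minimum, which is an assumption.

```python
import re

# Constructed sample of `keytool -list -v -keystore <file>` output.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: alias_name
Creation date: Oct 16, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com, O=Example
Issuer: CN=example.com, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Alias name: legacy
Creation date: Jan 5, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com, O=Example
Issuer: CN=example.com, O=Example
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
"""

ALLOWED_KEY_ALGS = {"RSA", "DSA"}  # guideline: DSA or RSA key algorithm
MIN_KEY_BITS = 2048                # guideline: 2048-bit keysize (as a minimum)


def parse_entries(text):
    """Map each alias to the algorithms of the first certificate in its chain."""
    entries, alias = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            alias = m.group(1)
            entries[alias] = {"sigalg": None, "bits": None, "keyalg": None}
            continue
        if alias is None:
            continue
        info = entries[alias]
        m = re.match(r"Signature algorithm name:\s*(\S+)", line)
        if m and info["sigalg"] is None:
            info["sigalg"] = m.group(1)
            continue
        m = re.match(r"Subject Public Key Algorithm:\s*(\d+)-bit (\w+)", line)
        if m and info["bits"] is None:
            info["bits"], info["keyalg"] = int(m.group(1)), m.group(2)
    return entries


def check_entry(info):
    """Return the guideline violations for one entry; missing data is a problem."""
    problems = []
    if info["keyalg"] is None or info["bits"] is None:
        problems.append("public key algorithm and size not reported")
    else:
        if info["keyalg"] not in ALLOWED_KEY_ALGS:
            problems.append("key algorithm %s is not DSA or RSA" % info["keyalg"])
        if info["bits"] < MIN_KEY_BITS:
            problems.append("%d-bit key is below 2048 bits" % info["bits"])
    if info["sigalg"] is None:
        problems.append("signature algorithm not reported")
    elif info["sigalg"].upper().startswith("MD5"):
        problems.append("certificate is signed with %s" % info["sigalg"])
    return problems


def audit_keystore(text):
    """Return {alias: [problems]} for every entry in the keytool listing."""
    return {alias: check_entry(info) for alias, info in parse_entries(text).items()}


if __name__ == "__main__":
    for alias, problems in audit_keystore(SAMPLE_KEYTOOL_OUTPUT).items():
        print(alias, "OK" if not problems else "; ".join(problems))
```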

To sign an app, use this command:
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
You can now wrap Android apps. For details, see Wrapping Android apps.

Other Requirements for Wrapping XenMobile Apps for Windows Phone 8.1 / 10

Windows Phone 10 is supported for XenMobile 10 and 10.3.x only. It is not supported for XenMobile For XenMobile 9, you must install a patch for apps to work properly. You can download the patch in the Support Knowledge Center.

Windows Store requirements:
An open Microsoft Windows Store Developer Account (Corporate account type). For details, see Account types, locations, and fees. This account provides a Publisher ID and a Symantec enterprise certificate.
Publisher ID (PHONEPUBLISHERID) from the Windows Store developer account profile. For details, see Managing your profile.
Enterprise certificate from Symantec. The certificate is required to sign Windows mobile apps. For details, see Company app distribution for Windows Phone.
Application Enrollment Token (AET). For details, see How to generate an application enrollment token for Windows Phone.

When you use the MDX Toolkit to resign an app, the Toolkit uses the Symantec certificate to generate an Application Enrollment Token (AET) file. The Toolkit includes this file in the MDX file. The AET file is also needed when creating an Enterprise Hub device policy for Windows Phone 8.1. For more information, see To add an Enterprise Hub device policy for Windows Phone.

XenMobile Compatibility
Oct 16, 2017

For a summary of the versions of XenMobile components that you can integrate, including the version of the MDX Toolkit needed to wrap, configure, and distribute XenMobile Apps, see XenMobile compatibility. For more information, see Supported device platforms.

Installing the MDX Toolkit
Oct 16, 2017

Follow these procedures to install the MDX Toolkit and XenMobile App SDK for iOS and Android, and the MDX Toolkit for Windows Phone 8.1/10.

Installing the MDX Toolkit and XenMobile App SDK for iOS and Android

Perform the following steps from a computer running macOS. The installer includes the following tools:
macOS tools that wrap both iOS and Android apps.
A Java command-line tool that wraps Android apps. You can also run this tool on a Windows computer.

Note
It is recommended to remove the previous version of the MDX Toolkit before installing the new version. Remember to back up Android_settings.txt before uninstalling the toolkit.

1. Log on to the XenMobile downloads page.
2. Expand XenMobile Apps and MDX Toolkit.
3. Locate the MDX Toolkit version you want to install and then click its link to begin the download.
4. Open MDXToolkit.mpkg with the macOS Finder tool on macOS or later and Xcode 5.1 or later. For version requirements, see System Requirements. The default installation path is /Applications/Citrix/MDXToolkit.
5. If you want to run the Java command-line tool on a Windows computer, copy ManagedApp.jar and ManagedAppUtility.jar to a directory on a Windows computer that meets the Android wrapping prerequisites. For details, see MDX Toolkit System Requirements.

6. To use the GUI tool to wrap Android apps, you must update path information in the android_settings.txt file that is installed in Applications/Citrix/MDXToolkit. If you do not complete these steps, the GUI tool will indicate that the prerequisites cannot be located.
   Important: When wrapping Android apps, the MDX Toolkit might fail unless the locale of the computer on which you run the MDX Toolkit is English.
   a. Copy android_settings.txt to a folder that you can write to.
   b. Edit the android_settings.txt file with any text editor. To use Vim, you can use the following command line. Enter your user password when prompted. The file opens in your terminal window.
       sudo vim /Applications/Citrix/MDXToolkit/android_settings.txt
   c. Update the file with the path to the JDK and the Android SDK binaries in your environment. Add the following to the end of the PATH = line in your settings.txt file (separated by : on Mac/Unix, and ; on Windows):
       PATH = /bin:/usr/bin:/usr/sbin/sbin:/<install Location> /adt-bundle-mac-x86_ /sdk:/<install Location>/adt-bundle-mac-x86_ /sdk/tools:<Install Location>/adt-bundle-mac-x86_ /sdk/platform-tools:Documents/Android SDK/apktools
   d. Save the updated file to the same name, android_settings.txt, and then copy the file to Applications/Citrix/MDXToolkit. You might be prompted to enter a password to copy to that folder.

The installation package includes a small utility for removing the MDX Toolkit. The utility is installed in the following location on your computer: /Applications/Citrix/CGAppPrepTool/Uninstaller.app/Contents. Double-click the utility to start the uninstaller app and then follow the prompts. When you remove the tool, you receive a message prompting you for your user name and password.

Important: If you use XenMobile 9, you must install a XenMobile Device Manager patch before wrapping Android apps. go to navigate to Legacy Software > Product Software > Patches and then download XenMobile Device Manager 9.0 Patch.

Installing the MDX Toolkit for Windows Phone 8.1 / 10

Perform the following steps from a computer running Windows
1. Log on to the XenMobile downloads page.
2. Expand XenMobile Apps and MDX Toolkit.
3. Locate the MDX Toolkit version you want to install and click its link to begin the download.
4. Extract the files and then start the installer, CGAppPrepTool. The installation path is Applications/Citrix/MDXToolkit.

The installation package includes a small utility for removing the MDX Toolkit. The utility is installed in the following location on your computer: /Applications/Citrix/CGAppPrepTool/Uninstaller.app/Contents. Double-click the utility to start the uninstaller app and then follow the prompts. When you remove the tool, you receive a message prompting you for your user name and password.

Wrapping iOS Mobile Apps
Nov 20, 2017

This article describes how XenMobile administrators wrap enterprise apps and how developers wrap ISV apps. To wrap iOS mobile apps, use the MDX Toolkit, which includes a macOS graphical interface tool and a macOS command-line tool. The macOS command-line tool has customization options, can be referenced from scripts that automate the app wrapping process, and lets you preset some MDX policies.

The file type for a wrapped app is .mdx. You upload the .mdx file to the XenMobile console where you configure specific app details and policy settings that the XenMobile Store enforces. When users sign on, the app appears in the store. Users can then subscribe, download, and install the app on their device.

The following figure provides an overview of the app wrapping steps, from installation of the MDX Toolkit through testing XenMobile Apps. Related topics are listed under the diagram.

For details, see:
MDX Toolkit System Requirements
Other Requirements for Wrapping iOS Mobile Apps
XenMobile Compatibility
Installing the MDX Toolkit

For details, see:
Creating Provisioning Profiles
App Upgrades
Policies and XenMobile Apps
Enterprise App Wrapping Using the Graphical Interface
Enterprise iOS App Wrapping Using the Command Line
Resigning Apps that contain the Worx SDK
Command Options
Presetting MDX Policies for iOS Apps
Identifying iOS App Wrapping Errors
Collecting System Logs on iOS Devices
To add an MDX app to XenMobile

Important: Make sure that user devices are updated with a version of Secure Hub that is compatible with the version of MDX Toolkit used to wrap apps. Otherwise, users will see an error message about the incompatibility. For details, see XenMobile Compatibility.

Deploying iOS Devices through Apple DEP

You must enroll in the Apple Deployment Program to take advantage of the Apple Device Enrollment Program (DEP). You can use Apple DEP to deploy and manage iOS and macOS devices in XenMobile. For more information, including how to enroll in the Apple Deployment Program, see Deploy iOS and macOS devices through Apple DEP.

Creating Provisioning Profiles

Any app that runs on a physical iOS device (other than apps in the Apple App Store) must be signed with a provisioning profile and a corresponding distribution certificate. There are two kinds of developer programs for distribution: the iOS Developer Program (Ad-Hoc) and the iOS Developer Enterprise Program. To wrap apps, Citrix recommends using the Enterprise program. You can enroll in the program from the Apple web site.

The Enterprise profile allows you to run an app on unlimited devices. The Ad Hoc profile allows you to run an app on up to about 100 devices.

Apple no longer supports the use of wildcard App IDs for new Enterprise accounts. If your Enterprise account does not support wildcard App IDs, you must create multiple explicit App IDs and provisioning profiles, as follows.
1. Verify that you have a valid iOS distribution certificate. Be aware that an existing iOS Developer for Enterprise certificate and provisioning profile might not be compatible with iOS 9. For details, see Wrapping XenMobile Apps for iOS
2. From the Apple Enterprise Developer portal, create an explicit App ID for each app you plan to wrap with the MDX Toolkit. An example of an acceptable App ID is: com.companyname.productname.
3. From the Apple Enterprise Developer portal, go to Provisioning Profiles > Distribution and create an in-house provisioning profile. Repeat this step for each App ID created in the previous step.
4. Download all provisioning profiles.

If your Apple Enterprise account supports wildcard App IDs, you can continue to use a wildcard provisioning profile to wrap apps. However, if you will use the Apple Push Notification service (APNs) for notifications when Secure Mail is in the background, you must use an explicit provisioning profile and App ID.

Any device on which you want to install the MDX app needs to have the provisioning profile on the device. You can distribute the profile to user devices by using an attachment. Users can add the profile on their iOS device by clicking the attachment.

For details about provisioning profiles and distribution certificates, see Maintaining Identifiers, Devices, and Profiles in the Apple App Distribution Guide.

App Upgrades

Important: Before you upgrade apps, be aware how changes to App IDs or the use of a partial wildcard App ID provisioning profile impact app upgrades.

Previously wrapped apps upgrade in place unless the App ID has changed. For example, if you change a bundle ID from com.citrix.mail to com.example.mail, there is no upgrade path. The user must reinstall the app. A device considers the app as a new app. The new and prior versions of the app can both reside on the device.
If you use a partial provisioning profile, such as com.xxxx, to wrap an app with a bundle ID that includes com.citrix, Citrix recommends that you remove the installed MDX-wrapped apps and install the apps wrapped with the latest MDX Toolkit. As a result of a bundle ID change from com.citrix.mail to com.example, users will need to reinstall the app.
An in-place upgrade succeeds if an app was wrapped with a full wildcard App ID and the new version of the app has an App ID that matches the installed app.

Policies and XenMobile Apps

Note
The MDX release is the final release that supports the wrapping of XenMobile Apps.
You cannot use subsequent releases of MDX and later - or the MDX Service to wrap XenMobile Apps or later versions. You must access XenMobile Apps from the public app stores.

Citrix provides a generic set of default policies that apply to all XenMobile Apps and a set of specific policies for some of the XenMobile Apps. Policy file names are based on the bundle ID. By default, the policy file name for a XenMobile app is in the form com.citrix.app_policy_metadata.xml, where app is a name such as "mail".

If you have an Apple Enterprise account that does not support wildcard App IDs, you must change the company identifier in the bundle ID when you wrap a XenMobile app. For example, the bundle ID for Secure Mail is com.citrix.mail. You must replace "citrix" in that identifier with your company identifier. If your company identifier is "example", the bundle ID is com.example.mail. When you wrap that app, the policy file name is com.example.mail_policy_metadata.xml.

To determine which policy file to apply to an app, the MDX Toolkit looks for files in the following order and uses the first file it finds:

1. A file name that matches your bundle ID, such as com.example.mail_policy_metadata.xml, as described in the preceding example.
2. A file name that matches the original bundle ID, such as com.citrix.mail_policy_metadata.xml.
3. A file name that matches the generic default policy file, policy_metadata.xml.

You can create your own set of policy defaults for a specific XenMobile app by modifying the files that match your bundle ID or the original bundle ID.

Enterprise App Wrapping Using the Graphical Interface

The following steps describe the general process for wrapping an enterprise app that you will deploy from XenMobile. The general process for ISV app wrapping is described in ISV App Wrapping Using the Graphical Interface.

Important: Both the private key and the certificate must be installed on the Keychain Access of your Mac before using the graphical interface to wrap iOS apps. If the associated distribution certificate does not have the private key installed into Keychain Access, the graphical interface does not pre-populate the iOS Distribution Certificate list. For details, see "Repairing Your Keychain when the Toolkit Can't Find a Distribution Certificate," later in this article.

1. Before you use the toolkit to wrap apps, be sure to back up the original version of those apps so you can return to them if needed.
2. Start the MDX Toolkit from your iOS Applications folder, select For IT administrators, and then click Next.
3. Click Browse, select the file, and then click Next.

4. The Verify App Details screen shows information obtained from the app. As needed, change the pre-filled information. Optionally, specify a minimum and maximum OS version and list the device types on which the app is not allowed to run. You can also change the app details after uploading the app to XenMobile.

5. In the Create Citrix Mobile App screen, click Browse, select the provisioning profile, and select a distribution certificate. If the iOS Certificate list is empty, you might need to repair the keychain on the machine where you are running the MDX Toolkit. For details, see "Repairing Your Keychain when the Toolkit Can't Find a Distribution Certificate," later in this article.
6. If you selected a provisioning profile that has an explicit app ID, the tool prompts you to confirm the app ID. For example, the bundle ID for a XenMobile app is com.citrix.productname. The provisioning profile that you use must include your company identifier instead of "citrix". After you click Yes, click Create.

7. If you selected a provisioning profile that has a wildcard app ID, the tool shows a list of available app IDs. If the app ID you want to use isn't listed, choose a different provisioning profile. After you choose an app ID, click Create.

8. The toolkit lets you know when the MDX package is created. To wrap another app, click Start Over.

The toolkit appends _ios to the end of the filename of a wrapped iOS app.

Enterprise iOS App Wrapping Using the Command Line

Note: Be sure to obtain third-party apps directly from the app vendor. iOS apps downloaded from the Apple store are encrypted and cannot be wrapped.

Before you use the toolkit to wrap apps, be sure to back up the original version of those apps so you can return to them if needed.

The following example shows a basic app wrapping command using default settings. Modify the bold information for your specific system. The trailing backslash signifies the command continues to the next line. Remove these symbols before running the command.

To perform these commands, navigate to the /Applications/Citrix/MDXToolkit/ directory on your command line.

A basic iOS wrapping command line is as follows.

    ./CGAppCLPrepTool \
    Wrap \
    -Cert CERTIFICATE \
    -Profile PROFILE \
    -bundleid ID \
    -in INPUT_FILE \
    -out OUTPUT_FILE

The following is an example of this command-line option.

    ./CGAppCLPrepTool \
    Wrap \
    -Cert "iPhone Developer: Joe Admin (12MMA4ASQB)" \
    -Profile team_profile.mobileprovision \
    -bundleid com.companyabc.sample \
    -in ~/Desktop/SampleApps/Sample.ipa \
    -out ~/Desktop/SampleApps/Sample.mdx

Examples of options you may add to the preceding command include:

    -appname "Wrapped Sample app"
    -appdesc "This is my newly wrapped iOS application."

Both of those options default to the value read from the app, if possible.

For details about the options, see Command Options. For inline documentation, use the -help option.

Command Options

wrap command

Option        Description
-Help         Displays Help for this command.
-In           Required. Path and file name of the app you are wrapping.
-Out          Optional. Path and file name for the resulting .mdx file. If this option is omitted, the file has the same path and file name as the input file and has an .mdx extension.
-Cert         Required. Name of the certificate to use to sign the app.
-Profile      Required. Name of the provisioning profile to use to sign the app.
-bundleid     Required for Enterprise accounts that do not support wildcard App IDs. This is your Apple bundle ID. The MDX Toolkit verifies whether the bundle ID and provisioning profile are compatible.
-Upgrade      This option is intended for legacy apps and will be deprecated. Used for in-place upgrades when you use a partial wildcard provisioning profile. This option ensures that the new binary is signed with the same entitlement as the prior version. If the entitlements do not match, then attempts by users to install the upgrade from Secure Hub will fail.
-AppName      Optional. App name, obtained from the app if possible.

-AppDesc    Optional. App description, obtained from the app if possible.
-MinPlatform    Optional. Minimum supported platform version. Defaults to blank.
-MaxPlatform    Optional. Maximum supported platform version. Defaults to blank.
-ExcludedDevices    Optional. List of device types on which the app is not allowed to run. Defaults to blank.
-PolicyXML    Optional. Replacement XML policy definition file and path. Defaults to the built-in policy definitions. Example: -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml For details, see "Presetting MDX Policies for iOS Apps," next.
-LogFile    Optional. Name of the log file.
-LogWriteLevel    Optional. Log level, 1 through 4.
-LogDisplayLevel    Optional. Log level for standard output, 0 through 4.

sign command

Option    Description
-Help    Displays Help for this command.
-In    Required. Path and file name of the app you are wrapping.
-Out    Optional. Path and file name for the resulting .mdx file. If this option is omitted, the file has the same path and file name as the input file and has an .mdx extension.
-Cert    Required. Name of the certificate to use to sign the app.
-Profile    Required. Name of the provisioning profile to use to sign the app.

setinfo command

Option    Description
-Help    Displays Help for this command.

Option    Description
-In    Required. Path and file name of the app to be modified.
-Out    For setinfo, the output path or file name must differ from the original.
-AppDesc    Optional. App description. Remains unchanged if not specified.
-MinPlatform    Optional. Minimum supported SDK level. Remains unchanged if not specified.
-MaxPlatform    Optional. Maximum supported SDK level. Remains unchanged if not specified.
-ExcludedDevices    Optional. List of device types on which the app is not allowed to run. Remains unchanged if not specified.
-StoreURL    Optional. URL of the app in the app store. Remains unchanged if not specified.
-PolicyXML    Optional. Replacement XML policy definition file and path. Defaults to the built-in policy definitions. Example: -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml For details, see "Presetting MDX Policies for iOS Apps," next.

Presetting MDX Policies for iOS Apps

For apps that you wrap with the MDX Toolkit command-line tool, you can preset some MDX policies. You can also configure policies in the XenMobile console when you add the apps.

1. Update policy values in the policy XML file. The MDX Toolkit installer creates this policy file: /Applications/Citrix/MDXToolkit/data/policy_metadata.xml
   Note: The policy files for iOS and Android differ. To preset policies for both of those platforms, you must update their respective policy XML files.
2. When you wrap the app with the command line, include -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml.

Identifying iOS App Wrapping Errors

If you encounter an error when wrapping an iOS app, you can use the MDX Toolkit logs to identify the error. You must have administrator rights to view the MDX Toolkit logs.

When you run the MDX Toolkit, the tool saves a log file to the following location: Applications > Citrix > MDXToolkit > Logs > Citrix.log. By default, the tool saves warnings and errors in the log.

If an error occurs for an iOS app, a command line with arguments appears at the end of the log. You can copy the command line and run it in Terminal. To do that, in Applications > Utilities, click Terminal, and use the Mac command-line interface to evaluate the command. You may need to refer to the app requirements to evaluate the error.

When you use the command-line tool to run the wrapping process, you can specify the log file location, log display level, and log write level in the command line. You can also specify verbose logging level and a different log file in the command line.

Selecting the Correct Provisioning Profile

When you wrap a mobile iOS app, you might receive a warning indicating that the app was wrapped successfully, but may contain errors. Errors can occur if the provisioning profile you chose differs from the provisioning profile the app originally used.

The MDX Toolkit can alert you about certain provisioning profile issues. For example, your app may require one or more of the following functions:

- iCloud app that enables the use of iCloud data storage for your iOS app
- Push notification that uses the Apple push notification service to deliver messages to the iOS device
- Special keychain-access-groups entitlement to access the keychain item for another app

The logs show the missing key and value pairs for the app. For each key and value pair, you can decide whether you want to fix the error. If you do not fix the error, the app may not function correctly. Also, depending on the key and value pair, you need to check if you can fix your provisioning profile. Occasionally, you might not be able to fix the provisioning profile and can release the app with the defect.

For details about provisioning profiles, see the Apple Developer Web site.

Repairing Your Keychain when the Toolkit Can't Find a Distribution Certificate

If the MDX Toolkit does not recognize your iOS Distribution Certificate, there might be an issue between your iCloud Keychain and the keychain on the computer running the MDX Toolkit. To repair your local keychain, follow these steps.

1. On your Mac, in System Preferences, tap iCloud.
2. Clear the Keychain check box. This removes your locally synchronized keychain from iCloud.
3. Open Keychain Access, which is in the Utilities folder within the Applications folder.
4. Delete the iOS Developer Certificate used to sign your wrapped apps. This is typically the "iPhone Distribution: Company Name" certificate with an associated private key.
5. From the Keychain Access menu, choose Keychain First Aid.
6. In the Keychain First Aid dialog box, tap Repair and then Start.
7. After the repair completes, tap Verify and then Start.
8. If the repair is successful, import your iOS Distribution Certificate again into the Keychain Access app.
9. Start the MDX Toolkit. The iOS Distribution Provisioning Profile and iOS Distribution Certificate fields should contain your information.
10. As needed, resync your keychain to iCloud: In System Preferences, tap iCloud and then select the Keychain check box.

Resigning Apps that contain the Worx SDK

If you have an application that already contains the Worx SDK built into it using Xcode, all you need to do is resign it with your enterprise certificate or provisioning profile. The following is a sample of the Sign Command.

    ftllsuzane011:~ vikasnambiar$ /Applications/Citrix/MDXToolkit/CGAppCLPrepTool Sign -help
    Command Line Interface for MDX Toolkit, version (Env:Test)
    :21: CGAppCLPrepTool[88453: ] Sign Command
    CGAppCLPrepTool Sign -in INPUTFILE -out OUTPUTFILE -Cert CERTIFICATE -Profile PROFILE
    -Cert CERTIFICATE ==> (Required)Name of the certificate to sign the app with
    -Profile PROFILE ==> (Required)Name of the provisioning profile to sign the app with
    -in INPUTFILE ==> (Required)Name of the input app file, ipa/mdx file
    -out OUTPUTFILE ==> (Optional)Name of the output app, ipa(if ipa is input)/mdx file
    -upgrade ==> (Optional)Preserve in-place upgrade capabilty (not recommended for new apps)
    EXAMPLE
    Sign -Cert "iPhone Distribution: Company Name" -Profile "distributionprovisioanl.mobileprovision" -in "/Users/user1/Archives/citrix.ipa"

    EXAMPLE

Collecting System Logs on iOS Devices

You can collect system logs on iOS devices either by using the iPhone Configuration Utility tool or Xcode. You can then send the files to Citrix support for help troubleshooting issues with apps.

To use a Configuration Utility tool to collect system logs on iOS devices

1. Download and install the Apple Configurator (previously the iPhone Configuration Utility) tool from Apple. You can use the tool on both the iPhone and iPad.
2. Ensure that your device meets the system requirements and supported languages.
3. Run the installer and follow the prompts to complete the wizard.
4. Open the Configurator tool.
5. Under Devices, click your device.
6. Click Console and then click Clear to clear existing logs.
7. Reproduce the issue, click Save Console As and then attach and send the logs to support.

To use Xcode to collect logs on iOS devices

1. Download Xcode from the Apple store to your macOS computer.

2. Connect your iOS device to your computer and then open Xcode.
3. Click Window and then click Organizer.
4. In the Organizer window, click Devices.
5. Under iPad, click Console to view the console logs.
   Note: The Device Logs pane in the Organizer contains information about app failures. You might have to unplug your device and plug it in again to refresh the list.
6. Click Clear to clear existing logs.
7. Reproduce the issue.
8. Click Save Log As to save the log and then send the attachment to support.


Wrapping XenMobile Apps for iOS 9 or iOS 10
Nov 20, 2017

To wrap XenMobile Apps for iOS 9, your Apple iOS Developer for Enterprise certificate and provisioning profile must each contain the necessary attribute properties to work properly. The provisioning profile must include a Team Identifier (ID) and the Organizational Unit (OU) field also used in the Apple iOS Developer for Enterprise Certificate.

The procedures in this article help you verify your existing certificate and provisioning profile and, if needed, create the properly formatted Apple iOS Developer for Enterprise certificate and provisioning profile. After you have completed that setup, wrap the apps as described in Wrapping iOS Mobile Apps. To use the apps, users must install the most recent version of Citrix Secure Hub from the Apple iTunes App Store.

Note: The certificate and provisioning profile requirement does not apply to third-party SDK apps, such as apps found in the XenMobile App Gallery.

Quick links to sections in this article

- To generate a new enterprise certificate for iOS 9
- To create a new provisioning profile for iOS 9
- To validate an existing iOS Developer for Enterprise certificate and provisioning profile for iOS 9

To generate a new enterprise certificate for iOS 9

If you have an older certificate and want to see if it's supported, see To validate an existing iOS Developer for Enterprise certificate and provisioning profile for iOS 9.

1. Log on to the Apple iOS Provisioning Portal using the agent role.
2. Go to iOS Dev Center > Certificates, Identifiers & Profiles > Certificates.
3. In the Certificates section, click the Production tab and then click the Plus Sign (+), as shown in the following figure.

4. In the Certificates section, click the Production tab and then click the Plus Sign (+).
5. Select the type as App Store and Ad Hoc, as shown in the following figure.
6. Generate a Certificate Signing Request (CSR), as shown in the following figure.

7. Use the Certificate Assistant wizard available in the Keychain Access application on macOS, as shown in the following figure.
   Important: Before starting the wizard, select the private key you want to use, or else you will generate a new public/private key pair.
8. Upload the CSR to the iOS Provisioning Portal, as shown in the following figure.

9. Download the distribution certificate.
10. Save the certificate on the disk and then open the certificate using Keychain Access.
11. To export the certificate to a different computer, such as a production computer, export the certificate in .p12 format, as follows:
    1. In Keychain Access, go to the My Certificates section.
    2. Right-click the downloaded certificate and then click Export.
    3. Save the certificate in .p12 format and then provide a secure password while saving.

To create a new provisioning profile for iOS 9

1. Log on to the iOS Provisioning Portal using the Team Agent role.
2. Go to iOS Dev Center > Certificates, Identifiers & Profiles > Provisioning Profiles > Distribution, as shown in the following figure.

3. On the Create iOS Provisioning Profile page, click the Plus Sign (+).
4. Under Distribution, select Ad Hoc and then press Continue, as shown in the following figure.

5. Select an appropriate App ID, as shown in the following figure.
   Important: Apple no longer supports the use of wildcard App IDs for new Enterprise accounts. If your Enterprise account does not support wildcard App IDs, you must create multiple explicit App IDs and provisioning profiles. If you will use the Apple Push Notification service (APNs) for notifications when Secure Mail is in the background, you must use an explicit provisioning profile and App ID.
6. Select one or more certificates to include in the profile, which are generally the certificate or certificates you created earlier, as shown in the following figure.

To validate an existing iOS Developer for Enterprise certificate and provisioning profile for iOS 9

The following steps describe how to review the contents of your Apple iOS Developer for Enterprise certificate and provisioning profile to make sure they meet these requirements:

- The certificate and provisioning profile must contain the OU and the Team ID attribute properties required by Apple iOS 9.
- A valid iOS Developer certificate with a private key must be installed in the Keychain Access utility of the wrapping macOS workstation.
- An iOS provisioning profile must reference that certificate.
- Apple no longer supports the use of wildcard App IDs for new Enterprise accounts. If your Enterprise account does not support wildcard App IDs, you must create multiple explicit App IDs and provisioning profiles. For details, see Creating Provisioning Profiles.

If your current certificate and provisioning profiles do not contain the OU field and Team ID, you must create a new certificate and provisioning profile. See the second procedure in this article for steps.

Before adding the new Apple iOS Developer for Enterprise certificate, make sure you remove the old certificate and the old provisioning profile from the Keychain Access utility of the wrapping macOS workstation.

Apple limits customers to two enterprise certificates per account. Therefore, to generate a new certificate, you must revoke an existing certificate. The result is that apps associated with that certificate stop working.

1. Copy and rename the existing wrapped MDX app extension from .mdx to .zip and then extract the contents to a folder. For example: /User/Username/Documents/MyMDXapp.mdx becomes /User/Username/Documents/MyMDXapp.zip and is extracted to the folder path /User/Username/Documents/MyMDXapp.
2. Rename the iOS app extension from .ipa to .zip and then extract the contents to the default folder, Payload. For example: /User/Username/Documents/MyMDXapp/MyiOSapp.ipa becomes /User/Username/Documents/MyMDXapp/MyiOSapp.zip and is extracted to the folder path /User/Username/Documents/MyMDXapp/Payload.

3. Open the macOS Terminal app.
4. In the Terminal session, change the directory to the Payload folder containing the iOS app contents.
5. Run the codesign utility as follows:

       codesign --display --verbose=4 <AppName>.app
       codesign --display --verbose=4 <AppName>.app/CitrixDylib.bundle/CitrixDylib

6. The resulting output for either codesign query should include the line that indicates the presence of the Team ID property. For example:

       MyMacintosh:Payload Username$ codesign --display --verbose=4 MyApp.app

   The output is:

       Executable=/User/Username/Documents/MyMDXapp/Payload/MyiOSapp.app/MyApp
       Identifier=com.acmecompany.myapp
       Format=bundle with Mach-O universal (armv7 armv7s)
       CodeDirectory v=20100 size=39284 flags=0x0(none) hashes= location=embedded
       Hash type=sha1 size=20
       CDHash=0ef4056z3789k0w6as2469ac360g000f123a1bc2
       Signature size=4296
       Authority=iPhone Distribution: ACME Company, Inc.
       Authority=Apple Worldwide Developer Relations Certification Authority
       Authority=Apple Root CA
       Signed Time=Aug 30, 2014, 7:00:00 AM
       Info.plist entries=34
       TeamIdentifier=01234ABCDEF
       Sealed Resources version=2 rules=4 files=500
       Internal requirements count=2 size=

7. Make sure your Apple iOS Developer for Enterprise certificate contains the OU field as shown under Subject Name in the following figure.
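The validation steps above can be scripted. The following is an added example, not Citrix code: the function names are hypothetical, the signed sample is abridged from the output shown in step 6, and the "not set" sample is constructed. It also flags a Team ID mismatch between the app and CitrixDylib, a check the steps above do not ask for. Run `check_mdx /path/to/App.mdx` on the wrapping Mac.

```sh
#!/bin/sh
# Added example (not part of the MDX Toolkit). Function names are hypothetical.

# Abridged from the codesign output shown in step 6 of the procedure.
SAMPLE_SIGNED='Executable=/User/Username/Documents/MyMDXapp/Payload/MyiOSapp.app/MyApp
Identifier=com.acmecompany.myapp
Authority=iPhone Distribution: ACME Company, Inc.
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=01234ABCDEF
Sealed Resources version=2 rules=4 files=500'

# Constructed sample: codesign prints "not set" when the signature has no team.
SAMPLE_NO_TEAM='Identifier=com.acmecompany.myapp
TeamIdentifier=not set'

# Reads `codesign --display --verbose=4` output on stdin and prints the
# TeamIdentifier value. Fails if the line is absent or reads "not set".
team_id_from_codesign() {
    tid=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$tid" in
        "" | "not set") return 1 ;;
    esac
    printf '%s\n' "$tid"
}

# $1 = codesign output for <AppName>.app, $2 = output for CitrixDylib.
# Both must carry a Team ID; a mismatch is reported as a failure (added check).
compare_team_ids() {
    app_tid=$(printf '%s\n' "$1" | team_id_from_codesign) || {
        echo "FAIL: app bundle has no TeamIdentifier"; return 1; }
    lib_tid=$(printf '%s\n' "$2" | team_id_from_codesign) || {
        echo "FAIL: CitrixDylib has no TeamIdentifier"; return 1; }
    if [ "$app_tid" != "$lib_tid" ]; then
        echo "FAIL: Team ID mismatch ($app_tid vs $lib_tid)"; return 1
    fi
    echo "OK: TeamIdentifier=$app_tid"
}

# Steps 1 to 5: unpack the .mdx, unpack the .ipa inside it, run both queries.
# unzip reads the archives directly, so no renaming to .zip is needed.
_check_mdx_in() {
    unzip -q "$1" -d "$2/mdx" || return 1
    ipa=$(find "$2/mdx" -name '*.ipa' | head -n 1)
    [ -n "$ipa" ] || { echo "FAIL: no .ipa inside $1"; return 1; }
    unzip -q "$ipa" -d "$2/ipa" || return 1
    app=$(find "$2/ipa/Payload" -maxdepth 1 -name '*.app' | head -n 1)
    [ -n "$app" ] || { echo "FAIL: no .app under Payload"; return 1; }
    # codesign writes its --display report to stderr, hence 2>&1.
    app_out=$(codesign --display --verbose=4 "$app" 2>&1)
    lib_out=$(codesign --display --verbose=4 \
        "$app/CitrixDylib.bundle/CitrixDylib" 2>&1)
    compare_team_ids "$app_out" "$lib_out"
}

# Entry point: $1 = path to a wrapped .mdx. Needs macOS codesign and unzip.
check_mdx() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/mdxcheck.XXXXXX") || return 1
    rc=0
    _check_mdx_in "$1" "$work" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```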


Wrapping Android Mobile Apps
Nov 20, 2017

This article describes how XenMobile administrators wrap enterprise apps and how developers wrap ISV apps. To wrap Android mobile apps, use the MDX Toolkit, which includes a macOS graphical interface tool and a Java command-line tool. The command-line tool has customization options, can be referenced from scripts that automate the app wrapping process, and lets you preset some MDX policies.

The file type for a wrapped app is .mdx. You upload the .mdx file to the XenMobile console where you then configure specific app details and policy settings that the XenMobile Store enforces. When users sign on, the app appears in the XenMobile Store. Users can then subscribe, download, and install the app on their device.

The following figure provides an overview of the app wrapping steps, from installation of the MDX Toolkit through testing XenMobile Apps. Related topics are listed under the diagram.

For details, see:

- MDX Toolkit System Requirements
- Other Requirements for Wrapping Android Mobile Apps
- XenMobile compatibility
- Installing the MDX Toolkit

For details, see:

- Enterprise Android App Wrapping by Using the Command Line
- ISV Android App Wrapping by Using the Command Line
- Command Options
- Presetting MDX Policies for Android Apps
- Identifying Android App Wrapping Errors
- Collecting App Logs from the Command Line
- To add an MDX app to XenMobile

Important: Make sure that your user devices are updated with a version of Secure Hub that is compatible with the version of MDX Toolkit used to wrap apps. Otherwise, users receive an error message about the incompatibility. For details, see XenMobile compatibility.

If you use XenMobile 9, you must install a XenMobile Device Manager patch before wrapping Android apps. To download the patch, go to navigate to Legacy Software > Product Software > Patches, and then download XenMobile Device Manager 9.0 Patch.

ISV App Wrapping Using the Graphical Interface

The following steps describe the general process for wrapping an ISV app that you will deploy from the Google Play Store. The general process for enterprise app wrapping is described in Enterprise App Wrapping Using the Graphical Interface.

1. Before you use the toolkit to wrap apps, be sure to back up the original version of those apps so you can return to them if needed.
2. Start the MDX Toolkit from your iOS Applications folder, select For Independent Software Vendors (ISVs), and then click Next.

3. In the Deploy from App Store screen, select your app and click Next.
4. In the User Settings screen, if you already have the app store URL, enter it. If you don't have the URL, enter a placeholder such as You can update the URL later. For Premium apps, select MDX apps. For General apps, select App Store apps.
5. In the Verify App Details screen, update the details as needed.
6. Browse to your keystore and click Create.

7. Save your app.

When the GUI tool finishes wrapping an app, the app file name includes _andr.

Enterprise Android App Wrapping Using the Command Line

You can use enterprise app wrapping to wrap custom (in-house) apps and some third-party apps. You should acquire third-party apps directly from the app vendor. For enterprise app wrapping, begin with an Android application (.apk).

Before you use the toolkit to wrap apps, be sure to back up the original version of those apps so you can return to them if needed.

The following example shows a basic app wrapping command using default settings. The app is signed with the provided keystore. A keystore is a file that contains certificates used to sign your Android app. If the keystore contains multiple private keys, you can specify the key alias. You create a keystore once and then use it to sign the apps that you wrap. If you do not use the same keystore to wrap the new version of an app you previously deployed, upgrades of that app will not work and your users will need to manually remove the old version before they can install the new one.

Modify the bold information for your specific system. The trailing backslash signifies that the command continues to the next line. Please remove these symbols before running the command.

Note: Because the /Applications/ directory is restricted, you may need to run the following command in super user mode. To do this, add sudo in front of the command. You will be prompted for your computer password when running from this restricted directory.

    java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar \
    wrap \
    -in ~/Desktop/SampleApps/Sample.apk \
    -out ~/Desktop/SampleApps/Sample.mdx \
    -keystore ~/Desktop/MyCompany.keystore \
    -storepass MyKeystorePassword \
    -keyalias MyCompanyKeyAlias \
    -keypass MyKeyAliasPassword

The following are examples of options you may add to the preceding command, after modifying the information in bold:

    -appname "Wrapped Sample app"
    -appdesc "This is my newly wrapped Android application."

In addition, if the release keystore is not available during development, use the following command to create a retail build of a mobile app that is signed with your key:

    java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar \
    wrap \
    -in ~/Desktop/SampleApps/Sample.apk \
    -out ~/Desktop/SampleApps/Sample.mdx \
    -keystore ~/Desktop/MyCompany.keystore \
    -storepass MyKeystorePassword \
    -keyalias MyCompanyKeyAlias \
    -keypass MyKeyAliasPassword \
    -createcert

For details about the options, see Command Options. For inline documentation, use the -help option.

ISV Android App Wrapping Using the Command Line

Before you use the toolkit to wrap apps, be sure to back up the original version of those apps so you can return to them if needed.

To generate wrapped ISV applications for Android, start with the following basic wrapping command.

    java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar \
    wrap \
    -in ~/Desktop/SampleApps/Sample.apk \
    -out ~/Desktop/SampleApps/Sample.mdx \
    -keystore ~/Desktop/MyCompany.keystore \
    -storepass MyKeystorePassword \
    -keyalias MyCompanyKeyAlias \
    -keypass MyKeyAliasPassword \
    -createcert

To wrap an app as an ISV app, you must set the apptype parameter as follows:

- Premium. To wrap an app as a Premium app, in which some Citrix policies are enforced even for unmanaged users, add the following option: -apptype Premium
- General. To wrap an app as a General app, which contains no Citrix policy enforcement for an unmanaged user, add the following option: -apptype General

If you need to upload the wrapped .apk file to the Google Play Store or web server and the URL is known when wrapping, add the -storeurl option. Make sure to also set the apptype parameter.

    -storeurl

If you do not know the URL at the time of wrapping, you can modify the .mdx file later with the following command:

    java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar \
    setinfo \
    -in ~/Desktop/SampleApps/Sample.mdx \
    -out ~/Desktop/SampleApps/wrapped/Sample.mdx \
    -storeurl \

If you customized the policy file, be sure to point to your modified file:

    -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml

For details about the options, see Command Options. For inline documentation, use the -help option.

Command Options

wrap command

Option    Description
-Help    Displays Help for this command.
-In    Required. Path and file name of the app you are wrapping.
-Out    Optional. Path and file name for the resulting .mdx file. If this option is omitted, the file has the same path and file name as the input file and has an .mdx extension.

-AppType    Optional. Defaults to MDXOnly. To generate ISV apps, use either General or Premium.
-KeyStore    Path to the keystore file. Required if signing the .apk file.
-StorePass    Password for the keystore. Required if signing the .apk file.
-KeyAlias    Name of the specific key in the keystore. Required if signing the .apk file.
-KeyPass    Password for the specific key. Required if signing the .apk file.
-SigAlg    Optional. Algorithm to use when signing.
-AppName    Optional. Application name, obtained from the app if possible.
-AppDesc    Optional. Application description, obtained from the app if possible.
-MinPlatform    Optional. Minimum supported SDK level. Defaults to blank.
-MaxPlatform    Optional. Maximum supported SDK level. Defaults to blank.
-ExcludedDevices    Optional. List of device types on which the app is not allowed to run. Defaults to blank.
-PolicyXML    Optional. Replacement XML policy definition file and path. Defaults to the built-in policy definitions. Example: -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml For details, see "Presetting MDX Policies for Android Apps," next.
-StoreURL    For ISV apps, the URL of the app in the Google App Store. Defaults to blank.

sign command

Option    Description
-Help    Displays Help for this command.
-In    Required. Path and file name of the app you are wrapping.
-Out    Optional. Path and file name for the resulting .mdx file. If this option is omitted, the file has the same path and file name as the input file and has an .mdx extension.

-KeyStore    Required. Path to the keystore file.
-StorePass    Required. Password for the keystore.
-KeyAlias    Required. Name of the specific key in the keystore.
-KeyPass    Required. Password for the specific key.
-SigAlg    Optional. Algorithm to use when signing.

setinfo command

Option    Description
-Help    Displays Help for this command.
-In    Required. Path and file name of the app to be modified.
-Out    For setinfo, the output path or file name must differ from the original.
-AppType    Optional. Defaults to MDXOnly. To generate ISV apps, use either General or Premium.
-KeyStore    Path to the keystore file. Required if signing the .apk file.
-StorePass    Password for the keystore. Required if signing the .apk file.
-KeyAlias    Name of the specific key in the keystore. Required if signing the .apk file.
-KeyPass    Password for the specific key. Required if signing the .apk file.
-SigAlg    Optional. Algorithm to use when signing.
-AppName    Optional. Application name, obtained from the app if possible.
-AppDesc    Optional. Application description, obtained from the app if possible.
-MinPlatform    Optional. Minimum supported SDK level. Defaults to blank.
-MaxPlatform    Optional. Maximum supported SDK level. Defaults to blank.

-ExcludedDevices    Optional. List of device types on which the app is not allowed to run. Defaults to blank.
-StoreURL    For ISV apps, the URL of the app in the Google App Store. Defaults to blank.
-PolicyXML    Optional. Replacement XML policy definition file and path. Defaults to the built-in policy definitions. Example: -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml For details, see "Presetting MDX Policies for Android Apps," next.

Presetting MDX Policies for Android Apps

For apps that you wrap with the MDX Toolkit command-line tool, you can preset some MDX policies. You can also configure policies in the XenMobile console when you add the apps.

1. Update policy values in the policy XML file. The MDX Toolkit installer creates this policy file: /Applications/Citrix/MDXToolkit/data/policy_metadata.xml
   Note: Be aware that the policy files for Android and iOS differ. To preset policies for both of those platforms, you must update their respective policy XML files.
2. When you wrap the app with the command line, include -policyxml /Applications/Citrix/MDXToolkit/data/policy_metadata.xml.

Identifying Android App Wrapping Errors

If you encounter an error when wrapping an Android app, you can use the MDX Toolkit logs to identify the error. You must have administrator rights to view the MDX Toolkit logs.

When you run the MDX Toolkit, the tool saves a log file to the following location: Applications/Citrix/MDXToolkit/Logs/Citrix.log. By default, the tool saves warnings and errors in the log.

Collecting App Logs from the Command Line

1. Install the Android Debug Bridge from the Android Developer web site.
2. Enter the following command to clear existing logs.

       adb logcat -c

3. Reproduce the issue.
4. Enter the following command to capture the logs in a file.

       adb logcat -d > Name_of_Log_File.txt
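The enterprise Android wrapping section warns that an upgrade fails unless the new version is signed from the same keystore as the deployed one. The following added example (not Citrix code) checks that before you publish, by comparing signer certificate digests. It assumes the Android SDK build-tools `apksigner` is on PATH and that you have the signed .apk of both builds at hand; the function names are hypothetical and the sample outputs and digests are constructed.

```sh
#!/bin/sh
# Added example (not part of the MDX Toolkit). Function names are hypothetical.

# Constructed samples of `apksigner verify --print-certs` output.
# The digests are made-up values, not real certificates.
SAMPLE_DEPLOYED='Signer #1 certificate DN: CN=MyCompany
Signer #1 certificate SHA-256 digest: 1111aaaa2222bbbb3333cccc4444dddd5555eeee6666ffff7777000088889999
Signer #1 certificate SHA-1 digest: 1111aaaa2222bbbb3333cccc4444dddd5555eeee'

SAMPLE_SAME_KEY='Signer #1 certificate DN: CN=MyCompany
Signer #1 certificate SHA-256 digest: 1111aaaa2222bbbb3333cccc4444dddd5555eeee6666ffff7777000088889999'

SAMPLE_OTHER_KEY='Signer #1 certificate DN: CN=MyCompany
Signer #1 certificate SHA-256 digest: 9999888800007777ffff6666eeee5555dddd4444cccc3333bbbb2222aaaa1111'

# Reads apksigner --print-certs output on stdin and prints the SHA-256
# digest of the first signer certificate (empty if the line is missing).
signer_digest() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: //p' | head -n 1
}

# $1 = apksigner output for the deployed build, $2 = output for the new build.
# Returns 0 if both carry the same signer, 1 if the signer changed,
# 2 if either output has no digest line (unsigned or unexpected output).
same_signer() {
    old=$(printf '%s\n' "$1" | signer_digest)
    new=$(printf '%s\n' "$2" | signer_digest)
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "ERROR: no signer digest found"
        return 2
    fi
    if [ "$old" != "$new" ]; then
        echo "FAIL: signing certificate changed; the upgrade will not install over the old version"
        return 1
    fi
    echo "OK: same signing certificate ($new)"
}

# $1 = deployed .apk, $2 = newly wrapped and signed .apk.
check_upgrade() {
    old_out=$(apksigner verify --print-certs "$1") || return 2
    new_out=$(apksigner verify --print-certs "$2") || return 2
    same_signer "$old_out" "$new_out"
}
```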

Wrapping Secure Mail, Secure Web, and Secure Hub for Windows Phone
Nov 20, 2017

The MDX Toolkit for Windows Phone helps you prepare Secure Mail, Secure Web, and Secure Hub for Windows Phone 10 and Windows Phone 8.1 publishing. The toolkit currently does not support wrapping other apps. You can, however, use the toolkit to re-sign third-party Windows Phone apps. Windows Phone 8.1/10 requires all apps to be signed by the same certificate to enable enrollment of deployed apps.

You must use the toolkit to re-sign and wrap Secure Hub so that Windows Phone users can access the company application store published by XenMobile. Unlike Secure Hub for Android or iOS, which you upload to app stores, you must add Secure Hub for Windows Phone to XenMobile. XenMobile then deploys Secure Hub to Windows Phone devices after users complete enrollment.

The command-line tool has customization options and can be referenced from scripts that automate the app wrapping process. This article describes how to use the command-line tool.

The file type for a wrapped app is .mdx. You upload the .mdx file to the XenMobile console where you configure specific app details and policy settings that the XenMobile Store enforces. When users sign on, the app appears in the store. Users can then subscribe, download, and install the app on their device.

The following figure provides an overview of the app wrapping steps, from installation of the MDX Toolkit through testing XenMobile Apps. Related topics are listed under the diagram.

For details, see:

- MDX Toolkit System Requirements
- Other Requirements for Wrapping XenMobile Apps for Windows Phone
- XenMobile compatibility
- Installing the MDX Toolkit

For details, see:

- Command-Line Options for CGAppPrepTool.exe
- Command-Line Samples
- Identifying Windows Phone App Wrapping Errors
- To add an MDX app to XenMobile

Important: Make sure that user devices are updated with a version of Secure Hub that is compatible with the version of MDX Toolkit used to wrap apps. Otherwise, users will see an error message about the incompatibility. For details, see XenMobile compatibility.

Command-Line Options for CGAppPrepTool.exe

Run the MDX Toolkit for Windows Phone on a Windows bit operating system. The toolkit uses the Windows 8.1 SDK for Windows Phone 10.

Important

Before you use the toolkit to wrap apps, be sure to back up the original version of those apps so you can return to them if needed. Also, create a separate folder for the files you want to wrap. Make sure that the folder does not contain other files. The MDX Toolkit for Windows Phone clears the contents of the folder during the wrapping process.

The app package must have an .xap or .appx extension.

IN. Mandatory. Specifies the location of the app being signed.
Syntax: -in:[path to application package]

T. Required to wrap an app. When you create an MDX package, this command specifies the location of the MDX Template directory used during packaging. This directory contains a minimum of five application images, one manifest.xml file, and one policy_metadata.xml file.
Syntax: -T:[MDX template directory]

OUT. Optional. If you do not specify the T command, the OUT command specifies the name and location of output for the .xap or .appx package. Alternatively, the value of IN can also specify the name and location. If the T command is specified, the T command specifies the name and location of the MDX package.
Syntax: -out:[path to output]

C. Optional. Specifies the name and location of the certificate that is used to sign the app package.
Default: [no certificate]
Syntax: -C:[path to certificate]

PASSWORD. Optional. Specifies the certificate password.
Default: [no password]
Syntax: -password:[password]

RESIGN. Optional. If this parameter is specified, the app package is re-signed.
Default: false
Syntax: -resign

VERBOSE. Optional. Specifies whether the tool generates verbose diagnostic messages.
Default: false
Syntax: -verbose

XAPSIGNTOOL. Optional. Signs .xap and .appx packages.
Default: %ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.1\Tools\XapSignTool\XapSignTool.exe
Syntax: -xapsigntool:[path to xapsigntool.exe]

APPXPACKAGETOOL. Optional. Creates .appx packages.
Default: %ProgramFiles(x86)%\Windows Kits\8.1\bin\x86\makeappx.exe
Syntax: -appxpackagetool:[path to makeappx.exe]

MDMSERVERURL. Required for Secure Hub only. Not applicable for other apps. Specifies the URL of the XenMobile server to embed in the manifest of the .xap or .appx package for Secure Hub.
Syntax: -mdmserverurl:[url]

PHONEPUBLISHERID. Required. Specifies the publisher ID of the wrapped apps (customer publisher ID).
Syntax: -phonepublisherid:[aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee]

Command-Line Samples

The following samples show how the preceding command-line options may be used.

CGAppPrepTool.exe -in:"tests\unsigned\mytest.appx" -out:"tests\output\secure Web.mdx" -T:"Templates\Secure Web" -C:"tests\Mytestcert.pfx" -verbose -resign -password:mypw

Re-signs the mytest.appx package file with the Mytestcert.pfx signing certificate (the signing certificate has a separate password). The app package is then wrapped into an MDX package named Secure Web.mdx. The MDX package contains the template files stored in Templates\Secure Web. Verbose mode is on.

CGAppPrepTool.exe -in:"tests\unsigned\mobil _release_x86.xap" -out:"tests\output\newwrapped.xap" -C:"tests\NoPwCert.pfx" -resign -phonepublisherid:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

Re-signs the Mobil _Release_x86.xap package file with the NoPwCert.pfx signing certificate (this certificate does not have a password) and stores the .xap package in NewWrapped.xap. The tool does not create an MDX package because the -T: parameter is not specified. Verbose mode is off.

CGAppPrepTool.exe -in:"tests\unsigned\securehub.appx" -out:"tests\output\securehub.appx" -T:"Templates\SecureHub" -verbose -C:"tests\Mytestcert.pfx" -mdmserverurl:" -resign

Embeds the URL in the app manifest file of the SecureHub.appx package file, then stores the resulting signed (with Mytestcert.pfx) and wrapped .appx package in tests\output\securehub.appx. The MDX package contains the template files stored in Templates\SecureHub. Verbose mode is on.

CGAppPrepTool.exe -in:"tests\unsigned\securehub.xap" -C:"tests\Mytestcert.pfx" -T:"Templates\SecureHub" -verbose -resign -password:mypw -mdmserverurl:"

Embeds the URL in the app manifest file of the mytest.appx package file, then re-signs the SecureHub.xap package file with the Mytestcert.pfx signing certificate, which has a separate password. The MDX package contains the template files stored in Templates\SecureHub. Because the -out: parameter is not specified, the SecureHub.xap app package is updated in place. Verbose mode is on.

CGAppPrepTool.exe -in:"tests\unsigned\mytest.appx" -out:"tests\output\newwrapped.appx" -C:"tests\NoPwCert.pfx" -verbose -resign -appxpackagetool:"backcompat\makeappx.exe"

Re-signs the mytest.appx package file with the NoPwCert.pfx signing certificate and stores the resulting .appx package in NewWrapped.appx. This command uses the packing tool at backcompat\makeappx.exe to repackage the .appx file. It does not create an MDX package because the -T: parameter is not specified. Verbose mode is on.

CGAppPrepTool.exe -in:"tests\unsigned\mytest.appx" -out:"tests\output\secure Web.mdx" -T:"Templates\Secure Web" -C:"tests\Mytestcert.pfx" -verbose -resign -phonepublisherid:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee -password:mypw -mdmserverurl:"

Embeds the URL in the app manifest file of the mytest.appx package file, then re-signs the mytest.appx package file using the Mytestcert.pfx signing certificate, which has a separate password. The tool then wraps the app package into an MDX package named Secure Web.mdx, which contains the template files stored in Templates\Secure Web. Specifies the publisher ID of the wrapped app. Verbose mode is on.

Identifying Windows Phone App Wrapping Errors

If you encounter an error when wrapping a Windows Phone app, you can use the MDX Toolkit logs to identify the error. You must have administrator rights to view the MDX Toolkit logs.

When you run the MDX Toolkit, the tool saves a log file to the following location: Applications/Citrix/MDXToolkit/Logs/Citrix.log. By default, the tool saves warnings and errors in the log.
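Because the tool can be called from scripts and clears the folder it wraps in, a wrapper script can stage a copy of the package in a fresh folder and assemble the options listed above as an argument list. This Python helper is an added example, not part of the MDX Toolkit: the function names and the secure_hub flag are hypothetical, and it emits only options documented on this page.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Shape of the publisher ID shown in the option list (8-4-4-4-12 hex digits).
PUBLISHER_ID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
PACKAGE_EXTENSIONS = {".xap", ".appx"}


def stage_package(original, work_root):
    """Copy the package into a new, empty folder under work_root.

    The original file is never touched (it is the backup); only the staged
    copy is handed to the tool. Returns the staged path and the SHA-256 of
    the original so the backup can be verified later.
    """
    original, work_root = Path(original), Path(work_root)
    if original.suffix.lower() not in PACKAGE_EXTENSIONS:
        raise ValueError(f"{original.name}: package must be .xap or .appx")
    work_root.mkdir(parents=True, exist_ok=True)
    staging = Path(tempfile.mkdtemp(prefix="mdxwrap-", dir=work_root))
    staged = staging / original.name
    shutil.copy2(original, staged)
    return staged, hashlib.sha256(original.read_bytes()).hexdigest()


def build_command(tool, package, *, out=None, template=None, cert=None,
                  password=None, resign=False, verbose=False,
                  mdm_server_url=None, publisher_id=None, secure_hub=False):
    """Return an argv list for CGAppPrepTool.exe.

    A list passed to subprocess.run() needs no manual quoting, so values with
    spaces such as "Templates\\Secure Web" stay a single argument.
    secure_hub is the caller's statement that the package is Secure Hub.
    """
    package = Path(package)
    if package.suffix.lower() not in PACKAGE_EXTENSIONS:
        raise ValueError(f"{package.name}: package must be .xap or .appx")
    if bool(mdm_server_url) != secure_hub:
        raise ValueError("-mdmserverurl is required for Secure Hub only")
    if publisher_id and not PUBLISHER_ID_RE.fullmatch(publisher_id):
        raise ValueError("publisher ID must look like aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    if password and not cert:
        raise ValueError("-password is only meaningful together with -C")

    args = [str(tool), f"-in:{package}"]
    if out:
        args.append(f"-out:{out}")
    if template:
        args.append(f"-T:{template}")          # without -T no MDX package is created
    if cert:
        args.append(f"-C:{cert}")
    if password:
        # Supply this from a secret store or environment variable at run time
        # instead of writing it into the script.
        args.append(f"-password:{password}")
    if resign:
        args.append("-resign")
    if verbose:
        args.append("-verbose")
    if mdm_server_url:
        args.append(f"-mdmserverurl:{mdm_server_url}")
    if publisher_id:
        args.append(f"-phonepublisherid:{publisher_id}")
    return args


if __name__ == "__main__":
    # Constructed sample: a dummy package file in a temporary directory.
    root = Path(tempfile.mkdtemp())
    source = root / "originals" / "mytest.appx"
    source.parent.mkdir()
    source.write_bytes(b"constructed package bytes")
    staged, digest = stage_package(source, root / "work")
    print("backup sha256:", digest)
    print(build_command("CGAppPrepTool.exe", staged, out="out/Secure Web.mdx",
                        template="Templates/Secure Web", resign=True, verbose=True))
```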

MDX Policies at a Glance
Nov 06, 2017

The following tables list the MDX app policies for iOS, Android, and Windows Phone. The notes include restrictions and Citrix recommendations.

Note: Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Device passcode X Off
App passcode X X X On
Online session required X X X Off
Online session required grace period X 0
Maximum offline period X X X 72 hours
Alternate NetScaler Gateway X X Empty

Device Security
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Block jailbroken or rooted X X On
Require device encryption X Off
Require device lock X Off
  Notes: On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.
Require device PIN or passcode X Off
  Notes: This policy is supported only on Android 4.1 (Jelly Bean). Setting the policy to On prevents an app from running on older versions.
Use secure connection (SSL) X Off

Network Requirements
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Require Wi-Fi X X Off

Miscellaneous Access
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
App update grace period (hours) X X 168 hours (7 Days)
  Notes: Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.
Erase app data on lock X X Off
Active poll period (minutes) X X 60
  Notes: Only set this value lower than the default for high-risk apps, or performance may be affected.
Disable required update X X Off

Encryption
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Encryption keys X Offline access permitted
File encryption version X Current
Private file encryption X Security Group
Private file encryption exclusions X Empty

Access limits for public files X Empty
Public file encryption X Security Group
  Notes: Enabling the Public file encryption policy enforces this policy (changed from the Disable Option to the SecurityGroup or Application option). This policy applies only to existing, unencrypted public files and specifies when to encrypt the files.
Public file encryptions exclusions X Empty
Public file migration X Write (RO/RW)
  Notes: Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.
Minimum data protection class X None
  Notes: iOS 9 only.
Enable encryption X On
  Notes: If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Database encryption exclusions X Empty
File encryption exclusions X Empty

App Interaction
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Security Group X Empty
  Notes: If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Cut and copy X X Restricted
Paste X X Unrestricted
Document exchange (Open In) X X X Restricted
Connection security level X X TLS
Inbound document exchange (Open In) X X Unrestricted
Inbound document exchange whitelist X X Empty
Restricted Open In exception list X X Empty (for Android); Office 365 apps (for iOS)
  Notes: On Android, this policy was previously named Open In exclusions. On iOS, this policy is hidden. For details, see XenMobile MDX Policies for iOS Apps.
App URL schemes X All registered URL schemes are blocked (outbound) Empty list (all URLs are blocked except Allowed URLs X for ctxmobilebrowser (Secure Web) and citrixreceiver: +tel; (outbound)
Explicit log off notification X Off Shared device

App Restrictions
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Block Camera X X X See Notes
  Notes: Default value for iOS and Android is On. Default value for Windows Phone is Off.
Block Photo Library X On
Block Gallery X Off
Block localhost Connection X X X Off
Block mic record X X On
Block dictation X On
Block location services X X See Notes
  Notes: Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps.
Block SMS compose X X On
Block screen capture X X On
Block device sensor X On
Block NFC X On
Block printing X On
Block iCloud X On
Block file backup X On
Block AirPrint X On

Block AirDrop X On
Block file attachments X Off
Block as attachment X Off
Block Facebook and Twitter APIs X On
Obscure screen contents X On
Block third-party keyboards X On
Block app logs X X X Off
Mail compose redirection X Secure Mail
Block iOS Look Up X On

App Network Access
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Network access X X See Notes.
  Notes: Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail, Secure Notes, ShareFile Phone, and ShareFile Tablet is Unrestricted. Default value for other apps is Blocked.
Certificate label X X Empty
Preferred VPN mode X X Secure Browse
Permit VPN mode switching X X Off
PAC file URL or proxy server X Empty

App Logs
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Default log output X X X File
Default log level X X X 4 (informational messages)
Max log files X X X 2
Max log file size X X X 2 MB
Redirect app logs X On
Encrypt logs X Off
Whitelist Wi-Fi networks X X Blank
  Notes: Doesn't affect cellular networks

App Geofence
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Center point longitude X X 0
Center point latitude X X 0
Radius X X 0
  Notes: Set the radius in meters

Secure Mail App Settings
Columns: Policy, iOS, Android, Windows 8.1 and 10, Default Setting, Notes
Secure Mail Exchange Server X X X Empty
  Notes: If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Secure Mail user domain X X X Empty
Background network services X X X Empty
  Notes: If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Background services ticket expiration X X X 168 hours (7 days)
Background network service gateway X X X Empty
  Notes: If you configure this policy, set the network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. This policy takes effect when you configure the Network access policy.
Export contacts X X X Off
Contact fields to export X X All
Accept all SSL certificates X X Off
Control locked screen notifications X X Allow
Default notification X Off
Default sync interval X X 3 Days
  Notes: The Exchange ActiveSync mailbox policy setting Maximum age filter has priority over this policy. Secure Mail displays only the sync interval values that are less than the Maximum age filter.
Max sync interval X X 1 month (iOS) All (Android)
Allowed max sync period X X 1 month (iOS) All (Android)

Secure Mail App Settings
Enable week number X X Off
Enable download attachments over Wi-Fi X X Off
Information Rights Management X X Off
classification X See Notes
classification markings X Empty
  Notes: See Security Classifications for the list of defaults.
classification namespace X Empty
classification version X Empty
Default classification X UNOFFICIAL
Enable autosave of drafts X X On
Enable iOS data protection X Off
Google analytics X X X Complete
Push notifications X Off
Push notifications region X Americas
Push notifications customer ID X Empty

Secure Mail App Settings
S/MIME Certificate Source
Enable S/MIME during first Secure Mail startup X X Off
FTU Preferred Mechanism X X X Use MDX provided mail server address
FTU Preferred Credentials X X X User Principal Name
Web/Audio Conference Type X X GoToMeeting and User Entered
  Notes: If you change this setting, users must sign off and sign on to apply the policy change.
S/MIME Public Certificate Source X X Exchange
LDAP Server address X X Empty
LDAP Base DN X X Empty
Access LDAP anonymously X X Off
Override native contacts check X On
  Notes: If On, supports Active Directory user name and password only.
Allowed domains X Empty
  Notes: If empty, does not restrict domains

Secure Notes App Settings
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Secure Notes storage options X X ShareFile and Exchange Server
Secure Notes Exchange Server X X Empty
Secure Notes user domain X X Empty
Background network services X X Empty
Background services ticket expiration X X 168 hours (7 days)
Background network service gateway X X Empty
Accept all SSL certificates X X Off
Google analytics X X Complete
Information Rights Management X Off

Secure Tasks App Settings
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Secure Tasks Exchange Server X Empty
Secure Tasks user domain X Empty
Background network services X X Empty
Background services ticket expiration X X 168 hours (7 days)
Background network service gateway X X Empty
Accept all SSL certificates X X Off
Google analytics X X Complete

Secure Web App Settings
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Allowed or blocked websites X X X Empty (all URLs are allowed)
Preloaded bookmarks X X X Empty
Home page URL X X X Empty (default start page)
Browser user interface X X All controls visible
Enable web password caching X X Off
Google analytics X X Complete
Disable cookies X Off
Disable HTML5 local storage X Off
File protection X Off

ShareFile Secure Client App Settings
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Enable Secure viewer X On

ShareConnect App Settings
Columns: Policy, iOS, Android, Windows Phone 8.1 and 10, Default Setting, Notes
Save password X X On
  Notes: For ShareConnect only.
Google analytics X X Complete

Related articles

See the following articles for policy descriptions:
- XenMobile MDX Policies for Android Apps
- XenMobile MDX Policies for iOS Apps
- XenMobile MDX Policies for Windows Phone Apps

XenMobile MDX Policies for Android Apps
Oct 16, 2017

This article describes the MDX policies for Android apps. You can change policy settings directly in the policy XML files or in the XenMobile console when you add an app.

Authentication

App passcode
If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.
To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.
Note: If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Online session required
If On, the user must have a connection to the enterprise network and an active session. If Off, an active session is not required. Default value is Off.

Maximum offline period (hours)
Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from XenMobile. Default value is 72 hours (3 days). Minimum period is one hour.
Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on.

Alternate NetScaler Gateway
Address of a specific alternate NetScaler Gateway that is used for authentication and for micro VPN sessions with this app. This policy is optional. When used with the Online session required policy, it forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the default gateway of the server is always used. Default value is empty.

Device Security

Block jailbroken or rooted
If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Require device encryption
If On, the app is locked if the device does not have encryption configured. If Off, the app is allowed to run even if the device does not have encryption configured. Default value is Off.
Important: This policy is supported only on Android 3.0 (Honeycomb). Setting the policy to On prevents an app from running on older versions.

Require device lock
If Device PIN or passcode, the app is locked if the device does not have a PIN or passcode. If Device pattern screen lock, the app is locked if the device does not have a pattern screen lock set. If Off, the app is allowed to run even if the device does not have a PIN, passcode, or pattern screen lock set. Default value is Off.
Important: Device PIN or passcode requires a minimum version of Android 4.1 (Jellybean). Setting the policy to Device PIN or passcode prevents an app from running on older versions.
On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.

Network Requirements

Require Wi-Fi
If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Miscellaneous Access

App update grace period (hours)
Defines the grace period in which an app can be used after the system discovers that an app update is available. Default value is 168 hours (7 days).
Note: Citrix does not recommend using a value of zero. Doing so immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This setting can force the user to exit the app (potentially losing work) to comply with the required update.

Erase app data on lock
Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.
An app can be locked for any of the following reasons:
- Loss of app entitlement for the user
- App subscription removed
- Account removed
- Secure Hub uninstalled
- Too many app authentication failures
- Jailbroken device detected (per policy setting)
- Device placed in locked state by other administrative action

Active poll period (minutes)
When an app starts, the MDX framework polls XenMobile to determine current app and device status. Assuming the server running XenMobile can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes.
Important: Only set this value lower for high-risk apps or performance may be affected.

Disable required update
When this policy is enabled, MDX does not enforce the upgrade of Public App Store apps. Disabling the policy will mean that users can use older versions of Public App Store apps. The default is On.

Encryption

Encryption keys
Enables secrets used to derive encryption keys to be persisted on the device. Offline access permitted is the only available option.
Citrix recommends that you set the Authentication policy to enable a network log on or an offline password challenge to protect access to the encrypted content.

File encryption version
Specifies the encryption version for public and private file encryption. Citrix recommends Current to provide the maximum security, especially for a new app deployment. If you select Current, users must reinstall any apps that include a previous encryption version, such as Legacy, or else they may lose data. Default value is Current.

Private file encryption
Controls the encryption of private data files in the following locations: /data/data/<appname> and /mnt/sdcard/android/data/<appname>. If Disabled, private files are not encrypted. If Security Group, private files are encrypted using a key shared by all MDX apps in the same security group. If Application, private files are encrypted using a key unique to this app. Default value is Security Group.

Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are encrypted. The file paths are relative to the internal and external sandboxes. Default value is empty.
The exclusions only apply to the following folders:
Internal Storage: /data/data/<your_package_name>
SD Card: /storage/emulated/<sd Card Slot>/Android/data/<your_package_name>
/storage/emulated/legacy/android/data/<your_package_name>
Examples:
File to exclude | Value in private file encryption exclusion
/data/data/com.citrix.mail/files/a.txt | ^files/a.txt
All text files in /storage/emulated/0/android/data/com.citrix.mail/files | ^files/(.)+.txt$
All files in /data/data/com.citrix.mail/files | ^files/

Access limits for public files
Limits access to specific files: No Access, Read Only, or Read Write

Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). The list is processed in order and the first matching path is used to set the access limit. Default value is empty.
This policy is enforced only when Public file encryption is enabled (changed from the Disable option to the SecurityGroup or Application option). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted.
Files to exclude | Value in private file encryption exclusion
Downloads folder on external storage read only | EXT:^Download/(RO)
All MP3 files in the Music folder on virtual storage no access | VS:^Music/(.)+.mp3$(NA)

Public file encryption
Controls the encryption of public files. If Disabled, public files are not encrypted. If SecurityGroup, encrypts public files by using a key shared by all MDX apps in the same security group. If Application, encrypts public files by using a key unique to this app. Default value is SecurityGroup.

Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are not encrypted. The file paths are relative to the default external storage and to any device-specific external storage.
Public file encryption exclusions include external folder locations only.
Examples:
File to exclude | Value in Public File Encryption Exclusion
Downloads folder on SD card | ^Download/
All MP3 files in Music folder | ^Music/(.)+.mp3$

Public file migration
This policy is enforced only when you enable the Public file encryption policy (changed from Disabled to SecurityGroup or Application). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted. Default value is Write (RO/RW).
Options:
- Disabled. Does not encrypt existing files.
- Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
- Any. Encrypts the existing files when they are opened in any mode.
Note: For new files, or for existing unencrypted files that are overwritten, the replacement files are encrypted in every case.
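The exclusion lists and the access-limit list described above are regular expressions, so it helps to check what a list really matches before entering it in the console. The following Python sketch is an added example, not Citrix code: the helper names are hypothetical, and it assumes Python's re module as a stand-in for the MDX regular-expression engine, search (not full-match) semantics, and that the EXT: and VS: prefixes select the storage root.

```python
import re

# One access-limit entry: optional storage prefix, a regex, then (NA), (RO) or (RW).
ENTRY_RE = re.compile(r"^(?:(?P<root>[A-Z]+):)?(?P<pattern>.+)\((?P<limit>NA|RO|RW)\)$")


def parse_access_limits(policy):
    """Split the comma-separated policy value into (root, regex, limit) rules."""
    rules = []
    for raw in policy.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"entry lacks (NA), (RO) or (RW): {entry!r}")
        rules.append((m["root"], re.compile(m["pattern"]), m["limit"]))
    return rules


def access_limit(rules, root, rel_path):
    """Return the limit of the first matching rule, or None if no rule matches."""
    for rule_root, pattern, limit in rules:
        if rule_root in (None, root) and pattern.search(rel_path):
            return limit
    return None


def parse_exclusions(policy):
    """Compile a comma-separated encryption exclusion list."""
    return [re.compile(p.strip()) for p in policy.split(",") if p.strip()]


def is_excluded(patterns, rel_path):
    """True if any exclusion pattern matches the sandbox-relative path."""
    return any(p.search(rel_path) for p in patterns)


def tighten(pattern):
    """Escape the dot in front of a trailing file extension (.txt -> \\.txt)."""
    return re.sub(r"(?<!\\)\.(?=[A-Za-z0-9]+\$?$)", r"\\.", pattern)


def over_matches(pattern, paths):
    """Paths matched only because the extension dot is an unescaped wildcard."""
    strict = re.compile(tighten(pattern))
    loose = re.compile(pattern)
    return [p for p in paths if loose.search(p) and not strict.search(p)]


if __name__ == "__main__":
    # Policy values taken from the examples above; file paths are constructed.
    limits = parse_access_limits("EXT:^Download/(RO), VS:^Music/(.)+.mp3$(NA)")
    for root, path in [("EXT", "Download/report.pdf"),
                       ("VS", "Music/album/track.mp3"),
                       ("VS", "Music/cover.jpg")]:
        print(root, path, "->", access_limit(limits, root, path))

    # Order matters: the broad rule listed first hides the stricter one.
    shadowed = parse_access_limits("EXT:^Download/(RO),EXT:^Download/keys/(NA)")
    print(access_limit(shadowed, "EXT", "Download/keys/id.pem"))

    # The unescaped dot in ".txt" also excludes a file without that extension.
    print(over_matches("^files/(.)+.txt$",
                       ["files/notes.txt", "files/notes_txt", "files/sub/x.txt"]))
```

A path that comes back from over_matches would be left unencrypted by an exclusion pattern even though it does not have the intended extension; tighten shows the escaped form to enter instead.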

Caution: Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

App Interaction

Security Group
Leave this field blank if you want all mobile apps managed by XenMobile to exchange information with one another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or Human Resources).
Caution: If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.
Options: Unrestricted, Blocked, or Restricted

Paste
Blocks, permits, or restricts Clipboard paste operations for the app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.
Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. If Restricted, documents can be exchanged only with other MDX apps and the app exceptions specified in the Restricted Open-In exception list policy. If Unrestricted, you must set the Private file encryption and Public file encryption policies to Disabled so users can open documents in unwrapped apps.
If the policy blocks the camera, audio, clipboard, or printing, each maintains the last shown timestamp. Users receive a message of the status of the option; for example, Camera: disabled. Default value is Restricted.
Options: Unrestricted, Blocked, or Restricted

Restricted Open-In exception list
When the Document exchange (Open In) policy is Restricted, this list of Android intents is allowed to pass to unmanaged apps. You need a familiarity with Android intents to add filters to the list. A filter can specify action, package, scheme, or any combination.
Examples:
{action=android.intent.action.main}
{package=com.sharefile.mobile}
{action=android.intent.action.dial scheme=tel}
Caution: Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the Secure environment.

Inbound document exchange (Open In)
Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.
If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app. For information about other policy interactions, see the Block Gallery policy.
Options: Unrestricted, Blocked, or Restricted
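To weigh the caution on the Restricted Open-In exception list, it helps to see which intents a given list would let through to unmanaged apps. This Python review helper is an added example, not MDX code: the function names are hypothetical, and it assumes that an intent passes when every field named in a filter equals the intent's value, compared without regard to case.

```python
import re

FILTER_RE = re.compile(r"\{([^{}]*)\}")
FILTER_KEYS = ("action", "package", "scheme")  # the fields named in the policy text


def parse_filters(policy):
    """Parse '{key=value key=value} {...}' into a list of dicts."""
    filters = []
    for body in FILTER_RE.findall(policy):
        fields = {}
        for token in body.split():
            key, sep, value = token.partition("=")
            if not sep or key not in FILTER_KEYS or not value:
                raise ValueError(f"unrecognized filter field: {token!r}")
            fields[key] = value.casefold()
        if not fields:
            raise ValueError("empty filter {}")
        filters.append(fields)
    return filters


def passes(filters, intent):
    """True if some filter matches: all of its fields equal the intent's values."""
    def field_matches(key, wanted):
        return str(intent.get(key, "")).casefold() == wanted
    return any(all(field_matches(k, v) for k, v in f.items()) for f in filters)


def without_package(filters):
    """Filters that do not pin a receiving package, so any app able to handle
    the action or scheme can receive the content."""
    return [f for f in filters if "package" not in f]


if __name__ == "__main__":
    # Filters from the examples above; the intents are constructed samples.
    filters = parse_filters(
        "{action=android.intent.action.main} {package=com.sharefile.mobile} "
        "{action=android.intent.action.dial scheme=tel}"
    )
    intents = [
        {"action": "android.intent.action.DIAL", "scheme": "tel",
         "package": "com.example.dialer"},
        {"action": "android.intent.action.SEND", "package": "com.example.notes"},
        {"action": "android.intent.action.SEND", "package": "com.sharefile.mobile"},
    ]
    for intent in intents:
        print(intent, "->", "passes" if passes(filters, intent) else "blocked")
    print("filters with no package restriction:", without_package(filters))
```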

Inbound document exchange whitelist
When the Inbound document exchange policy is set to Restricted or Blocked, this comma-delimited list of app IDs, including non-MDX apps, is allowed to send documents to the app.

Connection security level
Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections support SSL 3.0 and TLS. Default value is TLS.

App Restrictions

Important: Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera
If On, prevents an app from directly using the camera hardware. Default value is On.

Block Gallery
If On, prevents an app from accessing the Gallery on the device. Default value is Off. This policy works along with the policy Inbound document exchange (Open In).
If Inbound document exchange (Open In) is set to Restricted, users working in the managed app cannot attach images from the Gallery, regardless of the Block Gallery setting.
If Inbound document exchange (Open In) is set to Unrestricted, users working in the managed app experience the following:
- If Block Gallery is set to OFF, users can attach images.
- If Block Gallery is set to ON, users are blocked from attaching images.
If Block Gallery is ON and there is an intent created from an app, such as the action Open_Document, intent types are handled as follows:
- image/*: MDX blocks the intent.
- */*: The document picker opens, but MDX prevents the user from selecting images or videos.

Block localhost Connections
If On, prevents an app from accessing the loopback address ( ). Default value is Off.

Block mic record
If On, prevents an app from directly using the microphone hardware for recording. Default value is On.

Block location services
If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps.

Block SMS compose
If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block screen capture
If On, prevents users from taking screen captures while the app is running. Also, when the user switches apps, obscures the app screen. Default value is On.
When using the Android Near Field Communication (NFC) feature, some apps take a screenshot of themselves before beaming the content. To enable that feature in a wrapped app, change the Block screen capture policy to Off.

Block device sensor
If On, prevents an app from using the device sensors, such as accelerometer, motion sensor, or gyroscope. Default value is On.

Block NFC
If On, prevents an app from using Near Field Communications (NFC). Default value is On.

Block app logs
If On, prohibits an app from using the XenMobile App diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub support feature. Default value is Off.

Block printing
If On, prevents an app from printing data. If an app has a Share command, you must set Document Exchange (Open in) to Restricted or Blocked to block printing fully. Default value is On.

App Network Access

Network access
Prevents, permits, or redirects app network activity. If Unrestricted, no restrictions are placed on network access. Apps have unrestricted access to networks to which the device is connected. If Blocked, all network access is blocked. If Tunneled to the internal network, a per-application VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel settings are used.
Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail and Secure Notes is Unrestricted. Default value for other apps is Blocked.

Certificate label
When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).

Preferred VPN mode
Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for connections that employ client certificates or end-to-end SSL to a resource in the internal network. Secure browse is recommended for connections that require single sign-on (SSO).

Permit VPN mode switching
When tunneling to the internal network, this policy permits switching between VPN modes automatically as needed. If On, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates are accommodated by full tunnel mode, but not when using secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode. If Off, the mode specified in the Preferred VPN mode policy is the only mode that is used. Default value is Off.

Whitelisted Wi-Fi networks
Comma-delimited list of allowed networks. App runs only if connected to one of the networks listed. If left blank, all networks are allowed. This setting doesn't affect connections to cellular networks. Default value is blank.

App Logs

Default log output
Determines which output media are used by XenMobile app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level
Controls default verbosity of the XenMobile App diagnostic logging facility. Higher-level numbers include more detailed logging.
0 - Nothing logged
1 - Critical errors
2 - Errors
3 - Warnings
4 - Informational messages
5 - Detailed informational messages
6 through 15 - Debug levels 1 through 10
Default value is level 4 (Informational messages).

Max log files
Limits the number of log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size
Limits the size in MB of the log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

Redirect app logs
If On, intercepts and redirects system or console logs from an app to the XenMobile App diagnostic facility. If Off, app use of system or console logs is not intercepted. Default value is On.

Encrypt logs
If On, XenMobile encrypts diagnostic logs as it records the logs. If Off, diagnostic logs remain unencrypted in the app sandbox.
Caution: Depending upon configured log levels, log encryption can have a noticeable impact on app performance and battery life.
Default value is Off.

App GeoLocation and GeoFencing

The GeoLocation feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam, but if the person travels to Belgium, the app locks. When the user returns to Amsterdam, the app unlocks and is available for normal use.

There are three settings to enable GeoLocation:

Longitude (X coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. Enter in a signed degrees format (DDD.dddd). For example, " " Preface west longitudes with a minus sign.

Latitude (Y coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. Enter in a signed degrees format (DDD.dddd). For example, " " Preface southern latitudes with a minus sign.

Radius of the geofence in which the app is constrained to operate. Express the radius in meters. Setting this value to zero disables geofencing.
Note: If you enable Block location services, geofencing does not work correctly.
Default is 0 (disabled).

If the app supports geofencing and you disable location services, a message appears where users can quit the app or click Settings, which goes to the Android Settings screen. If users enable location services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point is greater than the specified radius, the user is blocked from using the app. When this block occurs, users receive an option to quit the app. The user must be within the fence to continue using the app. If the distance between the current location and the center point is less than the specified radius, the user can continue to use the app.

The app checks the network provider (Wi-Fi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which helps in obtaining the location faster. There is a two-minute time-out to allow for longer times in checking the location.
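
The breach check described above, worked through as an added example (not Citrix code): it models the three policy values and the states the text lists. The function names, the haversine distance formula, the treatment of a distance exactly equal to the radius, and the sample coordinates are assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in meters


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in meters; inputs are signed degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fence_config(longitude, latitude, radius_m):
    """Return a list of problems with the three policy values (empty = usable)."""
    problems = []
    if not -180.0 <= longitude <= 180.0:
        problems.append("longitude outside -180..180 signed degrees")
    if not -90.0 <= latitude <= 90.0:
        problems.append("latitude outside -90..90 signed degrees")
    if radius_m < 0:
        problems.append("radius must be zero (disabled) or a positive number of meters")
    return problems


def geofence_state(longitude, latitude, radius_m, location_services_on, fix):
    """Model the states the policy text describes.

    longitude/latitude/radius_m are the policy values, in the order the page
    lists them. fix is the device position as (longitude, latitude), or None
    when no position was obtained within the time-out.
    """
    if radius_m == 0:
        return "disabled"                 # a radius of zero disables geofencing
    problems = check_fence_config(longitude, latitude, radius_m)
    if problems:
        raise ValueError("; ".join(problems))
    if not location_services_on:
        return "needs-location-services"  # user is sent to Settings or quits
    if fix is None:
        return "no-fix"                   # the page does not say what the app does here
    d = distance_m(latitude, longitude, fix[1], fix[0])
    # Assumption: a distance exactly equal to the radius counts as inside.
    return "blocked" if d > radius_m else "allowed"


# Constructed sample values, as (longitude, latitude) in signed degrees.
AMSTERDAM = (4.9041, 52.3676)
BRUSSELS = (4.3517, 50.8503)

if __name__ == "__main__":
    for name, fix in (("Amsterdam", AMSTERDAM), ("Brussels", BRUSSELS)):
        print(name, geofence_state(*AMSTERDAM, 50_000, True, fix))
```
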
Note: To get an accurate location, and to avoid users trying to circumvent Geofence by disabling Wi-Fi or the GPS, Citrix recommends setting the policy Online session required to On.

ShareConnect App Settings

Save password
If On, enables users to save their user name and password for their remote computer. Default value is On.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Mail App Settings

Secure Mail Exchange Server
The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.
Caution: If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Secure Mail user domain
The default Active Directory domain name for Exchange or, for iOS only, Notes users. Default value is empty.

Background network services
The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server. It can be in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Default value is empty, implying that background network services are not available.

Background services ticket expiration
The time period that a background network service ticket remains valid. When Secure Mail connects through NetScaler Gateway to an Exchange Server running ActiveSync, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).

Background network service gateway
Alternate gateway address to use for background network services, in the form fqdn:port. This address is the NetScaler Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway.
The default value is empty, implying that an alternate gateway does not exist.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Export contacts
Important: Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, contacts are duplicated on the device and in Exchange.
If Off, prevents the one-way synchronization of Secure Mail contacts to the device and prevents the sharing of Secure Mail contacts (as vCards). Default value is Off.

Contact fields to export

Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name and phone-related contact fields are exported. If Name, Phone and , all name, phone and -related contact fields are exported. Default value is All.

Accept all SSL certificates
If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning. Default value is Off.

Information Rights Management
If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Control locked screen notifications
Controls whether mail and calendar notifications appear on a locked device screen. If Allow, all information contained in the notification appears. If Block, notifications do not appear. If sender or event title, only the name of the sender or the title of the calendar event appears. If Count only, only the count of mail and meeting invitations plus the time of calendar reminders appear. Default value is Allow.

Use secure connection (SSL)
If On, Secure Mail uses a secure connection. If Off, Secure Mail does not use a secure connection. Default is On.

Mail Search Limit
Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches. To restrict the amount of mail that is synced to a mobile device, configure the Max sync interval policy. Default value is Unlimited.

Default sync interval
Specifies the default sync interval for Secure Mail. Secure Mail users can change the default.
The Exchange ActiveSync mailbox policy setting Maximum age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum age filter, the Maximum age filter setting is used instead. Secure Mail displays only the sync interval values that are less than the Active Sync Maximum age filter setting.
Default value is three days.

Allowed Max Sync Period
Limits search on the device to a specified period. Search includes local search and server search that you configure with two separate policies. Set the policy on the user device and the server for the policy to be effective. The values are:

3 days
1 week
2 weeks
1 month
All
Default value is All.

Max sync interval
Controls the amount of mail stored locally on a mobile device by limiting the sync period. To restrict the time period that a device can search on the mail server, configure the Mail server search limit policy. The values are:
3 days
1 week
2 weeks
1 month
All
Default value is All.

Default sync interval
Specifies the default sync interval for Secure Mail. Secure Mail users can change the default.
The Exchange ActiveSync mailbox policy setting Maximum age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum age filter, the Maximum age filter setting is used instead. Secure Mail displays only the sync interval values that are less than the Active Sync Maximum age filter setting.
Default value is three days.

Enable download of attachments over Wi-Fi
If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi. Default value is Off.

Enable auto-save of drafts
If On, Secure Mail supports automatically saving messages to the Drafts folder. The auto-save occurs every 20 seconds. Default value is On.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Enable week number
If On, calendar views include the week number. Default value is Off.

FTU Preferred Mechanism
This policy indicates whether the mail server address provided by MDX is used to populate the Address field on the first-time use provisioning screen or the user address is used. Default value is Use MDX-provided mail server address.

FTU Preferred Credentials
This policy defines the value that is chosen as the user name to populate into the initial first-time use provisioning screen. Default value is User Principal Name.

Web/Audio Conference Type
Controls which meeting types users can configure when setting up a meeting. If GoToMeeting and User Entered, users are able to select GoToMeeting or Other Conference when tapping the Web & Audio section of the Create or Edit Event screen. Other Conference allows the user to enter conference details manually. If UserEntered Only, users are taken directly to the Other Conference screen. Default is GoToMeeting and User Entered.

S/MIME Public Certificate Source
Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.

LDAP Server Address
LDAP server address including port number. Default value is empty.

LDAP Base DN
LDAP Base distinguished name. Default value is empty.

Access LDAP Anonymously
If this policy is ON, Secure Mail can search LDAP without prior authentication. Default is OFF. If ON, LDAP authenticates by using the Active Directory user name and password only. There is no support for certificate-based authentication and other authentication modes.

Secure Notes App Settings

Secure Notes storage options
Allows you to set storage options for notes that users create when using Secure Notes. If ShareFile and Exchange Server, the user can choose the storage option for notes. If ShareFile only, notes are stored in ShareFile. If Exchange only, notes are stored in Exchange Server. Default value is ShareFile and Exchange Server.

Secure Notes Exchange Server
Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Notes user domain
Default Active Directory domain name for Exchange users. Default value is empty.

Background network services
The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Default value is empty, implying that background network services are not available.

Background services ticket expiration
Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway
Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates
If On, Secure Notes accepts all SSL certificates (valid or not) and allows access. If Off, Secure Notes blocks access when a certificate error occurs and displays a warning. Default value is Off.

Information Rights Management
If On, Secure Notes supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Secure Tasks App Settings

Background network services
The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Default value is empty, implying that background network services are not available.

Background services ticket expiration
Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Background network service gateway
Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates
If On, Secure Tasks accepts all SSL certificates (valid or not) and allows access. If Off, Secure Tasks blocks access when a certificate error occurs and displays a warning. Default value is Off.

Secure Web App Settings

Allowed or blocked websites
Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Precede each pattern in the list with a plus sign (+) or minus sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action taken as follows:
A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address cannot be resolved.
A plus (+) prefix allows the URL to be processed normally.
If + or - are not provided with the pattern, + (allow) is assumed.
If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:
The policy value + permits HTTP URLs within mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
The policy value + allows users to open any sites in Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, and Hotmail, regardless of protocol.
Default value is empty (all URLs allowed).

Preloaded bookmarks
Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list that includes folder name, friendly name, and web address. Each triplet is of the form folder,name,url where folder and name may optionally be enclosed in double quotes (").
For example, the policy values,"mycorp, Inc. home page", "MyCorp Links",Account logon, "MyCorp Links/Investor Relations","Contact us", define three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link is placed in a folder titled "MyCorp Links" and labeled "Account logon". The third is placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us".
Default value is empty.

Home page URL
Defines the website that Secure Web loads when started. Default value is empty (default start page).

Browser user interface
Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.
Options:
All controls visible. All controls are visible and users are not restricted from using them.
Read-only address bar. All controls are visible, but users cannot edit the browser address field.
Hide address bar. Hides the address bar, but not other controls.
Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.

Enable web password caching
When Secure Web users enter credentials when accessing or requesting a web resource, this policy determines whether Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs and not to passwords entered in web forms.
If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache passwords and removes existing cached passwords. Default value is Off.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Disable cookies
If On, deletes all Secure Web cookies when a user exits Secure Web. As a result, each time users start Secure Web they must reenter information such as website settings and user name. Default value is Off.

Disable HTML5 local storage
If On, prevents websites from saving data in HTML5 local storage, where file names are stored as plain text and can be viewed from desktop apps such as Internet Explorer. Most websites support no HTML5 local storage. Default value is Off.
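
The evaluation order of the Allowed or blocked websites policy described above (first match wins, unmatched URLs are allowed, -* closes the list), modelled as an added example that is not Citrix code. The sample policy value and URLs are constructed, and treating * as a wildcard for any run of characters with case-sensitive matching is an assumption based on the -* entry.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    allow: bool          # True for '+', False for '-'
    pattern: str         # pattern text without its prefix
    regex: re.Pattern    # compiled form of the pattern


def parse_policy(value: str) -> list[Rule]:
    """Split the comma-separated policy value into ordered rules."""
    rules = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        allow = True                      # no prefix: '+' (allow) is assumed
        if entry[0] in "+-":
            allow = entry[0] == "+"
            entry = entry[1:].strip()
        if not entry:
            raise ValueError(f"prefix without a pattern in {raw!r}")
        # Assumption: '*' matches any run of characters; all else is literal.
        regex = re.compile(".*".join(re.escape(p) for p in entry.split("*")),
                           re.DOTALL)
        rules.append(Rule(allow, entry, regex))
    return rules


def evaluate(rules: list[Rule], url: str) -> tuple[bool, Optional[Rule]]:
    """Return (allowed, deciding rule); the first matching rule decides."""
    for rule in rules:
        if rule.regex.fullmatch(url):
            return rule.allow, rule
    return True, None                     # no match: the URL is allowed


def audit(rules: list[Rule]) -> list[str]:
    """Flag lists that do not behave the way their author likely intended."""
    findings = []
    catch_all = next((i for i, r in enumerate(rules) if r.pattern == "*"), None)
    if catch_all is None:
        findings.append("no catch-all entry: URLs that match nothing are allowed")
        return findings
    if rules[catch_all].allow:
        findings.append("catch-all entry allows: the list blocks only what precedes it")
    unreachable = len(rules) - 1 - catch_all
    if unreachable:
        findings.append(f"{unreachable} rule(s) after the catch-all can never match")
    return findings


# Constructed sample policy value (not taken from the Citrix documentation).
SAMPLE_POLICY = "+http://*.corp.example/*,-http://*,+https://*,-*"

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for url in ("http://wiki.corp.example/page", "http://news.example.org/",
                "https://news.example.org/", "ftp://files.example.org/x"):
        allowed, rule = evaluate(rules, url)
        print(url, "allow" if allowed else "block",
              "via", rule.pattern if rule else "default")
    print(audit(parse_policy("+http://*.corp.example/*,-http://*")))
```
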

XenMobile MDX Policies for iOS Apps
Oct 16, 2017

This article describes the MDX policies for iOS apps. You can change policy settings directly in the policy XML files or in the XenMobile console when you add an app.

Authentication

Device passcode
Note: This policy applies to iOS 9 devices only.
If On, a PIN or passcode is required to unlock the device when it starts or resumes after a period of inactivity. A device passcode is required to encrypt app data using Apple file encryption. Data for all apps on the device are encrypted. Default value is Off.

App passcode
If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.
To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 15 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Online session required
If On, the user must have a connection to the enterprise network and an active session. If Off, an active session is not required. Default value is Off.

Online session required grace period (minutes)
Determines how many minutes a user can use the app offline before the Online session required policy prevents the app from further use. Default value is 0 (no grace period).

Maximum offline period (hours)
Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from XenMobile. At expiration, logon to the server may be triggered if needed. Default value is 72 hours (3 days). Minimum period is one hour.
Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on.

Alternate NetScaler Gateway
Address of a specific alternate NetScaler Gateway that is used for authentication and for micro VPN sessions with this app. This policy is an optional policy that, when used with the Online session required policy, forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the default gateway of the server is always used. Default value is empty.

Device Security

Block jailbroken or rooted
If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Network Requirements

Require Wi-Fi
If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Miscellaneous Access

App update grace period (hours)
Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is 168 hours (7 days).
Note: Using a value of zero is not recommended since a zero value immediately prevents a running app from being used until the update is downloaded and installed. This setting might lead to a situation in which the user is forced to exit the app (potentially losing work) to comply with the required update.

Erase app data on lock
Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.
An app can be locked for any of the following reasons:
Loss of app entitlement for the user
App subscription removed
Account removed
Secure Hub uninstalled
Too many app authentication failures
Jailbroken device detected (per policy setting)
Device placed in locked state by other administrative action

Active poll period (minutes)
When an app starts, the MDX framework polls XenMobile to determine current app and device status. Assuming the server running XenMobile can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes.
Important: Only set this value lower for high-risk apps or performance may be affected.

Minimum data protection class
Note: This policy is only enforced on iOS 9 devices.
Establishes the minimum iOS data protection class to be used for file operations. Default value is Complete unless open.
If Complete, uses NSFileProtectionComplete; when a device locks, files become unavailable.
If Complete unless open, uses NSFileProtectionCompleteUnlessOpen or higher. If a file is open when a device locks, the file remains available to the app.
If Until first unlock, uses NSFileProtectionCompleteUntilFirstUserAuthentication or higher. When a device restarts, until the user unlocks the device for the first time, files are locked and can't be read.
If None, uses no specific data protection class. Files can be read from or written to at any time.
Important: Developers must be sure to test wrapped apps that perform background processing, such as content refreshes on a locked device or background syncs.

Encryption

Minimum data protection class
Note: This policy is only enforced on iOS 9 devices.
This policy is hidden. To make the policy visible in XenMobile, open the policy_metadata.xml file for the app (in Applications/Citrix/MDXToolkit/data) and, in the DocumentExchangeExceptionList section, change the value of PolicyHidden to false. After you wrap your app, the policy appears when you add the app to XenMobile.
Establishes the minimum iOS data protection class to be used for file operations.
If Complete, then NSFileProtectionComplete is used; when a device locks, files become unavailable.
If Complete unless open, then NSFileProtectionCompleteUnlessOpen or higher is used. If a file is open when a device locks, the file remains available to the app.
If Until first unlock, then NSFileProtectionCompleteUntilFirstUserAuthentication or higher is used. When a device restarts, until the user unlocks the device for the first time, files are locked and can't be read.
If None, then no specific data protection class is used and files can be read from or written to at any time.
Default value is Complete unless open.

Enable encryption
Note: On iOS 9 devices, this policy enables database and keychain encryption only. To enable file encryption for those devices, set the Device passcode policy to On. For older iOS devices, this policy enables file, database, and keychain encryption.
If Off, the data stored on the device is not encrypted. If On, the data stored on the device is encrypted. Default value is On.
Caution: If you change this policy after deploying an app, users must reinstall the app.

Database encryption exclusions
Lists the databases that are excluded from automatic encryption. To prevent database encryption for a specific database, add an entry to this comma-separated list of regular expressions. If a database path name matches any of the regular expressions, the database is excluded from encryption. The exclusion patterns support POSIX Extended Regular Expressions syntax. The pattern matching is case-insensitive.
Examples:
\.db$,\.sqlite$ excludes any database path name that ends with either ".db" or ".sqlite".
\/Database\/unencrypteddb\.db matches database unencrypteddb.db in the Database subfolder.
\/Database\/ matches all databases that contain /Database/ in their path.
Default value is empty.

File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then that file is excluded from encryption. The exclusion patterns support POSIX Extended Regular Expressions syntax. The pattern matching is case-insensitive.
Examples:
\.log$,\.dat$ excludes any file path name that ends with either ".log" or ".dat".
\/Documents\/unencrypteddoc\.txt matches the contents of the file unencrypteddoc.txt in the Documents subfolder.
\/Documents\/UnencryptedDocs\/.*\.txt matches ".txt" files under the subpath /Documents/UnencryptedDocs/.
Default value is empty.

Warning
If you use Secure Edit to encrypt a file and send it using another application (Secure Mail or native iOS Mail), the file is unencrypted.

App Interaction

Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.
Options: Unrestricted, Blocked, or Restricted

Paste
Blocks, permits, or restricts Clipboard paste operations for the app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.
Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app.
If Restricted, documents can be exchanged only with other MDX apps and the app exceptions specified in the Restricted Open-In exception list policy.
If Unrestricted, set the Enable encryption policy to On so that users can open documents in unwrapped apps. If the receiving app is unwrapped or has encryption disabled, XenMobile decrypts the document.
If the policy blocks the camera, audio, clipboard, or printing, each of these items maintains the last shown timestamp. Users receive a message of the status of the option.
Default value is Restricted.
Options: Unrestricted, Blocked, or Restricted

Restricted Open-In exception list
When the Document exchange (Open In) policy is Restricted, an MDX app can share documents with this comma-delimited list of unmanaged app IDs. This sharing happens even if the Document exchange (Open In) policy is Restricted and the Enable encryption policy is On.
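
For the Database encryption exclusions and File encryption exclusions policies described earlier in this section, an added example (not Citrix code) that reports which paths a given exclusion list would leave unencrypted. The path list is constructed, the function names are illustrative, and Python's re module stands in for POSIX Extended Regular Expressions, which is equivalent only for simple patterns such as the ones the page lists.

```python
import re


def parse_exclusions(policy_value):
    """Split the comma-separated policy value into (text, compiled) pairs.

    Matching is case-insensitive, as the policy description states.
    Assumption: entries are split on every comma, so a pattern cannot itself
    contain one (for example a {1,3} quantifier).
    """
    patterns = []
    for raw in policy_value.split(","):
        raw = raw.strip()
        if raw:
            patterns.append((raw, re.compile(raw, re.IGNORECASE)))
    return patterns


def unencrypted_paths(policy_value, paths):
    """Map each path that would be excluded from encryption to the first
    pattern that matches it. A pattern matches anywhere in the path unless
    it is anchored, which is how the page's \\/Database\\/ example behaves."""
    patterns = parse_exclusions(policy_value)
    hits = {}
    for path in paths:
        for raw, regex in patterns:
            if regex.search(path):
                hits[path] = raw
                break
    return hits


def loose_extension_patterns(policy_value):
    """Return entries that look like a file extension but lack the '$' anchor,
    so they also match longer extensions and names containing the text."""
    return [raw for raw, _ in parse_exclusions(policy_value)
            if re.fullmatch(r"\\\.\w+", raw)]


# Constructed sandbox paths used to review an exclusion list before wrapping.
SAMPLE_PATHS = [
    "/Library/Application Support/Cache.DB",
    "/Library/Database/customers.sqlite",
    "/Library/Database/unencrypteddb.db",
    "/Documents/report.dbf",
    "/Documents/notes.txt",
]

if __name__ == "__main__":
    for value in (r"\.db$,\.sqlite$", r"\/Database\/", r"\.db"):
        print("policy value:", value)
        for path, pattern in unencrypted_paths(value, SAMPLE_PATHS).items():
            print("  left unencrypted:", path, "(matched", pattern + ")")
        for pattern in loose_extension_patterns(value):
            print("  unanchored extension pattern:", pattern)
```
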
The default exception list allows Office 365 apps:
com.microsoft.office.word,com.microsoft.office.excel,com.microsoft.office.powerpoint,com.microsoft.onenote,com.microsoft.onenoteipad,com.microsoft.office.outlook
Only Office 365 apps are supported for this policy.

Caution: Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the Secure environment. For more security, this policy does not appear in the XenMobile console. To make the policy visible in XenMobile, open the policy_metadata.xml file for the app (in Applications/Citrix/MDXToolkit/data) and, in the DocumentExchangeExceptionList section, change the value of PolicyHidden to false. After you wrap your app, the Restricted Open-In exception list policy appears when you add the app to XenMobile.

Connection security level
Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections support SSL 3.0 and TLS. Default value is TLS.

Inbound document exchange (Open In)
Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted. If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app.
Options: Unrestricted, Blocked, or Restricted

Explicit logoff notification
If Enabled, the app activates explicitly to inform the app of a user log off. If Disabled, the app does not activate during a user log off. If set to Shared devices only, then the app activates during user log off only when configuring the device as a shared device. Default is Disabled for all apps except Secure Mail, where the default is Shared Devices.

Inbound document exchange whitelist
When the Inbound document exchange policy is Restricted or Blocked, this comma-delimited list of app IDs, including non-MDX apps, is allowed to send documents to the app.

App URL schemes
iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as " This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the schemes that are passed into this app for handling (that is, inbound URLs). Default value is empty, meaning that all registered app URL schemes are blocked. The policy is formatted as a comma-separated list of patterns in which a plus "+" or minus "-" precedes each pattern.
Inbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the prefix dictates the action taken.
A minus sign (-) prefix blocks the URL from being passed into this app.
A plus sign (+) prefix permits the URL to be passed into the app for handling.
If "+" or "-" are not provided with the pattern, "+" (allow) is assumed.
If an inbound URL does not match any pattern in the list, the URL is blocked.

The following table contains examples of App URL schemes:

Scheme | App that requires the URL scheme | Purpose
ctxmobilebrowser | Secure Web | Permit Secure Web to handle HTTP: URLs from other apps.
ctxmobilebrowsers | Secure Web | Permit Secure Web to handle HTTPS: URLs from other apps.
ctxmail | Secure Mail | Permit Secure Mail to handle mailto: URLs from other apps.
COL-G2M | GoToMeeting | Permit a wrapped GoToMeeting app to handle meeting requests.
ctxsalesforce | Citrix for Salesforce | Permit Citrix for Salesforce to handle Salesforce requests.
wbx | WebEx | Permit a wrapped WebEx app to handle meeting requests.

Allowed URLs
iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as " This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the URLs that are passed from this app to other apps for handling (that is, outbound URLs). The policy is formatted as a comma-separated list of patterns in which a plus "+" or minus "-" precedes each pattern. Outbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the prefix dictates the action taken.
A minus sign (-) prefix blocks the URL from being passed out to another app.
A plus sign (+) prefix permits the URL to be passed out to another app for handling.
If "+" or "-" are not provided with the pattern, "+" (allow) is assumed.
A pair of values separated by "=" indicates a substitution where occurrences of the first string are replaced with the second. You can prefix the search string with the regular-expression "^" to anchor it to the beginning of the URL.
If an outbound URL does not match any pattern in the list, it is blocked.

Default:
+maps.apple.com
+itunes.apple.com
^
^
^mailto:=ctxmail:
+^citrixreceiver:
+^telprompt:
+^tel:
+^col-g2m-2:
+^col-g2w-2:
+^mapitem:
+^maps:ios_addr
+^sms:
+^facetime:
+^facetime-audio:
+^ctxnotes:
+^ctxtasks:
+^itms-apps

If the setting is blank, all URLs are blocked, except for the following:
+citrixreceiver:
+tel:

The following table contains examples of allowed URLs:

^mailto:=ctxmail: | All mailto: URLs open in Secure Mail.
^ | All HTTP URLs open in Secure Web.
^ | All HTTPS URLs open in Secure Web.
^tel: | Allows user to make calls.
-// | Blocks Dropbox URLs dispatched from managed apps.
+^COL-G2M: | Permits managed apps to open the GoToMeeting client app.
-^SMS: | Blocks the use of a messaging chat client.
-^wbx: | Blocks managed apps from opening the WebEx client app.
+^ctxsalesforce: | Permits Citrix for Salesforce to communicate with your Salesforce server.

App Restrictions

Important
Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera
If On, prevents an app from directly using the camera hardware. Default value is On.

Block Photo Library
If On, prevents an app from accessing the Photo Library on the device. Default value is On.

Block localhost Connections
If On, prevents an app from accessing the loopback address ( ). Default value is Off.

Block mic record
If On, prevents an app from directly using the microphone hardware for recording. Default value is On.

Block dictation
If On, prevents an app from directly using dictation services. Default value is On.

Block location services
If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps.

Block SMS compose
If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block iCloud
If On, prevents an app from using iCloud for storing and sharing settings and data. Note: The Block file backup policy controls iCloud data file backup. Default value is On.

Block file backup
If On, prevents iCloud or iTunes from backing up data files. Default value is On.

Block AirPrint
If On, prevents access to printing by using AirPrint features to print data to AirPrint-enabled printers. Default value is On.

Block AirDrop
If On, prevents an app from using AirDrop. Default value is On.

Block as attachment
Note: This policy is enforced on iOS 9 only. If On, disables sending a note as an email with a PDF attachment. Default value is Off.

Block file attachments
Note: This policy is enforced on iOS 9 only. If On, disables downloading attachments in Secure Mail. Default value is Off.

Block Facebook and Twitter APIs
If On, prevents an app from using the iOS Facebook and Twitter APIs. Default value is On.

Obscure screen contents
If On, when users switch apps, the screen is obscured. This policy prevents iOS from recording screen contents and displaying thumbnails. Default value is On.

Block 3rd party keyboards (iOS 9 and later only)
If On, prevents an app from using third-party keyboard extensions on iOS 9 and later devices. Default value is On.

Block app logs
If On, prohibits an app from using the XenMobile App diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub support feature. Default value is Off.

Mail compose redirection
You have three choices for how users are allowed to compose mail from an enterprise app:
Secure Mail: If installed on the device, Secure Mail automatically opens. If not, native mail does not open. Instead, users get a message instructing them to install Secure Mail.
Native: The native mail program of the device opens.
Blocked: Both Secure Mail and native mail are blocked.
Default is Secure Mail.

Block iOS Look Up
If On, prevents iOS from searching for highlighted terms across apps. Default value is On.

App Network Access

Network access
Prevents, permits, or redirects app network activity. If Unrestricted, no restrictions are placed on network access. Apps have unrestricted access to networks to which the device is connected. If Blocked, all network access is blocked. If Tunneled to the internal network, a per-app VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel settings are used. Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail, Secure Notes, ShareFile Phone, and ShareFile Tablet is Unrestricted. Default value for other apps is Blocked.

Certificate label
When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).
Preferred VPN mode
Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network. Secure browse is recommended for connections that require single sign-on (SSO).

Permit VPN mode switching
When tunneling to the internal network, this policy permits switching between VPN modes automatically as needed. If On, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, full tunnel mode can accommodate server challenges for client certificates, but not when using secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode. If Off, the mode specified in the Preferred VPN mode policy is the only mode that is used. Default value is Off.

PAC file URL or proxy server
Defines the Proxy Auto-Configuration (PAC) file URL or the proxy server to use. Supported for full tunnel mode only. Specify a PAC file URL in the form http[s]:// /proxy.pac or http[s]://example.com/proxy.pac. For HTTPS, install the root CA on the device if the certificate is self-signed or untrusted. Specify a proxy server in the form myhost.example.com:port or :port. Default and non-default ports are accepted. Default value is empty.

Whitelisted Wi-Fi networks
Comma-delimited list of allowed networks. App runs only if connected to one of the networks listed. If left blank, all networks are allowed. This policy doesn't affect connections to cellular networks. Default value is blank.

App Logs

Default log output
Determines which output media are used by XenMobile App diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level
Controls default verbosity of the XenMobile App diagnostic logging facility. Higher-level numbers include more detailed logging.
0 - Nothing logged
1 - Critical errors
2 - Errors
3 - Warnings
4 - Informational messages
5 - Detailed informational messages
6 through 15 - Debug levels 1 through 10
Default value is level 4 (Informational messages).

Max log files
Limits the number of log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size
Limits the size in MB of the log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

App Geolocation and Geofencing

The Geolocation feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam. If the person travels to Belgium, the app locks and users cannot interact with the app. When the user returns to Amsterdam, the app unlocks and is available for normal use.

There are three settings to enable Geolocation:

Longitude (X coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. Enter in a signed degrees format (DDD.dddd). For example, " " Preface west longitudes with a minus sign.

Latitude (Y coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. Enter in a signed degrees format (DDD.dddd). For example, " " Preface southern latitudes with a minus sign.

Radius of the geofence in which the app is constrained to operate. Express the radius in meters. Setting this value to zero disables geofencing. If you enable Block location services, geofencing does not work correctly. Default is 0 (disabled).

If the app supports geofencing and you disable location services, users can either quit the app or can click Settings, which goes to the Android Settings screen. If users enable location services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point is greater than the specified radius, the user is blocked from using the app. When this block occurs, users receive an option to quit the app. The user must be within the fence to continue using the app. If the distance between the current location and the center point is less than the specified radius, the user can continue to use the app.

The app checks the network provider (Wi-Fi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which helps in obtaining the location faster. There is a two-minute time-out to allow for longer times in checking the location.

Note: To get an accurate location, and to avoid users circumventing the Geofence by disabling Wi-Fi or the GPS, Citrix recommends setting the policy Online session required to On.

ShareConnect App Settings

Save password
If On, enables users to save their user name and password for their remote computer. Default value is On.
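The geofence check described under App Geolocation and Geofencing, as an added Python example that is not Citrix code: it validates the three policy values and applies the distance-versus-radius rule, including the easy mistake of swapping the X (longitude) and Y (latitude) fields. The haversine formula, the class and function names, and the sample coordinates are assumptions; the page does not say how the app computes distance.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, assumed for the haversine formula


@dataclass(frozen=True)
class GeofencePolicy:
    longitude: float  # X coordinate, signed degrees, west is negative
    latitude: float   # Y coordinate, signed degrees, south is negative
    radius_m: float   # meters; 0 disables geofencing

    @classmethod
    def from_policy(cls, longitude: str, latitude: str, radius: str) -> "GeofencePolicy":
        """Parse the three policy fields as an admin would type them."""
        lon, lat, rad = float(longitude), float(latitude), float(radius)
        if not -180.0 <= lon <= 180.0:
            raise ValueError(f"longitude out of range: {lon}")
        if not -90.0 <= lat <= 90.0:
            raise ValueError(f"latitude out of range: {lat}")
        if rad < 0:
            raise ValueError(f"radius must not be negative: {rad}")
        return cls(lon, lat, rad)

    @property
    def enabled(self) -> bool:
        return self.radius_m > 0


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in meters between two points (haversine)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def app_locked(policy: GeofencePolicy, current_lat: float, current_lon: float) -> bool:
    """True when the current location is farther from the center than the radius."""
    if not policy.enabled:
        return False  # radius 0: geofencing is disabled
    d = distance_m(policy.latitude, policy.longitude, current_lat, current_lon)
    return d > policy.radius_m


if __name__ == "__main__":
    # Constructed sample: fence centered on Amsterdam with a 25 km radius.
    fence = GeofencePolicy.from_policy(longitude="4.9041", latitude="52.3676", radius="25000")
    for name, lat, lon in [("Amsterdam area", 52.3080, 4.7642), ("Brussels", 50.8503, 4.3517)]:
        print(name, "locked" if app_locked(fence, lat, lon) else "unlocked")
    # Swapped fields still pass range validation but move the fence elsewhere.
    swapped = GeofencePolicy.from_policy(longitude="52.3676", latitude="4.9041", radius="25000")
    print("swapped fields, user in Amsterdam:", app_locked(swapped, 52.3676, 4.9041))
```
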
Secure Mail App Settings

Secure Mail Exchange Server
The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.
Caution: If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Secure Mail user domain
The default Active Directory domain name for Exchange or, for iOS only, Notes users. Default value is empty.

Background network services
The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server in your internal network or another network that Secure Mail connects to, such as mail.example.com:443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. Default value is empty, implying that background network services are not available.

Background services ticket expiration
The time period that a background network service ticket remains valid. When Secure Mail connects to an Exchange Server running ActiveSync through NetScaler Gateway, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).

Background network service gateway
Alternate gateway address to use for background network services, in the form fqdn:port. This address is the NetScaler Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway. Default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Export contacts
Important: Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, contacts are duplicated on the device and in Exchange.
If Off, prevents the one-way synchronization of Secure Mail contacts to the device and prevents the sharing of Secure Mail contacts (as vCards). Default value is Off.

Contact fields to export
Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name- and phone-related contact fields are exported. If Name, Phone, and Email, all name-, phone-, and email-related contact fields are exported. Default value is All.

Accept all SSL certificates
If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning. Default value is Off.

Control locked screen notifications
Controls whether mail and calendar notifications appear on a locked device screen. If Allow, all information contained in the notification appears. If Block, notifications do not appear. If sender or event title, only the name of the sender or the title of the calendar event appears. If Count only, only the count of mail and meeting invitations plus the time of calendar reminders appear. Default value is Allow.

Default notification
Users can change notifications on their device from Off to On. The Default notification policy allows you to set a global policy for notifications for your organization.

When the app checks for new policies, the new value is sent to the user device. This check occurs when users install the app for the first time or upgrade the app. If users set this policy locally and the global setting is different, the local setting does not change when users start the app. Default value is Off.

Default sync interval
Specifies the default sync interval for Secure Mail. Secure Mail users can change the default. The Exchange ActiveSync mailbox policy setting Maximum age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum age filter, the Maximum age filter setting is used instead. Secure Mail displays only the sync interval values that are less than the ActiveSync Maximum age filter setting. Default value is three days.

Mail Search Limit
Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches. The options are:
90 days
180 days
1 year
Unlimited
To restrict the amount of mail synchronized to a mobile device, configure the Max sync interval policy. Default value is Unlimited.

Max sync interval
Controls the amount of mail stored locally on a mobile device by limiting the sync period. To restrict the time period that a device can search on the mail server, configure the policy Mail server search limit. The values are:
3 days
1 week
2 weeks
1 month
All
Default value is 1 month.

Allowed Max Sync Period
Limits search on the device to a specified period. Search includes local search and server search that you configure by using two separate policies. Set the policy on the user device and the server for the policy to be effective.

The values are:
3 days
1 week
2 weeks
1 month
All
Default value is 1 month.

Enable week number
If On, calendar views include the week number. Default value is Off.

Enable download of attachments over Wi-Fi
If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi. Default value is Off.

Information Rights Management
If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

classification
If On, Secure Mail supports classification markings for security (SEC) and dissemination limiting markers (DLM). Classification markings appear in headers as X-Protective-Marking values. Be sure to configure the related classification policies. Default value is Off.

classification markings
Specifies the classification markings to be made available to users. The markings list contains value pairs that are separated by semicolons. Each pair includes the list value that appears in Secure Mail and the marking value that is the text appended to the subject and header. For example, in the marking pair UNOFFICIAL,SEC=UNOFFICIAL, the list value is UNOFFICIAL and the marking value is SEC=UNOFFICIAL. Default value is a list of classification markings that you can modify. For the list of default markings, see Security Classifications. If the list is empty, Secure Mail does not include a list of protective markings.

classification namespace
Specifies the classification namespace that is required in the header by the classification standard used. For example, the namespace gov.au appears in the header as NS=gov.au. Default value is empty.

classification version
Specifies the classification version that is required in the header by the classification standard used.
For example, the version appears in the header as VER=
Default value is empty.

Default classification
If a user does not choose a marking, specifies the protective marking that Secure Mail applies to an email. This value must be in the list for the classification markings policy. Default value is UNOFFICIAL.

Enable auto-save of drafts
If On, Secure Mail supports automatically saving messages to the Drafts folder. The auto-save occurs every 20 seconds.

Default value is On.

Enable iOS data protection
Note: This policy is intended for enterprises which must meet Australian Signals Directorate (ASD) computer security requirements.
Enables iOS data protection when working with files. If On, specifies the file-protection level when creating and opening files in the app sandbox. Default value is Off.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Push notifications
Enables APNs-based notifications about mailbox activity. If On, Secure Mail supports push notifications. Default value is Off.

Push notifications region
The region where the APNs host is located for your Secure Mail users. Options are Americas, EMEA, and APAC. Default value is Americas.

Push notifications customer ID
Your APNs customer ID, used to identify your account to the Citrix notification service. Default value is empty.

S/MIME certificate source
Specifies the source of S/MIME certificates. If Email, you must email user certificates to users, who then open the email in Secure Mail and import the attached certificates. If Shared vault, a supported digital identity provider supplies certificates to the XenMobile App shared vault. The integration with the third-party provider requires that you publish a related app to users. See the description for the Enable S/MIME during first Secure Mail startup policy (next) for details about the user experience. Default value is Email.

Enable S/MIME during first Secure Mail startup
If the S/MIME certificate source policy is Shared vault, determines whether Secure Mail enables S/MIME during the first Secure Mail startup. If On, Secure Mail enables S/MIME if there are certificates for the user in the shared vault. If there are no certificates in the shared vault, the user is prompted to import the certificates.
In both of those scenarios, users must configure certificates from a supported digital identity provider app before creating an account in Secure Mail. If Off, Secure Mail does not enable S/MIME and the user can enable it in the Secure Mail settings. Default value is Off.

FTU Preferred Mechanism
This policy indicates whether the mail server address provided by MDX is used to populate the Address field on the first-time use provisioning screen or the user address is used. Default value is Use MDX provided mail server address.

FTU Preferred Credentials
This policy defines the value that is chosen as the user name to populate into the initial first-time use provisioning screen.

Default value is User Principal Name.

Web/Audio Conference Type
Controls which meeting types users can configure when setting up a meeting. If GoToMeeting and User Entered, users are able to select GoToMeeting or Other Conference when tapping the 'Web & Audio' section of the Create or Edit Event screen. Other Conference allows the user to enter conference details manually. If User Entered Only, users are taken directly to the Other Conference screen. Default is GoToMeeting and User Entered.

S/MIME Public Certificate Source
Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.

LDAP Server Address
LDAP server address including port number. Default value is empty.

LDAP Base DN
LDAP Base distinguished name. Default value is empty.

Access LDAP Anonymously
If this policy is ON, Secure Mail can search LDAP without prior authentication. Default is OFF. If ON, LDAP authenticates by using the Active Directory user name and password only. There is no support for certificate-based authentication and other authentication modes.

Override Native Contacts Check
If On, the app syncs contacts to the device even if the native Contacts app is configured with Exchange/Hotmail Account. If Off, the app continues to block contacts sync. Default is On.

Allowed Domains
Adding an email domain to this list allows users to configure an account from that domain. All other domains are blocked. The default is empty, meaning Secure Mail does not block any domains. To allow Secure Mail to filter for prohibited domains, you need to add the allowed domains to the list. Secure Mail then compares the domain with the allowed list. For instance, if you list server.company.com as an allowed domain name and the user's address is user@internal.server.company.com, Secure Mail supports the address.
In that example, Secure Mail does not support any other address with a domain name that is not server.company.com. In the policy settings, you add the allowed domains in comma-separated format, such as server.company.com, server.company.co.uk.

Secure Notes App Settings

Secure Notes storage options
Allows you to set storage options for notes that users create when using Secure Notes. If ShareFile and Exchange Server, the user can choose the storage option for notes. If ShareFile only, notes are stored in ShareFile. If Exchange only, notes are stored in Exchange Server. Default value is ShareFile and Exchange Server.

Secure Notes Exchange Server
Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.

Secure Notes user domain
Default Active Directory domain name for Exchange users. Default value is empty.

Background network services
The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server in your internal network or another network that Secure Mail connects to, such as mail.example.com:443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. Default value is empty, implying that background network services are not available.

Background services ticket expiration
Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway
Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates
If On, Secure Notes accepts all SSL certificates (valid or not) and allows access. If Off, Secure Notes blocks access when a certificate error occurs and displays a warning. Default value is Off.

Usage analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Tasks App Settings

You can configure the following policies for Secure Tasks on iOS devices:

Secure Tasks Exchange Server
Fully qualified domain name (FQDN) for Exchange Server.
Default value is empty.

Secure Tasks user domain
Default Active Directory domain name for Exchange users. Default value is empty.

Background network services
Comma-separated list of service addresses and ports that are permitted for background network access. Each service is of the form fqdn:port. Default value is empty, implying background network services are not available.

Background services ticket expiration
Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway
Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates
If On, Secure Tasks accepts all SSL certificates (valid or not) and allows access. If Off, Secure Tasks blocks access when a certificate error occurs and displays a warning. Default value is Off.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Web App Settings

Allowed or blocked websites
Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. A plus (+) or minus (-) precedes each pattern in the list. The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action taken as follows:
A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address cannot be resolved.
A plus (+) prefix allows the URL to be processed normally.
If + or - are not provided with the pattern, + (allow) is assumed.
If the URL does not match any pattern in the list, the URL is allowed. To block all other URLs, end the list with a minus sign followed by an asterisk (-*).

For example:
The policy value + permits HTTP URLs within mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
The policy value + allows users to open any sites in Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, and Hotmail, regardless of protocol.

Default value is empty (all URLs allowed).

Preloaded bookmarks
Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list that includes folder name, friendly name, and web address. Each triplet is of the form folder,name,url where folder and name may optionally be enclosed in double quotes ("). For example, the policy values,"mycorp, Inc. home page", "MyCorp Links",Account logon, "MyCorp Links/Investor Relations","Contact us", define three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link is placed in a folder titled "MyCorp Links" and labeled "Account logon". The third is placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us". Default value is empty.

Home page URL
Defines the website that Secure Web loads when started. Default value is empty (default start page).

Browser user interface
Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.
Options:
All controls visible. All controls are visible and users are not restricted from using them.
Read-only address bar. All controls are visible, but users cannot edit the browser address field.
Hide address bar. Hides the address bar, but not other controls.
Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.

Enable web password caching
When Secure Web users enter credentials when accessing or requesting a web resource, this policy determines whether Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs and not to passwords entered in web forms. If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache passwords and removes existing cached passwords. Default value is Off. This policy is enabled only when you also set the Preferred VPN policy to Full VPN tunnel for this app.

Google analytics
If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Enable iOS data protection
Note: This policy is intended for enterprises which must meet Australian Signals Directorate (ASD) computer security requirements.
Enables iOS data protection when working with files. If On, specifies the file-protection level when creating and opening files in the app sandbox. Default value is Off.

iOS 9 security restrictions
Note: This policy is only enforced on iOS 9.
If On, disables downloading files and offline pages. Also disables cookie caching and HTML5 local storage. Default value is Off.

ShareFile Secure Client App Settings

Enable secure viewer
If On, the client uses a secure viewer instead of the iOS Quick Look preview feature. The MDX-based secure viewer ensures that cut, copy, and paste operations occur only between MDX-wrapped apps. If Off, the secure viewer is not used. Default is On.

XenMobile MDX Policies for Windows Device Apps
Oct 16, 2017

This article describes the MDX app policies for Windows Phone 10 and Windows Phone 8.1 devices. You can change policy settings directly in the policy XML files or in the XenMobile console when you add an app.

Authentication

App passcode
If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.
To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.
Note: If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Online session required
If On, the user must have a connection to the enterprise network and an active session. If Off, an active session is not required. Default value is Off.

Maximum offline period (hours)
Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from XenMobile. Default value is 72 hours (3 days). Minimum period is 1 hour. Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on.

App Interaction

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Restricted. Options: Unrestricted, Blocked, or Restricted.

App Restrictions

Caution: Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the secure environment.

Block app logs
If On, an app is prohibited from using the XenMobile App diagnostic logging facility. If Off, app logs are recorded and may be collected using the Secure Hub support feature. Default value is Off.

Block camera
If On, prevents an app from directly using the camera hardware. Default value is Off.

App Logs

Default log output
Determines which output mediums XenMobile App diagnostic logging facilities use by default. Possibilities are file, console, or both file,console. Default value is file.

Default log level
Controls default verbosity of the XenMobile App diagnostic logging facility. Higher level numbers include more detailed logging.
0 - Nothing logged
1 - Critical errors
2 - Errors
3 - Warnings
4 - Informational messages
5 - Detailed informational messages
6 through 15 - Debug levels 1 through 10
Default value is level 4 (Informational messages).

Max log files
Limits the number of log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size
Limits the size in megabytes (MB) of the log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

Secure Mail App Settings

Secure Mail Exchange Server
The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.
Caution: If you change this policy for an existing app, users must delete and reinstall the app to apply the policy change.

Secure Mail user domain
The default Active Directory domain name for Exchange or, for iOS only, Notes users. Default value is empty.

Background network services
The FQDN and port of service addresses permitted for background network access. This might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. In addition, use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration
The time period that a background network service ticket remains valid. When Secure Mail connects through NetScaler Gateway to an Exchange Server running ActiveSync, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This property setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).

Background network service gateway
Alternate gateway address to use for background network services, in the form fqdn:port. This is the NetScaler Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway.
The default value is empty, implying that an alternate gateway does not exist.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. In addition, use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Export contacts
Important: Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, contacts are duplicated on the device and in Exchange.
If Off, prevents the one-way synchronization of Secure Mail contacts to the device and prevents the sharing of Secure Mail contacts (as vCards). Default value is Off.

Google analytics
If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default value is On.

FTU Preferred Mechanism
This policy indicates whether the mail server address as provided by MDX should be used to populate the Address field on the first time use provisioning screen or whether the user's address should be used. Default value is Use MDX provided mail server address.

FTU Preferred Credentials
This policy defines the value that should be chosen as the user name to populate into the initial first time use provisioning screen.

Default value is User Principal Name.

Secure Web App Settings

Allowed or blocked websites
Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a plus sign (+) or minus sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
A plus (+) prefix allows the URL to be processed normally.
If neither + nor - is provided with the pattern, + (allow) is assumed.
If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a minus sign followed by an asterisk (-*).
For example:
The policy value + permits HTTP URLs within mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
The policy value + allows users to open any sites in Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.
Default value is empty (all URLs allowed).

Preloaded bookmarks
Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list that includes folder name, friendly name, and web address. Each triplet should be of the form folder,name,url where folder and name may optionally be enclosed in double quotes ("). For example, the policy values,"mycorp, Inc. home page", "MyCorp Links",Account logon, "MyCorp Links/Investor Relations","Contact us", define three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link will be placed in a folder titled "MyCorp Links" and labeled "Account logon". The third will be placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us". Default value is empty.

Home page URL
Defines the website that Secure Web loads when started. Default value is empty (default start page).
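The ordered allow/block evaluation that the Allowed or blocked websites policy describes, in both the earlier Secure Web section and this Windows one, written out as an added Python example (not Citrix code). The policy strings are constructed samples; treating * as a wildcard for any run of characters, matched case-insensitively against the whole URL, is an assumption, since the page only shows * in the closing -*. The lint function flags lists that fall through to the default allow or that contain rules that can never be reached.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    allow: bool        # True for a "+" prefix, False for "-"
    pattern: str       # pattern text without its prefix
    regex: re.Pattern  # compiled form of the pattern


def _compile(pattern: str) -> re.Pattern:
    # Assumption: "*" stands for any run of characters; all else is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def parse_policy(value: str) -> List[Rule]:
    """Split the comma-separated policy value into rules, keeping list order."""
    rules = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item[0] in "+-":
            allow, pattern = item[0] == "+", item[1:].strip()
        else:
            allow, pattern = True, item  # no prefix: + (allow) is assumed
        if not pattern:
            raise ValueError(f"prefix without a pattern: {raw!r}")
        rules.append(Rule(allow, pattern, _compile(pattern)))
    return rules


def decide(rules: List[Rule], url: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matching rule). The first match in list order wins."""
    for rule in rules:
        if rule.regex.fullmatch(url):
            return rule.allow, ("+" if rule.allow else "-") + rule.pattern
    return True, None  # no pattern matched: the URL is allowed


def lint(rules: List[Rule]) -> List[str]:
    """Flag policy lists that are more permissive than they look."""
    if not rules:
        return ["empty policy: all URLs are allowed"]
    findings = []
    last = rules[-1]
    if last.allow or last.pattern != "*":
        findings.append("list does not end with -*: unmatched URLs are allowed")
    for pos, rule in enumerate(rules[:-1], start=1):
        if rule.pattern == "*":
            findings.append(
                f"rule {pos} matches every URL: "
                f"{len(rules) - pos} later rule(s) are never reached"
            )
            break
    return findings


# Constructed sample policy values (not taken from the Citrix documentation).
STRICT = "+http://*.mycorp.example/*,-http://*,+https://*,+ftp://*,-*"
LEAKY = "-http://*.social.example/*, https://*"  # no closing -*
SHADOWED = "-*,+https://*"                        # catch-all placed first

if __name__ == "__main__":
    urls = (
        "http://wiki.mycorp.example/home",
        "http://news.example.org/",
        "https://news.example.org/",
        "ftp://files.example.org/a",
        "file:///tmp/x",
    )
    for name, value in (("STRICT", STRICT), ("LEAKY", LEAKY), ("SHADOWED", SHADOWED)):
        rules = parse_policy(value)
        print(name, "lint:", lint(rules) or "clean")
        for url in urls:
            allowed, matched = decide(rules, url)
            verdict = "allow" if allowed else "block"
            print(f"  {verdict:5} {url}  (rule: {matched or 'none, default allow'})")
```
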

MDX Developer's Guide
Oct 16, 2017

Citrix XenMobile is an enterprise solution that lets you manage mobile devices, apps, and data. The basic premise of XenMobile mobile app management (MAM) is that it injects enterprise functionality into preexisting apps, which are then hosted on a company's private app store, the Apple App Store, or the Google Play Store.

To add XenMobile enterprise functionality to mobile apps, you wrap them with the MDX Toolkit. The MDX Toolkit is an app container technology that enhances the mobile device experience and prepares apps for secure deployment with XenMobile by adding Worx capabilities. The Worx capabilities include policies and settings, signed security certificates, and mobile app management code.

The MDX Toolkit includes the Worx App SDK, which delivers a complete set of Worx capabilities to your mobile apps through the Citrix MDX app container technology. APIs enable you to:
Perform actions in wrapped apps based on XenMobile policies. For example, if a XenMobile policy prevents cut and copy in a Worx app, you can prevent text selection in your app. Your app can communicate and share policies with other Worx-enabled apps.
Detect activities within your Worx-enabled apps. For example, you can check whether an app is wrapped or managed.
Add custom functionality, such as security and policy enforcement.
Develop mobile apps that will run either inside or outside a Citrix environment.

In addition to being centrally configurable with Worx policies when used with XenMobile, apps that use the Worx App SDK can operate standalone outside of Citrix environments.

Quick links to article sections

The rest of this article includes a list of new features in this release, background information about app management, wrapping, and how your implementation choices affect the Worx user experience.
What's New in the Worx App SDK 10.2
MAM Capabilities
XenMobile Components
Unmanaged and Managed Modes for ISV Apps
ISV App Wrapping
Worx App User Experience
Known Issues for Worx App SDK

What's New in the Worx App SDK 10.2

The current release of Worx App SDK for iOS includes these enhancements.

Support for iOS 9. The Worx App SDK 10.2 supports iOS 9.

Important: Secure Hub 10.0.x and apps wrapped with MDX Toolkit 10.0.x will not run on iOS 9. Developers must rewrap ISV apps with MDX Toolkit. Users must install the upgraded apps before upgrading their devices to iOS 9. If users try to open on iOS 9 any apps that were wrapped with MDX Toolkit 10.0.x, they will not be able to upgrade those apps and must reinstall a version of those apps wrapped with MDX Toolkit.

As a result of changes in iOS 9, MDX file-based encryption is incompatible with iOS 9 for data downloaded to an iOS device from a wrapped app. Database and keychain encryption remain fully functional. MDX Toolkit 10.2 provides an alternative mechanism to encrypt app data stored on the device file system. You can choose from the following options to protect data:

Use iOS File Data Protection to encrypt data. Apple requires a device passcode to encrypt all app data on the device using iOS File Data Protection. To support this iOS protection, MDX Toolkit 10.2 includes a new policy, Device passcode, which you can use to enforce a PIN or passcode on an iOS 9 device. By default, this policy is On. The policy applies on a per-app basis and can be used whether you run XenMobile in MDM or MAM mode. In addition to requiring a PIN or passcode, you can also specify a minimum iOS data protection class that is used for the app data stored on the file system.

Policies and iOS 9:
The user entropy feature, which is enabled through the Encrypt secrets using Passcode key, is not affected by iOS 9.
MDX encryption for data stored in databases, the keychain, and the secure vault on the device is not affected.
On iOS 9 devices, the Enable encryption policy now enables database and keychain encryption only. For older iOS devices, the Enable encryption policy continues to also enable MDX file encryption.

For additional protection on devices with a device passcode enabled, the Worx App SDK also includes a higher level of iOS encryption for files that those apps store on the device. iOS file encryption has several data protection levels. The new Minimum data protection class policy lets you specify a protection class that is used for the app data unless a higher protection level is already specified in the app. The policy values are:
Complete unless open. If a file is open when a device locks, the file continues to be available to the app. This value corresponds to NSFileProtectionCompleteUnlessOpen. Default value.
Complete. When a device locks, files become unavailable. This value corresponds to NSFileProtectionComplete.
Until first lock. When a device restarts, until the user unlocks the device for the first time, files are locked and can't be read. This value corresponds to NSFileProtectionCompleteUntilFirstUserAuthentication.
None. Files have no special protections and can be read from or written to at any time. This value corresponds to NSFileProtectionNone.

Important: Developers, be sure to test wrapped apps that perform background processing, such as content refreshes on a locked device or background syncs.

The Minimum data protection class policy is hidden. To make the policy visible in XenMobile, open the policy_metadata.xml file for the app (in Applications/Citrix/MDXToolkit/data) and, in the MinimumDataProtectionClass section, change the value of PolicyHidden to false. After you wrap your app, the policy appears when you add the app to XenMobile.

For more information about iOS 9 compatibility, see What's New in MDX Toolkit.

App wrapping integration with Xcode build process. Developers can now wrap and publish an iOS app as part of the Xcode build process. For details, see Publishing an iOS App Using Xcode.

Support for shared vault in Android apps. The Worx App SDK now includes the Android API for the Worx shared vault feature, enabling you to share managed content between apps. For example, the shared vault enables the sharing of certificates and private keys through an enrolled app so that apps can obtain a certificate from the secure vault instead of from Secure Hub. For details, see XenMobile API for Android.

Fixed issues. See Fixed Issues in MDX Toolkit.

MAM Capabilities

The enterprise functionality added by XenMobile is controlled through policies that administrators update on a per-app basis from the XenMobile console. XenMobile pushes policies to mobile devices on the schedule determined by administrators. Policies manage features, such as the following:

Authentication. When opening a managed app, XenMobile can require users to enter corporate credentials or a PIN. This credential challenge can be repeated on a periodic basis.

App updates. XenMobile notifies users when updates to managed apps are available. The administrator can make updates mandatory within a certain time period. If a user doesn't accept an update, the old version of the app will not execute after the time period elapses.

Remote locking and wiping. An administrator can temporarily lock or permanently wipe apps on a per-app or per-device basis.

Data encryption. For iOS 9 devices, XenMobile uses MDX file encryption for database and keychain files and uses Apple file encryption for locally stored data. For locally stored data on iOS 9 you can also use the Minimum data protection class policy to specify a protection class that is used for the app data unless a higher protection level is already specified for the app.

Network restrictions and VPN. A XenMobile policy controls network access: Access can be either blocked, routed through a full VPN, or routed through a proxy VPN. VPN routing is through a Citrix NetScaler Gateway device hosted by the enterprise.

Communication restrictions between apps. A XenMobile policy determines whether document sharing between apps is blocked or permitted only between managed apps. Thus, the "Open In" pop-up in your app can omit unmanaged apps.

Feature containment. XenMobile policies can disable various device capabilities for an app. Examples include the camera, microphone, and location sensor.

XenMobile Components

The following XenMobile components provide MAM functionality.

XenMobile server
This enterprise or cloud resident server hosts XenMobile Store, the internal app store. Administrators upload mobile apps to XenMobile and then configure app and device policies.

Secure Hub
Enterprise users install Secure Hub for Android or iOS on their mobile device and then configure the app with a device enrollment URL and credentials. When Secure Hub opens, users select enterprise apps from XenMobile Store. After the apps download and install on the device, Secure Hub serves as a hub for managing these apps, performing tasks, such as user authentication and updates of centrally administered policies.

MDX
MDX is the source of the MAM functionality. The MDX Toolkit adds MDX code to your mobile app. Other than wrapping apps, you don't directly work with the MDX code.

MDX Toolkit and Worx App SDK

The MDX Toolkit adds enterprise functionality to existing mobile apps, a process called app wrapping. The Worx App SDK lets developers and system integrators Worx-enable their mobile apps. Application wrapping performs three main tasks. First, it injects Citrix code into your app that implements the app management capabilities. The output of that task is a new app file. Second, app wrapping signs the new app file with a security certificate. Finally, app wrapping creates an MDX file, which contains policy information and other settings. In some situations, the signed app file is also directly contained in the MDX file.

This developer's guide focuses on app wrapping for ISVs.

Unmanaged and Managed Modes for ISV Apps

The Worx App SDK offers dual-mode app behavior, enabling you to deploy apps that can run with or without the Worx infrastructure. Apps that are run independently of Secure Hub are referred to as unmanaged apps. When those apps meet certain conditions, they transition to managed apps and run under the control of Secure Hub.

The dual-mode behavior is in contrast with the Worx Apps deployed from the XenMobile backend directly. Those apps always require the presence of Citrix Worx and authorization from a XenMobile Store to run.

You use the XenMobile APIs to specify the type of dual-mode behavior needed when integrating an app with Worx. You can either develop two versions of an app, one that is unmanaged and one that is managed, or a single app for both independent use and for inclusion in Worx. The Worx framework enforces the default behaviors associated with unmanaged and managed apps.

How an app transitions from unmanaged to managed depends on whether the app is wrapped as a General app or a Premium app:

General app: A General app is hosted on the Apple App Store or the Google Play Store. Users who don't have Secure Hub can download and run the app normally in an unmanaged mode, just like any generic app store app. If an unmanaged user later installs Secure Hub, the ISV app transitions to managed mode if these conditions are met.
The user signs on to a XenMobile enterprise store at least once.
The user is in a XenMobile delivery group to which the app is deployed.
Worx subscribes the user.
When prompted, the user confirms that their enterprise can manage the app.
If a user opts out of enterprise app management, they can continue to run the app for personal use.

Premium app: A Premium app is an app targeted to enterprise users. Citrix Worx Apps are examples of Premium apps. Although Premium apps typically run in managed mode, the embedded Worx framework allows Premium apps to run in unmanaged mode with a default set of Worx policies that you set through default policy files. Thus, you can effectively control the app behavior and use Worx capabilities even if the user is not associated with an enterprise account. If an unmanaged user later installs Secure Hub, the app silently transitions to managed mode if the following conditions are met.
The user is in a XenMobile delivery group to which the app is deployed.
The user signs on to Secure Hub if required.
Worx subscribes the user.

Note: An app cannot transition from managed mode back to unmanaged mode.

The following diagram summarizes the differences between General and Premium apps, based on whether they are managed or unmanaged.

ISV App Wrapping

This section provides general information about app wrapping for ISVs. App wrapping performed by enterprise administrators is discussed in About the MDX Toolkit.

When you wrap ISV apps, the MDX Toolkit creates two files: an .mdx file and the app file (.ipa, .app, or .apk). The MDX Toolkit lets you embed the app store URL into the .mdx file, which you then deliver directly to your customers or upload to the Worx App Gallery, as described in the next section. You deliver the app file through app stores, by hosting it yourself, or by distributing it to your customers.

As shown in the following diagram, the MDX Toolkit combines app files (.ipa, .app, or .apk) with Citrix components and your keystore or signing certificate to produce an .mdx file and the modified app file.

The items added by ISV app wrapping include:
An information file containing data needed by the Worx SDK framework when the framework binds with Secure Hub


More information

Salesforce Classic Guide for iphone

Salesforce Classic Guide for iphone Salesforce Classic Guide for iphone Version 35.0, Winter 16 @salesforcedocs Last updated: October 27, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5

OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5 Citrix SSO Contents OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5 Device level VPN Profiles... 5 Per-App VPN Profiles... 7

More information

Table of Contents. VMware AirWatch: Technology Partner Integration

Table of Contents. VMware AirWatch: Technology Partner Integration Table of Contents Lab Overview - HOL-1857-08-UEM - Workspace ONE UEM - Technology Partner Integration... 2 Lab Guidance... 3 Module 1 - F5 Integration with Workspace ONE UEM (30 min)... 9 Introduction...

More information

XenMobile Logs Collection Guide

XenMobile Logs Collection Guide XenMobile Logs Collection Guide 1 Contents Summary... 3 Background... 3 How to Collect Logs from Server Components... 4 Support Bundle Contents... 4 Configurations in App Controller to collect logs via

More information

Sync User Guide. Powered by Axient Anchor

Sync User Guide. Powered by Axient Anchor Sync Powered by Axient Anchor TABLE OF CONTENTS End... Error! Bookmark not defined. Last Revised: Wednesday, October 10, 2018... Error! Bookmark not defined. Table of Contents... 2 Getting Started... 7

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 1Y0-371 Title : Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Vendor : Citrix Version

More information

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement AppController 2.6 2014-03-18 13:21:56 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents AppController 2.6... 6 About This Release... 8 Getting Started...

More information

Table of Contents HOL-1757-MBL-6

Table of Contents HOL-1757-MBL-6 Table of Contents Lab Overview - - VMware AirWatch: Technology Partner Integration... 2 Lab Guidance... 3 Module 1 - F5 Integration with AirWatch (30 min)... 8 Getting Started... 9 F5 BigIP Configuration...

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Mobile productivity apps

Mobile productivity apps Citrix Product Documentation docs.citrix.com September 24, 2018 Contents Mobile productivity apps release timeline 3 About the Secure Mail and Secure Web phased release process................ 3 Prerequisites

More information

ZENworks 2017 Update 4 Troubleshooting Mobile Device Management

ZENworks 2017 Update 4 Troubleshooting Mobile Device Management ZENworks 2017 Update 4 Troubleshooting Mobile Device Management January 2019 This section provide solutions to the problems you might encounter while using the Mobile Management feature. Section 1, Log

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

AirWatch Mobile Device Management

AirWatch Mobile Device Management RSA Ready Implementation Guide for 3rd Party PKI Applications Last Modified: November 26 th, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product Description

More information

Anchor User Guide. Presented by: Last Revised: August 07, 2017

Anchor User Guide. Presented by: Last Revised: August 07, 2017 Anchor User Guide Presented by: Last Revised: August 07, 2017 TABLE OF CONTENTS GETTING STARTED... 1 How to Log In to the Web Portal... 1 How to Manage Account Settings... 2 How to Configure Two-Step Authentication...

More information

Citrix SSO for ios. Page 1 18

Citrix SSO for ios. Page 1 18 Citrix SSO for ios Page 1 18 Contents OVERVIEW... 3 WHAT'S NEW... 3 KNOWN ISSUES AND FIXED ISSUES... 4 FEATURE COMPARISON BETWEEN CITRIX VPN AND CITRIX SSO... 5 COMPATIBILITY WITH MDM PRODUCTS... 6 CONFIGURE

More information

Receiver for BlackBerry 2.2

Receiver for BlackBerry 2.2 Receiver for BlackBerry 2.2 2015-04-19 05:21:53 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Receiver for BlackBerry 2.2... 3 About This Release...

More information

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes Workspace ONE UEM v9.6 Have documentation feedback? Submit

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

Mobility Manager 9.5. Users Guide

Mobility Manager 9.5. Users Guide Mobility Manager 9.5 Users Guide LANDESK MOBILITY MANAGER Copyright 2002-2013, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks

More information

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes AirWatch v9.3 Have documentation feedback? Submit a Documentation

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

VMware Workspace ONE UEM Integration with Apple School Manager

VMware Workspace ONE UEM Integration with Apple School Manager VMware Workspace ONE UEM Integration with Apple School Manager VMware Workspace ONE UEM Integration with Apple School Manager VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation

More information

NotifyMDM Device Application User Guide Installation and Configuration for Android

NotifyMDM Device Application User Guide Installation and Configuration for Android NotifyMDM Device Application User Guide Installation and Configuration for Android NotifyMDM for Android, Version 3.x NotifyMDM for Android 1 Table of Contents NotifyMDM for Android 3 Installation Instructions

More information

Sophos Mobile. super administrator guide. Product Version: 8

Sophos Mobile. super administrator guide. Product Version: 8 Sophos Mobile super administrator guide Product Version: 8 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811 Workspace ONE Chrome OS Platform Guide VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Getting Started Guide

Getting Started Guide Getting Started Guide BlackBerry UEM Version 12.6 Maintenance Release 2 Published: 2017-04-07 SWD-20170407163328365 Contents Getting started with BlackBerry UEM and BlackBerry Dynamics...5 Steps to get

More information

VMware Workspace ONE UEM Apple tvos Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch

VMware Workspace ONE UEM Apple tvos Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch VMware Workspace ONE UEM Apple tvos Device Management VMware Workspace ONE UEM 1811 VMware AirWatch You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

Salesforce Classic Mobile Guide for iphone

Salesforce Classic Mobile Guide for iphone Salesforce Classic Mobile Guide for iphone Version 41.0, Winter 18 @salesforcedocs Last updated: November 30, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered

More information

What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services

What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services September 2017 Introduction This document is a summary of what s new in ios 11, macos

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE FEBRUARY 2019 PRINTED 26 FEBRUARY 2019 CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE Table of Contents Overview Introduction Purpose Audience

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

VMware Tunnel Guide for Windows

VMware Tunnel Guide for Windows VMware Tunnel Guide for Windows Installing the VMware Tunnel for your Workspace ONE UEM environment Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using

More information

VMware Browser Admin Guide Configuring and deploying the VMware Browser

VMware Browser Admin Guide Configuring and deploying the VMware Browser VMware Browser Admin Guide Configuring and deploying the VMware Browser AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Salesforce Mobile App Security Guide

Salesforce Mobile App Security Guide Salesforce Mobile App Security Guide Version 3, 0 @salesforcedocs Last updated: October 11, 2018 Copyright 2000 2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,

More information

DSS User Guide. End User Guide. - i -

DSS User Guide. End User Guide. - i - DSS User Guide End User Guide - i - DSS User Guide Table of Contents End User Guide... 1 Table of Contents... 2 Part 1: Getting Started... 1 How to Log in to the Web Portal... 1 How to Manage Account Settings...

More information

Installing and configuring an Android device emulator. EntwicklerCamp 2012

Installing and configuring an Android device emulator. EntwicklerCamp 2012 Installing and configuring an Android device emulator EntwicklerCamp 2012 Page 1 of 29 Table of Contents Lab objectives...3 Time estimate...3 Prerequisites...3 Getting started...3 Setting up the device

More information

MotionPro Android Release Note

MotionPro Android Release Note MotionPro Android 2.3.0 Release Note Release Date: June 26, 2015 Introduction This release document summarizes the device requirements, improvements and limitations for the release of the MotionPro Android

More information

Salesforce1 Mobile Security White Paper. Revised: April 2014

Salesforce1 Mobile Security White Paper. Revised: April 2014 Salesforce1 Mobile Security White Paper Revised: April 2014 Table of Contents Introduction Salesforce1 Architecture Overview Authorization and Permissions Communication Security Authentication OAuth Pairing

More information

VMware AirWatch Android Platform Guide

VMware AirWatch Android Platform Guide VMware AirWatch Android Platform Guide Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

NetScaler Gateway 10.5

NetScaler Gateway 10.5 NetScaler Gateway 10.5 Jun 26, 2014 About This Release Key Features What's New Known Issues Compatibility with Citrix Products System Requirements NetScaler Gateway Plug-in System Requirements Endpoint

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

Pulse Workspace Appliance. Administration Guide

Pulse Workspace Appliance. Administration Guide Pulse Workspace Appliance Administration Guide Product Release 2.0, 1743.1 Document Revisions 1.0 Published Date January 2018 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 The Pulse

More information

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE Deploying VMware Workspace ONE Intelligent Hub October 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Acronis and Acronis Secure Zone are registered trademarks of Acronis International GmbH.

Acronis and Acronis Secure Zone are registered trademarks of Acronis International GmbH. 1 Copyright Acronis International GmbH, 2002-2015 Copyright Statement Copyright Acronis International GmbH, 2002-2015. All rights reserved. Acronis and Acronis Secure Zone are registered trademarks of

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of June 2017. Vodafone Ready Business Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

XenApp, XenDesktop and XenMobile Integration

XenApp, XenDesktop and XenMobile Integration XA, XD and XM Integration XenApp, XenDesktop and XenMobile Integration for a Comprehensive Mobility and Digital Workspace Solution Citrix.com 1 Desktop and application virtualization have enhanced mobility

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

VMware Browser Admin Guide Configuring and deploying the VMware Browser

VMware Browser Admin Guide Configuring and deploying the VMware Browser VMware Browser Admin Guide Configuring and deploying the VMware Browser AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Dell EMC OpenManage Mobile. Version User s Guide (Android)

Dell EMC OpenManage Mobile. Version User s Guide (Android) Dell EMC OpenManage Mobile Version 2.0.20 User s Guide (Android) Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

Dell EMC OpenManage Mobile. Version User s Guide (ios)

Dell EMC OpenManage Mobile. Version User s Guide (ios) Dell EMC OpenManage Mobile Version 2.0.20 User s Guide (ios) Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION

More information

Citrix Receiver for Universal Windows Platform

Citrix Receiver for Universal Windows Platform Citrix Receiver for Universal Windows Platform Jul 18, 2017 Citrix Receiver for Universal Windows Platform (UWP) is client software available for download from the Microsoft store. It enables users to

More information

Integration with Apple Configurator 2. VMware Workspace ONE UEM 1902

Integration with Apple Configurator 2. VMware Workspace ONE UEM 1902 Integration with Apple Configurator 2 VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

McAfee epo Deep Command

McAfee epo Deep Command Quick Start Guide McAfee epo Deep Command version 2.4.1 This Quick Start Guide provides high level instructions for setting up McAfee epo Deep Command 2.4.1. For detailed instructions, refer to the McAfee

More information

Citrix SCOM Management Pack 1.4 for ShareFile

Citrix SCOM Management Pack 1.4 for ShareFile Citrix SCOM Management Pack 1.4 for ShareFile Nov 27, 2017 Citrix SCOM Management Pack for ShareFile is an availability and performance management solution that extends end-toend service monitoring capabilities

More information

WatchGuard Cloud Release Notes

WatchGuard Cloud Release Notes WatchGuard Cloud Release Notes Latest WatchGuard Cloud Update: 15 November 2018 Release Notes Revision Date 15 November 2018 Introduction WatchGuard Cloud allows you to see and manage all your products

More information

VMware Workspace One Web. VMware Workspace ONE UEM

VMware Workspace One Web. VMware Workspace ONE UEM VMware Workspace One Web VMware Workspace ONE UEM You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Pulse Secure Desktop Client

Pulse Secure Desktop Client Pulse Secure Desktop Client Release Notes Pulse Secure Desktop Client v5.1r11 Build For more information on this product, go to www.pulsesecure.net/products. Release, Build Pulse 5.1R11, Published January

More information

Qlik Sense Mobile September 2018 (version 1.6.1) release notes

Qlik Sense Mobile September 2018 (version 1.6.1) release notes Release Notes Qlik Sense Mobile September 2018 (version 1.6.1) release notes qlik.com Table of Contents Overview 3 Compatibility 3 Bug fixes 4 Qlik Sense Mobile September 2018 (version 1.6.1) 4 Qlik Sense

More information

VMware AirWatch - Mobile Application Management and Developer Tools

VMware AirWatch - Mobile Application Management and Developer Tools VMware AirWatch - Mobile Application Management and Developer Tools Table of Contents Lab Overview - HOL-1857-05-UEM - VMware AirWatch: Mobile App Management and Developer Tools... 3 Lab Guidance... 4

More information

Push Notifications (On-Premises Deployments)

Push Notifications (On-Premises Deployments) Push Notifications Overview, page 1 Push Notifications Prerequisites, page 5 Push Notifications Configuration Task Flow, page 6 Push Notifications Troubleshooting, page 15 Push Notifications Interactions

More information

Dell EMC OpenManage Mobile Version 2.0 User s Guide (ios)

Dell EMC OpenManage Mobile Version 2.0 User s Guide (ios) Dell EMC OpenManage Mobile Version 2.0 User s Guide (ios) Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION

More information

Sophos Mobile. super administrator guide. product version: 8.6

Sophos Mobile. super administrator guide. product version: 8.6 Sophos Mobile super administrator guide product version: 8.6 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

AppSense DataNow. Release Notes (Version 4.0) Components in this Release. These release notes include:

AppSense DataNow. Release Notes (Version 4.0) Components in this Release. These release notes include: AppSense DataNow Release Notes (Version 4.0) These release notes include: Components in this Release Important Upgrade Information New Features Bugs Fixed Known Issues and Limitations Supported Operating

More information

VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps

VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

AirWatch Container. VMware Workspace ONE UEM

AirWatch Container. VMware Workspace ONE UEM VMware Workspace ONE UEM You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback

More information

VI. Corente Services Client

VI. Corente Services Client VI. Corente Services Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 II. Corente Client Configuration...

More information

Sophos Mobile SaaS startup guide. Product version: 7.1

Sophos Mobile SaaS startup guide. Product version: 7.1 Sophos Mobile SaaS startup guide Product version: 7.1 Contents 1 About this guide...4 2 What are the key steps?...5 3 Change your password...6 4 Change your login name...7 5 Activate SMC Advanced licenses...8

More information

AT&T Global Network Client for Android

AT&T Global Network Client for Android Version 4.1.0 AT&T Global Network Client for Android 2016 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual

More information

Admin Mobile App (APP_102)

Admin Mobile App (APP_102) Admin Mobile App (APP_102) Feature: eschoolplus Admin Mobile App Target Audience: Building Administrators Overview of eschoolplus Admin Mobile App Developed for ios and Android, the eschoolplus Admin Mobile

More information