Product Documentation

Download full document

MDX Toolkit

Feb. 06, 2017

What's new in the MDX Toolkit 10.4.10

  • IPv6 connectivity improvements for iOS. This version of the MDX Toolkit resolves issues with AAAA DNS records, IPv4 mapped IPv6 addresses, IPv6 network detection, and IPv6 network switching.  
  • For additional fixed issues, see Fixed Issues.  

What's new in the MDX Toolkit 10.4.5

The MDX Toolkit version 10.4.5 contains fixes. For details, see Fixed issues

What's new in the MDX Toolkit 10.4

  • Japanese and Russian support. The MDX Toolkit is now available in Japanese and Russian.
  • New XenMobile Apps names. As of version 10.4, Worx Mobile Apps are named XenMobile Apps.  Individual apps also have new names. The changes are reflected in the user interfaces of all the apps, as well as the MDX Toolkit and the XenMobile console. The new app names take effect automatically when you upgrade to version 10.4. For details, see About XenMobile Apps

What's new in the MDX Toolkit 10.3.10

  • Arabic support. The MDX Toolkit is now available in Arabic.
  • iOS 10/Android 7 support. The MDX toolkit now supports both iOS 10 and Android 7.

What's new in the MDX Toolkit 10.3.9

  • Arm64 Support for iOS Enterprise Apps. You can now wrap 64-bit application binaries in addition to 32-bit application binaries for iOS. This is not the case for Android applications. In addition, the MDX Toolkit verifies the binary after it's modified to ensure that it is a valid ELF MachO binary.
  • Block localhost Connections (Android only). The Block localhost Connections policy allows you to stop connections to the loopback address (

What's new in the MDX Toolkit 10.3.5

  • Secure Hub policy retrieval sign-on behavior. When you set the Maximum offline period MDX policy, with this release of the MDX Toolkit, if Secure Hub for iOS has a valid NetScaler Gateway token, the app retrieves new policies for MDX apps from XenMobile without any interruption to users. If Secure Hub does not have a valid NetScaler token, users must authenticate through Secure Hub in order for app policies to update. The NetScaler token may become invalid due to a NetScaler Gateway session inactivity or a forced session time-out policy. When users sign on to Secure Hub again, they can continue running the app.
  • Secure signoff (iOS). When users sign off from Secure Hub , the container automatically locks so that all XenMobile and MDX apps stay secure. To access the apps again, users have to enter their Citrix PINs. 
  • Remove iOS app extensions. You can remove iOS extensions from the app during the enterprise app wrapping process by selecting the Strip extensions (Today, Watch, etc.) from iOS application checkbox on the Verify App Details screen. Note that iOS apps with Apple Watch extensions are not supported when wrapping apps.
  • Reverse split tunnel exclusion list. If you don't want certain websites to tunnel through NetScaler Gateway, you can add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that connect by using the local area network (LAN) instead. This list applies only to Secure Browse mode when NetScaler Gateway is configured in Split tunnel reverse mode. Default value is empty.
  • Inactivity timer behavior. When the inactivity timer is set to 0, inactivity offline authentication is disabled for MDX apps.
  • Mail compose redirection (iOS). You have three choices for how users are allowed to compose mail from an enterprise app:  

    Secure Mail: If installed on the device, Secure Mail automatically opens. If not, native mail does not open. Instead, users get a message instructing them to install Secure Mail.
    Native email: The device's native mail program opens.
    Blocked: Both Secure Mail and native mail are blocked.

    Default is Secure Mail. This policy replaces the Block email compose policy, which is deprecated.

What's new in the MDX Toolkit 10.3

  • x86 support. With the MDX Toolkit 10.3, MDX enterprise wrapped apps are supported on Android x86-based devices.
  • Shared devices. If you're deploying XenMobile 10.3, you can configure devices to be shared by multiple users.  Only Secure Mail and Secure Web are currently supported.  For more information, see Shared devices in XenMobile.
  • Self-destruct app lock and wipe client property. This global security policy applies to Android platforms and is an enhancement of the existing app lock and wipe policies. Self-destruct prevents access to Secure Hub and managed apps, after a certain number of days of inactivity. After the time limit, apps are no longer usable, and the user device is unenrolled from the XenMobile server. Wiping the data includes clearing the app data for each installed app, including the app cache and user data. The inactivity time is when the server does not receive an authentication request to validate the user over a specific length of time. For example, if you set 30 days for the policy and the user does not use Secure Hub or other apps for more than 30 days, the policy takes effect.
  • Android PAC file support. When you add an MDX-wrapped Secure Web app to XenMobile, you can specify the Proxy Auto-Configuration (PAC) file URL or the proxy server for web browsers to use automatically when fetching a given URL. This functionality is supported in full tunnel mode only; you cannot use Secure Browse when you specify a PAC. When you configure this setting, also make sure the Permit VPN mode switching policy remains as the default value of Off.
  • Single sign-on (SSO) support in user entropy environments. If users have not used an MDX app on the device for a certain period of time, as defined by the inactivity timer, users are prompted to sign on. They can use either their Citrix PIN or Touch ID, if you have enabled Touch ID authentication. This feature is now available in environments that have user entropy turned on, as well as in environments that have user entropy turned off. This capability is available for iOS apps only.
  • Developing ISV apps for iOS with the XenMobile Framework. MDX Toolkit 10.3 has changed the process that ISV developers need to follow when preparing an app for distribution, after they have built the app using Xcode. Instead of using the graphical MDX tool or the wrap command at the command-line, with MDX Toolkit 10.3, developers can sign, deploy, and debug their app within the Xcode Integrated Development Environment (IDE). Developers now need to run the SDKPrep command of the MDX command-line tool as part of the Xcode build process, eliminating the need to wrap the app outside of Xcode. For details on the step-by-step procedures for ISV wrapping in the MDX Toolkit tool and command-line interface, see Developing iOS AppsNote: Enterprise apps that you build with the XenMobile Framework in Xcode and then wrap by using the enterprise mode of the MDX Toolkit are still supported.
  • App geofence. This feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam, but if the person travels to Belgium, the app locks and users cannot interact with the app. When the user returns to Amsterdam, the app unlocks and is available for normal use. There are three settings to enable geofencing:
    • GPS longitude and latitude also called a point.
    • The radius that defines the area in which apps can operate, such as in the Netherlands. If you set the radius to 0, the app does not support geofencing.

If the app supports geofencing and you disable location services, a message appears in which users can either quit the app or can click Settings that goes to the Settings screen on the Android device. If users enable locations services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point (as specified in the policy) is greater than the specified radius, the user is blocked from using the app. When this occurs, users receive an option to quit the app. The user must be within the fence to continue using the app.

If the distance between the current location and then the center point is less than the specified radius, the user can continue to use the app.

The app checks the network provider (WiFi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which is also called high accuracy mode and helps in obtaining the location faster.

There is a two-minute time-out to allow for longer times in checking the location:

Center point longitude. Enter the longitude point to specify the area in which the app is allowed to work.

Center point latitude. Enter the latitude point to specify the area in which the app is allowed to work.

Radius. Enter the radius from the center point in which the app is allowed to work. If set to 0, geofencing is not allowed.

Note: To get an accurate location from the device, and to avoid users trying to circumvent geofence by disabling WiFi or the GPS, Citrix recommends setting the policy Online session required to On.

New MDX policies for Secure Mail. For a list of new Secure Mail policies available in the MDX Toolkit, see About XenMobile Apps. The policies for Windows Phone have not changed since the earlier release. For the complete list of app policies, see the articles in this section, MDX Policies at a Glance.

Back to Top