Configuring MDX Policies for iOS Apps in App Controller

Oct 08, 2015

You can configure the following policies in App Controller 2.8 for apps that run on iOS devices.

Policies to Limit App Interaction

Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. When you choose Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Paste
Blocks, permits, or restricts Clipboard paste operations for the app. When you choose Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default is Unrestricted.

Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. When you choose Restricted, documents can be exchanged only with other MDX applications. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Allowed URLs
Filters the outbound URLs that are passed from this app to other apps for handling. By leaving the setting blank, all URLs are blocked, except for the following:
  • http:=ctxmobilebrowser:
  • https:=ctxmobilebrowsers:
  • +citrixreceiver:
  • +tel:

Enter a comma-separated list of patterns in which each pattern may be preceded by a Plus Sign (+) or Minus Sign (-). Inbound URLs are compared against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action as follows:

  • A Minus Sign (-) prefix. Blocks the URL from being passed to another app.
  • A Plus Sign (+) prefix. Permits the URL to be passed to another app.
  • No prefix. Assumes the URL can be passed into another app.

The following table contains examples of allowed URLs:

Pattern                     | Result
^mailto:=ctxmail:           | All mailto: URLs open in WorxMail.
^http:=ctxmobilebrowser:    | All HTTP URLs open in WorxWeb.
^https:=ctxmobilebrowsers:  | All HTTPS URLs open in WorxWeb.
^tel:                       | Allows user to make calls.
-//www.dropbox.com          | Blocks Dropbox URLs dispatched from managed apps.
+^COL-G2M:                  | Permits managed apps to open the GoToMeeting client app.
-^SMS:                      | Blocks the use of a messaging chat client.
+^webex, +^wbx              | Permits managed apps to open the WebEx client app.

This policy is available only for iOS apps.

App URL schemes
Mobile iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes, such as http://. This feature enables an app to pass requests for help to another app. The App URL schemes policy serves to filter the schemes that are actually passed into the app for handling (that is, inbound URLs). Default is All registered app URL schemes are blocked.

Enter a comma-separated list of patterns in which each pattern may be preceded by a Plus Sign (+) or Minus Sign (-). Inbound URLs are compared against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action as follows:

  • A Minus Sign (-) prefix. Blocks the URL from being passed into the app.
  • A Plus Sign (+) prefix. Permits the URL to be passed into the app.
  • No prefix. Assumes the URL can be passed into the app.

If an inbound URL does not match any pattern in the list, the URL is blocked.

The following table contains examples of App URL schemes:

Scheme            | App that requires the URL scheme | Purpose
ctxmobilebrowser  | WorxWeb                          | Permit WorxWeb to handle HTTP: URLs from other apps.
ctxmobilebrowsers | WorxWeb                          | Permit WorxWeb to handle HTTPS: URLs from other apps.
ctxmail           | WorxMail                         | Permit WorxMail to handle mailto: URLs from other apps.
COL-G2M           | GoToMeeting                      | Permit a wrapped GoToMeeting app to handle meeting requests.
wbx               | WebEx                            | Permit a wrapped WebEx app to handle meeting requests.

This policy is available only for iOS apps.
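The Allowed URLs and App URL schemes policies above share one evaluation model: a comma-separated, ordered list of patterns, a leading minus sign blocks, a leading plus sign or no prefix permits, the first matching pattern wins, and a URL that matches nothing is blocked. The following simulator is an added example for testing a policy string before deployment; it is not Citrix code and the MDX runtime is not documented here. It assumes that each pattern is a regular expression, that a pattern of the form regex=replacement (as in ^http:=ctxmobilebrowser:) permits the URL and rewrites the matched part, and that matching is case-sensitive. The policy strings POLICY and POLICY_MISORDERED are constructed from the page's example patterns to show why the order of the list matters: a blanket ^http: rewrite listed before a Dropbox block silently hands Dropbox URLs to WorxWeb.

```python
import re
from typing import List, Optional, Tuple

# Added example (not Citrix code): simulates the +/- pattern lists of the
# Allowed URLs and App URL schemes policies. Documented behaviour: ordered
# first-match evaluation, "-" blocks, "+" or no prefix permits, no match
# means blocked. ASSUMED for this example: patterns are regular expressions,
# "regex=replacement" rewrites the matched part, matching is case-sensitive.

Rule = Tuple[str, re.Pattern, Optional[str]]


def parse_policy(policy: str) -> List[Rule]:
    """Turn the comma-separated policy string into ordered (action, regex, replacement) rules."""
    rules: List[Rule] = []
    for raw in policy.split(","):
        pat = raw.strip()
        if not pat:
            continue
        action = "permit"                      # no prefix: URL may be passed on
        if pat.startswith("-"):
            action, pat = "block", pat[1:]
        elif pat.startswith("+"):
            pat = pat[1:]
        regex, sep, replacement = pat.partition("=")
        rules.append((action, re.compile(regex), replacement if sep else None))
    return rules


def evaluate(rules: List[Rule], url: str) -> Tuple[str, Optional[str]]:
    """First matching rule decides; no match means blocked (the documented default)."""
    for action, regex, replacement in rules:
        if regex.search(url):
            if action == "block":
                return "block", None
            if replacement is not None:
                # e.g. ^http:=ctxmobilebrowser: turns http://x into ctxmobilebrowser://x
                return "permit", regex.sub(replacement, url, count=1)
            return "permit", url
    return "block", None


def check_url(policy: str, url: str) -> Tuple[str, Optional[str]]:
    return evaluate(parse_policy(policy), url)


# Constructed policy built from the page's example patterns. The Dropbox block
# is listed FIRST so that it wins over the broad ^http: rewrite rule.
POLICY = ("-//www.dropbox.com, ^mailto:=ctxmail:, ^http:=ctxmobilebrowser:, "
          "^https:=ctxmobilebrowsers:, ^tel:, +^COL-G2M:, -^SMS:")

# Same rules with the Dropbox block moved after the ^http: rule: an http:
# Dropbox URL now matches ^http: first and is handed to WorxWeb instead.
POLICY_MISORDERED = ("^mailto:=ctxmail:, ^http:=ctxmobilebrowser:, ^https:=ctxmobilebrowsers:, "
                     "-//www.dropbox.com, ^tel:, +^COL-G2M:, -^SMS:")

if __name__ == "__main__":
    for url in ["mailto:alice@example.com", "http://www.dropbox.com/s/abc",
                "https://intranet.example.com/", "SMS:5551234", "ftp://files.example.com/"]:
        print(url, "->", check_url(POLICY, url),
              "| misordered:", check_url(POLICY_MISORDERED, url))
```

Run the script against the URL schemes your managed apps actually dispatch; any URL that reaches the end of the list is blocked, so an empty or over-restrictive list shows up as a wall of "block" results, while a broad rewrite rule placed too early shows up as an unexpected "permit".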

Policies to Set App Restrictions

Block camera
Prevents access to the camera. Default is On.
Block mic record
Prevents access to the microphone for recording. Default is On.
Block location services
Prevents the use of location services (GPS or network). Default is On.
Block SMS compose
Prevents app use of SMS (compose). Default is On.
Block email compose
Prevents app access to email (compose). Default is On.
Block iCloud
Prevents the use of iCloud features for Cloud-based backup of app settings and data. Default is On.
Block AirPrint
Prevents access to printing by using AirPrint features to print to AirPrint-enabled printers. Default is On.

Policies for Email Settings

The following policies establish email settings and apply to WorxMail or WorxWeb apps.

WorxMail Exchange Server
The fully qualified domain name (FQDN) for Exchange Server. Default is empty.
WorxMail user domain
The default Active Directory domain name for Exchange users. Default is empty.
Background network services
The FQDN and port of the ActiveSync server, such as servername:443. This might be an Exchange Server, either in your internal network or in another network that WorxMail connects to, such as mail.mycompany.com:4443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. This policy is only available for WorxMail.
Background services ticket expiration
The time period that a background network service ticket remains valid. When WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, App Controller issues a token that WorxMail uses to connect to the internal Exchange Server. This property setting determines the duration that WorxMail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to Receiver to generate a new token. Default value is 168 hours (7 days). This policy is only available with WorxMail.
Background network services gateway
This is the NetScaler Gateway FQDN and port number that WorxMail uses to connect to the internal Exchange Server. The format is "fqdn:port". In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway. The default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. This policy is only available with WorxMail.

Policies to Address Authentication

Authentication
Determines if the app requires enterprise logon to run. The default is Offline access permitted after challenge.

Options:

  • Network logon. Requires Worx Home sign on to securely use the app. If you set the policy to require network logon, when users try to open an app, the following message appears: Sign on to Worx Home to securely use this app.
  • Offline access permitted after challenge. The app prompts for enterprise logon when possible, but allows offline use after the password challenge.
  • Offline challenge only. Allows the app to run with an offline password challenge.
  • Not required. Does not require user authentication.
Note: After the maximum offline period for the app expires, users must log on to Receiver regardless of the policy setting.
Maximum offline period (hours)
Defines the maximum period an app can run offline without requiring an enterprise logon for the purpose of entitlement and refreshing policies. Default is 72 hours (3 days).
Regardless of app logon requirements, this is the maximum time between Receiver logons in order to reconfirm entitlement and refresh policies. The minimum time you can configure is 1 hour. Users are reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users log on.
Note: If the Authentication policy is set to Network logon, this setting is ignored with no offline access allowed.
Reauthentication period (hours)
Defines the period before a user is challenged to authenticate again. Default is 8 hours. A setting of 0 (zero) prompts for logon each time the app is started or reactivated.

Policies to Determine Device Security

Block jailbroken or rooted
The app is locked when the device is jailbroken (iOS) or rooted (Android). Default is On.

Options:

  • On. The app is locked when the device is jailbroken or rooted.
  • Off. The app can run on a jailbroken or rooted device.

Policies for Encryption

Encryption keys
Controls how the app obtains its encryption keys and therefore access to the associated encrypted content. Default is Offline access permitted.

Options:

  • Online access only. Secrets used to derive encryption keys may not be persisted on the device. Instead, the device must retrieve the keys from the key management service of XenMobile App Edition each time they are needed.
    Note: If you select Online access only, the authentication policy is assumed to be Network logon regardless of the authentication policy setting that you configured for the app.
  • Offline access permitted. Secrets used to derive encryption keys may be persisted on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.
Enable database encryption

Determines if the data held in local database files is encrypted. Default is On.

Options:

  • On. The data is encrypted in local database files.
  • Off. The data is not encrypted in local database files.
Database encryption exclusion list
Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific database, add an entry to the comma-separated list of database file names. If any part of the supplied entry matches the database file name used by the app, that database is not automatically encrypted. For example, if the database to be excluded is named "googleanalytics.sql," adding "google," "googleanalytics," or "analytics" to the list prevents the database contents from being encrypted. Default is empty.
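Because an exclusion entry matches on any part of the database file name, a short entry can leave more databases unencrypted than intended (the page's own example shows "analytics" excluding googleanalytics.sql, and the same entry would also match any other file name containing that substring). The following is an added example, not Citrix code, that applies the documented substring rule to a list of database names so an administrator can check what an entry really excludes before setting the policy. The database file names are constructed for the example and the match is assumed to be case-sensitive.

```python
from typing import Dict, List

# Added example (not Citrix code): applies the documented rule "any part of
# the supplied entry matches the database file name" to a set of names so the
# administrator can see exactly which databases an exclusion entry leaves
# unencrypted. File names below are constructed; case-sensitive match assumed.


def excluded_by(exclusion_list: str, db_files: List[str]) -> Dict[str, List[str]]:
    """Map each database file name to the exclusion entries that match it.
    An empty list means the database stays encrypted."""
    entries = [e.strip() for e in exclusion_list.split(",") if e.strip()]
    return {name: [e for e in entries if e in name] for name in db_files}


def unintended_exclusions(exclusion_list: str, db_files: List[str],
                          intended: List[str]) -> List[str]:
    """Databases the list would leave unencrypted although they were not meant to be excluded."""
    hits = excluded_by(exclusion_list, db_files)
    return sorted(name for name, matched in hits.items() if matched and name not in intended)


# Constructed sample of database files an app might create; only the
# analytics database is meant to be excluded from encryption.
APP_DATABASES = ["googleanalytics.sql", "messages.sql", "salesanalytics.sql", "contacts.db"]
INTENDED = ["googleanalytics.sql"]

if __name__ == "__main__":
    for entry in ["analytics", "google", "googleanalytics"]:
        print(f"{entry!r} also excludes: {unintended_exclusions(entry, APP_DATABASES, INTENDED)}")
```

The check favours the longest entry that still matches the intended file (here "googleanalytics" rather than "analytics"), since a database that silently drops out of encryption is a data-at-rest exposure that no other policy on this page compensates for.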

Policies for Miscellaneous Situations

App update grace period (hours)
Defines the grace period during which users may use an app after the system has discovered that an app update is available. Default is 168 hours (7 days). If 0, the update must be applied immediately.
Note: Citrix recommends using a value other than zero (0). A zero (0) value would immediately prevent users, without warning, from using a running app until they download and install the update. This could lead to a situation in which users are forced to exit the app and potentially lose work.
Auth failures before lock
Locks the app after the specified number of consecutive offline logon failures and prompts the user to log on. Default is 5 failures. If you enter 0, the app does not lock no matter how many times users enter incorrect credentials.
Erase app data on lock

Erases data and resets the app when the app is locked. Default is Off.

Options:

  • On. App data is automatically erased when the app is locked.
  • Off. App data is not erased automatically when the app is locked.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • Removal of app subscription
  • Removal of Receiver account
  • Uninstallation of Receiver
  • Too many application authentication failures
  • Jailbroken device and policy restricting the app to run on such a device
  • Other administrative action to lock device
Active poll period (minutes)
Determines how often XenMobile App Edition is polled to determine the current app (enabled or disabled) and device (lock or erase) status. When a device has network connectivity, polling allows the running app to detect and respond to changes in the app state. Default is 60 minutes (1 hour).
Important: Only set this value lower for high-risk apps or performance may be affected.

Policies on Network Access and Requirements

Network access

Prevents, permits, or redirects app network activity: the app's network use is either blocked outright or restricted to an application-specific tunnel gateway. Default is Blocked.

Options:

  • Unrestricted. Allows unrestricted access to the internal network.
  • Blocked. When blocked, the app behaves as if the device has no network connection. All network access is blocked.
  • Tunneled to the internal network. A per-app VPN tunnel through NetScaler Gateway to the internal network is used for all network access.
    Note: This setting requires Receiver logon.
Require WiFi

Determines if the device requires a WiFi connection in order for an app to run. Default is Off.

Options:

  • On. The app is locked when the device is not connected to a WiFi network.
  • Off. The app can run even if the device does not have an active WiFi connection, for example over a 4G/3G or LAN connection.
Require internal network

The app requires a connection to a network within the organization. Default is Off.

Options:

  • On. The app is blocked when the device is not connected to an internal network.
  • Off. The app can run from an external network.
Internal WiFi networks
The app requires a connection to one of the specified wireless networks. Separate the network Service Set Identifiers (SSIDs) with commas. The default is an empty list, which indicates that any internal WiFi network can be used. If users log on from an external network (or are not logged on), this policy is not enforced.
Network access
Prevents, permits, or redirects application network activity.

Options:

  • Unrestricted. No restrictions are placed on the network access.
  • Tunneled to the internal network. A per-application VPN tunnel back to the internal network is used for all network access.
Certificate label
You can enter a label to identify the certificate for this app. When a certificate is required in order for HTTP traffic to meet a server authentication challenge, the label enables the micro VPN code to acquire the appropriate certificate. Default is empty.