
Configuring MDX Policies for iOS Apps in App Controller

Oct 20, 2015

You can configure the following policies in App Controller for apps that run on iOS devices.

Authentication

Authentication
Determines if the app requires network logon to run. The default is Offline challenge only.

Options:

  • Network logon. Requires network logon to securely use the app, and users can only run the app while online. If you set the policy to require network logon, when users try to open an app, the following message appears: Sign on to Worx Home to securely use this app.
  • Offline access permitted after challenge. The app prompts for enterprise logon when possible, but allows offline use after the password challenge.
    Important: This option is deprecated.
  • Offline challenge only. Allows the app to run with an offline password challenge.
  • Not required. Does not require user authentication.
Note: After the maximum offline period for the app expires, users must log on to Worx Home regardless of the policy setting.
Maximum offline period (hours)
Defines the maximum period an app can run offline without requiring an enterprise logon to reconfirm entitlement and refresh policies. Default is 72 hours (3 days).
Regardless of app logon requirements, this is the maximum time between logons to reconfirm entitlement and refresh policies. The minimum time you can configure is 1 hour. Users are reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users log on.
Note: If the Authentication policy is set to Network logon, this setting is ignored with no offline access allowed.
Reauthentication period (hours)
Defines the period before a user is challenged to authenticate again. Default is 8 hours. A setting of 0 (zero) prompts for logon each time the app is started or reactivated.
NetScaler Gateway address
The external NetScaler Gateway address to which users connect. This setting is used for the step-up authentication feature. If a NetScaler Gateway has been configured, the app uses that Gateway for initial authentication and then uses this Gateway address for step-up authentication. Example: gateway.MyCorp.com. Default value is empty.

Device Security

Block jailbroken or rooted
The app is locked when the device is jailbroken (iOS) or rooted (Android). Default is On.

Options:

  • On. The app is locked when the device is jailbroken or rooted.
  • Off. The app can run on a jailbroken or rooted device.

Network Requirements

Require WiFi

Determines if the device requires a WiFi connection in order for an app to run. Default is Off.

Options:

  • On. The app is locked when the device is not connected to a WiFi network.
  • Off. The app can run without an active WiFi connection, for example over a 4G/3G or LAN connection.
Require internal network

The app requires a connection to a network within the organization. Default is Off.

Options:

  • On. The app is blocked when the device is not connected to an internal network.
  • Off. The app can run from an external network.
Internal WiFi networks
The app requires a connection to one of the specified wireless networks. Separate the network Service Set Identifiers (SSIDs) with commas. The default is an empty list, which indicates that any internal WiFi network can be used. If users log on from an external network (or they are not logged on), this policy is not enforced.

Miscellaneous Access

App update grace period (hours)
Defines the grace period during which users may use an app after the system has discovered that an app update is available. Default is 168 hours (7 days). If 0, the update must be applied immediately.
Note: Citrix recommends using a value other than zero (0). A zero (0) value would immediately prevent users, without warning, from using a running app until they download and install the update. This could lead to a situation in which users are forced to exit the app and potentially lose work.
Auth failures before lock
Locks the app after the specified number of consecutive offline logon failures and prompts the user to log on. Default is 5 failures. If you enter 0, the app does not lock no matter how many times users enter incorrect credentials.
Erase app data on lock

Erases data and resets the app when the app is locked. Default is Off.

Options:

  • On. App data is automatically erased when the app is locked.
  • Off. App data is not erased automatically when the app is locked.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • Removal of app subscription
  • Removal of Worx Home account
  • Too many application authentication failures
  • Jailbroken device and policy restricting the app to run on such a device
  • Other administrative action to lock device
Active poll period (minutes)
When an app starts, the MDX framework polls App Controller to determine current app and device status. Assuming App Controller can be reached, the framework returns information about the lock and erase status of the device and the enable or disable status of the app. Whether App Controller can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted.
Important: Set this value lower only for high-risk apps; more frequent polling may affect performance.

Encryption

Encryption keys
Determines whether the secrets used to derive encryption keys can be persisted on the device. Default is Offline access permitted.

Options:

  • Online access only. Secrets used to derive encryption keys cannot be persisted on the device. Instead, they must be recovered each time they are needed from the key management service of App Controller.
    Note: If you select Online access only, the authentication policy is assumed to be Network logon regardless of the authentication policy setting that you configured for the app.
  • Offline access permitted. Secrets used to derive encryption keys may be persisted on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the Authentication policy to enable a network logon or an offline password challenge in order to protect access to the encrypted content.
  • Secure offline access permitted.
Enable encryption

Determines if the data held in local database files is encrypted. Default is Strong.

Options:

  • On. The data is encrypted in local database files.
  • Off. The data is not encrypted in local database files.
  • Strong. The data is encrypted and complies with FIPS 140-2 encryption standards.
Database encryption exclusions
Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific database, add an entry to the comma-separated list of database file names. If any part of the supplied entry matches the database file name used by the app, that database is not automatically encrypted. For example, if the database to be excluded is named "googleanalytics.sql," adding "google," "googleanalytics," or "analytics" to the list prevents the database contents from being encrypted. Default is empty.
File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then that file is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions syntax. The pattern matching is case insensitive. Example: \.log$,\.dat$ excludes any file path name that ends with either ".log" or ".dat". The syntax */Documents/unencrypteddoc.txt will match the file unencrypteddoc.txt in the Documents folder. The syntax */Documents/UnencryptedDocs/* will match all files that contain the path /Documents/UnencryptedDocs/. Default value is empty.

App Interaction

Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. When you choose Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Paste
Blocks, permits, or restricts Clipboard paste operations for the app. When you choose Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default is Unrestricted.

Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. When you choose Restricted, documents can be exchanged only with other MDX applications. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

App URL schemes
Mobile iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes, such as http://. This feature enables an app to pass requests for help to another app. The App URL schemes policy serves to filter the schemes that are actually passed into the app for handling (that is, inbound URLs). Default is All registered app URL schemes are blocked.

Enter a comma-separated list of patterns in which each pattern may be preceded by a Plus Sign (+) or Minus Sign (-). Inbound URLs are compared against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action as follows:

  • A Minus Sign (-) prefix. Blocks the URL from being passed into the app.
  • A Plus Sign (+) prefix or No prefix. Permits the URL to be passed into the app.

If an inbound URL does not match any pattern in the list, the URL is blocked.

The following table contains examples of App URL schemes:

  Scheme              App that requires the URL scheme   Purpose
  ctxmobilebrowser    WorxWeb                            Permit WorxWeb to handle HTTP: URLs from other apps.
  ctxmobilebrowsers   WorxWeb                            Permit WorxWeb to handle HTTPS: URLs from other apps.
  ctxmail             WorxMail                           Permit WorxMail to handle mailto: URLs from other apps.
  COL-G2M             GoToMeeting                        Permit a wrapped GoToMeeting app to handle meeting requests.

Allowed URLs
Filters the outbound URLs that are passed from this app to other apps for handling. By leaving the setting blank, all URLs are blocked, except for the following:
  • http:=ctxmobilebrowser:
  • https:=ctxmobilebrowsers:
  • +citrixreceiver:
  • +tel:

Enter a comma-separated list of patterns in which each pattern may be preceded by a Plus Sign (+) or Minus Sign (-). URLs dispatched by the app are compared against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action as follows:

  • A Minus Sign (-) prefix. Blocks the URL from being passed to another app.
  • A Plus Sign (+) prefix or No prefix. Permits the URL to be passed to another app.

The following table contains examples of allowed URLs:

  Pattern                      Result
  ^mailto:=ctxmail:            All mailto: URLs open in WorxMail.
  ^http:=ctxmobilebrowser:     All HTTP URLs open in WorxWeb.
  ^https:=ctxmobilebrowsers:   All HTTPS URLs open in WorxWeb.
  ^tel:                        Allows user to make calls.
  -//www.dropbox.com           Blocks Dropbox URLs dispatched from managed apps.
  +^COL-G2M:                   Permits managed apps to open the GoToMeeting client app.
  -^SMS:                       Blocks the use of a messaging chat client.
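The following added example (not Citrix code) models how a pattern list like the App URL schemes and Allowed URLs policies above is evaluated: ordered first-match, a "-" prefix blocks, "+" or no prefix permits, and anything that matches nothing is blocked. The policy value is constructed from the table entries; treating the text after "=" as a replacement for the matched part of the URL, and matching case-insensitively, are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed policy value, built from the patterns in the table above; it is
# not the product's default. The Dropbox block is placed first deliberately:
# patterns are tried in order and the first match wins, so a "-" rule listed
# after "^http:=ctxmobilebrowser:" would never be reached for http URLs.
ALLOWED_URLS_POLICY = (
    "-//www.dropbox.com,"
    "^mailto:=ctxmail:,"
    "^http:=ctxmobilebrowser:,"
    "^https:=ctxmobilebrowsers:,"
    "^tel:,"
    "+^COL-G2M:,"
    "-^SMS:"
)

Rule = Tuple[bool, re.Pattern, Optional[str]]


def parse_url_policy(policy: str) -> List[Rule]:
    """Split a comma-separated policy into (permit, regex, replacement) rules.

    A leading "-" blocks; a leading "+" or no prefix permits. Text after an
    optional "=" is taken as a replacement for the matched part of the URL
    (assumed semantics for entries such as ^http:=ctxmobilebrowser:).
    Case-insensitive matching is also an assumption.
    """
    rules: List[Rule] = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        permit = not entry.startswith("-")
        if entry[0] in "+-":
            entry = entry[1:]
        pattern, sep, replacement = entry.partition("=")
        rules.append((permit, re.compile(pattern, re.IGNORECASE),
                      replacement if sep else None))
    return rules


def filter_url(url: str, rules: List[Rule]) -> Optional[str]:
    """Return the URL to hand to another app (rewritten if the rule says so),
    or None when the URL is blocked. A URL matching no pattern is blocked."""
    for permit, regex, replacement in rules:
        match = regex.search(url)
        if match is None:
            continue
        if not permit:
            return None
        if replacement is None:
            return url
        return url[:match.start()] + replacement + url[match.end():]
    return None


if __name__ == "__main__":
    rules = parse_url_policy(ALLOWED_URLS_POLICY)
    for url in ("mailto:alice@example.com", "https://intranet.example.com/",
                "http://www.dropbox.com/s/abc", "sms:5551234",
                "ftp://files.example.com/"):
        print(f"{url:32} -> {filter_url(url, rules)}")
```

Note that the order of the Dropbox rule relative to the HTTP rewrite decides whether Dropbox links are blocked or silently redirected into WorxWeb.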

App Restrictions

Block camera

Prevents an app from directly using the camera hardware. Default is On.

Block mic record
Prevents an app from directly using the microphone hardware for recording. Default is On.
Block dictation
If On, prevents an app from directly using dictation services. Default is On.
Block location services
Prevents an app from using the location services components (GPS or network). Default is On.
Block SMS compose
Prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default is On.
Block email compose
Prevents an app from using email compose features. Default is On.
Block iCloud
Prevents the use of iCloud features for Cloud-based backup of app settings and data. Default is On.
Block AirPrint
Prevents access to printing by using AirPrint features to print data to AirPrint-enabled printers. Default is On.
Block application logs
If On, prohibits an app from using the Worx App diagnostic logging facility. If Off, application logs are recorded and may be collected by using the Worx Home email support feature. Default is Off.

Network Access

Network access
Prevents, permits, or redirects app network activity. The app either blocks network use or restricts it to an app-specific tunnel through the gateway. Default is Blocked.
Note: The default for WorxMail and WorxWeb is Tunneled to the internal network.

Options:

  • Unrestricted. Allows unrestricted access to the internal network.
  • Blocked. When blocked, the app behaves as if the device has no network connection. All network access is blocked.
  • Tunneled to the internal network. A per-app VPN tunnel through NetScaler Gateway to the internal network is used for all network access.
Certificate label
You can enter a label to identify the certificate for this app. When a certificate is required in order for HTTP traffic to meet a server authentication challenge, the label enables the micro VPN code to acquire the appropriate certificate. If configuring user certificate enrollment through Device Manager, the certificate label must match the Device Manager Certificate Enrollment configuration. Default is empty.
Initial VPN mode
Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for connections that employ client certificates or end-to-end SSL to a resource in the internal network. Secure browse is recommended for connections that require single sign-on (SSO).

Application Logs

Default log output
Determines which output mediums the Worx app diagnostic logging facility uses by default. Possible values are file, console, or both (file,console). Default value is file.
Default log level
Controls the default verbosity of the Worx app diagnostic logging facility. Each level also includes all lower levels. The possible levels are:
  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default is level 4 (Informational messages).

Max log files
Limits the number of log files retained by the Worx app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.
Max log file size
Limits the size in megabytes (MB) of the log files retained by the Worx app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

Application Settings

You can configure the following policies for WorxMail on both Android and iOS devices:

  • WorxMail Exchange Server. The fully qualified domain name (FQDN) for Exchange Server or IBM Notes Traveler server. Default is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.
  • WorxMail user domain. The default Active Directory domain name for Exchange or Notes users. Default is empty.
  • Background network services. The FQDN of the ActiveSync server, such as servername:443. This might be an Exchange Server, either in your internal network or in another network that WorxMail connects to, such as mail.mycompany.com:443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
  • Background services ticket expiration. The time period that a background network service ticket remains valid. When WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, App Controller issues a token that WorxMail uses to connect to the internal Exchange Server. This property setting determines the duration that WorxMail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).
  • Background network service gateway. This is the NetScaler Gateway FQDN and port number that WorxMail uses to connect to the internal Exchange Server. The format is "fqdn:port". In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway. The default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
  • Export contacts. If Off, prevents the one-way synchronization of WorxMail contacts to the device and prevents the sharing of WorxMail contacts (as vCards). Default is Off.
    Important: Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, duplicate contacts will result on the device and in Exchange.
  • Accept all SSL certificates. If On, WorxMail accepts all SSL certificates (valid or not) and allows access. If Off, WorxMail blocks access when a certificate error occurs and displays a warning. Default is Off.
  • Allow external attachments. If On, WorxMail accepts attachments sent from other apps. If Off, WorxMail rejects attachments sent from other apps and displays a warning. Default is On.

WorxWeb Application Settings

You can configure the following policies for WorxWeb on both Android and iOS devices:

Allowed or blocked websites
WorxWeb normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a Plus Sign (+) or Minus Sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
  • A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
  • A plus (+) prefix allows the URL to be processed normally.
  • If neither + nor - is provided with the pattern, + (allow) is assumed.
  • If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a Minus Sign followed by an Asterisk (-*). For example:
  • The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within the mycorp.com domain but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
  • The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any site in the Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.

Default value is empty (all URLs allowed).
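Unlike the Allowed URLs policy, this list allows anything it does not match, which is why the trailing -* matters. The added example below (not WorxWeb's own code) evaluates the two policy values from the text as shell-style wildcard patterns; that "*" spans any text including "/" and that matching is case-insensitive are assumptions drawn from how the examples read.

```python
from fnmatch import fnmatchcase
from typing import List, Tuple

# Policy values taken from the two examples in the text above.
MYCORP_POLICY = "+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*"
TRAINING_POLICY = "+http://*.training.lab/*,+https://*.training.lab/*,-*"


def parse_site_policy(policy: str) -> List[Tuple[bool, str]]:
    """Split the comma-separated list into (allow, pattern) rules.
    "-" blocks, "+" allows, and a pattern with no prefix is treated as "+"."""
    rules: List[Tuple[bool, str]] = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        allow = not entry.startswith("-")
        if entry[0] in "+-":
            entry = entry[1:]
        rules.append((allow, entry))
    return rules


def site_allowed(url: str, rules: List[Tuple[bool, str]]) -> bool:
    """First matching pattern decides; a URL that matches nothing is allowed.

    Patterns are matched as shell-style wildcards where "*" spans any text
    including "/" (assumed), and comparison is case-insensitive (assumed,
    since the text treats Training.lab and training.lab alike).
    """
    for allow, pattern in rules:
        if fnmatchcase(url.lower(), pattern.lower()):
            return allow
    return True


def blocks_everything_else(rules: List[Tuple[bool, str]]) -> bool:
    """True when the list ends with the catch-all "-*" the text recommends;
    without it, any site not explicitly listed remains reachable."""
    return bool(rules) and rules[-1] == (False, "*")


if __name__ == "__main__":
    rules = parse_site_policy(MYCORP_POLICY)
    for url in ("http://www.mycorp.com/portal", "http://www.example.com/",
                "https://www.example.com/", "mailto:bob@example.com"):
        print(f"{url:32} allowed={site_allowed(url, rules)}")
    print("catch-all present:", blocks_everything_else(rules))
```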

Preloaded bookmarks
Defines a preloaded set of bookmarks for the WorxWeb browser. The policy is a comma-separated list that includes the folder name, friendly name, and web address. Each triplet should be in the syntax folder,name,url. Folder and name may need to be enclosed in double quotes (") if a space exists.

For example, the following policy values define three bookmarks:

,"Mycorp, Inc. home page",http://www.mycorp.com,"MyCorp Links","Account logon",https://www.mycorp.com/Accounts,"MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx

The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link will be placed in a folder titled "MyCorp Links" and labeled "Account logon". The third will be placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us".

Default value is empty.
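As an added illustration (not the product's parser), the following code reads the example policy value above into folder,name,url triplets, honouring double-quoted fields that contain commas and rejecting malformed entries. Splitting the folder field on "/" into a subfolder path is an assumption taken from the "MyCorp Links/Investor Relations" example.

```python
import csv
from io import StringIO
from typing import Dict, List
from urllib.parse import urlsplit

# The example policy value from the text above.
BOOKMARK_POLICY = (
    ',"Mycorp, Inc. home page",http://www.mycorp.com,'
    '"MyCorp Links","Account logon",https://www.mycorp.com/Accounts,'
    '"MyCorp Links/Investor Relations","Contact us",'
    'http://www.mycorp.com/IR/Contactus.aspx'
)


def parse_bookmarks(policy: str) -> List[Dict[str, object]]:
    """Parse a folder,name,url triplet list into bookmark records.

    The value is read as one CSV record so that double-quoted fields may
    contain commas (as in "Mycorp, Inc. home page"). The folder field is
    split on "/" into a path of subfolders (assumed from the text's
    "MyCorp Links/Investor Relations" example); an empty folder means a
    primary link. An entry without a name or without a URL scheme is
    rejected rather than silently loaded.
    """
    if not policy.strip():
        return []
    fields = next(csv.reader(StringIO(policy), skipinitialspace=True))
    if len(fields) % 3 != 0:
        raise ValueError(
            f"expected folder,name,url triplets, got {len(fields)} fields")
    bookmarks: List[Dict[str, object]] = []
    for i in range(0, len(fields), 3):
        folder, name, url = (f.strip() for f in fields[i:i + 3])
        if not name or not urlsplit(url).scheme:
            raise ValueError(f"bookmark {i // 3 + 1}: missing name or URL scheme")
        bookmarks.append({
            "path": [part for part in folder.split("/") if part],
            "name": name,
            "url": url,
        })
    return bookmarks


if __name__ == "__main__":
    for entry in parse_bookmarks(BOOKMARK_POLICY):
        print("/".join(entry["path"]) or "(top level)", "|", entry["name"], "|", entry["url"])
```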

Home page URL
Defines the website that WorxWeb loads when started. Default value is empty (default start page).
Browser user interface
Dictates the behavior and visibility of browser user interface controls for WorxWeb. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.

Options:

  • All controls visible. All controls are visible and users are not restricted from using them.
  • Read-only address bar. All controls are visible, but users cannot edit the browser address field.
  • Hide address bar. Hides the address bar, but not other controls.
  • Hide all controls. Suppresses the entire toolbar, giving a frameless browsing experience with no browser chrome.