Citrix Endpoint Management

Server properties

Server properties are global properties that apply to operations, users, and devices across an entire Citrix Endpoint Management instance. Citrix recommends that you evaluate for your environment the server properties covered in this article. Be sure to consult with Citrix before changing other server properties.

To update server properties, go to Settings > Server Properties.

Adding, Editing, or Deleting Server Properties

In Citrix Endpoint Management, you can apply properties to the server.

  1. In the Citrix Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Under Server, click Server Properties. The Server Properties page appears. You can add, edit, or delete server properties from this page.

    Server properties

To add a server property

  1. Click Add. The Add New Server Property page appears.

    Server properties

  2. Configure these settings:

    • Key: In the list, select the appropriate key. Keys are case-sensitive. Contact Citrix Support before you edit property values or to request a special key.
    • Value: Enter a value depending on the key that you selected.
    • Display Name: Enter a name for the new property value that appears in the Server Properties table.
    • Description: Optionally, type a description for the new server property.
  3. Click Save.

To edit a server property

  1. In the Server Properties table, select the server property you want to edit.

    When you select the checkbox next to a server property, the options menu appears above the server property list. Click anywhere else in the list to open the options menu on the right side of the listing.

  2. Click Edit. The Edit New Server Property page appears.

    Server properties

  3. Change the following information as appropriate:

    • Key: You cannot change this field.
    • Value: The property value.
    • Display Name: The property name.
    • Description: The property description.
  4. Click Save to save your changes or Cancel to leave the property unchanged.

To delete a server property

  1. In the Server Properties table, select the server properties you want to delete.

  2. Click Delete. A confirmation dialog box appears. Click Delete again.

Server Property Definitions

Access all apps in the managed Google Play store

  • If true, Citrix Endpoint Management makes all apps from the public Google Play store accessible from the managed Google Play store. You can use the Restrictions device policy to control access to these apps. Defaults to false.

Add Device Always

  • If true, Citrix Endpoint Management adds a device to the Citrix Endpoint Management console, even if it fails enrollment. As a result, you can see which devices tried to enroll. Defaults to false.

AG Client Cert Issuing Throttling Interval

  • The grace period between generating certificates. This interval prevents Citrix Endpoint Management from generating many certificates for a device in a short time period. Citrix recommends that you don’t change this value. Defaults to 30 minutes.

Allows The Removal of Devices That Have Been Marked Inactive For A Specified Period Of Time

  • If true, devices that have been inactive for a specified time (in days) are removed and deleted from Citrix Endpoint Management. The period of activity is set by the Length of Time Device Can Be Inactive Before Being Automatically Removed From CEM server property. The default is true. To change the value of this property, consult your Citrix representative.

Audit Logger

  • If False, does not log user interface (UI) events. Defaults to False.

Block Enrollment of Rooted Android and Jailbroken iOS Devices

When this property is set as true, Citrix Endpoint Management blocks enrollments for rooted Android devices and jailbroken iOS devices. The recommended setting is true for all security levels. Defaults to true.

cdn.s3.retry.interval and cdn.s3.max.retry

The cdn.s3.retry.interval and cdn.s3.max.retry server properties work together to set the maximum time limit on every macOS PKG file upload. By default, Citrix Endpoint Management limits file upload times to 100 seconds. If a file upload is over that limit, the upload fails. To change the default, configure the cdn.s3.retry.interval and cdn.s3.max.retry keys as follows:

  • cdn.s3.retry.interval. Lets you define the interval, in milliseconds, at which Citrix Endpoint Management verifies whether a file upload completes successfully. The default is 10000.
  • cdn.s3.max.retry. Lets you define the maximum number of verification retries after which the upload fails. The default is 10.

The two keys work together to limit file upload times. By default, the time limit is 100 seconds (10000*10 milliseconds).

Certificate Renewal in Seconds

  • The number of seconds before a certificate expires that Citrix Endpoint Management starts to renew certificates. An example is when a certificate expires on December 30 and this property is set to 30 days. If the device connects between December 1 and December 30, Citrix Endpoint Management tries to renew the certificate. Defaults to 2592000 seconds (30 days).

Connection Timeout

  • The session inactivity timeout, in minutes, after which Citrix Endpoint Management closes the TCP connection to a device. The session stays open. Applies to Android devices. Defaults to 5 minutes.

Default deployment channel

  • Determines how Citrix Endpoint Management deploys a resource to a device: At the user-level (DEFAULT_TO_USER) or device-level. Defaults to DEFAULT_TO_DEVICE.

Deprecate mobile service provider

  • Deprecates support for the mobile service provider interface used to query Blackberry and other Exchange ActiveSync devices. While enabled, the Mobile Service Provider interface is hidden from the console. Default is true.

Device tagging

  • If you set enable.device.tagging to true, Citrix Endpoint Management tags devices by device type automatically. You can use device tags to deploy policies and apps or configure delivery groups. Citrix Endpoint Management applies tags to devices for the following:
    • BYOD tags
      • iOS User Enrollment
      • Android Enterprise work profile
    • Corporate tags
      • Android Enterprise fully managed corporate devices
      • Bulk enrollment
        • Apple Business Manager devices
        • Apple School Manager devices
        • Windows AutoPilot devices
        • Android Enterprise bulk enrollment

Disable Hostname Verification

  • By default, host name verification is enabled on outgoing connections except for the Microsoft PKI server. When host name verification fails, the server log includes errors such as: “Unable to connect to the Volume Purchase Server: Host name ‘’ does not match the certificate subject provided by the peer”. If host name verification breaks your deployment, change this property to true. Defaults to false.

Disable SSL Server Verification

  • If True, disables SSL server certificate validation when all the following conditions are met:
    • You enabled certificate-based authentication on Citrix Endpoint Management
    • The Microsoft CA server is the certificate issuer
    • An internal CA, whose root Citrix Endpoint Management doesn’t trust, signed your certificate.

    Defaults to True.

Enable Crash Reporting

  • If true, Citrix collects crash reports and diagnostics to help troubleshoot issues with Citrix Secure Hub for iOS and Android. If false, no data is collected. The default value is true.

Enable/Disable Hibernate statistics logging for diagnostics

  • If True, enables Hibernate statistics logging to assist with troubleshooting application performance issues. Hibernate is a component used for Citrix Endpoint Management connections to a Microsoft SQL Server. By default, the logging is disabled because it impacts application performance. Enable logging only for a short duration to avoid creating a huge log file. Citrix Endpoint Management writes the logs to /opt/sas/logs/hibernate_stats.log. Defaults to False.

Enable macOS OTAE

  • If false, prevents the use of an enrollment link for macOS devices, meaning macOS users can enroll only by using an enrollment invitation. Defaults to true.

Enable Notification Trigger

  • Enables or disables Citrix Secure Hub client notifications. The value true enables notifications. Defaults to true.

Full Pull of ActiveSync Allowed and Denied Users

  • The interval in (in seconds) that Citrix Endpoint Management pulls a complete list (baseline) of ActiveSync allowed and denied users. Defaults to 28800 seconds.

Identifies if telemetry is enabled or not

  • Identifies if telemetry is enabled. Telemetry is also referred to as the Customer Experience Improvement Program (CEIP). You can opt in to CEIP when you install or upgrade Citrix Endpoint Management. If Citrix Endpoint Management has 15 consecutive failed uploads, it disables telemetry. Defaults to false.

Inactivity Timeout in Minutes

  • The number of minutes after which Citrix Endpoint Management logs out an inactive user. The user must have used the Citrix Endpoint Management Public API to access the Citrix Endpoint Management console or any third-party app. A time-out value of 0 means that an inactive user stays logged in. For third-party apps that access the API, being logged in is typically necessary. The default value is set as 5.

  • If the WebServices timeout type server property is INACTIVITY_TIMEOUT: This property defines the number of minutes after which Citrix Endpoint Management logs out an inactive administrator who did the following:

    • Used the Public API for REST Services to access the Citrix Endpoint Management console
    • Used the Public API for REST Services to access any third-party app. A timeout of 0 means that an inactive user stays logged in.

  • Includes all device properties in a device search. The default is Off, which limits the search scope to these device properties, for fast searching:
    • Serial Number
    • IMEI
    • Wi-Fi MAC address
    • Bluetooth MAC address
    • Active Sync ID
    • User Name

    When this property is set as On, device searches can take longer.

ios.delayBeforeDeclareUnreachable; macos.delayBeforeDeclareUnreachable

  • Specifies the number of days after which an offline iOS or macOS device is considered unreachable. When an iOS or macOS device reaches the limit specified, they stop checking back with Citrix Endpoint Management. Both properties default to 45 days.

iOS Device Management Enrollment Install Root CA if Required

  • The server property ios.mdm.enrollment.installRootCaIfRequired is set to False for all Citrix Endpoint Management environments. Citrix Endpoint Management uses a publicly trusted certificate chain, so that it isn’t necessary to push a root CA to devices. (This property is used only for on-premises environments.)

iOS Device Management Enrollment Last Step Delayed

  • During device enrollment, this property value specifies the amount of time to wait between installing the MDM profile and starting the Agent on the device. Citrix recommends that you edit this property only for network latency or speed issues. In that case, don’t set to the value to more than 5000 milliseconds (5 seconds). Defaults to 1000 milliseconds (1 second).

iOS Device Management Identity Delivery Mode

  • Specifies whether Citrix Endpoint Management distributes the MDM certificate to devices using SCEP (recommended for security reasons) or PKCS12. In PKCS12 mode, the key pair is generated on the server and no negotiation is done. Defaults to SCEP.

iOS Device Management Identity Key Size

  • Defines the size of private keys for MDM identities, iOS profile service, and Citrix Endpoint Management iOS agent identities. Defaults to 2048.

iOS Device Management Identity Renewal Days

  • Specifies the number of days before the certificate expiration that Citrix Endpoint Management starts renewing certificates. For example: If a certificate expires in 10 days and this property is 10 days: When a device connects 9 days before expiration, Citrix Endpoint Management issues a new certificate. Defaults to 30 days.

iOS MDM APNS Private Key Password

  • This property has the APNs password, which is required for Citrix Endpoint Management to push notifications to Apple servers.

Length of Inactivity Before Device Is Disconnected

  • Specifies how long a device can be inactive, including the last authentication, before Citrix Endpoint Management disconnects it. Defaults to 7 days.

Length of Time Device Can Be Inactive Before Being Automatically Removed From CEM

  • The length of time (in days) a device can be inactive before being automatically removed from Citrix Endpoint Management. The minimum is 14 days and the default is 30 days. The Allows The Removal of Devices That Have Been Marked Inactive For A Specified Period Of Time server property must be set to true for this property to take effect.


  • Specifies the number of minutes a user must wait after exceeding the lockout limit. Supported values are 0–999. The default is 30 minutes.


  • Specifies the maximum number of consecutive invalid login attempts per user. Supported values are 0–999. The default value is set as 6.


This server property lets you configure administrator password rotation intervals for macOS devices enrolled through the Apple Deployment Program. Citrix Endpoint Management checks whether to rotate the password of the administrator account daily. By default, Citrix Endpoint Management rotates the password every 10,080 minutes (7 days). Configure the mac.dep.admin.passwd.rotate key as follows:

  • Value: administrator-defined The interval, in minutes, at which Citrix Endpoint Management rotates the password. Type a value equal to or greater than 360 (6 hours). Citrix Endpoint Management ignores values smaller than 360 and rotates the password every 360 minutes (6 hours) instead.
  • Display name: administrator-defined
  • Description: administrator-defined

MAM Only Device Max

  • This Custom Key limits the number of MAM-only devices that each user can enroll. Configure the key as follows. A Value of 0 allows unlimited device enrollment.

  • Key = number.of.mam.devices.per.user
  • Value = 5
  • Display name = MAM Only Device Max
  • Description = Limits the number of MAM devices each user can enroll.


  • The number of threads used when importing many Volume Purchase licenses. Defaults to 3. If you need further optimization, you can increase the number of threads. However, a larger number of threads results in high CPU usage.

NetScaler Gateway (NetScaler) Single Sign-On

  • If False, disables the Citrix Endpoint Management callback feature during single sign-on from NetScaler Gateway to Citrix Endpoint Management. If the NetScaler Gateway configuration includes a callback URL, Citrix Endpoint Management uses the callback feature to verify the NetScaler Gateway session ID. Defaults to False.

Number of consecutive failed uploads

  • Displays the number of consecutive failures during Customer Experience Improvement Program (CEIP) uploads. Citrix Endpoint Management increments the value when an upload fails. After 15 upload failures, Citrix Endpoint Management disables CEIP, also called telemetry. For more information, see the server property Identifies if telemetry is enabled or not. Citrix Endpoint Management resets the value to 0 when an upload succeeds.

Number of Users Per Device

  • The maximum number of users who can enroll the same device in MDM. The value 0 means that an unlimited number of users can enroll the same device. Defaults to 0.


  • This server property lets you customize the optional Active Directory user attributes.

    Create the custom key and, in the Values field, edit user attributes to define which attributes Citrix Endpoint Management can access to create a user account. For more information, see Customize user properties.

    • Key: Custom Key
    • Key: optional.user.identity.attributes
    • Value: commonName, firstName, lastName, displayName, streetAddress, city, state, country, workPhone, homePhone, mobilePhone, company, department, description, employeeID, faxNumber, initials, ipPhone, manager, homePostalAddress, otherMobile, pager, physicalDeliveryOfficeName, postalCode, postOfficeBox, title, organization, preferredLanguage
    • Display Name: optional.user.identity.attributes
    • Description: Optional Active Directory user attributes

Organization Name for macOS and iOS/iPadOS Enrollment Profiles

  • The value you type for corresponds to the name of the organization that provides the enrollment profile. The name displays when users enroll their device to Citrix Endpoint Management. The default name that displays is Citrix Workspace.

Pull of Incremental Change of Allowed and Denied Users

  • The number of seconds that Citrix Endpoint Management waits for a response from the domain when running a PowerShell command to get a delta of ActiveSync devices. Defaults to 60 seconds.

Read Timeout to Microsoft Certification Server

  • The number of seconds that Citrix Endpoint Management waits for a response from the certificate server when doing a read. If the certificate server is slow and has much traffic, you can increase this value to 60 seconds or more. A certificate server that doesn’t respond after 120 seconds requires maintenance. Defaults to 15000 milliseconds (15 seconds).

REST Web Services

  • Enables the REST Web Service. Defaults to true.

Retrieves devices information in chunks of specified size

  • This value is used internally for multithreading during device exports. If the value is higher, a single thread parses more devices. If the value is lower, more threads fetch the devices. Reducing the value might increase the performance of exports and device list fetches, yet might reduce available memory. Defaults to 1000.


  • If False, prevents access to the Self-Help Portal. Users who navigate to the portal on port 4443 get an “Access Denied” message. If True, provides access to the Self-Help Portal over port 443.

    Defaults to False.

  • If False, prevents users from enabling their devices from the Self-Help Portal. If True, users can enable their devices from the Self-Help Portal.

    The BitLocker recovery key feature requires that you set this property to False and the shp.console.enable property to True.

    Defaults to False.

Session Log Cleanup (in Days)

  • The number of days that Citrix Endpoint Management keeps the session log. Defaults to 7.

ShareFile configuration type

  • Specifies the Citrix Files storage type. ENTERPRISE enables Citrix Files Enterprise mode. CONNECTORS provides access only to storage zone connectors that you create through the Citrix Endpoint Management console. Defaults to NONE, which shows the initial view of the Configure > Citrix Files screen where you choose between Citrix Files Enterprise and Connectors. Defaults to NONE.

Static Timeout in Minutes

  • If the WebServices timeout type server property is STATIC_TIMEOUT: This property defines the number of minutes after which Citrix Endpoint Management logs out an administrator after using the following:
    • The Public API for REST Services to access the Citrix Endpoint Management console.
    • The Public API for REST Services to access any third-party app.

    Defaults to 60.

Trigger Agent Message Suppression

  • Enables or disables Citrix Secure Hub client messaging. The value false enables messaging. Defaults to true.

Trigger Agent Sound Suppression

  • Enables or disables Citrix Secure Hub client sounds. The value false enables sounds. Defaults to true.

Unauthenticated App Download for Android Devices

  • If True, you can download self-hosted apps to Android devices running Android Enterprise. Citrix Endpoint Management needs this property if the Android Enterprise option to provide a download URL in the Google Play Store statically is enabled. In that case, download URLs can’t include a one-time ticket (defined by the XAM One-Time Ticket server property) which has the authentication token. Defaults to False.

Unauthenticated App Download for Windows Devices

  • Used only for older Citrix Secure Hub versions which don’t validate one-time tickets. If False, you can download unauthenticated apps from Citrix Endpoint Management to Windows devices. Defaults to False.

Use ActiveSync ID to Conduct an ActiveSync Wipe Device

  • If true, the Citrix Endpoint Management connector for Exchange ActiveSync uses the ActiveSync identifier as an argument for the asWipeDevice method. Defaults to false.

Users only from Exchange

  • If true, disables user authentication for ActiveSync Exchange users. Defaults to false.

Volume Purchase baseline interval

  • The minimum interval that Citrix Endpoint Management reimports Volume Purchase licenses from Apple. Refreshing license information makes sure that the Citrix Endpoint Management reflects all changes, such as when you manually delete an imported app from Volume Purchase. By default, Citrix Endpoint Management refreshes the Volume Purchase license baseline a minimum of every 1440 minutes.

    • If you have many Volume Purchase licenses installed (for example, more than 50,000): Citrix recommends that you increase the baseline interval to reduce the frequency and overhead of importing licenses.

    • If you expect frequent Volume Purchase license changes from Apple: Citrix recommends that you lower the value to keep Citrix Endpoint Management updated with the changes.

    • The minimum interval between the two baselines is 60 minutes. Also, the Citrix Endpoint Management does a delta import every 60 minutes, to capture the changes since the last import. So, if the Volume Purchase baseline interval is 60 minutes, the interval between baselines might be delayed up to 119 minutes.

WebServices Timeout Type

  • Specifies how to expire an authentication token retrieved from the public API.
    • If STATIC_TIMEOUT: Citrix Endpoint Management considers a token expired, based on the value of the server property Static Timeout in Minutes.

    • If INACTIVITY_TIMEOUT: Citrix Endpoint Management considers a token expired, based on the value of the server property Inactivity Timeout in Minutes. Defaults to STATIC_TIMEOUT.

Windows Tablet MDM Certificate Extended Validity (5y)

  • The validity period of the device certificate issued by MDM for the Windows Tablet. Devices use a device certificate to authenticate to the MDM server during device management. If true, the validity period is five years. If false, the validity period is two years. Defaults to true.

Windows WNS Channel - Number of Days Before Renewal

  • The renewal frequency for the ChannelURI. Defaults to 10 days.

Windows WNS Heartbeat Interval

  • How long Citrix Endpoint Management waits before connecting to a device after connecting to it every three minutes five times. Defaults to 6 hours.

XAM One-Time Ticket

  • The number of milliseconds that a one-time authentication token (OTT) is valid for downloading an app. This property and the properties Unauthenticated App download for Android and Unauthenticated App download for Windows work together. Those properties specify whether to allow unauthenticated app downloads. Defaults to 3600000.

Citrix Endpoint Management MDM Self-Help Portal console max inactive interval (minutes)

  • This property name reflects the older Citrix Endpoint Management versions. The property controls the Citrix Endpoint Management console max inactive interval. That interval is the number of minutes after which Citrix Endpoint Management logs an inactive user out of the Citrix Endpoint Management console. A time-out of 0 means that an inactive user stays logged in. Default is 30.
Server properties