Citrix Endpoint Management

Managed domains device policy

You can define managed domains that apply to email and the Safari browser. Managed domains help you protect corporate data by controlling which apps can open documents downloaded from domains using Safari.

For iOS supervised devices, you specify:

  • URLs or subdomains to control how users can open documents, attachments, and downloads from the browser.
  • URLs from which users can save passwords in Safari.

For the steps on setting an iOS device to supervised mode, see Deploy devices using Apple Configurator 2.

When a user sends an email to a recipient whose domain isn’t on the managed email domains list, the message is flagged on the user’s device to warn them that they’re sending a message to someone outside your corporate domain.

For items such as documents, attachments, or downloads: When a user opens an item by using Safari from a web domain that is on the managed web domains list, the appropriate corporate app opens the item. If the item isn’t from a web domain on the managed web domains list, the user can’t open the item with a corporate app. They must use a personal, unmanaged app.

For supervised devices, even if you don’t specify Safari password autofill domains: If the device is configured as an ephemeral multi-user, users can’t save passwords. However, if the device isn’t configured as an ephemeral multi-user, users can save all passwords.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

To specify domains:

| Format | Description |
|---|---|
| example.com | Treat any path under example.com as managed, but not site.example.com/. |
| foo.example.com | Treat any path under foo.example.com as managed, but not example.com/ or bar.example.com/. |
| \*.example.com | Treat any path under foo.example.com or bar.example.com as managed, but not example.com/. |
| example.com/sub | Treat example.com/sub and any path under it as managed, but not example.com/. |
| foo.example.com/sub | Treat any path under foo.example.com/sub as managed, but not example.com, example.com/sub, foo.example.com/, or bar.example.com/sub. |
| \*.example.com/sub | Treat any path under foo.example.com/sub or bar.example.com/sub as managed, but not example.com or foo.example.com/. |

Rules:

  • Leading “www.” and trailing slashes in URLs are ignored when domains are compared.
  • If an entry has a port number, only addresses that specify that port number are considered managed. Otherwise, only the standard ports are considered managed (port 80 for http and port 443 for https). For example, the pattern *.example.com:8080 matches https://site.example.com:8080/page.html but not https://site.example.com/page.html. The pattern *.example.com matches http://site.example.com/page.html and https://site.example.com/page.html but not https://site.example.com:8080/page.html.
  • Managed Safari web domain definitions are cumulative. Patterns defined by all managed Safari web domain payloads are used to match a URL request.
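
The format table and rules above, written out as a small Python checker for sanity-checking a managed web domain list before the policy is deployed. This is an added example, not Citrix or Apple code: the function names are hypothetical, and it assumes that "*." matches subdomains at any depth, that paths match on whole segments, and that "www." is stripped before the wildcard comparison.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # the "standard ports" in the rules

def _strip_www(host):
    return host[4:] if host.startswith("www.") else host

def parse_pattern(pattern):
    """Split one list entry into (wildcard, host, port, path)."""
    hostport, _, path = pattern.strip().partition("/")
    host, _, port = hostport.lower().partition(":")
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    path = path.strip("/")  # trailing slashes are ignored
    return wildcard, _strip_www(host), int(port) if port else None, "/" + path if path else ""

def is_managed(url, patterns):
    """True if url matches any entry; entries from all payloads are cumulative."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return False
    host = _strip_www(parts.hostname)
    url_path = parts.path.rstrip("/")
    for pattern in patterns:
        wildcard, p_host, p_port, p_path = parse_pattern(pattern)
        # Assumption: "*." matches subdomains at any depth, never the bare domain.
        host_ok = host.endswith("." + p_host) if wildcard else host == p_host
        if p_port is not None:
            port_ok = parts.port == p_port  # entry names a port: URL must name it too
        else:
            port_ok = parts.port in (None, DEFAULT_PORTS[parts.scheme])
        # Assumption: paths match on whole segments (/sub matches /sub/x, not /subway).
        path_ok = url_path == p_path or url_path.startswith(p_path + "/")
        if host_ok and port_ok and path_ok:
            return True
    return False

if __name__ == "__main__":
    entries = ["*.example.com:8080", "example.com/sub"]  # constructed sample list
    for u in ("https://site.example.com:8080/page.html",
              "https://site.example.com/page.html",
              "https://www.example.com/sub/report.pdf"):
        print(u, "->", "managed" if is_managed(u, entries) else "unmanaged")
```

Running a list of the URLs your corporate apps actually serve documents from through this check shows which ones would fall outside the managed set, for example because of a non-standard port or a missing subdomain entry.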

Settings:

  • Managed Domains
    • Unmarked Email Domains: For each email domain you want to include in the list, click Add and then do the following:
      • Managed Email Domain: Type the email domain.
      • Click Save to save the email domain or click Cancel to not save the email domain.
    • Managed Safari Web Domains: For each web domain you want to include in the list, click Add and then do the following:
      • Managed Web Domain: Type the web domain.
      • Click Save to save the web domain or click Cancel to not save the web domain.
    • Safari Password AutoFill Domains: For each autofill domain you want to include in the list, click Add and then do the following:
      • Safari Password AutoFill Domain: Type the autofill domain.
      • Click Save to save the autofill domain or click Cancel to not save the autofill domain.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.