A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.
To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.
Endpoint Management customers also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.
For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.
About the Citrix unified product portfolio
If you’ve been a Citrix customer or partner for a while, you’ll notice new names in our products and in this product documentation. The new product and component names stem from the expanding Citrix portfolio and cloud strategy. For more detail about the Citrix unified portfolio, see the Citrix product guide.
Articles in this product documentation use the following names.
Citrix Endpoint Management: Citrix Endpoint Management is a solution for managing endpoints, offering mobile device management (MDM) and mobile application management (MAM) capabilities. With Endpoint Management, you manage device and app policies and deliver apps to users. Your business information stays protected with strict security for identity, devices, apps, data, and networks. Citrix Endpoint Management was formerly Citrix XenMobile Service.
Mobile productivity apps: XenMobile Apps is now mobile productivity apps. Citrix-developed mobile productivity apps are a group of enterprise mobile apps offering IT a secure choice for their users’ email, web browsing, and remote access. Mobile productivity apps include Citrix Secure Hub, Citrix Secure Mail, and Citrix Secure Web. The Endpoint Management Store is now the app store.
Citrix Workspace app: The Citrix Workspace app incorporates existing Citrix Receiver technology and the other Citrix Workspace client technologies. It has been enhanced to provide end users with a unified, contextual experience. Users can interact with all the work apps, files, and devices they need to do their best work. For more information, see this blog post.
For Endpoint Management customers with the workspace experience enabled, users who open Secure Hub and click Add Apps are directed to the workspace. For more information, see Secure Hub.
Citrix Virtual Apps and Desktops: The Citrix Virtual Apps and Desktops service (formerly XenApp and XenDesktop) offers a virtual app and desktop solution. Provided as a cloud service and as an on-premises product, Virtual Apps and Desktops gives employees the freedom to work from anywhere on any device.
Implementing this transition in our products and their documentation is an ongoing process.
- In-product content and documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, directory/file names, screenshots, and diagrams.
- It is possible that some items (such as commands and MSIs) might continue to retain their former names to prevent breaking existing customer scripts.
- Related product documentation and other resources (such as videos and blog posts) that are linked from this product’s documentation might still contain former names.
Your patience during this transition is appreciated.
Citrix Endpoint Management integration with Citrix Workspace
Endpoint Management integration with Citrix Workspace differs for new and existing customers.
For new Endpoint Management customers (as of August 27, 2018):
During Workspace configuration (Workspace Configuration > Service Integrations), you choose whether to enable Endpoint Management integration with workspace. By default, the integration is enabled.
If you enable the integration, the Citrix Workspace app aggregates resources from Endpoint Management and other configured sources. Your users access resources from the Citrix Workspace app. Other configured sources might include Citrix Virtual Apps and Desktops and Citrix Content Collaboration.
If you disable the integration, Citrix Secure Hub aggregates mobile apps. Your users access apps from Secure Hub.
After you configure your integration choice and enroll users: If you later change your integration choice, re-enrollment is required for all users.
For customers who onboarded before August 27, 2018:
Workspace integration is disabled. Citrix Secure Hub aggregates mobile apps and your users access apps from Secure Hub. Citrix will notify you when migration to Workspace is supported without requiring re-enrollment for all users.
Endpoint Management 10.18.19
The latest version of Endpoint Management has these new features and improvements:
Use Firebase Cloud Messaging instead of the Connection scheduling device policy. For customers who onboard with Endpoint Management 10.18.19, there is no option to set the Connection scheduling device policy to always require devices to connect. Citrix recommends that all customers use Firebase Cloud Messaging (FCM) to control notifications for Android, Android Enterprise, and Chrome OS devices. For an overview of FCM works, see this Google article, Firebase Cloud Messaging. For information on how to configure FCM with Endpoint Management, see this Endpoint Management article, Firebase Cloud Messaging.
More device policy restrictions for Samsung DeX mode. You can now configure restrictions to:
- Specify the DeX screen timeout
- Add an app shortcut to the DeX screen
- Remove an app shortcut from the DeX screen
- Specify the app packages to block from Samsung DeX mode
See the Restrictions device policy section, Samsung KNOX settings.
New Chrome OS device policy to restrict user access to your network when their device is out-of-compliance. Configure the Verified Access policy to restrict user’s access to your network when their Chrome OS device is out of compliance. This policy requires G Suite Chrome configuration. For more information on Verified Access, see the Google article Enable Verified Access with Chrome devices.
iOS DEP enrollment default has changed. The enrollment setting Require credentials for device enrollment is now enabled by default. Apple strongly recommends user authentication during enrollment for security reasons.
Apple Device Enrollment Program (DEP) account iOS setup assistant options for iOS 12. New options in the DEP account iOS setup assistant allow you to prevent users from seeing these screens during DEP device setup:
- SIM Setup: Prevents the user from seeing the Add Cellular Plan screen.
- iMessage & FaceTime: Prevents the user from seeing the iMessage and FaceTime screen.
These options are for DEP devices running iOS 12.0 and later. For more information, see “Step 3: Add a DEP account to Endpoint Management” in Bulk enrollment of Apple devices.
Endpoint Management now supports GroundControl. You can now add a supervision identity to use with GroundControl while setting up Apple DEP. For information about configuring Endpoint Management, see “Step 3: Add a DEP account to Endpoint Management” in Bulk enrollment of Apple devices.
Bulk enrollment enhancements for Windows 10 devices. When adding windows devices to the device whitelist, you can identify the devices by Device Name. You can also search for the associated user instead of typing the name manually. See Bulk enrollment of Windows devices.
Changes in Citrix Endpoint Management integration with Microsoft Intune/EMS.
- You can now publish and manage Microsoft Outlook for iOS and Android using Citrix Endpoint Management integration with Microsoft Intune/EMS.
- Some default values of micro VPN policies changed. The MvpnRedirectWebTrafficWithSSO policy now disables http/https redirection with SSO by default. The MvpnDisableTcpRedirect policy now disables TCP-level full-tunnel redirection by default. For more information, see MDX policies.
Fixed issues in Endpoint Management 10.18.19
For Android devices, the Device administrator disabled property is missing when you navigate to Device management > Device > Properties. [CXM-56099]
When you select certain VPP apps in Configure > Apps and then click Edit, the Search field and some table columns might not appear in the App details page. As a workaround, you can disable the search feature. Go to Settings > Server Properties and change the property
enable.vpp.search.enhancement to false. [CXM-57975]
Endpoint Management 10.18.18
The latest version of Endpoint Management has these new features and improvements:
Delegated Admin Access now available for Endpoint Management. You can now create administrators in Citrix Cloud with custom access for Endpoint Management. Administrators with custom access can only manage services to which they have access. To configure custom access, sign in to Citrix Cloud and navigate to Identity and Access Management > Administrators.
For information about configuring administrators, see Add administrators to a Citrix Cloud account.
Device certificate renewal. You can now request that Citrix Cloud Operations refresh or regenerate the internal PKI certificate authorities (CAs) in your Endpoint Management deployment. Open a Technical Support case for these requests.
When the new CAs are available, Cloud Operations lets you know that you can proceed with renewing the device certificates for your users.
For supported iOS, macOS, and Android devices, you can initiate certificate renewal through the security action, Certificate Renewal. You renew device certificates from the Endpoint Management console or the Public REST API. For enrolled Windows devices, users must re-enroll their devices to receive a new device CA.
- Return a list of devices still using the old CA (see section 3.16.2 in the Public API for REST Services PDF)
- Renew Device Certificate (see section 3.16.58)
Simplified Android Enterprise setup. The process for setting up Android Enterprise is now shorter and simpler for Google Play customers. Management Tools for Endpoint Management are no longer needed to bind Endpoint Management as your enterprise mobility management (EMM) provider. The process for setting up Android Enterprise for G Suite customers is unchanged. For information, see Android Enterprise.
More Chrome OS device policies.
Control Chrome OS web content. The new Content device policy lets you set a specific home page, allow or block popups, and choose pages to load on startup. For information, see Content device policy.
Choose a release channel for Chrome OS updates. Google offers updates over several channels, ranging from a fully tested Stable channel to a Dev channel that might be unstable. By default, Chrome OS updates get distributed over the Stable channel.
To choose a release channel, configure the Release channel setting in the OS Update device policy setting for Chrome OS. For information, see OS Update device policy.
WiFi device policy for Citrix Ready workspace hub devices. You can now manage how users connect their Citrix Ready workspace hub devices to WiFi networks. For information, see WiFi Policy.
Caller ID policy. Secure Mail can now provide contact names and phone numbers for iOS to use in identifying incoming phone calls. The Caller ID Support Enabled policy controls this feature. For information, see MDX Policies for iOS Apps.
Fixed issues in Endpoint Management 10.18.18
When enrolling devices using Android Enterprise, users’ UPNs do not map to their existing G Suite User ID. Instead, a new G Suite User ID is created. [CXM-53534]
When you add an administrator to Endpoint Management, certain international characters are incorrectly coded and those accounts aren’t added to delivery groups. [CXM-58051]
After upgrading Endpoint Management, some users can’t access resources using single sign-on. [XMHELP-1675]
Endpoint Management 10.18.17
Mark devices out of compliance in Azure AD. You can use automated actions to mark Azure AD-enrolled Windows 10 devices out of compliance in Azure AD. When a device is marked out of compliance in Endpoint Management, it is also marked out of compliance in Azure AD. To enable this functionality in Azure AD, grant the on-premises MDM application permission to access the Graph API. For more information, see Automated Actions.
New Chrome OS restrictions policies. New settings in the Restrictions device policy for Chrome OS let you:
- Force users to re-enroll into their previous G Suite domain after a device wipe.
Control reporting on Chrome OS devices:
- Device state reporting: Controls whether a device reports its current device state, including firmware, Chrome and platform version, and boot mode.
- Device user tracking: Controls whether a device reports a list of users that recently logged on to the device. Users aren’t reported if the device is configured to erase all local user data.
- Show the home button in the Chrome browser.
- Control user access to external storage devices through the Chrome file browser.
- Provide a domain name as an autocomplete option when users sign in.
Each setting requires G Suite Chrome configuration. For more information, see Restrictions device policy.
Support for Samsung DeX mode. Samsung DeX enables users to connect KNOX-enabled devices to an external display to use apps, review documents, and watch videos on a PC-like interface. For information about Samsung DeX device requirements and setting up Samsung DeX, see How Samsung DeX works.
To configure Samsung DeX mode features in Citrix Endpoint Management, update the Restrictions device policy for Samsung KNOX. For information, see “Samsung KNOX settings” in Restrictions device policy.
Support for Android SafetyNet. You can configure Endpoint Management to use the Android SafetyNet feature to assess the compatibility and security of Android devices that have Secure Hub installed. The results can be used to trigger automated actions on the devices. For information, see Android SafetyNet.
Prevent camera use for Android Enterprise devices. The new Allow use of camera setting for the Restrictions device policy lets you prevent users from using the camera on their Android Enterprise devices. For information, see Restrictions device policy.
A new version of the Get Devices by Filters API provides more details about devices. For more information, download the Public API for REST Services PDF. The new API is in the section “3.16.2 Get Devices by Filters (version 2)”.
New MDX policy to select how users report phishing: If the Report Phishing feature is enabled, you can use the Report Phishing Mechanism policy to control how users report phishing on Android. You can select whether Secure Mail forwards the phishing email as an attachment or if it forwards the entire email. For more information on the Report Phishing Mechanism policy, see MDX Policies for Android Apps.
Fixed issues in Endpoint Management 10.18.17
Third-party B2B VPP Secure apps don’t show as installed in Secure Hub. [CXM-55959]
Some models of Android phones cannot enroll after upgrading from Android 5.0 to 6.0.1. [CXM-56420]
On Android shared devices: If a user types an incorrect username, Secure Hub caches the wrong username even if the user corrects it. [CXM-56428]
When StoreFront is integrated with XenMobile Server, non-primary domains can’t enroll. [CXM-56640]
Current known issues
Known issues in Endpoint Management 10.18.17
On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]
Known issues in Endpoint Management 10.18.5
When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]
Known issues in Endpoint Management 10.18.3
After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self Help Portal. [CXM-45730]
Known issues in Endpoint Management 10.7.6
For a Restrictions device policy for Samsung SAFE: The Browser, YouTube, and Google Play/Marketplace options have been removed. Use the Disable Applications option to enable or disable those features. [CXM-43043]
Known issues in Endpoint Management 10.7.4
If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” That message should be “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]
Known issues in Endpoint Management 10.7.3
For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]