Citrix Endpoint Management

What’s new

Citrix aims to deliver new features and product updates to Endpoint Management customers when they’re available. New releases provide more value, so there’s no reason to delay updates.

  • Rolling updates to Endpoint Management release approximately every two weeks.
  • These updates don’t result in any downtime for your instance or device users.
  • Not every release has new features; some updates include fixes and performance enhancements.

To you, the customer, this process is transparent. We apply initial updates to Citrix internal sites only, and then to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For more details, including cloud scale and service availability, see the Endpoint Management Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Continued support for the Classic policies deprecated from Citrix ADC

Citrix recently announced the deprecation of some Classic policy-based features starting with Citrix ADC 12.0 build 56.20. The Citrix ADC deprecation notices have no impact on existing Endpoint Management integrations with Citrix Gateway. Citrix Endpoint Management continues to support the Classic policies and no action is needed.

Before upgrading endpoints to iOS 14.5

Before upgrading any endpoint to iOS 14.5, Citrix recommends that you perform the following actions to mitigate app crashes:

  • Upgrade Citrix Secure Mail and Secure Web to 21.2.X or higher. See Upgrade MDX or enterprise apps.
  • If you use the MDX Toolkit, wrap all third-party iOS applications with MDX Toolkit 21.3.X or higher and upgrade those apps in the Endpoint Management console. Check the MDX Toolkit download page for the latest version.

Before you upgrade an on-premises Citrix ADC to 13.0-64.35+

If you use the on-premises version of Citrix ADC and upgrade to version 13.0-64.35+: Perform the workaround described in Known issues in Endpoint Management 20.10.1.

Endpoint Management 21.10.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Lock device after inactivity extension. The maximum amount of time of inactivity before a device locks has been increased to 15 minutes. For more information, see Passcode device policy.

Added the restriction setting for pasting content from iOS apps. The restrictions device policy now supports Require managed pasteboard for iOS. With this restriction setting, you can block or allow the pasting of content from managed apps to unmanaged apps, and the opposite way.

This setting applies to iOS 15 and later. For more information, see Restrictions device policy for iOS.

Fixed issues in Endpoint Management 21.10.1

The network policy fails to deploy to iOS and macOS devices using WPA2 and WPA3 network security types. [CXM-96166]

Endpoint Management 21.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Assign custom roles for cloud administrators in Citrix Cloud. New Endpoint Management customers onboarded after October 4, 2021 can now assign custom roles to cloud administrators in Citrix Cloud. Before, you had to assign custom roles in Endpoint Management. This feature lets you perform your administrator-related customizations without having to switch between Citrix Cloud and Endpoint Management. In addition, the COSU devices enroller and Shared devices enroller templates were removed from Endpoint Management. COSU devices enroller is now handled through enrollment profiles and Shared devices enroller is handled at the platform level with kiosk mode or Citrix Launcher.

Support for Windows 11 devices. You can now use Endpoint Management to manage Windows 11 devices. For more information, see Operating system support list.

iOS User Enrollment mode is now available as a public preview. You can now take advantage of Apple User Enrollment features on iOS and iPadOS devices. User Enrollment integrates Managed Apple IDs to create a user identity on devices. For more information about User Enrollment, see Managed Apple IDs.

Updated maximum value for tracking iOS device location. You can now configure the location policy to track the location of an iOS device for up to 10 hours. See Location device policy.

Fixed issues in Endpoint Management 21.10.0

When updating an administrator role in the Citrix Cloud console, the change is not reflected in the Citrix Endpoint Management console. This is strictly a user interface issue and does not impact any functionality. Only customers onboarded in version 21.10.0 or later are affected. [CXM-101044]

Endpoint Management 21.9.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Configure Azure AD or Okta as an identity provider to enroll and manage user devices without a Cloud Connector (Preview). If you configure an identity provider through Citrix Cloud, you don’t need a Cloud Connector to establish communication between Endpoint Management and Citrix Cloud. Endpoint Management still requires a Cloud Connector for the following:

  • LDAP
  • PKI Server
  • Internal DNS queries
  • Citrix Virtual Apps

For more information about this feature, see Identity provider authentication without a Cloud Connector.

Support for iOS 15 and macOS 12 devices. You can now use Endpoint Management to manage iOS 15 and macOS 12 devices. For more information, see Operating system support list.

Always-on VPN for Android Enterprise. You can now enable an always-on VPN for Android Enterprise devices. You can choose to enable a lockdown feature as well. Apps require a VPN connection to access the network unless you exclude them from the lockdown. For more information, see VPN device policy.

Fully managed Android 11+ devices enroll in work profile on corporate-owned devices mode. The new mode further separates the personal and work profiles on a device. This change offers an organization greater control on the managed profile and offers users more privacy on their personal profile. For more information, see Android Enterprise.

Ability to set global consent for client apps. You can now set global consent so that users don’t need to provide consent on each device. For details, see Configure Endpoint Management for Azure AD compliance management.

Azure AD permissions changes now detected. When a change occurs in Azure AD permissions, Endpoint Management now warns automatically about the change so you can approve it using the Azure AD compliance management setting. Follow the consent link and click Approve to accept the changes. Previously, you had to initiate this approval manually. For more information, see Configure Endpoint Management for Azure AD compliance management.

Fixed issues in Endpoint Management 21.9.1

If you add deployment rules to a delivery group, any new or existing deployment rules at the resource level (policies, apps, actions) no longer apply. [CXM-98013]

The Export Data feature of Endpoint Management doesn’t export complete sets of data. Use these workarounds to retrieve data about managed devices:

  • Export data from the console by navigating to Analyze > Reporting > Device Enrollment.
  • Export data by using the reporting API. For information about the reporting API, see the developer documentation. [CXM-99906]

If accessing Endpoint Management through Citrix Cloud, adding an enterprise app for macOS causes an authorization error to occur. As a workaround, contact support and request direct access to your Endpoint Management console. You can then add enterprise apps for macOS devices. [CXM-100046]

Current known issues

Known issues in Endpoint Management 21.10.0

The following device policies don’t work properly on managed Windows 11 devices:

  • App inventory
  • Kiosk
  • VPN
  • Windows information protection

We reported these issues to Microsoft and are working with Microsoft to resolve them. We will keep you updated on any progress.

Known issues in Endpoint Management 21.9.1

When creating an enrollment profile for Android devices to enroll in the work profile on corporate-owned devices mode, you must enable the BYOD work profile setting. If you don’t enable this setting, the devices fail to enroll. [CXM-100418]

On Android devices enrolled in work profile on corporate-owned devices mode: If users see errors saying that they can’t install or search apps on their personal profile, update the Google Play Store app and try again. [CXM-100678]

Intermittently, when you click Export Configuration Script from the Settings > Citrix Gateway page, you receive a corrupt CSV file. As a workaround, download the configuration script while adding or editing a Citrix Gateway configuration. [CXM-100908]

Known issues in Endpoint Management 21.5.0

Users can’t authenticate to Azure Active Directory (AAD) if they:

  1. Enroll their device in Endpoint Management using AAD credentials.
  2. Launch an Office 365 app and complete the AAD registration.
  3. Remove their account from the Microsoft Authenticator app.
  4. Launch an Office 365 app and sign out.

As a workaround, unenroll the device from Endpoint Management and re-enroll. [CXM-90235]

Known issues in Endpoint Management 21.4.0

Re-enrollment fails on iOS devices if the user trying to re-enroll is a different Azure Active Directory user than the user originally enrolled on the device. As a workaround, unregister the original user from the Microsoft Authenticator app on the device before re-enrolling. [CXM-90218]

When you use a package ID to search for a Google Play app to add to the Endpoint Management console, the mandatory Name field displays as empty. You can still enter the app name manually. [CXM-93655]

Known issues in Endpoint Management 21.2.0

When adding Secure Web as an MDX app for Android Enterprise, Managed Google Play can’t find the app using the app identifier. If you search for “Secure Web” instead of the app identifier, Managed Google Play can find the app. This issue is a Google bug. [CXM-91991]

Importing the SSL Listener certificate might fail. Repackage the certificate keystore by following the steps in CTX-297153. [XMHELP-3346]

Known issues in Endpoint Management 21.1.1

Accessing the new Endpoint Management console may result in a 401 error. Your account may not be added to Endpoint Management properly. For steps to resolve the issue, see Citrix Endpoint Management console error “Failed to retrieve”. [CXM-92007]

Known issues in Endpoint Management 20.12.0

In the Monitor tab, devices don’t appear as assigned to enrolled Active Directory users and you can’t perform security actions. To see the policies and apps assigned to those users and perform all security actions, go to Manage > Devices. [CXM-90210]

You can’t access the Endpoint Management console by clicking Manage from the Citrix Cloud tile on Internet Explorer 11. Access the console from another browser. Internet Explorer 11 is no longer supported for console use. [CXM-90540]

You can’t wrap iOS apps developed on macOS 10.14 and later using the MDX Service. To add iOS apps with MAM SDK or MDX functionality, prepare the app with the MAM SDK or wrap the apps using the on-premises MDX Toolkit. [XMHELP-3174]

Known issues in Endpoint Management 20.10.1

If you upgrade on-premises Citrix ADC to 13.0-64.35 or later, and Endpoint Management isn’t Workspace-enabled: Single sign-on to Citrix Files or the ShareFile domain URL in a browser with the Company Employee Sign in option results in an error. The user is unable to sign in.

To work around this issue: If you haven’t already run the following commands from the ADC CLI on Citrix Gateway, run them to enable global SSO:

set vpn parameter SSO ON

bind vpn vs <vsName> -portalTheme X1

For more information, see:

After you complete the workaround, users can authenticate to Citrix Files or the ShareFile domain URL using SSO in a browser with the Company Employee Sign in option. [CXM-88400]

Known issues in Endpoint Management 20.5.0

At the beginning of June 2020, the Google Play EMM API had an outage. During the outage, if you went to Settings > Android Enterprise, Endpoint Management removed the Android Enterprise configuration from the console. As a result, currently enrolled devices don’t receive the policy and app updates. To fix the issue, contact Citrix Technical Support for assistance. [XMHELP-2811]

Known issues in Endpoint Management 20.4.1

When you install multiple LDAP Active Directories (AD) on Endpoint Management using Citrix Cloud Connector, only the first installed AD populates in the Endpoint Management settings. As a workaround, you can check Citrix Cloud. If those domains are marked as unused, manually mark Used. Marking the domain as used makes it available in Endpoint Management. [CXM-81697]

Known issues in Endpoint Management 20.2.1

For customers using a cloud hosting service and the new Citrix enhanced enrollment profiles: New devices may not successfully enroll. As a workaround, create a default enrollment profile that includes all delivery groups. See To create an enrollment profile. You might see an enrollment profile titled “FactoryDefault”. We use this enrollment profile for special logic. If you see the “FactoryDefault” enrollment profile, don’t modify or delete it. [CXM-79019]

After configuring Citrix Content Collaboration with a ShareFile URL in the Citrix Endpoint Management console, clicking the Test Connection button results in an error. To resolve this issue, disable multifactor authentication for ShareFile. Learn more about this issue and the workaround on this support page. [CXM-79240]

Sorting devices by Last access or Inactivity days results in a 500 internal server error. [CXM-79414]

Known issues in Endpoint Management 20.1.0

You can’t delete duplicate certificate files from Settings > Certificates. [CXM-72630]

When adding users to a library in Citrix Cloud, Endpoint Management reports success, but the users aren’t added. [CXM-73726]

Known issues in Endpoint Management 19.11.0

MDX and Public apps can’t be deleted from the console. As a workaround, select the app you want to delete and then click Edit. Deselect Android Enterprise and select any other platforms from the platform list. Save the app. You can then delete the app. [CXM-74468]

For sites with Workspace Environment Management (WEM) integrated with Endpoint Management: A Windows GPO configuration device policy created with User Configuration doesn’t deploy to user devices. A policy created with Device Configuration deploys as expected. [CXM-74762, WEM-6319]

Known issues in Endpoint Management 19.9.0

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Express Language, Preferred Language, Get Started, and Appearance. [CXM-71370]

Known issues in Endpoint Management 19.5.0

On macOS, enterprise apps pushed from Endpoint Management remain in a pending state. This third-party issue is Apple bug #50311461 and is fixed in macOS 10.14.4. [CXM-65957]

When enrolling a Citrix Ready workspace hub device, define the Ethernet (eth0) MAC address in the allow list to avoid failed enrollment. [CXM-43141]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. Google Workspace customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in Endpoint Management 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS and Android. [CXM-46820]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved; however, Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.19

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using the Citrix identity provider with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]