What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management are released approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Upgrade from GCM to FCM

As of April 10, 2018, Google deprecated Google Cloud Messaging (GCM). Google will remove the GCM server and client APIs on May 29, 2019.

Google recommends upgrading to Firebase Cloud Messaging (FCM) right away to begin taking advantage of the new features available in FCM. For information from Google, see https://developers.google.com/cloud-messaging/faq and https://firebase.googleblog.com/2018/04/time-to-upgrade-from-gcm-to-fcm.html.


  • Endpoint Management 19.3.0 or later
  • Secure Hub 19.3.5 or later

To continue support for push notifications to your Android devices: If you use GCM with Endpoint Management, migrate to FCM. Then, update Endpoint Management with the new FCM key available from the Firebase Cloud Messaging Console.

Upgrade steps:

  1. Follow the information from Google to upgrade from GCM to FCM.
  2. In the Firebase Cloud Messaging Console, copy your new FCM key. You will need it for the next step.
  3. In the Endpoint Management console, go to Settings > Firebase Cloud Messaging and configure your settings.

    Devices switch over to FCM the next time they check in with Endpoint Management and do a policy refresh. To force Secure Hub to refresh policies: In Secure Hub, go to Preferences > Device Information and tap Refresh Policy.

For more information about configuring FCM, see Firebase Cloud Messaging.

Android Q

Citrix supports Android Q on the day it becomes available. This is sometimes referred to as day zero (0) support.

Before upgrading to the Android Q platform: See Migrate from device administration to Android Enterprise for information about how the deprecation of Google Device Administration APIs impacts devices running Android Q. Also see the blog, https://www.citrix.com/blogs/2019/06/26/citrix-endpoint-management-and-android-enterprise-a-season-of-change/.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers. See Integration with Citrix Workspace experience.

Mobile SSO to native SaaS apps (preview)

A preview of mobile SSO to native SaaS apps is now available for customers who meet these requirements:

  • Citrix Workspace Premium license
  • Your identity provider configured in Citrix Cloud
  • The following services configured:
    • Workspace service with Endpoint Management enabled. For information about enabling service integration, see Workspace configuration.
    • Citrix Endpoint Management service
    • Citrix Gateway service

Single sign-on to native SaaS apps is available from iOS and Android devices that are enrolled into MDM. For more information, see Configure mobile SSO (preview).

Citrix Gateway service (preview)

A preview of Citrix Gateway service is now available for customers who meet these requirements:

  • Citrix Workspace experience enabled
  • Citrix Gateway service subscription

If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative. For more information, see Configure Citrix Gateway use with Endpoint Management.

Apple host names that must remain open

Apple recently published a knowledge article that lists host names that must remain open to ensure proper operation of macOS, iOS, and iTunes. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see https://support.apple.com/en-us/HT201999.

Endpoint Management 19.8.0

  • For existing customers: Restricted port access to the Endpoint Management console and Self-Help Portal:

    For customers who onboarded before Endpoint Management 19.8.0 (August 1, 2019):

    • You can require that administrators sign on to the Citrix Cloud console for SSO access to the Endpoint Management console. Citrix highly recommends all console access through Citrix Cloud.

      To enforce this, set the new server property enable.cloud.console.sso to True. With that setting, you can’t directly access the Endpoint Management console: attempts to directly access it on port 4443 result in a 500 error.

      By default, enable.cloud.console.sso is False, which provides direct access to the Endpoint Management console through port 4443. Access attempts through port 443 now result in an “Access Denied” message. Access attempts through other ports now result in 404 errors.

    • Access to the Self-Help Portal is available only through port 443. Access attempts through port 4443 now result in an “Access Denied” message.

  • For customers who onboard starting with Endpoint Management 19.8.0 (August 1, 2019):

    • New customers sign on to the Citrix Cloud console for SSO access to the Endpoint Management console.

    • Access to the Self-Help Portal requires a server property change. By default, new customers can’t access the Self-Help Portal.

      The server property shp.console.enable defaults to False, which prevents access to the Self-Help Portal. Users who navigate to the Self-Help Portal on port 443 get a 404 error. Users who navigate to the portal on port 4443 get an “Access Denied” message.

      To give your users access to the Self-Help Portal, update shp.console.enable to True.

Fixed issues in Endpoint Management 19.8.0

When importing a CA certificate, the console doesn’t display an updated or new certificate under PKI entities. [CXM-68419]

When configuring the VPN device policy for iOS to use the Citrix SSO protocol: After you enable the Prompt for PIN when connecting setting and save the policy, that setting reverts to Off. [CXM-68523]

For customers who have migrated from previous versions, opening the Manage tab in the console displays an error if a device’s enrollment profile has been deleted. [CXM-69750]

Endpoint Management 19.7.1

  • Access all Google Play apps in the managed Google Play store. The Access all apps in the managed Google Play store server property makes all apps from the public Google Play store accessible from the managed Google Play store. Setting this property to true whitelists the public Google Play store apps for all Android Enterprise users. Administrators can then use the Restrictions device policy to control access to these apps.

  • Enable system apps on Android Enterprise devices. To allow users to run pre-installed system apps in the Android Enterprise work profile mode or fully managed mode, configure the Restrictions device policy. That configuration grants user access to default device apps, such as camera, gallery, and others. To restrict access to a particular app, set app permissions using the Android Enterprise permissions policy.

Fixed issues in Endpoint Management 19.7.1

When sending an enrollment link using SMTP/SMS, the link being sent doesn’t work. [CXM-67458]

When attempting to update a public iOS app using the Endpoint Management console, a configuration error displays. [CXM-69190]

Some third-party VPP apps fail to auto-update. This issue occurred due to blocked host names. For more information, see https://support.apple.com/en-us/HT201999. [CXM-69341]

When adding Microsoft Word or PowerPoint for iOS to the cloud app library, assigning the app to a user group fails. You must delete and re-add any Intune apps experiencing this issue. [CXM-69349]

Endpoint Management 19.6.1

  • Location device policy now enables device tracking for Android. You can now enable device tracking to poll specific devices at a frequency you define. You might use this policy to track delivery personnel for more accurate delivery estimates, track lost or stolen devices, or enforce geographic boundaries. For more information, see Location device policy.

Fixed issues in Endpoint Management 19.6.1

After the time period in the server property bulk.enrollment.fetchRosterInfoDelay ends and an Apple School Manager DEP device syncs with the server: The Apple School Manager user account is deleted from the server and the device moves into an anonymous state. [CXM-67913]

Users with special German characters, such as umlauts, in their display name can’t enroll. [CXM-68097]

The following error message displays when you attempt to configure a Public App by using the new app URL from the Apple Store: “Could not find the app you entered. Check the URL and try again.” [CXM-68537]

Current known issues

Known issues in Endpoint Management 19.5.0

When enrolling a Citrix Ready workspace device, the Ethernet (eth0) MAC address needs to be defined in the whitelist or enrollment fails. [CXM-43141]

On macOS, enterprise apps pushed from Endpoint Management remain in a pending state. This third-party issue is Apple bug #50311461. [CXM-65957]

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to choose Intune MAM/Endpoint Management. [CXM-31272]

Actions configured to email inactive devices don’t work. [CXM-62110]

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in XenMobile Server 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS and Android. [CXM-46820]

Known issues in Endpoint Management 19.1.2

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved; however, Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.17

On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]