What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management are released approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For more details, including cloud scale and service availability, see the Endpoint Management Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Preparing for Android Enterprise as default enrollment

Google is deprecating the device administrator mode of device management. Google encourages customers to manage all Android devices by using Android Enterprise in device owner mode or profile owner mode. See Device admin deprecation in the Google Android Enterprise developer guides.

Endpoint Management support for the transition to Android Enterprise will include making Android Enterprise the default enrollment option. For more information, see the blog, Android Enterprise as default for Citrix Endpoint Management service.

Support for iOS 13

Endpoint Management supports devices upgraded to iOS 13. The upgrade impacts your users as follows:

  • During enrollment, a few new iOS Setup Assistant Option screens appear. Apple added new iOS Setup Assistant Option screens to iOS 13. The new options are not included in the Settings > Apple Device Enrollment Program (DEP) page in this release. As a result, you can’t configure Endpoint Management to skip those screens. Those pages appear to users on iOS 13 devices.

  • Some Restrictions device policy settings available on supervised or unsupervised devices for previous iOS versions are available only on supervised devices for iOS 13+. The current Endpoint Management console tool tips don’t yet indicate that these settings are for supervised devices for iOS 13+ only.

    • Allow hardware controls:
      • FaceTime
      • Installing apps
    • Allow apps:
      • iTunes Store
      • Safari
      • Safari > Autofill
    • Network - Allow iCloud actions:
      • iCloud documents & data
    • Supervised only settings - Allow:
      • Game Center > Add friends
      • Game Center > Multiplayer gaming
    • Media content - Allow:
      • Explicit music, podcasts, and iTunes U material

These restrictions apply as follows:

  • If an iOS 12 (or lower) device is already enrolled in Endpoint Management and then upgrades to iOS 13, the preceding restrictions apply to unsupervised and supervised devices.
  • If an unsupervised iOS 13+ device enrolls in Endpoint Management, the preceding restrictions apply only to supervised devices.
  • If a supervised iOS 13+ device enrolls in Endpoint Management, the preceding restrictions apply only to supervised devices.

Requirements for trusted certificates in iOS 13 and macOS 15

Apple has new requirements for TLS server certificates. Verify that all certificates follow the new Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176. For help with managing certificates, see Uploading certificates in Endpoint Management.
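The following check is an added example, not code from Citrix or Apple. It tests a PEM server certificate against the requirements published in Apple's HT210176: RSA keys of at least 2048 bits, a SHA-2 signature hash, a DNS name in the Subject Alternative Name extension, and, for certificates issued after July 1, 2019, an id-kp-serverAuth EKU and a validity period of 825 days or fewer. It assumes the third-party Python `cryptography` package; the function names and the self-signed sample certificate are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = dt.timezone.utc
CUTOFF = dt.datetime(2019, 7, 1, tzinfo=UTC)  # stricter rules for certs issued after this
SHA2 = (hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512)

def _validity(cert):
    try:  # cryptography >= 42 exposes timezone-aware properties
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older releases return naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def apple_tls_findings(pem):
    """Return a list of HT210176 violations for one PEM server certificate."""
    cert = x509.load_pem_x509_certificate(pem)
    findings = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < 2048:
        findings.append("RSA key is smaller than 2048 bits")
    if not isinstance(cert.signature_hash_algorithm, SHA2):
        findings.append("signature does not use a SHA-2 hash")
    san = _ext(cert, x509.SubjectAlternativeName)
    if san is None or not san.get_values_for_type(x509.DNSName):
        findings.append("no DNS name in subjectAltName")
    start, end = _validity(cert)
    if start > CUTOFF:  # rules that apply only to newly issued certificates
        eku = _ext(cert, x509.ExtendedKeyUsage)
        if eku is None or ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            findings.append("EKU lacks id-kp-serverAuth")
        if (end - start).days > 825:
            findings.append("validity period exceeds 825 days")
    return findings

def make_sample(days=365, san=True, eku=True):
    """Build a constructed, self-signed test certificate (not a real one)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "mdm.example.test")])
    start = dt.datetime(2019, 10, 1, tzinfo=UTC)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days)))
    if san:
        b = b.add_extension(
            x509.SubjectAlternativeName([x509.DNSName("mdm.example.test")]), critical=False)
    if eku:
        b = b.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

if __name__ == "__main__":
    for label, pem in [("compliant", make_sample()),
                       ("legacy-style", make_sample(900, san=False, eku=False))]:
        print(label, apple_tls_findings(pem) or "OK")
```

The check covers the leaf certificate only. Apple's SHA-2 requirement also applies to issuing CAs, so run it against each certificate in the chain.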

Upgrade from GCM to FCM

As of April 10, 2018, Google deprecated Google Cloud Messaging (GCM). Google removed the GCM server and client APIs on May 29, 2019.

Google recommends upgrading to Firebase Cloud Messaging (FCM) right away to begin taking advantage of the new features available in FCM. For information from Google, see https://developers.google.com/cloud-messaging/faq and https://firebase.googleblog.com/2018/04/time-to-upgrade-from-gcm-to-fcm.html.

Requirements:

  • Endpoint Management 19.3.0 or later
  • Secure Hub 19.3.5 or later

To continue support for push notifications to your Android devices: If you use GCM with Endpoint Management, migrate to FCM. Then, update Endpoint Management with the new FCM key available from the Firebase Cloud Messaging Console.

Upgrade steps:

  1. Follow the information from Google to upgrade from GCM to FCM.
  2. In the Firebase Cloud Messaging Console, copy your new FCM key. You will need it for the next step.
  3. In the Endpoint Management console, go to Settings > Firebase Cloud Messaging and configure your settings.

    Devices switch over to FCM the next time they check in with Endpoint Management and do a policy refresh. To force Secure Hub to refresh policies: In Secure Hub, go to Preferences > Device Information and tap Refresh Policy.

For more information about configuring FCM, see Firebase Cloud Messaging.

Android Q

Citrix supports Android Q the day it’s available, sometimes referred to as day zero (0) support.

Before upgrading to the Android Q platform: See Migrate from device administration to Android Enterprise for information about how the deprecation of Google Device Administration APIs impacts devices running Android Q. Also see the blog, https://www.citrix.com/blogs/2019/06/26/citrix-endpoint-management-and-android-enterprise-a-season-of-change/.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers. See Integration with Citrix Workspace experience.

Mobile SSO to native SaaS apps (preview)

A preview of mobile SSO to native SaaS apps is now available for customers who meet these requirements:

  • Citrix Workspace Premium license
  • Your identity provider configured in Citrix Cloud
  • The following services configured:
    • Workspace service with Endpoint Management enabled. For information about enabling service integration, see Workspace configuration.
    • Citrix Endpoint Management service
    • Citrix Gateway service

Single sign-on to native SaaS apps is available from iOS and Android devices that are enrolled into MDM. For more information, see Configure mobile SSO (preview).

Citrix Gateway service (preview)

A preview of Citrix Gateway service is now available for customers who meet these requirements:

  • Citrix Workspace experience enabled
  • Citrix Gateway service subscription

If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative. For more information, see Configure Citrix Gateway use with Endpoint Management.

Apple host names that must remain open

Apple recently published a knowledge article that lists host names that must remain open to ensure proper operation of macOS, iOS, and iTunes. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see https://support.apple.com/en-us/HT201999.

Endpoint Management 19.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Expanded support for Zebra OEMConfig. Endpoint Management now supports managing Zebra devices using the Zebra Technologies administrative tool Zebra OEMConfig. (For information, see the Zebra Technologies website.) To manage devices using the Zebra OEMConfig app, publish the app and configure an Android Enterprise managed configurations device policy.

Content delivery network (CDN) availability for Windows apps. You can now deploy Windows apps by using a content delivery network. See Deliver enterprise apps from a CDN.

Group invitation support for users whose names include special characters. When you choose a group to receive enrollment invitations, Endpoint Management now gets the user list from Active Directory. The list includes users whose names contain special characters. See Enrollment invitations.

Fixed issues in Endpoint Management 19.10.0

After you enroll a new device or re-enroll an old device, an error message intermittently displays on Manage > Devices. [CXM-72634, CXM-73077]

When you select a Chrome or Workspace hub device in Manage > Devices > Enrolled Devices and then click Edit, the following message appears: “A configuration error occurred. Please try again.” That message also appears when you mouse over those devices in the devices list and click Show more. In either case, click OK to continue. [CXM-73010]

Endpoint Management 19.9.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

  • Support for encryption management for iOS and Android. When you add MDX apps, you can now choose whether MDX or the device platform encrypts data on your device.

    When you switch to platform-based encryption, compliance checks run before every app launch. If the compliance checks pass, the app runs and is protected by platform encryption. Analyze > Reporting now includes a report of non-compliant devices, such as devices that are jailbroken or don’t have a passcode.

    When you add an app, choose an Encryption type:

    • MDX encryption: MDX encrypts the data. MDX doesn’t enforce compliance. For existing apps, the default is MDX encryption.
    • Platform encryption with compliance enforcement: The device platform encrypts the data. You choose how compliance enforcement applies. For new apps, the default is Platform encryption with compliance enforcement.

    For more information about the MDX policies, see MDX policies for third-party apps for iOS and MDX policies for third-party apps for Android.

  • Support for iPadOS. Citrix Endpoint Management supports iPadOS 13.x. Device policies for iOS apply to devices running iPadOS. If you plan to enroll iPadOS devices by sending an invitation link to users, see the Citrix support article CTX261981.

  • Simplified app management for Android Enterprise. You no longer must go to managed Google Play or the Google Developer portal to approve or publish apps for Endpoint Management. As a result, app approval and publishing take about 10 minutes rather than hours.

    • Approve Android Enterprise apps for the Public App Store in the Endpoint Management console. You can now approve managed Google Play store apps without leaving the Endpoint Management console. After you enter an app name in the search field, the managed Google Play store UI opens with the instructions for you to approve and save the app. Your app then populates in the results allowing you to configure its details. See Add a public app store app.

    • Approve the MDX apps for Android Enterprise in the Endpoint Management console. You can now approve managed Google Play store apps for Android Enterprise without leaving the Endpoint Management console. After you upload an MDX file, the managed Google Play store UI opens with the instructions for you to approve and save the app. See Add an MDX app.

    • Publish enterprise apps for Android Enterprise in the Endpoint Management console. You no longer must register for a Google Play developer account when you add an Android Enterprise private app. The Citrix Endpoint Management console opens a managed Google Play store UI for you to upload and publish the APK file. See Add an enterprise app.

  • More certificate management features for Android Enterprise devices in work profile mode or fully managed mode. In addition to installing certificate authorities in the managed keystore, you can now manage the following features:

    • Configure the certificates used by specific managed apps. The Credentials device policy for Android Enterprise now includes the setting Apps to use the certificates. You can specify the apps to use the user certificates issued by the credential provider selected in this policy. Apps are silently granted access to certificates during run time. To use the certificates for all apps, leave the apps list blank. See Credentials device policy.

    • Silently remove certificates from the managed keystore or uninstall all non-system Certificate Authority certificates. See Credentials device policy.

    • Prevent users from modifying credentials stored in the managed keystore. The Restrictions device policy for Android Enterprise now includes the setting Allow user to configure user credentials. By default, that setting is On. See Restrictions device policy.

  • Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. Android location tracking requires Android 8.5 and higher. See Location device policy.

  • Easy access to BitLocker recovery keys. If a user loses their BitLocker recovery key, unlocking their device can be a challenge. Endpoint Management now displays the BitLocker recovery key for Windows desktops and tablets under the device details. See BitLocker recovery key.

Fixed issues in Endpoint Management 19.9.1

After adding a custom property with a special character, admins cannot access the Devices page on the XenMobile console. [CXM-57322]

The RBAC role Tier 2 techs can’t create enrollment invitations to a user group with more than 2000 users. Only full administrative users can create the invitations. [CXM-72086]

On iOS devices, administrators might lose the ability to send an “unlock device” command to passcode protected devices after the device is upgraded to iOS 13.1.x. To resolve this issue, see https://support.citrix.com/article/CTX262076. [CXM-73151]

Endpoint Management 19.9.0

  • Manage keyguard features for Android Enterprise work profile and fully managed devices. Android keyguard manages the device and work challenge lock screens. Use the Keyguard Management device policy to control:

    • Keyguard management on work profile devices. You can specify the features available to users before they unlock the device keyguard and the work challenge keyguard. For example, by default users can use fingerprint unlock and view unredacted notifications on the lock screen.

    • Keyguard management on fully managed and dedicated devices. You can specify the features available, such as trust agents and secure camera, before they unlock the keyguard screen. Or, you can choose to disable all keyguard features.

    See Keyguard Management device policy.

  • Samsung Knox container password reset. The Container Password Reset security action is no longer available for Android Enterprise Samsung Knox devices. Use the Container Lock security action to reset passwords for Samsung Knox containers. The Container Password Reset security action is still available for Samsung devices in device administrator mode.

  • Configure the product track for your Android Enterprise apps. When adding a public store app or an MDX app for Android Enterprise, configure the product track you want to push to user devices. For example, if you have a track designed for testing, you can select and assign it to a specific delivery group. To learn more about rolling out your release, see Google Play Help Center. For information on configuring the product track, see Add an MDX app or Add a public app store app.

  • Windows GPO configuration policy enabled automatically. The Windows GPO configuration policy enables automatically if you provision a Citrix Workspace Environment Management site in the Citrix Cloud. For more information, see Windows GPO Configuration device policy.

  • SSO HTTP error code is now 404. If the enable.cloud.console.sso server property is enabled, attempts to access the Endpoint Management console directly on port 4443 now result in a 404 error.

  • Mobile Device Management (MDM) and Workspace Environment Management (WEM) managed devices merged in the console. If a device is both MDM managed and WEM managed, it now displays as one device in the Endpoint Management console. The device label in the console is MDM, WEM. Previously, the device would show as two different devices. You can now also delete devices that are both MDM and WEM managed.

Fixed issues in Endpoint Management 19.9.0

After you deploy the App Access device policy, non-compliant devices don’t trigger the configured action. [CXM-69842]

Connectivity between Endpoint Management and Apple School Manager fails. [CXM-71844]

MAM devices wipe apps and app data because of a failure to get the user domain details. As a result, the device considers the user as deleted. [CXM-72093]

After enrolling a new device or re-enrolling an old device, an error message intermittently displays on the Manage tab. [CXM-72224]

Current known issues

Known issues in Endpoint Management 19.9.1

After uploading an MDX app for Android Enterprise, the managed Google Play store UI might not open in the Endpoint Management console. Until the issue is fixed, go to the managed Google Play store to approve and save the app manually. [CXM-73398]

Known issues in Endpoint Management 19.9.0

Enterprise apps deployed from Endpoint Management fail to install on macOS devices. This third-party issue is Apple bug #50311461. [CXM-65957]

The Settings > Apple Device Enrollment Program (DEP) page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Express Language, Preferred Language, Get Started, and Appearance. [CXM-71370]

You can’t configure G Suite admin credentials for Chrome OS devices. [CXM-71665]

The following setting label in the Passcode device policy is incorrect: Lock device after (minutes of inactivity) (0-999). The value range is 1-15. [CXM-73781]

Known issues in Endpoint Management 19.6.1

On the Endpoint Management console, some apps’ status displays as “Pending” even though they are already installed. This limitation is due to macOS and is specific to PKG files with different pkg and app identifiers. [CXM-72203]

Known issues in Endpoint Management 19.5.0

When enrolling a Citrix Ready workspace device, the Ethernet (eth0) MAC address needs to be defined in the whitelist or enrollment fails. [CXM-43141]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in Endpoint Management 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS and Android. [CXM-46820]

Known issues in Endpoint Management 19.1.2

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved; however, Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]