What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

Endpoint Management customers also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

About the Citrix unified product portfolio

If you’ve been a Citrix customer or partner for a while, you’ll notice new names in our products and in this product documentation. The new product and component names stem from the expanding Citrix portfolio and cloud strategy. For more detail about the Citrix unified portfolio, see the Citrix product guide.

Articles in this product documentation use the following names.

  • Citrix Endpoint Management: Citrix Endpoint Management is a solution for managing endpoints, offering mobile device management (MDM) and mobile application management (MAM) capabilities. With Endpoint Management, you manage device and app policies and deliver apps to users. Your business information stays protected with strict security for identity, devices, apps, data, and networks. Citrix Endpoint Management was formerly Citrix XenMobile Service.

  • Mobile productivity apps: XenMobile Apps is now mobile productivity apps. Citrix-developed mobile productivity apps are a group of enterprise mobile apps offering IT a secure choice for their users’ email, web browsing, and remote access. Mobile productivity apps include Citrix Secure Hub, Citrix Secure Mail, and Citrix Secure Web. The Endpoint Management Store is now the app store.

  • Citrix Workspace app: The Citrix Workspace app incorporates existing Citrix Receiver technology and the other Citrix Workspace client technologies. It has been enhanced to provide end users with a unified, contextual experience. Users can interact with all the work apps, files, and devices they need to do their best work. For more information, see this blog post.

    For Endpoint Management customers with the workspace experience enabled, users who open Secure Hub and click Add Apps are directed to the workspace. For more information, see Secure Hub.

  • Citrix Virtual Apps and Desktops: The Citrix Virtual Apps and Desktops service (formerly XenApp and XenDesktop) offers a virtual app and desktop solution. Provided as a cloud service and as an on-premises product, Virtual Apps and Desktops gives employees the freedom to work from anywhere on any device.

Implementing this transition in our products and their documentation is an ongoing process.

  • In-product content and documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, directory/file names, screenshots, and diagrams.
  • It is possible that some items (such as commands and MSIs) might continue to retain their former names to prevent breaking existing customer scripts.
  • Related product documentation and other resources (such as videos and blog posts) that are linked from this product’s documentation might still contain former names.

Your patience during this transition is appreciated.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers.

  • For new Endpoint Management customers (as of August 27, 2018):

    During Workspace configuration (Workspace Configuration > Service Integrations), you choose whether to enable Endpoint Management integration with workspace. By default, the integration is enabled.

    • If you enable the integration, the Citrix Workspace app aggregates resources from Endpoint Management and other configured sources. Your users access resources from the Citrix Workspace app. Other configured sources might include Citrix Virtual Apps and Desktops and Citrix Content Collaboration.

    • If you disable the integration, Citrix Secure Hub aggregates mobile apps. Your users access apps from Secure Hub.


    After you configure your integration choice and enroll users: If you later change your integration choice, re-enrollment is required for all users.

  • For customers who onboarded before August 27, 2018:

    Workspace integration is disabled. Citrix Secure Hub aggregates mobile apps and your users access apps from Secure Hub. Citrix will notify you when migration to Workspace is supported without requiring re-enrollment for all users.

iOS MDM enrollment workflow change

To improve platform security by reducing misleading profile installations, Apple plans to introduce a new workflow for manually enrolling devices in MDM. Please note that this new workflow will affect all MDM solutions, including Citrix Endpoint Management.

The new enrollment workflow requires that users manually install the MDM profiles. To do that users navigate to the Settings page, tap General, and then tap Profiles. The list of Profiles available for installation then appears. If the user doesn’t install the profile within 24 hours of downloading it, the profile gets deleted automatically.

There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, the workflow for manually enrolling in MDM does change. Currently, iOS device users receive two prompts during enrollment, for the root CA and the MDM device certificate. Starting with the Endpoint Management 19.2.0 release, iOS device users receive only the MDM device certificate prompt during enrollment. To support this change, Citrix is changing the value of the server property, ios.mdm.enrollment.installRootCaIfRequired, to false. With that change, a Safari window opens during MDM enrollment to simplify the profile installation for users.

New iOS enrollment workflow

  1. After you install and launch Secure Hub, tap Yes, Enroll.

    Image of Server Property screen

  2. After you type your credentials, a prompt appears to allow opening the Settings page to view the profiles. Tap Allow.

    Image of iOS enrollment screen

  3. Click Done to install the downloaded profile.

    Image of iOS enrollment screen

  4. Navigate to the Settings page, tap General, and then tap Profiles.

    Image of iOS enrollment screen

  5. A list of downloaded profiles appears. To begin the installation, tap Install Profile.

    Image of iOS enrollment screen

  6. To verify the profile to install, tap Install.

    Image of iOS enrollment screen

  7. Tap Install.

    Image of iOS enrollment screen

  8. Tap Trust to complete the profile installation. Repeat these steps to install other profiles.

    Image of iOS enrollment screen

  9. After you finish installing the profiles, return to Secure Hub and tap Complete Enrollment.

    Image of iOS enrollment screen

  10. Allow Secure Hub to access your location.

    Image of iOS enrollment screen

  11. After the workflow completes, the device is enrolled.

    Image of iOS enrollment screen

Endpoint Management 19.2.0

  • Deliver enterprise apps from a content delivery network (CDN). When a user isn’t located near an Endpoint Management server, enterprise app delivery can take a while. For significantly faster app downloads, you can instead have enterprise apps delivered from content delivery network (CDN) locations throughout the world. CDN support for enterprise apps is available for iOS apps (MDM or MAM enrollment) and Android apps (MDM or MAM enrollment). CDN support for enterprise apps isn’t available for Windows apps. To get started, see Deliver Enterprise apps from a CDN.

  • DEP device enrollment change for Citrix Workspace. If Endpoint Management is integrated with Citrix Workspace, the Workspace App is included in the DEP deployment package as a required app. This feature requires that you configure your DEP account settings for iOS with required credentials set to off. Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Endpoint Management.

  • The server property ios.mdm.enrollment.installRootCaIfRequired is now set to false. Endpoint Management uses a publicly trusted certificate chain, thus it isn’t necessary to push a root CA to devices. As a result, iOS device users no longer receive a prompt to install a root CA during enrollment.

  • The WiFi and Credentials policies now support Apple TV OS. In addition, you can now configure the Airplay Security device policy to control which devices can connect to Apple TV devices. For more information, see the WiFi, Credentials and Airplay Security device policy articles.

  • Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. See Location device policy.

  • Enhanced support for Alexa for Business. Endpoint Management now includes support for Alexa for Business conferencing, adding Alexa skills to your organizations, editing skill groups. See Alexa for Business.

  • Automated actions for Windows Agent policy. Using the Windows Agent policy, you can automate actions to run on Windows desktops and tablets based on registry values. For more information see the Windows Agent device policy and Automated Actions articles.

  • For Android Enterprise, the No Restrictions option for required characters in a passcode is now deprecated. Android Enterprise devices running Android 7 or higher no longer support a passcode created without character restrictions. If you previously set Required characters to No Restrictions, this update changes that value to Numbers only. This change doesn’t affect the current user signin experience. For more information, see Android Enterprise settings.

Fixed issues in Endpoint Management 19.2.0

When an app is deleted from the Intune library, and a user tries to delete it from the Citrix Cloud library, they can’t delete it. [CXM-61645]

After you upload a Google Play app in the Endpoint Manager console without adding an app icon image: If you later upload an image for the app, the image doesn’t appear in the apps list. [CXM-60965]

Endpoint Management 19.1.2

  • Files device policy now available for Android Enterprise. You can add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.

  • Configure time zone settings for Chrome OS devices. You can now select a time zone for the Chrome device and specify how to detect the time zone. For more information, see Restrictions device policy.

  • The user information shown on the Users and Enrollment Invitations pages is now restricted by an RBAC administrator’s group permissions. Previously, the Endpoint Management console included information for all local users and domain users on the Manage > Users and Manage > Enrollment Invitations pages.

    To specify which user groups an RBAC administrator has permission to view and manage, edit the administrator role and specify the user groups. For more information, see Configure roles with RBAC.

  • Launch third-party apps from the Workspace app. For customers with Citrix Workspace enabled: Before deploying new apps to users, you can add a comma-separated list of URLs to launch the apps from the Workspace app. For more information, see Add apps.

Fixed issues in Endpoint Management 19.1.2

You can’t upload Google Play services APK versions later than 11.5.09 in the Endpoint Management console. [CXM-59492]

Endpoint Management 10.19.1

The latest version of Endpoint Management has these new features and improvements:

  • Run multiple apps in a kiosk on Windows 10 Desktop and Tablet devices. You can now run multiple apps in Kiosk mode. With Citrix Endpoint Management 10.19.1 upgrade, your previous Kiosk policy has been removed. Be sure to configure the Kiosk policy for one or more applications. For more information, see Kiosk device policy.

  • Connection scheduling policy no longer allows continuous connections for Android, Android Enterprise, and Chrome devices. Citrix recommends that you use Firebase Cloud Messaging (FCM) to control connection from Android, Android Enterprise, and Chrome OS devices. If you chose not to use FCM, you can use the Connection scheduling policy, but the policy no longer allows you to configure continuous connections for these devices.

  • The Android Enterprise App Restriction policy is renamed to Android Enterprise Managed Configurations, to better reflect the scope of the policy settings.

Fixed issues in Endpoint Management 10.19.1

B2B apps uploaded to Apple Business Manager do not appear in the Endpoint Management console. [CXM-58864]

After the first user enrolls and signs on to a shared Android device with apps deployed: When that user signs off, the message “Please wait while we sign you on” appears. [CXM-59154]

Attempting to send an APNS notification fails with the error “java..lang.NullPointerException”. [CXM-60497]

Endpoint Management 10.18.20

The latest version of Endpoint Management has these new features and improvements:

  • Improvements to adding public apps from the Google Play store. When you add a public app, you now search for apps by package ID in the Endpoint Management console. You can upload a custom image for public apps, or leave the image field blank to use the stock Android image. See Add a public app store app.

  • New Restrictions device policy settings for Android Enterprise. New settings for the Restrictions device policy allow users access to these features on Android Enterprise devices: status bar, lock screen keyguard, account management, location sharing, and keeping the device screen on. See Restrictions device policy.

  • Android Enterprise WiFi device policy. You can now create WiFi device policies for Android Enterprise devices. See WiFi device policy.

  • Android Enterprise Custom XML device policy. You can now create Custom XML device policies for Android Enterprise devices. See Custom XML device policy.

  • Support for Knox Platform for Enterprise (KPE) Premium license keys. Samsung has upgraded the Knox License (KLM) and renamed it to the Knox Platform for Enterprise (KPE) Premium license key. When you obtain a KPE Premium license key, you can use it in place of the legacy Enterprise Licenses (ELM) and Knox Licenses (KLM). You can continue to use your existing ELM and KLM keys in Citrix Endpoint Management. When you obtain a KPE, you can create a Knox Platform for Enterprise device policy, to replace the Samsung MDM License Key device policy. See Knox Platform for Enterprise device policy.

  • Whitelist Android Enterprise apps by adding their package name in the Kiosk policy. You can now enter the package name that you want to whitelist in the Kiosk device policy for Android Enterprise. For more information, see Android Enterprise settings.

  • Changes to the micro VPN access settings in the EMS/Intune console. The micro VPN access settings are replaced with the following:

    • Network access: Select whether and how to allow micro VPN access to on-premises resources.
    • micro VPN session required: If you enable micro VPN access, you can require an online session for the app to work.
    • mVPN tunnel exclusion list: If you enable micro VPN access, you can specify the domains to exclude from the micro VPN policies.

    This update changes the Network access setting to Unrestricted. Existing apps will work as before. However, if you update an app, you must update your Network access setting. The following table shows the MvpnNetworkAccess setting to use to match your previous settings for MvpnRedirectWebTrafficWithSSO and MvpnDisableTCPRedirect.

    MvpnNetworkAccess MvpnRedirectWebTrafficWithSSO MvpnDisableTCPRedirect
    Unrestricted (Allowed) OFF ON
    Full Tunnel OFF OFF
    Web SSO ON ON
    Both (Full Tunnel + WebSSO) ON OFF

    The prior policy PermitVPNModeSwitching is replaced by Both (Full Tunnel + WebSSO).

    For more information, see To add apps to Endpoint Management integration with EMS/Intune console.

Current known issues

Known issues in Endpoint Management 19.2.0

When creating a public store app in XenMobile Server 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS or Android. [CXM-46820]

Known issues in Endpoint Management 19.1.2

Editing Windows Desktop and Tablet apps in Configure > Apps > Public App Store results in this message: “Application search failed”. Searching for those apps results in this message: “Error connecting to the windows desktop store url: Failed to retrieve public app details”. [CXM-61686]

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved, however Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.17

On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” That message should be “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]