What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

Endpoint Management customers also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Note about the Citrix unified product portfolio:

If you’ve been a Citrix customer or partner for a while, you’ll notice new names in our products and in this product documentation. The new product and component names stem from the expanding Citrix portfolio and cloud strategy. For more detail about the Citrix unified portfolio, see the Citrix product guide.

Articles in this product documentation use the following names.

  • Citrix Endpoint Management: Citrix Endpoint Management is a solution for managing endpoints, offering mobile device management (MDM) and mobile application management (MAM) capabilities. With Endpoint Management, you manage device and app policies and deliver apps to users. Your business information stays protected with strict security for identity, devices, apps, data, and networks. Citrix Endpoint Management was formerly Citrix XenMobile Service.

  • Mobile productivity apps: XenMobile Apps is now mobile productivity apps. Citrix-developed mobile productivity apps are a group of enterprise mobile apps offering IT a secure choice for their users’ email, web browsing, and remote access. Mobile productivity apps include Citrix Secure Hub, Citrix Secure Mail, and Citrix Secure Web. The Endpoint Management Store is now the app store.

  • Citrix Workspace app: The Citrix Workspace app incorporates existing Citrix Receiver technology and the other Citrix Workspace client technologies. It has been enhanced to provide end users with a unified, contextual experience. Users can interact with all the work apps, files, and devices they need to do their best work. For more information, see this blog post.

    For Endpoint Management customers with the workspace experience enabled, users who open Secure Hub and click Add Apps are directed to the workspace. For more information, see Secure Hub.

  • Citrix Virtual Apps and Desktops: The Citrix Virtual Apps and Desktops service (formerly XenApp and XenDesktop) offers a virtual app and desktop solution. Provided as a cloud service and as an on-premises product, Virtual Apps and Desktops gives employees the freedom to work from anywhere on any device.

Implementing this transition in our products and their documentation is an ongoing process.

  • In-product content and documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, directory/file names, screenshots, and diagrams.
  • It is possible that some items (such as commands and MSIs) might continue to retain their former names to prevent breaking existing customer scripts.
  • Related product documentation and other resources (such as videos and blog posts) that are linked from this product’s documentation might still contain former names.

Your patience during this transition is appreciated.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers.

  • For new Endpoint Management customers (as of August 27, 2018):

    During Workspace configuration (Workspace Configuration > Service Integrations), you choose whether to enable Endpoint Management integration with workspace. By default, the integration is enabled.

    • If you enable the integration, the Citrix Workspace app aggregates resources from Endpoint Management and other configured sources. Your users access resources from the Citrix Workspace app. Other configured sources might include Citrix Virtual Apps and Desktops and Citrix Content Collaboration.

    • If you disable the integration, Citrix Secure Hub aggregates mobile apps. Your users access apps from Secure Hub.

    Important:

    After you configure your integration choice and enroll users: If you later change your integration choice, re-enrollment is required for all users.

  • For customers who onboarded before August 27, 2018:

    Workspace integration is disabled. Citrix Secure Hub aggregates mobile apps and your users access apps from Secure Hub. Citrix will notify you when migration to Workspace is supported without requiring re-enrollment for all users.

Endpoint Management 10.18.17

The latest version of Endpoint Management has these new features and improvements:

  • Mark devices out of compliance in Azure AD. You can use automated actions to mark Azure AD-enrolled Windows 10 devices out of compliance in Azure AD. When a device is marked out of compliance in Endpoint Management, it is also marked out of compliance in Azure AD. To enable this functionality in Azure AD, grant the on-premises MDM application permission to access the Graph API. For more information, see Automated Actions.

  • New Chrome OS restrictions policies. New settings in the Restrictions device policy for Chrome OS lets you:

    • Force users to re-enroll into their previous G Suite domain after a device wipe.
    • Control reporting on Chrome OS devices:

      • Device state reporting: Controls whether a device reports its current device state, including firmware, Chrome and platform version, and boot mode.
      • Device user tracking: Controls whether a device reports a list of users that recently logged on to the device. Users aren’t reported if the device is configured to erase all local user data.
    • Show the home button in the Chrome browser.
    • Control user access to external storage devices through the Chrome file browser.
    • Provide a domain name as an autocomplete option when users sign in.

    Each setting requires G Suite Chrome configuration. For more information, see Restrictions device policy.

  • Support for Samsung DeX mode. Samsung DeX enables users to connect KNOX-enabled devices to an external display to use apps, review documents, and watch videos on a PC-like interface. For information about Samsung DeX device requirements and setting up Samsung DeX, see How Samsung DeX works.

    To configure Samsung DeX mode features in Citrix Endpoint Management, update the Restrictions device policy for Samsung KNOX. For information, see “Samsung KNOX settings” in Restrictions device policy.

  • Support for Android SafetyNet. You can configure Endpoint Management to use the Android SafetyNet feature to assess the compatibility and security of Android devices that have Secure Hub installed. The results can be used to trigger automated actions on the devices. For information, see Android SafetyNet.

  • Prevent camera use for Android Enterprise devices. The new Allow use of camera setting for the Restrictions device policy lets you prevent users from using the camera on their Android Enterprise devices. For information, see Restrictions device policy.

  • A new version of the Get Devices by Filters API provides more details about devices. For more information, download the Public API for REST Services PDF. The new API is in the section “3.16.2 Get Devices by Filters (version 2)”.

  • New MDX policy to select how users report phishing: If the Report Phishing feature is enabled, you can use the Report Phishing Mechanism policy to control how users report phishing on Android. You can select whether Secure Mail forwards the phishing email as an attachment or if it forwards the entire email. For more information on the Report Phishing Mechanism policy, see MDX Policies for Android Apps.

Fixed issues in Endpoint Management 10.18.17

Third-party B2B VPP Secure apps don’t show as installed in Secure Hub. [CXM-55959]

Some models of Android phones cannot enroll after upgrading from Android 5.0 to 6.0.1. [CXM-56420]

On Android shared devices: If a user types an incorrect username, Secure Hub caches the wrong username even if the user corrects it. [CXM-56428]

When StoreFront is integrated with XenMobile Server, non-primary domains can’t enroll. [CXM-56640]

Endpoint Management 10.18.15

iOS 12 support announcement: We offer zero-day support for iOS 12. For Secure Mail, with iOS 12, we support the Group notifications feature. With this feature, conversations are grouped from a mail thread. You can quickly glance at grouped notifications on the lock screen of your device. Group notification settings are enabled by default on the device.

Note:

To prepare for device upgrades to iOS 12: The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Delete your VPN device policy and create a VPN device policy with the Citrix SSO connection type. For more information, see the “iOS settings” section in VPN device policy.

The latest version of Endpoint Management has these new features and improvements:

  • Apple Device Enrollment Program (DEP) account iOS setup assistant options for iOS 12.

    New options in the DEP account iOS setup assistant allow you to prevent users from seeing these screens during DEP devices:

    • Appearance: Prevents the user from seeing the Choose Your Look screen.
    • Software Update: Prevents the user from seeing the mandatory software update screen.
    • Screen Time: Prevents the user from seeing the Screen Time screen.

    These options are for DEP devices running iOS 12.0 and later. For more information, see “Step 3: Add a DEP account to Endpoint Management” in Bulk enrollment of Apple devices.

  • Notifications settings for iOS 12.
    • Show in CarPlay: Display notifications in Apple CarPlay.
    • Enable Critical Alert: Allow an app to mark a notification as a critical notification that ignores Do Not Disturb and ringer settings.

    For more information, see Apps notifications device policy.

  • Connecting Endpoint Management to G Suite. When configuring G Suite and Endpoint Management to enroll Chrome OS devices: You now provide your G Suite account administrator credentials in a window that pops up from the Endpoint Management console. This step verifies that you are the owner of the G Suite account and connects Endpoint Management to G Suite.

    For more information, see “Chrome OS devices” under Enroll devices.

  • Terminology change in the Endpoint Management console. The console now uses the term “Android Enterprise” instead of “Android for Work”.

Fixed issues in Endpoint Management 10.18.15

MDM configuration profiles aren’t renewed on iOS devices. The log error includes: Error MCInstallationErrorDomain-4001: Profile Installation Failed. [CXM-55170]

Endpoint Management (formerly Citrix XenMobile Service) 10.18.14

Important:

The AutoDiscovery Service URL discovery.mdm.zenprise.com will no longer be available after December 31, 2018. The new full-qualified domain name is ads.xm.cloud.com. For more information, see the Citrix support article https://support.citrix.com/article/CTX202044.

The latest version of Endpoint Management has these new features and improvements:

  • Device policy support for iOS 12.

    • Force automatic date and time setting for iOS 12

      The Restrictions device policy setting, Force automatic date and time, automatically sets the date and time on supervised devices running iOS 12. When this setting is enabled, device users can’t turn off Set Automatically under General > Date & Time. For more information, see Restrictions device policy.

    • OAuth settings for macOS 10.14 or later

      • Use OAuth: Configure the connection to use OAuth for authentication.
      • OAuth SignIn URL: Specify sign-in URL when authenticating using OAuth, if auto-discovery is not used.

      For more information, see Exchange device policy.

    • S/MIME signing and encryption settings for iOS 12

      Mail device policy and Exchange device policy settings are available to configure S/MIME signing and encryption on devices running iOS 12 and later. For more information, see Exchange device policy and Mail device policy.

  • More Chrome OS restrictions.
    • Prevent users from printing from the wrench menu, extensions, Javascript apps, and other locations.
    • Hide or display the bookmarks bar.
    • Prevent users from adding, updating, or deleting bookmarks.
    • Hide or display the End Process button in Task Manager.

    For more information, see Restrictions device policy.

  • New workflow for adding an app from the Google Play Store. Instead of specifying Google Play credentials when you add an app, you now add the package ID of the public store Android app.

    1. From the Google Play Store, copy the package ID. The ID is in the URL of the app.

      Image of searching for app

    2. When adding a Public Store app in the Citrix Endpoint Management console, paste the package ID in the search bar.

      Image of searching for app

    3. If the package ID is valid, a UI appears allowing you to enter app details.

      Image of searching for app

    For more information, see Add a public app store app.

  • Screen capture restriction for Android Enterprise. By default, users of devices enrolled in Android Enterprise can’t record or take a screen capture of the device screen. With the new Restrictions device policy setting, Allow screen capture, you can enable screen capture.

Important: iOS 12 and Citrix VPN

The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. For more information, see Known issues in Endpoint Management 10.18.14.

Fixed issues in Endpoint Management 10.18.14

Enterprise apps don’t silently upgrade on supervised devices running iOS 11.4 or later. [CXM-53190]

With no https proxy configured, you can’t send SMS messages through the Nexmo SMS gateway. [CXM-54309]

Submitting new or changed Google Play credentials in the Endpoint Management console results in the following message: Unable to render embedded object. This issue prevents you from adding apps and adding or updating Google Play credentials. [CXM-54758]

Known issues in Endpoint Management 10.18.14

The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. To prepare for device upgrades to iOS 12, delete your VPN device policy and create a VPN device policy with the Custom SSL connection type. For more information about configuring single sign-on, see Citrix SSO User Guide.

The Citrix VPN connection continues to operate in previously deployed devices after you delete the VPN device policy. Your new VPN device policy configuration takes effect in the next Endpoint Management release, during user enrollment. [CXM-55292]

Endpoint Management 10.18.12

The latest version of Endpoint Management has these new features and improvements:

  • Deploy CA Certificates for Citrix Ready workspace hub devices. Using the credentials policy, you can now deploy CA certificates for Citrix Ready workspace hub devices. For more information about the policy, see Credentials Policy

  • Support for Alexa for Business. You can now configure and manage you Alexa for Business devices in the Endpoint Management console. See Alexa for Business.

  • Prevent users from saving or deleting history on Chrome OS devices. By default, users of Google Chrome devices can save browsing history or delete browsing and download history. Additions to the Restrictions device policy for Chrome OS let you:
    • Prevent users from saving browsing history.
    • Prevent users from deleting their browsing and download history.

    Both of those settings require G Suite Chrome configuration. For more information, see Chrome OS settings.

  • Control Google Safe Browsing behavior on Chrome OS devices. By default, Google Safe Browsing warns users when they navigate to sites that are potentially dangerous. Additions to the Restrictions device policy for Chrome OS let you:
    • Enable users to proceed from the Safe Browsing warning page.
    • Ensure that Safe Browsing is always active and prevent users from changing or overriding the “Protect you and your device from dangerous sites” setting in Chrome.

    Both of those settings require G Suite Chrome configuration. For more information, see Chrome OS settings.

  • Deploy device policies to selected Chrome OS devices. The Manage > Devices page now includes a Deploy button for Chrome OS devices. The button works only if G Suite is configured and pushes only Chrome Device Management policies and not extension policies.

Note:

When an upgrade includes new Restrictions device policy settings, you must edit and save the policy. Endpoint Management doesn’t deploy the upgraded Restrictions device policy until you save it.

Starting the second quarter of 2018, support for Symbian and Windows Mobile/CE devices is no longer available to new customers. For information about the Microsoft product lifecycle, see https://support.microsoft.com/en-us/lifecycle/search/1143.

Fixed issues in Endpoint Management 10.18.12

Some cloud instances are unable to perform NetScaler Gateway connectivity checks. [CXM-53113]

User names that contain umlauts can now authenticate on the Endpoint Management server without errors. [CXM-53238]

When using Endpoint Management MDM and Intune MAM, users can’t change or edit the PIN type from the EMS console. [CXM-53805]

Current known issues

Known issues in Endpoint Management 10.18.17

On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]

Known issues in Endpoint Management 10.18.14

The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. [CXM-55292]

  • To prepare for device upgrades to iOS 12, delete your VPN device policy and create a VPN device policy with the Custom SSL connection type. For more information about configuring single sign-on, see Citrix SSO User Guide.

  • The Citrix VPN connection continues to operate in previously deployed devices after you delete the VPN device policy. Your new VPN device policy configuration takes effect in the next Endpoint Management release, during user enrollment.

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.6

For a Restrictions device policy for Samsung SAFE: The Browser, YouTube, and Google Play/Marketplace options have been removed. Use the Disable Applications option to enable or disable those features. [CXM-43043]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” That message should be “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]