What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For more details, including cloud scale and service availability, see the Endpoint Management Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Support for iOS 13

Endpoint Management supports devices upgraded to iOS 13. The upgrade impacts your users as follows:

  • During enrollment, a few new iOS Setup Assistant Option screens appear. Apple added new iOS Setup Assistant Option screens to iOS 13. The new options are not included in the Settings > Apple Deployment Program page in this release. As a result, you can’t configure Endpoint Management to skip those screens. Those pages appear to users on iOS 13 devices.

  • Some Restrictions device policy settings available on supervised or unsupervised devices for previous iOS versions are available only on supervised devices for iOS 13+. The current Endpoint Management console tool tips don’t yet indicate that these settings are for supervised devices for iOS 13+ only.

    • Allow hardware controls:
      • FaceTime
      • Installing apps
    • Allow apps:
      • iTunes Store
      • Safari
      • Safari > Autofill
    • Network - Allow iCloud actions:
      • iCloud documents & data
    • Supervised only settings - Allow:
      • Game Center > Add friends
      • Game Center > Multiplayer gaming
    • Media content - Allow:
      • Explicit music, podcasts, and iTunes U material

These restrictions apply as follows:

  • If an iOS 12 (or lower) device is already enrolled in Endpoint Management and then upgrades to iOS 13, the preceding restrictions apply to unsupervised and supervised devices.
  • If an unsupervised iOS 13+ device enrolls in Endpoint Management, the preceding restrictions apply only to supervised devices.
  • If a supervised iOS 13+ device enrolls in Endpoint Management, the preceding restrictions apply only to supervised devices.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers. See Integration with Citrix Workspace experience.

Mobile SSO to native SaaS apps (preview)

A preview of mobile SSO to native SaaS apps is now available for customers who meet these requirements:

  • Citrix Workspace Premium license
  • Your identity provider configured in Citrix Cloud
  • The following services configured:
    • Workspace service with Endpoint Management enabled. For information about enabling service integration, see Workspace configuration.
    • Citrix Endpoint Management service
    • Citrix Gateway service

Single sign-on to native SaaS apps is available from iOS and Android devices that are enrolled into MDM. For more information, see Configure mobile SSO (preview).

Citrix Gateway service (preview)

A preview of Citrix Gateway service is now available for customers who meet these requirements:

  • Citrix Workspace experience enabled
  • Citrix Gateway service subscription

If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative. For more information, see Configure Citrix Gateway use with Endpoint Management.

Endpoint Management 19.12.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

You can now configure delivery groups for Windows devices based on device properties. (Preview) When configuring delivery groups, you can now configure groups based on device properties. This feature is only available for Windows desktops and tablets. To request access to this Preview feature, contact your Citrix sales or support representative. For more information about this feature, see To add a delivery group (Preview).

Import Group Policy Objects (GPOs) into Endpoint Management and deploy them directly to Windows 10 devices. Rather than relying on an AD administrator to deploy GPOs from the Group Policy Management console, you can import and deploy GPOs through the Endpoint Management console. See Windows GPO Configuration device policy.

Install EXE apps for Windows desktops and tablets. You can now upload EXE applications as enterprise apps for Windows Desktops and Tablets. For more information, see Add Win32 apps as Enterprise apps.

Users can no longer remove policies from iOS devices. Some device policies no longer allow users to remove the policy from iOS devices. The setting Allow user to remove policy has been removed for iOS from the following policies: APN policy, Mail policy, Passcode policy, Provisioning Profile policy, Proxy policy, and VPN policy.

Fixed issues in Endpoint Management 19.12.0

If you update an app version number with the Endpoint Management Public REST API and then by using the console: The app version doesn’t update. [CXM-69216]

Sometimes Endpoint Management can’t install EXE apps on Windows devices because the file hash isn’t correct. [CXM-75506]

Endpoint Management 19.11.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Apple Volume Purchase Program migration to Apple Business Manager (ABM) and Apple School Manager (ASM)

Companies and institutions using Apple Volume Purchase Program (VPP) need to migrate to Apps and Books in Apple Business Manager or Apple School Manager before December 1, 2019.

Before migrating VPP accounts in Endpoint Management, see this Apple support article.

If your organization or school only uses the Volume Purchase Program (VPP), you can enroll in ABM/ASM and then invite existing VPP Purchasers to your new ABM/ASM account. For ASM, navigate to https://school.apple.com. For ABM, navigate to https://business.apple.com.

To update your volume purchase (formerly VPP) account on Endpoint Management:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Volume Purchase. The Volume Purchase configuration page appears.

  3. Ensure that your ABM or ASM account has same app config as your previous VPP account.

  4. In the ABM or ASM portal, download an updated token.

  5. In the Endpoint Management console, do the following:

    1. Edit the existing volume purchase account with the updated token info for that location.

    2. Edit your ABM or ASM credentials. Don’t change the suffix.

    3. Click Save twice.

For more information, see:

Enrollment profiles control enrollment options for Android devices

Enrollment profiles now control how Android devices are enrolled if Android Enterprise in enabled for your Endpoint Management deployment. Enrollment profiles determine whether Android devices are enrolled in the default Android Enterprise mode (fully managed or work profile) or in legacy (device administrator) mode.

By default, the Global enrollment profile enrolls new and factory reset Android Enterprise devices as fully managed devices and enrolls BYOD Android Enterprise devices as work profile devices. For more information, see Android Enterprise.

Preparing legacy Android devices for Android Enterprise as default enrollment

Google is deprecating the device administrator mode of device management and encouraging customers manage all Android devices in device owner mode or profile owner mode. (See Device admin deprecation in the Google Android Enterprise developer guides.) To support this change, Android Enterprise is now the default enrollment option for Android devices.

This change means that if Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

To prepare for this change, Endpoint Management now allows you to create enrollment profiles that control how Android devices are enrolled.

Your organization might not be ready to begin managing legacy Android devices in device owner mode or profile owner mode. In that case, you can continue to manage them in device administrator mode. Create an enrollment profile for legacy devices and re-enroll all enrolled legacy devices.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Legacy device administration (not recommended). Click Next.

    Enrollment Profiles configuration screen

  5. Select Assignment (options). The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

To continue managing legacy device in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similar to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

For more information about Endpoint Management support for the transition to Android Enterprise, see the blog, Android Enterprise as default for Citrix Endpoint Management service.

Fixed issues in Endpoint Management 19.11.0

When searching for a Google Play Store app in the Endpoint Management console, the app name is empty. You can enter the name manually to save the app. [CXM-73261]

After uploading an MDX app for Android Enterprise, the managed Google Play store UI might not open in the Endpoint Management console. Until the issue is fixed, go to the managed Google Play store to approve and save the app manually. [CXM-73398]

For iOS, location tracking doesn’t work if you do the following: Configure and deploy a location policy, enable tracking from device security actions, and then delete the deployed location policy and create a new one. [CXM-73470]

Users with apostrophes in their user names can’t enroll their devices when their user name is imported from LDAP. [CXM-73780]

Endpoint Management 19.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Expanded support for Zebra OEMConfig. Endpoint Management now supports managing Zebra devices using the Zebra Technologies administrative tool Zebra OEMConfig. (For information, see the Zebra Technologies website.) To manage devices using the Zebra OEMConfig app, publish the app and configure an Android Enterprise managed configurations device policy.

Content delivery network (CDN) availability for Windows apps. You can now deploy Windows apps by using a content delivery network. See Deliver enterprise apps from a CDN.

Group invitation support for users whose names include special characters. When you choose a group to receive enrollment invitations, Endpoint Management now gets the user list from Active Directory. The list includes users whose names contain special characters. See Enrollment invitations.

Fixed issues in Endpoint Management 19.10.0

After you enroll a new device or re-enroll an old device, an error message intermittently displays on Manage > Devices. [CXM-72634, CXM-73077]

When you select a Chrome or Workspace hub device in Manage > Devices > Enrolled Devices and then click Edit, the following message appears: “A configuration error occurred. Please try again.” That message also appears when you mouse over those devices in the devices list and click Show more. In either case, click OK to continue. [CXM-73010]

Current known issues

Known issues in Endpoint Management 19.11.0

MDX and Public apps can’t be deleted from the console. As a workaround, select the app you want to delete and then click Edit. Deselect Android Enterprise and select any other platforms from the platform list. Save the app. You can then delete the app. [CXM-74468]

For sites with Workspace Environment Management (WEM) integrated with Endpoint Management: A Windows GPO configuration device policy created with User Configuration doesn’t deploy to user devices. A policy created with Device Configuration deploys as expected. [CXM-74762, WEM-6319]

Known issues in Endpoint Management 19.9.0

Enterprise apps deployed from Endpoint Management fail to install on macOS devices. This third-party issue is Apple bug #50311461. [CXM-65957]

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Express Language, Preferred Language, Get Started, and Appearance. [CXM-71370]

The following setting label in the Passcode device policy is incorrect: Lock device after (minutes of inactivity) (0-999). The value range is 1-15. [CXM-73781]

Known issues in Endpoint Management 19.6.1

On the Endpoint Management console, some apps’ status displays as “Pending” even though they are already installed. This limitation is due to macOS and is specific to PKG files with different pkg and app identifiers. [CXM-72203]

Known issues in Endpoint Management 19.5.0

When enrolling a Citrix Ready workspace hub device, the Ethernet (eth0) MAC address needs to be defined in the whitelist or enrollment fails. [CXM-43141]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in Endpoint Management 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS or Android. [CXM-46820]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved, however Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]