What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Upgrade from GCM to FCM

As of April 10, 2018, Google deprecated Google Cloud Messaging (GCM). Google will remove the GCM server and client APIs on May 29, 2019.

Google recommends upgrading to Firebase Cloud Messaging (FCM) right away to begin taking advantage of the new features available in FCM. For information from Google, see https://developers.google.com/cloud-messaging/faq and https://firebase.googleblog.com/2018/04/time-to-upgrade-from-gcm-to-fcm.html.


  • Endpoint Management 19.3.0 or later
  • Secure Hub 19.3.5 or later

To continue support for push notifications to your Android devices: If you currently use GCM with Endpoint Management, migrate to FCM. Then, update Endpoint Management with the new FCM key available from the Firebase Cloud Messaging Console.

Upgrade steps:

  1. Follow the information from Google to upgrade from GCM to FCM.
  2. In the Firebase Cloud Messaging Console, copy your new FCM key. You will need it for the next step.
  3. In the Endpoint Management console, go to Settings > Firebase Cloud Messaging and configure your settings.

    Devices switch over to FCM the next time they check in with Endpoint Management and do a policy refresh. To force Secure Hub to refresh policies: In Secure Hub, go to Preferences > Device Information and tap Refresh Policy.

For more information about configuring FCM, see Firebase Cloud Messaging.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers.

  • For new Endpoint Management customers (as of August 27, 2018):

    During Workspace configuration (Citrix Cloud > Workspace Configuration > Service Integrations), you choose whether to enable Endpoint Management integration with Citrix Workspace. By default, the integration is disabled.

    • If you enable the integration, the Citrix Workspace app aggregates resources from Endpoint Management and other configured sources. Your users access resources from the Citrix Workspace app. Other configured sources might include Citrix Content Collaboration and Citrix Virtual Apps and Desktops.

    • If you leave the integration disabled, Citrix Secure Hub aggregates mobile apps. Your users access apps from Secure Hub.


    After you configure your integration choice and enroll users: If you later change your integration choice, re-enrollment is required for all users.

  • For customers who onboarded before August 27, 2018:

    You can enable Workspace integration (Citrix Cloud > Workspace Configuration > Service Integrations). Devices that are already enrolled in Secure Hub continue to use Secure Hub.

    New devices enroll in Workspace. However, if you prefer to enroll only selected devices in Workspace, you must create a delivery group called Workspace.

    • For devices already enrolled in Secure Hub and then added to the Workspace delivery group, a user must re-enroll the device. The user then accesses resources from the Citrix Workspace app.
    • For new devices added to the Workspace delivery group, users enroll in Workspace.
    • If you move a device from the Workspace delivery group to any other delivery group, a user must re-enroll the device. The user then accesses resources from Secure Hub.
    • Citrix will notify you when migration to Workspace is supported without requiring re-enrollment.

    To enable Citrix Workspace integration with Citrix Endpoint Management:

    1. Sign in to Citrix Cloud.
    2. Click Manage on the Endpoint Management tile. You can request a 30-day trial if the Manage tab is unavailable.
    3. In the upper-left menu, navigate to Workspace Configuration > Service Integration.
    4. Click Enable to integrate Citrix Workspace app with Endpoint Management.

Mobile SSO to native SaaS apps (preview)

A preview of mobile SSO to native SaaS apps is now available for customers who meet these requirements:

  • Citrix Workspace Premium license
  • Your identity provider configured in Citrix Cloud
  • The following services configured:
    • Workspace service with Endpoint Management enabled. For information about enabling service integration, see Workspace configuration.
    • Citrix Endpoint Management service
    • Citrix Gateway service

Single sign-on to native SaaS apps is available from iOS and Android devices that are enrolled into MDM. For more information, see Configure mobile SSO (preview).

Citrix Gateway service (preview)

A preview of Citrix Gateway service is now available for customers who meet these requirements:

  • Citrix Workspace experience enabled
  • Citrix Gateway service subscription

If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative. For more information, see Configure Citrix Gateway use with Endpoint Management.

Endpoint Management 19.6.0

  • Auto updates for Apple VPP apps. When you add a VPP account (Settings > iOS Settings), you can now enable auto updates for all iOS apps. See the App Auto Update setting in iOS Volume Purchase Program.

Fixed issues in Endpoint Management 19.6.0

The following error is displayed while adding a registry key to a Windows Embedded Compact policy if the length of the registry value exceeds 2048 characters: Console error: could not execute statement; SQL [n/a]; nested exception is org.hibernate.exception.DataException: could not execute statement. [CXM-59446]

During profile installation on an iOS device, “Not Verified” appears in the profile information. [CXM-64486]

When an Azure AD user signs in to some Windows 10 Azure AD joined devices configured as kiosks, kiosk mode does not activate. This issue doesn’t occur if you enter the Azure AD *User name** in the format azuread\user. For more information, see Kiosk device policy. [CXM-66123]

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

When you add a VPP account (Settings > iOS Settings), the following message appears if the token exceeds 350 characters: “The entered company token is not valid, please enter a new one.” [CXM-68113]

Endpoint Management 19.5.0

  • iOS MDM enrollment workflow change. To improve platform security by reducing misleading profile installations, Apple released a new workflow for manually enrolling devices in MDM. This new workflow affects all MDM solutions, including Citrix Endpoint Management.

    There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. The workflow changes are only for manual enrollment in MDM.

    Citrix has also simplified the enrollment. Previously, iOS device users receive two prompts during enrollment: A prompt for the root CA and a prompt for the MDM device certificate. Citrix installed the root CA for flexibility in using unsigned and signed certificates. Because all Citrix Cloud deployments use trusted certificates, the root CA is no longer needed.

    iOS device users receive only the MDM device certificate prompt during enrollment. That prompt is labeled “XenMobile Profile Service”.

    To support this change, Citrix changed the value of the server property, ios.mdm.enrollment.installRootCaIfRequired, to false. A Safari window opens during MDM enrollment to simplify the profile installation for users. For more information, see Enroll iOS devices and the following YouTube video:

    iOS enrollment video

  • Changes for new Endpoint Management customers:
    • Workspace experience deployment. You can create a separate delivery group, named Workspace, to begin to deploy the Workspace experience to new devices. By using the Workspace delivery group, you can deliver the Workspace experience to a small group without disrupting all users. See Citrix Endpoint Management integration with Citrix Workspace.
    • Preconfigured policies and apps for new customers of as Endpoint Management 19.5.0. If you onboard starting with Endpoint Management 19.5.0 or later, we preconfigure a few device policies and mobile productivity apps. That configuration enables you to immediately deploy basic functionality to device users. See Default device policies and mobile productivity apps.
  • Knox Platform for Enterprise device policy for Android Enterprise. You can now enter the KPE Premium and Standard license keys for Android Enterprise devices running Knox version 3.0 or later. For information, see Knox Platform for Enterprise device policy.

  • Public session device policy for Chrome OS. You can now configure Chrome OS devices to support guest sessions. For information on configuring this policy, see Public session device policy.

  • RBAC permission changes. The RBAC permission Add/Delete Local Users is now split into two permissions: Add Local Users and Delete Local Users.

Fixed issues in Endpoint Management 19.5.0

Enterprise apps don’t silently upgrade on supervised devices running iOS 11.4 or later. [CXM-66005]

When you edit a device policy, the following error message appears: “A configuration error occurred. Please try again”. [CXM-66370]

Endpoint Management 19.4.1

  • Through Workspace Environment Management (WEM) integration with Endpoint Management, you can manage all supported domain-joined Windows devices. This integration offers the following benefits and features:

    • With WEM alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two, WEM has access to MDM features and you can manage a wider spectrum of Windows operating systems through Endpoint Management.

    • That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.

    • MDM management isn’t a requirement for WEM integration. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.

    • For a list of the devices supported, see Operating System requirements.

    • Devices which receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.

    For more information, see Windows GPO Configuration device policy.

  • CDN delivery of enterprise apps is now the default for new multi-tenancy customers of as Endpoint Management 19.4.1. If you are a new customer in the Asia Pacific region, contact your Citrix support representative to enable CDN delivery. In all regions, existing customers who want to deliver enterprise apps using CDN must reupload existing apps after enabling the feature. See How enterprise apps work.

  • Support for Web and SaaS apps and Web links for Android Enterprise. Endpoint Management now supports delivering links for Web or SaaS apps and Web links to Android Enterprise devices. Web and SaaS apps and Web links are added for Android Enterprise in the same way they are added for other platforms. See Add a Web or SaaS app and Add a Web link.

  • More restrictions for Chrome OS devices:

    • Display instructions on disabled devices. You can now add a custom message to display on disabled Chrome OS devices.

    • Allow users to install specific extensions, apps, and themes. Enter the list of URLs to permit downloading from those sources.

    For more information, see Chrome OS settings.

Fixed issues in Endpoint Management 19.4.1

On Android Enterprise devices, the following app types might not appear in Secure Hub: Public app store apps configured in the Google Play platform and enterprise apps configured in the Android platform. [CXM-63638]

Android Enterprise apps don’t appear for devices until they are unenrolled and enrolled again. Apps also appear if you update them in their delivery groups. [CXM-64670]

Automated actions might not deploy to Android Enterprise devices. [CXM-64950]

The name and owner of your Android Enterprise enterprise might not display correctly in the Google Play store administrator console. [CXM-65647]

Current known issues

Known issues in Endpoint Management 19.6.0

The following error message displays when you attempt to configure a Public App by using the new app URL from the Apple Store. “Could not find the app you entered. Check the URL and try again.“

Refer to the workaround in https://support.citrix.com/article/CTX256704. [CXM-68537]

Known issues in Endpoint Management 19.5.0

When enrolling a Citrix Ready workspace device, the Ethernet (eth0) MAC address needs to be defined in the whitelist or enrollment fails. [CXM-43141]

On macOS, enterprise apps pushed from Endpoint Management remain in a pending state. This third-party issue is Apple bug #50311461. [CXM-65957]

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to choose Intune MAM/Endpoint Management. [CXM-31272]

When you set up a smart action to email inactive devices, related dependencies fail to work properly, breaking the smart action. [CXM-62110]

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in XenMobile Server 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS or Android. [CXM-46820]

Known issues in Endpoint Management 19.1.2

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved, however Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.17

On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]