What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For more details, including cloud scale and service availability, see the Endpoint Management Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers. See Integration with Citrix Workspace experience.

Mobile SSO to native SaaS apps (preview)

A preview of mobile SSO to native SaaS apps is now available for customers who meet these requirements:

  • Citrix Workspace Premium license
  • Your identity provider configured in Citrix Cloud
  • The following services configured:
    • Workspace service with Endpoint Management enabled. For information about enabling service integration, see Configure Workspaces.
    • Citrix Endpoint Management service
    • Citrix Gateway service

Single sign-on to native SaaS apps is available from iOS and Android devices that are enrolled into MDM. For more information, see Configure mobile SSO (preview).

Citrix Gateway service (preview)

A preview of Citrix Gateway service is now available for customers who meet these requirements:

  • Citrix Workspace experience enabled
  • Citrix Gateway service subscription

If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative. For more information, see Configure Citrix Gateway use with Endpoint Management.

Endpoint Management 20.3.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Enhanced enrollment profiles enabled for all customers

This release enables for all customers the enhanced enrollment profile features released to some customers in Endpoint Management 20.2.1. For information about this feature, see Configure multiple device and app management modes in a single environment.

Android devices are enrolled in Android Enterprise by default

Starting with this release, Android Enterprise is the default enrollment option for Android devices. If Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices by default.

This change supports changes Google is making to Android. Google deprecated the device administrator mode of device management and encourages customers to manage all Android devices using Android Enterprise. (See Device admin deprecation in the Google Android Enterprise developer guides.)

Starting with Endpoint Management 19.11.0, Citrix communicated actions required if you had not yet migrated all your organization's Android devices to Android Enterprise. For more information about Endpoint Management support for the transition to Android Enterprise, see the blog, Android Enterprise as default for Citrix Endpoint Management service.

If your Endpoint Management deployment includes devices that you must continue to manage in device admin mode, create an enrollment profile for these legacy devices.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Legacy device administration (not recommended). Click Next.

  5. Select Assignment (options). The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

To continue managing legacy devices in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices in a similar way to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

Fixed issues in Endpoint Management 20.3.0

Trying to sort devices by Last access or Inactivity days results in a 500 internal server error. [CXM-79414]

For customers using Amazon Web Services and the new Citrix enhanced enrollment profiles: iOS devices don’t enroll. As a work-around, create a default enrollment profile that includes all delivery groups. See To create an enrollment profile. [CXM-79019]

When you deploy a Passcode device policy to macOS devices, the policy applies to the system level instead of the user level. As a result, users aren’t prompted to change their passcode for hours, or even days. [CXM-75344]

Endpoint Management 20.2.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Configure multiple device and app management modes in a single environment

About this feature:

Enhanced enrollment profile support is rolling out over two releases. Citrix will send the usual notifications about upcoming releases.

Until the enhanced enrollment profile feature gets enabled for you, an enrollment profile only limits the number of devices a user can enroll.

You can now configure a single Endpoint Management site to support multiple enrollment configurations. The role of enrollment profiles expanded to include enrollment settings for device and app management.

Enrollment profiles support multiple use cases and device migration paths within a single Endpoint Management console. Use cases include:

  • Mobile Device Management (MDM only)
  • MDM+Mobile Application Management (MAM)
  • MAM only
  • Corporate-owned enrollments
  • BYOD enrollments (the ability to opt out of MDM enrollment)
  • Migration of Android device administrator enrollments to Android Enterprise enrollments (fully managed, work profile, dedicated device)

Enrollment profiles replace the now deprecated server property, xms.server.mode. This change does not impact your existing delivery groups and enrolled devices.

The following table shows the automated migration path from the existing server property mode to the new enrollment profile feature:

Existing server property | New management mode
ENT mode (iOS) | Apple device enrollment with Citrix MAM
ENT mode (Android) | Legacy device administrator with Citrix MAM
ENT mode (Android Enterprise) | Work profile on fully managed, with Citrix MAM
MAM mode (iOS and Android) | Citrix MAM
MDM mode (iOS) | Apple device enrollment
MDM mode (Android) | Legacy device administrator
MDM mode (Android Enterprise) | Work profile on fully managed

When you create a delivery group, you can attach an enrollment profile to the group. If you don’t attach an enrollment profile, Endpoint Management attaches the Global enrollment profile.

Enrollment profiles provide the following device management features:

  • Easier migration from Android device administrator (DA) mode to Android Enterprise. For Android Enterprise devices, settings include a device owner mode such as: Fully managed, work profile on fully managed, or dedicated. For more information, see Android Enterprise.

    [Image: Enrollment Profile page for Android]

    For this upgrade, your current Endpoint Management configurations for server mode and Settings > Android Enterprise map to the new enrollment profile settings as follows.

    Current configuration | Management setting | Device owner mode setting | Citrix MAM setting
    MDM; managed Google Play (Android Enterprise) | Android Enterprise | Work profile on fully managed | Off
    MDM; G Suite (legacy DA) | Legacy DA | not applicable | Off
    MAM | Do not manage devices | not applicable | On
    MDM+MAM; managed Google Play (Android Enterprise) | Android Enterprise* | Work profile on fully managed | On
    MDM+MAM; G Suite (legacy DA) | Legacy DA* | not applicable | On

    * If enrollment is required, Allow users to decline device management is Off.

    After the upgrade, your current enrollment profiles reflect those mappings. Consider whether you want to create other enrollment profiles to handle any new use cases as you transition away from legacy DA.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    [Image: Enrollment Profile page for Android]

  • Easier iOS management. For iOS devices, settings include a choice between enrolling devices as managed or unmanaged.

    [Image: Enrollment Profile page for iOS]

    For this upgrade, your prior configurations map to the new enrollment profile settings as follows.

    Server mode | Management setting | Citrix MAM setting
    MDM | Device enrollment | Off
    MAM | Do not manage devices | On
    MDM+MAM | Device enrollment | On

    If enrollment is required, Allow users to decline device management is Off.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    [Image: Enrollment Profile page for iOS]

  • Allow Windows 10 devices to automatically enroll in Citrix Workspace app.

    [Image: Enrollment Profile page for Windows]

    For this upgrade, your prior MDM configuration maps to the new enrollment profile setting Fully managed.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    [Image: Enrollment Profile page for Windows]

The following limitations exist for enhanced enrollment profiles:

  • The enhanced enrollment profile feature doesn’t work for iOS and Android devices when Endpoint Management is integrated with Citrix Workspace.

  • The enhanced enrollment profile feature isn’t available for one-time PIN or two-factor authentication enrollment invitations.

For more information, see Enrollment profiles.

Other updates in Endpoint Management 20.2.1

  • Simplified enrollment of dedicated Android Enterprise (COSU) devices. Endpoint Management now enables you to enroll dedicated Android Enterprise devices (also known as COSU devices) by creating an enrollment profile. You are no longer required to create a role-based access control (RBAC) role for enrolling dedicated devices. See Provisioning dedicated Android Enterprise devices.

  • Disable biometric authentication on Android devices with the Keyguard management policy. The Keyguard Management device policy now lets you disable fingerprint unlock, face authentication, iris authentication, or all biometric authentication for devices running Android 9.0 and later.

  • Get guidance in the Resource Center. Use the Resource Center to access the in-product data. For guidance from the dashboard, click the icon in the lower right corner.

    [Image: Resource Center icon]

Fixed issues in Endpoint Management 20.2.1

You previously needed permission to edit devices before you could use the Endpoint Management API to send notifications to devices. You now need Send Notification permissions to send notifications. [CXM-76689]

Endpoint Management 20.1.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

  • Support for Android Enterprise COPE devices. Endpoint Management supports Android Enterprise fully managed devices with work profiles. Google previously referred to those devices as COPE (corporate-owned personally enabled) devices.

    Android Enterprise fully managed devices have a device profile and a work profile. You can apply separate policy settings to the device and the work profile. For this release:

    • You can apply separate settings to the device and the work profile using these device policies: Credentials, Keyguard Management, Passcode, and Restrictions.
    • You can apply the location mode setting of the Location device policy to the COPE device itself but not to the work profile of the COPE device. Other settings in the Location device policy are not available for COPE devices. See the Location device policy.
    • You can apply the Lock security action separately to the device or the work profile.
  • Auto-enrollment of Windows 10 devices through Citrix Workspace app. Endpoint Management can now auto-enroll Windows 10 desktops and tablets using the Citrix Workspace app. For more information about this feature, see Integration with Citrix Workspace experience.

Fixed issues in Endpoint Management 20.1.0

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Get Started and Appearance. [CXM-71370]

The Filters tab is open by default for Manage > Devices. [CXM-75823]

ShareFile single sign-on (SSO) fails for multitenant customers on the same set of virtual machines. [CXM-75886]

Current known issues

Known issues in Endpoint Management 20.2.1

When you enroll a WEM-enabled Windows Desktop/Tablet device and then enroll the same device in MDM, the Endpoint Management console displays two separate entries for the device. [CXM-77412]

For customers using a cloud hosting service and the new Citrix enhanced enrollment profiles: New devices may not successfully enroll. As a work-around, create a default enrollment profile that includes all delivery groups. See To create an enrollment profile. You might see an enrollment profile titled “FactoryDefault”. We use this enrollment profile for special logic. If you see the “FactoryDefault” enrollment profile, don’t modify or delete it. [CXM-79019]

After configuring Citrix Content Collaboration with a ShareFile URL in the Citrix Endpoint Management console, clicking the Test Connection button results in an error. To resolve this issue, disable multifactor authentication for ShareFile. Learn more about this issue and the workaround on this support page. [CXM-79240]

Sorting devices by Last access or Inactivity days results in a 500 internal server error. [CXM-79414]

Known issues in Endpoint Management 20.1.0

You can’t delete duplicate certificate files from Settings > Certificates. [CXM-72630]

When adding users to a library in Citrix Cloud, Endpoint Management reports success, but the users aren’t added. [CXM-73726]

Known issues in Endpoint Management 19.11.0

MDX and Public apps can’t be deleted from the console. As a workaround, select the app you want to delete and then click Edit. Deselect Android Enterprise and select any other platforms from the platform list. Save the app. You can then delete the app. [CXM-74468]

For sites with Workspace Environment Management (WEM) integrated with Endpoint Management: A Windows GPO configuration device policy created with User Configuration doesn’t deploy to user devices. A policy created with Device Configuration deploys as expected. [CXM-74762, WEM-6319]

Known issues in Endpoint Management 19.9.0

Enterprise apps deployed from Endpoint Management fail to install on macOS devices. This third-party issue is Apple bug #50311461. [CXM-65957]

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Express Language, Preferred Language, Get Started, and Appearance. [CXM-71370]

Known issues in Endpoint Management 19.6.1

On the Endpoint Management console, some apps’ status displays as “Pending” even though they are already installed. This limitation is due to macOS and is specific to PKG files with different pkg and app identifiers. [CXM-72203]

Known issues in Endpoint Management 19.5.0

When enrolling a Citrix Ready workspace hub device, the Ethernet (eth0) MAC address needs to be defined in the whitelist or enrollment fails. [CXM-43141]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in Endpoint Management 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS and Android. [CXM-46820]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved; however, Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.19

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]