What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

Endpoint Management customers also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

About the Citrix unified product portfolio

If you’ve been a Citrix customer or partner for a while, you’ll notice new names in our products and in this product documentation. The new product and component names stem from the expanding Citrix portfolio and cloud strategy. For more detail about the Citrix unified portfolio, see the Citrix product guide.

Articles in this product documentation use the following names.

  • Citrix Endpoint Management: Citrix Endpoint Management is a solution for managing endpoints, offering mobile device management (MDM) and mobile application management (MAM) capabilities. With Endpoint Management, you manage device and app policies and deliver apps to users. Your business information stays protected with strict security for identity, devices, apps, data, and networks. Citrix Endpoint Management was formerly Citrix XenMobile Service.

  • Mobile productivity apps: XenMobile Apps is now mobile productivity apps. Citrix-developed mobile productivity apps are a group of enterprise mobile apps offering IT a secure choice for their users’ email, web browsing, and remote access. Mobile productivity apps include Citrix Secure Hub, Citrix Secure Mail, and Citrix Secure Web. The Endpoint Management Store is now the app store.

  • Citrix Workspace app: The Citrix Workspace app incorporates existing Citrix Receiver technology and the other Citrix Workspace client technologies. It has been enhanced to provide end users with a unified, contextual experience. Users can interact with all the work apps, files, and devices they need to do their best work. For more information, see this blog post.

    For Endpoint Management customers with the workspace experience enabled, users who open Secure Hub and click Add Apps are directed to the workspace. For more information, see Secure Hub.

  • Citrix Virtual Apps and Desktops: The Citrix Virtual Apps and Desktops service (formerly XenApp and XenDesktop) offers a virtual app and desktop solution. Provided as a cloud service and as an on-premises product, Virtual Apps and Desktops gives employees the freedom to work from anywhere on any device.

Implementing this transition in our products and their documentation is an ongoing process.

  • In-product content and documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, directory/file names, screenshots, and diagrams.
  • It is possible that some items (such as commands and MSIs) might continue to retain their former names to prevent breaking existing customer scripts.
  • Related product documentation and other resources (such as videos and blog posts) that are linked from this product’s documentation might still contain former names.

Your patience during this transition is appreciated.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers.

  • For new Endpoint Management customers (as of August 27, 2018):

    During Workspace configuration (Workspace Configuration > Service Integrations), you choose whether to enable Endpoint Management integration with workspace. By default, the integration is enabled.

    • If you enable the integration, the Citrix Workspace app aggregates resources from Endpoint Management and other configured sources. Your users access resources from the Citrix Workspace app. Other configured sources might include Citrix Virtual Apps and Desktops and Citrix Content Collaboration.

    • If you disable the integration, Citrix Secure Hub aggregates mobile apps. Your users access apps from Secure Hub.


    After you configure your integration choice and enroll users: If you later change your integration choice, re-enrollment is required for all users.

  • For customers who onboarded before August 27, 2018:

    Workspace integration is disabled. Citrix Secure Hub aggregates mobile apps and your users access apps from Secure Hub. Citrix will notify you when migration to Workspace is supported without requiring re-enrollment for all users.

Endpoint Management 10.18.20

The latest version of Endpoint Management has these new features and improvements:

  • Improvements to adding public apps from the Google Play store. When you add a public app, you now search for apps by package ID in the Endpoint Management console. You can upload a custom image for public apps, or leave the image field blank to use the stock Android image. See Add a public app store app.

  • New Restrictions device policy settings for Android Enterprise. New settings for the Restrictions device policy allow users access to these features on Android Enterprise devices: status bar, lock screen keyguard, account management, location sharing, and keeping the device screen on. See Restrictions device policy.

  • Android Enterprise WiFi device policy. You can now create WiFi device policies for Android Enterprise devices. See WiFi device policy.

  • Android Enterprise Custom XML device policy. You can now create Custom XML device policies for Android Enterprise devices. See Custom XML device policy.

  • Support for Knox Platform for Enterprise (KPE) Premium license keys. Samsung has upgraded the Knox License (KLM) and renamed it to the Knox Platform for Enterprise (KPE) Premium license key. When you obtain a KPE Premium license key, you can use it in place of the legacy Enterprise Licenses (ELM) and Knox Licenses (KLM). You can continue to use your existing ELM and KLM keys in Citrix Endpoint Management. When you obtain a KPE, you can create a Knox Platform for Enterprise device policy, to replace the Samsung MDM License Key device policy. See Knox Platform for Enterprise device policy.

  • Whitelist Android Enterprise apps by adding their package name in the Kiosk policy. You can now enter the package name that you want to whitelist in the Kiosk device policy for Android Enterprise. For more information, see Android Enterprise settings.

  • Changes to the micro VPN access settings in the EMS/Intune console. The micro VPN access settings are replaced with the following:

    • Network access: Select whether and how to allow micro VPN access to on-premises resources.
    • micro VPN session required: If you enable micro VPN access, you can require an online session for the app to work.
    • mVPN tunnel exclusion list: If you enable micro VPN access, you can specify the domains to exclude from the micro VPN policies.

    This update changes the Network access setting to Unrestricted. Existing apps will work as before. However, if you update an app, you must update your Network access setting. The following table shows the MvpnNetworkAccess setting to use to match your previous settings for MvpnRedirectWebTrafficWithSSO and MvpnDisableTCPRedirect.

    MvpnNetworkAccess MvpnRedirectWebTrafficWithSSO MvpnDisableTCPRedirect
    Unrestricted (Allowed) OFF ON
    Full Tunnel OFF OFF
    Web SSO ON ON
    Both (Full Tunnel + WebSSO) ON OFF

    The prior policy PermitVPNModeSwitching is replaced by Both (Full Tunnel + WebSSO).

    For more information, see To add apps to Endpoint Management integration with EMS/Intune console.

Endpoint Management 10.18.19

The latest version of Endpoint Management has these new features and improvements:

  • Use Firebase Cloud Messaging instead of the Connection scheduling device policy. For customers who onboard with Endpoint Management 10.18.19, there is no option to set the Connection scheduling device policy to always require devices to connect. Citrix recommends that all customers use Firebase Cloud Messaging (FCM) to control notifications for Android, Android Enterprise, and Chrome OS devices. For an overview of FCM works, see this Google article, Firebase Cloud Messaging. For information on how to configure FCM with Endpoint Management, see this Endpoint Management article, Firebase Cloud Messaging.

  • More device policy restrictions for Samsung DeX mode. You can now configure restrictions to:

    • Specify the DeX screen timeout
    • Add an app shortcut to the DeX screen
    • Remove an app shortcut from the DeX screen
    • Specify the app packages to block from Samsung DeX mode

    See the Restrictions device policy section, Samsung KNOX settings.

  • New Chrome OS device policy to restrict user access to your network when their device is out-of-compliance. Configure the Verified Access policy to restrict user’s access to your network when their Chrome OS device is out of compliance. This policy requires G Suite Chrome configuration. For more information on Verified Access, see the Google article Enable Verified Access with Chrome devices.

  • iOS DEP enrollment default has changed. The enrollment setting Require credentials for device enrollment is now enabled by default. Apple strongly recommends user authentication during enrollment for security reasons.

  • Apple Device Enrollment Program (DEP) account iOS setup assistant options for iOS 12. New options in the DEP account iOS setup assistant allow you to prevent users from seeing these screens during DEP device setup:

    • SIM Setup: Prevents the user from seeing the Add Cellular Plan screen.
    • iMessage & FaceTime: Prevents the user from seeing the iMessage and FaceTime screen.

    These options are for DEP devices running iOS 12.0 and later. For more information, see “Step 3: Add a DEP account to Endpoint Management” in Bulk enrollment of Apple devices.

  • Endpoint Management now supports GroundControl. You can now add a supervision identity to use with GroundControl while setting up Apple DEP. For information about configuring Endpoint Management, see “Step 3: Add a DEP account to Endpoint Management” in Bulk enrollment of Apple devices.

  • Bulk enrollment enhancements for Windows 10 devices. When adding windows devices to the device whitelist, you can identify the devices by Device Name. You can also search for the associated user instead of typing the name manually. See Bulk enrollment of Windows devices.

  • Changes in Citrix Endpoint Management integration with Microsoft Intune/EMS.

    • You can now publish and manage Microsoft Outlook for iOS and Android using Citrix Endpoint Management integration with Microsoft Intune/EMS.
    • Some default values of micro VPN policies changed. The MvpnRedirectWebTrafficWithSSO policy now disables http/https redirection with SSO by default. The MvpnDisableTcpRedirect policy now disables TCP-level full-tunnel redirection by default. For more information, see MDX policies.

Fixed issues in Endpoint Management 10.18.19

For Android devices, the Device administrator disabled property is missing when you navigate to Device management > Device > Properties. [CXM-56099]

When you select certain VPP apps in Configure > Apps and then click Edit, the Search field and some table columns might not appear in the App details page. As a workaround, you can disable the search feature. Go to Settings > Server Properties and change the property enable.vpp.search.enhancement to false. [CXM-57975]

Endpoint Management 10.18.18

The latest version of Endpoint Management has these new features and improvements:

  • Delegated Admin Access now available for Endpoint Management. You can now create administrators in Citrix Cloud with custom access for Endpoint Management. Administrators with custom access can only manage services to which they have access. To configure custom access, sign in to Citrix Cloud and navigate to Identity and Access Management > Administrators.

    Image of Citrix Cloud Identity and Access Management page

    For information about configuring administrators, see Add administrators to a Citrix Cloud account.

  • Device certificate renewal. You can now request that Citrix Cloud Operations refresh or regenerate the internal PKI certificate authorities (CAs) in your Endpoint Management deployment. Open a Technical Support case for these requests.

    When the new CAs are available, Cloud Operations lets you know that you can proceed with renewing the device certificates for your users.

    For supported iOS, macOS, and Android devices, you can initiate certificate renewal through the security action, Certificate Renewal. You renew device certificates from the Endpoint Management console or the Public REST API. For enrolled Windows devices, users must re-enroll their devices to receive a new device CA.

    For more information, see Device certificate renewal and download the Public API for REST Services PDF. Here are the new APIs for managing CA certificates:

    • Return a list of devices still using the old CA (see section 3.16.2 in the Public API for REST Services PDF)
    • Renew Device Certificate (see section 3.16.58)
  • Simplified Android Enterprise setup. The process for setting up Android Enterprise is now shorter and simpler for Google Play customers. Management Tools for Endpoint Management are no longer needed to bind Endpoint Management as your enterprise mobility management (EMM) provider. The process for setting up Android Enterprise for G Suite customers is unchanged. For information, see Android Enterprise.

  • More Chrome OS device policies.

    • Control Chrome OS web content. The new Content device policy lets you set a specific home page, allow or block popups, and choose pages to load on startup. For information, see Content device policy.

    • Choose a release channel for Chrome OS updates. Google offers updates over several channels, ranging from a fully tested Stable channel to a Dev channel that might be unstable. By default, Chrome OS updates get distributed over the Stable channel.

      To choose a release channel, configure the Release channel setting in the OS Update device policy setting for Chrome OS. For information, see OS Update device policy.

  • WiFi device policy for Citrix Ready workspace hub devices. You can now manage how users connect their Citrix Ready workspace hub devices to WiFi networks. For information, see WiFi Policy.

  • Caller ID policy. Secure Mail can now provide contact names and phone numbers for iOS to use in identifying incoming phone calls. The Caller ID Support Enabled policy controls this feature. For information, see MDX Policies for iOS Apps.

Fixed issues in Endpoint Management 10.18.18

When enrolling devices using Android Enterprise, users’ UPNs do not map to their existing G Suite User ID. Instead, a new G Suite User ID is created. [CXM-53534]

When you add an administrator to Endpoint Management, certain international characters are incorrectly coded and those accounts aren’t added to delivery groups. [CXM-58051]

After upgrading Endpoint Management, some users can’t access resources using single sign-on. [XMHELP-1675]

Current known issues

Known issues in Endpoint Management 10.18.17

On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.6

For a Restrictions device policy for Samsung SAFE: The Browser, YouTube, and Google Play/Marketplace options have been removed. Use the Disable Applications option to enable or disable those features. [CXM-43043]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” That message should be “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]