Citrix Endpoint Management

What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates.

  • Rolling updates to Endpoint Management release approximately every two weeks.
  • These updates don’t result in any downtime for your instance or device users.
  • Not every release has new features and some updates include fixes and performance enhancements.

To you, the customer, this process is transparent. We apply initial updates to Citrix internal sites only, and then to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

You also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For more details, including cloud scale and service availability, see the Endpoint Management Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Before you upgrade an on-premises Citrix ADC to 13.0-64.35+

If you use the on-premises version of Citrix ADC and upgrade to version 13.0-64.35+: Perform the workaround described in Known issues in Endpoint Management 20.10.1.

Endpoint Management 20.10.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Limit methods to access the REST API. By contacting Citrix support, you can ensure that only Citrix Cloud accounts can access the REST API. Local administrator accounts can’t access the API with this feature enabled. See REST APIs.

Fixed issues in Endpoint Management 20.10.1

Users don’t receive enrollment invitation emails. [XMHELP-3081]

If you configure Endpoint Management as a discretionary certificate authority, the VPN, Wi-Fi, and other credentials device policies don’t deploy. [XMHELP-3093]

Endpoint Management 20.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Allow static or dynamic MAC addresses. As part of the Wi-Fi policy, iOS and iPadOS devices can now use a different MAC address each time they connect to the configured Wi-Fi network. You can also choose to have the MAC address remain static. However, using a dynamic MAC address makes it more difficult to identify the device consistently, enhancing privacy. See Wi-Fi policy.

Use Azure Active Directory (AAD) or Okta as identity platforms. The ability to use AAD or Okta as your identity platform is now available as a public preview. Users enrolling through Citrix Secure Hub can use their AAD or Okta credentials. To use either of these methods for single sign-on, configure Citrix Gateway for certificate-based authentication. For more information about using Okta for single sign on, see Single sign on with Okta. For more information about using AAD for single sign on, see Single sign on with Okta.

Use UPN or email for Okta authentication. When you set up Okta as your identity platform, you can allow users to log in with their UPN or their email address. See Single sign on with Okta.

Fixed issues in Endpoint Management 20.10.0

Users don’t receive enrollment invitation emails. [XMHELP-3081]

Endpoint Management 20.9.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Redeploy assigned policies to iOS and Android devices. If the user removes a policy, you can now redeploy the policy to iOS and Android devices. Go to Manage > Devices > Assigned Policies, select the policy, and click Reset status to change the deployment status to pending. For more information, see Supported enrollment methods for iOS and Supported enrollment methods for Android devices.

The FileVault device policy now allows for key storage and rotation. Using the FileVault device policy, you can now store personal recovery keys within Endpoint Management. End users can request their recovery key using the Self-Help Portal, and administrators can rotate personal recovery keys using security actions. For more information about the new features, see FileVault device policy.

More granular control over macOS update options. The OS Update device policy now allows you to control how macOS devices check for, download, and install updates. You can also configure the types of software updates allowed. For more information about the new settings, see OS Update device policy.

Fixed issues in Endpoint Management 20.9.1

The MDM certificate on some iOS devices doesn’t renew. In that case, the Manage > Devices > Device details > Certificates page shows an Apple MDM certificate that is close to expiration. The Endpoint Management server log includes the message The new MDM payload does not match the old payload. We recommend that you re-enroll the affected devices to resolve this issue. Citrix Technical Support can identify the devices to re-enroll and implement a temporary mitigation if needed. [CXM-86729]

Current known issues

Known issues in Endpoint Management 20.10.1

If you upgrade on-premises Citrix ADC to 13.0-64.35 or later, and Endpoint Management isn’t Workspace-enabled: Single sign-on to Citrix Files or the ShareFile domain URL in a browser with the Company Employee Sign in option results in an error. The user is unable to sign in. To work around this issue, follow these steps:

  1. If you haven’t already run the following command from the ADC CLI on Citrix Gateway, run it to enable global SSO:

    set vpn parameter SSO ON

    For more information see Citrix ADC Release (Feature Phase) 13.0 Build 67.39 and Impacted SSO configurations.

  2. Run the following commands:

    • To switch to the FreeBSD CLI, run shell
    • To navigate to the /netscaler folder, run cd /netscaler
    • Run nsapimgr_wr.sh -ys call=ns_weak_sso_type_enable

    After you complete those steps, users can SSO to Citrix Files or the ShareFile domain URL in a browser with the Company Employee Sign in option. [CXM-88400]

Known issues in Endpoint Management 20.5.0

At the beginning of June 2020, the Google Play EMM API had an outage. During the outage, if you went to Settings > Android Enterprise, Endpoint Management removed the Android Enterprise configuration from the console. As a result, currently enrolled devices don’t receive the policy and app updates. To fix the issue, contact Citrix Technical Support for assistance. [XMHELP-2811]

Known issues in Endpoint Management 20.4.1

When you install multiple LDAP Active Directories (AD) on Endpoint Management using Citrix Cloud Connector, only the first installed AD populates in the Endpoint Management settings. As a workaround, you can check Citrix Cloud. If those domains are marked as unused, manually mark Used. Marking the domain as used makes it available in Endpoint Management. [CXM-81697]

Known issues in Endpoint Management 20.2.1

For customers using a cloud hosting service and the new Citrix enhanced enrollment profiles: New devices may not successfully enroll. As a work-around, create a default enrollment profile that includes all delivery groups. See To create an enrollment profile. You might see an enrollment profile titled “FactoryDefault”. We use this enrollment profile for special logic. If you see the “FactoryDefault” enrollment profile, don’t modify or delete it. [CXM-79019]

After configuring Citrix Content Collaboration with a ShareFile URL in the Citrix Endpoint Management console, clicking the Test Connection button results in an error. To resolve this issue, disable multifactor authentication for ShareFile. Learn more about this issue and the workaround on this support page. [CXM-79240]

Sorting devices by Last access or Inactivity days results in a 500 internal server error. [CXM-79414]

Known issues in Endpoint Management 20.1.0

You can’t delete duplicate certificate files from Settings > Certificates. [CXM-72630]

When adding users to a library in Citrix Cloud, Endpoint Management reports success, but the users aren’t added. [CXM-73726]

Known issues in Endpoint Management 19.11.0

MDX and Public apps can’t be deleted from the console. As a workaround, select the app you want to delete and then click Edit. Deselect Android Enterprise and select any other platforms from the platform list. Save the app. You can then delete the app. [CXM-74468]

For sites with Workspace Environment Management (WEM) integrated with Endpoint Management: A Windows GPO configuration device policy created with User Configuration doesn’t deploy to user devices. A policy created with Device Configuration deploys as expected. [CXM-74762, WEM-6319]

Known issues in Endpoint Management 19.9.0

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Express Language, Preferred Language, Get Started, and Appearance. [CXM-71370]

Known issues in Endpoint Management 19.5.0

On macOS, enterprise apps pushed from Endpoint Management remain in a pending state. This third-party issue is Apple bug #50311461 and is fixed in macOS 10.14.4. [CXM-65957]

When enrolling a Citrix Ready workspace hub device, define the Ethernet (eth0) MAC address in the allow list to avoid failed enrollment. [CXM-43141]

Known issues in Endpoint Management 19.4.1

The Monitor tab doesn’t appear. [DIR-7483]

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in Endpoint Management 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS or Android. [CXM-46820]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved, however Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.19

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self-Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using the Citrix identity provider with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]

What’s new