What’s new

A goal of Citrix is to deliver new features and product updates to Endpoint Management customers when they are available. New releases provide more value, so there’s no reason to delay updates. Rolling updates to Endpoint Management release approximately every two weeks.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

Endpoint Management customers also receive Endpoint Management updates and communications directly from the Endpoint Management Cloud Operations Team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For details about the Endpoint Management Service Level Agreement for cloud scale and service availability, see Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Upgrade from GCM to FCM

As of April 10, 2018, Google deprecated Google Cloud Messaging (GCM). Google will remove the GCM server and client APIs on May 29, 2019.

Google recommends upgrading to Firebase Cloud Messaging (FCM) right away to begin taking advantage of the new features available in FCM. For information from Google, see https://developers.google.com/cloud-messaging/faq and https://firebase.googleblog.com/2018/04/time-to-upgrade-from-gcm-to-fcm.html.


  • Endpoint Management 19.3.0 or later
  • Secure Hub 19.3.5 or later

To continue support for push notifications to your Android devices: If you currently use GCM with Endpoint Management, migrate to FCM. Then, update Endpoint Management with the new FCM key available from the Firebase Cloud Messaging Console.

Upgrade steps:

  1. Follow the information from Google to upgrade from GCM to FCM.
  2. In the Firebase Cloud Messaging Console, copy your new FCM key. You will need it for the next step.
  3. In the Endpoint Management console, go to Settings > Firebase Cloud Messaging and configure your settings.

    Devices switch over to FCM the next time they check in with Endpoint Management and do a policy refresh. To force Secure Hub to refresh policies: In Secure Hub, go to Preferences > Device Information and tap Refresh Policy.

For more information about configuring FCM, see Firebase Cloud Messaging.

Deprecation of TLS versions

To improve the security of the Citrix Endpoint Management service, Citrix now blocks any communication over Transport Layer Security (TLS) 1.0 and 1.1. Because the security of TLS 1.0 is weakening, the PCI Council is deprecating it.

How this change impacts you

If you use mobile application management through an on-premises Citrix Gateway (NetScaler Gateway), you must update your load balancer service to enable TLS 1.2.

Older versions of the following connectors support TLS 1.0 only:

  • Endpoint Management connector for Exchange ActiveSync
  • Citrix Gateway connector for Exchange ActiveSync

Upgrade your connector as follows:

  • If you use Endpoint Management connector for Exchange ActiveSync build 10.1.3 or lower, upgrade to build 10.1.4 or higher.

  • If you use Citrix Gateway connector for Exchange ActiveSync build 8.5.0 or lower, upgrade to build or higher.

What to do

If you use an on-premises Citrix Gateway (NetScaler Gateway), enable TLS 1.2 on your load balancer service. For information, see https://support.citrix.com/article/CTX247095. Following is a video that shows how to enable TLS 1.2 on Citrix Gateway.

To download either connector for Exchange ActiveSync, go to the Server Components section under Endpoint Management Server on Citrix.com.
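To check an on-premises Citrix Gateway configuration for the TLS 1.2 requirement described above, the following added example (not Citrix code) audits saved configuration text in ns.conf syntax. It assumes protocol versions are set directly with `set ssl vserver` or `set ssl service` lines and their `-ssl3`, `-tls1`, `-tls11` and `-tls12` parameters; settings applied through an SSL profile are not evaluated, and the entity names in the sample are constructed.

```python
import re

# Constructed sample in ns.conf syntax; entity names and addresses are made up.
SAMPLE_NS_CONF = """\
add lb vserver lb_xm_mam SSL 10.0.0.10 8443
set ssl vserver lb_xm_mam -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
set ssl vserver lb_legacy -tls1 ENABLED -tls11 ENABLED -tls12 DISABLED
set ssl service svc_xm_backend -tls1 ENABLED
set ssl vserver "lb old mdm" -tls12 ENABLED
"""

SET_SSL = re.compile(r'^set ssl (vserver|service)\s+("[^"]+"|\S+)\s+(.*)$')
PROTO_FLAG = re.compile(r'(?<!\S)-(ssl3|tls1|tls11|tls12)\s+(ENABLED|DISABLED)\b')
LEGACY = ("ssl3", "tls1", "tls11")


def collect_flags(conf_text):
    """Merge protocol flags from every 'set ssl vserver|service' line, per entity."""
    entities = {}
    for line in conf_text.splitlines():
        m = SET_SSL.match(line.strip())
        if m:
            name = m.group(2).strip('"')
            key = m.group(1) + " " + name
            # Later lines for the same entity override earlier ones.
            entities.setdefault(key, {}).update(PROTO_FLAG.findall(m.group(3)))
    return entities


def audit_tls(conf_text):
    """Return {entity: [findings]}; an empty list means TLS 1.2 is explicitly
    enabled and no legacy protocol is explicitly enabled."""
    report = {}
    for entity, flags in collect_flags(conf_text).items():
        findings = []
        tls12 = flags.get("tls12")
        if tls12 == "DISABLED":
            findings.append("tls12 DISABLED: enable TLS 1.2 on this entity")
        elif tls12 is None:
            # Defaults differ between builds and SSL profiles, so do not guess.
            findings.append("tls12 not set explicitly: check the effective value")
        findings += [p + " explicitly ENABLED" for p in LEGACY
                     if flags.get(p) == "ENABLED"]
        report[entity] = findings
    return report


if __name__ == "__main__":
    for entity, findings in audit_tls(SAMPLE_NS_CONF).items():
        print(entity, "->", findings or "ok")
```
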

About the Citrix unified product portfolio

If you’ve been a Citrix customer or partner for a while, you’ll notice new names in our products and in this product documentation. The new product and component names stem from the expanding Citrix portfolio and cloud strategy. For more detail about the Citrix unified portfolio, see the Citrix product guide.

Implementing this transition in our products and their documentation is an ongoing process. Your patience during this transition is appreciated.

Citrix Endpoint Management integration with Citrix Workspace

Endpoint Management integration with Citrix Workspace differs for new and existing customers.

  • For new Endpoint Management customers (as of August 27, 2018):

    During Workspace configuration (Workspace Configuration > Service Integrations), you choose whether to enable Endpoint Management integration with workspace. By default, the integration is enabled.

    • If you enable the integration, the Citrix Workspace app aggregates resources from Endpoint Management and other configured sources. Your users access resources from the Citrix Workspace app. Other configured sources might include Citrix Virtual Apps and Desktops and Citrix Content Collaboration.

    • If you disable the integration, Citrix Secure Hub aggregates mobile apps. Your users access apps from Secure Hub.


    After you configure your integration choice and enroll users: If you later change your integration choice, re-enrollment is required for all users.

  • For customers who onboarded before August 27, 2018:

    Workspace integration is disabled. Citrix Secure Hub aggregates mobile apps and your users access apps from Secure Hub. Citrix will notify you when migration to Workspace is supported without requiring re-enrollment for all users.

iOS MDM enrollment workflow change

To improve platform security by reducing misleading profile installations, Apple plans to introduce a new workflow for manually enrolling devices in MDM. Note that this new workflow will affect all MDM solutions, including Citrix Endpoint Management.

The new enrollment workflow will require that users manually install the MDM profiles. To do that, users navigate to the Settings page, tap General, and then tap Profiles. The list of Profiles available for installation then appears. If the user doesn’t install the profile within 24 hours of downloading it, the profile gets deleted automatically.

There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, the workflow for manually enrolling in MDM does change. Currently, iOS device users receive two prompts during enrollment, for the root CA and the MDM device certificate. When this change goes into effect, iOS device users receive only the MDM device certificate prompt during enrollment.

To support this change, Citrix will change the value of the server property, ios.mdm.enrollment.installRootCaIfRequired, to false. With that change, a Safari window opens during MDM enrollment to simplify the profile installation for users.

For more information, see the blog Changes ahead for Citrix Endpoint Management MDM enrollment process.

Endpoint Management 19.4.1

  • Through Workspace Environment Management (WEM) integration with Endpoint Management, you can manage all supported domain-joined Windows devices. This integration offers the following benefits and features:

    • With WEM alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two, WEM has access to MDM features and you can manage a wider spectrum of Windows operating systems through Endpoint Management.

    • That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.

    • Devices don’t need to be MDM managed for the WEM integration to work. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.

    • For a list of the devices supported, see Operating System requirements.

    • Devices which receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.

    For more information, see Windows GPO Configuration device policy.

  • CDN delivery of enterprise apps is now the default for new multi-tenancy customers as of Endpoint Management 19.4.1. If you are a new customer in the Asia Pacific region, contact your Citrix support representative to enable CDN delivery. In all regions, existing customers who want to deliver enterprise apps using CDN must reupload existing apps after enabling the feature. See How enterprise apps work.

  • Preconfigured policies and apps for new customers as of Endpoint Management 19.4.1. If you onboard starting with Endpoint Management 19.4.1 or later, we preconfigure a few device policies and mobile productivity apps. That configuration enables you to immediately deploy basic functionality to device users. See Default device policies and mobile productivity apps.

  • Support for Web and SaaS apps and Web links for Android Enterprise. Endpoint Management now supports delivering links for Web or SaaS apps and Web links to Android Enterprise devices. Web and SaaS apps and Web links are added for Android Enterprise in the same way they are added for other platforms. See Add a Web or SaaS app and Add a Web link.

  • More restrictions for Chrome OS devices:

    • Display instructions on disabled devices. You can now add a custom message to display on disabled Chrome OS devices.

    • Allow users to install specific extensions, apps, and themes. Enter the list of URLs to permit downloading from those sources.

    For more information, see Chrome OS settings.

Fixed issues in Endpoint Management 19.4.1

On Android Enterprise devices, the following app types might not appear in Secure Hub: Public app store apps configured in the Google Play platform and enterprise apps configured in the Android platform. [CXM-63638]

Android Enterprise apps don’t appear for devices until they are unenrolled and enrolled again. Apps also appear if you update them in their delivery groups. [CXM-64670]

Automated actions might not deploy to Android Enterprise devices. [CXM-64950]

The name and owner of your Android Enterprise enterprise might not display correctly in the Google Play store administrator console. [CXM-65647]

Endpoint Management 19.3.1

Fixed issues in Endpoint Management 19.3.1

If you deployed a Store device policy for Windows 10 Desktop and Tablet devices before release 19.3.1: When a user clicks the Windows store link in the Start menu, a message appears: “500 Internal Server Error” or “HTTP Status 404 - Either you have reached an old URL or this device is not registered”. To resolve this issue, you must recreate and deploy your Store device policy. [CXM-61785]

If an Active Directory user group is assigned to an RBAC role permission, you can’t delete the LDAP configuration containing that user group. As a workaround, if you unassign the corresponding Active Directory group from RBAC, you can delete the domain. [CXM-62737]

Endpoint Management 19.3.0

  • Support for Samsung Knox on Android Enterprise policy unification. For Android Enterprise devices running Samsung Knox 3.0 or later and Android 8.0 or later: Knox and Android Enterprise are combined into a unified device and profile management solution. Configure Knox settings on the Android Enterprise page of the following device policies:

  • App inventory device policy for Android Enterprise. You can now collect an inventory of the Android Enterprise apps on managed devices. For more information, see App inventory device policy.

  • Files device policy for Android Enterprise. You can now add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.

  • Lock and reset password for Android Enterprise. Endpoint Management now supports the Lock and Reset password security action for Android Enterprise devices enrolled in work profile mode running Android 8.0 and greater. See Security actions.

  • Azure Active Directory support in a kiosk on Windows 10 Desktop and Tablet devices. You can now add domain joined Azure AD devices in Kiosk mode. See Kiosk device policy.

  • For Endpoint Management customers with the workspace experience enabled: Citrix Endpoint Management supports federated authentication through the Workspace app on iOS and Android. This feature does not support Azure Active Directory. For information, see Change authentication to workspaces.

  • Public REST API change. The Endpoint Management Public API for REST Services now includes an API to edit platform details inside the container for MDX apps. See “Section Update platform details inside the container for MDX apps” in the PDF, Public API for REST Services.

Fixed issues in Endpoint Management 19.3.0

If the enterprise is deleted from Managed Google Play and updated on the Endpoint Management server, Android Enterprise devices sometimes can’t enroll. [CXM-62769]

For Citrix Endpoint Management integration with Microsoft Intune/EMS: Changes made to an Intune store app name or description don’t get saved. [CXM-62842]

After you edit an iOS Intune app, the app won’t install from the Microsoft Company Portal app. [CXM-62972]

If assigned permission as a Citrix Cloud custom administrator instead of a full administrator, you cannot click the Manage button to navigate resources. [CXM-63433]

Current known issues

Known issues in Endpoint Management 19.4.1

When tabbing through options in the Windows GPO device policy, radio buttons and check boxes get skipped. [CXM-58277]

Known issues in Endpoint Management 19.2.1

When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to select Intune MAM/Endpoint Management. [CXM-31272]

When you set up a smart action to email inactive devices, related dependencies fail to work properly, breaking the smart action. [CXM-62110]

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Attempts to re-enroll the enterprise might fail. Always use the Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. G Suite customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Endpoint Management 19.2.0

When creating a public store app in XenMobile Server 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS and Android. [CXM-46820]

Known issues in Endpoint Management 19.1.2

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

Known issues in Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: “A configuration error occurred. Please try again”. When you close the error message, your Android Enterprise configuration is saved; however, Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Endpoint Management 10.18.17

On Endpoint Management instances installed on Microsoft Azure: Opening the Device Whitelist tab intermittently results in a message that indicates the whitelist service isn’t configured. The whitelist still functions appropriately. [CXM-57318]

Known issues in Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Endpoint Management doesn’t update the User Role in the Endpoint Management console until after the administrator logs in again from Secure Hub or the Self Help Portal. [CXM-45730]

Known issues in Endpoint Management 10.7.4

If you configure Endpoint Management for single sign-on using Citrix Identity Platform with Azure Active Directory: When an Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” That message should be “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]

Known issues in Endpoint Management 10.7.3

For devices running Windows 10 RS3 Version 1709 build 16299.19: App Configuration device policies created by importing a Citrix Receiver ADMX file might fail when pushed to those devices. This third-party issue is Microsoft bug ID #14280113. [CXM-40521]