Citrix Endpoint Management

What’s new

Citrix aims to deliver new features and product updates to Citrix Endpoint Management customers when they’re available. New releases provide more value, so there’s no reason to delay updates.

  • Rolling updates to Citrix Endpoint Management go out approximately every two weeks.
  • These updates don’t result in any downtime for your instance or device users.
  • Not every release has new features and some updates include fixes and performance enhancements.

To you, the customer, this process is transparent. We apply initial updates to Citrix internal sites only, and then to customer environments gradually. Delivering updates incrementally in waves helps to provide product quality and to maximize availability.

You also receive Citrix Endpoint Management updates and communications directly from the Citrix Endpoint Management Cloud Operations team. Those updates keep you current with new features, known issues, fixed issues, and so on.

For more details, including cloud scale, and service availability, see the Citrix Endpoint Management Service Level Agreement. To monitor service interruptions and scheduled maintenance, see the Service Health Dashboard.

Continued support for the Classic policies deprecated from Citrix ADC

Citrix recently announced the deprecation of some Classic policy-based features starting with Citrix ADC 12.0 build 56.20. The Citrix ADC deprecation notices have no impact to existing Citrix Endpoint Management integrations with NetScaler Gateway. Citrix Endpoint Management continues to support the Classic policies and no action is needed.

Before upgrading endpoints to iOS 14.5

Before upgrading any endpoint to iOS 14.5, Citrix recommends that you do the following to mitigate app crashes:

  • Upgrade Citrix Secure Mail and Citrix Secure Web to 21.2.X or higher. See Upgrade MDX or enterprise apps.
  • If you use the MDX Toolkit, wrap all third-party iOS applications with MDX Toolkit 21.3.X or higher and upgrade those apps in the Citrix Endpoint Management console. Check the MDX Toolkit download page for the latest version.

Before you upgrade an on-premises Citrix ADC to 13.0-64.35+

If you use the on-premises version of Citrix ADC and upgrade to version 13.0–64.35+: use the workaround described in Known issues in Citrix Endpoint Management 20.10.1.

Citrix Endpoint Management 24.10.0

  • Authentication with Azure Active Directory Group-Based Administration: Citrix Endpoint Management supports group-based identity authentication through Azure Active Directory (AAD) and SAML identity providers, allowing administrators to manage access at the group level using AAD group membership. This update offers greater flexibility and enhanced security through centralized group controls. While this new functionality streamlines access management, the legacy Citrix Identity login mechanism also remains available to ensure backward compatibility. For more information, see Authentication with Azure Active Directory Group-Based Administration.
  • Support blocking of web distributed third party apps: In Restriction policy, a new setting Web Distribution apps has been added to block the web distributed third party apps on iOS devices. This setting is applicable for iOS versions 17.5 and later. For more information see Restrictions Policy. Contact your admin to enable this feature if needed.
  • Unified Platform Experience: Citrix Endpoint Management enables a unified platform experience by providing unified navigation across Citrix products. This feature changes the location of the navigation bar in the overall user interface and adds a new left navigation bar.
  • Citrix Endpoint Management enhancement to support Windows 2022 CA server: Citrix Endpoint Management supports the following CA servers:

    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022
  • Monitor tab is deprecated: Monitor Tab in Citrix Endpoint Management is deprecated from October 2024. For more information, see Deprecations and removals.
  • Update Public Rest API document to include device Lost Mode API: Added the Lost Mode API in Public Rest API document.
  • Modify API call to be post body instead of URL: Updated the API call to include the data in the request body rather than in the URL in Public Rest API document.
  • Support for Android 15: Citrix Endpoint Management and Citrix Mobile productivity apps now supports Android Enterprise device updates to Android 15. For more information about security and privacy benefits, see the Android developer documentation.
  • Support for iOS 18: Citrix Endpoint Management and Citrix Mobile productivity apps are now compatible with iOS 18, but don’t currently support all the new iOS 18 features.
  • Support for macOS 15: Citrix Endpoint Management and Citrix Mobile productivity apps are now compatible with macOS 15, but don’t currently support all the new macOS 15 features.

Fixed issues in CEM 24.10.0

  • VPP test connectivity and VPP synchronization failed for some apps. [CXM-117353]

Citrix Endpoint Management 24.8.0

Fixed issues in CEM 24.8.0

  • The secure action ‘Delete All Users’ failed on the shared iPad. [CXM-114866]
  • Some iOS public apps on Citrix Endpoint Management cannot be located in the Apple Store. [CXM-114970]
  • In Citrix Endpoint Management 24.4.0, SAML SSO fails after renewing the SAML certificate when using CEM as the SAML SSO Identity Provider (IDP). [CXM-115836]
  • In a Certificate Based Authentication scenario, Secure Hub is experiencing functionality issues due to a failure in certificate renewal. The system admin might notice the generation of PKI certificates never stops, particularly on the Android platform. [CXM-116012]
  • The Update option is not available in the Secure Hub store for MAM SDK enabled apps with new version. [CXM-116194]

Citrix Endpoint Management 24.6.0

  • Support block third party apps for iOS 17.4 and later: In Restriction policy, a new setting Alternative App Marketplace has been added to prevent installation of alternative marketplace apps from the web and prevent any installed alternative marketplace apps from installing apps. For more information, see Restrictions device policy.
  • Support Firebase Cloud Messaging to use new HTTP v1 API: The FCM legacy APIs for HTTP is going to be deprecated from Google on June 21, 2024. To make FCM work well with the new API, a new field Service Account Key File has been added to page Firebase Cloud Messaging for you to upload the service account key JSON file. For more information, see Firebase Cloud Messaging.

Fixed issues in CEM 24.6.0

  • After an admin updates the AD group, the mobile apps assigned to the delivery group become inaccessible to the end users and the users may become anonymous. [CXM-115649]
  • Secure Hub logs cannot be sent to the IT help desk when the customer selects Send device logs to IT help desk as directly in the Client Support settings. [CXM-115794]

Citrix Endpoint Management 24.4.0

  • Added new Knox Platform for Enterprise Key device policy: A new device policy Knox Platform for Enterprise Key is added. This policy allows you to provide the required Samsung Knox Platform for Enterprise (KPE) license information and use the KPE licenses to enhance the security of your Samsung device. For more information, see Knox Platform for Enterprise Key device policy.

  • Enforce a minimum OS version in order to complete setup on Automated Enrollment: With iOS 17, MDMs can now enforce a minimum operating system version on enrolling devices when using Automated Device Enrollment. For more information see, step 3 in Add your account to Citrix Endpoint Management.

  • Supports iOS 17 Return to Service: With the Return to Service feature, MDM server can send an erase command that includes Wi-Fi details and a default MDM enrollment profile to the user device. The device then automatically wipes all user data, connects to the specified Wi-Fi network, and re-enrolls itself back into the MDM server using the provided enrollment profile.

  • Support Samsung Enhanced Attestation v3: Samsung Enhanced Attestation v3 improves CEM security functionality on Samsung Knox devices. For more information see Samsung Knox Enhanced Attestation.

  • Modernize sorting and filtering in Device enrollment: The list views in CEM are currently difficult to navigate and less user-friendly. By moving filtering and sorting options to the column headers, customers can easily combine these functions, making it much simpler and intuitive to find the data they need.

  • Support to install OS updates immediately for iOS devices: In the OS Update device policy, a new radio button named Install ASAP is added in the OS update options for iOS. This feature allows you to install the previously downloaded OS updates immediately for iOS devices. For more information, see OS Update device policy for iOS.

  • Enhance automatic Always-On VPN connection restart: A new managed configuration setting Always On VPN (optional) has been added to Citrix Secure Access app, which must be set to “true” for this enhancement to work reliably for Always On VPN profiles. For more information, see Configure the Citrix SSO protocol for Android and Create an Android Enterprise managed configuration for Citrix SSO.

Fixed issues in CEM 24.4.0

  • Enterprise apps might report incorrect version number after upgrade in iOS devices. [CXM-112711]
  • Enrolled iOS devices are prompted to enter UPN on Secure Hub. [CXM-114316]

Citrix Endpoint Management 24.1.0

This version addresses several issues that help to improve overall performance and stability. No new features were added.

Citrix Endpoint Management 23.12.0

Added a new mandatory field “Domain” in the 802.1x settings for Android: A new field Domain is added in the Android Enterprise platform network policy settings page for 802.1x EAP authentication type. For more information, see 802.1x settings for Android.

Current known issues

Known issues in Citrix Endpoint Management 22.6.0

Intermittently, selecting all three log types (Debug, Admin Audit, User Audit) to download under Troubleshooting and Support > Logs isn’t working. Only Debug logs are being downloaded. As a workaround, you can download each log separately, or open your browser in incognito mode to download all logs by marking all three checkboxes. [CXM-105334]

When creating a web link in Android Enterprise, an error occurs when trying to save the app with an icon. This error is a Google services issue. As a workaround, save the app without uploading an icon. [CXM-105395]

Samsung Knox/SAFE policies are still active on enrolled devices even after deprecation, and cannot be disabled or configured. As a workaround, unenroll and reenroll the device. [CXM-104303]

Known issues in Citrix Endpoint Management 22.4.0

When searching for an enrolled active directory user on the Monitor tab, no enrolled devices are shown for the user. You can still see policies and apps assigned to the user, and use all security actions from Manage > Devices. Both iOS and Android enrolled devices are affected. [CXM-104283]

Private apps fail to publish using Android Enterprise because of an issue in Google services. We will update our documentation when the issue is resolved. [CXM-103690]

Known issues in Citrix Endpoint Management 21.12.0

After migrating to Citrix Cloud based RBAC, admin users with full access permission in Citrix Cloud also get full access permission in CEM, even if they had custom permission before the migration. As a workaround, you can update admin permissions on the Citrix Cloud Identity and Access Management page with the required access. [CXM-102765]

Customers who onboarded before 2018 have local admin access to the console. CEM admin users with permissions to add or edit local users can also add or edit local users in Citrix Cloud. These permissions include changing local users’ passwords. To remediate this issue, you can call Support to have direct local admin access to the console blocked, allowing only Citrix Cloud admin access. [CXM-102780]

Known issues in Citrix Endpoint Management 21.11.0

On iOS devices enrolled only in MAM, enterprise apps fail to install. [CXM-101852]

Using the Automatically Update Managed Apps policy for Android Enterprise fails to apply on devices when the CEM server is upgraded to 21.11.0. The policy failure impacts app updates on the device. As a workaround, an administrator can edit and save the policy to refresh the default values. [CXM-102446]

Known issues in Citrix Endpoint Management 21.10.0

The VPN device policy does not work properly on managed Windows 11 devices. We reported this issue to Microsoft and are working with them to resolve it. We’ll provide updates on any progress.

Known issues in Citrix Endpoint Management 21.9.1

On Android devices enrolled in work profile on corporate-owned devices mode: Users might see errors saying they can’t install or search apps on their personal profile. If they see those errors, update the Google Play Store app and try again. [CXM-100678]

Known issues in Citrix Endpoint Management 21.5.0

Users can’t authenticate to Azure Active Directory (AAD) if they:

  1. Enroll their device in Citrix Endpoint Management using AAD credentials.
  2. Launch an Office 365 app and complete the AAD registration.
  3. Remove their account from the Microsoft Authenticator app.
  4. Launch an Office 365 app and sign out.

As a workaround, unenroll the device from Citrix Endpoint Management and re-enroll. [CXM-90235]

Known issues in Citrix Endpoint Management 21.4.0

Re-enrollment fails on iOS devices if the user trying to re-enroll is a different Azure Active Directory user than the user originally enrolled on the device. As a workaround, unregister the original user from the Microsoft Authenticator app on the device before re-enrolling. [CXM-90218]

Known issues in Citrix Endpoint Management 21.2.0

When adding Citrix Secure Web as an MDX app for Android Enterprise, Managed Google Play can’t find the app using the app identifier. If you search for “Citrix Secure Web” instead of the app identifier, Managed Google Play can find the app. This issue is a Google bug. [CXM-91991]

Importing the SSL Listener certificate might fail. Repackage the certificate keystore by following the steps in CTX-297153. [XMHELP-3346]

Known issues in Citrix Endpoint Management 20.10.1

If you upgrade on-premises Citrix ADC to 13.0-64.35 or later, and Citrix Endpoint Management isn’t Workspace-enabled: Single sign-on to Citrix Files or the ShareFile domain URL results in an error. The user is unable to sign in. This error only occurs in a browser with the Company Employee Sign in option.

To work around this issue: If you haven’t already run the following commands from the ADC CLI on NetScaler Gateway, run them to enable global SSO:

set vpn parameter SSO ON

bind vpn vs <vsName> -portalTheme X1

For more information, see:

After you complete the workaround, users can authenticate to Citrix Files or the ShareFile domain URL using SSO in a browser with the Company Employee Sign in option. [CXM-88400]

Known issues in Citrix Endpoint Management 20.2.1

After configuring ShareFile with a ShareFile URL in the Citrix Endpoint Management console, clicking the Test Connection button results in an error. To resolve this issue, disable multifactor authentication for ShareFile. Learn more about this issue and the workaround on this support page. [CXM-79240]

Known issues in Citrix Endpoint Management 20.1.0

When adding users to a library in Citrix Cloud, Citrix Endpoint Management reports success, but the users aren’t added. [CXM-73726]

Known issues in Citrix Endpoint Management 19.11.0

MDX and Public apps can’t be deleted from the console. As a workaround, select the app you want to delete and then click Edit. Deselect Android Enterprise and select any other platforms from the platform list. Save the app. You can then delete the app. [CXM-74468]

Known issues in Citrix Endpoint Management 19.5.0

When enrolling a Citrix Ready workspace hub device, define the Ethernet (eth0) MAC address in the allow list to avoid failed enrollment. [CXM-43141]

Known issues in Citrix Endpoint Management 19.4.1

When tabbing through options in the Windows GPO device policy, radio buttons and checkboxes get skipped. [CXM-58277]

Known issues in Citrix Endpoint Management 19.2.1

If you unenroll an Android Enterprise enterprise by deleting it through the Google admin console: Trying to re-enroll the enterprise might fail. Always use the Citrix Endpoint Management console to unenroll an Android Enterprise enterprise, as described in Unenroll an Android Enterprise enterprise. Google Workspace customers, follow the instructions in Unenrolling an Android Enterprise enterprise. [CXM-62709] [CXM-62950]

Known issues in Citrix Endpoint Management 19.2.0

When creating a public store app in Citrix Endpoint Management 10.18.3: On the iPad App Settings page, if you click Back without searching for apps, and then you click Next, the following issue occurs. The navigation buttons appear unresponsive and don’t allow you to search for apps. The issue occurs when creating public store apps for both iOS or Android. [CXM-46820]

Known issues in Citrix Endpoint Management 10.19.1

After you complete the registration process on the Settings > Android Enterprise page, the following error message appears: A configuration error occurred. Please try again. When you close the error message, your Android Enterprise configuration is saved, however Enable Android Enterprise is Off. To work around this issue, reduce the number of app categories to 30 or fewer. [CXM-60899]

Known issues in Citrix Endpoint Management 10.18.5

When a Chrome app is configured as a required app for Chrome OS devices: Users might need to log off and log back on to install the app. This third-party issue is Google bug ID #76022819. [CXM-48060]

Known issues in Citrix Endpoint Management 10.18.3

After you delete a Citrix Cloud administrator who has a device enrolled: Citrix Endpoint Management doesn’t update the User Role in the Citrix Endpoint Management console until after the administrator logs in again from the Citrix Secure Hub app or the Self-Help Portal. [CXM-45730]

Known issues in Citrix Endpoint Management 10.7.4

If you configure Citrix Endpoint Management for single sign-on (SSO) using the Citrix identity provider with Azure Active Directory: When an Citrix Endpoint Management administrator or user gets redirected to the Azure Active Directory sign-in screen, the screen includes the message “Sign-in page for Citrix Secure Hub.” The correct message is “Sign-in page for Citrix Endpoint Management console.” [CXM-42309]