What’s new history

We move sections about older Endpoint Management releases from What’s new to this article.

Endpoint Management 20.2.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Configure multiple device and app management modes in a single environment

About this feature:

Enhanced enrollment profile support is rolling out over two releases. Citrix sends notifications about upcoming releases.

Until the enhanced enrollment profile feature gets enabled for you, an enrollment profile only limits the number of devices a user can enroll.

You can now configure a single Endpoint Management site to support multiple enrollment configurations. The role of enrollment profiles has expanded to include enrollment settings for device and app management.

Enrollment profiles support multiple use cases and device migration paths within a single Endpoint Management console. Use cases include:

  • Mobile Device Management (MDM only)
  • MDM+Mobile Application Management (MAM)
  • MAM only
  • Corporate-owned enrollments
  • BYOD enrollments (the ability to opt out of MDM enrollment)
  • Migration of Android device administrator enrollments to Android Enterprise enrollments (fully managed, work profile, dedicated device)

Enrollment profiles replace the now deprecated server property, xms.server.mode. This change does not impact your existing delivery groups and enrolled devices.

The following table shows the automated migration path from the existing server property mode to the new enrollment profile feature:

| Existing server property | New management mode |
|---|---|
| ENT mode (iOS) | Apple device enrollment with Citrix MAM |
| ENT mode (Android) | Legacy device administrator with Citrix MAM |
| ENT mode (Android Enterprise) | Work profile on fully managed, with Citrix MAM |
| MAM mode (iOS and Android) | Citrix MAM |
| MDM mode (iOS) | Apple device enrollment |
| MDM mode (Android) | Legacy device administrator |
| MDM mode (Android Enterprise) | Work profile on fully managed |

When you create a delivery group, you can attach an enrollment profile to the group. If you don’t attach an enrollment profile, Endpoint Management attaches the Global enrollment profile.

Enrollment profiles provide the following device management features:

  • Easier migration from Android device administrator (DA) mode to Android Enterprise. For Android Enterprise devices, settings include a device owner mode such as: Fully managed, work profile on fully managed, or dedicated. For more information, see Android Enterprise.

    Enrollment Profile page for Android

    For this upgrade, your current Endpoint Management configurations for server mode and Settings > Android Enterprise map to the new enrollment profile settings as follows.

    | Current configuration | Management setting | Device owner mode setting | Citrix MAM setting |
    |---|---|---|---|
    | MDM; managed Google Play (Android Enterprise) | Android Enterprise | Work profile on fully managed | Off |
    | MDM; G Suite (legacy DA) | Legacy DA | not applicable | Off |
    | MAM | Do not manage devices | not applicable | On |
    | MDM+MAM; managed Google Play (Android Enterprise) | Android Enterprise* | Work profile on fully managed | On |
    | MDM+MAM; G Suite (legacy DA) | Legacy DA* | not applicable | On |

    * If enrollment is required, Allow users to decline device management is Off.

    After the upgrade, your current enrollment profiles reflect those mappings. Consider whether you want to create other enrollment profiles to handle any new use cases as you transition away from legacy DA.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    Enrollment Profile page for Android

  • Easier iOS management. For iOS devices, settings include a choice between enrolling devices as managed or unmanaged.

    Enrollment Profile page for iOS

    For this upgrade, your prior configurations map to the new enrollment profile settings as follows.

    | Server mode | Management setting | Citrix MAM setting |
    |---|---|---|
    | MDM | Device enrollment | Off |
    | MAM | Do not manage devices | On |
    | MDM+MAM | Device enrollment | On |

    If enrollment is required, Allow users to decline device management is Off.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    Enrollment Profile page for iOS

  • Allow Windows 10 devices to automatically enroll in Citrix Workspace app.

    Enrollment Profile page for Windows

    For this upgrade, your prior MDM configuration maps to the new enrollment profile setting Fully managed.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    Enrollment Profile page for Windows

The following limitations exist for enhanced enrollment profiles:

  • The enhanced enrollment profile feature doesn’t work for iOS and Android devices when Endpoint Management is integrated with Citrix Workspace.

  • The enhanced enrollment profile feature isn’t available for one-time PIN or two-factor authentication enrollment invitations.

For more information, see Enrollment profiles.

Other updates in Endpoint Management 20.2.1

  • Simplified enrollment of dedicated Android Enterprise (COSU) devices. Endpoint Management now enables you to enroll dedicated Android Enterprise devices (also known as COSU devices) by creating an enrollment profile. You are no longer required to create a role-based access control (RBAC) role for enrolling dedicated devices. See Provisioning dedicated Android Enterprise devices.

  • Disable biometric authentication on Android devices with the Keyguard management policy. The Keyguard Management device policy now lets you disable fingerprint unlock, face authentication, iris authentication, or all biometric authentication for devices running Android 9.0 and later.

  • Get guidance in the Resource Center. Use the Resource Center to access the in-product data. For guidance from the dashboard, click the icon in the lower right corner.

    Resource Center icon

Fixed issues in Endpoint Management 20.2.1

You previously needed permission to edit devices before you could use the Endpoint Management API to send notifications to devices. You now need Send Notification permissions to send notifications. [CXM-76689]

Endpoint Management 20.1.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

  • Support for Android Enterprise COPE devices. Endpoint Management supports Android Enterprise fully managed devices with work profiles. Google previously referred to those devices as COPE (corporate-owned personally enabled) devices.

    Android Enterprise fully managed devices have a device profile and a work profile. You can apply separate policy settings to the device and the work profile. For this release:

    • You can apply separate settings to the device and the work profile using these device policies: Credentials, Keyguard Management, Passcode, and Restrictions.
    • You can apply the location mode setting of the Location device policy to the COPE device itself but not to the work profile of the COPE device. Other settings in the Location device policy are not available for COPE devices. See the Location device policy.
    • You can apply the Lock security action separately to the device or the work profile.
  • Auto-enrollment of Windows 10 devices through Citrix Workspace app. Endpoint Management can now auto-enroll Windows 10 desktops and tablets using the Citrix Workspace app. For more information about this feature, see Integration with Citrix Workspace experience.

Fixed issues in Endpoint Management 20.1.0

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Get Started and Appearance. [CXM-71370]

The Filters tab is open by default for Manage > Devices. [CXM-75823]

ShareFile single sign-on (SSO) fails for multitenant customers on the same set of virtual machines. [CXM-75886]

Endpoint Management 19.12.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

You can now configure delivery groups for Windows devices based on device properties. (Preview) When configuring delivery groups, you can now configure groups based on device properties. This feature is only available for Windows desktops and tablets. To request access to this Preview feature, contact your Citrix sales or support representative. For more information about this feature, see To add a delivery group (Preview).

Import Group Policy Objects (GPOs) into Endpoint Management and deploy them directly to Windows 10 devices. Rather than relying on an AD administrator to deploy GPOs from the Group Policy Management console, you can import and deploy GPOs through the Endpoint Management console. See Windows GPO Configuration device policy.

Install EXE apps for Windows desktops and tablets. You can now upload EXE applications as enterprise apps for Windows desktops and tablets. For more information, see Add Win32 apps as Enterprise apps.

Users can no longer remove policies from iOS devices. Some device policies no longer allow users to remove the policy from iOS devices. The setting Allow user to remove policy has been removed for iOS from the following policies: APN policy, Mail policy, Passcode policy, Provisioning Profile policy, Proxy policy, and VPN policy.

Fixed issues in Endpoint Management 19.12.0

If you update an app version number with the Endpoint Management Public REST API and then by using the console, the app version doesn’t update. [CXM-69216]

Sometimes Endpoint Management can’t install EXE apps on Windows devices because the file hash isn’t correct. [CXM-75506]

Endpoint Management 19.11.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Apple Volume Purchase Program migration to Apple Business Manager (ABM) and Apple School Manager (ASM)

Companies and institutions using Apple Volume Purchase Program (VPP) need to migrate to Apps and Books in Apple Business Manager or Apple School Manager before December 1, 2019.

Before migrating VPP accounts in Endpoint Management, see this Apple support article.

If your organization or school only uses the Volume Purchase Program (VPP), you can enroll in ABM/ASM and then invite existing VPP Purchasers to your new ABM/ASM account. For ASM, navigate to https://school.apple.com. For ABM, navigate to https://business.apple.com.

To update your volume purchase (formerly VPP) account on Endpoint Management:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Volume Purchase. The Volume Purchase configuration page appears.

  3. Ensure that your ABM or ASM account has the same app config as your previous VPP account.

  4. In the ABM or ASM portal, download an updated token.

  5. In the Endpoint Management console, do the following:

    1. Edit the existing volume purchase account with the updated token info for that location.

    2. Edit your ABM or ASM credentials. Don’t change the suffix.

    3. Click Save twice.

For more information, see:

Enrollment profiles control enrollment options for Android devices

Enrollment profiles now control how Android devices are enrolled if Android Enterprise is enabled for your Endpoint Management deployment. Enrollment profiles determine whether Android devices are enrolled in the default Android Enterprise mode (fully managed or work profile) or in legacy (device administrator) mode.

By default, the Global enrollment profile enrolls new and factory reset Android Enterprise devices as fully managed devices and enrolls BYOD Android Enterprise devices as work profile devices. For more information, see Android Enterprise.

Preparing legacy Android devices for Android Enterprise as default enrollment

Google is deprecating the device administrator mode of device management and encouraging customers to manage all Android devices in device owner mode or profile owner mode. (See Device admin deprecation in the Google Android Enterprise developer guides.) To support this change, Citrix will make Android Enterprise the default enrollment option for Android devices.

This change means that if Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

So you can prepare for this change, Endpoint Management now allows you to create enrollment profiles that control how Android devices are enrolled.

Your organization might not be ready to begin managing legacy Android devices in device owner mode or profile owner mode. In that case, you can continue to manage them in device administrator mode. Create an enrollment profile for legacy devices and re-enroll all enrolled legacy devices.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Legacy device administration (not recommended). Click Next.

  5. Select Assignment (options). The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

To continue managing legacy devices in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similarly to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

For more information about Endpoint Management support for the transition to Android Enterprise, see the blog, Android Enterprise as the default for Citrix Endpoint Management service.

Fixed issues in Endpoint Management 19.11.0

When searching for a Google Play Store app in the Endpoint Management console, the app name is empty. You can enter the name manually to save the app. [CXM-73261]

After uploading an MDX app for Android Enterprise, the managed Google Play store UI might not open in the Endpoint Management console. Until the issue is fixed, go to the managed Google Play store to approve and save the app manually. [CXM-73398]

For iOS, location tracking doesn’t work if you do the following: Configure and deploy a location policy, enable tracking from device security actions, and then delete the deployed location policy and create a new one. [CXM-73470]

Users with apostrophes in their user names can’t enroll their devices when their user name is imported from LDAP. [CXM-73780]

Endpoint Management 19.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Expanded support for Zebra OEMConfig. Endpoint Management now supports managing Zebra devices using the Zebra Technologies administrative tool Zebra OEMConfig. (For information, see the Zebra Technologies website.) To manage devices using the Zebra OEMConfig app, publish the app and configure an Android Enterprise managed configurations device policy.

Content delivery network (CDN) availability for Windows apps. You can now deploy Windows apps by using a content delivery network. See Deliver enterprise apps from a CDN.

Group invitation support for users whose names include special characters. When you choose a group to receive enrollment invitations, Endpoint Management now gets the user list from Active Directory. The list includes users whose names contain special characters. See Enrollment invitations.

Fixed issues in Endpoint Management 19.10.0

After you enroll a new device or re-enroll an old device, an error message intermittently displays on Manage > Devices. [CXM-72634, CXM-73077]

When you select a Chrome or Workspace hub device in Manage > Devices > Enrolled Devices and then click Edit, the following message appears: “A configuration error occurred. Please try again.” That message also appears when you mouse over those devices in the devices list and click Show more. In either case, click OK to continue. [CXM-73010]

Endpoint Management 19.9.1

  • Support for encryption management for iOS and Android. When you add MDX apps, you can now choose whether MDX or the device platform encrypts data on your device.

    When you switch to platform-based encryption, compliance checks run before every app launch. If the compliance checks pass, the app runs and is protected by platform encryption. Analyze > Reporting now includes a report of non-compliant devices, such as devices that are jailbroken or don’t have a passcode.

    When you add an app, choose an Encryption type:

    • MDX encryption: MDX encrypts the data. MDX doesn’t enforce compliance. For existing apps, the default is MDX encryption.
    • Platform encryption with compliance enforcement: The device platform encrypts the data. You choose how compliance enforcement applies. For new apps, the default is Platform encryption with compliance enforcement.

    For more information about the MDX policies, see MDX policies for third-party apps for iOS and MDX policies for third-party apps for Android.

  • Support for iPadOS. Citrix Endpoint Management supports iPadOS 13.x. Device policies for iOS apply to devices running iPadOS. If you plan to enroll iPadOS devices by sending an invitation link to users, see the Citrix support article CTX261981.

  • Simplified app management for Android Enterprise. You no longer must go to managed Google Play or the Google Developer portal to approve or publish apps for Endpoint Management. As a result, app approval and publishing take about 10 minutes rather than hours.

    • Approve Android Enterprise apps for the Public App Store in the Endpoint Management console. You can now approve managed Google Play store apps without leaving the Endpoint Management console. After you enter an app name in the search field, the managed Google Play store UI opens with the instructions for you to approve and save the app. Your app then populates in the results allowing you to configure its details. See Add a public app store app.

    • Approve the MDX apps for Android Enterprise in the Endpoint Management console. You can now approve managed Google Play store apps for Android Enterprise without leaving the Endpoint Management console. After you upload an MDX file, the managed Google Play store UI opens with the instructions for you to approve and save the app. See Add an MDX app.

    • Publish enterprise apps for Android Enterprise in the Endpoint Management console. You no longer must register for a Google Play developer account when you add an Android Enterprise private app. The Citrix Endpoint Management console opens a managed Google Play store UI for you to upload and publish the APK file. See Add an enterprise app.

  • More certificate management features for Android Enterprise devices in work profile mode or fully managed mode. In addition to installing certificate authorities in the managed keystore, you can now manage the following features:

    • Configure the certificates used by specific managed apps. The Credentials device policy for Android Enterprise now includes the setting Apps to use the certificates. You can specify the apps to use the user certificates issued by the credential provider selected in this policy. Apps are silently granted access to certificates during run time. To use the certificates for all apps, leave the apps list blank. See Credentials device policy.

    • Silently remove certificates from the managed keystore or uninstall all non-system Certificate Authority certificates. See Credentials device policy.

    • Prevent users from modifying credentials stored in the managed keystore. The Restrictions device policy for Android Enterprise now includes the setting Allow user to configure user credentials. By default, that setting is On. See Restrictions device policy.

  • Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. Android location tracking requires Android 8.5 and higher. See Location device policy.

  • Easy access to BitLocker recovery keys. If a user loses their BitLocker recovery key, unlocking their device can be a challenge. Endpoint Management now displays the BitLocker recovery key for Windows desktops and tablets under the device details. See BitLocker recovery key.

Fixed issues in Endpoint Management 19.9.1

After adding a custom property with a special character, admins cannot access the Devices page on the XenMobile console. [CXM-57322]

The RBAC role Tier 2 techs can’t create enrollment invitations to a user group with more than 2000 users. Only full administrative users can create the invitations. [CXM-72086]

On iOS devices, administrators might lose the ability to send an “unlock device” command to passcode protected devices after the device is upgraded to iOS 13.1.x. To resolve this issue, see https://support.citrix.com/article/CTX262076. [CXM-73151]

Endpoint Management 19.9.0

  • Manage keyguard features for Android Enterprise work profile and fully managed devices. Android keyguard manages the device and work challenge lock screens. Use the Keyguard Management device policy to control:

    • Keyguard management on work profile devices. You can specify the features available to users before they unlock the device keyguard and the work challenge keyguard. For example, by default users can use fingerprint unlock and view unredacted notifications on the lock screen.

    • Keyguard management on fully managed and dedicated devices. You can specify the features available, such as trust agents and secure camera, before they unlock the keyguard screen. Or, you can choose to disable all keyguard features.

    See Keyguard Management device policy.

  • Samsung Knox container password reset. The Container Password Reset security action is no longer available for Android Enterprise Samsung Knox devices. Use the Container Lock security action to reset passwords for Samsung Knox containers. The Container Password Reset security action is still available for Samsung devices in device administrator mode.

  • Configure the product track for your Android Enterprise apps. When adding a public store app or an MDX app for Android Enterprise, configure the product track you want to push to user devices. For example, if you have a track designed for testing, you can select and assign it to a specific delivery group. To learn more about rolling out your release, see Google Play Help Center. For information on configuring the product track, see Add an MDX app or Add a public app store app.

  • Windows GPO configuration policy enabled automatically. The Windows GPO configuration policy enables automatically if you provision a Citrix Workspace Environment Management site in the Citrix Cloud. For more information, see Windows GPO Configuration device policy.

  • Mobile Device Management (MDM) and Workspace Environment Management (WEM) managed devices merged in the console. If a device is both MDM managed and WEM managed, it now displays as one device in the Endpoint Management console. The device label in the console is MDM, WEM. Previously, the device would show as two different devices. You can also delete devices that are MDM and WEM managed now.

Fixed issues in Endpoint Management 19.9.0

After you deploy the App Access device policy, non-compliant devices don’t trigger the configured action. [CXM-69842]

You can’t configure G Suite admin credentials for Chrome OS devices. [CXM-71665]

Connectivity between Endpoint Management and Apple School Manager fails. [CXM-71844]

MAM devices wipe apps and app data because of a failure to get the user domain details. As a result, the device considers the user as deleted. [CXM-72093]

After enrolling a new device or re-enrolling an old device, an error message intermittently displays on the Manage tab. [CXM-72224]

Endpoint Management 19.8.0

  • For existing customers: Restricted port access to the Endpoint Management console and Self-Help Portal:

    For customers who onboarded before Endpoint Management 19.8.0 (August 1, 2019):

    • You can require that administrators sign on to the Citrix Cloud console for SSO access to the Endpoint Management console. Citrix highly recommends all console access through Citrix Cloud.

      Set the new server property enable.cloud.console.sso to True, which means you can’t directly access the Endpoint Management console. Attempts to directly access the Endpoint Management console on port 4443 result in a 500 error.

    • Access to the Self-Help Portal is available only through port 443. Access attempts through port 4443 now result in an “Access Denied” message.

  • For customers who onboard starting with Endpoint Management 19.8.0 (August 1, 2019):

    • New customers sign on to the Citrix Cloud console for SSO access to the Endpoint Management console.

    • Access to the Self-Help Portal requires a server property change. By default, new customers can’t access the Self-Help Portal.

      To give your users access to the Self-Help Portal, update shp.console.enable to True.

Fixed issues in Endpoint Management 19.8.0

When importing a CA certificate, the console doesn’t display an updated or new certificate under PKI entities. [CXM-68419]

When configuring the VPN device policy for iOS to use the Citrix SSO protocol: After you enable the Prompt for PIN when connecting setting and save the policy, that setting reverts to Off. [CXM-68523]

For customers who have migrated from previous versions, opening the Manage tab in the console displays an error if a device’s enrollment profile has been deleted. [CXM-69750]

Endpoint Management 19.7.1

  • Access all Google Play apps in the managed Google Play store. The Access all apps in the managed Google Play store server property makes all apps from the public Google Play store accessible from the managed Google Play store. Setting this property to true whitelists the public Google Play store apps for all Android Enterprise users. Administrators can then use the Restrictions device policy to control access to these apps.

  • Enable system apps on Android Enterprise devices. To allow users to run pre-installed system apps in the Android Enterprise work profile mode or fully managed mode, configure the Restrictions device policy. That configuration grants user access to default device apps, such as camera, gallery, and others. To restrict access to a particular app, set app permissions using the Android Enterprise permissions policy.

Fixed issues in Endpoint Management 19.7.1

When sending an enrollment link using SMTP/SMS, the link being sent doesn’t work. [CXM-67458]

When attempting to update a public iOS app using the Endpoint Management console, a configuration error displays. [CXM-69190]

Some third-party volume purchase apps fail to auto-update. This issue occurred due to blocked host names. For more information, see https://support.apple.com/en-us/HT201999. [CXM-69341]

When adding Microsoft Word or PowerPoint for iOS to the cloud app library, assigning the app to a user group fails. You must delete and re-add any Intune apps experiencing this issue. [CXM-69349]

Endpoint Management 19.6.1

  • Location device policy now enables device tracking for Android. You can now enable device tracking to poll specific devices at a frequency you define. You might use this policy to track delivery personnel for more accurate delivery estimates, track lost or stolen devices, or enforce geographic boundaries. For more information, see Location device policy.

Fixed issues in Endpoint Management 19.6.1

On macOS, enterprise apps pushed from Endpoint Management remain in a pending state. This third-party issue is Apple bug #50311461 and is fixed in macOS 10.14.4. [CXM-65957]

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

After the time period in the server property bulk.enrollment.fetchRosterInfoDelay ends and an Apple School Manager device syncs with the server: The Apple School Manager user account is deleted from the server and the device moves into an anonymous state. [CXM-67913]

Users with special German characters, such as umlauts, in their display name can’t enroll. [CXM-68097]

The following error message displays when you attempt to configure a Public App by using the new app URL from the Apple Store. “Could not find the app you entered. Check the URL and try again.” [CXM-68537]

Endpoint Management 19.6.0

  • Auto updates for Apple volume purchase apps. When you add a volume purchase account (Settings > iOS Settings), you can now enable auto updates for all iOS apps. See the App Auto Update setting in Apple Volume Purchase.

Fixed issues in Endpoint Management 19.6.0

The following error is displayed while adding a registry key to a Windows Embedded Compact policy if the length of the registry value exceeds 2048 characters: Console error: could not execute statement; SQL [n/a]; nested exception is org.hibernate.exception.DataException: could not execute statement. [CXM-59446]

During profile installation on an iOS device, “Not Verified” appears in the profile information. [CXM-64486]

When an Azure AD user signs in to some Windows 10 Azure AD joined devices configured as kiosks, kiosk mode does not activate. This issue doesn’t occur if you enter the Azure AD user name in the format azuread\user. For more information, see Kiosk device policy. [CXM-66123]

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

When you add a volume purchase account (Settings > iOS Settings), the following message appears if the token exceeds 350 characters: “The entered company token is not valid, please enter a new one.” [CXM-68113]

Endpoint Management 19.5.0

  • iOS MDM enrollment workflow change. To improve platform security by reducing misleading profile installations, Apple released a new workflow for manually enrolling devices in MDM. This new workflow affects all MDM solutions, including Citrix Endpoint Management.

    There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. The workflow changes are only for manual enrollment in MDM.

    Citrix has also simplified the enrollment. Previously, iOS device users received two prompts during enrollment: A prompt for the root CA and a prompt for the MDM device certificate. Citrix installed the root CA for flexibility in using unsigned and signed certificates. Because all Citrix Cloud deployments use trusted certificates, the root CA is no longer needed.

    iOS device users receive only the MDM device certificate prompt during enrollment. That prompt is labeled “XenMobile Profile Service”.

    To support this change, Citrix changed the value of the server property, ios.mdm.enrollment.installRootCaIfRequired, to false. A Safari window opens during MDM enrollment to simplify the profile installation for users. For more information, see Enroll iOS devices and the following YouTube video:

    iOS enrollment video

  • Changes for new Endpoint Management customers:
    • Workspace experience deployment. You can create a separate delivery group, named Workspace, to begin to deploy the Workspace experience to new devices. By using the Workspace delivery group, you can deliver the Workspace experience to a small group without disrupting all users. See Integration with Citrix Workspace experience.
    • Preconfigured policies and apps for new customers as of Endpoint Management 19.5.0. If you onboard starting with Endpoint Management 19.5.0 or later, we preconfigure a few device policies and mobile productivity apps. That configuration enables you to immediately deploy basic functionality to device users. See Default device policies and mobile productivity apps.
  • Knox Platform for Enterprise device policy for Android Enterprise. You can now enter the KPE Premium and Standard license keys for Android Enterprise devices running Knox version 3.0 or later. For information, see Knox Platform for Enterprise device policy.

  • Public session device policy for Chrome OS. You can now configure Chrome OS devices to support guest sessions. For information on configuring this policy, see Public session device policy.

  • RBAC permission changes. The RBAC permission Add/Delete Local Users is now split into two permissions: Add Local Users and Delete Local Users.

Fixed issues in Endpoint Management 19.5.0

Enterprise apps don’t silently upgrade on supervised devices running iOS 11.4 or later. [CXM-66005]

When you edit a device policy, the following error message appears: “A configuration error occurred. Please try again”. [CXM-66370]

Endpoint Management 19.4.1

  • Through Workspace Environment Management (WEM) integration with Endpoint Management, you can manage all supported domain-joined Windows devices. This integration offers the following benefits and features:

    • With WEM alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two products:
      • WEM can access MDM features
      • You can manage a wider spectrum of Windows operating systems through Endpoint Management
    • That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.

    • MDM management isn’t a requirement for WEM integration. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.

    • For a list of the devices supported, see Operating System requirements.

    • Devices which receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.

    For more information, see Windows GPO Configuration device policy.

  • CDN delivery of enterprise apps is now the default for new multi-tenancy customers as of Endpoint Management 19.4.1. If you are a new customer in the Asia Pacific region, contact your Citrix support representative to enable CDN delivery. In all regions, existing customers who want to deliver enterprise apps using CDN must reupload existing apps after enabling the feature. See How enterprise apps work.

  • Support for Web and SaaS apps and Web links for Android Enterprise. Endpoint Management now supports delivering links for Web or SaaS apps and Web links to Android Enterprise devices. Web and SaaS apps and Web links are added for Android Enterprise in the same way they are added for other platforms. See Add a Web or SaaS app and Add a Web link.

  • More restrictions for Chrome OS devices:

    • Display instructions on disabled devices. You can now add a custom message to display on disabled Chrome OS devices.

    • Allow users to install specific extensions, apps, and themes. Enter the list of URLs to permit downloading from those sources.

    For more information, see Chrome OS settings.

Fixed issues in Endpoint Management 19.4.1

On Android Enterprise devices, the following app types might not appear in Secure Hub: Public app store apps configured in the Google Play platform and enterprise apps configured in the Android platform. [CXM-63638]

Android Enterprise apps don’t appear for devices until they are unenrolled and enrolled again. Apps also appear if you update them in their delivery groups. [CXM-64670]

Automated actions might not deploy to Android Enterprise devices. [CXM-64950]

The name and owner of your Android Enterprise enterprise might not display correctly in the Google Play store administrator console. [CXM-65647]

Endpoint Management 19.3.1

Fixed issues in Endpoint Management 19.3.1

If you deployed a Store device policy for Windows 10 Desktop and Tablet devices before release 19.3.1: When a user clicks the Windows store link in the Start menu, a message appears: “500 Internal Server Error” or “HTTP Status 404 - Either you have reached an old URL or this device is not registered”. To resolve this issue, you must recreate and deploy your Store device policy. [CXM-61785]

If an Active Directory user group is assigned to an RBAC role permission, you can’t delete the LDAP configuration containing that user group. As a workaround, if you unassign the corresponding Active Directory group from RBAC, you can delete the domain. [CXM-62737]

Endpoint Management 19.3.0

  • Support for Samsung Knox on Android Enterprise policy unification. For Android Enterprise devices running Samsung Knox 3.0 or later and Android 8.0 or later: Knox and Android Enterprise are combined into a unified device and profile management solution. Configure Knox settings on the Android Enterprise page of the following device policies:

  • App inventory device policy for Android Enterprise. You can now collect an inventory of the Android Enterprise apps on managed devices. For more information, see App inventory device policy.

  • Files device policy for Android Enterprise. You can now add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.

  • Lock and reset the password for Android Enterprise. Endpoint Management now supports the Lock and Reset password security action for Android Enterprise devices enrolled in work profile mode running Android 8.0 and greater. See Security actions.

  • Azure Active Directory support in a kiosk on Windows 10 Desktop and Tablet devices. You can now add domain joined Azure AD devices in Kiosk mode. See Kiosk device policy.

  • For Endpoint Management customers with the workspace experience enabled: Citrix Endpoint Management supports federated authentication through the Workspace app on iOS and Android. This feature does not support Azure Active Directory. For information, see Change authentication to workspaces.

  • Public REST API change. The Endpoint Management Public API for REST Services now includes an API to edit platform details inside the container for MDX apps. See “Section 3.15.2.4 Update platform details inside the container for MDX apps” in the PDF, Public API for REST Services.

Fixed issues in Endpoint Management 19.3.0

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

If the enterprise is deleted from Managed Google Play and updated on the Endpoint Management server, Android Enterprise devices sometimes can’t enroll. [CXM-62769]

For Citrix Endpoint Management integration with Microsoft Intune/EMS: Changes made to an Intune store app name or description don’t get saved. [CXM-62842]

After you edit an iOS Intune app, the app won’t install from the Microsoft Company Portal app. [CXM-62972]

If assigned permission as a Citrix Cloud custom administrator instead of a full administrator, you cannot click the Manage button to navigate resources. [CXM-63433]

Deprecation of TLS versions

To improve the security of the Citrix Endpoint Management service, Citrix now blocks any communication over Transport Layer Security (TLS) 1.0 and 1.1. Because the security of TLS 1.0 is weakening, the PCI Council is deprecating it.

How this change impacts you

If you use mobile application management through an on-premises Citrix Gateway (NetScaler Gateway), you must update your load balancer service to enable TLS 1.2.

Older versions of the following connectors support TLS 1.0 only:

  • Endpoint Management connector for Exchange ActiveSync
  • Citrix Gateway connector for Exchange ActiveSync

Upgrade your connector as follows:

  • If you use the Endpoint Management connector for Exchange ActiveSync build 10.1.3 or lower, upgrade to build 10.1.4 or higher.

  • If you use the Citrix Gateway connector for Exchange ActiveSync build 8.5.0 or lower, upgrade to build 8.5.1.11 or higher.

What to do

If you use an on-premises Citrix Gateway (NetScaler Gateway), enable TLS 1.2 on your load balancer service. For information, see https://support.citrix.com/article/CTX247095. Following is a video that shows how to enable TLS 1.2 on Citrix Gateway.


To download either connector for Exchange ActiveSync:

1.  Go to https://www.citrix.com/downloads.
2.  Navigate to Citrix Endpoint Management (XenMobile) > XenMobile Server > Product Software > XenMobile Server 10 > Server Components.
3.  Locate the connector tile and then click Download File.
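
To confirm that your gateway or load balancer accepts TLS 1.2 after the change, you can probe it one protocol version at a time. The following Python script is an added example, not Citrix code; the function names are illustrative and gateway.example.com is a placeholder for your own gateway.

```python
import socket
import ssl

# Versions named on this page: 1.0 and 1.1 are blocked, 1.2 is required.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=5.0):
    """True if a handshake pinned to `version` succeeds, False if the
    server refuses it, None if the local OpenSSL cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol audit only: no data is sent, so certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Many OpenSSL builds hide TLS 1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, OSError):
        return False
    finally:
        sock.close()

def assess(results):
    """Summarize {label: True/False/None} against the TLS 1.2 requirement."""
    return {
        "tls12_ready": results.get("TLS 1.2") is True,
        "legacy_accepted": [v for v in ("TLS 1.0", "TLS 1.1")
                            if results.get(v) is True],
        "untested": [v for v, r in results.items() if r is None],
    }

def audit(host, port=443):
    """Probe every version in VERSIONS and summarize the outcome."""
    return assess({label: probe(host, port, v) for label, v in VERSIONS.items()})

if __name__ == "__main__":
    # gateway.example.com is a placeholder for your own gateway's FQDN.
    print(audit("gateway.example.com"))
```

A False result for TLS 1.0 or 1.1 can also mean that the local system's crypto policy stopped the client from offering that version, so run the check from a host whose OpenSSL still supports the older protocols.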

Endpoint Management 19.2.1

  • Run multiple apps in a kiosk on Chrome devices. You can now add multiple apps to the Kiosk policy for Chrome OS. You can optionally automatically start apps when the user starts the device. See the Kiosk device policy.

Fixed issues in Endpoint Management 19.2.1

After an Android Enterprise device is unenrolled and then re-enrolled, approved apps might not appear on devices enrolled in work profile mode. [CXM-59994]

When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to select Intune MAM/XenMobile. [CXM-31272]

Endpoint Management 19.2.0

  • Deliver enterprise apps from a content delivery network (CDN). When a user isn’t located near an Endpoint Management server, enterprise app delivery can take a while. For faster app downloads, you can instead have enterprise apps delivered from content delivery network (CDN) locations throughout the world. CDN support for enterprise apps is available for iOS apps (MDM or MAM enrollment) and Android apps (MDM or MAM enrollment). CDN support for enterprise apps isn’t available for Windows apps. To get started, see Deliver Enterprise apps from a CDN.

  • DEP device enrollment change for Citrix Workspace. If Endpoint Management is integrated with Citrix Workspace, the Workspace App is included in the DEP deployment package as a required app. This feature requires that you configure your DEP account settings for iOS with required credentials set to off. Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Endpoint Management.

  • The server property ios.mdm.enrollment.installRootCaIfRequired is now set to false. Endpoint Management uses a publicly trusted certificate chain, thus it isn’t necessary to push a root CA to devices. As a result, iOS device users no longer receive a prompt to install a root CA during enrollment.

  • The WiFi and Credentials policies now support Apple TV OS. In addition, you can now configure the AirPlay Security device policy to control which devices can connect to Apple TV devices. For more information, see the Wi-Fi, Credentials, and AirPlay Security device policy articles.

  • Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. See Location device policy.

  • Enhanced support for Alexa for Business. Endpoint Management now includes support for Alexa for Business conferencing, adding Alexa skills to your organizations, and editing skill groups. See Alexa for Business.

  • Automated actions for Windows Agent policy. Using the Windows Agent policy, you can automate actions to run on Windows desktops and tablets based on registry values. For more information, see the Windows Agent device policy and Automated Actions articles.

  • For Android Enterprise, the No Restrictions option for required characters in a passcode is now deprecated. Android Enterprise devices running Android 7 or higher no longer support a passcode created without character restrictions. If you previously set Required characters to No Restrictions, this update changes that value to Numbers only. This change doesn’t affect the current user sign-in experience. For more information, see Android Enterprise settings.

Fixed issues in Endpoint Management 19.2.0

When an app is deleted from the Intune library, and a user tries to delete it from the Citrix Cloud library, they can’t delete it. [CXM-61645]

After you upload a Google Play app in the Endpoint Management console without adding an app icon image: If you later upload an image for the app, the image doesn’t appear in the apps list. [CXM-60965]

Endpoint Management 19.1.2

  • Files device policy now available for Android Enterprise. You can add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.

  • Configure time zone settings for Chrome OS devices. You can now select a time zone for the Chrome device and specify how to detect the time zone. For more information, see Restrictions device policy.

  • An RBAC administrator’s group permissions now restrict the user information shown on the Users and Enrollment Invitations pages. Previously, the Endpoint Management console included information for all local users and domain users on the Manage > Users and Manage > Enrollment Invitations pages.

    To specify which user groups an RBAC administrator has permission to view and manage, edit the administrator role and specify the user groups. For more information, see Configure roles with RBAC.

  • Launch third-party apps from the Workspace app. For customers with Citrix Workspace enabled: Before deploying new apps to users, you can add a comma-separated list of URLs to launch the apps from the Workspace app. For more information, see Add apps.

Fixed issues in Endpoint Management 19.1.2

You can’t upload Google Play services APK versions later than 11.5.09 in the Endpoint Management console. [CXM-59492]

Editing Windows Desktop and Tablet apps in Configure > Apps > Public App Store results in this message: “Application search failed”. Searching for those apps results in this message: “Error connecting to the windows desktop store url: Failed to retrieve public app details”. [CXM-61686]