What’s new history
We move sections about older Endpoint Management releases from What’s new to this article.
Endpoint Management 19.8.0
For existing customers: Restricted port access to the Endpoint Management console and Self-Help Portal:
For customers who onboarded before Endpoint Management 19.8.0 (August 1, 2019):
You can require that administrators sign on to the Citrix Cloud console for SSO access to the Endpoint Management console. Citrix highly recommends all console access through Citrix Cloud.
Set the new server property enable.cloud.console.sso to True, which means you can’t directly access the Endpoint Management console. Attempts to directly access the Endpoint Management console on port 4443 result in a 500 error.
When enable.cloud.console.sso is False, direct access to the Endpoint Management console is available through port 4443. Access attempts through port 443 now result in an “Access Denied” message. Access attempts through other ports now result in 404 errors.
Access to the Self-Help Portal is available only through port 443. Access attempts through port 4443 now result in an “Access Denied” message.
For customers who onboard starting with Endpoint Management 19.8.0 (August 1, 2019):
New customers sign on to the Citrix Cloud console for SSO access to the Endpoint Management console.
Access to the Self-Help Portal requires a server property change. By default, new customers can’t access the Self-Help Portal.
The server property shp.console.enable defaults to False, which prevents access to the Self-Help Portal. Users who navigate to the Self-Help Portal on port 443 get a 404 error. Users who navigate to the portal on port 4443 get an “Access Denied” message.
To give your users access to the Self-Help Portal, update
Fixed issues in Endpoint Management 19.8.0
When importing a CA certificate, the console doesn’t display an updated or new certificate under PKI entities. [CXM-68419]
When configuring the VPN device policy for iOS to use the Citrix SSO protocol: After you enable the Prompt for PIN when connecting setting and save the policy, that setting reverts to Off. [CXM-68523]
For customers who have migrated from previous versions, opening the Manage tab in the console displays an error if a device’s enrollment profile has been deleted. [CXM-69750]
Endpoint Management 19.7.1
Access all Google Play apps in the managed Google Play store. The Access all apps in the managed Google Play store server property makes all apps from the public Google Play store accessible from the managed Google Play store. Setting this property to true whitelists the public Google Play store apps for all Android Enterprise users. Administrators can then use the Restrictions device policy to control access to these apps.
Enable system apps on Android Enterprise devices. To allow users to run pre-installed system apps in the Android Enterprise work profile mode or fully managed mode, configure the Restrictions device policy. That configuration grants user access to default device apps, such as camera, gallery, and others. To restrict access to a particular app, set app permissions using the Android Enterprise permissions policy.
Fixed issues in Endpoint Management 19.7.1
When sending an enrollment link using SMTP/SMS, the link being sent doesn’t work. [CXM-67458]
When attempting to update a public iOS app using the Endpoint Management console, a configuration error displays. [CXM-69190]
Some third-party VPP apps fail to auto-update. This issue occurred due to blocked host names. For more information, see https://support.apple.com/en-us/HT201999. [CXM-69341]
When adding Microsoft Word or PowerPoint for iOS to the cloud app library, assigning the app to a user group fails. You must delete and re-add any Intune apps experiencing this issue. [CXM-69349]
Endpoint Management 19.6.1
- Location device policy now enables device tracking for Android. You can now enable device tracking to poll specific devices at a frequency you define. You might use this policy to track delivery personnel for more accurate delivery estimates, track lost or stolen devices, or enforce geographic boundaries. For more information, see Location device policy.
Fixed issues in Endpoint Management 19.6.1
On macOS, enterprise apps pushed from Endpoint Management remain in a pending state. This third-party issue is Apple bug #50311461 and is fixed in macOS 10.14.4. [CXM-65957]
App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]
After the time period in the server property bulk.enrollment.fetchRosterInfoDelay ends and an Apple School Manager DEP device syncs with the server: The Apple School Manager user account is deleted from the server and the device moves into an anonymous state. [CXM-67913]
Users with special German characters, such as umlauts, in their display name can’t enroll. [CXM-68097]
The following error message displays when you attempt to configure a Public App by using the new app URL from the Apple Store. “Could not find the app you entered. Check the URL and try again.” [CXM-68537]
Endpoint Management 19.6.0
- Auto updates for Apple VPP apps. When you add a VPP account (Settings > iOS Settings), you can now enable auto updates for all iOS apps. See the App Auto Update setting in iOS Volume Purchase Program.
Fixed issues in Endpoint Management 19.6.0
The following error is displayed while adding a registry key to a Windows Embedded Compact policy if the length of the registry value exceeds 2048 characters:
Console error: could not execute statement; SQL [n/a]; nested exception is org.hibernate.exception.DataException: could not execute statement. [CXM-59446]
During profile installation on an iOS device, “Not Verified” appears in the profile information. [CXM-64486]
When an Azure AD user signs in to some Windows 10 Azure AD joined devices configured as kiosks, kiosk mode does not activate. This issue doesn’t occur if you enter the Azure AD user name in the format azuread\user. For more information, see Kiosk device policy. [CXM-66123]
App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]
When you add a VPP account (Settings > iOS Settings), the following message appears if the token exceeds 350 characters: “The entered company token is not valid, please enter a new one.” [CXM-68113]
Endpoint Management 19.5.0
iOS MDM enrollment workflow change. To improve platform security by reducing misleading profile installations, Apple released a new workflow for manually enrolling devices in MDM. This new workflow affects all MDM solutions, including Citrix Endpoint Management.
There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. The workflow changes are only for manual enrollment in MDM.
Citrix has also simplified the enrollment. Previously, iOS device users received two prompts during enrollment: a prompt for the root CA and a prompt for the MDM device certificate. Citrix installed the root CA for flexibility in using unsigned and signed certificates. Because all Citrix Cloud deployments use trusted certificates, the root CA is no longer needed.
iOS device users receive only the MDM device certificate prompt during enrollment. That prompt is labeled “XenMobile Profile Service”.
To support this change, Citrix changed the value of the server property,
false. A Safari window opens during MDM enrollment to simplify the profile installation for users. For more information, see Enroll iOS devices and the following YouTube video:
Changes for new Endpoint Management customers:
- Workspace experience deployment. You can create a separate delivery group, named Workspace, to begin to deploy the Workspace experience to new devices. By using the Workspace delivery group, you can deliver the Workspace experience to a small group without disrupting all users. See Integration with Citrix Workspace experience.
- Preconfigured policies and apps for new customers as of Endpoint Management 19.5.0. If you onboard starting with Endpoint Management 19.5.0 or later, we preconfigure a few device policies and mobile productivity apps. That configuration enables you to immediately deploy basic functionality to device users. See Default device policies and mobile productivity apps.
Knox Platform for Enterprise device policy for Android Enterprise. You can now enter the KPE Premium and Standard license keys for Android Enterprise devices running Knox version 3.0 or later. For information, see Knox Platform for Enterprise device policy.
Public session device policy for Chrome OS. You can now configure Chrome OS devices to support guest sessions. For information on configuring this policy, see Public session device policy.
- RBAC permission changes. The RBAC permission Add/Delete Local Users is now split into two permissions: Add Local Users and Delete Local Users.
Fixed issues in Endpoint Management 19.5.0
Enterprise apps don’t silently upgrade on supervised devices running iOS 11.4 or later. [CXM-66005]
When you edit a device policy, the following error message appears: “A configuration error occurred. Please try again”. [CXM-66370]
Endpoint Management 19.4.1
Through Workspace Environment Management (WEM) integration with Endpoint Management, you can manage all supported domain-joined Windows devices. This integration offers the following benefits and features:
With WEM alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two, WEM has access to MDM features and you can manage a wider spectrum of Windows operating systems through Endpoint Management.
That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.
MDM management isn’t a requirement for WEM integration. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.
For a list of the devices supported, see Operating System requirements.
Devices which receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.
For more information, see Windows GPO Configuration device policy.
CDN delivery of enterprise apps is now the default for new multi-tenancy customers as of Endpoint Management 19.4.1. If you are a new customer in the Asia Pacific region, contact your Citrix support representative to enable CDN delivery. In all regions, existing customers who want to deliver enterprise apps using CDN must reupload existing apps after enabling the feature. See How enterprise apps work.
Support for Web and SaaS apps and Web links for Android Enterprise. Endpoint Management now supports delivering links for Web or SaaS apps and Web links to Android Enterprise devices. Web and SaaS apps and Web links are added for Android Enterprise in the same way they are added for other platforms. See Add a Web or SaaS app and Add a Web link.
More restrictions for Chrome OS devices:
Display instructions on disabled devices. You can now add a custom message to display on disabled Chrome OS devices.
Allow users to install specific extensions, apps, and themes. Enter the list of URLs to permit downloading from those sources.
For more information, see Chrome OS settings.
Fixed issues in Endpoint Management 19.4.1
On Android Enterprise devices, the following app types might not appear in Secure Hub: Public app store apps configured in the Google Play platform and enterprise apps configured in the Android platform. [CXM-63638]
Android Enterprise apps don’t appear for devices until they are unenrolled and enrolled again. Apps also appear if you update them in their delivery groups. [CXM-64670]
Automated actions might not deploy to Android Enterprise devices. [CXM-64950]
The name and owner of your Android Enterprise enterprise might not display correctly in the Google Play store administrator console. [CXM-65647]
Endpoint Management 19.3.1
Fixed issues in Endpoint Management 19.3.1
If you deployed a Store device policy for Windows 10 Desktop and Tablet devices before release 19.3.1: When a user clicks the Windows store link in the Start menu, a message appears: “500 Internal Server Error” or “HTTP Status 404 - Either you have reached an old URL or this device is not registered”. To resolve this issue, you must recreate and deploy your Store device policy. [CXM-61785]
If an Active Directory user group is assigned to an RBAC role permission, you can’t delete the LDAP configuration containing that user group. As a workaround, if you unassign the corresponding Active Directory group from RBAC, you can delete the domain. [CXM-62737]
Endpoint Management 19.3.0
Support for Samsung Knox on Android Enterprise policy unification. For Android Enterprise devices running Samsung Knox 3.0 or later and Android 8.0 or later: Knox and Android Enterprise are combined into a unified device and profile management solution. Configure Knox settings on the Android Enterprise page of the following device policies:
OS Update device policy. Control Samsung Enterprise FOTA updates. See OS Update device policy.
Passcode device policy. See Passcode device policy.
Restrictions device policy. See Restrictions device policy.
Samsung MDM license key device policy. Configure the Knox license key. See Samsung MDM license key device policy.
App inventory device policy for Android Enterprise. You can now collect an inventory of the Android Enterprise apps on managed devices. For more information, see App inventory device policy.
Files device policy for Android Enterprise. You can now add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.
Lock and reset password for Android Enterprise. Endpoint Management now supports the Lock and Reset password security action for Android Enterprise devices enrolled in work profile mode running Android 8.0 and greater. See Security actions.
Azure Active Directory support in a kiosk on Windows 10 Desktop and Tablet devices. You can now add domain joined Azure AD devices in Kiosk mode. See Kiosk device policy.
For Endpoint Management customers with the workspace experience enabled: Citrix Endpoint Management supports federated authentication through the Workspace app on iOS and Android. This feature does not support Azure Active Directory. For information, see Change authentication to workspaces.
Public REST API change. The Endpoint Management Public API for REST Services now includes an API to edit platform details inside the container for MDX apps. See “Section 22.214.171.124 Update platform details inside the container for MDX apps” in the PDF, Public API for REST Services.
Fixed issues in Endpoint Management 19.3.0
If the enterprise is deleted from Managed Google Play and updated on the Endpoint Management server, Android Enterprise devices can’t enroll sometimes. [CXM-62769]
For Citrix Endpoint Management integration with Microsoft Intune/EMS: Changes made to an Intune store app name or description don’t get saved. [CXM-62842]
After you edit an iOS Intune app, the app won’t install from the Microsoft Company Portal app. [CXM-62972]
If assigned permission as a Citrix Cloud custom administrator instead of a full administrator, you cannot click the Manage button to navigate resources. [CXM-63433]
Deprecation of TLS versions
To improve the security of the Citrix Endpoint Management service, Citrix now blocks any communication over Transport Layer Security (TLS) 1.0 and 1.1. As a result of its weakening security, the PCI Council is deprecating TLS 1.0.
How this change impacts you
If you use mobile application management through an on-premises Citrix Gateway (NetScaler Gateway), you must update your load balancer service to enable TLS 1.2.
Older versions of the following connectors support TLS 1.0 only:
- Endpoint Management connector for Exchange ActiveSync
- Citrix Gateway connector for Exchange ActiveSync
Upgrade your connector as follows:
If you use Endpoint Management connector for Exchange ActiveSync build 10.1.3 or lower, upgrade to build 10.1.4 or higher.
If you use Citrix Gateway connector for Exchange ActiveSync build 8.5.0 or lower, upgrade to build 126.96.36.199 or higher.
What to do
If you use an on-premises Citrix Gateway (NetScaler Gateway), enable TLS 1.2 on your load balancer service. For information, see https://support.citrix.com/article/CTX247095. Following is a video that shows how to enable TLS 1.2 on Citrix Gateway.
To download either connector for Exchange ActiveSync, go to the Server Components section under Endpoint Management Server on Citrix.com.
Endpoint Management 19.2.1
- Run multiple apps in a kiosk on Chrome devices. You can now add multiple apps to the Kiosk policy for Chrome OS. You can optionally automatically start apps when the user starts the device. See the Kiosk device policy.
Fixed issues in Endpoint Management 19.2.1
After an Android Enterprise is unenrolled and then re-enrolled, approved apps might not appear on devices enrolled in work profile mode. [CXM-59994]
When users first run Secure Mail on Intune MDM+MAM, the set up takes users through a workflow to select Intune MAM/XenMobile. [CXM-31272]
Endpoint Management 19.2.0
Deliver enterprise apps from a content delivery network (CDN). When a user isn’t located near an Endpoint Management server, enterprise app delivery can take a while. For significantly faster app downloads, you can instead have enterprise apps delivered from content delivery network (CDN) locations throughout the world. CDN support for enterprise apps is available for iOS apps (MDM or MAM enrollment) and Android apps (MDM or MAM enrollment). CDN support for enterprise apps isn’t available for Windows apps. To get started, see Deliver Enterprise apps from a CDN.
DEP device enrollment change for Citrix Workspace. If Endpoint Management is integrated with Citrix Workspace, the Workspace App is included in the DEP deployment package as a required app. This feature requires that you configure your DEP account settings for iOS with required credentials set to off. Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Endpoint Management.
The server property ios.mdm.enrollment.installRootCaIfRequired is now set to false. Endpoint Management uses a publicly trusted certificate chain, thus it isn’t necessary to push a root CA to devices. As a result, iOS device users no longer receive a prompt to install a root CA during enrollment.
The WiFi and Credentials policies now support Apple TV OS. In addition, you can now configure the Airplay Security device policy to control which devices can connect to Apple TV devices. For more information, see the WiFi, Credentials and Airplay Security device policy articles.
Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. See Location device policy.
Enhanced support for Alexa for Business. Endpoint Management now includes support for Alexa for Business conferencing, adding Alexa skills to your organizations, editing skill groups. See Alexa for Business.
Automated actions for Windows Agent policy. Using the Windows Agent policy, you can automate actions to run on Windows desktops and tablets based on registry values. For more information, see the Windows Agent device policy and Automated Actions articles.
For Android Enterprise, the No Restrictions option for required characters in a passcode is now deprecated. Android Enterprise devices running Android 7 or higher no longer support a passcode created without character restrictions. If you previously set Required characters to No Restrictions, this update changes that value to Numbers only. This change doesn’t affect the current user sign-in experience. For more information, see Android Enterprise settings.
Fixed issues in Endpoint Management 19.2.0
When an app is deleted from the Intune library, and a user tries to delete it from the Citrix Cloud library, they can’t delete it. [CXM-61645]
After you upload a Google Play app in the Endpoint Manager console without adding an app icon image: If you later upload an image for the app, the image doesn’t appear in the apps list. [CXM-60965]
Endpoint Management 19.1.2
Files device policy now available for Android Enterprise. You can add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.
Configure time zone settings for Chrome OS devices. You can now select a time zone for the Chrome device and specify how to detect the time zone. For more information, see Restrictions device policy.
The user information shown on the Users and Enrollment Invitations pages is now restricted by an RBAC administrator’s group permissions. Previously, the Endpoint Management console included information for all local users and domain users on the Manage > Users and Manage > Enrollment Invitations pages.
To specify which user groups an RBAC administrator has permission to view and manage, edit the administrator role and specify the user groups. For more information, see Configure roles with RBAC.
Launch third-party apps from the Workspace app. For customers with Citrix Workspace enabled: Before deploying new apps to users, you can add a comma-separated list of URLs to launch the apps from the Workspace app. For more information, see Add apps.
Fixed issues in Endpoint Management 19.1.2
You can’t upload Google Play services APK versions later than 11.5.09 in the Endpoint Management console. [CXM-59492]
Editing Windows Desktop and Tablet apps in Configure > Apps > Public App Store results in this message: “Application search failed”. Searching for those apps results in this message: “Error connecting to the windows desktop store url: Failed to retrieve public app details”. [CXM-61686]