Citrix Endpoint Management

What’s new history

We move sections about older Endpoint Management releases from What’s new to this article.

Endpoint Management 21.7.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

This release contains enhancements that help improve overall performance and stability.

Fixed issues in Endpoint Management 21.7.1

When configuring an identity provider for Endpoint Management, if you don’t configure the optional fields, end users can’t authenticate. [CXM-97394]

Endpoint Management 21.7.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

If you authenticate with Azure Active Directory or Okta through Citrix Cloud, you can now create different enrollment profiles for iOS and Android devices. When you configure Azure Active Directory or Okta as authentication methods through Citrix Cloud, Endpoint Management supports a number of enrollment profiles with different enrollment types. For more information, see Enrollment profiles.

Automatically tag devices by device type and enrollment mode. If you enable the server property enable.device.tagging, Endpoint Management tags any newly enrolled device. You can use device tags to deploy policies and apps or configure delivery groups. Endpoint Management applies tags to devices for the following:

  • BYOD tags
    • iOS User Enrollment
    • Android Enterprise work profile
  • Corporate tags
    • Android Enterprise fully managed corporate devices
    • Bulk enrollment
      • Apple Business Manager devices
      • Apple School Manager devices
      • Windows AutoPilot devices
      • Android Enterprise bulk enrollment

For more information, see Server properties.

For Endpoint Management customers with the workspace experience enabled: Citrix Endpoint Management supports authentication with Azure Active Directory, Okta, and an on-premises Citrix Gateway for users enrolling in MDM through the Citrix Workspace app. For more information, see Authentication with Azure Active Directory through Citrix Cloud, Authentication with Okta through Citrix Cloud, and Authentication with an on-premises Citrix Gateway through Citrix Cloud.

Endpoint Management 21.6.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Enroll Android devices using the Citrix Workspace app (Preview). You can now enroll Android devices with Endpoint Management using the Citrix Workspace app. Once configured, users no longer need to enroll through Secure Hub. Android for Workspace provides:

  • Greater security through the use of the MAM SDK.
  • More privacy through the use of Android Enterprise work profile.
  • A more streamlined experience with fewer authentication prompts and a simple enrollment process.

Endpoint Management must be Workspace enabled for you to configure the new Android for Workspace platform. The Android Enterprise and Android for Workspace platforms exist separately in the Endpoint Management console. To use both Secure Hub and the Citrix Workspace app for enrollment, configure both platforms.

For more information on the Android for Workspace platform, see Android for Workspace.

Renamed the Wi-Fi device policy to network device policy. We renamed the Wi-Fi device policy to “network device policy” to accommodate Ethernet support for macOS. For macOS, in addition to the Wi-Fi option, you now have the following Ethernet options:

  • Global Ethernet
  • First Active Ethernet
  • Second Active Ethernet
  • Third Active Ethernet
  • First Ethernet
  • Second Ethernet
  • Third Ethernet

For more information, see Network device policy.

Apple Business Manager (ABM) and Delete All Users support for Shared iPads. Users can now sign in to Shared iPads using ABM accounts. The Delete All Users security action is also available for Shared iPads. For more information, see Shared iPads.

Upload certificates to iOS devices in bulk with the Citrix Endpoint Management REST API. If uploading certificates one at a time isn’t practical, use the Citrix Endpoint Management Server REST API to upload the certificates to iOS devices in bulk.

  1. Configure an iOS VPN device policy with the connection type Always on IKEv2.
  2. Select Device Certificate Based on Device Identity as the device authentication method.
  3. Select the Device identity type to use.
  4. Bulk import your device certificates with the REST API.

For information about configuring the VPN device policy, see VPN device policy. For information about importing certificates in bulk, see Upload certificates to iOS devices in bulk with the REST API.

Deprecation of full tunnel mode for iOS apps. From this release onward, MDX no longer supports the full tunnel mode in the Citrix Mobile productivity apps for iOS. The following options are removed from the Network access app policy:

  • Use Previous Settings
  • Tunneled - Full VPN
  • Tunneled - Full VPN and Web SSO

If you’re using the Tunneled - Full VPN or the Tunneled - Full VPN and Web SSO policies, you must switch to the Tunneled - Web SSO policy. Your emails don’t synchronize if you continue to use the deprecated policies. For more information, see SSO and proxy considerations for MDX apps.

More informative certificate selection. When you configure a Microsoft PKI, generic PKI, credential policy, or credential providers, the certificate menu provides more helpful information to distinguish certificates. This information includes:

  • The certificate name
  • The date from which the certificate is valid
  • The date to which the certificate is valid
  • The certificate serial number

Endpoint Management 21.5.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

This release contains enhancements that help improve overall performance and stability.

Endpoint Management 21.5.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Secure Hub APNs certificate renewal. The Secure Hub Apple Push Notification Service (APNs) certificate for Endpoint Management expires on June 17, 2021. This update renews the Secure Hub APNs certificate, which will expire on May 7, 2022.

FIPS 140-2 compliance. Endpoint Management server-side components are now FIPS 140-2 compliant.

Fixed issues in Endpoint Management 21.5.0

We have a new “Get Devices by Filters” API which resolves issues in the prior “Get Devices by Filters” APIs and returns paginated results for up to 100 devices at a time. See the section “3.16.3 Get Devices by Filters” in the Public API for REST Services PDF. [CXM-92791]

When you use a package ID to search for a Google Play app to add to the Endpoint Management console, the mandatory Name field displays as empty. You can still enter the app name manually. [CXM-93655]

Endpoint Management 21.4.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Citrix received verification for the Google Android Enterprise Advanced Management Solution Set. See Citrix Endpoint Management earns new Android Enterprise verification.

Integrate with Azure AD Conditional Access (Preview). You can now configure Endpoint Management to apply Azure AD Conditional Access support to Office 365 applications. This feature, now in Preview, lets you deploy the Zero Trust methodology to device users when deploying Office 365 applications. You can use device state, risk score, location, and device protections to define access to the Office 365 applications on managed Android Enterprise and iOS devices. For information, see Integrate with Azure AD Conditional Access.

Use Android device property rules to manage the deployment of a delivery group to Android Enterprise devices. If you enroll multiple Android Enterprise devices to the same user, you can now deploy delivery group resources based on the device enrollment profile or the application package ID. Within the delivery group, use device properties for the Android platform to create advanced rules for new or existing Android Enterprise devices. For more information, see Add a delivery group.

Support for rotating administrator password for macOS devices enrolled through Apple Deployment Program. When adding your Apple Business Manager account to Endpoint Management, you can specify settings to create an administrator account on the macOS device. Endpoint Management automatically creates the administrator account on the device during the Setup Assistant workflow. Users then sign in to their macOS device with the specified information. Endpoint Management now supports rotating the password of that administrator account for enhanced security. For more information, see Deploy devices through the Apple Deployment Program.

The new AutoDiscovery service configuration through Citrix Cloud. The AutoDiscovery service is now hosted in Citrix Cloud. Citrix migrated all existing AutoDiscovery service configurations without a disruption in service. To access the new AutoDiscovery service or change your configuration, go to https://adsui.cloud.com (commercial) or https://adsui.cem.cloud.us/ (government). For more information, see Set up the AutoDiscovery service for Endpoint Management.

In the new AutoDiscovery service configuration, use the MAM Port setting instead of Citrix Gateway FQDN to direct MAM traffic to your data center. If you enter a fully qualified domain name along with the port of your Citrix Gateway, the client device uses the configuration from the MAM Port setting.

When you go to https://adsui.cloud.com (commercial) or https://adsui.cem.cloud.us/ (government) to access the new AutoDiscovery service user interface, an ad blocker can prevent the site from opening. To access the AutoDiscovery service, disable the ad blocker for the entire website.

Added settings to Android Enterprise restrictions. We added two settings to all enrollment modes in order to more closely align with Google settings and to simplify configuration.

  • Allow Bluetooth sharing: If unselected, users can’t establish outgoing Bluetooth sharing on their device.
  • Allow app uninstall: Allows users to uninstall apps from within the Managed Google Play Store.

Also, we moved the Allow over-the-air upgrade setting from the Restrictions policy to the OS update policy.

For more information about these changes, see Restrictions device policy and OS Update device policy.

Support for delivering MDX apps from a content delivery network (CDN). CDN support is now available for MDX apps. To speed app downloads, the CDN delivers MDX apps to user devices located near an Endpoint Management server, which reduces app download times. To get started, see Deliver MDX apps from the Citrix CDN.

Fixed issues in Endpoint Management 21.4.0

Enterprise apps fail to install on devices running macOS 11.0 or later, but the Endpoint Management console shows that they have installed successfully. [CXM-90839]

Endpoint Management 21.3.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Streamlined flow for adding Android Enterprise apps to Intune managed environments. You can now add Android Enterprise apps to the Endpoint Management console and the Intune console at the same time. For more information about this workflow, see Add Android Enterprise apps to the Citrix Cloud Library.

Generate a QR code for Android Enterprise enrollment. Endpoint Management can now generate QR codes for Android Enterprise enrollment. By using the Endpoint Management console to generate a QR code for enrollments, you avoid external sites that can be malicious. For more information about generating QR codes, see Create a QR code.

Bootstrap token support for macOS devices. Endpoint Management now supports escrowing bootstrap tokens for macOS devices. A bootstrap token is generated during the Setup Assistant workflow. One benefit of escrowing bootstrap tokens with Endpoint Management is that remote accounts can be enabled for FileVault and can unlock the FileVault volume. For more information, see Bootstrap token.

Endpoint Management 21.2.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Updated Citrix Launcher app lets you restrict user access to one app or a small set of apps on Android Enterprise devices. You can also optionally upload a custom logo image for the Citrix Launcher icon and specify a password that users must enter to exit the app. For more information, see Citrix Launcher.

New Setup Assistant options for iOS and macOS. You can now specify more setup screens to skip when users set up iOS or macOS devices.

  • iOS
    • Restore completed: Prevents users from seeing whether a restore completes during setup. For iOS 14.0 and later.
    • Update completed: Prevents users from seeing whether a software update completes during setup. For iOS 14.0 and later.
  • macOS
    • Accessibility: Prevents the user from hearing VoiceOver automatically. Only available if the device is connected to Ethernet. For macOS 11 and later.
    • Biometric: Prevents the user from setting up Touch ID and Face ID. For macOS 10.12.4 and later.
    • True Tone: Prevents users from setting up four-channel sensors to dynamically adjust the white balance of the display. For macOS 10.13.6 and later.
    • Apple Pay: Prevents users from setting up Apple Pay. If this setting is cleared, users must set up Touch ID and Apple ID. Ensure that the Apple ID and Biometric settings are cleared.
    • Screen Time: Prevents users from enabling Screen Time. For macOS 10.15 and later.

For more information about configuring setup options, see Deploy devices through the Apple Deployment Program.

macOS PKG file uploads now limited by upload time instead of file size. You can now upload larger PKG files such as Microsoft Office for macOS devices. Endpoint Management has removed the previous file size limit of 0.5 GB and instead limits file upload time. By default, you must complete your upload within 100 seconds. For more information, see Add an enterprise app.

Endpoint Management no longer supports weak cryptographic algorithms for certificate-based authentication. When you create a certificate signing request for a credential provider in the Endpoint Management console, choose a stronger signature algorithm. For the list of removed signature algorithms, see Deprecation.

Fixed issues in Endpoint Management 21.2.0

When you create a user, two PKI certificates are created for the same user. The user might not be able to access internal websites through Secure Web or receive email through Secure Mail. [CXM-88134]

When adding an RBAC role, Endpoint Management becomes unresponsive after these actions:

  • Apply a permission to a specific user group, and then clear an Active Directory domain check box.
  • Select an authorized access item or console feature item repeatedly. [CXM-90861]

Endpoint Management 21.1.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Note:

As the result of an outage, your delivery group history might have been removed. Delivery group history collection has resumed.

New look and feel. Citrix has updated the Endpoint Management console with new colors, fonts, toggles, and other formatting changes. Some new UI elements may not load correctly until you clear your browser cache and refresh.

App uninstall policy now available for macOS. You can now remove managed apps from macOS devices by using the App uninstall policy. For more information, see App uninstall device policy.

Enhancements for a delivery group. You can now manage the deployment of a delivery group using device property rules along with the existing user property rules. If you enroll multiple devices to the same user, you can now create advanced filters within the delivery group based on the unique device properties, such as device ownership, model, OS version, compliance, and others. For more information, see Add a delivery group.

APIs are now available for creating reports. The Reporting APIs are read-only APIs using JSON as the query language. The APIs allow you to do the following:

  • Create robust compliance reports on application versioning, device OS patching, Android DA (Legacy) to Android Enterprise migration progress, and more.
  • Issue custom queries against your cloud database in a secure way.
  • Export data about your cloud service, such as lists of applications, devices, users, enrollments, and software.
  • Save information in JSON or CSV format.

These APIs are the cloud equivalent to having access to an on-premises database and running custom SQL queries. To learn more about the reporting APIs, see the documentation on the Citrix Developer portal.

Endpoint Management 21.1.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Authenticate to the REST API with the Citrix Cloud API keys. You can now generate the unique client ID and client secret to access the REST API using your Citrix Cloud account. For more information, see REST APIs.

Reorganization of Android Enterprise restrictions. The restriction settings for Android Enterprise have been reorganized for clarity. In some cases, minor changes to setting names have been made. For more information about the reorganization, see Android Enterprise settings.

Endpoint Management 20.12.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

This release contains enhancements that help improve overall performance and stability.

Use Azure Active Directory (AAD) or Okta to authenticate when enrolling Android Enterprise devices (Preview). The ability to use AAD or Okta as authentication methods when enrolling Android Enterprise devices is now available as a preview. This feature supports BYOD and fully managed modes in addition to enhanced enrollment profiles. For more information about using Okta for single sign-on, see Authentication with Okta through Citrix Cloud. For more information about using AAD for single sign-on, see Authentication with Azure Active Directory through Citrix Cloud.

Installing enterprise and volume purchase apps to macOS devices as managed apps. The Force app to be managed setting is now available for macOS. If you want to manage an app that is installed but not yet managed, turn on the setting for that app and deploy the app to the devices. The app automatically installs as a managed app. Users don’t receive any prompts. If you deploy an app to devices where the app doesn’t exist, the app is installed as a managed app regardless of the state of the setting. For more information, see Add an enterprise app and Configure the volume purchase apps.

Fixed issues in Endpoint Management 20.12.0

The default notification templates use the name XenMobile instead of Citrix Endpoint Management. [CXM-60513]

Android Enterprise users might not receive apps added after they enroll. [CXM-82840]

Endpoint Management 20.11.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Removal of Android TouchDown support. DigiCert stopped supporting Android TouchDown as of July 2, 2018. All Android TouchDown options have been removed from the Endpoint Management console.

Endpoint Management 20.10.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Limit methods to access the REST API. By contacting Citrix support, you can ensure that only Citrix Cloud accounts can access the REST API. Local administrator accounts can’t access the API with this feature enabled. See REST APIs.

Fixed issues in Endpoint Management 20.10.1

Users don’t receive enrollment invitation emails. [XMHELP-3081]

If you configure Endpoint Management as a discretionary certificate authority, the VPN, network, and other credentials device policies don’t deploy. [XMHELP-3093]

Endpoint Management 20.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Allow static or dynamic MAC addresses. As part of the network policy, iOS and iPadOS devices can now use a different MAC address each time they connect to the configured Wi-Fi network. You can also choose to keep the MAC address static. A dynamic MAC address, however, makes it more difficult to identify the device consistently across connections, which enhances privacy. See Network policy.

Use Azure Active Directory (AAD) or Okta as identity platforms. The ability to use AAD or Okta as your identity platform is now available as a public preview. Users enrolling through Citrix Secure Hub can use their AAD or Okta credentials. To use either of these methods for single sign-on, configure Citrix Gateway for certificate-based authentication. For more information about using Okta for single sign-on, see Authentication with Okta through Citrix Cloud. For more information about using AAD for single sign-on, see Authentication with Azure Active Directory through Citrix Cloud.

Use UPN or email for Okta authentication. When you set up Okta as your identity platform, you can allow users to log in with their UPN or their email address. See Single sign on with Okta.

Fixed issues in Endpoint Management 20.10.0

Users don’t receive enrollment invitation emails. [XMHELP-3081]

Endpoint Management 20.9.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Redeploy assigned policies to iOS and Android devices. If the user removes a policy, you can now redeploy the policy to iOS and Android devices. Go to Manage > Devices > Assigned Policies, select the policy, and click Reset status to change the deployment status to pending. For more information, see Supported enrollment methods for iOS and Supported enrollment methods for Android devices.

The FileVault device policy now allows for key storage and rotation. Using the FileVault device policy, you can now store personal recovery keys within Endpoint Management. End users can request their recovery key using the Self-Help Portal, and administrators can rotate personal recovery keys using security actions. For more information about the new features, see FileVault device policy.

More granular control over macOS update options. The OS Update device policy now allows you to control how macOS devices check for, download, and install updates. You can also configure the types of software updates allowed. For more information about the new settings, see OS Update device policy.

Fixed issues in Endpoint Management 20.9.1

The MDM certificate on some iOS devices doesn’t renew. In that case, the Manage > Devices > Device details > Certificates page shows an Apple MDM certificate that is close to expiration. The Endpoint Management server log includes the message “The new MDM payload does not match the old payload”. We recommend that you re-enroll the affected devices to resolve this issue. Citrix Technical Support can identify the devices to re-enroll and implement a temporary mitigation if needed. [CXM-86729]

Endpoint Management 20.9.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

This release contains enhancements that help improve overall performance and stability.

Fixed issues in Endpoint Management 20.9.0

When an Azure AD user logs into some Azure AD-joined Windows 10 devices configured to be a kiosk, kiosk mode does not activate. [CXM-66123]

Right after enrolling a device running macOS 10.14+, the device properties don’t always populate in the Endpoint Management console. Restart the device to view the properties. [CXM-84106]

Deployed resources sometimes don’t take effect on macOS 10.14+ devices until the device restarts. [CXM-84110]

Endpoint Management 20.8.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Easier use of the certificate alias in Managed configurations. Use the new Certificate alias setting in the Credentials device policy with the Android Enterprise managed configuration device policy. Doing so allows apps to authenticate on the VPN without user action. Instead of finding the credential alias in the app logs, you create the credential alias. Create the alias by typing it in the Certificate alias field of the Android Enterprise managed configuration device policy. Then you type the same certificate alias in the Certificate alias setting in the Credentials device policy. See Managed configurations policy and Credentials device policy.

Passcode device policy allows you to show apps and shortcuts on Android Enterprise devices that are not in compliance. The Passcode device policy for Android Enterprise has a new setting, Show apps and shortcuts while passcode is not in compliance. Enable the setting to cause the apps and shortcuts to remain visible when the device passcode is no longer compliant. Citrix recommends you create an automated action to mark the device as out of compliance when the passcode is not in compliance. See Passcode device policy.

Control of Use one lock setting on Android Enterprise devices. The new Enable unified passcode setting in the Passcode device policy lets you control whether a device requires a separate passcode for the device and the work profile. Before this setting, users controlled this behavior with the Use one lock setting on the device. When Enable unified passcode is On, users can use the same passcode for the device as the work profile. If Enable unified passcode is Off, users can’t use the same passcode for the device as the work profile. The default is Off. The Enable unified passcode setting is available for Android Enterprise devices running Android 9.0 or later. See Passcode device policy.

Fixed issues in Endpoint Management 20.8.0

If you onboarded Endpoint Management in 19.12.0 or later, to remove the Android Enterprise subscription, unenroll Android Enterprise from the console. Then remove the configuration from Google Play. If you click Remove Enterprise in the Google Play store first, the Android Enterprise subscription remains active in the Endpoint Management console. [CXM-83601]

Endpoint Management 20.7.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Changed the profile name in enrollment screens to Citrix Workspace. When users enroll their device to Endpoint Management, the profile name that displays is now Citrix Workspace. You can customize this name and display your organization name instead. To customize the name, change the value for the new server property apple.mdm.enrollment.profile.organization.name. See Server properties.

Fixed issues in Endpoint Management 20.7.1

On some cloud sites, the Monitor page of the Endpoint Management console does not load. [CXM-83365]

When you edit the values in the optional.user.identity.attributes server property and save the changes, an error message appears. [CXM-84209]

Endpoint Management 20.7.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Endpoint Management supports authentication with an on-premises Citrix Gateway as a preview feature. You can now configure an on-premises Citrix Gateway as your identity provider for users enrolling through Citrix Secure Hub. For more information, see Authentication with an on-premises Citrix Gateway through Citrix Cloud (Preview).

Customize the list of optional Active Directory user attributes. A new server property, optional.user.identity.attributes, enables you to remove and restore optional attributes that Endpoint Management uses to identify a user account in Active Directory. For more information, see Customize Active Directory user attributes.

Fixed issues in Endpoint Management 20.7.0

Apple iTunes volume purchase apps can’t synchronize with Endpoint Management. [CXM-81271]

When you install multiple LDAP Active Directories (AD) on Endpoint Management using Citrix Cloud Connector, only the first installed AD populates in the Endpoint Management settings. As a workaround, you can check Citrix Cloud. If those domains are marked as unused, manually mark them as Used. Marking the domain as used makes it available in Endpoint Management. [CXM-81697]

If you onboarded Endpoint Management in 19.12.0 (December 2019) or later: When you add multiple LDAP authentication domains, you cannot change the default domain. [CXM-82952]

Endpoint Management 20.6.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

If you onboarded Endpoint Management after the 19.8.0 release (August 1, 2019), sign in to Citrix Cloud and click the Endpoint Management service tile to access the console. All customers who onboarded before 19.8.0 will soon transition to Citrix Cloud sign-in. To provide enhanced security, Citrix recommends that you configure single sign-on. For assistance, contact Citrix Technical Support.

The Secure Hub Apple Push Notification Service (APNs) certificate for Endpoint Management expires on July 12, 2020. As a result, the Agent Notification fails and the application push might be delayed on iOS devices. This update renews the Secure Hub APNs certificate, which expires on June 18, 2021.

Disable the ability to print on the Android Enterprise work profiles or fully managed devices. In the Restrictions device policy, the Don’t allow printing setting lets you specify whether users can print to any printer accessible from the Android Enterprise device. For more information, see Android Enterprise settings.

Configure the connection mode and network priority for macOS. In the network device policy, enable the Connection mode setting for macOS devices to choose how users join the network. The device can use the system credentials or credentials entered at the login window to authenticate the user. If you have multiple networks, type a number in the Priority field to set the priority of the network connection. The device chooses the network with the lowest number. For more information, see the macOS settings in Network device policy.

Enable a proxy configured on iOS devices. Endpoint Management now requires that you enable a new client property, ALLOW_CLIENTSIDE_PROXY, if you want to allow iOS users to use proxy servers that they configure in Settings > Network. For more information, see ALLOW_CLIENTSIDE_PROXY in Client property reference.

Automatically update managed apps policy for managed Google Play apps. This new policy allows you to restrict the ability of users to configure automatic app updates for managed Google Play apps on Android Enterprise devices. You can allow users to configure the policy. Or, you can specify that automatic updates apply always, never, or only when a device is connected to Wi-Fi.

Fixed issues in Endpoint Management 20.6.0

In the Endpoint Management console, you can’t see the package ID for MDX wrapped iOS and Android apps. [CXM-81021]

When Endpoint Management sends the queries for the Active Directory group members, the identity service runs the queries recursively. These queries consume more resources. Therefore, sites with many Active Directory users might experience a disturbance in daily operations. [CXM-81112]

On the Endpoint Management console, some apps’ status displays as “Pending” even though they are already installed. This limitation is due to macOS and is specific to PKG files with different pkg and app identifiers. [CXM-72203]

Endpoint Management 20.5.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Simplified configuration of Intune managed apps when using Endpoint Management integration with Microsoft Endpoint Manager. When you configure Intune managed apps, you no longer set the Force app to be managed option in the Endpoint Management console. You now set the option in the EMS console.

Support for restricting web content transfer for Intune managed apps published through Microsoft Edge using Endpoint Management integration with Microsoft Endpoint Manager. Endpoint Management integration with Microsoft Endpoint Manager supports the new managed browser policy for Microsoft Edge, Restrict web content transfer with other apps, in the EMS console.

Unlock a local user account. If a user reaches the maximum number of consecutive invalid login attempts, the local user account locks for 30 minutes. The system denies all further authentication attempts until the lockout period expires. To unlock the account in the Endpoint Management console, go to Manage > Users, select the user account, and click Unlock Local User. For more information, see To unlock a local user account. To change the number of failed login attempts and the lockout time, update the local.user.account.lockout.time and local.user.account.lockout.limit server properties. For more information, see Server properties.
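As an added illustration of the lockout behaviour described above (this is not Citrix code, and the attempt limit of 3 is a constructed value; only the 30-minute window comes from the text), the following model counts consecutive failures, refuses every attempt until the window expires, and exposes an administrator unlock equivalent to Unlock Local User:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Server properties named on the page. The 30-minute lockout is the value the page
# states; the attempt limit of 3 is a constructed value for this illustration.
SERVER_PROPERTIES = {
    "local.user.account.lockout.limit": 3,
    "local.user.account.lockout.time": 30,  # minutes
}


@dataclass
class LocalAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real product uses; the point is that
    # the store never holds cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserStore:
    """Hypothetical local-user authenticator with the lockout semantics above."""

    def __init__(self, props: Dict[str, int] = SERVER_PROPERTIES) -> None:
        self.limit = int(props["local.user.account.lockout.limit"])
        self.lockout = timedelta(minutes=int(props["local.user.account.lockout.time"]))
        self.accounts: Dict[str, LocalAccount] = {}
        self.audit: List[str] = []  # where a SIEM would pick up lockout events

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = LocalAccount(username, salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # unknown user gets the same answer as a bad password
        if acct.locked_until is not None:
            if now < acct.locked_until:
                # Every attempt inside the lockout window is refused outright,
                # even with the correct password, so the counter is not touched.
                self.audit.append(f"{now.isoformat()} locked-attempt user={username}")
                return "locked"
            # Lockout period has expired: clear the lock and start counting afresh.
            acct.locked_until = None
            acct.consecutive_failures = 0
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.consecutive_failures = 0  # a success resets the consecutive count
            return "ok"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= self.limit:
            acct.locked_until = now + self.lockout
            self.audit.append(f"{now.isoformat()} lockout user={username}")
            return "locked"
        return "denied"

    def unlock_local_user(self, username: str) -> bool:
        """Administrator action equivalent to Manage > Users > Unlock Local User."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        acct.locked_until = None
        acct.consecutive_failures = 0
        return True


def demo() -> List[str]:
    """Walk one constructed account through failures, lockout, expiry and admin unlock."""
    store = LocalUserStore()
    store.add_user("alice", "correct horse battery staple")
    t0 = datetime(2020, 5, 1, 9, 0, 0)
    results = []
    for i in range(3):  # three wrong guesses: the third trips the limit
        results.append(store.authenticate("alice", "wrong", t0 + timedelta(seconds=i)))
    # The right password inside the 30-minute window is still refused.
    results.append(store.authenticate("alice", "correct horse battery staple", t0 + timedelta(minutes=10)))
    # Once the window has passed, the lock clears on its own.
    results.append(store.authenticate("alice", "correct horse battery staple", t0 + timedelta(minutes=31)))
    # Lock the account again, then have an administrator unlock it without waiting.
    for i in range(3):
        store.authenticate("alice", "wrong", t0 + timedelta(hours=1, seconds=i))
    store.unlock_local_user("alice")
    results.append(store.authenticate("alice", "correct horse battery staple", t0 + timedelta(hours=1, minutes=1)))
    return results  # ["denied", "denied", "locked", "locked", "ok", "ok"]


if __name__ == "__main__":
    print(demo())
```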

The Citrix Content Delivery Network (CDN) now delivers enterprise apps for macOS (MDM enrollment). To speed the delivery of app downloads, CDN sends macOS apps to user devices located near the Endpoint Management servers throughout the world. For more information, see Deliver enterprise apps from the Citrix CDN.

Fixed issues in Endpoint Management 20.5.0

Administrators with the RBAC permission to export enrollment invitations can export all enrollment invitations, regardless of limitations. [CXM-79928]

Attempts to deploy a PowerShell script to trigger an automated action on Windows devices might fail with a 500 internal server error. The issue occurs if you leave the Description field on the Action Information page blank and select Policy returned value as a trigger. To work around the issue, do not leave the Description field blank when using Policy returned value as a trigger. [CXM-80997]

When you edit an existing iOS restriction policy, an error occurs. [CXM-82180]

Endpoint Management 20.4.1

Support for the latest HTTP/2-based APNs provider API. Apple support for the Apple Push Notification service legacy binary protocol ends as of March 31, 2021. Apple recommends that you use the HTTP/2-based APNs provider API instead. Citrix Endpoint Management now supports the HTTP/2-based API. For more information, see the news update, “Apple Push Notification Service Update” in https://developer.apple.com/. For help with checking connectivity to APNs, see Connectivity checks.

Password requirements for a local user account. When you add or edit a local user account in the Endpoint Management console, ensure that you follow the latest password requirements. For more information, see To add a local user account.

Use the app bundle ID number to add apps to the Apps notifications device policy. Click Add new and type the app bundle ID in the field that appears. For more information, see Apps notifications device policy.

Device policy updates for iOS 13. Device policies for iOS 13 now have the following features:

  • Network usage policy: We added more features to the App network usage policy and renamed it to Network usage policy. You can now also configure network usage rules based on SIM ICCIDs on iOS 13 devices. See Network usage device policy.
  • Restrictions policy: You can now restrict shared device temporary sessions, eSIM modification, Find My iPhone, and more. For more information, see the iOS settings section in Restrictions device policy.

Fixed issues in Endpoint Management 20.4.1

With Azure Active Directory based authentication and device enrollment, users with Android devices fail to enroll. An error states that user authentication has no device access. [CXM-80404]

Endpoint Management 20.4.0

Publish web apps for Android Enterprise in the Endpoint Management console. You no longer need to go to managed Google Play or the Google Developer portal to publish Android Enterprise web apps for Endpoint Management. When you click Upload in Configure > Apps > Web link, a managed Google Play store UI opens for you to upload and save the file. The app approval and publishing can take about 10 minutes. For more information, see Add a Web link.

Device policy updates for iOS 13. Device policies for iOS 13 now have the following features:

Fixed issues in Endpoint Management 20.4.0

Data visualization charts on the Analyze dashboard don’t scale correctly when using your browser’s zoom. [CXM-79652]

When using MAM-only enrollment, users can still access the Apple Over-the-Air Enrollment portal for MDM. [CXM-77449]

The selective wipe action fails when the device is on standby. [CXM-76051]

Endpoint Management 20.3.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Enhanced enrollment profiles enabled for all customers

This release enables for all customers the enhanced enrollment profile features released to some customers in Endpoint Management 20.2.1. For information about this feature, see Configure multiple device and app management modes in a single environment.

Android devices are enrolled in Android Enterprise by default

Starting with this release, Android Enterprise is the default enrollment option for Android devices. If Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices by default.

This change supports changes Google is making to Android. Google deprecated the device administrator mode of device management and encourages customers to manage all Android devices using Android Enterprise. (See Device admin deprecation in the Google Android Enterprise developer guides.)

Starting with Endpoint Management 19.11.0, Citrix communicated the required actions to migrate all Android devices to Android Enterprise. For more information about Endpoint Management support for the transition to Android Enterprise, see the blog, Android Enterprise as the default for Citrix Endpoint Management service.

If your Endpoint Management deployment includes devices that you must continue to manage in device admin mode, create an enrollment profile for these legacy devices.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Legacy device administration (not recommended). Click Next.

  5. Select Assignment (options). The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

To continue managing legacy devices in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similarly to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

Fixed issues in Endpoint Management 20.3.0

Trying to sort devices by Last access or Inactivity days results in a 500 internal server error. [CXM-79414]

For customers using Amazon Web Services and the new Citrix enhanced enrollment profiles: iOS devices don’t enroll. As a work-around, create a default enrollment profile that includes all delivery groups. See To create an enrollment profile. [CXM-79019]

When you deploy a Passcode device policy to macOS devices, the policy applies to the system level instead of the user level. As a result, users aren’t prompted to change their passcode for hours, or even days. [CXM-75344]

Endpoint Management 20.2.1

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Configure multiple device and app management modes in a single environment

About this feature:

Enhanced enrollment profile support is rolling out over two releases. Citrix sends notifications about upcoming releases.

Until the enhanced enrollment profile feature gets enabled for you, an enrollment profile only limits the number of devices a user can enroll.

You can now configure a single Endpoint Management site to support multiple enrollment configurations. The role of enrollment profiles expanded to include enrollment settings for device and app management.

Enrollment profiles support multiple use cases and device migration paths within a single Endpoint Management console. Use cases include:

  • Mobile Device Management (MDM only)
  • MDM+Mobile Application Management (MAM)
  • MAM only
  • Corporate-owned enrollments
  • BYOD enrollments (the ability to opt out of MDM enrollment)
  • Migration of Android device administrator enrollments to Android Enterprise enrollments (fully managed, work profile, dedicated device)

Enrollment profiles replace the now deprecated server property, xms.server.mode. This change does not impact your existing delivery groups and enrolled devices.

The following table shows the automated migration path from the existing server property mode to the new enrollment profile feature:

Existing server property         New management mode
ENT mode (iOS)                   Apple device enrollment with Citrix MAM
ENT mode (Android)               Legacy device administrator with Citrix MAM
ENT mode (Android Enterprise)    Work profile on fully managed, with Citrix MAM
MAM mode (iOS and Android)       Citrix MAM
MDM mode (iOS)                   Apple device enrollment
MDM mode (Android)               Legacy device administrator
MDM mode (Android Enterprise)    Work profile on fully managed

When you create a delivery group, you can attach an enrollment profile to the group. If you don’t attach an enrollment profile, Endpoint Management attaches the Global enrollment profile.

Enrollment profiles provide the following device management features:

  • Easier migration from Android device administrator (DA) mode to Android Enterprise. For Android Enterprise devices, settings include a device owner mode such as: Fully managed, work profile on fully managed, or dedicated. For more information, see Android Enterprise.

    Enrollment Profile page for Android

    For this upgrade, your current Endpoint Management configurations for server mode and Settings > Android Enterprise map to the new enrollment profile settings as follows.

    Current configuration                              Management setting       Device owner mode setting        Citrix MAM setting
    MDM; managed Google Play (Android Enterprise)      Android Enterprise       Work profile on fully managed    Off
    MDM; Google Workspace (legacy DA)                  Legacy DA                not applicable                   Off
    MAM                                                Do not manage devices    not applicable                   On
    MDM+MAM; managed Google Play (Android Enterprise)  Android Enterprise*      Work profile on fully managed    On
    MDM+MAM; Google Workspace (legacy DA)              Legacy DA*               not applicable                   On

    * If enrollment is required, Allow users to decline device management is Off.

    After the upgrade, your current enrollment profiles reflect those mappings. Consider whether you want to create other enrollment profiles to handle any new use cases as you transition away from legacy DA.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    Enrollment Profile page for Android

  • Easier iOS management. For iOS devices, settings include a choice between enrolling devices as managed or unmanaged.

    Enrollment Profile page for iOS

    For this upgrade, your prior configurations map to the new enrollment profile settings as follows.

    Server mode    Management setting       Citrix MAM setting
    MDM            Device enrollment        Off
    MAM            Do not manage devices    On
    MDM+MAM        Device enrollment        On

    If enrollment is required, Allow users to decline device management is Off.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    Enrollment Profile page for iOS

  • Allow Windows 10 devices to automatically enroll in Citrix Workspace app.

    Enrollment Profile page for Windows

    For this upgrade, your prior MDM configuration maps to the new enrollment profile setting Fully managed.

    If you onboard to Endpoint Management 19.12.0 or later, the Global enrollment profile has these predefined settings.

    Enrollment Profile page for Windows

The following limitations exist for enhanced enrollment profiles:

  • The enhanced enrollment profile feature doesn’t work for iOS and Android devices when Endpoint Management is integrated with Citrix Workspace.

  • The enhanced enrollment profile feature isn’t available for one-time PIN or two-factor authentication enrollment invitations.

For more information, see Enrollment profiles.

Other updates in Endpoint Management 20.2.1

  • Simplified enrollment of dedicated Android Enterprise (COSU) devices. Endpoint Management now enables you to enroll dedicated Android Enterprise devices (also known as COSU devices) by creating an enrollment profile. You are no longer required to create a role-based access control (RBAC) role for enrolling dedicated devices. See Provisioning dedicated Android Enterprise devices.

  • Disable biometric authentication on Android devices with the Keyguard management policy. The Keyguard Management device policy now lets you disable fingerprint unlock, face authentication, iris authentication, or all biometric authentication for devices running Android 9.0 and later.

  • Get guidance in the Resource Center. Use the Resource Center to access the in-product data. For guidance from the dashboard, click the icon in the lower right corner.

    Resource Center icon

Fixed issues in Endpoint Management 20.2.1

You previously needed permission to edit devices before you can use the Endpoint Management API to send notifications to devices. You now need Send Notification permissions to send notifications. [CXM-76689]

When you enroll a WEM enabled Windows Desktop/Tablet device and then enroll the same device in MDM, the Endpoint Management console displays two separate entries for the device. [CXM-77412]

Endpoint Management 20.1.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

  • Support for Android Enterprise COPE devices. Endpoint Management supports Android Enterprise fully managed devices with work profiles. Google previously referred to those devices as COPE (corporate-owned personally enabled) devices.

    Android Enterprise fully managed devices have a device profile and a work profile. You can apply separate policy settings to the device and the work profile. For this release:

    • You can apply separate settings to the device and the work profile using these device policies: Credentials, Keyguard Management, Passcode, and Restrictions.
    • You can apply the location mode setting of the Location device policy to the COPE device itself but not to the work profile of the COPE device. Other settings in the Location device policy are not available for COPE devices. See the Location device policy.
    • You can apply the Lock security action separately to the device or the work profile.
  • Auto-enrollment of Windows 10 devices through Citrix Workspace app. Endpoint Management can now auto-enroll Windows 10 desktops and tablets using the Citrix Workspace app. For more information about this feature, see Integration with Citrix Workspace experience.

Fixed issues in Endpoint Management 20.1.0

The Settings > Apple Deployment Program page doesn’t include skip options for the new iOS 13 Setup Assistant screens. During enrollment, users must click through screens for Get Started and Appearance. [CXM-71370]

The Filters tab is open by default for Manage > Devices. [CXM-75823]

ShareFile single sign-on (SSO) fails for multitenant customers on the same set of virtual machines. [CXM-75886]

Endpoint Management 19.12.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

You can now configure delivery groups for Windows devices based on device properties. (Preview) When configuring delivery groups, you can now configure groups based on device properties. This feature is only available for Windows desktops and tablets. To request access to this Preview feature, contact your Citrix sales or support representative. For more information about this feature, see Add a delivery group (Preview).

Import Group Policy Objects (GPOs) into Endpoint Management and deploy them directly to Windows 10 devices. Rather than relying on an AD administrator to deploy GPOs from the Group Policy Management console, you can import and deploy GPOs through the Endpoint Management console. See Windows GPO Configuration device policy.

Install EXE apps for Windows desktops and tablets. You can now upload EXE applications as enterprise apps for Windows Desktops and Tablets. For more information, see Add Win32 apps as Enterprise apps.

Users can no longer remove policies from iOS devices. Some device policies no longer allow users to remove the policy from iOS devices. The setting Allow user to remove policy has been removed for iOS from the following policies: APN policy, Mail policy, Passcode policy, Provisioning Profile policy, Proxy policy, and VPN policy.

Fixed issues in Endpoint Management 19.12.0

If you update an app version number with the Endpoint Management Public REST API and then by using the console: The app version doesn’t update. [CXM-69216]

Sometimes Endpoint Management can’t install EXE apps on Windows devices because the file hash isn’t correct. [CXM-75506]

Endpoint Management 19.11.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Apple Volume Purchase Program migration to Apple Business Manager (ABM) and Apple School Manager (ASM)

Companies and institutions using Apple Volume Purchase Program (VPP) need to migrate to Apps and Books in Apple Business Manager or Apple School Manager before December 1, 2019.

Before migrating VPP accounts in Endpoint Management, see this Apple support article.

If your organization or school only uses the Volume Purchase Program (VPP), you can enroll in ABM/ASM and then invite existing VPP Purchasers to your new ABM/ASM account. For ASM, navigate to https://school.apple.com. For ABM, navigate to https://business.apple.com.

To update your volume purchase (formerly VPP) account on Endpoint Management:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Volume Purchase. The Volume Purchase configuration page appears.

  3. Ensure that your ABM or ASM account has the same app configuration as your previous VPP account.

  4. In the ABM or ASM portal, download an updated token.

  5. In the Endpoint Management console, do the following:

    1. Edit the existing volume purchase account with the updated token info for that location.

    2. Edit your ABM or ASM credentials. Don’t change the suffix.

    3. Click Save twice.

For more information, see:

Enrollment profiles control enrollment options for Android devices

Enrollment profiles now control how Android devices are enrolled if Android Enterprise is enabled for your Endpoint Management deployment. Enrollment profiles determine whether Android devices are enrolled in the default Android Enterprise mode (fully managed or work profile) or in legacy (device administrator) mode.

By default, the Global enrollment profile enrolls new and factory reset Android Enterprise devices as fully managed devices and enrolls BYOD Android Enterprise devices as work profile devices. For more information, see Android Enterprise.

Preparing legacy Android devices for Android Enterprise as default enrollment

Google is deprecating the device administrator mode of device management and encouraging customers to manage all Android devices in device owner mode or profile owner mode. (See Device admin deprecation in the Google Android Enterprise developer guides.) To support this change, Citrix will make Android Enterprise the default enrollment option for Android devices.

This change means that if Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

So you can prepare for this change, Endpoint Management now allows you to create enrollment profiles that control how Android devices are enrolled.

Your organization might not be ready to begin managing legacy Android devices in device owner mode or profile owner mode. In that case, you can continue to manage them in device administrator mode. Create an enrollment profile for legacy devices and re-enroll all enrolled legacy devices.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Legacy device administration (not recommended). Click Next.

  5. Select Assignment (options). The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

To continue managing legacy devices in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similarly to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

For more information about Endpoint Management support for the transition to Android Enterprise, see the blog, Android Enterprise as the default for Citrix Endpoint Management service.

Fixed issues in Endpoint Management 19.11.0

When searching for a Google Play Store app in the Endpoint Management console, the app name is empty. You can enter the name manually to save the app. [CXM-73261]

After uploading an MDX app for Android Enterprise, the managed Google Play store UI might not open in the Endpoint Management console. Until the issue is fixed, go to the managed Google Play store to approve and save the app manually. [CXM-73398]

For iOS, location tracking doesn’t work if you do the following: Configure and deploy a location policy, enable tracking from device security actions, and then delete the deployed location policy and create a new one. [CXM-73470]

Users with apostrophes in their user names can’t enroll their devices when their user name is imported from LDAP. [CXM-73780]

Endpoint Management 19.10.0

The following features are now rolling out to commercial customers. Releases to US government customers begin within three months. For feature differences between the commercial and US government offerings, see Endpoint Management service for US Government.

Expanded support for Zebra OEMConfig. Endpoint Management now supports managing Zebra devices using the Zebra Technologies administrative tool Zebra OEMConfig. (For information, see the Zebra Technologies website.) To manage devices using the Zebra OEMConfig app, publish the app and configure a Managed configurations device policy.

Content delivery network (CDN) availability for Windows apps. You can now deploy Windows apps by using a content delivery network. See Deliver enterprise apps from the Citrix CDN.

Group invitation support for users whose names include special characters. When you choose a group to receive enrollment invitations, Endpoint Management now gets the user list from Active Directory. The list includes users whose names contain special characters. See Enrollment invitations.

Fixed issues in Endpoint Management 19.10.0

After you enroll a new device or re-enroll an old device, an error message intermittently displays on Manage > Devices. [CXM-72634, CXM-73077]

When you select a Chrome or Workspace hub device in Manage > Devices > Enrolled Devices and then click Edit, the following message appears: “A configuration error occurred. Please try again.” That message also appears when you mouse over those devices in the devices list and click Show more. In either case, click OK to continue. [CXM-73010]

Endpoint Management 19.9.1

  • Support for encryption management for iOS and Android. Note: This feature is deprecated as of March 2021. Instead, Endpoint Management uses the device encryption provided by the iOS and Android platforms. Endpoint Management supplements platform-based encryption with features such as compliance checking, available through the Citrix MAM SDK.

  • Support for iPadOS. Citrix Endpoint Management supports iPadOS 13.x. Device policies for iOS apply to devices running iPadOS.

  • Simplified app management for Android Enterprise. You no longer must go to managed Google Play or the Google Developer portal to approve or publish apps for Endpoint Management. As a result, app approval and publishing take about 10 minutes rather than hours.

    • Approve Android Enterprise apps for the Public App Store in the Endpoint Management console. You can now approve managed Google Play store apps without leaving the Endpoint Management console. After you enter an app name in the search field, the managed Google Play store UI opens with the instructions for you to approve and save the app. Your app then populates in the results allowing you to configure its details. See Add a public app store app.

    • Approve the MDX apps for Android Enterprise in the Endpoint Management console. You can now approve managed Google Play store apps for Android Enterprise without leaving the Endpoint Management console. After you upload an MDX file, the managed Google Play store UI opens with the instructions for you to approve and save the app. See Add an MDX app.

    • Publish enterprise apps for Android Enterprise in the Endpoint Management console. You no longer must register for a Google Play developer account when you add an Android Enterprise private app. The Citrix Endpoint Management console opens a managed Google Play store UI for you to upload and publish the APK file. See Add an enterprise app.

  • More certificate management features for Android Enterprise devices in work profile mode or fully managed mode. In addition to installing certificate authorities in the managed keystore, you can now manage the following features:

    • Configure the certificates used by specific managed apps. The Credentials device policy for Android Enterprise now includes the setting Apps to use the certificates. You can specify the apps to use the user certificates issued by the credential provider selected in this policy. Apps are silently granted access to certificates during run time. To use the certificates for all apps, leave the apps list blank. See Credentials device policy.

    • Silently remove certificates from the managed keystore or uninstall all non-system Certificate Authority certificates. See Credentials device policy.

    • Prevent users from modifying credentials stored in the managed keystore. The Restrictions device policy for Android Enterprise now includes the setting Allow user to configure user credentials. By default, that setting is On. See Restrictions device policy.

  • Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. Android location tracking requires Android 8.5 and higher. See Location device policy.

  • Easy access to BitLocker recovery keys. If a user loses their BitLocker recovery key, unlocking their device can be a challenge. Endpoint Management now displays the BitLocker recovery key for Windows desktops and tablets under the device details. See BitLocker recovery key.

Fixed issues in Endpoint Management 19.9.1

After adding a custom property with a special character, admins cannot access the Devices page on the XenMobile console. [CXM-57322]

The RBAC role Tier 2 techs can’t create enrollment invitations to a user group with more than 2000 users. Only full administrative users can create the invitations. [CXM-72086]

On iOS devices, administrators might lose the ability to send an “unlock device” command to passcode-protected devices after the device is upgraded to iOS 13.1.x. To resolve this issue, see https://support.citrix.com/article/CTX262076. [CXM-73151]

Endpoint Management 19.9.0

  • Manage keyguard features for Android Enterprise work profile and fully managed devices. Android keyguard manages the device and work challenge lock screens. Use the Keyguard Management device policy to control:

    • Keyguard management on work profile devices. You can specify the features available to users before they unlock the device keyguard and the work challenge keyguard. For example, by default users can use fingerprint unlock and view unredacted notifications on the lock screen.

    • Keyguard management on fully managed and dedicated devices. You can specify the features available, such as trust agents and secure camera, before they unlock the keyguard screen. Or, you can choose to disable all keyguard features.

    See Keyguard Management device policy.

  • Samsung Knox container password reset. The Container Password Reset security action is no longer available for Android Enterprise Samsung Knox devices. Use the Container Lock security action to reset passwords for Samsung Knox containers. The Container Password Reset security action is still available for Samsung devices in device administrator mode.

  • Configure the product track for your Android Enterprise apps. When adding a public store app or an MDX app for Android Enterprise, configure the product track you want to push to user devices. For example, if you have a track designed for testing, you can select and assign it to a specific delivery group. To learn more about rolling out your release, see Google Play Help Center. For information on configuring the product track, see Add an MDX app or Add a public app store app.

  • Windows GPO configuration policy enabled automatically. The Windows GPO configuration policy enables automatically if you provision a Citrix Workspace Environment Management site in the Citrix Cloud. For more information, see Windows GPO Configuration device policy.

  • Mobile Device Management (MDM) and Workspace Environment Management (WEM) managed devices merged in the console. If a device is both MDM managed and WEM managed, it now displays as one device in the Endpoint Management console. The device label in the console is MDM, WEM. Previously, the device would show as two different devices. You can also delete devices that are MDM and WEM managed now.

Fixed issues in Endpoint Management 19.9.0

After you deploy the App Access device policy, non-compliant devices don’t trigger the configured action. [CXM-69842]

You can’t configure Google Workspace admin credentials for Chrome OS devices. [CXM-71665]

Connectivity between Endpoint Management and Apple School Manager fails. [CXM-71844]

MAM devices wipe apps and app data because of a failure to get the user domain details. As a result, the device considers the user as deleted. [CXM-72093]

After enrolling a new device or re-enrolling an old device, an error message intermittently displays on the Manage tab. [CXM-72224]

Endpoint Management 19.8.0

  • Restricted port access to the Endpoint Management console and Self-Help Portal. The change differs for existing and new customers:

    For existing customers (onboarded before Endpoint Management 19.8.0, August 1, 2019):

    • You can require that administrators sign on to the Citrix Cloud console for SSO access to the Endpoint Management console. Citrix highly recommends all console access through Citrix Cloud.

      Set the new server property enable.cloud.console.sso to True, which means you can’t directly access the Endpoint Management console. Attempts to directly access the Endpoint Management console on port 4443 result in a 500 error.

    • Access to the Self-Help Portal is available only through port 443. Access attempts through port 4443 now result in an “Access Denied” message.

    For new customers (onboarding starting with Endpoint Management 19.8.0, August 1, 2019):

    • New customers sign on to the Citrix Cloud console for SSO access to the Endpoint Management console.

    • Access to the Self-Help Portal requires a server property change. By default, new customers can’t access the Self-Help Portal.

      To give your users access to the Self-Help Portal, update shp.console.enable to True.

Fixed issues in Endpoint Management 19.8.0

When importing a CA certificate, the console doesn’t display an updated or new certificate under PKI entities. [CXM-68419]

When configuring the VPN device policy for iOS to use the Citrix SSO protocol: After you enable the Prompt for PIN when connecting setting and save the policy, that setting reverts to Off. [CXM-68523]

For customers who have migrated from previous versions, opening the Manage tab in the console displays an error if a device’s enrollment profile has been deleted. [CXM-69750]

Endpoint Management 19.7.1

  • Access all Google Play apps in the managed Google Play store. The Access all apps in the managed Google Play store server property makes all apps from the public Google Play store accessible from the managed Google Play store. Setting this property to true allows the public Google Play store apps for all Android Enterprise users. Administrators can then use the Restrictions device policy to control access to these apps.

  • Enable system apps on Android Enterprise devices. To allow users to run pre-installed system apps in the Android Enterprise work profile mode or fully managed mode, configure the Restrictions device policy. That configuration grants user access to default device apps, such as camera, gallery, and others. To restrict access to a particular app, set app permissions using the App permissions policy.

Fixed issues in Endpoint Management 19.7.1

When sending an enrollment link using SMTP/SMS, the link being sent doesn’t work. [CXM-67458]

When attempting to update a public iOS app using the Endpoint Management console, a configuration error displays. [CXM-69190]

Some third-party volume purchase apps fail to auto-update. This issue occurred due to blocked host names. For more information, see https://support.apple.com/en-us/HT201999. [CXM-69341]

When adding Microsoft Word or PowerPoint for iOS to the cloud app library, assigning the app to a user group fails. You must delete and re-add any Intune apps experiencing this issue. [CXM-69349]

Endpoint Management 19.6.1

  • Location device policy now enables device tracking for Android. You can now enable device tracking to poll specific devices at a frequency you define. You might use this policy to track delivery personnel for more accurate delivery estimates, track lost or stolen devices, or enforce geographic boundaries. For more information, see Location device policy.

Fixed issues in Endpoint Management 19.6.1

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

After the time period in the server property bulk.enrollment.fetchRosterInfoDelay ends and an Apple School Manager device syncs with the server: The Apple School Manager user account is deleted from the server and the device moves into an anonymous state. [CXM-67913]

Users with special German characters, such as umlauts, in their display name can’t enroll. [CXM-68097]

The following error message displays when you attempt to configure a Public App by using the new app URL from the Apple Store. “Could not find the app you entered. Check the URL and try again.” [CXM-68537]

Endpoint Management 19.6.0

  • Auto updates for Apple volume purchase apps. When you add a volume purchase account (Settings > iOS Settings), you can now enable auto updates for all iOS apps. See the App Auto Update setting in Apple Volume Purchase.

Fixed issues in Endpoint Management 19.6.0

The following error is displayed while adding a registry key to a Windows Embedded Compact policy if the length of the registry value exceeds 2048 characters: Console error: could not execute statement; SQL [n/a]; nested exception is org.hibernate.exception.DataException: could not execute statement. [CXM-59446]

During profile installation on an iOS device, “Not Verified” appears in the profile information. [CXM-64486]

When an Azure AD user signs in to some Windows 10 Azure AD joined devices configured as kiosks, kiosk mode does not activate. This issue doesn’t occur if you enter the Azure AD user name in the format azuread\user. For more information, see Kiosk device policy. [CXM-66123]

App icons don’t show in the Endpoint Management console for apps that were automatically uploaded. [CXM-66444]

When you add a volume purchase account (Settings > iOS Settings), the following message appears if the token exceeds 350 characters: “The entered company token is not valid, please enter a new one.” [CXM-68113]

Endpoint Management 19.5.0

  • iOS MDM enrollment workflow change. To improve platform security by reducing misleading profile installations, Apple released a new workflow for manually enrolling devices in MDM. This new workflow affects all MDM solutions, including Citrix Endpoint Management.

    There is no change for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. The workflow changes are only for manual enrollment in MDM.

    Citrix has also simplified the enrollment. Previously, iOS device users received two prompts during enrollment: a prompt for the root CA and a prompt for the MDM device certificate. Citrix installed the root CA for flexibility in using unsigned and signed certificates. Because all Citrix Cloud deployments use trusted certificates, the root CA is no longer needed.

    iOS device users receive only the MDM device certificate prompt during enrollment. That prompt is labeled “XenMobile Profile Service”.

    To support this change, Citrix changed the value of the server property, ios.mdm.enrollment.installRootCaIfRequired, to false. A Safari window opens during MDM enrollment to simplify the profile installation for users. For more information, see Enroll iOS devices and the following YouTube video:

    iOS enrollment video

  • Changes for new Endpoint Management customers:

    • Workspace experience deployment. You can create a separate delivery group, named Workspace, to begin to deploy the Workspace experience to new devices. By using the Workspace delivery group, you can deliver the Workspace experience to a small group without disrupting all users. See Integration with Citrix Workspace experience.

    • Preconfigured policies and apps for new customers as of Endpoint Management 19.5.0. If you onboard starting with Endpoint Management 19.5.0 or later, we preconfigure a few device policies and mobile productivity apps. That configuration enables you to immediately deploy basic functionality to device users. See Default device policies and mobile productivity apps.

  • Knox Platform for Enterprise device policy for Android Enterprise. You can now enter the KPE Premium and Standard license keys for Android Enterprise devices running Knox version 3.0 or later. For information, see Knox Platform for Enterprise device policy.

  • Public session device policy for Chrome OS. You can now configure Chrome OS devices to support guest sessions. For information on configuring this policy, see Public session device policy.

  • RBAC permission changes. The RBAC permission Add/Delete Local Users is now split into two permissions: Add Local Users and Delete Local Users.

Fixed issues in Endpoint Management 19.5.0

Enterprise apps don’t silently upgrade on supervised devices running iOS 11.4 or later. [CXM-66005]

When you edit a device policy, the following error message appears: “A configuration error occurred. Please try again”. [CXM-66370]

Endpoint Management 19.4.1

  • Through Workspace Environment Management (WEM) integration with Endpoint Management, you can manage all supported domain-joined Windows devices. This integration offers the following benefits and features:

    • With WEM alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two products:
      • WEM can access MDM features
      • You can manage a wider spectrum of Windows operating systems through Endpoint Management

    • That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.

    • MDM management isn’t a requirement for WEM integration. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.

    • For a list of the devices supported, see Operating System requirements.

    • Devices that receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.

    For more information, see Windows GPO Configuration device policy.

  • CDN delivery of enterprise apps is now the default for new multi-tenancy customers as of Endpoint Management 19.4.1. If you are a new customer in the Asia Pacific region, contact your Citrix support representative to enable CDN delivery. In all regions, existing customers who want to deliver enterprise apps using CDN must reupload existing apps after enabling the feature. See Deliver enterprise apps from the Citrix CDN.

  • Support for Web and SaaS apps and Web links for Android Enterprise. Endpoint Management now supports delivering links for Web or SaaS apps and Web links to Android Enterprise devices. Web and SaaS apps and Web links are added for Android Enterprise in the same way they are added for other platforms. See Add a Web or SaaS app and Add a Web link.

  • More restrictions for Chrome OS devices:

    • Display instructions on disabled devices. You can now add a custom message to display on disabled Chrome OS devices.

    • Allow users to install specific extensions, apps, and themes. Enter the list of URLs to permit downloading from those sources.

    For more information, see Chrome OS settings.

Fixed issues in Endpoint Management 19.4.1

On Android Enterprise devices, the following app types might not appear in Secure Hub: Public app store apps configured in the Google Play platform and enterprise apps configured in the Android platform. [CXM-63638]

Android Enterprise apps don’t appear for devices until they are unenrolled and enrolled again. Apps also appear if you update them in their delivery groups. [CXM-64670]

Automated actions might not deploy to Android Enterprise devices. [CXM-64950]

The name and owner of your Android Enterprise enterprise might not display correctly in the Google Play store administrator console. [CXM-65647]

Endpoint Management 19.3.1

Fixed issues in Endpoint Management 19.3.1

If you deployed a Store device policy for Windows 10 Desktop and Tablet devices before release 19.3.1: When a user clicks the Windows store link in the Start menu, a message appears: “500 Internal Server Error” or “HTTP Status 404 - Either you have reached an old URL or this device is not registered”. To resolve this issue, you must recreate and deploy your Store device policy. [CXM-61785]

If an Active Directory user group is assigned to an RBAC role permission, you can’t delete the LDAP configuration containing that user group. As a workaround, if you unassign the corresponding Active Directory group from RBAC, you can delete the domain. [CXM-62737]

Endpoint Management 19.3.0

  • Support for Samsung Knox on Android Enterprise policy unification. For Android Enterprise devices running Samsung Knox 3.0 or later and Android 8.0 or later: Knox and Android Enterprise are combined into a unified device and profile management solution. Configure Knox settings on the Android Enterprise page of the following device policies:

  • App inventory device policy for Android Enterprise. You can now collect an inventory of the Android Enterprise apps on managed devices. For more information, see App inventory device policy.

  • Files device policy for Android Enterprise. You can now add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.

  • Lock and reset the password for Android Enterprise. Endpoint Management now supports the Lock and Reset password security action for Android Enterprise devices enrolled in work profile mode running Android 8.0 and greater. See Security actions.

  • Azure Active Directory support in a kiosk on Windows 10 Desktop and Tablet devices. You can now add domain joined Azure AD devices in Kiosk mode. See Kiosk device policy.

  • For Endpoint Management customers with the workspace experience enabled: Citrix Endpoint Management supports federated authentication through the Workspace app on iOS and Android. This feature does not support Azure Active Directory. For information, see Change authentication to workspaces.

  • Public REST API change. The Endpoint Management Public API for REST Services now includes an API to edit platform details inside the container for MDX apps. See “Section 3.15.2.4 Update platform details inside the container for MDX apps” in the PDF, Public API for REST Services.

Fixed issues in Endpoint Management 19.3.0

Locking fully managed Android Enterprise devices remotely using the Lock with passcode security action might fail without notifying you of the failure. To ensure a device is locked, set Lock with passcode twice. The device locks with the second passcode you set. [CXM-61095]

If the enterprise is deleted from Managed Google Play and updated on the Endpoint Management server, Android Enterprise devices sometimes can’t enroll. [CXM-62769]

For Citrix Endpoint Management integration with Microsoft Endpoint Manager: Changes made to an Intune store app name or description don’t get saved. [CXM-62842]

After you edit an iOS Intune app, the app won’t install from the Microsoft Company Portal app. [CXM-62972]

If assigned permission as a Citrix Cloud custom administrator instead of a full administrator, you cannot click the Manage button to navigate resources. [CXM-63433]

Deprecation of TLS versions

To improve the security of the Citrix Endpoint Management service, Citrix now blocks any communication over Transport Layer Security (TLS) 1.0 and 1.1. Because of its weakening security, the PCI Council is deprecating TLS 1.0.

How this change impacts you

If you use mobile application management through an on-premises Citrix Gateway (NetScaler Gateway), you must update your load balancer service to enable TLS 1.2.

Older versions of the following connectors support TLS 1.0 only:

  • Endpoint Management connector for Exchange ActiveSync
  • Citrix Gateway connector for Exchange ActiveSync

Upgrade your connector as follows:

  • If you use the Endpoint Management connector for Exchange ActiveSync build 10.1.3 or lower, upgrade to build 10.1.4 or higher.

  • If you use the Citrix Gateway connector for Exchange ActiveSync build 8.5.0 or lower, upgrade to build 8.5.1.11 or higher.

What to do

If you use an on-premises Citrix Gateway (NetScaler Gateway), enable TLS 1.2 on your load balancer service. For information, see https://support.citrix.com/article/CTX247095.

To download either connector for Exchange ActiveSync:

1.  Go to https://www.citrix.com/downloads.
2.  Navigate to Citrix Endpoint Management (and Citrix XenMobile Server) > XenMobile Server (on-premises) > Product Software > XenMobile Server 10 > Server Components.
3.  Locate the connector tile and then click Download File.
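As an added example that is not Citrix’s code, the following POSIX shell script checks whether a load balancer or gateway endpoint matches the TLS policy described above (TLS 1.0 and 1.1 refused, TLS 1.2 accepted). It assumes the openssl command-line tool is installed; the host name passed to check_endpoint is a placeholder.

```shell
# Added example, not Citrix code: probe whether a TLS endpoint (for instance the
# load balancer in front of an on-premises Citrix Gateway) still accepts TLS 1.0
# or 1.1 and does accept TLS 1.2. Assumes the openssl CLI is on PATH; the host
# name given to check_endpoint is a placeholder you replace with your own.

# classify_handshake LABEL OUTPUT
# LABEL is the protocol name as openssl prints it in the SSL-Session block
# (TLSv1, TLSv1.1 or TLSv1.2); OUTPUT is captured "openssl s_client" output.
# Prints "accepted" when a handshake completed on that protocol, "rejected"
# when the server refused it, and "inconclusive" when the local OpenSSL build
# could not even offer the protocol (so the server was never actually tested).
classify_handshake() {
  label="$1"
  output="$2"
  # Escape the dots in the label so they match literally in the regex.
  pattern=$(printf '%s' "$label" | sed 's/\./\\./g')
  if printf '%s\n' "$output" | grep -q 'no protocols available'; then
    echo inconclusive
  elif printf '%s\n' "$output" | grep -q 'Cipher is (NONE)'; then
    # s_client reports a failed handshake as "New, (NONE), Cipher is (NONE)".
    echo rejected
  elif printf '%s\n' "$output" | grep -Eq "^ *Protocol *: *${pattern} *\$"; then
    # A completed handshake lists the negotiated protocol in the session block.
    echo accepted
  else
    echo rejected
  fi
}

# probe_version HOST PORT FLAG LABEL: run one handshake attempt restricted to a
# single protocol version (FLAG is -tls1, -tls1_1 or -tls1_2) and classify it.
probe_version() {
  host="$1"; port="$2"; flag="$3"; label="$4"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>&1 || true)
  classify_handshake "$label" "$out"
}

# tls_policy_verdict R10 R11 R12: combine the three per-version results.
# "ok" means TLS 1.0 and 1.1 are refused and TLS 1.2 is accepted, which is what
# the deprecation described above requires of your load balancer service.
tls_policy_verdict() {
  case "$1$2$3" in
    *inconclusive*) echo inconclusive ;;
    rejectedrejectedaccepted) echo ok ;;
    *) echo action-needed ;;
  esac
}

# check_endpoint HOST [PORT]: probe all three versions and print one summary line.
check_endpoint() {
  host="$1"; port="${2:-443}"
  r10=$(probe_version "$host" "$port" -tls1   TLSv1)
  r11=$(probe_version "$host" "$port" -tls1_1 TLSv1.1)
  r12=$(probe_version "$host" "$port" -tls1_2 TLSv1.2)
  printf 'host=%s TLS1.0=%s TLS1.1=%s TLS1.2=%s verdict=%s\n' "$host" \
    "$r10" "$r11" "$r12" "$(tls_policy_verdict "$r10" "$r11" "$r12")"
}

# Example invocation (placeholder host name):
#   check_endpoint gateway.example.com 443
```

An "inconclusive" result means your own OpenSSL build no longer offers TLS 1.0 or 1.1, so run the check from a host whose OpenSSL can still negotiate them.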

Endpoint Management 19.2.1

  • Run multiple apps in a kiosk on Chrome devices. You can now add multiple apps to the Kiosk policy for Chrome OS. You can optionally automatically start apps when the user starts the device. See the Kiosk device policy.

Fixed issues in Endpoint Management 19.2.1

After an Android Enterprise device is unenrolled and then re-enrolled, approved apps might not appear on devices enrolled in work profile mode. [CXM-59994]

When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to select Intune MAM/XenMobile. [CXM-31272]

Endpoint Management 19.2.0

  • Deliver enterprise apps from a content delivery network (CDN). When a user isn’t located near an Endpoint Management server, enterprise app delivery can take a while. For faster app downloads, you can instead have enterprise apps delivered from content delivery network (CDN) locations throughout the world. CDN support for enterprise apps is available for iOS apps (MDM or MAM enrollment) and Android apps (MDM or MAM enrollment). CDN support for enterprise apps isn’t available for Windows apps. To get started, see Deliver enterprise apps from the Citrix CDN.

  • DEP device enrollment change for Citrix Workspace. If Endpoint Management is integrated with Citrix Workspace, the Workspace App is included in the DEP deployment package as a required app. This feature requires that you configure your DEP account settings for iOS with required credentials set to off. Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Endpoint Management.

  • The server property ios.mdm.enrollment.installRootCaIfRequired is now set to false. Endpoint Management uses a publicly trusted certificate chain, thus it isn’t necessary to push a root CA to devices. As a result, iOS device users no longer receive a prompt to install a root CA during enrollment.

  • The network and Credentials policies now support Apple TV OS. In addition, you can now configure the AirPlay Security device policy to control which devices can connect to Apple TV devices. For more information, see the Network, Credentials, and Airplay Security device policy articles.

  • Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. See Location device policy.

  • Enhanced support for Alexa for Business. Endpoint Management now includes support for Alexa for Business conferencing, adding Alexa skills to your organizations, and editing skill groups. See Alexa for Business.

  • Automated actions for Windows Agent policy. Using the Windows Agent policy, you can automate actions to run on Windows desktops and tablets based on registry values. For more information, see the Windows Agent device policy and Automated Actions articles.

  • For Android Enterprise, the No Restrictions option for required characters in a passcode is now deprecated. Android Enterprise devices running Android 7 or higher no longer support a passcode created without character restrictions. If you previously set Required characters to No Restrictions, this update changes that value to Numbers only. This change doesn’t affect the current user sign-in experience. For more information, see Android Enterprise settings.

Fixed issues in Endpoint Management 19.2.0

When an app is deleted from the Intune library, and a user tries to delete it from the Citrix Cloud library, they can’t delete it. [CXM-61645]

After you upload a Google Play app in the Endpoint Manager console without adding an app icon image: If you later upload an image for the app, the image doesn’t appear in the apps list. [CXM-60965]

Endpoint Management 19.1.2

  • Files device policy now available for Android Enterprise. You can add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.

  • Configure time zone settings for Chrome OS devices. You can now select a time zone for the Chrome device and specify how to detect the time zone. For more information, see Restrictions device policy.

  • An RBAC administrator’s group permissions now restrict the user information shown on the Users and Enrollment Invitations pages. Previously, the Endpoint Management console included information for all local users and domain users on the Manage > Users and Manage > Enrollment Invitations pages.

    To specify which user groups an RBAC administrator has permission to view and manage, edit the administrator role and specify the user groups. For more information, see Configure roles with RBAC.

  • Launch third-party apps from the Workspace app. For customers with Citrix Workspace enabled: Before deploying new apps to users, you can add a comma-separated list of URLs to launch the apps from the Workspace app. For more information, see Add apps.

Fixed issues in Endpoint Management 19.1.2

You can’t upload Google Play services APK versions later than 11.5.09 in the Endpoint Management console. [CXM-59492]

Editing Windows Desktop and Tablet apps in Configure > Apps > Public App Store results in this message: “Application search failed”. Searching for those apps results in this message: “Error connecting to the windows desktop store url: Failed to retrieve public app details”. [CXM-61686]
