What’s new history
We move sections about older Endpoint Management releases from What’s new to this article.
Endpoint Management 19.3.0
Support for Samsung Knox on Android Enterprise policy unification. For Android Enterprise devices running Samsung Knox 3.0 or later and Android 8.0 or later: Knox and Android Enterprise are combined into a unified device and profile management solution. Configure Knox settings on the Android Enterprise page of the following device policies:
OS Update device policy. Control Samsung Enterprise FOTA updates. See OS Update device policy.
Passcode device policy. See Passcode device policy.
Restrictions device policy. See Restrictions device policy.
Samsung MDM license key device policy. Configure the Knox license key. See Samsung MDM license key device policy.
App inventory device policy for Android Enterprise. You can now collect an inventory of the Android Enterprise apps on managed devices. For more information, see App inventory device policy.
Files device policy for Android Enterprise. You can now add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.
Lock and reset password for Android Enterprise. Endpoint Management now supports the Lock and Reset password security action for Android Enterprise devices enrolled in work profile mode running Android 8.0 and greater. See Security actions.
Azure Active Directory support in a kiosk on Windows 10 Desktop and Tablet devices. You can now add domain-joined Azure AD devices in Kiosk mode. See Kiosk device policy.
For Endpoint Management customers with the workspace experience enabled: Citrix Endpoint Management supports federated authentication through the Workspace app on iOS and Android. This feature does not support Azure Active Directory. For information, see Change authentication to workspaces.
Public REST API change. The Endpoint Management Public API for REST Services now includes an API to edit platform details inside the container for MDX apps. See “Section 188.8.131.52 Update platform details inside the container for MDX apps” in the PDF, Public API for REST Services.
Fixed issues in Endpoint Management 19.3.0
If the enterprise is deleted from Managed Google Play and updated on the Endpoint Management server, Android Enterprise devices sometimes can’t enroll. [CXM-62769]
For Citrix Endpoint Management integration with Microsoft Intune/EMS: Changes made to an Intune store app name or description don’t get saved. [CXM-62842]
After you edit an iOS Intune app, the app won’t install from the Microsoft Company Portal app. [CXM-62972]
If assigned permission as a Citrix Cloud custom administrator instead of a full administrator, you cannot click the Manage button to navigate resources. [CXM-63433]
Deprecation of TLS versions
To improve the security of the Citrix Endpoint Management service, Citrix now blocks any communication over Transport Layer Security (TLS) 1.0 and 1.1. Because the security of TLS 1.0 is weakening, the PCI Council is deprecating it.
How this change impacts you
If you use mobile application management through an on-premises Citrix Gateway (NetScaler Gateway), you must update your load balancer service to enable TLS 1.2.
Older versions of the following connectors support TLS 1.0 only:
- Endpoint Management connector for Exchange ActiveSync
- Citrix Gateway connector for Exchange ActiveSync
Upgrade your connector as follows:
If you use Endpoint Management connector for Exchange ActiveSync build 10.1.3 or lower, upgrade to build 10.1.4 or higher.
If you use Citrix Gateway connector for Exchange ActiveSync build 8.5.0 or lower, upgrade to build 184.108.40.206 or higher.
What to do
If you use an on-premises Citrix Gateway (NetScaler Gateway), enable TLS 1.2 on your load balancer service. For information, see https://support.citrix.com/article/CTX247095.
To download either connector for Exchange ActiveSync, go to the Server Components section under Endpoint Management Server on Citrix.com.
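To confirm the result after enabling TLS 1.2 on the gateway, the following added example (not Citrix code) probes an endpoint with one protocol version at a time and reports whether TLS 1.2 is accepted, and which of TLS 1.0 and 1.1 the endpoint still accepts. The function names are illustrative, and the host name is passed on the command line.

```python
import socket
import ssl

# Protocol versions named in the deprecation notice.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol is probed, so certificate checks are off for this test.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Many OpenSSL builds will not offer 1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected' or 'unreachable' for one version."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with pinned_context(version).wrap_socket(sock, server_hostname=host):
                return "accepted"
        except (ssl.SSLError, OSError, ValueError):
            return "rejected"

def summarize(results):
    """(TLS 1.2 accepted?, legacy versions still accepted) from probe results."""
    legacy = [v for v in ("TLS 1.0", "TLS 1.1") if results[v] == "accepted"]
    return results["TLS 1.2"] == "accepted", legacy

def check(host, port=443):
    """Probe all three versions and summarize them."""
    results = {name: probe(host, port, v) for name, v in VERSIONS.items()}
    return results, summarize(results)

if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))  # pass the gateway host name as the argument
```

A "rejected" result for TLS 1.0 or 1.1 can also mean that the local OpenSSL build cannot offer that version, so run the check from a client that still supports the legacy protocols.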
Endpoint Management 19.2.1
- Run multiple apps in a kiosk on Chrome devices. You can now add multiple apps to the Kiosk policy for Chrome OS. You can optionally automatically start apps when the user starts the device. See the Kiosk device policy.
Fixed issues in Endpoint Management 19.2.1
After an Android Enterprise device is unenrolled and then re-enrolled, approved apps might not appear on devices enrolled in work profile mode. [CXM-59994]
When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to select Intune MAM/XenMobile. [CXM-31272]
Endpoint Management 19.2.0
Deliver enterprise apps from a content delivery network (CDN). When a user isn’t located near an Endpoint Management server, enterprise app delivery can take a while. For significantly faster app downloads, you can instead have enterprise apps delivered from content delivery network (CDN) locations throughout the world. CDN support for enterprise apps is available for iOS apps (MDM or MAM enrollment) and Android apps (MDM or MAM enrollment). CDN support for enterprise apps isn’t available for Windows apps. To get started, see Deliver Enterprise apps from a CDN.
DEP device enrollment change for Citrix Workspace. If Endpoint Management is integrated with Citrix Workspace, the Workspace App is included in the DEP deployment package as a required app. This feature requires that you configure your DEP account settings for iOS with required credentials set to off. Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Endpoint Management.
The server property ios.mdm.enrollment.installRootCaIfRequired is now set to false. Endpoint Management uses a publicly trusted certificate chain, thus it isn’t necessary to push a root CA to devices. As a result, iOS device users no longer receive a prompt to install a root CA during enrollment.
The WiFi and Credentials policies now support Apple TV OS. In addition, you can now configure the Airplay Security device policy to control which devices can connect to Apple TV devices. For more information, see the WiFi, Credentials and Airplay Security device policy articles.
Location device policy now available for Android Enterprise. You can define location settings for Android Enterprise devices that are managed or running in managed profile mode. See Location device policy.
Enhanced support for Alexa for Business. Endpoint Management now includes support for Alexa for Business conferencing, adding Alexa skills to your organizations, and editing skill groups. See Alexa for Business.
Automated actions for Windows Agent policy. Using the Windows Agent policy, you can automate actions to run on Windows desktops and tablets based on registry values. For more information, see the Windows Agent device policy and Automated Actions articles.
For Android Enterprise, the No Restrictions option for required characters in a passcode is now deprecated. Android Enterprise devices running Android 7 or higher no longer support a passcode created without character restrictions. If you previously set Required characters to No Restrictions, this update changes that value to Numbers only. This change doesn’t affect the current user sign-in experience. For more information, see Android Enterprise settings.
Fixed issues in Endpoint Management 19.2.0
When an app is deleted from the Intune library, and a user tries to delete it from the Citrix Cloud library, they can’t delete it. [CXM-61645]
After you upload a Google Play app in the Endpoint Manager console without adding an app icon image: If you later upload an image for the app, the image doesn’t appear in the apps list. [CXM-60965]
Endpoint Management 19.1.2
Files device policy now available for Android Enterprise. You can add script files to Endpoint Management to perform functions on Android Enterprise devices. See Files device policy.
Configure time zone settings for Chrome OS devices. You can now select a time zone for the Chrome device and specify how to detect the time zone. For more information, see Restrictions device policy.
The user information shown on the Users and Enrollment Invitations pages is now restricted by an RBAC administrator’s group permissions. Previously, the Endpoint Management console included information for all local users and domain users on the Manage > Users and Manage > Enrollment Invitations pages.
To specify which user groups an RBAC administrator has permission to view and manage, edit the administrator role and specify the user groups. For more information, see Configure roles with RBAC.
Launch third-party apps from the Workspace app. For customers with Citrix Workspace enabled: Before deploying new apps to users, you can add a comma-separated list of URLs to launch the apps from the Workspace app. For more information, see Add apps.
Fixed issues in Endpoint Management 19.1.2
You can’t upload Google Play services APK versions later than 11.5.09 in the Endpoint Management console. [CXM-59492]
Editing Windows Desktop and Tablet apps in Configure > Apps > Public App Store results in this message: “Application search failed”. Searching for those apps results in this message: “Error connecting to the windows desktop store url: Failed to retrieve public app details”. [CXM-61686]