Secure Mail integration with Microsoft Intune/EMS

With this integration, you can manage and deliver Citrix Secure Mail with more security and the means to enhance productivity.

Secure Mail now supports various Intune configurations. You can connect Secure Mail to on-premises Exchange or Office 365 mailboxes. To set up Endpoint Management integration with EMS/Intune, see Citrix Endpoint Management integration with Microsoft Intune/EMS

Secure Mail supports the following deployment modes:

  • Intune MAM
  • Intune MAM and Intune mobile device management (MDM)
  • Intune MAM with Endpoint Management MDM-only
  • Intune MAM with Endpoint Management MDM and MAM

Supported mail servers

  • Exchange Online
  • Exchange Server 2016
  • Exchange Server 2013


Secure Mail does not support certificate-based authentication.


To use Secure Mail in MDM mode along with Citrix Endpoint Management (MDM and MAM) you must configure Secure Hub in your environment.

To configure Secure Mail for Intune

If your environment is configured in the Citrix Endpoint Management MDM mode, Secure Mail automatically populates user names in an FTU experience. To enable this feature, you must configure the following custom policies first:

  1. From your Endpoint Management console, go to Settings > Server Properties and then click Add.

  2. In the list, click Custom Key and then in the Key field, type**.

  3. Set the value to true ** and then in Display name, type Click Save.

  4. Click Client Properties and then click Add.

  5. Select Custom Key and then type SEND_LDAP_ATTRIBUTES in the Key field.

  6. Type userPrincipalName=${user.userprincipalname},email=${user.mail},displayname=${user.displayname},sAMAccountName=${user.samaccountname},aadupn=${user.id_token.upn},aadtid=${user.id_token.tid} in the Value field, enter a description and then click Save.

    The following steps only apply for iOS devices:

  7. Go to Configure > Device Policies, click Add, and then select the App Configuration policy.

  8. Enter a policy name and then click Next. In the Identifier list, click Add new. In the text box that appears, enter the bundle ID for your Secure Mail app.

  9. In the Dictionary content box, type the following text:

  10. Clear the Windows Phone and Windows Desktop/Tablet check boxes and then click Next.

  11. Select the user groups to which you want the policy deployed and then click Save.

Features that are incompatible with Intune

The following table lists the Secure Mail features that are not compatible with Microsoft Intune/EMS:

  • Secure Ticket Authority (STA)
  • Email enrollment with single sign-on (SSO)
  • Rich push notifications
  • Citrix Files (Formerly ShareFile)
  • S/MIME signing and encryption
  • Microsoft Information Rights Management
  • Secure Browse + Non KCD SSO Internal Exchange server

Secure Mail integration with Microsoft Intune/EMS