Product Documentation

MDX Toolkit

Oct 16, 2017


Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version 10.6.20. Otherwise, users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and Android 8, see What's new in XenMobile Apps, the XenMobile Apps Known issues, and XenMobile supported device operating systems

Before upgrading to iOS 11, users must upgrade Secure Hub and XenMobile Apps to version 10.7. That upgrade sequence is required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.

The MDX Toolkit version 10.7.5 contains fixes. For details, see Fixed issues

What's new in the MDX Toolkit 10.7.1

The MDX Toolkit version 10.7.1 contains fixes. For details, see Fixed issues

What's new in the MDX Toolkit 10.7

The MDX Toolkit now supports wrapping apps for Android O (version 8) and iOS 11.

What's new in the MDX Toolkit 10.6.20

The MDX Toolkit 10.6.20 is an Android-only release of the enterprise toolkit. 

With the XenMobile Apps 10.6.20 release, MDX no longer enforces app upgrades on Android by default. You can modify a new policy, Disable Required Update, to enforce upgrades for Public App Store apps. MDX does not enforce the upgrade by default. This feature was available for iOS apps in the 10.6.10 release of MDX.

With the XenMobile Apps 10.6.15 release, MDX supports the exclusion of domains from tunneling. 

By default, some service endpoints that XenMobile SDKs and apps use for various features need to be excluded from micro VPN tunneling. You can override the list by setting a client property on the XenMobile Server. For details about configuring client properties in the XenMobile console, see Client properties. For details about overriding the service endpoint list, see TUNNEL_EXCLUDE_DOMAINSThe default list of domains that are excluded from tunneling by default are as follows.


With the XenMobile Apps 10.6.10 release, MDX no longer enforces app upgrades on iOS by default. You can modify a new policy, Disable Required Update, to enforce upgrades for Public App Store apps. MDX does not enforce the upgrade by default.

What's new in the MDX Toolkit 10.6

  • Block iOS Look Up. You can now block the Look Up feature on iOS. When you highlight a term, you can select Look Up and iOS will search for that term across apps. Use the Block Look Up policy to prevent an app from using this feature.
  • Xamarin support. The MDX Toolkit now supports apps developed in Xamarin. Xamarin is a cross-platform mobile app development environment. Xamarin provides an implementation of the .NET runtime for Android, iOS, and Windows Phone. A common C# codebase can be developed for all 3 platforms. Targeting a particular platform can be a simple build switch. There are numerous third-party frameworks available to Xamarin developers. These frameworks offer common interfaces to basic OS functionality, such as taking a picture, accessing the gallery, and making a phone call. The frameworks tested to be compatible with XenMobile are listed below. We recommend that you use these frameworks, since others are untested and might not work.
    • System.*
    • Xamarin.*
    • SQLite.*
    • Plugin.*
    • ModernHttpClient.*
    • Android.*
    • Java.*
    • XLabs.*

Note:  Secure Browse does not support the default HttpMessageHandler for System.Net.Http.HttpClient. The supported handlers are NativeMessageHandler and AndroidClientHandler.

  • OkHttp support. The MDX Toolkit now supports the OkHttp framework. Web requests created with this library will now work properly.

What's new in the MDX Toolkit 10.4.10

  • IPv6 connectivity improvements for iOS. This version of the MDX Toolkit resolves issues with AAAA DNS records, IPv4 mapped IPv6 addresses, IPv6 network detection, and IPv6 network switching.  
  • For additional fixed issues, see Fixed Issues.  

What's new in the MDX Toolkit 10.4.5

The MDX Toolkit version 10.4.5 contains fixes. For details, see Fixed issues

What's new in the MDX Toolkit 10.4

  • Japanese and Russian support. The MDX Toolkit is now available in Japanese and Russian.
  • New XenMobile Apps names. As of version 10.4, Worx Mobile Apps are named XenMobile Apps.  Individual apps also have new names. The changes are reflected in the user interfaces of all the apps, in addition to the MDX Toolkit and the XenMobile console. The new app names take effect automatically when you upgrade to version 10.4. For details, see About XenMobile Apps

What's new in the MDX Toolkit 10.3.10

  • Arabic support. The MDX Toolkit is now available in Arabic.
  • iOS 10/Android 7 support. The MDX Toolkit now supports both iOS 10 and Android 7.

What's new in the MDX Toolkit 10.3.9

  • Arm64 Support for iOS Enterprise Apps. You can now wrap 64-bit application binaries in addition to 32-bit application binaries for iOS. This is not the case for Android applications. In addition, the MDX Toolkit verifies the binary after it's modified to ensure that it is a valid ELF MachO binary.
  • Block localhost Connections (Android only). The Block localhost Connections policy allows you to stop connections to the loopback address (

What's new in the MDX Toolkit 10.3.5

  • Secure Hub policy retrieval sign-on behavior. When you set the Maximum offline period MDX policy, with this release of the MDX Toolkit, if Secure Hub for iOS has a valid NetScaler Gateway token, the app retrieves new policies for MDX apps from XenMobile without any interruption to users. If Secure Hub does not have a valid NetScaler token, users must authenticate through Secure Hub in order for app policies to update. The NetScaler token may become invalid due to a NetScaler Gateway session inactivity or a forced session time-out policy. When users sign on to Secure Hub again, they can continue running the app.
  • Secure signoff (iOS). When users sign off from Secure Hub, the container automatically locks so that all XenMobile and MDX apps stay secure. To access the apps again, users have to enter their Citrix PINs. 
  • Remove iOS app extensions. You can remove iOS extensions from the app during the enterprise app wrapping process by selecting the Strip extensions (Today, Watch, and so on) from iOS application check box on the Verify App Details screen. Note that iOS apps with Apple Watch extensions are not supported when wrapping apps.
  • Reverse split tunnel exclusion list. If you don't want certain websites to tunnel through NetScaler Gateway, you can add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that connect by using the LAN instead. This list applies only to Secure Browse mode when NetScaler Gateway is configured in Split tunnel reverse mode. Default value is empty.
  • Inactivity timer behavior. When the inactivity timer is set to 0, inactivity offline authentication is disabled for MDX apps.
  • Mail compose redirection (iOS). You have three choices for how users are allowed to compose mail from an enterprise app:  

    Secure Mail: If installed on the device, Secure Mail automatically opens. If not, native mail does not open. Instead, users get a message instructing them to install Secure Mail.
    Native email: The device's native mail program opens.
    Blocked: Both Secure Mail and native mail are blocked.

    Default is Secure Mail. This policy replaces the Block email compose policy, which is deprecated.

What's new in the MDX Toolkit 10.3

  • Shared devices. If you're deploying XenMobile 10.3, you can configure devices so that multiple users can share them. Only Secure Mail and Secure Web are supported. For more information, see Shared devices in XenMobile.
  • Self-destruct app lock and wipe client property. This global security policy applies to Android platforms and is an enhancement of the existing app lock and wipe policies. Self-destruct prevents access to Secure Hub and managed apps, after a specified number of days of inactivity. After the time limit, apps are no longer usable, and the user device is unenrolled from the XenMobile Server. Wiping the data includes clearing the app data for each installed app, including the app cache and user data. The inactivity time is when the server does not receive an authentication request to validate the user over a specific length of time. For example, if you set the policy to 30 days and the user does not use an app for more than 30 days, the policy takes effect.
  • Android PAC file support. When you add MDX-wrapped Secure Web to XenMobile, you can specify the Proxy Auto-Configuration (PAC) file URL or proxy server to use when fetching a URL. This functionality is supported in full tunnel mode only; you cannot use Secure Browse when you specify a PAC. When you configure this setting, also ensure that the Permit VPN mode switching policy remains as the default value Off.
  • Single sign-on (SSO) support in user entropy environments. If users have not used an MDX app on the device for a certain period, as defined by the inactivity timer, users are prompted to sign on. They can use either their Citrix PIN or Touch ID, if you have enabled Touch ID authentication. This feature is now available in environments that have user entropy turned on, in addition to environments that have user entropy turned off. This capability is available for iOS apps only.
  • Developing ISV apps for iOS with the XenMobile Framework. MDX Toolkit 10.3 has changed the process that ISV developers need to follow when preparing an app for distribution, after they have built the app using Xcode. Instead of using the graphical MDX tool or the wrap command at the command-line, with MDX Toolkit 10.3, developers can sign, deploy, and debug their app within the Xcode Integrated Development Environment (IDE). Developers now need to run the SDKPrep command of the MDX command-line tool as part of the Xcode build process, eliminating the need to wrap the app outside of Xcode. For details on the step-by-step procedures for ISV wrapping in the MDX Toolkit tool and command-line interface, see Developing iOS AppsNote: Enterprise apps that you build with the XenMobile Framework in Xcode and then wrap by using the enterprise mode of the MDX Toolkit are still supported.
  • App geofence. This feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam, but if the person travels to Belgium, the app locks and users cannot interact with the app. When the user returns to Amsterdam, the app unlocks and is available for normal use. There are three settings to enable geofencing:
    • GPS longitude and latitude also called a point.
    • The radius that defines the area in which apps can operate, such as in the Netherlands. If you set the radius to 0, the app does not support geofencing.

If the app supports geofencing and you disable location services, a message appears in which users can either quit the app or can click Settings that goes to the Settings screen on the Android device. If users enable locations services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point (as specified in the policy) is greater than the specified radius, the user is blocked from using the app. When this occurs, users receive an option to quit the app. The user must be within the fence to continue using the app.

If the distance between the current location and then the center point is less than the specified radius, the user can continue to use the app.

The app checks the network provider (Wi-Fi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which is also called high accuracy mode and helps in obtaining the location faster.

There is a two-minute time-out to allow for longer times in checking the location:

Center point longitude. Enter the longitude point to specify the area in which the app is allowed to work.

Center point latitude. Enter the latitude point to specify the area in which the app is allowed to work.

Radius. Enter the radius from the center point in which the app is allowed to work. If set to 0, geofencing is not allowed.

Note: To get an accurate location from the device, and to avoid users trying to circumvent geofence by disabling Wi-Fi or the GPS, Citrix recommends setting the policy Online session required to On.

New MDX policies for Secure Mail. For a list of new Secure Mail policies available in the MDX Toolkit, see About XenMobile Apps. The policies for Windows Phone have not changed since the earlier release. For the complete list of app policies, see the articles in this section, MDX Policies at a Glance.