MDX Policies at a glance

The following tables list the MDX app policies for iOS and Android. The MDX Toolkit does not support Windows. The notes include restrictions and Citrix recommendations. To see which policies the Android for Work container supports, see the related section in Android for Work.

Note:

Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication        
Policy iOS Android Default Setting Notes
Device passcode X   Off  
App passcode X X On  
Online session required X X Off  
Online session required grace period X   0  
Maximum offline period X X 72 hours  
Alternate NetScaler Gateway X X Empty  
Device Security        
Policy iOS Android Default Setting Notes
Block jailbroken or rooted X X On  
Require device encryption   X Off  
Require device lock   X Off On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.
Require device PIN or passcode   X Off This policy is supported only on Android 4.1 (Jelly Bean). Setting the policy to On prevents an app from running on older versions.
Use secure connection (SSL)   X Off  
Network Requirements        
Policy iOS Android Default Setting Notes
Require Wi-Fi X X Off  
Miscellaneous Access        
Policy iOS Android Default Setting Notes
App update grace period (hours) X X 168 hours (7 days) Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.
Erase app data on lock X X Off  
Active poll period (minutes) X X 60 Only set this value lower than the default for high-risk apps, or performance may be affected
Disable required update X X Off  
Encryption        
Policy iOS Android Default Setting Notes
Encryption keys   X Offline access permitted  
File encryption version   X Current  
Private file encryption   X Security Group  
Private file encryption exclusions   X Empty  
Access limits for public files   X Empty Enabling the Public file encryption policy enforces this policy (changed from the Disable Option to the SecurityGroup or Application option). This policy applies only to existing, unencrypted public files and specifies when to encrypt the files.
Public file encryption   X Security Group  
Public file encryption exclusions   X Empty  
Public file migration   X Write (RO/RW) Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.
Minimum data protection class X   None iOS 9 only.
Enable encryption X   On If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Database encryption exclusions X   Empty  
File encryption exclusions X   Empty  
App Interaction        
Policy iOS Android Default Setting Notes
Security Group   X Empty If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Cut and copy X X Restricted  
Paste X X Unrestricted  
Document exchange (Open In) X X Restricted  
Connection security level X X TLS  
Inbound document exchange (Open In) X X Unrestricted (for Android and iOS); All (for Android for Work)  
Inbound document exchange whitelist X X Empty  
Restricted Open In exception list X X Empty (for Android); Office 365 apps (for iOS) On Android, this policy was previously named Open In exclusions. On iOS, this policy is hidden. For details, see MDX Policies for iOS Apps.
App URL schemese X   All registered URL schemes are blocked (outbound)  
Allowed URLs X   Emptyu list (all URLs are blocked except for ctxmobilebrowser (Secure Web) and citrixreceiver: +tel (outbound))  
Explicit log off notifications X   Off Shared device
App Restrictions        
Policy iOS Android Default Setting Notes
Block Camera X X See Notes Default value for iOS and Android is On. Only accepted value for Android for Work is On. Default value for Windows Phone is Off.
Block Photo Library X   On  
Block Gallery   X Default for Android is Off. Only accepted value for Android for Work is On.  
Block localhost Connection X X Off  
Block mic record X X On  
Block dictation X   On  
Block location services X X See Notes For Android: Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps. Only accepted value for Android for Work is On.
Block SMS compose X X On  
Block screen capture   X On  
Block device sensor   X On  
Block NFC   X On  
Block printing   X On  
Block iCloud X   On  
Block file backup X   On  
Block AirPrint X   On  
Block AirDrop X   On  
Block file attachments X   Off  
Block email as attachment X   Off  
Block Facebook and Twitter APIs X   On  
Obscure screen contents X   On  
Block third-party keyboards X   On  
Block app logs X X Off  
Mail compose redirection X   Secure Mail  
Block iOS Look Up X   On  
App Network Access        
Policy iOS Android Default Setting Notes
Network access X X See Notes Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail, Secure Notes, Citrix Files Phone, and Citrix Files Tablet is Unrestricted. Default value for other apps is Blocked.
Certificate label X X Empty  
Preferred VPN mode X X Secure Browse  
Permit VPN mode switching X X Off  
PAC file URL or proxy server X   Empty  
Block SMS compose X X On  
Block screen capture   X On  
Block device sensor   X On  
Block NFC   X On  
Block printing   X On  
Block iCloud X   On  
Block file backup X   On  
Block AirPrint X   On  
Block AirDrop X   On  
Block file attachments X   Off  
Block email as attachment X   Off  
Block Facebook and Twitter APIs X   On  
Obscure screen contents X   On  
Block third-party keyboards X   On  
Block app logs X X Off  
Mail compose redirection X   Secure Mail  
Block iOS Look Up X   On  
App Network Access        
Policy iOS Android Default Setting Notes
Network access X X See Notes Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail, Secure Notes, ShareFile Phone, and ShareFile Tablet is Unrestricted. Default value for other apps is Blocked.
Certificate label X X Empty  
Preferred VPN mode X X Secure Browse  
Permit VPN mode switching X X Off  
PAC file URL or proxy server X   Empty  
App Logs        
Policy iOS Android Default Setting Notes
Default log output X X File  
Default log level X X 4 (informational messages)  
Max log files X X 2  
Max log file size X X 2 MB  
Redirect app logs   X On  
Encrypt logs   X Off  
Whitelist Wi-Fi networks X X Blank Doesn’t affect cellular networks
App Geofence        
Policy iOS Android Default Setting Notes
Center point longitude X X 0  
Center point latitude X X 0  
Radius X X 0 Set the radius in meters
Secure Mail App Settings        
Policy iOS Android Default Setting Notes
Secure Mail Exchange Server X X Empty If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Secure Mail user domain X X Empty  
Background network services X X Empty If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
Background services ticket expiration X X 168 hours (7 days)  
Background network service gateway X X Empty If you configure this policy, set the network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. This policy takes effect when you configure the Network access policy.
Export contacts X X Off  
Contact fields to export X X All  
Accept all SSL certificates X X Off  
Control locked screen notifications X X Allow  
Default email notification X   Off  
Default sync interval X X 3 days The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. Secure Mail displays only the sync interval values that are less than the Maximum email age filter.
Max sync interval X X 1 month (iOS), All (Android)  
Allowed max sync period X X 1 month (iOS), All (Android)  
Enable week number X X Off  
Enable download attachments over Wi-Fi X X Off  
Information Rights Management X X Off  
Email classification X   See Notes See Email Security Classifications for the list of defaults.
Email classification markings X   Empty  
Email classification namespace X   Empty  
Email classification version X   Empty  
Default email classification X   UNOFFICIAL  
Enable auto-save of draft emails X X On  
Enable iOS data protection X   Off  
Google Analytics X X Complete  
Push notifications X   Off  
Push notifications region X   Americas  
Push notifications customer ID X   Empty  
S/MIME Certificate source X   Email  
Enable S/MIME during first Secure Mail startup X   Off  
Initial authentication mechanism X X Use MDX provided mail server address  
Initial authentication credentials X X User Principal Name  
Web/Audio Conference Type X X GoToMeeting and User Entered If you change this setting, users must sign off and sign on the apply the policy change.
S/MIME Public Certificate Source X X Exchange  
LDAP Server address X X Empty  
LDAP Base DN X X Empty  
Access LDAP anonymously X X Off  
Override native contacts check X   On If On, supports Active Directory user name and password only.
Allowed email domains X   Empty If empty, does not restrict domains.
Report Phishing Mechanism   X Report via Attachment  
Enable Slack X X    
Slack Workspace name X X    
Caller ID Support Enabled X   On If On, Secure Mail provides iOS with names and phone numbers of your saved contacts for caller identification.
Secure Notes App Settings        
Policy iOS Android Default Setting Notes
Secure Notes storage options X X Citrix Files and Exchange Server  
Secure Notes Exchange Server X X Empty  
Secure Notes user domain X X Empty  
Background network services X X Empty  
Background services ticket expiration X X 168 hours (7 days)  
Background network service gateway X X Empty  
Accept all SSL certificates X X Off  
Google Analytics X X Complete  
Information Rights Management   X Off  
Secure Tasks App Settings        
Policy iOS Android Default Setting Notes
Secure Tasks Exchange Server X   Empty  
Secure Tasks user domain X   Empty  
Background network services X X Empty  
Background services ticket expiration X X 168 hours (7 days)  
Background network service gateway X X Empty  
Accept all SSL certificates X X Off  
Google Analytics X X Complete  
Secure Web App Settings        
Policy iOS Android Default Setting Notes
Allowed or blocked websites X X Empty (all URLs are allowed)  
Preloaded bookmarks X X Empty  
Home page URL X X Empty (default start page)  
Browser user interface X X All controls visible  
Enable web password caching X X Off  
Google Analytics X X Complete  
Disable cookies   X Off  
Disable HTML5 local storage   X Off  
File protection X   Off  
ShareFile Secure Client App Settings        
Policy iOS Android Default Setting Notes
Enable Secure viewer X   On  
ShareConnect App Settings        
Policy iOS Android Default Setting Notes
Save password X X On For ShareConnect only.
Google Analytics X X Complete  

MDX Policies at a glance

In this article