Product Documentation

XenMobile MDX Policies for Android Apps

This article describes the MDX policies for Android apps. You can change policy settings directly in the policy XML files or in the XenMobile console when you add an app.

Authentication

App passcode

If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Note:

If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Online session required

If On, the user must have a connection to the enterprise network and an active session. If Off, an active session is not required. Default value is Off.

Maximum offline period (hours)

Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from XenMobile. Default value is 72 hours (3 days). Minimum period is one hour.

Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on.

Alternate NetScaler Gateway

Address of a specific alternate NetScaler Gateway that is used for authentication and for micro VPN sessions with this app. This policy is optional. When it is used together with the Online session required policy, apps must reauthenticate to the specified gateway. Such gateways typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the default gateway of the server is always used. Default value is empty.

Device Security

Block jailbroken or rooted

If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Require device encryption

If On, the app is locked if the device does not have encryption configured. If Off, the app is allowed to run even if the device does not have encryption configured. Default value is Off.

Important:

This policy requires a minimum version of Android 3.0 (Honeycomb). Setting the policy to On prevents an app from running on older versions.

Require device lock

If Device PIN or passcode, the app is locked if the device does not have a PIN or passcode. If Device pattern screen lock, the app is locked if the device does not have a pattern screen lock set. If Off, the app is allowed to run even if the device does not have a PIN, passcode, or pattern screen lock set. Default value is Off.

Important:

Device PIN or passcode requires a minimum version of Android 4.1 (Jellybean). Setting the policy to Device PIN or passcode prevents an app from running on older versions. On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.

Network Requirements

Require Wi-Fi

If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Miscellaneous Access

App update grace period (hours)

Defines the grace period in which an app can be used after the system discovers that an app update is available. Default value is 168 hours (7 days).

Note:

Citrix does not recommend using a value of zero. Doing so immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This setting can force the user to exit the app (potentially losing work) to comply with the required update.

Erase app data on lock

If On, erases app data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • App subscription removed
  • Account removed
  • Secure Hub uninstalled
  • Too many app authentication failures
  • Jailbroken device detected (per policy setting)
  • Device placed in locked state by other administrative action

Active poll period (minutes)

When an app starts, the MDX framework polls XenMobile to determine current app and device status. Assuming the server running XenMobile can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes.

Important:

Set this value lower only for high-risk apps; a shorter poll period increases the load on the XenMobile server and can affect performance.

Disable required update

When this policy is enabled, MDX does not enforce the upgrade of Public App Store apps. Enabling the policy will mean that users can use older versions of Public App Store apps. The default is On.

Encryption

Encryption keys

Enables secrets used to derive encryption keys to be persisted on the device. Offline access permitted is the only available option. Citrix recommends that you set the Authentication policy to enable a network log on or an offline password challenge to protect access to the encrypted content.

File encryption version

Specifies the encryption version for public and private file encryption. Citrix recommends Current for maximum security, especially for a new app deployment. If you select Current, users must reinstall any apps that include a previous encryption version, such as Legacy, or they may lose data.

Default value is Current.

Private file encryption

Controls the encryption of private data files in the following locations: /data/data/<appname> and /mnt/sdcard/Android/data/<appname>. If Disabled, private files are not encrypted. If Security Group, private files are encrypted using a key shared by all MDX apps in the same security group. If Application, private files are encrypted using a key unique to this app. Default value is Security Group.

Private file encryption exclusions

Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are not encrypted. The file paths are relative to the internal and external sandboxes. Default value is empty.

The exclusions only apply to the following folders:

  • Internal Storage:

    /data/data/

  • SD Card:

    /storage/emulated/<SD Card Slot>/Android/data/

    /storage/emulated/legacy/Android/data/

Examples:

File to exclude                                                            Value in Private file encryption exclusions
/data/data/com.citrix.mail/files/a.txt                                     ^files/a.txt
All text files in /storage/emulated/0/Android/data/com.citrix.mail/files   ^files/(.)+.txt$
All files in /data/data/com.citrix.mail/files                              ^files/

Access limits for public files

Limits access to specific files: No Access, Read Only, or Read Write.

Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). The list is processed in order and the first matching path is used to set the access limit. Default value is empty.

This policy is enforced only when Public file encryption is enabled (set to SecurityGroup or Application rather than Disabled). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted.

Files to limit                                                   Value in Access limits for public files
Downloads folder on external storage, read only                  EXT:^Download/(RO)
All MP3 files in the Music folder on virtual storage, no access  VS:^Music/(.)+.mp3$(NA)

Public file encryption

Controls the encryption of public files. If Disabled, public files are not encrypted. If SecurityGroup, encrypts public files by using a key shared by all MDX apps in the same security group. If Application, encrypts public files by using a key unique to this app.

Default value is SecurityGroup.

Public file encryption exclusions

Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are not encrypted. The file paths are relative to the default external storage and to any device-specific external storage.

Public file encryption exclusions include external folder locations only.

Examples:

File to exclude                  Value in Public file encryption exclusions
Downloads folder on SD card      Download
All MP3 files in Music folder    ^Music/(.)+.mp3$
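The three list-valued policies above (Private file encryption exclusions, Access limits for public files and Public file encryption exclusions) share one format: comma-separated entries, each a regular expression over a sandbox-relative path, processed in order. The following Python is an added example, not Citrix code, that models that matching so you can check a list before deploying it. It assumes unanchored search semantics (which is why the documented examples start with ^), that EXT: and VS: are storage-area prefixes, that a path matching no access-limit entry keeps read-write access, and that the list is split on every comma. The sample lists and paths are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lists (not from the product) in the comma-separated form
# the policies use. Paths are relative to the sandbox roots the policy text
# names, for example /data/data/com.citrix.mail/ or
# /storage/emulated/0/Android/data/com.citrix.mail/.
PRIVATE_EXCLUSIONS = "^files/a.txt,^cache/(.)+.tmp$"
PUBLIC_EXCLUSIONS = "Download,^Music/(.)+.mp3$"
ACCESS_LIMITS = "EXT:^Download/(RO),VS:^Music/(.)+.mp3$(NA),EXT:^Download/secret/(NA)"

# Entry grammar for Access limits for public files: optional storage prefix,
# a regular expression, then exactly one of (NA), (RO), (RW) at the end.
_LIMIT_RE = re.compile(r"^(?:(EXT|VS):)?(.*)\((NA|RO|RW)\)$")


def parse_list(value: str) -> List[str]:
    """Split a comma-separated policy value into entries.
    Assumption: the product splits on every comma, so a regular expression
    that needs a literal comma cannot be written in this format."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_excluded(rel_path: str, exclusions: str) -> Optional[str]:
    """Return the first exclusion pattern matching rel_path, else None.
    Assumption: unanchored search semantics, which is why the documented
    examples carry an explicit ^ anchor."""
    for pattern in parse_list(exclusions):
        if re.search(pattern, rel_path):
            return pattern
    return None


def parse_limit(entry: str) -> Tuple[Optional[str], str, str]:
    """Split 'EXT:^Download/(RO)' into (storage, pattern, limit).
    Assumption: EXT and VS are storage-area prefixes (external and virtual
    storage in the documented examples); no prefix means either area."""
    m = _LIMIT_RE.match(entry)
    if not m:
        raise ValueError(f"malformed access-limit entry: {entry!r}")
    storage, pattern, limit = m.groups()
    return storage, pattern, limit


def access_limit(rel_path: str, limits: str, storage: str = "EXT") -> str:
    """First matching entry wins, as the policy text states.
    Assumption: a path that matches no entry keeps read-write access."""
    for entry in parse_list(limits):
        area, pattern, limit = parse_limit(entry)
        if area is not None and area != storage:
            continue
        if re.search(pattern, rel_path):
            return limit
    return "RW"


if __name__ == "__main__":
    for p in ("files/a.txt", "files/aXtxt", "files/b.txt"):
        print(p, "->", is_excluded(p, PRIVATE_EXCLUSIONS))
    for p in ("Download/report.pdf", "Pictures/Download/x.jpg", "Music/song.mp3"):
        print(p, "->", is_excluded(p, PUBLIC_EXCLUSIONS))
    for p in ("Download/report.pdf", "Download/secret/key.pem"):
        print(p, "->", access_limit(p, ACCESS_LIMITS))
```

Three things the run makes visible. An entry without a ^ anchor, such as Download, also excludes Pictures/Download/x.jpg from encryption. An unescaped dot in ^files/a.txt matches files/aXtxt as well as files/a.txt. And because the first match wins, the more specific EXT:^Download/secret/(NA) entry placed after EXT:^Download/(RO) never fires, so the key file stays readable; order specific entries before broad ones.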

Public file migration

This policy is enforced only when you enable the Public file encryption policy (changed from Disabled to SecurityGroup or Application). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted. Default value is Write (RO/RW).

Options:

  • Disabled. Does not encrypt existing files.
  • Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.

Caution:

New files, and existing unencrypted files that are overwritten, are encrypted in every case regardless of this setting. Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

App Interaction

Security Group

Leave this field blank if you want all mobile apps managed by XenMobile to exchange information with one another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or Human Resources).

Caution:

If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Cut and Copy

Blocks, permits, or restricts Clipboard cut and copy operations for the app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.

Options: Unrestricted, Blocked, or Restricted

Paste

Blocks, permits, or restricts Clipboard paste operations for the app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.

Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)

Blocks, permits, or restricts document exchange operations for the app. If Restricted, documents can be exchanged only with other MDX apps and the app exceptions specified in the Restricted Open-In exception list policy. If Unrestricted, you must set the Private file encryption and Public file encryption policies to Disabled so users can open documents in unwrapped apps.

When a policy blocks the camera, audio, clipboard, or printing, the app records when the block notice was last shown and informs users of the option's status with a message such as Camera: disabled.

When set to Restricted, apps listed in the Restricted Open-In exception list policy can receive files that have been encrypted in MDX apps. When receiving files, the content of those files is decrypted to local storage and is deleted from local storage when the file is closed. For example, adding {package=com.microsoft.office.word} to the Restricted Open-In exception list enables the Word application to receive decrypted files from an MDX application.

Default value is Restricted.

Options: Unrestricted, Blocked, or Restricted

Restricted Open-In exception list

When the Document exchange (Open In) policy is Restricted, this list of Android intents is allowed to pass to unmanaged apps. You need a familiarity with Android intents to add filters to the list. A filter can specify action, package, scheme, or any combination.

Examples

{action=android.intent.action.MAIN}
{package=com.sharefile.mobile}
{action=android.intent.action.DIAL scheme=tel}

Caution

Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the Secure environment.
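A filter in this list is a set of key=value terms, and the policy text does not say how a filter with several terms is evaluated. The Python below is an added example, not Citrix's implementation: it assumes that every term in a filter must match (AND), that an omitted term is a wildcard, that the scheme is taken from the intent's data URI, and that keys other than action, package and scheme are rejected. The intents it evaluates are constructed. It is useful for reviewing an exception list before deployment, because it shows exactly which outbound intents can leave the managed environment.

```python
import re
from typing import Dict, List, Optional

# Constructed exception list using the three filters shown in the policy text.
EXCEPTION_LIST = """
{action=android.intent.action.MAIN}
{package=com.sharefile.mobile}
{action=android.intent.action.DIAL scheme=tel}
"""

_FILTER_RE = re.compile(r"\{([^}]*)\}")
ALLOWED_KEYS = ("action", "package", "scheme")  # the keys the policy text lists


def parse_filters(text: str) -> List[Dict[str, str]]:
    """Parse every {key=value key=value} entry into a dict.
    Assumption: terms are separated by whitespace; unknown keys, missing
    values and empty filters are configuration errors and are rejected."""
    filters: List[Dict[str, str]] = []
    for body in _FILTER_RE.findall(text):
        entry: Dict[str, str] = {}
        for token in body.split():
            key, sep, value = token.partition("=")
            if not sep or key not in ALLOWED_KEYS or not value:
                raise ValueError(f"bad filter term {token!r} in {{{body}}}")
            entry[key] = value
        if not entry:
            raise ValueError("empty filter {}")
        filters.append(entry)
    return filters


def intent_scheme(data_uri: Optional[str]) -> Optional[str]:
    """Scheme of the intent's data URI, e.g. 'tel' for tel:+15551234567."""
    if not data_uri or ":" not in data_uri:
        return None
    return data_uri.split(":", 1)[0]


def matching_filter(intent: Dict[str, Optional[str]],
                    filters: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the first filter whose every specified term matches the intent.
    Assumption: terms within one filter are ANDed; an omitted term matches
    anything, so {action=...} alone ignores the target package entirely."""
    fields = {
        "action": intent.get("action"),
        "package": intent.get("package"),
        "scheme": intent_scheme(intent.get("data")),
    }
    for f in filters:
        if all(fields.get(k) == v for k, v in f.items()):
            return f
    return None


def may_leave_sandbox(intent: Dict[str, Optional[str]],
                      filters: List[Dict[str, str]]) -> bool:
    """Under Document exchange (Open In) = Restricted, an intent may reach an
    unmanaged app only when an exception filter matches it."""
    return matching_filter(intent, filters) is not None


if __name__ == "__main__":
    flt = parse_filters(EXCEPTION_LIST)
    for i in (
        {"action": "android.intent.action.DIAL", "data": "tel:+15551234567"},
        {"action": "android.intent.action.DIAL", "data": "sms:+15551234567"},
        {"action": "android.intent.action.SEND", "package": "com.example.unmanaged"},
        {"action": "android.intent.action.MAIN", "package": "com.example.unmanaged"},
    ):
        print(i, "->", matching_filter(i, flt))
```

Under these assumptions the DIAL filter lets a tel: intent out but not an sms: intent with the same action, and the package filter lets any intent reach com.sharefile.mobile. The first filter is the one to watch: {action=android.intent.action.MAIN} names no package, so it matches a MAIN intent addressed to any unmanaged app, which is the kind of broad exception the Caution above warns about.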

Inbound document exchange (Open In)

Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.

If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app. For information about other policy interactions, see the Block Gallery policy.

Options: Unrestricted, Blocked, or Restricted

Inbound document exchange whitelist

When the Inbound document exchange policy is set to Restricted or Blocked, this comma-delimited list of app IDs, including non-MDX apps, is allowed to send documents to the app. This policy is hidden and cannot be edited.

Connection security level

Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections also accept SSL 3.0. Default value is TLS. SSL 3.0 is obsolete and vulnerable to the POODLE padding-oracle attack, and RFC 7568 prohibits its use; select SSLv3 and TLS only for a legacy server that cannot negotiate TLS, and retire that server rather than leave the setting in place.

App Restrictions

Important:

Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera

If On, prevents an app from directly using the camera hardware. Default value is On.

Block Gallery

If On, prevents an app from accessing the Gallery on the device. Default value is Off. This policy works along with the Inbound document exchange (Open In) policy.

  • If Inbound document exchange (Open In) is set to Restricted, users working in the managed app cannot attach images from the Gallery, regardless of the Block Gallery setting.
  • If Inbound document exchange (Open In) is set to Unrestricted, users working in the managed app experience the following:
    • If Block Gallery is set to OFF, users can attach images.
    • If Block Gallery is set to ON, users are blocked from attaching images.
    • If Block Gallery is ON and an app creates an intent, such as the Android OPEN_DOCUMENT action, intent types are handled as follows:
      • image/*: MDX blocks the intent.
      • */*: The document picker opens, but MDX prevents the user from selecting images or videos.

Block localhost Connections

If On, prevents an app from accessing the loopback address (127.0.0.1). Default value is Off.

Block mic record

If On, prevents an app from directly using the microphone hardware for recording. Default value is On.

Block location services

If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps.

Block SMS compose

If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block screen capture

If On, prevents users from taking screen captures while the app is running. Also, when the user switches apps, obscures the app screen. Default value is On.

When using the Android Near Field Communication (NFC) feature, some apps take a screenshot of themselves before beaming the content. To enable that feature in a wrapped app, change the Block screen capture policy to Off.

Block device sensor

If On, prevents an app from using the device sensors, such as accelerometer, motion sensor, or gyroscope. Default value is On.

Block NFC

If On, prevents an app from using the Near Field Communications (NFC). Default value is On.

Block app logs

If On, prohibits an app from using the XenMobile App diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub email support feature. Default value is Off.

Block printing

If On, prevents an app from printing data. If an app has a Share command, you must set Document Exchange (Open in) to Restricted or Blocked to block printing fully. Default value is On.

App Network Access

Network access

Prevents, permits, or redirects app network activity. If Unrestricted, no restrictions are placed on network access. Apps have unrestricted access to networks to which the device is connected. If Blocked, all network access is blocked. If Tunneled to the internal network, a per-application VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel settings are used.

Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail and Secure Notes is Unrestricted. Default value for other apps is Blocked.

Certificate label

When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).

Preferred VPN mode

Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for connections that employ client certificates or end-to-end SSL to a resource in the internal network. Secure browse is recommended for connections that require single sign-on (SSO).

Permit VPN mode switching

When tunneling to the internal network, this policy permits switching between VPN modes automatically as needed. If On, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates are accommodated by full tunnel mode, but not when using secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode. If Off, the mode specified in the Preferred VPN mode policy is the only mode that is used. Default value is Off.

Whitelisted Wi-Fi networks

Comma-delimited list of allowed networks. App runs only if connected to one of the networks listed. If left blank, all networks are allowed. This setting doesn’t affect connections to cellular networks. Default value is blank.

App Logs

Default log output

Determines which output media are used by XenMobile app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level

Controls default verbosity of the XenMobile App diagnostic logging facility. Higher-level numbers include more detailed logging.

  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default value is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size

Limits the size in MB of the log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

Redirect app logs

If On, intercepts and redirects system or console logs from an app to the XenMobile App diagnostic facility. If Off, app use of system or console logs is not intercepted. Default value is On.

Encrypt logs

If On, XenMobile encrypts diagnostic logs as it records the logs. If Off, diagnostic logs remain unencrypted in the app sandbox.

Caution:

Depending upon configured log levels, log encryption can have a noticeable impact on app performance and battery life.

Default value is Off.

App GeoLocation and GeoFencing

The GeoLocation feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam, but if the person travels to Belgium, the app locks. When the user returns to Amsterdam, the app unlocks and is available for normal use.

There are three settings to enable GeoLocation:

  • Longitude (X coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. Enter in a signed degrees format (DDD.dddd). For example, “-31.9635.” Preface west longitudes with a minus sign.
  • Latitude (Y coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. Enter in a signed degrees format (DDD.dddd). For example, “43.06581.” Preface southern latitudes with a minus sign.
  • Radius of the geofence in which the app is constrained to operate. Express the radius in meters. Setting this value to zero disables geofencing.

Note:

If you enable Block location services, geofencing does not work correctly.

Default is 0 (disabled).

If the app supports geofencing and location services are disabled, a message appears where users can quit the app or tap Settings, which opens the Android Settings screen. If users enable location services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point is greater than the specified radius, the user is blocked from using the app. When this block occurs, users receive an option to quit the app. The user must be within the fence to continue using the app.

If the distance between the current location and the center point is within the specified radius, the user can continue to use the app.
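The breach check described above (distance from the configured center compared with the radius, radius 0 meaning disabled) is implemented in the Python below as an added example; it is not Citrix code. It assumes a spherical Earth (haversine formula with a 6371 km mean radius, an error of a few tenths of a percent, far below GPS error), treats a missing location fix as a separate outcome rather than as inside the fence, and validates coordinate ranges so a mistyped center fails loudly. The Amsterdam and Brussels coordinates are constructed approximations used only to exercise the example.

```python
import math
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; the spherical model is an assumption


def parse_signed_degrees(value: str) -> float:
    """Parse the DDD.dddd signed-degrees form the policy uses: "-31.9635" is a
    west longitude, "43.06581" a north latitude. Surrounding quotes are tolerated."""
    return float(value.strip().strip('"\u201c\u201d'))


def check_coordinate(lat: float, lon: float) -> None:
    """Reject values outside the valid latitude/longitude ranges."""
    if not (-90.0 <= lat <= 90.0) or not (-180.0 <= lon <= 180.0):
        raise ValueError(f"coordinate out of range: lat={lat}, lon={lon}")


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2.0 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_decision(center_lat: float, center_lon: float, radius_m: float,
                      fix: Optional[Tuple[float, float]]) -> str:
    """Return "allow", "lock" or "no-fix" for one location check.
    Radius 0 disables geofencing (policy text). With no location fix the
    position cannot be judged; the policy text says the user is prompted to
    enable location services, so the caller gets "no-fix" rather than "allow"."""
    check_coordinate(center_lat, center_lon)
    if radius_m <= 0:
        return "allow"
    if fix is None:
        return "no-fix"
    lat, lon = fix
    check_coordinate(lat, lon)
    distance = haversine_m(center_lat, center_lon, lat, lon)
    return "allow" if distance <= radius_m else "lock"


if __name__ == "__main__":
    # Constructed approximate city-centre coordinates for the Amsterdam example.
    AMS = (52.3676, 4.9041)
    BRU = (50.8503, 4.3517)
    radius = 50_000  # 50 km: covers the city, falls well short of Brussels
    print("fix in Amsterdam:", geofence_decision(*AMS, radius, (52.3702, 4.8952)))
    print("fix in Brussels: ", geofence_decision(*AMS, radius, BRU))
    print("radius 0:        ", geofence_decision(*AMS, 0, BRU))
    print("no fix:          ", geofence_decision(*AMS, radius, None))
```

With a 50 km radius the Amsterdam fix is allowed and the Brussels fix (about 173 km away) locks the app, matching the scenario in the text. The sign convention is the usual configuration mistake: a wrong sign on the longitude moves the center to the other side of the Greenwich meridian and locks every legitimate user, so verify the center with a known-good fix before enabling a non-zero radius.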

The app checks the network provider (Wi-Fi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which helps in obtaining the location faster.

There is a two-minute time-out to allow for longer times in checking the location.

Note:

To get an accurate location, and to avoid users trying to circumvent Geofence by disabling Wi-Fi or the GPS, Citrix recommends setting the policy Online session required to On.

ShareConnect App Settings

Save password

If On, enables users to save their user name and password for their remote computer. Default value is On.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Mail App Settings

Secure Mail Exchange Server

The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.

Caution:

If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Secure Mail user domain

The default Active Directory domain name for Exchange or, for iOS only, Notes users. Default value is empty.

Background network services

The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server. It can be in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

The time period that a background network service ticket remains valid. When Secure Mail connects through NetScaler Gateway to an Exchange Server running ActiveSync, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services, in the form fqdn:port. This address is the NetScaler Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway.

The Default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Export contacts

Important:

Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, contacts are duplicated on the device and in Exchange.

If Off, prevents the one-way synchronization of Secure Mail contacts to the device and prevents the sharing of Secure Mail contacts (as vCards). Default value is Off.

Contact fields to export

Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name and phone-related contact fields are exported. If Name, Phone and Email, all name, phone and email-related contact fields are exported. Default value is All.

Accept all SSL certificates

If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning. Default value is Off. Setting this policy to On disables server certificate validation entirely, so anyone who can intercept the connection can present their own certificate and read or modify mail traffic; use it only for short-lived troubleshooting, never in production.

Information Rights Management

If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Control locked screen notifications

Controls whether mail and calendar notifications appear on a locked device screen. If Allow, all information contained in the notification appears. If Block, notifications do not appear. If Email sender or event title, only the name of the email sender or the title of the calendar event appears. If Count only, only the count of mail and meeting invitations plus the time of calendar reminders appear. Default value is Allow.

Use secure connection (SSL)

If On, Secure Mail uses a secure connection. If Off, Secure Mail does not use a secure connection. Default is On.

Mail Search Limit

Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches. To restrict the amount of mail that is synced to a mobile device, configure the Max sync interval policy. Default value is Unlimited.

Default sync interval

Specifies the default sync interval for Secure Mail. Secure Mail users can change the default.

The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum email age filter, the Maximum email age filter setting is used instead. Secure Mail displays only the sync interval values that are less than the Active Sync Maximum email age filter setting.

Default value is three days.

Allowed Max Sync Period

Limits the period that search on the device covers. Search includes local search and server search, which you configure with two separate policies; set the policy on both the user device and the server for it to be effective.

The values are:

  • 3 days
  • 1 week
  • 2 weeks
  • 1 month
  • All

Default value is All.

Max sync interval

Controls the amount of mail stored locally on a mobile device by limiting the sync period.

To restrict the time period that a device can search on the mail server, configure the Mail Search Limit policy.

The values are:

  • 3 days
  • 1 week
  • 2 weeks
  • 1 month
  • All

Default value is All.

Enable download of attachments over Wi-Fi

If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi. Default value is Off.

Enable auto-save of email drafts

If On, Secure Mail supports automatically saving messages to the Drafts folder. The auto-save occurs every 20 seconds. Default value is On.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Enable week number

If On, calendar views include the week number. Default value is Off.

Initial Authentication Mechanism

This policy indicates whether the mail server address provided by MDX is used to populate the Address field on the first-time use provisioning screen or the user email address is used.

Default value is Use MDX-provided mail server address.

Initial Authentication Credentials

This policy defines the value that is chosen as the user name to populate into the initial first-time use provisioning screen.

Default value is User Principal Name.

Web/Audio Conference Type

Controls which meeting types users can configure when setting up a meeting. If GoToMeeting and User Entered, users are able to select GoToMeeting or Other Conference when tapping the Web & Audio section of the Create or Edit Event screen. Other Conference allows the user to enter conference details manually. If UserEntered Only, users are taken directly to the Other Conference screen. Default is GoToMeeting and User Entered.

S/MIME Public Certificate Source

Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.

LDAP Server Address

LDAP server address including port number. Default value is empty.

LDAP Base DN

LDAP Base distinguished name. Default value is empty.

Access LDAP Anonymously

If On, Secure Mail can search LDAP without prior authentication. Default value is Off.

If Off, Secure Mail authenticates to LDAP by using the Active Directory user name and password only. Certificate-based authentication and other authentication modes are not supported.

Secure Notes App Settings

Secure Notes storage options

Allows you to set storage options for notes that users create when using Secure Notes. If ShareFile and Exchange Server, the user can choose the storage option for notes. If ShareFile only, notes are stored in ShareFile. If Exchange only, notes are stored in Exchange Server. Default value is ShareFile and Exchange Server.

Secure Notes Exchange Server

Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Notes user domain

Default Active Directory domain name for Exchange users. Default value is empty.

Background network services

The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates

If On, Secure Notes accepts all SSL certificates (valid or not) and allows access. If Off, Secure Notes blocks access when a certificate error occurs and displays a warning. Default value is Off.

Information Rights Management

If On, Secure Notes supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Secure Tasks App Settings

Background network services

The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Background network service gateway

Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates

If On, Secure Tasks accepts all SSL certificates (valid or not) and allows access. If Off, Secure Tasks blocks access when a certificate error occurs and displays a warning. Default value is Off.

Secure Web App Settings

Allowed or blocked websites

Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Precede each pattern in the list with a Plus Sign (+) or Minus Sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action taken as follows:

  • A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address cannot be resolved.
  • A plus (+) prefix allows the URL to be processed normally.
  • If neither + nor - is provided with the pattern, + (allow) is assumed.
  • If the URL does not match any pattern in the list, the URL is allowed.

To block all other URLs, end the list with a Minus Sign followed by an asterisk (-*). For example:

  • The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within the mycorp.com domain, blocks HTTP URLs elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
  • The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any site in the Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, and Hotmail, regardless of protocol.

Default value is empty (all URLs allowed).
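The first-match evaluation described above, implemented as an added example (not Citrix code) so that a pattern list can be checked against representative URLs before it is deployed. The page does not state whether Secure Web matches case-insensitively or lets * span "/", so both are assumptions here; the sample URLs are constructed.

```python
import re
from typing import List, Tuple

Rule = Tuple[bool, "re.Pattern"]  # (allow?, compiled pattern)


def parse_url_policy(policy: str) -> List[Rule]:
    """Turn the comma-separated pattern list into ordered (allow, regex) rules.

    A leading '-' blocks and a leading '+' (or no prefix) allows. Only '*' is
    a wildcard; every other character is literal. Assumption, not stated by the
    page: matching is case-insensitive and '*' may also span '/' characters.
    """
    rules: List[Rule] = []
    for raw in policy.split(","):
        pat = raw.strip()
        if not pat:
            continue
        allow = True
        if pat[0] in "+-":
            allow = pat[0] == "+"
            pat = pat[1:]
        regex = ".*".join(re.escape(part) for part in pat.split("*"))
        rules.append((allow, re.compile(f"^{regex}$", re.IGNORECASE)))
    return rules


def url_allowed(url: str, rules: List[Rule]) -> bool:
    """The first matching rule decides; a URL that matches no rule is allowed."""
    for allow, regex in rules:
        if regex.match(url):
            return allow
    return True


# The two policy values quoted in the documentation.
MYCORP_POLICY = "+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*"
TRAINING_POLICY = "+http://*.training.lab/*,+https://*.training.lab/*,-*"

# Constructed URLs for checking MYCORP_POLICY (not taken from the page).
SAMPLE_URLS = [
    "http://intranet.mycorp.com/portal",    # allow: HTTP inside mycorp.com
    "http://mycorp.com/",                   # block: apex host lacks '.mycorp.com/'
    "http://www.mycorp.com.evil.example/",  # block: look-alike host, caught by -http://*
    "https://www.example.com/",             # allow: HTTPS anywhere
    "ftp://files.example.com/pub",          # allow: FTP anywhere
    "mailto:someone@example.com",           # block: trailing -* catches everything else
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("ALLOW" if url_allowed(url, parse_url_policy(MYCORP_POLICY)) else "BLOCK", url)
```

Note that the first pattern only covers subdomains: the apex host mycorp.com itself falls through to -http://* and is blocked, which is easy to miss without a check like this.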

Preloaded bookmarks

Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list that includes folder name, friendly name, and web address. Each triplet is of the form folder,name,url where folder and name may optionally be enclosed in double quotes (").

For example, the policy value ,"Mycorp, Inc. home page",http://www.mycorp.com, "MyCorp Links",Account logon,https://www.mycorp.com/Accounts, "MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx defines three bookmarks. The first is a primary link (no folder name) titled “Mycorp, Inc. home page”. The second link is placed in a folder titled “MyCorp Links” and labeled “Account logon”. The third is placed in the “Investor Relations” subfolder of the “MyCorp Links” folder and displayed as “Contact us”.

Default value is empty.
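An added parser (not Citrix code) for the folder,name,url format just described, showing why the optional double quotes matter: a title such as "Mycorp, Inc. home page" contains a comma and would otherwise split into two fields. It assumes, beyond what the page says, that whitespace after a separating comma is ignored and that nested folders are written as a slash-separated path.

```python
import csv
from typing import List, NamedTuple


class Bookmark(NamedTuple):
    folder_path: List[str]  # [] for a top-level bookmark, ["A", "B"] for folder A/B
    name: str
    url: str


def parse_bookmarks(policy: str) -> List[Bookmark]:
    """Parse the comma-separated folder,name,url triplets of the policy value.

    Quoted fields follow CSV rules, so the csv module does the tokenising.
    Assumption (not stated by the page): whitespace after a comma is ignored.
    """
    if not policy.strip():
        return []  # the default: no preloaded bookmarks
    fields = next(csv.reader([policy], skipinitialspace=True))
    if len(fields) % 3:
        raise ValueError(f"expected folder,name,url triplets, got {len(fields)} fields")
    bookmarks: List[Bookmark] = []
    for i in range(0, len(fields), 3):
        folder, name, url = (f.strip() for f in fields[i:i + 3])
        if not name or not url:
            raise ValueError(f"bookmark {i // 3 + 1}: name and url are required")
        path = [p for p in folder.split("/") if p] if folder else []
        bookmarks.append(Bookmark(path, name, url))
    return bookmarks


# The example policy value from the documentation (three bookmarks).
EXAMPLE_POLICY = (
    ',"Mycorp, Inc. home page",http://www.mycorp.com,'
    ' "MyCorp Links",Account logon,https://www.mycorp.com/Accounts,'
    ' "MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx'
)

if __name__ == "__main__":
    for b in parse_bookmarks(EXAMPLE_POLICY):
        print("/".join(b.folder_path) or "(top level)", "|", b.name, "|", b.url)
```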

Home page URL

Defines the website that Secure Web loads when started. Default value is empty (default start page).

Browser user interface

Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.

Options:

  • All controls visible. All controls are visible and users are not restricted from using them.
  • Read-only address bar. All controls are visible, but users cannot edit the browser address field.
  • Hide address bar. Hides the address bar, but not other controls.
  • Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.

Enable web password caching

When Secure Web users enter credentials to access a web resource, this policy determines whether Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs, not to passwords entered in web forms.

If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache passwords and removes existing cached passwords. Default value is Off.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Disable cookies

If On, Secure Web deletes all of its cookies when a user exits the app. As a result, each time users start Secure Web they must reenter information such as website settings and user names. Default value is Off.

Disable HTML5 local storage

If On, prevents websites from saving data in HTML5 local storage, where file names are stored as plain text and can be viewed from desktop apps such as Internet Explorer. Most websites do not use HTML5 local storage. Default value is Off.