
XenMobile MDX policies for iOS Apps

Feb 27, 2018

This article describes the MDX policies for iOS apps. You can change policy settings directly in the policy XML files or in the XenMobile console when you add an app.

Authentication

Device passcode

Note:

This policy applies to iOS 9 devices only.

If On, a PIN or passcode is required to unlock the device when it starts or resumes after a period of inactivity. A device passcode is required to encrypt app data using Apple file encryption. Data for all apps on the device are encrypted. Default value is Off.

App passcode

If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 15 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Online session required

If On, the user must have a connection to the enterprise network and an active session. If Off, an active session is not required. Default value is Off.

Online session required grace period (minutes)

Determines how many minutes a user can use the app offline before the Online session required policy prevents the app from further use. Default value is 0 (no grace period).

Maximum offline period (hours)

Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from XenMobile. At expiration, logon to the server may be triggered if needed. Default value is 72 hours (3 days). Minimum period is one hour.

Users are reminded to sign on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users sign on.

Alternate NetScaler Gateway

Address of a specific alternate NetScaler Gateway that is used for authentication and for micro VPN sessions with this app. This policy is an optional policy that, when used with the Online session required policy, forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the default gateway of the server is always used. Default value is empty.

Device Security

Block jailbroken or rooted

If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Network Requirements

Require Wi-Fi

If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Miscellaneous Access

App update grace period (hours)

Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is 168 hours (7 days).

Note: Using a value of zero is not recommended since a zero value immediately prevents a running app from being used until the update is downloaded and installed. This setting might lead to a situation in which the user is forced to exit the app (potentially losing work) to comply with the required update.

Erase app data on lock

Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • App subscription removed
  • Account removed
  • Secure Hub uninstalled
  • Too many app authentication failures
  • Jailbroken device detected (per policy setting)
  • Device placed in locked state by other administrative action

Active poll period (minutes)

When an app starts, the MDX framework polls XenMobile to determine current app and device status. Assuming the server running XenMobile can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes.

Important:

Only set this value lower for high-risk apps or performance may be affected.

Minimum data protection class

Note:

This policy is only enforced on iOS 9 devices.

Establishes the minimum iOS data protection class to be used for file operations. Default value is Complete unless open.

  • If Complete, uses NSFileProtectionComplete; when a device locks, files become unavailable.
  • If Complete unless open, uses NSFileProtectionCompleteUnlessOpen or higher. If a file is open when a device locks, the file remains available to the app.
  • If Until first unlock, uses NSFileProtectionCompleteUntilFirstUserAuthentication or higher. When a device restarts, until the user unlocks the device for the first time, files are locked and can’t be read.
  • If None, uses no specific data protection class. Files can be read from or written to at any time.

Important:

Developers must be sure to test wrapped apps that perform background processing, such as content refreshes on a locked device or background syncs.

Encryption

Minimum data protection class

Note:

This policy is only enforced on iOS 9 devices. This policy is hidden. To make the policy visible in XenMobile, open the policy_metadata.xml file for the app (in Applications/Citrix/MDXToolkit/data) and, in the DocumentExchangeExceptionList section, change the value of PolicyHidden to false. After you wrap your app, the policy appears when you add the app to XenMobile.

Establishes the minimum iOS data protection class to be used for file operations.

  • If Complete, uses NSFileProtectionComplete; when a device locks, files become unavailable.
  • If Complete unless open, uses NSFileProtectionCompleteUnlessOpen or higher. If a file is open when a device locks, the file remains available to the app.
  • If Until first unlock, uses NSFileProtectionCompleteUntilFirstUserAuthentication or higher. When a device restarts, until the user unlocks the device for the first time, files are locked and can’t be read.
  • If None, uses no specific data protection class. Files can be read from or written to at any time.

Default value is Complete unless open.

Enable encryption

Note:

On iOS 9 devices, this policy enables database and keychain encryption only. To enable file encryption for those devices, set the Device passcode policy to On. For older iOS devices, this policy enables file, database, and keychain encryption.

If Off, the data stored on the device is not encrypted. If On, the data stored on the device is encrypted. Default value is On.

Caution: If you change this policy after deploying an app, users must reinstall the app.

Database encryption exclusions

Lists the databases that are excluded from automatic encryption. To prevent database encryption for a specific database, add an entry to this comma-separated list of regular expressions. If a database path name matches any of the regular expressions, the database is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions syntax. The pattern matching is case-insensitive.

Examples:

\.db$,\.sqlite$ excludes any database path name that ends with either “.db” or “.sqlite”.

\/Database\/unencrypteddb\.db matches database unencrypteddb.db in the Database subfolder.

\/Database\/ matches all databases that contain /Database/ in their path.

Default value is empty.

File encryption exclusions

Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then that file is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions syntax. The pattern matching is case-insensitive.

Examples:

\.log$,\.dat$ excludes any file path name that ends with either “.log” or “.dat”.

\/Documents\/unencrypteddoc\.txt matches the contents of the file unencrypteddoc.txt in the Documents subfolder.

\/Documents\/UnencryptedDocs\/.*\.txt matches “.txt” files under the subpath /Documents/UnencryptedDocs/.

Default value is empty.
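The Database encryption exclusions and File encryption exclusions policies above share one matching model: a comma-separated list of case-insensitive patterns, where any match leaves the item unencrypted. The following added example (not Citrix code) audits which paths a candidate exclusion list would leave in plaintext, using the page's own example patterns against constructed paths; it assumes Python's re module matches these POSIX ERE patterns identically.

```python
import re


def parse_exclusions(policy: str) -> list:
    """Split the comma-separated MDX exclusion value into compiled patterns.

    The policy syntax is POSIX 1003.2 ERE, matched case-insensitively.
    Treating Python's re as equivalent for these path patterns is an assumption."""
    patterns = []
    for raw in policy.split(","):
        raw = raw.strip()
        if raw:
            patterns.append(re.compile(raw, re.IGNORECASE))
    return patterns


def is_excluded(path: str, patterns: list) -> bool:
    """True when the path matches any exclusion, i.e. the file or database
    is left unencrypted on the device."""
    return any(p.search(path) for p in patterns)


def audit(policy: str, paths: list) -> dict:
    """Map each path to 'plaintext' (excluded) or 'encrypted' so an admin can
    see exactly what a proposed exclusion list leaves unprotected."""
    patterns = parse_exclusions(policy)
    return {p: ("plaintext" if is_excluded(p, patterns) else "encrypted")
            for p in paths}


# Constructed sample: the page's example patterns against paths an app might create.
DB_POLICY = r"\.db$,\.sqlite$,\/Database\/unencrypteddb\.db"
DB_PATHS = [
    "/var/app/Documents/Database/unencrypteddb.db",
    "/var/app/Library/cache.SQLITE",        # case-insensitive match: excluded
    "/var/app/Library/mail.sqlite-wal",     # SQLite sidecar: NOT matched by \.sqlite$
    "/var/app/Library/mail.sqlite",
]

FILE_POLICY = r"\.log$,\.dat$,\/Documents\/UnencryptedDocs\/.*\.txt"
FILE_PATHS = [
    "/var/app/Documents/UnencryptedDocs/notes/readme.txt",
    "/var/app/Documents/UnencryptedDocs/secret.txt.enc",  # unanchored ".txt" still matches
    "/var/app/Documents/report.txt",
]

if __name__ == "__main__":
    results = {**audit(DB_POLICY, DB_PATHS), **audit(FILE_POLICY, FILE_PATHS)}
    for path, state in results.items():
        print(f"{state:9s} {path}")
```

Two results worth noting: a database's -wal and -journal sidecars are not covered by a pattern ending in `\.sqlite$`, so they stay encrypted while the main file does not, and a pattern without a trailing `$` also excludes names such as `secret.txt.enc`.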

Warning:

If you use Secure Edit to encrypt a file and send it using another application (Secure Mail or native iOS Mail), the file is unencrypted.

App Interaction

Cut and Copy

Blocks, permits, or restricts Clipboard cut and copy operations for the app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted. Options: Unrestricted, Blocked, or Restricted.

Paste

Blocks, permits, or restricts Clipboard paste operations for the app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted. Options: Unrestricted, Blocked, or Restricted.

Document exchange (Open In)

Blocks, permits, or restricts document exchange operations for the app. If Restricted, documents can be exchanged only with other MDX apps and the app exceptions specified in the Restricted Open-In exception list policy.

If Unrestricted, set the Enable encryption policy to On so that users can open documents in unwrapped apps. If the receiving app is unwrapped or has encryption disabled, XenMobile decrypts the document.

If the policy blocks the camera, audio, clipboard, or printing, each of these items maintains the last shown timestamp. Users receive a message about the status of the option. Default value is Restricted. Options: Unrestricted, Blocked, or Restricted.

Restricted Open-In exception list

When the Document exchange (Open In) policy is Restricted, an MDX app can share documents with this comma-delimited list of unmanaged app IDs. This sharing happens even if the Document exchange (Open In) policy is Restricted and the Enable encryption policy is On. The default exception list allows Office 365 apps:

com.microsoft.Office.Word,com.microsoft.Office.Excel,com.microsoft.Office.Powerpoint, com.microsoft.onenote,com.microsoft.onenoteiPad,com.microsoft.Office.Outlook

Only Office 365 apps are supported for this policy.

Caution:

Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the Secure environment. For more security, this policy does not appear in the XenMobile console. To make the policy visible in XenMobile, open the policy_metadata.xml file for the app (in Applications/Citrix/MDXToolkit/data) and, in the DocumentExchangeExceptionList section, change the value of PolicyHidden to false. After you wrap your app, the Restricted Open-In exception list policy appears when you add the app to XenMobile.

Connection security level

Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections support SSL 3.0 and TLS. Default value is TLS.

Inbound document exchange (Open In)

Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.

If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app. Options: Unrestricted, Blocked, or Restricted.

Explicit logoff notification

If Enabled, the app activates explicitly to inform the app of a user log off. If Disabled, the app does not activate during a user log off. If set to Shared devices only, then the app activates during user log off only when configuring the device as a shared device. Default is Disabled for all apps except Secure Mail, where the default is Shared Devices.

Inbound document exchange whitelist

When the Inbound document exchange policy is Restricted or Blocked, this comma-delimited list of app IDs, including non-MDX apps, is allowed to send documents to the app.

App URL schemes

iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as “http://”). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the schemes that are passed into this app for handling (that is, inbound URLs). Default value is empty, meaning that all registered app URL schemes are blocked.

The policy is formatted as a comma-separated list of patterns in which a plus “+” or minus “-“ precedes each pattern. Inbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the prefix dictates the action taken. A minus sign (-) prefix blocks the URL from being passed into this app. A plus sign (+) prefix permits the URL to be passed into the app for handling. If “+” or “-“ are not provided with the pattern, “+” (allow) is assumed. If an inbound URL does not match any pattern in the list, the URL is blocked.

The following table contains examples of App URL schemes:

Scheme             App that requires the URL scheme   Purpose
ctxmobilebrowser   Secure Web                         Permit Secure Web to handle HTTP: URLs from other apps.
ctxmobilebrowsers  Secure Web                         Permit Secure Web to handle HTTPS: URLs from other apps.
ctxmail            Secure Mail                        Permit Secure Mail to handle mailto: URLs from other apps.
COL-G2M            GoToMeeting                        Permit a wrapped GoToMeeting app to handle meeting requests.
ctxsalesforce      Citrix for Salesforce              Permit Citrix for Salesforce to handle Salesforce requests.
wbx                WebEx                              Permit a wrapped WebEx app to handle meeting requests.

Allowed URLs

iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as “http://”). This facility provides a mechanism for an app to pass requests for help to another app.

This policy serves to filter the URLs that are passed from this app to other apps for handling (that is, outbound URLs).

The policy is formatted as a comma-separated list of patterns in which a plus “+” or minus “-“ precedes each pattern. Outbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the prefix dictates the action taken. A minus sign (-) prefix blocks the URL from being passed out to another app. A plus sign (+) prefix permits the URL to be passed out to another app for handling. If “+” or “-“ are not provided with the pattern, “+” (allow) is assumed. A pair of values separated by “=” indicates a substitution where occurrences of the first string are replaced with the second. You can use the regular-expression “^” prefix to search string to anchor it to the beginning of the URL. If an outbound URL does not match any pattern in the list, it is blocked.

Default:

^http:

^https:

^mailto:=ctxmail:

+^ctxmailex:

+^ctxmailex2;

+^citrixreceiver:

+^telprompt:

+^tel:

+^col-g2m-2:

+^col-g2w-2:

+^col-g2t-2;

+^mapitem:

+^maps:ios_addr

+^itms-services:

+^itms-apps

+^ctx-sf

+^lmi-g2m:

+^lync:

If the setting is blank, all URLs are blocked, except for the following:

  • http:
  • https:
  • +citrixreceiver:
  • +tel:

The following table contains examples of allowed URLs:

Pattern               Effect
^mailto:=ctxmail:     All mailto: URLs open in Secure Mail.
^http:                All HTTP URLs open in Secure Web.
^https:               All HTTPS URLs open in Secure Web.
^tel:                 Allows user to make calls.
-//www.dropbox.com    Blocks Dropbox URLs dispatched from managed apps.
+^COL-G2M:            Permits managed apps to open the GoToMeeting client app.
-^SMS:                Blocks the use of a messaging chat client.
-^wbx:                Blocks managed apps from opening the WebEx client app.
+^ctxsalesforce:      Permits Citrix for Salesforce to communicate with your Salesforce server.
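The App URL schemes and Allowed URLs policies use the same ordered, first-match-wins list of "+"/"-" prefixed patterns, with no prefix meaning allow, no match meaning block, and (for outbound URLs) "from=to" substitutions. The following added example (not Citrix's implementation) evaluates constructed URLs against the table rows above and shows how rule order decides whether the Dropbox block ever fires; it assumes each pattern is a regular expression and that matching is case-insensitive.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    allow: bool
    pattern: re.Pattern
    replacement: Optional[str]   # only set by "from=to" substitution entries


def parse_url_policy(policy: str) -> List[Rule]:
    """Parse the comma-separated '+'/'-' prefixed pattern list.

    No prefix means '+' (allow). A 'from=to' entry is a substitution that also
    allows the URL. The page documents '^' as a regular-expression anchor; this
    example assumes the whole pattern is a regular expression and that URL
    scheme matching is case-insensitive (both are assumptions)."""
    rules = []
    for raw in policy.split(","):
        raw = raw.strip()
        if not raw:
            continue
        allow = True
        if raw[0] in "+-":
            allow = raw[0] == "+"
            raw = raw[1:]
        replacement = None
        if "=" in raw:
            raw, replacement = raw.split("=", 1)
        rules.append(Rule(allow, re.compile(raw, re.IGNORECASE), replacement))
    return rules


def evaluate_url(rules: List[Rule], url: str) -> Tuple[bool, str]:
    """Compare the URL against the rules in listed order; the first match decides.
    Returns (allowed, url_after_substitution). No match at all means blocked."""
    for rule in rules:
        if rule.pattern.search(url):
            if not rule.allow:
                return False, url
            if rule.replacement is not None:
                url = rule.pattern.sub(rule.replacement, url, count=1)
            return True, url
    return False, url


def decide(policy: str, url: str) -> Tuple[bool, str]:
    return evaluate_url(parse_url_policy(policy), url)


# Constructed policy built from the page's table rows, in table order.
TABLE_ORDER = ("^mailto:=ctxmail:,^http:,^https:,^tel:,-//www.dropbox.com,"
               "+^COL-G2M:,-^SMS:,-^wbx:,+^ctxsalesforce:")
# Same rules with the Dropbox block moved ahead of the broad HTTPS allow.
DROPBOX_FIRST = "-//www.dropbox.com," + TABLE_ORDER.replace("-//www.dropbox.com,", "")

if __name__ == "__main__":
    for url in ("mailto:alice@example.com", "https://www.dropbox.com/s/abc",
                "sms:+15551234567", "col-g2m:123456", "ftp://files.example.com"):
        print(f"{url:32s} table order: {decide(TABLE_ORDER, url)}"
              f"  dropbox first: {decide(DROPBOX_FIRST, url)}")
```

With the rows in table order, an HTTPS Dropbox link is allowed because `^https:` matches first; the block only takes effect when `-//www.dropbox.com` is listed before the broad allow, so put specific deny entries ahead of general allow entries.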

App Restrictions

Important:

Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera

If On, prevents an app from directly using the camera hardware. Default value is On.

Block Photo Library

If On, prevents an app from accessing the Photo Library on the device. Default value is On.

Block localhost Connections

If On, prevents an app from accessing the loopback address (127.0.0.1). Default value is Off.

Block mic record

If On, prevents an app from directly using the microphone hardware for recording. Default value is On.

Block dictation

If On, prevents an app from directly using dictation services. Default value is On.

Block location services

If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps.

Block SMS compose

If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block iCloud

If On, prevents an app from using iCloud for storing and sharing settings and data.

Note:

The Block file backup policy controls iCloud data file backup.

Default value is On.

Block file backup

If On, prevents iCloud or iTunes from backing up data files. Default value is On.

Block AirPrint

If On, prevents access to printing by using AirPrint features to print data to AirPrint-enabled printers. Default value is On.

Block AirDrop

If On, prevents an app from using AirDrop. Default value is On.

Block email as attachment

Note:

This policy is enforced on iOS 9 only.

If On, disables sending a note as an email with a PDF attachment. Default value is Off.

Block file attachments

Note:

This policy is enforced on iOS 9 only.

If On, disables downloading attachments in Secure Mail. Default value is Off.

Block Facebook and Twitter APIs

If On, prevents an app from using the iOS Facebook and Twitter APIs. Default value is On.

Obscure screen contents

If On, when users switch apps, the screen is obscured. This policy prevents iOS from recording screen contents and displaying thumbnails. Default value is On.

Block 3rd party keyboards (iOS 9 and later only)

If On, prevents an app from using third-party keyboard extensions on iOS 9 and later devices. Default value is On.

Block app logs

If On, prohibits an app from using the XenMobile App diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub email support feature. Default value is Off.

Mail compose redirection

You have three choices for how users are allowed to compose mail from an enterprise app:

  • Secure Mail: If installed on the device, Secure Mail automatically opens. If not, native mail does not open. Instead, users get a message instructing them to install Secure Mail.
  • Native email: The native mail program of the device opens.
  • Blocked: Both Secure Mail and native mail are blocked.

Default is Secure Mail.

Block iOS Look Up

If On, prevents iOS from searching for highlighted terms across apps. Default value is On.

App Network Access

Network access

Prevents, permits, or redirects app network activity. If Unrestricted, no restrictions are placed on network access. Apps have unrestricted access to networks to which the device is connected. If Blocked, all network access is blocked. If Tunneled to the internal network, a per-app VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel settings are used.

Default value for Secure Web and Citrix for Salesforce is Tunneled to the internal network. Default value for Secure Mail, Secure Notes, ShareFile Phone, and ShareFile Tablet is Unrestricted. Default value for other apps is Blocked.

Certificate label

When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).

Preferred VPN mode

Sets the initial mode for connections that tunnel to the internal network. Full VPN tunnel is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network. Secure browse is recommended for connections that require single sign-on (SSO).

Permit VPN mode switching

When tunneling to the internal network, this policy permits switching between VPN modes automatically as needed. If On, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, full tunnel mode can accommodate server challenges for client certificates, but not when using secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode. If Off, the mode specified in the Preferred VPN mode policy is the only mode that is used. Default value is Off.

PAC file URL or proxy server

Defines the Proxy Auto-Configuration (PAC) file URL or the proxy server to use. Supported for full tunnel mode only. Specify a PAC file URL in the form http[s]://192.0.2.0/proxy.pac or http[s]://example.com/proxy.pac. For HTTPS, install the root CA on the device if the certificate is self-signed or untrusted. Specify a proxy server in the form myhost.example.com:port or 10.10.0.100:port. Default and non-default ports are accepted. Default value is empty.

Whitelisted Wi-Fi networks

Comma-delimited list of allowed networks. App runs only if connected to one of the networks listed. If left blank, all networks are allowed. This policy doesn’t affect connections to cellular networks. Default value is blank.

App Logs

Default log output

Determines which output media are used by XenMobile App diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level

Controls default verbosity of the XenMobile App diagnostic logging facility. Higher-level numbers include more detailed logging.

  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default value is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size

Limits the size in MB of the log files retained by the XenMobile App diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

App Geolocation and Geofencing

The Geolocation feature allows you to restrict app usage based on the location of the user device. For example, a person travels to Amsterdam. You can allow users to use the app when they are in Amsterdam. If the person travels to Belgium, the app locks and users cannot interact with the app. When the user returns to Amsterdam, the app unlocks and is available for normal use.

There are three settings to enable Geolocation:

  • Longitude (X coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. Enter in a signed degrees format (DDD.dddd). For example, “-31.9635.” Preface west longitudes with a minus sign.
  • Latitude (Y coordinate) is the center point of the point or radius geofence in which the app is constrained to operate. Enter in a signed degrees format (DDD.dddd). For example, “43.06581.” Preface southern latitudes with a minus sign.
  • Radius of the geofence in which the app is constrained to operate. Express the radius in meters. Setting this value to zero disables geofencing.

If you enable Block location services, geofencing does not work correctly.

Default is 0 (disabled).

If the app supports geofencing and you disable location services, users can either quit the app or can click Settings, which goes to the Android Settings screen. If users enable location services, they can return and continue using the app.

When the radius and location services settings are correct, the app checks for a geofence breach. If the distance between the current location and the center point is greater than the specified radius, the user is blocked from using the app. When this block occurs, users receive an option to quit the app. The user must be within the fence to continue using the app.

If the distance between the current location and the center point is less than the specified radius, the user can continue to use the app.
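The breach check described above is a distance comparison between the device's current fix and the configured center point. The following added example (not Citrix code) carries it through with a great-circle (haversine) distance, the radius-zero disable rule, and the two-minute location time-out; the Amsterdam and Brussels coordinates are constructed sample values, and treating a missing or stale fix as a breach is an assumption of this example.

```python
import math
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius; adequate for fence radii of a few km


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two signed-degree coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_state(center_lat: float, center_lon: float, radius_m: float,
                   fix: Optional[Tuple[float, float]], fix_age_s: float = 0.0) -> str:
    """Return 'disabled', 'unlocked' or 'locked' for one policy evaluation.

    A radius of 0 disables geofencing (page). A missing fix, or one older than
    the two-minute location time-out the page mentions, is treated as a breach
    so that switching location off cannot be used to stay inside the fence
    (that treat-as-breach choice is an assumption of this example)."""
    if radius_m == 0:
        return "disabled"
    if fix is None or fix_age_s > 120:
        return "locked"
    dist = distance_m(center_lat, center_lon, fix[0], fix[1])
    return "unlocked" if dist <= radius_m else "locked"


# Constructed coordinates: a 50 km fence centred on Amsterdam.
AMSTERDAM = (52.3676, 4.9041)     # Latitude (Y), Longitude (X) in signed degrees
CENTRAAL = (52.3791, 4.9003)      # inside the fence
BRUSSELS = (50.8503, 4.3517)      # outside the fence
RADIUS_M = 50_000

if __name__ == "__main__":
    for name, fix in (("Centraal", CENTRAAL), ("Brussels", BRUSSELS), ("no fix", None)):
        state = geofence_state(*AMSTERDAM, RADIUS_M, fix)
        print(f"{name:9s} -> {state}")
```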

The app checks the network provider (Wi-Fi, 3G, or 4G) or the GPS Provider to find the location. The device can also use GPS and the cell phone carrier network together, which helps in obtaining the location faster.

There is a two-minute time-out to allow for longer times in checking the location.

Note:

To get an accurate location, and to avoid users circumventing the Geofence by disabling Wi-Fi or the GPS, Citrix recommends setting the policy Online session required to On.

ShareConnect App Settings

Save password

If On, enables users to save their user name and password for their remote computer. Default value is On.

Secure Mail App Settings

Secure Mail Exchange Server

The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.

Caution:

If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Secure Mail user domain

The default Active Directory domain name for Exchange or, for iOS only, Notes users. Default value is empty.

Background network services

The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server in your internal network or another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

The time period that a background network service ticket remains valid. When Secure Mail connects to an Exchange Server running ActiveSync through NetScaler Gateway, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services, in the form fqdn:port. This address is the NetScaler Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway.

Default value is empty, implying that an alternate gateway does not exist.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Export contacts

Important:

Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, contacts are duplicated on the device and in Exchange.

If Off, prevents the one-way synchronization of Secure Mail contacts to the device and prevents the sharing of Secure Mail contacts (as vCards). Default value is Off.

Contact fields to export

Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name- and phone-related contact fields are exported. If Name, Phone, and Email, all name-, phone-, and email-related contact fields are exported. Default value is All.

Accept all SSL certificates

If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning. Default value is Off.

Control locked screen notifications

Controls whether mail and calendar notifications appear on a locked device screen. If Allow, all information contained in the notification appears. If Block, notifications do not appear. If Email sender or event title, only the name of the email sender or the title of the calendar event appears. If Count only, only the count of mail and meeting invitations plus the time of calendar reminders appear. Default value is Allow.

Default email notification

Users can change email notifications on their device from Off to On. The Default email notification policy allows you to set a global policy for email notifications for your organization.

When the app checks for new policies, the new value is sent to the user device. This check occurs when users install the app for the first time or upgrade the app.

If users set this policy locally and the global setting is different, the local setting does not change when users start the app.

Default value is Off.

Default sync interval

Specifies the default sync interval for Secure Mail. Secure Mail users can change the default.

The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum email age filter, the Maximum email age filter setting is used instead. Secure Mail displays only the sync interval values that are less than the Active Sync Maximum email age filter setting.

Default value is three days.

Mail Search Limit

Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches.

The options are:

  • 90 days
  • 180 days
  • 1 year
  • Unlimited

To restrict the amount of mail synchronized to a mobile device, configure the Max sync interval policy.

Default value is Unlimited.

Max sync interval

Controls the amount of mail stored locally on a mobile device by limiting the sync period.

To restrict the time period that a device can search on the mail server, configure the policy Mail server search limit.

The values are:

  • 3 days
  • 1 week
  • 2 weeks
  • 1 month
  • All

Default value is 1 month.

Allowed Max Sync Period

Limits search on the device to a specified period. Search includes local search and server search that you configure by using two separate policies. Set the policy on the user device and the server for the policy to be effective.

The values are:

  • 3 days
  • 1 week
  • 2 weeks
  • 1 month
  • All

Default value is 1 month.

Enable week number

If On, calendar views include the week number. Default value is Off.

Enable download of attachments over Wi-Fi

If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi. Default value is Off.

Information Rights Management

If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Email classification

If On, Secure Mail supports email classification markings for security (SEC) and dissemination limiting markers (DLM). Classification markings appear in email headers as X-Protective-Marking values. Be sure to configure the related email classification policies. Default value is Off.

Email classification markings

Specifies the classification markings to be made available to users. The markings list contains value pairs that are separated by semicolons. Each pair includes the list value that appears in Secure Mail and the marking value that is the text appended to the email subject and header. For example, in the marking pair UNOFFICIAL,SEC=UNOFFICIAL, the list value is UNOFFICIAL and the marking value is SEC=UNOFFICIAL.

Default value is a list of classification markings that you can modify. For the list of default markings, see Email Security Classifications.

If the list is empty, Secure Mail does not include a list of protective markings.

Email classification namespace

Specifies the classification namespace that is required in the email header by the classification standard used. For example, the namespace gov.au appears in the header as NS=gov.au. Default value is empty.

Email classification version

Specifies the classification version that is required in the email header by the classification standard used. For example, the version 2012.3 appears in the header as VER=2012.3. Default value is empty.

Default email classification

If a user does not choose a marking, specifies the protective marking that Secure Mail applies to an email. This value must be in the list for the Email classification markings policy. Default value is UNOFFICIAL.

Enable auto-save of email drafts

If On, Secure Mail supports automatically saving messages to the Drafts folder. The auto-save occurs every 20 seconds. Default value is On.

Enable iOS data protection

This policy is intended for enterprises that must meet Australian Signals Directorate (ASD) computer security requirements. Enables iOS data protection when working with files. If On, specifies the file-protection level when creating and opening files in the app sandbox. Default value is Off.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Push notifications

Enables APNS-based notifications about mailbox activity. If On, Secure Mail supports push notifications. Default value is Off.

Push notifications region

The region where the APNs host is located for your Secure Mail users. Options are Americas, EMEA, and APAC. Default value is Americas.

Push notifications customer ID

Your APNs customer ID, used to identify your account to the Citrix notification service. Default value is empty.

S/MIME certificate source

Specifies the source of S/MIME certificates. If Email, you must email user certificates to users, who then open the email in Secure Mail and import the attached certificates. If Shared vault, a supported digital identity provider supplies certificates to the XenMobile App shared vault. The integration with the third-party provider requires that you publish a related app to users. If Derived Credentials, Secure Mail uses certificates from a source such as a smart card. For more information on derived credentials, see Derived Credentials for iOS. See the description of the Enable S/MIME during first Secure Mail startup policy (next) for details about the user experience.

Default value is Email.

Enable S/MIME during first Secure Mail startup

If the S/MIME certificate source policy is Shared vault, determines whether Secure Mail enables S/MIME during the first Secure Mail startup. If On, Secure Mail enables S/MIME if there are certificates for the user in the shared vault. If there are no certificates in the shared vault, the user is prompted to import the certificates. In both of those scenarios, users must configure certificates from a supported digital identity provider app before creating an account in Secure Mail.

If Off, Secure Mail does not enable S/MIME and the user can enable it in the Secure Mail settings. Default value is Off.

Initial Authentication Mechanism

This policy indicates whether the Address field on the first-time-use provisioning screen is populated with the mail server address provided by MDX or with the user's email address.

Default value is Use MDX provided mail server address.

Initial Authentication Credentials

This policy defines which value is used as the user name on the initial first-time-use provisioning screen.

Default value is User Principal Name.

Web/Audio Conference Type

Controls which meeting types users can configure when setting up a meeting. If GoToMeeting and User Entered, users are able to select GoToMeeting or Other Conference when tapping the ‘Web & Audio’ section of the Create or Edit Event screen. Other Conference allows the user to enter conference details manually. If UserEntered Only, users are taken directly to the Other Conference screen. Default value is GoToMeeting and User Entered.

S/MIME Public Certificate Source

LDAP Server Address

LDAP server address including port number. Default value is empty.

LDAP Base DN

LDAP Base distinguished name. Default value is empty.

Access LDAP Anonymously

If this policy is On, Secure Mail can search LDAP without prior authentication. Default value is Off.

If On, LDAP authenticates by using the Active Directory user name and password only. There is no support for certificate-based authentication and other authentication modes.

Override Native Contacts Check

If On, the app syncs contacts to the device even if the native Contacts app is configured with an Exchange or Hotmail account.

If Off, the app continues to block contacts sync. Default value is On.

Allowed Email Domains

Adding an email domain to this list allows users to configure an account from that domain. All other domains are blocked. The default is empty, meaning Secure Mail does not block any domains.

To allow Secure Mail to filter out prohibited domains, add the allowed domains to the list. Secure Mail then compares the domain of the user's email address with the allowed list. For instance, if you list server.company.com as an allowed domain name and the user's email address is user@internal.server.company.com, Secure Mail supports the email address. In that example, Secure Mail does not support any email address with a domain name outside server.company.com.

In the policy settings, you add the allowed domains in comma-separated format, such as server.company.com, server.company.co.uk.
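The following is an added example (not Citrix code) that models the Allowed Email Domains check as documented above: an empty list blocks nothing, and an address is accepted when its domain equals a listed domain or is a subdomain of it. Case-insensitive comparison and the rejection of addresses without an @ are assumptions.

```python
"""Allowed Email Domains check, modelled on the Secure Mail policy text.

Added example, not Citrix code. Assumptions: domains compare
case-insensitively and an address with no "@" is never allowed.
"""
from typing import List, Optional


def parse_allowed_domains(policy_value: str) -> List[str]:
    """Split the comma-separated policy value, dropping blanks and case."""
    return [d.strip().lower() for d in policy_value.split(",") if d.strip()]


def email_domain(address: str) -> Optional[str]:
    """Return the domain part of an address, or None if it has none."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def is_allowed(address: str, policy_value: str) -> bool:
    """True if an account for this address may be configured under the policy."""
    allowed = parse_allowed_domains(policy_value)
    if not allowed:
        return True  # empty policy: Secure Mail blocks no domain
    domain = email_domain(address)
    if domain is None:
        return False
    for entry in allowed:
        # Exact match or a subdomain. The boundary must be a dot, so that
        # "notserver.company.com" is not mistaken for "server.company.com".
        if domain == entry or domain.endswith("." + entry):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy value and addresses.
    policy = "server.company.com, server.company.co.uk"
    for addr in ("user@internal.server.company.com", "user@notserver.company.com"):
        print(addr, "->", "allowed" if is_allowed(addr, policy) else "blocked")
```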

Secure Notes App Settings

Secure Notes storage options

Allows you to set storage options for notes that users create when using Secure Notes. If ShareFile and Exchange Server, the user can choose the storage option for notes. If ShareFile only, notes are stored in ShareFile. If Exchange only, notes are stored in Exchange Server. Default value is ShareFile and Exchange Server.

Secure Notes Exchange Server

Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.

Secure Notes user domain

Default Active Directory domain name for Exchange users. Default value is empty.

Background network services

The FQDN and port of service addresses permitted for background network access. This address might be an Exchange Server or ActiveSync server in your internal network or another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the Network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates

If On, Secure Notes accepts all SSL certificates (valid or not) and allows access. If Off, Secure Notes blocks access when a certificate error occurs and displays a warning. Default value is Off.

Usage analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Tasks App Settings

You can configure the following policies for Secure Tasks on iOS devices:

Secure Tasks Exchange Server

Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.

Secure Tasks user domain

Default Active Directory domain name for Exchange users. Default value is empty.

Background network services

Comma-separated list of service addresses and ports that are permitted for background network access. Each service is of the form fqdn:port. Default value is empty, implying background network services are not available.

Background services ticket expiration

Time period that a background network service ticket remains valid. After expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services in the form fqdn:port. Default value is empty, implying that there is no alternate gateway.

Accept all SSL certificates

If On, Secure Tasks accepts all SSL certificates (valid or not) and allows access. If Off, Secure Tasks blocks access when a certificate error occurs and displays a warning. Default value is Off.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Secure Web App Settings

Allowed or blocked websites

Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. A plus (+) or minus (-) precedes each pattern in the list. The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action taken as follows:

  • A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address cannot be resolved.
  • A plus (+) prefix allows the URL to be processed normally.
  • If + or - is not provided with the pattern, + (allow) is assumed.
  • If the URL does not match any pattern in the list, the URL is allowed.

To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:

  • The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within the mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
  • The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any sites in the training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, and Hotmail, regardless of protocol.

Default value is empty (all URLs allowed).
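The following is an added example (not Citrix code) that implements the matching rules described for this policy: ordered comma-separated patterns, a + or - prefix (no prefix meaning allow), * as a wildcard, first match wins, and no match meaning allow. Case-insensitive matching is an assumption; the two policy values from the text are used as sample input.

```python
"""Allowed or blocked websites matcher, modelled on the Secure Web policy text.

Added example, not Citrix code. Assumption: patterns and URLs are
compared case-insensitively; '*' is the only wildcard character.
"""
import re
from typing import List, Tuple

Rule = Tuple[bool, "re.Pattern"]  # (allow?, compiled pattern)


def compile_policy(policy_value: str) -> List[Rule]:
    """Turn the comma-separated policy value into an ordered rule list."""
    rules: List[Rule] = []
    for raw in policy_value.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        allow = True  # no prefix: + (allow) is assumed
        if pattern[0] in "+-":
            allow = pattern[0] == "+"
            pattern = pattern[1:]
        # Escape every literal piece, then let each '*' match anything.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        rules.append((allow, re.compile(rf"^{regex}$", re.IGNORECASE)))
    return rules


def is_url_allowed(url: str, rules: List[Rule]) -> bool:
    """Apply the rules in order; the first matching pattern decides."""
    for allow, regex in rules:
        if regex.match(url):
            return allow
    return True  # no pattern matched: the URL is allowed


def evaluate(url: str, policy_value: str) -> bool:
    """Convenience wrapper: compile the policy and test one URL."""
    return is_url_allowed(url, compile_policy(policy_value))


if __name__ == "__main__":
    # Constructed sample URLs checked against the first policy value from the text.
    policy = "+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*"
    for url in ("http://www.mycorp.com/index.html", "http://www.example.com/",
                "https://www.example.com/", "gopher://host/"):
        print(url, "->", "allowed" if evaluate(url, policy) else "blocked")
```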

Preloaded bookmarks

Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list that includes folder name, friendly name, and web address. Each triplet is of the form folder,name,url where folder and name may optionally be enclosed in double quotes (“).

For example, the policy values ,"Mycorp, Inc. home page",http://www.mycorp.com, "MyCorp Links",Account logon,https://www.mycorp.com/Accounts, "MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx define three bookmarks. The first is a primary link (no folder name) titled “Mycorp, Inc. home page”. The second link is placed in a folder titled “MyCorp Links” and labeled “Account logon”. The third is placed in the “Investor Relations” subfolder of the “MyCorp Links” folder and displayed as “Contact us”.

Default value is empty.

Home page URL

Defines the website that Secure Web loads when started. Default value is empty (default start page).

Browser user interface

Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.

Options:

  • All controls visible. All controls are visible and users are not restricted from using them.
  • Read-only address bar. All controls are visible, but users cannot edit the browser address field.
  • Hide address bar. Hides the address bar, but not other controls.
  • Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.

Enable web password caching

When Secure Web users enter credentials while accessing or requesting a web resource, this policy determines whether Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs, not to passwords entered in web forms.

If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache passwords and removes existing cached passwords. Default value is Off.

This policy is enabled only when you also set the Preferred VPN policy to Full VPN tunnel for this app.

Google analytics

If Complete, Citrix collects identifiable data about your company to improve product quality. If Anonymous, only anonymous data is collected. Default value is Complete.

Enable iOS data protection

Note:

This policy is intended for enterprises that must meet Australian Signals Directorate (ASD) computer security requirements.

Enables iOS data protection when working with files. If On, specifies the file-protection level when creating and opening files in the app sandbox. Default value is Off.

iOS 9 security restrictions

Note:

This policy is only enforced on iOS 9.

If On, disables downloading files and offline pages. Also disables cookie caching and HTML5 local storage. Default value is Off.

Secure Web domains

The Secure Web domains policy controls which domains are sent to the Secure Web browser instead of the native browser. A comma-separated list of URL host domains is matched against the hostname portion of any URL the application would normally send to an external handler. Typically, admins configure this policy as a list of internal domains for Secure Web to handle. If the policy is left blank, all web traffic not explicitly excluded from filtering or otherwise redirected by Intent/URL filter logic is sent to Secure Web.

Exclude URL filter for domains

The ExcludeUrlFilterForDomains policy is a comma-separated list of website domains excluded from URL filtering. URLs including any domain in the list are sent to the user’s native browser instead of Secure Web. If the policy is empty, all URLs are passed through the URL filters. This policy takes priority over the SecureWebDomains policy. The default policy value is empty.

ShareFile Secure Client App Settings

Enable secure viewer

If On, the client uses a secure viewer instead of the iOS Quick Look preview feature. The MDX-based secure viewer ensures that cut, copy, and paste operations occur only between MDX-wrapped apps. If Off, the secure viewer is not used. Default is On.