What’s new

What’s new in the current release

MAM SDK 22.10

  • A new version of the MAM SDK is available for Android SDK 31 (Java, Cordova, and Xamarin). The MAM SDK is available for Android 10.x, 11.x, 12.x, and 13.x.

  • As a reminder, the MDX Toolkit reaches end of life (EOL) in July 2023, which was announced previously in Deprecations and removals. As of that time, you can’t wrap apps using this method anymore. To continue managing your enterprise applications, you must incorporate the MAM SDK.

MDX Toolkit 21.8.5

  • The MDX Toolkit reaches end of life (EOL) in July 2023 as announced previously in Deprecations and removals. As of that time, you can’t wrap apps using this method anymore. To continue managing your enterprise applications, you must incorporate the MAM SDK.

    For more information about the MAM SDK, see MAM SDK overview.

    The following MAM SDKs are available for download at Citrix downloads and GitHub:

    • MAM SDK version 21.9.0 for iOS Native (Supporting iOS 15)
    • MAM SDK version 21.7.0 for Xamarin iOS [Tech preview]
    • MAM SDK version 21.7.0 for Cordova iOS [Tech preview].
  • Support for iOS 15.

  • Support for Android 12.

MDX Toolkit 21.6.0

  • Citrix started supporting WKWebView for mobile productivity apps as of version 20.11.x, after Apple ended support for apps using UIWebView. If the iOS apps that you are wrapping using the MDX Toolkit have upgraded to WKWebView, then you must use the following Network Access policy options:

    • Blocked
    • Unrestricted
    • Tunneled - Web SSO

What’s new in earlier releases

MDX Toolkit 21.3.0

This MDX Toolkit version contains fixes. For details, see Fixed issues.

MDX Toolkit 20.10.5

This MDX Toolkit version contains fixes. For details, see Fixed issues.

MDX Toolkit 20.8.5

This MDX Toolkit version contains fixes. For details, see Fixed issues.

MDX Toolkit versions 19.9.5 to 20.7.0

These MDX Toolkit versions contain fixes. For details, see Fixed issues.

MDX Toolkit 19.9.0

This release supports iOS 13. Note the following policy change: The Allowed Wi-Fi network MDX policy is not supported on devices running iOS 13 or later.

MDX Toolkit 19.8.0

This release supports Android Q.

MDX Toolkit 19.6.5

Encryption management. Encryption management allows you to use modern device platform security while also ensuring the device remains in a sufficient state to use platform security effectively. A set of security criteria is identified that a device must adhere to, be considered compliant for encryption management. You are then able to identify non-compliant devices, and restrict access to apps on devices that are non-compliant with these criteria.

By using encryption management, you eliminate local data encryption redundancy since file system encryption is provided by the Android and iOS platforms. Encryption management also improves performance (avoiding double encryption) and application compatibility with MDX.


To help get started, run a new report in Citrix Endpoint Management to list the non-compliant devices are in your organization. This report helps determine the impact of turning on compliance enforcement. To access the report, open the Endpoint Management console and navigate to Analyze > Reports > Non-Compliant Devices and generate the report. The Non-Compliant Devices report is available in environments running Citrix Endpoint Management version or later.

Encryption type

To use the encryption management feature, in the Endpoint Management console, set the Encryption type MDX policy to Platform encryption with compliance enforcement. This enables encryption management and all the existing encrypted application data on users’ devices seamlessly transition to a state that is encrypted by the device and not by MDX. During this transition, the app is paused for a one-time data migration. Upon successful migration, responsibility for encryption of locally stored data is transferred from MDX to the device platform. MDX continues to check compliance of the device upon each app launch. This feature works in both MDM + MAM and MAM-only environments.

When you set the Encryption type policy to Platform encryption with compliance enforcement, the new policy supersedes your existing MDX Encryption.

For details about the encryption management MDX policies, see the Encryption section in:

Non-compliant device behavior

When a device falls below the minimum compliance requirements, the Non-compliant device behavior MDX policy allows you to select what action is taken:

  • Allow app – Allow the app to run normally.
  • Allow app after warning – Warn the user that an app does not meet the minimum compliance requirements and allows the app to run. This is the default value.
  • Block app – Block the app from running.

The following criteria determine whether a device meets the minimum compliance requirements.

Devices running iOS:

  • iOS 10: An app is running operation system version that is greater than or equal to the specified version.
  • Debugger access: An app does not have debugging enabled.
  • Jailbroken device: An app is not running on a jailbroken device.
  • Device passcode: Device passcode is ON.
  • Data sharing: Data sharing is not enabled for the app.

Devices running Android:

  • Android SDK 24 (Android 7 Nougat): An app is running operation system version that is greater than or equal to the specified version.
  • Debugger Access: An app does not have debugging enabled.
  • Rooted devices: An app is not running on a rooted device.
  • Device lock: Device passcode is ON.
  • Device encrypted: An app is running on an encrypted device.

Support for WkWebView. This release includes support for WkWebView. WKWebView is an Apple framework that displays web content and has performance and security improvements over the previously used UIWebView framework. The iOS apps that you build using the WKWebView framework allow traffic to go through micro VPN (also referred to as SSL VPN) when using the Tunneled – Web SSO policy. To use this feature, no setup configuration is required.


If you are already using the Full VPN tunnel, you can either continue using the UIWebView framework, or switch to using the Secure Browse mode (recommended).


WkWebView is not supported in the following scenarios:

  • Devices running iOS 10 or earlier.
  • Setups running Endpoint Management integration with EMS/Intune.
  • Apps that use two instances of the WKWebView component simultaneously.
  • Setups configured for Full VPN Mode.

Support for 64-bit apps for Google Play. Beginning on August 1, 2019, Google Play requires that apps support 64-bit architectures. This version of the MDX Toolkit supports the wrapping of 64-bit versions of apps. To assess if your app is prepared for 64-bit devices and for instructions on building apps with 64-bit libraries, see the Google Developers documentation on Google Play.

Updated crypto libraries. The MDX Toolkit 19.6.5 includes updated crypto libraries. These libraries are updated periodically to keep up with the latest security trends and to help fix security vulnerabilities. We also deprecated older ciphers. This update improves security because the update enforces the environment to use the latest and most secure ciphers. Not updating the ciphers, however, may result in an error when users update to apps that you wrap with the MDX Toolkit 19.6.5.

If you’re a Citrix Gateway customer and plan to allow SSL VPN through your iOS and Android third-party apps, confirm that you’ve completed the following steps.

  • On the Citrix Gateway, add the following cipher suite value in the SSL Ciphers option: - ECDHE-RSA-AES256-GCM-SHA384. For steps to add Secure Cipher, see Secure cipher alias.
  • Enable elliptical curve cryptography (ECC). For details, see ECDSA cipher suites support.

Support for Chrome 74 for devices running Android. This release includes micro VPN support on devices running Android that have upgraded to Chrome version 74.

Support for Apktool version 2.4. This release includes support for apps using Apktool version 2.4.

MDX Toolkit 19.3.5

The MDX Toolkit version 19.3.5 contains fixes. For details, see Fixed issues.

MDX Toolkit 18.12.0

Network policy behavior. New policies replace the previous network policies in order to unify functionality and make the policies more intuitive. See the following table for more information about the changes.

Legacy policies Intune Policy New policy Notes
Network access, Preferred VPN mode, and Permit VPN mode switching Enable http/https redirection (with SSO), Disable mVPN full tunnel (TCP level) redirection Network Access  
Split tunnel exclusion list mVPN tunnel exclusion list Exclusion list  
Online session required mVPN session required micro VPN session required If Endpoint Management MAM, a corresponding grace period policy controls how long users have to reestablish a VPN session. Intune MAM does not support a grace period.

For the new Network Access and micro VPN Session Required policies, we encourage you to select a new value. By default, Use Previous Settings is selected, which uses the values you had set in the earlier policies. Once changed, you shouldn’t revert to Use Previous Settings. If you are publishing a new app, do not select Use Previous Settings. Also note that changes to the new policies do not take effect until the user upgrades the app to 18.12.0.

For newly uploaded apps, the defaults are as follows:

  • Network access: Blocked for all apps except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.
  • Exclusion list: Empty
  • micro VPN session required: No

    Note for customers upgrading to 18.12.0:

    The Network access policy defaults to your previous VPN setting and requires no action. If you change the access type, that change doesn’t go into effect until you upgrade your apps to 18.12.0.

For details, see the App Network Access section in:

MDX Toolkit 10.8.60

MDX supports Android P. You can now wrap apps for Android P.

MDX is now available in Polish.

MDX Toolkit 10.8.35

Changes to the Exclusion policy. On Android devices, non-MDX apps can now receive decrypted copies of files encrypted within MDX apps. When the Document Exchange (Open In) policy is set to Restricted, apps listed in the Restricted Open-In exception list policy can receive files that have been encrypted in MDX apps. When receiving files, the content of those files is decrypted to local storage and is deleted from local storage upon closing the file. For example, adding {package=com.microsoft.office.word} to the Document Exchange (Open In) Policy enables the Word application to receive decrypted files from an MDX application.

MDX Toolkit 10.7.20

Control Net Promoter Score survey: A new policy for Citrix Files apps, Allow NPS Citrix Files, allows you to occasionally display a Net Promoter Score survey to users for feedback. The default value is Off.

Do not tunnel endpoints policy: Some service endpoints that Citrix Endpoint Management SDKs and apps use for various features need to be excluded from micro VPN tunneling. MDX does this by default, but it is possible to override this list by setting a client property on the Citrix Endpoint Management server. For details about configuring client properties in the Citrix Endpoint Management console, see Client properties. For details about overriding the service endpoint list, see TUNNEL_EXCLUDE_DOMAINS. The default list of domains that are excluded from tunneling by default are as follows.

  • ssl.google-analytics.com
  • app.launchdarkly.com
  • mobile.launchdarkly.com
  • events.launchdarkly.com
  • stream.launchdarkly.com
  • clientstream.launchdarkly.com
  • firehose.launchdarkly.com
  • hockeyapp.net
  • rttf.citrix.com
  • rttf-test.citrix.com
  • rttf-staging.citrix.com
  • cis.citrix.com
  • cis-test.citrix.com
  • cis-staging.citrix.com
  • pushreg.xm.citrix.com
  • crashlytics.com
  • fabric.io

New policies to control opening URLs from Secure Mail in the native browser: The SecureWebDomains policy controls which domains are sent to the Secure Web browser instead of the native browser. A list of comma-separated URL host domains is matched against the host name portion of any URL the application would normally send to an external handler. Typically, administrators configure this policy as a list of internal domains for Secure Web to handle.

This feature is available iOS and Android. An earlier known issue for the policy on Android devices was fixed in version 10.6.25.

The ExcludeUrlFilterForDomains policy is a comma-separated list of website domains excluded from URL filtering. URLs including any domain in the list get sent to the user’s native browser instead of Secure Web. If the policy is empty, then all URLs are passed through the URL filters. This policy takes priority over the SecureWebDomains policy. The default policy value is empty.

MDX support for crash reporting to the Citrix Insight Service (CIS): If Citrix Reporting policies are On and a crash happens, MDX creates a report bundle with any logs and crash reports available and uploads it to CIS. It then deletes the support bundle and notifies the related Mobile productivity app of the crash so that it creates a support bundle as well.

MDX Toolkit 10.7.10

The MDX Toolkit 10.7.10 is the final release that supports the wrapping of mobile productivity apps. Users access mobile productivity apps versions 10.7.5 and later from the public app stores. For table listing the mobile productivity apps enterprise versions that you can wrap with the MDX Toolkit 10.7.10, see the Enterprise delivery of mobile productivity apps section in Mobile productivity apps administration and delivery.

The MDX Toolkit version 10.7.10 contains fixes. For details, see Fixed issues.

MDX Toolkit 10.7.5

The MDX Toolkit version 10.7.5 contains fixes. For details, see Fixed issues.

What’s new