Encryption management

This feature helps you transition to platform-based encryption and add compliance checking before each app launch. We recommend platform-based encryption because Android and iOS have their own device-level encryption. In addition, MDX encryption reaches end of life (EOL) on September 1, 2020. Plan for migration off MDX encryption before the end of July 2020. If you don’t move to platform encryption before iOS 14 or Android 11, you must redeploy and reinstall apps for them to work.

Encryption management lets you use modern device platform security while ensuring the device remains in a sufficient state to use platform security effectively. Identify a set of security criteria that a device must adhere to, to be considered compliant for encryption management. With these criteria, you can then identify non-compliant devices and restrict access to apps on those devices.

By using encryption management, you eliminate local data encryption redundancy because file system encryption is provided by the Android and iOS platforms. Encryption management also improves performance (avoiding double encryption) and application compatibility with MDX.


To help get started, run a new report in Citrix Endpoint Management to list the non-compliant devices in your organization. This report helps determine the impact of turning on compliance enforcement. To access the report, open the Endpoint Management console and navigate to Analyze > Reports > Non-Compliant Devices and generate the report. The Non-Compliant Devices report is available in environments running Citrix Endpoint Management and XenMobile Server version 10.11 and later.

Encryption type

Setting the Encryption type to Platform encryption with compliance enforcement enables encryption management and supersedes MDX encryption. You must manually set the Encryption type policy only for existing apps. Any new apps you deploy default to platform encryption.

We recommend against toggling the Enable MDX encryption setting for iOS after the migration to platform encryption. Doing so forces the app to reinstall. No other MDX policy for iOS is affected.

For Android, we recommend against toggling MDX Private file encryption and MDX Public file encryption settings, which includes the SecurityGroup default setting. Doing so forces the app to reinstall. No other MDX policy for Android is affected.

When switching from MDX encryption to platform encryption, all existing encrypted application data on user devices seamlessly transitions to device encryption rather than MDX. During this transition, the app pauses for a one-time data migration. Upon successful migration, responsibility for encryption of locally stored data transfers from MDX to the device platform. MDX continues to check compliance of the device upon each app launch. This feature works for devices enrolled in MDM + MAM and MAM.

For details about the encryption management MDX policies, see the Encryption section in:

Non-compliant device behavior

When a device falls below the minimum compliance requirements, the Non-compliant device behavior MDX policy allows you to select the action to take:

  • Allow app: Allow the app to run normally.
  • Allow app after warning: Warn the user that an app does not meet the minimum compliance requirements and allows the app to run. This setting is the default value.
  • Block app: Block the app from running.

The following criteria determine whether a device meets the minimum compliance requirements.

Devices running iOS:

  • iOS 10: An app is running an operating system version that is greater than or equal to the specified version.
  • Debugger access: An app does not have debugging enabled.
  • Jailbroken device: An app is not running on a jailbroken device.
  • Device passcode: Device passcode is ON.
  • Data sharing: Data sharing is not enabled for the app.

Devices running Android:

  • Android SDK 24 (Android 7 Nougat): An app is running an operating system version that is greater than or equal to the specified version.
  • Debugger Access: An app does not have debugging enabled.
  • Rooted devices: An app is not running on a rooted device.
  • Device lock: Device passcode is ON.
  • Device encrypted: An app is running on an encrypted device.
Encryption management