Encryption management

This feature helps you transition to platform-based encryption and add compliance checking before each app launch. We recommend platform-based encryption because Android and iOS have their own device-level encryption. In addition, MDX encryption reaches end of life (EOL) in September 2020. You must test and plan for migration off MDX encryption by July 2020.

Encryption management lets you use modern device platform security while ensuring the device remains in a sufficient state to use platform security effectively. A set of security criteria is identified that a device must adhere to, to be considered compliant for encryption management. With these criteria, you can then identify non-compliant devices and restrict access to apps on devices that are non-compliant.

By using encryption management, you eliminate local data encryption redundancy because file system encryption is provided by the Android and iOS platforms. Encryption management also improves performance (avoiding double encryption) and application compatibility with MDX.


To help get started, run a new report in Citrix Endpoint Management to list the non-compliant devices are in your organization. This report helps determine the impact of turning on compliance enforcement. To access the report, open the Endpoint Management console and navigate to Analyze > Reports > Non-Compliant Devices and generate the report. The Non-Compliant Devices report is available in environments running Citrix Endpoint Management version or later.

Encryption type

To use the encryption management feature, in the Endpoint Management console, set the Encryption type MDX policy to Platform encryption with compliance enforcement. This setting enables encryption management. All existing encrypted application data on users’ devices seamlessly transitions to a state that is encrypted by the device and not by MDX. During this transition, the app is paused for a one-time data migration. Upon successful migration, responsibility for encryption of locally stored data is transferred from MDX to the device platform. MDX continues to check compliance of the device upon each app launch. This feature works in both MDM + MAM and MAM-only environments.

When you set the Encryption type policy to Platform encryption with compliance enforcement, the new policy supersedes your existing MDX Encryption.

For details about the encryption management MDX policies, see the Encryption section in:

Non-compliant device behavior

When a device falls below the minimum compliance requirements, the Non-compliant device behavior MDX policy allows you to select the action to take:

  • Allow app – Allow the app to run normally.
  • Allow app after warning – Warn the user that an app does not meet the minimum compliance requirements and allows the app to run. This is the default value.
  • Block app – Block the app from running.

The following criteria determine whether a device meets the minimum compliance requirements.

Devices running iOS:

  • iOS 10: An app is running operation system version that is greater than or equal to the specified version.
  • Debugger access: An app does not have debugging enabled.
  • Jailbroken device: An app is not running on a jailbroken device.
  • Device passcode: Device passcode is ON.
  • Data sharing: Data sharing is not enabled for the app.

Devices running Android:

  • Android SDK 24 (Android 7 Nougat): An app is running operation system version that is greater than or equal to the specified version.
  • Debugger Access: An app does not have debugging enabled.
  • Rooted devices: An app is not running on a rooted device.
  • Device lock: Device passcode is ON.
  • Device encrypted: An app is running on an encrypted device.

Encryption management