MAM SDK policies for third-party apps for iOS

This article describes the MAM SDK policies for third-party iOS apps. You can change policy settings directly in the policy XML files or in the Citrix Endpoint Management console when you add an app.

App Network Access

Network access

Note:

Tunneled - Web SSO is the name for the Secure Browse in the settings. The behavior is the same.

The settings options are as follows:

  • Blocked: Networking APIs used by your app fails. Per the previous guideline, you should gracefully handle such a failure.
  • Unrestricted: All network calls go directly and are not tunneled.
  • Tunneled - Web SSO: The HTTP/HTTPS URL is rewritten. This option allows only the tunneling of HTTP and HTTPS traffic. A significant advantage of Tunneled - Web SSO is single sign-on (SSO) for HTTP and HTTPS traffic and also PKINIT authentication. On Android, this option has low setup overhead and is thus the preferred option for web browsing types of operations.

Authentication

App passcode

If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Note:

If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Maximum offline period (hours)

Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from Citrix Endpoint Management. At expiration, log on to the server may be triggered if needed. Default value is 168 hours (7 days). Minimum period is 1 hour.

App logs

Default log output

Determines which output media are used by mobile productivity app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level

Controls default verbosity of the mobile productivity app diagnostic logging facility. Each level includes levels of lesser values. Range of possible levels includes:

  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default value is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size

Limits the size in megabytes (MB) of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

Obscure the URLs in logs

If On, intercepts and redirects system or console logs from an app to the Mobile Productivity Apps diagnostic facility. If Off, app use of system or console logs is not intercepted.

Default value is On.

Block app logs

If On, prohibits an app from using the mobile productivity app diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub email support feature. Default value is Off.

App interaction

Cut and Copy

Blocks, permits, or restricts Clipboard cut and copy operations for this app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to apps. Default value is Restricted.

Paste

Blocks, permits, or restricts Clipboard paste operations for this app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to apps. Default value is Unrestricted.

Document exchange (Open In)

Blocks, permits, or restricts document exchange operations for this app. If Restricted, documents can be exchanged only with other apps.

If Unrestricted, set the Enable encryption policy to On so that users can open documents in unwrapped apps. If the receiving app is unwrapped or has encryption disabled, Citrix Endpoint Management decrypts the document. Default value is Restricted.

Restricted Open-In exception list

When the Document exchange (Open In) policy is Restricted, an app can share documents with this comma-delimited list of unmanaged app IDs, even if the Document exchange(Open In) policy is Restricted and Enable encryption is On. The default exception list allows Office 365 apps:

com.microsoft.Office.Word,com.microsoft.Office.Excel,com.microsoft.Office.Powerpoint, com.microsoft.onenote,com.microsoft.onenoteiPad,com.microsoft.Office.Outlook

Only Office 365 apps are supported for this policy.

Caution:

Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the MAM SDK environment.

Inbound document exchange (Open In)

Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other apps. Default value is Unrestricted.

If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app.

Note:

The Inbound Document Exchange Whitelist policy only supports devices running on iOS 12.

Options: Unrestricted, Blocked, or Restricted

App URL schemes

iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as “http://”). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the schemes that are passed into this app for handling (that is, inbound URLs). Default value is empty, meaning that all registered app URL schemes are blocked.

The policy should be formatted as a comma-separated list of patterns in which each pattern may be preceded by a plus “+” or minus “-“. Inbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the action taken is dictated by the prefix.

  • A minus “-“ prefix blocks the URL from being passed into this app.
  • A plus “+” prefix permits the URL to be passed into the app for handling.
  • If neither “+” or “-“ is provided with the pattern, “+” (allow) is assumed.
  • If an inbound URL does not match any pattern in the list, the URL is blocked.

The following table contains examples of App URL schemes:

Scheme App that requires the URL scheme Purpose
ctxmobilebrowser Secure Web- Permit Secure Web to handle HTTP: URLs from other apps.-
ctxmobilebrowsers Secure Web- Permit Secure Web to handle HTTPS: URLs from other apps.
ctxmail Secure Mail- Permit Secure Mail to handle mailto: URLs from other apps.
COL-G2M GoToMeeting- Permit a wrapped GoToMeeting app to handle meeting requests.
ctxsalesforce Citrix for Salesforce- Permit Citrix for Salesforce to handle Salesforce requests.
wbx WebEx Permit a wrapped WebEx app to handle meeting requests.

App interaction (outbound URL)

Allowed URLs

iOS apps can dispatch URL requests to other applications that have been registered to handle specific schemes (such as "http://"). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the URLs that are passed from this app to other apps for handling (that is, outbound URLs).

The policy should be formatted as a comma-separated list of patterns in which each pattern may be preceded by a plus “+” or minus “-“. Outbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the action taken is dictated by the prefix. A minus “-“ prefix blocks the URL from being passed out to another app. A plus “+’ prefix permits the URL to be passed out to another app for handling. If neither “+” or minus “-“ is provided with the pattern, “+” (allow) is assumed. A pair of valus separated by “=” indicates a substitution where occurrences of the first string are replaced with the second. You can use regular-expression “^” prefix to search string to anchor it to the beginning of the URL. If an outbound URL does not match any pattern in the list, it is blocked.

Compliance

Device passcode

If On, a PIN or passcode is required to unlock the device when it starts or resumes after a period of inactivity. A device passcode is required to encrypt app data using Apple file encryption. Data for all apps on the device are encrypted. Default value is Off.

Block jailbroken or rooted

If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Non-compliant device behavior

Allows you to choose an action when a device does not adhere to the minimum compliance requirements of encryption. Select Allow app for the app to run normally. Select Allow app after warning for the app to run after the warning appears. Select Block to block the app from running. Default value is Allow app after warning.

Erase app data on lock

Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • App subscription removed
  • Account removed
  • Secure Hub uninstalled
  • Too many app authentication failures
  • Jailbroken device detected (per policy setting)
  • Device placed in locked state by other administrative action

Active poll period (minutes)

When an app starts, the MAM SDK Framework polls Citrix Endpoint Management to determine current app and device status. Assuming the server running Endpoint Management can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes (1 hour).

Important:

Only set this value lower for high-risk apps or performance may be affected.

App update grace period (hours)

Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is 168 hours (7 days).

Note:

Using a value of zero is not recommended since it immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This might lead to a situation where the user is forced to exit the app (potentially losing work) to comply with the required update.

App Restrictions

Important:

Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera

If On, prevents an app from directly using the camera hardware. Default value is OFF.

Block Photo Library

If On, prevents an app from accessing the Photo Library on the device. Default value is On.

Block mic record

If On, prevents an app from directly using the microphone hardware. Default value is On.

Block dictation

If On, prevents an app from directly using dictation services. Default value is On.

Block location services

If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail.

Block SMS compose

If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block iCloud

If On, prevents an app from using iCloud for the storing and sharing of settings and data.

Note:

iCloud data file is controlled by the Block file backup policy.

Default value is On.

Block look up

If On, prevents an app from using the Look Up feature, which searches for highlighted text in the Dictionary, iTunes, the App Store, movie showtimes, nearby locations and more. Default value is On.

Block file backup

If On, prevents data files from being backed up by iCloud or iTunes. Default value is On.

Block AirPrint

If On, prevents an app from using AirPrint features for printing data to AirPrint-enabled printers. Default value is On.

Block AirDrop

If On, prevents an app from using AirDrop. Default value is On.

Block Facebook and Twitter APIs

If On, prevents an app from using the iOS Facebook and Twitter APIs. Default value is On.

Obscure screen contents

If On, when users switch apps, the screen is obscured. This policy prevents iOS from recording screen contents and displaying thumbnails. Default value is On.

Block 3rd party keyboards (iOS 11 and later only)

If On, prevents an app from using third-party keyboard extensions on iOS 8+. Default value is On.

App geofence

Center point longitude

Longitude (X coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

Should be expressed in signed degrees format (DDD.dddd), for example “-31.9635”. West longitudes should be prefaced with a minus sign. Default value is 0.

Center point latitude

Latitude (Y coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

Should be expressed in signed degreed format (DDD.dddd), for example “43.06581”. Southern latitudes should be prefaced with a minus sign. Default value is 0.

Radius

Radius of the geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

Should be expressed in meters. When set to zero, the geofence is disabled. When the Block location serviced policy is enabled, geofencing does not work properly. Default is 0 (disabled).

MAM SDK policies for third-party apps for iOS