MDX third-party app policies at a glance

This article describes the third-party MDX app policies for iOS and Android. The MDX Toolkit does not support Windows. The notes include restrictions and Citrix recommendations. To see which policies the Android for Work container supports, see the related section in Android for Work.

For policies for the Citrix mobile productivity apps, see MDX policies for mobile productivity apps at a glance.

Note:

Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication

Device passcode

  • iOS: Yes
  • Android: No
  • Default setting: Off

    Note:

    This policy only applied to iOS 9 devices, which Citrix no longer supports.

App passcode

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Online session required

  • iOS: Yes
  • Android: No
  • Default setting: Off

Maximum offline period

  • iOS: Yes
  • Android: Yes
  • Default setting: 168 hours (7 days)

Alternate NetScaler Gateway

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Device security

Block jailbroken or rooted

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Require device lock

  • iOS: No
  • Android: Yes
  • Default setting: Off

Network requirements

Require Wi-Fi

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Allowed Wi-Fi Networks

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Miscellaneous access

App update grace period (hours)

  • iOS: Yes
  • Android: Yes
  • Default setting: 168 hours (7 days)

    Note:

    Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. As a result, users may be forced to exit the app and potentially lose work.

Erase app data on lock

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Active poll period (minutes)

  • iOS: Yes
  • Android: Yes
  • Default setting: 60 minutes (1 hour)

    Note:

    Set this value lower than the default only for high-risk apps, because a lower value may affect performance.

Encryption

Enable encryption

  • iOS: Yes
  • Android: No
  • Default setting: On

    Caution:

    If you change this policy after deploying an app, users must reinstall the app.

Encryption keys

  • iOS: No
  • Android: Yes
  • Default setting: Offline access permitted is the only available option.

Private file encryption

  • iOS: No
  • Android: Yes
  • Default setting: SecurityGroup

Private file encryption exclusions

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Access limits for public files

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Database encryption exclusions

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Public file encryption

  • iOS: No
  • Android: Yes
  • Default setting: SecurityGroup

Public file encryption exclusions

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Public file migration

  • iOS: No
  • Android: Yes
  • Default setting: Write(WO/RW)

File encryption exclusions

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Security group

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

    Caution:

    To apply this policy to an existing app, users must delete and reinstall the app.

App interaction

Cut and copy

  • iOS: Yes
  • Android: Yes
  • Default setting: Restricted

Paste

  • iOS: Yes
  • Android: Yes
  • Default setting: Unrestricted

Document exchange (Open in)

  • iOS: Yes
  • Android: Yes
  • Default setting: Restricted

Restricted Open In exception list

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty (for Android); Office 365 apps (for iOS)

    Caution:

    Consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the secure MDX environment.

Inbound document exchange (Open In)

  • iOS: Yes
  • Android: Yes
  • Default setting: Unrestricted (for Android and iOS); All (for Android for Work)

App URL schemes

  • iOS: Yes
  • Android: No
  • Default setting: All registered app URL schemes are blocked.

URL domains excluded from filtering

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Allowed URLs

  • iOS: Yes
  • Android: No
  • Default setting: +maps.apple.com +itunes.apple.com ^http:=ctxmobilebrowser: ^https:=ctxmobilebrowsers: ^mailto:=ctxmail: +^citrixreceiver: +^telprompt: +^tel: +^col-g2m-2: +^col-g2w-2: +^maps:ios_addr +^mapitem:

Allowed Secure Web domains

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

App restrictions

Block camera

  • iOS: Yes
  • Android: Yes
  • Default setting: On
  • iOS: No
  • Android: Yes
  • Default setting: Off

Block Photo Library

  • iOS: Yes
  • Android: No
  • Default setting: On

Block mic record

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Block dictation

  • iOS: Yes
  • Android: No
  • Default setting: On

Block location services

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Block SMS compose

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Block screen capture

  • iOS: No
  • Android: Yes
  • Default setting: On

Block device sensor

  • iOS: No
  • Android: Yes
  • Default setting: On

Block NFC

  • iOS: No
  • Android: Yes
  • Default setting: On

Block iCloud

  • iOS: Yes
  • Android: No
  • Default setting: On

Block Look Up

  • iOS: Yes
  • Android: No
  • Default setting: On

Block file backup

  • iOS: Yes
  • Android: No
  • Default setting: On

Block AirPrint

  • iOS: Yes
  • Android: No
  • Default setting: On

Block printing

  • iOS: No
  • Android: Yes
  • Default setting: On

Block AirDrop

  • iOS: Yes
  • Android: No
  • Default setting: On

Block Facebook and Twitter APIs

  • iOS: Yes
  • Android: No
  • Default setting: On

Obscure screen contents

  • iOS: Yes
  • Android: No
  • Default setting: On

Block third-party keyboards

  • iOS: Yes
  • Android: No
  • Default setting: On

Block app logs

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

App network access

Network access

  • iOS: Yes
  • Android: Yes
  • Default setting: For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.

micro VPN session required

  • iOS: Yes
  • Android: Yes
  • Default setting: No

micro VPN session required grace period (minutes)

  • iOS: Yes
  • Android: Yes
  • Default setting: 0 (no grace period)

Certificate label

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Exclusion List

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Block localhost connections

  • iOS: No
  • Android: Yes
  • Default setting: Off

App logs

Default log output

  • iOS: Yes
  • Android: Yes
  • Default setting: File

Default log level

  • iOS: Yes
  • Android: Yes
  • Default setting: 4 (informational messages)

Max log files

  • iOS: Yes
  • Android: Yes
  • Default setting: 2

Max log file size

  • iOS: Yes
  • Android: Yes
  • Default setting: 2 MB

Redirect system logs

  • iOS: Yes
  • Android: No
  • Default setting: On

App geofence

Center point longitude

  • iOS: Yes
  • Android: Yes
  • Default setting: 0

Center point latitude

  • iOS: Yes
  • Android: Yes
  • Default setting: 0

Radius

  • iOS: Yes
  • Android: Yes
  • Default setting: 0 (disabled)

    Note:

    Set the radius in meters. When set to zero, the geofence is disabled.

Analytics

Google Analytics level of detail

  • iOS: Yes
  • Android: Yes
  • Default setting: Complete

Reporting

Citrix reporting

  • iOS: Yes
  • Android: No
  • Default setting: Off

    Note:

    Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.

Upload token

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Send reports over WiFi only

  • iOS: Yes
  • Android: No
  • Default setting: On

Reporting file cache maximum

  • iOS: Yes
  • Android: No
  • Default setting: 2 MB