MAM SDK

MDX third-party app policies at a glance

March 4, 2024

Contributed by:

This article describes the third-party MDX app policies for iOS and Android. The MDX Toolkit does not support Windows. The notes include restrictions and Citrix recommendations. To see which policies the Android for Work container supports, see the related section in Android for Work.

For policies for the Citrix mobile productivity apps, see MDX policies for mobile productivity apps at a glance.

Note:

Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication

Device passcode

iOS: Yes
Android: No
Default setting: Off

App passcode

iOS: Yes
Android: Yes
Default setting: On

Online session required

iOS: Yes
Android: No
Default setting: Off

Maximum offline period

iOS: Yes
Android: Yes
Default setting: 168 hours (7 days)

Alternate NetScaler Gateway

iOS: Yes
Android: Yes
Default setting: Empty

Device security

Block jailbroken or rooted

iOS: Yes
Android: Yes
Default setting: On

Require device lock

iOS: No
Android: Yes
Default setting: Off

Network requirements

Require Wi-Fi

iOS: Yes
Android: Yes
Default setting: Off

Allowed Wi-Fi Networks

iOS: Yes
Android: Yes
Default setting: Empty

Miscellaneous access

App update grace period (hours)

iOS: Yes
Android: Yes
Default setting: 168 hours (7 days)

Note:

Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.

Erase app data on lock

iOS: Yes
Android: Yes
Default setting: Off

Active poll period (minutes)

iOS: Yes
Android: Yes
Default setting: 60 minutes (1 hour)

Note:

Only set this value lower than the default for high-risk apps, or performance may be affected.

Encryption

Encryption type

iOS: Yes
Android: Yes
Default setting: MDX encryption

Caution:

For newly added apps, when you change from Platform encryption with compliance enforcement to MDX encryption, you are forced to remove and reinstall the app. The default setting for newly added apps is Platform encryption with compliance enforcement.

Non-compliant device behavior

iOS: Yes
Android: Yes
Default setting: Allow app after warning

Enable MDX encryption

iOS: Yes
Android: No
Default setting: On

Caution:

If you change this policy after deploying an app, users must reinstall the app.

Encryption keys

iOS: No
Android: Yes
Default setting: Offline access permitted is the only available option.

MDX Private file encryption

iOS: No
Android: Yes
Default setting: SecurityGroup

Private file encryption exclusions

iOS: No
Android: Yes
Default setting: Empty

Access limits for public files

iOS: No
Android: Yes
Default setting: Empty

Database encryption exclusions

iOS: Yes
Android: No
Default setting: Empty

MDX Public file encryption

iOS: No
Android: Yes
Default setting: SecurityGroup

Public file encryption exclusions

iOS: No
Android: Yes
Default setting: Empty

Public file migration

iOS: No
Android: Yes
Default setting: Write(WO/RW)

File encryption exclusions

iOS: Yes
Android: No
Default setting: Empty

Security group

iOS: Yes
Android: Yes
Default setting: Empty

Caution:

To apply this policy to an existing app, users must delete and reinstall the app.

App interaction

Cut and copy

iOS: Yes
Android: Yes
Default setting: Restricted

Paste

iOS: Yes
Android: Yes
Default setting: Unrestricted

Document exchange (Open in)

iOS: Yes
Android: Yes
Default setting: Restricted

Restricted Open In exception list

iOS: Yes
Android: Yes
Default setting: Empty (for Android); Office 365 apps (for iOS)

Caution:

Consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the secure MDX environment.

Inbound document exchange (Open In)

iOS: Yes
Android: Yes
Default setting: Unrestricted (for Android and iOS); All (for Android for Work)

App URL schemes

iOS: Yes
Android: No
Default setting: All registered app URL schemes are blocked.

URL domains excluded from filtering

iOS: Yes
Android: Yes
Default setting: Empty

Allowed URLs

iOS: Yes
Android: No
Default setting: +maps.apple.com +itunes.apple.com ^http:=ctxmobilebrowser: ^https:=ctxmobilebrowsers: ^mailto:=ctxmail: +^citrixreceiver: +^telprompt: +^tel: +^col-g2m-2: +^col-g2w-2: +^maps:ios_addr +^mapitem:

Allowed Secure Web domains

iOS: Yes
Android: Yes
Default setting: Empty

App restrictions

Block camera

iOS: Yes
Android: Yes
Default setting: On

Block gallery

iOS: No
Android: Yes
Default setting: Off

Block Photo Library

iOS: Yes
Android: No
Default setting: On

Block mic record

iOS: Yes
Android: Yes
Default setting: On

Block dictation

iOS: Yes
Android: No
Default setting: On

Block location services

iOS: Yes
Android: Yes
Default setting: On

Block SMS compose

iOS: Yes
Android: Yes
Default setting: On

Block screen capture

iOS: No
Android: Yes
Default setting: On

Block device sensor

iOS: No
Android: Yes
Default setting: On

Block NFC

iOS: No
Android: Yes
Default setting: On

Block iCloud

iOS: Yes
Android: No
Default setting: On

Block Look Up

iOS: Yes
Android: No
Default setting: On

Block file backup

iOS: Yes
Android: No
Default setting: On

Block AirPrint

iOS: Yes
Android: No
Default setting: On

Block printing

iOS: No
Android: Yes
Default setting: On

Block AirDrop

iOS: Yes
Android: No
Default setting: On

Block Facebook and Twitter APIs

iOS: Yes
Android: No
Default setting: On

Obscure screen contents

iOS: Yes
Android: No
Default setting: On

Block third-party keyboards

iOS: Yes
Android: No
Default setting: On

Block app logs

iOS: Yes
Android: Yes
Default setting: Off

App network access

Network access

iOS: Yes
Android: Yes
Default setting: For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.

micro VPN session required

iOS: Yes
Android: Yes
Default setting: No

micro VPN session required grace period (minutes)

iOS: Yes
Android: Yes
Default setting: 0 (no grace period)

Certificate label

iOS: Yes
Android: Yes
Default setting: Empty

Exclusion List

iOS: Yes
Android: Yes
Default setting: Empty

Block localhost connections

iOS: No
Android: Yes
Default setting: Off

App logs

Default log output

iOS: Yes
Android: Yes
Default setting: File

Default log level

iOS: Yes
Android: Yes
Default setting: 4 (informational messages)

Max log files

iOS: Yes
Android: Yes
Default setting: 2

Max log file size

iOS: Yes
Android: Yes
Default setting: 2 MB

Redirect system logs

iOS: Yes
Android: No
Default setting: On

App geofence

Center point longitude

iOS: Yes
Android: Yes
Default setting: 0

Center point latitude

iOS: Yes
Android: Yes
Default setting: 0

Radius

iOS: Yes
Android: Yes
Default setting: 0 (disabled)

Note:

Set the radius in meters. When set to zero, the geofence is disabled.

Analytics

Google Analytics level of detail

iOS: Yes
Android: Yes
Default setting: Complete

Reporting

Citrix reporting

iOS: Yes
Android: No
Default setting: Off

Note:

Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.

Upload token

iOS: Yes
Android: No
Default setting: Empty

Send reports over WiFi only

iOS: Yes
Android: No
Default setting: On

Reporting file cache maximum

iOS: Yes
Android: No
Default setting: 2 MB

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

MDX third-party app policies at a glance

March 4, 2024

Contributed by:

March 4, 2024

Contributed by: