MDX third-party app policies at a glance
This article describes the third-party MDX app policies for iOS and Android. The MDX Toolkit does not support Windows. The notes include restrictions and Citrix recommendations. To see which policies the Android for Work container supports, see the related section in Android for Work.
For policies for the Citrix mobile productivity apps, see MDX policies for mobile productivity apps at a glance.
Note:
Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.
Authentication
Device passcode
- iOS: Yes
- Android: No
- Default setting: Off
App passcode
- iOS: Yes
- Android: Yes
- Default setting: On
Online session required
- iOS: Yes
- Android: No
- Default setting: Off
Maximum offline period
- iOS: Yes
- Android: Yes
- Default setting: 168 hours (7 days)
Alternate NetScaler Gateway
- iOS: Yes
- Android: Yes
- Default setting: Empty
Device security
Block jailbroken or rooted
- iOS: Yes
- Android: Yes
- Default setting: On
Require device lock
- iOS: No
- Android: Yes
- Default setting: Off
Network requirements
Require Wi-Fi
- iOS: Yes
- Android: Yes
- Default setting: Off
Allowed Wi-Fi Networks
- iOS: Yes
- Android: Yes
- Default setting: Empty
Miscellaneous access
App update grace period (hours)
- iOS: Yes
- Android: Yes
- Default setting: 168 hours (7 days)
Note:
Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.
Erase app data on lock
- iOS: Yes
- Android: Yes
- Default setting: Off
Active poll period (minutes)
- iOS: Yes
- Android: Yes
- Default setting: 60 minutes (1 hour)
Note:
Only set this value lower than the default for high-risk apps, or performance may be affected.
Encryption
Encryption type
- iOS: Yes
- Android: Yes
- Default setting: MDX encryption
Caution:
For newly added apps, when you change from Platform encryption with compliance enforcement to MDX encryption, you are forced to remove and reinstall the app. The default setting for newly added apps is Platform encryption with compliance enforcement.
Non-compliant device behavior
- iOS: Yes
- Android: Yes
- Default setting: Allow app after warning
Enable MDX encryption
- iOS: Yes
- Android: No
- Default setting: On
Caution:
If you change this policy after deploying an app, users must reinstall the app.
Encryption keys
- iOS: No
- Android: Yes
- Default setting: Offline access permitted is the only available option.
MDX Private file encryption
- iOS: No
- Android: Yes
- Default setting: SecurityGroup
Private file encryption exclusions
- iOS: No
- Android: Yes
- Default setting: Empty
Access limits for public files
- iOS: No
- Android: Yes
- Default setting: Empty
Database encryption exclusions
- iOS: Yes
- Android: No
- Default setting: Empty
MDX Public file encryption
- iOS: No
- Android: Yes
- Default setting: SecurityGroup
Public file encryption exclusions
- iOS: No
- Android: Yes
- Default setting: Empty
Public file migration
- iOS: No
- Android: Yes
- Default setting: Write(WO/RW)
File encryption exclusions
- iOS: Yes
- Android: No
- Default setting: Empty
Security group
- iOS: Yes
- Android: Yes
- Default setting: Empty
Caution:
To apply this policy to an existing app, users must delete and reinstall the app.
App interaction
Cut and copy
- iOS: Yes
- Android: Yes
- Default setting: Restricted
Paste
- iOS: Yes
- Android: Yes
- Default setting: Unrestricted
Document exchange (Open in)
- iOS: Yes
- Android: Yes
- Default setting: Restricted
Restricted Open In exception list
- iOS: Yes
- Android: Yes
- Default setting: Empty (for Android); Office 365 apps (for iOS)
Caution:
Consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the secure MDX environment.
Inbound document exchange (Open In)
- iOS: Yes
- Android: Yes
- Default setting: Unrestricted (for Android and iOS); All (for Android for Work)
App URL schemes
- iOS: Yes
- Android: No
- Default setting: All registered app URL schemes are blocked.
URL domains excluded from filtering
- iOS: Yes
- Android: Yes
- Default setting: Empty
Allowed URLs
- iOS: Yes
- Android: No
- Default setting: +maps.apple.com +itunes.apple.com ^http:=ctxmobilebrowser: ^https:=ctxmobilebrowsers: ^mailto:=ctxmail: +^citrixreceiver: +^telprompt: +^tel: +^col-g2m-2: +^col-g2w-2: +^maps:ios_addr +^mapitem:
Allowed Secure Web domains
- iOS: Yes
- Android: Yes
- Default setting: Empty
App restrictions
Block camera
- iOS: Yes
- Android: Yes
- Default setting: On
Block gallery
- iOS: No
- Android: Yes
- Default setting: Off
Block Photo Library
- iOS: Yes
- Android: No
- Default setting: On
Block mic record
- iOS: Yes
- Android: Yes
- Default setting: On
Block dictation
- iOS: Yes
- Android: No
- Default setting: On
Block location services
- iOS: Yes
- Android: Yes
- Default setting: On
Block SMS compose
- iOS: Yes
- Android: Yes
- Default setting: On
Block screen capture
- iOS: No
- Android: Yes
- Default setting: On
Block device sensor
- iOS: No
- Android: Yes
- Default setting: On
Block NFC
- iOS: No
- Android: Yes
- Default setting: On
Block iCloud
- iOS: Yes
- Android: No
- Default setting: On
Block Look Up
- iOS: Yes
- Android: No
- Default setting: On
Block file backup
- iOS: Yes
- Android: No
- Default setting: On
Block AirPrint
- iOS: Yes
- Android: No
- Default setting: On
Block printing
- iOS: No
- Android: Yes
- Default setting: On
Block AirDrop
- iOS: Yes
- Android: No
- Default setting: On
Block Facebook and Twitter APIs
- iOS: Yes
- Android: No
- Default setting: On
Obscure screen contents
- iOS: Yes
- Android: No
- Default setting: On
Block third-party keyboards
- iOS: Yes
- Android: No
- Default setting: On
Block app logs
- iOS: Yes
- Android: Yes
- Default setting: Off
App network access
Network access
- iOS: Yes
- Android: Yes
- Default setting: For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.
micro VPN session required
- iOS: Yes
- Android: Yes
- Default setting: No
micro VPN session required grace period (minutes)
- iOS: Yes
- Android: Yes
- Default setting: 0 (no grace period)
Certificate label
- iOS: Yes
- Android: Yes
- Default setting: Empty
Exclusion List
- iOS: Yes
- Android: Yes
- Default setting: Empty
Block localhost connections
- iOS: No
- Android: Yes
- Default setting: Off
App logs
Default log output
- iOS: Yes
- Android: Yes
- Default setting: File
Default log level
- iOS: Yes
- Android: Yes
- Default setting: 4 (informational messages)
Max log files
- iOS: Yes
- Android: Yes
- Default setting: 2
Max log file size
- iOS: Yes
- Android: Yes
- Default setting: 2 MB
Redirect system logs
- iOS: Yes
- Android: No
- Default setting: On
App geofence
Center point longitude
- iOS: Yes
- Android: Yes
- Default setting: 0
Center point latitude
- iOS: Yes
- Android: Yes
- Default setting: 0
Radius
- iOS: Yes
- Android: Yes
- Default setting: 0 (disabled)
Note:
Set the radius in meters. When set to zero, the geofence is disabled.
Analytics
Google Analytics level of detail
- iOS: Yes
- Android: Yes
- Default setting: Complete
Reporting
Citrix reporting
- iOS: Yes
- Android: No
- Default setting: Off
Note:
Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.
Upload token
- iOS: Yes
- Android: No
- Default setting: Empty
Send reports over WiFi only
- iOS: Yes
- Android: No
- Default setting: On
Reporting file cache maximum
- iOS: Yes
- Android: No
- Default setting: 2 MB