MDX policies for third-party apps for Android

This article describes the MDX policies for Android third-party apps. You can change policy settings in the Citrix Endpoint Management console.

Authentication

App passcode

If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Note:

If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Maximum offline period (hours)

Defines the maximum period an app can run offline without a network logon for the purpose of reconfirming entitlement and refreshing policies. Default value is 168 hours (7 days). Minimum period is 1 hour.

The user is reminded to log on at 30, 15, and 5 minutes before the period expires; after expiration, the app remains locked until the user completes a successful network logon.

Alternate Citrix Gateway

Note:

This policy name in the Endpoint Management console is Alternate NetScaler Gateway.

Address of a specific alternate Citrix Gateway (formerly, NetScaler Gateway) that is used for authentication and for micro VPN sessions with this app. This policy is optional; when used in conjunction with the Online session required policy, it forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the server’s default is always used. Default value is empty.

Device Security

Block jailbroken or rooted

If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Require device lock

If Device PIN or passcode, the app is locked if the device does not have a PIN or passcode. If Device pattern screen lock, the app is locked if the device does not have a pattern screen lock set. If Off, the app is allowed to run even if the device does not have a PIN, passcode, or pattern screen lock set. Default value is Off.

Device PIN or passcode requires a minimum version of Android 4.1 (Jelly Bean). Setting the policy to Device PIN or passcode prevents an app from running on older versions.

On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.

Network Requirements

Require Wi-Fi

If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Allowed Wi-Fi Networks

Comma-delimited list of allowed Wi-Fi networks. If the network name contains any non-alphanumeric characters (including commas), the name must be enclosed in double-quotes. App will run only if connected to one of the networks listed. If left blank, all networks are allowed. This does not affect connections to cellular networks. Default value is blank.
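The following is an added example, not code from the Citrix page or the MDX framework: a parser for the Allowed Wi-Fi Networks value that enforces the quoting rule above (names with commas or other non-alphanumeric characters must be in double quotes) and a check of whether a given SSID permits the app to run. The sample policy values are constructed; the framework's own parser may differ.

```python
# Constructed sample values for the Allowed Wi-Fi Networks policy.
VALID_POLICY = '"Corp, Secure",Guest5G,"Lab-Net"'
INVALID_POLICY = 'Corp Secure,Guest5G'   # space in an unquoted name

def parse_allowed_wifi(value: str) -> list:
    """Tokenize the comma-delimited list of network names.

    A name containing any non-alphanumeric character (including commas)
    must be enclosed in double quotes; an unquoted name is accepted only
    when it is purely alphanumeric. Raises ValueError otherwise.
    Assumption: a literal double quote cannot occur inside a quoted name.
    """
    names, i, n = [], 0, len(value)
    while i < n:
        if value[i] == '"':
            end = value.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quoted network name")
            names.append(value[i + 1:end])
            i = end + 1
            if i < n and value[i] != ",":
                raise ValueError("expected a comma after a quoted name")
            i += 1
        else:
            end = value.find(",", i)
            end = n if end == -1 else end
            token = value[i:end]
            if not token.isalnum():
                raise ValueError(f"unquoted name {token!r} must be alphanumeric")
            names.append(token)
            i = end + 1
    return names

def policy_error(value: str):
    """Return None if the policy value is well formed, else the error text."""
    try:
        parse_allowed_wifi(value)
        return None
    except ValueError as exc:
        return str(exc)

def wifi_permits_app(connected_ssid, policy_value: str) -> bool:
    """Decide whether the app may run on the current connection.

    A blank policy allows every network. connected_ssid None models a
    cellular connection, which this policy does not restrict (Require
    Wi-Fi is the policy that does).
    """
    if connected_ssid is None or not policy_value.strip():
        return True
    return connected_ssid in parse_allowed_wifi(policy_value)
```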

Miscellaneous Access

App update grace period (hours)

Defines the grace period in which an app can be used after the system discovers that an app update is available. Default value is 168 hours (7 days).

Note:

Using a value of zero is not recommended since it immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This could lead to a situation where the user running the app is forced to exit the app (potentially losing work) in order to comply with the required update.

Erase app data on lock

Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • App subscription removed
  • Account removed
  • Secure Hub uninstalled
  • Too many app authentication failures
  • Jailbroken device detected (per policy setting)
  • Device placed in locked state by other administrative action

Active poll period (minutes)

When an app starts, the MDX framework polls Citrix Endpoint Management to determine current app and device status. Assuming the server running Endpoint Management can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes (1 hour).

Important:

Only set this value lower for high-risk apps or performance may be affected.

Encryption

Encryption type

Allows you to choose whether the encryption of data is handled either by MDX or the device platform. If you select MDX encryption, then MDX encrypts the data. If you select Platform encryption with compliance enforcement, then the device platform encrypts the data. Default value is MDX encryption.

Non-compliant device behavior

Allows you to choose an action when a device does not adhere to the minimum compliance requirements of encryption. Select Allow app for the app to run normally. Select Allow app after warning for the app to run after the warning appears. Select Block to block the app from running. Default value is Allow app after warning.

Encryption keys

Enables secrets used to derive encryption keys to be persisted on the device. Offline access permitted is the only available option.

Citrix recommends that you set the Authentication policy to enable a network logon or an offline password challenge to protect access to the encrypted content.

MDX Private file encryption

Controls the encryption of private data files in the following locations: /data/data/<appname> and /mnt/sdcard/Android/data/<appname>.

The Disabled option means private files are not encrypted. The SecurityGroup option encrypts private files using a key shared by all MDX apps in the same security group. The Application option encrypts private files using a key unique to this app. Default value is SecurityGroup.

Private file encryption exclusions

Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are excluded from encryption. The file paths are relative to the internal and external sandboxes. Default value is empty.

The exclusions only apply to the following folders:

  • Internal Storage:

    /data/data/<your_package_name>

  • SD Card:

    /storage/emulated/<SD Card Slot>/Android/data/<your_package_name>

    /storage/emulated/legacy/Android/data/<your_package_name>

Examples

Each entry gives the file to exclude, followed by the value to enter in Private file encryption exclusions:

  • /data/data/com.citrix.mail/files/a.txt: ^files/a.txt
  • All text files in /storage/emulated/0/Android/data/com.citrix.mail/files: ^files/(.)+.txt$
  • All files in /data/data/com.citrix.mail/files: ^files/

MDX Public file encryption

Controls the encryption of public files. If Disabled, public files are not encrypted. If SecurityGroup, encrypts public files by using a key shared by all MDX apps in the same security group. If Application, encrypts public files by using a key unique to this app.

Default value is SecurityGroup.

Public file encryption exclusions

Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are not encrypted. The file paths are relative to the default external storage and to any device-specific external storage.

Public file encryption exclusions include external folder locations only.

Examples

Each entry gives the file to exclude, followed by the value to enter in Public file encryption exclusions:

  • Downloads folder on SD card: Download
  • All MP3 files in Music folder: ^Music/(.)+.mp3$
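The following is an added example, not code from the Citrix page or the MDX framework. It applies the private and public exclusion regexes from the two tables above to sandbox-relative paths and shows which files would stay in plaintext. It assumes the framework matches each entry as an unanchored regular-expression search and that commas only separate entries; the sample paths and the tightened pattern are constructed to show why an unescaped dot in a pattern excludes more files than intended.

```python
import re

# Constructed policy values built from the regexes in the two tables above.
PRIVATE_EXCLUSIONS = "^files/a.txt,^files/(.)+.txt$"
PUBLIC_EXCLUSIONS = "Download,^Music/(.)+.mp3$"
# A tighter replacement for the text-file pattern: the dot before "txt" is
# escaped, so a file such as files/report_txt is no longer left unencrypted.
TIGHT_TXT_PATTERN = r"^files/.+\.txt$"

def parse_exclusions(value: str) -> list:
    """Split the comma-separated policy value into compiled regexes.
    Assumption: commas only separate entries and never occur inside one."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]

def is_excluded(rel_path: str, patterns) -> bool:
    """True if the sandbox-relative path matches any exclusion pattern.
    Assumption: each pattern is applied as an unanchored search, so an
    entry without ^ or $ (such as "Download") matches anywhere in the path."""
    return any(p.search(rel_path) for p in patterns)

def classify(rel_paths, value: str) -> dict:
    """Map each path to 'plaintext' (excluded) or 'encrypted'."""
    pats = parse_exclusions(value)
    return {p: ("plaintext" if is_excluded(p, pats) else "encrypted")
            for p in rel_paths}

if __name__ == "__main__":
    sample = ["files/a.txt", "files/report.txt", "files/report_txt",
              "files/notes.db", "cache/x.txt"]
    for path, state in classify(sample, PRIVATE_EXCLUSIONS).items():
        print(f"{path:<20} {state}")
```

Review the result for any entry that lacks anchors or escaping: "Download" without ^ also excludes a folder named MyDownloads, and "(.)+.txt$" excludes files/report_txt.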

Public file migration

This policy is enforced only when you enable the Public file encryption policy (changed from Disabled to SecurityGroup or Application). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted. Default value is Write (RO/RW).

Options:

  • Disabled. Does not encrypt existing files.
  • Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.

Notes:

  • New files, and existing unencrypted files that are overwritten, are encrypted in every case.
  • Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

Security Group

Leave this field blank if you want all mobile apps managed by Citrix Endpoint Management to exchange information with one another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or Human Resources).

Caution:

If you change this policy for an existing app, users must delete and reinstall the app to apply the policy change.

Allowed Secure Web domains

This policy is only in effect for the domains not excluded by URL filtering policy. Add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that are redirected to the Secure Web app when Document Exchange is Restricted.

If this policy contains any entries, only those URLs with host fields matching at least one item in the list (via DNS suffix match) will be redirected to the Secure Web app when Document Exchange is Restricted.

All other URLs will be sent to the default Android web browser (bypassing the Document Exchange Restricted policy). Default value is empty.

App Interaction

Cut and Copy

Blocks, permits, or restricts clipboard cut and copy operations for this app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.

Paste

Blocks, permits, or restricts clipboard paste operations for the app. If Restricted, the pasted clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.

Document exchange (Open In)

Blocks, permits, or restricts document exchange operations for the app. If Restricted, documents can be exchanged only with other MDX apps and the app exceptions specified in the Restricted Open-In exception list policy. If Unrestricted, set the Private file encryption and Public file encryption policies to Disabled so that users can open documents in unwrapped apps. Default value is Restricted.

Restricted Open-In exception list

When the Document exchange (Open In) policy is Restricted, this list of Android intents is allowed to pass to unmanaged apps. A familiarity with Android intents is needed to add filters to the list. A filter can specify action, package, scheme, or any combination.

Examples

{action=android.intent.action.MAIN}
{package=com.sharefile.mobile}
{action=android.intent.action.DIAL scheme=tel}
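The following is an added example, not code from the Citrix page or the MDX framework. It parses the three example filters above and decides whether an outbound document exchange may reach an unmanaged app under each setting of the Document exchange (Open In) policy. It assumes that the fields inside one filter are combined with AND (the page says a filter may combine action, package, or scheme but not how they combine) and that the exception list is consulted only when the policy is Restricted; the intents are constructed.

```python
import re

# Constructed policy value: the three filters from the examples above.
EXCEPTION_LIST = """
{action=android.intent.action.MAIN}
{package=com.sharefile.mobile}
{action=android.intent.action.DIAL scheme=tel}
"""

def parse_exception_list(value: str) -> list:
    """Turn each {key=value ...} entry into a dict of filter fields."""
    filters = []
    for body in re.findall(r"\{([^}]*)\}", value):
        fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
        if fields:
            filters.append(fields)
    return filters

def filter_matches(flt: dict, intent: dict) -> bool:
    """A filter matches when every field it specifies equals the intent's.
    Assumption: fields within one filter are ANDed, so a filter that names
    only an action matches that action for any package or scheme."""
    return all(intent.get(k) == v for k, v in flt.items())

def open_in_allowed(policy: str, intent: dict, target_is_mdx: bool,
                    exceptions: str) -> bool:
    """Decide whether the exchange may proceed under the Open In policy.

    Unrestricted allows everything; Blocked allows nothing; Restricted
    allows other MDX apps plus any intent matched by the exception list.
    """
    if policy == "Unrestricted":
        return True
    if policy == "Blocked":
        return False
    if policy != "Restricted":
        raise ValueError(f"unknown policy value {policy!r}")
    if target_is_mdx:
        return True
    return any(filter_matches(f, intent)
               for f in parse_exception_list(exceptions))

def leaky_filters(exceptions: str) -> list:
    """Filters that name no package: they admit any unmanaged app that
    handles the action or scheme, which is the risk the Caution describes."""
    return [f for f in parse_exception_list(exceptions) if "package" not in f]
```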

Caution:

Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the MDX environment.

Inbound document exchange (Open In)

Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.

If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app. For information about other policy interactions, see the Block Gallery policy.

Options: Unrestricted, Blocked, or Restricted

App Restrictions

Important:

Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera

If On, prevents an app from directly using the camera hardware. Default value is On.

Block Gallery

If On, prevents an app from accessing the Gallery on the device. Default value is Off. This policy works in conjunction with the policy Inbound document exchange (Open In).

  • If Inbound document exchange (Open In) is set to Restricted, users working in the managed app cannot attach images from the Gallery, regardless of the Block Gallery setting.
  • If Inbound document exchange (Open In) is set to Unrestricted, users working in the managed app experience the following:
    • Users can attach images if Block Gallery is set to Off.
    • Users are blocked from attaching images if Block Gallery is On.

Block mic record

If On, prevents an app from directly using the microphone hardware. Default value is On.

Block location services

If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail.

Block SMS compose

If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block screen capture

If On, prevents users from taking screen captures while the app is running. Also, when the user switches apps, obscures the app screen. Default value is On.

When using the Android Near Field Communication (NFC) feature, some apps take a screen shot of themselves before beaming the content. To enable that feature in a wrapped app, change the Block screen capture policy to Off.

Block device sensor

If On, prevents an app from using the device sensors (such as accelerometer, motion sensor, and gyroscope). Default value is On.

Block NFC

If On, prevents an app from using the Near Field Communications (NFC). Default value is On.

Block app logs

If On, prohibits an app from using the mobile productivity app diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub email support feature. Default value is Off.

Block printing

If On, prevents an app from printing data. If an app has a Share command, you must set Document Exchange (Open in) to Restricted or Blocked to block printing fully. Default value is On.

App Network Access

Network access

Note:

Tunneled - Web SSO is the name used in the settings for Secure Browse. The behavior is the same.

The settings options are as follows:

  • Use Previous Settings: Defaults to the values you had set in the earlier policies. If you change this option, you shouldn’t revert to this option. Also note that changes to the new policies do not take effect until the user upgrades the app to version 18.12.0 or later.
  • Blocked: Networking APIs used by your app will fail. Per the previous guideline, you should gracefully handle such a failure.
  • Unrestricted: All network calls go directly and are not tunneled.
  • Tunneled - Full VPN: All traffic from the managed app tunnels through Citrix Gateway.
  • Tunneled - Web SSO: The HTTP/HTTPS URL is rewritten. This option allows only the tunneling of HTTP and HTTPS traffic. A significant advantage of Tunneled - Web SSO is single sign-on (SSO) for HTTP and HTTPS traffic and also PKINIT authentication. On Android, this option has low setup overhead and is thus the preferred option for web browsing types of operations.

If one of the Tunneled modes is selected, a per-app VPN tunnel in this initial mode is created back to the enterprise network, and Citrix Gateway split tunnel settings are used. Citrix recommends Tunneled - Full VPN for connections that employ client certificates or end-to-end SSL to a resource in the enterprise network. Citrix recommends Tunneled - Web SSO for connections that require single sign-on (SSO).

micro VPN session required

If Yes, the user must have a connection to the enterprise network and an active session. If No, an active session is not required. Default value is Use Previous Setting. For newly uploaded apps, the default value is No. Whichever setting was selected prior to the upgrade to this policy remains in effect until an option other than Use Previous Setting is selected.

micro VPN session required grace period (minutes)

Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is 168 hours (7 days).

Note:

Using a value of zero is not recommended since it immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This could lead to a situation where the user running the app is forced to exit the app (potentially losing work) in order to comply with the required update.

Certificate label

When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).

Exclusion List

Comma-delimited list of FQDNs or DNS suffixes to be accessed directly instead of through a VPN connection. This only applies to the Tunneled - Web SSO mode when Citrix Gateway is configured with Split tunnel reverse mode.

Block localhost connections

If On, apps are not permitted to make localhost connections. Localhost is an address (such as 127.0.0.1 or ::1) for communications occurring locally on the device. The localhost bypasses the local network interface hardware and accesses network services running on the host. If Off, this policy overrides the Network Access policy, meaning that apps can connect outside the secure container if the device is running a proxy server locally. Default is Off.

App Logs

Default log output

Determines which output mediums are used by Citrix Endpoint Management app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level

Controls default verbosity of the mobile productivity app diagnostic logging facility. Higher-level numbers include more detailed logging.

  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default value is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size

Limits the size in megabytes (MB) of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

App Geofence

Center point longitude

Longitude (X coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. Should be expressed in signed degrees format (DDD.dddd), for example “-31.9635”. West longitudes should be prefaced with a minus sign. Default value is 0.

Center point latitude

Latitude (Y coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

Should be expressed in signed degrees format (DDD.dddd), for example “43.06581”. Southern latitudes should be prefaced with a minus sign. Default value is 0.

Radius

Radius of the geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. Should be expressed in meters. When set to zero, the geofence is disabled. Default is 0 (disabled).

Analytics

Google Analytics level of detail

Citrix collects analytics data to improve product quality. Selecting Anonymous opts you out of including company identifiable information.