Administrator tasks and considerations

MDX policies for mobile productivity apps for Android

This article describes the MDX policies for Android apps. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.

The following list does not include MDX policies specific to Secure Web. For details about the policies that appear for Secure Web, see Secure Web policies.

Authentication

App passcode

If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Note:

If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Maximum offline period (hours)

Defines the maximum period an app can run offline without a network logon for reconfirming entitlement and refreshing policies. Default value is 168 hours (7 days). The minimum period is 1 hour.

The user is reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app remains locked until the user completes a successful network logon.

Alternate Citrix Gateway

Note:

This policy name in the Endpoint Management console is Alternate NetScaler Gateway.

Address of a specific alternate Citrix Gateway (formerly, NetScaler Gateway) that is used for authentication and for micro VPN sessions with this app. Alternate Citrix Gateway is an optional policy; when used with the Online session required policy, it forces apps to reauthenticate to the specified gateway. Such gateways typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the server's default is always used. Default value is empty.

Device Security

Block jailbroken or rooted

If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Require device encryption

If On, the app is locked if the device does not have encryption configured. If Off, the app is allowed to run even if the device does not have encryption configured. Default value is Off.

Note:

This policy requires Android 3.0 (Honeycomb) or later. Setting the policy to On prevents an app from running on older versions.

Require device lock

If Device PIN or passcode is selected, the app is locked if the device does not have a PIN or passcode. If Device pattern screen lock is selected, the app is locked if the device does not have a pattern screen lock set. If Off, the app is allowed to run even if the device does not have a PIN, passcode, or pattern screen lock set. Default value is Off.

Device PIN or passcode requires a minimum version of Android 4.1 (Jelly Bean). Setting the policy to Device PIN or passcode prevents an app from running on older versions.

On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.

Network Requirements

Require Wi-Fi

If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Allowed Wi-Fi Networks

Comma-delimited list of allowed Wi-Fi networks. If the network name contains any non-alphanumeric characters (including commas), the name must be enclosed in double quotes. The app runs only if connected to one of the networks listed. If left blank, all networks are allowed. This value does not affect connections to cellular networks. Default value is blank.

Miscellaneous Access

App update grace period (hours)

Defines the grace period in which an app can be used after the system discovers that an app update is available. Default value is 168 hours (7 days).

Note:

Using zero is not recommended since it immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This value can lead to a situation where the user running the app is forced to exit the app (potentially losing work) to comply with the required update.

Disable required upgrade

Disables the requirement that users upgrade to the newest version of the app in the App store. Default value is On.

Erase app data on lock

Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • App subscription removed
  • Account removed
  • Secure Hub uninstalled
  • Too many app authentication failures
  • Jailbroken device detected (per policy setting)
  • Device placed in locked state by other administrative action

Active poll period (minutes)

When an app starts, the MDX framework polls Citrix Endpoint Management to determine current app and device status. Assuming the server running Endpoint Management can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes (1 hour).

Important:

Set this value lower only for high-risk apps; otherwise, performance might be affected.

Encryption

Encryption type

Allows you to choose whether MDX or the device platform handles the encryption of data. If you select MDX encryption, then MDX encrypts the data. If you select Platform encryption with compliance enforcement, then the device platform encrypts the data. Default value is MDX encryption.

Non-compliant device behavior

Allows you to choose an action when a device does not adhere to the minimum compliance requirements of encryption. Select Allow app for the app to run normally. Select Allow app after warning for the app to run after the warning appears. Select Block to block the app from running. Default value is Allow app after warning.

Encryption keys

Enables secrets used to derive encryption keys to be persisted on the device. Offline access permitted is the only available option.

Citrix recommends that you set the Authentication policy to enable a network logon or an offline password challenge to protect access to the encrypted content.

Private file encryption

Controls the encryption of private data files in the following locations: /data/data/<appname> and /mnt/sdcard/Android/data/<appname>.

The Disabled option means private files are not encrypted. The SecurityGroup option encrypts private files using a key shared by all MDX apps in the same security group. The Application option encrypts private files using a key unique to this app. Default value is SecurityGroup.

Private file encryption exclusions

Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are excluded from encryption. The file paths are relative to the internal and external sandboxes. Default value is empty.

The exclusions only apply to the following folders:

  • Internal Storage:

    /data/data/<your_package_name>

  • SD Card:

    /storage/emulated/<SD Card Slot>/Android/data/<your_package_name>

    /storage/emulated/legacy/Android/data/<your_package_name>

Examples

  • File to exclude: /data/data/com.citrix.mail/files/a.txt
    Value in Private file encryption exclusions: ^files/a.txt
  • File to exclude: all text files in /storage/emulated/0/Android/data/com.citrix.mail/files
    Value in Private file encryption exclusions: ^files/(.)+.txt$
  • File to exclude: all files in /data/data/com.citrix.mail/files
    Value in Private file encryption exclusions: ^files/

Access limits for public files

Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). Files matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the first matching path is used to set the access limit. Default value is empty.

This policy is enforced only when Public file encryption is enabled (changed from the Disable option to the SecurityGroup or Application option). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted.

Examples

  • Files to limit: Downloads folder on external storage, read only
    Value in Access limits for public files: EXT:^Download/(RO)
  • Files to limit: all MP3 files in the Music folder on virtual storage, no access
    Value in Access limits for public files: VS:^Music/(.)+.mp3$(NA)

Public file encryption

Controls the encryption of public files. If Disabled, public files are not encrypted. If SecurityGroup, encrypts public files by using a key shared by all MDX apps in the same security group. If Application, encrypts public files by using a key unique to this app.

Default value is SecurityGroup.

Public file encryption exclusions

Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that are not encrypted. The file paths are relative to the default external storage and to any device-specific external storage.

Public file encryption exclusions include external folder locations only.

Examples

  • File to exclude: Downloads folder on SD card
    Value in Public file encryption exclusions: Download
  • File to exclude: all MP3 files in the Music folder
    Value in Public file encryption exclusions: ^Music/(.)+.mp3$
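As an added illustration (not code from this article or from Citrix), the following Python models how the Private file encryption exclusions, Public file encryption exclusions and Access limits for public files values described above are evaluated against a sandbox-relative path, including the first-match-wins ordering of the access-limits list. The sample policy values are constructed from the article's examples; the use of re.search for each pattern, the handling of the EXT/VS storage prefixes and the RW fallback for unmatched files are assumptions.

```python
import re

# Constructed sample policy values, modelled on the examples in this article
# (not values taken from any real Endpoint Management deployment).
PRIVATE_EXCLUSIONS = "^files/a.txt,^files/(.)+.txt$"
PUBLIC_EXCLUSIONS = "Download,^Music/(.)+.mp3$"
ACCESS_LIMITS = "EXT:^Download/(RO),VS:^Music/(.)+.mp3$(NA)"

# One entry of the access-limits policy: an optional storage prefix (EXT or VS
# in the article's examples), the path regex, and the (NA)/(RO)/(RW) suffix.
_LIMIT_ENTRY = re.compile(
    r"^(?:(?P<store>[A-Z]+):)?(?P<pattern>.+)\((?P<mode>NA|RO|RW)\)$"
)


def split_policy_list(value: str) -> list:
    """Split a comma-separated policy value into non-empty, trimmed entries.
    Assumption: the regexes themselves contain no commas."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_excluded(rel_path: str, exclusions: str) -> bool:
    """True if rel_path (relative to the sandbox root, no leading slash) matches
    any exclusion regex, so the file is left unencrypted. The article does not
    say whether patterns are anchored implicitly, so re.search is assumed:
    an entry such as 'Download' matches anywhere in the path."""
    return any(re.search(p, rel_path) for p in split_policy_list(exclusions))


def parse_access_limits(policy: str) -> list:
    """Parse the access-limits policy into (storage, compiled regex, mode)
    tuples in policy order. A malformed entry raises ValueError instead of
    being skipped silently, which would widen access."""
    parsed = []
    for entry in split_policy_list(policy):
        m = _LIMIT_ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed access-limit entry: {entry!r}")
        parsed.append((m.group("store"), re.compile(m.group("pattern")), m.group("mode")))
    return parsed


def access_limits_are_valid(policy: str) -> bool:
    """Validation check an administrator can run before saving the policy."""
    try:
        parse_access_limits(policy)
        return True
    except (ValueError, re.error):
        return False


def access_limit(storage: str, rel_path: str, policy: str) -> str:
    """Return NA, RO or RW for a public file. The list is processed in order and
    the first matching entry wins, as the article states, so a broad entry
    placed before a narrower one hides the narrower one. An entry with a
    storage prefix applies only to that storage. Assumption: a file that
    matches no entry is unrestricted (RW)."""
    for store, regex, mode in parse_access_limits(policy):
        if store is not None and store != storage:
            continue
        if regex.search(rel_path):
            return mode
    return "RW"
```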

Public file migration

This policy is enforced only when you enable the Public file encryption policy (changed from Disabled to SecurityGroup or Application). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted. Default value is Write (RO/RW).

Options:

  • Disabled. Does not encrypt existing files.
  • Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.

Notes:

  • New files, and existing unencrypted files that are overwritten, are encrypted in every case.
  • Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

App Interaction

Security Group

Leave this field blank if you want all mobile apps managed by Citrix Endpoint Management to exchange information with one another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or Human Resources).

Caution:

If you change this policy for an existing app, users must delete and reinstall the app to apply the policy change.

Cut and Copy

Blocks, permits, or restricts clipboard cut and copy operations for this app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.

Paste

Blocks, permits, or restricts clipboard paste operations for the app. If Restricted, the pasted clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.

Document exchange (Open In)

Blocks, permits, or restricts document exchange operations for the app. If Restricted, documents can be exchanged only with other MDX apps and the app exceptions specified in the Restricted Open-In exception list policy. If Unrestricted, set the Private file encryption and Public file encryption policies to Disabled so that users can open documents in unwrapped apps. Default value is Restricted.

URL domains excluded from filtering

This policy excludes certain outbound URLs from MDX filtering. It holds a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that are excluded from any MDX filtering. If this policy contains any entries, URLs with host fields matching at least one item in the list (via DNS suffix matching) are sent unaltered to the default browser. Default value is empty.

Allowed Secure Web domains

This policy is only in effect for the domains not excluded by a URL filtering policy. Add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes that are redirected to the Secure Web app when Document Exchange is Restricted.

If this policy contains any entries, only those URLs with host fields matching at least one item in the list (via DNS suffix match) are redirected to the Secure Web app when Document Exchange is Restricted.

All other URLs are sent to the default Android web browser (bypassing the Document Exchange Restricted policy). Default value is empty.
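The routing decision described by the URL domains excluded from filtering and Allowed Secure Web domains policies, as an added Python example (not code from this article or from Citrix). The policy values are constructed; the DNS suffix match is implemented on whole labels so that a lookalike host such as evilintranet.example.com does not match intranet.example.com, and it is assumed that Document exchange (Open In) is Restricted and that an empty Allowed Secure Web domains list redirects every non-excluded URL to Secure Web.

```python
from urllib.parse import urlsplit

# Constructed sample policy values (not from any real deployment).
URL_DOMAINS_EXCLUDED = "cdn.example.com,publicsite.example"
ALLOWED_SECURE_WEB_DOMAINS = "intranet.example.com,corp.example.net"


def split_policy_list(value: str) -> list:
    """Comma-separated policy value -> trimmed, lower-cased entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def dns_suffix_match(host: str, entry: str) -> bool:
    """DNS suffix match on whole labels: 'intranet.example.com' matches itself
    and 'www.intranet.example.com', but not 'evilintranet.example.com'.
    A leading dot in the entry and a trailing dot in the host are tolerated."""
    host = host.lower().rstrip(".")
    entry = entry.lower().strip(".")
    return bool(entry) and (host == entry or host.endswith("." + entry))


def route_url(url: str, excluded: str, allowed: str) -> str:
    """Where an outbound URL from a managed app goes when Document exchange is
    Restricted: 'browser-unfiltered' (excluded from MDX filtering entirely),
    'secure-web' (redirected to Secure Web) or 'browser' (default browser)."""
    # The host field is the authority's hostname; userinfo before '@' and any
    # port are not part of it, so they cannot make a URL look allowed.
    host = urlsplit(url).hostname or ""

    # 1. URL domains excluded from filtering take precedence: no MDX filtering.
    if any(dns_suffix_match(host, e) for e in split_policy_list(excluded)):
        return "browser-unfiltered"

    # 2. Allowed Secure Web domains: with entries, only matching hosts are
    #    redirected. Assumption: an empty list redirects every remaining URL.
    allowed_entries = split_policy_list(allowed)
    if not allowed_entries or any(dns_suffix_match(host, e) for e in allowed_entries):
        return "secure-web"

    # 3. Everything else bypasses the Restricted policy and goes to the browser.
    return "browser"
```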

Restricted Open-In exception list

When the Document exchange (Open In) policy is Restricted, this list of Android intents is allowed to pass to unmanaged apps. A familiarity with Android intents is needed to add filters to the list. A filter can specify action, package, scheme, or any combination.

Examples

{action=android.intent.action.MAIN}
{package=com.sharefile.mobile}
{action=android.intent.action.DIAL scheme=tel}
{action=android.intent.action.VIEW scheme=msteams package=com.microsoft.teams}

Caution:

Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the MDX environment.

Inbound document exchange (Open In)

Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.

If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app. For information about other policy interactions, see the Block Gallery policy.

Options: Unrestricted, Blocked, or Restricted

Inbound document exchange whitelist

When the Inbound document exchange policy is Restricted or Blocked, this comma-delimited list of app IDs, including non-MDX apps, is allowed to send documents to the app. This policy is hidden and cannot be edited.

Connection security level

Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections support SSL 3.0 and TLS. Default value is TLS.

App Restrictions

Important:

Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera

If On, prevents an app from directly using the camera hardware. Default value is On.

Block Gallery

If On, prevents an app from accessing the Gallery on the device. Default value is Off. This policy works along with the Inbound document exchange (Open In) policy.

  • If Inbound document exchange (Open In) is set to Restricted, users working in the managed app cannot attach images from the Gallery, regardless of the Block Gallery setting.
  • If Inbound document exchange (Open In) is set to Unrestricted, users working in the managed app experience the following:
    • Users can attach images if Block Gallery is set to Off.
    • Users are blocked from attaching images if Block Gallery is On.

Block mic record

If On, prevents an app from directly using the microphone hardware. Default value is On.

Block location services

If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail.

Block SMS compose

If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block screen capture

If On, prevents users from taking screen captures while the app is running. Also, when the user switches apps, obscures the app screen. Default value is On.

When using the Android Near Field Communication (NFC) feature, some apps take a screenshot of themselves before beaming the content. To enable that feature in a wrapped app, change the Block screen capture policy to Off.

Block device sensor

If On, prevents an app from using the device sensors (such as accelerometer, motion sensor, and gyroscope). Default value is On.

Block NFC

If On, prevents an app from using Near Field Communication (NFC). Default value is On.

Block app logs

If On, prohibits an app from using the mobile productivity app diagnostic logging facility. If Off, app logs are recorded and might be collected by using the Secure Hub email support feature. Default value is Off.

Block printing

If On, prevents an app from printing data. If an app has a Share command, you must set Document Exchange (Open in) to Restricted or Blocked to block printing fully. Default value is On.

Enable ShareFile

Allows users to use ShareFile to transfer files. Default value is On.

App Network Access

Network access

Note:

Tunneled - Web SSO is the name used in the settings for Secure Browse. The behavior is the same.

The settings options are as follows:

  • Use Previous Settings: Defaults to the values you had set in the earlier policies. Once you change away from this option, do not revert to it. Also note that changes to the new policies do not take effect until the user upgrades the app to version 18.12.0 or later.
  • Blocked: Networking APIs used by your app fail. Per the previous guideline, you must gracefully handle such a failure.
  • Unrestricted: All network calls go directly and are not tunneled.
  • Tunneled - Full VPN: All traffic from the managed app tunnels through Citrix Gateway.
  • Tunneled - Web SSO: The HTTP/HTTPS URL is rewritten. This option allows only the tunneling of HTTP and HTTPS traffic. A significant advantage of Tunneled - Web SSO is single sign-on (SSO) for HTTP and HTTPS traffic and also PKINIT authentication. On Android, this option has low setup overhead and is thus the preferred option for web browsing types of operations.

If one of the Tunneled modes is selected, a per-app VPN tunnel in this initial mode is created back to the enterprise network. Here, Citrix Gateway split tunnel settings are used. Citrix recommends Tunneled - Full VPN for connections that employ client certificates or end-to-end SSL to a resource in the enterprise network. Citrix recommends Tunneled - Web SSO for connections that require single sign-on (SSO).

Micro VPN session required

If Yes, the user must have a connection to the enterprise network and an active session. If No, an active session is not required. Default value is Use Previous Setting. For newly uploaded apps, the default value is No. Whichever setting was selected before the upgrade to this policy remains in effect until an option other than Use Previous Setting is selected.

Exclusion List

Comma-delimited list of FQDNs or DNS suffixes to be accessed directly instead of through a VPN connection. This policy only applies to the Tunneled - Web SSO mode when Citrix Gateway is configured with Split tunnel reverse mode.

Block localhost connections

If On, apps are not permitted to make localhost connections. Localhost is an address (such as 127.0.0.1) for communications occurring locally on the device. The localhost bypasses the local network interface hardware and accesses network services running on the host. If Off, this policy overrides the Network Access policy, meaning that apps can connect outside the secure container if the device is running a proxy server locally. Default is Off.

Certificate label

When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).

App Logs

Default log output

Determines which output mediums are used by Citrix Endpoint Management app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level

Controls the default verbosity of the mobile productivity app diagnostic logging facility. Higher-level numbers include more detailed logging.

  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default value is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. The default value is 2.

Max log file size

Limits the size in MB of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. The default value is 2 MB.

Redirect app logs

If On, intercepts and redirects system or console logs from an app to the mobile productivity app diagnostic facility. If this setting is Off, app use of system or console logs is not intercepted. The default value is On.

Encrypt logs

If On, Citrix Endpoint Management encrypts diagnostic logs as it records the logs. If Off, diagnostic logs remain unencrypted in the app sandbox.

Caution:

Depending upon configured log levels, log encryption can have a noticeable impact on app performance and battery life.

Default value is Off.

App Geofence

Center point longitude

Longitude (X coordinate) of the center point of the point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. The value must be expressed in signed degrees format (DDD.dddd), for example “-31.9635”. West longitudes must be prefaced with a minus sign. Default value is 0.

Center point latitude

Latitude (Y coordinate) of the center point of the point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

The values must be expressed in signed degrees format (DDD.dddd), for example “43.06581”. Southern latitudes must be prefaced with a minus sign. Default value is 0.

Radius

The radius of the geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked. The value must be expressed in meters. When set to zero, the geofence is disabled. Default is 0 (disabled).

Analytics

Google Analytics level of detail

Citrix collects analytics data to improve product quality. Selecting Anonymous opts you out of including company identifiable information.

App Settings

Secure Mail Exchange Server

The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.

Caution:

If you change this policy for an existing app, users must delete and reinstall the app to apply the policy change.

Secure Mail user domain

Default Active Directory domain name for Exchange users or, for iOS only, Notes users. Default value is empty.

Background network services

The FQDN and port of service addresses permitted for background network access. This value might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

Time period for which a background network service ticket remains valid. After expiration, an enterprise logon will be required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services, in the form FQDN:port. This address is the Citrix Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the Citrix Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server.

Default value is empty, implying that an alternate gateway does not exist.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server.

Export contacts

Important:

Do not enable this feature if users can access your Exchange Server directly (that is, outside of Citrix Gateway). Otherwise, contacts are duplicated on the device and in Exchange.

If Off, prevents the one-way sync of Secure Mail contacts to the device and prevents the sharing of Secure Mail contacts (as vCards). The default value is Off.

Contact fields to export

Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name- and phone-related contact fields are exported. If Name, Phone and Email, all name-, phone- and email-related contact fields are exported. The default value is All.

Accept all SSL certificates

If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning. Default value is Off.

Use secure connection

If On, Secure Mail uses a secure connection. If Off, Secure Mail does not use a secure connection. Default is On.

Information Rights Management

If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Control locked screen notifications

Controls whether mail and calendar notifications appear on a locked device screen. If Allow is selected, all information contained in the notification appears. If Block is selected, notifications do not appear. If Email sender or event title is selected, only the name of the email sender or the title of the calendar event appears. If Count only is selected, only the count of mail and meeting invitations plus the time of calendar reminders appear. Default value is Allow.

Default sync interval

Specifies the default sync interval for Secure Mail. Secure Mail users can change the default.

The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum email age filter, the Maximum email age filter setting is used instead. Secure Mail displays only the sync interval values that are less than the ActiveSync Maximum email age filter setting.

Default value is 3 days.

Enable download of attachments over Wi-Fi

If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi. Default value is Off.

Allow offline documents

Specifies whether, and for how long, users can store offline documents on devices. Default value is Unlimited.

Enable auto-save of email drafts

If On, Secure Mail supports automatically saving messages to the Drafts folder. Default value is On.

Initial authentication Mechanism

This policy indicates whether the mail server address provided by MDX or the user's email address is used to populate the Address field on the first-time-use provisioning screen. Default value is Mail Server address.

Initial authentication credentials

This policy defines the value that is used as the user name to populate the initial first-time-use provisioning screen. Default value is Enrollment user name.

Enable week number

If On, calendar views include the week number. Default value is Off.

Email classification

If On, Secure Mail supports email classification markings for SEC (security) and DLM (dissemination limiting markers). Classification markings appear in email headers as X-Protective-Marking values. Be sure to configure the related email classification policies. Default value is Off.

Email classification markings

Specifies the classification markings to be made available to end users. If the list is empty, Secure Mail does not include a list of protective markings. The markings list contains value pairs that are separated by semicolons. Each pair includes the value that appears in Secure Mail and the marking value that is the text appended to the email subject and header in Secure Mail. For example, in the marking pair "UNOFFICIAL,SEC=UNOFFICIAL;", the list value is “UNOFFICIAL” and the marking value is “SEC=UNOFFICIAL”.

Email classification namespace

Specifies the classification namespace that is required in the email header by the classification standard used. For example, the namespace “gov.au” appears in the header as “NS=gov.au”. Default value is empty.

Email classification version

Specifies the classification version that is required in the email header by the classification standard used. For example, the version “2012.3” appears in the header as “VER=2012.3”. Default value is empty.

Default email classification

Specifies the protective marking that Secure Mail applies to an email if a user does not choose a marking. This value must be in the list for the Email classification markings policy. Default value is UNOFFICIAL.
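The markings, namespace, version and default classification policies above work together; the following Python is an added example (not code from this article or from Citrix) of parsing the "list value,marking value;" pairs, checking that the default is in the list, and assembling the X-Protective-Marking header value and subject suffix. The policy values are constructed from the article's examples; the extra marking pairs, the field order in the header (VER, NS, then the marking) and the square-bracket subject suffix are assumptions.

```python
# Constructed sample policy values, modelled on the examples in this article.
# The "display,marking;" pair format comes from the article; the pairs after
# UNOFFICIAL are invented for illustration.
EMAIL_CLASSIFICATION_MARKINGS = (
    "UNOFFICIAL,SEC=UNOFFICIAL;"
    "UNCLASSIFIED,SEC=UNCLASSIFIED;"
    "For Official Use Only,DLM=For-Official-Use-Only;"
)
EMAIL_CLASSIFICATION_NAMESPACE = "gov.au"
EMAIL_CLASSIFICATION_VERSION = "2012.3"
DEFAULT_EMAIL_CLASSIFICATION = "UNOFFICIAL"


def parse_markings(policy: str) -> dict:
    """Map each list value (what the user sees in Secure Mail) to its marking
    value (the text appended to the subject and header). Insertion order is
    kept so the menu order follows the policy. A pair that does not contain
    exactly one comma is rejected rather than guessed at."""
    markings = {}
    for pair in policy.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # the trailing ';' in the policy value yields an empty pair
        parts = [p.strip() for p in pair.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed marking pair: {pair!r}")
        markings[parts[0]] = parts[1]
    return markings


def markings_policy_is_valid(policy: str) -> bool:
    """Pre-save check for the Email classification markings value."""
    try:
        parse_markings(policy)
        return True
    except ValueError:
        return False


def default_is_valid(default: str, markings: dict) -> bool:
    """The Default email classification must be one of the list values."""
    return default in markings


def resolve_marking(user_choice, default: str, markings: dict) -> str:
    """Marking value for a message: the user's choice, or the policy default
    when the user chose nothing. Unknown values are refused so a message never
    leaves with a marking the policy does not define."""
    chosen = user_choice if user_choice is not None else default
    if chosen not in markings:
        raise ValueError(f"marking {chosen!r} is not in the markings policy")
    return markings[chosen]


def protective_marking_header(marking: str, namespace: str, version: str) -> str:
    """Value of the X-Protective-Marking header. Assumed field order: VER, NS,
    then the marking; an empty namespace or version (the policy defaults) is
    omitted rather than emitted as an empty field."""
    fields = []
    if version:
        fields.append(f"VER={version}")
    if namespace:
        fields.append(f"NS={namespace}")
    fields.append(marking)
    return ", ".join(fields)


def mark_subject(subject: str, marking: str) -> str:
    """Append the marking to the subject once, in square brackets (assumed
    format), without duplicating it on replies that already carry it."""
    tag = f"[{marking}]"
    base = subject.rstrip()
    if base.endswith(tag):
        return base
    return f"{base} {tag}" if base else tag
```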

Mail Search Limit

Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches. To restrict the amount of mail that is synced to a mobile device, configure the Max sync interval policy. Default value is Unlimited.

Max sync interval

Controls the amount of mail stored locally on a mobile device by limiting the sync period.

To restrict the time period that a device can search on the mail server, configure the Mail server search limit policy.

The values are:

  • 3 days
  • 1 week
  • 2 weeks
  • 1 month
  • All

Default value is All.

Calendar Web and Audio Options

  • GoToMeeting and User Entered - When this option is chosen, users are able to choose the type of conference they would like to set up. Options include GoToMeeting, which opens a GoToMeeting page, and Other Conference, which allows users to enter meeting information manually.
  • User Entered Only - When this option is chosen, users are taken directly to the Other Conference page where they can enter meeting information manually.

S/MIME Public Certificate Source

Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.

LDAP Server Address

LDAP server address including port number. Default value is empty.

LDAP Base DN

LDAP Base distinguished name. Default value is empty.

Access LDAP Anonymously

If this policy is On, Secure Mail can search LDAP without prior authentication. Default is Off.

Allowed Email Domains

Define a list of allowed email domains in a comma-separated format such as server.company.com,server.company.co.uk. The default value is empty, which implies that Secure Mail does not filter email domains and supports all email domains. Secure Mail matches the listed domains with the domain name in the email address.

For instance, when server.company.com is a listed domain name and the email address is user@internal.server.company.com, Secure Mail supports the email address.

Push notifications

Enables FCM-based notifications about mailbox activity. If On, Secure Mail supports push notifications. Default value is Off.

Push notifications EWS host name

The server that hosts Exchange Web Services (EWS) for mail. The value must be the URL of EWS, along with the port number. Default value is empty.

Push notifications region

The region where the FCM host is located for your Secure Mail users. Options are Americas, EMEA, and PAC. Default value is Americas.

Attempt user name Migration On Authentication Failure

This policy attempts to migrate the Exchange user name to a UPN for authentication. The default value is Off.

Report Phishing Mail Addresses

If configured, you can report suspected phishing mails to a given email address or a list of comma-separated email addresses. The default value is empty. If you do not configure this policy, you cannot report phishing messages.

Report Phishing Mechanism

This policy indicates the mechanism used to report suspected phishing mails.

  • Report via attachment (.eml) – Report phishing mails as an attachment. The attachment is sent to an email address or a list of comma-separated email addresses configured in the Report Phishing Mail Addresses policy.
  • Report via forward – Report phishing mails as a forward. The mail is forwarded to an email address or a list of comma-separated email addresses configured in the Report Phishing Mail Addresses policy.

Note:

This policy is available only for Microsoft Exchange server.

Default is Report via attachment (.eml).

Skype for Business Meeting Domains

This policy contains a comma-separated list of domains used for Skype for Business meetings. Secure Mail already handles meeting URLs that begin with the following prefixes:

  • https://join
  • https://meet
  • https://lync

With this policy, other Skype for Business domains can be added in the form https://*domain*. The domain can be a string of alphanumeric characters and cannot contain any special characters. Do not enter the preceding https:// or the trailing dot.

Example

If the policy value is customDomain1,customDomain2, the supported URL prefixes for Skype for Business would be:

  • https://customDomain1
  • http://customDomain1
  • https://customDomain2
  • http://customDomain2

Default value is empty.
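As an added example (not Citrix code), the following Python models how a policy value for this setting can be validated and expanded into the URL prefixes described above. The built-in prefixes and the alphanumeric-only rule come from the page; the case-insensitive prefix comparison is an assumption.

```python
import re

# Prefixes Secure Mail handles without any policy value, per the page.
BUILT_IN_PREFIXES = ("https://join", "https://meet", "https://lync")
# The policy allows only alphanumeric entries: no scheme, dots or other special characters.
_DOMAIN_ENTRY = re.compile(r"^[A-Za-z0-9]+$")


def parse_meeting_domains(policy_value):
    """Return the validated entries of a comma-separated policy value.
    Raises ValueError for an entry such as 'https://customDomain1' or 'customDomain1.'."""
    domains = []
    for raw in policy_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not _DOMAIN_ENTRY.match(entry):
            raise ValueError(f"invalid Skype for Business domain entry: {entry!r}")
        domains.append(entry)
    return domains


def is_valid_policy_value(policy_value):
    """Admin-side check before saving the policy in the console."""
    try:
        parse_meeting_domains(policy_value)
        return True
    except ValueError:
        return False


def supported_prefixes(policy_value):
    """Built-in prefixes plus the https:// and http:// forms of each policy entry."""
    prefixes = list(BUILT_IN_PREFIXES)
    for domain in parse_meeting_domains(policy_value):
        prefixes.append(f"https://{domain}")
        prefixes.append(f"http://{domain}")
    return prefixes


def is_skype_meeting_url(url, policy_value):
    """True if the URL starts with a supported prefix (assumed case-insensitive comparison)."""
    lowered = url.strip().lower()
    return any(lowered.startswith(p.lower()) for p in supported_prefixes(policy_value))
```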

Export Calendar

This policy allows Secure Mail calendar events to be exported to your device or personal calendar. You can view your events in your personal calendar. You can edit the events using Secure Mail. Default value is Meeting Time.

The following MDX policy values are available for the calendar event fields that appear in your personal calendar:

  • None (Don’t Export)
  • Meeting Time
  • Meeting Time, Location
  • Meeting Time, Subject, Location
  • Meeting Time, Availability, Attendees, Subject, Location, Notes

OAuth Support for Office 365

Use Modern authentication for O365

If this policy is On, Secure Mail uses the OAuth protocol for authentication while configuring an account on Office 365. If Off, Secure Mail uses Basic authentication. Default is Off.

Trusted Exchange Online Hostnames

Define a list of trusted Exchange Online host names that use the OAuth mechanism for authentication while configuring an account. The value is in comma-separated format, such as server.company.com, server.company.co.uk. If the list is empty, then Secure Mail uses Basic authentication for account configuration. Default value is outlook.office365.com.

Trusted AD FS Hostnames

Define a list of trusted AD FS host names for webpages on which the password is auto-populated during Office 365 OAuth authentication. The value is in comma-separated format, such as sts.companyname.com, sts.company.co.uk. If the list is empty, then Secure Mail does not auto-populate passwords. Secure Mail matches the listed host names with the host name of the webpage encountered during Office 365 authentication and checks that the page uses the HTTPS protocol.

For instance, when sts.company.com is a listed host name and the user navigates to https://sts.company.com, Secure Mail populates the password if the page has a password field. Default value is login.microsoftonline.com.
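The matching rules for the Allowed Email Domains policy (above) and the Trusted AD FS Hostnames policy share the same shape: a comma-separated allow list compared against a host name. This added Python example (not Citrix code) models both checks; the sample policy values are constructed, subdomain matching for email domains follows the page's user@internal.server.company.com example, and exact-host matching for AD FS pages is an assumption since the page only shows an exact-match example.

```python
from urllib.parse import urlsplit

# Constructed sample policy values (the page's defaults are empty and
# login.microsoftonline.com respectively).
ALLOWED_EMAIL_DOMAINS = "server.company.com,server.company.co.uk"
TRUSTED_ADFS_HOSTNAMES = "sts.company.com, sts.company.co.uk"


def parse_policy_list(value):
    """Split a comma-separated policy value into lower-cased, trimmed entries."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def host_matches(host, listed, allow_subdomains):
    """Match a host against the listed names on whole DNS labels, so that
    'notserver.company.com' never matches a listed 'server.company.com'."""
    host = host.lower().rstrip(".")
    for name in listed:
        if host == name or (allow_subdomains and host.endswith("." + name)):
            return True
    return False


def is_allowed_email_domain(address, policy_value):
    """Allowed Email Domains: subdomains of a listed domain are accepted, as the
    page's user@internal.server.company.com example shows; an empty policy
    accepts every domain."""
    listed = parse_policy_list(policy_value)
    if not listed:
        return True
    _, sep, domain = address.rpartition("@")
    if not sep or not domain:
        return False
    return host_matches(domain, listed, allow_subdomains=True)


def should_autofill_password(page_url, policy_value):
    """Trusted AD FS Hostnames: auto-populate only when the page host is listed
    AND the page is served over HTTPS. Exact host match is an assumption; the
    page only shows an exact-match example. An empty policy disables autofill."""
    listed = parse_policy_list(policy_value)
    if not listed:
        return False
    parts = urlsplit(page_url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    return host_matches(parts.hostname, listed, allow_subdomains=False)
```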

Custom user agent for modern authentication

This policy allows you to change the default user agent string for modern authentication. If configured, this user agent string is used for authentication with Microsoft AD FS. If you do not configure this policy, the default Secure Mail user agent is used during modern authentication.

Slack Integration

Enable Slack

Blocks or permits Slack integration. If On, the Secure Mail interface includes Slack features. If Off, the Secure Mail interface doesn’t include Slack features.

Slack workspace name

The Slack workspace name for your company. If you provide a name, Secure Mail pre-fills the workspace name during sign-on. If you don’t provide a name, users must type the workspace name (name.slack.com).
