Administrator tasks and considerations

MDX policies for mobile productivity apps for iOS

This article describes the MDX policies for iOS apps. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.

The following list does not include MDX policies specific to Secure Web. For details about the policies that appear for Secure Web, see Secure Web policies.

Authentication

Device passcode

If On, a PIN or passcode is required to unlock the device when it starts or resumes after a period of inactivity. A device passcode is required to encrypt app data using Apple file encryption. Data for all apps on the device are encrypted. Default value is Off.

App passcode

If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.

To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.

Note:

If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.

Maximum offline period (hours)

Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from Citrix Endpoint Management. At expiration, a logon to the server might be triggered if needed. Default value is 168 hours (7 days). The minimum period is 1 hour.

Alternate Citrix Gateway

Note:

This policy name in the Endpoint Management console is Alternate NetScaler Gateway.

Address of a specific alternate Citrix Gateway that must be used for authentication and for micro VPN sessions with this app. This policy is optional. When used with the Online session required policy, the policy forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the server’s default gateway is always used. Default value is empty.

Device security

Block jailbroken or rooted

If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.

Network requirements

Require Wi-Fi

If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.

Allowed Wi-Fi networks

Comma-delimited list of Wi-Fi networks. If the network name contains any non-alphanumeric characters (including commas), the name must be enclosed in double-quotes. The app runs only if connected to one of the networks listed. If blank, all networks are allowed. This value does not affect connections to cellular networks. Default value is blank.
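The quoting rule above matters as soon as a network name contains a comma or a space. The following is an added example, not Citrix code, that parses the Allowed Wi-Fi networks value the way the description specifies and combines it with Require Wi-Fi; the SSID values are constructed, and the caller is assumed to supply the connected SSID (or None on cellular or LAN) from the platform.

```python
import csv
import io


def parse_allowed_wifi(policy):
    """Parse the comma-delimited Allowed Wi-Fi networks value.

    Names containing non-alphanumeric characters (including commas) must be
    double-quoted, so the csv module is used: a quoted name may contain commas.
    Spaces after a separating comma are tolerated (assumption, not stated above).
    """
    policy = policy.strip()
    if not policy:
        return []
    row = next(csv.reader(io.StringIO(policy), skipinitialspace=True))
    return [name for name in row if name != ""]


def app_locked(require_wifi, allowed_networks, ssid):
    """Return True when the two network policies keep the app locked.

    ssid is the name of the connected Wi-Fi network, or None when the device has
    no Wi-Fi connection (cellular or LAN). The allowed list is blank-permits-all
    and, as stated above, does not affect cellular connections.
    """
    if require_wifi and ssid is None:
        return True                     # Require Wi-Fi: locked off Wi-Fi
    allowed = parse_allowed_wifi(allowed_networks)
    if not allowed or ssid is None:
        return False                    # blank list, or not on Wi-Fi at all
    return ssid not in allowed          # SSID comparison is exact (case-sensitive)
```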

Miscellaneous access

Disable required upgrade

Disables the requirement that users upgrade to the newest version of the app in the App Store. Default value is On.

App update grace period (hours)

Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is 168 hours (7 days).

Note:

We recommend that you do not use a value of zero. A zero value immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). Using this value might lead to a situation where the user is forced to exit the app (potentially losing work) to comply with the required update.

Erase app data on lock

Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • App subscription removed
  • Account removed
  • Secure Hub uninstalled
  • Too many app authentication failures
  • Jailbroken device detected (per policy setting)
  • Device placed in locked state by other administrative action

Active poll period (minutes)

When an app starts, the MDX Framework polls Citrix Endpoint Management to determine current app and device status. Assuming the server running Endpoint Management can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes (1 hour).

Important:

Set this value lower only for high-risk apps; a shorter poll period can affect performance.

Encryption

Encryption type

Allows you to choose whether MDX or the device platform handles the encryption of data. If you select MDX encryption, then MDX encrypts the data. If you select Platform encryption with compliance enforcement, then the device platform encrypts the data. Default value is MDX encryption.

Non-compliant device behavior

Allows you to choose an action when a device does not adhere to the minimum compliance requirements of encryption. Select Allow app for the app to run normally. Select Allow app after warning for the app to run after the warning appears. Select Block to block the app from running. Default value is Allow app after warning.

Enable MDX encryption

If Off, the data stored on the device is not encrypted. If On, the data stored on the device is encrypted. Default value is On.

Caution:

If you change this policy after deploying an app, users must reinstall the app.

Database encryption exclusions

Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific database, add an entry to this comma-separated list of regular expressions. If a database path name matches any of the regular expressions, the database is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions syntax. The pattern matching is case-insensitive.

Examples

\.db$,\.sqlite$ excludes any database path name that ends with either .db or .sqlite.

\/Database\/unencrypteddb\.db matches the database unencrypteddb.db in the Database subfolder.

\/Database\/ matches all databases that contain /Database/ in their path.

Default value is empty.

File encryption exclusions

Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then that file is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expressions syntax. The pattern matching is case-insensitive.

Examples

\.log$,\.dat$ excludes any file path name that ends with either .log or .dat.

\/Documents\/unencrypteddoc\.txt matches the contents of the file unencrypteddoc.txt in the Documents subfolder.

\/Documents\/UnencryptedDocs\/.*\.txt matches “.txt” files under the subpath /Documents/UnencryptedDocs/.

Default value is empty.
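Both exclusion policies use the same comma-separated, case-insensitive regular-expression matching, and every match leaves data unencrypted on the device, so it is worth checking a list against real sandbox paths before deploying it. The following is an added example, not Citrix code: it evaluates a policy value the way the two descriptions specify, using the patterns quoted above and constructed sample paths, and assumes that Python's re module behaves like POSIX ERE for patterns of this kind.

```python
import re

# Sample policy values built from the patterns quoted in the examples above.
DATABASE_EXCLUSIONS = r"\.db$,\.sqlite$,\/Database\/unencrypteddb\.db"
FILE_EXCLUSIONS = r"\.log$,\.dat$,\/Documents\/UnencryptedDocs\/.*\.txt"


def parse_exclusions(policy):
    """Split the comma-separated policy into compiled, case-insensitive patterns.

    Caveat: because the value is split on commas, a pattern that itself contains
    a comma (for example an interval quantifier such as [0-9]{2,4}) cannot be
    expressed in this policy; it would be split into two broken patterns.
    """
    patterns = []
    for raw in policy.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            patterns.append(re.compile(raw, re.IGNORECASE))
        except re.error as exc:
            raise ValueError(f"invalid exclusion pattern {raw!r}: {exc}") from exc
    return patterns


def is_excluded(policy, path):
    """True if the path matches any pattern (a search, not a whole-path match).

    Assumption: the path compared is the full path inside the app sandbox.
    """
    return any(p.search(path) for p in parse_exclusions(policy))


def audit_exclusions(policy, paths):
    """Return the paths that would be stored unencrypted under the policy."""
    return [p for p in paths if is_excluded(policy, p)]


# Constructed sample paths for a quick audit run.
SAMPLE_PATHS = [
    "/var/mobile/Containers/Data/App/Library/cache.DB",
    "/var/mobile/Containers/Data/App/Documents/secure.sqlite3",
    "/var/mobile/Containers/Data/App/Documents/Database/unencrypteddb.db",
    "/var/mobile/Containers/Data/App/Documents/UnencryptedDocs/sub/report.TXT",
    "/var/mobile/Containers/Data/App/Documents/notes.txt",
]
```

Because matching is case-insensitive and unanchored, cache.DB and report.TXT are excluded even though the patterns are written in lowercase.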

App interaction

Cut and copy

Blocks, permits, or restricts Clipboard cut and copy operations for this app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.

Paste

Blocks, permits, or restricts Clipboard paste operations for this app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.

Document exchange (Open In)

Blocks, permits, or restricts document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps.

If Unrestricted, set the Enable encryption policy to On so that users can open documents in unwrapped apps. If the receiving app is unwrapped or has encryption disabled, Citrix Endpoint Management decrypts the document. Default value is Restricted.

Restricted Open-In exception list

When the Document exchange (Open In) policy is Restricted, an MDX app can share documents with the unmanaged app IDs in this comma-delimited list. This is true even if the Document exchange (Open In) policy is Restricted and Enable encryption is On. The default exception list allows Office 365 apps:

com.microsoft.Office.Word,com.microsoft.Office.Excel,com.microsoft.Office.Powerpoint,com.microsoft.onenote,com.microsoft.onenoteiPad,com.microsoft.Office.Outlook

Only Office 365 apps are supported for this policy.

Caution:

Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the MDX environment.

Connection security level

Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections support SSL 3.0 and TLS. Default value is TLS.

Inbound document exchange (Open In)

Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.

If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app.

Options: Unrestricted, Blocked, or Restricted

App URL schemes

iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as “http://”). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the schemes that are passed into this app for handling (that is, inbound URLs). Default value is empty, meaning that all registered app URL schemes are blocked.

The policy must be formatted as a comma-separated list of patterns where a plus “+” or minus “-” precedes each pattern. Inbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the prefix dictates the action taken.

  • A minus “-” prefix blocks the URL from being passed into this app.
  • A plus “+” prefix permits the URL to be passed into the app for handling.
  • If neither “+” nor “-” is provided with the pattern, “+” (allow) is assumed.
  • If an inbound URL does not match any pattern in the list, the URL is blocked.

The following table contains examples of App URL schemes:

Scheme              App that requires the URL scheme   Purpose
ctxmobilebrowser    Secure Web                         Permit Secure Web to handle HTTP: URLs from other apps.
ctxmobilebrowsers   Secure Web                         Permit Secure Web to handle HTTPS: URLs from other apps.
ctxmail             Secure Mail                        Permit Secure Mail to handle mailto: URLs from other apps.
COL-G2M             GoToMeeting                        Permit a wrapped GoToMeeting app to handle meeting requests.
ctxsalesforce       Citrix for Salesforce              Permit Citrix for Salesforce to handle Salesforce requests.
wbx                 WebEx                              Permit a wrapped WebEx app to handle meeting requests.

App interaction (outbound URL)

Domains excluded from URL filtering

This policy excludes outbound URLs from any “Allowed URLs” filtering. Add a comma-separated list of fully qualified domain names (FQDNs) or DNS suffixes to exclude from the “Allowed URLs” filtering. If this policy is empty (the default), the “Allowed URLs” filtering processes all URLs. If this policy contains any entries, URLs whose host field matches at least one item in the list (via DNS suffix match) are sent unaltered to iOS, bypassing the “Allowed URLs” filtering logic. Default value is empty.

Allowed URLs

iOS apps can dispatch URL requests to other applications that have been registered to handle specific schemes (such as "http://"). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the URLs that are passed from this app to other apps for handling (that is, outbound URLs).

The policy must be formatted as a comma-separated list of patterns, each of which might be preceded by a plus “+” or minus “-”. Outbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the prefix decides the action taken. A minus “-” prefix blocks the URL from being passed out to another app. A plus “+” prefix permits the URL to be passed out to another app for handling. If neither “+” nor “-” is provided with the pattern, “+” (allow) is assumed. A pair of values separated by “=” indicates a substitution: occurrences of the first string are replaced with the second. You can use the regular-expression “^” prefix to anchor the pattern to the beginning of the URL. If an outbound URL does not match any pattern in the list, it is blocked.

Default

+maps.apple.com
+itunes.apple.com
^http:=ctxmobilebrowser:
^https:=ctxmobilebrowsers:
^mailto:=ctxmail:
+^citrixreceiver:
+^telprompt:
+^tel:
+^lmi-g2m:
+^maps:ios_addr
+^mapitem:
+^sms:
+^facetime:
+^ctxnotes:
+^ctxnotesex:
+^ctxtasks:
+^facetime-audio:
+^itms-apps:
+^ctx-sf:
+^sharefile:
+^lync:
+^slack:
+^msteams:

If the setting is blank, all URLs are blocked, except for the following:

  • http:
  • https:
  • +citrixreceiver:
  • +tel:

The following table contains examples of allowed URLs:

URL format            Description
^mailto:=ctxmail      All mailto: URLs open in Secure Mail.
^http                 All HTTP URLs open in Secure Web.
^https                All HTTPS URLs open in Secure Web.
^tel                  Allows user to make calls.
-//www.dropbox.com    Blocks Dropbox URLs dispatched from managed apps.
+^COL-G2M             Permits managed apps to open the GoToMeeting client app.
-^SMS                 Blocks the use of a messaging chat client.
-^wbx                 Blocks managed apps from opening the WebEx client app.
+^ctxsalesforce       Permits Citrix for Salesforce to communicate with your Salesforce server.

Allowed Secure Web domains

This policy affects only the “Allowed URLs” policy entries that redirect a URL to the Secure Web app (^http:=ctxmobilebrowser: and ^https:=ctxmobilebrowsers:). Add a comma-separated list of fully qualified domain names (FQDNs) or DNS suffixes that are allowed to redirect to the Secure Web app. If this policy is empty (the default), all domains can redirect to the Secure Web app. If this policy contains any entries, only URLs whose host field matches at least one item in the list (via DNS suffix match) redirect to the Secure Web app. All other URLs are sent unaltered to iOS, bypassing the Secure Web app. Default value is empty.
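The App URL schemes (inbound), Allowed URLs (outbound), Domains excluded from URL filtering, and Allowed Secure Web domains policies all rest on the same ordered, first-match pattern list, and the order in which an administrator places a “-” entry decides whether it ever fires. The following is an added example, not Citrix code, that models that evaluation for a subset of the default Allowed URLs list; case-insensitive matching (so that the “-^SMS” example blocks sms: URLs) and plain substring matching for unanchored patterns are assumptions, and the test URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Schemes the default policy rewrites to, i.e. redirects into Secure Web.
SECURE_WEB_SCHEMES = ("ctxmobilebrowser:", "ctxmobilebrowsers:")

# A subset of the default Allowed URLs list shown above, joined as the console expects.
DEFAULT_ALLOWED_URLS = (
    "+maps.apple.com,+itunes.apple.com,"
    "^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,"
    "+^citrixreceiver:,+^telprompt:,+^tel:,+^sms:,+^facetime:"
)


def parse_patterns(policy):
    """Turn the comma-separated policy into ordered (allow, regex, replacement) rules.

    A leading '+' or '-' sets the action ('+' assumed when absent); 'a=b' substitutes
    b for a; a leading '^' anchors the match to the start of the URL. Everything else
    is a literal substring search (assumption). Matching is case-insensitive (assumption).
    """
    rules = []
    for raw in policy.split(","):
        raw = raw.strip()
        if not raw:
            continue
        allow = True
        if raw[0] in "+-":
            allow = raw[0] == "+"
            raw = raw[1:]
        replacement = None
        if "=" in raw:
            raw, replacement = raw.split("=", 1)
        anchored = raw.startswith("^")
        body = re.escape(raw[1:] if anchored else raw)
        regex = re.compile(("^" if anchored else "") + body, re.IGNORECASE)
        rules.append((allow, regex, replacement))
    return rules


def host_matches(url, suffix_list):
    """DNS-suffix match of the URL's host against a comma-separated FQDN/suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix in suffix_list.split(","):
        suffix = suffix.strip().lower().lstrip(".")
        if suffix and (host == suffix or host.endswith("." + suffix)):
            return True
    return False


def filter_outbound(url, allowed_urls=DEFAULT_ALLOWED_URLS,
                    excluded_domains="", secure_web_domains=""):
    """Apply the outbound policies; return the URL handed to iOS, or None if blocked."""
    # Domains excluded from URL filtering: matching hosts bypass the Allowed URLs logic.
    if excluded_domains and host_matches(url, excluded_domains):
        return url
    for allow, regex, replacement in parse_patterns(allowed_urls):
        match = regex.search(url)
        if not match:
            continue                      # first matching pattern wins, so keep looking
        if not allow:
            return None                   # '-' prefix: blocked
        if replacement is None:
            return url                    # '+' prefix: passed out unchanged
        rewritten = regex.sub(lambda _m: replacement, url)
        # Allowed Secure Web domains constrains only rewrites that target Secure Web.
        if (secure_web_domains and rewritten.lower().startswith(SECURE_WEB_SCHEMES)
                and not host_matches(url, secure_web_domains)):
            return url                    # host not allowed: sent unaltered to iOS
        return rewritten
    return None                           # no pattern matched: blocked


def accept_inbound(url, app_url_schemes):
    """App URL schemes policy: same +/- rules, no substitution; an empty list blocks all."""
    for allow, regex, _replacement in parse_patterns(app_url_schemes):
        if regex.search(url):
            return allow
    return False
```

Note the two Dropbox cases in the test: “-//www.dropbox.com” blocks only when it precedes the “^https:” rewrite; placed after it, the rewrite matches first and the block entry is never reached.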

App Restrictions

Important:

Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.

Block camera

If On, prevents an app from directly using the camera hardware. Default value is Off.

Block Photo Library

If On, prevents an app from accessing the Photo Library on the device. Default value is On.

Block mic record

If On, prevents an app from directly using the microphone hardware. Default value is On.

Block dictation

If On, prevents an app from directly using dictation services. Default value is On.

Block location services

If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail.

Block SMS compose

If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.

Block email compose

If On, prevents an app from using the email compose feature used to send email messages from the app. Default value is On.

Block iCloud

If On, prevents an app from using iCloud for the storing and sharing of settings and data.

Note:

iCloud backup of data files is controlled by the Block file backup policy.

Default value is On.

Block lookup

If On, prevents an app from using the Lookup feature, which searches for highlighted text in the Dictionary, iTunes, the App Store, movie showtimes, nearby locations and more. Default value is On.

Block file backup

If On, prevents iCloud or iTunes from backing up data files. Default value is On.

Block AirPrint

If On, prevents an app from using AirPrint features for printing data to AirPrint-enabled printers. Default value is On.

Block AirDrop

If On, prevents an app from using AirDrop. Default value is On.

Block file attachments

Note:

This policy is enforced on iOS 11 or later.

If On, attachment handling is disabled. Default value is Off.

Block Facebook and Twitter APIs

If On, prevents an app from using the iOS Facebook and Twitter APIs. Default value is On.

Obscure screen contents

If On, when users switch apps, the screen is obscured. This policy prevents iOS from recording screen contents and displaying thumbnails. Default value is On.

Block 3rd party keyboards (iOS 11 and later only)

If On, prevents an app from using third-party keyboard extensions on iOS 8+. Default value is On.

Block app logs

If On, prohibits an app from using the mobile productivity app diagnostic logging facility. If Off, app logs are recorded and might be collected by using the Secure Hub email support feature. Default value is Off.

Enable ShareFile

Allows users to use ShareFile to transfer files. Default value is On.

Enable Attach From Files

Allows users to add attachments from the iOS Files app. Default value is On.

App network access

Network access

Note:

Tunneled - Web SSO is the name for the Secure Browse in the settings. The behavior is the same.

The settings options are as follows:

  • Blocked: All network access is blocked. Networking APIs used by your app fail. Per the previous guideline, you must gracefully handle such a failure.
  • Unrestricted: All network calls go directly and are not tunneled.
  • Tunneled - Web SSO: The HTTP/HTTPS URL is rewritten. This option allows only the tunneling of HTTP and HTTPS traffic. A significant advantage of Tunneled - Web SSO is single sign-on (SSO) for HTTP and HTTPS traffic and also PKINIT authentication. On Android, this option has low setup overhead and is thus the preferred option for web browsing types of operations.

If you’re using the Tunneled - Full VPN or the Tunneled - Full VPN and Web SSO policies, then you must switch to the Tunneled - Web SSO policy. Your emails fail to sync if you continue to use the deprecated policies.

Note:

If you are using Tunneled - Full VPN and Secure Ticket Authority (STA) is configured, then the modern authentication screen fails to load.

Micro VPN session required

If Yes, the user must have a connection to the enterprise network and an active session. If No, an active session is not required. Default value is Use Previous Setting. For newly uploaded apps, the default value is No. Whichever setting was selected before the upgrade to this new policy remains in effect until an option other than Use Previous Setting is selected.

Micro VPN session required grace period (minutes)

This value determines how many minutes users can use the app before the Online Session Required policy prevents them from further use (until the online session is validated). Default value is 0 (no grace period). This policy isn’t applicable for integration with Microsoft Intune/EMS.

Certificate label

When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).

Exclusion List

Comma-delimited list of FQDNs or DNS suffixes to be accessed directly instead of through a VPN connection. This value only applies to the Tunneled - Web SSO mode when Citrix Gateway is configured with Split tunnel reverse mode.

App logs

Default log output

Determines which output media are used by mobile productivity app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.

Default log level

Controls the default verbosity of the mobile productivity app diagnostic logging facility. Each level includes all lower levels. Range of possible levels includes:

  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default value is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size

Limits the size in MB of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

App geofence

Center point longitude

Longitude (X coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

The value must be expressed in signed degrees format (DDD.dddd), for example “-31.9635”. West longitudes must be prefaced with a minus sign. Default value is 0.

Center point latitude

Latitude (Y coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

The value must be expressed in signed degrees format (DDD.dddd), for example “43.06581”. Southern latitudes must be prefaced with a minus sign. Default value is 0.

Radius

The radius of the geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.

The value must be expressed in meters. When set to zero, the geofence is disabled. When the Block location services policy is enabled, geofencing does not work properly. Default is 0 (disabled).
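The three geofence policies only make sense together: a center in signed degrees, a radius in meters, zero meaning disabled, and Block location services making the check impossible. The following is an added example, not Citrix code, that lints those values and evaluates the point/radius check with a great-circle distance; the center uses the example coordinates quoted above, the device positions are constructed, and the mean Earth radius is an assumption (the page names no Earth model).

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius (assumption)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two points given in signed degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_config_problems(center_longitude, center_latitude, radius_m,
                             block_location_services):
    """Lint the geofence policies: signed-degree ranges, a sane radius, and the
    conflict described above between a geofence and Block location services."""
    problems = []
    if not -180.0 <= center_longitude <= 180.0:
        problems.append("Center point longitude must be within -180..180 signed degrees")
    if not -90.0 <= center_latitude <= 90.0:
        problems.append("Center point latitude must be within -90..90 signed degrees")
    if radius_m < 0:
        problems.append("Radius must be zero (disabled) or a positive number of meters")
    if radius_m > 0 and block_location_services:
        problems.append("Block location services is On, so the geofence cannot be evaluated")
    return problems


def app_locked_by_geofence(center_longitude, center_latitude, radius_m,
                           device_latitude, device_longitude):
    """True when the device is outside the geofence and the app therefore stays locked.
    A radius of zero disables the geofence, matching the policy default."""
    if radius_m <= 0:
        return False
    distance = haversine_m(center_latitude, center_longitude,
                           device_latitude, device_longitude)
    return distance > radius_m
```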

Enable Google Analytics

If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default value is On.

Analytics

Google Analytics level of detail

Citrix collects analytics data to improve product quality. Selecting Anonymous opts users out of including company identifiable information. Default is Complete.

Reporting

Citrix reporting

If On, Citrix collects crash reports and diagnostics to help troubleshoot issues. If Off, Citrix doesn’t collect data.

Note:

Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.

Default value is Off.

Upload token

You can obtain an upload token from your Citrix Insight Services (CIS) account. If you specify this optional token, CIS gives you access to crash reports and diagnostics uploaded from your devices. Citrix has access to that same information. Default value is empty.

Send reports over Wi-Fi only

If On, Citrix sends crash reports and diagnostics only when you’re connected to a Wi-Fi network. Default value is On.

Report file cache maximum

Limits the size of the crash report and diagnostics bundles retained before clearing the cache. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.

App interaction

Explicit logoff notification

If Disabled, the app is not activated during a user logoff. If Shared devices only, the app is activated during user logoff, only if the device is configured as a shared device. Default is Shared devices only for Secure Mail.

App settings

Secure Mail Exchange Server

The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.

Caution:

If you change this policy for an existing app, users must delete and reinstall the app to apply the policy change.

Secure Mail user domain

Default Active Directory domain name for Exchange users or, for iOS only, Notes users. Default value is empty.

Background network services

The FQDN and port of service addresses permitted for background network access. This value might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use Citrix Gateway (formerly, NetScaler Gateway) to proxy the connection to the internal Exchange Server.

Default value is empty, implying that background network services are not available.

Background services ticket expiration

Time period for which a background network service ticket will be valid. After expiration, an enterprise logon will be required to renew the ticket. Default value is 168 hours (7 days).

Background network service gateway

Alternate gateway address to use for background network services, in the form fqdn:port. This value is the Citrix Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the Citrix Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. Default value is empty, implying that an alternate gateway does not exist.

If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. Use this policy when the Exchange Server resides in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server.

Export Contacts

Important:

Do not enable this feature if users can access your Exchange Server directly (that is, outside of Citrix Gateway). Otherwise, duplicate contacts are created on the device and in Exchange.

If Off, prevents the one-way sync of Secure Mail contacts to the device and sharing Secure Mail contacts (as vCards). Default value is Off.

Contact fields to export

Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name- and phone-related contact fields are exported. If Name, Phone and Email, all name-, phone- and email-related contact fields are exported.

The default value is All.

Accept all SSL certificates

If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning.

Default value is Off.

Control locked screen notifications

Controls whether mail and calendar notifications appear on a locked device screen. If Allow, all information contained in the notification appears. If Block, notifications do not appear. If Email sender or event title, only the name of the email sender or the title of the calendar event appears. If Count only, the count of mail and meeting invitations plus the time of calendar reminders appear. The default value is Allow.

Default email notification

If On, Secure Mail shows the lock screen notification for emails. Default value is On.

Default sync interval

Specifies the default sync interval for Secure Mail. Secure Mail users can change the default. The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum email age filter, the Maximum email age filter setting is used instead.

Secure Mail displays only the sync interval values that are less than the ActiveSync Maximum email age filter setting.

Default value is 3 days.

Mail search limit

Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches. Default value is Unlimited.

To restrict the amount of mail that is synced to a mobile device, configure the Maximum client sync period policy.

Max sync interval

Controls the amount of mail stored locally on a mobile device by limiting the sync period. Default value is All. To restrict the time period that a device can search on the mail server, configure the Mail server search limit policy.

Enable week number

If On, calendar views include the week number. Default value is Off.

Enable download of attachments over Wi-Fi

If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over allowed internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi.

Default value is Off.

Allow offline documents

Specifies whether, and for how long, users can store offline documents on devices. Default value is Unlimited.

Information Rights Management

If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.

Email classification

If On, Secure Mail supports email classification markings for SEC (security) and DLM (dissemination limiting markers). Classification markings appear in email headers as “X-Protective-Marking” values. Be sure to configure the related email classification policies.

Default value is Off.

Email classification markings

Specifies the classification markings to be made available to users. If the list is empty, Secure Mail does not include a list of protective markings. The markings list contains value pairs that are separated by semicolons. Each pair includes the value that appears in Secure Mail and the marking value that is the text appended to the email subject and header in Secure Mail. For example, in the marking pair “UNOFFICIAL,SEC=UNOFFICIAL;”, the list value is “UNOFFICIAL” and the marking value is “SEC=UNOFFICIAL”.

Email classification namespace

Specifies the classification namespace that is required in the email header by the classification standard used. For example, the namespace “gov.au” appears in the header as “NS=gov.au”.

Default value is empty.

Email classification version

Specifies the classification version that is required in the email header by the classification standard used. For example, the version “2012.3” appears in the header as “VER=2012.3”.

Default value is empty.

Default email classification

Specifies the protective marking that Secure Mail applies to an email if a user does not choose a marking. This value must be in the list for the Email classification markings policy.

Default value is UNOFFICIAL.
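The four classification policies above have to agree with each other: every pair in the markings list needs both values, and the Default email classification must be one of the list values. The following is an added example, not Citrix code, that parses the markings format described above, reports those misconfigurations, and assembles the X-Protective-Marking value from the NS= and VER= forms the page quotes; the full markings list is constructed, and the component order (VER, NS, then the marking) and the “[marking]” subject suffix are assumptions.

```python
# Constructed sample values; the pair format and the NS=/VER= forms follow the page.
MARKINGS_POLICY = (
    "UNOFFICIAL,SEC=UNOFFICIAL;"
    "OFFICIAL,SEC=OFFICIAL;"
    "OFFICIAL Sensitive,SEC=OFFICIAL:Sensitive;"
)
NAMESPACE = "gov.au"
VERSION = "2012.3"
DEFAULT_MARKING = "UNOFFICIAL"


def parse_markings(policy):
    """Parse 'list value,marking value;...' into a dict that keeps policy order."""
    markings = {}
    for pair in policy.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if "," not in pair:
            raise ValueError(f"marking pair {pair!r} lacks the comma separator")
        list_value, marking_value = (s.strip() for s in pair.split(",", 1))
        if not list_value or not marking_value:
            raise ValueError(f"marking pair {pair!r} has an empty value")
        markings[list_value] = marking_value
    return markings


def classification_policy_problems(policy, default_marking):
    """Return the problems an admin should fix before turning Email classification On."""
    try:
        markings = parse_markings(policy)
    except ValueError as exc:
        return [str(exc)]
    if not markings:
        return ["Email classification markings is empty: users get no markings list"]
    if default_marking not in markings:
        return [f"Default email classification {default_marking!r} is not in the markings list"]
    return []


def protective_marking_header(marking_value, namespace="", version=""):
    """Assemble the X-Protective-Marking value (component order is an assumption)."""
    parts = [f"VER={version}"] if version else []
    if namespace:
        parts.append(f"NS={namespace}")
    parts.append(marking_value)
    return ", ".join(parts)


def mark_email(subject, chosen=None, policy=MARKINGS_POLICY, default=DEFAULT_MARKING,
               namespace=NAMESPACE, version=VERSION):
    """Return (subject, header) for a message, applying the default marking when the
    user chose none. The '[marking]' subject suffix is an assumption."""
    markings = parse_markings(policy)
    if chosen is not None and chosen not in markings:
        raise ValueError(f"{chosen!r} is not an available marking")
    marking = markings[default if chosen is None else chosen]
    header = ("X-Protective-Marking", protective_marking_header(marking, namespace, version))
    return f"{subject} [{marking}]", header
```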

Enable auto-save of email drafts

If On, Secure Mail supports automatically saving messages to the Drafts folder.

Default value is On.

Initial authentication mechanism

This policy indicates whether the mail server address as provided by MDX or the user’s email address must be used to populate the “address” field on the first time use provisioning screen.

Default value is “Mail server address”.

Initial authentication credentials

This policy defines the value that must be chosen as the user name to populate into the initial first time use provisioning screen.

Default value is “Enrollment user name”.

Enable auto population of user name

If enabled, the user name is automatically populated in the account provisioning user interface. Default value is On.

Enable iOS data protection

Note:

This policy is intended for enterprises that must meet Australian Signals Directorate (ASD) computer security requirements.

Enables iOS data protection when working with files. If On, specifies the file-protection level when creating and opening files in the app sandbox. Default value is Off.

Push Notifications EWS host name

The server that hosts Exchange Web Services (EWS) for mail. The value must be the URL of EWS, along with the port number. Default value is empty.

Push notifications

Enables APNs-based notifications about mailbox activity. If On, Secure Mail supports push notifications.

Default value is Off.

Push notifications region

The region where the APNs host is located for Secure Mail users. Options are Americas, EMEA, and APAC. Default value is Americas.

S/MIME public certificate source

Specifies the source of S/MIME certificates. If Email, you must email user certificates to users, who then open the email in Secure Mail and import the attached certificates.

If Shared vault, a supported digital identity provider supplies certificates to the Secure App shared vault. The integration with the third-party provider requires that you publish a related app to users. See the description for the Enable S/MIME during first Secure Mail startup policy for details about the user experience.

Default value is Email.

Enable S/MIME during first Secure Mail startup

Determines whether Secure Mail enables S/MIME during the first Secure Mail startup, if the S/MIME certificate source policy is Shared vault. If On, Secure Mail enables S/MIME if there are certificates for the user in the shared vault. If there are no certificates in the shared vault, the user is prompted to import the certificates. In both of those scenarios, users must configure certificates from a supported digital identity provider app before creating an account in Secure Mail.

If Off, Secure Mail does not enable S/MIME and the user can enable it in the Secure Mail settings. Default value is Off.

Calendar Web and Audio Options

  • GoToMeeting and User Entered: Users can choose the type of conference they would like to set up. Options include GoToMeeting, which opens a GoToMeeting page, and Other Conference, which allows users to enter meeting information manually.
  • User Entered Only: Users are taken directly to the Other Conference page where they can enter meeting information manually.

S/MIME public certificate source

Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.

LDAP server address

LDAP server address including port number. Default value is empty.

LDAP Base DN

LDAP base distinguished name. Default value is empty.

Access LDAP Anonymously

If this policy is On, Secure Mail can search LDAP without prior authentication. Default is Off.

Allowed Email Domains

Defines a list of allowed email domains in a comma-separated format such as server.company.com,server.company.co.uk. The default value is empty, which implies that Secure Mail does not filter email domains and supports all email domains. Secure Mail matches the listed domains with the domain name in the email address. For instance, when server.company.com is a listed domain name and the email address is user@internal.server.company.com, Secure Mail supports the email address.
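The paragraph above describes the matching rule in words: a listed domain covers an address whose domain equals it or, as in the user@internal.server.company.com example, is a subdomain of it, and an empty list means no filtering. The following added example (not Secure Mail's code) implements that rule. It assumes the comparison is label-aligned, that is, the address domain must equal the listed domain or end with a dot followed by it, so that an unrelated domain that merely ends in the same characters does not match; that detail is an assumption, since the article does not state it.

```python
"""Allowed Email Domains: evaluate an address against the policy's domain list.

Added example, not Secure Mail code. The subdomain rule follows the article's
user@internal.server.company.com example; the label-aligned comparison
(domain == listed, or domain ends with "." + listed) is an assumption.
"""
from typing import List, Optional


def parse_allowed_domains(policy_value: str) -> List[str]:
    """Split the comma-separated policy value; trim, lower-case, drop blanks."""
    return [d.strip().lower().strip(".")
            for d in policy_value.split(",") if d.strip()]


def email_domain(address: str) -> Optional[str]:
    """Return the domain part of a single-@ address, or None if it is not one."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().strip(".")


def is_allowed(address: str, policy_value: str) -> bool:
    """True when the policy list is empty (no filtering) or the address domain
    is a listed domain or a subdomain of one."""
    allowed = parse_allowed_domains(policy_value)
    if not allowed:
        return True  # empty policy: Secure Mail supports all email domains
    domain = email_domain(address)
    if domain is None:
        return False  # not a well-formed address, nothing to match
    return any(domain == d or domain.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    policy = "server.company.com,server.company.co.uk"  # value from the article
    for addr in ("user@internal.server.company.com",
                 "user@notserver.company.com",
                 "user@company.com"):
        print(addr, "->", is_allowed(addr, policy))
```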

Attempt user name Migration On Authentication Failure

Attempts to migrate the Exchange user name to a UPN for authentication. The default value is Off.

Report Phishing Mail Address

If configured, you can report suspected phishing mails to a given email address or a list of comma-separated email addresses. The default value is empty. If you do not configure this policy, you will not be able to report phishing messages.

Report Phishing Mechanism

This policy indicates the mechanism used to report suspected phishing mails.

  • Report via attachment: Report phishing mails as an attachment. The attachment is sent to an email address or a list of comma-separated email addresses configured in the Report Phishing Mail Addresses policy.
  • Report via forward: Report phishing mails as a forward. The mail is forwarded to an email address or a list of comma-separated email addresses configured in the Report Phishing Mail Addresses policy.

Note:

This policy is available only for Microsoft Exchange Server.

Default is Report via attachment.

Skype for Business Meeting Domains

This policy contains a comma-separated list of domains used for Skype for Business meetings.

Secure Mail already handles meetings whose URLs begin with the following prefixes:

  • https://join
  • https://meet
  • https://lync

With this policy, other Skype for Business domains can be added in the form https://*domain*. The domain can be a string of alphanumeric characters and cannot contain any special characters. Do not enter the preceding https:// or the succeeding dot.

Example:

If the policy value is customDomain1,customDomain2, the supported URL prefixes for Skype for Business would be:

  • https://customDomain1
  • http://customDomain1
  • https://customDomain2
  • http://customDomain2

Default value is empty.
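The example in the article shows how each configured domain expands to an https:// and an http:// prefix alongside the three built-in prefixes. The following added example (not Secure Mail's code) builds that prefix list from a policy value, enforces the alphanumeric-only rule the policy states for each entry, and applies the same plain string-prefix match to a meeting URL. The lower-casing of URL and prefixes before comparison is an assumption.

```python
"""Skype for Business Meeting Domains: expand the policy into URL prefixes.

Added example, not Secure Mail code. Built-in prefixes and the https/http
expansion come from the article; case-insensitive matching is an assumption.
"""
import re
from typing import List

BUILTIN_PREFIXES = ["https://join", "https://meet", "https://lync"]  # from the article

# The policy text says a domain is alphanumeric and contains no special characters.
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9]+$")


def is_valid_meeting_domain(domain: str) -> bool:
    """True for a non-empty, purely alphanumeric entry (no scheme, no dots)."""
    return bool(_DOMAIN_RE.match(domain))


def parse_meeting_domains(policy_value: str) -> List[str]:
    """Split the comma-separated value and reject entries that break the rule,
    for example ones that still carry 'https://' or a trailing dot."""
    domains = []
    for raw in policy_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not is_valid_meeting_domain(entry):
            raise ValueError(f"invalid Skype for Business meeting domain: {entry!r}")
        domains.append(entry)
    return domains


def meeting_url_prefixes(policy_value: str) -> List[str]:
    """Built-in prefixes followed by https:// and http:// prefixes per domain,
    in the order the article's example lists them."""
    prefixes = list(BUILTIN_PREFIXES)
    for domain in parse_meeting_domains(policy_value):
        prefixes.append(f"https://{domain}")
        prefixes.append(f"http://{domain}")
    return prefixes


def is_meeting_url(url: str, policy_value: str) -> bool:
    """Plain prefix match, as the article describes."""
    candidate = url.strip().lower()
    return any(candidate.startswith(p.lower()) for p in meeting_url_prefixes(policy_value))


if __name__ == "__main__":
    for p in meeting_url_prefixes("customDomain1,customDomain2"):
        print(p)
```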

Export Calendar

This policy allows Secure Mail calendar events to be exported to your device or personal calendar. You can view your events in your personal calendar. You can edit the events using Secure Mail. Default value is Meeting Time.

The following MDX policy values are available for the calendar event fields that appear in your personal calendar:

  • None (Don’t Export)
  • Meeting Time
  • Meeting Time, Location
  • Meeting Time, Subject, Location
  • Meeting Time, Subject, Location, Notes

Caller Identification

If On, Secure Mail provides the name and contact number of your saved contacts to iOS for caller identification purposes. This data is only used to identify and display details of incoming calls from your saved Secure Mail contact list. The default value is On.

OAuth Support for Office 365

Office 365 authentication mechanism

This policy indicates the OAuth mechanism used for authentication while configuring an account on Office 365.

  • Do not use OAuth: OAuth is not used and Secure Mail uses Basic authentication for account configuration.
  • Use OAuth with Username and Password: The user must provide their user name and password, and optionally an MFA code for the OAuth flow.
  • Use OAuth with Client Certificate: The user authenticates the OAuth flow using a client certificate.

Default is “Do not use OAuth”.

Trusted Exchange Online host names

Defines a list of trusted Exchange Online host names that use the OAuth mechanism for authentication while configuring an account. The value is a comma-separated list, such as server.company.com, server.company.co.uk. If the list is empty, Secure Mail uses Basic authentication for account configuration. Default value is outlook.office365.com.

Trusted AD FS host names

Defines a list of trusted AD FS host names for webpages where the password is populated during Office 365 OAuth authentication. The value is a comma-separated list, such as sts.companyname.com, sts.company.co.uk. If the list is empty, Secure Mail does not auto-populate passwords. Secure Mail matches the listed host names with the host name of the webpage encountered during Office 365 authentication and checks that the page uses HTTPS. For instance, when sts.company.com is a listed host name and the user navigates to https://sts.company.com, Secure Mail populates the password if the page has a password field. Default value is login.microsoftonline.com.
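The password auto-population rule above has three parts: the page must be HTTPS, its host name must be in the trusted list, and the page must actually have a password field. The following added example (not Secure Mail's code) encodes that decision as a single function so each condition can be checked in isolation. Host comparison is taken from the URL's host component only, so a trusted name appearing elsewhere in the URL (in the path, in a query string, or as a prefix of a longer host name) does not count; exact host-name equality is what the article describes, and the use of Python's urlsplit to extract the host is an assumption about implementation, not a statement about how Secure Mail parses URLs.

```python
"""Trusted AD FS host names: decide whether a password may be auto-populated.

Added example, not Secure Mail code. The three conditions (HTTPS, trusted
host, password field present) are the ones the article states; parsing with
urllib.parse.urlsplit is an implementation assumption.
"""
from typing import List
from urllib.parse import urlsplit


def parse_trusted_hosts(policy_value: str) -> List[str]:
    """Split the comma-separated policy value; trim, lower-case, drop blanks."""
    return [h.strip().lower().rstrip(".")
            for h in policy_value.split(",") if h.strip()]


def page_host(page_url: str) -> str:
    """Host component of the URL, lower-cased, without port or userinfo.
    Returns '' when the URL has no host."""
    parts = urlsplit(page_url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def may_autofill_password(page_url: str, policy_value: str,
                          page_has_password_field: bool) -> bool:
    """True only when every condition from the policy description holds."""
    trusted = parse_trusted_hosts(policy_value)
    if not trusted:
        return False  # empty list: Secure Mail does not auto-populate passwords
    if not page_has_password_field:
        return False  # nothing to populate
    parts = urlsplit(page_url.strip())
    if parts.scheme.lower() != "https":
        return False  # the page must use HTTPS
    return page_host(page_url) in trusted  # exact host-name match


if __name__ == "__main__":
    policy = "sts.companyname.com, sts.company.co.uk"  # sample value from the article
    for url in ("https://sts.company.co.uk/adfs/ls/",
                "http://sts.company.co.uk/adfs/ls/",
                "https://sts.company.co.uk.example.net/adfs/ls/"):
        print(url, "->", may_autofill_password(url, policy, True))
```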

Mail Redirection

Mail Redirection

Controls where mail composition is redirected. If Secure Mail, mail compose is redirected to Secure Mail. If native mail, mail compose is redirected to the native mail app, provided an account is set up there. Default value is Secure Mail.

Slack Integration

Enable Slack

Blocks or permits Slack integration. If ON, the Secure Mail interface includes Slack features. If OFF, the Secure Mail interface doesn’t include Slack features. Default value is OFF.

Slack workspace name

The Slack workspace name for your company. If you provide a name, Secure Mail pre-fills the workspace name during sign-on. If you don’t provide a name, users must type the workspace name (name.slack.com). Default value is empty.
