MDX policies for mobile productivity apps for iOS
This article describes the MDX policies for iOS apps. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.
The following list does not include MDX policies specific to Secure Web. For details about the policies that appear for Secure Web, see Secure Web policies.
If On, a PIN or passcode is required to unlock the device when it starts or resumes after a period of inactivity. A device passcode is required to encrypt app data using Apple file encryption. Data for all apps on the device are encrypted. Default value is Off.
If On, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value is On.
To configure the inactivity timer for all apps, set the INACTIVITY_TIMER value in minutes in Client Properties on the Settings tab. The default inactivity timer value is 60 minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.
If you select Secure offline for the Encryption keys policy, this policy is automatically enabled.
Maximum offline period (hours)
Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from Citrix Endpoint Management. At expiration, logon to the server may be triggered if needed. Default value is 168 hours (7 days). Minimum period is 1 hour.
Alternate Citrix Gateway
This policy name in the Endpoint Management console is Alternate NetScaler Gateway.
Address of a specific alternate Citrix Gateway that should be used for authentication and for micro VPN sessions with this app. This is an optional policy that, when used in conjunction with the Online session required policy, forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the server’s default gateway is always used. Default value is empty.
Block jailbroken or rooted
If On, the app is locked when the device is jailbroken or rooted. If Off, the app can run even if the device is jailbroken or rooted. Default value is On.
If On, the app is locked when the device is not connected to a Wi-Fi network. If Off, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value is Off.
Allowed Wi-Fi Networks
Comma-delimited list of Wi-Fi networks. If the network name contains any non-alphanumeric characters (including commas), the name must be enclosed in double-quotes. The app will run only if connected to one of the networks listed. If blank, all networks are allowed. This does not affect connections to cellular networks. Default value is blank.
Disable required upgrade
Disables the requirement that users upgrade to the newest version of the app in the App Store. Default value is On.
App update grace period (hours)
Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is 168 hours (7 days).
Using a value of zero is not recommended since it immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This might lead to a situation where the user is forced to exit the app (potentially losing work) in order to comply with the required update.
Erase app data on lock
Erases data and resets the app when the app is locked. If Off, app data is not erased when the app is locked. Default value is Off.
An app can be locked for any of the following reasons:
- Loss of app entitlement for the user
- App subscription removed
- Account removed
- Secure Hub uninstalled
- Too many app authentication failures
- Jailbroken device detected (per policy setting)
- Device placed in locked state by other administrative action
Active poll period (minutes)
When an app starts, the MDX Framework polls Citrix Endpoint Management to determine current app and device status. Assuming the server running Endpoint Management can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is 60 minutes (1 hour).
Only set this value lower for high-risk apps or performance may be affected.
If Off, the data stored on the device is not encrypted. If On, the data stored on the device is encrypted. Default value is On.
If you change this policy after deploying an app, users must reinstall the app.
Database encryption exclusions
Exclusion list of databases that are not automatic encrypted. To prevent database encryption for a specific database, add an entry to this comma-separated list of regular expressions. If a database path name matches any of the regular expressions, the database is excluded from encryption. The exclusion patterns support Posix 1003.2 Extended Regular Expressions syntax. The pattern matching is case-insensitive.
\.db$,\.sqlite$ will exclude any database path name that ends with either “.db” or “.sqlite”.
\/Database\/unencrypteddb\.db will match database unencrypteddb.db in the Database subfolder.
\/Database\/ will match all databases that contain /Database/ in its path.
Default value is empty.
File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, then that file is excluded from encryption. The exclusion patterns support Posix 1003.2 Extended Regular Expressions syntax. The pattern matching is case-insensitive.
\.log$,\.dat$ excludes any file path name that ends with either “.log” or “.dat”.
\/Documents\/unencrypteddoc\.txt matches the contents of the file unencrypteddoc.txt in the Documents subfolder.
\/Documents\/UnencryptedDocs\/.*\.txt matches “.txt” files under the subpath /Documents/UnencryptedDocs/.
Default value is empty.
Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for this app. If Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value is Restricted.
Blocks, permits, or restricts Clipboard paste operations for this app. If Restricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value is Unrestricted.
Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps.
If Unrestricted, set the Enable encryption policy to On so that users can open documents in unwrapped apps. If the receiving app is unwrapped or has encryption disabled, Citrix Endpoint Management decrypts the document. Default value is Restricted.
Restricted Open-In exception list
When the Document exchange (Open In) policy is Restricted, an MDX app can share documents with this comma-delimited list of unmanaged app IDs, even if the Document exchange(Open In) policy is Restricted and Enable encryption is On.The default exception list allows Office 365 apps:
Only Office 365 apps are supported for this policy.
Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the MDX environment.
Connection security level
Determines the minimum version of TLS/SSL used for connections. If TLS, connections support all TLS protocols. If SSLv3 and TLS, connections support SSL 3.0 and TLS. Default value is TLS.
Inbound document exchange (Open In)
Blocks, restricts, or allows inbound document exchange operations for this app. If Restricted, documents can be exchanged only with other MDX apps. Default value is Unrestricted.
If Blocked or Restricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app.
Options: Unrestricted, Blocked, or Restricted
App URL schemes
iOS apps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as “
http://”). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the schemes that are passed into this app for handling (that is, inbound URLs). Default value is empty, meaning that all registered app URL schemes are blocked.
The policy should be formatted as a comma-separated list of patterns in which each pattern may be preceded by a plus “+” or minus “-“. Inbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the action taken is dictated by the prefix.
- A minus “-“ prefix blocks the URL from being passed into this app.
- A plus “+” prefix permits the URL to be passed into the app for handling.
- If neither “+” or “-“ is provided with the pattern, “+” (allow) is assumed.
- If an inbound URL does not match any pattern in the list, the URL is blocked.
The following table contains examples of App URL schemes:
|Scheme||App that requires the URL scheme||Purpose|
|ctxmobilebrowser||Secure Web-||Permit Secure Web to handle HTTP: URLs from other apps.-|
|ctxmobilebrowsers||Secure Web-||Permit Secure Web to handle HTTPS: URLs from other apps.|
|ctxmail||Secure Mail-||Permit Secure Mail to handle mailto: URLs from other apps.|
|COL-G2M||GoToMeeting-||Permit a wrapped GoToMeeting app to handle meeting requests.|
|ctxsalesforce||Citrix for Salesforce-||Permit Citrix for Salesforce to handle Salesforce requests.|
|wbx||WebEx||Permit a wrapped WebEx app to handle meeting requests.|
App interaction (outbound URL)
Domains excluded from URL filtering
This policy excludes outbound URLs from any “Allowed URLs” filtering. Add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes to exclude from the “Allowed URLs” filtering. If this policy is empty (the default), the defined “Allowed URLs” filtering processes are URLs. If this policy contains any entries, those URLs with host fileds matching at least one item in the list (via DNS suffix match) are sent unaltered to iOS, bypassing the “Allowed URLs” filtering logic. Default value is empty.
iOS apps can dispatch URL requests to other applications that have been registered to handle specific schemes (such as
"http://"). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the URLs that are passed from this app to other apps for handling (that is, outbound URLs).
The policy should be formatted as a comma-separated list of patterns in which each pattern may be preceded by a plus “+” or minus “-“. Outbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the action taken is dictated by the prefix. A minus “-“ prefix blocks the URL from being passed out to another app. A plus “+’ prefix permits the URL to be passed out to another app for handling. If neither “+” or minus “-“ is provided with the pattern, “+” (allow) is assumed. A pair of valus separated by “=” indicates a substitution where occurrences of the first string are replaced with the second. You can use regular-expression “^” prefix to search string to anchor it to the beginning of the URL. If an outbound URL does not match any pattern in the list, it will be blocked.
If the setting is blank, all URLs are blocked, except for the following:
- +citrixreceiver: +tel:
The following table contains examples of allowed URLs:
|^mailto:=ctxmail:||All mailto: URLs open in Secure Mail.|
|^http:||All HTTP URLs open in Secure Web.|
|^https:||All HTTPS URLs open in Secure Web.|
|^tel:||Allows user to make calls.|
|-//www.dropbox.com||Blocks Dropbox URLs dispatched from managed apps.|
|+^COL-G2M:||Permits managed apps to open the GoToMeeting client app.|
|-^SMS:||Blocks the use of a messaging chat client.|
|-^wbx:||Blocks managed apps from opening the WebEx client app.|
|+^ctxsalesforce:||Permits Citrix for Salesforce to communicate with your Salesforce server.|
Allowed Secure Web domains
This policy only affects “Allowed URLs” policy entries that would redirect a URL to the Secure Web app (^ http:=ctxmobilebrowser: and ^https:=ctxmobilebrowsers:). Add a comma-separated list of fully qualifies domain names (FQDN) or DNS suffixes allowed to redirect to the Secure Web app. If this policy is empty (the default), all domains can redirect to the Secure Web app. If this policy contains any entries, then only those URLs with host fields matching at least one item in the list (via DNS suffix match) redirect to the Secure Web app. All other URLs are sent unaltered to iOS, bypassing the Secure Web app. Default value is empty.
Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies are Off, content can travel between unmanaged apps and the Secure environment.
If On, prevents an app from directly using the camera hardware. Default value is OFF.
Block Photo Library
If On, prevents an app from accessing the Photo Library on the device. Default value is On.
Block mic record
If On, prevents an app from directly using the microphone hardware. Default value is On.
If On, prevents an app from directly using dictation services. Default value is On.
Block location services
If On, prevents an app from using the location services components (GPS or network). Default value is Off for Secure Mail.
Block SMS compose
If On, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value is On.
Block email compose
If On, prevents an app from using the email compose feature used to send email messages from the app. Default value is On.
If On, prevents an app from using iCloud for the storing and sharing of settings and data.
iCloud data file is controlled by the Block file backup policy.
Default value is On.
Block look up
If On, prevents an app from using the Look Up feature, which searches for highlighted text in the Dictionary, iTunes, the App Store, movie showtimes, nearby locations and more. Default value is On.
Block file backup
If On, prevents data files from being backed up by iCloud or iTunes. Default value is On.
If On, prevents an app from using AirPrint features for printing data to AirPrint-enabled printers. Default value is On.
If On, prevents an app from using AirDrop. Default value is On.
Block file attachments
This policy is enforced on iOS 11 or later.
If On, attachment handling is disabled. Default value is Off.
Block Facebook and Twitter APIs
If On, prevents an app from using the iOS Facebook and Twitter APIs. Default value is On.
Obscure screen contents
If On, when users switch apps, the screen is obscured. This policy prevents iOS from recording screen contents and displaying thumbnails. Default value is On.
Block 3rd party keyboards (iOS 11 and later only)
If On, prevents an app from using third-party keyboard extensions on iOS 8+. Default value is On.
Block app logs
If On, prohibits an app from using the mobile productivity app diagnostic logging facility. If Off, app logs are recorded and may be collected by using the Secure Hub email support feature. Default value is Off.
Allows users to use ShareFile to transfer files. Default value is On.
Enable Attach From Files
Allows users to add attachments from the iOS Files app. Default value is On.
App network access
Tunneled - Web SSO is the name for the Secure Browse in the settings. The behavior is the same.
The settings options are as follows:
- Use Previous Settings: Defaults to the values you had set in the earlier policies. If you change this option, you shouldn’t revert to Use Previous Settings. Also note that changes to the new policies do not take effect until the user upgrades the app to version 18.12.0 or later.
- Blocked: All network access is blocked. Networking APIs used by your app will fail. Per the previous guideline, you should gracefully handle such a failure.
- Unrestricted: All network calls go directly and are not tunneled.
- Tunneled - Full VPN: All traffic from the managed app tunnels through Citrix Gateway.
- Tunneled - Web SSO: The HTTP/HTTPS URL is rewritten. THis option allows only the tunneling of HTTP and HTTPS traffic. A significant advantage of Tunneled - Web SSO is single sign-on (SSO) for HTTP and HTTPS traffic and also PKINIT authentication. On Android, this option has low setup overhead and is thus the preferred option for web browsing types of operations.
- Tunneled - Full VPN and Web SSO: Permits switching between VPN modes automatically as needed. If a network request fails due to an authentication request which cannot be handled in a specific VPN mode, it is retried in an alternate mode.
If one of the Tunneled modes is selected, a per-app VPN tunnel in this initial mode is created back to the enterprise network, and Citrix Gateway split tunnel settings are used. Citrix recommends Tunneled Full VPN for connections that employ client certificates or end-to-end SSL to a resource in the enterprise network. Citrix recommends Tunneled - Web SSO for connections that require single sign-on (SSO).
micro VPN session required
If Yes, the user must have a connection to the enterprise network and an active session. If No, an active session is not required. Default value is Use Previous Setting. For newly uploaded apps, the defaut value is No. Whichever setting was selected prior to the upgrade to this new policy remains in effect until an option other than Use Previous Setting is selected.
micro VPN session required grace period (minutes)
This value determines how many minutes users can use the app before the Online Session Required policy prevents them from further use (until the online session is validated). Default value is 0 (no grace period). This policy isn’t applicable for integration with Microsoft Intune/EMS.
When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).
Comma-delimited list of FQDNs or DNS suffixes to be accessed directly instead of through a VPN connection. This only applies to the Tunneled - Web SSO mode when Citrix Gateway is configured with Split tunnel reverse mode.
Default log output
Determines which output media are used by mobile productivity app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value is file.
Default log level
Controls default verbosity of the mobile productivity app diagnostic logging facility. Each level includes levels of lesser values. Range of possible levels includes:
- 0 - Nothing logged
- 1 - Critical errors
- 2 - Errors
- 3 - Warnings
- 4 - Informational messages
- 5 - Detailed informational messages
- 6 through 15 - Debug levels 1 through 10
Default value is level 4 (Informational messages).
Max log files
Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.
Max log file size
Limits the size in megabytes (MB) of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
Center point longitude
Longitude (X coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.
Should be expressed in signed degrees format (DDD.dddd), for example “-31.9635”. West longitudes should be prefaced with a minus sign. Default value is 0.
Center point latitude
Latitude (Y coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.
Should be expressed in signed degreed format (DDD.dddd), for example “43.06581”. Southern latitutes should be prefaced with a minus sign. Default value is 0.
Radius of the geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.
Should be expressed in meters. When set to zero, the geofence is disabled. When the Block location serviced policy is enabled, geofencing does not work properly. Default is 0 (disabled).
Enable Google Analytics
If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default value is On.
Google Analytics level of detail
Citrix collects analytics data to improve product quality. Selecting Anonymous opts users out of including company identifiable information. Default is Complete.
If On, Citrix collects crash reports and diagnostics to help troubleshoot issues. If Off, Citrix doesn’t collect data.
Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.
Default value is Off.
You can obtain an upload token from your Citrix Insight Services (CIS) account. If you specify this optional token, CIS gives you access to crash reports and diagnostics uploaded from your devices. Citrix has access to that same information. Default value is empty.
Send reports over Wi-Fi only
If On, Citrix sends crash reports and diagnostics only when you’re connected to a Wi-Fi network. Default value is On.
Report file cache maximum
Limits the size of the crash report and diagnostics bundles retained before clearing the cache. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
Explicit logoff notification
If Disabled, the app is not activated during a user logoff. If Shared devices only, the app is activated during user logoff, only if the device is configured as a shared device. Default is Shared devices only for Secure Mail.
Secure Mail Exchange Server
The fully qualified domain name (FQDN) for Exchange Server or, for iOS only, IBM Notes Traveler server. Default value is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.
If you change this policy for an existing app, users must delete and reinstall the app to apply the policy change.
Secure Mail user domain
Default Active Directory domain name for Exchange users or, for iOS only, Notes users. Default value is empty.
Background network services
The FQDN and port of service addresses permitted for background network access. This might be an Exchange Server or ActiveSync server, either in your internal network or in another network that Secure Mail connects to, such as mail.example.com:443.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes affect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network and you want to use Citrix Gateway (formerly, NetScaler Gateway) to proxy the connection to the internal Exchange Server.
Default value is empty, implying that background network services are not available.
Background services ticket expiration
Time period that a background network service ticket shall remain valid. After expiration, an enterprise logon will be required to renew the ticket. Default value is 168 hours (7 days).
Background network service gateway
Alternate gateway address to use for background network services, in the form fqdn:port. This is the Citrix Gateway FQDN and port number which Secure Mail uses to connect to the internal Exchange Server. In the Citrix Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. Default value is empty, implying that an alternate gateway does not exist.
If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes affect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server.
Do not enable this feature if users can access your Exchange Server directly (that is, outside of Citrix Gateway). Otherwise, duplicate contacts are created on the device and in Exchange.
If Off, prevents the one-way sync of Secure Mail contacts to the device and sharing Secure Mail contacts (as vCards). Default value is Off.
Contact fields to export
Controls contact fields to be exported to the address book. If All, all contact fields are exported. If Name and Phone, all name- and phone-related contact fields are exported. If Name, Phone and Email, all name-, phone- and email-related contact fields are exported.
Default value is All.
Accept all SSL certificates
If On, Secure Mail accepts all SSL certificates (valid or not) and allows access. If Off, Secure Mail blocks access when a certificate error occurs and displays a warning.
Default value is Off.
Control locked screen notifications
Controls whether mail and calendar notifications appear on a locked device screen. If Allow, all information contained in the notification appears. If Block, notifications do not appear. If Email sender or event title, only the name of the email sender or the title of the calendar event appears. If Count only, only the count of mail and meeting invitations plus the time of calendar reminders appear.
Default value is Allow.
Default email notification
If On, Secure Mail shows the lock screen notification for emails. Default value is On.
Default sync interval
Specifies the default sync interval for Secure Mail. Secure Mail users can change the default. The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. If you specify a Default sync interval that is larger than the Maximum email age filter, the Maximum email age filter setting is used instead.
Secure Mail displays only the sync interval values that are less than the Active Sync Maximum email age filter setting.
Default value is 3 days.
Mail search limit
Restricts the amount of mail history that is accessible from mobile devices by limiting the number of days included in mail server searches. Default value is Unlimited.
To restrict the amount of mail that is synced to a mobile device, configure the Maximum client sync period policy.
Max sync interval
Controls the amount of mail stored locally on a mobile device by limiting the sync period. Default value is All. To restrict the time period that a device can search on the mail server, configure the Mail server search limit policy.
Enable week number
If On, calendar views include the week number. Default value is Off.
Enable download of attachments over Wi-Fi
If On, the Secure Mail Download attachments option is enabled so that users can, by default, download attachments over allowed internal Wi-Fi networks. If Off, the Secure Mail Download attachments option is disabled so that, by default, users cannot download attachments over Wi-Fi.
Default value is Off.
Allow offline documents
Specifies whether, and for how long, users can store offline documents on devices. Default value is Unlimited.
Information Rights Management
If On, Secure Mail supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.
If On, Secure Mail supports email classification markings for SEC (security) and DLM (dissemination limiting markers). Classification markings appear in email headers as “X-Protective-Marking” values. Be sure to configure the related email classification policies.
Default value is Off.
Email classification markings
Specifies the classification markings to be made available to users. If the list is empty, Secure Mail does not include a list of protective markings. The markings list contains value pairs that are separated by semicolons. Each pair includes the list value that appears in Secure Mail and the marking value that is the text appended to the email subject and header in Secure Mail. For example, in the marking pair “UNOFFICIAL,SEC=UNOFFICIAL;”, the list value is “UNOFFICIAL” and the marking value is “SEC=UNOFFICIAL”.
Email classification namespace
Specifies the classification namespace that is required in the email header by the classification standard used. For example, the namespace “gov.au” appears in the header as “NS=gov.au”.
Default value is empty.
Email classification version
Specifies the classification version that is required in the email header by the classification standard used. For example, the version “2012.3” appears in the header as “VER=2012.3”.
Default value is empty.
Default email classification
Specifies the protective marking that Secure Mail applies to an email if a user does not choose a marking. This value must be in the list for the Email classification markings policy.
Default value is UNOFFICIAL.
Enable auto-save of email drafts
If On, Secure Mail supports automatically saving messages to the Drafts folder.
Default value is On.
Initial authentication mechanism
This policy indicates whether the mail server address as provided by MDX should be used to populate the “address” field on the first time use provisioning screen or whether the user’s email address should be used.
Default value is “Mail server address”.
Initial authentication credentials
This policy defines the value that should be chosen as the user name to populate into the initial first time use provisioning screen.
Default value is “Enrollment user name”.
Enable auto population of user name
If enabled, the user name is automatically populated in the account provisioning user interface. Default value is ON.
Enable iOS data protection
This policy is intended for enterprises which must meet Australian Signals Directorate (ASD) computer security requirements.
Enables iOS data protection when working with files. If On, specifies the file-protection level when creating and opening files in the app sandbox. Default value is Off.
Push Notifications EWS Hostname
The server that hosts Exchange Web Services (EWS) for mail. The value should be the URL of EWS, along with the port number. Default value is empty.
Enables APNs-based notifications about mailbox activity. If On, Secure Mail supports push notifications.
Default value is Off.
Push notifications region
The region where the APNs host is located for Secure Mail users. Options are Americas, EMEA, and APAC. Default value is Americas.
S/MIME public certificate source
Specifies the source of S/MIME certificates. If Email, you must email user certificates to users, who then open the email in Secure Mail and import the attached certificates.
If Shared vault, a supported digital identity provider supplies certificates to the Secure App shared vault. The integration with third-party provider requires that you publish a related app to users. See the description for the Enable S/MIME during first Secure Mail startup policy for details about the user experience.
Default value is Email.
Enable S/MIME during first Secure Mail startup
Determines whether Secure Mail enables S/MIME during the first Secure Mail startup, if the S/MIME certificate source policy is Shared vault. If On, Secure Mail enables S/MIME if there are certificates for the user in the shared vault. If there are no certificates in the shared vault, the user is prompted to import the certificates. In both of those scenarios, users must configure certificates from a supported digital identity provider app before creating an account in Secure Mail.
If Off, Secure Mail does not enable S/MIME and the user can enable it in the Secure Mail settings. Default value is Off.
Calendar Web and Audio Options
- GoToMeeting and User Entered: Users can choose the type of conference they would like to set up. Options include GoToMeeting, which will open a GoToMeeting page, and Other Conference, which allows users to enter meeting information manually.
- User Entered Only: Users are taken directly to the Other Conference page where they can enter meeting information manually.
S/MIME public certificate source
Specifies the source of S/MIME public certificates. If Exchange, Secure Mail fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value is Exchange.
LDAP server address
LDAP server address including port number. Default value is empty.
LDAP Base DN
LDAP base distinguished name. Default value is empty.
Access LDAP Anonymously
If this policy is On, Secure Mail can search LDAP without prior authentication. Default is Off.
Allowed Email Domains
Defines a list of allowed email domains in a comma-separated format such as server.company.com,server.company.co.uk. The default value is empty, which implies that Secure Mail does not filter email domains and supports all email domains. Secure Mail matches the listed domains with the domain name in the email address. For instance, when server.company.com is a listed domain name and the email address is email@example.com, Secure Mail supports the email address.
Attempt Username Migration On Auth Failure
Attempts to migrate the Exchange username to a UPN for authentication. The default value is Off.
Report Phishing Mail Address
If configured, you can report suspected phishing mails to a given email address or a list of comma-separated email addresses. The default value is empty. If you do not configure this policy, you will not be able to report phishing messages.
Report Phishing Mechanism
This policy indicates the mechanism used to report suspected phishing mails.
- Report via attachment: Report phishing mails as an attachment. The attachment is sent to an email address or a list of comma-separated email addresses configured in the Report Phishing Mail Addresses policy.
- Report via forward: Report phishing mails as a forward. The mail is forwarded to an email address or a list of comma-separated email addresses configured in the Report Phishing Mail Addresses policy.
This policy is available only for Microsoft Exchange Server.
Default is Report via attachment.
Skype For Business Meeting Domains
This policy contains a comma-separated list of domains used for Skype for Business meetings.
Secure Mail already handles meetings with URL prefix as the following:
With this policy, other Skype For Business domains can be added in the form
https://*domain*. The domain can be a string of alphanumeric characters and can not contain any special characters. Do not enter the preceding
https:// or the succeeding dot.
If the policy value is “customDomain1,customDomain2”, the supported URL prefixes for Skype for Business would be:
Default value is empty.
This policy allows Secure Mail calendar events to be exported to your device or personal calendar. You can view your events in your personal calendar. You can edit the events using Secure Mail. Default value is Meeting Time.
If On, Secure Mail provides the name and contact number of your saved contacts to iOS for caller identification purposes. This data is only used to identify and display details of incoming calls from your saved Secure Mail contact list. The default value is On.
OAuth Support for Office 365
Office 365 authentication mechanism
This policy indicates the OAuth mechanism used for authentication while configuring an account on Office 365.
- Do not use OAuth: OAuth is not used and Secure Mail uses Basic authentication for account configuration.
- Use OAuth with Username and Password: The user needs to provide their user name and password, and optionally a MFA code for the OAuth flow.
- Use OAuth with Client Certificate: The user will authenticate the OAuth flow using a client certificate.
Default is “Do not use OAuth”.
Trusted Exchange Online Hostnames
Defines a list of trusted Exchange Online host names that use the OAuth mechanism for authentication while configuring an account. This is a comma-separated format, such as server.company.com, server.company.co.uk. If the list is empty, Secure Mail uses Basic authentication for account configuration. Default value is outlook.office365.com.
Trusted AD FS Hostnames
Define a list of trusted AD FS hostnames for web pages where the password populates during Office 365 OAuth authentication. This is a comma-separated format, such as sts.companyname.com, sts.company.co.uk. If the list is empty, Secure Mail does not auto populate passwords. Secure Mail matches the listed host names with the host name of the webpage encountered during Office 365 authentication and checks if the page uses HTTPS protocol. For instance, when sts.company.com is a listed host name and if the user navigates to
https://sts.company.com, Secure Mail populates the password if the page has a password field. Default value is login.microsoftonline.com.
Blocks or restricts any mail compose. Secure Mail redirects mail compose to Secure Mail. The native mail redirects mail compose to native mail if an account is set up. Default value is Secure Mail.
Blocks or permits Slack integration. If ON, the Secure Mail interface includes Slack features. If OFF, the Secure Mail interface doesn’t include Slack features. Default value is OFF.
Slack workspace name
The Slack workspace name for your company. If you provide a name, Secure Mail pre-fills the workspace name during sign-on. If you don’t provide a name, users must type the workspace name (name.slack.com). Default value is empty.
MDX policies for mobile productivity apps for iOS
In this article
- Device security
- Network requirements
- Miscellaneous access
- App interaction
- App interaction (outbound URL)
- App Restrictions
- App network access
- App logs
- App geofence
- App interaction
- App settings
- OAuth Support for Office 365
- Mail Redirection
- Slack Integration