Administrator tasks and considerations

MDX policies for mobile productivity apps at a glance

May 18, 2020

Contributed by:

B C S

This article notes the MDX app policies for Citrix mobile productivity apps for iOS and Android, along with the default values. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.

Note:

Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication

Device passcode

iOS: Yes
Android: No
Default setting: Off

Note:

This policy only applied to iOS 9 devices, which Citrix no longer supports.

App passcode

iOS: Yes
Android: Yes
Default setting: On

Online session required grace period (minutes)

iOS: Yes
Android: No
Default setting: 0

Maximum offline period

iOS: Yes
Android: Yes
Default setting: 168 hours (7 days)

Alternate Citrix Gateway

Note:

This policy name in the Endpoint Management console is Alternate NetScaler Gateway.

iOS: Yes
Android: Yes
Default setting: Empty

Device security

Block jailbroken or rooted

iOS: Yes
Android: Yes
Default setting: On

Require device lock

iOS: No
Android: Yes
Default setting: Off

Note:

On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.

Network requirements

Require Wi-Fi

iOS: Yes
Android: Yes
Default setting: Off

Allowed Wi-Fi Networks

iOS: Yes
Android: Yes
Default setting: Empty

Miscellaneous access

App update grace period (hours)

iOS: Yes
Android: Yes
Default setting: 168 hours (7 days)

Note:

Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.

Disable required upgrade

iOS: Yes
Android: Yes
Default setting: On

Erase app data on lock

iOS: Yes
Android: Yes
Default setting: Off

Active poll period (minutes)

iOS: Yes
Android: Yes
Default setting: 60 minutes (1 hour)

Note:

Only set this value lower than the default for high-risk apps, or performance may be affected.

Encryption

Encryption type

iOS: Yes
Android: Yes
Default setting: MDX encryption

Caution:

For newly added apps, when you change from Platform encryption with compliance enforcement to MDX encryption, you are forced to remove and reinstall the app. The default setting for newly added apps is Platform encryption with compliance enforcement.

Non-compliant device behavior

iOS: Yes
Android: Yes
Default setting: Allow app after warning

Enable MDX encryption

iOS: Yes
Android: No
Default setting: On

Caution:

If you change this policy after deploying an app, users must reinstall the app.

Encryption keys

iOS: No
Android: Yes
Default setting: Offline access permitted is the only available option.

Private file encryption

iOS: No
Android: Yes
Default setting: SecurityGroup

Private file encryption exclusions

iOS: No
Android: Yes
Default setting: Empty

Access limits for public files

iOS: No
Android: Yes
Default setting: Empty

Note:

Enabling the Public file encryption policy enforces this policy (changed from the Disable Option to the SecurityGroup or Application option). This policy applies only to existing, unencrypted public files and specifies when to encrypt the files.

Public file encryption

iOS: No
Android: Yes
Default setting: SecurityGroup

Public file encryption exclusions

iOS: No
Android: Yes
Default setting: Empty

Public file migration

iOS: No
Android: Yes
Default setting: Write (RO/RW)

Note:

Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

Enable encryption

iOS: Yes
Android: No
Default setting: On

Note:

If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Database encryption exclusions

iOS: Yes
Android: No
Default setting: Empty

File encryption exclusions

iOS: Yes
Android: No
Default setting: Empty

App interaction

Security Group

iOS: No
Android: Yes
Default setting: Empty

Note:

If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Cut and copy

iOS: Yes
Android: Yes
Default setting: Restricted

Paste

iOS: Yes
Android: Yes
Default setting: Unrestricted

Document exchange (Open in)

iOS: Yes
Android: Yes
Default setting: Restricted

URL domains excluded from filtering

iOS: No
Android: Yes
Default setting: Empty

Allowed Secure Web domains

iOS: No
Android: Yes
Default setting: Empty

Connection security level

iOS: Yes
Android: Yes
Default setting: TLS

Inbound document exchange (Open In)

iOS: Yes
Android: Yes
Default setting: Unrestricted

Restricted Open In exception list

iOS: Yes
Android: Yes
Default setting: Empty (for Android); Office 365 apps (for iOS)

Note:

On Android, this policy was previously named Open In exclusions. On iOS, this policy is hidden. For details, see MDX policies for iOS apps.

App URL schemes

iOS: Yes
Android: No
Default setting: Empty. All registered app URL schemes are blocked.

Allowed URLs

iOS: Yes
Android: No
Default setting: For details about the default settings, see the App Interaction section in MDX policies for iOS apps.

Explicit logoff notifications

iOS: Yes
Android: No
Default setting: Shared devices only, for Secure Mail

App interaction (outbound URL)

Domains excluded from URL filtering

iOS: Yes
Android: No
Default setting: Empty

Allowed URLs

iOS: Yes
Android: No
Default setting: or details about the default settings, see the App interaction (outbound URL) section in MDX policies for iOS apps

Allowed Secure Web Domains

iOS: Yes
Android: No
Default setting: Empty

App restrictions

Block camera

iOS: Yes
Android: Yes
Default setting: Off for iOS; On for Android

Block gallery

iOS: No
Android: Yes
Default setting: Off

Block Photo Library

iOS: Yes
Android: No
Default setting: On

Block mic record

iOS: Yes
Android: Yes
Default setting: On

Block dictation

iOS: Yes
Android: No
Default setting: On

Block location services

iOS: Yes
Android: Yes
Default setting: For Android: Default value is Off for Secure Mail. Default value is On for other apps.

Block SMS compose

iOS: Yes
Android: Yes
Default setting: On

Block screen capture

iOS: No
Android: Yes
Default setting: On

Block device sensor

iOS: No
Android: Yes
Default setting: On

Block NFC

iOS: No
Android: Yes
Default setting: On

Block iCloud

iOS: Yes
Android: No
Default setting: On

Block Look Up

iOS: Yes
Android: No
Default setting: On

Block file backup

iOS: Yes
Android: No
Default setting: On

Block AirPrint

iOS: Yes
Android: No
Default setting: On

Block Printing

iOS: No
Android: Yes
Default setting: On

Block AirDrop

iOS: Yes
Android: No
Default setting: On

Block file attachments

iOS: Yes
Android: No
Default setting: Off

Block email compose

iOS: Yes
Android: No
Default setting: On

Block Facebook and Twitter APIs

iOS: Yes
Android: No
Default setting: On

Obscure screen contents

iOS: Yes
Android: No
Default setting: On

Block third-party keyboards

iOS: Yes
Android: No
Default setting: On

Note:

iOS 11 and later

Block app logs

iOS: Yes
Android: Yes
Default setting: Off

Enable ShareFile

iOS:
Android: Yes
Default setting: On

Enable Attach from Files

iOS: Yes
Android: No
Default setting: On

App network access

Network access

iOS: Yes
Android: Yes
Default setting: For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.

micro VPN session required

iOS: Yes
Android: Yes
Default setting: Use Previous Setting. For newly uploaded apps, the default value is No.

micro VPN session required grace period (minutes)

iOS: Yes
Android: Yes
Default setting: 0 (no grace period)

Exclusion List

iOS: Yes
Android: Yes
Default setting: Empty

Block localhost connections

iOS: No
Android: Yes
Default setting: Off

Certificate label

iOS: Yes
Android: Yes
Default setting: Empty

App logs

Default log output

iOS: Yes
Android: Yes
Default setting: file

Default log level

iOS: Yes
Android: Yes
Default setting: 4 (informational messages)

Max log files

iOS: Yes
Android: Yes
Default setting: 2

Max log file size

iOS: Yes
Android: Yes
Default setting: 2 MB

Redirect app logs

iOS: No
Android: Yes
Default setting: On

Encrypt logs

iOS: No
Android: Yes
Default setting: Off

App geofence

Center point longitude

iOS: Yes
Android: Yes
Default setting: 0

Center point latitude

iOS: Yes
Android: Yes
Default setting: 0

Radius

iOS: Yes
Android: Yes
Default setting: 0 (disabled)

Note:

Set the radius in meters. When set to zero, the geofence is disabled.

App settings

Secure Mail Exchange Server

iOS: Yes
Android: Yes
Default setting: Empty

Note:

If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Secure Mail user domain

iOS: Yes
Android: Yes
Default setting: Empty

Background network services

iOS: Yes
Android: Yes
Default setting: Empty

Note:

If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server.

Background services ticket expiration

iOS: Yes
Android: Yes
Default setting: 168 hours (7 days)

Background network service gateway

iOS: Yes
Android: Yes
Default setting: Empty

Note:

If you configure this policy, set the network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network or if you want to use Citrix Gateway to proxy the connection to the internal Exchange Server. This policy takes effect when you configure the Network access policy.

Export contacts

iOS: Yes
Android: Yes
Default setting: Off

Contact fields to export

iOS: Yes
Android: Yes
Default setting: All

Accept all SSL certificates

iOS: Yes
Android: Yes
Default setting: Off

Control locked screen notifications

iOS: Yes
Android: Yes
Default setting: Allow

Use Secure Connection

iOS: No
Android: Yes
Default setting: On

Default email notification

iOS: Yes
Android: No
Default setting: On

Default sync interval

iOS: Yes
Android: Yes
Default setting: 3 days

Note:

The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. Secure Mail displays only the sync interval values that are less than the Maximum email age filter.

Mail search limit

iOS: Yes
Android: Yes
Default setting: Unlimited

Max sync interval

iOS: Yes
Android: Yes
Default setting: All

Enable week number

iOS: Yes
Android: Yes
Default setting: Off

Enable downloads of attachments over Wi-Fi

iOS: Yes
Android: Yes
Default setting: Off

Allow offline documents

iOS: Yes
Android: Yes
Default setting: Unlimited

Information Rights Management

iOS: Yes
Android: Yes
Default setting: Off

Email classification

iOS: Yes
Android: No
Default setting: Off

Email classification markings

iOS: Yes
Android: No
Default setting: Empty

Email classification namespace

iOS: Yes
Android: No
Default setting: Empty

Email classification version

iOS: Yes
Android: No
Default setting: Empty

Default email classification

iOS: Yes
Android: No
Default setting: UNOFFICIAL

Enable auto-save of draft emails

iOS: Yes
Android: Yes
Default setting: On

Enable iOS data protection

iOS: Yes
Android: No
Default setting: Off

Push Notifications EWS HostName

iOS: Yes
Android: No
Default setting: Empty

Push notifications

iOS: Yes
Android: No
Default setting: Off

Push notifications region

iOS: Yes
Android: No
Default setting: Americas

Enable S/MIME during first Secure Mail startup

iOS: Yes
Android: No
Default setting: Off

Initial authentication mechanism

iOS: Yes
Android: Yes
Default setting: Use MDX provided mail server address

Initial authentication credentials

iOS: Yes
Android: Yes
Default setting: Enrollment user name

Enable week number

iOS: Yes
Android: Yes
Default setting: Off

Calendar Web and Audio Options

iOS: Yes
Android: Yes
Default setting: GoToMeeting and User Entered

S/MIME public certificate source

iOS: Yes
Android: Yes
Default setting: Exchange

LDAP Server address

iOS: Yes
Android: Yes
Default setting: Empty

LDAP Base DN

iOS: Yes
Android: Yes
Default setting: Empty

Access LDAP anonymously

iOS: Yes
Android: Yes
Default setting: Off

Allowed email domains

iOS: Yes
Android: No
Default setting: Empty

Note:

If empty, does not restrict domains.

Attempt Username Migration On Authentication Failure

iOS: Yes
Android: Yes
Default setting: Off

Report Phishing Mail Addresses

iOS: Yes
Android: Yes
Default setting: Empty

Report Phishing Mechanism

iOS: No
Android: Yes
Default setting: Report via attachment (.eml)

Skype for Business Meeting Domains

iOS: Yes
Android: Yes
Default setting: Empty

Export calendar

iOS: Yes
Android: Yes
Default setting: Meeting time

Enable Slack

iOS: Yes
Android: Yes
Default setting: Off

Slack workspace name

iOS: Yes
Android: Yes
Default setting: Empty

Caller Identification

iOS: Yes
Android: No
Default setting: On

Note:

If On, Secure Mail provides iOS with names and phone numbers of your saved contacts for caller identification.

Analytics

Enable Google Analytics

iOS: Yes
Android: No
Default setting: On

Google Analytics level of detail

iOS: Yes
Android: Yes
Default setting: Complete

Reporting

Citrix reporting

iOS: Yes
Android: No
Default setting: Off

Note:

Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.

Upload token

iOS: Yes
Android: No
Default setting: Empty

Send reports over Wi-Fi only

iOS: Yes
Android: No
Default setting: On

Reporting file cache maximum

iOS: Yes
Android: No
Default setting: 2 MB

OAuth support for Office 365

Use modern authentication for Office 365

iOS: No
Android: Yes
Default setting: Off

Office 365 authentication mechanism

iOS: Yes
Android: No
Default setting: Do not use OAuth

Trusted Exchange Online Hostnames

iOS: Yes
Android: Yes
Default setting: outlook.office365.com

Trusted AD FS Hostnames

iOS: Yes
Android: Yes
Default setting: login.microsoftonline.com

Custom user agent for modern authentication

iOS: No
Android: Yes
Default setting: Empty

Note:

If you do not configure this policy, the default Secure Mail user agent is used during modern authentication.

Mail redirection

iOS: Yes
Android: No
Default setting: Secure Mail

Slack integration

Enable Slack

iOS: Yes
Android: Yes
Default setting: Off

Slack workspace name

iOS: Yes
Android: Yes
Default setting: Empty

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

MDX policies for mobile productivity apps at a glance

May 18, 2020

Contributed by:

B C S

May 18, 2020

Contributed by:

B C S