MDX policies for mobile productivity apps at a glance

The following tables list the MDX app policies for Citrix mobile productivity apps for iOS and Android. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.

Note: Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Device passcode | X | | Off | |
| App passcode | X | X | On | |
| Online session required grace period (minutes) | X | | 0 | |
| Maximum offline period | X | X | 72 hours | |
| Alternate NetScaler Gateway | X | X | Empty | |

Device security

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Block jailbroken or rooted | X | X | On | |
| Require device encryption | | X | Off | |
| Require device lock | | X | Off | On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set. |

Network requirements

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Require Wi-Fi | X | X | Off | |
| Allowed Wi-Fi Networks | X | X | Empty | |
| Require device lock | X | X | | |

Miscellaneous access

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| App update grace period (hours) | X | X | 168 hours (7 days) | Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work. |
| Disable required update | X | X | Off | |
| Erase app data on lock | X | X | Off | |
| Active poll period (minutes) | X | X | 60 | Only set this value lower than the default for high-risk apps, or performance may be affected |

Encryption

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Encryption keys | | X | Offline access permitted | |
| Private file encryption | | X | Security Group | |
| Private file encryption exclusions | | X | Empty | |
| Access limits for public files | | X | Empty | Enabling the Public file encryption policy enforces this policy (changed from the Disable Option to the SecurityGroup or Application option). This policy applies only to existing, unencrypted public files and specifies when to encrypt the files. |
| Public file encryption | | X | Security Group | |
| Public file encryption exclusions | | X | Empty | |
| Public file migration | | X | Write (RO/RW) | Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key. |
| Enable encryption | X | | On | If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change. |
| Database encryption exclusions | X | | Empty | |
| File encryption exclusions | X | | Empty | |

App interaction

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Security Group | | X | Empty | If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change. |
| Cut and copy | X | X | Restricted | |
| Paste | X | X | Unrestricted | |
| Document exchange (Open In) | X | X | Restricted | |
| URL domains excluded from filtering | | X | Empty | |
| Allowed Secure Web domains | | X | Empty | |
| Connection security level | X | X | TLS | |
| Inbound document exchange (Open In) | X | X | Unrestricted (for Android and iOS); All (for Android for Work) | |
| Restricted Open In exception list | X | X | Empty (for Android); Office 365 apps (for iOS) | On Android, this policy was previously named Open In exclusions. On iOS, this policy is hidden. For details, see MDX policies for iOS apps. |
| App URL schemes | X | | All registered URL schemes are blocked (outbound) | |
| Allowed URLs | X | | For details about the default settings, see the App Interaction section in MDX policies for iOS apps | |
| Explicit logoff notifications | X | | | |

App interaction (outbound URL)

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Domains excluded from URL filtering | X | | Empty | |
| Allowed URLs | X | | For details about the default settings, see the App interaction (outbound URL) section in MDX policies for iOS apps | |
| Allowed Secure Web Domains | X | | Empty | |

App restrictions

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Block Camera | X | X | See Notes | Default value for iOS and Android is On. Only accepted value for Android for Work is On. Default value for Windows Phone is Off. |
| Block Gallery | | X | Default for Android is Off. Only accepted value for Android for Work is On. | |
| Block Photo Library | X | | On | |
| Block mic record | X | X | On | |
| Block dictation | X | | On | |
| Block location services | X | X | See Notes | For Android: Default value is Off for Secure Mail, Secure Notes, and Citrix for Salesforce. Default value is On for other apps. Only accepted value for Android for Work is On. |
| Block SMS compose | X | X | On | |
| Block screen capture | | X | On | |
| Block device sensor | | X | On | |
| Block NFC | | X | On | |
| Block printing | | X | On | |
| Block iCloud | X | | On | |
| Block Look Up | X | | On | |
| Block file backup | X | | On | |
| Block AirPrint | X | | On | |
| Block AirDrop | X | | On | |
| Block file attachments | X | | Off | |
| Block email as attachment | X | | Off | |
| Block Facebook and Twitter APIs | X | | On | |
| Obscure screen contents | X | | On | |
| Block third-party keyboards | X | | On | iOS 8 and later |
| Block app logs | X | X | Off | |
| Enable ShareFile | X | X | On | |
| Enable Attach from Files | X | | On | |

App network access

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Network access | X | X | See notes | For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted. |
| micro VPN session required | X | X | No | |
| mVPN session required grace period (minutes) | X | X | 0 | |
| Exclusion List | X | X | Empty | |
| Block localhost connections | | X | Off | |
| Certificate label | X | X | Empty | |

App logs

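| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Default log output | X | X | File | |
| Default log level | X | X | 4 (informational messages) | |
| Max log files | X | X | 2 | |
| Max log file size | X | X | 2 MB | |
| Redirect app logs | | X | On | |
| Encrypt logs | | X | Off | |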

App geofence

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Center point longitude | X | X | 0 | |
| Center point latitude | X | X | 0 | |
| Radius | X | X | 0 | Set the radius in meters |

App settings

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Secure Mail Exchange Server | X | X | Empty | If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change. |
| Secure Mail user domain | X | X | Empty | |
| Background network services | X | X | Empty | If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server. |
| Background services ticket expiration | X | X | 168 hours (7 days) | |
| Background network service gateway | X | X | Empty | If you configure this policy, set the network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network or if you want to use Citrix Gateway to proxy the connection to the internal Exchange Server. This policy takes effect when you configure the Network access policy. |
| Export contacts | X | X | Off | |
| Contact fields to export | X | X | All | |
| Accept all SSL certificates | X | X | Off | |
| Control locked screen notifications | X | X | Allow | |
| Use Secure Connection | | X | On | |
| Default email notification | X | | Off | |
| Default sync interval | X | X | 3 days | The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. Secure Mail displays only the sync interval values that are less than the Maximum email age filter. |
| Mail search limit | X | X | Unlimited | |
| Max sync interval | X | X | 1 month (iOS), All (Android) | |
| Enable week number | X | X | Off | |
| Enable download of attachments over WiFi | X | X | Off | |
| Allow offline documents | X | X | Unlimited | |
| Information Rights Management | X | X | Off | |
| Email classification | X | | See Notes | See Email Security Classifications for the list of defaults. |
| Email classification markings | X | | Empty | |
| Email classification namespace | X | | Empty | |
| Email classification version | X | | Empty | |
| Default email classification | X | | UNOFFICIAL | |
| Enable auto-save of draft emails | X | X | On | |
| Enable iOS data protection | X | | Off | |
| Push Notifications EWS HostName | X | | Empty | |
| Push notifications | X | | Off | |
| Push notifications region | X | | Americas | |
| S/MIME certificate source | X | X | | |
| Enable S/MIME during first Secure Mail startup | X | | Off | |
| Initial authentication mechanism | X | X | Use MDX provided mail server address | |
| Initial authentication credentials | X | X | User Principal Name | |
| Calendar Web and Audio Options | X | X | GoToMeeting and User Entered | |
| S/MIME public certificate source | X | X | | |
| LDAP Server address | X | X | Empty | |
| LDAP Base DN | X | X | Empty | |
| Access LDAP anonymously | X | X | Off | |
| Allowed email domains | X | | Empty | If empty, does not restrict domains. |
| Attempt Username Migration On Auth Failure | X | X | Off | |
| Report Phishing Mail Addresses | X | X | Empty | |
| Report Phishing Mechanism | | X | Report via Attachment | |
| Skype for Business Meeting Domains | X | X | Empty | |
| Export calendar | X | X | Meeting time | |
| Enable Slack | X | X | Off | |
| Slack workspace name | X | X | Empty | |
| Caller Identification | X | | On | If On, Secure Mail provides iOS with names and phone numbers of your saved contacts for caller identification. |

Analytics

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Google Analytics level of detail | X | X | Complete | |

Reporting

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Citrix reporting | X | | Off | Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function. |
| Upload token | X | | Empty | |
| Send reports over WiFi only | X | | On | |
| Reporting file cache maximum | X | | 2 MB | |

App interaction

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Explicit logoff notification | X | X | Shared devices only (for Secure Mail) | |

OAuth support for Office 365

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Use modern authentication for Office 365 | | X | Off | |
| Office 365 authentication mechanism | X | | Do not use OAuth | |
| Trusted Exchange Online Hostnames | X | X | outlook.office365.com | |
| Trusted AD FS Hostnames | X | X | login.microsoftonline.com | |
| Custom user agent for modern authentication | | X | See notes. | If you do not configure this policy, the default Secure Mail user agent is used during modern authentication. |

Mail redirection

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Mail redirection | X | | | |

Slack integration

| Policy | iOS | Android | Default Setting | Notes |
|---|---|---|---|---|
| Enable Slack | X | X | | |
| Slack workspace name | X | X | | |