Product Documentation

Device policies

Sep 12, 2017

You can configure how XenMobile interacts with your devices by creating policies. Although many policies are common to all devices, each device has a set of policies specific to its operating system. As a result, you might find differences between platforms, and even between different manufacturers of Android devices.

For the policies per platform matrix, download the Device Policies by Platform Matrix PDF. For a summary description of each device policy, see Device policy summaries in this article.


Before you create a policy, complete these requirements:

  • Create any delivery groups you plan to use.
  • Install any necessary CA certificates.

The basic steps to create a device policy are as follows:

  1. Name and describe the policy.
  2. Configure the policy for one or more platforms.
  3. Create deployment rules (optional).
  4. Assign the policy to delivery groups.
  5. Configure the deployment schedule (optional).

To create and manage device policies, go to Configure > Device Policies.



Add a device policy

1. On the Device Policies page, click Add. The Add a New Policy page appears.


2. Click one or more platforms to view a list of the device policies for the selected platforms. Click a policy name to continue with adding the policy.


You can also type the name of the policy in the search box. As you type, potential matches appear. If your policy is in the list, click it. Only your selected policy remains in the results. Click it to open the Policy Information page for that policy.

3. Select the platforms you want to include in the policy. Configuration pages for the selected platforms appear in Step 5.

4. Complete the Policy Information page and then click Next. The Policy Information page collects information, such as the policy name, to help you identify and track your policies. This page is similar for all policies.

5. Complete the platform pages. Platform pages appear for each platform you selected in Step 3. These pages are different for each policy. A policy might differ among platforms. Not all policies apply to all platforms.

To configure deployment rules:

Note: For more information about configuring deployment rules, see Deploy resources.

a. Expand Deployment Rules and then configure the following settings. The Base tab appears by default.

  • In the lists, click options to determine when the policy should be deployed. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
  • Click New Rule to define the conditions.
  • In the lists, click the conditions, such as Device ownership and BYOD.
  • Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.

b. Click the Advanced tab to combine the rules with Boolean options. The conditions you chose on the Base tab appear.

c. You can use more advanced Boolean logic to combine, edit, or add rules.

  • Click AND, OR, or NOT.
  • In the lists, choose the conditions that you want to add to the rule. Then, click the Plus sign (+) on the right side to add the condition to the rule.

At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.

  • Click New Rule to add another condition.

6. Click Next to move to the next platform page or, when all the platform pages are complete, to the Assignments page.

7. On the Assignments page, select the delivery groups to which you want to apply the policy. If you click a delivery group, the group appears in the Delivery groups to receive app assignment box.

Note: Delivery groups to receive app assignment doesn't appear until you select a delivery group.


8. On the Assignments page, expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.


  • This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
  • The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

9. Click Save.

The policy appears in the Device Policies table.
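
The deployment rules from Step 5 decide which devices in the assigned delivery groups receive the policy, so it helps to preview a rule against a device list before saving it. The following Python model is an added example, not Citrix code and not XenMobile's rule engine: it evaluates Base tab All/Any rules and Advanced tab AND, OR, and NOT combinations. The attribute names (ownership, platform), the device records, and the treatment of missing attributes are assumptions made for the illustration.

```python
# Added example: a stand-alone model of deployment-rule logic. It is not
# XenMobile code; attribute names and device records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One rule line, such as 'Device ownership' is 'BYOD'."""
    attribute: str
    value: str

    def matches(self, device):
        # In this model, a device that lacks the attribute does not match.
        return device.get(self.attribute) == self.value


@dataclass(frozen=True)
class Not:
    operand: object

    def matches(self, device):
        # Consequence: NOT also selects devices whose attribute is unknown.
        return not self.operand.matches(device)


@dataclass(frozen=True)
class And:
    operands: tuple

    def matches(self, device):
        return all(op.matches(device) for op in self.operands)


@dataclass(frozen=True)
class Or:
    operands: tuple

    def matches(self, device):
        return any(op.matches(device) for op in self.operands)


def base_rule(conditions, mode="All"):
    """Base tab: combine conditions with All (the default) or Any."""
    if mode not in ("All", "Any"):
        raise ValueError("mode must be 'All' or 'Any'")
    combine = And if mode == "All" else Or
    return combine(tuple(conditions))


def select(rule, fleet):
    """Return the names of the devices the rule would deploy to."""
    return [device["name"] for device in fleet if rule.matches(device)]


# Constructed device list; ph-04 has no recorded ownership.
FLEET = [
    {"name": "tab-01", "platform": "Android", "ownership": "BYOD"},
    {"name": "ph-02", "platform": "iOS", "ownership": "BYOD"},
    {"name": "ph-03", "platform": "iOS", "ownership": "Corporate"},
    {"name": "ph-04", "platform": "Android"},
]
BYOD = Condition("ownership", "BYOD")
ANDROID = Condition("platform", "Android")

if __name__ == "__main__":
    print("All:", select(base_rule([BYOD, ANDROID]), FLEET))
    print("Any:", select(base_rule([BYOD, ANDROID], "Any"), FLEET))
    print("Android AND NOT BYOD:", select(And((ANDROID, Not(BYOD))), FLEET))
```

In this model, switching from All to Any widens the deployment from one device to three, and the NOT rule selects the device with no recorded ownership. Compare results like these with the intended scope before you assign the policy.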

Edit or delete a device policy

To edit or delete a policy, select the check box next to a policy to show the options menu above the policy list. Or, click a policy in the list to show the options menu to the right of the listing.


To view policy details, click Show more.

To edit all settings for a device policy, click Edit.

If you click Delete, a confirmation dialog box appears. Click Delete again.

Filter the list of added device policies

You can filter the list of added policies by policy types, platforms, and associated delivery groups. On the Configure > Device Policies page, click Show filter. In the list, select the check boxes for the items you want to see.


Click SAVE THIS VIEW to save a filter. The name of the filter then appears in a button below the SAVE THIS VIEW button.

Device policy summaries

Device Policy Name

Device Policy Description

AirPlay Mirroring

This policy adds specific AirPlay devices (such as Apple TV or another Mac computer) to iOS devices. You also have the option of adding devices to a whitelist for supervised devices, which limits users to only the AirPlay devices on the whitelist.


This policy allows you to add AirPrint printers to the AirPrint printer list on iOS devices. This policy makes it easier to support environments where the printers and the devices are on different subnets. Available for iOS 7.0 and later.

Note: Be sure to have the IP address and resource path for each printer.

Android for Work App Restrictions

This policy allows you to change the restrictions associated with Android apps, but before you can do so, you must meet the following prerequisites:


You use this policy if your organization doesn't use a consumer APN to connect to the internet from a mobile device. This policy determines the settings used to connect your devices to the General Packet Radio Service (GPRS) of a specific phone carrier. This setting is already defined in most newer phones.

App Access

This policy allows you to define a list of the following apps:

  • Apps that are required to be installed on the device
  • Or, apps that can be installed on the device
  • Or, apps that must not be installed on the device.

You can then create an automated action to react to the device compliance with that list of apps.

App Attributes

This policy lets you specify attributes, such as a managed app bundle ID or per-app VPN identifier, for iOS devices.

App Configuration

This policy lets you remotely configure various settings and behaviors of apps that support managed configuration. To do that, you deploy an XML configuration file (called a property list, or plist) to iOS devices. Or, you deploy key/value pairs to Windows 10 phone, desktop, or tablet devices.

App Inventory

This policy lets you collect an inventory of the apps on managed devices. XenMobile then compares the inventory to any app access policies deployed to those devices. In this way, you can detect apps that are on an app access blacklist or whitelist and then act accordingly.

App Lock

This policy defines a list of apps that users either can run on a device or can't run on a device.

You can configure this policy for both iOS and Android devices, but the way the policy works differs for each platform. For example, you cannot block multiple apps on an iOS device.

The App Lock policy works on most Android L and M devices. However, the App Lock policy doesn't work on Android N or later devices because Google deprecated the required API.

For iOS devices, you can choose only one iOS app per policy. As a result, users can use their device to run a single app only. Users can't do any other activities on the device except for the options you specifically allow when the App Lock policy is enforced.

App Network Usage

This policy sets network usage rules to specify how managed apps use networks, such as cellular data networks, on iOS devices. The rules only apply to managed apps. Managed apps are apps that you deploy to user devices through XenMobile. Managed apps don't include these apps:

  • Apps that users download directly to their devices. That is, the apps aren't deployed through XenMobile.
  • Apps already installed on the devices when the devices were enrolled in XenMobile.

App Restrictions

This policy creates blacklists for apps you want to prevent users from installing on Samsung KNOX devices. You can also create whitelists for apps you want to allow users to install.

App Uninstall

This policy lets you remove apps from user devices for several reasons. For example, you might not want to support certain apps. Or, your company might want to replace existing apps with similar apps from different vendors. The apps are removed when this policy is deployed to user devices. Except for Samsung KNOX devices, users receive a prompt to uninstall the app. Samsung KNOX device users do not receive a prompt to uninstall the app.

App Uninstall Restrictions

This policy lets you specify the apps that users can or can't uninstall.


This policy configures the settings available in the BitLocker interface on Windows 10 devices. BitLocker is a disk encryption feature that provides extra file and system protections against unauthorized access of a lost or stolen computer.


This policy lets you define whether user devices can use the browser or which browser functions the devices can use. On Samsung devices, you can disable the browser, or you can enable or disable pop-ups, JavaScript, cookies, autofill, and whether to force fraud warnings.

Calendar (CalDav)

This policy adds a calendar (CalDAV) account to iOS or macOS devices. The CalDAV account enables users to synchronize scheduling data with any server that supports CalDAV.


This policy allows you to configure cellular network settings.

Connection Manager

This policy specifies the connection settings for apps that connect automatically to the internet and to private networks. This policy is only available on Windows Pocket PCs.

Contacts (CardDAV)

This policy adds an iOS contact (CardDAV) account to iOS or macOS devices. The CardDAV account enables users to synchronize contact data with any server that supports CardDAV.

Control OS Updates

This policy lets you deploy the latest OS updates to supervised devices.

Copy apps to Samsung Container

This policy copies the apps already installed on a device to a SEAMS or KNOX container on supported Samsung devices. Apps copied to the SEAMS container are available on the device home screen. Apps copied to the KNOX container are available only when users sign in to the KNOX container.


This policy enables integrated authentication with your PKI configuration in XenMobile, for example, with a PKI entity, a keystore, a credential provider, or a server certificate. For information about credentials, see Certificates and authentication.

Each device platform requires a different set of values, which are described in the Credentials policy article.

Custom XML

This policy customizes the following features:

  • Provisioning, such as configuring the device, and enabling or disabling features
  • Device configuration, such as allowing users to change settings and device parameters
  • Software upgrades, such as providing new software or bug fixes for loading onto the device, including apps and system software
  • Fault management, such as receiving error and status reports from the device


This policy configures Windows Defender settings for Windows 10 for desktop and tablet.

Delete Files and Folders

This policy deletes specific files or folders from Windows Mobile/CE devices.

Delete Registry Keys and Values

This policy deletes specific registry keys and values from Windows Mobile/CE devices.

Device Health Attestation

This policy requires that Windows 10 devices report the state of their health. To do that, they send specific data and runtime information to the Health Attestation Service (HAS) for analysis. The HAS creates and returns a Health Attestation Certificate that the device then sends to XenMobile. When XenMobile receives the Health Attestation Certificate, it can deploy automatic actions that you configured, based on the contents of that certificate.

For more information, see the Microsoft Device HealthAttestation CSP page.

Device Name

This policy sets the names on iOS and macOS devices so that you can identify the devices. You can use macros, text, or a combination of both to define a device name. For information about macros, see Macros.

Education Configuration

This policy configures instructor and student devices for use with Apple Education. If instructors use the Classroom app, the Education Configuration device policy is required.

Enterprise Hub

This policy for Windows Phone lets you distribute apps through the Enterprise Hub Company store.

XenMobile supports only one Enterprise Hub policy for one mode of Windows Phone Secure Hub. For example, don't create multiple Enterprise Hub policies with different versions of Secure Home for XenMobile Enterprise Edition. You can deploy the initial Enterprise Hub policy only during device enrollment.


XenMobile provides two options to deliver email. You can use this MDM policy to enable ActiveSync email for the native email client on the device. Or, you can deliver ActiveSync email using the containerized Secure Mail app.


This policy adds script files to XenMobile that perform certain functions for users. Or, you can add document files that you want Android device users to be able to access on their devices. When you add the file, you can also specify the directory in which you want the file to be stored on the device. For example, to send Android users a company document or .pdf file, you deploy the file to the device. Then, let users know where the file is located.


This policy adds more fonts to iOS and macOS devices. Fonts must be TrueType (.TTF) or OpenType (.OTF) fonts. Font collections (.TTC or .OTC) are not supported. For iOS, this policy applies only to iOS 7.0 and later.

Home screen layout

This policy specifies the layout of apps and folders for the iOS Home screen on iOS 9.3 and later supervised devices.

Import iOS & macOS Profile

This policy imports device configuration XML files for iOS and macOS devices into XenMobile. The file contains device security policies and restrictions that you prepare by using the Apple Configurator. For more information about using the Apple Configurator to create a configuration file, see the Apple Configurator Help page.


This policy restricts app usage on Samsung SAFE devices. You can limit available apps to a specific app or apps. This policy is useful for corporate devices that are intended to run only a specific type or class of apps. This policy also lets you choose custom images for the device home screen and lock screen wallpapers for kiosk mode.

Launcher Configuration

This policy for Android devices specifies the following for Citrix Launcher:

  • The apps allowed
  • A custom logo image for the Citrix Launcher icon
  • A custom background image for Citrix Launcher
  • Password requirements to exit the launcher


This policy for iOS devices provides information about an LDAP server to use, including any necessary account information such as the LDAP server host name. The policy also provides a set of LDAP search policies to use when querying the LDAP server.


This policy lets you geo-locate devices on a map, assuming that the device has GPS enabled for Secure Hub. After deploying this policy to the device, you can send a locate command from the XenMobile Server. The device then responds with its location coordinates. XenMobile also supports geofencing and tracking policies.


This policy configures an email account on iOS or macOS devices.

Managed Domains

This policy defines managed domains that apply to email and the Safari browser. Managed domains help you protect corporate data by controlling which apps can open documents downloaded from domains using Safari. For iOS 8 and later supervised devices, you can specify URLs or subdomains to control how users can open documents, attachments, and downloads from the browser.

MDM Options

This policy manages Find My Phone and iPad Activation Lock on supervised iOS 7.0 and later phone devices. For the steps on putting an iOS device in supervised mode, see Bulk enrollment of iOS and macOS devices.

Organization Info

This policy specifies organization information for alert messages that XenMobile deploys to iOS devices. Available on iOS 7 and later.


This policy allows you to enforce a PIN code or password on a managed device. You can set the complexity and timeouts for the passcode on the device.

Personal Hotspot

This policy allows users to connect to the internet when they are not in range of a WiFi network. Users connect through the cellular data connection on their iOS device, using personal hotspot functionality. Available on iOS 7.0 and later.

Profile Removal

This policy, when deployed, removes the app profile from iOS or macOS devices.

Provisioning Profile

This policy specifies an enterprise distribution provisioning profile to send to devices. When you develop and code sign an iOS enterprise app, you usually include a provisioning profile. Apple requires the profile for the app to run on an iOS device. If a provisioning profile is missing or has expired, the app crashes when a user taps to open it.

Provisioning Profile Removal

This policy removes iOS provisioning profiles. For information on provisioning profiles, see Provisioning Profile device policy.


This policy specifies global HTTP proxy settings for devices running Windows Mobile/CE and iOS 6.0 or later. You can deploy only one global HTTP proxy policy per device.


The Windows Mobile/CE registry stores data about apps, drivers, user preferences, and configuration settings. This policy defines the registry keys and values that let you administer Windows Mobile/CE devices.

Remote Support

This policy gives you remote access to Samsung KNOX devices.


This policy provides hundreds of options to lock down and control features and functionality on managed devices. Examples of restriction options: Disable the camera or microphone, enforce roaming rules, and enforce access to third-party services, such as app stores.


This policy configures whether to allow voice and data roaming on iOS and Windows Mobile/CE devices. If voice roaming is disabled, data roaming is automatically disabled. For iOS, this policy is available on iOS 5.0 and later devices.

Samsung SAFE Firewall

This policy lets you configure the firewall settings for Samsung devices. You provide the IP addresses, ports, and host names that you want to allow devices to access or that you want to block devices from accessing. You can also configure the proxy and proxy reroute settings.

Samsung MDM License Key

This policy specifies the built-in Samsung Enterprise License Management (ELM) key that you must deploy to a device before you can deploy SAFE policies and restrictions. XenMobile supports and extends both Samsung for Enterprise (SAFE) and Samsung KNOX policies.


This policy is required for Android and Windows Mobile devices to connect back in to the XenMobile Server for MDM management, app push, and policy deployment. If you don't send this policy to devices and don't enable Google FCM, a device can't connect back to the server.


This policy configures iOS and macOS devices to retrieve a certificate from an external SCEP server. You can also deliver a certificate to the device using SCEP from a PKI that is connected to XenMobile. To do that, create a PKI entity and a PKI provider in distributed mode. For details, see PKI entities.

SSO Account

This policy creates single sign-on (SSO) accounts so that users sign on only once to access XenMobile and your internal company resources. Users do not need to store any credentials on the device. The SSO account enterprise user credentials are used across apps, including apps from the App Store. This policy is compatible with Kerberos authentication. Available for iOS 7.0 and later.

Storage Encryption

This policy encrypts internal and external storage. For some devices, this policy prevents users from using a storage card on their devices.

Subscribed Calendars

This policy adds a subscribed calendar to the calendars list on iOS devices. The list of public calendars to which you can subscribe is available at

Ensure that you subscribe to a calendar before you add it to the subscribed calendars list on user devices.

Terms and Conditions

This policy requires that users accept the specific policies of your company that govern connections to the corporate network. When users enroll their devices with XenMobile, they must accept the terms and conditions to enroll their devices. Declining the terms and conditions cancels the enrollment process.


This policy is supported only for XenMobile Service customers who use Remote Support. This policy increases service continuity and data transfer reliability for your mobile apps. App tunnels define proxy parameters between the client component of any mobile device app and the app server component. You can also use app tunnels to create remote support tunnels to a device for management support.

Note: Any app traffic sent through a tunnel that you define in this policy goes through XenMobile first. Then the traffic is redirected to the server running the app.


This policy provides access to back end systems that use legacy VPN Gateway technology. This policy provides VPN gateway connection details that you can deploy to devices. XenMobile supports several VPN providers, including Cisco AnyConnect, Juniper, and Citrix VPN. If your VPN gateway supports this option, you can link this policy to a CA and enable VPN on-demand.


This policy adds a .png or .jpg file to set wallpaper on an iOS device lock screen, home screen, or both. Available for iOS 7.1.2 and later. To use different wallpaper on iPads and iPhones, create different wallpaper policies and deploy them to the appropriate users.

Web Content Filter

This policy filters web content on iOS devices. XenMobile uses the Apple auto-filter function and the sites that you add to whitelists and blacklists. Available only for iOS 7.0 and later supervised devices. For information about placing an iOS device in Supervised mode, see Place an iOS device in Supervised mode by using the Apple Configurator.


This policy places shortcuts, or webclips, to websites so that they appear alongside apps on user devices. You can specify your own icons to represent the webclips for iOS, macOS, and Android devices. Windows tablet only requires a label and a URL.


This policy allows administrators to deploy WiFi router details to managed devices. The router details include SSID, authentication data, and configuration data.

Windows CE Certificate

This policy creates and delivers Windows Mobile/CE certificates from an external PKI to user devices. For more information about certificates and PKI entities, see Certificates and authentication.

Windows Information Protection

This policy specifies the apps that require Windows Information Protection at the enforcement level you set for the policy. The policy is for Windows 10 version 1607 and later supervised devices.

XenMobile Store

This policy specifies whether a XenMobile Store webclip appears on the home screen of user devices.

XenMobile Options

This policy configures the Secure Hub behavior when connecting to XenMobile from Android and Windows Mobile/CE devices.

XenMobile Uninstall

This policy uninstalls XenMobile from Android and Windows Mobile/CE devices. When deployed, this policy removes XenMobile from all devices in the deployment group.