BitLocker device policy
Windows 10 includes a disk encryption feature called BitLocker, which provides extra file and system protections against unauthorized access of a lost or stolen Windows device. For more protection, you can use BitLocker with Trusted Platform Module (TPM) chips, version 1.2 or later. A TPM chip handles cryptographic operations and generates, stores, and limits the use of cryptographic keys.
Starting with Windows 10, build 1703, MDM policies can control BitLocker. You use the BitLocker device policy in XenMobile to configure the settings available in the BitLocker wizard on Windows 10 devices. For example, on a device with BitLocker enabled, BitLocker can prompt users for how they want to unlock their drive at startup, how to back up their recovery key, and how to unlock a fixed drive. BitLocker device policy settings also configure whether to:
- Enable BitLocker on devices without a TPM chip.
- Show recovery options in the BitLocker interface.
- Deny write access to a fixed or removable drive when BitLocker isn’t enabled.
After BitLocker encryption starts on a device, you can’t subsequently change the BitLocker settings on the device by deploying an updated BitLocker device policy.
To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.
The BitLocker device policy requires Windows 10 Enterprise edition.
Before deploying the BitLocker device policy, prepare your environment for BitLocker use. For detailed information from Microsoft, including BitLocker system requirements and setup, see BitLocker and the articles under that node.
Require device to be encrypted: Determines whether to prompt users to enable BitLocker encryption on a Windows Phone system card. If On, devices show a message after enrollment completes, indicating that the enterprise requires device encryption. If the user opts out of device encryption, the user isn’t granted write access to the system card. If Off, the user isn’t prompted and the BitLocker policy determines whether the device is encrypted. Defaults to Off.
Require storage card encryption: Determines whether to prompt users to enable BitLocker encryption on a Windows Phone storage card. If On, storage card encryption is required to gain write permission on the card. Defaults to Off.
Require device to be encrypted: Determines whether to prompt users to enable BitLocker encryption on the Windows Desktop or Tablet. If On, devices show a message after enrollment completes, indicating that the enterprise requires device encryption. If Off, the user isn’t prompted and BitLocker uses the policy settings. Defaults to Off.
Configure encryption methods: Determines the encryption methods to use for specific drive types. If Off, the BitLocker wizard prompts the user for the encryption method to use for a drive type. The encryption method for all drives defaults to XTS-AES 128 bit. The encryption method for removable drives defaults to AES-CBC 128-bit. If On, BitLocker uses the encryption method specified in the policy. If On, these extra settings appear: Operating system drive, Fixed drive, and Removable drive. Choose the default encryption method for each drive type. Defaults to Off.
Require additional authentication at startup: Specifies the additional authentication required during device startup. Also specifies whether to allow BitLocker on devices that don’t have a TPM chip. If Off, devices without TPM can’t use BitLocker encryption. For information about TPM, see the Microsoft article, Trusted Platform Module Technology Overview. If On, the following extra settings appear. Defaults to Off.
Block BitLocker on devices without TPM chip: On a device with no TPM chip, BitLocker requires users to create an unlock password or startup key. The startup key is stored on a USB drive, which the user must connect to the device before startup. The unlock password is a minimum of eight characters. Defaults to Off.
TPM startup: On a device with TPM, there are four unlock modes: TPM-only, TPM + PIN, TPM + Key, and TPM + PIN + Key. TPM startup is for the TPM-only mode, in which encryption keys are stored in the TPM chip. This mode doesn’t require a user to provide additional unlock data. The user device automatically unlocks during restart, using the encryption key from the TPM chip. Defaults to Allow TPM.
TPM startup PIN: This setting is the TPM + PIN unlock mode. A PIN can have up to 20 digits. Use the Minimum PIN length setting to specify the minimum PIN length. A user configures a PIN during BitLocker setup and provides the PIN during device startup.
TPM startup key: This setting is the TPM + Key unlock mode. The startup key is stored in a USB or other removable drive, which the user must connect to the device before startup.
TPM startup key and PIN: This setting is the TPM + PIN + Key unlock mode.
If the unlock succeeds, the operating system starts loading. If the unlock fails, the device enters recovery mode.
Minimum PIN length: The minimum length of the TPM startup PIN. Defaults to 6.
Configure OS drive recovery: If the unlock step fails, BitLocker prompts the user for the configured recovery key. This setting configures the operating system drive recovery options available to users if they don’t have the unlock password or USB startup key. Default is Off.
Allow certificate based data recovery agent: Specifies whether to allow a certificate-based data recovery agent. Add a data recovery agent from Public Key Policies, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. For more information about data recovery agents, see the Microsoft article, BitLocker Group Policy settings. Default is Off.
Create 48-digit recovery password for OS drive recovery: Specifies whether to allow or require users to use a recovery password. BitLocker generates the password and stores it in a file or Microsoft Cloud account. Default is Allow 48-digit password.
Create 256-bit recovery key: Specifies whether to allow or require users to use a recovery key. A recovery key is a BEK file, which is stored on a USB drive. Default is Allow 256-bit recovery key.
Hide OS drive recovery options: Specifies whether to show or hide recovery options in the BitLocker interface. If On, no recovery options appear in the BitLocker interface. In that case, register the devices to Active Directory, save the recovery options to Active Directory, and set Save recovery info to AD DS to On. Default is Off.
Save recovery info to AD DS: Specifies whether to save the recovery options to Active Directory Domain Services. Default is Off.
Configure recovery info stored in AD DS: Specifies whether to store the BitLocker recovery password or the recovery password and the key package in Active Directory Domain Services. Storing the key package supports recovering data from a drive that is physically corrupted. Default is Backup recovery password.
Enable BitLocker after storing recovery info in AD DS: Specifies whether to prevent users from enabling BitLocker unless the device is domain-connected and the backup of BitLocker recovery information to Active Directory succeeds. If On, a device must be domain-joined before starting BitLocker. Default is Off.
Customize preboot recovery message and URL: Specifies whether BitLocker shows a customized message and URL on the recovery screen. If On, the following extra settings appear: Use default recovery message and URL, Use empty recovery message and URL, Use custom recovery message, and Use custom recovery URL. If Off, the default recovery message and URL display. Default is Off.
Configure fixed drive recovery: Configures the recovery options available to users for a BitLocker-encrypted fixed drive. BitLocker doesn’t display a message to users about fixed drive encryption. To unlock a drive during startup, a user provides a password or smart card. The startup unlock settings, which aren’t in this policy, appear in the BitLocker interface when a user enables BitLocker encryption on a fixed drive. For information about the related settings, see Configure OS drive recovery, earlier in this list. Default is Off.
Block write access to fixed drives not using BitLocker: If On, users can write to fixed drives only when those drives are encrypted with BitLocker. Default is Off.
Block write access to removable drives not using BitLocker: If On, users can write to removable drives only when those drives are encrypted with BitLocker. Configure this setting according to whether your organization allows write access to removable drives from other organizations. Default is Off.
Prompt for other disk encryption: Allows you to disable the warning prompt for other disk encryption on devices. Defaults to Off.
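After the policy is deployed, an administrator usually wants to confirm that a device's actual BitLocker state matches the settings described above. The following is an added example, not code from the Citrix documentation: a PowerShell audit that uses the built-in BitLocker and TrustedPlatformModule cmdlets, with a constructed $Policy hashtable that mirrors the page's default encryption methods (XTS-AES 128 for OS and fixed drives, AES-CBC 128 for removable drives) and the TPM and recovery-password settings.

```powershell
# Added example, not part of the Citrix documentation: audit a Windows 10 device
# against the intent of a deployed BitLocker device policy. Uses the built-in
# BitLocker and TrustedPlatformModule cmdlets; run from an elevated prompt.
$Policy = @{   # constructed to mirror the defaults described in the policy settings
    OperatingSystemMethod   = 'XtsAes128' # Configure encryption methods: Operating system drive
    FixedMethod             = 'XtsAes128' # Configure encryption methods: Fixed drive
    RemovableMethod         = 'Aes128'    # Configure encryption methods: Removable drive (AES-CBC 128)
    RequireTpm              = $true       # Block BitLocker on devices without TPM chip
    RequireRecoveryPassword = $true       # Create 48-digit recovery password for OS drive recovery
}
function Test-BitLockerPolicyCompliance {
    param([hashtable]$Policy)
    $findings = @()
    $tpm = Get-Tpm
    if ($Policy.RequireTpm -and -not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'TPM absent or not ready: policy blocks BitLocker on devices without a TPM'
    }
    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$mp protection is $($vol.ProtectionStatus); encryption is not enforced"
            continue
        }
        # BitLocker reports fixed and removable drives both as VolumeType 'Data',
        # so use the volume's DriveType to pick the expected encryption method.
        $isRemovable = $false
        if ($mp -match '^[A-Za-z]:$') {
            $isRemovable = (Get-Volume -DriveLetter $mp[0]).DriveType -eq 'Removable'
        }
        if ($vol.VolumeType -eq 'OperatingSystem') { $expected = $Policy.OperatingSystemMethod }
        elseif ($isRemovable)                       { $expected = $Policy.RemovableMethod }
        else                                        { $expected = $Policy.FixedMethod }
        if ("$($vol.EncryptionMethod)" -ne $expected) {
            $findings += "$mp uses $($vol.EncryptionMethod); policy expects $expected"
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            $tpmModes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
            if (-not ($types | Where-Object { $tpmModes -contains $_ })) {
                $findings += "$mp has no TPM-based startup protector; check the TPM startup settings"
            }
            if ($Policy.RequireRecoveryPassword -and $types -notcontains 'RecoveryPassword') {
                $findings += "$mp has no 48-digit recovery password protector to back up to AD DS"
            }
        }
    }
    return $findings
}
Test-BitLockerPolicyCompliance -Policy $Policy
```

An empty result means every protected volume matches the expected method and protector types; each finding names the volume and the policy setting to review.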