App lock device policy
The App lock device policy defines a list of apps that are either:
- Allowed to run on a device.
- Blocked from running on a device.
The exact way the policy works differs for each supported platform. For example, you cannot block multiple apps on an iOS device.
Likewise, for iOS devices, you can select only one iOS app per policy. This means that users are only able to use their device to run a single app. They cannot do any other activities on the device except for the options you specifically allow when the app lock policy is enforced.
In addition, iOS devices must be supervised to push App Lock policies.
Although the device policy works on most Android L and M devices, app lock does not function on Android N or later devices because Google deprecated the required API.
For managed Windows Desktops and Tablets, you can create an App Lock device policy that defines the list of blacklisted and whitelisted apps. You can allow or block executables, MSI installers, store apps, DLLs, and scripts.
To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.
- App bundle ID: In the list, click the app to which this policy applies or click Add new to add a new app to the list. If you select Add new, type the app name in the field that appears.
Options: Each of the following options applies only to iOS 7.0 or later. For each option, the default is Off except for Disable touch screen, which defaults to On.
- Disable touch screen
- Disable device rotation sensing
- Disable volume buttons
- Disable ringer switch: When Disable ringer switch is On, the ringer behavior depends on what position the switch was in when it was first disabled.
- Disable sleep/wake button
- Disable auto lock
- Disable VoiceOver
- Enable zoom
- Enable invert colors
- Enable AssistiveTouch
- Enable speak selection
- Enable mono audio
User Enabled Options: Each of the following options applies only to iOS 7.0 or later. For each option, the default is Off.
- Allow VoiceOver adjustment
- Allow zoom adjustment
- Allow invert colors adjustment
- Allow AssistiveTouch adjustment
You can’t block the Android Settings app by using the App Lock device policy.
App Lock parameters
- Lock message: Type a message that users see when they attempt to open a locked app.
- Unlock password: Type the password to unlock the app.
- Prevent uninstall: Select whether users are allowed to uninstall apps. The default is Off.
- Lock screen: Select the image that appears on the device’s lock screen by clicking Browse and navigating to the file’s location.
- Enforce: Click either Blacklist to create a list of apps that are not allowed to run on devices or click Whitelist to create a list of apps that are allowed to run on devices.
Apps: Click Add and then do the following:
- App name: In the list, click the name of the app to add to the whitelist or blacklist, or click Add new to add a new app to the list of available apps.
- If you select Add new, type the app name in the field that appears.
- Click Save or Cancel.
- Repeat these steps for each app you want to add to the whitelist or blacklist.
Prerequisites for App lock
- In Windows, configure rules in the Local Security Policy editor on a Windows 10 Desktop running Windows 10 Enterprise or Education.
- Export the policy XML file. Citrix recommends that you create Default rules in Windows to avoid locking the default configuration or causing issues on devices.
- Then, upload the XML file to XenMobile by using the App Lock device policy. For more information about creating rules, see this Microsoft article: https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-overview
To configure and export the policy XML file from Windows
Important: When configuring the policy XML file through the Windows policy editor, use Audit Only mode.
- On the Windows computer, start the Local Security Policy editor. Click Start, type local security policy and then click Local Security Policy.
- In the console tree, click Computer Configuration > Windows Settings > Security Settings and then expand Application Control Policies.
- Click AppLocker and then in the center pane, click Configure rule enforcement.
- Select Enforce rules. When you enable a rule, Enforce rules is the default.
- You can create Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules. To do so, right-click the folder and then click Create New Rule.
- Right-click AppLocker, click Export Policy, and then save the XML file.
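A pre-upload check of the exported file, as an added example (not Citrix or Microsoft code): it reads the AppLocker XML and reports rule collections that are not in Audit Only mode, as the Important note above requires, or that contain rules but no Allow rule under `%WINDIR%`. The sample policy, its rule IDs and names are constructed, and treating a missing `%WINDIR%` Allow rule as "default rules missing" is a heuristic assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (rule IDs, names and paths are made up for illustration).
SAMPLE = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Block tools folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="C:\Tools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Block temp scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

PATH_TYPES = {"Exe", "Dll", "Script", "Msi"}  # collections whose default rules are path rules

def review_policy(xml_text):
    """Return a list of (collection type, finding) for an exported AppLocker policy."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppLockerPolicy":
        raise ValueError("not an AppLocker policy export")
    findings = []
    for coll in root.findall("RuleCollection"):
        ctype, mode = coll.get("Type"), coll.get("EnforcementMode")
        rules = [r for r in coll if r.get("Action") in ("Allow", "Deny")]
        if not rules:
            continue  # an empty collection restricts nothing
        if mode != "AuditOnly":
            findings.append((ctype, f"mode is {mode}, expected AuditOnly"))
        allowed = [c.get("Path", "").upper() for r in rules if r.get("Action") == "Allow"
                   for c in r.iter("FilePathCondition")]
        if ctype in PATH_TYPES and not any(p.startswith("%WINDIR%") for p in allowed):
            findings.append((ctype, "no Allow rule for %WINDIR%; default rules missing?"))
    return findings

if __name__ == "__main__":
    for ctype, finding in review_policy(SAMPLE):
        print(f"{ctype}: {finding}")
```

A collection that holds only Deny rules, like the Script collection in the sample, leaves every other script without a matching Allow rule, which is the lockout the default rules are meant to prevent.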
To import the policy XML file into XenMobile
Create an App Lock policy. Across from the App Lock policy file setting, click Browse and navigate to the XML file.
To stop applying an App Lock policy
To stop applying an App Lock policy that you deployed in XenMobile, create an empty XML file. Then, create another App Lock policy, upload the file, and deploy the policy. Devices that have an App Lock enabled are not affected. Devices receiving the policy for the first time do not have the App Lock policy in place.