- What's new
- System requirements
- Onboarding and resource setup
- About XenMobile Service
Certificates and authentication
- NetScaler Gateway and XenMobile
- Domain or domain plus security token authentication
- Client certificate or certificate plus domain authentication
- PKI entities
- Credential providers
- APNs certificates
- SAML for single sign-on with ShareFile
- Single sign in with Azure Active Directory
- Derived credentials for iOS
- User accounts, roles, and enrollment
- ActiveSync Gateway
- Android for Work
- Bulk enrollment of Apple devices
- Bulk enrollment of Windows devices
- Client properties
- Deploy devices through Apple DEP
- Device enrollment limit
- Enroll devices
- Firebase Cloud Messaging
- Google Play credentials
- Integrate with Apple Education features
- Network Access Control
- Samsung KNOX
- Security actions
- Shared devices
- Workspace hub device management
- XenMobile Autodiscovery Service
- AirPlay mirroring device policy
- AirPrint device policy
- Android for Work app restriction policy
- Android for Work app permissions
- APN device policy
- App access device policy
- App attributes device policy
- App configuration device policy
- App inventory device policy
- Application Guard device policy
- App lock device policy
- App network usage device policy
- Apps notifications device policy
- App restrictions device policy
- App tunneling device policy
- App uninstall device policy
- App uninstall restrictions device policy
- BitLocker device policy
- Browser device policy
- Calendar (CalDav) device policy
- Cellular device policy
- Connection scheduling device policy
- Contacts (CardDAV) device policy
- Control OS Updates device policy
- Copy Apps to Samsung Container device policy
- Credentials device policy
- Custom XML device policy
- Defender device policy
- Device Guard device policy
- Device Health Attestation device policy
- Device name device policy
- Education Configuration device policy
- Enterprise Hub device policy
- Exchange device policy
- Files device policy
- FileVault device policy
- Firewall device policy
- Font device policy
- Home screen layout device policy
- Import Device Configuration device policy
- Import iOS & macOS Profile device policy
- Kiosk device policy
- Launcher configuration device policy for Android
- LDAP device policy
- Location device policy
- Lock screen message device policy
- Mail device policy
- Managed bookmarks device policy
- Managed domains device policy
- Maps device policy
- Maximum resident users device policy
- MDM options device policy
- Office device policy
- Organization information device policy
- Passcode device policy
- Passcode lock grace period device policy
- Personal hotspot device policy
- Power management device policy
- Profile Removal device policy
- Provisioning profile device policy
- Provisioning profile removal device policy
- Proxy device policy
- Restrictions device policy
- Roaming device policy
- Samsung MDM license key device policy
- SCEP device policy
- Siri and dictation policies
- SSO account device policy
- Storage encryption device policy
- Store device policy
- Subscribed calendars device policy
- Terms and conditions device policy
- VPN device policy
- Wallpaper device policy
- Web content filter device policy
- Webclip device policy
- WiFi device policy
- Windows Agent device policy
- Windows Hello for Business device policy
- Windows Information Protection device policy
- XenMobile options device policy
- XenMobile uninstall device policy
- Deprecated device policies
- Add apps
- Add media
- Deploy resources
- Automated actions
- Monitor and support
- REST APIs
- XenMobile Mail Manager 10.x
- XenMobile NetScaler Connector
- Management modes
- Device requirements
- Security and user experience
- User communities
- Email strategy
- XenMobile integration
- Integrating with NetScaler Gateway and NetScaler
- SSO and proxy considerations for MDX Apps
- Server properties
- Device and app policies
- User enrollment options
- Tuning XenMobile operations
- App provisioning and deprovisioning
- Dashboard-based operations
- Role-Based Access Control and XenMobile support model
- Systems monitoring
- Citrix support process
- Sending group enrollment invitations in XenMobile
- Configuring certificate-based authentication with EWS for Secure Mail push notifications
- Configuring an on-premises Device Health Attestation server
- XenMobile deployment
App restrictions device policy
You use the App Restrictions device policy to specify allowed or blocked Chrome apps, Android apps running on Chrome OS, and Samsung KNOX apps. If you enable App Runtime for Chrome (ARC) in the Restrictions device policy, you configure Android app restrictions under Android apps in the App Restrictions device policy.
To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.
For each app you want to add to the Allow/Deny list, click Add and then do the following:
- Allow/Deny: Select whether users are allowed to install the app.
- New app restriction: Type the app package ID; for example, com.kmdm.af.crackle.
- Click Save to save the app to the Allow/Deny list or click Cancel to not save the app to the Allow/Deny list.
Chrome apps are both apps and extensions.
- App install allowed: A global setting to allow or block the installation of all Chrome apps on Chrome OS devices. If you choose Allowed, you can create a list of specific blocked apps. If you choose Not allowed, you can create a list of specific allowed apps. To do that, click Add under Chrome apps. To use the settings specified in your Chrome account, select Unspecified. Default is Allowed.
Chrome apps: To add Chrome apps that are exceptions to your selection for the App install allowed setting, click Add and then specify these settings:
- App name: A name used to identify an app in the XenMobile console.
- App ID: The unique identifier for a Chrome app. Don’t include the prefix “app:”.
To look up a Chrome app ID: Go to the Chrome store, https://chrome.google.com/webstore, and search for the app. Click the app to view the URL and app ID in the address bar. The last portion of the address is the app ID. For example, if the URL is https://chrome.google.com/webstore/detail/citrix-intranet/hjacpdaecmilhndcbllidcgaaicdlpff, the app id is “hjacpdaecmilhndcbllidcgaaicdlpff”.
You can look up Chrome apps only from Chromebook. You can look up Chrome extensions from any platform.
- App install allowed: Creates an exception to the global setting above. This setting allows or blocks the specified Chrome app.
- Installed: If On, forces the Chrome app to install for enrolled Chrome OS device users. If Off and an app is installed, the app is uninstalled. If Off and the app is no longer configured by the policy, the app remains installed. Default is Off.
- Pinned: If On, pins the app to the Chromebook task bar. Default is Off.
- URL: Specifies the URL from which users can download an app that isn’t hosted in the Chrome Web Store.
- Extension policy: Defines, in JSON format, the app-specific policy defined by this app. For information, see Manifest for storage areas.
To enable enrolled Chrome OS device users to run Android apps, configure the Restrictions device policy as noted in the next section “Enable enrolled Chrome OS device users to run Android apps.” To configure ARC app restrictions, click Add under Android apps and then specify these settings.
App ID: A unique app identifier for an Android app running on Chrome OS. For example: com.android.camera. Don’t include the prefix “app:”.
To look up an Android app ID: Go to the Google Play store, https://play.google.com/store, and search for the app. Click the app to view the app ID in the address bar. The portion after id= is the app ID. For example, if the URL is
https://play.google.com/store/apps/details?id=com.citrix.mail, the app id is id=com.citrix.mail.
- Installed: Specifies whether to force the Android app to install for enrolled Chrome OS device users. If Off and an app is installed, the app is uninstalled. If Off and the app is no longer configured by the policy, the app remains installed. Default is Off.
- Pinned: If On, pins the Android app to the Chromebook task bar. Default is Off.
Enable enrolled Chrome OS device users to run Android apps
To enable enrolled Chrome OS device users to run Android apps: Go to Configure > Device Policies and add a Restrictions device policy for Chrome OS with the setting Enable App Runtime for Chrome (ARC) enabled.
- Enable App Runtime for Chrome (ARC): If On, allows enrolled Chrome OS device users to run Android apps. Specify ARC apps in the XenMobile App Restrictions device policy. Requires G Suite Chrome configuration. ARC isn’t available if either Ephemeral mode or multiple sign-on is enabled in the current user session. If Off, enterprise Chrome OS device users can’t run Android apps. The default is On.