
Client properties

Feb 09, 2017
Client properties contain information that is provided directly to Secure Hub on user devices. You can use these properties to configure advanced settings, such as the Citrix PIN. You obtain client properties from Citrix support.
 
Client properties are subject to change with every release of client apps, particularly Secure Hub. For details about more commonly configured client properties, see Client property reference, later in this article.
 
1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
2. Under Client, click Client Properties. The Client Properties page appears. You can add, edit, and delete client properties from this page.

To add a client property

1. Click Add. The Add New Client Property page appears.

2. Configure these settings:

  • Key: In the list, click the property key you want to add. Important: Contact Citrix Support before making any changes or request a special key to make a change.
  • Value: Enter the selected property's value.
  • Name: Enter a name for the property.
  • Description: Enter a description of the property.

3. Click Save.

To edit a client property

1. In the Client Properties table, select the client property you want to edit.

Note: When you select the check box next to a client property, the options menu appears above the client property list; when you click anywhere else in the list, the options menu appears on the right side of the listing.

2. Click Edit. The Edit Client Property page appears.

3. Change the following information as appropriate:

  • Key: You cannot change this field.
  • Value: The property's value.
  • Name: The property's name.
  • Description: The property's description.

4. Click Save to save your changes or Cancel to leave the property unchanged.

To delete a client property

1. In the Client Properties table, select the client property you want to delete.

Note: You can select more than one property to delete by selecting the check box next to each property.

2. Click Delete. A confirmation dialog box appears. Click Delete again.

Client property reference

The XenMobile predefined client properties and their default settings are as follows.

CONTAINER_SELF_DESTRUCT_PERIOD

Display name: MDX Container Self Destruct Period

Self-destruct prevents access to Secure Hub and managed apps after a certain number of days of inactivity. After the time limit, apps are no longer usable, and the user device is unenrolled from the XenMobile server. Wiping the data includes clearing the app data for each installed app, including the app cache and user data. Inactivity time is the period during which the server does not receive an authentication request to validate the user. For example, if you set 30 days for the policy and the user does not use Secure Hub or other apps for more than 30 days, the policy takes effect.

This global security policy applies to iOS and Android platforms and is an enhancement of the existing app lock and wipe policies.

To configure this global policy, go to Settings > Client Properties and add the custom key CONTAINER_SELF_DESTRUCT_PERIOD.

Value: Number of days

DEVICE_LOGS_TO_IT_HELP_DESK

Display name: Send device logs to IT help desk

This property enables or disables the ability to send logs to the IT help desk.

Possible values: true or false

Default value: false

DISABLE_LOGGING

Display name: Disable Logging

This property lets you disable the ability for users to collect and upload logs from their devices. Logging is disabled for Secure Hub and for all installed MDX apps. Users cannot send logs for any app from the Support page; even though the mail composition dialog box appears, logs are not attached, but a message is appended saying that logging is disabled. In addition to the effect on users' devices, you cannot modify log settings in the XenMobile console for Secure Hub and MDX apps.

When this property is set to true, Secure Hub sets Block application logs to true, ensuring that MDX apps stop logging when the new policy is applied.

Possible values: true or false

Default value: false (logging is not disabled)

ENABLE_CRASH_REPORTING

Display name: Enable Crash Reporting

This property enables or disables crash reporting using Crashlytics for XenMobile Apps.

Possible values: true or false

Default value: true

ENABLE_FIPS_MODE

Display name: Enable FIPS Mode

This property enables or disables FIPS mode on mobile devices. After you change the value, Secure Hub passes the new value to the device when Secure Hub does the next online authentication.

Possible values: true or false

Default value: false

ENABLE_NETWORK_EXTENSION

Display name: ENABLE_NETWORK_EXTENSION

By default, XenMobile enables the Apple Network Extension framework when Secure Hub installs. To disable Network Extension, go to Settings > Client Properties, add the custom key ENABLE_NETWORK_EXTENSION, and set the Value to false.

Default value: true

ENABLE_PASSCODE_AUTH

Display name: Enable Citrix PIN Authentication

This property allows you to turn on Citrix PIN functionality. With the Citrix PIN or passcode, users are prompted to define a PIN to use instead of their Active Directory password. This setting is automatically enabled when ENABLE_PASSWORD_CACHING is enabled or when XenMobile is using certificate authentication.

If users are performing offline authentication, the Citrix PIN is validated locally and users are allowed to access the app or content they requested. If users are performing online authentication, the Citrix PIN or passcode is used to unlock the Active Directory password or certificate, which is then sent to perform authentication with XenMobile.

Possible values: true or false

Default value: false

ENABLE_PASSWORD_CACHING

Display name: Enable User Password Caching

This property enables the users' Active Directory password to be cached locally on the mobile device. When you set this property to true, you must also set the ENABLE_PASSCODE_AUTH property to true. With user password caching enabled, XenMobile prompts users to set a Citrix PIN or passcode.

Possible values: true or false

Default value: false

ENABLE_TOUCH_ID_AUTH

Display name: Enable Touch ID Authentication

For devices that support Touch ID authentication, this property enables or disables Touch ID authentication on the device. Requirements:

User devices must have Citrix PIN or LDAP enabled. If LDAP authentication is off (for example, because only certificate-based authentication is used), users must set a Citrix PIN. In this case, XenMobile requires the Citrix PIN even if ENABLE_PASSCODE_AUTH is false.

Set ENABLE_PASSCODE_AUTH to false so that when users launch an app, they must respond to a prompt to use Touch ID.

Possible values: true or false

Default value: false

ENABLE_WORXHOME_CEIP

Display name: Enable Worx Home CEIP

This property turns on the Customer Experience Improvement Program. This will send anonymous configuration and usage data to Citrix periodically. This data helps Citrix improve the quality, reliability, and performance of XenMobile.

Value: true or false

Default value: false

ENABLE_WORXHOME_GA

Display name: Enable Google Analytics in Worx Home

This property enables or disables the ability to collect data using Google Analytics in Worx Home. When you change this setting, the new value is set only when the user next logs on to Secure Hub (Worx Home).

Possible values: true or false

Default value: true

ENCRYPT_SECRETS_USING_PASSCODE

Display name: Encrypt secrets using Passcode

This property lets sensitive data be stored on the mobile device in a secret vault instead of in a platform-based native store, such as the iOS keychain. This property enables strong encryption of key artifacts, but also adds user entropy (a user-generated random PIN code that only the user knows). 

Citrix recommends you enable this property to help provide higher security on user devices. As a result, users will experience more authentication prompts for the Citrix PIN.

Possible values: true or false

Default value: false

INACTIVITY_TIMER

Display name: Inactivity Timer

This property defines the time in minutes that users can leave their device inactive and then access an app without being prompted for a Citrix PIN or passcode. To enable this setting for an MDX app, you must set the App Passcode setting to On. If the App Passcode setting is set to Off, users are redirected to Secure Hub to perform a full authentication. When you change this setting, the value takes effect the next time users are prompted to authenticate.

Note: On iOS, the Inactivity Timer also governs access to Secure Hub for MDX and non-MDX apps.

Possible values: Any positive integer

Default value: 15

ON_FAILURE_USE_EMAIL

Display name: On failure Use Email to Send device logs to IT help desk

This property enables or disables the ability to use email to send device logs to IT.

Possible values: true or false

Default value: true

PASSCODE_EXPIRY

Display name: PIN Change Requirement

This property defines the time in days for which the Citrix PIN or passcode is valid, after which the user is forced to change their Citrix PIN or passcode. When you change this setting, the new value is set only when users' current Citrix PIN or passcode expires.

Possible values: 1 - 99 recommended. If you want users to never have to reset their PINs, set the value to a very high number (for example, 100,000,000,000).  If you originally set an expiry period of between 1 and 99 days and change to the large number during that period, PINs will still expire at the end of the initial period but never again afterward.

Default value: 90

PASSCODE_HISTORY

Display name: PIN History

This property defines the number of previously used Citrix PINs or passcodes that users cannot reuse when changing their Citrix PIN or passcode. When you change this setting, the new value is set the next time users reset their Citrix PIN or passcode.

Possible values: 1 - 99

Default value: 5

PASSCODE_MAX_ATTEMPTS

Display name: PIN Attempts

This property defines how many wrong Citrix PIN or passcode attempts users can make before being prompted for full authentication. After users successfully perform a full authentication, they are prompted to create a new Citrix PIN or passcode.

Possible values: Any positive integer

Default value: 15

PASSCODE_MIN_LENGTH

Display name: PIN Length Requirement

This property defines the minimum length of Citrix PINs.

Possible values: 1 - 99

Default value: 6

PASSCODE_STRENGTH

Display name: PIN Strength Requirement

This property defines the strength of Citrix PIN or passcode. When you change this setting, users are prompted to set a new Citrix PIN or passcode the next time they are prompted to authenticate.

Possible values: Low, Medium, or Strong

Default value: Medium

The following list describes the password rules for each strength setting based on the PASSCODE_TYPE setting:

Low

  • Rules for numeric passcode type: All numbers, any sequence allowed.
  • Rules for alphanumeric passcode type: Must contain at least one number and one letter.
    Not allowed: AAAaaa, aaaaaa, abcdef
    Allowed: aa11b1, Abcd1#, Ab123~, aaaa11, aa11aa

Medium (default setting)

  • Rules for numeric passcode type:
    1. All numbers cannot be the same. For example, 444444 is not allowed.
    2. All numbers cannot be consecutive. For example, 123456 or 654321 is not allowed.
    Allowed: 444333, 124567, 136790, 555556, 788888
  • Rules for alphanumeric passcode type: In addition to the rules for Low passcode strength:
    1. Letters and all numbers cannot be the same. For example, aaaa11, aa11aa, or aaa111 are not allowed.
    2. Letters cannot be consecutive and numbers cannot be consecutive. For example, abcd12, bcd123, 123abc, xy1234, xyz345, or cba123 are not allowed.
    Allowed: aa11b1, aaa11b, aaa1b2, abc145, xyz135, sdf123, ab12c3, a1b2c3, Abcd1#, Ab123~

High

  • Rules for numeric passcode type: Same as for the Medium Citrix PIN passcode strength.
  • Rules for alphanumeric passcode type: The passcode should include at least one capital letter and one small letter.
    Not allowed: abcd12, DFGH2
    Allowed: Abcd12, jkrtA2, 23Bc#, AbCd

Strong

  • Rules for numeric passcode type: Same as for the Medium Citrix PIN passcode strength.
  • Rules for alphanumeric passcode type: The passcode should include at least one number, one special symbol, one capital letter, and one small letter.
    Not allowed: abcd12, Abcd12, dfgh12, jkrtA2
    Allowed: Abcd1#, Ab123~, xY12#3, Car12#, AAbc1#

PASSCODE_TYPE

Display name: PIN Type

This property defines whether users are able to define a numerical Citrix PIN or an alphanumeric passcode. When you select Numeric, users can use numbers only (Citrix PIN). When you select Alphanumeric, users can use a combination of letters and numbers (passcode).

Note: If you change this setting, users must set a new Citrix PIN or passcode the next time that they are prompted to authenticate.

Possible values: Numeric or Alphanumeric

Default value: Numeric
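
The numeric-type rules listed under PASSCODE_STRENGTH can be expressed as a small checker, which is useful for testing a PIN policy before rollout. This is an added example, not Citrix code; the function name and the reading of "consecutive" as a strict run of +1 or -1 steps are assumptions, and the alphanumeric rules are not covered.

```python
# Added example, not Citrix code. Covers PASSCODE_TYPE = Numeric only.
# Assumption: "consecutive" means every step is +1 or every step is -1, as in
# the page's 123456 and 654321; wrap-around such as 890123 is not counted.

STRENGTHS = ("Low", "Medium", "High", "Strong")  # levels named in the rules


def check_numeric_pin(pin: str, strength: str = "Medium", min_length: int = 6) -> list:
    """Return the list of violated rules; an empty list means the PIN passes."""
    if strength not in STRENGTHS:
        raise ValueError(f"unknown PASSCODE_STRENGTH: {strength!r}")
    if not (pin.isascii() and pin.isdigit()):
        return ["numeric type allows digits 0-9 only"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than PASSCODE_MIN_LENGTH ({min_length})")
    if strength == "Low":
        return problems  # Low: all numbers, any sequence allowed
    # Medium rules; High and Strong use the same rules for numeric PINs.
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        problems.append("all digits are the same")
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        problems.append("digits are consecutive")
    return problems


# Examples quoted in the Medium rules on this page.
PAGE_REJECTED = ["444444", "123456", "654321"]
PAGE_ALLOWED = ["444333", "124567", "136790", "555556", "788888"]

if __name__ == "__main__":
    for pin in PAGE_REJECTED + PAGE_ALLOWED:
        print(pin, check_numeric_pin(pin) or "accepted")
```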

REFRESHINTERVAL

Display name: REFRESHINTERVAL

By default, XenMobile pings the Auto Discovery Server (ADS) for pinned certificates every 3 days. To change the refresh interval, go to Settings > Client Properties, add the custom key REFRESHINTERVAL, and set the Value to the number of hours.

Default value: 72 hours (3 days)

SEND_LDAP_ATTRIBUTES

For MAM-only deployments, you can configure XenMobile so that users with Android or iOS devices who enroll in Secure Hub with email credentials are automatically enrolled in Secure Mail. This means users do not have to enter additional information or take additional steps to enroll in Secure Mail. You must also set the server property MAM_MACRO_SUPPORT.

To configure this global client policy, go to Settings > Client Properties, add the custom key SEND_LDAP_ATTRIBUTES, and set the Value as follows.

Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

The attribute values are specified as macros, similar to MDM policies.

Here is a sample account service response for this property:

<property value="userPrincipalName=eng1@xmslab.com,sAMAccountName=eng1,displayName=eng1\,
test1,email=eng1@xmslab.com\,eng1@xmslab.com" name="SEND_LDAP_ATTRIBUTES"/>

Note: For this property, XenMobile treats comma characters as string terminators. Therefore, if an attribute value includes a comma, you must precede it with a backslash to prevent the client from interpreting the embedded comma as the end of the attribute value. Represent backslash characters with "\\".
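
The escaping rule in the note above can be checked with a round trip: build the value with commas and backslashes escaped, then split it the way a comma-terminated parser would. This is an added example, not Citrix code; the function names and sample values are constructed, and the splitting on the first "=" of each pair is an assumption about the client.

```python
# Added example, not Citrix code. Assumption: the client splits the value on
# unescaped commas and each pair on its first "="; the page documents only
# the comma and backslash escaping rules.

def escape_value(value: str) -> str:
    """Escape backslashes first, then commas, so the two cannot be confused."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def build_property(attrs: dict) -> str:
    """Join name=value pairs into one SEND_LDAP_ATTRIBUTES-style string."""
    return ",".join(f"{name}={escape_value(value)}" for name, value in attrs.items())


def parse_property(raw: str) -> dict:
    """Split on unescaped commas and undo the backslash escapes."""
    pairs, current, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and raw[i + 1:i + 2] in (",", "\\"):
            current.append(raw[i + 1])  # escaped character is literal
            i += 2
        elif raw[i] == ",":
            pairs.append("".join(current))  # unescaped comma ends the value
            current, i = [], i + 1
        else:
            current.append(raw[i])
            i += 1
    pairs.append("".join(current))
    attrs = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"fragment without '=': {pair!r} (unescaped comma?)")
        attrs[name] = value
    return attrs


# Constructed sample values, not taken from a real directory.
SAMPLE = {
    "userPrincipalName": "jdoe@example.test",
    "displayName": "Doe, Jane",
    "sAMAccountName": "CORP\\jdoe",
}

if __name__ == "__main__":
    raw = build_property(SAMPLE)
    print(raw)
    assert parse_property(raw) == SAMPLE
```

Without the escaping step, a display name such as "Doe, Jane" is cut at the comma and the remainder is read as a separate, malformed attribute.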