Configuring MDX Policies for Android Apps in App Controller

Feb 28, 2014

You can configure the following policies in App Controller for apps that run on Android devices.

Authentication

Authentication
Determines if the app requires network logon to run. Default is Offline challenge only.

Options:

  • Network logon. Requires network logon to securely use the app, and users can only run the app while online. If you set the policy to require network logon, when users try to open an app, the following message appears: Sign on to Worx Home to securely use this app.
  • Offline access permitted after challenge. The app prompts for enterprise logon when possible, but allows offline use after the password challenge.
    Important: This option is deprecated.
  • Offline challenge only. Allows the app to run with an offline password challenge.
  • Not required. Does not require user authentication.
Note: After the maximum offline period for the app expires, Worx Home requires logon regardless of the policy setting.
Maximum offline period (hours)
Defines the maximum period an application can run offline without requiring an enterprise logon for the purpose of reconfirming entitlement and refreshing policies. Default is 72 hours (3 days).
Regardless of app logon requirements, this is the maximum time between logons needed to reconfirm entitlement and refresh policies. The minimum time you can configure is 1 hour. Users are reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users log on.
Note: If the Authentication policy is set to Network logon, this setting is ignored with no offline access allowed.
Reauthentication period (hours)
Defines the period before a user is challenged to authenticate again. Default is 8 hours. A setting of 0 (zero) prompts for logon each time the app is started or reactivated.
NetScaler Gateway address
The external NetScaler Gateway address to which users connect. Example: gateway.MyCorp.com. This setting is used for the Step-up Authentication Feature. If NetScaler Gateway has been configured, the application will use that Gateway for initial authentication, then use this Gateway address for step-up authentication. Default value is empty.

Device Security

Block jailbroken or rooted
The app is locked if the device is jailbroken (iOS) or rooted (Android). Default is On.

Options:

  • On. The app is locked when the device is jailbroken or rooted.
  • Off. The app can run on a jailbroken or rooted device.
Require device encryption
If On, the managed app is locked if the device does not have encryption configured. If Off, the app is allowed to run even if the device does not have encryption configured. Default is Off.
Important: This policy is supported only on Android 3.0 (Honeycomb) and later. Setting the policy to On prevents an app from running on older versions.
Require device pin or password
If On, the managed app is locked if the device does not have a PIN or password configured. If Off, the managed app is allowed to run even if the device does not have a PIN or password set. Default is Off.
Important: This policy is supported only on Android 4.1 (Jelly Bean) and later. Setting the policy to On prevents an app from running on older versions.
Require device pattern screen lock
If On, the managed app is locked if the device does not have a pattern screen lock configured. If Off, the managed app is allowed to run even if the device does not have a pattern screen lock set. Default is Off.
Note: This policy is only enforced if the Require device pin or password setting is Off.

Network Requirements

Require WiFi

Determines if the device requires a WiFi connection in order for an app to run. Default is Off.

Options:

  • On. The app is locked when the device is not connected to a WiFi network.
  • Off. The app can run even if the device does not have an active WiFi connection, for example over a 4G/3G or LAN connection.
Require internal network

The app requires a connection to a network within the organization. Default is Off.

Options:

  • On. The app is blocked when the device is not connected to an internal network.
  • Off. The app can run from an external network.
Internal WiFi networks
The app requires a connection to one of the specified wireless networks. Separate the network Service Set Identifiers (SSIDs) with commas. Default is an empty list. If the list is empty, users can connect to any WiFi network. If users log on from an external network (or they are not logged on), this policy is not enforced.

Miscellaneous Access

App update grace period (hours)
Defines the grace period during which users may use an app after the system has discovered that an app update is available. Default is 168 hours (7 days). If 0, the update must be applied immediately.
Note: Citrix recommends using a value other than zero (0). A zero (0) value would immediately prevent users, without warning, from using a running app until they download and install the update. This could lead to a situation in which users are forced to exit the app and potentially lose work.
Auth failures before lock
Locks the app after the specified number of consecutive offline logon failures and prompts the user to log on. Default is 5 failures. If you enter 0, the app does not lock no matter how many times users enter incorrect credentials.
Erase app data on lock

Erases data and resets the app when the app is locked. Default is Off.

Options:

  • On. App data is automatically erased when the app is locked.
  • Off. App data is not erased automatically when the app is locked.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user
  • Removal of app subscription
  • Uninstallation of Worx Home
  • Too many app authentication failures
  • Rooted device, when the policy blocks the app from running on such a device
  • Other administrative action to lock the device
Active poll period (minutes)
When an app starts, the MDX framework polls App Controller to determine current app and device status. Assuming App Controller can be reached, the framework returns information about the lock and erase status of the device and the enable or disable status of the app. Whether App Controller can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll starts.
Important: Set a lower value only for high-risk apps; otherwise, performance may be affected.

Encryption

Encryption keys
Enables secrets used to derive encryption keys to be persisted on the device. Offline access permitted is the only available option. Citrix recommends that you set the Authentication policy to enable a network logon or an offline password challenge in order to protect access to the encrypted content.
File encryption version
Specifies the encryption version for public and private file encryption. Citrix recommends Current to provide the maximum security, especially in the case of a new app deployment. If you select Current, note that users must reinstall any apps that include a previous encryption version, such as Legacy, or else they may lose data. Default value is Current.
Private file encryption
Controls the encryption of private data files in the following locations: /data/data/appname and /mnt/sdcard/Android/data/appname. Default is Application.
Options:
  • Disabled. Private files are not encrypted.
  • SecurityGroup. Encrypts private files by using a key shared by all MDX apps in the same security group.
  • Application. Encrypts private files using a key unique to the application.
Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the internal and external sandboxes. Default is empty.
Access limits for public files
Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). Files matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the first matching path is used to set the access limit. This policy is enforced only when Public file encryption is enabled (changed from Disabled to SecurityGroup or Application). Default value is empty.
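As an added illustration (not code from this page or from Citrix), the following Python shows how a list in that format is evaluated for a public file path: each entry is split into its regular-expression path and its (NA)/(RO)/(RW) suffix, the entries are tried in order, the first match wins, and nothing is enforced while Public file encryption is Disabled. The sample policy value is constructed; treating the regular expression as a full-path match, and treating "no matching entry" as "no limit from this policy", are assumptions.

```python
import re
from enum import Enum
from typing import List, Optional, Tuple


class Access(Enum):
    """The three access limits the policy can assign to a matching file."""
    NA = "No Access"
    RO = "Read Only"
    RW = "Read Write"


# One policy entry: a regular-expression path followed by (NA), (RO) or (RW).
ENTRY = re.compile(r"^(?P<path>.+)\((?P<limit>NA|RO|RW)\)$")

# Constructed sample policy value (not from the page). Order matters: the
# .apk entry must precede the catch-all Download/.* entry or it never applies.
SAMPLE_POLICY = r"Download/.*\.apk(NA),Download/.*(RO),Documents/.*(RW)"


def parse_access_limits(value: str) -> List[Tuple[re.Pattern, Access]]:
    """Split the comma-separated policy into ordered (compiled regex, limit) pairs.
    Caveat: because the separator is a comma, a path regex must not contain a
    literal comma (for example a {1,3} quantifier) or the entry is split in two."""
    rules = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY.match(entry)
        if m is None:
            raise ValueError(f"entry {entry!r} lacks a (NA)/(RO)/(RW) suffix")
        rules.append((re.compile(m["path"]), Access[m["limit"]]))
    return rules


def access_for(path: str, rules: List[Tuple[re.Pattern, Access]],
               public_encryption: str = "SecurityGroup") -> Optional[Access]:
    """Return the limit the policy applies to `path` (relative to external
    storage, as in the policy), or None when the policy imposes none."""
    # The page states the policy is enforced only once public file encryption
    # is enabled (SecurityGroup or Application), so Disabled short-circuits.
    if public_encryption == "Disabled":
        return None
    for regex, limit in rules:
        # Assumption: the regular expression must match the whole relative path.
        if regex.fullmatch(path):
            return limit          # first matching entry wins
    return None                   # assumption: no entry matched, so no limit


if __name__ == "__main__":
    rules = parse_access_limits(SAMPLE_POLICY)
    for p in ("Download/tool.apk", "Download/report.pdf",
              "Documents/notes.txt", "DCIM/photo.jpg"):
        print(p, "->", access_for(p, rules))
```

The sample policy also shows why order matters in a first-match list: with the two Download entries swapped, Download/.* would capture every .apk first and the No Access entry would never apply.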
Public file encryption
Determines whether public files are encrypted and which key is used. Default value is SecurityGroup.
Options:
  • Disabled. Public files are not encrypted.
  • SecurityGroup. Encrypts public files by using a key shared by all MDX apps in the same security group.
  • Application. Encrypts public files by using a key unique to this app.

Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the default external storage and to any device specific external storage.
Public file migration
This policy is enforced only when you enable Public file encryption (changed from Disabled to SecurityGroup or Application). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted.
Options:
  • Disabled. Does not encrypt public files.
  • Write (RO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.
Note: New files, and replacement files written over existing unencrypted files, are encrypted in every case.
Caution: Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

App Interaction

Security Group
Leave this field blank if you want all mobile apps managed by App Controller to exchange information with one another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or Human Resources).
Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. When you choose Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. When you choose Restricted, documents can be exchanged only with other MDX apps. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Open In exclusions
When you set Document exchange (Open In) to Restricted, enter Android intents that serve as exceptions. As such, these intents are allowed to be passed to unmanaged apps.

App Restrictions

Block camera

Prevents an app from directly using the camera hardware. Default is On.

Block mic record
Prevents an app from directly using the microphone hardware. Default is On.
Block location services
Prevents an app from using the location services components (GPS or network). Default is On.
Block SMS compose
Prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default is On.
Block screen capture

Prevents user-initiated screen captures while the app is running. Default is On.

Block device sensor

Prevents an app from using the device sensors, such as the accelerometer, motion sensor, or gyroscope. Default is On.

Block application logs
If On, prohibits an app from using the Worx App diagnostic logging facility. If Off, application logs are recorded and may be collected using the Worx Home email support feature. Default is Off.

Network Access

Network access
Prevents, permits, or redirects app network activity. The app either blocks network use or restricts it to an application-specific tunnel through the gateway. Default is Blocked.
Note: The default for WorxMail and WorxWeb is Tunneled to the internal network.

Options:

  • Unrestricted. Allows unrestricted access to the internal network.
  • Blocked. When blocked, the app behaves as if the device has no network connection. All network access is blocked.
  • Tunneled to the internal network. A per-app VPN tunnel through NetScaler Gateway to the internal network is used for all network access.
Certificate label
You can enter a label to identify the certificate for this app. When a certificate is required in order for HTTP traffic to meet a server authentication challenge, the label enables the micro VPN code to acquire the appropriate certificate. If configuring user certificate enrollment through Device Manager, the certificate label must match the Device Manager Certificate Enrollment configuration. Default is empty.

Application Logs

Default log output
Determines which output media the Worx App diagnostic logging facility uses by default. Possibilities are:
  • File (default)
  • Console
  • Both file and console
Default log level
Controls the default verbosity of the Worx App diagnostic logging facility. Each level also includes the messages of all lower levels. The possible levels are:
  • 0 - Nothing logged
  • 1 - Critical errors
  • 2 - Errors
  • 3 - Warnings
  • 4 - Informational messages
  • 5 - Detailed informational messages
  • 6 through 15 - Debug levels 1 through 10

Default is level 4 (Informational messages).

Max log files

Limits the number of log files retained by the Worx App diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.

Max log file size
Limits the size in megabytes (MB) of the log files retained by the Worx App diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
Redirect system logs
If On, intercepts and redirects system or console logs from an application to the Worx App diagnostic facility. If Off, application use of system or console logs is not intercepted. Default is On.

Application Settings

You can configure the following policies for WorxMail on both Android and iOS devices:

  • WorxMail Exchange Server. The fully qualified domain name (FQDN) for Exchange Server or IBM Notes Traveler server. Default is empty. If you provide a domain name in this field, users cannot edit it. If you leave the field empty, users provide their own server information.
  • WorxMail user domain. The default Active Directory domain name for Exchange or Notes users. Default is empty.
  • Background network services. The FQDN and port of the ActiveSync server, such as servername:443. This might be an Exchange Server, either in your internal network or in another network that WorxMail connects to, such as mail.mycompany.com:443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
  • Background services ticket expiration. The time period that a background network service ticket remains valid. When WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, App Controller issues a token that WorxMail uses to connect to the internal Exchange Server. This property setting determines the duration that WorxMail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token. Default value is 168 hours (7 days).
  • Background network service gateway. This is the NetScaler Gateway FQDN and port number that WorxMail uses to connect to the internal Exchange Server. The format is "fqdn:port". In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway. The default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server.
  • Export contacts. If Off, prevents the one-way synchronization of WorxMail contacts to the device and prevents the sharing of WorxMail contacts (as vCards). Default is Off.
    Important: Do not enable this feature if users can access your Exchange Server directly (that is, outside of NetScaler Gateway). Otherwise, duplicate contacts will result on the device and in Exchange.
  • Accept all SSL certificates. If On, WorxMail accepts all SSL certificates (valid or not) and allows access. If Off, WorxMail blocks access when a certificate error occurs and displays a warning. Default is Off.
  • Information Rights Management. If On, WorxMail supports Exchange Information Rights Management (IRM) capabilities. Default is Off.
  • Allow external attachments. If On, WorxMail accepts attachments sent from other apps. If Off, WorxMail rejects attachments sent from other apps and displays a warning. Default is On.

WorxWeb Application Settings

You can configure the following policies for WorxWeb on both Android and iOS devices:

Allowed or blocked websites
WorxWeb normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a plus sign (+) or minus sign (-). The browser compares a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
  • A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
  • A plus (+) prefix allows the URL to be processed normally.
  • If neither + nor - is provided with the pattern, + (allow) is assumed.
  • If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a Minus Sign followed by an asterisk (-*). For example:
  • The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within the mycorp.com domain but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
  • The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any site in the training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.

Default value is empty (all URLs allowed).
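The following Python is an added example (not code from this page or from the WorxWeb browser) of the matching rules just described, run over the two policy values quoted above: patterns are tried in order, a missing prefix means allow, the first match decides, and a URL that matches nothing is allowed, which is why a restrictive list ends with -*. It also exposes a detail the examples leave implicit: the pattern *.mycorp.com requires a dot, so the bare host http://mycorp.com/ falls through to the -http://* rule. Two assumptions are labelled in the code: a pattern must cover the whole URL, and matching ignores case.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The two policy values quoted on the page, used here as test input.
POLICY_CORP = "+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*"
POLICY_LAB = "+http://*.training.lab/*,+https://*.training.lab/*,-*"


def parse_url_policy(value: str) -> List[Tuple[bool, re.Pattern]]:
    """Turn the comma-separated policy value into ordered (allow, regex) rules.
    A '+' prefix allows, '-' blocks, and no prefix means '+'. Within a pattern
    '*' matches any run of characters; everything else is literal."""
    rules = []
    for raw in value.split(","):
        pat = raw.strip()
        if not pat:
            continue
        allow = True
        if pat[0] in "+-":
            allow = pat[0] == "+"
            pat = pat[1:]
        regex = ".*".join(re.escape(piece) for piece in pat.split("*"))
        # Assumption: the pattern must cover the whole URL, and matching ignores
        # case (the page describes the lowercase training.lab pattern as
        # matching the "Training.lab" domain).
        rules.append((allow, re.compile(regex, re.IGNORECASE)))
    return rules


def url_allowed(url: str, rules: List[Tuple[bool, re.Pattern]]) -> bool:
    """Walk the rules in order; the first pattern that matches decides.
    A URL matching no pattern (or an empty policy) is allowed."""
    for allow, regex in rules:
        if regex.fullmatch(url):
            return allow
    return True


def evaluate(value: str, urls: Iterable[str]) -> Dict[str, bool]:
    """Decision per URL for one policy value."""
    rules = parse_url_policy(value)
    return {u: url_allowed(u, rules) for u in urls}


if __name__ == "__main__":
    for url, ok in evaluate(POLICY_CORP, [
        "http://intranet.mycorp.com/home",   # allowed by the first pattern
        "http://mycorp.com/",                # no dot before mycorp.com: blocked
        "https://www.example.com/",          # HTTPS anywhere: allowed
        "mailto:someone@example.com",        # caught by the trailing -*
    ]).items():
        print("allow" if ok else "block", url)
```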

Preloaded bookmarks
Defines a preloaded set of bookmarks for the WorxWeb browser. The policy is a comma-separated list of tuples that include folder name, friendly name, and web address. Each triplet should be of the form folder,name,url where folder and name may optionally be enclosed in double quotes (").

For example, the policy value ,"Mycorp, Inc. home page",http://www.mycorp.com, "MyCorp Links",Account logon,https://www.mycorp.com/Accounts, "MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx defines three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link is placed in a folder titled "MyCorp Links" and labeled "Account logon". The third is placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us".

Default value is empty.
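As an added example (not code from this page or from WorxWeb), this Python parses a Preloaded bookmarks value into folder,name,url triplets. It uses the standard csv module because the format is exactly a quoted comma-separated list: a quoted name such as "Mycorp, Inc. home page" may contain its own comma, a leading empty field means a top-level link, and a slash in the folder field denotes a subfolder. The sample value is the page's three-bookmark example; the Bookmark type and folder_path helper are this example's own names.

```python
import csv
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Bookmark:
    folder: str   # "" for a primary (top-level) link; "A/B" is subfolder B of folder A
    name: str
    url: str


# Constructed sample: the page's three-bookmark example, spacing included.
# "Mycorp, Inc. home page" must be quoted because the name contains a comma.
SAMPLE_BOOKMARKS = (
    ',"Mycorp, Inc. home page",http://www.mycorp.com,'
    ' "MyCorp Links",Account logon,https://www.mycorp.com/Accounts,'
    ' "MyCorp Links/Investor Relations","Contact us",http://www.mycorp.com/IR/Contactus.aspx'
)


def parse_bookmarks(value: str) -> List[Bookmark]:
    """Parse the folder,name,url triplet list. csv handles the optional double
    quotes around folder and name, so a quoted value may itself contain commas;
    skipinitialspace lets a quote follow the space after a separating comma."""
    if not value.strip():
        return []                      # empty policy: no preloaded bookmarks
    fields = next(csv.reader([value], skipinitialspace=True))
    if len(fields) % 3:
        raise ValueError(f"expected folder,name,url triplets, got {len(fields)} fields")
    bookmarks = []
    for i in range(0, len(fields), 3):
        folder, name, url = (f.strip() for f in fields[i:i + 3])
        if not name or not url:
            raise ValueError(f"triplet {i // 3 + 1} is missing a name or URL")
        bookmarks.append(Bookmark(folder, name, url))
    return bookmarks


def folder_path(bookmark: Bookmark) -> List[str]:
    """Split 'MyCorp Links/Investor Relations' into its nested folder names."""
    return [part for part in bookmark.folder.split("/") if part]


if __name__ == "__main__":
    for bm in parse_bookmarks(SAMPLE_BOOKMARKS):
        print(folder_path(bm) or "(top level)", "|", bm.name, "|", bm.url)
```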

Home page URL
Defines the website that WorxWeb loads when started. Default value is empty (default start page).
Browser user interface
Dictates the behavior and visibility of browser user interface controls for WorxWeb. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.

Options:

  • All controls visible. All controls are visible and users are not restricted from using them.
  • Read-only address bar. All controls are visible, but users cannot edit the browser address field.
  • Hide address bar. Hides the address bar, but not other controls.
  • Hide all controls. Suppresses the entire toolbar, giving a frameless browsing experience with no browser chrome.