Product Documentation

Worx App Administration and Delivery

Apr 08, 2016

You control the configuration and operation of Worx apps through administrative features, such as MDX policies and other XenMobile settings. This article provides an overview of Worx app administration and delivery.

MDX Policies for Worx Apps

MDX policies enable you to configure settings that the Worx Store enforces in the area of authentication, device security, network requirements and access, encryption, app interaction, app restrictions, and more. Many MDX policies apply to all Worx apps; some policies are app-specific.

Policy files are provided with the MDX Toolkit. You can directly edit the policy files and you can configure policies in the XenMobile console when you add an app.

The following sections describe the MDX policies related to user connections. For details about policies specific to Worx apps, see the Worx app articles. For a complete list of policies and their descriptions, see MDX Policies at a Glance and its sub-articles.

User Connections to the Internal Network

Connections that tunnel to the internal network can use a full VPN tunnel or a variation of a clientless VPN, referred to as secure browse. The Preferred VPN mode policy controls that behavior. By default, connections use secure browse, which is recommended for connections that require SSO. The full VPN tunnel setting is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network; the setting handles any protocol over TCP and can be used with Windows and Mac computers as well as iOS and Android devices.

WorxWeb for iOS supports use of a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment. For details, see Configuring User Connections.

The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse modes as needed. By default, this policy is off. When this policy is on, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates can be accommodated by the full VPN tunnel mode, but not secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode.

Network Access Restrictions

The Network access policy specifies whether restrictions are placed on network access. By default, WorxMail and WorxNotes access is unrestricted, which means no restrictions are placed on network access; apps have unrestricted access to networks to which the device is connected. By default, WorxWeb access is tunneled to the internal network, which means a per-application VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel settings are used. You can also specify blocked access so that the app operates as if the device has no network connection.

Do not block the Network access policy if you want to allow features such as AirPrint, iCloud, and Facebook and Twitter APIs.

The Network access policy also interacts with the Background network services policy. For details, see Integrating Exchange Server or IBM Notes Traveler Server.

Worx Client Properties

Client properties contain information that is provided directly to Worx Home on user devices. Client properties are located in the XenMobile console in Settings > More > Client Properties.

localized image

Client properties are used to configure settings such as the following:

User password caching

User password caching allows the users' Active Directory password to be cached locally on the mobile device. If you enable user password caching, users are prompted to set a Worx PIN or passcode.

Inactivity timer

The inactivity timer defines the time in minutes that users can leave their device inactive and then can access an app without being prompted for a Worx PIN or passcode. To enable this setting for an MDX app, you must set the App passcode policy to On. If the App passcode policy is Off, users are redirected to Worx Home to perform a full authentication. When you change this setting, the value takes effect the next time users are prompted to authenticate.

Worx PIN authentication

Worx PIN simplifies the user authentication experience. Worx PIN is used to secure a client certificate or save Active Directory credentials locally on the device. If you configure Worx PIN settings, the user sign on experience is as follows:

1. When users start Worx Home for the first time, they receive a prompt to enter a PIN, which caches the Active Directory credentials.

2. When users subsequently start a Worx app, they enter the PIN and sign on.

You use client properties to enable Worx PIN authentication, specify the PIN type, and specify PIN strength, length, and change requirements.

Touch ID authentication

Touch ID is an alternative to Worx PIN when wrapped apps, except for Worx Home, need offline authentication, such as when the inactivity timer expires. You can enable this feature in the following authentication scenarios:

Worx PIN + Client certificate configuration
Worx PIN + Cached AD password configuration
Worx PIN + Client certificate configuration and Cached AD password configuration
Worx PIN is off

If Touch ID authentication fails or if a user cancels the Touch ID prompt, wrapped apps fall back to Worx PIN or AD password authentication.

Touch ID authentication requirements:

- iOS devices (minimum version 8.1) that support Touch ID and have at least one fingerprint configured.

- User entropy must be off.

To configure Touch ID authentication

Important: The Enable Touch ID Authentication property is ignored if user entropy, which is enabled through the Encrypt secrets using Passcode key, is on.

1. In the XenMobile console, go to Configure > Settings > More > Client Properties.

2. Click Add.

localized image

3. Add the key ENABLE_TOUCH_ID_AUTH, set its Value to True, and set the policy Name to Enable Touch ID Authentication.

Worx App Delivery

To deliver a new Worx app or an update of a previously delivered Worx app, follow these general steps:

1. Download the latest Worx apps and MDX Toolkit from

2. Review the article for each app in this section. In particular, be aware of upgrade considerations and known issues.

3. After installing the MDX Toolkit, use the toolkit to wrap the apps.

Citrix provides the MDX Toolkit that you use to wrap mobile apps for iOS, Android, and Windows Phone 8.1 devices with Citrix logic and policies. For details, see About the MDX Toolkit.

To take advantage of the latest MDX policies, be sure to re-wrap your apps with each updated release of the MDX Toolkit.

4. Upload Worx Home (unwrapped) to the iOS App Store and the Google Play Store. Wrap Worx Home for Windows Phone and add it to XenMobile.

5. Use the XenMobile web console to add mobile apps and then deliver them to user devices.