Product Documentation

Secure Forms Preview

Aug 31, 2016

Citrix Secure Forms, formerly called WorxForms, is a two-part app for creating and completing customized forms. Users create forms on the web-based Secure Forms Composer and then publish the forms to the Secure Forms mobile app, available for download on With the mobile app, end users fill out and submit forms from wherever they're working. For more information about the Secure Forms mobile app, see Secure Forms Mobile App.

Secure Forms is integrated with ShareFile, so submitted forms are easily collected in a designated ShareFile folder. Forms can also be collected by email or through a web service.

System Requirements

The Secure Forms Composer, available at, is supported on Chrome browsers only, for both Mac and PC.  Chrome on iOS, Android and Chromebooks is not supported.

The mobile app is supported only on iPhones and iPads running iOS versions 9 to 10.

What's New in Secure Forms

Add end-user data to forms. In Post to web service under Settings, form creators can opt to include the following end-user information as header data in a post to web service call:

• Active Directory user name (domain name or the default domain for XenMobile plus the Active Directory user name)
• ShareFile user name
• ShareFile domain name

This data is included automatically when end users submit forms.

Integrating Secure Forms with ShareFile

To deploy Secure Forms, you must set up ShareFile folders either manually or by using PowerShell script.  For instructions, see Integrating Secure Forms with ShareFile.

Wrapping and Adding Secure Forms to XenMobile

You wrap the Secure Forms mobile app with the MDX Toolkit, v. 10.3 for iOS, available on Follow the instructions in Wrapping iOS Mobile Apps and To add an MDX app to XenMobile.

Secure Forms Policies in XenMobile

For best performance, configure Secure Forms policies in the XenMobile console as follows:

Block camera:  Off

Block Photo Library:  Off

Block mic record: Off

Block location services:  Off

localized image

1. Set Network access as Tunneled to internal network.

localized image

2. Set App URL schemes as ctxforms and Allowed URLs as:,,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^col-g2m-2:,+^col-g2w 2:,+^maps:ios_addr,+^mapitem:,+^ctxinternalmail:,+^ctxmail:

3. After saving these changes and publishing the apps, go to Secure Forms and then at the end of Allowed URLs, add +^ctxforms: 

Creating Forms with the Secure Forms Composer

To begin creating forms on the Secure Forms Composer, users go to on a Chrome browser.  From there, they enter a ShareFile email address and password that belongs to the CitrixSecureFormsAdminUsers group.

When users sign in, they see this landing screen: 

localized image

From here, they can do the following:

  • Click New to create a new form.
  • View saved, unpublished forms in Drafts.
  • View published forms in Published.
  • Search forms.

Note: Published forms are called Templates, both in the composer and the mobile app.

Creating a New Form

On the landing screen, click New. The composer dashboard appears.

localized image

Forms consist of three components:  Cover, Content and Settings. In the Cover area, users name their forms and add optional descriptions and images. Clicking Next takes them to the Content area, where they add fields to their forms.

Adding Fields to Forms

To build a form, in Content view, users simply drag fields over from the left side of the composer.

localized image


They can choose fields that allow users to enter text, numbers, video, and audio, as well to scan bar codes, check a box, or choose from a drop-down menu.

Secure Forms supports the following bar code types: 







Code 39


Code 128


ITF (interleaved 2 of 5)


Code 93




EAN 13








Field Setting

When users add a field, Field Setting appears on the right side of the composer.  This is where users can designate a field as required, add help text, or add a description

Some settings are specific to particular fields. For example, users can select an audio quality level or specify the format for numbers, when they add those fields.

They can also add page breaks and numbers for a multiple-page form.

In Custom field name, users can create a name that is compatible with formats in which data might be exported, such as XML and CSV. This name doesn't appear on the published form. For example, users may see a field labeled "First Name," but the custom field name may be "Employee_First_Name".

Testing Forms

Forms are saved automatically in Drafts. At any time, users can sign on to the Secure Forms mobile app to test the form. Their permissions allow them to see drafts that end users don't see.  If they're satisfied with the form, they can return to the composer to publish it.

Composer Settings

In Settings, users choose how to collect forms, how to format the data, and whether to collect additional data.

localized image

Form Collection Methods

When end users click Submit on the mobile app, completed forms are collected by the following selected methods:

  • Uploaded to the ShareFile folder, in XML or CSV format.
  • Sent to an email address as PDFs. The mobile app flips to a prepared message in WorxMail for users to send.
  • Posted to a web service in XML, CSV or JSON format. You must enter a key:value pair that's included as header information in the web service call. For details, see Posting to Web Services later in this article.
  • Uploaded to a Network File System. For details, see Configuring a Network File System later in this article.

Configuring a Network File System

When you select Save to Network File System (NFS) as a data collection method, you need to enter the path to the folder where data is collected. Windows enforces the NFS folder permissions, which you can manage and structure according to your organization's needs.

Before you begin setting up NFS permissions, you first need to have a network file share connector configured in ShareFile, if you don't already. For steps on how to set up a network file share connector, see Create and manage StorageZone connectors.

Once the file share connector is added, make sure to configure the domain controller to trust the StorageZones Controller for delegation. Follow the configuration steps here.

Then you need to add as an allowable top-level domain:

  1. Go to C:\inetpub\wwwroot\Citrix\StorageCenter\AppSettingsRelease.config. C is the drive where the StorageZone Controller is installed
  2. Add to the end of allowable-top-level-app-domains. This is a comma-separated list of allowable top-level application domains with which the Storage Center can communicate:

    <add key="allowable-top-level-app-domains" value=",,,,,,,,,,,,,,,,"/>

Now you're ready to create NFS folder permissions.

1.  In the Active Directory, create two groups called SecureFormsLOB and CitrixSecureFormsEndUsers.     

  • SecureFormsLOB includes users who are allowed to create and fill out forms.
  • CitrixSecureFormsEndUsers includes users who are allowed to fill out forms but not to create them.

2.  Create a folder on your Network File System. For this example, the folder is called SecureFormsData.

3.  Give full control to SecureFormsLOB so its members can read, write, and delete data.

localized image

4. Give CitrixSecureFormsEndUsers write-only access, to ensure that its members can't read each other's data.

  • Under Type, select Deny
  • Under Advanced permissions, select the items as shown in the following figure.
localized image

NFS Settings in Secure Forms Composer

1. Use a network that has access to your StorageZone Controller. Secure Forms authenticates against this network to verify that you have the proper connector.

2. Set Save to Network File System (NFS) to On.

3. Enter a folder path in this format: NFS connector name / rootFolderPath/ FormDataFolder, where:

  • NFS connector name is the name of the NFS connector on ShareFile.
  • rootFolderPath is the path to the root folder where all form data is stored.
  • FormDataFolder is the root folder where all form data is stored. The root folder is automatically created if the folder is not there and is given the same permissions applied to the parent folder. In this example, the root folder is named SecureFormsData.
localized image

Publishing a Form with NFS

Before publishing a form, users have to enter a user name and password to authenticate on the server where the NFS is located. 

localized image

Auto Collect Data

Users select the Auto collect data check boxes if they want to collect an end user's location and email address, or the form submission date. The end user's permission isn't required to collect this data.

localized image

Key:Value Pairs

In Advanced, users can enter key:value pairs that are included with the form data in an XML or JSON file.

localized image

Posting to Web Services

Any web service you use to collect form data must meet the following criteria:

  • Be an HTTPS (secure) service. Other URL schemes are currently not supported.
  • Intercept POST requests sent by the client.
  • Read multipart/form-data as content type.
  • Respond to the URL request with the HTTP response status code. The client does not read the response body.
  • Process optional custom headers sent as a part of the URL request headers.

Follow these steps to configure form collection by web service:

1. Sign on to the Secure Forms Composer and create a new form.

2. Go to Settings and turn on the Post to web service collection method.

3. Select one of the data formats for the payload. The default is XML.  

Note: Media content—images, audio and video—is saved in a shared folder in ShareFile, and the file path is included in the file name.

4. Add a web service URL. For security reasons, Secure Forms requires an HTTPS URL with a valid certificate. The Secure Forms iOS client performs a POST request to this URL, with the form payload in the request body. The  request is sent as a multipart/form-data content type. The actual file is uploaded with the key "file" in the request.

For testing purposes, you can create a self-signed certificate and trust it on your device (iPhone / iPad). Use following instructions to create a self-signed certificate:

5. You can opt to provide custom headers to the URL request. These headers are sent as part of the URL request headers.

Client-sent URL request sample

For purposes of explanation, this request is captured in RAW format.  In practice, this request is sent to the server in XML, CSV or JSON format. The essential parts of this request are highlighted in red. The custom headers configured in the Secure Forms Composer are sent as request headers.

localized image

The Secure Forms client does not interpret the response body. To validate the server submission, the client reads the HTTP response status codes that the server sends in the header.  A status code of 200 signifies a successful submission. If the submission fails, an error message appears to the user.


With iBeacon technology, you can track locations, people and assets using beacons and Bluetooth functionality. You can also link form fields to beacons to autofill information, which saves time and improves accuracy.

For more information on iBeacon, see What Is iBeacon?. To read about use cases, see Yes, Real World Market Verticals Use Beacon Technology.

Follow these instructions to use beacons with Secure Forms.

System requirements

  • Beacon hardware. Citrix has tested beacons from Gimbal, but you can use any brand.
  • Secure Forms Composer and Secure Forms mobile app version 10.3.6.
  • A ShareFile domain whitelisted to use beacons with Secure Forms. To request your domain to be whitelisted, send a message to Citrix by clicking on the message icon in the upper-right corner of the Secure Forms Composer dashboard.
  • An iPhone or iPad running iOS 9 - 9.3.

Every beacon configuration includes a universally unique identifier, or UUID. It's best to use just one UUID for your company. This UUID will apply to every beacon you use.

Major and minor values are added to the UUID. Major values identify subsets of beacons; for example, all devices in a particular location, such as a warehouse or a hospital. Minor values identify individual beacons.

To activate a beacon

1. Register for a free Gimbal account.

localized image

2. Download the Gimbal Beacon Manager app onto your iOS device to configure, test and manage beacons.

3. On the Gimbal website, go to Beacons > Beacon Management and click Activate Beacon.

localized image


4. To activate a beacon you need to name the beacon and enter its factory ID. Some IDs are inside the battery compartment; you may find yours in another spot. Enter the ID and then click Activate Gimbal Beacon.

localized image

To configure your beacon

1. Go to Beacons > Beacon Configurations and then click New Configuration.

localized image

2. Name your configuration and select the beacon type. The Proximity UUID field populates automatically.

3. In the Major and Minor fields, enter numbers that identify individual beacons and their locations. Major and minor numbers are found on the Gimbal console at Beacons > Beacon Configurations.

localized image

4. Click Create Configuration.

Your new beacon configuration appears at the bottom of the list.


localized image

To apply the configuration to the active beacon

1. Go to Beacons > Beacon Management, find your beacon, and then under the Actions column, click the edit icon.

2. Click Configuration, in the list, click your configuration and then click Save to apply this configuration to your activated beacon.

localized image

You should now see your beacon with the applied configuration. You can check the Gimbal app to make sure the beacon is on and broadcasting.

localized image

To update beacons

1. To make a beacon discoverable, pull the battery out of the beacon and put it back in.

2. In the Gimbal Beacon Manager app, go to Configure. When the beacon is found, click Update Beacon.

localized image
localized image

To testing beacons

1. Sign on to the Secure Forms Composer and then create a form to test your beacon.

localized image

2. For purposes of the test, drag a Text element from the left side of the composer and create fields in which a user would enter a first name and a last name.

3. In the Custom field name box on the right, enter First Name and Last Name for the respective fields.


localized image
localized image

4.  Map the data between form fields and beacons. Create a CSV file where the column headings match the values entered in the Custom field name —in this example, First Name and Last Name. The CSV file must also have the UUID and major and minor beacon configuration data added as shown in the following figure.

localized image

5. Save the CSV file to Secure Forms > Beacons.

localized image

6. Upload the file to Settings in Secure Forms Composer.


localized image

7. Test the beacon on the Secure Forms mobile app:

  • On the device, make sure that Location Services and Bluetooth are enabled. You can also check the Beacon Manager app to ensure that the beacon is visible to the device.
  • Open the Secure Forms mobile app and wait for the test form to download.
  • Open the test form. If the app finds a beacon nearby, an autofill confirmation dialog box appears.
localized image

8. The form data populates­ based on the CSV file.

localized image

For more information about working with beacons, see Gimbal Developer Resources.

Publishing Forms

When users are done building their form, they click Publish. At that point, the form is saved in Published and becomes available on the Secure Forms mobile app under Templates.


To troubleshoot errors that users may see when using Secure Forms Composer, see Troubleshooting in Secure Forms Composer.