
Worx Home

Aug 23, 2016

Worx Home is the launchpad for the Citrix XenMobile experience. Users enroll their devices in Worx Home to gain access to the WorxStore, from which they can add Citrix-developed Worx apps—Secure Forms, WorxChat, WorxMail, WorxNotes, WorxWeb, WorxTasks, QuickEdit, and ShareFile Worx clients—and third-party apps, all of which you secure with the MDX Toolkit.

You can download Worx Home and other XenMobile components from the XenMobile downloads page.

System Requirements for Worx Home

Worx Home is supported for any device that runs one of the following operating systems:

iOS: 8 - 10

Android: 4.1.x, 4.4.x, 5.x, 6.x, and 7

Android 4.1.x is supported in MDM mode only. Android 4.2 and 4.3 are not supported.

Windows Phone: 8.1 and 10.


Windows Phone 10 is currently supported for XenMobile 10 and 10.3.x only. It is not supported for XenMobile 10.1. For XenMobile 9, you must install a patch for apps to work properly. You can download the patch from the XenMobile downloads page.

Citrix has tested Worx Home on the following devices. Not all supported devices are listed.

  • iPhone 4 – iPhone 6 Plus
  • iPad 2 – iPad Air 2
  • iPad mini – iPad mini 3
  • Nexus
  • Samsung Note
  • Samsung Galaxy
  • Samsung Galaxy Tab
  • HTC One
  • Nokia Lumia

What's New in Worx Home

iOS 10 and Android N compatibility. Worx Home supports iOS 10 and Android N. Note that Worx Home for iOS 10.3.10 does not support iOS 8 or earlier.

iOS 10 VPN. On iOS 10, a new VPN mechanism is used by default for secure local data sharing between Worx Home and MDX applications. For more information on the iOS VPN, please see XXX


The VPN mechanism does not apply to XenMobile MDM-only environments, and the VPN is not installed in MDM-only enrollments.

On iOS 9 and earlier, Worx Home does not use the new VPN mechanism.

VPN use on iOS 10 is the default deployment option. Worx Home 10.3.10 installs the VPN as part of the app installation process on iOS 10, or when users who have already installed Worx Home 10.3.10 upgrade their device to iOS 10. Users see an iOS message asking for permission to install the VPN. If the user does not allow the VPN configuration, a message informs them that in order to use Worx Home, they must allow the VPN configuration to install.

In some circumstances, the Worx Home VPN cannot be used, for example, if the customer is using a third-party VPN client, such as Cisco AnyConnect or the Citrix VPN app. This is because iOS allows only one VPN to be running on the device at the same time. In those limited cases, you can disable the Worx Home VPN from installing on users’ devices. However, be aware that users may experience more flips from a managed app to Worx Home.

Scenario 1 (recommended, default): Worx Home VPN enabled
This is the default XenMobile deployment option. No configuration updates or changes are necessary. This is the recommended deployment option if users have no other VPNs on their devices.

Scenario 2: Worx Home VPN disabled
Suggested for deployments in which users have other VPNs on their devices.

To disable the Worx Home VPN, go to Settings > Client Properties > Add in the XenMobile console and add the following custom client property:
Custom client property name: ENABLE_NETWORK_EXTENSION
Value:  0

Tracking Worx apps. For wrapped Worx apps for iOS 9 and iOS 10, Worx Home and the Worx Apps SDK work together to track the installed app list. Worx Home displays apps in the My Apps view using this tracking list. To accommodate this app tracking method:

  • In the My Apps view, newly installed apps appear with a blue dot next to them. This blue dot disappears the first time the app opens successfully.
  • If users attempt to open an app that has not finished installing or is updating, they see a message instructing them to try again.
  • If users attempt to open an app that has been deleted, they see a message instructing them to tap More to remove the app from Worx Home or install it from WorxStore.
  • If a user deletes a required app from the device springboard, the user must go to WorxStore to install the app again. The app is not installed again during the next online authorization or store refresh.

MacOS Sierra support. Worx Home now supports MacOS Sierra.

Arabic support. Worx Home is now available in Arabic.

Administering Worx Home

You perform most of the administration tasks related to Worx Home during the initial configuration of XenMobile. To make Worx Home available to users, follow these guidelines:

  • For iOS and Android: Unlike other Worx apps, do not wrap Worx Home or add it to XenMobile. Instead, upload Worx Home to the iOS App Store and the Google Play Store.
  • For Windows Phone: Wrap Worx Home for Windows Phone and add the app to XenMobile.

    You must use the MDX Toolkit for Windows Phone to re-sign and wrap Worx Home so that Windows Phone users can access the company application store published by XenMobile. XenMobile then deploys Worx Home to Windows Phone devices after users complete enrollment.

In addition to providing a portal for Worx apps, Worx Home refreshes most MDX policies stored in the XenMobile server for the installed apps when a user's NetScaler Gateway session renews after authentication with NetScaler Gateway.

Important: Changes to any of the following policies require that a user delete and reinstall the app to apply the updated policy: Security Group, Enable encryption, and WorxMail Exchange Server.

Worx PIN

You can configure Worx Home to use the Worx PIN, a security feature enabled in the XenMobile console in Settings > Client Properties. The setting requires enrolled mobile device users to sign on to Worx Home and activate any MDX wrapped apps by using a personal identification number (PIN).

The Worx PIN feature simplifies the user authentication experience when logging on to the secured wrapped apps, keeping users from having to repeatedly enter another credential like their Active Directory user name and password.

Users who sign on to Worx Home for the first time must enter their Active Directory user name and password. During sign on, Worx Home saves the Active Directory credentials or a client certificate on the user device and then prompts the user to enter a PIN. When users sign on again, they enter the PIN to access their Worx apps and WorxStore securely, until the next idle timeout period ends for the active user session. Related client properties enable you to encrypt secrets using Worx PIN, specify the passcode type for Worx PIN, and specify Worx PIN strength and length requirements. For details, see To add, edit, or delete client properties.

For iOS 8 and iOS 9 devices, when single sign-on is enabled for Worx Home and Touch ID is enabled, this combination replaces the use of a PIN. Users will still have to enter a PIN when signing on to Worx Home for the first time or restarting the device, or when iOS terminates the app in the background after the inactivity timer expires.

On Android, the inactivity timer is set by the XenMobile server client property, Inactivity Timer. This property sets the number of minutes that users can leave their devices inactive and then access an app without being prompted for a Worx PIN or passcode. The timer resets whenever users interact with their devices.

Certificate Pinning

Worx Home for iOS and Android supports SSL certificate pinning. This feature ensures that the certificate signed by your enterprise is used when Worx communicates with XenMobile, thus preventing connections from Worx clients to XenMobile when installation of a root certificate on the device compromises the SSL session. When Worx Home detects any changes to the server public key, Worx Home denies the connection.

Before you enroll devices or upgrade Worx Home, consider whether you want to enable certificate pinning, which is off by default and managed by the XenMobile Auto Discovery Service (ADS).

To use certificate pinning, you must request that Citrix upload certificates to the Citrix ADS server: Navigate to and then click Request Auto Discovery. For more information, see XenMobile AutoDiscovery Service.

Configuring Certificate + One-Time-Password Authentication for Worx Home

You can configure NetScaler so that Worx Home authenticates with a certificate plus a security token that serves as a one-time password. This configuration provides a strong security option that doesn't leave an Active Directory footprint on devices.

To enable Worx Home to use this type of authentication, you need to add a rewrite action and a rewrite policy in NetScaler that insert a custom response header of the form X-Citrix-AM-GatewayAuthType: CertAndRSA to indicate the NetScaler Gateway logon type.

Ordinarily, Worx Home uses the NetScaler Gateway logon type configured in the XenMobile console. However, this information isn’t available to Worx Home until Worx Home completes logon for the first time, so the custom header is required to tell Worx Home the logon type before that first logon.

Note: If different logon types are set in XenMobile and NetScaler, the NetScaler configuration overrides the XenMobile configuration. For details, see NetScaler Gateway and XenMobile.

1. In NetScaler, navigate to Configuration > AppExpert > Rewrite > Actions.

2. Click Add.

The Create Rewrite Action screen appears.

3. Fill in each field as shown in the following figure and then click Create.

localized image

The following result appears on the main Rewrite Actions screen.

localized image

4. You then need to bind the rewrite action to the virtual server as a rewrite policy. Go to Configuration > NetScaler Gateway > Virtual Servers and then select your virtual server.

localized image

5. Click Edit.

6. On the Virtual Servers configuration screen, scroll down to Policies.

7. Click + to add a new policy.

localized image

8. In the Choose Policy field, enter Rewrite.

9. In the Choose Type field, enter Response.

localized image

10. Click Continue.

The Policy Binding section expands.

localized image

11. Click Select Policy.

A screen with available policies appears.

localized image

12. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your selected policy filled in.

localized image

13. Click Bind.

If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.

localized image

14. To view the policy details, click Rewrite Policy.

localized image
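
Once the policy is bound, you can confirm that the gateway response actually carries the logon-type header. The script below is an added example, not Citrix code: it reads a raw HTTP response from stdin, looks for the header only in the header section, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: confirm a response carries X-Citrix-AM-GatewayAuthType: CertAndRSA.

# Prints the header value from a raw HTTP response on stdin. Only the first
# header section is read, so the same text in the body cannot satisfy the check.
gateway_auth_type() {
  awk '
    { sub(/\r$/, "") }              # tolerate CRLF line endings
    NR > 1 && $0 == "" { exit }     # a blank line ends the headers
    {
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
      if (name == "x-citrix-am-gatewayauthtype") {
        val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
      }
    }'
}

# Succeeds only if the header is present with the value CertAndRSA.
expects_cert_and_rsa() {
  [ "$(gateway_auth_type)" = "CertAndRSA" ]
}

# Constructed sample responses (not captured from a real gateway).
good=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-citrix-am-gatewayauthtype:  CertAndRSA\r\n\r\n<html></html>')
in_body_only=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nX-Citrix-AM-GatewayAuthType: CertAndRSA')

printf '%s\n' "$good" | expects_cert_and_rsa &&
  echo "good: header present" || echo "good: header missing"
printf '%s\n' "$in_body_only" | expects_cert_and_rsa &&
  echo "in_body_only: header present" || echo "in_body_only: header missing"
```
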

Port Requirement for ADS Connectivity for Android Devices

Port configuration ensures that Android devices connecting from Worx Home can access the Citrix ADS from within the corporate network. The ability to access ADS is important when downloading security updates made available through ADS.  ADS connections might not work with your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

Important: Worx Home 10.2 and 10.3 require you to allow Android devices to access the ADS. For details, see Port Requirements in the XenMobile documentation. Note that this communication is on outbound port 443. It's highly likely that your existing environment is designed to allow this access. Customers who cannot guarantee this communication are strongly discouraged from upgrading to Worx Home 10.2. If you have any questions, please contact Citrix Support.

Customers interested in enabling certificate pinning must complete the following prerequisites:

  • Collect the XenMobile server and NetScaler certificates. Each certificate must be in PEM format and must be the public certificate, not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

The new certificate pinning improvements require that devices connect to ADS before the device enrolls. This ensures that the latest security information is available to Worx Home for the environment in which the device is enrolling. If devices cannot reach ADS, Worx Home does not allow enrollment of the device. Therefore, opening up ADS access within the internal network is critical to enable devices to enroll.

To allow access to the ADS for Worx Home 10.2 for Android, open port 443 for the following IP addresses and FQDN:

FQDN  IP address

If certificate pinning is enabled: 

  • Worx Home pins your enterprise certificate during device enrollment.
  • During an upgrade, Worx Home discards any currently pinned certificate and then pins the server certificate on the first connection for enrolled users.

Note: If you enable certificate pinning after an upgrade, users must enroll again.

  • Certificate renewal does not require reenrollment, provided that the certificate public key did not change.
  • For Worx Home for iOS only: If the server certificate changes, and no longer matches the Worx Home certificate, users must uninstall Worx Home and re-enroll.

Certificate pinning supports leaf certificates, not intermediate or issuer certificates. Certificate pinning applies to Citrix servers, such as XenMobile and NetScaler Gateway, and not third-party servers.
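
The prerequisites above (PEM format, public certificate only) and the renewal rule (no re-enrollment if the public key is unchanged) can both be checked before you contact Citrix Support or renew a certificate. The script below is an added example, not Citrix tooling; it assumes the openssl command-line tool, and the file names, host name and test certificates are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks on PEM files collected for certificate pinning.

# Succeeds only if the file holds a certificate and no private key block.
pem_is_public_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
  ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Prints the SHA-256 of the leaf certificate's DER-encoded public key.
# The hash is only a comparison aid; the pin format Worx Home uses is an unknown.
spki_sha256() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when both certificates carry the same public key, the condition
# under which renewal does not require users to enroll again.
same_public_key() {
  a=$(spki_sha256 "$1") || return 2
  b=$(spki_sha256 "$2") || return 2
  [ "$a" = "$b" ]
}

# Constructed sample data: self-signed test certificates for a made-up host.
make_samples() {
  for k in old new; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$k.key" 2>/dev/null
  done
  gen() { openssl req -x509 -new -key "$1" -subj "/CN=xms.example.test" -days "$2" -out "$3" 2>/dev/null; }
  gen "$1/old.key" 30  "$1/current.pem"
  gen "$1/old.key" 365 "$1/renewed_same_key.pem"
  gen "$1/new.key" 365 "$1/renewed_new_key.pem"
  cat "$1/current.pem" "$1/old.key" > "$1/bundle_with_key.pem"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in current.pem bundle_with_key.pem; do
  pem_is_public_cert "$tmp/$f" && echo "$f: ok to submit" || echo "$f: REJECT"
done
for f in renewed_same_key.pem renewed_new_key.pem; do
  same_public_key "$tmp/current.pem" "$tmp/$f" &&
    echo "$f: pin still matches" || echo "$f: public key changed"
done
rm -rf "$tmp"
```
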

Related Articles

Worx Home Features

Worx Home allows you to monitor and enforce mobile policies while providing access to the Worx Home app store and live support. Users begin by downloading Worx Home onto their devices from the Apple, Android, or Windows app store.  When Worx Home opens, users enter the credentials provided by their companies to enroll their devices in Worx Home. For more details about device enrollment, see Enrolling Devices in XenMobile.

Once enrolled, users will see any apps and desktops that you've pushed in their My Apps tab. 
localized image

Users can add more apps from the WorxStore. On phones, as shown above, the WorxStore link is under the Settings hamburger icon in the upper left-hand corner:

localized image


On tablets, WorxStore is a separate tab:  

localized image


If you want to customize your WorxStore, go to Settings > Client Branding to change the name, add a logo, and specify how apps appear.

localized image

You can edit app descriptions in the XenMobile console.  Click Configure, then click Apps. Select the app from the table and click Edit. Select the platforms for the app with the description you’re editing and then enter the text in the Description box.

localized image


In WorxStore, users can browse only those apps and desktops that you've configured and secured in XenMobile. To add the app, users tap Details and then tap Add.

localized image

Worx Home also offers users a variety of ways to get help.  On tablets, tapping the question mark in the upper-right corner opens help options. On phones, users tap the hamburger menu icon in the upper-left corner and then tap Help.

localized image

Your IT Department shows the telephone and email of your company help desk, which users can access directly from the app. You enter phone numbers and email addresses in the XenMobile console. Click the gear icon in the upper-right corner. The Settings page appears. Click More and then click Client Support. The screen where you enter the information appears.

localized image

Report Issue shows a list of apps. Users choose the app that has the issue. Worx Home automatically generates logs and then opens a message in WorxMail with the logs attached as a zip file. Users add subject lines and descriptions of the issue. They can also attach a screenshot.

localized image

Send Feedback to Citrix opens a message in WorxMail with a Citrix support address filled in. In the body of the message, the user can enter suggestions for improving WorxMail. If WorxMail isn’t installed on the device, the native mail program will open.

localized image

Users can also tap Citrix Support, which opens the Citrix Knowledge Center. From there, they can search support articles for all Citrix products.

In Preferences, users can find information about their accounts and devices.

localized image

Worx Home also provides geo-location and geo-tracking policies if, for example, you want to ensure that a corporate-owned device does not breach a certain geographic perimeter. For details, see Location Device Policies. Additionally, Worx Home automatically collects and analyzes failure information so you can see what led to a particular failure. This function is supported by the software Crashlytics.