MDX policies for mobile productivity apps at a glance
This article lists the MDX app policies for Citrix mobile productivity apps for iOS and Android, along with their default values. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.
Note:
Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.
Authentication
Device passcode
- iOS: Yes
- Android: No
- Default setting: Off
Note:
This policy only applied to iOS 9 devices, which Citrix no longer supports.
App passcode
- iOS: Yes
- Android: Yes
- Default setting: On
Online session required grace period (minutes)
- iOS: Yes
- Android: No
- Default setting: 0
Maximum offline period
- iOS: Yes
- Android: Yes
- Default setting: 168 hours (7 days)
Alternate Citrix Gateway
Note:
This policy name in the Endpoint Management console is Alternate NetScaler Gateway.
- iOS: Yes
- Android: Yes
- Default setting: Empty
Device security
Block jailbroken or rooted
- iOS: Yes
- Android: Yes
- Default setting: On
Require device lock
- iOS: No
- Android: Yes
- Default setting: Off
Note:
On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.
Network requirements
Require Wi-Fi
- iOS: Yes
- Android: Yes
- Default setting: Off
Allowed Wi-Fi Networks
- iOS: Yes
- Android: Yes
- Default setting: Empty
Miscellaneous access
App update grace period (hours)
- iOS: Yes
- Android: Yes
- Default setting: 168 hours (7 days)
Note:
Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.
Disable required upgrade
- iOS: Yes
- Android: Yes
- Default setting: On
Erase app data on lock
- iOS: Yes
- Android: Yes
- Default setting: Off
Active poll period (minutes)
- iOS: Yes
- Android: Yes
- Default setting: 60 minutes (1 hour)
Note:
Only set this value lower than the default for high-risk apps, or performance may be affected.
Encryption
Encryption type
- iOS: Yes
- Android: Yes
- Default setting: MDX encryption
Caution:
For newly added apps, when you change from Platform encryption with compliance enforcement to MDX encryption, you are forced to remove and reinstall the app. The default setting for newly added apps is Platform encryption with compliance enforcement.
Non-compliant device behavior
- iOS: Yes
- Android: Yes
- Default setting: Allow app after warning
Enable MDX encryption
- iOS: Yes
- Android: No
- Default setting: On
Caution:
If you change this policy after deploying an app, users must reinstall the app.
Encryption keys
- iOS: No
- Android: Yes
- Default setting: Offline access permitted is the only available option.
Private file encryption
- iOS: No
- Android: Yes
- Default setting: SecurityGroup
Private file encryption exclusions
- iOS: No
- Android: Yes
- Default setting: Empty
Access limits for public files
- iOS: No
- Android: Yes
- Default setting: Empty
Note:
Enabling the Public file encryption policy enforces this policy (changed from the Disable Option to the SecurityGroup or Application option). This policy applies only to existing, unencrypted public files and specifies when to encrypt the files.
Public file encryption
- iOS: No
- Android: Yes
- Default setting: SecurityGroup
Public file encryption exclusions
- iOS: No
- Android: Yes
- Default setting: Empty
Public file migration
- iOS: No
- Android: Yes
- Default setting: Write (RO/RW)
Note:
Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.
Enable encryption
- iOS: Yes
- Android: No
- Default setting: On
Note:
If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Database encryption exclusions
- iOS: Yes
- Android: No
- Default setting: Empty
File encryption exclusions
- iOS: Yes
- Android: No
- Default setting: Empty
App interaction
Security Group
- iOS: No
- Android: Yes
- Default setting: Empty
Note:
If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Cut and copy
- iOS: Yes
- Android: Yes
- Default setting: Restricted
Paste
- iOS: Yes
- Android: Yes
- Default setting: Unrestricted
Document exchange (Open in)
- iOS: Yes
- Android: Yes
- Default setting: Restricted
URL domains excluded from filtering
- iOS: No
- Android: Yes
- Default setting: Empty
Allowed Secure Web domains
- iOS: No
- Android: Yes
- Default setting: Empty
Connection security level
- iOS: Yes
- Android: Yes
- Default setting: TLS
Inbound document exchange (Open In)
- iOS: Yes
- Android: Yes
- Default setting: Unrestricted
Restricted Open In exception list
- iOS: Yes
- Android: Yes
- Default setting: Empty (for Android); Office 365 apps (for iOS)
Note:
On Android, this policy was previously named Open In exclusions. On iOS, this policy is hidden. For details, see MDX policies for iOS apps.
App URL schemes
- iOS: Yes
- Android: No
- Default setting: Empty. All registered app URL schemes are blocked.
Allowed URLs
- iOS: Yes
- Android: No
- Default setting: For details about the default settings, see the App Interaction section in MDX policies for iOS apps.
Explicit logoff notifications
- iOS: Yes
- Android: No
- Default setting: Shared devices only, for Secure Mail
App interaction (outbound URL)
Domains excluded from URL filtering
- iOS: Yes
- Android: No
- Default setting: Empty
Allowed URLs
- iOS: Yes
- Android: No
- Default setting: For details about the default settings, see the App interaction (outbound URL) section in MDX policies for iOS apps.
Allowed Secure Web Domains
- iOS: Yes
- Android: No
- Default setting: Empty
App restrictions
Block camera
- iOS: Yes
- Android: Yes
- Default setting: Off for iOS; On for Android
Block gallery
- iOS: No
- Android: Yes
- Default setting: Off
Block Photo Library
- iOS: Yes
- Android: No
- Default setting: On
Block mic record
- iOS: Yes
- Android: Yes
- Default setting: On
Block dictation
- iOS: Yes
- Android: No
- Default setting: On
Block location services
- iOS: Yes
- Android: Yes
- Default setting: For Android: Default value is Off for Secure Mail. Default value is On for other apps.
Block SMS compose
- iOS: Yes
- Android: Yes
- Default setting: On
Block screen capture
- iOS: No
- Android: Yes
- Default setting: On
Block device sensor
- iOS: No
- Android: Yes
- Default setting: On
Block NFC
- iOS: No
- Android: Yes
- Default setting: On
Block iCloud
- iOS: Yes
- Android: No
- Default setting: On
Block Look Up
- iOS: Yes
- Android: No
- Default setting: On
Block file backup
- iOS: Yes
- Android: No
- Default setting: On
Block AirPrint
- iOS: Yes
- Android: No
- Default setting: On
Block Printing
- iOS: No
- Android: Yes
- Default setting: On
Block AirDrop
- iOS: Yes
- Android: No
- Default setting: On
Block file attachments
- iOS: Yes
- Android: No
- Default setting: Off
Block email compose
- iOS: Yes
- Android: No
- Default setting: On
Block Facebook and Twitter APIs
- iOS: Yes
- Android: No
- Default setting: On
Obscure screen contents
- iOS: Yes
- Android: No
- Default setting: On
Block third-party keyboards
- iOS: Yes
- Android: No
- Default setting: On
Note:
iOS 11 and later
Block app logs
- iOS: Yes
- Android: Yes
- Default setting: Off
Enable ShareFile
- iOS:
- Android: Yes
- Default setting: On
Enable Attach from Files
- iOS: Yes
- Android: No
- Default setting: On
App network access
Network access
- iOS: Yes
- Android: Yes
- Default setting: For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.
micro VPN session required
- iOS: Yes
- Android: Yes
- Default setting: Use Previous Setting. For newly uploaded apps, the default value is No.
micro VPN session required grace period (minutes)
- iOS: Yes
- Android: Yes
- Default setting: 0 (no grace period)
Exclusion List
- iOS: Yes
- Android: Yes
- Default setting: Empty
Block localhost connections
- iOS: No
- Android: Yes
- Default setting: Off
Certificate label
- iOS: Yes
- Android: Yes
- Default setting: Empty
App logs
Default log output
- iOS: Yes
- Android: Yes
- Default setting: file
Default log level
- iOS: Yes
- Android: Yes
- Default setting: 4 (informational messages)
Max log files
- iOS: Yes
- Android: Yes
- Default setting: 2
Max log file size
- iOS: Yes
- Android: Yes
- Default setting: 2 MB
Redirect app logs
- iOS: No
- Android: Yes
- Default setting: On
Encrypt logs
- iOS: No
- Android: Yes
- Default setting: Off
App geofence
Center point longitude
- iOS: Yes
- Android: Yes
- Default setting: 0
Center point latitude
- iOS: Yes
- Android: Yes
- Default setting: 0
Radius
- iOS: Yes
- Android: Yes
- Default setting: 0 (disabled)
Note:
Set the radius in meters. When set to zero, the geofence is disabled.
App settings
Secure Mail Exchange Server
- iOS: Yes
- Android: Yes
- Default setting: Empty
Note:
If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.
Secure Mail user domain
- iOS: Yes
- Android: Yes
- Default setting: Empty
Background network services
- iOS: Yes
- Android: Yes
- Default setting: Empty
Note:
If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server.
Background services ticket expiration
- iOS: Yes
- Android: Yes
- Default setting: 168 hours (7 days)
Background network service gateway
- iOS: Yes
- Android: Yes
- Default setting: Empty
Note:
If you configure this policy, set the network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network or if you want to use Citrix Gateway to proxy the connection to the internal Exchange Server. This policy takes effect when you configure the Network access policy.
Export contacts
- iOS: Yes
- Android: Yes
- Default setting: Off
Contact fields to export
- iOS: Yes
- Android: Yes
- Default setting: All
Accept all SSL certificates
- iOS: Yes
- Android: Yes
- Default setting: Off
Control locked screen notifications
- iOS: Yes
- Android: Yes
- Default setting: Allow
Use Secure Connection
- iOS: No
- Android: Yes
- Default setting: On
Default email notification
- iOS: Yes
- Android: No
- Default setting: On
Default sync interval
- iOS: Yes
- Android: Yes
- Default setting: 3 days
Note:
The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. Secure Mail displays only the sync interval values that are less than the Maximum email age filter.
Mail search limit
- iOS: Yes
- Android: Yes
- Default setting: Unlimited
Max sync interval
- iOS: Yes
- Android: Yes
- Default setting: All
Enable week number
- iOS: Yes
- Android: Yes
- Default setting: Off
Enable downloads of attachments over Wi-Fi
- iOS: Yes
- Android: Yes
- Default setting: Off
Allow offline documents
- iOS: Yes
- Android: Yes
- Default setting: Unlimited
Information Rights Management
- iOS: Yes
- Android: Yes
- Default setting: Off
Email classification
- iOS: Yes
- Android: No
- Default setting: Off
Email classification markings
- iOS: Yes
- Android: No
- Default setting: Empty
Email classification namespace
- iOS: Yes
- Android: No
- Default setting: Empty
Email classification version
- iOS: Yes
- Android: No
- Default setting: Empty
Default email classification
- iOS: Yes
- Android: No
- Default setting: UNOFFICIAL
Enable auto-save of draft emails
- iOS: Yes
- Android: Yes
- Default setting: On
Enable iOS data protection
- iOS: Yes
- Android: No
- Default setting: Off
Push Notifications EWS HostName
- iOS: Yes
- Android: No
- Default setting: Empty
Push notifications
- iOS: Yes
- Android: No
- Default setting: Off
Push notifications region
- iOS: Yes
- Android: No
- Default setting: Americas
Enable S/MIME during first Secure Mail startup
- iOS: Yes
- Android: No
- Default setting: Off
Initial authentication mechanism
- iOS: Yes
- Android: Yes
- Default setting: Use MDX provided mail server address
Initial authentication credentials
- iOS: Yes
- Android: Yes
- Default setting: Enrollment user name
Enable week number
- iOS: Yes
- Android: Yes
- Default setting: Off
Calendar Web and Audio Options
- iOS: Yes
- Android: Yes
- Default setting: GoToMeeting and User Entered
S/MIME public certificate source
- iOS: Yes
- Android: Yes
- Default setting: Exchange
LDAP Server address
- iOS: Yes
- Android: Yes
- Default setting: Empty
LDAP Base DN
- iOS: Yes
- Android: Yes
- Default setting: Empty
Access LDAP anonymously
- iOS: Yes
- Android: Yes
- Default setting: Off
Allowed email domains
- iOS: Yes
- Android: No
- Default setting: Empty
Note:
If empty, does not restrict domains.
Attempt Username Migration On Authentication Failure
- iOS: Yes
- Android: Yes
- Default setting: Off
Report Phishing Mail Addresses
- iOS: Yes
- Android: Yes
- Default setting: Empty
Report Phishing Mechanism
- iOS: No
- Android: Yes
- Default setting: Report via attachment (.eml)
Skype for Business Meeting Domains
- iOS: Yes
- Android: Yes
- Default setting: Empty
Export calendar
- iOS: Yes
- Android: Yes
- Default setting: Meeting time
Enable Slack
- iOS: Yes
- Android: Yes
- Default setting: Off
Slack workspace name
- iOS: Yes
- Android: Yes
- Default setting: Empty
Caller Identification
- iOS: Yes
- Android: No
- Default setting: On
Note:
If On, Secure Mail provides iOS with names and phone numbers of your saved contacts for caller identification.
Analytics
Enable Google Analytics
- iOS: Yes
- Android: No
- Default setting: On
Google Analytics level of detail
- iOS: Yes
- Android: Yes
- Default setting: Complete
Reporting
Citrix reporting
- iOS: Yes
- Android: No
- Default setting: Off
Note:
Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.
Upload token
- iOS: Yes
- Android: No
- Default setting: Empty
Send reports over Wi-Fi only
- iOS: Yes
- Android: No
- Default setting: On
Reporting file cache maximum
- iOS: Yes
- Android: No
- Default setting: 2 MB
OAuth support for Office 365
Use modern authentication for Office 365
- iOS: No
- Android: Yes
- Default setting: Off
Office 365 authentication mechanism
- iOS: Yes
- Android: No
- Default setting: Do not use OAuth
Trusted Exchange Online Hostnames
- iOS: Yes
- Android: Yes
- Default setting: outlook.office365.com
Trusted AD FS Hostnames
- iOS: Yes
- Android: Yes
- Default setting: login.microsoftonline.com
Custom user agent for modern authentication
- iOS: No
- Android: Yes
- Default setting: Empty
Note:
If you do not configure this policy, the default Secure Mail user agent is used during modern authentication.
Mail redirection
Mail redirection
- iOS: Yes
- Android: No
- Default setting: Secure Mail
Slack integration
Enable Slack
- iOS: Yes
- Android: Yes
- Default setting: Off
Slack workspace name
- iOS: Yes
- Android: Yes
- Default setting: Empty