
MDX policies for mobile productivity apps at a glance

This article notes the MDX app policies for Citrix mobile productivity apps for iOS and Android, along with the default values. You change policy settings in the Citrix Endpoint Management console. For details, see Add apps.

Note:

Secure Hub refreshes policies during certain actions. For details, see Administering Secure Hub.

Authentication

Device passcode

  • iOS: Yes
  • Android: No
  • Default setting: Off

    Note:

    This policy only applied to iOS 9 devices, which Citrix no longer supports.

App passcode

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Online session required grace period (minutes)

  • iOS: Yes
  • Android: No
  • Default setting: 0

Maximum offline period

  • iOS: Yes
  • Android: Yes
  • Default setting: 168 hours (7 days)

Alternate Citrix Gateway

Note:

This policy name in the Endpoint Management console is Alternate NetScaler Gateway.

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Device security

Block jailbroken or rooted

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Require device lock

  • iOS: No
  • Android: Yes
  • Default setting: Off

Note:

On Android M devices, the Device PIN or passcode and Device pattern screen lock options have the same effect: With either of those options, the app is locked if the device does not have a PIN, passcode, or pattern screen lock set.

Network requirements

Require Wi-Fi

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Allowed Wi-Fi Networks

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Miscellaneous access

App update grace period (hours)

  • iOS: Yes
  • Android: Yes
  • Default setting: 168 hours (7 days)

    Note:

    Citrix recommends using a value other than zero (0). A zero value immediately prevents users, without warning, from using a running app until they download and install the update. This setting may lead to a situation in which users are forced to exit the app and potentially lose work.

Disable required upgrade

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Erase app data on lock

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Active poll period (minutes)

  • iOS: Yes
  • Android: Yes
  • Default setting: 60 minutes (1 hour)

    Note:

    Only set this value lower than the default for high-risk apps, or performance may be affected.

Encryption

Encryption type

  • iOS: Yes
  • Android: Yes
  • Default setting: MDX encryption

    Caution:

    For newly added apps, when you change from Platform encryption with compliance enforcement to MDX encryption, you are forced to remove and reinstall the app. The default setting for newly added apps is Platform encryption with compliance enforcement.

Non-compliant device behavior

  • iOS: Yes
  • Android: Yes
  • Default setting: Allow app after warning

Enable MDX encryption

  • iOS: Yes
  • Android: No
  • Default setting: On

    Caution:

    If you change this policy after deploying an app, users must reinstall the app.

Encryption keys

  • iOS: No
  • Android: Yes
  • Default setting: Offline access permitted is the only available option.

Private file encryption

  • iOS: No
  • Android: Yes
  • Default setting: SecurityGroup

Private file encryption exclusions

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Access limits for public files

  • iOS: No
  • Android: Yes
  • Default setting: Empty

    Note:

    Enabling the Public file encryption policy enforces this policy (changed from the Disable Option to the SecurityGroup or Application option). This policy applies only to existing, unencrypted public files and specifies when to encrypt the files.

Public file encryption

  • iOS: No
  • Android: Yes
  • Default setting: SecurityGroup

Public file encryption exclusions

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Public file migration

  • iOS: No
  • Android: Yes
  • Default setting: Write (RO/RW)

    Note:

    Encrypting an existing public file makes the file unavailable to other apps that do not have the same encryption key.

Enable encryption

  • iOS: Yes
  • Android: No
  • Default setting: On

    Note:

    If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Database encryption exclusions

  • iOS: Yes
  • Android: No
  • Default setting: Empty

File encryption exclusions

  • iOS: Yes
  • Android: No
  • Default setting: Empty

App interaction

Security Group

  • iOS: No
  • Android: Yes
  • Default setting: Empty

    Note:

    If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Cut and copy

  • iOS: Yes
  • Android: Yes
  • Default setting: Restricted

Paste

  • iOS: Yes
  • Android: Yes
  • Default setting: Unrestricted

Document exchange (Open in)

  • iOS: Yes
  • Android: Yes
  • Default setting: Restricted

URL domains excluded from filtering

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Allowed Secure Web domains

  • iOS: No
  • Android: Yes
  • Default setting: Empty

Connection security level

  • iOS: Yes
  • Android: Yes
  • Default setting: TLS

Inbound document exchange (Open In)

  • iOS: Yes
  • Android: Yes
  • Default setting: Unrestricted

Restricted Open In exception list

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty (for Android); Office 365 apps (for iOS)

    Note:

    On Android, this policy was previously named Open In exclusions. On iOS, this policy is hidden. For details, see MDX policies for iOS apps.

App URL schemes

  • iOS: Yes
  • Android: No
  • Default setting: Empty. All registered app URL schemes are blocked.

Allowed URLs

  • iOS: Yes
  • Android: No
  • Default setting: For details about the default settings, see the App Interaction section in MDX policies for iOS apps.

Explicit logoff notifications

  • iOS: Yes
  • Android: No
  • Default setting: Shared devices only, for Secure Mail

App interaction (outbound URL)

Domains excluded from URL filtering

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Allowed URLs

  • iOS: Yes
  • Android: No
  • Default setting: For details about the default settings, see the App interaction (outbound URL) section in MDX policies for iOS apps.

Allowed Secure Web Domains

  • iOS: Yes
  • Android: No
  • Default setting: Empty

App restrictions

Block camera

  • iOS: Yes
  • Android: Yes
  • Default setting: Off for iOS; On for Android
  • iOS: No
  • Android: Yes
  • Default setting: Off

Block Photo Library

  • iOS: Yes
  • Android: No
  • Default setting: On

Block mic record

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Block dictation

  • iOS: Yes
  • Android: No
  • Default setting: On

Block location services

  • iOS: Yes
  • Android: Yes
  • Default setting: For Android: Default value is Off for Secure Mail. Default value is On for other apps.

Block SMS compose

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Block screen capture

  • iOS: No
  • Android: Yes
  • Default setting: On

Block device sensor

  • iOS: No
  • Android: Yes
  • Default setting: On

Block NFC

  • iOS: No
  • Android: Yes
  • Default setting: On

Block iCloud

  • iOS: Yes
  • Android: No
  • Default setting: On

Block Look Up

  • iOS: Yes
  • Android: No
  • Default setting: On

Block file backup

  • iOS: Yes
  • Android: No
  • Default setting: On

Block AirPrint

  • iOS: Yes
  • Android: No
  • Default setting: On

Block Printing

  • iOS: No
  • Android: Yes
  • Default setting: On

Block AirDrop

  • iOS: Yes
  • Android: No
  • Default setting: On

Block file attachments

  • iOS: Yes
  • Android: No
  • Default setting: Off

Block email compose

  • iOS: Yes
  • Android: No
  • Default setting: On

Block Facebook and Twitter APIs

  • iOS: Yes
  • Android: No
  • Default setting: On

Obscure screen contents

  • iOS: Yes
  • Android: No
  • Default setting: On

Block third-party keyboards

  • iOS: Yes
  • Android: No
  • Default setting: On

    Note:

    iOS 11 and later

Block app logs

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Enable ShareFile

  • iOS:
  • Android: Yes
  • Default setting: On

Enable Attach from Files

  • iOS: Yes
  • Android: No
  • Default setting: On

App network access

Network access

  • iOS: Yes
  • Android: Yes
  • Default setting: For newly uploaded apps, the default is Blocked for all apps, except Secure Mail. Because Intune does not have a blocked state, the default for Secure Mail is Unrestricted.

micro VPN session required

  • iOS: Yes
  • Android: Yes
  • Default setting: Use Previous Setting. For newly uploaded apps, the default value is No.

micro VPN session required grace period (minutes)

  • iOS: Yes
  • Android: Yes
  • Default setting: 0 (no grace period)

Exclusion List

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Block localhost connections

  • iOS: No
  • Android: Yes
  • Default setting: Off

Certificate label

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

App logs

Default log output

  • iOS: Yes
  • Android: Yes
  • Default setting: file

Default log level

  • iOS: Yes
  • Android: Yes
  • Default setting: 4 (informational messages)

Max log files

  • iOS: Yes
  • Android: Yes
  • Default setting: 2

Max log file size

  • iOS: Yes
  • Android: Yes
  • Default setting: 2 MB

Redirect app logs

  • iOS: No
  • Android: Yes
  • Default setting: On

Encrypt logs

  • iOS: No
  • Android: Yes
  • Default setting: Off

App geofence

Center point longitude

  • iOS: Yes
  • Android: Yes
  • Default setting: 0

Center point latitude

  • iOS: Yes
  • Android: Yes
  • Default setting: 0

Radius

  • iOS: Yes
  • Android: Yes
  • Default setting: 0 (disabled)

    Note:

    Set the radius in meters. When set to zero, the geofence is disabled.

App settings

Secure Mail Exchange Server

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

    Note:

    If you change this policy for an existing app, users must remove and reinstall the app to apply the policy change.

Secure Mail user domain

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Background network services

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

    Note:

    If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network and you want to use Citrix Gateway to proxy the connection to the internal Exchange Server.

Background services ticket expiration

  • iOS: Yes
  • Android: Yes
  • Default setting: 168 hours (7 days)

Background network service gateway

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

    Note:

    If you configure this policy, set the Network access policy to Tunneled to the internal network, after which this policy takes effect. Use this policy when the Exchange Server is in your internal network or if you want to use Citrix Gateway to proxy the connection to the internal Exchange Server. This policy takes effect when you configure the Network access policy.

Export contacts

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Contact fields to export

  • iOS: Yes
  • Android: Yes
  • Default setting: All

Accept all SSL certificates

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Control locked screen notifications

  • iOS: Yes
  • Android: Yes
  • Default setting: Allow

Use Secure Connection

  • iOS: No
  • Android: Yes
  • Default setting: On

Default email notification

  • iOS: Yes
  • Android: No
  • Default setting: On

Default sync interval

  • iOS: Yes
  • Android: Yes
  • Default setting: 3 days

    Note:

    The Exchange ActiveSync mailbox policy setting Maximum email age filter has priority over this policy. Secure Mail displays only the sync interval values that are less than the Maximum email age filter.

Mail search limit

  • iOS: Yes
  • Android: Yes
  • Default setting: Unlimited

Max sync interval

  • iOS: Yes
  • Android: Yes
  • Default setting: All

Enable week number

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Enable downloads of attachments over Wi-Fi

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Allow offline documents

  • iOS: Yes
  • Android: Yes
  • Default setting: Unlimited

Information Rights Management

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Email classification

  • iOS: Yes
  • Android: No
  • Default setting: Off

Email classification markings

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Email classification namespace

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Email classification version

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Default email classification

  • iOS: Yes
  • Android: No
  • Default setting: UNOFFICIAL

Enable auto-save of draft emails

  • iOS: Yes
  • Android: Yes
  • Default setting: On

Enable iOS data protection

  • iOS: Yes
  • Android: No
  • Default setting: Off

Push Notifications EWS HostName

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Push notifications

  • iOS: Yes
  • Android: No
  • Default setting: Off

Push notifications region

  • iOS: Yes
  • Android: No
  • Default setting: Americas

Enable S/MIME during first Secure Mail startup

  • iOS: Yes
  • Android: No
  • Default setting: Off

Initial authentication mechanism

  • iOS: Yes
  • Android: Yes
  • Default setting: Use MDX provided mail server address

Initial authentication credentials

  • iOS: Yes
  • Android: Yes
  • Default setting: Enrollment user name

Calendar Web and Audio Options

  • iOS: Yes
  • Android: Yes
  • Default setting: GoToMeeting and User Entered

S/MIME public certificate source

  • iOS: Yes
  • Android: Yes
  • Default setting: Exchange

LDAP Server address

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

LDAP Base DN

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Access LDAP anonymously

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Allowed email domains

  • iOS: Yes
  • Android: No
  • Default setting: Empty

    Note:

    If this policy is empty, domains are not restricted.

Attempt Username Migration On Authentication Failure

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Report Phishing Mail Addresses

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Report Phishing Mechanism

  • iOS: No
  • Android: Yes
  • Default setting: Report via attachment (.eml)

Skype for Business Meeting Domains

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Export calendar

  • iOS: Yes
  • Android: Yes
  • Default setting: Meeting time

Enable Slack

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Slack workspace name

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty

Caller Identification

  • iOS: Yes
  • Android: No
  • Default setting: On

    Note:

    If On, Secure Mail provides iOS with names and phone numbers of your saved contacts for caller identification.

Analytics

Enable Google Analytics

  • iOS: Yes
  • Android: No
  • Default setting: On

Google Analytics level of detail

  • iOS: Yes
  • Android: Yes
  • Default setting: Complete

Reporting

Citrix reporting

  • iOS: Yes
  • Android: No
  • Default setting: Off

    Note:

    Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.

Upload token

  • iOS: Yes
  • Android: No
  • Default setting: Empty

Send reports over Wi-Fi only

  • iOS: Yes
  • Android: No
  • Default setting: On

Reporting file cache maximum

  • iOS: Yes
  • Android: No
  • Default setting: 2 MB

OAuth support for Office 365

Use modern authentication for Office 365

  • iOS: No
  • Android: Yes
  • Default setting: Off

Office 365 authentication mechanism

  • iOS: Yes
  • Android: No
  • Default setting: Do not use OAuth

Trusted Exchange Online Hostnames

  • iOS: Yes
  • Android: Yes
  • Default setting: outlook.office365.com

Trusted AD FS Hostnames

  • iOS: Yes
  • Android: Yes
  • Default setting: login.microsoftonline.com

Custom user agent for modern authentication

  • iOS: No
  • Android: Yes
  • Default setting: Empty

    Note:

    If you do not configure this policy, the default Secure Mail user agent is used during modern authentication.

Mail redirection

Mail redirection

  • iOS: Yes
  • Android: No
  • Default setting: Secure Mail

Slack integration

Enable Slack

  • iOS: Yes
  • Android: Yes
  • Default setting: Off

Slack workspace name

  • iOS: Yes
  • Android: Yes
  • Default setting: Empty