XenMobile Apps
Nov 02, 2017
Citrix-developed XenMobile Apps provide a suite of productivity and communication tools within the XenMobile
environment that are secured by your company's policies.
For an overview of XenMobile Apps, including new features in the more recent versions, see What's new in XenMobile Apps.
Important
Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31,
2017. For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public
app store distribution is supported. For more information about the in-app guide for moving from the enterprise versions of
XenMobile Apps to the public store versions, see In-app guide for migrating to public store apps. The MDX Toolkit continues to
support enterprise wrapping for app developers.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.1
Prior to version 10.4, some XenMobile Apps had different names. For details, see About XenMobile Apps.
For details about apps delivery, see XenMobile Apps delivery and administration.
XenMobile components are available on the XenMobile downloads page.
Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases
for your end-to-end XenMobile environment, see the XenMobile Deployment Handbook.
Related information
Citrix Blogs: XenMobile
XenMobile Apps release timeline
Oct 31, 2017
This release timeline illustrates the cadence of XenMobile Apps releases. Although exact dates may change, we want to
help you plan ahead. We also want to make it easier for you to manage app deployments and updates. The tables list the
following basic app types:
Public app store apps. As of version 10.4.1, you can distribute XenMobile Apps directly from the Apple App Store and
Google Play Store. These apps are pre-wrapped and manageable through the XenMobile console.
Enterprise apps. You sign third-party apps with the MDX Toolkit. You distribute wrapped secured apps through the
XenMobile Store. Users access the Store by enrolling their devices in Secure Hub. You control the configuration and
operation of XenMobile Apps through administrative features, such as MDX policies and other XenMobile settings.
For more information about public app store and enterprise delivery of XenMobile Apps, see XenMobile Apps administration
and delivery.
For a summary of the versions of the supported XenMobile components that you can integrate, see XenMobile
compatibility.
Important
Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31,
2017. For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public
app store distribution is supported. You can use the in-app guide for moving from the enterprise versions of XenMobile Apps to the
public store versions. For details, see In-app guide for migrating to public store apps. The MDX Toolkit continues to support
enterprise wrapping for app developers.
Proposed general availability release dates for public app store apps - Secure Hub and XenMobile Apps.
July 18
August 8
August 21*
September 6*
September 18
*Includes release of enterprise XenMobile Apps and the on-premises MDX Toolkit. Apps version 10.6.20 was the last
enterprise release for Android.
Proposed general availability release dates for the XenMobile Apps from the public app store.
October 10
October 31
November 21
December 12
Note: As of the fourth quarter, we are no longer releasing enterprise versions of the XenMobile Apps.
About XenMobile Apps
Nov 02, 2017
Important
Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version 10.6.20. Otherwise,
users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and
Android 8, see What's new in XenMobile Apps, Known issues, and XenMobile supported device operating systems.
Before upgrading to iOS 11, users must upgrade Secure Hub and XenMobile Apps to version 10.7. That upgrade sequence is
required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about
anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.
Beginning with version 10.4.1, there are two ways to deliver XenMobile Apps:
Through public app stores: Users download apps from the App Store for iOS and Google Play for Android. Windows
currently isn't supported for public-app-store distribution.
Through the XenMobile Store. Users enroll their devices in Secure Hub to gain access to the XenMobile Store. From the
store, users can add XenMobile Apps and third-party apps, all of which you secure with the MDX Toolkit. You control the
configuration and operation of XenMobile Apps through administrative features, such as MDX policies and other
XenMobile settings.
For known issues in the most recent versions, see Known issues.
For fixed issues in the most recent versions, see Fixed issues.
For new features in the current release, see What's new in XenMobile Apps.
For details about apps delivery, see XenMobile Apps delivery and administration.
XenMobile components are available on the XenMobile downloads page.
Important
Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31,
2017. For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public
app store distribution is supported. For more information about the in-app guide for moving from the enterprise versions of
XenMobile Apps to the public store versions, see In-app guide for migrating to public store apps.
Prior to version 10.4, some XenMobile Apps and tools had different names:
Names in versions 10.3 and earlier    Names as of version 10.4
Worx Home                             Secure Hub
WorxStore                             XenMobile Store
Worx PIN                              Citrix PIN
WorxMail                              Secure Mail
WorxWeb                               Secure Web
WorxNotes                             Secure Notes
WorxTasks                             Secure Tasks
The names for Citrix Secure Forms, QuickEdit, ShareConnect, and ShareFile haven't changed.
What's new in XenMobile Apps
Nov 02, 2017
Important
Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version 10.6.20. Otherwise,
users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and
Android 8, see the information later in this article, the XenMobile Apps Known issues, and XenMobile supported device operating
systems.
Before upgrading to iOS 11, users must upgrade Secure Hub and XenMobile Apps to version 10.7. That upgrade sequence is
required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more information about
anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.
Prerequisites for feature flag management
If an issue occurs with Secure Hub or Secure Mail in production, we can disable an affected feature within the app code. To
do so, we use feature flags and a third-party service called Launch Darkly. You do not need to make any configurations to
enable traffic to Launch Darkly, except when you have a firewall or proxy blocking outbound traffic. In that case, you
enable traffic to Launch Darkly via specific URLs or IP addresses, depending on your policy requirements. For details about
support in MDX since XenMobile Apps 10.6.15 for the exclusion of domains from tunneling, see the MDX Toolkit
documentation. For a FAQ about feature flags and Launch Darkly, see this Support Knowledge Center article.
The following features are new in XenMobile Apps 10.7.10.
Secure Mail
Support for printing emails, events, or inline images. You can print emails, calendar events, or inline images from
Secure Mail for iOS.
Contact order. Secure Mail on iOS maintains the order of contacts when sending an email or meeting invite.
The following features are new in XenMobile Apps 10.7.5.
Secure Hub
Enable and disable biometric authentication for Samsung devices. XenMobile now allows you to enable and disable
biometric authentication (fingerprint and iris scan authentication) for Samsung devices without requiring any action from
users.
If you disable biometric authentication in XenMobile, users and third-party apps cannot enable the feature.
Secure Mail
Support for Skype for Business. Secure Mail for iOS and Android is now integrated with Skype for Business. You can use
Skype for Business to seamlessly join online meetings.
The XenMobile Apps 10.7.1 release includes public app store versions of:
Secure Web for iOS
Secure Mail for iOS
The release includes bug fixes. For details, see Fixed issues.
The following features are new in XenMobile Apps 10.7.
Same-day support for iOS 11. XenMobile Apps 10.7 support iOS 11. For details about testing and preparing for iOS, see
XenMobile supported device operating systems and Known issues.
XenMobile Apps 10.7 enterprise versions. The Secure Mail and Secure Web enterprise apps for iOS in this release
contain all new features and enhancements that we introduced in versions 10.6 and later in the XenMobile Apps public app
store versions.
Secure Mail
In Secure Mail for iOS with multiple Exchange accounts, you can view the Contacts folders or subfolders of individual
accounts.
Support for PPTM file format. Secure Mail for iOS supports the Microsoft PowerPoint PPTM file format. Users can
attach, view, and open .pptm files in Secure Mail.
The XenMobile Apps 10.6.20 release includes:
Enterprise
Secure Hub 10.6.20 for Android
Secure Mail 10.6.20 for Android
Secure Notes 10.6.20 for Android
Secure Tasks 10.6.20 for Android
Secure Web 10.6.20 for Android
Public App Store
Secure Hub 10.6.20 for Android
Secure Hub 10.6.20 for iOS
Secure Mail 10.6.20 for Android
Secure Mail 10.6.20 for iOS
Secure Notes 10.6.20 for Android
Secure Tasks 10.6.20 for Android
Secure Web 10.6.20 for Android
Secure Web 10.6.20 for iOS
The following features and enhancements are new in XenMobile Apps 10.6.20.
Same-day support for Android O. XenMobile Apps 10.6.20 noted in the preceding list support Android O (version 8). With
the release of Android O, Android 5 becomes the minimum supported version. For details about testing and preparing for
Android O, as well as for the iOS 11 release, see XenMobile supported device operating systems. Also be sure to review the
Known issues.
Note: Google support for SSLv3 connections ends. XenMobile Apps that run on an Android O device cannot connect to
internal servers that use SSLv3 connections. Plan ahead to anticipate this change to avoid connectivity issues for users.
MDX no longer enforces app upgrades on Android by default. You can modify a new policy, Disable Required
Update, to enforce upgrades for Public App Store apps. MDX does not enforce the upgrade by default. This feature was
available for iOS apps in the 10.6.10 release of MDX.
Secure Hub for Android
XenMobile shows the security patch level only for Samsung devices running Android 6.0 and later. [CXM-36345]
Secure Mail for Android
In Secure Mail for Android, all replies or forwards to an encrypted email are encrypted even if the Encrypt by default
setting is OFF.
Multiple Exchange accounts on Android. Secure Mail now supports multiple Exchange accounts on Android. From
Settings within Secure Mail, you can now add multiple Exchange email accounts and switch between them. This feature
allows you to monitor all your mails, contacts, and calendars in one place. This feature was first available for iOS in version
10.6.15.
Secure Web for Android
Offline pages. The Enable offline pages policy now controls the offline web pages feature for Android devices. The
default value is OFF. Enable this policy to allow users to save offline web pages on their devices. XenMobile does not
encrypt these offline pages, but you can use device level encryption to achieve the same.
Additionally, previously saved offline pages will not be accessible after you upgrade to XenMobile Apps 10.6.20.
The following features are new in XenMobile Apps 10.6.15.
Secure Mail 10.6.15
Secure Mail now supports multiple Exchange accounts on iOS. From Settings within Secure Mail, you can now add
multiple Exchange email accounts and switch between them. This feature allows you to monitor all your mails, alerts, and
calendars in one place. For details, see Multiple Exchange accounts on iOS.
Secure Mail for iOS and Android supports new features on swipe gestures. You perform the following actions by
swiping an email either left or right.
More
Flag
Delete
Mark
For details, see Swipe to delete.
Encryption for replies or forwards. In Secure Mail for iOS, all replies or forwards to an encrypted email are encrypted
even if the Encrypt by default setting is OFF.
Personal calendar conflicts. Secure Mail for Android displays conflicts with your personal calendar event while you
create or reschedule an Exchange account calendar event.
Support for super-wide device screens for Secure Mail for Android. This release supports displays on device screens
with aspect ratios of 18.5:9. Screens with this aspect ratio are available on devices including the Samsung S8.
Secure Web 10.6.15
Support for super-wide device screens for Secure Web. This release supports displays on device screens with aspect
ratios of 18.5:9. Screens with this aspect ratio are available on devices including the Samsung S8.
The following features are new in XenMobile Apps 10.6.10.
Secure Hub 10.6.10
Support for super-wide device screens on Android. This release supports displays on device screens with aspect ratios
of 18.5:9. Screens with this aspect ratio are available on devices including the Samsung S8.
Secure Mail 10.6.10
Battery enhancements. Improvements to Secure Mail reduce battery consumption on Android devices.
Personal Calendar account selection. On Secure Mail for Android, you can select which personal calendars appear on
the settings screen. This feature first appeared in Secure Mail for Android version 10.6.5.
Secure Mail for Android displays the following details about a personal calendar event:
Account name of the sender
Invitees
Meeting notes
For details, see Personal Calendar Overlay.
Restrict users from using unknown or personal domains. In Secure Mail for iOS, as a security feature, you can keep
users from configuring email accounts from specific domains. For example, you may want to restrict users from using an
unknown or personal domain. To do so, you configure the Allowed Email Domains MDX policy when you update Secure Mail
in the XenMobile console.
To allow Secure Mail to filter for prohibited domains, you need to add the allowed domains to the list. Secure Mail then
compares the domain with the allowed list. For instance, if you list server.company.com as an allowed domain name and the
user's email address is [email protected], Secure Mail supports the email address. In that example, Secure
Mail does not support any other email address with a domain name that is not server.company.com.
In the policy settings, you add the allowed domains in comma-separated format, such
as server.company.com, server.company.co.uk
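The allow-list comparison described above, as an added example (not Citrix code and not part of the original page). The function names and sample addresses are constructed; exact, case-insensitive matching and failing closed on an empty list are assumptions of this sketch. A suffix-based variant is included to show why equality is the comparison to use.

```python
# Added illustration: exact-match allow-list check for e-mail account domains.
# Not Citrix code; function names and sample addresses are constructed.

POLICY_VALUE = "server.company.com, server.company.co.uk"  # format shown on the page


def parse_allowed_domains(policy_value):
    """Turn the comma-separated policy string into a set of normalized names."""
    domains = set()
    for item in policy_value.split(","):
        name = item.strip().rstrip(".").lower()
        if name:  # skip empty entries such as a trailing comma
            domains.add(name)
    return frozenset(domains)


def email_domain(address):
    """Return the normalized domain part, or None if the address is malformed."""
    address = address.strip()
    # Require exactly one "@" and no embedded whitespace.
    if address.count("@") != 1 or any(ch.isspace() for ch in address):
        return None
    local, domain = address.split("@")
    domain = domain.rstrip(".").lower()
    if not local or not domain:
        return None
    return domain


def is_account_allowed(address, allowed):
    """Exact, case-insensitive match of the address domain against the list.

    Assumption: an empty list allows nothing (fail closed); the page does not
    say how the product treats an empty policy value.
    """
    domain = email_domain(address)
    return domain is not None and domain in allowed


def suffix_match_allowed(address, allowed):
    """Weak variant for contrast: suffix comparison instead of equality."""
    domain = email_domain(address) or ""
    return any(domain.endswith(name) for name in allowed)


def audit(addresses, policy_value=POLICY_VALUE):
    """Return (address, exact_result, suffix_result) for each address."""
    allowed = parse_allowed_domains(policy_value)
    return [
        (a, is_account_allowed(a, allowed), suffix_match_allowed(a, allowed))
        for a in addresses
    ]


# Constructed sample input.
SAMPLE_ADDRESSES = [
    "alice@server.company.com",             # listed domain
    "Bob@SERVER.COMPANY.CO.UK",             # listed domain, different case
    "carol@notserver.company.com",          # look-alike that shares a suffix
    "dave@server.company.com.example.net",  # listed name used as a prefix
    "erin@mail.server.company.com",         # subdomain of a listed name
    "frank@example.org",                    # unrelated domain
]

if __name__ == "__main__":
    for address, exact, suffix in audit(SAMPLE_ADDRESSES):
        print(f"{address:40} exact={exact!s:5} suffix={suffix}")
```
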
For a matrix of MDX app policies per platform, see MDX Policies at a Glance.
The following features are new in XenMobile Apps 10.6.5.
Secure Hub 10.6.5
Secure Hub Touch ID on iOS: Fingerprint authentication when offline or for app inactivity. When fingerprint
authentication is enabled, users can now sign on by using a fingerprint when offline authentication is required because of
app inactivity. Users still have to enter a PIN when signing on to Secure Hub for the first time and when restarting the
device. Fingerprint authentication is supported on iOS 9 and iOS 10.3 devices and some Android devices.
Secure Mail 10.6.5
Personal Calendar account selection. On Secure Mail for Android, you can now select which personal calendars appear
on the settings screen.
New MDX analytics policy for Secure Mail for iOS and Android. Citrix collects analytics data to improve product
quality. The Google Analytics level of detail policy allows you to specify whether the data collected can be associated with
your company domain or collected anonymously. Selecting Anonymous opts users out of including the company domain
with the data that is collected. This new policy replaces an earlier Google analytics policy.
When the policy is set to Anonymous, we collect the following types of data. We have absolutely no way to link this data
to an individual user or company because we do not request user identifiable information. No personally identifiable
information is sent to Google.
Device statistics, such as the operating system version, app version, and device model
Platform information, such as ActiveSync version and Secure Mail server version
Failure points for product quality like APNs registrations, mail sync failures, mail send failures, attachment download
failures, calendar sync failures, and so on
Note that other than company domain, no other identifiable information is collected when the policy is set to Complete.
Default is Complete.
Secure Web 10.6.5
Fixed issues. To learn more about the issue fixed in this release see XenMobile Apps Fixed Issues.
Secure Mail 10.6
Upgrade to Exchange ActiveSync (EAS) version 16. Secure Mail supports both EAS version 16.1 and version 16.0 on
iOS and Android. However, an upgrade to the respective EAS version depends on the EAS protocol supported by
Exchange Server 2016 in your environment. During the upgrade, Secure Mail resynchronizes all your local data and
preserves any draft or unsent emails that you may have.
Personal Calendar overlay enhancements. Secure Mail now notifies users when they make a calendar event that
conflicts with events in their native calendar. Additional fields appear for personal events as well. Users can see whom an
event is from and can show the invitee count. For details, see Personal Calendar Overlay.
Secure Hub 10.6
Citrix VPN connection type for Android devices
The VPN device policy for Android now supports configuring Citrix VPN. Citrix VPN is a mobile application that connects to
NetScaler Gateway in full VPN mode, as opposed to a clientless VPN or ICA proxy mode.
On the Configure > Device Policies page for Android, the Connection type menu now includes Citrix VPN.
Citrix VPN settings:
Server name or IP address: Type the FQDN or IP address of the NetScaler Gateway.
User name and Password: Type your VPN credentials for the Authentication types of Password or Password and
Certificate. Optional. If you don't provide the VPN credentials, the Citrix VPN app prompts for a user name and
password.
Identity credential: Appears for the Authentication types of Certificate or Password and Certificate.
Enable per-app VPN: Select whether to enable per-app VPN. If you don't enable per-app VPN, all traffic goes through
the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings. The default is OFF.
Whitelist or Blacklist: Choose a setting. If Whitelist, all apps in the whitelist tunnel through this VPN. If Blacklist,
all apps except those on the blacklist tunnel through this VPN.
Application List: Specify the whitelisted or blacklisted apps. Click Add and then type a comma-separated list of app
package names.
Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:
disableL3Mode: Optional. To enable this parameter, type Yes for the Value. If enabled, no user-added VPN
connections are displayed and the user cannot add a new connection. This is a global restriction and applies to all VPN
profiles.
userAgent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified
user agent string is appended to the existing Citrix VPN user agent.
For general information about configuring the VPN device policy, see VPN device policy.
Derived credentials for iOS device enrollment
Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a
mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access
Card (CAC).
The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the
credentials obtained from the credential provider in a secure vault on the device.
XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn't
support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile server
to enroll Android devices through enrollment invitations and other enrollment modes.
For information on how users enroll using derived credentials, see Enrolling devices by using derived credentials. For more
information about requirements and the configuration for derived credentials, see Derived credentials for iOS.
The following features are new in XenMobile Apps 10.5.20:
Secure Mail 10.5.20
Personal calendar support on Android. Import your personal calendar from the native calendar app and view events
from Secure Mail. Enable this feature by going to Secure Mail settings and then turning On Personal Calendar. Select a
color for your personal events and the calendars that you want to display in Secure Mail. This is a read-only view only
visible to the user. The personal calendar information does not sync back to the Exchange or Lotus Notes mail server.
Select multiple emails in search mode. When searching for emails on iOS, you can now select multiple mails on which
to perform an operation. Long press an email to begin selecting multiple mails.
Insert inline images on devices running iOS. Secure Mail now supports inserting inline images in the mail body.
Export contacts even if a native mail account exists. On iOS, Secure Mail contacts can be exported and synced
with the phone contacts even if a Hotmail or Exchange account is set up on the device. You configure this feature in
XenMobile through the Override Native Contacts Check policy for Secure Mail. This policy determines if Secure Mail
should override the check for contacts from an Exchange/Hotmail Account configured in the native Contacts app. If
On, the app syncs contacts to the device even if the native Contacts app is configured with an Exchange/Hotmail
Account. If Off, the app continues to block contacts sync. Default is On.
Secure Notes and Secure Tasks for Android
Support includes a fix for Samsung Android 7 devices related to SQLite encryption issues.
Secure Notes and Secure Tasks for iOS
Fix for a T-Mobile VPN issue with Secure Notes and Secure Tasks.
Fix for an autodiscovery failure for Secure Tasks.
The following features are new in XenMobile Apps 10.5.15.
Secure Hub 10.5.15
Supports the following devices:
Nexus 6P (operating system 7.1.1)
Moto Turbo (operating system 6.0.1)
Fingerprint authentication support on Android. The Enable Touch ID Authentication client property enables users
to sign on by using a fingerprint when offline authentication is required because of app inactivity. When prompted, users
can sign on by using a fingerprint or choose to use a Citrix PIN or passcode instead.
Fingerprint authentication for Android was tested on the following devices:
Nexus 5X
Samsung S7 Edge
Samsung S6 Edge+
LG G5
Google Pixel
To add and enable this property
1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
2. Under Client, click Client Properties. The Client Properties page appears.
3. Click Add. The Add New Client Property page appears.
4. Configure these settings:
Key = ENABLE_TOUCH_ID_AUTH
Value = True
Name = Enable Fingerprint Authentication
Description = Enable Fingerprint Authentication
5. Click Save.
Secure Mail 10.5.15
S/MIME public key retrieval from LDAP directories. Secure Mail now supports the retrieval of public key certificates
from LDAP. Users can encrypt or sign their emails with S/MIME. To enable the search of LDAP directories, you configure the
following new MDX policies in the XenMobile console.
S/MIME public certificate source: Specifies the source of S/MIME public certificates. If Exchange, Secure Mail
fetches certificates from Exchange Server. If LDAP, Secure Mail fetches certificates from the LDAP server. Default value
is Exchange.
Ldap server address: LDAP server address including port number.
Ldap Base DN: LDAP Base distinguished name.
Access LDAP Anonymously: If this policy is ON, Secure Mail can search LDAP without prior authentication.
Select multiple emails in search mode. When searching for emails on Android devices, users can now select multiple
mails on which to perform an operation. Long press on an email to begin selecting multiple mails.
Phone number format support. Secure Mail 10.5.15 for Android and iOS supports more phone number formats and
conference code formats. Users can join meetings directly from invitations in their calendars. The following formats for
Conference IDs or extensions are new in version 10.5.15.
For an audio conference, the following formats let users tap the Dial In button. If they tap the phone number from the
body of the calendar meeting, however, they can dial into the meeting; they must then enter conference codes manually.
The following phone number and conference code formats are supported.
Codes       Phone number formats
"           +1 (631) 992-3240,,958209234#
'           +1 (631) 992-3240,958209234#
,,,         +1 (631) 992-3240,,,958209234#
,,,,        +1 (631) 992-3240,,,,958209234#
passcode    +1 (631) 992-3240 passcode 958209234#
ext:        +1 (631) 992-3240 ext:958209234#
ext.        +1 (631) 992-3240 ext. 958209234#
;ext=       +1 (631) 992-3240;ext=958209234#
extn        +1 (631) 992-3240 extn 958209234#
HC          +1 (631) 992-3240 HC 958209234#
xtn         +1 (631) 992-3240 xtn 958209234#
xt          +1 (631) 992-3240 xt 958209234#
x           +1 (631) 992-3240 x 958209234#
PC          +1 (631) 992-3240 PC 958209234#
pc          +1 (631) 992-3240 pc 958209234#
The following features are new in XenMobile 10.5.10.
Secure Hub 10.5.10
Zebra device support. With Secure Hub 10.5.10, for enrolled Zebra devices, the XenMobile console shows the MXMF
version, and patch version if applicable, in device properties.
Security improvements. Secure Hub no longer trusts certificates issued by StartCom and WoSign Root certificate
authorities based on findings by Mozilla and other security teams.
Secure Web 10.5.10
Turkish language support. Secure Web for Android now supports the Turkish language.
Secure Mail 10.5.10
Support for .pass files. You can download and import .pass files received as email attachments into the iOS Wallet
app.
Personal calendar support on iOS. You can import your personal calendar from the native calendar app and view
events from Secure Mail. Enable this feature by going to Secure Mail settings and then turning On Personal Calendar.
Select a color for your personal events and the calendars that you want to display in Secure Mail. This view for users is
read-only. The personal calendar information is not synced back to the Exchange or Lotus Notes mail server. To enable
the personal calendar overlay, you can either enable the feature from the pop-up notification or from Secure Mail
settings.
After enabling the feature, ensure that you grant Secure Mail permission to read the native calendar.
Select a color for your personal mail items.
For a demonstration of this feature on an iOS device, see the following video:
XenMobile Apps administration and delivery
Jul 31, 2017
This article provides an overview of app administration and delivery in XenMobile.
Prerequisites for feature flag management
If an issue occurs with Secure Hub or Secure Mail in production, we can disable an affected feature within the app code. To
do so, we use feature flags and a third-party service called Launch Darkly. You do not need to make any configurations to
enable traffic to Launch Darkly, except in two cases.
You have a firewall or proxy blocking outbound traffic.
NetScaler split tunneling is set to Off.
In those cases, you enable traffic to Launch Darkly via specific URLs or IP addresses, depending on your policy requirements.
For details, including a FAQ about feature flags and Launch Darkly, see this Support Knowledge Center article.
Quick links to sections in this article:
Public App Store Delivery of XenMobile Apps
Enterprise Delivery of XenMobile Apps
Note: End of Life for enterprise XenMobile Apps is December 31, 2017
As of version 10.4.1, you can distribute XenMobile Apps from the Apple App Store and Google Play Store.
Public app store apps require a fresh installation the first time you deploy them. It is not possible to upgrade from the
current enterprise wrapped version of the app to the public store version.
Important
Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31,
2017. For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public
app store distribution is supported. For more information about the in-app guide for moving from the enterprise versions of
XenMobile Apps to the public store versions, see In-app guide for migrating to public store apps. The MDX Toolkit continues to
support enterprise wrapping for app developers.
Public App Store Delivery of XenMobile Apps
With public app store distribution, you no longer have to sign and wrap Citrix-developed apps with the MDX Toolkit. This
significantly streamlines the process of deploying apps. You can still use the MDX Toolkit to wrap third-party or enterprise
apps.
XenMobile 10.4 or later.
Ensure that the apps can communicate with the following services if you have split tunneling on NetScaler set to OFF:
Launch Darkly service. For details, see this Support Knowledge Center article.
APNs listener service
XenMobile Apps are available on the Apple App Store and Google Play. For securing and deploying the native productivity
apps on Windows devices, see the Windows Information Protection device policy.
In China, where Google Play is unavailable, Secure Hub for Android is available on the following app stores:
http://shouji.baidu.com/
http://apk.hiapk.com
http://apk.91.com/soft/android/search/1_5_0_0_citrix%20secure
1. Download public-store .mdx files for both iOS and Android from the XenMobile downloads page.
2. Upload the .mdx files to the XenMobile console. The public store versions of XenMobile Apps are still uploaded as MDX
applications. Do not upload the apps as public store apps on the server. For steps, see Add apps.
3. Change policies from their defaults based on your security policies (optional).
4. Push the apps as required apps (optional). This step requires your environment to be enabled for mobile device
management.
5. Install apps on the device from the App Store, Google Play, or the XenMobile Store.
If the app is directly installed from the Secure Hub store, the experience is similar to installing the Enterprise version of
the apps. The exception is that the app is installed by Secure Hub from the public app store instead of from the
XenMobile Server. We recommend that users continue to install apps from the Secure Hub store.
On Android, the user is directed to the Play Store to install the app. On iOS, in deployments with MDM, the app
installs without the user being taken to the app store.
When the app is installed from the App Store or Play Store, the app transitions to a managed app as long as the
corresponding .mdx file has been uploaded to the server. When transitioning to a managed app, the app prompts for a
Citrix PIN. When users enter the Citrix PIN, Secure Mail displays the account configuration screen.
6. Apps are accessible only if you're enrolled in Secure Hub and the corresponding .mdx file is on the server. If either
condition is not met, users can install the app, but usage of the app is blocked.
If you currently use apps from the Citrix Ready Marketplace that are on public app stores, you're already familiar with the
deployment process. XenMobile Apps adopt the same approach that many ISVs currently use. Embed the MDX SDK within
the app to make the app public-store ready. From an MDX perspective, this approach is not new. It is, however, a new
deployment model for XenMobile Apps.
Note
The public store versions of the ShareFile app for both iOS and Android are now universal. The ShareFile app is the same for
phones and tablets. Enterprise deployments require separate apps for phone and tablet.
The move to the public app store also simplifies the process of setting up Apple Push Notifications for Secure Mail. For
more information on configuring push notifications, see Configuring Secure Mail for Push Notifications.
1. What's the recommended user flow? Should users install apps from the XenMobile Store through Secure
Hub or from the public app store?
To minimize changes for users, they should continue to install the public store versions of XenMobile Apps from the
XenMobile Store. In this case, Secure Hub initiates the install of the binary of the app from the public store on to the
device.
2. Can an enterprise app and a public store app be installed on a device at the same time?
iOS: Yes, but it isn't recommended. The app IDs are different, and so deploying both apps is possible. However, because
the underlying URL schemes are the same for both apps, running two apps on the device causes conflicts in interactions
between apps.
Android: No. The Play Store app cannot be installed unless the enterprise app is first uninstalled. Both apps leverage the
same provider authority string, which prevents apps from coexisting on the same device.
3. Can I deploy the public store version of the app as an upgrade to the enterprise version?
No. The app ID and signing certificate are different, so the public store version of the app requires a new installation.
4. Can I continue to deploy multiple copies of the public store app to different user groups? For example, I
may want to deploy different policies to different user groups.
Yes. You'll have to upload a different .mdx file for each user group. However, in this case, a single user cannot belong to
multiple groups. If users did belong to multiple groups, multiple copies of the same app are assigned to that user. Multiple
copies of a public store app cannot be deployed to the same device, because the app ID can't be changed.
5. Can I push public store apps as required apps?
Yes. This is the same capability as that of enterprise versions of the apps. Pushing apps to devices requires MDM; it's not
supported for MAM-only deployments.
6. Do I need to update any traffic policies or Exchange Server rules that are based on user agent?
No. The user agent strings remain the same and, therefore, the rules already in place for the enterprise wrapped apps don't
change for the public store apps.
Strings for any user agent-based policies and rules are as follows.
App | Android | iOS
Citrix Secure Mail (Exchange) | WorxMail | WorxMail
Citrix Secure Mail (Lotus Notes Traveler) | Apple-iPhone WorxMail | Apple-iPhone WorxMail
Citrix Secure Web | WorxWeb | com.citrix.browser
Citrix Secure Tasks (Exchange only) | WorxMail | WorxTasks
Citrix Secure Notes (Exchange) | WorxMail | WorxNotes
Citrix Secure Notes (ShareFile) | Secure Notes | Secure Notes
7. What happens if I haven't switched users to the public store apps yet and they download the app from
the App Store or Play Store?
On iOS, they can download the app. However, because the app hasn't been assigned to the user on the XenMobile Server,
the app indicates to the user that they are not entitled to use this version of the app when the app is opened.
On Android, users cannot download the app.
8. Can I prevent app upgrades?
No. When an update is posted on the public app store, any users who have auto updates enabled receive the update.
9. Can I enforce app upgrades?
Yes, upgrades are enforced via the Upgrade grace period policy. This policy is set when the new .mdx file corresponding to
the updated version of the app is uploaded to the XenMobile Server.
10. How do I test the apps before the update reaches users if I can't control the update timelines?
Similar to the process for Secure Hub, the apps are available for testing on Test Flight for iOS during the EAR period. For
Android, the apps are available via the Google Play beta program during the EAR period. You can test app updates during
this time.
11. What happens if I don't update the new .mdx file before the automatic update reaches user devices?
The updated app continues to work with the older .mdx file. Any new features that depend on a new policy are not
enabled.
12. Will the app transition to managed if Secure Hub is installed or does the app need to be enrolled?
Users must be enrolled in Secure Hub for the public store app to activate as a managed app (secured by MDX) and to be
usable. If Secure Hub is installed, but not enrolled, the user cannot use the public store app.
13. Do I need an Apple Enterprise developer account for the public store apps?
No. Because Citrix is now maintaining the certificates and provisioning profiles for XenMobile Apps, an Apple Enterprise
developer account is not required to deploy the apps to users.
14. Does the end of enterprise distribution apply to any wrapped application I have deployed?
No, it applies only to the XenMobile productivity apps: Secure Mail, Secure Web, Secure Notes, Secure Tasks, Secure Forms,
ShareFile for XenMobile, ScanDirect for XenMobile, QuickEdit for XenMobile and ShareConnect for XenMobile. Any other
enterprise wrapped apps you have deployed that are either developed in-house or by third parties can continue to use
enterprise wrapping. The MDX Toolkit will continue to support enterprise wrapping for app developers.
15. When I install an app from Google Play, I get an Android error with error code 505.
This is a known issue with Google Play and Android 5.x versions. If this error occurs, you can follow these steps to clear
stale data on the device that prevents installation of the app:
1. Restart the device.
2. Clear the cache and data for Google Play through device settings.
3. As a last resort, remove and then add back the Google account on your device.
For more information, see this blog.
16. Although the app on Google Play has been released to production and there isn't a new beta release,
why do I still see Beta after the app title on Google Play?
If you are part of our Early Access Release (EAR) program, you always see Beta next to the app title. This name simply
notifies users of their access level for a particular app. The Beta name indicates that users receive the most recent version
of the app available. The most recent version may be the latest version published to a production track or to a beta track.
17. After installing and opening the app, users see the message App Not Authorized, even though the .mdx
file is on the XenMobile Server.
This issue can happen if users install the app directly from the App Store or Google Play and Secure Hub is not refreshed.
Secure Hub needs to be refreshed when the inactivity timer is expired. Policies refresh when users open Secure Hub and
reauthenticate. The app is authorized the next time users open the app.
18. Do I need an access code to use the app? I see a screen prompting me to enter an access code when I
install the app from the App Store or Play Store.
If you see a screen requesting an access code, you are not enrolled in XenMobile through Secure Hub. Enroll with Secure
Hub and ensure that the .mdx file for the app is deployed on the server. Also ensure that the app can be used. The access
code is limited to Citrix internal use only. Apps require a XenMobile deployment to be activated.
19. Can I deploy iOS public store apps via VPP or DEP?
XenMobile Server is optimized for VPP distribution of public store apps that are not MDX-enabled. Although you can
distribute the XenMobile public store apps with VPP, the deployment is not optimal, until we make further enhancements to
the XenMobile Server and the Secure Hub store to address the limitations. For a list of known issues with deploying the
XenMobile public store apps via VPP and potential workarounds, see this article in the Citrix knowledge center.
Enterprise delivery of XenMobile Apps
Note
Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31,
2017. For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public
app store distribution is supported.
With enterprise delivery of XenMobile Apps, you sign and secure apps by wrapping them in MDX policies. To deliver a new
XenMobile app or an update of a previously delivered XenMobile app, follow these general steps:
1. Download the latest XenMobile Apps and MDX Toolkit from the XenMobile downloads page.
2. Review the article for each app in this section. In particular, be aware of upgrade considerations and known issues.
3. After installing the MDX Toolkit, use the MDX Toolkit to wrap the apps.
Citrix provides the MDX Toolkit that you use to wrap mobile apps for iOS, Android, and Windows 10 Phone and Tablet
devices with Citrix logic and policies. For details, see About the MDX Toolkit.
To take advantage of the latest MDX policies, be sure to re-wrap your apps with each updated release of the MDX Toolkit.
4. In the XenMobile console, add the MDX apps and then deliver the apps to user devices.
MDX policies enable you to configure settings that the XenMobile Server enforces. The policies cover authentication,
device security, network requirements and access, encryption, app interaction, app restrictions, and more. Many MDX
policies apply to all XenMobile Apps; some policies are app-specific.
Policy files are provided as .mdx files for the public store versions of the XenMobile Apps and with the MDX Toolkit, in the
case of enterprise distribution. You can directly edit the policy files. You can also configure policies in the XenMobile console
when you add an app.
The following sections describe the MDX policies related to user connections. For details about policies specific to
XenMobile Apps, see the articles for each app. For a complete list of policies and their descriptions, see MDX Policies at a
Glance and its sub-articles.
Connections that tunnel to the internal network can use a full VPN tunnel or a variation of a clientless VPN, referred to as
secure browse. The Preferred VPN mode policy controls that behavior. By default, connections use secure browse, which is
recommended for connections that require SSO. The full VPN tunnel setting is recommended for connections that use
client certificates or end-to-end SSL to a resource in the internal network; the setting handles any protocol over TCP and
can be used with Windows and Mac computers as well as iOS and Android devices.
Secure Web for iOS and Android supports use of a Proxy Automatic Configuration (PAC) file with a full VPN tunnel
deployment, if you use NetScaler for proxy authentication. For details, see Configuring User Connections.
The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse modes
as needed. By default, this policy is off. When this policy is on, a network request that fails due to an authentication
request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges
for client certificates can be accommodated by the full VPN tunnel mode, but not secure browse mode. Similarly, HTTP
authentication challenges are more likely to be serviced with SSO when using secure browse mode.
The Network access policy specifies whether restrictions are placed on network access. By default, Secure Mail and Secure
Notes access is unrestricted, which means no restrictions are placed on network access; apps have unrestricted access to
networks to which the device is connected. By default, Secure Web access is tunneled to the internal network, which
means a per-application VPN tunnel back to the internal network is used for all network access and NetScaler split tunnel
settings are used. You can also specify blocked access so that the app operates as if the device has no network
connection.
Do not block the Network access policy if you want to allow features such as AirPrint, iCloud, and Facebook and Twitter
APIs.
The Network access policy also interacts with the Background network services policy. For details, see Integrating
Exchange Server or IBM Notes Traveler Server.
Client properties contain information that is provided directly to Secure Hub on user devices. Client properties are located in
the XenMobile console in Settings > Client > Client Properties.
Client properties are used to configure settings such as the following:
User password caching
User password caching allows the users' Active Directory password to be cached locally on the mobile device. If you
enable user password caching, users are prompted to set a Citrix PIN or passcode.
Inactivity timer
The inactivity timer defines the time in minutes that users can leave their device inactive and then can access an app
without being prompted for a Citrix PIN or passcode. To enable this setting for an MDX app, you must set the App
passcode policy to On. If the App passcode policy is Off, users are redirected to Secure Hub to perform a full
authentication. When you change this setting, the value takes effect the next time users are prompted to
authenticate.
Citrix PIN authentication
Citrix PIN simplifies the user authentication experience. The PIN is used to secure a client certificate or save Active
Directory credentials locally on the device. If you configure PIN settings, the user sign on experience is as follows:
1. When users start Secure Hub for the first time, they receive a prompt to enter a PIN, which caches the Active
Directory credentials.
2. When users subsequently start a XenMobile app, they enter the PIN and sign on.
You use client properties to enable PIN authentication, specify the PIN type, and specify PIN strength, length, and
change requirements.
Fingerprint authentication
Fingerprint authentication is an alternative to Citrix PIN when wrapped apps, except for Secure Hub, need offline
authentication, such as when the inactivity timer expires. You can enable this feature in the following authentication
scenarios:
Citrix PIN + Client certificate configuration
Citrix PIN + Cached AD password configuration
Citrix PIN + Client certificate configuration and Cached AD password configuration
Citrix PIN is off
If fingerprint authentication fails or if a user cancels the fingerprint authentication prompt, wrapped apps fall back to
Citrix PIN or AD password authentication.
Fingerprint authentication requirements:
- iOS devices (minimum version 8.1) that support fingerprint authentication and have at least one fingerprint
configured.
- User entropy must be off.
To configure fingerprint authentication
Important: If user entropy is on, the Enable Touch ID Authentication property is ignored. User entropy is enabled through
the Encrypt secrets using Passcode key.
1. In the XenMobile console, go to Settings > Client > Client Properties.
2. Click Add.
3. Add the key ENABLE_TOUCH_ID_AUTH, set its Value to True, and set the policy Name to Enable Fingerprint
Authentication.
In-app guide for migrating to public store apps
Oct 18, 2017
Important
Citrix supports both enterprise distribution and public app store distribution for XenMobile productivity apps until December 31,
2017. For details, see the Citrix product matrix. You must move to the public app store apps before this date. After that, only public
app store distribution is supported. The MDX Toolkit continues to support enterprise wrapping for app developers.
Moving from the enterprise versions of XenMobile Apps to the public app store versions on user devices requires new
installations of the apps.
As of version 10.4.5, an in-app guide in some XenMobile Apps helps users export their app settings:
Secure Mail, Secure Web, ShareFile, and QuickEdit include an in-app migration guide that you enable with policies in the
MDX Toolkit.
Secure Notes and Secure Tasks do not include an in-app migration guide.
The following sections describe the steps to get ready for app migration, including how to enable the in-app migration
guide. For Secure Notes and Secure Tasks, the article shows how to migrate without the guide. The article also includes
specific steps users take on their iOS or Android devices.
We recommend that you migrate your other apps, such as Secure Web, ShareFile, or QuickEdit, before you migrate
Secure Mail. Doing so ensures that Secure Mail exports the app settings for your other apps successfully.
For apps that include an in-app migration guide: Secure Mail, Secure Web, ShareFile, and QuickEdit.
For iOS, set the Cut and Copy MDX policy to Unrestricted. Note that you only need to change this setting if users
migrate Secure Mail for iOS first.
Upload the MDX file. Doing so ensures that Secure Hub authorizes the apps to be downloaded and installed from the
app stores.
Set up automatic enrollment and a credential store in the public store version of Secure Mail. Set the configuration to
configure the account automatically when users open the app, if the configuration does not include certificates. For
details, see Configure single sign-on for Secure Mail.
During the migration period, both the enterprise apps and public app store apps are available in Secure Hub. A best
practice is to prepend the display name of the enterprise apps with a phrase like Do Not Install. Move the apps to a new
folder named Deprecated - Do Not Install. When the migration period ends and the enterprise apps are wiped, you can
push the public store apps as required.
To enable the guide, turn on the App Store migration policy (iOS) or the Play Store Migration policy (Android) on the
XenMobile console. The next time users open the enterprise versions, the migration guide appears.
You can control how long the guide appears by configuring the Migration grace period (hours) MDX policy. The default
value is 72 hours. When the period ends, the enterprise app becomes inactive. At that time, users must move apps to the
public app store version.
Other points to note about the in-app guide:
Wait for the migration grace period to pass before removing the enterprise apps from your user groups.
If you blocked app store access, the guide can't be enabled. In this case, users must move their apps to public store apps
manually.
Enabling the guide with shared devices isn't recommended. The shared device administrator should manage the move to
public store apps.
Secure Notes and Secure Tasks do not include an in-app migration guide. To migrate Secure Notes and Secure Tasks from
the enterprise app versions to the public app store apps, do the following.
1. Deploy an App uninstall device policy to remove the enterprise versions when the app store version of Secure Mail is
installed. This policy is not supported in MAM-only environments.
2. Send Secure Hub notifications to install Secure Notes and Secure Tasks from the app store. The notifications appear to
users when they install the app store version of Secure Mail or Secure Web.
3. In environments without an MDM deployment, we recommend that you wipe the apps. Then, users reinstall that app
when you send them an email migration template. For email templates, see the Citrix.com resource guide on XenMobile
End User Adoption.
1. When users tap the enterprise version of Secure Mail or Secure Web, a screen instructs them to download the app from
the App Store. The screen also notifies them when the enterprise app becomes inactive.
2. A pop-up message appears, telling users to look for an email with an attachment that contains their settings.
3. When users tap OK, a confirmation screen appears.
4. Users are taken to the App Store, where they download the app.
5. After installing the public app store version of the app, users must delete the old, enterprise versions from their devices.
If they don't, when they open the enterprise version, they see a message. The message instructs them to remove the old
version.
Note
On iOS, both the enterprise and public app store versions can exist on the device. On Android, however, users must uninstall the
enterprise version before installing the app store version.
On Android, it’s recommended that users migrate from the Secure Web enterprise version to the Secure Web app store
version first and then migrate Secure Mail.
Android requires users to uninstall an older version of an app. In this case, users uninstall the enterprise version. Then, they
install the Google Play version. To export app settings, users must have Secure Mail on the device.
If a user taps the enterprise version of Secure Mail, the following sequence of screens appears:
After users migrate their apps, do the following as appropriate for your scenario:
When using the migration guide for iOS devices, users have the enterprise apps and public store apps installed on their
devices simultaneously. To remove the enterprise app upon install of the public store version, use the App Uninstall device
policy. The policy is available in XenMobile Server 10.6 and later. This policy is not supported in MAM-only environments.
We also recommend that you use the App Uninstall policy to trigger the removal of Secure Notes and Secure Tasks.
In the following figure, in Managed app bundle ID, type the bundle ID of the app you want users to uninstall. In the
Deployment Rules, for Installed App Name is equal to, type the bundle ID of the app from the public app store that
you want users to install.
To use automated actions to trigger a Secure Hub notification, see Automated actions. You set the trigger based on the
Installed app name.
Known issues
Oct 31, 2017
For technical support articles and other support resources for XenMobile, such as software updates and security bulletins,
see the Citrix Support Knowledge Center.
Important
Before upgrading to Android O (version 8), users must upgrade Secure Hub and all XenMobile Apps to version 10.6.20. Otherwise,
users might not be able to sign on to Secure Hub or open XenMobile Apps. For more information about XenMobile Apps and
Android 8, see the information later in this article, the XenMobile Apps Known issues, and XenMobile supported device operating
systems.
Before upgrading their devices to iOS 11, users must upgrade Secure Hub to version 10.6.10 or later.
That upgrade sequence is required because Secure Hub no longer supports SHA-1 certificates on devices running iOS 11. For more
information about anticipating this change, see the Knowledge Center article on XenMobile iOS 11 and Android O Support.
The XenMobile Apps 10.7.10 release includes no known issues. For fixed issues, see Fixed issues.
In Secure Mail on iOS 11 devices, silent notifications do not work. As a result, notifications may not appear on the lock
screen. When mail synchronizes in the background, however, the notifications do appear. This is a third-party issue. For
details and updates, see this Citrix Support Knowledge Center article.
Secure Hub 10.7
Devices running iOS 11 can't enroll in XenMobile or might have Secure Hub store access issues if TLS 1.2 isn't enabled on
NetScaler and XenMobile is configured with any of the following authentication options:
LDAP and certificate authentication
Certificate authentication
Certificate authentication plus security token
This issue affects:
New enrollments through Secure Hub on iOS 11.
Existing enrollments, after the device upgrades to iOS 11 and either of these actions occurs:
The user accesses the Secure Hub store.
A XenMobile App or MDX-wrapped app needs to renew a NetScaler Gateway cookie.
This issue occurs because iOS 11 now requires that NetScaler is configured for TLS 1.2 for certificate-based authentication.
If you run one of the authentication modes listed above, resolve this issue by enabling TLS 1.2 on NetScaler Gateway.
[CXM-33327]
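A pre-upgrade check for the TLS 1.2 requirement described above, as an added example (not Citrix code): it attempts a handshake pinned to TLS 1.2 against a gateway address you supply and reports the outcome. The function names and result labels are this example's own; the probe tests protocol support only and presents no client certificate or credentials.

```python
"""Check whether a gateway endpoint completes a handshake pinned to TLS 1.2."""
import socket
import ssl
import sys
from typing import NamedTuple, Optional


class ProbeResult(NamedTuple):
    # status is one of: tls12_ok, tls12_ok_cert_untrusted,
    # handshake_failed, unreachable (labels chosen for this example)
    status: str
    detail: str


def tls12_only_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that offers TLS 1.2 and nothing else.

    cafile: optional PEM bundle, for a gateway certificate issued by an
    internal CA that is not in the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tls12(host: str, port: int = 443, timeout: float = 5.0,
                cafile: Optional[str] = None) -> ProbeResult:
    """Try a TLS 1.2-only handshake with host:port and classify the outcome."""
    # Phase 1: plain TCP connect, so network problems are not reported
    # as a protocol problem.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, DNS failure
        return ProbeResult("unreachable", str(exc))

    # Phase 2: the handshake itself, restricted to TLS 1.2.
    with raw:
        try:
            ctx = tls12_only_context(cafile)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult("tls12_ok", tls.version() or "")
        except ssl.SSLCertVerificationError as exc:
            # Certificate checks run after the server has already agreed
            # on the protocol version, so TLS 1.2 itself was accepted.
            return ProbeResult("tls12_ok_cert_untrusted", exc.verify_message)
        except (ssl.SSLError, OSError) as exc:
            # Protocol alert, reset or timeout during the handshake:
            # the endpoint did not complete a TLS 1.2 negotiation.
            return ProbeResult("handshake_failed", str(exc))


if __name__ == "__main__":
    # Usage: python probe_tls12.py <gateway-fqdn> [<gateway-fqdn> ...]
    for target in sys.argv[1:]:
        result = probe_tls12(target)
        print(f"{target}: {result.status} ({result.detail})")
```

A `handshake_failed` result for a reachable gateway is the case to resolve before devices move to iOS 11.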
For MDM-enrolled iOS 11 devices, when you deploy XenMobile in a cluster setup in MDM or MDM+MAM mode, MDM
commands may fail. As a result, you may not be able to push MDM policies, deploy apps, or carry out security actions, such
as lock or wipe, on iOS 11 devices. On user devices, the following issues may occur: Apps keep trying to install; VPN or WiFi
configurations fail to install; and security actions, such as Lock, happen repeatedly. For more details and required action, see
this Citrix Knowledge Center article. [CXM-38331]
On iOS 10 and 11, selecting open in from MDX managed apps displays an error message. [CXM-38912]
Users might be locked out of Secure Hub after changing their Active Directory (AD) password. The lockout can occur when
the user authenticates on Secure Mail with the new password without first authenticating on Secure Hub with the new
password. To prevent this, advise users to close and relaunch Secure Hub after changing their AD password, so that Secure
Hub prompts them to enter a password. It might take several tries until Secure Hub prompts for a password. [CXM-39899]
Found in QuickEdit version 6.14 (iOS)
When you try to send files to Secure Mail from QuickEdit or ScanDirect, the transfer fails. As a workaround, add the
following file encryption exclusion within the policy settings for these apps:
"\/tmp\/\.com\.apple\.Pasteboard"
Issues with Android O (version 8)
Before upgrading to Android O, users must upgrade Secure Hub and all XenMobile Apps to version 10.6.20. Otherwise, users
might not be able to sign on to Secure Hub or open XenMobile Apps. [CXM-36910]
If you run XenMobile Apps version 10.6.5, 10.6.10, or 10.6.15, and you upgrade to Android O, be aware of the following
known issues.
Users with Android O devices might not be prompted to change their passcodes to comply with new or updated policies
that require stronger passcodes. To ensure users are prompted to change their passcodes, when creating or updating a
passcode policy, specify that numbers, letters, or both are required characters. [CXM-28102] [Found in 10.6.5]
If users are running a version of Secure Mail earlier than version 10.6.20 and they upgrade to Android O, the following
error may appear: The device does not support encryption features required by application. Then, when you update the
app in XenMobile, the account is deleted. [CXM-36763] [Found in 10.6.5]
In Secure Mail on Android O, the AutoFill option is enabled. [CXM-35112] [Found in 10.6.5 and 10.6.10]
On Android O, users are unable to upload files through Secure Web. [CXM-35407] [Found in 10.6.5 and 10.6.10]
On Android O, shortcuts created by policies do not appear on the device home screen. This is by design in Android O.
[CXM-35460] [Found in 10.6.5 and 10.6.10]
If users are running a version of Secure Mail earlier than version 10.6.20 and they upgrade to Android O, the following
error may appear: The device does not support encryption features required by application. Then, when you update the
app in XenMobile, the account is deleted. [CXM-36763] [Found in 10.6.5 and 10.6.10]
Touchdown for Smartphones might stop unexpectedly on devices running Android O. [CXM-36685] [Found in 10.6.5,
10.6.10, and 10.6.15]
In Secure Hub for Android, when you deploy a Wi-Fi policy with hidden network settings enabled, the settings don’t
appear on the device as expected. This is a third-party issue. [CXM-37585] [Found in 10.6.20]
Note: On Secure Mail for Android with IBM Lotus Notes version 9.0.1, invitees might not receive reminders for non-recurring
meetings. [CXM-37691]
Secure Web 10.6.15
On Secure Web for Android, after saving a page for offline viewing, the page does not render. [CXM-36270]
Secure Mail 10.6.15
On Secure Mail for iOS with multiple accounts, tapping the email triage action Move to from a secondary account displays
the folders of the primary account. This issue affects iPhone devices. [CXM-35911]
The XenMobile Apps 10.6.10 and 10.6.5 releases include no known issues. For fixed issues, see Fixed issues.
Secure Hub 10.5.20
On Android, if a device is enrolled in XenMobile Essentials and gets wiped, they can reenroll without supplying their Azure
Active Directory credentials again. [CXM-29653]
On Android devices, after a selective wipe, Secure Hub should revert to the first time user screen. Instead, the app hangs.
[CXM-29660]
After upgrading, Secure Hub might fail to prompt users to sign in using fingerprint authentication when expected. Instead,
users might be prompted twice to authenticate using a Citrix PIN or passcode before being prompted to authenticate
using fingerprint authentication. [CXM-31213]
On Android, users cannot see the upgrade progress bar when updating enterprise apps through Secure Hub without signing
off then signing back on. [CXM-32119]
Secure Mail 10.5.20
On Android, when a user scrolls to a native calendar event beyond one month in Secure Mail, switching to Week or Day view
and then back to Month view, the event does not display. This happens intermittently. [CXM-30870]
On Android, if users enable personal calendar overlay in Secure Mail then scroll back through calendar events in agenda view,
tapping the Today button does not display today's events. This happens intermittently. [CXM-30875]
On Android, when a user enables personal calendar overlay and scrolls back over three months in agenda view, a message
displays "Touch to view events after..." and the date. Touching this message does not load more events. This happens
intermittently. [CXM-30877]
On Android, when a user enables personal calendar overlay and opens an event from Month view, upon closing the event,
random events are highlighted. This happens consistently on devices running Android 4.x and intermittently on other
devices. [CXM-30879]
In Secure Mail for iOS, when users press Edit on the Mail screen to edit mail and then long press, when they exit the edit
mode, the folder list menu does not appear as expected. To resolve the issue, users must close and reopen Secure Mail.
[CXM-32147]
Secure Hub 10.5.15
After users enroll and reenroll an iOS device, when you create and deploy, for the first time, a delivery group with required
apps, this issue occurs: MDX, public app store, and enterprise apps in the delivery group are not pushed to the device. Only
web SaaS and web links deploy. All apps deploy only if users refresh the app store or if they sign off and on again. [CXM-30386]
Secure Mail 10.5.15
With NetScaler 12.0.41.16, when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is
fixed in NetScaler 12.0 build 41.22. For details and updates, see this Support Knowledge Center article. [#685075]
On a Nexus 6P device running Android 7.x, if S/MIME is enabled, Secure Mail crashes while trying to encrypt and sign an
email with a large attachment. [CXM-29544]
Secure Hub 10.5.10
Attempts to enroll devices running Android 4.4.x in an IDP-enabled XenMobile Server in Secure Hub for Android might fail,
showing a blank enrollment page. As a workaround, do one of the following:
Force Secure Hub to close on the device.
Restart the device after the second enrollment attempt. [CXM-24145]
Secure Web 10.5.10
When you set the Enable_Secret_Using_Passcode flag to true in the XenMobile console to enable user entropy, the
following issue occurs on Android devices. When users are enrolled in Secure Hub and have already opened Secure Web,
when they restart the device and then reopen the app, Secure Web closes. To resolve the issue, users can open Secure Hub
and then open Secure Web. [CXM-26413]
Secure Mail 10.5.10
In Secure Mail for iOS, a Download Complete Message does not appear when the body of the message is larger than
the truncation size set in Exchange Server 2013 CU 15. [CXM-25885]
Values set in Exchange Server 2013 CU 15 for including past email items are not reflected in Secure Mail for Android or iOS.
[CXM-26017, CXM-26023]
Secure Hub 10.5.5
On Android, when Secure Hub attempts to re-authenticate the session of a user, the first authentication screen is slow or
unusable. [CXM-24293]
In Secure Hub for Android, when the inactivity timer expires and users enter a wrong PIN, when they tap Having trouble
and try to re-enroll, a Deleting account message appears. At that time, the account is not deleted and a PIN screen
appears. If users enter the wrong PIN again and try to re-enroll by tapping Having Trouble, the account is deleted. [CXM-24717]
Secure Mail 10.5.5
When users open Secure Mail for Android and are prompted for authentication, if they do not provide their credentials and
instead switch to Secure Hub for authentication, when they open the app from the home screen, the My Apps screen
appears instead of Secure Mail. As a workaround, users can restart Secure Mail. [CXM-24072]
In a XenMobile enterprise deployment (MDM + MAM), when you configure automatic app updates for enrolled iOS devices,
the following issue occurs intermittently. After users update XenMobile Apps from public app stores, an earlier version of
the apps installs. As a result, users are prompted to upgrade, and the pattern repeats. The issue does not occur with Secure
Hub. As a workaround, users can update the app directly from the app store. For details, see
https://support.citrix.com/article/CTX220607.
Secure Hub 10.5
On Android devices, changing the required length of the Secure Hub PIN in XenMobile Server causes the old PIN to be
refused. This requires a PIN reset. [CXM-23637]
On Android devices, when resetting your PIN in an MDX app due to exceeding invalid attempts, old PINs will be accepted
as replacements without honoring the value configured in PIN history. [CXM-23638]
For known issues with Secure Hub that relate to XenMobile Server, see Known issues.
Secure Mail 10.5
On Samsung 7 devices running Android 7, when a user deletes VIP contacts in Secure Mail, the app crashes
intermittently. [CXM-23516]
On Android devices, long pressing a link in Secure Mail and attempting to share it with ShareFile does not work. [CXM-23594]
Secure Hub 10.4.10
On iOS devices, if a user enables the Credential Store flag in XenMobile, enters their XenMobile Server FQDN or URL in
Secure Hub, enrolls using their user name and password, and then opens Secure Mail, the app is not configured
automatically. [CXM-23414]
Secure Web 10.4.10
On Android 7 devices, after the inactivity timer expires, when a user opens Secure Web, enters an invalid PIN, and resets
the PIN, websites fail to load. If users then close and re-open Secure Web, the websites load properly. [CXM-23274]
Secure Mail for Android 10.4.6 for enterprise distribution
On Android devices, when you block location services in XenMobile, Secure Mail users are notified intermittently that the
location service is blocked. [CXM-21770]
If Secure Mail version 10.4.5 or 10.4.10 is installed for the first time (not upgraded) on devices running Android 6.0.1 or
later, users cannot email a file with Secure Mail when using the ShareFile or QuickEdit apps, unless they grant the
Storage Access Permission for Secure Mail in Android device settings. [CXM-23277]
On Samsung S7 devices running Android 7, the paste option will not display on long press when composing a mail. [CXM-23494]
On Samsung 7 devices running Android 7, when a user deletes VIP contacts in Secure Mail, the app crashes
intermittently. [CXM-23516]
For known issues with the MDX Toolkit, see Known issues.
The following are known issues in version 10.4.5 of XenMobile Apps.
Secure Hub
The XenMobile location policy setting that locks devices locally when the geofencing perimeter is breached fails to take
effect on devices running Android 7.0 or later, due to a limitation Android has placed on the resetPassword API. [CXM-20320] [CXM-14990]
When you convert XenMobile Apps to managed on an iOS device, when you delete a user account, the apps are not
removed from the device home screen. Instead, an "App Not Available" message appears. [CXM-19133]
On iOS, when XenMobile Apps are converted from unmanaged to managed mode and the inactivity timer expires, once WiFi
is restored, Secure Hub prompts users for their passcodes multiple times. [CXM-18694]
With Citrix Launcher, in MDM mode, when users open the XenMobile Store, the store opens in a default browser even if
you listed a different browser on a white list. [CXM-17097]
When you configure Citrix Launcher, the Just Once option does not work. You must click the Always option. [CXM-13413]
When you integrate StoreFront with XenMobile and deploy HDX apps, after you change an Active Directory password, the
HDX apps disappear from the Worx Store/XenMobile Store. [CXM-9859]
Secure Mail
On iOS in FIPS mode with S/MIME enabled, Secure Mail crashes when a user enters a password to import an attached
S/MIME certificate. [CXM-19526]
In Secure Mail for iOS, when you set an all-day event: After recipients accept the meeting invitation, the meeting appears
on a different day in Agenda view. The issue occurs only when the organizer and attendees are in different time zones. The
meeting day appears correctly in all other views. [CXM-21017]
Secure Web
On the public app store version of Secure Web for Android, Web Links do not open and a toast message appears to the
user. [CXM-20425]
Secure Hub
With Citrix Launcher, in MDM mode, when users open the XenMobile Store, the store opens in a default browser even if
you listed a different browser on a whitelist. [CXM-17097]
When you configure Citrix Launcher, the Just Once option does not work. You must click the Always option. [CXM-13413]
When users install any public app store version of any XenMobile app on Android devices in unmanaged mode and open the
app and then install Secure Hub and enroll in XenMobile, when they open the XenMobile app again and the device is offline,
the app does not change to managed mode. Instead, a network connection error appears. [CXM-18068]
On iOS, when XenMobile Apps are converted from unmanaged to managed mode and the inactivity timer expires, once
WiFi is restored, Secure Hub prompts users for their passcodes multiple times. [CXM-18694]
When you convert XenMobile Apps to managed on an iOS device, when you delete a user account, the apps are not removed
from the device home screen. Instead, an "App Not Available" message appears. [CXM-19133]
Due to a third-party issue with the iOS operating system, devices set to a language other than English may nonetheless
show alerts for Secure Hub in English. For more information about the issue, see
https://forums.developer.apple.com/thread/45821.
Secure Mail
If a device is running a version of Secure Mail downloaded from the App Store and ShareFile is not installed on the device,
the user sees an alert to go to the App Store and download ShareFile. However, when the user taps the Go to App Store
button, the app flips to the main App Store page instead of flipping to the ShareFile App Store page, forcing the user to
search for ShareFile. [CXM-17389]
On iOS, when trying to attach documents from ShareFile, and ShareFile version 4.2 or below is installed on a device, the user
sees a message asking to upgrade to ShareFile from the App Store. However, when the user taps Go to App Store, the
XenMobile Store opens instead. [CXM-20170]
In some cases, Secure Mail is unable to display files attached to emails that are sent as attachments. [CXM-17127]
On iOS, when Secure Mail is restored from the background and a user opens a draft message and then tries to save it, the
draft message is deleted. [CXM-17048]
On iOS, Secure Mail crashes after a period of inactivity. [CXM-14959]
On iOS, if the size of a message is less than the message truncation size set on Exchange, users still see a Download
Complete Message request. If users forward the message without tapping Download Complete Message, the forwarded
message is also truncated. [CXM-17590]
Secure Forms
When users submit forms from the mobile app, the form shows in the Submitted tab as not submitted and users see an
error message, such as "Unable to Sync," even though the form and related data are in fact collected by the configured
method. [CXM-20112]
Secure Web
In Secure Web for Windows, when users try to view and download a file using a ShareFile link, the preview does not appear
and the file does not download properly. [CXM-13435]
In Secure Web on Android 4.4.4 devices, if a session timeout occurs on NetScaler Gateway, users are prompted to sign on in
Secure Hub. After users authenticate successfully, Secure Hub does not flip to Secure Web as expected. [CXM-18084]
Secure Mail
In Secure Mail for Windows, when you set the Inactivity Timer MDX policy to 150 minutes and the Maximum offline policy
to 1 hour, when users open Secure Mail and let the app go to the background, if the Maximum offline interval ends, users
are not prompted to sign on again to Secure Mail as expected. [CXM-14634]
In Secure Mail for Windows, when the Online session required MDX policy is set to OFF and the App passcode policy is set
to ON, when users open Secure Mail, if the user session on NetScaler Gateway ends, they are not prompted to
authenticate to Secure Hub, as expected. [CXM-14728, CXM-14716]
When you enable client certificate only authentication (for example, without a domain), when users install and open Secure
Mail for Windows, an authentication dialog box appears in error. [CXM-15191]
In Secure Mail on some Android devices, when users compose a mail and start typing in the To, CC, or BCC fields, a delay
occurs in the appearance of the characters. [CXM-18509]
Secure Hub
In a configuration with NetScaler, users cannot reenroll an iOS device in Secure Hub. [CXM-15405]
Enrollment fails on iOS devices through Secure Hub when the NetScaler session profile Account Services address does not
contain the XenMobile Server URL. [CXM-15408]
After you delete a device in the XenMobile console, on Android devices, users are prompted to sign on from Secure Hub
instead of being prompted to reenroll. After signing on, however, users cannot access their apps. [CXM-17833]
In a XenMobile MAM-only deployment, when XenMobile Apps are updated to version 10.4, but Secure Hub is version 10.3,
an app compatibility error appears on Android devices. [CXM-17993]
In Secure Home for iOS 10, users are not prompted to sign on again when Secure Hub remains in the foreground and the
inactivity timer expires. [CXM-18245]
Related information
XenMobile Support Knowledge Center
Fixed issues
Oct 31, 2017
The following issues are fixed in version 10.7.10:
Secure Mail 10.7.10
In Secure Mail for Android, the calendar does not sync events with dates older than January 1, 1970. [CXM-40310]
In Secure Mail for iOS, the calendar does not sync across devices. [CXM-38510]
Secure Hub 10.7.10
When logging in to Secure Hub for Android, intermittently, the progress spinner appears continuously and the error message
“AG tunneler not authenticated” appears. [CXM-38442]
In Secure Hub for Android, the client authentication (PIN/Passcode) dialog appears repeatedly even when the app is in the
background. [CXM-38143]
On iOS, when in Shared Device mode, Secure Hub shows a generic message that does not indicate an issue when there is
no Internet connection. [CXM-28353]
Fixed issues in QuickEdit 6.15
When users edit an email with Secure Mail for iOS by using Citrix QuickEdit for XenMobile, the attachment remains in the
Outbox. The issue occurs when users create a Word document from a desktop computer that has a janusSEAL for
classification. Found in QuickEdit 6.13. [MEQE-6500]
Secure Hub 10.7.5
On Android, Secure Hub crashes as soon as it establishes a micro VPN connection. [CXM-36464]
On Android, Secure Hub gets stuck loading MDX apps. [CXM-37801]
On Android, when Secure Hub sends the device lock and unlock code, the device unlock code does not overwrite the
current password. [CXM-39061]
Secure Mail 10.7.5
On Android devices, when a user presses the dial-in button, a conference ID dials instead of a contact number. [CXM-37915]
On Android, the Secure Mail dial-in button recognizes Indian toll free numbers as US numbers when dialing into Skype
meetings. [CXM-37916]
On Android, the Secure Mail dial-in button does not recognize the correct prefix for Indian phone numbers when dialing into
a Skype meeting. [CXM-37917]
On Android, setting up a calendar event in Secure Mail contains a translation error in German. [CXM-38471]
On iOS, Exchange Online does not accept credentials containing the umlaut character in the password when they are sent
by Secure Mail. [CXM-38539]
On Secure Mail for Android, the Location field for a Calendar event does not prompt the user to select a number from the
list. Instead, it selects the first number in the list and dials that number. [CXM-38540]
On iOS, users are unable to upload photos to some sites using Secure Web. [CXM-38745]
The following issues are fixed in version 10.7.1:
On iOS 11, files from ShareFile opened in MDX-wrapped applications appear corrupted. [CXM-38900]
On iOS 10 and 11, selecting open in from MDX managed apps displays an error message. [CXM-38912]
Secure Hub 10.7
On Android devices, users cannot deploy the VPN policy when trying to configure a per app VPN. [CXM-37344]
On Android devices with TouchDown that update to Secure Hub 10.7: If you remove enrollment in Secure Hub on the
device through an action, such as delete account, selective wipe, or app wipe, the TouchDown configuration is also
removed. [CXM-37435]
On iOS, when NetScaler Gateway has an invalid configuration to support the XenMobile micro VPN, XenMobile Apps crash
on launch after installation. [CXM-38449]
Secure Mail 10.7
Secure Mail for Android does not open from the springboard (home screen) on some devices. You can open the app only by
opening Secure Hub and selecting the app through the Store. [CXM-36921]
Secure Mail for Android does not recognize the 10-digit conference code when joining a WebEx meeting. [CXM-37488]
In Secure Mail for Android, corrupt or unreadable information appears in the “From:” and “To:” fields. This issue occurs when
you reply to or forward an email using Secure Mail in the Arabic or Hebrew languages. [CXM-37723]
In Secure Mail for iOS, replying to or forwarding an email that is an attachment to another mail fails. [CXM-38083]
In Secure Mail for iOS in Simplified Chinese, the full email message does not appear until users refresh or reload the
message. [CXM-38113]
Secure Hub 10.6.20
On iOS, during data syncing, the access gateway cookie may be lost, resulting in Secure Hub taking a long time to start.
[CXM-31212]
Secure Mail 10.6.20
On Secure Mail for iOS, clicking a hyperlink that generates a new email with text opens an email with a blank body. [CXM-36974]
Secure Web 10.6.20
On Secure Web for iOS, mailto links included in JavaScript do not redirect to Secure Mail. [CXM-35927]
In MDX-wrapped Cordova-based apps on iOS, the Allowed URLs policy does not redirect to Secure Web. [CXM-36275]
Secure Mail 10.6.15
On iOS, when attaching a file from MDX-wrapped ShareFile to Secure Mail, "%20" replaces any space in the file name.
[CXM-34801]
Secure Hub 10.6.10
When configuring the Connect every N minutes setting within the Connection Scheduling Policy page, users need to use a
value greater than or equal to 5 minutes to connect. If users have trouble connecting, they need to sign out and reconnect
to Secure Hub. [CXM-25119]
Secure Mail 10.6.10
In Android, if users enable personal calendar overlay in Secure Mail then scroll back through calendar events in agenda view,
tapping the Today button does not display today's events. This happens intermittently. [CXM-30875]
On Secure Mail for iOS, replying to an alert email containing the quarantine release code from the Data Loss Prevention
(DLP) server fails. [CXM-32572]
On Secure Mail for Android, deleted custom holiday calendar entries (All day) of a recurring series still appear. [CXM-32990]
Secure Web 10.6.10
On Secure Web for iOS, users are unable to open certain links. [CXM-33366]
On Secure Web, certain links load in the same web page instead of loading in a new tab. [CXM-34120]
On Secure Web for iOS, users are unable to play videos through vimeo.com on iPhone devices. [CXM-34316]
Secure Hub 10.6.5
When logging on using derived credentials: If users exceed the maximum number (15 times) of incorrect PIN attempts, they
see a dialog box with a Reset Pin and Report button, where the Reset Pin button displays an overflowing label. [CXM-30344]
In Secure Hub for Android, when you have fingerprint authentication configured: When the inactivity timer expires, users see
a notification that states the following: Sign on with %s. In addition, the message refers to Worx Home, the older product
name for Secure Hub. [CXM-31145]
On iOS devices running version 9.3.5, after users enroll in Secure Hub 10.5, Secure Hub crashes. [CXM-32356]
Secure Mail 10.6.5
When an iOS device is restored from a backup of another enrolled device: When the new device enrolls for the same user
and the user installs Secure Mail, mail synchronization keeps occurring. [CXM-26245]
On iOS, when previewing a video in Secure Mail attachments view, if a user changes orientation, the video does not fit the
screen. [CXM-31653]
On Android, the Dial In option does not work in Secure Mail when one number has a country code starting with "+" and the
other does not. [CXM-32191]
In the Secure Mail for Android public app store version on devices running Android 7.0, when users try to open a .wav file, the
option for the Secure Audio player does not appear as expected. [CXM-32989]
Secure Web 10.6.5
On iOS, Secure Web opens dynamically inserted hyperlinks in the same tab instead of a new tab as expected. [CXM-32192]
Secure Hub 10.6
On Android, if a device is enrolled in XenMobile Essentials and gets wiped, they can reenroll without supplying their Azure
Active Directory credentials again. [CXM-29653]
On Android devices, after a selective wipe, Secure Hub should revert to the first time user screen. Instead, Secure Hub
shows a spinner. [CXM-29660]
On iOS, when Secure Hub has an intranet page configured as the home page, Secure Hub displays a blank page. [CXM-30178]
When logging on using derived credentials: If users exceed the maximum number (15 times) of incorrect PIN attempts, they
see a dialog box with a Reset Pin and Report button, where the Reset Pin button displays an overflowing label. [CXM-30344]
On Android devices other than Motorola and Asus, when installing Secure Hub from the public app store while installation
of non-app store apps is disabled: Users get a warning prompt: "The option to install third-party apps is not enabled. Do you
want to enable it now?" When users tap OK, Secure Hub redirects them to Application Settings instead of to Security
Settings. [CXM-30574]
On Android, users cannot see the upgrade progress bar when updating enterprise apps through Secure Hub without signing
off then signing back on. [CXM-32119]
On some Android devices, the device serial number displays as all zeroes in Secure Hub, preventing more than one of these
devices from enrolling. [CXM-32535]
On Secure Hub for Android, users may see an intermittent error when using WebClip or WebLink applications in an
environment that uses XenMobile cluster mode deployment. [CXM-32656]
Secure Mail 10.6
On Android, if a user replies to a long email while it is still loading, Secure Mail loses the conversation history. [CXM-30211]
In Secure Mail for Android, a street address that contains a comma does not appear as a hyperlink. [CXM-30663]
On Secure Mail for Android, verification of the email address fails in the signing certificate. [CXM-31502]
On Android, when a user taps on the location field with conference details in a Calendar event, the passcode for the
conference does not get passed to the dialer. [CXM-31513]
In Secure Mail for Android, mail flagged in Outlook does not sync to Secure Tasks. [CXM-31514]
On iOS, when modifying individual occurrences of a series of meetings in Outlook, Secure Mail does not reflect the
modification. [CXM-32348]
Secure Hub 10.5.20
On Android, when upgrading to Secure Hub 10.3.10 or 10.4, multiple NetScaler Gateway sessions are opened. To resolve this
issue, contact Citrix support. [CXM-19567]
On Android, users may see an Invalid Certificates message due to erroneous SSL alerts resulting in Secure Mail creating
multiple certificates for each user. [CXM-31999]
iOS and Android devices running Citrix Secure Hub might over-consume NetScaler Gateway licenses. [#492788, #578867,
#603244, #493944, #510249, #561243, #594831, #634473]
Secure Mail 10.5.20
Secure Mail for iOS crashes after the Sync Mail Period is set to one month. [CXM-26039]
On devices running Android 7, Secure Mail fails to launch and the following error message displays. "This device doesn't
support encryption features required by this application." [CXM-26244]
On devices running Android, Secure Mail crashes when the Microsoft Exchange Server restricts the ActiveSync mailbox
policies. [CXM-28178]
When using Secure Mail to compose an email in response to an email notification from ShareFile, [email protected]fications.com
displays as a suggestion in the recipient field. [CXM-29505]
On Android, when replying or forwarding an email to an address with specific text in them, formatting is applied to the
address and the body of the email. For instance, a mail address like [email protected] results in the address and body of
the email becoming bold. [CXM-29730]
Samsung devices updated in early 2017 face issues with email sync. Users will get an "Access to company network is
unavailable" error. [CXM-29838]
On Android, when trying to add a second account to Secure Mail, users see a popup instead of the manual account
configuration screen. Since users cannot edit the domain in this popup, they are unable to add the account. [CXM-29898]
Secure Mail for Android requests a new user certificate from the certificate authority (CA) when it receives an SSL
exception from NetScaler Gateway, even when the existing certificate is valid. The CA server issues duplicate certificates for
the same user, and an "invalid certificate" error appears on the device. This issue is seen only in XenMobile deployments
configured with certificate-based authentication. [CXM-31402]
Secure Web 10.5.20
On Secure Web for iOS, when a user tries to submit a search query through an HTML form, they don't see any response
after tapping the search button. [CXM-29572]
On iOS, when the popup blocker in Secure Web is not enabled, quick links do not appear. [CXM-30018]
Secure Hub 10.5.15
When you integrate StoreFront with XenMobile and deploy HDX apps, after you change an Active Directory password, the
HDX apps disappear from the XenMobile Store. [CXM-9859, CXM-22821]
On Android devices, when users install a managed app from the Secure Hub store, the following message appears: This
managed application is no longer registered with Secure Hub. [CXM-22899]
On devices running Android 6, when enrolled in XenMobile Server, Secure Hub cannot provide the device MAC address
properly. [CXM-23454]
On Android, when opening VPN enabled apps, a private build of Secure Hub shows the following error. “The VPN service has
failed to connect. You might not have access to Internal networks. To continue running Secure Web, press OK.” [CXM-23455]
Secure Mail 10.5.15
In Secure Mail for Android, when a STA ticket with NetScaler Gateway expires or the Secure Hub inactivity timer expires,
users can't synchronize their mail. Instead, a network access error appears. [CXM-25699]
When certificate-based authentication is configured for Secure Mail on Android devices, after users update from WorxMail
10.3.10 to Secure Mail 10.4, synchronization to Exchange Server fails. [CXM-29507]
On Android, if a server certificate is not installed on the device and the Accept All Certificates policy is set on XenMobile,
Secure Mail does not sync after upgrading from 10.5.5 to 10.5.15. [CXM-29699]
The following are fixed issues in the 10.5.10 version of the XenMobile Apps.
Secure Hub 10.5.10
In Secure Hub for iOS with shared devices, the following issue occurs. When users try to sign on by using their shared
account credentials, two error messages appear. Subsequently, sign on for the shared user fails. [CXM-25761]
Secure Web 10.5.10
On iOS, for sites that expect to use the NetScaler Gateway client certificate to authenticate, Secure Web fails to
authenticate. [CXM-21644]
On iOS devices, Secure Web is unable to open internal web sites that use HTTP redirects which include special characters in
their URL. [CXM-22300]
In Secure Web for iOS, anchor links within a page don't work. [CXM-22800]
On Android, users are unable to open Microsoft Excel files downloaded through Secure Web in the Microsoft Excel app.
[CXM-23231]
On iOS, Secure Web does not open custom links that flip to a different app. [CXM-23621]
Secure Mail 10.5.10
On Huawei devices running Android, users are unable to open attachments in QuickEdit from Secure Mail. [CXM-23182]
On Android, when replying to an existing conversation in a language other than English, Secure Mail begins a new
conversation instead of continuing the existing one. [CXM-23232]
On iOS, account configuration fails because Secure Mail does not handle an HTTP 451 redirect response from the
Exchange Server in certain environments. [CXM-24069]
On iOS, when users compose an email in Secure Mail, the search and auto-suggest features in the To, CC, and BCC fields
do not find users whose first name and user name do not match. [CXM-24184]
On Android, when trying to view or create a meeting invite for a user with special characters in their email address, Secure
Mail crashes. [CXM-25506]
On Android, when sending a calendar invite to one person, the reply option is not available. [CXM-25649]
On Android, locally synced contacts do not appear on cars over Bluetooth. [CXM-25893, CXM-28086]
The following are fixed issues in the 10.5.5 version of the XenMobile Apps.
Secure Hub 10.5.5
On devices running Android 6, when enrolled in XenMobile Server, Secure Hub cannot provide the device MAC address
properly. [CXM-23454]
On Android, KNOX requires users to provide their old password before setting a new password, resulting in users being
unable to reset their passwords. [CXM-23972]
Secure Mail 10.5.5
On iOS, users cannot open attachments from Secure Mail with Quick Edit unless Quick Edit is already open in the
background. [CXM-21815]
On Android 6 and 7 devices, when the default notification sound is changed in Secure Mail settings, the selection is not
reflected. [CXM-23716]
In Secure Mail for Android, after starting the app for the first time, synchronization does not work. When users close the
app and restart it, synchronization works. [CXM-25542]
Secure Hub 10.5
On an iOS 9 device, if Secure Hub was previously installed, users may see an error when opening XenMobile Apps after a
fresh installation of Secure Hub 10.4.10 or later. [CXM-23823] This issue was reported in the following Knowledge Base
article: https://support.citrix.com/article/CTX220583.
For Secure Hub fixed issues that relate to XenMobile Server, see Fixed issues.
Secure Mail 10.5
When users reply to an email without using smart reply, the response indicator does not appear. [CXM-21690]
On an iOS 9 device, if Secure Hub was previously installed, users may see an error when opening XenMobile Apps after a
fresh installation of Secure Hub 10.4.10 or later. [CXM-23823] This issue was reported in the following Knowledge Base
article: https://support.citrix.com/article/CTX220583.
Secure Hub 10.4.10
On iOS in MAM-only mode, when users sign off from Secure Hub, the Authenticating message shows indefinitely. [CXM-20880]
On Secure Hub for iOS, when users enter the FQDN for the XenMobile Server for which certificate pinning is enabled,
the message "Certificate Not Trusted: We cannot connect securely to your company's network" is shown. [CXM-21987]
On iOS, when users sign on to Secure Hub 9.3.5 after a device restart and then open an MDX app, an Incompatible App
message shows. [CXM-22013]
On iOS, enrollment fails with Secure Hub 10.4.5 if the HTTPS secure port is not the default 443 port. [CXM-22941]
On Secure Hub for iOS when certificate pinning is configured, users see a Certificate Not Trusted message with an Exit
button when enrolling in Secure Hub. If they open Secure Hub a second time, when they tap the Exit button, the
message goes away. [CXM-23145]
Secure Web for Android 10.4.10
On the public app store version of Secure Web for Android, Web Links do not open and a toast message appears. [CXM-20425]
After users open public app store apps for Android from Google Play one time, the apps do not open on subsequent
tries. [CXM-21246]
Secure Mail for Android 10.4.10
On Android, when Secure Mail is installed on a device and opened for the first time, automatic mail sync fails for users
with large numbers of mailboxes (more than 500). However, users can sync individual mailboxes manually. [CXM-18066]
Edits to messages that users make in Outlook, such as changing text in the subject line or body of the email, don't sync
in Secure Mail for Android. [CXM-21366]
On Android, Secure Mail 10.4 crashes when users open a hosted Office 365 mailbox in a hybrid environment that also
includes on-premise Exchange 2010 Server mailboxes. [CXM-21733]
On Android devices, when you block location services in XenMobile, Secure Mail users are notified intermittently that the
location service is blocked. [CXM-21770]
On Android, when the background services list includes more than one Exchange Server, users cannot activate Secure
Mail for Android 10.4.1 when installing the app for the first time or when updating the app. [CXM-23176]
Secure Mail for iOS 10.4.10
In Secure Mail for iOS, users cannot disable an event reminder notification. [CXM-21700]
On WorxMail or Secure Mail for iOS, when users switch their WiFi connection from the office to a T-Mobile cellular
connection, emails stop synchronizing and a connection failure error occurs. [CXM-22984]
After updating Secure Mail for iOS to version 10.4.5, when users tap the Secure Mail icon to open the app, they are
prompted that Secure Hub needs to start and then Secure Hub opens. When they return to Secure Mail from Secure
Hub, a grey screen appears and the app crashes. [CXM-23831]
Secure Mail for Android 10.4.6 for enterprise distribution
On Android 7 devices, users trying to sign on to Secure Mail by using certificates see an error indicating that the
certificate is not trusted. As a result, users cannot sign on. [CXM-23252]
Note
The Worx Mobile Apps mentioned in these fixed issues were renamed in version 10.4. For details, see About XenMobile Apps.
The following are fixed issues in version 10.4.5 of XenMobile Apps.
Secure Hub
In XenMobile configurations with client certificate authentication, when XenMobile Apps attempt to connect to NetScaler
Gateway after Secure Hub has accessed the client certificate, the following issues may occur:
Users cannot sync new mails in Secure Mail.
Users cannot browse to web pages in Secure Web.
To resolve the issues, users must reenroll in Secure Hub. [CXM-20421]
Android devices might return to the enrollment screen after the device has been successfully enrolled if the device is
selectively wiped while Secure Hub is running in the background. [CXM-20722]
When an iOS user logs on to Secure Hub using an Active Directory passcode, the first app on the user's My Apps list might
automatically open. [CXM-19793]
Xoro devices might fail to enroll in XenMobile because XenMobile fails to read the devices' serial number correctly, instead
associating them with the generic serial number 012345678912345. [CXM-646116, CXM-16449]
After Worx Home 10.3.5 is upgraded to version 10.3.6, iOS devices fail to enroll and users see the error message
"URLRequestFailedMessage". [CXM-13731]
Secure Hub might freeze at the credentials screen after installation on iOS devices using Device Enrollment Program.
[0656084]
Secure Mail
After upgrading to iOS 10, Secure Mail can't open links in the RSA SecurID app. [CXM-20895]
When a message is larger than the initial download size specified on the Exchange Server and the user taps Download Full
Message, the message scrolls back to the top instead of remaining at the position from which the rest of the message
was downloaded, resulting in a loss of reading continuity. [CXM-20794, CXM-21409]
When users configure large text as an Accessibility setting in Secure Mail on iOS 10 devices, the text appears as small when
composing or replying to a message. [CXM-19773]
When Secure Mail for iOS has been in the background for 15 minutes or longer, push notifications stop working. Bringing
the app to the foreground makes push notifications start working again. [CXM-19597]
On iOS, in WorxMail/Secure Mail versions 10.3.5 and later, emails sometimes get stuck in the Outbox. [CXM-19568]
In Secure Mail for Android configured with Secure Ticket Authority (STA), when the STA time period expires, Secure Mail
stops syncing and does not redirect to Secure Hub for re-authentication. As a workaround, users can open Secure Hub and
enter their credentials to regain access to Secure Mail. [CXM-19372]
When the Email Classification policy is disabled, the Email Classification option is still visible on the device. [CXM-18503]
If a device is running a version of Secure Mail downloaded from the App Store and ShareFile is not installed on the device,
the user sees an alert to go to the App Store and download ShareFile. However, when the user taps Go to App Store, the
app flips to the main App Store page instead of flipping to the ShareFile App Store page, forcing the user to search for
ShareFile. [CXM-17389]
On iOS, when trying to attach documents from ShareFile, and ShareFile version 4.2 or earlier is installed on a device, the user
sees a message asking to upgrade to ShareFile from the App Store. However, when the user taps Go to App Store, the
XenMobile Store opens instead. [CXM-20170]
On iOS, Secure Mail is sometimes unable to display files attached to emails that are sent as attachments. [CXM-17127]
On iOS, when Secure Mail is restored from the background and a user opens a draft message and then tries to save it, the
draft message is deleted. [CXM-17048]
On iOS, Secure Mail crashes after a period of inactivity. [CXM-14959]
On iOS, if the size of a message is less than the message truncation size set on Exchange, users still see a Download
Complete Message request. If users forward the message without tapping Download Complete Message, the
forwarded messages are also truncated. [CXM-17590]
Secure Web
On Secure Web for iOS, tapping on a PDF link produces an error message. In some cases, PDFs open only when the user
presses the link for several seconds. [CXM-21014]
On Secure Web for iOS, users are not able to print from within a third-party app. [CXM-20535]
On iOS, WorxWeb versions 10.3.10 and earlier sometimes did not open URLs when WorxWeb is in Secure Browse mode.
[CXM-20094]
In some cases, URLs with special characters result in an error in WorxWeb for Android. [CXM-15245]
When Secure Web for iOS opens, occasionally a PAC file is not downloaded and an error occurs. [CXM-15756]
Secure Forms
The date format configured in the Composer affects only how dates appear in the Date field on the device.
On submitted forms, dates appear in the following ways, depending on the form submission format selected in the
Composer:
PDF: The date is always localized, using the device's location and calendar.
CSV / XML / JSON: Dates are in RFC3339 format; for example: 2016-11-15T18:30:00Z [CXM-20623]
When users submit forms from the mobile app, the form shows in the Submitted tab as not submitted and users see an
error message, such as "Unable to Sync," even though the form and related data are in fact collected by the configured
method. [CXM-20112]
Note: The Worx Mobile Apps mentioned in these fixed issues were renamed in version 10.4. For details, see About
XenMobile Apps.
Secure Hub
After Worx Home 10.3.5 is upgraded to version 10.3.6, iOS devices fail to enroll and users see the error message
"URLRequestFailedMessage". [CXM-13731]
When iOS devices are upgraded to Secure Hub 10.3.10 from version 10.3.8 or 10.3.9, a few devices might be selectively
wiped, causing them to be re-enrolled. [CXM-18240]
Secure Mail
On iOS, Secure Mail crashes after a period of inactivity. [CXM-14959]
In some cases, Secure Mail is unable to display files attached to emails that are sent as attachments. [CXM-17127]
On Secure Mail for iOS, the user agent string sometimes shows as "SecureMail" instead of "WorxMail". [CXM-19193]
On iOS 10, when Secure Mail is in the background for some time, badge counts on the home screen do not update. To
update the badge counts, bring the app into the foreground. [CXM-19320]
Secure Web
In some cases, URLs with special characters result in an error in WorxWeb for Android. [CXM-15245]
On Android, when full tunnel VPN is configured and online connection switches from one source to another, such as from
WiFi to cellular, apps may lose connectivity. [CXM-15606]
Note: The Worx Mobile Apps mentioned in these fixed issues have new names in version 10.4. For details, see About
XenMobile Apps.
In WorxMail for iOS, users cannot connect to WorxMail due to an issue with the HTTP 451 redirect address. This fix
addresses the issues with the 451 redirect. You should use the 451 redirect address as the supported ActiveSync redirect,
and not the 301 redirect address. [CXM-14827]
In WorxWeb for iOS, if URLs contain certain special characters, such as ";", WorxWeb opens a Google search or an error
message appears. [CXM-14997]
In WorxMail for iOS, the Sync to local contacts option does not work correctly on the device when users change the
option from On to Off. [CXM-15375]
On WorxWeb for iOS, contact pages on certain websites sometimes don't load. [#635994]
If a user's outbox includes a large attachment because it exceeds the Exchange server limit for outbound attachments,
WorxMail for Android uses a large amount of cellular data over a short period of time. [#644054]
Related information
XenMobile Support Knowledge Center
System requirements for XenMobile Apps
Nov 06, 2017
To run XenMobile Apps, you need the following system requirements.
To run Secure Hub, you need devices running operating systems that XenMobile supports in XenMobile Enterprise and
MDM-only modes. For details, see Supported device operating systems.
ScanDirect requires a ShareFile account. It is compatible with iOS versions 9 and later. ScanDirect currently is not supported
for Android.
The Secure Forms Composer, available at secureforms.citrix.com, is supported on Chrome browsers only, for both Mac and
PC. Chrome on iPad is not supported.
The mobile app is supported only on iPhones and iPads running iOS versions 9 to 9.3.
Note: End of Life (EOL) lifecycle date for Secure Forms: December 31, 2017. When a product release reaches EOL, you can
use the product within the terms of your product licensing agreement, but the available support options are limited.
Historical information appears in the Knowledge Center or other online resources. The documentation is no longer updated
and is provided on an as-is basis. For more information about product lifecycle milestones, see the Product Matrix.
Customers are encouraged to transition to the ShareFile Workflows for XenMobile Apps included with ShareFile Platinum
and Premium accounts.
Secure Mail is supported for any device that runs one of the following operating systems:
iOS: 9, 10, 11
Android: 5.x, 6.x, 7.x, and 8.0. Android 4.2, 4.3, and 4.4.x are not supported.
Citrix has tested Secure Mail on the following devices. Not all supported devices are listed.
Google Pixel
iPhone 5 - iPhone 8
iPad 3, iPad fourth generation
iPad Air 1 and 2
iPad mini 3 (touch ID)
iPad Pro
Nexus
Samsung Note
Samsung Galaxy S series
Samsung Galaxy Tab
Samsung Tablet SM-T311
HTC One
Motorola Nexus
Huawei Honor 7 and Nexus 6P
XenMobile currently doesn’t support NetScaler 12.0.41.16 due to an issue with Secure Ticket Authority (STA) and Secure
Mail. The issue is fixed in NetScaler 12.0 build 41.22. For details and updates, see this Support Knowledge Center article.
Secure Mail is compatible with:
Exchange Server 2016 Cumulative Update 4
Microsoft Office 365 (Exchange Online)
Support for Exchange Server 2016 only supports calendar attachments as a feature of ActiveSync 16. Secure Mail will
continue to make use of ActiveSync 14.1 features and functionality when syncing mail and contacts with Exchange
Server 2016.
Exchange Server 2013 Cumulative Update 15
Exchange Server 2010 SP3 Update Rollup 16
IBM Domino Mail Server version 9.0.1 FP4
IBM Lotus Notes Traveler version 9.0.1.9
As of Secure Mail 10.5, Exchange 2007 and Lotus Notes 8.5.3 will not be supported for new features. Existing features and
functionality introduced in versions prior to 10.5 will continue to be supported on all versions until the End of Support and
End of Life dates below:
| | No support for new features | End of support | End of Life |
|---|---|---|---|
| Lotus Notes 8.5.3 | 10.5 and later | September 30, 2017 | September 30, 2017 |
| Exchange 2007 | 10.5 and later | March 31, 2017 | June 30, 2017 |
For the best performance when sending ShareFile attachments, the latest versions of ShareFile are recommended.
ShareFile is not supported for Windows.
In IBM Notes environments, you must configure IBM Domino Traveler server, version 9.0. For details, see Configuring Notes
Traveler Server for Secure Mail.
Secure Notes is supported on any device that runs one of the following operating systems:
iOS: 9 and 10
Android: Any phone with versions 5.x, 6.x, 7, or 8 that has Secure Mail installed.
Note: Secure Notes is not currently supported for Android tablets.
Citrix has tested Secure Notes on the following devices. Not all supported devices are listed.
iPhone 4 – iPhone 6 Plus
iPad 2 – iPad Air 2
iPad mini – iPad mini 3
Nexus phone
Samsung Galaxy phone
HTC One phone
Secure Notes can sync notes with the following compatible services:
ShareFile
Exchange Server 2013 SP1
Exchange Server 2013
Exchange Server 2010 SP3
Exchange Server 2010 SP2
Secure Notes is not compatible with Lotus Notes.
Secure Tasks requires Microsoft Exchange Server versions 2007, 2010, or 2013, and is supported for any device that runs
one of the following operating systems:
iOS: 9-10
Note: Secure Tasks is not supported on iPad.
Android: 5.x, 6.x, 7, or 8
In Android, a valid Secure Mail account, 10.0.7 or higher, is required. Secure Tasks accesses flagged mail from the Secure Mail
database, so Citrix strongly recommends rolling out Secure Tasks together with Secure Mail to avoid potential conflicts. If
users have an earlier version of Secure Mail, they will follow in-app instructions for upgrading and resetting their accounts.
Secure Tasks is not compatible with Lotus Notes.
Citrix has tested Secure Tasks on the following devices. Not all supported devices are listed.
iPhone 5 – iPhone 6 Plus
Nexus
Samsung Note
Samsung Galaxy
Samsung Galaxy Tab
HTC One
Secure Web is supported for any device that runs one of the following operating systems:
iOS: 9, 10, and 11
Android: 5.x, 6.x, 7, and 8. Devices should have the latest version of Android WebView installed; users can download Android
WebView from the Google Play Store.
Citrix has tested Secure Web on the following devices. Not all supported devices are listed.
Google Pixel
iPhone 5 - iPhone 6 Plus
iPhone 7
iPad Pro
iPad 3
iPad Air 1 and 2
iPad mini 3 (touch ID)
Nexus
Samsung Note
Samsung Galaxy
Samsung Galaxy Tab
HTC One
Motorola
Device operating system
Android 5.x or later
iOS 10 or later
File types
Microsoft Word – .doc, .docx, .docm*
Microsoft Excel – .xls, .xlsx, .xlsm*
Microsoft PowerPoint – .ppt, .pptx, .pptm*
.csv, .txt, .rtf
.jpeg, .gif, .png, .svg, .bmp, .ico, .webp
* These files are opened, but macros are disabled.
Citrix has tested QuickEdit on the following devices. Not all supported devices may be listed.
iPhone 4 – iPhone 7 Plus
iPad 2 – iPad Air 2
iPad mini – iPad mini 3
Nexus
Samsung Note
Samsung Galaxy
Samsung Galaxy Tab
LG G
HTC One
Google Pixel (phone and tablet)
Host computer operating systems: Windows 7 (minimum version)
Supported iOS devices: iPad 2 – iPad Air 2 with iOS versions 7.0 – 9.0
Supported Android devices:
Any tablet with a screen 7 inches or larger running Android versions 4.1.x, 4.4.x, 5.x, and 6.x
Any phone using Android version 4.1.x, 4.4.x, 5.x, and 6.x
Android 4.1.x is supported in MDM mode only.
Android 4.2 and 4.3 are not supported.
Device operating system:
Android 5.x or later
iOS 10 or later
Citrix has tested ShareFile on the following devices. Not all supported devices may be listed.
iPhone 5 – iPhone 7 Plus
iPad 4th Gen – iPad Pro 12”
Nexus phones
Nexus tablets
Samsung Note
Samsung Galaxy
Samsung Galaxy Tab
LG G
HTC One
Google Pixel (phone)
iOS 9.0 or later (iPhone, iPad, iPod Touch)
Android 4.4 or later
Supported device operating systems
Apr 04, 2017
You can find the list of device operating systems that XenMobile 10.x supports for enterprise mobility management in
Supported device operating systems.
XenMobile Apps features by platform
Oct 11, 2017
The following tables summarize features for each XenMobile app. X indicates the feature is available for that platform. For
features in QuickEdit, see the Citrix QuickEdit for XenMobile article. For features in the most recent releases, see What's
New in XenMobile Apps.
| Citrix Secure Hub | iOS | Android |
|---|---|---|
| Sign on to authenticate | X | X |
| Monitor policy adherence | X | X |
| Access apps and desktops | X | X |
| HDX apps and desktops | X | X |
| Create and send issue logs | X | X |
| Attach screenshots to logs | X | X |
| Contact help desk within app | X | X |
| Contact Citrix support within app | X | X |
| Crash collection and analysis | X | X |
| Offline authentication | X | X |
| Send logs with Citrix Secure Mail | X | X |
| Google Analytics | X | X |
| Portrait and landscape mode | X | X |
| In-app guide for trusting apps | X | X |
| When enrolled with email, automatic enrollment in Secure Mail (MAM only) | X | X |
Citrix Secure Hub
Touch ID offline authentication
iOS
X
Enroll with derived credentials
X
Android
X
X
BioMetric Authentication
X
Citrix Secure Mail
| Email Productivity | iOS | Android |
|---|---|---|
| Send, receive, reply, reply all, forward mail | X | X |
| Create, edit, delete drafts | X | X |
| Flag mail | X | X |
| Mark as unread | X | X |
| View all folders and subfolders | X | X |
| Auto-save drafts when app put in background | X | X |
| Email-to-note with Citrix Secure Notes | X | X |
| Search mail (local and server) | X | X |
| Select mail sync period (up to 1 month or All mails) | X | X |
| View unread mail | X | X |
X
X
X
X
Secure attachment viewing/playing of images, video,
and audio
Multiple attachments
Reply and forward attachments
X
Citrix Secure Mail
iOS
Attach files from ShareFile
X
Android
X
X
X
X
Attachment repository
X
X
Rich text editing
X
X
Mail notification with subject, preview on lock screen
X
X
Attach files from ShareFile Restricted Zones and
connectors
Reply to and delete mail and invitations from
notification screen
X
Attach or take photo
X
X
Select multiple messages
X
X
Download attachments
X
X
Load images inline
X
X
Fast sort
X
X
Send, receive, open, and save .zip file attachments
X
X
X
X
Portrait and landscape modes
Across mail list, mail read, compose, calendar,
For mail read and
and contacts views
compose views only
Pasted text maintains formatting
X
X
SMS from contacts
X
X
FaceTime from contacts
X
Messages unsent due to connectivity issues or full
mailbox stored in Outbox
X
X
Recent folders bubble up
X
Citrix Secure Mail
iOS
Android
Pull-down mail refresh
X
X
Last-refresh time stamp
X
X
Left-swipe for message actions
X
X
Microsoft Exchange and IBM Notes Traveler support
X
X
Tap to refresh mail, calendar, and contacts
X
X
X
X
S/MIME signing and encryption
X
X
S/MIME cert import by email
X
X
S/MIME, Intercede integration
X
S/MIME, Entrust integration
X
Microsoft IRM protection for message body
X
Push notifications
X
Honor device accessibility/font-size settings in mail
views
Push notifications to Inbox automatically update all
folders, including calendar
X
X
Open Office 365 documents
X
3D Touch actions
X
Contextual icons on lock screen
X
X
Search folders
X
X
VIP mail folder
X
X
X
Dynamic Type support
Citrix Secure Mail
iOS
X
Android
X
Maintain expanded folders
X
X
Message classification markers
X
X
Spell check
X
Attach last photo taken
X
X
URL preview
X
X
Open ShareFile links in ShareFile
X
X
Support for .pass files
X
Select multiple emails in search mode
X
X
Insert images inline
X
X
Upgrade to Exchange ActiveSync (EAS) version 16
X
X
Restrict users from using unknown or personal
domains
X
Support super-wide device screens
X
Configure multiple Exchange accounts
X
X
Swipe left or right for more actions
X
X
Encrypt replies to or forwards of encrypted mails
X
Calendar
iOS
Day, week, month, and agenda views
Android
X
X
Detailed reminders on lock screen
Calendar
iOS
X
Android
X
Sync for six months
X
X
Set events as private
X
X
Scroll to hour before first event
X
Manual refresh options
X
X
Set reminders
X
X
Tap to map address
X
X
Week numbers
X
X
Dynamic Type support
X
X
Security classification markers
X
X
Long taps on addresses
X
Set workweek start day
X
Focus view on week of selected date
X
Current date always highlighted
X
X
Calendar attachments from attachment repository
X
X
Personal calendar support
X
X
X
Display conflicts with personal calendar events
Meetings
X
iOS
Android
Reply, reply all, forward meetings
Meetings
X
iOS
X
Android
Organizer view of invite responses
X
X
Organizer view of invitees' availability with suggested availability
X
X
X
X
Tap to join audio conferences
X
X
Schedule online meeting, audio, conference in new invite
X
X
Add ShareFile links to new invites
X
X
Forward invites with attachments
X
X
Tap to send "running late" email
X
X
Tap to reply to meeting organizer
X
X
Tap to reply to all meeting invites
X
X
Tap to reply to all meeting invitees
X
X
Tap to reply to all meeting invitees with attachments
X
X
Dial in to GoToMeeting
X
X
Respond to invite from lock screen or notification screen
X
X
Dial in to WebEx or Lync meetings
X
X
Hide declined events
X
X
Display more than 3 simultaneous events
X
X
Quick view of invitee status
X
X
Tap to join online meetings
Note: For WebEx and Lync, App Controller must be configured to allow these apps.
| Meetings | iOS | Android |
|---|---|---|
| Delete, reply, reply all, add comments on canceled events | X | X |
| Show organizer name on forwarded invites | X | X |
| Shared devices | X | X |
| Join Skype for Business meetings | X | X |
Contacts
iOS
Android
Detailed contact information GAL search
X
X
Export and sync Secure Mail contacts to local contacts
X
X
Contacts: Favorite and Category
X
Control which contact fields get exported
X
X
Non-Secure Mail contact details
X
X
Dynamic Type support
X
X
Mark contacts as VIPs
X
X
Share contacts with .vcards
X
X
View contacts with long press
X
Export contacts even if native mail account exists
X
View folders and subfolders
X
Settings configured on the device
iOS
X
Android
iMessage support
Settings configured on the device
iOS
X
Android
Advanced options to control notifications
X
X
Lock-screen notification control
X
X
Mail and calendar notifications sounds
X
X
Auto refresh folders
X
X
Set internal and external out-of-office notifications
X
X
Ask before deleting
X
X
Threaded conversation or chronological views
X
X
Load attachments on WiFi
X
X
Make load attachments on WiFi default
X
X
Set sync mail period
X
X
Unlimited sync/sync all mail
X
Set email signature
X
X
List contacts by first name or last name
X
X
Auto advance
X
Use home time zone
X
Quick-response templates
X
Push mail configuration frequency
X
Export/import settings
X
X
| Secure Web | iOS | Android |
|---|---|---|
| Download files | X | X |
| Add favorites | X | X |
| Clear saved user names and passwords | X | X |
| Delete cache/history/cookies | X | X |
| Block pop-ups | X | X |
| Save offline pages | X | X |
| Search in address bar | X | X |
| Open downloaded items from notifications | X | X |
| Passwords auto-saved | X | X |
| Enterprise proxies | X | X |
| URL black and white lists | X | X |
| History | X | X |
| Default homepage | X | X |
| Tabs | X | X |
| Push bookmarks | X | X |
Proxy support
Screen capture block
X
Secure Web
iOS
Android
Search in current page
X
3D Touch actions
X
Shared devices
X
File tampering protection with shared devices
X
Export/import settings
X
X
Portrait and landscape mode
X
X
X
X
Citrix Secure Notes
iOS
Android
Create notes with text, image, or audio
X
X
Link to Microsoft Exchange
X
X
Link to ShareFile
X
X
Web-based access
X
X
ShareFile StorageZones support
X
Tag, sort and search notes
X
X
Organize notes into notebooks
X
X
Send notes to Secure Mail contacts
X
X
Upload notes to ShareFile
X
X
Format and spellcheck text
X
X
Map location when creating note
X
X
Set reminders
X
X
Move notes between notebooks
X
X
Mark notes as favorites
X
X
Auto-save notes
X
X
Portrait and landscape mode
X
X
| Citrix Secure Tasks | iOS | Android |
|---|---|---|
| Create tasks | X | X |
| Sync flagged mail from Outlook | X | X* |
| Sync tasks from Outlook | X | X* |
| Sync categories from Outlook | X | X* |
| Categorize tasks | X | X |
| Prioritize tasks | X | X |
| Sort by due date | X | X |
| Filter by category | X | X |
| Search tasks | X | X |
| Set due dates | X | X |
| Set repeating tasks | X | X |
| Reply to/forward flagged mail | X | X |
| Set reminders | X | X |
| View tasks offline | X | X |
Portrait and landscape mode
X
X
Portrait only (phone)
Portrait only (phone)
Not supported (tablet)
Not supported (tablet)
* Requires valid Secure Mail account
Citrix ShareConnect for XenMobile
iOS
Android
Restricted ports
X
Require passwords each time (optional)
X
X
Cache previewed files
X
X
Add host computers
X
X
Access and edit files
X
X
Access and run applications
X
X
Access networked drives
X
X
Compatible with Citrix XI Mouse
X
X
Apps displayed in dock
X
X
View files on phone
X
Non-SSO support
X
X
Switch between apps
X
Access app menus
X
Portrait and landscape mode
X
Citrix Secure Forms
Composer (Chrome browser)
Create customized forms
X
Add text, number, photo, audio and video input fields
X
X
iPhone
iPad
Add bar code fields
Citrix Secure Forms
X
Composer (Chrome browser)
Add dropdown menus and checkboxes
X
Add drawing fields
X
Collect forms and attachments in ShareFile
X
Collect forms and attachments by email
X
Collect forms and attachments by web service
X
Auto-fill data with beacons
X
Creator's name on forms
X
Submitted forms include user's name and timestamp
X
iPhone
iPad
Complete and submit forms on device
X
X
Forms automatically saved
X
X
Take and attach photos
X
X
Complete forms offline
X
X
Upload on Wi-Fi only
X
X
Electronic signature
X
X
Access through Secure Hub
X
X
Access with single sign-on
X
X
Portrait and landscape mode
X
X
Draw with finger and save drawing
X
X
| Citrix Secure Forms | Composer (Chrome browser) | iPhone | iPad |
|---|---|---|---|
| Enter negative numbers onto forms | | X | X |
XenMobile compatibility
Apr 06, 2017
For a summary of the XenMobile components that you can integrate, see XenMobile compatibility.
Citrix Secure Hub
Oct 12, 2017
Citrix Secure Hub is the launchpad for the Citrix XenMobile experience. Users enroll their devices in Secure Hub to gain
access to the Store. From the store, they can add Citrix-developed apps (Secure Forms, Secure Mail, Secure Notes, Secure
Web, Secure Tasks, QuickEdit, and ShareFile) and third-party apps.
You can download Secure Hub and other XenMobile components from the XenMobile downloads page.
For Secure Hub and other XenMobile App system requirements, see System requirements for XenMobile Apps.
You perform most of the administration tasks related to Secure Hub during the initial configuration of XenMobile. To make
Secure Hub available to users, follow these guidelines:
For iOS and Android: Unlike other Citrix apps, do not wrap Secure Hub or add it to XenMobile. Instead, upload Secure Hub
to the iOS App Store and the Google Play Store.
For Windows Phone: Wrap Secure Hub for Windows Phone and add the app to XenMobile.
Use the MDX Toolkit for Windows Phone to re-sign and wrap Secure Hub so that Windows Phone users can access the
company application store published by XenMobile. XenMobile then deploys Secure Hub to Windows Phone devices
after users complete enrollment.
In addition to providing a portal for Citrix apps, Secure Hub refreshes most MDX policies stored in the XenMobile Server for
the installed apps when a user's NetScaler Gateway session renews after authentication using NetScaler Gateway.
Important
Changes to any of the following policies require that a user delete and reinstall the app to apply the updated policy: Security Group,
Enable encryption, and Secure Mail Exchange Server.
You can configure Secure Hub to use the Citrix PIN, a security feature enabled in the XenMobile console in Settings >
Client Properties. The setting requires enrolled mobile device users to sign on to Secure Hub and activate any MDX
wrapped apps by using a personal identification number (PIN).
The Citrix PIN feature simplifies the user authentication experience when logging on to the secured wrapped apps, keeping
users from having to repeatedly enter another credential like their Active Directory user name and password.
Users who sign on to Secure Hub for the first time must enter their Active Directory user name and password. During sign-on, Secure Hub saves the Active Directory credentials or a client certificate on the user device and then prompts the user to
enter a PIN. When users sign on again, they enter the PIN to access their Citrix apps and the Store securely, until the next
idle timeout period ends for the active user session. Related client properties enable you to encrypt secrets using the PIN,
specify the passcode type for the PIN, and specify PIN strength and length requirements. For details, see Client properties.
When fingerprint authentication is enabled, users can sign on by using a fingerprint when offline authentication is required
because of app inactivity. Users still have to enter a PIN when signing on to Secure Hub for the first time, restarting the
device, and after the inactivity timer expires. Fingerprint authentication is supported for iOS 9 and iOS 10.3 devices and
some Android devices. For information about enabling fingerprint authentication, see the ENABLE_TOUCH_ID_AUTH
setting in Client properties.
Secure Hub for iOS and Android supports SSL certificate pinning. This feature ensures that the certificate signed by your
enterprise is used when Citrix clients communicate with XenMobile, thus preventing connections from clients to XenMobile
when installation of a root certificate on the device compromises the SSL session. When Secure Hub detects any changes
to the server public key, Secure Hub denies the connection.
As of Android N, the operating system no longer allows user-added certificate authorities (CAs). Citrix recommends using a
public root CA in place of a user-added CA.
Users upgrading to Android N may experience problems if they use private or self-signed CAs. Connections on Android N
devices break under the following scenarios:
Private/self-signed CAs and the Required Trusted CA for XenMobile option on XenMobile AutoDiscovery Service is set to
ON.
Private/self-signed CAs and the AutoDiscovery Service (ADS) is not reachable. Due to security concerns, when ADS is not
reachable, Required Trusted CA turns ON even if it was set to OFF initially.
Before you enroll devices or upgrade Secure Hub, consider whether you want to enable certificate pinning, which is off by
default and managed by the XenMobile Auto Discovery Service (ADS).
To use certificate pinning, request that Citrix upload certificates to the Citrix ADS server. Open a technical support case
using the Citrix Support portal and then provide the following information:
The domain containing the accounts with which users will enroll.
The XenMobile Server fully qualified domain name (FQDN).
The XenMobile instance name. By default, the instance name is zdm and is case-sensitive.
User ID Type, which can be either UPN or Email. By default, the type is UPN.
The port used for iOS enrollment if you changed the port number from the default port 8443.
The port through which the XenMobile Server accepts connections if you changed the port number from the default
port 443.
The full URL of your NetScaler Gateway.
Optionally, an email address for your XenMobile administrator.
The PEM-formatted certificates you want added to the domain.
How to handle any existing server certificates: Whether to remove the old server certificate immediately (because it is
compromised) or to continue to support the old server certificate until it expires.
Your technical support case is updated when your details and certificate have been added to the Citrix servers.
You can configure NetScaler so that Secure Hub authenticates using a certificate plus a security token that serves as a
one-time password. This configuration provides a strong security option that doesn't leave an Active Directory footprint on
devices.
To enable Secure Hub to use this type of authentication, add a rewrite action and a rewrite policy in NetScaler that inserts
a custom response header of the form X-Citrix-AM-GatewayAuthType: CertAndRSA to indicate the NetScaler
Gateway logon type.
Ordinarily, Secure Hub uses the NetScaler Gateway logon type configured in the XenMobile console. However, this
information isn't available to Secure Hub until Secure Hub completes logon for the first time, so the custom header is
required to allow Secure Hub to do this.
Note: If different logon types are set in XenMobile and NetScaler, the NetScaler configuration overrides the XenMobile
configuration. For details, see NetScaler Gateway and XenMobile.
1. In NetScaler, navigate to Configuration > AppExpert > Rewrite > Actions.
2. Click Add.
The Create Rewrite Action screen appears.
3. Fill in each field as shown in the following figure and then click Create.
The following result appears on the main Rewrite Actions screen.
4. Bind the rewrite action to the virtual server as a rewrite policy. Go to Configuration > NetScaler Gateway > Virtual
Servers and then select your virtual server.
5. Click Edit.
6. On the Virtual Servers configuration screen, scroll down to Policies.
7. Click + to add a policy.
8. In the Choose Policy field, choose Rewrite.
9. In the Choose Type field, choose Response.
10. Click Continue.
The Policy Binding section expands.
11. Click Select Policy.
A screen with available policies appears.
12. Click the row of the policy you just created and then click Select. The Policy Binding screen appears again, with your
selected policy filled in.
13. Click Bind.
If the bind is successful, the main configuration screen appears with the completed rewrite policy shown.
14. To view the policy details, click Rewrite Policy.
Port configuration ensures that Android devices connecting from Secure Hub can access the Citrix ADS from within the
corporate network. The ability to access ADS is important when downloading security updates made available through
ADS. ADS connections might not be compatible with your proxy server. In this scenario, allow the ADS connection to bypass
the proxy server.
Important: Secure Hub version 10.2 and later require you to allow Android devices to access ADS. For details, see Port
requirements in the XenMobile documentation. Note that this communication is on outbound port 443. It's highly likely
that your existing environment is designed to allow this access. Customers who cannot guarantee this communication are
strongly discouraged from upgrading to Secure Hub 10.2. If you have any questions, please contact Citrix support.
Customers interested in enabling certificate pinning must complete the following prerequisites:
Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be public
certificates, not private keys.
Contact Citrix support and place a request to enable certificate pinning. During this process, you are asked for your
certificates.
The new certificate pinning improvements require that devices connect to ADS before the device enrolls. This ensures that
the latest security information is available to Secure Hub for the environment in which the device is enrolling. If devices
cannot reach ADS, Secure Hub does not allow enrollment of the device. Therefore, opening up ADS access within the
internal network is critical to enable devices to enroll.
To allow access to the ADS for Secure Hub 10.2 for Android, open port 443 for the following IP addresses and FQDN:
FQDN | IP address | Port | IP and port usage
discovery.mdm.zenprise.com | 52.5.138.94 | 443 | Secure Hub - ADS Communication
discovery.mdm.zenprise.com | 52.1.30.122 | 443 | Secure Hub - ADS Communication
ads.xm.cloud.com* | 34.194.83.188 | 443 | Secure Hub - ADS Communication
ads.xm.cloud.com* | 34.193.202.23 | 443 | Secure Hub - ADS Communication
* Secure Hub version 10.6.15 and later uses ads.xm.cloud.com.
If certificate pinning is enabled:
Secure Hub pins your enterprise certificate during device enrollment.
During an upgrade, Secure Hub discards any currently pinned certificate and then pins the server certificate on the first
connection for enrolled users.
Note: If you enable certificate pinning after an upgrade, users must enroll again.
Certificate renewal does not require reenrollment, provided that the certificate public key did not change.
Certificate pinning supports leaf certificates, not intermediate or issuer certificates. Certificate pinning applies to Citrix
servers, such as XenMobile and NetScaler Gateway, and not third-party servers.
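Because the pin follows the server public key, a renewed leaf certificate can be checked against the current one before it is deployed or sent to Citrix. The following is an added example, not Citrix code: it compares a SHA-256 digest of each certificate's subjectPublicKeyInfo (this example's comparison method, not a documented Secure Hub pin format), assumes the leaf is the first certificate in each PEM file, and uses constructed, unsigned certificate-shaped inputs so that it runs offline.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def spki_sha256(cert_der):
    """Hex SHA-256 of the subjectPublicKeyInfo element of an X.509 certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _field in range(5):                  # serial, sigAlg, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    tag, _, end = read_tlv(cert_der, pos)    # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("unexpected certificate layout")
    return hashlib.sha256(cert_der[pos:end]).hexdigest()


def certs_from_pem(text):
    """DER bytes of each CERTIFICATE block; refuses a file that holds a private key."""
    ders = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            raise ValueError("file contains a private key; submit certificates only")
        if label == "CERTIFICATE":
            ders.append(base64.b64decode("".join(body.split())))
    if not ders:
        raise ValueError("no certificate found")
    return ders


def renewal_keeps_pin(current_pem, renewed_pem):
    """True when the renewed leaf carries the same public key as the current leaf."""
    current = spki_sha256(certs_from_pem(current_pem)[0])
    renewed = spki_sha256(certs_from_pem(renewed_pem)[0])
    return current == renewed


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed samples below."""
    size = len(content)
    if size < 0x80:
        return bytes([tag, size]) + content
    size_bytes = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size_bytes)]) + size_bytes + content


def constructed_cert_pem(serial, key_bytes):
    """Unsigned, certificate-shaped DER with empty names; not a real certificate."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))
                     + der_encode(0x05, b""))
    name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"170101000000Z")
                          + der_encode(0x17, b"180101000000Z"))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))
                     + der_encode(0x02, bytes([serial]))
                     + alg + name + validity + name + spki)
    cert = der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 33))
    body = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed inputs: same key with a new serial (renewal) and a different key (re-key).
CURRENT_PEM = constructed_cert_pem(1, bytes(range(200)))
RENEWED_PEM = constructed_cert_pem(2, bytes(range(200)))
REKEYED_PEM = constructed_cert_pem(3, bytes(range(55, 255)))
```

With real files, pass the text of the current and renewed leaf certificates to renewal_keeps_pin; a False result means the public key changed.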
The following XenMobile articles include other information about requirements and configuration related to Secure Hub:
XenMobile Port requirements
XenMobile preinstallation checklist
NetScaler Gateway and XenMobile
Creating and updating notification templates
XenMobile Store and Citrix Secure Hub branding
Android at Work
Citrix Launcher
Secure Hub allows you to monitor and enforce mobile policies while providing access to the Store and live support. Users
begin by downloading Secure Hub onto their devices from the Apple, Android, or Windows app store.
The following figure shows what users see when first opening Secure Hub and signing on. The figure shows what appears
for each option on the main screen, such as My Apps, Store, Preferences, and Help. For a PDF version of this figure,
download the Secure Hub Quick Reference Guide.
When Secure Hub opens, users enter the credentials provided by their companies to enroll their devices in Secure Hub. For
more details about device enrollment, see Enroll devices.
Once enrolled, users see any apps and desktops that you've pushed in their My Apps tab. Users can add more apps from the
Store. On phones, the Store link is under the Settings hamburger icon in the upper left-hand corner.
On tablets, the Store is a separate tab.
When users with iPhones running iOS 9 or later install XenMobile Apps from the XenMobile Store, they see a message
stating that the enterprise developer, Citrix, is not trusted on that iPhone and the app will not be available for use until the
developer is trusted. When this message appears, Secure Hub prompts users to view a guide that coaches them through
the process of trusting Citrix enterprise apps for their iPhone.
For wrapped XenMobile Apps for iOS 9 and iOS 10, Secure Hub and the Worx Apps SDK work together to track the
installed app list. Secure Hub displays apps in the My Apps view using this tracking list. To accommodate this app tracking
method:
In the My Apps view, newly installed apps appear with a blue dot next to them. This blue dot disappears the first time
the app opens successfully.
If users attempt to open an app that has not finished installing or is updating, they see a message instructing them to
try again.
If users attempt to open an app that has been deleted, they see a message instructing them to tap More to remove
the app from Secure Hub or install it from the Store.
If a user deletes a required app from the device home screen, the user must go to the Store to install the app again. The
app is not installed again during the next online authorization or store refresh.
For MAM-only deployments, you can configure XenMobile so that users with Android or iOS devices who enroll in Secure
Hub using email credentials are automatically enrolled in Secure Mail. Users do not have to enter more information or take
more steps to enroll in Secure Mail.
On first-time use of Secure Mail, Secure Mail obtains the user's email address, domain, and user ID from Secure Hub. Secure
Mail uses the email address for autodiscovery. The Exchange server is identified using the domain and user ID, which enables
Secure Mail to authenticate the user automatically. The user is prompted to enter a password if the policy is set to not
pass through the password, but the user is not required to enter any more information.
To enable this feature, create three properties:
The server property MAM_MACRO_SUPPORT. For instructions, see Server properties.
The client properties ENABLE_CREDENTIAL_STORE and SEND_LDAP_ATTRIBUTES. For instructions, see Client
properties.
If you want to customize your Store, go to Settings > Client Branding to change the name, add a logo, and specify how
apps appear.
You can edit app descriptions in the XenMobile console. Click Configure, then click Apps. Select the app from the table and
click Edit. Select the platforms for the app with the description you're editing and then type the text in the Description
box.
In the Store, users can browse only those apps and desktops that you've configured and secured in XenMobile. To add the
app, users tap Details and then tap Add.
Secure Hub also offers users a variety of ways to get help. On tablets, tapping the question mark in the upper-right corner
opens help options. On phones, users tap the hamburger menu icon in the upper-left corner and then tap Help.
Your IT Department shows the telephone and email of your company help desk, which users can access directly from the
app. You enter phone numbers and email addresses in the XenMobile console. Click the gear icon in the upper-right corner.
The Settings page appears. Click More and then click Client Support. The screen where you enter the information
appears.
Report Issue shows a list of apps. Users select the app that has the issue. Secure Hub automatically generates logs and
then opens a message in Secure Mail with the logs attached as a zip file. Users add subject lines and descriptions of the
issue. They can also attach a screenshot.
Note
On iOS devices, Secure Hub automatically uses native email clients to send logs. Secure Hub does not allow users to send logs as
email attachments using Secure Mail. This is a third-party issue. As a workaround, you can configure XenMobile 10.3 to send logs to
the server automatically. Go to Settings > Client Support > Send logs to IT help desk and select directly.
Send Feedback to Citrix opens a message in Secure Mail with a Citrix support address filled in. In the body of the
message, the user can enter suggestions for improving Secure Mail. If Secure Mail isn't installed on the device, the native
mail program opens.
Users can also tap Citrix Support, which opens the Citrix Knowledge Center. From there, they can search support articles
for all Citrix products.
In Preferences, users can find information about their accounts and devices.
Secure Hub also provides geo-location and geo-tracking policies if, for example, you want to ensure that a corporate-owned device does not breach a certain geographic perimeter. For details, see Location device policies. Additionally, Secure
Hub automatically collects and analyzes failure information so you can see what led to a particular failure. This function is
supported by the software Crashlytics.
You can configure XenMobile to enroll users automatically in Secure Mail when they enroll in Secure Hub. This means users
do not have to enter additional information or take additional steps to enroll in Secure Mail.
This single sign-on (SSO) feature is available only for App Store versions of the apps, not enterprise versions, so that both
Secure Hub and Secure Mail are signed with the same certificate.
For users who enroll in Secure Hub with email credentials, this feature requires that autodiscovery is enabled. If
autodiscovery is not enabled, you can enable this feature for the following enrollment methods:
The XenMobile Server address is passed to Secure Mail from Secure Hub. Users enter the XenMobile Server address when
enrolling in Secure Hub.
To enable the automatic enrollment in Secure Mail, set these XenMobile client properties to true:
ENABLE_PASSCODE_AUTH
ENABLE_PASSWORD_CACHING
ENABLE_CREDENTIAL_STORE
Add this XenMobile client property:
Display name: SEND_LDAP_ATTRIBUTES
Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}
Add this XenMobile server property:
MAM_MACRO_SUPPORT set to true
Configure these Secure Mail properties:
Set Initial Authentication Mechanism to User email address
Set Initial Authentication Credentials to userPrincipalName
Samsung KNOX Bulk Enrollment
Oct 11, 2017
To enroll multiple Samsung KNOX devices into XenMobile (or any Mobile Device Manager) without manually configuring
each device, use KNOX Mobile Enrollment. The enrollment occurs upon first-time use or after a factory reset.
Note
The setup for KNOX Mobile Enrollment is not related to the XenMobile KNOX container.
Samsung devices running KNOX 2.4 or later
Some devices lacking a device root key (DRK) support Mobile Enrollment with the KNOX 2.4.1 binary. For a list of
supported devices, see KNOX Mobile Enrollment. Samsung must whitelist the devices to be enrolled.
When you add devices to the KNOX portal, you enter device IMEIs or serial numbers. The only way to bulk enroll is to:
Purchase devices from a list of approved Samsung resellers, or
Purchase devices from resellers willing to share the IMEIs directly with Samsung. A list of resellers for your country can
be obtained from KNOX customer support.
For details on device verification requirements, contact KNOX Support.
KNOX partner account
You must have permission to access the KNOX Mobile Enrollment features.
XenMobile server must be configured (including licenses and certificates) and running.
Secure Hub APK file. You will upload the file when setting up KNOX Mobile Enrollment.
To download the Secure Hub APK file:
1. Log in to the Citrix download site and go to the XenMobile downloads.
2. Go to XenMobile Apps and MDX Toolkit and choose your edition.
3. Download the Citrix Secure Hub for Android file.
Configure Firewall Exceptions
To access Knox Mobile Enrollment, configure the following firewall exceptions. Some of these firewall exceptions are
required for all devices and some are specific to the device's geographical region.
Device's region | URI | Port | Destination
All | https://gslb.secb2b.com | 443 | Global load balancer for Knox Mobile Enrollment initiation
All | http://gslb.secb2b.com | 80 | Global load balancer for Knox Mobile Enrollment initiation on some limited legacy devices
All | umc-cdn.secb2b.com | 443 | Samsung agent update servers
All | bulkenrollment.s3.amazonaws.com | 80 | Knox Mobile Enrollment customer EULAs
All | eula.secb2b.com | 443 | Knox Mobile Enrollment customer EULAs
All | us-be-api-mssl.samsungknox.com | 443 | Samsung servers for IMEI verification
United States | https://us-segd-api.secb2b.com | 443 | Samsung Enterprise Gateway for US region
Europe | https://eu-segd-api.secb2b.com | 443 | Samsung Enterprise Gateway for European region
China | https://china-segd-api.secb2b.com | 443 | Samsung Enterprise Gateway for China region
If you have a KNOX web portal account
1. Log on to the KNOX web portal and go to your Samsung KNOX Dashboard.
2. Under KNOX Mobile Enrollment, click Get Started.
3. Fill out the applicable fields and then click Apply.
After Samsung approves your application, you will receive a welcome email with instructions on how to start using the
KNOX Mobile Enrollment tool. For a faster approval process, provide any essential information, including contact details for
your reseller, Samsung sales representative, or any other information that will assist in your approval.
If you don't have a KNOX web portal account
1. On the KNOX Mobile Enrollment page, click Get Started.
2. Fill out the required fields.
3. You will receive an email to confirm your registration with the KNOX portal. Click Complete Registration to continue.
4. Enter and confirm your KNOX web portal password.
5. In your Samsung KNOX Dashboard, under KNOX Bulk Enrollment Program, click Launch KNOX Mobile Enrollment.
6. For faster approval, please provide any essential information; this includes contact details for your reseller, Samsung sales
representative, or any other information that will assist in your approval.
After you get access to KNOX Mobile Enrollment, go to the KNOX portal and click Launch Mobile Enrollment.
If Samsung cannot authorize the account to use Bulk Enrollment, you will see this screen:
The enrollment process then follows these general steps, described in detail in the following sub-sections.
1. Create an MDM profile with your MDM console information and settings.
The MDM profile tells your devices how to connect to your MDM.
2. Add devices to your MDM profile.
You can either upload a CSV file with device information or scan the devices with the Mobile Enrollment app from
Google Play.
3. Samsung will let you know when device ownership is verified.
4. Provide users with MDM credentials. Instruct them to connect to the Internet using WiFi and to accept the prompt to
enroll their device.
You must create an MDM profile that defines the XenMobile server to use. Create one profile per XenMobile server.
1. Log on to the KNOX Mobile Enrollment website.
2. Click the MDM Profiles tab, click Add, and then click Server URI not required for my MDM.
Do NOT specify an MDM server URI. XenMobile does not use the Samsung MDM protocol.
3. In the Create an MDM Profile screen, provide the following:
A name for the profile.
For MDM Agent APK, the Secure Hub APK download URL. For example:
http://example.com/zdm/worxhome.apk
https://pmdm.mycorp-inc.net/zdm/worxhome.apk
The APK file can reside on any server that the devices can access during enrollment. During the enrollment, a device
downloads Secure Hub from that URL, installs Secure Hub, and then opens Secure Hub with the custom JSON data
described next.
Note: The capitalization of the .apk file name must match the URL you enter. For example, if the file name is all
lowercase, it must also be all lowercase in the URL.
For Custom JSON Data, the XenMobile server address in the format:
{"serverURL":"URL"}
Examples:
{"serverURL":"https://example.com/zdm"}
{"serverURL":"https://pmdm.mycorp-inc.net/zdm"}
Note: The Secure Hub APK file must be uploaded on the specified server (example: https://pmdm.mycorp-inc.net:4443) under the Apps section. This is similar to uploading enterprise apps.
When a device starts bulk enrollment, the device uses the profile data: First, the device downloads Secure Hub from the
given URL, installs Secure Hub, and opens Secure Hub with the custom JSON data as parameter. Then, Secure Hub opens
the credentials page. Secure Hub already has the XenMobile server address, so Secure Hub doesn't need to prompt for it.
To add devices, upload device IDs and associate them to one of the previously created MDM profiles. This is best done by
uploading a .csv file. The different ways of building the file are documented on the KNOX website, but the simplest way is
to enter one IMEI per line, as follows.
Note
You can alternatively add devices by scanning them, as described in the next section.
1. Go to Devices > All Devices and click Upload devices.
2. Under CSV File Format, click Download file template.
3. Enter information in corresponding columns in the template:
Device info: IMEI, MEID, or serial number
Username (optional): If the user has been provisioned with a user name for your enterprise MDM setup.
Password (optional): If the user has been provisioned with a password for your enterprise MDM setup.
Other info (optional): Any other information that you want to include about the device.
4. Highlight all the cells in the spreadsheet.
5. Right-click the highlighted cells and select Format cells.
6. On the Number tab, under Category, click Text.
7. Click OK.
8. Save the spreadsheet as a .csv file.
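Formatting the cells as Text matters because a spreadsheet otherwise stores a 15-digit IMEI as a number and saves it in scientific notation. The following is an added example, not part of the KNOX or Citrix tooling: it builds the upload file from a device list, rejecting values that were converted that way and IMEIs whose Luhn check digit does not match. The column order follows the four template columns listed above, no header row is written (an assumption about the template), and the sample rows are constructed.

```python
import csv
import io
import re

# A long number saved from a General-format cell looks like 4.90154E+14.
SCI_NOTATION = re.compile(r"^\d(\.\d+)?[eE]\+?\d+$")


def luhn_ok(digits):
    """Luhn checksum, which the last digit of a 15-digit IMEI must satisfy."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:  # double every second digit, counting from the right
            value = value * 2 - 9 if value > 4 else value * 2
        total += value
    return total % 10 == 0


def check_device_id(raw):
    """Return (cleaned_id, problem); problem is None when the value is usable."""
    value = raw.strip()
    if not value:
        return value, "empty device info"
    if SCI_NOTATION.match(value):
        return value, "number was converted to scientific notation"
    compact = re.sub(r"[\s-]", "", value)  # drop separators such as 35-693803-...
    if not re.fullmatch(r"[0-9A-Za-z]+", compact):
        return value, "unexpected characters"
    if compact.isdigit() and len(compact) == 15 and not luhn_ok(compact):
        return compact, "15 digits but IMEI check digit does not match"
    return compact, None  # IMEI, MEID or serial number


def build_upload_csv(rows):
    """rows: (device info, username, password, other info) tuples.

    Returns (csv_text, rejected), where rejected lists (original_value, problem).
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    rejected = []
    seen = set()
    for device, username, password, other in rows:
        cleaned, problem = check_device_id(device)
        if problem is None and cleaned in seen:
            problem = "duplicate device"
        if problem:
            rejected.append((device, problem))
            continue
        seen.add(cleaned)
        writer.writerow([cleaned, username, password, other])
    return out.getvalue(), rejected


# Constructed sample input, not real inventory.
SAMPLE_ROWS = [
    ("490154203237518", "", "", ""),
    ("35-693803-564380-9", "jdoe", "", "cart 7"),
    ("490154203237519", "", "", ""),   # last digit altered
    ("4.90154E+14", "", "", ""),       # saved from a General-format cell
    ("R58M12ABCDE", "", "", ""),       # serial number
    ("490154203237518", "", "", ""),   # repeated entry
]

if __name__ == "__main__":
    text, rejected = build_upload_csv(SAMPLE_ROWS)
    print(text, end="")
    for value, problem in rejected:
        print("rejected", value, "-", problem)
```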
1. Click the Devices tab.
2. Click Upload Devices.
3. In the Add Devices dialog, click Browse, select your .csv file and then click Upload.
4. Enter your purchase details. The KNOX Mobile Enrollment tool verifies your purchase details to ensure that each device is
enrolled in the proper enterprise.
5. Under Assign to Profile, select the MDM profile that you added.
6. Click Submit.
The All Devices list displays the enrollment status and profile of all the devices that you attempted to enroll.
Only TIMA-enabled Samsung 2.4 devices are supported out of the box by the Samsung KNOX Mobile Enrollment tool. Also,
for a device to successfully enroll in the enterprise, the device must connect to WiFi and users must agree to download and
install Secure Hub.
1. Download and install the KNOX Mobile Enrollment app from Google Play.
2. Enter your Samsung Portal credentials and then tap SIGN IN.
3. Tap Scan Devices.
4. Tap Scan new devices.
5. Align the barcode of your device with the red line to scan.
6. If the scan succeeds, the device IMEI appears. Tap Save.
7. Your scanned devices are shown in the scan queue. Tap Upload.
1. Log on to your KNOX Web Portal account and click Launch Mobile Enrollment.
2. Tap Scanned to view all added devices.
3. Select the devices that you want to enroll and tap Submit selected. To submit all scanned devices, tap Submit all.
4. In the Submit scanned devices pop-up, enter your Purchase details to confirm device ownership.
5. In the Assign MDM profile menu, select the profile to use for device enrollment.
6. Click Submit.
You will receive a confirmation email when the device information is verified.
For security reasons, devices are not immediately assigned to this bulk enrollment account. Samsung first must verify that
the devices belong to the entity that is setting up the bulk enrollment account.
For that purpose, the next screen prompts for the identity of the reseller and for matching invoices.
Important
For legal reasons, Samsung maintains two distinct server groups: Americas and EU. U.S. devices must register with a KNOX account
for the U.S. region. EU devices, as well as devices from any other region except China, which is not supported, must register with a
KNOX account for the EU region.
A device from the wrong region will actually be accepted into the account, but bulk enrollment will fail on the device with a
cryptic error. To check whether the device country code or origin is a non-U.S. country, download the simple Phone Info
Samsung app from Google Play.
After the preceding configuration is completed, the first time a user starts a device and connects to the Internet using WiFi,
the following sequence of screens appears. The enrollment process starts automatically and users need to download and
install Secure Hub and then enter valid credentials on the Secure Hub screen to complete the enrollment.
Note
Enrollment doesn't use a cellular connection to avoid any network costs for the user.
On devices that have KNOX API earlier than version 2.4, bulk enrollment will not work out of the box, so users must initiate
enrollment by going to a Samsung site to download the new Mobile Enrollment client and start the enrollment.
The downloaded enrollment client uses the same MDM profile and APKs configured in the KNOX Bulk enrollment portal for
the KNOX 2.4/2.4.1 devices.
Users typically follow these steps:
1. Turn on the device and connect to WiFi. If the Mobile Enrollment doesn't start or WiFi is not available, do the following:
a. Go to https://me.samsungknox.com.
b. Tap the Enroll button to enroll devices with mobile data.
2. When the prompt Enroll with KNOX appears, tap Continue.
3. Read the EULAs (if available). Tap Next .
4. If prompted, enter the User ID and Password provided by the IT administrator.
At this point, the user's credentials are validated and their device is enrolled in your organization's enterprise IT environment.
XenMobile allows you to enable and disable biometric authentication (fingerprint and iris scan authentication) for Samsung
devices without requiring any action from users.
If you disable biometric authentication in XenMobile, users and third-party apps cannot enable the feature.
1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.
2. Click Add. The Add New Policy page appears.
3. Click Passcode. The Passcode Policy information page appears.
4. In the Policy Information pane, enter the following information:
Policy Name: Type a descriptive name for the policy.
Description: Optionally, type a description of the policy.
5. Click Next. The Platforms page appears.
6. Under Platforms, select Android or Samsung KNOX.
7. Set Configure biometric authentication to ON.
8. If you selected Android, under Samsung SAFE, select Allow fingerprint or Allow Iris or both.
Authentication Prompt Scenarios
Jul 05, 2017
Various scenarios prompt users to authenticate with XenMobile by entering their credentials on their devices.
The scenarios change depending on these factors:
Your MDX app policy and Client Property configuration in the XenMobile console settings.
Whether the authentication occurs offline, or needs to be an online authentication (the device needs a network
connection to XenMobile).
In addition, the kind of credentials that users enter (Active Directory password, Citrix PIN or passcode, one-time password,
or fingerprint authentication, known as Touch ID in iOS) also changes based on the type of authentication and frequency of
authentication that you require.
Let's start with the scenarios that result in an authentication prompt.
Device restart. When users restart their device, they must reauthenticate with Secure Hub.
Offline inactivity (time-out). With the App Passcode MDX policy enabled, which it is by default, the XenMobile client
property called Inactivity Timer comes into play. The Inactivity Timer limits the length of time that can pass without user
activity in any of the apps that use the secure container.
When the Inactivity Timer expires, users must reauthenticate to the secure container on the device. If, for example, users
set down their devices and walk away, if the Inactivity Timer has expired, someone else can't pick up the device and access
sensitive data within the container. You set the Inactivity Timer client property in the XenMobile console. The default is 15
minutes. The combination of the App Passcode set to ON and the Inactivity Timer client property is responsible for
probably the most common of the authentication prompt scenarios.
Signing off from Secure Hub. When users sign off from Secure Hub, they have to reauthenticate the next time they
access Secure Hub or any MDX app, when the app requires a passcode as determined by the App Passcode MDX policy and
the Inactivity Timer status.
Maximum offline period. This scenario is specific to individual apps because it is driven by a per-app MDX policy. The
Maximum offline period MDX policy has a default setting of 3 days. If the time period for an app to run without online
authentication with Secure Hub elapses, a check-in with XenMobile Server is required in order to confirm app entitlement
and to refresh policies. When this check-in occurs, the app triggers Secure Hub for an online authentication. Users must
reauthenticate before they can access the MDX app.
Note the relationship between the Maximum offline period and the Active poll period MDX policy:
The Active poll period is the interval during which apps check in with XenMobile server for performing security actions,
such as app lock and app wipe. In addition, the app also checks for updated app policies.
After a successful check for policies via the Active poll period policy, the Maximum offline period timer is reset and begins
counting down again.
Both check-ins with the XenMobile server, for Active poll period and Maximum offline period expiry, require a valid NetScaler
Gateway token on the device. If the device has a valid NetScaler Gateway token, the app retrieves new policies from
XenMobile without any interruption to users. If the app needs a NetScaler Gateway token, a flip to Secure Hub occurs, and
users see an authentication prompt in Secure Hub.
On Android devices, the Secure Hub activity screens open directly on top of the current app screen. On iOS devices,
however, Secure Hub must come to the foreground, which temporarily displaces the current app.
After users enter their credentials, Secure Hub flips back to the original app. If, in this case, you allow for cached Active
Directory credentials or you have a client certificate configured, users can enter a PIN, password, or fingerprint
authentication. If you do not, users must enter their complete Active Directory credentials.
The NetScaler token may become invalid due to NetScaler Gateway session inactivity or a forced session time-out policy,
as discussed in the following list of NetScaler Gateway policies. When users sign on to Secure Hub again, they can continue
running the app.
NetScaler Gateway session policies. Two NetScaler Gateway policies also affect when users are prompted to
authenticate. In these cases, they authenticate in order to create an online session with NetScaler for connecting to
XenMobile server.
Session time-out. The NetScaler session for XenMobile is disconnected if no network activity occurs for the set period
of time. The default is 30 minutes. If you use the NetScaler Gateway wizard to configure the policy, however, the
default is 1440 minutes. Users will then see an authentication prompt to reconnect to their corporate network.
Forced time-out. If On, the NetScaler session for XenMobile is disconnected after the forced time-out period elapses.
The forced time-out makes reauthentication mandatory after a set period of time. Users will then see an authentication
prompt to reconnect to their corporate network upon the next use. The default is Off. If you use the NetScaler
Gateway wizard to configure the policy, however, the default is 1440 minutes.
Credential Types
The preceding section discussed when users are prompted to authenticate. Let's now discuss the kinds of credentials they
must enter. Authentication is necessary through various authentication methods in order to gain access to encrypted data
on the device. To initially unlock the device, you unlock the primary container. After this occurs and the container is secured
again, to gain access again, you unlock a secondary container.
Note: When the article refers to a managed app, the term refers to an app wrapped by the MDX Toolkit, in which you've
left the App Passcode MDX policy enabled by default and are leveraging the Inactivity Timer client property.
The circumstances that determine the credential types are as follows:
Primary container unlock. An Active Directory password, Citrix PIN or passcode, one-time password, Touch ID or
fingerprint ID are required to unlock the primary container.
On iOS, when users open Secure Hub or a managed app for the first time after the app is installed on the device.
On iOS, when users restart a device and then open Secure Hub.
On Android, when users open a managed app if Secure Hub is not running.
On Android, when users restart Secure Hub for any reason, including a device restart.
Secondary container unlock. Fingerprint authentication (if configured), a Citrix PIN or passcode, or Active Directory
credentials are required to unlock the secondary container.
When users open a managed app after the inactivity timer expires.
When users sign off of Secure Hub and subsequently open a managed app.
Active Directory credentials are required for either container unlock circumstance when the following conditions are true:
When users change the passcode associated with their corporate account.
When you have not set the client properties in the XenMobile console to enable the Citrix PIN:
ENABLE_PASSCODE_AUTH and ENABLE_PASSCODE_AUTH.
When the NetScaler Gateway session ends, which occurs when the session time-out or forced time-out policy timer
expires, if the device does not cache the credentials or does not have a client certificate.
When fingerprint authentication is enabled, users can sign on by using a fingerprint when offline authentication is required
because of app inactivity. Users still have to enter a PIN when signing on to Secure Hub for the first time and when
restarting the device. Fingerprint authentication is supported for iOS 9 and iOS 10.3 devices and some Android devices. For
information about enabling fingerprint authentication, see the ENABLE_TOUCH_ID_AUTH setting in Client properties.
The following flowchart summarizes the decision flow that determines which credentials a user must enter when prompted
to authenticate.
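The decision logic described in this section, written out as an added Python example (it is not Citrix code and is not part of the original page). It is a simplified model: the class and field names are assumptions made for illustration, and only the defaults (App Passcode on, 15-minute Inactivity Timer, 3-day Maximum offline period) come from the text.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    # Defaults are the ones stated in the text; field names are hypothetical.
    app_passcode: bool = True        # App Passcode MDX policy
    inactivity_timer_min: int = 15   # Inactivity Timer client property
    max_offline_hours: int = 72      # Maximum offline period (3 days)
    citrix_pin: bool = True          # Citrix PIN enabled through client properties
    fingerprint: bool = False        # ENABLE_TOUCH_ID_AUTH


@dataclass
class Device:
    restarted: bool = False            # device or Secure Hub restarted
    signed_off: bool = False           # user signed off from Secure Hub
    idle_min: int = 0                  # minutes without activity in the container
    hours_since_checkin: int = 0       # since the last successful policy check-in
    gateway_token_valid: bool = True   # NetScaler Gateway token still valid
    cached_creds_or_cert: bool = True  # cached AD credentials or client certificate
    ad_password_changed: bool = False  # corporate account password changed


def required_prompt(policy, device):
    """Return (kind, accepted): kind is "none", "offline" or "online"."""
    # A check-in forced by the Maximum offline period stays silent while the
    # gateway token is valid; only a missing token flips to Secure Hub.
    needs_online = (device.hours_since_checkin >= policy.max_offline_hours
                    and not device.gateway_token_valid)
    idle_expired = device.idle_min >= policy.inactivity_timer_min
    needs_unlock = device.restarted or (
        policy.app_passcode and (device.signed_off or idle_expired))
    if not (needs_online or needs_unlock):
        return "none", set()

    kind = "online" if needs_online else "offline"
    # Conditions under which full Active Directory credentials are required.
    if (device.ad_password_changed or not policy.citrix_pin
            or (needs_online and not device.cached_creds_or_cert)):
        return kind, {"ad_credentials"}

    accepted = {"citrix_pin"}
    # After a restart the PIN is still required even with fingerprint enabled.
    if policy.fingerprint and not device.restarted:
        accepted.add("fingerprint")
    return kind, accepted
```

Running candidate policy values through a model like this before changing them in the console shows which combinations leave users on full Active Directory credentials and which allow a PIN or fingerprint.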
About Secure Hub Screen Flips
Another situation to note is when a flip from an app to Secure Hub and then back to an app is required. The flip displays a
notification that users must acknowledge. Authentication is not required when this occurs. The situation occurs after a
check-in happens with XenMobile server, as specified by the Maximum offline period and Active poll period MDX policies,
and XenMobile detects updated policies that need to be pushed to the device through Secure Hub.
iOS VPN Installation
Jul 18, 2017
On iOS 10 and later devices, Secure Hub VPN is used for secure local data sharing between Secure Hub and MDX apps.
Secure Hub VPN runs on the iOS 10 and later device. Secure Hub VPN provides the ideal user experience, because Secure
Hub and MDX apps can communicate seamlessly through this VPN.
Secure Hub VPN works for apps signed by Apple Enterprise developer account ("team id") certificates, Citrix certificates,
Enterprise certificates, or third-party ISV certificates.
Secure Hub VPN is used by default on iOS 10 devices. If Secure Hub VPN is not running on the iOS 10 device, MDX uses the
iOS shared keychain for secure data sharing. The iOS shared keychain mechanism requires all participating apps to be signed
with the same certificate to access the specific shared keychain for that iOS "team id" certificate. If an app is not signed
with the same certificate as the Citrix-signed Secure Hub app, the app might flip to Secure Hub to get the required
information.
Secure Hub VPN is available only for XenMobile Enterprise and MAM-only deployments. Secure Hub VPN does not apply to
XenMobile MDM-only environments, and the VPN is not installed in MDM-only enrollments. On iOS 9 and earlier versions,
Secure Hub does not use Secure Hub VPN.
Secure Hub VPN is used for communication between Secure Hub and XenMobile or enterprise apps. It does not filter or
monitor network traffic on the device and is independent of the MDX micro-VPN mechanism.
Note
Citrix recommends that you leave Secure Hub VPN enabled in environments where it is enabled by default.
Because iOS does not allow more than one VPN client to run on an iOS device simultaneously, however, be aware of the following
situation. The Secure Hub VPN cannot be used if another VPN app, such as Cisco AnyConnect or Citrix VPN, needs to run on iOS
devices to establish a device-level VPN. You can set up an iOS per-app VPN even if Secure Hub VPN is not disabled. The app using the
iOS per-app VPN establishes a per-app VPN connection when the app is in the foreground.
To disable Secure Hub VPN, see the following section in this article. When Secure Hub VPN is disabled, users might experience more
flips from a managed app to Secure Hub.
Disabling or reenabling Secure Hub VPN in XenMobile
Secure Hub VPN is enabled by default when users start using Secure Hub 10.3.10 and later on iOS 10.
To disable Secure Hub VPN and set iOS devices in your deployment to use the shared keychain mechanism, do the
following:
1. In the XenMobile console, go to Settings > Client > Client Properties.
2. On the Client Properties page, create a custom client property called ENABLE_NETWORK_EXTENSION and set the
value to 0.
To reenable Secure Hub VPN, go to the Secure Hub VPN and set the value of ENABLE_NETWORK_EXTENSION to 1.
Installing Secure Hub VPN on the client device
The Secure Hub VPN is installed in two cases: after Secure Hub 10.3.10 or later is installed on an iOS 10 device or when a
user upgrades a device running Secure Hub 10.3.10 or later to iOS 10.
Users see this informational message.
Next, users see an iOS message asking for permission to add VPN configurations. This message is shown only one time,
when the VPN is first installed. It is not shown when users open Secure Hub again.
The message on this screen is not customizable. It is a standard iOS dialog box used for all VPN installations.
On the screen asking for permission to add the VPN configuration: If users select Don't Allow, they see another message
indicating that they must install the VPN to access Secure Hub.
Running Secure Hub VPN on the client device
When the Secure Hub VPN is running as designed, the text Connecting appears in the General > VPN screen of the iOS
Settings app.
This is expected and does not mean that the MDX sharing and communication mechanisms are not functioning. There is no
action required from users if they see this message.
Enrolling devices by using derived credentials
Jul 27, 2017
Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a
mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access
Card (CAC).
The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the
credentials obtained from the credential provider in a secure vault on the device.
XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn't
support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile Server
to enroll Android devices through enrollment invitations and other enrollment modes.
Device enrollment steps when using derived credentials
Enrollment requires that users insert their smart card to a reader attached to their desktop.
1. The user installs Secure Hub and the app from your derived credential provider.
In this example, the identity provider app is the Intercede MyID Identity Agent.
2. The user starts Secure Hub. When prompted, the user types the XenMobile Server fully qualified domain name and then
clicks Next. Enrollment in Secure Hub starts. If the XenMobile Server supports derived credentials, Secure Hub prompts the
user to create a Citrix PIN.
3. The user follows the instructions to activate their smart credential. A splash screen appears, followed by a prompt to
scan a QR code.
4. The user inserts their card into the smart card reader that's attached to their desktop. The desktop app then displays a
QR code and prompts the user to scan the code using their mobile device.
The user enters their Secure Hub PIN when prompted.
After authenticating the PIN, Secure Hub downloads the certificates. The user then follows the prompts to complete
enrollment.
To view device information in the XenMobile console:
Go to Manage > Devices and then select a device to display a command box. Click Show more.
Go to Analyze > Dashboard.
Citrix ScanDirect
Oct 12, 2017
Citrix ScanDirect allows users to capture, edit, and save documents for easy sharing. ScanDirect automatically detects the
edges of documents and whiteboards and applies document-specific filters to ensure superior image quality. Users can
quickly export the captured images to ShareFile as PDF, Microsoft Word, or Microsoft PowerPoint files.
For ScanDirect and other XenMobile App system requirements, see System requirements for XenMobile Apps.
ScanDirect requires access to a device's camera, so turn off the Block camera policy on the XenMobile server.
With ScanDirect, users can:
Quickly digitize and store handwritten notes, documents, and receipts for later use.
Add multiple images to a single capture to create a case or project file for associated content.
Save digitized captures as PDF, Microsoft Word, or Microsoft PowerPoint files.
Export captures to their most common collaboration resources, such as email, photo gallery, and cloud storage.
Crop captured notes any time to modify for future use.
For information about how users can take their first scan and add ShareFile as a cloud service, see this article.
Citrix Secure Forms
Oct 12, 2017
Important
End of Life (EOL) lifecycle date for Secure Forms: December 31, 2017.
When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the available support options are limited. Historical information
appears in the Knowledge Center or other online resources. The documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle
milestones, see the Product Matrix.
Customers are encouraged to transition to the ShareFile Workflows for XenMobile Apps included with ShareFile Platinum and Premium accounts.
Citrix Secure Forms is a two-part app for creating and completing customized forms. Users create forms on the web-based Secure Forms Composer and then publish the
forms to the Secure Forms mobile app, available for download on the XenMobile downloads page. With the mobile app, end users fill out and submit forms from wherever
they're working. For more information about the Secure Forms mobile app, see Secure Forms Mobile App.
Secure Forms is integrated with ShareFile, so submitted forms are easily collected in a designated ShareFile folder. Forms can also be collected by email or through a web
service.
For Secure Forms and other XenMobile App system requirements, see System requirements for XenMobile Apps.
To deploy Secure Forms, you must set up ShareFile folders either manually or by using PowerShell script. For instructions, see Integrating Secure Forms with ShareFile.
You wrap the Secure Forms mobile app with the MDX Toolkit, v. 10.3 for iOS, available on the XenMobile downloads page. Follow the instructions in Wrapping iOS Mobile
Apps and Add an MDX app.
For best performance, configure Secure Forms policies in the XenMobile console as follows:
Block camera: Off
Block Photo Library: Off
Block mic record: Off
Block location services: Off
1. Set Network access as Tunneled to internal network.
2. Set App URL schemes as ctxforms and Allowed URLs as:
+maps.apple.com,+itunes.apple.com,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^col-g2m-2:,+^col-g2w-2:,+^maps:ios_addr,+^mapitem:,+^ctxinternalmail:,+^ctxmail:
3. After saving these changes and publishing the apps, go to Secure Forms and then at the end of Allowed URLs, add +^ctxforms:
To begin creating forms on the Secure Forms Composer, users go to secureforms.citrix.com on a Chrome browser. From there, they enter a ShareFile email address and
password that belongs to the CitrixSecureFormsAdminUsers group.
When users sign in, they see this landing screen:
From here, they can do the following:
Click New to create a new form.
View saved, unpublished forms in Drafts.
View published forms in Published.
Search forms.
Note: Published forms are called Templates, both in the composer and the mobile app.
Creating a New Form
On the landing screen, click New. The composer dashboard appears.
Forms consist of three components: Cover, Content and Settings. In the Cover area, users name their forms and add optional descriptions and images. Clicking Next
takes them to the Content area, where they add fields to their forms.
Adding Fields to Forms
To build a form, in Content view, users simply drag fields over from the left side of the composer.
They can choose fields that allow users to enter text, numbers, video, and audio, as well as to scan bar codes, check a box, or choose from a drop-down menu.
Secure Forms supports the following bar code types:
One-Dimensional: UPC, EAN, Code 39, Code 128, ITF (interleaved 2 of 5), Code 93, EAN 8, EAN 13, UPCe, UPCa, GS1-128
Two-Dimensional: QR, DataMatrix, PDF417, Aztec, MaxiCode
Field Setting
When users add a field, Field Setting appears on the right side of the composer. This is where users can designate a field as required, add help text, or add a description.
Some settings are specific to particular fields. For example, users can select an audio quality level or specify the format for numbers, when they add those fields.
They can also add page breaks and numbers for a multiple-page form.
In Custom field name, users can create a name that is compatible with formats in which data might be exported, such as XML and CSV. This name doesn't appear on the
published form. For example, users may see a field labeled "First Name," but the custom field name may be "Employee_First_Name".
Testing Forms
Forms are saved automatically in Drafts. At any time, users can sign on to the Secure Forms mobile app to test the form. Their permissions allow them to see drafts that
end users don't see. If they're satisfied with the form, they can return to the composer to publish it.
In Settings, users choose how to collect forms, how to format the data, and whether to collect additional data.
Form Collection Methods
When end users click Submit on the mobile app, completed forms are collected by the following selected methods:
Uploaded to the ShareFile folder, in XML or CSV format.
Sent to an email address as PDFs. The mobile app flips to a prepared message in WorxMail for users to send.
Posted to a web service in XML, CSV or JSON format. You must enter a key:value pair that's included as header information in the web service call. For details, see
Posting to Web Services later in this article.
Uploaded to a Network File System. For details, see Configuring a Network File System later in this article.
Configuring a Network File System
When you select Save to Network File System (NFS) as a data collection method, you need to enter the path to the folder where data is collected. Windows
enforces the NFS folder permissions, which you can manage and structure according to your organization's needs.
Before you begin setting up NFS permissions, you first need to have a network file share connector configured in ShareFile, if you don't already. For steps on how to set
up a network file share connector, see Create and manage StorageZone connectors.
Once the file share connector is added, make sure to configure the domain controller to trust the StorageZones Controller for delegation. Follow the configuration steps
here.
Then you need to add citrix.com as an allowable top-level domain:
1. Go to C:\inetpub\wwwroot\Citrix\StorageCenter\AppSettingsRelease.config. C is the drive where the StorageZone Controller is installed.
2. Add citrix.com to the end of allowable-top-level-app-domains. This is a comma-separated list of allowable top-level application domains with which the Storage
Center can communicate:
<add key="allowable-top-level-app-domains" value="sf-api.eu,sharefile.com,securevdr.com,sf-api.com,sharefilenext.com,sf-apitest.com,sharefiletest.com,sfapidev.com,sharefiledev.com,sharefile.eu,citrixdata.com,citrixvdr.com,citrixsecure.com,citrixdataroom.com,citrixsharefile.com,citrixsharefile.eu,citrix.com"/>
Now you're ready to create NFS folder permissions.
1. In the Active Directory, create two groups called SecureFormsLOB and CitrixSecureFormsEndUsers.
SecureFormsLOB includes users who are allowed to create and fill out forms.
CitrixSecureFormsEndUsers includes users who are allowed to fill out forms but not to create them.
2. Create a folder on your Network File System. For this example, the folder is called SecureFormsData.
3. Give full control to SecureFormsLOB so its members can read, write, and delete data.
4. Give CitrixSecureFormsEndUsers write-only access, to ensure that its members can't read each other's data.
Under Type, select Deny.
Under Advanced permissions, select the items as shown in the following figure.
NFS Settings in Secure Forms Composer
1. Use a network that has access to your StorageZone Controller. Secure Forms authenticates against this network to verify that you have the proper connector.
2. Set Save to Network File System (NFS) to On.
3. Enter a folder path in this format: NFS connector name/rootFolderPath/FormDataFolder, where:
NFS connector name is the name of the NFS connector on ShareFile.
rootFolderPath is the path to the root folder where all form data is stored.
FormDataFolder is the root folder where all form data is stored. The root folder is automatically created if the folder is not there and is given the same permissions
applied to the parent folder. In this example, the root folder is named SecureFormsData.
Publishing a Form with NFS
Before publishing a form, users have to enter a user name and password to authenticate on the server where the NFS is located.
Auto Collect Data
Users select the Auto collect data check boxes if they want to collect an end user's location and email address, or the form submission date. The end user's permission
isn't required to collect this data.
In Advanced, users can enter key:value pairs that are included with the form data in an XML or JSON file.
Posting to Web Services
Any web service you use to collect form data must meet the following criteria:
Be an HTTPS (secure) service. Other URL schemes are currently not supported.
Intercept POST requests sent by the client.
Read multipart/form-data as content type.
Respond to the URL request with the HTTP response status code. The client does not read the response body.
Process optional custom headers sent as a part of the URL request headers.
Follow these steps to configure form collection by web service:
1. Sign on to the Secure Forms Composer and create a new form.
2. Go to Settings and turn on the Post to web service collection method.
3. Select one of the data formats for the payload. The default is XML.
Note: Media content (images, audio and video) is saved in a shared folder in ShareFile, and the file path is included in the file name.
4. Add a web service URL. For security reasons, Secure Forms requires an HTTPS URL with a valid certificate. The Secure Forms iOS client performs a POST request to this
URL, with the form payload in the request body. The request is sent as multipart/form-data content type. The actual file is uploaded with the key "file" in the request.
For testing purposes, you can create a self-signed certificate and trust it on your device (iPhone / iPad). Use the following instructions to create a self-signed certificate:
Windows
Mac
5. You can opt to provide custom headers to the URL request. These headers are sent as part of the URL request headers.
Client-sent URL request sample
For purposes of explanation, this request is captured in RAW format. In practice, this request is sent to the server in XML, CSV or JSON format. The essential parts of this
request are highlighted in red. The custom headers configured in the Secure Forms Composer are sent as request headers.
The Secure Forms client does not interpret the response body. To validate the server submission, the client reads the HTTP response status codes that the server sends in
the header. A status code of 200 signifies a successful submission. If the submission fails, an error message appears to the user.
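A receiving web service that meets the criteria listed above, as an added Python example (not Citrix code and not part of the original page). It treats the custom header configured in the Composer as a shared secret, accepts only multipart/form-data with a part keyed "file", and answers with a status code only. The header name, its value, the port, and the sample request are assumptions constructed for illustration.

```python
import hmac
import ssl
from email.parser import BytesParser
from email.policy import default as email_policy
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed key:value pair entered as a custom header in the Composer.
# Both the name and the value are constructed, not Citrix defaults.
AUTH_HEADER = "x-forms-key"
AUTH_VALUE = "constructed-shared-secret"
MAX_BODY = 10 * 1024 * 1024  # refuse oversized uploads before parsing

# Constructed sample request (not captured from a real client).
BOUNDARY = "constructedBoundary42"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="form.xml"\r\n'
    "Content-Type: application/xml\r\n\r\n"
    "<form><First_Name>Ada</First_Name></form>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
SAMPLE_HEADERS = {
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "X-Forms-Key": AUTH_VALUE,
}


def extract_file_part(content_type, body):
    """Return (filename, payload bytes) for the multipart field named "file"."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    # Re-attach the Content-Type header so the MIME parser sees the boundary.
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = BytesParser(policy=email_policy).parsebytes(raw)
    if not msg.is_multipart():
        return None
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if part.get_content_disposition() == "form-data" and name == "file":
            return part.get_filename(), part.get_payload(decode=True)
    return None


def handle_submission(headers, body):
    """Decide the HTTP status for one POST; the client reads only this code."""
    headers = {k.lower(): v for k, v in headers.items()}
    if len(body) > MAX_BODY:
        return 413
    supplied = headers.get(AUTH_HEADER, "")
    # Constant-time comparison of the custom header against the expected value.
    if not hmac.compare_digest(supplied.encode(), AUTH_VALUE.encode()):
        return 401
    part = extract_file_part(headers.get("content-type", ""), body)
    if part is None or not part[1]:
        return 400
    filename, payload = part
    # Pass payload to the form-processing pipeline here; never use the
    # client-supplied filename as a filesystem path without sanitising it.
    return 200


class FormHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0:
            status = 400
        elif length > MAX_BODY:
            status = 413
        else:
            status = handle_submission(dict(self.headers.items()),
                                       self.rfile.read(length))
        self.send_response(status)           # status code only, empty body
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(certfile, keyfile, port=8443):
    """Serve over HTTPS; certificate paths and port are supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    httpd = HTTPServer(("0.0.0.0", port), FormHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```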
Beacons
With iBeacon technology, you can track locations, people and assets using beacons and Bluetooth functionality. You can also link form fields to beacons to autofill
information, which saves time and improves accuracy.
For more information on iBeacon, see What Is iBeacon?. To read about use cases, see Yes, Real World Market Verticals Use Beacon Technology.
Follow these instructions to use beacons with Secure Forms.
System requirements
Beacon hardware. Citrix has tested beacons from Gimbal, but you can use any brand.
Secure Forms Composer and Secure Forms mobile app version 10.3.6.
A ShareFile domain whitelisted to use beacons with Secure Forms. To request your domain to be whitelisted, send a message to Citrix by clicking on the message icon in
the upper-right corner of the Secure Forms Composer dashboard.
An iPhone or iPad running iOS 9 - 9.3.
Every beacon configuration includes a universally unique identifier, or UUID. It's best to use just one UUID for your company. This UUID will apply to every beacon you use.
Major and minor values are added to the UUID. Major values identify subsets of beacons; for example, all devices in a particular location, such as a warehouse or a hospital.
Minor values identify individual beacons.
To activate a beacon
1. Register for a free Gimbal account.
2. Download the Gimbal Beacon Manager app onto your iOS device to configure, test and manage beacons.
3. On the Gimbal website, go to Beacons > Beacon Management and click Activate Beacon.
4. To activate a beacon you need to name the beacon and enter its factory ID. Some IDs are inside the battery compartment; you may find yours in another spot. Enter
the ID and then click Activate Gimbal Beacon.
To configure your beacon
1. Go to Beacons > Beacon Configurations and then click New Configuration.
2. Name your configuration and select the beacon type. T he P roximit y UUID field populates automatically.
3. In the Major and Minor fields, enter numbers that identify individual beacons and their locations. Major and minor numbers are found on the Gimbal console at
Beacons > Beacon Configurat ions .
4. Click Creat e Configurat ion .
Your new beacon configuration appears at the bottom of the list.
To apply the configuration to the active beacon
1. Go to Beacons > Beacon Management, find your beacon, and then under the Actions column, click the edit icon.
2. Click Configuration, in the list, click your configuration and then click Save to apply this configuration to your activated beacon.
You should now see your beacon with the applied configuration. You can check the Gimbal app to make sure the beacon is on and broadcasting.
To update beacons
1. To make a beacon discoverable, pull the battery out of the beacon and put it back in.
2. In the Gimbal Beacon Manager app, go to Configure. When the beacon is found, click Update Beacon.
To test beacons
1. Sign on to the Secure Forms Composer and then create a form to test your beacon.
2. For purposes of the test, drag a Text element from the left side of the composer and create fields in which a user would enter a first name and a last name.
3. In the Custom field name box on the right, enter First Name and Last Name for the respective fields.
4. Map the data between form fields and beacons. Create a CSV file where the column headings match the values entered in the Custom field name (in this example,
First Name and Last Name). The CSV file must also have the UUID and major and minor beacon configuration data added as shown in the following figure.
5. Save the CSV file to Secure Forms > Beacons.
6. Upload the file to Settings in Secure Forms Composer.
7. Test the beacon on the Secure Forms mobile app:
On the device, make sure that Location Services and Bluetooth are enabled. You can also check the Beacon Manager app to ensure that the beacon is visible to the
device.
Open the Secure Forms mobile app and wait for the test form to download.
Open the test form. If the app finds a beacon nearby, an autofill confirmation dialog box appears.
8. The form data populates based on the CSV file.
For more information about working with beacons, see Gimbal Developer Resources.
When users are done building their form, they click Publish. At that point, the form is saved in Published and becomes available on the Secure Forms mobile app under
Templates.
To troubleshoot errors that users may see when using Secure Forms Composer, see Troubleshooting in Secure Forms Composer.
Secure Forms Mobile App
Jun 29, 2017
Important
End of Life (EOL) lifecycle status for Secure Forms Mobile App: December 31, 2017.
When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the
available support options are limited. Historical information appears in the Knowledge Center or other online resources. The
documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle milestones,
see the Product Matrix.
Customers are encouraged to consider the ShareFile Workflows for XenMobile mobile app. For more information on this
feature, please see ShareFile Workflows in the sidebar.
You can download the Secure Forms QuickStart Guide here. Scroll to the bottom of the page and click on iOS.
With Citrix Secure Forms, users can fill out and submit forms that were created with the Secure Forms Composer.
You can download the Secure Forms mobile app at the XenMobile downloads page. After you download the app, you can
then secure the app with the MDX Toolkit.
Secure Forms is supported only on iPhones and iPads running iOS versions 9 to 9.3.
Users sign on to Secure Hub, tap XenMobile Store and then select Secure Forms from the list of apps. Secure Forms will
automatically install on their devices.
When users open Secure Forms, they'll see a list of forms available to them, under Templates.
Forms are auto-saved as users fill them out, so users can pause while completing a form and return to the form later.
In Submitted and In Progress, a left swipe brings up options to delete a form or send the form as a PDF attachment
with Secure Mail.
Tapping a blue question mark next to a field brings up help text pertaining to that field. Help text is added to a field in the
Secure Forms Composer when the form is created.
Secure Forms allows users to take or attach photos, as well as record audio and video. It may take a few minutes to submit
forms that contain media. Users should wait until the form is successfully submitted before navigating away from the app,
because the submission process might pause if Secure Forms is put in the background.
If users are in a location without an Internet connection, they can still fill out and submit a form. The form uploads when
connectivity is restored.
If users want to upload forms only with WiFi to save cell phone data, in Settings, they can turn on Save Form Data > On
Wi-Fi Only.
If users have an unlimited data plan, in Settings, they can turn on Save Form Data > On Mobile Data and Wi-Fi. The
form uploads when users return to a coverage area.
Integrating Secure Forms with ShareFile
Jun 29, 2017
Important
End of Life (EOL) lifecycle status for Secure Forms: December 31, 2017.
When a product release reaches EOL, you can use the product within the terms of your product licensing agreement, but the
available support options are limited. Historical information appears in the Knowledge Center or other online resources. The
documentation is no longer updated and is provided on an as-is basis. For more information about product lifecycle milestones,
see the Product Matrix.
Customers are encouraged to consider the ShareFile Workflows for XenMobile app, which is integrated with a ShareFile
account at the time of creation. For more information on this feature, please see ShareFile Workflows in the sidebar.
To deploy Citrix Secure Forms, you must set up ShareFile folders either manually or by using a PowerShell script. ShareFile
Restricted Zones are also supported.
PowerShell Script Setup
Note
The script works only if you have a Citrix-managed (cloud) ShareFile StorageZone. If you have a customer-managed (on-premise)
StorageZone, use the steps for manual setup later in this article.
1. Install the ShareFile PowerShell SDK, available here.
2. Open the PowerShell console in administrative mode and run the CitrixSecureForms.ps1 script, available here.
If you get the error CitrixSecureForms.ps1 cannot be loaded because the execution of scripts is disabled on this
system, run the following command:
Set-ExecutionPolicy Unrestricted
3. Enter a user name and password that has permission to create root-level folders and user and distribution groups.
The script automatically creates the groups CitrixSecureFormsAdminUsers and CitrixSecureFormsEndUsers, as well as
the required folders with appropriate permissions assigned.
You can now add users to these groups from the ShareFile console.
User Permissions
Users added to CitrixSecureFormsAdminUsers can access the composer at secureforms.citrix.com, create and publish
forms, and read data from submitted forms.
Users added to CitrixSecureFormsEndUsers can use the mobile app only. They can sign on to secureforms.citrix.com, but
they have read-only access to forms. They can't edit or publish forms, or access submitted data.
Form Storage
All published forms are saved in Shared Folders > Citrix_SecureFormsTemplate.root > Default.workspace.
All submitted forms are saved in Citrix_SecureFormsData.root.
Manual Setup
If the PowerShell script doesn't work, you can set up the necessary folders manually.
1. Log on to ShareFile with a user name and password that has permission to create root-level folders, as well as user and
distribution groups.
2. Go to Manage Users > Distribution Groups and then select New Group.
3. Create a distribution group called CitrixSecureFormsAdminUsers.
4. Click Add Member to add users who can access the Secure Forms Composer. Members of this group can create, update,
publish and delete forms.
5. Create a distribution group called CitrixSecureFormsEndUsers. Members of this group can use the Secure Forms mobile
app to fill out and submit forms. On the composer, members have read-only access to forms. They can't publish forms or
view submitted data.
The distribution groups you've just created appear in Manage Users > Distribution Groups.
6. Return to Home and go to Shared Folders.
7. Create a folder called Citrix_SecureFormsTemplate.root.
8. Give all permissions for the Citrix_SecureFormsTemplate.root folder - download, upload, delete, and admin - to
CitrixSecureFormsAdminUsers.
9. Give download permission only to CitrixSecureFormsEndUsers.
10. Inside the Citrix_SecureFormsTemplate.root folder, create another folder named Default.workspace. Make sure
Default.workspace has the same distribution group permissions as Citrix_SecureFormsTemplate.root. All published forms are
saved inside Default.workspace.
11. Return to Home and go to Shared Folders.
12. Create a folder named Citrix_SecureFormsData.root. All submitted forms data goes into this folder.
13. Give all Citrix_SecureFormsData.root permissions - download, upload, delete, and admin - to
CitrixSecureFormsAdminUsers.
14. Give CitrixSecureFormsEndUsers upload only permissions for the Citrix_SecureFormsData.root folder.
CitrixSecureFormsEndUsers members can submit but not view form data.
Troubleshooting in Secure Forms Composer
The following troubleshooting tips apply to errors users may see when using Secure Forms Composer. Many of these errors
result from mistakes made during the initial ShareFile setup.
Error code 12501
Message user sees: You don't have permission to publish. Please contact your ShareFile administrator.
What it means: The user can't publish the template. This usually happens because the user doesn't have permission to access Personal Folders > Citrix_SecureForms.root > My Unpublished Templates, or Shared Folders > Citrix_SecureFormsTemplate.root > Default.workspace.
What to do: Log in to ShareFile as an administrator and add the user to the CitrixSecureFormsAdminUsers distribution group, following the instructions at Integration with ShareFile > Manual Setup. This gives the user permission to access these folders.

Error code 12502
Message user sees: You don't have permission to delete. Please contact your ShareFile administrator.
What it means: The user doesn't have permission to delete the particular form or template.
What to do: Log in to ShareFile as an administrator and give the user delete permission: Add the user to the CitrixSecureFormsAdminUsers distribution group, following the instructions at Integration with ShareFile > Manual Setup. Make sure that CitrixSecureFormsAdminUsers has delete permissions.

Error code 12503
Message user sees: You don't have permission to unpublish. Please contact your ShareFile administrator.
What it means: The user can't unpublish a template. This happens when the user has read-only access to the shared location, Shared Folders > Citrix_SecureFormsTemplate.root > Default.workspace.
What to do: Log in to ShareFile as an administrator and give the user full permission to the shared location. Add the user to the CitrixSecureFormsAdminUsers distribution group, following the instructions at Integration with ShareFile > Manual Setup. Make sure that CitrixSecureFormsAdminUsers has write permissions to the shared folder.

Error code 12504
Message user sees: Couldn't find or create the given NFS path.
What it means: One of several possible Network File System (NFS) errors has occurred:
- Invalid NFS connector name or no such connector (this returns a 404 HTTP)
- Not enough permission to create a new folder in the NFS connector
- NetScaler/NetScaler Gateway isn't handling the OPTIONS request through a separate load balancer/policy
- Anonymous/Windows authentication is disabled in the Storage Zone Controller
- Storage Zone Controller is down/unavailable
- Invalid credentials (user name, password, domain name)
- Citrix.com is not an allowable top-level domain.
What to do:
- Make sure the NFS connector name exists and is accessible in ShareFile.
- Check Shared Folders permissions.
- Check load balancer configuration in NetScaler.
- Make sure both Anonymous and Basic authentication are enabled in the Storage Zone Controller.
- Manually check to make sure the Storage Zone Controller is available.
- Verify the user's credentials.
- Add citrix.com as an allowable top-level domain.
For more information, see Configuring a Network File System.

Error code 12505
Message user sees: You've reached the duplication limit. Please delete some copies to continue.
What it means: A template has reached 100,000 duplicates, the maximum allowed.
What to do: Delete some templates.

Error code 12506
Message user sees: Couldn't find Personal Folders in your ShareFile account.
What it means: The top folder, Personal Folders, is unavailable. Usually, Personal Folders is created automatically in ShareFile when a user is added to a particular subdomain. Secure Forms creates a root folder in Personal Folders where all user-specific data is stored.
What to do: Make sure that the user is added to the folder as an employee, not as a client. For more information on the differences between employees and clients in ShareFile, see this article. There also may be a licensing issue, in which case you should contact ShareFile support or go to the MyCitrix portal for help.

Error code 12507
Message user sees: Couldn't find Shared Folders in your ShareFile account.
What it means: The folder Shared Folders is unavailable. Usually, Shared Folders is created automatically in ShareFile when a user is added to a particular subdomain. Secure Forms uses this location to access shared data.
What to do: Log in to ShareFile as an administrator. Make sure Shared Folders is available and that the user is in the group that has permission to access it. Follow the instructions at Integration with ShareFile > Manual Setup.

Error code 12508
Message user sees: Couldn't find the root folder in Shared Folders.
What it means: The folder Shared Folders > Citrix_SecureFormsTemplate.root is unavailable. This folder contains the default.workspace folder, where published forms are stored.
What to do: Log in to ShareFile as an administrator. Make sure Citrix_SecureFormsTemplate.root exists and that the user has permission to access it. Go to Integration with ShareFile > Manual Setup and follow the instructions at Create a folder called Citrix_SecureFormsTemplate.root.

Error code 12509
Message user sees: Couldn't find the data folder in Shared Folders.
What it means: The folder Shared Folders > Citrix_SecureFormsData.root is unavailable. Submitted forms are stored in this folder.
What to do: Log in to ShareFile as an administrator. Make sure Citrix_SecureFormsData.root exists and that the user has permission to access it. Go to Integration with ShareFile > Manual Setup and follow the instructions at Create a folder called Citrix_SecureFormsData.root.

Error code 12510
Message user sees: Couldn't find the default workspace in the Shared Folders.
What it means: The folder Shared Folders > Citrix_SecureFormsTemplate.root > default.workspace isn't available. Published forms are stored in this folder.
What to do: Log in to ShareFile as an administrator. Make sure the default.workspace folder exists and that the user has permission to access it. Go to Integration with ShareFile > Manual Setup and follow the instructions at Create a folder called default.workspace.

Error code 12511
Message user sees: Couldn't load the root folder in Shared Folders.
What it means: The folder Shared Folders > Citrix_SecureFormsTemplate.root failed to load.
What to do: Log in to ShareFile as an administrator and make sure the user has permission to access Shared Folders > Citrix_SecureFormsTemplate.root. Go to Integration with ShareFile > Manual Setup and follow the instructions at Give all folder permissions - download, upload, delete, and admin - to CitrixSecureFormsAdminUsers.

Error code 12513
Message user sees: Couldn't access ShareFile user information.
What it means: The Secure Forms mobile app is trying to access basic user information, such as first name, last name, or email, but ShareFile fails to respond. This usually happens when the administrator has disabled the user.
What to do: Log in to ShareFile as an administrator, go to Manage Users > Search Users and make sure the user isn't disabled.

Error code 12514
Message user sees: Please refresh this page and enter your company credentials.
What it means: In ShareFile Restricted Zone setups, a user entered the wrong credentials.
What to do: The user should refresh the page and enter the correct credentials.

Error code 12515
Message user sees: Access this website from within your organization's network. Contact your help desk if you continue to see this error.
What it means:
- A user canceled or closed the composer after an unsuccessful sign-on attempt.
- There are self-signed certificates that the browser doesn't trust.
- The user is trying to access a Restricted Zone from outside the network.
- A general network, Internet, or DNS failure has occurred.
What to do: The user should try again later or contact the help desk.

Error Code 12000
An error code of 12000 is an unidentified issue. You need to contact Citrix support. Follow these steps to generate console
logs and send them to Citrix.
1. Open the Chrome inspector. Right-click anywhere within the Chrome window and then select Inspect. The page source
code appears.
2. Get console logs. Click the Console tab in the inspector window. Right-click and then select Save as to save the logs as a
file. Close the inspector.
3. Contact Citrix. Click the dialog bubble icon in the upper-right corner of Secure Forms Composer. In the message window,
write a short description of the issue. Then, take a screen shot and attach the console log file.
Citrix Secure Mail
Nov 02, 2017
Citrix Secure Mail lets users manage their email, calendars and contacts on their mobile phones and tablets. To maintain
continuity from Microsoft Outlook or IBM Notes accounts, Secure Mail syncs with Microsoft Exchange Server and IBM
Notes Traveler Server.
As part of the Citrix suite of apps, Secure Mail benefits from single sign-on (SSO) compatibility with Citrix Secure Hub. After
users sign on to Secure Hub, they can move seamlessly into Secure Mail without having to reenter their user names and
passwords. You can configure Secure Mail to be pushed to users' devices automatically when the devices enroll in Secure
Hub, or users can add the app from the Store.
To begin, download Secure Mail and other XenMobile components from XenMobile Downloads.
For Secure Mail and other XenMobile App system requirements, see System requirements for XenMobile Apps.
Deploying Secure Mail as an enterprise app
Important
The MDX Toolkit 10.7.5 release is the final release that supports the wrapping of XenMobile Apps. You cannot use the MDX Toolkit
or the MDX Service 10.7.10 or later to wrap 10.7.5 or later versions of the XenMobile Apps. You must access XenMobile Apps
versions 10.7.5 and later from the public app stores.
Citrix will support both enterprise distribution and public app store distribution until December 31, 2017. After that, only
public app store distribution will be supported. The MDX Toolkit will continue to support enterprise wrapping for app
developers.
To deploy Secure Mail with XenMobile as an enterprise app, follow these general steps:
1. You can integrate Secure Mail with an Exchange Server or IBM Notes Traveler Server to keep Secure Mail in sync with
Microsoft Exchange or IBM Notes. If you use IBM Notes, configure the IBM Notes Traveler server. The configuration
uses Active Directory credentials to authenticate to Exchange or the IBM Notes Traveler server. For details, see
Integrating Exchange Server or IBM Notes Traveler Server.
2. You can optionally enable SSO from Secure Hub. To do so, you configure ShareFile account information in XenMobile to
enable XenMobile as a SAML identity provider for ShareFile. The configuration uses Active Directory credentials to
authenticate to ShareFile.
Configuring the ShareFile account information in XenMobile is a one-time setup used for all Citrix clients, ShareFile
clients, and non-MDX ShareFile clients. For details, see To configure ShareFile account information in XenMobile for SSO.
3. Download Secure Mail from the Citrix Downloads site and then wrap Secure Mail. For details, see About the MDX
Toolkit.
Add Secure Mail to XenMobile and configure MDX policies. For details, see Add an MDX app. For details about Secure Mail
policies, see the articles under MDX Policies at a Glance.
Note: As of Secure Mail version 10.6.5, you can configure a new MDX analytics policy for Secure Mail for iOS and Android.
Citrix collects analytics data to improve product quality. The Google Analytics level of detail policy allows you to specify
whether the data collected can be associated with your company domain or collected anonymously. Selecting Anonymous
opts users out of including the company domain with the data that is collected. This new policy replaces an earlier
Google analytics policy.
When the policy is set to anonymous, we collect the following types of data. We have absolutely no way to link this data
to an individual user or company because we do not request user identifiable information. No personally identifiable
information is sent to Google.
Device statistics, such as the operating system version, app version, and device model
Platform information, such as ActiveSync version and Secure Mail server version
Failure points for product quality like APNs registrations, mail sync failures, mail send failures, attachment download
failures, calendar sync failures, and so on
Note that other than company domain, no other identifiable information is collected when the policy is set to
Complete. Default is Complete.
Quick links to sections in this article
Microsoft IRM support
Email security classifications
Australian Signals Directorate Data Program
Secure Mail for iOS background app refresh
Secure Mail and ActiveSync
Exporting Contacts in Secure Mail
Secure Mail notifications
Secure Mail features
Spellcheck feature for iOS
Attaching files in Android
Joining meetings from calendar
Personal calendar overlay
Insert an inline image
Multiple Exchange accounts for iOS
Swipe to delete feature
Multiple Exchange accounts for Android
Print emails, calendar events, or inline images on iOS
Microsoft IRM support
Secure Mail for Android and Secure Mail for iOS support messages protected with Microsoft Information Rights
Management (IRM), subject to the configured IRM policy.
This feature allows organizations to use IRM to apply persistent protection to messaging content and allows mobile device
users to create and consume IRM-protected content. By default, IRM support is Off. To enable IRM support, set
the Information Rights Management policy to On.
Secure Mail supports the following template attributes:
Important: Attachments are not included in IRM support.
Attribute: ContentExpiryDate
Label in Secure Mail: No expiration or the expiration date
Description: Allows you to purge the body and attachments of the email message when the ContentExpiryDate has passed. Additionally, Secure Mail provides the ability to fetch the content again from the server.

Attribute: EditAllowed
Label in Secure Mail: Edit Content
Description: Specifies whether the user can modify the email message when the user forwards, replies, or replies all to the message.

Attribute: ExportAllowed
Description: Specifies whether the user can remove the IRM protection on the email message.

Attribute: ExtractAllowed
Label in Secure Mail: Copy Content
Description: Specifies whether the user can copy content out of the email messages.

Attribute: ForwardAllowed
Label in Secure Mail: Forward
Description: Specifies whether the user is allowed to forward the email message.

Attribute: ModifyRecipientsAllowed
Label in Secure Mail: Modify Recipients
Description: Specifies whether the user can modify the recipient list when the user forwards or replies to the email message.

Attribute: ProgrammaticAccessAllowed
Label in Secure Mail: Send to Other Apps
Description: Specifies whether the contents of the email message can be accessed programmatically by third-party applications.

Attribute: ReplyAllAllowed
Label in Secure Mail: Reply All
Description: Specifies whether the user can reply to all of the recipients of the original email message.

Attribute: ReplyAllowed
Label in Secure Mail: Reply
Description: Specifies whether the user is allowed to reply to the email message.

Users see the following Restrictions screen.
Some organizations may require strict adherence to their IRM policy. Users with access to Secure Mail may attempt to
bypass the IRM policy by tampering with Secure Mail, the operating system, or even the hardware platform.
Although XenMobile can detect certain attacks, you may want to consider the following precautionary measures to
increase security:
Review the security guidance supplied by the device vendor.
Configure devices accordingly, using XenMobile capabilities or otherwise.
Provide guidance to your users for the appropriate use of IRM features, including Secure Mail.
Deploy additional third-party security software to resist this type of attack.
Email security classifications
Secure Mail for iOS and Android supports email classification markings, enabling users to specify security (SEC) and
dissemination limiting markers (DLM) when sending emails. SEC markings include Protected, Confidential, and Secret. DLM
includes Sensitive, Legal or Personal. When composing an email, a Secure Mail user can select a marking to indicate the
classification level of the email, as shown in the following images.
Recipients can view the classification marking in the email subject. For example:
Subject: Planning [SEC = PROTECTED, DLM = Sensitive]
Subject: Planning [DLM = Sensitive]
Subject: Planning [SEC = UNCLASSIFIED]
Email headers include classification markings as an Internet Message Header Extension, shown in bold in this example:
Date: Fri, 01 May 2015 12:34:50 +530
Subject: Planning [SEC = PROTECTED, DLM = Sensitive]
Priority: normal
X-Priority: normal
X-Protective-Marking: VER-2012.3, NS=gov.au,SEC = PROTECTED, DLM = Sensitive,[email protected]
From: [email protected]
To: Team <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary="_com.example.email_6428E5E4-9DB3-4133-9F48155913E39A980"
Secure Mail only displays classification markings. The app does not take any actions based on those markings.
When a user replies to or forwards an email that has classification markings, the SEC and DLM values default to those of
the original email. The user can choose a different marking. Secure Mail does not validate such changes in relation to the
original email.
You configure email classification markings through the following MDX policies.
Email classification
If On, Secure Mail supports email classification markings for SEC and DLM. Classification markings appear in email headers as
"X-Protective-Marking" values. Be sure to configure the related email classification policies. Default value is Off.
Email classification namespace
Specifies the classification namespace that is required in the email header by the classification standard used. For example,
the namespace "gov.au" appears in the header as "NS=gov.au". Default value is empty.
Email classification version
Specifies the classification version that is required in the email header by the classification standard used. For example, the
version "2012.3" appears in the header as "VER=2012.3". Default value is empty.
Default email classification
Specifies the protective marking that Secure Mail applies to an email if a user does not choose a marking. This value must
be in the list for the Email classification markings policy. Default value is UNOFFICIAL.
Email classification markings
Specifies the classification markings to be made available to users. If the list is empty, Secure Mail does not include a list of
protective markings. The markings list contains value pairs that are separated by semicolons. Each pair includes the list value
that appears in Secure Mail and the marking value that is the text appended to the email subject and header in Secure Mail.
For example, in the marking pair "UNOFFICIAL,SEC=UNOFFICIAL;", the list value is "UNOFFICIAL" and the marking value is
"SEC=UNOFFICIAL".
Default value is a list of classification markings that you can modify. The following markings are provided with Secure Mail.
UNOFFICIAL,SEC=UNOFFICIAL
UNCLASSIFIED,SEC=UNCLASSIFIED
For Official Use Only,DLM=For-Official-Use-Only
Sensitive,DLM=Sensitive
Sensitive:Legal,DLM=Sensitive:Legal
Sensitive:Personal,DLM=Sensitive:Personal
PROTECTED,SEC=PROTECTED
PROTECTED+Sensitive,SEC=PROTECTED
PROTECTED+Sensitive:Legal,SEC=PROTECTED,DLM=Sensitive:Legal
PROTECTED+Sensitive:Personal,SEC=PROTECTED,DLM=Sensitive:Personal
PROTECTED+Sensitive:Cabinet,SEC=PROTECTED,DLM=Sensitive:Cabinet
CONFIDENTIAL,SEC=CONFIDENTIAL
CONFIDENTIAL+Sensitive,SEC=CONFIDENTIAL,DLM=Sensitive
CONFIDENTIAL+Sensitive:Legal,SEC=CONFIDENTIAL,DLM=Sensitive:Legal
CONFIDENTIAL+Sensitive:Personal,SEC=CONFIDENTIAL,DLM=Sensitive:Personal
CONFIDENTIAL+Sensitive:Cabinet,SEC=CONFIDENTIAL,DLM=Sensitive:Cabinet
SECRET,SEC=SECRET
SECRET+Sensitive,SEC=SECRET,DLM=Sensitive
SECRET+Sensitive:Legal,SEC=SECRET,DLM=Sensitive:Legal
SECRET+Sensitive:Personal,SEC=SECRET,DLM=Sensitive:Personal
SECRET+Sensitive:Cabinet,SEC=SECRET,DLM=Sensitive:Cabinet
TOP-SECRET,SEC=TOP-SECRET
TOP-SECRET+Sensitive,SEC=TOP-SECRET,DLM=Sensitive
TOP-SECRET+Sensitive:Legal,SEC=TOP-SECRET,DLM=Sensitive:Legal
TOP-SECRET+Sensitive:Personal,SEC=TOP-SECRET,DLM=Sensitive:Personal
TOP-SECRET+Sensitive:Cabinet,SEC=TOP-SECRET,DLM=Sensitive:Cabinet
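Because Secure Mail only displays markings and does not validate changes made on reply or forward, any enforcement has to happen elsewhere, for example at a mail gateway. The following Python sketch is an added example, not Citrix code: it parses an Email classification markings policy value, builds and parses X-Protective-Marking values, and flags a reply whose marking is lower than the original's. The header layout produced by build_header, the SEC ranking order, and the sample addresses and messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Constructed sample of an "Email classification markings" policy value,
# built from pairs in the default list on this page.
MARKINGS_POLICY = (
    "UNOFFICIAL,SEC=UNOFFICIAL;"
    "Sensitive,DLM=Sensitive;"
    "PROTECTED,SEC=PROTECTED;"
    "PROTECTED+Sensitive:Legal,SEC=PROTECTED,DLM=Sensitive:Legal;"
    "SECRET,SEC=SECRET;"
)

# Assumption: SEC levels rank in the order the default list presents them.
SEC_RANK = ["UNOFFICIAL", "UNCLASSIFIED", "PROTECTED",
            "CONFIDENTIAL", "SECRET", "TOP-SECRET"]


def parse_markings_policy(policy):
    """Split 'list value,marking value;' pairs into {list value: marking value}."""
    pairs = {}
    for entry in policy.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # trailing semicolon
        # Only the first comma separates the list value from the marking value;
        # the marking value itself may contain commas (SEC=...,DLM=...).
        label, sep, marking = entry.partition(",")
        if not sep or not marking.strip():
            raise ValueError("malformed marking pair: %r" % entry)
        pairs[label.strip()] = marking.strip()
    return pairs


def build_header(version, namespace, marking):
    """Compose an X-Protective-Marking value (layout assumed from the page's sample)."""
    return "VER=%s, NS=%s, %s" % (version, namespace, marking.replace(",", ", "))


def parse_protective_marking(value):
    """Return the KEY=VALUE fields of a header value, tolerating 'SEC = X' spacing."""
    fields = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def sec_rank(fields):
    """Rank of the SEC field; -1 when the field is absent or unrecognised."""
    sec = fields.get("SEC", "").upper()
    return SEC_RANK.index(sec) if sec in SEC_RANK else -1


def make_message(subject, marking_value):
    """Constructed test message; marking_value=None omits the header."""
    lines = ["From: sender@example.com", "To: team@example.com",
             "Subject: " + subject]
    if marking_value is not None:
        lines.append("X-Protective-Marking: " + marking_value)
    return "\n".join(lines) + "\n\nbody\n"


def check_reply(original_raw, reply_raw):
    """Compare a reply's marking with the original's and list what changed."""
    orig = parse_protective_marking(
        message_from_string(original_raw).get("X-Protective-Marking", ""))
    reply = parse_protective_marking(
        message_from_string(reply_raw).get("X-Protective-Marking", ""))
    findings = []
    if not reply:
        findings.append("reply has no protective marking")
    elif sec_rank(reply) < sec_rank(orig):
        findings.append("SEC lowered or unrecognised: %s -> %s"
                        % (orig.get("SEC"), reply.get("SEC", "none")))
    if orig.get("DLM") and reply and reply.get("DLM") != orig.get("DLM"):
        findings.append("DLM changed: %s -> %s"
                        % (orig["DLM"], reply.get("DLM", "none")))
    return findings


if __name__ == "__main__":
    pairs = parse_markings_policy(MARKINGS_POLICY)
    original = make_message("Planning", build_header(
        "2012.3", "gov.au", pairs["PROTECTED+Sensitive:Legal"]))
    reply = make_message("RE: Planning", build_header(
        "2012.3", "gov.au", pairs["UNOFFICIAL"]))
    for finding in check_reply(original, reply):
        print(finding)
```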
Australian Signals Directorate Data Protection
Secure Mail supports Australian Signals Directorate data protection for those enterprises that must meet ASD computer
security requirements. By default, the Enable iOS data protection policy is Off and Secure Mail provides Class C data
protection or uses the data protection set in the provisioning profile.
If the policy is On, Secure Mail specifies the protection level when creating and opening files in the app sandbox. Secure
Mail sets Class A data protection on:
Outbox items
Photos from the camera or camera roll
Images pasted from other apps
Downloaded file attachments
Secure Mail sets Class B data protection on:
Stored mail
Calendar items
Contacts
ActiveSync policy files
Class B protection enables a locked device to sync and enables downloads to complete if a device is locked after the
download starts.
With data protection enabled, queued outbox items are not sent when a device is locked because the files cannot be
opened. And, if the device terminates and then restarts Secure Mail when a device is locked, Secure Mail is unable to sync
until the device is unlocked and Secure Mail starts.
Citrix recommends that, if you enable this policy, you enable Secure Mail logging only when needed to avoid the creation of
log files with Class C data protection.
Secure Mail for iOS background app refresh
If Secure Mail for iOS is configured to provide notifications through iOS background app refresh (and not APNs), Secure
Mail email refresh works in the following ways:
When users enable Background App Refresh on the device (Settings > General > Background App Refresh) and
Secure Mail is running in the background, mail is synced with the server. The sync frequency depends on a variety of
factors.
If the user disables Background App Refresh, the app never receives email while running in the background.
When users move Secure Mail to the background, the app continues to run within a grace period before the app is
suspended.
While running in the foreground, Secure Mail shows real-time email activity, regardless of the Background App Refresh
setting.
Secure Mail and ActiveSync
Secure Mail syncs with Exchange Server via the ActiveSync messaging protocol to give users real-time access to their
Outlook mail, contacts, calendar events, automatically generated mailboxes, and user-created folders.
Note: ActiveSync doesn't support the synchronization of Exchange public folders. In Exchange Server 2013, ActiveSync
doesn't sync the Drafts folder.
To sync user-created folders, follow these steps:
iOS:
1. Go to Settings > Auto Refresh.
2. Set Auto Refresh to On.
3. Tap On. A list of all mailboxes appears.
4. Tap the folders you want to sync.
Android:
1. Go to the Mailboxes list.
2. Tap the mailbox you want to sync.
3. Tap the More icon in the lower-right corner.
4. Tap Sync options.
5. Under Check frequency, select how often you want the folder to sync.
Exporting contacts in Secure Mail
Secure Mail users can continuously sync their contacts with the phone address book, do a one-time export of an individual
contact to the phone address book, or share a contact as a vCard attachment.
To allow these features, set the Export Contacts policy for Secure Mail in the XenMobile console to ON.
When the policy is ON, the following options are enabled in Secure Mail:
Sync with Local Contacts in Settings
Exporting individual contacts
Share contacts as vCard attachments
When the Export Contacts policy is OFF, those options do not appear in the app.
Once the policy is enabled, to continuously sync contacts from the mail server to the phone address book, users need to
set Sync with Local Contacts to ON. As long as Sync with Local Contacts is ON, any updates to contacts in Exchange
or Secure Mail trigger an update to local contacts.
Due to Android limitations, if any Exchange or Hotmail account is already set to sync with local contacts, Secure Mail is
unable to sync contacts.
On iOS, Secure Mail contacts can be exported and synced with the phone contacts even if a Hotmail or Exchange account
is set up on the device. You configure this feature in XenMobile through the Override Native Contacts Check policy for
Secure Mail. This policy determines if Secure Mail should override the check for contacts from an Exchange/Hotmail
Account configured in the native Contacts app. If On, the app syncs contacts to the device even if the native Contacts app
is configured with Exchange/Hotmail Account. If Off, the app continues to block contacts sync. Default is On.
Secure Mail notifications
The following table summarizes how notifications are handled for supported mobile devices when Secure Mail is running in
the foreground or background.
With Secure Mail running in the foreground, notifications are handled as follows:
iOS: Secure Mail maintains a persistent ActiveSync connection to sync email and calendar activity.
Android: Secure Mail maintains a persistent ActiveSync connection to sync email and calendar activity.
With Secure Mail running in the background (or terminated), notifications are handled as follows:
iOS: Secure Mail receives notifications through the iOS background app refresh functionality or, if configured, APNs. For configuration details, see Push Notifications for Secure Mail for iOS.
Android: Secure Mail maintains a persistent ActiveSync connection.
Secure Mail features
Secure Mail interactivity with other XenMobile Apps and ShareFile lets users access, edit, share, and save documents
seamlessly, without leaving the secure environment set by your organization's policies. For example, tapping a link in Secure
Mail opens the site in Secure Web. Users can open and edit attachments with Citrix QuickEdit for XenMobile, and they can
select text from one or multiple emails and then add the information to Secure Notes. Attachments are downloaded into
the user's Citrix ShareFile for XenMobile space.
Other security-enhancing features include the ability to control which contact fields a user can export and which mail and
calendar notifications pop up on a locked screen.
For a full list of Secure Mail features for each platform, see XenMobile Apps Features by Platform.
The following two figures show what users see when first opening Secure Mail, as well as the various options within the
app. For the PDF version of the figures, download the Secure Mail Quick Reference Guide.
Spellcheck feature for iOS
Secure Mail spellcheck interacts with the device Auto-Capitalization and Check Spelling settings under General > Keyboard
in the following ways:
Auto-Correction on Device | Check Spelling on Device | Check Spelling in Secure Mail | Behavior
ON | ON | ON | Red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | OFF | ON | Red line shows. When tapped, no suggestion appears.
ON | ON | OFF | No red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | OFF | OFF | No red underline, highlighting, or suggestion appear.
ON | OFF | ON | Red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | ON | ON | Red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
ON | OFF | OFF | No red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
OFF | ON | OFF | No red underline shows. When tapped, the word is highlighted in pink and a suggestion appears.
Attaching files in Android
In Secure Mail/WorxMail versions 10.3.5 and later, Android users can't attach images directly from the Gallery app when the
Inbound document exchange (Open-in) policy is set to Restricted. If you want to keep this policy set to Restricted but
still allow users to add photos from the Gallery, follow these configuration steps in the XenMobile console.
1. Set Block gallery to Off.
2. Get the Gallery package ID for devices. Some examples:
LG Nexus 5:
com.google.android.gallery3d, com.google.android.apps.photos
Samsung Galaxy Note 3:
com.sec.android.gallery3d, com.sec.android.gallery3d.panorama360view, com.google.android.apps.photos
Sony Xperia:
com.sonyericsson.album, com.google.android.apps.photos
HTC:
com.google.android.apps.photos, com.htc.album
Huawei:
com.android.gallery3d, com.google.android.apps.photos
3. Make the hidden policy InboundDocumentExchangeWhitelist visible:
Download the WorxMail APK file and wrap the file with the MDX Toolkit.
Find the .mdx file on your computer and change the file suffix to .zip.
Open the .zip file and find the policy_metadata.xml file.
Search for and change InboundDocumentExchangeWhitelist from <PolicyHidden>true</PolicyHidden> to
<PolicyHidden>false</PolicyHidden>.
Save the policy_metadata.xml file.
Select all the files in that folder and compress to create the .zip file.
Note: Don't zip the outer folder. Select all files inside the folder and compress the selected files.
Click on the resulting compressed file.
Choose Get Info and change the file suffix back to .mdx.
4. Upload the modified .mdx file to the XenMobile console and add the list of Gallery package IDs to the now-visible
Inbound document exchange whitelist policy.
Ensure that the package IDs are comma-separated:
com.sec.android.gallery3d, com.sec.android.gallery3d.panorama360view, com.google.android.apps.photos
5. Save and deploy Secure Mail.
Android users can now attach an image from the Gallery app.
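The repack in step 3 and the comma-separated list in step 4 can be scripted so that only the one flag changes and the archive layout is preserved. This is an added example, not Citrix code. The layout of policy_metadata.xml in the constructed sample is an assumption (the page shows only the PolicyHidden element), and unhide_policy_xml, repack_mdx, format_whitelist and build_sample_mdx are hypothetical helper names.

```python
import re
import zipfile

POLICY = "InboundDocumentExchangeWhitelist"
HIDDEN_RE = re.compile(r"<PolicyHidden>\s*(true|false)\s*</PolicyHidden>")
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def unhide_policy_xml(xml_text, policy_name=POLICY):
    """Set the first PolicyHidden flag that follows policy_name to false.

    Assumption: the name appears exactly once as element text and its
    PolicyHidden element comes after it inside the same policy entry.
    Anything else raises instead of guessing which flag to flip.
    """
    marker = f">{policy_name}<"
    if xml_text.count(marker) != 1:
        raise ValueError(f"expected exactly one element naming {policy_name}")
    match = HIDDEN_RE.search(xml_text, xml_text.index(marker))
    if match is None:
        raise ValueError("no PolicyHidden element after the policy name")
    return xml_text[:match.start(1)] + "false" + xml_text[match.end(1):]


def repack_mdx(src_path, dst_path, policy_name=POLICY):
    """Copy the .mdx (a zip archive) member by member, editing only policy_metadata.xml.

    Member names are reused unchanged, so the rebuilt archive has the same
    layout as the original and gains no extra outer folder.
    Returns True if the flag was changed, False if it was already false.
    """
    found = changed = False
    with zipfile.ZipFile(src_path) as src, zipfile.ZipFile(dst_path, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename.rsplit("/", 1)[-1] == "policy_metadata.xml":
                found = True
                text = data.decode("utf-8")  # assumption: the file is UTF-8
                edited = unhide_policy_xml(text, policy_name)
                changed = changed or edited != text
                data = edited.encode("utf-8")
            dst.writestr(item, data)
    if not found:
        raise ValueError("policy_metadata.xml not found in archive")
    return changed


def format_whitelist(package_ids):
    """Validate Android package IDs and return the comma-separated policy value."""
    cleaned = []
    for pid in package_ids:
        pid = pid.strip()
        if not PACKAGE_RE.match(pid):
            raise ValueError(f"not a package ID: {pid!r}")
        if pid not in cleaned:  # drop repeats, keep the original order
            cleaned.append(pid)
    return ", ".join(cleaned)


def build_sample_mdx(path):
    """Write a constructed stand-in for a wrapped .mdx; the XML layout is hypothetical."""
    xml = (
        "<Policies>\n"
        "<Policy><PolicyName>ExamplePolicyA</PolicyName>"
        "<PolicyHidden>true</PolicyHidden></Policy>\n"
        f"<Policy><PolicyName>{POLICY}</PolicyName>"
        "<PolicyHidden>true</PolicyHidden></Policy>\n"
        "<Policy><PolicyName>ExamplePolicyB</PolicyName>"
        "<PolicyHidden>true</PolicyHidden></Policy>\n"
        "</Policies>\n"
    )
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("policy_metadata.xml", xml)
        archive.writestr("payload.apk", b"constructed placeholder bytes")


if __name__ == "__main__":
    import os
    import tempfile

    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "SecureMail.mdx")
    rebuilt = os.path.join(workdir, "SecureMail-visible.mdx")
    build_sample_mdx(original)
    print("flag changed:", repack_mdx(original, rebuilt))
    print(format_whitelist(["com.sec.android.gallery3d",
                            "com.google.android.apps.photos"]))
```

Keep the list passed to format_whitelist to the Gallery packages actually present on your managed devices, since every entry widens what the Restricted Open-in policy lets in.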
Supported file formats
An X indicates a file format that can be attached, viewed, and opened in Secure Mail.
iOS
Android
VIDEO *
H.263 AMR NB codec_Mp4
X
H.263 AMR NB codec_3gp
X
H.264 AAC codec_3gp
X
X
H.264 AAC codec_mp4
X
X
H.264 Acclc codec_mp4
X
X
GTM recorded_wmv
X
AVI
X
FLV
X
WAV
X
X
MP4
X
X
3GP
X
X
Flac
X
AAC
X
X
M4A
X
X
3GP(AMR-NB)
X
X
MP3
X
X
WAV
X
X
WMA
X
OGG
X
ICO
X
X
JPEG
X
X
PNG
X
TIF (single-page only)
X
BMP
X
X
GIF
X
X
WebP
X
X
.dot
X
X
PDF
X
X
PPT
X
X
PPTX
X
X
DOC
X
X
DOCX
X
X
XLS
X
X
XLSM
X
X
XLSX
X
X
TXT
X
X
POT
X
X
HTM
X
X
HTML
X
X
ZIP
X
X
EML
X
X
Joining meetings from Calendar
In Secure Mail, users can join meetings directly from invitations in Calendar. The following tables list which meeting types
and phone number formats are supported, and dial-in requirements for each.
Supported Meeting Types
Meeting type: GoToMeeting (GTM)
Identification requirements: One of the following in the meeting content:
1. This type of URL: https://www1.gotomeeting.com/join/1234567892.
GTM access code in any of these formats:
2. GTM: 123456789
3. GTM – 123456789
4. G2M – 123456789
5. G2M: 123456789
Action after tapping Join Meeting: If the GTM app is installed, the app opens and user joins meeting.
If the app is not installed, the user sees an option to go to the app store to install GTM.
For GTMs in the gotomeet.me/username format, the app opens and the user joins the meeting.
Meeting type: WebEx
Identification requirements: This type of URL anywhere in the meeting content:
https://companyname.webex.com/...
Action after tapping Join Meeting: Citrix Secure Web opens and opens the unwrapped WebEx app, if installed on the device.
WebEx must be added as an exception in the Secure Web Restricted Open-in exception list on Android and in the Allowed
URLs policy on iOS.
Meeting type: Lync
Action after tapping Join Meeting: Join Meeting is not supported for Lync meetings. Only dial-in is supported. For details,
see the dial-in specifications later in this article.
Users can click a link that opens in Secure Web, which then opens the unwrapped Lync app if installed on the device.
Add the Lync app as an exception in the Secure Web Restricted Open-In exception list policy on Android. Add the exception
in the Allowed URLs policy on iOS.
Configuring the following table of policies allows users to tap a meeting link to open the relevant app.
Meeting type: Webex (Unwrapped app)
iOS - "Allow URLs" Policy: +^wbx:
Eg. Policy string: ^http:,^https:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^colg2m-2:,+^col-g2w-2:,+^wbx:,+^maps:ios_addr:
Android - "Open-in Exclusions" Policy: {action=android.intent.action.VIEW scheme=wbx package=com.cisco.webex.meetings}
Meeting type: Skype for Business / Lync
iOS - "Allow URLs" Policy: +^lync:
Android - "Open-in Exclusions" Policy: {action=android.intent.action.VIEW scheme=lync package=com.microsoft.office.lync15}
Meeting type: Skype
iOS - "Allow URLs" Policy: +^skype:
Android - "Open-in Exclusions" Policy: {action=android.intent.action.VIEW scheme=skype package=com.skype.raider}
Dial-In Specifications
Meeting type: GoToMeeting (GTM)
Supported phone number formats:
1. Any phone number in GTM formats.
Examples:
India (toll-free): 000 800 100 7855
United States (toll-free): 1 877 309 2073
2. Any phone number that satisfies RFC 3966 format standards. (http://www.ietf.org/rfc/rfc3966.txt)
Supported conference code formats: The conference code is picked up from any of the following formats in the meeting body:
URL (*.gotomeeting.com/join/123456789)
URL (gotomeet.me/username format)
"GTM" formats such as "GTM:123456789"
"G2M" formats such as "G2M:123456789"
Formats such as "Access Code: 123456789"
Meeting type: WebEx
Supported phone number formats:
1. Any phone number in WebEx Call-in formats.
Examples (both Verizon and U.S.):
1-866-652-5088
1-517-466-3109
2. Any phone number in WebEx Audio Connection formats.
Example:
1-650-479-3207 (US toll)
3. Any phone number that satisfies RFC 3966 format standards.
Supported conference code formats: The meeting content must contain one of these formats:
1. Meeting number: 123 456 789
2. Access code: 123 456 789
Note: For conference codes that are nine digits or fewer, the # key is added automatically to dial in to the meeting.
Meeting type: Lync
Supported phone number formats: Any phone number in RFC 3966 formats (http://www.ietf.org/rfc/rfc3966.txt).
Supported conference code formats: The meeting body contains this text:
"Conference ID: 123456789"
Note: The # key is added automatically for Lync meetings.
Meeting type: Generic audio conference information
Supported phone number formats: Any phone number in RFC 3966 formats (http://www.ietf.org/rfc/rfc3966.txt).
Examples:
5555555555
(555) 555-5555
555-555-5555
555-555-555-5555 (in case of country code)
1-555-555-5555
+1-555-555-5555
Note: Use a single separator between digits in the phone number. For example, “) –“ can cause the
number not to be recognized.
Supported conference code formats: Recommended format:
"(phone number)","(code)"
You can specify up to four commas and provide the # key if necessary. See the table later in this document for a list of
supported formats.
For an audio conference, the following formats let users tap Dial In. If they tap the phone number from the body of the
calendar meeting, however, they can dial into the meeting. They must then type conference codes manually. The following
phone number and conference code formats are supported.
Supported phone number formats: Any phone number in RFC 3966 formats.
Examples:
5555555555
(555) 555-5555
555-555-5555
555-555-555-5555 (in case of country code)
1-555-555-5555
+1-555-555-5555
Conference code separator | Example
Participant Code | 1-888-999-9999 Participant Code: 9999999
Participant PIN | 1-888-999-9999 Participant PIN: 99999999
Guest Code | 1-888-999-9999 Guest Code: 99999999
Guest PIN | 1-888-999-9999 Guest PIN:99999999
Participant/Guest Code | 1-888-999-9999 Participant/Guest Code:99999999
Chair Code | 1-888-999-9999 Chair Code:99999999
Chair PIN | 1-888-999-9999 Chair PIN:99999999
Chairperson Code | 1-888-999-9999 Chairperson Code:99999999
Chairperson PIN | 1-888-999-9999 Chairperson PIN:99999999
Host PIN | 1-888-999-9999 Host PIN:99999999
PIN | 1-888-999-9999 PIN:99999999
Access Code | 1-888-999-9999 Access Code:99999999
Code | 1-888-999-9999 Code:99999999
Conference Code | 1-888-999-9999 Conference Code:99999999
Conference ID | 1-888-999-9999 Conference ID:99999999
, | +1 (631) 992-3240,958209234#
,, | +1 (631) 992-3240,,958209234#
,,, | +1 (631) 992-3240,,,958209234#
,,,, | +1 (631) 992-3240,,,,958209234#
passcode | +1 (631) 992-3240 passcode 958209234#
ext: | +1 (631) 992-3240 ext:958209234#
ext. | +1 (631) 992-3240 ext. 958209234#
;ext= | +1 (631) 992-3240; ext. 958209234#
extn | +1 (631) 992-3240 extn 958209234#
HC | +1 (631) 992-3240 HC 958209234#
xtn | +1 (631) 992-3240 xtn 958209234#
xt | +1 (631) 992-3240 xt 958209234#
x | +1 (631) 992-3240 x 958209234#
PC | +1 (631) 992-3240 PC 958209234#
pc | +1 (631) 992-3240 pc 958209234#
Personal calendar overlay
On iOS and Android devices, you can import your personal calendar from the native calendar app and view your personal
events in Secure Mail. Enable this feature by going to Secure Mail settings and then turning On Personal Calendar. Select a
color for your personal events that you want to display in Secure Mail. This is a read-only view that is only visible to users.
The personal calendar information does not sync back to the Exchange or Lotus Notes mail server.
You enable the personal calendar overlay either from the pop up notification or from Secure Mail settings.
The first set of figures shows the feature on an iOS device. The subsequent set of figures shows the feature on an Android
device.
Once you have enabled the feature, you can select a color for your personal mail items.
You can select which personal calendars appear from the settings screen.
The following figures show the feature on an Android device.
Secure Mail also displays the following details about a personal calendar event:
• Account name of the sender
• Invitees
• Meeting notes
Secure Mail for Android displays any conflicts with your personal calendar event while creating or rescheduling an Exchange
account calendar event.
Below is a video demonstrating the Personal Calendar overlay feature.
Insert an inline image
1. To attach an inline image to your email, long press in the mail body. From the options that appear, tap Insert Picture.
2. Secure Mail may prompt you for access to your Photos. The Photos gallery appears. Navigate to the gallery and tap
the picture you want to insert.
3. The mail now contains the image you selected.
Multiple Exchange accounts for iOS
From Settings within Secure Mail, you can now add multiple Exchange email accounts and switch between them. This
feature allows you to monitor all your mails, contacts, and calendars in one place.
Prerequisites
A user name and password are required to configure additional accounts. Automatic enrollment or credential store
configurations apply only to the first account setup in the app. Type the user name and password for all additional
accounts.
To allow additional accounts to connect to a domain or Exchange Server in an external network, you must set split
tunneling to ON in Citrix NetScaler.
Secure Mail for iOS supports Exchange and Office 365 mail servers only.
To add an Exchange email account for iOS
1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap + Add Exchange Account.
3. In the Exchange screen, type the credentials for the new account.
Optionally, you can set values for the following parameters:
Sync Mail Period – Tap to select a value for the sync mail period. The value you set specifies the number of mail days
for Secure Mail to synchronize. Your administrator sets the default value.
Make this my default account – Tap to set the new account as your default account. The value is set to OFF by
default.
4. Tap Sign On to create the account.
You can view the new account in the Settings screen under the ACCOUNTS menu.
Note: The default or primary account uses certificate-based authentication because Secure Mail can only receive a single
user certificate from XenMobile Server. Additional accounts must use authentication based on Active Directory.
Note: Citrix recommends that you do not configure multiple accounts on shared devices.
To edit an account
You can edit the password and description of an email account.
1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to edit.
3. In the Account screen, edit the fields.
4. Tap Save to confirm your action or tap Cancel to return to the Settings screen.
To delete an account
1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to delete.
3. In the Account screen, tap Delete Account at the bottom of the screen or tap Cancel to return to the Settings
screen.
4. Tap Delete to confirm your action.
Note: If you delete the default account, the next account will become the default account.
To set a default account
Secure Mail uses the default account in the following scenarios:
Composing emails. The From: field auto-populates with the email ID of the default account.
Creating calendar events. The Organizer field auto-populates with the email ID of the default account.
App badge count. Indicates the unread mail count of the default account.
When you add one or more email accounts, the first account you create is the default account. To change the default
account, navigate to Settings > General > Default.
In the Default Email screen, tap the account you want to set as default.
Alternatively, you can navigate to Settings > ACCOUNTS and then tap the account you want to set as default. In the
Account screen, enable the Make this my default account feature.
Settings
If you have configured multiple Exchange accounts, some of the Secure Mail settings are available to each of these
accounts individually, whereas other settings are global. The following settings are account-specific:
Default
Notifications
Auto Refresh
Out of Office
Sync Mail Period
S/MIME
Offline Files
Signature
Sync with Local Contacts
Export Settings
These settings appear with the > icon. Tap the > icon to view the accounts on your device.
To apply the setting to a specific account, expand a setting item by tapping > and then select the email account.
Note: You can only import the previously exported Secure Mail settings to the default or primary account.
Mail
The Mailboxes screen displays all the accounts you have configured and has the following views:
All Accounts. Contains emails from all Exchange accounts that you have configured.
Individual accounts. Contains emails and folders of an individual account. These accounts appear as a list that you can
expand to view the subfolders.
The All Accounts mailbox is the global view by default. This view contains attachments and emails from all Exchange
accounts that you have configured on your device.
The All Accounts mailbox has the following menu items:
All attachments
Inbox
Unread
Flagged
Drafts
Sent Items
Outbox
Deleted Items
Although the All Accounts view displays your emails from multiple accounts collectively, the following actions use the
email address of the default or primary account:
New message
New event
To change the email address of the sender while composing a new mail from the All Accounts view, tap the default
address in the From: field and select a different account from the mail accounts that appear.
Note: Composing an email from the conversation view auto-populates the From: field with the email address that
conversation is addressed to.
Individual accounts
All the accounts you have configured appear as a list below All Accounts. The default or the primary account always
appears first followed by the other accounts in alphabetical order.
The individual accounts display any subfolders you might have created. You can view the subfolders by tapping the V
icon next to the folder.
The following actions are limited to individual accounts only:
Moving items.
Composing emails from conversation view.
Importing vCard.
Saving contacts.
Contacts
To view your contacts, tap CONTACTS from the slide-out menu and then tap the hamburger icon on the top left. The
Contacts screen displays the following items:
All Contacts. Displays all contacts from multiple email accounts.
Individual accounts. Displays contacts pertaining to the individual accounts that you have configured.
You can synchronize contacts pertaining to an individual account to your local contacts.
To sync with local contacts:
1. Navigate to Settings > Contacts > Sync with Local Contacts and then tap > to expand the menu.
2. In the Sync Local Contacts screen, enable the account whose contacts you want to sync.
3. Tap OK.
4. When prompted to allow Secure Mail to access your contacts, tap OK.
You have now successfully exported contacts for the account.
To undo this action, go to Settings > Contacts > Sync with Local Contacts and then tap on the switch next to the
account to disable this feature. Tap Yes, Delete to confirm your action.
If you have created folders or subfolders for your contacts using Microsoft Outlook, you can view them in Secure Mail.
To view the contact folders:
1. Tap Contacts from the slide-out menu.
The Contacts folders and subfolders pertaining to the individual accounts are displayed.
2. Tap an account to view all the contacts associated with that account.
3. To view contacts from a folder or subfolder, tap the respective folder or subfolder.
The contacts associated with that folder are displayed.
Calendar
The calendar displays all events pertaining to the multiple accounts on your device. You can set colors to individual accounts
to differentiate calendar events pertaining to individual accounts.
To set colors to calendar events
1. Select CALENDAR from menu.
2. Tap the hamburger icon on the top left.
The Calendars screen displays all the accounts you have configured.
3. Tap on the default color displayed on the right of an Exchange account.
The Colors screen displays the available colors for that account.
4. Select a color of your choice and then tap Save.
5. To return to the previous screen, tap Cancel.
The selected color is set for all calendar events pertaining to that Exchange account.
When you are creating a calendar invitation or event, the Organizer field auto-populates with the email address of the
default account. To change the mail account, tap this email address and select another account.
Note: When you exit and then launch Secure Mail, the app restores the last configured calendar settings on your device.
Search
You can perform a global search from the All Accounts or the All Contacts view. This action displays the appropriate
results after searching all the accounts in the app.
All searches from within an individual account display results pertaining to that account only.
Swipe to delete
On iOS and Android devices, you perform the following actions by swiping an email either left or right.
• More
• Flag
• Delete
• Mark
The following table captures the actions available on swipe gestures in various folders:
Folders
Left swipe
Long left swipe
Right swipe
Delete
Read/Unread
Delete
Read/Unread
Delete
No Action
Reply/Reply All
No Action
Delete
Inbox/Sent/Delete
Flag/Unflag
More
Delete
Drafts
Flag/Unflag
Delete
Outbox
Resend/Cancel
Forward
Server Results
Reply/Reply All
Tap on one of the menu items to perform further actions.
You swipe right to perform the Mark action.
The following sections provide more information about each menu item.
The More menu displays the following options:
Reply
Reply All
Forward
Move
Cancel
The Flag option allows you to mark the email for faster reference. You can also use this option to clear the status of a
previously flagged email.
The Delete option allows you to delete the selected email.
You can also delete an email by long swiping the email item toward the left.
In both delete scenarios, the Undo button appears for a few seconds so you can reverse the action.
You can delete multiple emails by long pressing an email item and then selecting the emails that you want to delete.
The Mark option allows you to mark an email as read or unread. This swipe gesture lets you toggle between the two Mark as
states - Read and Unread.
Multiple Exchange accounts f or Android
From Settings within Secure Mail, you can now add multiple Exchange email accounts and switch between them. T his
feature allows you to monitor all your mails, contacts, and calendars in one place.
Prerequisites
A user name and password is required to configure additional accounts. Automatic enrollment or credential store
configurations applies only to the first account setup in the app. Type the user name and password for all additional
accounts.
If the first account you create is certificate-based, you cannot add further certificate-based accounts.
T o allow additional accounts to connect to a domain or Exchange Server in an external network, you must set split
tunneling to ON in Citrix NetScaler.
Secure Mail for iOS supports Exchange and Office 365 mail servers only.
To add an Exchange email account f or Android
1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap + Add account.
3. In the Add account screen, type the credentials for the new account.
Optionally, you can set values for the following parameters:
Sync mail period – Tap to select a value for the sync mail period. The value you set specifies the number of mail days
for Secure Mail to synchronize. Your administrator sets the default value.
Make this my default account – Tap to set the new account as your default account. The value is set to OFF by
default.
4. Tap Sign In to create the account.
You can view the new account in the Settings screen under the ACCOUNTS menu.
Note
Additional accounts must use authentication based on Active Directory. Secure Mail does not support certificate-based
authentication when configuring multiple accounts.
To edit an account
You can edit the password and description of an email account.
1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to edit.
3. In the Account details screen, edit the fields.
4. Tap Save to confirm your action or tap Cancel to return to the Settings screen.
To delete an account
1. Open Secure Mail and then tap Settings.
2. Under ACCOUNTS, tap the account you want to delete.
3. In the Account details screen, tap Delete account at the bottom of the screen or tap Cancel to return to the
Settings screen.
4. Tap Delete to confirm your action.
Note
If you delete the default account, the next account will become the default account.
To set a default account
Secure Mail uses the default account in the following scenarios:
Composing emails. The From: field auto-populates with the email ID of the default account.
Creating calendar events. The Organizer field auto-populates with the email ID of the default account.
When you add one or more email accounts, the first account you create is the default account. To change the default
account, navigate to Settings and then tap Default under General.
In the Default account screen, tap the account you want to set as default.
Settings
If you have configured multiple Exchange accounts, some of the Secure Mail settings are available to each of these
accounts individually, whereas other settings are global. The following settings are account-specific:
Default
Notifications
Out of Office
Sync inbox frequency
Sync mail period
Sync email
S/MIME
Offline Files
Signature
Quick responses
Sync calendar
Sync contacts
Sync with local contacts
Export Settings
These settings appear with the > icon. Tap the > icon to view the accounts on your device.
To apply the setting to a specific account, expand a setting item by tapping > and then select the email account.
Mail
The Mailboxes screen displays all the accounts you have configured and has the following views:
All Accounts. Contains emails from all Exchange accounts that you have configured.
Individual accounts. Contains emails and folders of an individual account. These accounts appear as a list that you can
expand to view the subfolders.
To view your mailboxes, select Mail from the slide-out menu. In the Mailboxes screen, tap the account to expand the
options.
The All Accounts mailbox is the global view by default. This view contains attachments and emails from all Exchange
accounts that you have configured on your device.
Although the All Accounts view displays your emails from multiple accounts collectively, the following actions use the
email address of the default or primary account:
New message
New event
To change the email address of the sender while composing a new mail from the All Accounts view, tap the default
address in the From: field and select a different account from the mail accounts that appear.
Note
Composing an email from the conversation view auto-populates the From: field with the email address that conversation is
addressed to.
Individual accounts
The default or the primary account always appears first, followed by the other accounts in alphabetical order.
The individual accounts display any subfolders you might have created.
The following actions are limited to individual accounts only:
Moving items.
Composing emails from conversation view.
Saving contacts.
Contacts
To view your contacts, tap CONTACTS from the slide-out menu and then tap the hamburger icon on the top left. The
Contacts screen displays the following items:
All Contacts. Displays all contacts from multiple email accounts.
Individual accounts. Displays contacts pertaining to the individual accounts that you have configured.
Categories. Displays any contact categories that you may have created.
You can synchronize contacts pertaining to an individual account to your local contacts.
To sync with local contacts:
1. Navigate to Settings and then tap Sync with local contacts listed under Contacts to expand the menu.
2. In the Sync with local contacts screen, enable the account whose contacts you want to sync.
3. Tap OK.
4. When prompted to allow Secure Mail to access your contacts, tap OK.
You have now successfully exported contacts for the account.
To undo this action, go to Settings > Contacts > Sync with Local Contacts and then tap on the switch next to the
account to disable this feature. Tap OK to confirm your action.
Calendar
The calendar displays all events pertaining to the multiple accounts on your device. You can set colors for individual accounts
to differentiate calendar events pertaining to individual accounts.
Note
The Personal calendar feature will always be associated with your primary or default account if enabled.
To set colors to calendar events
1. Select CALENDAR from the menu.
2. Tap on the default color displayed on the right of an Exchange account.
The Colors screen displays the available colors for that account.
3. Select a color of your choice and then tap Save. To return to the previous screen, tap Cancel.
The selected color is set for all calendar events pertaining to that Exchange account.
When you are creating a calendar invitation or event, the Organizer field auto-populates with the email address of the
default account. To change the mail account, tap this email address and select another account.
Search
You can perform a global search from the All Accounts or the All Contacts view. This action displays the appropriate
results after searching all the accounts in the app.
All searches from within an individual account display results pertaining to that account only.
Join Skype for Business meetings on iOS and Android
Secure Mail is integrated with Skype for Business. You can join Skype for Business meetings seamlessly through the app.
This feature requires the Skype for Business app to be installed on your device.
To join a Skype for Business meeting
1. Tap on the Skype for Business meeting reminder or calendar event.
2. In the Event Details screen, tap the Skype Join Meeting. The Skype for Business meeting starts in a new window.
If you have not installed Skype for Business on your device, tap Install Skype to install the app.
Print emails, calendar events, or inline images on iOS
You can now print emails, calendar events, or inline images from your iOS device.
Prerequisites:
Before you begin, ensure that the following requirements are met:
1. The Block AirPrint option is set to OFF.
2. The Allow viewers to print option is disabled in IRM.
By default, the print feature is enabled in Secure Mail for iOS. The printing feature might be controlled by your
administrator through administrative policies via Apple AirPrint or Microsoft Information Rights Management (IRM). In these
scenarios, printing an email, calendar event, or inline image will not work and an error message might appear.
To print emails
1. Open the email item you want to print.
2. Tap the Reply/Forward icon.
The following options appear:
Reply
Forward
Print
3. Tap Print.
The Printer Options screen appears.
4. To select a printer, tap Select Printer.
The Printer screen appears.
5. Select the printer you want to print to.
6. Tap – or + to decrease or increase the number of copies you want to print.
7. To print a specific page or a range of pages, tap Range.
The Page Range screen appears. By default, All Pages is selected.
8. To change the page selection, swipe the page numbers up or down.
9. Tap Printer Options to go back to the Printer Options screen.
10. To print in black and white, tap the Black & White button.
By default, Secure Mail prints in color.
11. Tap Print on the top right to print the email.
12. To cancel the print job, tap Cancel on the top left.
To print a calendar event
1. Navigate to calendar and select an event.
2. Tap the Reply/Forward icon.
The following options appear:
Reply
Reply All
Forward
Print
Cancel
3. Tap Print and follow the same instructions as mentioned in the section To print emails above.
To print inline images:
1. Open the email item with the inline image.
2. Long press the image.
The following options appear:
Reply
Forward
Print
3. Tap Print and follow the instructions as mentioned in the section To print emails above.
Integrating Exchange Server or IBM Notes Traveler Server
Oct 31, 2017
To keep Secure Mail in sync with Microsoft Exchange or IBM Notes, you can integrate Secure Mail with an Exchange Server
or IBM Notes Traveler Server that resides in your internal network or is behind NetScaler Gateway.
Syncing is also available for Secure Notes and Secure Tasks, as follows.
You can integrate Secure Notes for iOS with an Exchange Server.
Secure Notes for Android and Secure Tasks for Android use the Secure Mail for Android account to sync Exchange notes
and tasks.
To learn about known limitations with IBM/Lotus Notes, please see this Citrix blog post.
When you add Secure Mail, Secure Notes, and Secure Tasks to XenMobile, configure the following MDX policies for
integration with Exchange or IBM Notes:
For Secure Mail: Set the Secure Mail Exchange Server policy to the fully qualified domain name (FQDN) for Exchange
Server or IBM Notes Traveler server.
The Secure Mail requirements for specifying a connection to a Notes Traveler Server differ by platform, as follows:
Secure Mail for Android and Secure Mail for iOS support the full path specified for a Notes Traveler Server. For
example: https://mail.example.com/traveler/Microsoft-Server-ActiveSync. (It is no longer necessary to configure your
Domino Directory with web site substitution rules for the Traveler Server.)
For Secure Notes and Secure Tasks: Specify values for the Secure Notes Exchange Server, Secure Notes user domain,
Secure Tasks Exchange Server, and Secure Tasks user domain policies.
The following MDX policies affect Secure Mail communication flow:
Network access. The Network access policy specifies whether restrictions are placed on network access. By default,
Secure Mail access is tunneled to the internal network, which means no restrictions are placed on network access; apps
have unrestricted access to networks to which the device is connected. The Network access policy interacts with the
Background network service policy, as follows.
Background network service. The Background network services policy specifies the service addresses permitted for
background network access. The service addresses might be for Exchange Server or ActiveSync server, either in your internal
network or in another network that Secure Mail connects to, such as mail.example.com:443.
When you configure the Background network services policy, also set the Network access policy to Tunneled to the
internal network. The Background network services policy takes effect when you configure the Network access policy.
Background network service gateway. The Background network service gateway policy specifies the NetScaler Gateway
that Secure Mail uses to connect to the internal Exchange Server. If you specify an alternate gateway address, set the
Network access policy to Tunneled to the internal network. The Background network service gateway policy takes
effect when you configure the Network access policy.
Background services ticket expiration. The Background services ticket expiration policy specifies the time period that a
background network service ticket remains valid. When Secure Mail connects through NetScaler Gateway to an Exchange
Server running ActiveSync, XenMobile issues a token that Secure Mail uses to connect to the internal Exchange Server. This
setting determines the duration that Secure Mail can use the token without requiring a new token for authentication and
the connection to the Exchange Server. When the time limit expires, users must log on again to generate a new token.
Default value is 168 hours (7 days).
For details about related XenMobile server settings, see these XenMobile articles: ActiveSync Gateway and Mobile Service
Provider.
The following figures show the types of Secure Mail connections to a mail server. After each figure is a list of the related
policy settings.
Policies for a direct connection to a mail server:
Network access: Unrestricted
Background network services: blank
Background services ticket expiration: 168
Background network service gateway: blank
Policies for a direct connection to a mail server:
Network access: Tunneled to the internal network
Background network services: blank
Background services ticket expiration: 168
Background network service gateway: blank
Policies for STA access to a mail server:
Network access: Tunneled to the internal network
Background network services: mail.example.com:443
Background services ticket expiration: 168
Background network service gateway: gateway3.example.com:443
The following figure shows where those policies apply:
Configuring IBM Notes Traveler Server for Secure Mail
In IBM Notes environments, you must configure the IBM Notes Traveler server before you deploy Secure Mail. This section
shows a diagram of this configuration in a XenMobile deployment as well as system requirements.
Important
If your Notes Traveler Server uses SSL 3.0, be aware that SSL 3.0 contains a vulnerability called the Padding Oracle On Downgraded
Legacy Encryption (POODLE) attack, which is a man-in-the-middle attack affecting any app that connects to a server using SSL 3.0.
To address the vulnerabilities introduced by the POODLE attack, Secure Mail disables SSL 3.0 connections by default and uses TLS
1.0 to connect to the server. As a result, Secure Mail cannot connect to a Notes Traveler Server that uses SSL 3.0. See the following
section, Configuring SSL/TLS Security Level, for details on a recommended workaround.
In IBM Notes environments, you must configure the IBM Notes Traveler server before deploying Secure Mail.
The following diagram shows the network placement of IBM Notes Traveler servers and an IBM Domino mail server in a
sample XenMobile deployment.
System Requirements
Infrastructure Server Requirements
IBM Domino Mail Server
IBM Notes Traveler 9.0.1
Authentication Protocols
Domino Database
Lotus Notes Authentication Protocol
Lightweight Directory Authentication Protocol
Port Requirements
Exchange: Default SSL port is 443.
IBM Notes: SSL is supported on port 443. Non-SSL is supported, by default, on port 80.
Configuring SSL/TLS Security Level
Citrix made modifications to Secure Mail to address vulnerabilities introduced by the POODLE attack, as described in the
preceding Important note. If your Notes Traveler Server uses SSL 3.0, therefore, to enable connections, the recommended
workaround is to use TLS 1.2 on the IBM Notes Traveler Server 9.0.
IBM has a patch to prevent the use of SSL 3.0 in Notes Traveler secure server-to-server communication. The patch, released
in November 2014, is included as interim fix updates for the following Notes Traveler server versions: 9.0.1 IF7, 9.0.0.1 IF8 and
8.5.3 Upgrade Pack 2 IF8 (and will be included in all future releases). For details about the patch, see LO82423: DISABLE
SSLV3 FOR TRAVELER SERVER TO SERVER COMMUNICATION.
As an alternative workaround, when you add Secure Mail to XenMobile, change the Connection security level policy to
SSLv3 and TLS. For the latest information about this issue, see SSLv3 Connections Disabled by Default on Secure Mail
10.0.3.
The following tables indicate the protocols that Secure Mail supports, by operating system, based on the Connection
security level policy value. Your mail server must also be able to negotiate the protocol.
The following table shows supported protocols for Secure Mail when the connection security level is SSLv3 and TLS.

| Operating system type | SSLv3 | TLS |
| --- | --- | --- |
| Earlier than iOS 9 | Yes | Yes |
| iOS 9 and later | No | Yes |
| Earlier than Android M | Yes | Yes |
| Android M and Android N | Yes | Yes |
| Android O | No | Yes |

The following table shows supported protocols for Secure Mail when the connection security level is TLS.

| Operating system type | SSLv3 | TLS |
| --- | --- | --- |
| Earlier than iOS 9 | No | Yes |
| iOS 9 and later | No | Yes |
| Earlier than Android M | No | Yes |
| Android M and Android N | No | Yes |
| Android O | No | Yes |

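To confirm what a mail server actually negotiates before choosing a Connection security level, the following Python script (an added example, not Citrix or IBM code) sends one minimal ClientHello per protocol version and classifies the first record of the reply. The function names, the cipher-suite list, the summary rule and the sample reply bytes are assumptions made for this illustration.

```python
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {pair: name for name, pair in VERSIONS.items()}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
# RSA key-exchange CBC suites widely implemented from SSL 3.0 through TLS 1.2
# (AES128-SHA, AES256-SHA, 3DES-SHA). A server that shares none of them
# refuses the probe whatever protocol version it supports.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A)

# Constructed sample replies (not captured from a real server).
SAMPLE_REFUSAL = bytes.fromhex("15030000020246")           # fatal alert 70
SAMPLE_SERVER_HELLO = bytes.fromhex("160303002a020000260303")  # ServerHello start


def build_client_hello(version):
    """Return one record holding a ClientHello that offers exactly `version`."""
    major, minor = VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (bytes([major, minor])                 # client_version
            + os.urandom(32)                      # random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + bytes([major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_reply(data):
    """Classify the first record: ("accepted", version), ("refused", alert)
    or ("unknown", None)."""
    if len(data) < 7:
        return ("unknown", None)
    content_type, payload = data[0], data[5:]
    if content_type == 0x15:                      # alert: level, description
        return ("refused", ALERTS.get(payload[1], "alert %d" % payload[1]))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        chosen = (payload[4], payload[5])         # ServerHello.server_version
        return ("accepted", VERSION_NAMES.get(chosen, "%d.%d" % chosen))
    return ("unknown", None)


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello to host:port and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            while len(data) < 11:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionResetError):
            pass
    return parse_server_reply(data) if data else ("refused", "connection closed")


def summarize(results):
    """results maps the offered version to its parse_server_reply() tuple."""
    chosen = {name for state, name in results.values() if state == "accepted"}
    tls = sorted(chosen - {"SSLv3"})
    return {"ssl3_enabled": "SSLv3" in chosen,
            "tls_versions": tls,
            # Assumption: with the policy set to TLS, any TLS version suffices.
            "reachable_with_tls_policy": bool(tls)}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        results = {v: probe(host, port, v) for v in VERSIONS}
    else:  # offline demonstration with the constructed replies
        results = {"SSLv3": parse_server_reply(SAMPLE_REFUSAL),
                   "TLSv1.2": parse_server_reply(SAMPLE_SERVER_HELLO)}
    print(results)
    print(summarize(results))
```

A refusal can also mean that the server shares none of the three offered cipher suites or requires SNI, so confirm a negative result with a full TLS scanner before changing the policy.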
Configuring Notes Traveler Server
The following information corresponds to the configuration pages in the IBM Domino Administrator client.
Security. Internet authentication is set to Fewer name variations with higher security. This setting is used to map UID to
AD User ID in LDAP authentication protocols.
NOTES.INI Settings. Add NTS_AS_ENFORCE_POLICY=false. This allows Secure Mail policies to be managed by
XenMobile rather than Traveler. This setting may conflict with current customer deployments, but will simplify the
management of the device in XenMobile deployments.
Synchronization protocols. SyncML on IBM Notes and mobile device synchronization are not supported by Secure Mail
at this time. Secure Mail synchronizes Mail, Calendar and Contacts items through the Microsoft ActiveSync protocol built
into Traveler servers. If SyncML is forced as the primary protocol, Secure Mail cannot connect back through the Traveler
infrastructure.
Domino Directory Configuration - Web Internet Sites. Override Session Authentication for /traveler to disable form-based authentication.
S/MIME for Secure Mail
Oct 31, 2017
Secure Mail supports Secure/Multipurpose Internet Mail Extensions (S/MIME), enabling users to sign and encrypt messages
for greater security. Signing assures the recipient that the identified sender sent the message, not an imposter. Encryption
allows only the recipients with a compatible certificate to open the message.
For details about S/MIME, go to Microsoft TechNet article - Understanding S/MIME.
In the following table, X indicates that Secure Mail supports an S/MIME feature on a device OS.

| S/MIME Feature | iOS | Android | Windows Phone |
| --- | --- | --- | --- |
| Digital identity provider integration. You can integrate Secure Mail with a supported third-party digital identity provider. Your identity provider host supplies certificates to an identity provider app on user devices. That app sends certificates to the XenMobile shared vault, a secure storage area for sensitive app data. Secure Mail obtains certificates from the shared vault. For details, see Integrating with a Digital Identity Provider. | X | | |
| Certificate distribution by email. Distributing certificates by email requires that you create certificate templates and then use those templates to request user certificates. After you install and validate the certificates, you export the user certificates and then email them to users. Users then open the email in Secure Mail and import the certificates. For details, see Distributing Certificates by Email. | X | X | X |
| Auto-import of single-purpose certificates. Secure Mail detects if a certificate is only for signing or encryption and then automatically imports the certificate and notifies the user. If a certificate is for both purposes, users are prompted to import it. | X | | |

Integrating with a Digital Identity Provider
The following diagram shows the path that a certificate takes from the digital identity provider host to Secure Mail. This
happens when you integrate Secure Mail with a supported third-party digital identity provider.
The MDX shared vault is a secure storage area for sensitive app data such as certificates. Only XenMobile enabled apps can
access the shared vault.
Prerequisites
Secure Mail supports integration with Entrust IdentityGuard.
Configuring the Integration
1. Prepare the identity provider app and provide it to users:
1. Contact Entrust to get the .ipa to wrap.
2. Use the MDX Toolkit to wrap the app.
If you deploy this app to users who already have a version of the app outside of the XenMobile environment, use a
unique app ID for this app. Use the same provisioning profile for this app and Secure Mail.
3. Add the app to XenMobile and publish it to the XenMobile Store.
4. Let your users know that they must install the identity provider app from Secure Hub. Provide guidance, as needed,
about any post-installation steps.
Depending on how you configure the S/MIME policies for Secure Mail in the next step, Secure Mail might prompt
users to install certificates or enable S/MIME in Secure Mail settings. Steps for both of those procedures are in
Enabling S/MIME on Secure Mail for iOS.
2. When you add Secure Mail to XenMobile, be sure to configure these policies:
Set the S/MIME certificate source policy to Shared vault. This setting means that Secure Mail uses the certificates
stored in its shared vault by your digital identity provider.
To enable S/MIME during the initial startup of Secure Mail, configure the Enable S/MIME during first Secure Mail
startup policy. The policy determines if Secure Mail enables S/MIME when there are certificates in the shared vault. If
no certificates are available, Secure Mail prompts the user to import certificates. If the policy isn't enabled, users can
enable S/MIME in the Secure Mail settings.
By default, Secure Mail does not enable S/MIME, which means that users must enable S/MIME through Secure Mail
settings.
Distributing Certificates by Email
Instead of integrating with a digital identity provider, you can distribute certificates to users by email. This option requires
the following general steps, detailed in this section.
1. Use Server Manager to enable web enrollment for Microsoft Certificate Services and to verify your authentication
settings in IIS.
2. Create certificate templates for signing and encrypting email messages. Use those templates to request user
certificates.
3. Install and validate the certificates, then export the user certificates and email them to users.
4. Users open the email in Secure Mail and import the certificates. The certificates are thus available only to Secure Mail.
They do not appear in the iOS profile for S/MIME.
Smart cards are not supported.
Prerequisites
The instructions in this section are based on the following components:
XenMobile Server 10 and later
A supported version of NetScaler Gateway
Secure Mail for iOS (minimum version 10.6.0); Secure Mail for Android devices (minimum version 10.6.20)
Microsoft Windows Server 2008 R2 or later with Microsoft Certificate Services acting as the Root Certificate Authority
(CA)
Microsoft Exchange:
Exchange Server 2016 Cumulative Update 4
Exchange Server 2013 Cumulative Update 15
Exchange Server 2010 SP3 Update Rollup 16
Complete the following prerequisites before configuring S/MIME:
Deliver the root and intermediate certificates to the mobile devices either manually or through a credentials device policy
in XenMobile. For details, see Credentials device policies.
If you are using private server certificates to secure the ActiveSync traffic to Exchange Server, do the following: Have all
the root and intermediate certificates installed on the mobile devices.
Wrap Secure Mail with the latest MDX Toolkit available on the Citrix downloads site.
Enabling Web Enrollment for Microsoft Certificate Services
1. Go to Administrative Tools and select Server Manager.
2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
3. Select Add Role Services to install Certificate Authority Web Enrollment, if needed.
4. Check Certificate Authority Web Enrollment and then click Next.
5. Click Close or Finish when the installation is complete.
Verifying your authentication settings in IIS
Ensure that the Web enrollment site used to request user certificates (for example, https://ad.domain.com/certsrv/) is
secured with an HTTPS server certificate (private or public).
The Web enrollment site must be accessed through HTTPS.
1. Go to Administrative Tools and select Server Manager.
2. In Web Server (IIS), look under Role Services. Verify that Client Certificate Mapping Authentication and IIS Client
Certificate Mapping Authentication are installed. If not, install these role services.
3. Go to Administrative Tools and select Internet Information Services (IIS) Manager.
4. In the left pane of the IIS Manager window, select the server running the IIS instance for web enrollment.
5. Click Authentication.
6. Ensure that Active Directory Client Certificate Authentication is Enabled.
7. Click Sites > Default site for Microsoft Internet Information Services > Bindings in the right pane.
8. If an HTTPS binding does not exist, add one.
9. Go to the Default Web Site Home.
10. Click SSL Settings and then click Accept for Client Certificates.
Creating new certificate templates
To sign and encrypt email messages, Citrix recommends that you create certificates on Microsoft Active Directory
Certificate Services. If you use the same certificate for both purposes and archive the encryption certificate, it is possible to
recover a signing certificate and allow impersonation.
The following procedure duplicates the certificate templates on the Certificate Authority (CA) server:
Exchange Signature Only (for Signing)
Exchange User (for Encryption)
1. Open the Certificate Authority snap-in.
2. Expand the CA and then go to Certificate Templates.
3. Right-click and then click Manage.
4. Search for the Exchange Signature Only template, right-click the template and then click Duplicate Template.
5. Assign any name.
6. Select the Publish certificate in Active Directory check box.
Note: If you do not select the Publish certificate in Active Directory check box, users must publish the user
certificates (for signing and encryption) manually. They can do this through Outlook mail client > Trust Center > Email
Security > Publish to GAL (Global Address List). For details, see the Microsoft topic Add or import a certificate into
Contacts.
7. Click the Request Handling tab and then set the following parameters:
Purpose: Signature
Minimum key size: 2048
Allow private key to be exported check box: selected
Enroll subject without requiring any user input check box: selected
8. Click the Security tab and, under Group or user names, ensure that Authenticated Users (or any desired Domain
Security Group) is added. Also ensure that, under Permissions for Authenticated Users, the Read and Enroll check
boxes are selected for Allow.
9. For all other tabs and settings, leave the default settings.
10. In Certificate Templates, click Exchange User and then repeat steps 4 through 9.
For the new Exchange User template, use the same default settings as for the original template.
11. Click the Request Handling tab and then set the following parameters:
Purpose: Encryption
Minimum key size: 2048
Allow private key to be exported check box: selected
Enroll subject without requiring any user input check box: selected
12. When both templates are created, be sure to issue both certificate templates. Click New and then click Certificate
Template to Issue.
Requesting user certificates
This procedure uses "user1" to navigate to the Web enrollment page; for example, https://ad.domain.com/certsrv/. The
procedure requests two new user certificates for secure email: one certificate for signing and the other for encryption. You
can repeat the same procedure for other domain users that require the use of S/MIME through Secure Mail.
Manual enrollment is used through the Web enrollment site (example, https://ad.domain.com/certsrv/) on Microsoft
Certificate Services to generate the user certificates for signing and encryption. An alternative is to configure autoenrollment through a Group Policy for the group of users who would use this feature. For details, see the Microsoft
TechNet article: Configure User Certificate Autoenrollment.
1. On a Windows-based computer, open Internet Explorer and go to the Web enrollment site to request a new user
certificate.
Note: Be sure you log on with the correct domain user to request the certificate.
2. When logged in, click Request a certificate.
3. Click Advanced Certificate Request.
4. Click Create and Submit a request to this CA.
5. Generate the user certificate for signing purposes. Select the appropriate template name and type your user settings,
and then next to Request Format, select PKCS10.
The request has been submitted.
6. Click Install this certificate.
7. Verify that the certificate is installed successfully.
8. Repeat the same procedure but now for encrypting email messages. With the same user logged on to the Web
enrollment site, go to the Home link to request a new certificate.
9. Select the new template for encryption and then type the same user settings you entered in step 5.
10. Ensure you installed the certificate successfully and then repeat the same procedure to generate a pair of user
certificates for another domain user. This example follows the same procedure and generates a pair of certificates for
"User2".
Note: This procedure uses the same Windows-based computer to request the second pair of certificates for "User2".
Validating Published Certificates
1. To ensure that the certificates are properly installed in the domain user profile, go to Active Directory Users and
Computers > View > Advanced Features.
2. Go to the properties of the user (User1 for this example) and then click the Published Certificates tab. Ensure that
both certificates are available. You can also verify that each certificate has a specific usage.
This figure shows a certificate to encrypt email messages.
This figure shows a certificate to sign email messages.
Ensure that the correct encrypted certificate is assigned to the user. You can verify this information under Active
Directory Users and Computers > user properties.
Secure Mail checks the userCertificate user object attribute via LDAP queries. You can read this
value on the Attribute Editor tab. If this field is empty or has the incorrect user certificate for encryption, Secure Mail
cannot encrypt (or decrypt) a message.
Exporting the user certificates
This procedure exports the certificate pairs for both "User1" and "User2" in .PFX (PKCS#12) format with the private key. When
exported, the certificates are sent through email to the user using Outlook Web Access (OWA).
1. Open the MMC console and go to the snap-in for Certificates - Current User. You see the certificate pairs for both "User1"
and "User2".
2. Right-click the certificate and then click All Tasks > Export.
3. Export the private key by selecting Yes, export the private key.
4. Select the Include all certificates in the certification path if possible and Export all extended properties check
boxes.
5. After you export the first certificate, repeat the same procedure for the remaining certificates for users.
Note: Clearly label which certificate is the signing certificate and which certificate is the encryption certificate. In the
example, the certificates are labeled as userX-sign.pfx and userX-enc.pfx.
Sending certificates through email
When all certificates are exported in PFX format, you can use Outlook Web Access (OWA) to send them through email. The
logon name for this example is User1; the sent email contains both certificates.
Repeat the same procedure for User2 or other users in your domain.
Enabling S/MIME on Secure Mail for iOS and Android
After the email is delivered, the next step is to open the message using Secure Mail and enable S/MIME with the
appropriate certificates for signing and encryption.
1. In Secure Mail, open the email message.
2. Download the first certificate (for signing) and then tap Import certificate for Signing.
3. Type the password assigned to the private key when the certificate was exported.
4. Go to Settings to enable signing on Secure Mail.
5. Tap S/MIME and next to Signing, tap Off.
6. In Signing, enable and verify that the correct signing certificate is selected.
This figure shows signing enabled with user certificate (for signing).
7. Go back to the email message to download and import the certificate for encryption.
8. Type the password assigned to the private key.
9. Go to Settings to enable encryption on Secure Mail. Next to Encrypt by Default, tap Off. Ensure that the correct user
certificate is selected for encryption.
This figure shows encryption enabled with user certificate (for encryption).
Note: If an email is digitally signed with S/MIME, has attachments, and the recipient does not have S/MIME enabled,
attachments are not received. This behavior is an Active Sync limitation. To receive S/MIME messages effectively, turn on
S/MIME in Secure Mail settings.
Testing S/MIME on iOS and Android
If everything has been performed correctly, when User1 or User2 sends an email signed and encrypted, the recipient can
read the message.
The following figure shows an example of an encrypted message read by the recipient.
The following figure shows an example of verification of signed trusted certificate.
Secure Mail searches the Active Directory domain for public encryption certificates of recipients. If a user sends an
encrypted message to a recipient who does not have a valid public encryption key, the message is sent unencrypted. In a
group message, if even one recipient doesn't have a valid key, the message is sent unencrypted to all recipients.
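Because Secure Mail reads the userCertificate attribute over LDAP and falls back to sending unencrypted when a recipient has no valid key, it is worth auditing the published certificates before rollout. The following PowerShell is an added example, not Citrix code; it assumes the ActiveDirectory module (RSAT) is installed, uses the sample accounts from this procedure, and the function name is hypothetical.

```powershell
# Added example (not from the Citrix documentation).
# Reports, for each account, whether the userCertificate attribute that Secure Mail
# queries over LDAP currently holds a certificate usable for S/MIME encryption.
# Assumptions: ActiveDirectory module (RSAT) is available; encryption certificates
# carry the KeyEncipherment key usage (RSA keys, as in the 2048-bit template above).
Import-Module ActiveDirectory

function Get-SmimeEncryptionReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$SamAccountName
    )

    $now = Get-Date
    $keyEncipherment = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties userCertificate

        # userCertificate is multi-valued: each value is one DER-encoded certificate.
        $certs = @(foreach ($raw in $user.userCertificate) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            $ku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
                Select-Object -First 1

            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                KeyUsages  = if ($ku) { $ku.KeyUsages } else { $null }
                InValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
                CanEncrypt = [bool]($ku -and $ku.KeyUsages.HasFlag($keyEncipherment))
                # Chain is built with the trust stores of the machine running this script,
                # which may differ from what the mobile device trusts.
                ChainOk    = $cert.Verify()
            }
        })

        $usable = @($certs | Where-Object { $_.InValidity -and $_.CanEncrypt -and $_.ChainOk })

        $status = if ($certs.Count -eq 0) { 'NoCertificatePublished' }
                  elseif ($usable.Count -eq 0) { 'NoUsableEncryptionCertificate' }
                  else { 'OK' }

        [pscustomobject]@{
            User                  = $name
            PublishedCerts        = $certs.Count
            UsableEncryptionCerts = $usable.Count
            Status                = $status
            Certificates          = $certs
        }
    }
}

# Any account whose Status is not OK would cause mail addressed to it
# (and to the rest of the group) to be sent unencrypted.
Get-SmimeEncryptionReadiness -SamAccountName 'User1', 'User2' |
    Format-Table User, PublishedCerts, UsableEncryptionCerts, Status
```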
Enabling S/MIME on Secure Mail for Windows Phone
After the email is delivered, the next steps are as follows: Open the message by using Secure Mail for Windows Phone.
Then, enable S/MIME with the appropriate certificates for signing and encryption.
1. In Secure Mail, open the email message.
2. Download the first certificate (for signing) and then tap Import for signing & encryption.
3. Type the password assigned to the private key when the certificate was exported.
4. Tap settings to enable signing for Secure Mail.
5. Next to S/MIME, select the check box.
6. In SIGNING, enable Sign Outgoing Messages and verify that the correct signing certificate is selected.
7. Go back to the email message to download and import the certificate for encryption.
8. Type the password assigned to the private key.
9. Go to Settings and, under ENCRYPTION, tap Encrypt by Default to enable encryption for Secure Mail.
Testing S/MIME on Windows Phone
If everything has been performed correctly, when User 9 sends an email signed and encrypted, the recipient can read the
message.
The following figure shows an example of an encrypted message read by the recipient.
The following figure shows an example of verification of a signed trusted certificate.
Configuring Public Certificate Sources
To use S/MIME public certificates, configure the S/MIME public certificate source, LDAP server address, LDAP Base DN, and
Access LDAP Anonymously policies. For more information about these policies, see MDX Policies at a Glance.
In addition to the app policies, do the following.
If the LDAP servers are public, ensure that the traffic goes directly to LDAP servers. To do so, configure the network
policy for Secure Mail to be Tunneled to the internal network and configure split DNS for NetScaler.
If the LDAP servers are on an internal network, do the following:
For iOS, ensure that you don’t configure the Background network service gateway policy. If you do configure the
policy, users receive frequent authentication prompts.
For Android, ensure that you add the LDAP server URL in the list for the Background network service gateway policy.
Push Notifications for Secure Mail for iOS
Oct 31, 2017
Secure Mail for iOS can receive notifications about email and calendar activity when the app is running in the background or
is closed. Secure Mail supports notifications provided through Background App Refresh or push notifications provided
through the Apple Push Notification service (APNs).
How Push Notifications Work
Secure Mail sends push notifications for the following Inbox activities:
New mail, meeting requests, meeting cancellations, meeting updates.
When APNs pushes notifications to an inbox, Secure Mail updates all folders, including Calendar, so that meeting changes
are reflected immediately in users' calendars.
Mail status changes from read to unread and vice versa.
The Secure Mail icon shows the total count of unread and new messages in the Exchange Inbox folder only. Secure Mail
updates the icon after users read emails on a desktop or laptop computer.
Secure Mail still provides the count of unread Inbox emails for the sync period. If the Control locked screen notifications
policy is On, push notifications appear on a locked device screen after iOS wakes up Secure Mail to perform a sync.
During an installation or upgrade, Secure Mail prompts users to allow push notifications. Users can also allow push
notifications later by using iOS Settings.
To provide push notifications, Citrix hosts a listener service on Amazon Web Services (AWS) to perform the following
functions:
Listen for Exchange Web Services (EWS) push notifications sent by Exchange Servers when there is Inbox activity.
Exchange does not send any mail content to the Citrix service.
No personally identifiable information is stored by the Citrix service. Instead, a device token and subscription ID identifies
the specific device and Inbox folder to be updated within Secure Mail.
Send APNs notifications, containing only badge counts, to Secure Mail on iOS devices.
The Citrix listener service does not impact mail data traffic, which continues to flow between user devices and Exchange
Servers through ActiveSync. The listener service, which is configured for high availability and disaster recovery, is available in
three regions:
Americas
Europe, Middle East and Africa (EMEA)
Asia Pacific (APAC)
For details about the EWS push notification service, see the Microsoft article Notification subscriptions, mailbox events,
and EWS in Exchange.
System Requirements for Push Notifications
If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler
Gateway must allow traffic (when tunneled from Secure Mail) to the following Citrix listener service URLs:
Region | URL | IP Address
Americas | https://us-east-1.pushreg.xm.citrix.com | 52.7.65.6, 52.7.147.0
EMEA | https://eu-west-1.pushreg.xm.citrix.com | 54.154.200.233, 54.154.204.192
APAC | https://ap-southeast-1.pushreg.xm.citrix.com | 52.74.236.173, 52.74.25.245
Provisioning profiles and app IDs:
APNs requires a provisioning profile created with an explicit and unique app ID. APNs does not support apps that use a
provisioning profile created with a wildcard (*) app ID.
XenMobile Management Tools for APNs signature signing is compatible with these browsers:
Chrome (minimum version 36)
Firefox (minimum version 31)
Internet Explorer 10 or 9
Safari (minimum version 7)
To access the tools, see XenMobile Management Tools.
Configuring Secure Mail for Push Notifications
App Store distribution
The move to the public app store also simplifies the process of setting up Apple Push Notifications for Secure Mail. You no
longer have to request a certificate from Apple and upload it to XenMobile Tools. Instead, on the console, set Push
notifications to ON and then select your region.
Configure Exchange and NetScaler to allow traffic to flow to the listener service.
Exchange Server configuration
Allow outbound SSL (over port 443) from your firewall to the Citrix listener service URL for the region where your Exchange
Server is located. For example:
Region | URL | IP Address
Americas | https://us-east-1.mailboxlistener.xm.citrix.com | 52.6.252.176, 52.4.180.132
EMEA | https://eu-west-1.mailboxlistener.xm.citrix.com | 54.77.174.172, 52.17.147.220
APAC | https://ap-southeast1.mailboxlistener.xm.citrix.com | 52.74.231.240, 54.169.87.20
If you have a proxy server between EWS and the Citrix listener device, you can do one of the following.
Send EWS traffic through the proxy and then on to the listener device.
Bypass the proxy and route EWS traffic to the listener device directly.
To send EWS traffic through the proxy server, configure the EWS web.config file in the ClientAccess\exchweb\ews folder,
as follows.
<configuration>
  <system.net>
    <!-- Send outbound EWS requests through the proxy; replace proxyaddress with your proxy's URL. -->
    <defaultProxy>
      <proxy usesystemdefault="false"
             proxyaddress="http://proxy.example:8080"
             bypassonlocal="true" />
    </defaultProxy>
  </system.net>
</configuration>
For Exchange 2013 environments, you must add the system.net section to the web.config file manually. Otherwise,
configurations described in this article should work for Exchange 2013. For troubleshooting, contact your Exchange
administrator.
To bypass the proxy server, configure the bypass list to allow Exchange to make connections to the Citrix listener service.
For details, see "Push Event Notifications" in https://msdn.microsoft.com/en-us/library/office/aa579128(v=exchg.140).aspx.
When Secure Hub is enrolled with certificate-based authentication, you must also configure Exchange Server for
certificate-based authentication. For details, see this XenMobile Advanced Concepts article.
NetScaler Gateway configuration
While the Exchange server needs to allow traffic to the listener service, NetScaler must allow traffic to the registration
service. In this way, devices can connect to register for push notifications.
If your EWS and ActiveSync servers are different, configure your NetScaler traffic policy to allow EWS traffic.
Enterprise distribution
If you distribute Secure Mail as an enterprise app through Secure Hub, you must generate an Apple Provisioning Profile,
which involves requesting a certificate from Apple using XenMobile Tools and uploading the certificate to the XenMobile
server. An explicit app ID is required to be able to request a certificate.
Follow these steps to configure enterprise Secure Mail for push notifications:
1. Verify that your environment meets the system requirements, described earlier in System Requirements for Push
Notifications.
2. If your deployed version of Secure Mail was wrapped with an explicit app ID with its own distribution profile, enable the
Push Notification service for the app ID. For details, see Registering App IDs in the Apple App Distribution Guide.
3. If your deployed version of Secure Mail was wrapped with a wildcard app ID or this is a new deployment, you must use a
new app ID and provisioning profile when wrapping the new version of Secure Mail. From the Apple Enterprise Developer
portal, create a new provisioning profile and a unique, explicit app ID.
You must register an explicit Secure Mail app ID, use the explicit distribution profile for that app ID, and enable the
Push Notification service for the app ID. For details, see Registering App IDs in the Apple App Distribution Guide.
If you have staging and production environments, you will need separate app IDs and certificates for each
environment.
4. Wrap Secure Mail with the MDX Toolkit, using the explicit app ID prepared in Steps 2 or 3.
5. Generate a Secure Mail APNs certificate for the explicit Secure Mail app ID. Be sure to choose the Production SSL
certificate and not the Development SSL certificate.
Secure Mail requires an APNs certificate to support push notifications. This cannot be the same APNs certificate
uploaded to the XenMobile server.
To obtain and upload an APNs certificate:
1. Request a new APNs certificate from Apple.
2. Export, as a .p12 file, the certificate and private key using the Keychain Access feature on your Mac. For details on
generating and exporting the APNs certificate from the Apple Developer portal, see Configuring Push Notifications in
the Apple App Distribution Guide.
6. Register your APNs certificate and obtain a customer ID.
1. Use your Citrix Login ID to log in to the XenMobile Management Tools portal at https://xenmobiletools.citrix.com.
2. Click Upload WorxMail APNs certificates. (Note: XenMobile Management Tools do not yet reflect the new names
for XenMobile Apps.)
3. Choose the region where your Exchange Server is located.
4. Specify your explicit Secure Mail app ID, choose your APNs certificate (.p12 file), and enter your certificate password.
5. When the upload completes, your customer ID displays. You will need the customer ID to configure the Push
notifications customer ID policy, as described in Step 5.
You can return to the Dashboard view to view details, obtain your customer ID, or delete certificates.
7. When you add Secure Mail to XenMobile, update the following policies to enable and configure push notifications.
Push notifications
Enables APNs-based notifications about Inbox activity. If On, Secure Mail supports push notifications. Default value is
Off.
Push notifications region
The region where the APNs host is located for your Secure Mail users. Options are Americas, EMEA, and APAC. Default
value is Americas. Select the same value you specified for Step 6c.
Push notifications customer ID
Your APNs customer ID, used to identify your account to the Citrix notification service. This is the customer ID that
displayed in Step 6e.
8. If your previously deployed Secure Mail had a wildcard app ID, let your users know that they must reinstall Secure Mail.
Troubleshooting
To troubleshoot outbound connections, check the Exchange event logs, which include log entries when a subscription
request or the notification for a subscription is invalid or fails. You can also run Wireshark traces on the Exchange Server to
track outbound traffic to the Citrix listener service.
For other issues, try the Secure Mail Test Tool.
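A quick outbound check to run on the Exchange Server before reaching for Wireshark, given here as an added example rather than Citrix code. Host names and addresses are copied from the listener service table on this page (the APAC name as printed there); the function name is hypothetical.

```powershell
# Added example (not from the Citrix documentation).
# Checks that the Exchange Server can resolve and reach the Citrix listener service
# on TCP 443, and flags resolved addresses that are missing from the documented list
# (relevant when firewall rules were written by IP address rather than by name).

# Values copied from the listener service table on this page.
$ListenerEndpoints = @(
    [pscustomobject]@{ Region = 'Americas'; HostName = 'us-east-1.mailboxlistener.xm.citrix.com'
                       DocumentedIPs = '52.6.252.176', '52.4.180.132' }
    [pscustomobject]@{ Region = 'EMEA';     HostName = 'eu-west-1.mailboxlistener.xm.citrix.com'
                       DocumentedIPs = '54.77.174.172', '52.17.147.220' }
    # Host name reproduced exactly as printed in the table.
    [pscustomobject]@{ Region = 'APAC';     HostName = 'ap-southeast1.mailboxlistener.xm.citrix.com'
                       DocumentedIPs = '52.74.231.240', '54.169.87.20' }
)

function Test-ListenerEgress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Americas', 'EMEA', 'APAC')]
        [string]$Region
    )

    $ep = $ListenerEndpoints | Where-Object { $_.Region -eq $Region }

    # Resolve A records only; CNAME rows returned by Resolve-DnsName are skipped.
    $resolved = @()
    try {
        $resolved = @(Resolve-DnsName -Name $ep.HostName -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress)
    } catch {
        Write-Warning "DNS lookup failed for $($ep.HostName): $_"
    }

    # Direct TCP connect. If EWS is configured to use a proxy in web.config,
    # a failure here can be expected; test the path to the proxy instead.
    $tcp = Test-NetConnection -ComputerName $ep.HostName -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Region              = $Region
        HostName            = $ep.HostName
        ResolvedIPs         = $resolved
        NotInDocumentedList = @($resolved | Where-Object { $_ -notin $ep.DocumentedIPs })
        Tcp443Reachable     = $tcp.TcpTestSucceeded
    }
}

# Use the region where your Exchange Server is located.
Test-ListenerEgress -Region Americas | Format-List
```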
Secure Mail Push Notifications FAQs
When does iOS deliver notifications to Secure Mail?
If Secure Mail is running in the foreground, notifications are always delivered to Secure Mail. This is the only time that Citrix
can guarantee that notifications are delivered. When Secure Mail enters the background, the application badge count
always updates. However, notifications (lockscreen and banner notifications) rely on Background App Refresh and,
particularly when iOS suspends or terminates the app, notifications are not a certainty. The following factors are outside
the control of Citrix.
The following cases may affect the delivery of notifications:
The battery is low.
Secure Mail is not used frequently (rarely opened into the foreground).
Emails received outside of core usage times in which the app is suspended for an extended period in the background; for
example, between midnight and 6 a.m.
Notifications are not delivered to Secure Mail in the following cases:
If the user closes Secure Mail, until the user manually reopens the app.
If the system has terminated Secure Mail and the app has not been automatically restarted.
When Secure Mail is not active. Important note: Notifications may not be delivered to Secure Mail when it is not active
for many reasons, including but not limited to the following cases:
If the device is in Low Power Mode and Secure Mail is in the background. This is the most common case in which
notifications are not delivered.
If Background App Refresh is off for Secure Mail and if Secure Mail is in the background. Note that users control this
setting.
If the device has poor network connectivity. This situation depends entirely on the iOS device.
When Secure Mail does not receive a notification, Secure Mail does not sync new data to the device. As a consequence,
the following situations occur:
Secure Mail syncs data only when users bring the app to the foreground.
Lockscreen notifications stop occurring for new mail. Calendar reminders still appear, however.
How does Background App Refresh affect Secure Mail and APNs?
If the user turns off Background App Refresh, the following situations occur:
Secure Mail does not receive notifications when Secure Mail is not the background app.
Secure Mail does not update the lockscreen with new email notifications.
Disabling Background App Refresh has a major effect on the behavior of Secure Mail. As stated earlier, badge updates
based on APNs still occur, but no email is synced to the device in this mode.
How does Low Power Mode affect Secure Mail and APNs?
The behavior of the system with respect to Secure Mail is the same in Low Power Mode as it is when Background App
Refresh is disabled. In Low Power Mode, the device does not wake up apps for periodic refresh and does not deliver
notifications to apps in the background. The side effects are therefore the same as those listed in the Background App
Refresh section above. Note that in Low Power Mode, badge updates still occur, based on APNs notifications.
How does APNs affect email notifications that appear on the lock screen?
New mail notifications that appear on the device lock screen are generated based on data that is synced down to the
device by Secure Mail. Importantly, this information does not come from the listener service.
In order to show new mail notifications, Secure Mail needs to be able to sync data from Exchange so that Secure Mail has
the information available to create the notifications.
If APNs notifications are not delivered to Secure Mail in the background, Secure Mail does not detect the notifications and
hence does not sync new data. Because no new data is available to Secure Mail, no email notifications are generated on
the device lockscreen, even when APNs notifications are not delivered.
What other issues can cause APNs-driven sync to fail in the background?
A number of issues can cause APNs-driven sync requests to fail, including the following:
An invalid STA ticket.
A slow network connection. When Secure Mail is woken in the background, the app has 30 seconds to sync all data from
the server.
If the data protection policy is enabled and Secure Mail is woken by an APNs notification, when the device is locked,
Secure Mail cannot access the data store and sync does not occur. Note that this is only the case in which the system is
attempting to cold start Secure Mail. If a user has already started Secure Mail at some point after unlocking the device,
APNs-driven sync succeeds even when the device is locked.
If any of the preceding conditions occur, Secure Mail cannot sync data and hence cannot display lockscreen notifications.
How else does Secure Mail generate lockscreen notifications when notifications are not delivered or APNs is not
in use?
If APNs is disabled, Secure Mail is still woken by periodic Background App Refresh events from iOS, assuming that
Background App Refresh is enabled and assuming that Low Power Mode is off.
During these wakeup events, Secure Mail syncs new email from the Exchange Server. This new email can then be used to
generate email notifications on the lock screen. Thus, even when APNs notifications are not delivered or APNs is disabled,
Secure Mail can sync data in the background.
It's important to note that this will occur less in real time than when APNs is in use and when APNs notifications are
delivered to Secure Mail. When iOS routes APNs notifications to Secure Mail, the app immediately syncs data from the
server and the lockscreen notifications appear to be real time.
In the event that Background App Refresh wakeups are required, lockscreen notifications do not occur in real time. In this
case, Secure Mail is woken up at a frequency that iOS completely determines. As such, some time may elapse between
when an email arrives in a user's Inbox on Exchange and Secure Mail syncs that message and generates the lockscreen
notification.
Also note that Secure Mail receives these periodic wakeups even when APNs is in use. In all cases in which Background App
Refresh wakes up Secure Mail, Secure Mail attempts to sync data from Exchange.
How does Secure Mail differ from other apps that show content on the lock screen?
A very important difference - and one that leads to confusion - is that Secure Mail does not always show new email in real
time on the lock screen in the same way that Gmail, Microsoft Outlook, and other apps do. The primary reason for this
difference is security. To align with the behavior of the other apps, the Citrix listener service would require the user
credentials to authenticate with Exchange to get the email content and also pass this email content through the Citrix
listener service, as well as the Apple APNs service. The approach by Citrix to APNs notifications does not require the Citrix
listener service to acquire or store the users' password. The listener service has no access to the users' mailbox or password.
A note about the native iOS mail app: iOS allows its own email app to maintain a persistent connection with the mail server,
which ensures that notifications are always delivered. Third-party apps outside of the native mail are not allowed this
capability.
Gmail app behavior. Google owns and controls both the Gmail app and the Gmail server. This means that Google can read
message content and include that message content in the APNs notification payload. When iOS receives this APNs
notification from Gmail, iOS does the following:
Sets the application badge to the value that is specified in the notification payload.
Displays the lockscreen notification using the message text that is contained in the notification payload.
This is a critical difference: It is iOS, not the Gmail app, that displays the lockscreen notification, based on the data
contained in the payload. In fact, iOS may never wake the Gmail app, similar to the way that iOS may not wake Secure Mail
when a notification arrives. However, because the payload contains the message snippet, iOS can display the lockscreen
notification without any mail data having to be synced to the device.
In Secure Mail, this situation is different. Secure Mail must first sync message data from Exchange before the app can show
the lockscreen notification.
Outlook for iOS app behavior. Microsoft controls Outlook for iOS. The organization to which the user belongs, however,
controls the Exchange Servers from which data is obtained. Despite this setup, Outlook can display lockscreen notifications
based on data that Microsoft provides in the APNs notification, because Outlook for iOS makes use of a model in which
Microsoft stores user credentials. Microsoft then directly accesses the user's mailbox from its cloud service and determines
the existence of new mail.
If new mail is available, the Microsoft cloud service generates an APNs notification that contains the new mail data. This
model operates in a similar way to the Gmail model, in which iOS simply takes the data and generates a lockscreen
notification based on that data. The Outlook iOS app is not involved in the process.
Important security note on Outlook for iOS: There are clear security implications in the Outlook for iOS approach.
Organizations need to trust Microsoft with passwords for their users so that Microsoft can access the user's mailbox,
which poses a security risk. For more information about the way Microsoft manages user's passwords, see this Microsoft
Technet article.
For more FAQs specific to administrators on push notifications, please see this Support Knowledge Center article. For more
user-specific FAQs, see this article.
Testing and Troubleshooting Secure Mail
Oct 31, 2017
When Secure Mail isn't working properly, connection issues are typically the cause. This article describes how to avoid
connection issues. If issues occur, this article describes how to troubleshoot the issues.
Testing ActiveSync connections, user authentication, and APNs configuration
The Mail Test App helps you verify that ActiveSync is ready for deployment in a XenMobile environment. The app also
verifies that your environment meets the system requirements for Secure Mail push notifications. The Mail Test App verifies
the following.
iOS and Android device connections with Microsoft Exchange or IBM Traveler servers.
User authentication.
Push notification configuration for iOS, including Exchange Server, Exchange Web Services (EWS), NetScaler Gateway,
APNs certificates, and Secure Mail.
For information about configuring push notifications, see Push Notifications for Secure Mail for iOS.
The tool provides a comprehensive list of recommendations for correcting issues.
Installing the Mail Test App
The Mail Test App, MailTest.ipa, is available for download from http://support.citrix.com/article/CTX141685.
The Mail Test App supports environments configured with client certificate authentication. To install, you wrap MailTest.ipa
with the MDX Toolkit and then add the app to XenMobile.
To uninstall the Mail Test App
1. Press and hold the Mail Test App icon on your home screen until the icon begins to move back and forth.
2. Tap the X in the upper left corner of the icon.
3. When prompted, tap Delete.
Mail Test App Logs
The Mail Test App writes all logs to /documents/citrixlogs/ on a device. If you wrap Mail Test App, the app generates two
files: CtxLog_AppInfo.txt and CtxLog_AppPolicies.xml. Use the Send Log command in Mail Test App to email all log files.
Testing with the Mail Test App
Prerequisites for testing:
Ensure that the Network Access policy is not blocked.
Set the Block Email Compose policy to Off.
To set up a test
1. On the device where you installed the Mail Test App, open the tool.
2. To add the server you are testing, tap Add new server. Specify any of the following to connect to a server:
FQDN (subdomain.example.com)
IP address (10.20.30.40)
Email address ([email protected])
For a cluster configuration, add all the servers including the load balancing server. Tap Next to add more servers or tap
Dismiss to continue with the next step. To delete an added server, swipe left on its name and tap Delete.
3. Enter the following items for the account to be used to test the connection. To enter an item, tap the field, type the
value, and then tap Next.
Username: Specify either the userPrincipalName (UPN) or sAMAccountName attribute.
Domain: Provide the user domain. If you are using an internal domain for the Traveler server, you can leave Domain
blank.
Password: Specify the user password.
To enable Accept All Certificates, set it to On.
By default, the Client OS is set to Auto Detect.
To change the OS, Version, or Device Type, select them from the provided lists.
To add a Version or Device Type, tap its label, tap + and then enter the information as shown in the following example.
When you are finished, tap <. To return to the main screen, tap < again.
4. To change the number of times the test runs, tap Repeat Count and then tap a value.
5. To run the test, tap Diagnose in top right corner.
Test results appear as shown in the following example:
The following example shows how issues are reported.
The following example shows how the tool notifies you that Secure Mail successfully received a test push notification.
If there are issues during the test, the results appear as shown in the following example:
6. For a detailed list of ActiveSync policies, tap Send Logs and then tap Send.
7. To reset the test, tap Reset on the main screen. A reset performs the following actions:
Deletes all Server names.
Clears all Credentials.
Sets Accept All Certificates to Off.
Sets Client Settings to Auto Detect.
Sets Repeat Count to 1.
Using Secure Mail logs to troubleshoot connection issues
All XenMobile Apps generate several logs to assist with troubleshooting. To obtain Secure Mail logs, do the following.
1. Go to Secure Hub > Help > Report Issue.
2. Select Secure Mail from the list of apps.
An email addressed to your organization help desk opens.
3. Fill in the subject line and body with a few words describing your issue.
4. Select the time when it happened.
5. Change log settings only if your support team has instructed you to do so.
6. Click Send.
The completed message opens with zipped log files attached.
7. Click Send again.
The zip files sent include the following logs:
CtxLog_AppInfo.txt (iOS), Device_And_AppInfo.txt (Android), logx.txt and WH_logx.txt (Windows Phone)
App info logs include information about the device and app. Verify that the hardware model and platform version in
use are supported. Verify that the versions of Secure Mail and MDX Toolkit in use are the latest and are compatible.
For details, see System Requirements for Secure Mail and XenMobile compatibility.
CtxLog_VPNConfig.xml (iOS) and VpnConfig.xml (Android)
The VPN configuration logs are provided for Secure Hub only. Check the NetScaler version (<ServerBuildVersion>) to
ensure the latest NetScaler release is in use. Check the <SplitDNS> and <SplitTunnel> settings as follows:
If Split DNS is set to Remote, Local, or Both, verify that you are correctly resolving the mail server FQDN through
DNS. (Split DNS is available for Secure Hub on Android.)
If Split Tunnel is set to On, ensure that the mail server is listed as one of the Internet apps accessible on the backend.
CtxLog_AppPolicies.xml (iOS), Policy.xml (Android and Windows Phone)
The policies logs provide the values of all MDX policies applied to Secure Mail as of the time you obtained the log. For
connection issues, verify the values for the <BackgroundServices> and <BackgroundServicesGateway> policies.
Diagnostic logs (in the diagnostics folder)
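The VPN configuration and policy checks in the preceding list can be scripted once the zipped logs are unpacked. The following Python is an added example, not Citrix code. It assumes each setting is stored as the text of an element with the tag name shown above, wherever that element sits in the file; the sample XML, build number, and host names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# fqdn:port, the form this guide gives for background network service entries.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
FQDN_PORT = re.compile(r"^(%s(?:\.%s)+):(\d{1,5})$" % (LABEL, LABEL))

# Constructed samples; real files carry many more elements.
SAMPLE_VPN_CONFIG = """<VpnConfig>
  <ServerBuildVersion>11.1-55.13</ServerBuildVersion>
  <SplitDNS>Both</SplitDNS>
  <SplitTunnel>On</SplitTunnel>
</VpnConfig>"""

SAMPLE_POLICIES = """<Policies>
  <BackgroundServices>mail.example.com:443, autodiscover.example.com</BackgroundServices>
  <BackgroundServicesGateway>gateway.example.com:443</BackgroundServicesGateway>
</Policies>"""


def first_text(root, tag):
    """Text of the first <tag> element at any depth, or None if absent."""
    for element in root.iter(tag):
        return (element.text or "").strip()
    return None


def parse_service(entry):
    """Return (host, port) for a well-formed fqdn:port entry, else None."""
    match = FQDN_PORT.match(entry.strip())
    if not match or not 1 <= int(match.group(2)) <= 65535:
        return None
    return match.group(1).lower(), int(match.group(2))


def review_vpn_config(xml_text):
    """Turn the VPN configuration log into the follow-up checks it calls for."""
    root = ET.fromstring(xml_text)
    build = first_text(root, "ServerBuildVersion") or "(not reported)"
    todo = ["Confirm NetScaler build %s is the latest release" % build]
    split_dns = (first_text(root, "SplitDNS") or "").lower()
    if split_dns in ("remote", "local", "both"):
        todo.append("Split DNS is %s: verify the mail server FQDN resolves"
                    % split_dns)
    if (first_text(root, "SplitTunnel") or "").lower() == "on":
        todo.append("Split tunnel is on: verify the mail server is listed "
                    "as an accessible app")
    return todo


def review_policies(xml_text, mail_server):
    """Validate the two background-service policies against the mail server."""
    root = ET.fromstring(xml_text)
    raw = first_text(root, "BackgroundServices") or ""
    entries = [e for e in raw.split(",") if e.strip()]
    parsed = [parse_service(e) for e in entries]
    malformed = [e.strip() for e, p in zip(entries, parsed) if p is None]
    hosts = {p[0] for p in parsed if p}
    gateway = first_text(root, "BackgroundServicesGateway") or ""
    return {
        "malformed": malformed,  # entries that are not fqdn:port
        "mail_server_listed": mail_server.lower() in hosts,
        # An empty gateway is valid: it means no alternate gateway is set.
        "gateway_ok": gateway == "" or parse_service(gateway) is not None,
    }


if __name__ == "__main__":
    for item in review_vpn_config(SAMPLE_VPN_CONFIG):
        print(item)
    print(review_policies(SAMPLE_POLICIES, "mail.example.com"))
```

An entry without a port, such as the second sample value, is reported as malformed rather than silently accepted.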
For initial configurations of Secure Mail, the most common issue is “Your Company Network Is Not Currently Available.” To
use the diagnostic logs to troubleshoot connection issues, do the following.
The key columns in the diagnostic logs are Timestamp, Message Class, and Message. When an error message appears in
Secure Mail, make note of the time so you can quickly locate related log entries in the Timestamp column.
To determine whether the connection from the device to NetScaler Gateway succeeded: Review the AG Tunneler entries.
The following messages indicate successful connection:
AG policy Intercepting FQDN:443 for STA tunneling
New TCP proxy connection to (null):443 established
To determine whether the connection from NetScaler Gateway to XenMobile succeeded (and thus can validate the STA
ticket), go to the Secure Hub diagnostic log and review the INFO (4) entries under Message Class, for the time the device
was enrolled. The following messages indicate that Secure Hub obtained a STA ticket from XenMobile:
Getting STA Ticket
Got STA Ticket response
STA Ticket – Success obtaining STA ticket for App -- Secure Mail
Note
During enrollment, Secure Hub sends a request to the XenMobile server for a STA ticket. The XenMobile server sends the STA ticket
to the device, where it is stored and added to the XenMobile server STA ticket list.
To determine if XenMobile Server issued a STA ticket to a user, check the UserAuditLogFile.log, included in the XenMobile
support bundle. It lists for each ticket, the issue time, user name, user devices, and result. For example:
Time: 2015-06-30T12:26:34.771-0700
User: user2
Device: Mozilla/5.0 (iPad; CPU OS 8_1_2 like macOS)
Result: Successfully generated STA ticket for user 'user2' for app 'Secure Mail'
To check the communication from NetScaler Gateway to the mail server: Check if DNS and networking are configured
correctly. To do so, use Secure Web to access Outlook Web Access (OWA). Like Secure Mail, Secure Web can use a micro
VPN tunnel to establish a connection to NetScaler Gateway. Secure Web acts as a proxy to the internal or external
resource the app is accessing. Usually and particularly in an Exchange environment, OWA is hosted on the mail server.
To test the configuration, open Secure Web and enter the FQDN of the OWA page. That request takes the same route
and DNS resolution as communication between NetScaler Gateway and the mail server. If the OWA page opens, you know
that NetScaler Gateway is communicating with the mail server.
If the preceding checks indicate successful communications, you know that the issue isn't with your Citrix setup. Instead,
the issue is with the Exchange or Traveler servers.
You can collect information for your Exchange or Traveler server administrators. First check for HTTP issues on the
Exchange or Traveler servers by searching the Secure Mail diagnostic log for the word Error. If the errors include HTTP codes
and you have multiple Exchange or Traveler servers, investigate each server. Exchange and Traveler have HTTP logs that
show HTTP requests and responses from client devices. The log for Exchange is C:\inetpub\LogFiles\W3SVC1\U_EX*.log.
The log for Traveler is IBM_TECHNICAL_SUPPORT > HTTHR*.log.
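The hop-by-hop checks above, written as a script over exported diagnostic logs. This is an added example, not Citrix code. It assumes the logs are available as CSV with Timestamp, Message Class, and Message columns and a YYYY-MM-DD HH:MM:SS timestamp; the sample rows, including the ERROR class label and the HTTP 503 line, are constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the export

# Success messages quoted in this article, grouped by the hop they prove.
GATEWAY_MARKERS = [
    re.compile(r"AG policy Intercepting \S+ for STA tunneling"),
    re.compile(r"New TCP proxy connection to \S+ established"),
]
STA_MARKERS = [
    re.compile(r"Getting STA Ticket"),
    re.compile(r"Got STA Ticket response"),
    re.compile(r"Success obtaining STA ticket for App"),
]
HTTP_CODE = re.compile(r"HTTP(?:/\d\.\d)?\D{0,20}?([1-5]\d{2})\b")

# Constructed sample rows for the Secure Mail and Secure Hub diagnostic logs.
SAMPLE_MAIL_LOG = """Timestamp,Message Class,Message
2017-10-31 09:14:01,INFO (4),AG policy Intercepting mail.example.com:443 for STA tunneling
2017-10-31 09:14:02,INFO (4),New TCP proxy connection to (null):443 established
2017-10-31 09:14:05,ERROR (1),Error: sync request failed with HTTP status 503
"""
SAMPLE_HUB_LOG = """Timestamp,Message Class,Message
2017-10-30 16:02:10,INFO (4),Getting STA Ticket
2017-10-30 16:02:11,INFO (4),Got STA Ticket response
2017-10-30 16:02:11,INFO (4),STA Ticket – Success obtaining STA ticket for App -- Secure Mail
"""


def parse_log(text):
    """Read a diagnostic log exported as CSV with the three key columns."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["Timestamp"], TS_FORMAT),
            "cls": rec["Message Class"],
            "msg": rec["Message"],
        })
    return rows


def missing_markers(rows, markers):
    """Return the marker patterns that no row's message matches."""
    return [m.pattern for m in markers
            if not any(m.search(r["msg"]) for r in rows)]


def triage(mail_rows, hub_rows, error_time, window_minutes=5):
    """Check each hop in the order the article does and name the first gap."""
    when = datetime.strptime(error_time, TS_FORMAT)
    lo = when - timedelta(minutes=window_minutes)
    hi = when + timedelta(minutes=window_minutes)
    # Secure Mail entries close to the time the user saw the error.
    near = [r for r in mail_rows if lo <= r["ts"] <= hi]
    gateway_missing = missing_markers(near, GATEWAY_MARKERS)

    # STA messages are logged at enrollment, so no time window applies here.
    info_rows = [r for r in hub_rows if r["cls"].startswith("INFO")]
    sta_missing = missing_markers(info_rows, STA_MARKERS)

    # Lines containing the word Error, with any HTTP status code pulled out
    # for the Exchange or Traveler administrators.
    errors = []
    for r in near:
        if "error" in r["msg"].lower():
            hit = HTTP_CODE.search(r["msg"])
            code = int(hit.group(1)) if hit else None
            errors.append((r["ts"].strftime(TS_FORMAT), code, r["msg"]))

    if gateway_missing:
        failed = "device_to_gateway"
    elif sta_missing:
        failed = "sta_ticket"
    else:
        failed = None  # logs show both hops; test OWA through Secure Web next
    return {"first_failed_stage": failed, "gateway_missing": gateway_missing,
            "sta_missing": sta_missing, "errors": errors}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_MAIL_LOG), parse_log(SAMPLE_HUB_LOG),
                    "2017-10-31 09:15:00")
    print(result["first_failed_stage"], result["errors"])
```

A result of None for first_failed_stage does not cover the NetScaler Gateway to mail server hop; that still needs the OWA test through Secure Web.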
Troubleshooting issues with Email, Contacts, or Calendar
You can troubleshoot Secure Mail issues, such as an email or emails stuck in drafts, missing contacts, or calendar items out-of-sync. To troubleshoot these issues, use Exchange ActiveSync mailbox logs. The logs show incoming requests sent by the
devices and the outgoing responses from the mail server.
For more details, see these TechNet blog posts:
Exchange ActiveSync Mailbox Logging
Under The Hood: Exchange ActiveSync Mailbox Log Analysis
Unlimited sync best practices
When users set their sync mail period to All, they have unlimited sync. With unlimited sync, the assumption is that users
manage their mailbox size, which is the Inbox and all synced subfolders. Here are a few points to keep in mind for best
performance.
1. If the mailbox size exceeds 18,000 messages or 600 MB in total size, email sync can slow down.
2. It is not recommended to enable Load Attachments on WiFi with unlimited sync. This option can cause the mail size to
bloat quickly on the device.
3. To prevent unlimited sync as an option for users, set the Max sync interval app policy to a value other than All.
4. It is not recommended to set All as the Default sync interval for users.
iOS Data Protection
Oct 31, 2017
Enterprises who must meet Australian Signals Directorate (ASD) data protection requirements can use the Enable iOS data
protection policies for Secure Mail and Secure Web. By default the policies are Off.
When Enable iOS data protection is On for Secure Web, Secure Web uses Class A protection level for all files in the
sandbox. For details about Secure Mail data protection, see Australian Signals Directorate Data Protection. If you enable
this policy, the highest data protection class is used so there is no need to also specify the Minimum data protection
class policy.
To change the Enable iOS data protection policy:
1. Use the latest MDX Toolkit to wrap the latest version of XenMobile Apps. For details, see Wrapping iOS Mobile Apps and
Wrapping XenMobile Apps for iOS 8 or iOS 9.
2. Use the XenMobile console to load the MDX files to the XenMobile Server: For a new app, navigate to Configure > Apps
> Add and then click MDX. For an upgrade, see Upgrade MDX or enterprise apps.
3. For Secure Mail, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices
running older operating system versions are not affected when this policy is enabled.
4. For Secure Web, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices
running older operating system versions are not affected when this policy is enabled.
5. Configure the app policies as usual and save your settings to deploy the app to the XenMobile Store.
Certificate-based authentication with Office 365
Oct 31, 2017
Secure Mail supports certificate-based authentication (also known as client-based authentication) with Office 365. Secure
Mail users with iOS and Android devices can take advantage of certificate-based authentication when connecting to
Office 365. When they sign on to Secure Mail, users authenticate by using a client certificate, instead of typing their
credentials. This article discusses how to configure certificate-based authentication for Office 365.
Support for certificate-based authentication in Secure Mail exists for on-premises Exchange configurations. If you had
already set up certificate-based authentication in XenMobile, you now configure Exchange Online, Azure Active Directory,
and Active Directory Federation Services (ADFS) on Windows Server. Then, users with Secure Mail versions 10 and later can
take advantage of certificate-based authentication to connect to their Office 365 accounts.
If you have not configured certificate-based authentication in XenMobile, you first enable the feature in the XenMobile
console. For details, see Client certificate or certificate plus domain authentication. Then, you enable certificate-based
authentication for Exchange Online, Azure AD, and ADFS on Windows Server.
The procedures in this article assume that you have enabled certificate-based authentication in XenMobile Server.
The following figure shows how the components involved in certificate-based authentication integrate.
Prerequisites
1. A copy of the certificate (X.509) generated from the Certificate Authority (CA) when you configured PKI Entities in the
XenMobile console.
The CA must have a certificate revocation list (CRL) that can be referenced via a URL.
In the certificate Subject Alternative Name field, include the user email address in the RFC822 Name or the Principal
Name value. For example, see the following figure.
The following steps show how you configure certificate-based authentication for Exchange Online, Azure AD, and ADFS on
Windows Server.
This article summarizes configuration guidance from Microsoft. If you have trouble with the steps for configuring the
Microsoft components, we recommend that you see the Microsoft documentation for more information.
To enable Exchange Online
Microsoft Exchange Online uses modern authentication features of the Office 365 tenant. These features enable
authentication features like multifactor authentication (MFA) by using smart cards, certificate-based authentication, and
third-party SAML identity providers. By default, modern authentication isn't enabled in Exchange Online. To enable modern
authentication, do the following.
1. Connect to Exchange Online PowerShell. For details, see the Microsoft documentation.
2. Run the following command.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
3. To verify that the change was successful, run the following command.
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
To configure Azure AD
Exchange Online sends a prompt=login command to Azure AD in a request. By default, Azure AD translates this command
in the request to ADFS as wauth=usernamepassworduri.
By default, Azure AD prompts ADFS to do user name and password (U/P) authentication. Azure AD also sends the command 'wfresh=0' which
prompts Azure AD to ignore the single sign-on (SSO) state and to do a fresh authentication.
1. Change the default Azure AD Set PromptLoginBehavior behavior.
a. Connect to Office 365 PowerShell. For details, see the Microsoft documentation.
b. Run the following command in Office 365 PowerShell. Note: The domain is the same as the mail server domain.
Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
2. Configure the certificate authorities in Azure AD. Upload the public portion of the root certificate, as discussed in the
preceding list of prerequisites.
a. Connect to Azure AD PowerShell. For details, see the Microsoft documentation.
b. Run the following set of commands in Azure AD PowerShell. The .cer file is available locally on the machine.
$cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]"
$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType=0
$new_ca.TrustedCertificate=$cert
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
3. Configure revocation in Azure AD.
To revoke a client certificate, Azure AD fetches and caches the certificate revocation list (CRL) from the URLs, which were
uploaded as part of the CA information. The last publish timestamp (Effective Date property) in the CRL is used to ensure
that the CRL is still valid. The CRL is periodically referenced to revoke access to certificates that are a part of the list. To
ensure that the revocation persists, you must set the Effective Date of the CRL to a date after the value set by
StsRefreshTokensValidFrom.
Ensure also that the certificate in question is in the CRL. The following steps outline the process for updating and
invalidating the authorization token by setting the StsRefreshTokensValidFrom field.
a. Connect to the MSOL service. For details, see the Microsoft documentation.
b. Retrieve the current StsRefreshTokensValidFrom value for a valid user by running the following commands.
$user = Get-MsolUser -UserPrincipalName [email protected]
$user.StsRefreshTokensValidFrom
c. Configure a new StsRefreshTokensValidFrom value for the user equal to the current timestamp by running the
following command.
Set-MsolUser -UserPrincipalName [email protected] -StsRefreshTokensValidFrom ("03/15/2017")
The date you set must be in the future. If the date is not in the future, the StsRefreshTokensValidFrom property is not
set. If the date is in the future, StsRefreshTokensValidFrom is set to the current time (not the date indicated by the Set-MsolUser command).
To configure ADFS
You complete two main steps to configure ADFS.
Enable certificates as an authentication method.
Configure claims in an ADFS token.
1. Enable certificates as an authentication method.
a. Open the ADFS management console and then navigate to Service > Authentication Methods > Edit Primary
Authentication Methods.
b. Under Extranet, select the Certificate Authentication check box.
c. Under Intranet, optionally select the Certificate Authentication check box.
Most of your devices that use certificate authentication are likely to come only from the extranet. For that reason,
the Intranet selection is optional.
2. Configure claims in the ADFS token.
Azure AD sends the issuer and serial number to ADFS so that ADFS can revoke or deny authentication in different access
scenarios. If a device is lost or stolen, for example, the administrator can update the CRL. Then, Azure AD revokes access by
using certificate authentication. To configure claims, do the following.
a. Navigate to Service > Claim Descriptions > Add Claim Description.
b. In the Active Directory Claims Provider trust, add the following two rules. These rules indicate to ADFS to allow an
Active Directory user to pass through when authenticating.
Serial Number of the Client Certificate - http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>
Issuer of the client certificate - http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>
The following figures are examples of the completed fields.
Citrix Secure Notes
Oct 12, 2017
Citrix Secure Notes lets users manage their notes on their mobile devices. Users can create, share, and organize notes that
contain text, photos, or audio.
There are two options for storing notes: Secure Notes on a Microsoft Exchange Server or Secure Notes + on a ShareFile
server.
Secure Notes. The Exchange option integrates with Outlook so that users enjoy data continuity and basic functionality.
Users sync notes, format text, create notebooks, and email notes. For Android users, Secure Notes syncs with Exchange
through Citrix Secure Mail. For iOS users, Secure Notes syncs directly with Exchange.
Secure Notes +. The ShareFile option includes all the features of the Exchange option. In addition, users can capture
whiteboard photos or record conversations. They can tap to send notes to meeting attendees. And they can set up
reminders for their notes.
You can deploy both options to users through the Secure Notes version and the Secure Notes + version. The first time
users sign on, they select the version they want.
With Secure Notes, users can:
Create and share notes with text, image, or audio content. The inclusion of audio content requires the Secure Notes +
version.
Tag notes.
Organize notes into folders that they can color-code by category.
Email notes to Secure Mail contacts.
Sync with Exchange.
Upload notes to ShareFile.
Move notes between folders.
Format and spellcheck text with an in-app editor.
Map their location when creating a note. Requires the Secure Notes + version.
Set reminders on notes that contain tasks or actionable items. Requires the Secure Notes + version.
View notebooks as a grid.
Select text from a Secure Mail message and add it to an existing note or create a new note with it.
Have their notes auto-saved to local storage several times a minute.
As part of XenMobile Apps, Secure Notes benefits from single sign-on (SSO) compatibility with Citrix Secure Hub. After users
sign on to Secure Hub, they can move seamlessly into Secure Notes without having to reenter their user names and
passwords.
You can configure Secure Notes to be pushed to user devices automatically when the devices enroll in Secure Hub.
Alternatively, users can add the app from the XenMobile Store.
To begin, download Secure Notes and other XenMobile components from the XenMobile downloads page.
For Secure Notes and other XenMobile App system requirements, see System requirements for XenMobile Apps.
Secure Notes for Web
Users with accounts linked to ShareFile can sync notes between their mobile devices and their laptops or desktops. They do
so through a web-based version of Secure Notes. They sign on to the web-based version with their ShareFile user names
and passwords. They can store notes in your private StorageZones as well. Accounts linked to Exchange can already sync
notes between desktop and mobile.
For configuration details, see the next section on Integrating and Delivering Secure Notes.
Secure Notes for Web offers many of the same features as the mobile version:
Create, view, edit, tag, search, sort, and print notes.
Mark notes as favorites.
Create and color-code notebooks.
Move notes from one notebook to another.
Play audio files attached to notes.
Set reminders.
Secure Notes for Web works only with ShareFile cloud deployments. Certain features are not currently available, such as
the ability to sync offline notes, email notes, or link notes to calendar events. Secure Notes for Web also does not work on
mobile browsers.
Integrating and Delivering Secure Notes
1. You can integrate Secure Notes for iOS with an Exchange Server. (Secure Notes for Android uses the Secure Mail for
Android account to sync Exchange notes.) The configuration uses Active Directory credentials to authenticate to
Exchange. For details, see Integrating Exchange Server or IBM Notes Traveler Server.
2. For Secure Notes and Secure Notes for Web: You can optionally enable single sign-on (SSO) from Secure Hub. To do
that, you configure ShareFile account information in XenMobile to enable XenMobile as a SAML identity provider for
ShareFile. The configuration uses Active Directory credentials to authenticate to ShareFile.
Configuring the ShareFile account information in XenMobile is a one-time setup used for all XenMobile clients, ShareFile
clients, and non-MDX ShareFile clients. For details, see ShareFile Single Sign-On.
3. For Secure Notes for Web: Update the ShareFile Login URL, which redirects authentication when ShareFile attempts
SAML-based SSO. The following change is required for Secure Notes for Web and is also compatible with Secure Notes.
In the ShareFile administrator console, go to Admin > Configure Single Sign-On and update the Login URL as follows:
https://NetScalerFQDN/cginfa/https/XenMobileFQDN:443/samlsp/websso.do?action=authenticateUser&app=SAML_AppName&reqtype=1&nssso=true
For details about SAML_AppName and NetScaler Gateway configuration for ShareFile, see ShareFile Single Sign-On.
4. Secure Notes for iOS syncs directly with Exchange and consumes one Exchange Active Sync (EAS) device ID position on
the server. Citrix recommends increasing the number of EAS partnerships to 20, so that users don't exceed the maximum
number of devices allowed. If users exceed the maximum, Secure Notes does not sync. To increase EAS partnerships,
update the EASMaxDevices property of the Exchange Server throttling policy. For details on managing EAS partnerships,
see this blog post.
Alternatively, users can delete devices they're not using. To do so, they must sign on to Outlook Web App and go to
Options > Phone > Mobile Phones. From there, they can remove devices from the list, as shown in the following figure.
5. Download Secure Notes from the XenMobile downloads page. Wrap Secure Notes with the MDX Toolkit. For details, see
About the MDX Toolkit.
6. Add Secure Notes to XenMobile and configure MDX policies, as described in the next section.
Add Secure Notes to XenMobile
You add Secure Notes to XenMobile by using the same steps as for other MDX apps. For details, see Add an MDX app.
When adding Secure Notes, be aware of the following MDX policies that are specific to Secure Notes.
For all supported mobile devices:
Secure Notes storage options
Allows you to set storage options for notes that users create when using Secure Notes. If you choose the ShareFile and
Exchange Server option, the user can choose the storage option for notes. If ShareFile only, notes are stored in
ShareFile. If Exchange only, notes are stored in Exchange Server. Default value is ShareFile and Exchange Server.
ShareFile offers users more features than Exchange; see the section Secure Notes Features, below, for more information.
Accept all SSL certificates
If On, Secure Notes accepts all SSL certificates (valid or not) and allows access. If Off, Secure Notes blocks access when a
certificate error occurs and displays a warning. Default value is Off.
Information Rights Management
If On, Secure Notes supports Exchange Information Rights Management (IRM) capabilities. Default value is Off.
Google analytics
If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default value is On.
In addition, Secure Notes for iOS has policies related to integration with Exchange Server. For details, see Integrating
Exchange Server or IBM Notes Traveler Server. Secure Notes for Android uses the Secure Mail for Android account to sync
Outlook notes.
Secure Notes Features
Secure Notes interacts with other XenMobile Apps for a productive workflow within the secure XenMobile environment.
From within Secure Notes, users can email notes to Secure Mail contacts or upload their notes to ShareFile for easy
sharing.
When you set Secure Notes storage options to ShareFile and Exchange, first-time users are asked to select the version
they want. They can choose Secure Notes or Secure Notes +, as shown in the following figure.
When users tap Compare, a list of the different features available with each version appears. The following figure shows
the features for Secure Notes.
The following figure shows the features for Secure Notes +.
Linking Notes to Meetings
iOS users can link Secure Notes to their calendars to receive notices of meetings and, during meetings, take notes that
they can easily share. Afterward, the meeting remains associated with the note. To enable this feature, users tap Link Your
Calendar during the initial sign-on and provide their email account credentials.
If users tap Skip this for now, they can link Secure Notes to meetings later by going into Settings and tapping on Link My
Calendar.
Deleting Accounts
Android users can de-link their Exchange accounts without having to delete their Secure Notes accounts. After de-linking,
users return to the initial Secure Notes sign-on screen. From there, they can choose to create a ShareFile account or
another Exchange account. In iOS, when users delete their accounts, the app creates a new account automatically.
Secure Notes Supported File Formats
Secure Notes supports m4a audio files and the following image files:
JPEG
PNG
BMP
GIF
WebP
Users cannot open PDF files in Secure Notes. iOS users, however, can email notes as PDFs. Secure Notes also does not
support video or documents.
Citrix Secure Tasks
Oct 12, 2017
Citrix Secure Tasks lets users manage their Microsoft Outlook tasks on their mobile devices. Secure Tasks syncs with
Exchange Server so that tasks, flagged messages, and categories that users create in Outlook appear in Secure Tasks. Users
can also create tasks within the app itself.
For Android users, Secure Tasks syncs with Exchange via Citrix Secure Mail. For iOS users, Secure Tasks syncs directly with
Exchange. You can configure Secure Tasks to be pushed to users' devices automatically when the devices enroll in Citrix
Secure Hub, or users can add the app from the XenMobile Store.
As a XenMobile app, Secure Tasks benefits from single sign-on (SSO) compatibility with Secure Hub. After users sign on to
Secure Hub, they can move seamlessly into Secure Tasks without having to reenter their user names and passwords.
To begin, download Secure Tasks and other XenMobile components from the XenMobile downloads page.
For Secure Tasks and other XenMobile App system requirements, see System requirements for XenMobile Apps.
Integrating and Delivering Secure Tasks
To integrate and deliver Secure Tasks with XenMobile, follow these general steps:
1. You can integrate Secure Tasks for iOS with an Exchange Server. (Secure Tasks for Android uses the Secure Mail for
Android account to sync Exchange tasks.) The configuration uses Active Directory credentials to authenticate to
Exchange. For details, see Integrating Exchange Server or IBM Notes Traveler Server.
2. Secure Tasks for iOS syncs directly with Exchange and consumes one Exchange Active Sync (EAS) device ID position on
the server. Citrix recommends increasing the number of EAS partnerships to 20, so that users don't exceed the maximum
number of devices allowed. If users exceed the maximum, Secure Tasks does not sync. To increase EAS partnerships,
update the EASMaxDevices property of the Exchange Server throttling policy. For details on managing EAS partnerships,
see this blog post.
Alternatively, users can delete devices they are not using. To do this, they must sign on to Outlook Web App and go to
Options > Phone > Mobile Phones. From there, they can remove devices from the list, as shown in the following figure.
3. Download and wrap Secure Tasks. For details, see About the MDX Toolkit.
4. Add Secure Tasks to XenMobile and configure MDX policies, as described in the next section.
Adding Secure Tasks to XenMobile
Add Secure Tasks to XenMobile using the same steps as for other MDX apps. For details, see Add an MDX app. When
adding Secure Tasks, be aware of the following MDX policies that are specific to Secure Tasks.
iOS-only Secure Tasks policies:
Secure Tasks Exchange Server. Fully qualified domain name (FQDN) for Exchange Server. Default value is empty.
Secure Tasks user domain. Default Active Directory domain name for Exchange users. Default value is empty.
Secure Mail Allowed URLs. Be sure to add +^ctxtasks: to this policy.
Secure Tasks policies for Android and iOS:
Background network services. Comma-separated list of service addresses and ports that are permitted for background
network access. Each service should be of the form fqdn:port. Default value is empty, implying background network
services are not available.
Background services ticket expiration. Time period that a background network service ticket should remain valid. After
expiration, an enterprise logon is required to renew the ticket. Default value is 168 hours (7 days).
Google analytics. If On, Citrix collects anonymous data to improve product quality. If Off, no data is collected. Default
value is On.
Background network service gateway. Alternate gateway address to use for background network services in the
form fqdn:port. Default value is empty, implying that there is no alternate gateway.
Accept all SSL certificates. If On, Secure Tasks accepts all SSL certificates (valid or not) and allows access. If Off,
Secure Tasks blocks access when a certificate error occurs and displays a warning. Default value is Off.
Secure Tasks Features
Users can populate their task list in several ways: by creating tasks in Outlook or within Secure Tasks itself by tapping the +
icon, or by flagging messages in Outlook or Secure Mail.
Users can see their tasks in Secure Tasks when they tap, respectively, the Tasks and Flagged Mail icons at the bottom of
the screen. There are also icons for completed tasks and all tasks.
When the task list includes tasks, users can perform several functions:
Prioritize. They can label tasks as High, Normal, or Low priority.
Apply categories. They can create categories in the app or sync categories with Outlook to help organize their tasks.
Uncategorized tasks go into No Categories.
Filter by category. Users can view and manage only the tasks within the categories they select.
Search and sort. Users can search the tasks on their task lists, and they can sort tasks by due date and priority.
Set due dates. Users can set a due date for each task. When sorted, tasks are sectioned into No Due date, Overdue,
Today, This week, This Month, and Other.
Set repeating tasks. Users can set tasks to repeat every day, week, weekday, month, or year.
Note: Although users will see a Custom setting for repeating tasks, that feature isn't available for this tech preview.
Reply to/forward flagged mail. This feature makes it convenient to reply to a flagged mail and then immediately
complete the task.
View tasks offline. When users have no Internet connectivity, they can still view tasks on their devices. They can also
create, edit, and delete tasks; the changes apply when connectivity is restored and Secure Tasks is synced.
Set reminders. Notifications appear at the time the user sets.
Google analytics. You can integrate data-collection programs, such as Google Analytics, to send Citrix data to help
improve Citrix products. All data collected is anonymous. You can opt out of data collection by setting the
UsageAnalytics policy to Off.
Sync Behavior
By default, Secure Mail syncs flagged mail only from the Inbox. If Android users want to see flagged messages from other
folders, they need to turn on syncing for those folders in Secure Mail. To do so, they select the folder to be synced and
then tap the three dots in the upper-right corner to bring up Sync options. Then they tap Sync options, and select how
often the flagged messages should sync.
The length of time that flagged mail and tasks are synced and stored on the device varies according to operating system:

| Operating system | Flagged Mail | Tasks |
|---|---|---|
| iOS | One month | Unlimited |
| Android | Secure Mail settings | Unlimited |

To change the sync window in Android, go to Sync options for the relevant folder, tap Days to sync and then select the
sync window.
Citrix Secure Web
Oct 12, 2017
Citrix Secure Web is a mobile web browser that provides secure access to internal and external sites. You can configure
Secure Web to be pushed to user devices automatically when the devices are enrolled in Citrix Secure Hub, or users can add
the app from the XenMobile Store.
You can download Secure Web and other XenMobile components from XenMobile Downloads.
For Secure Web and other XenMobile App system requirements, see System requirements for XenMobile Apps.
Integrating and Delivering Secure Web
Beginning with version 10.4.1, you can distribute Secure Web as an enterprise app or from public app stores. For more
information, see XenMobile Apps administration and delivery.
Citrix will support both enterprise distribution and public app store distribution until November 30, 2017. After that, only
public app store distribution will be supported. The MDX Toolkit will continue to support enterprise wrapping for app
developers.
To integrate and deliver Secure Web as an enterprise app, follow these general steps:
1. To enable SSO to the internal network, configure NetScaler Gateway.
For HTTP traffic, NetScaler can provide SSO for all proxy authentication types supported by NetScaler. For HTTPS
traffic, the Web password caching policy enables Secure Web to authenticate and provide SSO to the proxy server
through MDX. MDX supports basic, digest and NTLM proxy authentication only. The password is cached using MDX and
stored in the XenMobile shared vault, a secure storage area for sensitive app data. For details about NetScaler Gateway
configuration, see NetScaler Gateway.
2. Download and wrap Secure Web. For details about wrapping apps, see About the MDX Toolkit.
3. Determine how you want to configure user connections to the internal network. For details, see Configuring User
Connections.
4. Add Secure Web to XenMobile, by using the same steps as for other MDX apps and then configure MDX policies. For
details about policies specific to Secure Web, see About Secure Web Policies.
Configuring User Connections
Secure Web supports the following configurations for user connections:
Secure browse. Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as
secure browse. This is the default configuration specified for the Preferred VPN mode policy. Secure browse is
recommended for connections that require single sign-on (SSO).
Full VPN tunnel. Connections that tunnel to the internal network can use a full VPN tunnel, configured by the
Preferred VPN mode policy. Full VPN tunnel is recommended for connections that use client certificates or end-to-end
SSL to a resource in the internal network. Full VPN tunnel handles any protocol over TCP and can be used with Windows
and Mac computers as well as iOS and Android devices.
The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse
modes as needed. By default, this policy is off. When this policy is on, a network request that fails due to an
authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For
example, server challenges for client certificates can be accommodated by the full VPN tunnel mode, but not secure
browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure
browse mode.
Full VPN tunnel with PAC. You can use a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment
for iOS and Android devices. A PAC file contains rules that define how web browsers select a proxy to access a given
URL. PAC file rules can specify handling for both internal and external sites. Secure Web parses PAC file rules and sends
the proxy server information to NetScaler Gateway.
The full VPN tunneling performance when a PAC file is used is comparable to secure browse mode. For details about PAC
configuration, see Full VPN Tunneling with PAC.
The following table summarizes the differences between the user connection configurations.

| Secure Browse | Full VPN tunnel | Full VPN tunnel with PAC file |
|---|---|---|
| NetScaler provides SSO. | XenMobile supports proxy authentication provided by NetScaler. NetScaler provides SSO for all proxy authentication types supported by NetScaler. For authentication to HTTPS web sites, the Enable web password caching policy enables Secure Web to authenticate and provide SSO to the proxy server through MDX. MDX supports basic, digest and NTLM proxy authentication only. The password is cached using MDX and stored in the XenMobile shared vault, a secure storage area for sensitive app data. | |
| Proxies HTTP and HTTPS traffic. | Proxies HTTP and HTTPS traffic. | Proxies HTTP and HTTPS traffic. Tunnels all TCP and DNS traffic originating from Secure Web for iOS and Android. |
| NetScaler Gateway replies to 401 and 407 responses. | MDX replies to 401 responses for HTTPS traffic. NetScaler Gateway replies to 401 responses for HTTP traffic. NetScaler Gateway replies to 407 responses when a proxy server is configured. | MDX replies to 401 responses for HTTPS traffic. NetScaler Gateway replies to 401 responses for HTTP traffic. NetScaler Gateway replies to 407 responses when a proxy server is configured. If NetScaler Gateway is unable to reply, it passes the request to MDX, which caches the credentials. |
| Rewrites URLs. | Intercepts sockets. | |
| No client certificate support for backend services. | Provides client certificate validation. | iOS and Android validate client certificates. |
| NetScaler Gateway performs name resolution and relies on DNS suffixes for internal and external sites. | DNS servers perform name resolution. | |
| HTTPS handshake is between NetScaler Gateway and the backend server. | HTTPS handshake is between Secure Web and the backend server. | |

The following table notes whether Secure Web prompts a user for credentials, based on the configuration and site type:

| Connection mode | Site type | Password caching? | SSO configured for NetScaler Gateway? | Secure Web prompts for credentials? On first access of a website | Secure Web prompts for credentials? On subsequent access of the website | Secure Web prompts for credentials? After password change |
|---|---|---|---|---|---|---|
| Secure Browse | HTTP | No | Yes | No | No | No |
| Secure Browse | HTTPS | No | Yes | No | No | No |
| Full VPN | HTTP | No | Yes | No | No | No |
| Full VPN | HTTPS | Yes (1) | No | Yes (2) | No | Yes |

(1) If the Secure Web MDX policy Enable web password caching is On.
(2) Required to cache the credential in Secure Web.
Full VPN Tunneling with PAC
Important
If Secure Web is configured with a PAC file and NetScaler is configured for proxy operation, Secure Web will time out. You must
remove NetScaler Gateway traffic policies configured for proxy before using full VPN tunneling with PAC.
When you configure Secure Web for full VPN tunneling with your PAC file or proxy server, Secure Web sends all traffic to
the proxy through NetScaler Gateway, which then routes traffic according to the proxy configuration rules. In this
configuration, NetScaler Gateway is unaware of the PAC file or proxy server. The traffic flow is the same as for full VPN
tunneling without PAC.
The following diagram shows the traffic flow when Secure Web users navigate to a web site:
In that example, the traffic rules specify that:
NetScaler Gateway directly connects to the intranet site example1.net.
Traffic to intranet site example2.net is proxied through internal proxy servers.
External traffic is proxied through internal proxy servers. Proxy rules block external traffic to Facebook.com.
To configure full VPN tunneling with PAC
1. Validate and test the PAC file:
Note
For details about creating and using PAC files, see http://findproxyforurl.com/.
Validate your PAC file using a PAC validation tool such as Pacparser https://github.com/pacparser/pacparser. When you
read your PAC file, ensure the Pacparser results are what you expect. If the PAC file has a syntax error, mobile devices will
silently ignore the PAC file. (A PAC file is stored only in memory on mobile devices.)
A PAC file is processed from the top down and processing stops when a rule matches the current query.
Test the PAC file URL with a web browser before entering it into the PAC/Proxy field of the XenMobile Server. Make sure that
the computer can access the network where the PAC file is located.
http://webserver.local/GenericPAC.pac
https://webserver.local/GenericPAC.pac
Tested PAC file extensions are .txt or .pac.
The PAC file should show its contents inside the web browser.
Important
Each time you update the PAC file used with Secure Web, inform users that they must close and reopen Secure Web.
2. Configure NetScaler Gateway:
Disable NetScaler Gateway split tunneling. If split tunneling is on and a PAC file is configured, the PAC file rules override
the NetScaler split tunneling rules. A proxy does not override NetScaler split tunneling rules.
Remove NetScaler Gateway traffic policies configured for proxy. This is required for Secure Web to work correctly. The
following figure shows an example of the policy rules to remove.
3. Configure Secure Web policies:
Set the Preferred VPN mode policy to Full VPN tunnel.
Set the Permit VPN mode switching policy to Off.
Configure the PAC file URL or proxy server policy. Secure Web supports HTTP and HTTPS as well as default and
non-default ports. For HTTPS, the root certificate authority must be installed on the device if the certificate is self-signed or
untrusted.
Be sure to test the URL or proxy server address in a web browser before configuring the policy.
Example PAC file URLs:
http[s]://example.com/proxy.pac
http[s]://10.10.0.100/proxy.txt
Example proxy servers (port is required):
myhost.example.com:port
10.10.0.100:port
Note
If you configure a PAC file or proxy server, do not configure PAC in system proxy settings for WiFi.
Set the Enable web password caching policy to On. Web password caching handles SSO for HTTPS sites.
NetScaler can perform SSO for internal proxies if the proxy supports the same authentication infrastructure.
Limitations of PAC file support
Secure Web does not support:
Failover from one proxy server to another. PAC file evaluation can return multiple proxy servers for a hostname. Secure
Web uses only the first proxy server returned.
Protocols, such as ftp and gopher in a PAC file.
SOCKS proxy servers in a PAC file.
Web Proxy Autodiscovery Protocol (WPAD).
Secure Web ignores the PAC file function alert so that Secure Web can parse a PAC file that doesn't include those calls.
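The validation step and the limitations above can be checked together before a PAC file URL is entered into the policy. The following is an added example, not Citrix code: it compiles a PAC file so a syntax error is reported instead of silently ignored, then flags answers that rely on proxy failover or SOCKS. The PAC text, host names such as proxy1.corp.example, and the helper stand-ins are constructed for illustration.

```javascript
// Added example: lint a PAC file against the Secure Web limitations listed above.
// The PAC text, host names and proxy addresses are constructed for illustration.

// Minimal stand-ins for the standard PAC helper functions the sample uses.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, shexp) => {
    const body = shexp
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".");
    return new RegExp("^" + body + "$").test(str);
  },
  alert: () => {}, // Secure Web ignores alert(); so does this harness
};

// Constructed PAC file for the traffic rules in the example above:
// example1.net goes direct, everything else goes to internal proxy servers.
const samplePac = `
function FindProxyForURL(url, host) {
  // Processed top down; the first matching rule decides.
  if (host === "example1.net" || dnsDomainIs(host, ".example1.net")) {
    return "DIRECT";
  }
  if (host === "example2.net" || dnsDomainIs(host, ".example2.net")) {
    return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
  }
  return "PROXY proxy1.corp.example:8080";
}`;

// Compile the PAC text. A syntax error is reported here; on a mobile device
// the same file would be silently ignored.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  try {
    const factory = new Function(
      ...names,
      pacSource + '\nreturn typeof FindProxyForURL === "function" ? FindProxyForURL : null;'
    );
    const find = factory(...names.map((n) => pacHelpers[n]));
    if (!find) return { ok: false, error: "FindProxyForURL is not defined" };
    return { ok: true, find };
  } catch (err) {
    return { ok: false, error: String(err) };
  }
}

// Evaluate one URL and apply the documented limitations to the answer.
function checkUrl(find, url) {
  const host = new URL(url).hostname;
  const answer = find(url, host);
  const warnings = [];
  if (typeof answer !== "string") {
    return { url, effective: "", warnings: ["PAC file returned no proxy string"] };
  }
  const entries = answer.split(";").map((e) => e.trim()).filter(Boolean);
  if (entries.length > 1) {
    warnings.push(`no failover: only the first of ${entries.length} entries is used`);
  }
  const effective = entries[0] || "";
  if (/^SOCKS/i.test(effective)) {
    warnings.push("SOCKS proxy servers are not supported");
  }
  return { url, effective, warnings };
}

// Lint a PAC file against a list of URLs that users are expected to open.
function lintPac(pacSource, urls) {
  const pac = loadPac(pacSource);
  if (!pac.ok) return { loaded: false, error: pac.error, results: [] };
  return { loaded: true, error: null, results: urls.map((u) => checkUrl(pac.find, u)) };
}

const report = lintPac(samplePac, [
  "http://intranet.example1.net/home",
  "http://apps.example2.net/",
  "https://www.example.org/",
]);
for (const r of report.results) {
  console.log(r.url, "->", r.effective, r.warnings.join("; "));
}
```

The effective entry is what Secure Web would use according to the limitations above; a second proxy in the returned string gives no redundancy.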
Secure Web Policies
When adding Secure Web, be aware of these MDX policies that are specific to Secure Web.
For all supported mobile devices:
Allowed or blocked websites
Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites.
You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each
pattern in the list is preceded by a plus sign (+) or minus sign (-). The browser compares a URL against the patterns in the
order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address
could not be resolved.
A plus (+) prefix allows the URL to be processed normally.
If neither + nor - is provided with the pattern, + (allow) is assumed.
If the URL does not match any pattern in the list, the URL is allowed.
To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:
The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within mycorp.com domain,
but blocks them elsewhere, permits HTTPS and FTP URLs anywhere, and blocks all other URLs.
The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users to open any site in the Training.lab domain
(intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.
Default value is empty (all URLs allowed).
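To check a policy value before deploying it, the ordered first-match rules above can be evaluated offline. The following is an added example, not Citrix code, and it assumes details this page does not state: that * matches any run of characters, that a pattern must match the whole URL, and that matching ignores case. The two policy values come from the examples above; the test URLs are constructed.

```javascript
// Added example: evaluate an "Allowed or blocked websites" policy value.
// Assumptions (not stated on this page): "*" matches any run of characters,
// a pattern must match the whole URL, and matching ignores case.

function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Split the comma-separated policy value into ordered rules.
function parsePolicy(policyValue) {
  return policyValue
    .split(",")
    .map((item) => item.trim())
    .filter((item) => item.length > 0)
    .map((item) => {
      const hasPrefix = item[0] === "+" || item[0] === "-";
      const pattern = hasPrefix ? item.slice(1) : item;
      return {
        action: item[0] === "-" ? "block" : "allow", // no prefix means allow
        pattern,
        regex: globToRegExp(pattern),
      };
    });
}

// The first matching rule wins; a URL that matches nothing is allowed.
function evaluate(policyValue, url) {
  for (const rule of parsePolicy(policyValue)) {
    if (rule.regex.test(url)) return { action: rule.action, rule: rule.pattern };
  }
  return { action: "allow", rule: null };
}

// Evaluate a list of URLs and record which rule decided each one.
function audit(policyValue, urls) {
  return urls.map((url) => ({ url, ...evaluate(policyValue, url) }));
}

// Policy values from the examples above; the URLs are constructed.
const corpPolicy = "+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*";
const labPolicy = "+http://*.training.lab/*,+https://*.training.lab/*,-*";

const corpReport = audit(corpPolicy, [
  "http://www.mycorp.com/index.html", // allowed by the first rule
  "http://mycorp.com/",               // apex domain: "*.mycorp.com" needs a subdomain
  "https://www.example.org/",
  "ftp://files.example.org/readme.txt",
  "gopher://example.org/",            // falls through to the final -*
]);
const labReport = audit(labPolicy, [
  "https://wiki.training.lab/page",
  "https://www.example.com/",
]);

for (const r of [...corpReport, ...labReport]) {
  console.log(r.action.padEnd(5), r.url, "(rule:", r.rule, ")");
}
```

Because the first match decides, a list that starts with -* blocks every URL regardless of the entries after it, and a list without a final -* allows everything it does not explicitly block.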
Block pop-ups
Popups are new tabs that websites open without your permission. This policy determines whether Secure Web allows
popups. If On, Secure Web prevents websites from opening pop-ups. Default value is Off.
Preloaded bookmarks
Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list of tuples that
include folder name, friendly name, and web address. Each triplet should be of the form folder,name,url where folder and
name may optionally be enclosed in double quotes (").
For example, the policy values ,"Mycorp, Inc. home page",http://www.mycorp.com, "MyCorp Links",Account
logon,https://www.mycorp.com/Accounts "MyCorp Links/Investor Relations","Contact
us",http://www.mycorp.com/IR/Contactus.aspx define three bookmarks. The first is a primary link (no folder name) titled
"Mycorp, Inc. home page". The second link will be placed in a folder titled "MyCorp Links" and labeled "Account logon". The
third will be placed in the "Investor Relations" subfolder of the "MyCorp Links" folder and displayed as "Contact us".
Default value is empty.
Home page URL
Defines the website that Secure Web loads when started. Default value is empty (default start page).
For supported Android and iOS devices only:
Browser user interface
Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are
available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to
restrict the use and visibility of some of these controls. Default value is All controls visible.
Options:
All controls visible. All controls are visible and users are not restricted from using them.
Read-only address bar. All controls are visible, but users cannot edit the browser address field.
Hide address bar. Hides the address bar, but not other controls.
Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.
Enable web password caching
When Secure Web users enter credentials when accessing or requesting a web resource, this policy determines whether
Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs
and not to passwords entered in web forms.
If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache
passwords and removes existing cached passwords. Default value is Off.
This policy is enabled only when you also set the Preferred VPN policy to Full VPN tunnel for this app.
Proxy servers
You can also configure proxy servers for Secure Web when used in secure browse mode. For details, see this blog post.
DNS suffixes
On Android, if DNS suffixes aren't configured, the VPN could fail. For details on configuring DNS suffixes, see Supporting
DNS Queries by Using DNS Suffixes for Android Devices.
Preparing Intranet Sites for Secure Web
This section is for website developers who need to prepare an intranet site for use with Secure Web for Android and iOS.
Intranet sites designed for desktop browsers require changes to work properly on Android and iOS devices.
Secure Web relies on Android WebView and iOS UIWebView to provide web technology support. Some of the web
technologies supported by Secure Web are:
AngularJS
ASP.NET
JavaScript
JQuery
WebGL
WebSockets
Some of the web technologies not supported by Secure Web are:
Flash
Java
The following table shows the HTML rendering features and technologies supported for Secure Web. X indicates the
feature is available for a platform, browser, and component combination.
Technology
iOS Secure Web
JavaScript engine
JavaScriptCore
Android 5.x/6.x/7.x Secure Web
V8
Local Storage
X
X
AppCache
X
X
IndexedDB
X
SPDY
X
WebP
X
srcset
X
X
WebGL
X
requestAnimationFrame API
X
Navigation Timing API
X
Resource Timing API
X
Technologies work the same across devices; however, Secure Web returns different user agent strings for different devices.
To determine the browser version used for Secure Web, you can view its user agent string. From Secure Web, navigate to
http://whatsmyuseragent.com/.
Troubleshooting Intranet Sites
To troubleshoot rendering issues when your intranet site is viewed in Secure Web, compare how the website renders on
Secure Web and a compatible third-party browser.
| Operating system | Compatible third-party browsers |
|---|---|
| iOS | Chrome, Dolphin |
| Android | Dolphin |

Note: Chrome is a native browser on Android. Do not use it for the comparison.
In iOS, make sure the browsers have device-level VPN support. You can configure this on the device in Settings > VPN >
Add VPN Configuration.
You can also use VPN client apps available on the App Store, such as Citrix VPN, Cisco AnyConnect, or Pulse Secure.
If a web page renders the same for the two browsers, the issue is with your website. Update your site and make sure it
works well for the OS.
If the issue on a web page appears only in Secure Web, contact Citrix Support to open a support ticket. Please provide
your troubleshooting steps, including the tested browser and OS types. If Secure Web for iOS has rendering issues,
please include a web archive of the page as described in the following steps. Doing so helps Citrix resolve the issue faster.
To create a web archive file
Using Safari on macOS 10.9 or later, you can save a web page as a web archive file (referred to as a reading list) that includes
all linked files such as images, CSS, and JavaScript.
1. From Safari, empty the Reading List folder: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type
the path name ~/Library/Safari/ReadingListArchives/, and then delete all of the folders in that location.
2. In the Menu bar, go to Safari > Preferences > Advanced and enable Show Develop menu in menu bar.
3. In the Menu bar, go to Develop > User Agent and enter the Secure Web user agent: (Mozilla/5.0 (iPad; CPU OS 8_3 like
macOS) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69 Secure Web/ 10.1.0(build 1.4.0) Safari/8536.25).
4. In Safari, open the web site you will save as a reading list (web archive file).
5. In the Menu bar, go to Bookmarks > Add to Reading List. This can take a few minutes. The archiving occurs in the
background.
6. Locate the archived reading list: In the Menu bar, go to View > Show Reading List Sidebar.
7. Verify the archive file:
1. Turn off network connectivity to your Mac.
2. Open the web site from the reading list.
The web site should completely render.
8. Compress the archive file: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type the path name
~/Library/Safari/ReadingListArchives/, and then compress the folder that has a random hex string as a file name. This is
the file that you can send to Citrix support when you open a support ticket.
Secure Web Features
Secure Web makes use of mobile data exchange technologies to create a dedicated VPN tunnel for users to access
internal and external websites and all other websites - including sites with sensitive information - in an environment secured
by your organization's policies.
The integration of Secure Web with Secure Mail and ShareFile offers a seamless user experience within the secure
XenMobile container. Here are some examples of integration features:
When users tap mailto links, a new email message opens in Citrix Secure Mail with no additional authentication required.
In iOS, users can open a link in Secure Web from a native mail app by inserting ctxmobilebrowser:// in front of the URL.
For example, to open example.com from a native mail app, use the URL ctxmobilebrowser://example.com.
When users click an intranet link in an email message, Secure Web goes to that site with no additional authentication
required.
Users can upload files to ShareFile that they download from the web in Secure Web.
Secure Web users can also perform the following actions:
Block pop-ups.
Note: Much of Secure Web memory goes into rendering pop-ups, so performance is often improved by blocking pop-ups
in Settings.
Bookmark their favorite sites.
Download files.
Save pages offline.
Auto-save passwords.
Clear cache/history/cookies.
Disable cookies and HTML5 local storage.
Securely share devices with other users.
Search within the address bar.
Allow web apps they run with Secure Web to access their location.
Export and import settings.
Open files directly in ShareFile without having to download the files. To enable this feature, add ctx-sf: to the Allowed
URLs policy in XenMobile.
In iOS, use 3D Touch actions to open a new tab and access offline pages, favorite sites, and downloads directly from
the home screen.
In iOS, download files of any size and open them in ShareFile or other apps.
Note: Putting Secure Web in the background causes the download to stop.
Search for a term within the current page view using Find in Page.
Secure Web also has dynamic text support, so it displays the font that users set on their devices.
The following figure shows what users see when first opening Secure Web, as well as the various options within the app.
For the PDF version of the figure, download the Secure Web Quick Reference Guide.
Supported File Formats
iOS
Android
Windows Mobile
H.263 AMR NB codec_MP4
X
X
H.263 AMR NB codec_3gp
X
X
H.264 AAC codec_3gp
X
X
H.264 AVC codec_mp4
X
X
VIDEO 1
MOV
X
X
X
MP4 2
X
X
X
X
X
3GP
WMV
X
1 Secure Web currently doesn't support video playback.
2 MP4 is not supported when Secure Web is running in full VPN mode.
AUDIO
Flac
X
X
X
X
m4a
X
X
3GP(AMR-NB)
X
X
AAC
X
mp3
X
X
X
wav
X
X
X
X
X
wma
AC3
X
AMR
X
IMAGE
JPEG
X
X
PNG
X
X
GIF
X
TIFF
X
Progressive JPEG
X
Animated GIF
X
SVG
X
DOCUMENT 1
DOT
X
X
Download only; open in
PDF
X
QuickEdit or other app to
X
preview.
PPT
X
X
PPTX
X
X
DOC
X
X
DOCX
X
X
XLS
X
X
XLSX
X
X
TXT
X
X
X
DAT
X
XSD
X
JSON
X
1 To preview documents on Android, you need Office apps, like QuickEdit, installed.
iOS Data Protection
Oct 05, 2016
Enterprises who must meet Australian Signals Directorate (ASD) data protection requirements can use the Enable iOS data
protection policies for Secure Mail and Secure Web. By default the policies are Off.
When Enable iOS data protection is On for Secure Web, Secure Web uses Class A protection level for all files in the
sandbox. For details about Secure Mail data protection, see Australian Signals Directorate Data Protection. If you enable
this policy, the highest data protection class is used so there is no need to also specify the Minimum data protection
class policy.
To change the Enable iOS data protection policy:
1. Use the latest MDX Toolkit to wrap the latest version of XenMobile Apps. For details, see Wrapping iOS Mobile Apps and
Wrapping XenMobile Apps for iOS 8 or iOS 9.
2. Use the XenMobile console to load the MDX files to the XenMobile Server: For a new app, navigate to Configure > Apps
> Add and then click MDX. For an upgrade, see Upgrade MDX or enterprise apps.
3. For Secure Mail, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices
running older operating system versions are not affected when this policy is enabled.
4. For Secure Web, browse to the App settings, locate the Enable iOS data protection policy, and set it to On. Devices
running older operating system versions are not affected when this policy is enabled.
5. Configure the app policies as usual and save your settings to deploy the app to the XenMobile Store.
Citrix QuickEdit for XenMobile
Oct 12, 2017
Tip
As of XenMobile Apps 10.4.5, an in-app guide is available to help users export their app settings and install the public store versions
of apps like Citrix QuickEdit for XenMobile.
Citrix QuickEdit is the editing tool for XenMobile Apps. Its compatibility with Citrix Secure Mail and Citrix ShareFile for
XenMobile allows for a seamless workflow within the secure XenMobile environment.
With this app on a mobile device or tablet, users can:
Create and edit documents, presentations, spreadsheets, and image files.
View and annotate PDFs.
Open and edit Secure Mail attachments with either QuickEdit or ShareFile.
Many of the standard features of the Microsoft Office suite are available in QuickEdit. For more details about QuickEdit
features, consult the user guide included in the help menu of the iOS app or the Help option in the overflow menu of the
Android app. You may also view the Getting Started guide in the link below.
You can configure QuickEdit to be pushed to user devices automatically when the devices are enrolled in Citrix Secure Hub,
or users can add the app from the XenMobile Store. Information on integrating and delivering QuickEdit can be found
further down this page.
QuickEdit is also compatible with native mail programs for easy sharing or transferring of files, either as an attachment or
ShareFile link.
You can download QuickEdit from the XenMobile downloads page.
For QuickEdit and other XenMobile App system requirements, see System requirements for XenMobile Apps.
PDF
QuickEdit iOS User Guide
Integrating and Delivering QuickEdit
To integrate and deliver QuickEdit with XenMobile, follow these general steps:
1. You can optionally enable SSO from Secure Hub. To do that, configure ShareFile account information in XenMobile to
enable XenMobile as a SAML identity provider for ShareFile.
Configuring the ShareFile account information in XenMobile is a one-time setup used for all XenMobile, ShareFile, and
non-MDX ShareFile clients. For details, see Integrating and Delivering ShareFile XenMobile Clients.
2. Download and wrap QuickEdit. For details, see About the MDX Toolkit.
3. Add QuickEdit to XenMobile using the same steps as for other MDX apps. For details, see Add an MDX app.
Important
Known Issue: Found in QuickEdit version 6.14 (iOS)
When you try to send files to SecureMail from QuickEdit or ScanDirect, the transfer fails. As a workaround, add the following file
encryption exclusion within the policy settings for these apps:
"\/tmp\/\.com\.apple\.Pasteboard"
ShareConnect
Oct 12, 2017
With ShareConnect, users can securely connect to their computers through iPads, Android tablets, and Android phones to
access their files and applications. Users can:
Work on files that reside on both their computers and on connected and networked drives
Run apps from the target machine within ShareConnect.
Have mobile app access without the need to wrap other XenMobile apps.
Run ShareConnect on XenDesktop for mobile-optimized access.
You can download the MDX version of ShareConnect from the XenMobile downloads page.
For general information on how to install and use ShareConnect, see the Citrix Knowledge Center.
For ShareConnect and other XenMobile App system requirements, see System requirements for XenMobile Apps.
The following video demonstrates ShareConnect features.
Architecture Overview
ShareConnect components include the Citrix-owned ShareConnect Broker and the ShareConnect Communication Servers,
as shown in the following figure. The ShareConnect Broker is an application server and database that maps users to
computers and lets users know whether their host computer is online or offline. ShareConnect Communication Servers are
used to exchange data between host and client computers. That data can flow through a secure micro VPN tunnel
between the host and client computers based on XenMobile settings.
In addition, ShareFile can provide user authentication through single sign-on (SSO) with a SAML Identity Provider (IdP), such
as XenMobile or Active Directory Federation Services (ADFS). Access to resources outside of the network is provided
through NetScaler Gateway in a deployment with XenMobile.
How Connections Work in ShareConnect
ShareConnect establishes either direct or indirect connections:
Direct connections. ShareConnect establishes a direct connection between the client computer and host computer if
the computers are on the same LAN or WiFi network. In this scenario, data flows directly between the host computer and
the client computer or mobile device being used to access it. Data does not flow through the ShareConnect Communication
Servers, resulting in optimal performance. For direct connections, XenMobile uses NetScaler Gateway to provide secure
access to resources outside of the local network.
Indirect connections. ShareConnect establishes an indirect connection between the client computer and host
computer if the computers are not directly reachable. In this scenario, data flows through the ShareConnect
Communication Servers.
The following figure shows the connections used when users access a host computer from a computer or mobile device
running ShareConnect using direct connections. Connection steps are described after the figure.
① In this scenario, XenMobile is configured to act as a SAML IdP for ShareFile, to provide SSO from Worx Home.
ShareConnect requests a SAML token from Worx Home, which in turn passes the request to XenMobile through NetScaler
Gateway. XenMobile then sends the SAML token to ShareConnect.
② ShareConnect sends the SAML token to ShareFile for validation and to exchange the SAML token for an OAuth token.
③ ShareConnect sends the OAuth token to the ShareConnect broker, which then sends a session token to ShareConnect.
④ ShareConnect gets a list of host computers from the ShareConnect Broker and prompts for host computer credentials.
ShareConnect then establishes a direct connection with the ShareConnect Communication Server. After the host
computer validates the credentials, ShareConnect gets a list of files and apps from the host computer. After the user opens
a file or app, a direct connection occurs between ShareConnect and the host computer.
⑤ The ShareConnect agent on the host computer sends status messages to ShareConnect Poll Server to indicate whether
it's online or offline.
⑥ The ShareConnect Poll Server sends load-balanced requests from the ShareConnect agent to the ShareConnect Broker
and sends host status updates to the ShareConnect Broker.
ShareConnect Security
ShareConnect uses built-in 128-bit AES encryption so that all data sent between the ShareConnect client and a host
computer running the ShareConnect agent is fully encrypted from end-to-end. The encryption key is unique for each
connection. Even the most sophisticated devices cannot intercept the data necessary to decode the encryption.
You typically configure ShareConnect so that data is routed directly between the ShareConnect client and a host
computer. Data is not routed through the ShareConnect Communication Servers unless you configure the Network access
policy for unrestricted access. For policy details, see To add ShareConnect to XenMobile in this article.
For direct or indirect connections, encrypted metadata, such as the IP addresses and ports needed to establish
connections, is sent to ShareConnect servers.
In addition, MDX wrapping of ShareConnect provides data encryption through the MDX Vault, which encrypts MDX-wrapped
apps and associated stored data on both iOS (pre-iOS 9) and Android devices using FIPS-certified cryptographic
modules provided by OpenSSL.
Information on Security Settings and Admin controls can be found in the security whitepaper linked below.
PDF
ShareConnect Security Whitepaper
PDF
ShareConnect Administrator Guide
Port Requirements for ShareConnect
You must open the following ports to allow ShareConnect communications. The port requirements differ depending on the
type of connection, either direct connections (if the computers are on the same LAN or WiFi network) or indirect
connections (if the client and host computers cannot directly reach each other).
For direct connections

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 80 | Used for outbound connections from NetScaler Gateway to app.shareconnect.com. | NetScaler Gateway | app.shareconnect.com |
| 80 / 443 / 8200 | At least one of these ports is required for outbound connections from NetScaler Gateway to the ShareConnect Communication Server. For more information, see http://www.citrixonline.com/iprange. | NetScaler Gateway | ShareConnect Communication Servers |
| 80 / 443 / 8200 | Used for outbound connections from ShareConnect host computers to Citrix servers. | ShareConnect host computers | poll.shareconnect.com, ShareConnect Communication Servers |
| 443 | Used for outbound connections from NetScaler Gateway to required sites. | NetScaler Gateway | crashlytics.com, secure.sharefile.com, ShareFile_subdomain.sharefile.com |
| 53000 - 53010 | Used for outbound connections from NetScaler Gateway to ShareConnect host computers. | NetScaler Gateway | LAN-based ShareConnect host computers |
| 53000 - 53010 | Used for inbound connections from NetScaler Gateway to ShareConnect host computers. | NetScaler Gateway | LAN-based ShareConnect host computers |

For indirect connections

| TCP port | Description | Source | Destination |
|---|---|---|---|
| 80 | Used for outbound connections from the ShareConnect agent to app.shareconnect.com. | ShareConnect agent | app.shareconnect.com |
| 80 / 443 / 8200 | At least one of these ports is required for outbound connections from the ShareConnect agent to the ShareConnect Communication Server. For more information, see http://www.citrixonline.com/iprange. | ShareConnect agent | ShareConnect Communication Servers |
| 80 / 443 / 8200 | Used for outbound connections from ShareConnect host computers to Citrix servers. | ShareConnect host computers | poll.shareconnect.com, ShareConnect Communication Servers |
| 443 | Used for outbound connections from the ShareConnect agent to required sites. | ShareConnect agent | crashlytics.com, secure.sharefile.com, ShareFile_subdomain.sharefile.com |
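The port requirements above for a ShareConnect host computer, turned into an egress check that honors the "at least one of these ports" rows. This is an added example, not Citrix code: the type and function names, the `example` subdomain and the constructed firewall state are assumptions, and the Communication Servers are omitted because the page gives only an IP-range reference for them.

```python
"""Egress check for a ShareConnect host computer, following the port table above."""
import socket
from typing import Callable, List, NamedTuple, Tuple


class Requirement(NamedTuple):
    destination: str
    ports: Tuple[int, ...]
    any_of: bool  # True: one reachable port is enough; False: every port is required


class Finding(NamedTuple):
    destination: str
    open_ports: Tuple[int, ...]
    blocked_ports: Tuple[int, ...]
    satisfied: bool


def host_requirements(sharefile_subdomain: str) -> List[Requirement]:
    """Table rows whose source is the host computer or its ShareConnect agent."""
    return [
        Requirement("app.shareconnect.com", (80,), any_of=False),
        Requirement("poll.shareconnect.com", (80, 443, 8200), any_of=True),
        Requirement("crashlytics.com", (443,), any_of=False),
        Requirement("secure.sharefile.com", (443,), any_of=False),
        Requirement(f"{sharefile_subdomain}.sharefile.com", (443,), any_of=False),
    ]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or DNS failure
        return False


def evaluate(requirements: List[Requirement],
             probe: Callable[[str, int], bool] = tcp_probe) -> List[Finding]:
    """Probe every listed port and apply the any-of / all-of rule per row."""
    findings = []
    for req in requirements:
        open_ports = tuple(p for p in req.ports if probe(req.destination, p))
        blocked = tuple(p for p in req.ports if p not in open_ports)
        satisfied = bool(open_ports) if req.any_of else not blocked
        findings.append(Finding(req.destination, open_ports, blocked, satisfied))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One line per destination, suitable for a ticket or a change record."""
    lines = []
    for f in findings:
        status = "OK  " if f.satisfied else "FAIL"
        lines.append(f"{status} {f.destination}: "
                     f"open={list(f.open_ports)} blocked={list(f.blocked_ports)}")
    return lines


# Constructed firewall state for an offline run: only 8200 is open towards the
# poll server, and crashlytics.com is blocked entirely.
CONSTRUCTED_OPEN = {
    ("app.shareconnect.com", 80),
    ("poll.shareconnect.com", 8200),
    ("secure.sharefile.com", 443),
    ("example.sharefile.com", 443),
}


def constructed_probe(host: str, port: int) -> bool:
    return (host, port) in CONSTRUCTED_OPEN


if __name__ == "__main__":
    # Swap constructed_probe for tcp_probe to test a real host's egress.
    for line in report(evaluate(host_requirements("example"), constructed_probe)):
        print(line)
```

Run with `tcp_probe` on the host computer itself, because the table's source column is the machine whose outbound rules are being checked.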
Integrating and Delivering ShareConnect
To integrate and deliver ShareConnect with XenMobile, follow these general steps:
1. You can optionally enable SSO from Worx Home. To do that, you configure ShareFile account information in XenMobile
to enable XenMobile as a SAML IdP for ShareFile.
Configuring the ShareFile account information in XenMobile is a one-time setup used for all Worx clients, ShareFile Worx
clients, and non-MDX ShareFile clients. For details, see To configure ShareFile account information in XenMobile for SSO.
2. Download and wrap ShareConnect. For details, see About the MDX Toolkit.
3. Add ShareConnect to XenMobile and configure MDX policies. For details, see To add ShareConnect to XenMobile, in this
article.
4. Install the ShareConnect agent on host computers. The ShareConnect agent is an MSI package, so you can use your
existing software deployment methods to distribute and install the agent. Users must then register the host computer
by signing on to the Agent using their ShareFile credentials within one hour of installation.
Alternatively, users can install the ShareConnect agent on the computer they will connect to with ShareConnect. For
details, see To install the ShareConnect agent on a computer, in this article.
To add ShareConnect to XenMobile
You add ShareConnect to XenMobile using the same steps as for other MDX apps. For details, see Add an MDX app. When
adding ShareConnect, configure the MDX policies for it as shown in the following table.
| Policy | Value | Results |
|---|---|---|
| Network access | Tunneled to the internal network or Unrestricted | Tunneled to the internal network uses a per-application VPN tunnel back to the internal network for all network access. This configuration provides direct connection between ShareConnect and a host computer. Unrestricted uses Citrix-owned Communication Servers to route encrypted data between a host computer and ShareConnect. Be sure to test your setup with unrestricted access to ensure everything works, even if you plan to use Tunneled to the internal network for network access. |
| Preferred VPN mode | Secure browse | Sets the initial connection mode appropriately for connections that require SSO. |
| Enable encryption | On | Encrypts the data stored on the tablet. For details about data encryption and iOS 9, see Advisory: iOS 9 and XenMobile. |
| Cut and copy | Unrestricted | Enables cut and copy operations for ShareConnect. |
| Paste | Unrestricted | Enables paste operations for ShareConnect. |
| Document Exchange (Open In) | Unrestricted | Permits users to open any file on the connected computer or a connected network drive from ShareConnect. |
| Save Password | Off | Requires users to enter the user name and password for their computer each time they sign on to ShareConnect. |
For details, see About MDX Policies for XenMobile apps.
To install the ShareConnect agent on a computer
The following steps describe how a user installs the ShareConnect agent on each physical or virtual computer they want to
connect to from a supported mobile device.
Before performing these steps, the user must first install Worx Home and follow the prompts to allow the XenMobile apps
to install on the supported mobile device.
1. Sign on to Worx Home on the tablet.
2. Open ShareConnect.
3. Tap Email download link.
Citrix sends an email to you from [email protected]
4. From the host computer that you want to access from ShareConnect, open the email.
5. In the email, click Set up this computer.
6. Double-click ShareConnect_Installer.exe to begin the installation.
The ShareConnect agent installs on your host computer. During the installation, ShareConnect prompts for an email
address (if ShareFile SSO is configured) or for ShareFile credentials (if ShareFile SSO is not configured).
7. Follow the instructions provided in the ShareConnect and Get Started wizards.
The ShareConnect agent then registers the host computer, which can connect from a ShareConnect client provided
that the host computer is powered on and can reach poll.shareconnect.com on at least one published port (80, 443,
or 8200).
ShareConnect Features
Add host computers. Users can add and connect to remote host computers from supported mobile devices using
ShareConnect.
Access files. Users can view a list of recent files and browse and search for files on their host computer and connected
drives.
Edit files. From tablets, users can access desktop applications on their host computers to edit files. Users can work with
the applications in full screen.
Screen share. Instead of viewing a single file or app, users can use the screen-sharing feature to view their host
computer's desktop.
ShareFile integration. Users can move or share files between the host computer and ShareFile.
Keyboard and mouse. ShareConnect supports the simultaneous use of a Bluetooth keyboard and the Citrix XI
Prototype Mouse.
Restricted ports. ShareConnect uses ports 53000 to 53010 only.
Forced passwords for each sign-on. For enhanced security, you can configure this option to require users to enter
their computer passwords every time they sign on to ShareConnect. When the Save password policy is turned off, as
shown in the following figure, users are forced to enter their sign-on credentials for every connection.
Add or delete apps. Users can add or delete apps from their app tray in ShareConnect by toggling the switch beside
each app to select or deselect it.
Cache previewed files. ShareConnect caches already-accessed files so that the files don't download again if users
preview other files and then come back to the earlier ones. This feature improves load times when users subsequently
access files.
Troubleshooting ShareConnect
ShareConnect Agent Installation Issues
| Issue | Description and resolution |
|---|---|
| If a user downloads the ShareConnect agent and waits an hour or more to start the installation, the user must enter their ShareFile account name and password to register the ShareConnect agent. | The ShareConnect agent installer includes a token that expires one hour after download. If a user doesn't start the installation before the token expires, the user must sign on to their ShareFile account twice, first to register the ShareConnect agent and then to sign on to the agent after the installation completes. If users download and install the ShareConnect agent within an hour, they are prompted to sign on only once. |
| During registration of the ShareConnect agent, the agent does not connect and an error message such as "Please check your connection and try again." appears. | Verify that the port to poll.shareconnect.com is not blocked. For details, see the System Requirements earlier in this article. |
ShareConnect Connection Issues
Important
As described in To add ShareConnect to XenMobile earlier in this article, Citrix recommends that, to test ShareConnect, you set the
Network Access policy to Unrestricted to rule out issues with ports and network settings. Unrestricted access forces ShareConnect
to connect through the ShareConnect Communication Servers, which typically enable you to test the connection if the
ShareConnect mobile device and host computer have Internet access.
| Issue | Description and resolution |
|---|---|
| ShareConnect starts, but does not connect to the host computer and does not prompt for credentials. | Verify that your setup meets the port requirements detailed earlier in this article under System Requirements. |
| Users are unable to sign on to ShareConnect using their ShareFile account credentials. | SSO to ShareConnect requires that your ShareFile account is configured with a SAML IdP. For details about using XenMobile as a SAML IdP, see To configure ShareFile account information in XenMobile for SSO. For details about configuring other IdPs, see ShareFile Single Sign-On. If SSO is not configured for your account, ShareConnect for iOS prompts for the user's ShareFile username and password. |
| After users sign on to ShareConnect, ShareConnect cannot connect to the host computer. | When ShareConnect is configured for direct connections (that is, the Network access policy is set to Tunneled to the internal network), connection failures can occur if network settings impose restrictions, such as blocking firewalls or configured proxy servers. |
Citrix ShareFile for XenMobile
Oct 12, 2017
ShareFile is an enterprise file sync and sharing service that lets users exchange documents easily and securely. ShareFile
gives users a variety of access options, including ShareFile mobile clients, such as ShareFile for Android Phone and ShareFile
for iPad.
You can integrate ShareFile with XenMobile to provide the full ShareFile Enterprise feature set or to provide access only to
ShareFile Connectors. By default, the XenMobile console enables configuration of ShareFile Enterprise only. To configure
XenMobile for use with StorageZones Connectors instead, see ShareFile Integration with XenMobile in the XenMobile
documentation.
ShareFile for XenMobile clients are MDX-capable versions of ShareFile mobile clients. These clients provide secure,
integrated access to data in other MDX-wrapped apps. ShareFile for XenMobile clients also benefit from MDX features,
such as micro VPN, single sign-on (SSO) with Secure Hub, and two-factor authentication.
You use XenMobile, ShareFile, ShareFile StorageZones Controller, and NetScaler as follows to deploy and manage ShareFile
for XenMobile clients:
When XenMobile is configured with ShareFile Enterprise, XenMobile acts as a SAML identity provider (IdP) and deploys
ShareFile for XenMobile clients. ShareFile manages ShareFile data. No ShareFile data travels through XenMobile.
When XenMobile is configured with ShareFile Enterprise or with StorageZones Connectors, the ShareFile StorageZones
Controller provides connectivity to data in network shares and SharePoint. Users access your stored data through the
ShareFile XenMobile apps. Users can edit Microsoft Office documents as well as preview and annotate Adobe PDF files
from mobile devices.
NetScaler manages requests from external users, securing their connections, load balancing requests, and handling
content switching for StorageZones Connectors.
You can download ShareFile for XenMobile clients from
https://www.citrix.com/downloads/xenmobile/product-software/xenmobile-enterprise-edition-worx-apps-and-mdx-toolkit.html.
You can download ShareFile for XenMobile clients for Android and iOS, including separate iOS clients for use with
restricted StorageZones.
For ShareFile for XenMobile and other XenMobile App system requirements, see System requirements for XenMobile Apps.
Article Contents
How ShareFile for XenMobile Clients Differ from ShareFile Mobile Clients
System Requirements for ShareFile for XenMobile
Integrating and Delivering ShareFile for XenMobile clients
Configure ShareFile account information for XenMobile SSO
Add ShareFile for XenMobile Clients to XenMobile
Validate ShareFile for XenMobile Clients
How ShareFile for XenMobile Clients Differ from ShareFile Mobile Clients
The following table describes the differences between ShareFile for XenMobile clients and ShareFile mobile clients.
ShareFile for XenMobile clients are also referred to as wrapped ShareFile. ShareFile mobile clients are also referred to as
unwrapped ShareFile.
| Features | ShareFile for XenMobile clients | ShareFile mobile clients |
|---|---|---|
| User access | Users obtain and open ShareFile for XenMobile clients from Secure Hub. | Users obtain ShareFile mobile clients from app stores. |
| SSO | For XenMobile integration with ShareFile Enterprise: You can configure XenMobile as a SAML IdP for ShareFile. In this configuration, Secure Hub obtains a SAML token for the ShareFile for XenMobile client, using XenMobile as the SAML IdP. A user who starts the ShareFile for XenMobile client, but is not signed on to Secure Hub is prompted to sign on to Secure Hub. The user does not have to know their ShareFile domain or account information. | You can configure XenMobile and NetScaler Gateway as a SAML IdP for ShareFile. In this configuration, a user logging on to ShareFile using a web browser or other ShareFile clients is redirected to the XenMobile environment for user authentication. After successful authentication by XenMobile, the user receives a SAML token that is valid for logon to their ShareFile account. |
| Micro VPN | Remote users can connect using a VPN or micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network. This feature, available through NetScaler integration with XenMobile, is transparent to users. | Not applicable. |
| Two-factor authentication | NetScaler integration with XenMobile also supports authentication using a combination of client certificate authentication and another authentication type, such as LDAP or RADIUS. | Not applicable. |
| Folder permissions | For XenMobile integration with ShareFile Enterprise: Determined by ShareFile. (Applies to both client types.) | |
| Document access protection | Users can open attachments received in Secure Mail or downloaded by any MDX-wrapped app. Only MDX-wrapped apps appear when the user performs an Open In action. Data that is from a non-wrapped app is not available to a ShareFile for XenMobile client. Secure Mail users can attach files from their ShareFile repository without needing to download the file to the device. If a user has wrapped ShareFile and unwrapped ShareFile on a device, the wrapped ShareFile client cannot access files in the user's personal ShareFile account. The wrapped ShareFile client can access only the ShareFile subdomain configured in XenMobile. | Users can open attachments from any app. |
| ShareFile account access | For XenMobile integration with ShareFile Enterprise: To access a personal ShareFile account or a third-party ShareFile account, users must use a non-MDX version of ShareFile on the device. | For XenMobile integration with ShareFile Enterprise: Available from ShareFile clients. |
| Device policies | Both XenMobile and ShareFile device policies apply to ShareFile for XenMobile clients. For example, from the XenMobile console, you can perform a device wipe. From the ShareFile console, you can remotely wipe the ShareFile app. (Applies to both client types.) | |
| MDX policies | MDX policies let you configure settings that the XenMobile Store enforces. Policies available only through MDX include the ability to block the camera, mic, email compose, screen capture, and clipboard cut, copy, and paste operations. | Not applicable. |
| Data encryption | Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption. | Encrypts all stored data using AES-256 and protects data in transit with SSL 3.0 and a minimum of 128-bit encryption. |
| Availability | ShareFile for XenMobile clients are included with XenMobile Advanced and Enterprise editions. | All XenMobile editions include all ShareFile Enterprise features. You can integrate XenMobile with the full ShareFile feature set or just StorageZones Connectors. |
Integrating and Delivering ShareFile XenMobile Clients
To integrate and deliver ShareFile Worx clients with XenMobile, follow these general steps:
1. Enable XenMobile as a SAML IdP for ShareFile, to provide SSO from ShareFile Worx clients to ShareFile. To do so, you
must configure ShareFile account information in XenMobile, as described in this article in To configure ShareFile account
information in XenMobile for SSO.
ShareFile for Android 3.9 is required for SSO with Worx Home 10.0.8.
Important: To use XenMobile as a SAML IdP for non-MDX ShareFile clients, such as the ShareFile web app and the
ShareFile Sync clients, additional configuration is required. For details, see this article on the ShareFile support site:
ShareFile Single Sign-On SSO. The article contains a download link to the XenMobile 10 configuration guide.
2. Download (https://www.citrix.com/downloads/xenmobile/product-software/xenmobile-enterprise-edition-worx-apps-and-mdx-toolkit.html)
and wrap the ShareFile Worx clients. For details, see About the MDX Toolkit.
3. Add the ShareFile Worx clients to XenMobile. For details, see "To add ShareFile Worx clients to XenMobile", further
down.
4. Validate your configuration. For details, see "To validate ShareFile Worx clients", further down.
About the settings:
Domain is the ShareFile subdomain to be used for the Worx clients.
Only the users in the selected delivery groups will have SSO access to ShareFile from the Worx clients.
If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you
add the ShareFile Worx client to XenMobile.
The ShareFile Administrator Account Logon information is used by XenMobile to save the SAML settings in the ShareFile
control plane.
Important: The configuration that enables SSO from ShareFile Worx clients to ShareFile does not authenticate users to
network shares or SharePoint document libraries. Access to those Connector data sources requires authentication to the
Active Directory domain in which the network shares or SharePoint servers reside.
To configure ShareFile account information in XenMobile for SSO
To enable SSO from Worx Home to XenMobile apps, you specify ShareFile account and ShareFile administrator service
account information in the XenMobile console. With that configuration, XenMobile acts as a SAML IdP for ShareFile, for
Worx clients, ShareFile Worx clients, and non-MDX ShareFile clients. When a user starts a Worx client, Worx Home obtains a
SAML token for the user from XenMobile and sends it to the Worx client.
In the XenMobile console, click Configure > Settings, expand More and then click ShareFile.
To add ShareFile for XenMobile clients to XenMobile
When you add ShareFile for XenMobile clients to XenMobile, you can enable SSO access to Connector data sources from
ShareFile for XenMobile clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode
policy as described in this section.
Prerequisites
XenMobile must be able to reach your ShareFile subdomain. To test the connection, ping your ShareFile subdomain from
the XenMobile server.
The time zone configured for your ShareFile account and for the hypervisor running XenMobile must be the same. If the
time zone differs, SSO requests can fail because the SAML token might not reach ShareFile within the expected time
frame. To configure the NTP server for XenMobile 10, use the XenMobile command-line interface.
Note: Be aware that the Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.
Log in to the ShareFile administrator console using a ShareFile admin account and verify the SAML SSO settings in Admin
> Configure Single Sign-On.
Download and wrap the ShareFile for XenMobile clients.
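The time prerequisite above, worked through as an added example (not Citrix or ShareFile code): an IdP whose clock is offset by whole hours stamps a SAML validity window that the service provider, running on correct UTC, rejects. The 5-minute lifetime, the 3-minute tolerance, the function names and the sample instant are assumptions; the page does not state the values ShareFile applies.

```python
"""Effect of an IdP clock offset on the SAML validity window."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

INSTANT = "%Y-%m-%dT%H:%M:%SZ"    # SAML time values are expressed in UTC
LIFETIME = timedelta(minutes=5)   # assumed assertion lifetime (not from the page)
SKEW = timedelta(minutes=3)       # assumed tolerance at the service provider


def idp_clock(true_utc: datetime, host_utc_offset_hours: int) -> datetime:
    """Clock of an IdP VM that receives the host's local time and reads it as UTC."""
    return true_utc + timedelta(hours=host_utc_offset_hours)


def issue_conditions(idp_now: datetime) -> str:
    """Constructed, unsigned <saml:Conditions> stamped from the IdP's own clock."""
    return (
        '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'NotBefore="{idp_now.strftime(INSTANT)}" '
        f'NotOnOrAfter="{(idp_now + LIFETIME).strftime(INSTANT)}"/>'
    )


def parse_instant(value: str) -> datetime:
    return datetime.strptime(value, INSTANT).replace(tzinfo=timezone.utc)


def check_window(conditions_xml: str, sp_now: datetime,
                 skew: timedelta = SKEW) -> str:
    """Apply the NotBefore / NotOnOrAfter test the way a service provider would."""
    # Constructed input only; ElementTree is not a hardened parser for untrusted XML.
    cond = ET.fromstring(conditions_xml)
    not_before = parse_instant(cond.attrib["NotBefore"])
    not_on_or_after = parse_instant(cond.attrib["NotOnOrAfter"])
    if sp_now + skew < not_before:
        return "rejected: not yet valid"
    if sp_now - skew >= not_on_or_after:
        return "rejected: expired"
    return "accepted"


def demo() -> dict:
    """Same true instant, three hypervisor time zones."""
    true_now = datetime(2017, 10, 12, 15, 0, 0, tzinfo=timezone.utc)  # constructed
    cases = {"UTC host": 0, "UTC-5 host": -5, "UTC+2 host": 2}
    return {
        name: check_window(issue_conditions(idp_clock(true_now, offset)), true_now)
        for name, offset in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

An offset of whole hours is far outside any minute-scale tolerance, so the failure is deterministic in both directions, which is why the SSO symptom appears immediately rather than intermittently.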
Steps:
1. In the XenMobile console, click Configure > Apps and then click Add.
2. Click MDX.
3. Enter a Name and, optionally, a Description and App category for the app.
4. Click Next and then upload the .mdx file for the ShareFile for XenMobile client.
5. Click Next to configure the app information and policies.
The configuration that enables SSO from ShareFile for XenMobile clients to ShareFile does not authenticate users to
network shares or SharePoint document libraries. To enable SSO between the Secure Hub micro VPN and ShareFile
StorageZones Controller, complete the following policy configuration:
Set the Network access policy to Tunneled to the internal network.
In this mode of operation, all network traffic from the ShareFile for XenMobile client is intercepted by the XenMobile
MDX framework and redirected through NetScaler Gateway using an app-specific micro VPN.
Set the Preferred VPN mode policy to Secure browse.
In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then initiates
new connections to internal connections on the user's behalf. This policy setting enables the MDX framework to detect
and respond to authentication challenges issued by web servers.
Complete the Approvals and Delivery Group Assignments as needed.
Only the users in the selected delivery groups will have SSO access to ShareFile from the ShareFile for XenMobile clients. If
a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the
ShareFile for XenMobile client to XenMobile.
To validate ShareFile for XenMobile clients
1. After completing the configuration described in this article, start the ShareFile for XenMobile client. ShareFile should not
prompt you to sign on.
2. In Secure Mail, compose an email and add an attachment from ShareFile. Your ShareFile Home page should open,
without prompting you to sign on.
Citrix ShareFile Workflows
Oct 12, 2017
The ShareFile Workflows for XenMobile app is the mobile component of the ShareFile Custom Workflows feature. This
feature allows users to create customized workflows that include multiple triggers and actions. Customized forms can be
added to workflow templates and assigned to users.
When a user is assigned a form, the user can complete and submit the form via the ShareFile Workflows Mobile App. Form
data storage is securely integrated with ShareFile, where workflow files are stored for review, reference, and retrieval.
Workflow and form templates are created and managed within the ShareFile web application.
End-User Documentation
End-user documentation related to creating and managing workflow and form templates can be found at the Citrix
Knowledge Center:
Creating a Workflow Template
Creating a Form Template
Submitting Forms via the Workflows mobile app
For ShareFile Workflows and other XenMobile App system requirements, see System requirements for XenMobile Apps.
Wrapping and adding ShareFile Workflows to XenMobile
You wrap the ShareFile Workflows mobile app with the MDX Toolkit, available on the XenMobile downloads page. Follow
the instructions in Wrapping iOS Mobile Apps and Add an MDX app.
Recommended MDX policies
For the ShareFile Workflows for XenMobile iOS and Android apps, the following MDX policies are recommended for optimal
functionality and feature support. You adjust these policies via the XenMobile console.
| MDX Policies | Recommended Value |
|---|---|
| App Restrictions: | |
| Block Camera | OFF |
| Block Photo Library | OFF |
| Block mic record | OFF |
| Block location service | OFF |
| App Network Access: | |
| Network Access | Tunneled to the internal network |
| Encryption (Android only): | |
| Private file encryption exclusions (Android only) | ^databases/[09]+\.db_img_store/,^databases/db_img_store/,^databases/db_video_store/,^files/temp_attachment/,^files/temp_log/ |
Allowing secure interaction with Office 365 apps
Jun 26, 2017
Citrix Secure Mail, Citrix Secure Web and ShareFile offer the option of opening the MDX container to allow users to
transfer docs and data to Microsoft Office 365 apps. You manage this capability for iOS and Android platforms through
the open-in policies on the XenMobile console.
Once opened in a Microsoft app, data is no longer secured or encrypted in the MDX container. Consider the security
implications before enabling this feature. Particularly, customers concerned with data loss prevention or who are subject to
HIPAA or other strict compliance requirements should weigh the trade-offs of opening the container.
Enabling Of fice 365 in iOS
1. Download the latest versions of Secure Mail, Secure Web, or ShareFile apps from the XenMobile downloads page.
2. Wrap the files using the latest version of the MDX T oolkit and your usual provisioning profiles and certificates.
3. Upload the files to the XenMobile console.
4. Locate the Document exchange (Open In) policy and set it to Restricted. In the Restricted Open-in exception list,
Microsoft Word, Excel, PowerPoint, OneNote and Outlook are automatically listed.
For example: com.microsoft.Office.Word, com.microsoft.Office.Excel, com.microsoft.Office.Powerpoint,
com.microsoft.onenote, com.microsoft.onenoteiPad, com.microsoft.Office.Outlook
In MDM enrollments, additional controls for iOS devices are available.
You can upload iTunes apps to the XenMobile console and push the apps to devices. If you choose this option, set the
following policies to ON:
Remove app if MDM profile is removed
Prevent app data backup
Force app to be managed (note that a selective wipe will remove the app and any data)
To prevent documents and data flowing from Microsoft apps to unmanaged apps on the device, go to Configure >
Devices Policies > Restrictions > iOS on the XenMobile console and then set Documents from managed apps in
unmanaged apps and Documents from unmanaged apps in managed apps to OFF.
Enabling Office 365 in Android
1. Download the latest versions of Secure Mail, Secure Web, or ShareFile apps from the XenMobile downloads page.
2. Wrap the files using the latest version of the MDX Toolkit and your usual provisioning profiles and certificates.
3. Upload the files to the XenMobile console.
4. Scroll down to the Document exchange (Open In) policy and then select Restricted.
5. In Restricted Open-in exception list, add the following package IDs:
{com.microsoft.office.word}
{com.microsoft.office.powerpoint}
{com.microsoft.office.excel}
6. Scroll down to Private file encryption exclusions.
Note: Only MDX wrapped apps require the exclusion.
7. For Secure Mail, enter:
^databases/[0-9]+\.db_img_store/,^files/deviceName,^files/file_provider_images/
8. For Secure Web and ShareFile apps, enter:
,^app_o2_dex/,^app_o2_dex_opt/,.doc$/,.docx$/,^files/(.)+.docx$
9. For Secure Web and ShareFile apps, scroll to Public file encryption exclusions and add:
,^sharefile/
10. Configure other app policies as usual and then save the apps.
Users must save files from Secure Mail, Secure Web or ShareFile on their devices and open the files with an Office 365 app.
For both iOS and Android, users can open and edit the following types of files on their devices:
Supported file formats
For the supported file formats, see the Microsoft Office documentation.
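Because every entry in the Restricted Open-in exception list is an app that can receive data from the MDX container, it is worth checking the configured list against the IDs given in the iOS and Android procedures above. The following Python sketch is an added example, not Citrix code or part of the original page. It assumes the policy value and the exception list have been copied out of the console as text; the function names and the sample input are hypothetical.

```python
import re

# Exception-list entries exactly as this page documents them.
DOCUMENTED = {
    "ios": {
        "com.microsoft.Office.Word", "com.microsoft.Office.Excel",
        "com.microsoft.Office.Powerpoint", "com.microsoft.onenote",
        "com.microsoft.onenoteiPad", "com.microsoft.Office.Outlook",
    },
    "android": {
        "com.microsoft.office.word", "com.microsoft.office.powerpoint",
        "com.microsoft.office.excel",
    },
}


def parse_exception_list(raw):
    """Split a pasted list into IDs; accepts commas, whitespace and {braces}."""
    return [tok for tok in re.split(r"[\s,{}]+", raw) if tok]


def audit_open_in(platform, policy_value, raw_list):
    """Return (kind, detail) findings for one app's Open In settings."""
    findings = []
    if policy_value.strip().lower() != "restricted":
        findings.append(("policy", f"Open In is {policy_value!r}, not Restricted"))
    expected = DOCUMENTED[platform]
    by_lower = {e.lower(): e for e in expected}
    seen = set()
    for app_id in parse_exception_list(raw_list):
        if app_id in seen:
            findings.append(("duplicate", app_id))
        elif app_id.lower() not in by_lower:
            # Every extra ID is one more app that can receive container data.
            findings.append(("unexpected", app_id))
        elif app_id not in expected:
            # Same ID with different casing than the page lists: review it.
            findings.append(("case", f"{app_id} (documented: {by_lower[app_id.lower()]})"))
        seen.add(app_id)
    seen_lower = {s.lower() for s in seen}
    findings += [("missing", e) for e in sorted(expected) if e.lower() not in seen_lower]
    return findings


if __name__ == "__main__":
    # Constructed sample: one differently cased ID and one extra app.
    sample = "{com.microsoft.office.word} {com.microsoft.Office.Excel} {com.example.notes}"
    for kind, detail in audit_open_in("android", "Restricted", sample):
        print(f"{kind:10} {detail}")
```

An empty result means the list matches the documented set exactly; any "unexpected" entry should be justified before the app is saved.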