MDX policies for third-party apps for iOS
This article describes the MDX policies for third-party iOS apps. You can change policy settings directly in the policy XML files or in the Citrix Endpoint Management console when you add an app.
Authentication
Device passcode
IfOn, a PIN or passcode is required to unlock the device when it starts or resumes after a period of inactivity. A device passcode is required to encrypt app data using Apple file encryption. Data for all apps on the device are encrypted. Default value isOff.
App passcode
IfOn, a PIN or passcode is required to unlock the app when it starts or resumes after a period of inactivity. Default value isOn.
To configure the inactivity timer for all apps, set theINACTIVITY_TIMERvalue in minutes inClient Propertieson theSettingstab. The default inactivity timer value is60minutes. To disable the inactivity timer, so that a PIN or passcode prompt appears only when the app starts, set the value to zero.
Note:
If you select安全offlinefor the Encryption keys policy, this policy is automatically enabled.
Online Session Required
Maximum offline period (hours)
Defines the maximum period an app can run without reconfirming app entitlement and refreshing policies from Citrix Endpoint Management. At expiration, log on to the server may be triggered if needed. Default value is168hours (7 days). Minimum period is1hour.
Alternate Citrix Gateway
Note:
This policy name in the Endpoint Management console isAlternate NetScaler Gateway.
Address of a specific alternate Citrix Gateway that should be used for authentication and for micro VPN sessions with this app. This is an optional policy that, when with the Online session required policy, forces apps to reauthenticate to the specific gateway. Such gateways would typically have different (higher assurance) authentication requirements and traffic management policies. If left empty, the server’s default gateway is always used. Default value is empty.
Device security
Block jailbroken or rooted
IfOn, the app is locked when the device is jailbroken or rooted. IfOff, the app can run even if the device is jailbroken or rooted. Default value isOn.
Network requirements
Require Wi-Fi
IfOn, the app is locked when the device is not connected to a Wi-Fi network. IfOff, the app can run if the device has an active connection, such as a 4G/3G, LAN, or Wi-Fi connection. Default value isOff.
Allowed Wi-Fi Networks
Comma-delimited list of Wi-Fi networks. If the network name contains any non-alphanumeric characters (including commas), the name must be enclosed in double-quotes. The app runs only if connected to one of the networks listed. If blank, all networks are allowed. This does not affect connections to cellular networks. Default value is blank.
Miscellaneous access
App update grace period (hours)
Defines the grace period that an app can continue to be used after the system has discovered that an app update is available. Default value is168 hours (7 days).
Note:
Using a value of zero is not recommended since it immediately prevents a running app from being used until the update is downloaded and installed (without any warning to the user). This might lead to a situation where the user is forced to exit the app (potentially losing work) to comply with the required update.
Erase app data on lock
Erases data and resets the app when the app is locked. IfOff, app data is not erased when the app is locked. Default value isOff.
An app can be locked for any of the following reasons:
- Loss of app entitlement for the user
- App subscription removed
- Account removed
- 安全Hub uninstalled
- Too many app authentication failures
- Jailbroken device detected (per policy setting)
- Device placed in locked state by other administrative action
Active poll period (minutes)
When an app starts, the MDX Framework polls Citrix Endpoint Management to determine current app and device status. Assuming the server running Endpoint Management can be reached, the framework returns information about the lock/erase status of the device and the enable/disable status of the app. Whether the server can be reached or not, a subsequent poll is scheduled based on the active poll period interval. After the period expires, a new poll is again attempted. Default value is60 minutes(1 hour).
Important:
Only set this value lower for high-risk apps or performance may be affected.
Non-compliant device behavior
Allows you to choose an action when a device does not adhere to the minimum compliance requirements. SelectAllow appfor the app to run normally. SelectAllow app after warningfor the app to run after the warning appears. SelectBlockto block the app from running. Default value isAllow app after warning.
App interaction
Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for this app. IfRestricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default value isRestricted.
Paste
Blocks, permits, or restricts Clipboard paste operations for this app. IfRestricted, the pasted Clipboard data is sourced from a private Clipboard that is only available to MDX apps. Default value isUnrestricted.
Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for this app. IfRestricted, documents can be exchanged only with other MDX apps.
IfUnrestricted, set the Enable encryption policy toOnso that users can open documents in unwrapped apps. If the receiving app is unwrapped or has encryption disabled, Citrix Endpoint Management decrypts the document. Default value isRestricted.
Restricted Open-In exception list
When the Document exchange (Open In) policy isRestricted, an MDX app can share documents with this comma-delimited list of unmanaged app IDs, even if the Document exchange(Open In) policy isRestrictedand Enable encryption isOn. The default exception list allows Office 365 apps:
com.microsoft.Office.Word,com.microsoft.Office.Excel,com.microsoft.Office.Powerpoint, com.microsoft.onenote,com.microsoft.onenoteiPad,com.microsoft.Office.Outlook
Only Office 365 apps are supported for this policy.
Caution:
Be sure to consider the security implications of this policy. The exception list allows content to travel between unmanaged apps and the MDX environment.
Inbound document exchange (Open In)
Blocks, restricts, or allows inbound document exchange operations for this app. IfRestricted, documents can be exchanged only with other MDX apps. Default value isUnrestricted.
IfBlockedorRestricted, you can use the Inbound document exchange whitelist policy to specify apps that can send documents to this app.
Note:
The Inbound Document Exchange Whitelist policy only supports devices running on iOS 12.
Options:Unrestricted,Blocked, orRestricted
App URL schemes
iOSapps can dispatch URL requests to other apps that have been registered to handle specific schemes (such as “http://”). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the schemes that are passed into this app for handling (that is, inbound URLs). Default value is empty, meaning that all registered app URL schemes are blocked.
The policy should be formatted as a comma-separated list of patterns in which each pattern may be preceded by a plus “+” or minus “-“. Inbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the action taken is dictated by the prefix.
- A minus “-“ prefix blocks the URL from being passed into this app.
- A plus “+” prefix permits the URL to be passed into the app for handling.
- If neither “+” or “-“ is provided with the pattern, “+” (allow) is assumed.
- If an inbound URL does not match any pattern in the list, the URL is blocked.
The following table contains examples of App URL schemes:
| Scheme | App that requires the URL scheme | Purpose |
|---|---|---|
| ctxmobilebrowser | 安全Web- | Permit Secure Web to handle HTTP: URLs from other apps.- |
| ctxmobilebrowsers | 安全Web- | Permit Secure Web to handle HTTPS: URLs from other apps. |
| ctxmail | 安全Mail- | Permit Secure Mail to handle mailto: URLs from other apps. |
| COL-G2M | GoToMeeting- | Permit a wrapped GoToMeeting app to handle meeting requests. |
| ctxsalesforce | Citrix for Salesforce- | Permit Citrix for Salesforce to handle Salesforce requests. |
| wbx | WebEx | Permit a wrapped WebEx app to handle meeting requests. |
App interaction (outbound URL)
Domains excluded from URL filtering
This policy excludes outbound URLs from any “Allowed URLs” filtering. Add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes to exclude from the “Allowed URLs” filtering. If this policy is empty (the default), the defined “Allowed URLs” filtering processes are URLs. If this policy contains any entries, those URLs with host fields matching at least one item in the list (via DNS suffix match) are sent unaltered to iOS, bypassing the “Allowed URLs” filtering logic. Default value is empty.
Allowed URLs
iOSapps can dispatch URL requests to other applications that have been registered to handle specific schemes (such as"http://"). This facility provides a mechanism for an app to pass requests for help to another app. This policy serves to filter the URLs that are passed from this app to other apps for handling (that is, outbound URLs).
The policy should be formatted as a comma-separated list of patterns in which each pattern may be preceded by a plus “+” or minus “-“. Outbound URLs are compared against the patterns in the order listed until a match is found. Once matched, the action taken is dictated by the prefix. A minus “-“ prefix blocks the URL from being passed out to another app. A plus “+’ prefix permits the URL to be passed out to another app for handling. If neither “+” or minus “-“ is provided with the pattern, “+” (allow) is assumed. A pair of valus separated by “=” indicates a substitution where occurrences of the first string are replaced with the second. You can use regular-expression “^” prefix to search string to anchor it to the beginning of the URL. If an outbound URL does not match any pattern in the list, it will be blocked.
Default
+maps.apple.com
+itunes.apple.com
^http:=ctxmobilebrowser:
^https:=ctxmobilebrowsers:
^mailto:=ctxmail:
+^citrixreceiver:
+ ^ telprompt:
+^tel:
+^lmi-g2m:
+^maps:ios_addr
+^mapitem:
+^sms:
+^facetime:
+^ctxnotes:
+^ctxnotesex:
+^ctxtasks:
+^facetime-audio:
+^itms-apps:
+^ctx-sf:
+^sharefile:
+^lync:
+^slack:
If the setting is blank, all URLs are blocked, except for the following:
- http:
- https:
- +citrixreceiver: +tel:
The following table contains examples of allowed URLs:
| URL format | Description |
|---|---|
| ^mailto:=ctxmail: | All mailto: URLs open in Secure Mail. |
| ^http: | All HTTP URLs open in Secure Web. |
| ^https: | All HTTPS URLs open in Secure Web. |
| ^tel: | Allows user to make calls. |
| -//www.dropbox.com | Blocks Dropbox URLs dispatched from managed apps. |
| +^COL-G2M: | Permits managed apps to open the GoToMeeting client app. |
| -^SMS: | Blocks the use of a messaging chat client. |
| - ^ wbx: | Blocks managed apps from opening the WebEx client app. |
| +^ctxsalesforce: | Permits Citrix for Salesforce to communicate with your Salesforce server. |
Allowed Secure Web domains
This policy only affects “Allowed URLs” policy entries that would redirect a URL to the Secure Web app (^ http:=ctxmobilebrowser: and ^https:=ctxmobilebrowsers:). Add a comma-separated list of fully qualified domain names (FQDN) or DNS suffixes allowed to redirect to the Secure Web app. If this policy contains any entries, then only those URLs with host fields matching at least one item in the list (via DNS suffix match) redirect to the Secure Web app. All other URLs are sent unaltered to iOS, bypassing the Secure Web app. Default value is empty.
App Restrictions
Important:
Be sure to consider the security implications of policies that block apps from accessing or using phone features. When those policies areOff, content can travel between unmanaged apps and the Secure environment.
Block camera
IfOn, prevents an app from directly using the camera hardware. Default value isOFF.
Block Photo Library
IfOn, prevents an app from accessing the Photo Library on the device. Default value isOn.
Block mic record
IfOn, prevents an app from directly using the microphone hardware. Default value isOn.
Block dictation
IfOn, prevents an app from directly using dictation services. Default value isOn.
Block location services
IfOn, prevents an app from using the location services components (GPS or network). Default value isOfffor Secure Mail.
Block SMS compose
IfOn, prevents an app from using the SMS compose feature used to send SMS/text messages from the app. Default value isOn.
Block email compose
IfOn, prevents an app from using the email compose feature used to send email messages from the app. Default value isOn.
Block iCloud
IfOn, prevents an app from using iCloud for the storing and sharing of settings and data.
Note:
iCloud data file is controlled by the Block file backup policy.
Default value isOn.
Block look up
IfOn, prevents an app from using the Look Up feature, which searches for highlighted text in the Dictionary, iTunes, the App Store, movie showtimes, nearby locations and more. Default value isOn.
块文件备份
IfOn, prevents data files from being backed up by iCloud or iTunes. Default value isOn.
Block AirPrint
IfOn, prevents an app from using AirPrint features for printing data to AirPrint-enabled printers. Default value isOn.
Block AirDrop
IfOn, prevents an app from using AirDrop. Default value isOn.
Block Facebook and Twitter APIs
IfOn, prevents an app from using the iOS Facebook and Twitter APIs. Default value isOn.
Obscure screen contents
IfOn, when users switch apps, the screen is obscured. This policy prevents iOS from recording screen contents and displaying thumbnails. Default value isOn.
Block 3rd party keyboards (iOS 11 and later only)
IfOn, prevents an app from using third-party keyboard extensions on iOS 8+. Default value isOn.
Block app logs
IfOn, prohibits an app from using the mobile productivity app diagnostic logging facility. IfOff, app logs are recorded and may be collected by using the Secure Hub email support feature. Default value isOff.
App network access
Network access
Note:
Tunneled - Web SSOis the name for the安全Browsein the settings. The behavior is the same.
The settings options are as follows:
- Blocked: All network access is blocked. Networking APIs used by your app fail. Per the previous guideline, you should gracefully handle such a failure.
- Unrestricted: All network calls go directly and are not tunneled.
- Tunneled - Web SSO: The HTTP/HTTPS URL is rewritten. This option allows only the tunneling of HTTP and HTTPS traffic. A significant advantage ofTunneled - Web SSOis single sign-on (SSO) for HTTP and HTTPS traffic and also PKINIT authentication. On Android, this option has low setup overhead and is thus the preferred option for web browsing types of operations.
If theTunneled - Web SSOoption is selected, a per-app VPN tunnel in this initial mode is created back to the enterprise network, and Citrix Gateway split tunnel settings are used. Citrix recommendsTunneled - Web SSOfor connections that require single sign-on (SSO).
micro VPN session required
IfYes, the user must have a connection to the enterprise network and an active session. IfNo, an active session is not required. Default value isUse Previous Setting. For newly uploaded apps, the default value isNo. Whichever setting was selected prior to the upgrade to this new policy remains in effect until an option other thanUse Previous Setting被选中。
micro VPN session required grace period (minutes)
This value determines how many minutes users can use the app before the Online Session Required policy prevents them from further use (until the online session is validated). Default value is0(no grace period). This policy isn’t applicable for integration with Microsoft Intune/EMS.
Certificate label
When used with the StoreFront certificate integration service, this label identifies the specific certificate required for this app. If no label is provided, a certificate is not made available for use with a public key infrastructure (PKI). Default value is empty (no certificate used).
Exclusion List
Comma-delimited list of FQDNs or DNS suffixes to be accessed directly instead of through a VPN connection. This only applies to theTunneled - Web SSOmode when Citrix Gateway is configured with Split tunnel reverse mode.
App logs
Default log output
Determines which output media are used by mobile productivity app diagnostic logging facilities by default. Possibilities are file, console, or both. Default value isfile.
Default log level
Controls default verbosity of the mobile productivity app diagnostic logging facility. Each level includes levels of lesser values. Range of possible levels includes:
- 0 - Nothing logged
- 1 - Critical errors
- 2 - Errors
- 3 - Warnings
- 4 - Informational messages
- 5 - Detailed informational messages
- 6 through 15 - Debug levels 1 through 10
Default value is level 4 (Informational messages).
Max log files
Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Default value is 2.
Max log file size
限制的大小在兆字节(MB)日志文件retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.
Redirect system logs
IfOn, intercepts and redirects system or console logs from an app to the Mobile Productivity Apps diagnostic facility. IfOff, app use of system or console logs is not intercepted.
Default value isOn.
App geofence
Center point longitude
Longitude (X coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.
Should be expressed in signed degrees format (DDD.dddd), for example “-31.9635”. West longitudes should be prefaced with a minus sign. Default value is0.
Center point latitude
Latitude (Y coordinate) of the center point of point/radius geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.
Should be expressed in signed degreed format (DDD.dddd), for example “43.06581”. Southern latitudes should be prefaced with a minus sign. Default value is0.
Radius
Radius of the geofence in which the app is constrained to operate. When operated outside the configured geofence, the app remains locked.
Should be expressed in meters. When set to zero, the geofence is disabled. When the Block location serviced policy is enabled, geofencing does not work properly. Default is0(disabled).
Analytics
Google Analytics level of detail
Citrix collects analytics data to improve product quality. SelectingAnonymousopts users out of including company identifiable information. Default is Complete.
Reporting
Citrix报告
IfOn, Citrix collects crash reports and diagnostics to help troubleshoot issues. IfOff, Citrix doesn’t collect data.
Note:
Citrix might also control this feature with a feature flag. Both the feature flag and this policy must be enabled for this feature to function.
Default value isOff.
Upload token
You can obtain an upload token from your Citrix Insight Services (CIS) account. If you specify this optional token, CIS gives you access to crash reports and diagnostics uploaded from your devices. Citrix has access to that same information. Default value is empty.
Send reports over Wi-Fi only
IfOn, Citrix sends crash reports and diagnostics only when you’re connected to a Wi-Fi network. Default value isOn.
Report file cache maximum
Limits the size of the crash report and diagnostics bundles retained before clearing the cache. Minimum is 1 MB. Maximum is 5 MB. Default value is 2 MB.