SDKs Overview

Deciding Which SDKs to Implement

The Core SDK is required but any combination of the other SDKs is allowed. Learn about the function and capabilities that each SDK brings to your application by navigating to any of the following:

• Core (Required)
• Compliance
• Containment
• Local Authentication
• Micro VPN

Core for iOS

The Core SDK manages Application Management and Containment and helps you to manage your app. The Core SDK is responsible for fetching, storing, and synchronizing policies and other settings from Citrix Endpoint Management and other mechanisms, and provide core functionality for overlaying SDKs.

Note:

The Core SDK is a prerequisite for all other MAM SDKs.

Compliance for iOS

The Compliance library helps you to detect compromised devices or non-compliant devices. You can use this library to detect when a device falls below the minimum compliance requirements.

The Compliance library detects the following compliance violations:

• Disabled device passcode (See App policy: Device Passcode)
• Jailbroken devices (See App policy: Block jailbroken or rooted)
• Non-compliant device behavior (See App policy: Non-compliant device behavior)

The compliance library also detects and enforces the following security actions:

• App containers self-destruct
• User change
• Device date and time change
• Admin app lock and App wipe (See App policy: Active poll period for status poll interval)
• Wipe data on local app lock (See App policy: Erase app data on app lock). Enforced on detecting the Jailbroken device, no iOS device passcode set, or when the app is disabled on Citrix Endpoint Management.

Containment for iOS

The Containment library manages the interaction between apps on a device and restrictions applied to certain device functionalities, such as cut-and-paste blocking, open URL and open-in, and blocking iCloud, camera, or AirDrop. The Containment library also manages the geofence and mail redirection policies.

The Containment library supports the following policies:

• Cut and copy
• Paste
• Document exchange (Open In)
• Restricted Open-In exception list
• Inbound document exchange (Open In)
• Inbound document exchange allow list
• App URL schemes
• Allowed URLs
• Block camera
• Block photo library
• Block mic record
• Block dictation
• Block location services
• Block SMS compose
• Block iCloud
• Block lookup
• Block file backup
• Block AirPrint
• Block AirDrop
• Block Facebook and Twitter APIs
• Obscure screen contents
• Block third-party keyboards (iOS 11+ only)
• Center point longitude
• Center point latitude
• Radius
• Mail Redirection

Local authentication for iOS

The Local Authentication SDK is designed for apps that need local authentication. It implements App Passcode policy and Max Offline Period policy. Customer apps that use the Local Auth SDK are called third party apps. The apps that are created using the Local Auth SDK (and possibly other CTXMAM SDKs) must be able to use the same Local Auth SDK and have their own inactivity timer record and must be shared among the third party apps. However, this inactivity timer record is not shared with first party apps since they are signed with a different provisioning profile. Thus the Inactivity Timer and Max Offline Period policies are not applied across app silos.

App passcode

When the AppPasscode policy is set to true, the Local Auth SDK considers the value of Inactivity Timer policy value which is set in minutes (default 60 minutes). The Local Auth SDK sets up a timer to verify user inactivity and when the inactivity timer expires, it displays Touch ID/ Face ID/ Device passcode Auth prompt to the user to authenticate. If the user successfully authenticates, the SDK resets the inactivity timer and the user is able to use the app. The inactivity countdown restarts and it resets when the user interacts with the app. If the user cannot successfully authenticate, the auth prompt continues and the user cannot use the app until successfully authenticates.

Max Offline Period

When the offline period expires, the user needs to enable the internet connection and sign to the CEM server using Secure Hub app. The Local Auth SDK tries to refresh the policies using the Core SDK and if needed, the app flips to Secure Hub. However, if the user is offline or Secure Hub returns any other failure, the user needs to make sure that the sign in to Secure Hub succeeds so that the policy refresh takes place and the app entitlement verification succeeds.

When the offline period expires, the app becomes temporarily unusable until the user signs in to the Secure Hub app. There will be offline period warning alert messages as the offline period approaches. The warnings are 30 minutes, 15 minutes, and 5 minutes before the Max Offline period expires.

Functionality provided and differences with the MDX Toolkit functionality

App Passcode

The Max Number Of Retries policy is not present in Local Auth SDK. Thus, the device lock or wipe policies does not apply when the user fails the authentication challenge. When the device Passcode authentication fails for 5 times, iOS disables the passcode validation screen for incrementing times starting from 1 minute to 5 minutes, to 15 minutes to 60 minutes, and finally it disables the iPhone and when this happens the user cannot use the device. This is standard iOS behavior and so the user experience is different than legacy MDX.

For the Local Auth SDK, the TouchID Enabled policy is not supported. We rely on iOS behavior wherein iOS will first use Touch ID/ Face ID if present and enabled and if it’s not present or locked out due to incorrect attempts, then it uses the device passcode.

The Secure Hub PIN related policies like PIN type, PIN strength, and PIN length requirement do not apply to the App Passcode policy since we are using the device passcode to authenticate. Thus, these policies are deprecated for Local Auth SDK. They continue to function for Secure Hub.

The App lock and wipe policy is not handled as part of this policy and the Max Number Of Retries policy is not considered. This is because we rely on iOS to lock or wipe the device as necessary after authentication failures. Currently, the maximum number of authentication failures before iOS locks the device is 10.

The following is the list of policies related to App Passcode that do not apply in Local Auth SDK:

• Touch ID Enabled
• Max Number Of Retries
• PIN type
• PIN strength
• PIN length
• Wipe device on Lock

Max Offline Period

The functionality for Max Offline Period policy is disabled when the value for the Max Offline Period policy is 0. The Local Auth SDK considers the policy refresh time and if the policy is not refreshed for the specified period, the Local Auth SDK sends a delegate callback to the app. Also, there is delegate callbacks, when the max offline period is approaching, and it is 30 minutes, 15 minutes, and 5 minutes before the Max Offline period expires. If the app didn’t set the delegate, the Local Auth SDK displays alert window with a “Quit” button that exits the app and a “Logon” button, when the Max Offline period expires. Also, if the app didn’t set the delegate, another alert window with “OK” button and a “Logon” button, is displayed when the max offline period is approaching, and similar to preceding delegate callbacks, it is 30 minutes, 15 minutes, and 5 minutes before the Max Offline period expires.

When the app developer implements the delegate pop-up, if the “Logon” button is clicked, the app must call a new API in the Core SDK that flips to SH and does the login. In the future, when we add AML support, we verify if AML can be used for in-app login and if so, the flip to SH will be skipped and authentication will occur in-app. If the delegate is not implemented, the Local Auth SDK puts up a similar popup.

Micro VPN for iOS

The Citrix Endpoint Management micro VPN library is designed to allow a per-app VPN connection without requiring mobile device management (MDM). The library exposes APIs to the app that enable the creation of the Web SSO network tunnel. The APIs provide a framework for the app to receive and respond to asynchronous events. With the library, apps are no longer required to be wrapped with the MDX Toolkit.

Why use the micro VPN library

MDX provides an app wrapping approach that modifies the original .ipa file and generates a wrapped ipa file. This process causes different kinds of compatibility issues during wrapping an app. This approach uses low level hooking, which can cause stability problems due to frequent changes in the operating system.

Citrix micro VPN library provides APIs to start a secure per-app VPN tunnel and to enable objects for network tunneling. Citrix micro VPN library gives app developers more control over when to start a network tunnel while avoiding any app wrapping issues. Citrix micro VPN library also improves the user experience by reducing iOS compatibility issues.