Citrix Secure Mail is a feature-rich mail client that comes with Citrix Endpoint Management (a.k.a. Citrix XenMobile). With Citrix Secure Mail you can enforce Mobile Application Management (MAM) policies to secure and containerize business data. You can also pre-configure the user's mail account.
When you publish Citrix Secure Mail with default settings (including the user's mail account), the end user is asked to enter their password the first time the Secure Mail app is started, as shown in the following screenshot.
However, it is possible to configure Secure Mail with SSO in a few simple steps, so that users no longer have to enter their password when they start Secure Mail for the first time. In this blog I will show you step-by-step how to configure this.
Autodiscovery
The first step is to configure Citrix XenMobile Autodiscovery. You can do this via the XenMobile tools site (link here). You can find the step-by-step instructions for Autodiscovery here.
For Secure Mail SSO it is important that User ID Type is set to E-mail address on the WorxHome Info page when configuring Autodiscovery. See also the next screenshot.
Client Properties
The second step is to configure and create some Citrix XenMobile Client Properties. Within the Citrix XenMobile admin console go to the settings page.
Open Client Properties
Make sure that the values of ENABLE_PASSCODE_AUTH and ENABLE_PASSWORD_CACHING are set to true
Click the Add button and add the following Client Property:
Key: Custom Key
Key: ENABLE_CREDENTIAL_STORE
Value: true
Name: Credential Store
Description: Credential Store
Click Save
Click the Add button one more time and add the following Client Property:
Key: Custom Key
Key: SEND_LDAP_ATTRIBUTES
Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}
Name: LDAP Attributes
Description: LDAP Attributes for SSON
Click Save
Server Properties
The next step is to create some Citrix XenMobile Server Properties. Within the Citrix XenMobile admin console go to the settings page.
Open the Server Properties page.
Click the Add button
Add the following Server Property:
Key: Custom Key
Key: MAM_MACRO_SUPPORT
Value: true
Display name: MAM Macro Support
Description: MAM Macro Support
Click Save
Restart the XenMobile server via CLI (in case of a XenMobile cluster, restart all the XenMobile nodes).
Configure Citrix Secure Mail
In the final step we need to set some special settings within the Citrix Secure Mail client policies.
Within the Citrix XenMobile admin console navigate to Configure > Apps
Select Secure Mail and click Edit
Open the iOS page (repeat these steps for the Android page) and browse to App Settings. Make sure the Secure Mail Exchange Server and Secure Mail user domain are empty.
Scroll down a little bit further and configure the following settings:
Initial authentication mechanism: User email address
Initial authentication credentials: userPrincipalName (or sAMAccountName if that is the authentication type used to authenticate against the Exchange Server)
Save the Secure Mail configuration after you have also changed the Android settings.
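A pre-flight check for the settings from the steps above, as an added example that is not part of the original post or of any Citrix tooling. The dictionary layout, field names such as `exchange_server`, and the rule that the macro string contains no spaces are assumptions; the values are meant to be copied by hand from the admin console.

```python
import re
# Expected values, taken from the steps in this post.
REQUIRED = {"server": {"MAM_MACRO_SUPPORT": "true"}, "client": {
    "ENABLE_PASSCODE_AUTH": "true", "ENABLE_PASSWORD_CACHING": "true",
    "ENABLE_CREDENTIAL_STORE": "true"}}
# Assumption: each pair is entered as name=${user.attribute}, without spaces.
PAIR = re.compile(r"^([A-Za-z]+)=\$\{user\.([A-Za-z]+)\}$")

def parse_ldap_attributes(value):
    """Split SEND_LDAP_ATTRIBUTES into ({name: attribute}, [malformed pairs])."""
    attrs, bad = {}, []
    for raw in value.split(","):
        if m := PAIR.match(raw):
            attrs[m[1].lower()] = m[2].lower()
        else:
            bad.append(raw)
    return attrs, bad

def check_sso_config(cfg):
    """Return findings; an empty list means the settings match the steps above."""
    findings = []
    for scope, required in REQUIRED.items():
        for key, want in required.items():
            got = cfg.get(scope, {}).get(key)
            if got != want:
                findings.append(f"{scope} property {key} is {got!r}, expected {want!r}")
    attrs, bad = parse_ldap_attributes(cfg.get("client", {}).get("SEND_LDAP_ATTRIBUTES", ""))
    findings += [f"malformed SEND_LDAP_ATTRIBUTES pair {p!r}" for p in bad]
    for platform in ("ios", "android"):  # the post configures both platforms
        app = cfg.get("secure_mail", {}).get(platform, {})
        for field in ("exchange_server", "user_domain"):
            if app.get(field):
                findings.append(f"{platform}: {field} must be empty")
        if app.get("initial_auth_mechanism") != "User email address":
            findings.append(f"{platform}: mechanism is not 'User email address'")
        cred = app.get("initial_auth_credentials", "")
        if cred.lower() not in attrs:
            findings.append(f"{platform}: {cred!r} is not sent in SEND_LDAP_ATTRIBUTES")
    return findings

# Constructed sample, transcribed by hand (not a XenMobile export format).
GOOD_APP = {"exchange_server": "", "user_domain": "", "initial_auth_credentials":
            "userPrincipalName", "initial_auth_mechanism": "User email address"}
SAMPLE = {"server": {},  # MAM_MACRO_SUPPORT was never added
          "client": dict(REQUIRED["client"], SEND_LDAP_ATTRIBUTES=
                         "userPrincipalName=${user.userprincipalname},mail= ${ user.mail}"),
          "secure_mail": {"ios": GOOD_APP, "android": dict(
              GOOD_APP, exchange_server="mail.example.test",
              initial_auth_credentials="sAMAccountName")}}
print(*check_sso_config(SAMPLE), sep="\n")
```

The constructed sample yields four findings: the missing server property, the pair containing spaces, the pre-filled Exchange server on Android, and an Android credential attribute that the client property never sends.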
Test the new configuration
For this test I reinstalled Secure Mail so that the new configuration is active immediately.
When I open Secure Mail for the first time I need to authorize the app, as you can see on the right.
After Secure Mail is authorized, it automatically restarts and starts configuring my mail account. A few seconds later the folders are downloading and my mailbox is ready for use without the need to enter my password.
10 comments
I am unable to get this to work, the app doesn't find the mail server. How does XenMobile know the fqdn/ip of my internal Exchange 2016 server in this configuration?
Thank you!
Hi, it is important that the Exchange Autodiscovery is configured correctly, otherwise it will not work.
I want to configure Secure Mail for apk as my environment supports only apk not MDX file.
Can I configure Secure Mail for users? I want to achieve the above solution for apk.
If not, is there any other app which I can use keeping security in mind? I have pushed Secure Mail apk and I can configure autodiscovery but I cannot manage from MDM. I have tried selective wipe but it does not wipe data for Secure Mail apk. Thank you in advance.
Are you using XenMobile / Endpoint Management – MDM Edition? If using Advanced or Enterprise you can download the MDX file from the Citrix website and apply the policies. With only APK files you cannot.
Hi Robin,
Thank you for the reply. Yes it’s MDM but it’s not supporting MAM or MDX. It’s only supporting APK file. I have downloaded MDX file and tried but it’s not working. At present I have published touchdown for which exchange policy is applied and allows users to enter only password for their account. Rest all is captured from Exchange. I have checked but I couldn’t find any option for Secure Mail. I might have to go for MAM and NetScaler for Secure Mail.
Yes, you need to update to advanced edition with NetScaler. You need to configure MAM policies.
This is great! Thanks for an awesome tutorial.
I have another question though, a bit off topic. When I open Secure Mail and go to Calendar. Then click the plus sign to create a new meeting. How do I create a Skype meeting? I have Web and Audio (but only GoToMeeting and Other).
Thanks in advance!
/Martin
Hi Martin, Skype meetings are also possible, only the Skype app needs to be installed on the device and some exclusions need to be made. See the following articles: https://support.citrix.com/article/CTX233642 and https://docs.citrix.com/en-us/citrix-secure-mail/ios-android-features.html#join-skype-for-business-meetings-on-ios-and-android
Hi Robin
Do you have any knowledge about the following MAM scenario:
A consultant is working for a consultant company that uses Secure Mail in a MAM configuration. Then he/she gets an assignment for a company that also uses Secure Mail with MAM policies. He/she is allowed to use the customer's Secure Mail. Does Secure Mail support multiple user accounts with MAM policies?
I know that Microsoft Intune does not support multiple Outlook accounts in a MAM scenario.
Hi, unfortunately, the scenario does not work for Citrix Secure Mail either.