Enroll Secure Mail on your device

What is Citrix Secure Mail?

Citrix Secure Mail lets you manage your email, calendars, and contacts on your mobile phones and tablets. Be it an enterprise or a BYOD program, you can confidently turn your mobile device into a business tool. With Secure Mail, you can manage emails from multiple accounts, calendars (business and personal), and contacts. For the complete product documentation, see Secure Mail overview.

Supported mail servers

To maintain continuity, Secure Mail syncs with Microsoft Exchange Server and IBM Notes Traveler Server. For a list of supported servers, see supported Mail Servers.

Integrating Exchange Server or IBM Notes Traveler Server

To stay in sync with your mail servers, integrate Secure Mail with an Exchange Server or IBM Notes Traveler Server. Ensure that the Exchange Server or IBM Notes Traveler Server resides in your internal network or is behind Citrix Gateway.

For more information, see Integrating Exchange Server or IBM Notes Traveler Server.

Supported file formats

For Secure Mail for iOS, you can attach files from the iOS native Files app. Supported formats are .txt, Word, audio, video, HTML, .zip files, images, .eml files, and .vcf contact files. For more information, see View and attach files.

Citrix Secure Mail connection modes

The Secure Ticket Authority (STA) is an XML web service that exchanges Citrix Endpoint Management information for randomly generated tickets. It is used to control access for a Citrix Secure Gateway server.


Citrix recommends that you use a STA connection for Secure Mail because a STA connection supports long-lived session connections.

STA mode

A STA-based configuration requires a Citrix Gateway. This configuration does not consume extra Citrix Gateway Universal Licenses for mail sync. It uses an ICA Proxy or SOCKS type of connection.

Non-STA mode

A Non-STA based configuration allows users to connect directly to an Exchange Server (if externally available). If Citrix Gateway is available, users connect via micro VPN and sign on to Secure Hub to sync mail. This method consumes Citrix Gateway Universal Licenses.


Only the ActiveSync protocol is supported.

For more information on Citrix Gateway integration, see Integrating with Citrix Gateway and Citrix ADC.

Dual mode (Secure Mail for Android)

The Mobile Application Management (MAM) SDK is available to replace areas of MDX functionality that aren’t covered by the Android platform. The MDX wrapping technology is scheduled to reach end of life (EOL) in September 2021. To continue managing your enterprise applications, you must incorporate the MAM SDK.

For prerequisites, setup, and other important details about the APIs available as part of the MAM SDK, see Mobile Application Integration.

Push notifications for Secure Mail

Secure Mail can receive email and calendar notifications when the app is running in the background or is closed. For more information about push notifications, see Push Notifications for Secure Mail.


By default, the Push Notifications policy is disabled in the Citrix Endpoint Management console.

Modern authentication with Microsoft Office 365

Secure Mail supports modern authentication with Microsoft Office 365 for Active Directory Federation Services (AD FS) or Identity Provider (IdP). Modern authentication is OAuth token-based authentication with user name and password. Secure Mail users with iOS devices can take advantage of certificate-based authentication when connecting to Office 365. For more information, see Modern authentication with Microsoft Office 365.

Micro VPN requirements

With Citrix micro VPN, a single, per-app VPN gives access to a specific app back-end resource. Using micro VPN technology reduces data transfer costs and simplifies security because the VPN tunnel isn’t always active. Instead, it’s only active when needed. This method reduces risk and optimizes the performance of the device for a better user experience. For more information about Citrix Micro VPN, see Citrix Secure Hub for Mobile Devices and micro VPN Technology.

Troubleshooting Citrix Secure Mail

When Secure Mail isn’t working properly, connection issues are typically the cause. This section describes how to avoid connection issues and, if issues occur, how to troubleshoot them.

Citrix Endpoint Management authentication timeouts via Citrix Gateway

To access your mail server via the Citrix Gateway, you need to configure background services for Secure Mail. You must configure background services in the MDX app policies settings. For more information, see MDX app policies for the background services configuration.

Verify SSL connectivity

Ensure that the SSL certificate chain is properly configured. You can check for missing Root or Intermediate CAs that are not linked or installed on mobile devices by using the SSL Certificate Checker.

Server certificates, signed by multiple hierarchical Certificate Authorities (CA), form a chain of certificates that you must link. For information about installing or linking your certificates, see Install, link, and update certificates.
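
The effect of an unlinked intermediate CA can be reproduced offline with the openssl command-line tool. The following is an added example, not Citrix code: it builds a throwaway root, intermediate, and server certificate (all names are constructed) and verifies the server certificate against the root alone, as a device would when the intermediate is not linked, and then with the intermediate supplied.

```shell
#!/bin/sh
# Constructed example: root -> intermediate -> leaf chain built in a temp directory.

# make_chain DIR: write root.pem, inter.pem and leaf.pem (plus keys) into DIR.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
    done
    # The root signs itself; it stands in for a CA the device already trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1
    # The root signs the intermediate CA.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1 || return 1
    # The intermediate signs the server (leaf) certificate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
}

# chain_status ROOT LEAF [INTERMEDIATES]: print "complete" if LEAF chains up to
# ROOT using only the certificates supplied, otherwise print "incomplete".
chain_status() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi && echo complete || echo incomplete
}

work=$(mktemp -d) && make_chain "$work" && {
    echo "leaf only (intermediate not linked): $(chain_status "$work/root.pem" "$work/leaf.pem")"
    echo "leaf + linked intermediate:          $(chain_status "$work/root.pem" "$work/leaf.pem" "$work/inter.pem")"
}
rm -rf "$work"
```

Against a real deployment, the same chain_status check applies to the certificates exported from the server, with the root file replaced by the CA the devices actually trust.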

Delay in receiving push notifications

If push notifications are not working correctly, connection issues are typically the cause. For information about avoiding connection issues, see Secure Mail Push Notifications FAQs.

For information about troubleshooting push notifications for Secure Mail for iOS, see Troubleshooting Secure Mail Issues with iOS Push Notifications.

For other information about badge count or notification behavior, see FAQ: Badge and Notification Behavior For End Users.

Reporting issues in Secure Mail

You can report any issues you face in Secure Mail by opening Citrix Secure Hub. Citrix Secure Hub is the launchpad for the mobile productivity apps. To generate device logs while reporting an issue, see How to generate the device side logs.

Other resources

See the following links for more information about related Citrix products: