How to configure Citrix Secure Mail with SSO

Citrix Secure Mail is a feature-rich mail client that comes with Citrix Endpoint Management (a.k.a. Citrix XenMobile). With Citrix Secure Mail you can enforce Mobile Application Management (MAM) policies to secure and containerize business data. You can also pre-configure the user's mail account.

When you publish Citrix Secure Mail with default settings (including the user's mail account), the end user is asked to enter their password the first time the Secure Mail app is started, as shown in the following screenshot.

However, it is possible to configure Secure Mail with SSO in a few simple steps, so that users no longer have to enter their password when they start Secure Mail for the first time. In this blog I will show you step by step how to configure this.


The first step is to configure Citrix XenMobile Autodiscovery. You can do this via the XenMobile tools site (link here). You can find the step-by-step instructions for Autodiscovery here.

For Secure Mail SSO it is important that User ID Type is set to E-mail address on the WorxHome Info page when configuring Autodiscovery. See also the next screenshot.

Client Properties

The second step is to configure and create some Citrix XenMobile Client Properties. Within the Citrix XenMobile admin console go to the settings page.

Open Client Properties

Make sure that the values of ENABLE_PASSCODE_AUTH and ENABLE_PASSWORD_CACHING are set to true.

Click the Add button and add the following Client Property:

Key: Custom Key


Value: true

Name: Credential Store

Description: Credential Store

Click Save

Click the Add button one more time and add the following Client Property:

Key: Custom Key


Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

Name: LDAP Attributes

Description: LDAP Attributes for SSON

Click Save

Server Properties

The next step is to create some Citrix XenMobile Server Properties. Within the Citrix XenMobile admin console go to the settings page.

Open the Server Properties page.

Click the Add button

Add the following Server Property:

Key: Custom Key


Value: true

Display name: MAM Macro Support

Description: MAM Macro Support

Click Save

Restart the XenMobile server via CLI (in case of a XenMobile cluster, restart all the XenMobile nodes).

Configure Citrix Secure Mail

In the final step we need to set some special settings within the Citrix Secure Mail client policies.

Within the Citrix XenMobile admin console navigate to Configure > Apps.

Select Secure Mail and click Edit.

Open the iOS page (repeat these steps for the Android page) and browse to App Settings. Make sure the Secure Mail Exchange Server and Secure Mail user domain settings are empty.

Scroll down a little further and configure the following settings:

Initial authentication mechanism: User email address

Initial authentication credentials: userPrincipalName (or sAMAccountName if that is the authentication type used to authenticate against the Exchange Server)

After also changing the Android settings, save the Secure Mail configuration.
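The LDAP Attributes value and the Initial authentication credentials setting have to agree, so it helps to check the string before pasting it into the console. The following is an added example, not code from the original post or from Citrix: the function name is hypothetical, and it assumes that each entry has the form name=${user.attribute} and that the macros must not contain whitespace.

```python
import re

# Constructed sample: the LDAP Attributes value from the client property
# above, typed without stray spaces.
LDAP_ATTRIBUTES = (
    "userPrincipalName=${user.userprincipalname},"
    "sAMAccountNAme=${user.samaccountname},"
    "displayName=${user.displayName},"
    "mail=${user.mail}"
)

# One entry: <name>=${user.<attribute>} (assumed form, see lead-in).
PAIR_RE = re.compile(
    r"^([A-Za-z][A-Za-z0-9-]*)=\$\{user\.([A-Za-z][A-Za-z0-9-]*)\}$"
)


def lint_ldap_attributes(value, initial_credential):
    """Return (mapping, problems) for an LDAP Attributes string.

    mapping  : {lower-cased attribute name: user attribute in the macro}
    problems : readable findings; an empty list means the string passed.
    """
    mapping, problems = {}, []
    for raw in value.split(","):
        if re.search(r"\s", raw):
            problems.append(f"whitespace in entry {raw!r}")
        # Parse the entry with whitespace removed so one finding per entry
        # is reported instead of a cascade of follow-up errors.
        match = PAIR_RE.match(re.sub(r"\s+", "", raw))
        if not match:
            problems.append(f"not of the form name=${{user.attr}}: {raw!r}")
            continue
        name = match.group(1).lower()
        if name in mapping:
            problems.append(f"duplicate attribute {match.group(1)!r}")
        mapping[name] = match.group(2)
    # LDAP attribute names are case-insensitive, so compare lower-cased.
    if initial_credential.lower() not in mapping:
        problems.append(
            f"{initial_credential!r} is the initial credential but is not sent"
        )
    return mapping, problems


if __name__ == "__main__":
    print(lint_ldap_attributes(LDAP_ATTRIBUTES, "userPrincipalName"))
```

Run it with the attribute name you select under Initial authentication credentials (userPrincipalName or sAMAccountName) as the second argument.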

Test the new configuration

For this test I reinstalled Secure Mail so that the new configuration is active immediately.

When I open Secure Mail for the first time I need to authorize the app, as you can see on the right.

After Secure Mail is authorized, it automatically restarts and starts configuring my mail account. A few seconds later the folders are downloading and my mailbox is ready for use without the need to enter my password.


  • I am unable to get this to work, the app doesn't find the mail server. How does XenMobile know the fqdn/ip of my internal Exchange 2016 server in this configuration?

    Thank you!

  • I want to configure Secure Mail for apk as my environment supports only apk not MDX file.
    Can I configure Secure Mail for users? I want to achieve the above solution for apk.
    If not, is there any other app which I can use keeping security in mind? I have pushed Secure Mail apk and I can configure autodiscovery but I cannot manage from MDM. I have tried selective wipe but it does not wipe data for Secure Mail apk. Thank you in advance.

    • Are you using XenMobile / Endpoint Management – MDM Edition? If using Advanced or Enterprise you can download the MDX file from the Citrix website and apply the policies. With only APK files you cannot.

      • Hi Robin,
        Thank you for the reply. Yes it’s MDM but it’s not supporting MAM or MDX. It’s only supporting APK file. I have downloaded MDX file and tried but it’s not working. At present I have published TouchDown for which exchange policy is applied and allows users to enter only password for their account. Rest all is captured from Exchange. I have checked but I couldn’t find any option for Secure Mail. I might have to go for MAM and NetScaler for Secure Mail.

  • This is great! Thanks for an awesome tutorial.
    I have another question though, a bit off topic. When I open Secure Mail and go to Calendar, then click the plus sign to create a new meeting, how do I create a Skype meeting? I have Web and Audio (but only GoToMeeting and Other).

    Thanks in advance!


  • Hi Robin
    Do you have any knowledge about the following MAM scenario:
    A consultant is working for a consultant company that uses Secure Mail in a MAM configuration. Then he/she gets an assignment for a company that also uses Secure Mail with MAM policies. He/she is allowed to use the customer's Secure Mail. Does Secure Mail support multiple user accounts with MAM policies?
    I know that Microsoft Intune does not support multiple Outlook accounts in a MAM scenario.

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.
