Thanks Nick. Leaving a couple comments below for the next poor soul who comes along with the same issue from Google, apologies for wall of text
I agree, it's has to be something on Citrix side, however all the MDM solutions on iOS have limited configuration options available, and Esri apps (apparently) follow standard AppConfig rules.
I have already sent the above + the FQDN list from the Esri Trust site to the network team, who are currently crawling through logs with Citrix support. i'll update this if something comes of it.
Esri support have advised it's a network thing (which I understand), and as Citrix don't know Esri product specifically, they have no idea. These issues are always difficult to get resolved.
One poorly documented requirement is to add the the Enterprise Portal domain to the per-app config as a Safari Domain, or from 10.6 the login popup can't be accessed (as that's a Safari window). this is only referenced in the Navigator documentation and not for any other apps (Collector, Explorer, QuickConnect).
https://doc.arcgis.com/en/navigator/iphone/help/deploy.htm
What a Safari Domain does is tunnel the whole safari app after that is triggered (until whenever your VPN is set to disconnect), which isn't ideal but we can live with. This can be seen as I can :
- log into Esri app > Enterprise Portal > triggering the Safari Domain rule set on that portal domain
- then open up the actual Safari browser app, which shows VPN connection in the corner. Also verified as I can access our intranet sites, and shows in VPN + iOS Fiddler logs
- Until the VPN session times out, via Safari I can access ArcGIS Online fine and login, and view basemaps (and also Portal).
So agreed is definitely some app-level config issue, however there's limited 'spots' in the Citrix config to put the whitelisting for all the AGOL service URLs.
