About Endpoint Management

You choose an Endpoint Management offering based on whether you need Mobile Device Management (MDM), Mobile App Management (MAM), or both.

For example, if you use only the MDM features of Endpoint Management, you can:

  • Deploy device policies and apps.
  • Retrieve asset inventories.
  • Carry out actions on devices, such as a device wipe.

If you use only the MAM features of Endpoint Management, you can:

  • Secure apps and data on BYO mobile devices.
  • Deliver enterprise mobile apps.
  • Lock apps and wipe their data.

If you use both the MDM and MAM features, you can:

  • Manage a corporate-issued device by using MDM
  • Deploy device policies and apps
  • Retrieve an asset inventory
  • Wipe devices
  • Deliver enterprise mobile apps
  • Lock apps and wipe the data on devices

For more information about Endpoint Management offerings, see this data sheet.


The device and app management requirements of your organization determine the Endpoint Management components in your Endpoint Management architecture. The components of Endpoint Management are modular and build on each other. For example, your deployment includes NetScaler Gateway to give users remote access to mobile apps and to track user device types. Endpoint Management is where you manage apps and devices, and NetScaler Gateway enables users to connect to your network.

The following diagram shows a general architectural overview of an Endpoint Management cloud deployment and its integration with your data center.

Diagram of general architecture

The following subsections contain reference architecture diagrams for the core Endpoint Management and for optional components such as an external Certificate Authority and Endpoint Management connector for Exchange ActiveSync.

For more information about NetScaler and NetScaler Gateway requirements, see the Citrix product documentation at docs.citrix.com.

Core reference architecture

For details about port requirements, see System requirements.

Diagram of core architecture

Reference architecture with an external Certificate Authority

Diagram of external certificate authority architecture

Reference architecture with XenApp and XenDesktop

Diagram of XenApp and XenDesktop architecture

Reference architecture with Endpoint Management connector for Exchange ActiveSync

Diagram of Endpoint Management connector for Exchange ActiveSync architecture

Reference architecture with Citrix Gateway connector for Exchange ActiveSync

Diagram of Citrix Gateway connector for Exchange ActiveSync architecture

Resource locations

Place resource locations where they best meet your business needs. For example, in a public cloud, in a branch office, private cloud, or a data center. Factors that determine the choice of location include:

  • Proximity to subscribers
  • Proximity to data
  • Scale requirements
  • Security attributes

You can build any number of resource locations. For example, you might:

  • Build a resource location in your data center for the head office, based on subscribers and applications that require proximity to the data.
  • Add a separate resource location for your global users in a public cloud. Alternatively, build separate resource locations in branch offices to provide the applications best served close to the branch workers.
  • Add a further resource location on a separate network that provides restricted applications. This setup provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.

Cloud Connector

Citrix uses Cloud Connector to integrate the Endpoint Management architecture into your existing infrastructure. Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Cloud Connector supports all Endpoint Management authentication types.

The following diagram shows the traffic flow for Cloud Connector.

Diagram of cloud connector traffic flow

Cloud Connector establishes connections to Citrix Cloud. Cloud Connector doesn’t accept incoming connections.

A solution that includes Mobile App Management (MAM) requires a micro VPN that is provided by an on-premises NetScaler Gateway. Cloud Connector, NetScaler Gateway, and your servers for Exchange, web apps, Active Directory, and PKI reside in your data center. Mobile devices communicate with Endpoint Management and your on-premises NetScaler Gateway.

Endpoint Management components

Endpoint Management console. You use the Endpoint Management administrator console to configure Endpoint Management. For details about using the Endpoint Management console, see the articles under Endpoint Management. Citrix notifies you when the What’s new articles for Endpoint Management are updated for a new release.

Note these differences between the Endpoint Management service and the on-premises releases:

  • The Remote Support client is not available for Endpoint Management.
  • Endpoint Management server-side components are not FIPS 140-2 compliant.
  • Citrix does not support syslog integration in Endpoint Management with an on-premises syslog server. Instead, you can download the logs from the Support page in the Endpoint Management console. When doing so, you must click Download All.

MDX Service. The Endpoint Management MDX Service securely wraps mobile apps created within your organization or outside the company. For more information, see MDX Service.

Mobile productivity apps. Citrix-developed mobile productivity apps provide a suite of productivity and communication tools within the Endpoint Management environment. Your company policies secure those apps. For more information, see Mobile productivity apps.

Endpoint Management connector for Exchange ActiveSync. Endpoint Management connector for Exchange ActiveSync provides secure email access to users who use native mobile email apps. The connector for Exchange ActiveSync provides ActiveSync filtering at the Exchange service level. As a result, filtering only occurs once the mail reaches the Exchange service, rather than when it enters the Endpoint Management environment. The connector doesn’t require the use of NetScaler. You can deploy the connector without changing routing for the existing ActiveSync traffic. For more information, see Endpoint Management connector for Exchange ActiveSync.

Citrix Gateway connector for Exchange ActiveSync. Citrix Gateway connector for Exchange ActiveSync provides secure email access to users who use native mobile email apps. The connector for Exchange ActiveSync provides ActiveSync filtering at the perimeter, by using NetScaler as a proxy for ActiveSync traffic. As a result, the filtering component sits in the path of mail traffic flow, intercepting mail as it enters or leaves the environment. The connector for Exchange ActiveSync acts an intermediary between NetScaler and the Endpoint Management server. For more information, see Citrix Gateway connector for Exchange ActiveSync.

Endpoint Management technical security overview

Citrix Cloud manages the control plane for Endpoint Management environments, including the Endpoint Management server, NetScaler load balancer, and a single-tenant database. The cloud service integrates with a customer data center using Citrix Cloud Connector. Endpoint Management customers who use Cloud Connector typically manage NetScaler Gateway in their data centers.

The following figure illustrates the service and its security boundaries.

Diagram of security boundaries

The information in this section:

  • Provides an introduction to the security functionality of Citrix Cloud.
  • Defines the division of responsibility between Citrix and customers for securing the Citrix Cloud deployment.
  • Is not intended to serve as configuration and administration guidance for Citrix Cloud or any of its components or services.

Data flow

The control plane has limited read-access to user and group objects from a customer directory and other services such as DNS. The control plane accesses those services over Citrix Cloud Connector, which uses secure HTTPS connections.

Company data, such as email, intranet, and web-app traffic, flows directly between a device and the application servers over NetScaler Gateway. NetScaler Gateway is deployed in the customer data center.

Data isolation

The control plane stores metadata needed for managing user devices and their mobile applications. The service itself consists of a mix of multi- and single-tenant components. However, per the service architecture, customer metadata is always stored separately for each tenant and secured by using unique credentials.

Credential handling

The service handles the following types of credentials:

  • User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The control plane validates these credentials with a directory in the customer directory over a secure connection.
  • Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This process generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the service.
  • Active Directory credentials: The control plane requires bind-credentials to read user meta-data from Active Directory. These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.

Deployment considerations

Citrix recommends that you consult the published best practices documentation for deploying NetScaler Gateway within your environments.

More resources

See the following resources for more security information: