Citrix Endpoint Management

Management modes

Management modes is a term that includes Mobile Device Management (MDM) and Mobile App Management (MAM). You can configure:

  • Enrollment profiles to enroll Android and iOS devices into MDM, MAM, or both (MDM+MAM). If you choose MDM+MAM, you can give users the ability to opt out of MDM.
  • Enrollment profiles to enroll Windows 10 devices into MDM.

You specify enrollment options in enrollment profiles, which you attach to delivery groups. For information about enrollment options, see Enrollment profiles. The following sections focus on considerations for managing devices and apps.

Mobile device management (MDM)

With MDM, you can configure, secure, and support mobile devices. MDM enables you to protect devices and data on devices at a system level. You can configure policies, actions, and security functions. For example, you can wipe a device selectively if the device is lost, stolen, or out of compliance.

Even if you don’t choose to manage apps on devices, you can deliver mobile apps, such as public app store and enterprise apps.

Following are common use cases for MDM:

  • MDM is a consideration for corporate-owned devices where device-level management policies or certain restrictions are required. Those restrictions include full wipe, selective wipe, or geo-location.
  • When customers require management of an actual device, but do not require MDX policies.
  • When users only need email delivered to their native email clients on their mobile devices, and Exchange ActiveSync or Client Access Server is already externally accessible. In this use case, you can use MDM to configure email delivery.
  • When you deploy native enterprise apps (non-MDX), public app store apps, or MDX apps delivered from public stores. Consider that an MDM solution alone might not prevent data leakage of confidential information between apps on the device. Data leakage might occur with copy and paste or Save As operations in Office 365 apps.

Mobile app management (MAM)

MAM protects app data and lets you control app data sharing. MAM also allows for the management of corporate data and resources, separately from personal data. With Endpoint Management configured for MAM, you can use MDX-enabled mobile apps to provide per-app containerization and control.

By using MDX policies, Endpoint Management provides app-level control over network access (such as micro VPN), app and device interaction, data encryption, and app access.

MAM is often suitable for bring-your-own (BYO) devices because, although the device is unmanaged, corporate data remains protected. MDX has more than 50 MAM-only policies that you can set. Those policies don’t require an MDM control or device passcodes for encryption.

MAM also supports the Citrix mobile productivity apps. This support includes:

  • Secure email delivery to Citrix Secure Mail
  • Data sharing between the secured Citrix mobile productivity apps
  • Secure data storage in Citrix Files.

For details, see Mobile productivity apps.

MAM is often suitable for the following examples:

  • You deliver mobile apps, such as MDX apps, managed at the app level.
  • You are not required to manage devices at a system level.

MDM+MAM

Endpoint Management lets you specify whether users can opt out of device management. This flexibility is useful for environments that include a mix of use cases. These environments might require management of a device through MDM policies to access your MAM resources.

MDM+MAM is suitable for the following examples:

  • You have a single use case in which both MDM and MAM are required. MDM is required to access your MAM resources.
  • Some use cases require MDM while some do not.
  • Some use cases require MAM while some do not.

Device Management and MDM Enrollment

An Endpoint Management Enterprise environment can include a mixture of use cases, some of which require device management through MDM policies to allow access to MAM resources.

Before deploying Citrix mobile productivity apps to users, fully assess your use cases and decide whether to require MDM enrollment. If you later decide to change the requirement for MDM enrollment, users might need to re-enroll their devices. For more information, see Enrollment profiles.

For information about enrollment mode and Citrix Gateway, see Integrating with Citrix Gateway and Citrix ADC.

Following is a summary of the advantages and disadvantages (along with mitigations) of requiring MDM enrollment.

When MDM enrollment is optional

Advantages

  • Users can access MAM resources without putting their devices under MDM management. This option can increase user adoption.
  • Ability to secure access to MAM resources to protect enterprise data.
  • MDX policies such as App Passcode can control app access for each MDX app.
  • Configuring Citrix Gateway, Endpoint Management, and per-application time-outs, along with Citrix PIN, provide an extra layer of protection.
  • While MDM actions do not apply to the device, some MDX policies are available to deny MAM access. The denial would be based on system settings, such as jailbroken or rooted devices.
  • Users can choose whether to enroll their device with MDM during first-time use.

Disadvantages

  • MAM resources are available to devices not enrolled in MDM.
  • MDM policies and actions are available only to MDM-enrolled devices.

Mitigation options

  • Have users agree to a company terms and conditions that hold them responsible if they choose to go out of compliance. Have administrators monitor unmanaged devices.
  • Manage application access and security by using application timers. Decreased time-out values increase security, but can affect user experience.

When MDM enrollment is required

Advantages

  • Ability to restrict access to MAM resources only to MDM-managed devices.
  • MDM policies and actions can apply to all devices in the environment as desired.
  • Users are not able to opt out of enrolling their device.

Disadvantages

  • Requires all users to enroll with MDM.
  • Might decrease adoption for users who object to corporate management of their personal devices.

Mitigation options

  • Educate users about what Endpoint Management actually manages on their devices and what information administrators can access.

Management modes