With Endpoint Management, you can choose whether to manage devices, apps, or both. Endpoint Management uses the following terms for device and app management modes, sometimes also referred to as deployment modes:
- Mobile device management mode (MDM mode)
- Mobile app management mode (MAM mode)
- MDM+MAM mode (Enterprise mode)
Mobile device management (MDM Mode)
With MDM, you can configure, secure, and support mobile devices. MDM enables you to protect devices and data on devices at a system level. You can configure policies, actions, and security functions. For example, you can wipe a device selectively if the device is lost, stolen, or out of compliance. Although app management is not available with MDM mode, you can deliver mobile apps, such as public app store and enterprise apps, in this mode. Following are common use cases for MDM mode:
- MDM is a consideration for corporate-owned devices where device-level management policies or restrictions, such as full wipe, selective wipe, or geo-location are required.
- When customers require management of an actual device, but do not require MDX policies, such as app containerization, controls on app data sharing, or micro VPN.
- When users only need email delivered to their native email clients on their mobile devices, and Exchange ActiveSync or Client Access Server is already externally accessible. In this use case, you can use MDM to configure email delivery.
- When you deploy native enterprise apps (non-MDX), public app store apps, or MDX apps delivered from public stores. Consider that an MDM solution alone might not prevent data leakage of confidential information between apps on the device. Data leakage might occur with copy and paste or Save As operations in Office 365 apps.
Mobile app management (MAM Mode)
MAM protects app data and lets you control app data sharing. MAM also allows for the management of corporate data and resources, separately from personal data. With Endpoint Management configured for MAM mode, you can use MDX-enabled mobile apps to provide per-app containerization and control. MAM mode is also called MAM-only mode.
By leveraging MDX policies, Endpoint Management provides app-level control over network access (such as micro VPN), app and device interaction, data encryption, and app access.
MAM mode is often suitable for bring-your-own (BYO) devices because, although the device is unmanaged, corporate data remains protected. MDX has more than 50 MAM-only policies that you can set without needing an MDM control or relying on device passcodes for encryption.
MAM also supports the Citrix mobile productivity apps. This support includes secure email delivery to Citrix Secure Mail, data sharing between the secured Citrix mobile productivity apps, and secure data storage in Citrix Files. For details, see Mobile productivity apps.
MAM is often suitable for the following examples:
- You deliver mobile apps, such as MDX apps, managed at the app level.
- You are not required to manage devices at a system level.
MDM+MAM (Enterprise Mode)
MDM+MAM is a hybrid mode, also called Enterprise Mode, which enables all feature sets available in the Endpoint Management Enterprise Mobility Management (EMM) solution. Configuring Endpoint Management with MDM+MAM mode enables both MDM and MAM features.
Endpoint Management lets you specify whether users can choose to opt out of device management or whether you require device management. This flexibility is useful for environments that include a mix of use cases. These environments may or may not require management of a device through MDM policies to access your MAM resources.
MDM+MAM is suitable for the following examples:
- You have a single use case in which both MDM and MAM are required. MDM is required to access your MAM resources.
- Some use cases require MDM while some do not.
- Some use cases require MAM while some do not.
The Endpoint Management edition for which you have a license determines the management modes and other features available, as shown in the following table.
|Endpoint Management MDM Edition||Endpoint Management Advanced Edition||Endpoint Management Enterprise Edition|
|MDM features||MDM features||MDM features|
|-||MAM features||MAM features|
|-||MDX Service or Toolkit||MDX Service or Toolkit|
|Secure Hub||Secure Hub||Secure Hub|
|-||Secure Mail||Secure Mail|
|-||Secure Web||Secure Web|
|-||Secure Tasks||Secure Tasks|
|-||-||Citrix Files Enterprise Edition|
Secure Notes and Secure Web reached End of Life (EOL) status on December 31, 2018. For details, see EOL and deprecated apps.
Device Management and MDM Enrollment
An Endpoint Management Enterprise environment can include a mixture of use cases, some of which require device management through MDM policies to allow access to MAM resources. Before deploying Citrix mobile productivity apps to users, fully assess your use cases and decide whether to require MDM enrollment. If you later decide to change the requirement for MDM enrollment, it is likely that users must re-enroll their devices.
Following is a summary of the advantages and disadvantages (along with mitigations) of requiring MDM enrollment in a Endpoint Management Enterprise mode deployment.
When MDM enrollment is optional
- Users can access MAM resources without putting their devices under MDM management. This option can increase user adoption.
- Ability to secure access to MAM resources to protect enterprise data.
- MDX policies such as App Passcode can control app access for each MDX app.
- Configuring Citrix Gateway, Endpoint Management, and per-application time-outs, along with Citrix PIN, provide an extra layer of protection.
- While MDM actions do not apply to the device, some MDX policies are available to deny MAM access. The denial would be based on system settings, such as jailbroken or rooted devices.
- Users can choose whether to enroll their device with MDM during first-time use.
- MAM resources are available to devices not enrolled in MDM.
- MDM policies and actions are available only to MDM-enrolled devices.
- Have users agree to a company terms and conditions that holds them responsible if they choose to go out of compliance. Have administrators monitor unmanaged devices.
- Manage application access and security by using application timers. Decreased time-out values increase security, but may affect user experience.
When MDM enrollment is required
- Ability to restrict access to MAM resources only to MDM-managed devices.
- MDM policies and actions can apply to all devices in the environment as desired.
- Users are not able to opt out of enrolling their device.
- Requires all users to enroll with MDM.
- Might decrease adoption for users who object to corporate management of their personal devices.
- Educate users about what Endpoint Management actually manages on their devices and what information administrators can access.