Citrix Endpoint Management

Sending group enrollment invitations in Citrix Endpoint Management

You can send enrollment invitations to groups and nested groups in Citrix Endpoint Management. Enrollment invitations aren’t available for Windows devices.

When setting up the group invitation, you can specify one or more device platforms. You can also tag devices so that you can, for example, differentiate corporate-owned devices from employee-owned devices. Then, you set the authentication type for user devices.


If you plan to use custom notification templates, you must set up the templates before you configure enrollment security modes. For more information about notification templates, see Create and update notification templates.

For more information on basic configurations on user accounts, roles, and enrollment security modes and invitations, see User accounts, roles, and enrollment.

General steps

  1. Within the Citrix Endpoint Management console, navigate to Manage > Enrollment Invitations.

  2. Click Add toward the upper left of the screen and then click Add Invitation.

  3. Click Group from the Recipient menu.

    This step lets you choose one or more platforms. If you have a mix of different operating system platforms within your company, choose all platforms. Only clear the platform selection if you are sure that no users are using the particular platform.

  4. You can choose to tag devices during the invite process. Choose Corporate or Employee.

    Tagging makes it easy to separate corporate-owned devices and employee-owned devices.

  5. In the Domain list, choose the domain in which the group exists.

  6. In the Group list, select the Active Directory group you want to send the invites to.

  7. In Enrollment mode, set the type of enrollment security that you prefer for users:

    • User name + Password
    • High Security
    • Invitation URL
    • Invitation URL + PIN
    • Invitation URL + Password
    • Two Factor
    • User name + PIN


    We deprecated the High Security enrollment security mode. To send enrollment invitations, you can use only Invitation URL, Invitation URL + PIN, or Invitation URL + Password enrollment security modes. For devices enrolling with User name + Password, Two Factor, or User name + PIN, users must download Citrix Secure Hub and manually enter their credentials.

  8. For the Agent Download, Enrollment URL, Enrollment PIN, and Enrollment Confirmation templates, choose a custom notification template that you created earlier, or choose the default that is listed.

    These notification templates are sent through the SMTP server that you configured in Citrix Endpoint Management. Set your SMTP information before proceeding.


    The Expire after and Maximum Attempts options change based on the Enrollment mode option that you choose. You cannot change these options.

  9. Select On for Send invitation and then click Save and Send to complete the process.

Nested group support

You can use nested groups to send invites. Typically, nested groups are used in large-scale environments where groups with similar permissions are bound to each other.

Navigate to Settings > LDAP and then enable the Support nested group option.

Troubleshooting and known limitations

Issue: Invites are being sent out to users even though they have been removed from an Active Directory group.

Solution: Depending on how large your Active Directory environment is, it can take up to six hours for changes to propagate to all servers. If a user or nested group was removed recently, Citrix Endpoint Management might still consider those users part of the group.

So, it’s best to wait up to six hours before sending out another group invite to your users.
