Citrix Endpoint Management

Certificates and authentication

Several components play a role in authentication during Endpoint Management operations:

  • Endpoint Management: The Endpoint Management server is where you define enrollment security and the enrollment experience. Options for onboarding users include:
    • Whether to make the enrollment open for all or by invitation only.
    • Whether to require two-factor authentication or three-factor authentication. Through client properties in Endpoint Management, you can enable Citrix PIN authentication and configure the complexity and expiration time of the PIN.
  • Citrix Gateway: Citrix Gateway provides termination for micro VPN SSL sessions. Citrix Gateway also provides network in-transit security, and lets you define the authentication experience used each time a user accesses an app.
  • Secure Hub: Secure Hub and Endpoint Management work together in enrollment operations. Secure Hub is the entity on a device that talks to Citrix Gateway: When a session expires, Secure Hub gets an authentication ticket from Citrix Gateway and passes the ticket to the MDX apps. Citrix recommends certificate pinning, which prevents man-in-the-middle attacks. For more information, see this section in the Secure Hub article: Certificate pinning.

    Secure Hub also facilitates the MDX security container: Secure Hub pushes policies, creates a session with Citrix Gateway when an app times out, and defines the MDX timeout and authentication experience. Secure Hub is also responsible for jailbreak detection, geolocation checks, and any policies you apply.

  • MDX policies: MDX policies create the data vault on the device. MDX policies direct micro VPN connections back to Citrix Gateway, enforce offline mode restrictions, and enforce client policies, such as time-outs.

For more information about configuring authentication, including an overview of single-factor and two-factor authentication methods, see the Deployment Handbook article, Authentication.

You use certificates in Endpoint Management to create secure connections and authenticate users. For other configuration details, see the following articles:

Certificates

Endpoint Management generates a self-signed Secure Sockets Layer (SSL) certificate during installation to secure the communication flows to the server. Replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority.

Endpoint Management also uses its own Public Key Infrastructure (PKI) service or obtains certificates from the CA for client certificates. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or SAN certificates.

Client certificate authentication provides an extra layer of security for mobile apps and lets users seamlessly access HDX Apps. When client certificate authentication is configured, users type their Citrix PIN for single sign-on (SSO) access to Endpoint Management-enabled apps. Citrix PIN also simplifies the user authentication experience. Citrix PIN is used to secure a client certificate or save Active Directory credentials locally on the device.

To enroll and manage iOS devices with Endpoint Management, set up and create an Apple Push Notification Service (APNs) certificate from Apple. For steps, see APNs certificates.

The following table shows the certificate format and required certificate type for each Endpoint Management component:

  • Citrix Gateway
    • Certificate format: PEM (BASE64), PFX (PKCS #12)
    • Required certificate type: SSL, Root (Citrix Gateway converts PFX to PEM automatically.)
  • Endpoint Management
    • Certificate format: .p12 (.pfx on Windows-based computers)
    • Required certificate type: SSL, SAML, APNs (Endpoint Management also generates a full PKI during the installation process.)
    • Important: Endpoint Management doesn’t support certificates with a .pem extension. To use a .pem certificate, split the .pem file into a certificate and key and import each into Endpoint Management.
  • StoreFront
    • Certificate format: PFX (PKCS #12)
    • Required certificate type: SSL, Root

Endpoint Management supports client certificates with bit lengths of 4096, 2048, and 1024. 1024-bit certificates are easily compromised.
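Because Endpoint Management does not import a .pem file directly, the certificate and private key have to be supplied as separate files. The following helper, an added example that is not Citrix's code, carves the PEM blocks out of a combined bundle by their BEGIN/END labels and writes a certificate file (leaf first, then any chain certificates) and a key file. The sample bundle, its placeholder base64 bodies, and the output names cert.pem and key.pem are constructed for illustration.

```python
"""Carve a combined .pem bundle into separate certificate and key files.

Added example, not Citrix's code: Endpoint Management does not import a
.pem file directly, so the certificate and private key must be supplied as
separate files. The bundle below is constructed for illustration; its
base64 bodies are placeholders, not real certificates or key material.
"""
import re
from pathlib import Path

# One PEM block: "-----BEGIN <LABEL>-----", body lines, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# PEM labels that carry a private key (PKCS#8, traditional RSA/EC, encrypted PKCS#8).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample bundle: leaf certificate, issuing CA certificate, private key.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
TUlJQ...placeholder-leaf-certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TUlJQ...placeholder-issuing-ca-certificate...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
TUlJRX...placeholder-key-material...
-----END RSA PRIVATE KEY-----
"""


def split_pem_bundle(bundle: str) -> dict:
    """Sort the PEM blocks of a bundle into certificates, private keys, and anything else."""
    parts = {"certificates": [], "keys": [], "other": []}
    for match in PEM_BLOCK.finditer(bundle):
        label = match.group(1)
        block = match.group(0).replace("\r\n", "\n") + "\n"
        if label == "CERTIFICATE":
            parts["certificates"].append(block)
        elif label in KEY_LABELS:
            parts["keys"].append(block)
        else:
            parts["other"].append(label)
    return parts


def bundle_problems(parts: dict) -> list:
    """Explain why a bundle cannot be split into one certificate file and one key file."""
    problems = []
    if not parts["certificates"]:
        problems.append("no CERTIFICATE block found")
    if len(parts["keys"]) != 1:
        problems.append(f"expected exactly one private key, found {len(parts['keys'])}")
    for label in parts["other"]:
        problems.append(f"unexpected PEM block: {label}")
    return problems


def write_split_files(bundle: str, out_dir: Path) -> dict:
    """Write cert.pem (leaf first, then chain) and key.pem; return the paths written."""
    parts = split_pem_bundle(bundle)
    problems = bundle_problems(parts)
    if problems:
        raise ValueError("; ".join(problems))
    out_dir.mkdir(parents=True, exist_ok=True)
    cert_path, key_path = out_dir / "cert.pem", out_dir / "key.pem"
    cert_path.write_text("".join(parts["certificates"]))
    key_path.write_text(parts["keys"][0])
    key_path.chmod(0o600)  # the private key file stays readable by its owner only
    return {"cert": cert_path, "key": key_path, "chain_length": len(parts["certificates"])}


if __name__ == "__main__":
    import tempfile

    written = write_split_files(SAMPLE_BUNDLE, Path(tempfile.mkdtemp()))
    print(f"wrote {written['cert']} ({written['chain_length']} certificate(s)) and {written['key']}")
```

The helper refuses bundles with no certificate, with zero or several keys, or with unrelated blocks (a certificate request, for example), so a mis-assembled export is caught before anything is imported. A bundle whose key block is labelled ENCRYPTED PRIVATE KEY is split as-is; the passphrase is still needed at import time.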

For Citrix Gateway and Endpoint Management, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the Citrix Gateway or the Endpoint Management configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on Citrix Gateway or Endpoint Management.

Important: Requirements for trusted certificates in iOS, iPadOS, and macOS

Apple has new requirements for TLS server certificates. Verify that all certificates follow the Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176.

Apple is reducing the maximum allowed lifetime of TLS server certificates. This change affects only server certificates issued after September 2020. See the Apple publication, https://support.apple.com/en-us/HT211025.
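To check a server certificate against those two Apple publications before installing it on Citrix Gateway or Endpoint Management, the following Python function, an added example that is not Citrix's code, encodes the rules they state: RSA keys of at least 2048 bits (which also rules out the 1024-bit keys the text above calls easily compromised), a SHA-2 signature hash, DNS names in the subjectAltName extension, and, for certificates issued on or after 1 July 2019, an extendedKeyUsage of serverAuth and a validity period of at most 825 days, tightened to 398 days for certificates issued on or after 1 September 2020. The certificate dictionary follows the layout returned by Python's ssl.SSLSocket.getpeercert(); key size, signature hash, and extendedKeyUsage are passed as separate parameters because getpeercert() does not expose them. The sample certificates are constructed for illustration.

```python
"""Check a TLS server certificate's parsed fields against Apple's trust requirements.

Added example, not Citrix's code. The rules come from Apple's HT210176 and
HT211025 notes. The certificate dictionary uses the layout of
ssl.SSLSocket.getpeercert(); key size, signature hash, and extendedKeyUsage
are passed separately because getpeercert() does not expose them. The sample
certificates are constructed for illustration.
"""
import ssl
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400
# Issuance-date cut-offs from the Apple notes, as UTC timestamps.
EKU_AND_825_DAYS_FROM = datetime(2019, 7, 1, tzinfo=timezone.utc).timestamp()  # HT210176
MAX_398_DAYS_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp()      # HT211025
SHA2_HASHES = {"sha256", "sha384", "sha512"}


def check_apple_tls_requirements(cert, key_bits, sig_hash, eku=(), key_type="RSA"):
    """Return a list of findings; an empty list means the certificate meets the requirements."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime_days = (not_after - not_before) / SECONDS_PER_DAY

    # Rules that apply regardless of when the certificate was issued.
    if key_type.upper() == "RSA" and key_bits < 2048:
        findings.append(f"RSA key is {key_bits} bits; at least 2048 bits required")
    if sig_hash.lower() not in SHA2_HASHES:
        findings.append(f"signature hash {sig_hash} is not SHA-2; SHA-1 signatures are not trusted")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        findings.append("no DNS name in subjectAltName; a name only in the CommonName is not trusted")

    # Rules that depend on the issuance (notBefore) date.
    if not_before >= MAX_398_DAYS_FROM:
        max_days = 398
    elif not_before >= EKU_AND_825_DAYS_FROM:
        max_days = 825
    else:
        max_days = None  # issued before 1 July 2019: no EKU or lifetime rule
    if max_days is not None:
        if "serverAuth" not in eku:
            findings.append("extendedKeyUsage does not include serverAuth")
        if lifetime_days > max_days:
            findings.append(
                f"validity period is {lifetime_days:.0f} days; at most {max_days} allowed "
                f"for a certificate issued on {cert['notBefore']}"
            )
    return findings


# Constructed samples in getpeercert() layout (names and dates are illustrative).
GOOD_CERT = {
    "subject": ((("commonName", "mdm.example.com"),),),
    "subjectAltName": (("DNS", "mdm.example.com"), ("DNS", "gateway.example.com")),
    "notBefore": "Oct  1 00:00:00 2020 GMT",
    "notAfter": "Oct  1 00:00:00 2021 GMT",   # 365 days
}
LONG_LIVED_CERT = dict(GOOD_CERT, notAfter="Sep 30 00:00:00 2022 GMT")  # 729 days
LEGACY_CERT = {
    "subject": ((("commonName", "mdm.example.com"),),),  # no subjectAltName at all
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    samples = [
        ("good", GOOD_CERT, 2048, "sha256", ("serverAuth",)),
        ("long-lived", LONG_LIVED_CERT, 2048, "sha256", ("serverAuth",)),
        ("legacy", LEGACY_CERT, 1024, "sha1", ()),
    ]
    for name, cert, bits, digest, usage in samples:
        print(name, check_apple_tls_requirements(cert, bits, digest, usage) or "OK")
```

The lifetime limit is keyed to the notBefore date because both Apple notes apply their rule by issuance date, so an older long-lived certificate that predates the cut-offs is reported only for the rules that apply to all certificates (key size, hash, and SAN).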

Identity provider authentication

You can configure an identity provider (IdP) through Citrix Cloud to enroll and manage user devices.

Supported use cases for IdPs:

  • Azure Active Directory through Citrix Cloud
    • Workspace integration is optional
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)
    • Auto enrollment features such as the Apple Deployment Program are currently not supported
  • Okta through Citrix Cloud
    • Workspace integration is optional
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)
    • Auto enrollment features such as the Apple Deployment Program are currently not supported
  • On-premises Citrix Gateway through Citrix Cloud (Preview)
    • Citrix Gateway configured for certificate-based authentication
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)
    • Auto enrollment features such as the Apple Deployment Program are currently not supported