Citrix Endpoint Management

Certificates and authentication

Several components play a role in authentication during Endpoint Management operations:

  • Endpoint Management: The Endpoint Management server is where you define enrollment security and the enrollment experience. Options for onboarding users include:
    • Whether to make the enrollment open for all or by invitation only.
    • Whether to require two-factor authentication or three-factor authentication. Endpoint Management client properties allow you to enable Citrix PIN authentication and configure the PIN complexity and expiration.
  • Citrix Gateway: Citrix Gateway provides termination for micro VPN SSL sessions. Citrix Gateway also provides network in-transit security, and lets you define the authentication experience used each time a user accesses an app.
  • Secure Hub: Secure Hub and Endpoint Management work together in enrollment operations. Secure Hub is the entity on a device that talks to Citrix Gateway: When a session expires, Secure Hub gets an authentication ticket from Citrix Gateway and passes the ticket to the MDX apps. Citrix recommends certificate pinning, which defends against man-in-the-middle attacks by having Secure Hub reject a Citrix Gateway certificate that doesn’t match the pinned value, even if a CA the device trusts issued it. For more information, see this section in the Secure Hub article: Certificate pinning.

    Secure Hub also facilitates the MDX security container: Secure Hub pushes policies, creates a session with Citrix Gateway when an app times out, and defines the MDX timeout and authentication experience. Secure Hub is also responsible for jailbreak detection, geolocation checks, and any policies you apply.

  • MDX policies: MDX policies create the data vault on the device. MDX policies direct micro VPN connections back to Citrix Gateway, enforce offline mode restrictions, and enforce client policies, such as time-outs.
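The following added example is not Secure Hub code and not Citrix’s pinning configuration format; it shows what a certificate pin is by computing the SubjectPublicKeyInfo (SPKI) pin of a Citrix Gateway certificate with openssl and checking a presented certificate against a set of pinned values. The pin format (base64 of SHA-256 over the DER-encoded SPKI) is the generic one used by HTTP public key pinning, and file names such as gateway.crt are assumptions.

```shell
#!/bin/sh
# Added example, not part of Secure Hub or the Citrix documentation: compute an
# SPKI pin for a Citrix Gateway certificate and check a presented certificate
# against it. Pinning the public key rather than the whole certificate lets the
# pin survive a renewal that reuses the same key pair. File names are assumptions.
set -eu

# spki_pin <cert.pem>: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP-style pin
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# cert_fingerprint <cert.pem>: SHA-256 over the whole DER certificate, for comparison.
# This value changes on every renewal, which is why it is a poor choice for a pin.
cert_fingerprint() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64 -A
}

# pin_matches <cert.pem> <pin> [<backup-pin> ...]: returns 0 if the certificate's
# SPKI pin is one of the pinned values, 1 otherwise (a backup pin covers key rollover)
pin_matches() {
  cert="$1"; shift
  actual=$(spki_pin "$cert")
  for expected in "$@"; do
    [ "$actual" = "$expected" ] && return 0
  done
  echo "pin mismatch for $cert: got $actual" >&2
  return 1
}

if [ $# -ge 1 ]; then spki_pin "$1"; fi   # usage: sh spki-pin.sh gateway.crt
```

Record the pin from the certificate you actually deploy on Citrix Gateway, keep a backup pin for the next key pair, and treat a mismatch as a hard failure rather than a warning; a pin that is only logged does not stop an interception.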

Citrix Endpoint Management authenticates users to their resources using the following authentication methods:

  • Mobile device management (MDM)
    • Cloud-hosted identity providers (IdPs)
    • Lightweight Directory Access Protocol (LDAP)
      • Invitation URL + PIN
      • Two-factor authentication
  • Mobile application management (MAM)
    • LDAP
    • Certificate
    • Security token

MAM authentication requires Citrix Gateway.

For other configuration details, see the following articles:

Certificates

Endpoint Management generates a self-signed Secure Sockets Layer (SSL) certificate during installation to secure the communication flows to the server. Replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority.

For client certificates, Endpoint Management either uses its own Public Key Infrastructure (PKI) service or obtains them from your CA. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or SAN certificates.

Client certificate authentication provides an extra layer of security for mobile apps and lets users seamlessly access HDX Apps. When client certificate authentication is configured, users type their Citrix PIN for single sign-on (SSO) access to Endpoint Management-enabled apps. The Citrix PIN simplifies the user authentication experience: it protects the client certificate, or the Active Directory credentials, that are stored locally on the device.

To enroll and manage iOS devices with Endpoint Management, set up and create an Apple Push Notification Service (APNs) certificate from Apple. For steps, see APNs certificates.

The following list shows the certificate format and the required certificate type for each Endpoint Management component:

  • Citrix Gateway
    • Certificate format: PEM (BASE64), PFX (PKCS #12)
    • Required certificate type: SSL, Root (Citrix Gateway converts PFX to PEM automatically.)
  • Endpoint Management
    • Certificate format: .p12 (.pfx on Windows-based computers)
    • Required certificate type: SSL, SAML, APNs (Endpoint Management also generates a full PKI during the installation process.)
    • Important: Endpoint Management doesn’t support certificates with a .pem extension. To use a .pem certificate, split the .pem file into a certificate and a key and import each into Endpoint Management.
  • StoreFront
    • Certificate format: PFX (PKCS #12)
    • Required certificate type: SSL, Root

Endpoint Management supports client certificates with key lengths of 2048 and 4096 bits.
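As an added example, not Citrix’s own tooling, the following shell script performs the split the note above requires: it separates a combined .pem bundle into key, leaf certificate and chain, checks that the key matches the certificate before you import anything, packages the result as PKCS #12 for Endpoint Management, and also performs the reverse PFX-to-PEM conversion that Citrix Gateway does automatically. File names, the output directory layout and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not Citrix's own tooling: split a combined PEM bundle into the
# separate certificate and key files Endpoint Management expects, package them as
# PKCS#12, and verify the key matches the certificate before import.
# File names and the passphrase are assumptions.
set -eu

# split_pem_bundle <bundle.pem> <outdir>
# Writes outdir/server.key (first PRIVATE KEY block), outdir/server.crt (first
# CERTIFICATE block) and outdir/chain.pem (remaining certificates).
# Prints the number of certificate blocks found in the bundle.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk '/-----BEGIN .*PRIVATE KEY-----/{k=1} k{print} /-----END .*PRIVATE KEY-----/{k=0; exit}' \
    "$bundle" > "$outdir/server.key"
  awk '/-----BEGIN CERTIFICATE-----/{n++; c=1} n==1 && c{print} /-----END CERTIFICATE-----/{c=0}' \
    "$bundle" > "$outdir/server.crt"
  awk '/-----BEGIN CERTIFICATE-----/{n++; c=1} n>=2 && c{print} /-----END CERTIFICATE-----/{c=0}' \
    "$bundle" > "$outdir/chain.pem"
  chmod 600 "$outdir/server.key"          # the key must not be world-readable
  grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle"
}

# key_matches_cert <key.pem> <cert.pem>: returns 0 if both carry the same public key
key_matches_cert() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  b=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# build_pkcs12 <key.pem> <cert.pem> <chain.pem> <out.p12> <passphrase>
# Refuses to package a key that does not belong to the certificate.
build_pkcs12() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  if [ -s "$3" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$4" -passout "pass:$5"
  fi
}

# pkcs12_to_pem <in.p12> <passphrase> <out.pem>: the PFX-to-PEM direction
# (what Citrix Gateway does on import); -nodes leaves the key unencrypted
pkcs12_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3"
  chmod 600 "$3"
}

if [ $# -eq 2 ]; then   # usage: P12_PASS=... sh split-and-package.sh bundle.pem outdir
  n=$(split_pem_bundle "$1" "$2")
  echo "found $n certificate(s) in $1"
  build_pkcs12 "$2/server.key" "$2/server.crt" "$2/chain.pem" "$2/server.p12" "${P12_PASS:-changeit}"
fi
```

Pass the passphrase through the environment or a prompt rather than on the command line in production, since command lines are visible in the process list. With OpenSSL 3, openssl pkcs12 -export encrypts with AES-256 and PBKDF2 by default; if an older importer rejects the file, the -legacy option (with the legacy provider available) writes the older encoding instead.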

For Citrix Gateway and Endpoint Management, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the Citrix Gateway or the Endpoint Management configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on Citrix Gateway or Endpoint Management.

Important:

Requirements for trusted certificates in iOS, iPadOS, and macOS

Apple enforces requirements for TLS server certificates that devices running iOS 13, iPadOS 13, macOS 10.15, or later will trust: RSA keys of at least 2048 bits, a signature from the SHA-2 family, the server’s DNS names in the Subject Alternative Name extension (a name in the Common Name alone is no longer trusted), an Extended Key Usage that includes server authentication, and, for certificates issued after July 1, 2019, a validity period of no more than 825 days. Verify that all certificates follow these requirements before you deploy them to Citrix Gateway or Endpoint Management. See the Apple publication, https://support.apple.com/en-us/HT210176.

Apple also reduced the maximum allowed lifetime of TLS server certificates to 398 days. This change affects only server certificates issued on or after September 1, 2020; a longer-lived certificate issued on or after that date is rejected by Apple devices even if it meets the other requirements. See the Apple publication, https://support.apple.com/en-us/HT211025.
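The following added example, which is not part of the Citrix or Apple documentation, generates a CSR with a DNS SAN for submission to a public CA, and checks a returned certificate against the Apple requirements above before you install it on Citrix Gateway or Endpoint Management. The limits and cut-off dates are the ones from the Apple pages cited above; the host name mdm.example.com and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Citrix's own tooling: create a SAN-bearing CSR and check a
# server certificate against the Apple TLS requirements (HT210176, HT211025):
# RSA key >= 2048 bits, SHA-2 signature, DNS name in the SAN, serverAuth EKU,
# lifetime <= 825 days (issued on/after 2019-07-01) or <= 398 days (on/after
# 2020-09-01). Host names and file names are assumptions.
set -eu

# make_csr <hostname> <outprefix>: 2048-bit RSA key, SHA-256 CSR, SAN = DNS:<hostname>
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" 2>/dev/null
  chmod 600 "$2.key"
}

# to_epoch "<Mon DD HH:MM:SS YYYY GMT>": openssl's date format -> seconds since epoch
# (GNU date first, BSD date as the fallback)
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -j -u -f "%b %d %T %Y %Z" "$1" +%s
}

# check_apple_tls <cert.pem>: prints one line per rule; returns 0 only if all pass
check_apple_tls() {
  cert="$1"; fail=0
  txt=$(openssl x509 -in "$cert" -noout -text)

  # 1. RSA keys must be at least 2048 bits (EC keys are accepted as-is)
  if printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok   RSA key ${bits} bits"
    else echo "FAIL RSA key ${bits:-?} bits < 2048"; fail=1; fi
  fi

  # 2. The signature must use SHA-2; SHA-1 signed certificates are rejected
  if printf '%s\n' "$txt" | grep -Eq 'Signature Algorithm: (sha(256|384|512)With|ecdsa-with-SHA(256|384|512))'; then
    echo "ok   SHA-2 signature"; else echo "FAIL signature is not SHA-2"; fail=1; fi

  # 3. Host names must be in subjectAltName; a Common Name alone is not trusted
  if printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'; then
    echo "ok   DNS name in SAN"; else echo "FAIL no DNS name in subjectAltName"; fail=1; fi

  # 4. Extended Key Usage must include server authentication
  if printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo "ok   serverAuth EKU"; else echo "FAIL extendedKeyUsage lacks serverAuth"; fail=1; fi

  # 5. Lifetime limits depend on the issue date (notBefore)
  nb=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  start=$(to_epoch "$nb"); end=$(to_epoch "$na")
  days=$(( (end - start) / 86400 ))
  if [ "$start" -ge 1598918400 ]; then limit=398      # 2020-09-01T00:00:00Z
  elif [ "$start" -ge 1561939200 ]; then limit=825    # 2019-07-01T00:00:00Z
  else limit=0; fi                                    # older: no lifetime rule
  if [ "$limit" -gt 0 ] && [ "$days" -gt "$limit" ]; then
    echo "FAIL validity $days days exceeds $limit"; fail=1
  else echo "ok   validity $days days"; fi

  return "$fail"
}

if [ $# -eq 1 ]; then check_apple_tls "$1"; fi   # usage: sh apple-tls-check.sh server.crt
```

Run the check on the certificate the CA returns, not only on the CSR: the CA decides the validity period and the signature algorithm, and a 2-year certificate issued today fails on the 398-day rule even though the CSR was fine.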

LDAP authentication

Endpoint Management supports domain-based authentication for one or more directories that are compliant with the Lightweight Directory Access Protocol (LDAP). LDAP is a software protocol that provides access to information about groups, user accounts, and related properties. For more information, see Domain or domain plus security token authentication.

Identity provider authentication

You can configure an identity provider (IdP) through Citrix Cloud to enroll and manage user devices.

Supported use cases for IdPs:

  • Azure Active Directory through Citrix Cloud
    • Workspace integration is optional
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)
    • Auto enrollment features such as the Apple Deployment Program are currently not supported
  • Okta through Citrix Cloud
    • Workspace integration is optional
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)
    • Auto enrollment features such as the Apple Deployment Program are currently not supported
  • On-premises Citrix Gateway through Citrix Cloud
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)
    • Auto enrollment features such as the Apple Deployment Program are currently not supported

Identity provider authentication without a Cloud Connector (Preview)

This feature is available as a public preview. To enable this feature, contact your Citrix representative.

Endpoint Management supports configuring identity providers (IdPs), such as Azure AD and Okta, as authentication methods. This feature, now in preview, lets you configure IdPs without using a Cloud Connector. You can also manage user resource access through those IdPs. By using an IdP to manage access, you can better integrate with cloud services such as Office 365 and reduce the need for on-premises resources.

Endpoint Management still requires a Cloud Connector for the following:

  • LDAP
  • PKI Server
  • Internal DNS queries
  • Citrix Virtual Apps

To establish communication between Endpoint Management and a cloud-hosted identity provider without a Cloud Connector, you must configure Citrix identity as the IdP type for Endpoint Management. However, the services that require a Cloud Connector, as mentioned previously, aren’t available.

If you have previously configured LDAP, using this feature results in a hybrid environment where LDAP acts as a fallback for group membership and user and group searches. Without LDAP set up, you rely on the IdP fully.

After you finish this configuration, you can’t add LDAP settings in Endpoint Management. If you have LDAP set up and you add an IdP, Endpoint Management synchronizes IdP-specific information from your Active Directory groups to the Endpoint Management database. When you deploy policies, apps, and media to users, only the IdP groups receive the resources.

Prerequisites

There are two sets of prerequisites to consider, depending on your current Endpoint Management configuration:

With LDAP

  • User groups in Active Directory must match the user groups in Azure Active Directory or Okta.
  • User names and email addresses in Active Directory must match the information in Azure Active Directory or Okta.
  • Citrix Cloud account, with Citrix Cloud Connector installed for directory services synchronization.
  • Citrix Gateway. Citrix recommends that you enable certificate-based authentication for a full single sign-on experience. If you use LDAP authentication on the Citrix Gateway for MAM registration, end users experience a dual authentication prompt during enrollment. For more information, see Client certificate or certificate plus domain authentication.
  • Synchronize Active Directory SIDs into respective IdPs. Azure AD and Active Directory SIDs or Okta and Active Directory SIDs must match for delivery groups to function properly.
  • On Azure AD or Okta, create a group named Administrators for Citrix identity to connect to your IdP.
  • If you have multiple LDAPs synced to an IdP, set the global context server property ldap.set.gc.rootcontext to True. This property ensures that the Cloud Connector searches for all parent and child domains.
  • If your LDAP and IdP domains don’t match, add the appropriate IdP domain alias to the LDAP configuration.

Without LDAP

  • On Azure AD or Okta, create a group named Administrators for Citrix identity to connect to your IdP.

Configuration

To configure Azure AD or Okta as an identity provider through Citrix Cloud and set it up for Endpoint Management, follow one or both of these articles:

Active Directory synchronization

If you have Active Directory groups set up, Endpoint Management synchronizes IdP-specific information from those groups to the Endpoint Management database after you configure an IdP. To view the status of the synchronization process, go to Settings > Identity Provider. One of the following statuses appears under Directory sync.

  • Empty: Endpoint Management isn’t configured to manage this identity provider. Check the configuration for your IdP.
  • Done: The synchronization process successfully completed. Endpoint Management can now manage resources from this identity provider.
  • In progress: The synchronization process is in progress. If your database contains many user groups, Endpoint Management may take more time to synchronize IdP information for your Active Directory groups.
  • Error: An error occurred during synchronization. This issue might happen if your IdP is disconnected or a Cloud Connector isn’t working properly at the moment. Use debug logs to troubleshoot the issue or try to add the IdP settings again.

After synchronization completes, you can add IdP groups as assignments to your delivery group in Configure > Delivery groups > Assignments. When you select a domain for a delivery group assignment, pick the IdP you configured before searching. For information, see To add a delivery group.

You can also apply RBAC permissions to IdP groups. For information, see To use the RBAC feature.

Expectations for existing configurations

After enabling and configuring this feature, you can expect the following for your existing setup:

  • Existing delivery groups and RBAC assignments and permissions are unaffected. Users have the same access and receive the same resources they did before configuring this feature.
  • Object identifiers for any Active Directory groups synced with Endpoint Management are automatically populated from the IdPs.
  • Existing enrolled devices are unaffected as long as the user information is synced to the IdP. When the user information isn’t synced to the IdP:
    • If you have LDAP set up, enrolled devices for users not synced to the IdP can still authenticate through LDAP.
    • If you don’t have LDAP set up, enrolled devices for users not synced with the IdP fail to refresh or reconnect.
  • For users that are found on the IdP, Endpoint Management determines their group membership based on IdP information.

Delete an LDAP-compliant directory

You can delete LDAP profiles that you no longer need, for instance, a profile whose users and groups Endpoint Management no longer uses.

  1. In the list of LDAP profiles, select the directory you want to delete.

    You can delete more than one directory by selecting the check box next to each profile.

  2. Click Delete. In the confirmation dialog box, choose one of the following options:

    • Click Delete to delete all user and group information from the selected LDAP directory. If you configure Azure AD or Okta as an identity provider through Citrix Cloud, this operation lets you delete the default LDAP domain.

    • Click Keep synced to delete all user and group information that isn’t synchronized with an identity provider. Endpoint Management only keeps users and groups synced to an identity provider. Any user devices, delivery groups, and RBAC permissions linked to this LDAP become linked to the identity provider. If your database contains many user groups, Endpoint Management may take more time to map Active Directory objects to the IdP. This operation happens in the background.

Delete an identity provider

To stop using an identity provider or change the type of your identity provider, you must delete the IdP.

  1. In the Endpoint Management console, go to Settings > Identity Provider.
  2. In the IdP table, select the identity provider.
  3. Click Delete. In a confirmation dialog box, click Delete again.

Endpoint Management removes any user or group information from the database connected to your identity provider. Endpoint Management removes any delivery groups or RBAC assignments for this IdP as well. Any user devices enrolled from this IdP need to re-enroll. After deleting an IdP, you can configure a different type of an identity provider or set up LDAP again.

Limitations

  • This feature doesn’t support devices enrolling through Citrix Workspace app.
  • If you configure an identity provider, you can’t add LDAP settings in Endpoint Management.
  • To change the authentication domain, you must delete your identity provider.
  • The Self-Help Portal doesn’t support authentication with identity providers.
  • If you sync your parent and child domains to the IdP and those domains contain identical group names, those groups can’t be added to Endpoint Management. Make sure that your group names are unique across domains.