Citrix Endpoint Management

Certificates and authentication

Several components play a role in authentication during Citrix Endpoint Management operations:

  • Citrix Endpoint Management: The Citrix Endpoint Management server is where you define enrollment security and the enrollment experience. Options for onboarding users include:
    • Whether to make the enrollment open for all or by invitation only.
    • Whether to require two-factor authentication or three-factor authentication. Citrix Endpoint Management client properties allow you to enable Citrix PIN authentication and configure the PIN complexity and expiration.
  • NetScaler Gateway: NetScaler Gateway provides termination for micro VPN SSL sessions. NetScaler Gateway also provides network in-transit security, and lets you define the authentication experience used each time a user accesses an app.
  • Citrix Secure Hub: Citrix Secure Hub and Citrix Endpoint Management work together in enrollment operations. Citrix Secure Hub is the entity on a device that talks to NetScaler Gateway: When a session expires, Citrix Secure Hub gets an authentication ticket from NetScaler Gateway and passes the ticket to the MDX apps. Citrix recommends certificate pinning, which prevents man-in-the-middle attacks. For more information, see this section in the Citrix Secure Hub article: Certificate pinning.

    Citrix Secure Hub also facilitates the MDX security container: Citrix Secure Hub pushes policies, creates a session with NetScaler Gateway when an app times out, and defines the MDX timeout and authentication experience. Citrix Secure Hub is also responsible for jailbreak detection, geolocation checks, and any policies you apply.

  • MDX policies: MDX policies create the data vault on the device. MDX policies direct micro VPN connections back to NetScaler Gateway, enforce offline mode restrictions, and enforce client policies, such as time-outs.

Citrix Endpoint Management authenticates users to their resources using the following authentication methods:

  • Mobile Device Management (MDM)
    • Cloud-hosted identity providers (IdPs)
    • Lightweight Directory Access Protocol (LDAP)
      • Invitation URL + Pin
      • Two-factor authentication
  • Mobile application management (MAM)
    • LDAP
    • Certificate
    • Security token MAM authentication requires NetScaler Gateway.

For other configuration details, see the following articles:

Certificates

Citrix Endpoint Management generates a self-signed Secure Sockets Layer (SSL) certificate during installation to secure the communication flows to the server. Replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority.

Citrix Endpoint Management also uses its own Public Key Infrastructure (PKI) service or obtains certificates from the CA for client certificates. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or SAN certificates.

Client certificate authentication provides an extra layer of security for mobile apps and lets users seamlessly access HDX Apps. When client certificate authentication is configured, users type their Citrix PIN for single sign-on (SSO) access to Citrix Endpoint Management-enabled apps. Citrix PIN also simplifies the user authentication experience. Citrix PIN is used to secure a client certificate or save Active Directory credentials locally on the device.

To enroll and manage iOS devices with Citrix Endpoint Management, set up and create an Apple Push Notification Service (APNs) certificate from Apple. For steps, see APNs certificates.

The following table shows the certificate format and type for each Citrix Endpoint Management component:

Citrix Endpoint Management component Certificate format Required certificate type
NetScaler Gateway PEM (BASE64), PFX (PKCS #12) SSL, Root (NetScaler Gateway converts PFX to PEM automatically.
Citrix Endpoint Management .p12 (.pfx on Windows-based computers) SSL, SAML, APNs (Citrix Endpoint Management also generates a full PKI during the installation process.) Important: Citrix Endpoint Management doesn’t support certificates with a .pem extension. To use a .pem certificate, split the .pem file into a certificate and key and import each into Citrix Endpoint Management.
StoreFront PFX (PKCS #12) SSL, Root

Citrix Endpoint Management supports client certificates with bit lengths of 4096 and 2048.

For NetScaler Gateway and Citrix Endpoint Management, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway or the Citrix Endpoint Management configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or Citrix Endpoint Management.

Important:

Requirements for trusted certificates in iOS, iPadOS, and macOS

Apple has new requirements for TLS server certificates. Verify that all certificates follow the Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176.

Apple is reducing the maximum allowed lifetime of TLS server certificates. This change affects only server certificates issued after September 2020. See the Apple publication, https://support.apple.com/en-us/HT211025.

LDAP authentication

Citrix Endpoint Management supports domain-based authentication for one or more directories that are compliant with the Lightweight Directory Access Protocol (LDAP). LDAP is a software protocol that provides access to information about groups, user accounts, and related properties. For more information, see Domain or domain plus security token authentication.

Identity provider authentication

You can configure an identity provider (IdP) through Citrix Cloud to enroll and manage user devices.

Supported use cases for IdPs:

  • Azure Active Directory through Citrix Cloud
    • Workspace integration is optional
    • NetScaler Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • iOS and macOS for Apple Business Manager enrollments
    • Legacy Android (DA)

    Auto enrollment features such as the Apple School Manager are currently not supported.

  • Okta through Citrix Cloud
    • Workspace integration is optional
    • NetScaler Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • iOS and macOS for Apple Business Manager enrollments
    • Legacy Android (DA)

    Auto enrollment features such as the Apple School Manager are currently not supported.

  • On-premises NetScaler Gateway through Citrix Cloud
    • NetScaler Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA) Auto enrollment features such as the Apple Deployment Program are currently not supported.
Certificates and authentication