Device management

Device management includes device enrollment, security actions, and device monitoring.

Enroll devices

To manage user devices remotely and securely, you enroll user devices in Endpoint Management. The Endpoint Management client software is installed on the user device and the user identity is authenticated. Then, Endpoint Management and the user profile are installed. Next, in the Endpoint Management console, you can perform device management tasks. You can apply policies, deploy apps, push data to the device, and lock, wipe, and locate lost or stolen devices.

Azure Active Directory enrollment is supported for iOS, Android, and Windows 10 devices. For information about configuring Azure as your identity provider (IDP), see Single sign in with Azure Active Directory.

Note:

Before you can enroll iOS device users, you must request an APNs certificate. For details, see Certificates and authentication.

To update configuration options for users and devices, go to the Manage > Enrollment Invitations page. For details, see Send an enrollment invitation in this article.

For other enrollment information, see:

Android devices

Note:

For information about enrolling Android Enterprise devices, see Android Enterprise.

  1. Go to the Google Play store on your Android device, download the Citrix Secure Hub app, and then tap the app.
  2. When prompted to install the app, click Next and then click Install.
  3. After Secure Hub installs, tap Open.
  4. Enter your corporate credentials, such as your Endpoint Management server name, User Principal Name (UPN), or email address. Then, click Next.
  5. In the Activate device administrator screen, tap Activate.
  6. Enter your corporate password and then tap Sign On.
  7. Depending on the way Endpoint Management is configured, you may be asked to create a Citrix PIN. You can use the PIN to sign on to Secure Hub and other Endpoint Management-enabled apps, such as Secure Mail and Citrix Files. You enter your Citrix PIN twice. On the Create Citrix PIN screen, enter a PIN.
  8. Reenter the PIN. Secure Hub opens. You can then access the app store to view the apps you can install on your Android device.
  9. If you configured Endpoint Management to push apps to devices automatically after enrollment, users are prompted to install the apps. In addition, policies that you configure in Endpoint Management are deployed to the device. Tap Install to install the apps.

To unenroll and reenroll an Android device

Users can unenroll from within Secure Hub. When users unenroll by using the following procedure, the device still appears in the device inventory in the Endpoint Management console. You cannot perform actions on the device, however. You cannot track the device, and you cannot monitor the device compliance.

  1. Tap to open the Secure Hub app.

  2. Depending on whether you have a phone or a tablet, do the following:

    On a phone:

    • Swipe from the left of the screen to open a settings pane.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

    On a tablet:

    • Tap the arrow next to your email address on the upper-right corner.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

  3. Tap Re-Enroll. A message appears to confirm you want to reenroll your device.

  4. Tap OK.

    Your device is unenrolled.

  5. Follow the on-screen instructions to reenroll your device.

macOS devices

Endpoint Management provides two methods to enroll devices that are running macOS. Both methods enable macOS users to enroll over the air, directly from their devices.

  • Send users an enrollment invitation: This enrollment method enables you to set any of the following enrollment modes for macOS devices:

    • User name + password

    • User name + PIN

    • Two Factor

    When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

  • Send users an installation link: This enrollment method for macOS devices sends users an enrollment link, which they can open in Safari or Chrome browsers. A user then enrolls by providing their user name and password.

    To prevent the use of an enrollment link for macOS devices, set the server property, Enable macOS OTAE to false. As a result, macOS users can enroll only by using an enrollment invitation.

Send users an enrollment invitation

  1. Optionally set up macOS device policies in the Endpoint Management console. For more information about device policies, see Device Policies.

  2. Add an invitation for macOS user enrollment. For more information, see Send an enrollment invitation in this article.

  3. After users receive the invitation and click the link, the following screen appears in the Safari browser. Endpoint Management fills in the user name. If you chose Two Factor for the enrollment mode, another field appears.

    Image of Safari browser root certificate message

  4. Users install certificates as necessary. Whether users see the prompt to install certificates depends on whether you configured the following for macOS: A publicly trusted SSL certificate and a publicly trusted digital signing certificate. For more information about certificates, see Certificates and authentication.

  5. Users provide the requested credentials.

    The Mac device policies install. You can now start managing Macs with Endpoint Management just as you manage mobile devices.

Send users an installation link

  1. Optionally set up macOS device policies in the Endpoint Management console. For more information about device policies, see Device Policies.

  2. Send the enrollment link https://serverFQDN:8443/instanceName/macos/otae, which users can open in Safari or Chrome browsers.

    • serverFQDN is the fully qualified domain name (FQDN) of the server running Endpoint Management.
    • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
    • The instanceName, often shown as zdm, is the name specified during server installation.

    For more information about sending installation links, see To send an installation link.

  3. Users install certificates as necessary. If you configured a publicly trusted SSL certificate and digital signing certificate for iOS and macOS, users see the prompt to install certificates. For more information about certificates, see Certificates and authentication.

  4. Users sign on to their Macs.

    The Mac device policies install. You can now start managing Macs with Endpoint Management just as you manage mobile devices.

Windows devices

Note:

This section includes references to Windows Phone 8.1 devices, which Microsoft moved to End of Support on July 11, 2017. Endpoint Management currently supports Windows Phone 8.1 devices for MDM enrollment only.

Devices running Windows 10 enroll with Azure as a federated means of Active Directory authentication. You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:

  • Enroll in MDM as part of Azure AD Join out-of-the-box the first time the device is powered on.
  • Enroll in MDM as part of Azure AD Join from the Windows Settings page after the device is configured.

You can enroll devices in Endpoint Management that are running the following Windows operating systems:

  • Windows 10 phone and tablet
  • Windows Phone 8.1

Users can enroll directly through their devices.

Note:

For Windows 10 RS2 Phone and Tablet, during re-enrollment, a user isn’t prompted for the Server URL. To work around this issue, restart the device. Or, on the email address screen, tap the X across from Connecting to a service to go to the Server URL page. This is a third-party issue.

To enable the management of supported Windows devices, you must configure the Citrix AutoDiscovery Service for user enrollment.

Before Windows device users can enroll by using Azure, you must configure the Microsoft Azure server settings in Endpoint Management. For details, see Single sign in with Azure Active Directory.

Note:

In order for Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails if you’ve uploaded a self-signed SSL certificate.

To enroll Windows devices by using the AutoDiscovery Service

  1. On the device, check for and install all available Windows Updates.

  2. For Windows 10: In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school. For Windows 8.1 phones: Tap PC Settings > Network > Workplace.

  3. Enter your corporate email address and then tap Continue on Windows 10 or tap Turn on device management on Windows 8.1. To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). This lets you bypass a known Microsoft limitation in the built-in Device Management on Windows; in the Connecting to a service dialog box, enter the user name and password associated with the local user. The device automatically discovers an Endpoint Management server and starts the enrollment process.

  4. Enter your password. Use the password associated with an account that is part of a user group in Endpoint Management.

  5. For Windows 10: In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept. For Windows 8.1: In the Allow apps and services from IT admin dialog box, indicate that you agree to have your device managed and then tap Turn on.

To enroll Windows devices without self-discovery (for test environments only)

Enrolling Windows devices without using the AutoDiscovery Service isn’t considered best practice for production deployments. Citrix recommends that you use this process only in test environments and proof of concept deployments.

Enrollment without the AutoDiscovery Service results in a call to port 80 before connecting to the desired URL.

  1. On the device, check for and install all available Windows Updates.

  2. In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school. For Windows 8.1: Tap PC Settings > Network > Workplace.

  3. Enter your corporate email address.

  4. If autodiscovery is not configured, an option appears where you can enter the server details, as described in step 5.

  5. In the Enter server address field, type the address: https://serverfqdn:8443/serverInstance/wpe.

    If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.

  6. Type your password.

  7. In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.

To enroll Windows Phone devices

To enroll Windows Phone devices in Endpoint Management, users need their Active Directory or internal network email address, and password. If autodiscovery is not set up, users also need the server web address for the Endpoint Management server. Then, they follow this procedure on their devices to enroll.

Note:

If you plan to deploy apps through the Windows Phone company store, before your users enroll, ensure that you have configured an Enterprise Hub policy (with a signed Secure Hub, Windows Phone app for each platform you support).

  1. On the main screen of the Windows phone, tap the Settings icon.

    • For Windows 10: Depending on your version, either tap Accounts > Access work or school > Connect to work or school or tap Accounts > Work access > Enroll in to device management.
    • For Windows 8.1: Tap PC Settings > Network > Workplace and then tap Add Account.
  2. On the next screen, enter an email address and password and then tap sign in.

    If autodiscovery is configured for your domain, the information requested in the next several steps is automatically populated. Proceed to Step 8.

    If autodiscovery is not configured for your domain, continue with the next step. To enroll as a local user, enter a non-existent email address with the correct domain name (for example, foo@mydomain.com). This permits you to bypass a known Microsoft limitation; in the Connecting to a service dialog box, enter the user name and password associated with the local user.

  3. On the next screen, type the web address of the Endpoint Management server, such as: https://<xenmobile_server>:<portnumber>/<instancename>/wpe. For example, https://mycompany.mdm.com:8443/zdm/wpe.

    Note:

    The port number has to be adapted to your implementation. It must be the same port that you used for an iOS enrollment.

  4. Enter the user name and domain if authentication is validated through a user name and domain and then tap sign in.

  5. If a screen appears noting a problem with the certificate, the error is the result of using a self-signed certificate. If the server is trusted, tap continue. Otherwise, tap Cancel.

  6. On Windows Phone 8.1, when the account is added, you have the option of selecting Install company app. If your administrator has configured a Company App store, select this option and then tap done. If you clear this option, you will need to re-enroll your device to receive the Company app store.

  7. On Windows Phone 8.1, on the Account Added screen, tap done.

  8. To force a connection to the server, tap the refresh icon. If the device does not manually connect to the server, Endpoint Management attempts to reconnect. Endpoint Management connects to the device every 3 minutes 5 successive times, then every 2 hours afterward. You can alter this connection rate in the Windows WNS Heartbeat Interval located in Server properties. Once enrollment is complete, Secure Hub enrolls in the background. No indicator appears when the installation is complete. Tap Secure Hub from the All Apps screen.

Send an enrollment invitation

In the Endpoint Management console, you can send an enrollment invitation to users with iOS, macOS, and Android devices. You can also send an installation link to users with iOS or Android devices.

Enrollment invitations are sent as follows:

  • If the enrollment invitation is for one local or Active Directory user: The user receives the invitation by SMS at the phone number and carrier name you specify.

  • If the enrollment invitation is for a group: The users receive invitations by SMS. If Active Directory users have an email address and mobile phone number in Active Directory, they receive the invitation. Local users receive the invitation at the email address and phone number specified in user properties.

After users enroll, their devices appear as managed on Manage > Devices. The status of the invitation URL is shown as Redeemed.

Prerequisites

  • LDAP configured
  • If using local groups and local users:

    • One or more local groups.

    • Local users assigned to local groups.

    • Delivery groups are associated with local groups.

  • If using Active Directory:

    • Delivery groups are associated with Active Directory groups.

Create an enrollment invitation

  1. In the Endpoint Management console, click Manage > Enrollment Invitations. The Enrollment Invitations page appears.

    Image of Endpoint Management console Enrollment Invitations page

  2. Click Add. A menu of enrollment options appears.

    Image of Add Invitation menu

    • To send an enrollment invitation to a user or group, click Add Invitation.
    • To send an enrollment installation link to a list of recipients over SMTP or SMS, click Send Installation Link.

    Sending enrollment invitations and installation links is described after these steps.

  3. Click Add Invitation. The Enrollment Invitation screen appears.

    Image of Enrollment Invitation screen

  4. Configure these settings:

    • Recipient: Choose Group or User.
    • Select a platform: If Recipient is Group, all platforms are selected. You can change the platform selection. If Recipient is User, no platforms are selected. Select a platform.
    • Device ownership: Select Corporate or Employee.

    Settings for users or groups appear, as described in the following sections.

To send an enrollment invitation to a user

Image of Enrollment Invitation settings

  1. Configure these User settings:

    • User name: Type a user name. The user must exist in the Endpoint Management server as a local user or as a user in Active Directory. If the user is local, ensure that the email property of the user is set so you can send that user notifications. If the user is in Active Directory, ensure that LDAP is configured.
    • Device info: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Choose Serial number, UDID, or IMEI. After you choose an option, a field appears where you can type the corresponding value for the device.
    • Phone number: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Optionally, type the phone number of the user.
    • Carrier: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Choose a carrier to associate to the phone number of the user.
    • Enrollment mode: Choose how you want users to enroll. The default is User name + Password. Some of the following options aren’t available for all platforms:
      • User name + Password
      • High Security
      • Invitation URL
      • Invitation URL + PIN
      • Invitation URL + Password
      • Two Factor
      • User name + PIN

    Only the enrollment modes that are valid for each of the selected platforms appear. A PIN for enrollment is also called a one-time PIN. Such PINs are valid only when the user enrolls.

    Note:

    When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears, where you click Enrollment PIN.

    • Template for agent download: Choose the download link template named Download link. That template is for all supported platforms.
    • Template for enrollment URL: Choose Enrollment Invitation.
    • Template for enrollment confirmation: Choose Enrollment Confirmation.
    • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see Configure enrollment modes.
    • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs.
    • Send invitation: Select ON to send the invitation immediately. Select OFF to add the invitation to the table on the Enrollment Invitations page, but not send it.
  2. Click Save and Send if you enabled Send invitation. Otherwise, click Save. The invitation appears in the table on the Enrollment Invitations page.

    Image of table on Enrollment Invitations page

To send an enrollment invitation to a group

The following figure shows the settings for configuring an enrollment invitation to a group.

Image of Enrollment invitation to group page

  1. Configure these settings:

    • Domain: Choose the domain of the group to receive the invitation.
    • Group: Choose the group to receive the invitation.
    • Enrollment mode: Choose how you want users in the group to enroll. The default is User name + Password. Some of the following options aren’t available for all platforms:
      • User name + Password
      • High Security
      • Invitation URL
      • Invitation URL + PIN
      • Invitation URL + Password
      • Two Factor
      • User name + PIN

    Only the enrollment modes that are valid for each of the selected platforms appear.

    Note:

    When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears, where you click Enrollment PIN.

    • Template for agent download: Choose the download link template named Download link. That template is for all supported platforms.
    • Template for enrollment URL: Choose Enrollment Invitation.
    • Template for enrollment confirmation: Choose Enrollment Confirmation.
    • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see Configure enrollment modes.
    • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs.
    • Send invitation: Select ON to send the invitation immediately. Select OFF to add the invitation to the table on the Enrollment Invitations page, but not send it.
  2. Click Save and Send if you enabled Send invitation. Otherwise, click Save. The invitation appears in the table on the Enrollment Invitations page.

    Image of Enrollment Invitation table

To send an installation link

Before you can send an enrollment installation link, you must configure channels (SMTP or SMS) on the notification server from the Settings page. For details, see Notifications.

Image of Send Installation link page

  1. Configure these settings and then click Save.

    • Recipient: For each recipient that you want to add, click Add and then do the following:
      • Email: Type the email address of the recipient. This field is required.
      • Phone number: Type the phone number of the recipient. This field is required.

      Note:

      To delete a recipient, hover over the line containing the listing and then click the trash icon on the right side. A confirmation dialog box appears. Click Delete to delete the listing or click Cancel to keep the listing.

      To edit a recipient, hover over the line containing the listing and then click the pen icon on the right side. Update the listing and then click Save to save the changed listing or Cancel to leave the listing unchanged.

    • Channels: Select a channel to use for sending the enrollment installation link. You can send notifications over SMTP or SMS. These channels cannot be activated until you configure the server settings on the Settings page in Notification Server. For details, see Notifications.
    • SMTP: Configure these optional settings. If you do not type anything in these fields, the default values specified in the notification template configured for the platform you selected are used:
      • Sender: Type an optional sender.
      • Subject: Type an optional subject for the message. For example, “Enroll your device.”
      • Message: Type an optional message to be sent to the recipient. For example, “Enroll your device to gain access to organizational apps and email.”
    • SMS: Configure this setting. If you do not type anything in this field, the default value specified in the notification template configured for the platform you selected is used:
      • Message: Type a message to be sent to the recipients. This field is required for SMS-based notification.

        In North America, SMS messages that exceed 160 characters are delivered in multiple messages.

  2. Click Send.

    Note:

    If your environment uses sAMAccountName: After users receive the invitation and click the link, they must edit the user name to complete the authentication. The user name appears in the form of sAMAccountName@domainname.com. Users must remove the @domainname.com portion.

Device enrollment limit

Endpoint Management includes a default enrollment profile that allows users to enroll an unlimited number of devices. The default profile is named Global. Create enrollment profiles only if you want to limit the number of devices that users can enroll. You associate enrollment profiles with delivery groups.

The device enrollment limit applies to the ENT, MDM, and MAM server modes. This feature is available for iOS and Android devices only.

When your Endpoint Management deployment includes COSU devices, a single Endpoint Management administrator or a small group of administrators enrolls many COSU devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. For details, see Add a COSU enrollment profile in the Android Enterprise article.

  1. Go to Configure > Enrollment Profiles. The default Global profile appears.

    Image of the default Global profile

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile and then select the number of devices that members with this profile can enroll.

    Image of the Enrollment Info

  3. Click Next. The Delivery Group Assignment screen appears.

    Image of the Delivery Group Assignment screen

  4. Select the delivery groups for this enrollment profile and then click Save.

    The Delivery Groups page appears.

    Image of the Delivery Groups page

    To change the enrollment profiles associated with a delivery group, go to Configure > Delivery Groups and then click Enrollment Profiles.

    Image of the Enrollment Profiles page

User experience with a device enrollment limit

When you set the device enrollment limit and users try to enroll a new device, they follow these steps:

  1. Sign on to Secure Hub.

  2. Enter a server address to enroll.

  3. Enter the credentials.

  4. If the device limit is reached, an error message informs the user that they have exceeded the device registration limit.

    Image of the Secure Hub enrollment screen

    The Secure Hub enrollment screen appears again.
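The invitation settings described earlier (an enrollment mode with a one-time PIN, Expire after, Maximum Attempts) and the device enrollment limit in this section amount to a small set of rules that are easy to get wrong in a home-grown admission flow. The following Python model is an added example written for this page; it is not Endpoint Management code and does not reproduce the product's internals or API. The class names, the PIN values, the timestamps and the profile name are assumptions made for the illustration.

```python
"""Model of enrollment-invitation redemption with a per-user device limit.

Constructed illustration only, not Endpoint Management code. It encodes the
rules the documentation states: an enrollment PIN is a one-time PIN valid
only while the invitation is open; an invitation has an 'Expire after'
interval and a 'Maximum Attempts' count; and an enrollment profile caps the
number of devices a user may enroll (the default Global profile is unlimited).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set
import hmac


@dataclass
class Invitation:
    user: str
    mode: str                 # e.g. "Invitation URL + PIN" (assumed label)
    pin: str                  # constructed one-time enrollment PIN
    issued: datetime
    expire_after: timedelta   # the console's "Expire after" field
    max_attempts: int         # the console's "Maximum Attempts" field
    attempts: int = 0
    redeemed: bool = False

    def status(self, now: datetime) -> str:
        """Console-style status: Redeemed, Expired, Locked or Pending."""
        if self.redeemed:
            return "Redeemed"
        if now - self.issued > self.expire_after:
            return "Expired"
        if self.attempts >= self.max_attempts:
            return "Locked"
        return "Pending"


@dataclass
class EnrollmentProfile:
    name: str
    device_limit: Optional[int]   # None means unlimited, like the Global profile


class Enroller:
    """Redeems invitations and enforces the profile's device limit."""

    def __init__(self, profile: EnrollmentProfile) -> None:
        self.profile = profile
        self.devices: Dict[str, Set[str]] = {}   # user -> enrolled device ids

    def redeem(self, inv: Invitation, pin: str, device_id: str, now: datetime) -> str:
        state = inv.status(now)
        if state != "Pending":
            # A redeemed PIN is spent; expired or locked invitations stay closed.
            return "AlreadyRedeemed" if state == "Redeemed" else state
        inv.attempts += 1
        # Constant-time comparison so PIN checking does not leak by timing.
        if not hmac.compare_digest(inv.pin, pin):
            return "Locked" if inv.attempts >= inv.max_attempts else "WrongPIN"
        enrolled = self.devices.setdefault(inv.user, set())
        limit = self.profile.device_limit
        if limit is not None and device_id not in enrolled and len(enrolled) >= limit:
            return "DeviceLimitReached"   # what Secure Hub reports to the user
        enrolled.add(device_id)
        inv.redeemed = True               # the one-time PIN cannot be reused
        return "Redeemed"


def demo() -> Dict[str, str]:
    """Walk through the rules with constructed data; returns each outcome."""
    t0 = datetime(2024, 1, 1, 9, 0)                     # constructed clock
    profile = EnrollmentProfile("Contractors", device_limit=1)   # assumed profile
    enroller = Enroller(profile)
    results: Dict[str, str] = {}

    inv = Invitation("alice", "Invitation URL + PIN", "482913",
                     t0, timedelta(hours=24), max_attempts=3)
    results["wrong_pin"] = enroller.redeem(inv, "000000", "dev-a1", t0)
    results["first_ok"] = enroller.redeem(inv, "482913", "dev-a1", t0 + timedelta(minutes=5))
    results["pin_reuse"] = enroller.redeem(inv, "482913", "dev-a2", t0 + timedelta(minutes=6))

    inv2 = Invitation("alice", "Invitation URL + PIN", "770144",
                      t0, timedelta(hours=24), max_attempts=3)
    results["over_limit"] = enroller.redeem(inv2, "770144", "dev-a2", t0 + timedelta(hours=1))

    inv3 = Invitation("bob", "Invitation URL + PIN", "115599",
                      t0, timedelta(hours=24), max_attempts=3)
    results["expired"] = enroller.redeem(inv3, "115599", "dev-b1", t0 + timedelta(hours=25))

    inv4 = Invitation("carol", "Invitation URL + PIN", "903311",
                      t0, timedelta(hours=24), max_attempts=2)
    enroller.redeem(inv4, "111111", "dev-c1", t0)
    results["locked"] = enroller.redeem(inv4, "222222", "dev-c1", t0)
    results["locked_status"] = inv4.status(t0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks is the point: expiry and the attempt counter are evaluated before the PIN is compared, the counter is incremented before the comparison so a wrong guess is never free, and the device limit is applied only after the PIN has been accepted, so a limit failure leaves the invitation open for the same user on an already-enrolled device.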

Security actions

You perform device and app security actions from the Manage > Devices page. Device actions include revoke, lock, unlock, and wipe. App security actions include app lock and app wipe.

  • Activation Lock Bypass: Removes the Activation Lock from supervised iOS devices before device activation. This command doesn’t require the personal Apple ID or password for a user.

  • App lock: Denies access to all apps on a device. On Android, after an app lock, users can’t sign in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.

  • App wipe: On Android, an app wipe deletes the user account from Endpoint Management. On iOS, deletes a user account in Secure Hub.

  • ASM DEP Activation Lock: Creates an Activation Lock bypass code for iOS devices enrolled in Apple School Manager DEP.

  • Clear restrictions: On supervised iOS devices, this command allows Endpoint Management to clear the restrictions password and restrictions settings configured by the user.

  • Enable/disable Lost Mode: Puts a supervised iOS device in Lost Mode and sends the device a message, phone number, and footnote to display. Sending this command a second time takes the device out of Lost Mode.

  • Full wipe: Immediately erases all data and apps from a device, including from any memory cards.

    • For Android devices, this request can also include the option to wipe memory cards.

    • For iOS, macOS, and tvOS devices, the wipe occurs immediately, even if the device is locked.

      For iOS 11 devices (minimum version): When you confirm the full wipe, you can choose to preserve the cellular data plan on the device.

      For iOS 11.3 devices (minimum version): When you confirm the full wipe, you can prevent iOS devices from performing proximity setup. When setting up a new iOS device, users can normally use an already configured iOS device to set up their own. You can disallow proximity setup on devices that are Endpoint Management managed and have been wiped.

    • For Windows Phone devices, a full wipe removes all Endpoint Management information and all user data, including personal content such as apps, emails, contacts, and media.

    • For Windows Mobile devices that are running Windows Mobile 6 or earlier: After the wipe, you might need to send the device back to the manufacturer to reload the original operating system, software, or both.

    • If the device user turns off the device before the memory card content is deleted, the user might still have access to device data.

    • You can cancel the wipe request until the request is sent to the device.

  • Locate: Locates a device and reports the device location, including a map, on the Manage > Devices page, under Device details > General.

  • Lock: Remotely locks a device, which is useful if a device is lost but you aren’t sure if it’s stolen. Endpoint Management then generates a PIN code and sets it in the device. To access the device, the user types the PIN code. Use Cancel Lock to remove the lock from the Endpoint Management console.

  • Lock and Reset Password: Remotely locks a device and resets the password.

  • Notify (Ring): Plays a sound on Android devices.

  • Reboot: Restarts Windows 10 devices. For Windows Tablet and PCs, the message “System will reboot soon” appears and then the reboot occurs in five minutes. For Windows Phone, the reboot occurs after a few minutes, with no warning message to users.

  • Request/Stop AirPlay Mirroring: Starts and stops AirPlay mirroring on supervised iOS devices.

  • Restart/Shut Down: Immediately restarts or shuts down supervised devices.

  • Revoke: Prohibits a device from connecting to Endpoint Management.

  • Revoke/Authorize (iOS, macOS, tvOS): Performs the same actions as a Selective Wipe. After revocation, you can reauthorize the device to reenroll it.

  • Ring: If the device is in Lost Mode, Ring plays a sound on a supervised iOS device. The sound plays until you remove the device from Lost Mode or the user disables the sound.

  • Selective wipe: Erases all corporate data and apps from a device, leaving personal data and apps in place. After a selective wipe, a user can reenroll the device.

    • Selectively wiping an Android device does not disconnect the device from Device Manager and the corporate network. To prevent the device from accessing Device Manager, you must also revoke the device certificates.
    • If the Samsung KNOX API is enabled, selectively wiping the device also removes the Samsung KNOX container.
    • For iOS and macOS devices, this command removes any profile installed through MDM.
    • A selective wipe on a Windows device also removes the contents of the profile folder for any currently signed on user. A selective wipe doesn’t remove any web clips that you deliver to users through a configuration. To remove web clips, users manually unenroll their devices. You can’t reenroll a selectively wiped device.
    • Selectively wiping a Windows Phone device removes the enterprise token that allows Endpoint Management to install apps on the device. The wipe also removes all Endpoint Management certificates and configurations deployed to the device. You can’t reenroll a selectively wiped Windows Phone device.
    • Selectively wiping on Android devices also revokes the device, and the device can be re-enrolled only after authorizing it again or deleting it from the console.
  • Unlock: Clears the passcode sent to the device when it was locked. This command doesn’t unlock the device.

In Manage > Devices, the Device details page also lists device Security properties. Those properties include Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type. The Full Wipe of Device field includes the user PIN code. The user must enter that code after the device is wiped. If the user forgets the code, you can look it up here.

Security actions for Android devices

Security action         | Android (except Android Enterprise) | Android Enterprise (BYOD) | Android Enterprise (corporate-owned)
App Lock                | Yes  | No   | No
App Wipe                | Yes  | No   | No
Full Wipe               | Yes  | No   | Yes
Locate                  | Yes* | Yes* | Yes*
Lock                    | Yes  | Yes  | Yes
Lock and Reset Password | Yes  | No   | Yes
Notify (Ring)           | Yes  | Yes  | Yes
Revoke                  | Yes  | Yes  | Yes
Selective Wipe          | Yes  | Yes  | No

* For devices running Android 6.0+, Locate requires the user to grant Location permission during enrollment. The user can opt not to grant Location permission. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permission when sending the Locate command.

Security actions for iOS, macOS, and tvOS devices

| Security action | iOS | macOS | tvOS |
|---|---|---|---|
| Activation Lock Bypass | Yes | No | No |
| App Lock | Yes | No | No |
| App Wipe | Yes | No | No |
| ASM DEP Activation Lock | Yes | No | No |
| Clear Restrictions | Yes | No | No |
| Enable/Disable Lost Mode | Yes | No | No |
| Enable/Disable Tracking | Yes | No | No |
| Full Wipe | Yes | Yes | Yes |
| Locate | Yes | No | No |
| Lock | Yes | Yes | No |
| Ring | Yes | Yes | No |
| Request/Stop AirPlay Mirroring | Yes | No | No |
| Restart/Shut Down | Yes | No | Yes (Restart) |
| Revoke/Authorize | Yes | Yes | Yes |
| Selective Wipe | Yes | Yes | No |
| Unlock | Yes | No | No |

For details about security actions for Shared iPads, see Security actions for Shared iPads.

Security actions for Windows devices

| Security action | Windows Phone 10 | Windows Tablet 10 | Windows Phone 8.1 |
|---|---|---|---|
| Locate | Yes | Yes | No |
| Lock | Yes | Yes | Yes |
| Lock and Reset Password | Yes | No | Yes |
| Reboot | Yes | Yes | No |
| Revoke | Yes | Yes | Yes |
| Ring | Yes | No | Yes |
| Selective Wipe | Yes | Yes | Yes |
| Wipe | Yes | No | Yes |

The remainder of this article provides the steps for performing various security actions. You can also automate some actions. For more information, see Automated actions.

Lock iOS devices

You can lock a lost iOS device and display a message and phone number on the device lock screen. This feature is supported on devices running iOS 7 and above.

To display a message and phone number on a locked device, set the Passcode policy to true in the Endpoint Management console. Alternatively, users can enable the passcode on the device manually.

  1. Click Manage > Devices. The Devices page appears.

    Image of the Devices page

  2. Select the iOS device you want to lock.

    Select the check box next to a device to show the options menu above the device list. Click anywhere else in the list to show the options menu on the right side of the listing.

    Image of the options menu

  3. In the options menu, click Secure. The Security Actions dialog box appears.

    Image of the Security Actions dialog box

  4. Click Lock. The Security Actions confirmation dialog box displays.

    Image of the Security Actions confirmation

  5. Optionally, type a message and phone number that appears on the lock screen of the device.

    For iPads running iOS 7 and later: iOS appends the words “Lost iPad” to what you type in the Message field.

    For iPhones running iOS 7 and later: If you leave the Message field empty and provide a phone number, Apple displays the message “Call owner” on the device lock screen.

  6. Click Lock Device.

Remove a device from the Endpoint Management console

Important:

When you remove a device from the Endpoint Management console, managed apps and data remain on the device. To remove managed apps and data from the device, see “Delete a device” later in this article.

To remove a device from the Endpoint Management console, go to Manage > Devices, select a managed device, and then click Delete.

Image of the Delete option

Selectively wipe a device

  1. Go to Manage > Devices, select a managed device, and then click Secure.

  2. In Security Actions, click Selective wipe.

  3. For Android devices only, disconnect the device from the corporate network: After the device is wiped, in Security Actions, click Revoke.

    To withdraw a selective wipe request before the wipe occurs, in Security Actions, click Cancel selective wipe.

Delete a device

This procedure removes managed apps and data from the device and deletes the device from the Devices list in the Endpoint Management console.

  1. Go to Manage > Devices, select a managed device, and then click Secure.

  2. Click Selective Wipe. When prompted, click Perform Selective Wipe.

  3. To verify that the wipe command succeeded, refresh Manage > Devices. In the Mode column, the amber color for MDM and MAM indicates that the wipe command succeeded.

    Image of a successful wipe command

  4. On Manage > Devices, select the device, and then click Delete. When prompted, click Delete again.

Lock, unlock, wipe, or unwipe apps

  1. Go to Manage > Devices, select a managed device, and then click Secure.

  2. In Security Actions, click the app action.

    You can also use the Security Actions box to check the device status for a user whose account is disabled or deleted from Active Directory. The presence of the App Unlock or App Unwipe actions indicates that apps are locked or wiped.

Put iOS devices in Lost Mode

The Endpoint Management Lost Mode device property puts an iOS device in Lost Mode. Unlike Apple Managed Lost Mode, Endpoint Management Lost Mode doesn’t require a user to perform either of the following actions to enable locating their device: Configure the Find My iPhone/iPad setting or enable the Location Services for Citrix Secure Hub.

In Endpoint Management Lost Mode, only Endpoint Management can unlock the device. (In contrast, if you use the Endpoint Management device lock feature, users can unlock the device directly by using a PIN code that you provide.)

To enable or disable lost mode: Go to Manage > Devices, choose a supervised iOS device, and then click Secure. Then, click Enable Lost Mode or Disable Lost Mode.

Image of the lost mode options

If you click Enable Lost Mode, type information to appear on the device when it’s in lost mode.

Image of the information to appear on a device

Use any of the following methods to check Lost Mode status:

  • In the Security Actions window, verify if the button is Disable Lost Mode.
  • From Manage > Devices, on the General tab under Security, see the last Enable Lost Mode or Disable Lost Mode action.

Image of the General tab

  • From Manage > Devices, on the Properties tab, verify that the value of the MDM lost mode enabled setting is correct.

Image of the MDM lost mode enabled setting

If you enable Endpoint Management Lost Mode on an iOS device, the Endpoint Management console also changes as follows:

  • In Configure > Actions, the Actions list doesn’t include these automated actions: Revoke the device, Selectively wipe the device, and Completely wipe the device.
  • In Manage > Devices, the Security Actions list no longer includes the Revoke and Selective Wipe device actions. You can still use a security action to perform a Full Wipe action, as needed.

For iPads running iOS 7 and later: iOS appends the words “Lost iPad” to what you type in the Message in the Security Actions screen.

For iPhones running iOS 7 and later: If you leave the Message empty and provide a phone number, Apple shows the message “Call owner” on the device lock screen.

Bypass an iOS activation lock

Activation Lock is a feature of Find My iPhone/iPad that prevents reactivation of a lost or stolen supervised device. Activation Lock requires the user’s Apple ID and password before anyone can turn off Find My iPhone/iPad, erase the device, or reactivate the device. For the devices that your organization owns, bypassing an Activation Lock is necessary to, for example, reset or reallocate devices.

To enable Activation Lock, you configure and deploy the Endpoint Management MDM Options device policy. You can then manage a device from the Endpoint Management console without the Apple credentials of the user. To bypass the Apple credential requirement of an Activation Lock, issue the Activation Lock Bypass security action from the Endpoint Management console.

For example, if the user returns a lost phone or to set up the device before or after a Full Wipe: When the phone prompts for the iTunes account credential, you can bypass that step by issuing the Activation Lock Bypass security action from the Endpoint Management console.

Device requirements for activation lock bypass

  • iOS 7.1 (minimum version)
  • Supervised through Apple Configurator or Apple DEP
  • Configured with an iCloud account
  • Find My iPhone/iPad enabled
  • Enrolled in Endpoint Management
  • MDM Options device policy, with activation lock enabled, is deployed to devices

To bypass an activation lock before issuing a Full Wipe of a device:

  1. Go to Manage > Devices, select the device, click Secure, and then click Activation Lock Bypass.
  2. Wipe the device. The activation lock screen doesn’t appear during device setup.

To bypass an activation lock after issuing a Full Wipe of a device:

  1. Reset or wipe the device. The activation lock screen appears during device setup.
  2. Go to Manage > Devices, select the device, click Secure, and then click Activation Lock Bypass.
  3. Tap the Back button on the device. The home screen appears.

Keep in mind the following:

  • Advise your users not to turn off Find My iPhone/iPad. Don’t perform a full wipe from the device. In either of those cases, the user is prompted to enter the iCloud account password. After account validation, the user won’t see an Activate iPhone/iPad screen after erasing all content and settings.
  • For a device with a generated Activation lock bypass code and with the Activation lock enabled: If you can’t bypass the Activate iPhone/iPad page after a Full Wipe, there is no need to delete the device from Endpoint Management. Either you or the user can contact Apple support to unblock the device directly.
  • During a hardware inventory, Endpoint Management queries a device for an Activation lock bypass code. If a bypass code is available, the device sends it to Endpoint Management. Then, to remove the bypass code from the device, send the Activation Lock Bypass security action from the Endpoint Management console. At that point, Endpoint Management and Apple have the bypass code required to unblock the device.
  • The Activation Lock Bypass security action relies on the availability of an Apple service. If the action doesn’t work, you can unblock a device as follows. On the device, manually enter the credentials of the iCloud account. Or, leave the user name field empty and type the bypass code in the password field. To look up the bypass code, go to Manage > Devices, select the device, click Edit, and click Properties. The Activation lock bypass code is under Security information.

Get information about devices

The Endpoint Management database stores a list of mobile devices. Each mobile device is uniquely identified by its serial number or its International Mobile Station Equipment Identity (IMEI)/Mobile Equipment Identifier (MEID). To populate the Endpoint Management console with your devices, you can add the devices manually or you can import a list of devices from a file. For more information about device provisioning file formats, see Device provisioning file formats later in this article.

The Manage > Devices page in the Endpoint Management console lists each device and the following information:

  • Status (icons indicate whether the device is jailbroken, is managed, whether Active Sync Gateway is available, and the deployment state)
  • Mode (whether the device mode is MDM, MAM, or both)
  • Other information about the device, such as User name, Device platform, Operating system version, Device model, Last access, and Inactivity days. Those headings are the defaults shown.

To customize the Devices table, click the down arrow on the last heading. Then, select the additional headings you want to see in the table or clear any headings to remove them.

Image of Devices table customization options

You can add devices manually, import devices from a device provisioning file, edit device details, perform security actions, and send notifications to devices. You can also export all device table data to a .csv file to create a custom report. The server exports all device attributes. If you apply filters, Endpoint Management uses the filters when creating the .csv file.

Add a device manually

  1. In the Endpoint Management console, click Manage > Devices. The Devices page appears.

    Image of Devices page

  2. Click Add. The Add Device page appears.

    Image of Add Device page

  3. Configure these settings:

    • Select platform: Click either iOS or Android.
    • Serial Number: Type the device serial number.
    • IMEI/MEID: Optionally, for Android devices only, type the device IMEI/MEID information.
  4. Click Add. The Devices table appears with the device added to the bottom of the list. Choose the device you added and then in the menu that appears, click Edit to view and confirm the device details.

    Note:

    When you select the check box next to a device, the options menu appears above the device list. When you click anywhere else in the list, the options menu appears on the right side of the listing.

    • LDAP configured

    • If using local groups and local users:

      • One or more local groups.

      • Local users assigned to local groups.

      • Delivery groups are associated with local groups.

    • If using Active Directory:

      • Delivery groups are associated with Active Directory groups.

      Image of Device Details list

  5. The General page lists device Identifiers, such as the serial number, ActiveSync ID, and other information for the platform type. For Device Ownership, select Corporate or BYOD.

    The General page also lists device Security properties, such as Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type. The Full Wipe of Device field includes the user PIN code. The user must enter that code after the device is wiped. If the user forgets the code, you can look it up here.

  6. The Properties page lists the device properties that Endpoint Management is to provision. This list shows any device properties included in the provisioning file used to add the device. To add a property, click Add and then select a property from the list. For valid values for each property, see the PDF Device property names and values.

    When you add a property, it initially appears under the category where you added it. After you click Next and then return to the Properties page, the property appears in the appropriate list.

    To delete a property, hover over the listing and then click the X on the right side. Endpoint Management deletes the item immediately.

  7. The remaining Device Details sections contain summary information for the device.

    • User Properties: Displays RBAC roles, group memberships, VPP accounts, and properties for the user. You can retire a VPP account from this page.
    • Assigned Policies: Displays the number of assigned policies including the number of deployed, pending, and failed policies. Provides the policy name, type and last deployed information for each policy.
    • Apps: Displays, for the last inventory, the number of installed, pending, and failed app deployments. Provides the app name, identifier, type, and other information. For a description of iOS and macOS inventory keys, such as HasUpdateAvailable, see Mobile Device Management (MDM) Protocol.
    • Media: Displays, for the last inventory, the number of deployed, pending, and failed media deployments.
    • Actions: Displays the number of deployed, pending, and failed actions. Provides the action name and time of the last deployment.
    • Delivery Groups: Displays the number of successful, pending, and failed delivery groups. For each deployment, provides the delivery group name and deployment time. Select a delivery group to view more detailed information, including status, action, and channel or user.
    • iOS Profiles: Displays the last iOS profile inventory, including name, type, organization, and description.
    • iOS Provisioning Profiles: Displays enterprise distribution provisioning profile information, such as the UUID, expiration date, and whether it is managed.
    • Certificates: Displays, for valid, expired, or revoked certificates, information such as the type, provider, issuer, serial number, and the number of remaining days before expiration.
    • Connections: Displays the first connection status and the last connection status. Provides for each connection, the user name, penultimate (next to last) authentication time, and last authentication time.
    • MDM Status: Displays information such as the MDM status, last push time, and last device reply time.
    • TouchDown: (Android devices only) Displays information about the last device authentication and the last user authenticated. Provides each applicable policy name and policy value.

Import devices from a provisioning file

You can import a file supplied by mobile operators or device manufacturers, or you can create your own device provisioning file. For details, see Device provisioning file formats later in this article.

  1. Go to Manage > Devices and then click Import. The Import Provisioning File dialog box appears.

    Image of the Import Provisioning File dialog box

  2. Click Choose File and then navigate to the file you want to import.

  3. Click Import. The Devices table lists the imported file.

  4. To edit the device information, select it and then click Edit. For information about the Device details pages, see Add a device manually.

Send a notification to devices

You can send notifications to devices from the Devices page. For more information about notifications, see Notifications.

  1. On the Manage > Devices page, select the device or devices to which you want to send a notification.

  2. Click Notify. The Notification dialog box appears. The Recipients field lists all devices to receive the notification.

    Image of the Notification dialog box

  3. Configure these settings:

    • Templates: In the list, click the type of notification you want to send. For each template except for Ad Hoc, the Subject and Message fields show the text configured for the template that you choose.
    • Channels: Select how to send the message. The default is SMTP and SMS. Click the tabs to see the message format for each channel.
    • Sender: Enter an optional sender.
    • Subject: Enter a subject for an Ad Hoc message.
    • Message: Enter the message for an Ad Hoc message.
  4. Click Notify.

Export the Devices table

  1. Filter the Devices table according to what you want to appear in the export file.

  2. Click the Export button above the Devices table. Endpoint Management extracts the information in the filtered Devices table and converts it to a .csv file.

  3. When prompted, open or save the .csv file.

Tag user devices manually

You can manually tag a device in Endpoint Management in the following ways:

  • During the invitation-based enrollment process.
  • During the Self Help Portal enrollment process.
  • By adding device ownership as a device property

You have the option of tagging the device as either corporate- or employee-owned. When using the Self Help Portal to self-enroll a device, you can tag the device as corporate- or employee-owned. You can also tag a device manually, as follows.

  1. Add a property to the device from the Devices tab in the Endpoint Management console.
  2. Add the property named Owned by and choose either Corporate or BYOD (employee-owned).

    Image of Owned by property settings

Search for devices

For fast searching, the default search scope includes the following device properties:

  • Serial Number
  • IMEI
  • Wifi MAC address
  • Bluetooth MAC address
  • Active Sync ID
  • User Name

You can configure the search scope through a server property, include.device.properties.during.search, which defaults to false. To include all device properties in a device search, go to Settings > Server Properties and change the setting to true.

Device provisioning file formats

Many mobile operators or device manufacturers provide lists of authorized mobile devices. You can use these lists to avoid having to enter a long list of mobile devices manually. Endpoint Management supports an import file format that is common to all three supported device types: Android, iOS, and Windows.

A provisioning file that you create manually and use to import devices to Endpoint Management must be in the following format:

SerialNumber;IMEI;OperatingSystemFamily;propertyName1;propertyValue1;propertyName2;propertyValue2; … propertyNameN;propertyValueN

Keep in mind the following:

  • For valid values for each property, see the PDF Device property names and values.
  • Use the UTF-8 character set.
  • Use a semi-colon (;) to separate the fields within the provisioning file. If part of a field contains a semi-colon, escape it with a backslash character (\).

    For example, for this property:

    propertyV;test;1;2

    Escape it as follows:

    propertyV\;test\;1\;2

  • The serial number is required for iOS devices because the serial number is the iOS device identifier.
  • For other device platforms, you must include either the serial number or the IMEI.
  • Valid values for OperatingSystemFamily are WINDOWS, ANDROID, or iOS.

Example of a device provisioning file:

```
1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2
2050BF3F517301081610065510590392;25244201625379902;ANDROID;propertyN;propertyV$*&&ééétest
3050BF3F517301081610065510590393;35244201625379903;iOS;test;
4050BF3F517301081610065510590393;;iOS;test;
;55244201625379903;ANDROID;test.testé;value;
```

Each line in the file describes a device. The first entry in the above sample means the following:

  • SerialNumber: 1050BF3F517301081610065510590391
  • IMEI: 15244201625379901
  • OperatingSystemFamily: WINDOWS
  • PropertyName: propertyN
  • PropertyValue: propertyV\;test\;1\;2;prop 2
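As an added example (not Citrix code) of the format described above, a small parser and validator for a provisioning file: it splits fields on unescaped semicolons, honours the `\;` escape, applies the serial number/IMEI rules per OperatingSystemFamily, and decodes the file as UTF-8. The function and class names are this example's own, and treating an unpaired trailing property name as having an empty value is an assumption, since the page does not define that case.

```python
"""Parser and validator for an Endpoint Management device provisioning file.

Added example, not Citrix code. Format as described in the text:
    SerialNumber;IMEI;OperatingSystemFamily;propertyName1;propertyValue1;...
Fields are separated by ';', a literal ';' inside a field is written '\\;',
and the file is UTF-8. Names below are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VALID_OS_FAMILIES = ("WINDOWS", "ANDROID", "iOS")


@dataclass
class ProvisionedDevice:
    serial_number: str
    imei: str
    os_family: str
    properties: Dict[str, str] = field(default_factory=dict)


def split_fields(line: str) -> List[str]:
    """Split one line on unescaped ';'. A backslash followed by ';' yields a
    literal ';' and does not end the field; any other backslash is kept."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] == ";":
            current.append(";")
            i += 2
            continue
        if ch == ";":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def escape_field(value: str) -> str:
    """Inverse of split_fields for one field: escape every ';' as '\\;'."""
    return value.replace(";", "\\;")


def parse_line(line: str, lineno: int) -> Tuple[Optional[ProvisionedDevice], List[str]]:
    """Parse one device line into (device, errors). A device is returned only
    when the line satisfies the identifier rules stated in the text."""
    errors: List[str] = []
    fields = split_fields(line)
    if len(fields) < 3:
        return None, [f"line {lineno}: expected SerialNumber;IMEI;OperatingSystemFamily"]
    serial, imei, os_family = (f.strip() for f in fields[:3])
    if os_family not in VALID_OS_FAMILIES:
        errors.append(f"line {lineno}: OperatingSystemFamily must be one of "
                      f"{VALID_OS_FAMILIES}, got {os_family!r}")
    if os_family == "iOS" and not serial:
        errors.append(f"line {lineno}: serial number is required for iOS devices")
    elif not serial and not imei:
        errors.append(f"line {lineno}: either the serial number or the IMEI is required")
    if errors:
        return None, errors
    # Remaining fields are name/value pairs. A trailing ';' leaves one empty
    # field, which is dropped; an unpaired final name gets an empty value
    # (assumption of this example; the page does not define that case).
    rest = fields[3:]
    if rest and rest[-1] == "" and len(rest) % 2 == 1:
        rest = rest[:-1]
    props: Dict[str, str] = {}
    for idx in range(0, len(rest), 2):
        props[rest[idx]] = rest[idx + 1] if idx + 1 < len(rest) else ""
    return ProvisionedDevice(serial, imei, os_family, props), errors


def parse_provisioning_file(data: bytes) -> Tuple[List[ProvisionedDevice], List[str]]:
    """Decode the file strictly as UTF-8 and parse every non-blank line."""
    text = data.decode("utf-8")  # raises UnicodeDecodeError on non-UTF-8 input
    devices: List[ProvisionedDevice] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        device, line_errors = parse_line(raw, lineno)
        errors.extend(line_errors)
        if device is not None:
            devices.append(device)
    return devices, errors


# The page's own five-line sample, plus two constructed invalid lines.
SAMPLE_FILE = "\n".join([
    r"1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2",
    r"2050BF3F517301081610065510590392;25244201625379902;ANDROID;propertyN;propertyV$*&&ééétest",
    r"3050BF3F517301081610065510590393;35244201625379903;iOS;test;",
    r"4050BF3F517301081610065510590393;;iOS;test;",
    r";55244201625379903;ANDROID;test.testé;value;",
    r";65244201625379904;iOS;test;value",         # constructed: iOS without a serial number
    r"7050BF3F517301081610065510590397;;LINUX",    # constructed: unsupported OS family
]).encode("utf-8")

if __name__ == "__main__":
    found, problems = parse_provisioning_file(SAMPLE_FILE)
    for dev in found:
        print(dev)
    for problem in problems:
        print("ERROR:", problem)
```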

Shared devices

Endpoint Management lets you configure devices that multiple users can share. The shared devices feature lets, for example, clinicians in hospitals use any nearby device to access apps and data rather than having to carry around a specific device. You may also want shift workers in fields like law enforcement, retail, and manufacturing to share devices to reduce equipment costs.

Key points about shared devices

You can use any of the supported iOS and Android devices as shared devices. For a list of supported devices, see Supported device operating systems.

MDM mode

  • Available on both iOS and Android tablets and phones. Basic device enrollment program (DEP) enrollment is not supported for an Endpoint Management Enterprise shared device. You must use an authorized DEP to enroll a shared device in this mode.
  • Client certificate authentication, Citrix PIN, Touch ID, User Entropy, and two-factor authentication are not supported.

MDM+MAM mode

  • Available only on iOS and Android tablets.
  • Only Active Directory username and password authentication is supported.
  • Client certificate authentication, Worx PIN, Touch ID, User Entropy, and two-factor authentication are not supported.
  • MAM-only mode is not supported. The devices must enroll in MDM.
  • Only Secure Mail, Secure Web, and the Citrix Files mobile app are supported. HDX apps are not supported.
  • Active Directory users are the only supported users; local users and groups are not supported.
  • Re-enrollment is required for existing MDM-only shared devices to update to MDM+MAM mode.
  • Users can share Citrix mobile productivity apps and MDX-wrapped apps only; they cannot share native apps on the devices.
  • Once downloaded during first-time enrollment, Citrix mobile productivity apps are not downloaded again each time a new user signs on to the device. The new user can pick up the device, sign on, and get going.
  • On Android, to isolate each user’s data for security purposes, the Disallow rooted devices policy in the Endpoint Management console should be On.

Prerequisites for enrolling shared devices

Before you can enroll shared devices, you must do the following:

Prerequisites for MDM+MAM mode

  1. Create an Active Directory group named something like Shared Device Enrollers.
  2. Add to this group Active Directory users who will enroll shared devices. If you want a new account for this purpose, create a new Active Directory user (for example, sdenroll) and add that user to the Active Directory group.

Configuring a shared device

Follow these steps to configure a shared device.

  1. From the Endpoint Management console, click the gear in the upper-right corner. The Settings page appears.
  2. Click Role-Based Access Control, then click Add. The Add Role screen appears.
  3. Create a shared-device enrollment user role named Shared Device Enrollment User with Shared devices enroller permissions under Authorized Access. Be sure to expand Devices in Console features and then select Selective Wipe device. This setting ensures that the apps and policies provisioned through the shared devices enroller account are deleted through Secure Hub, when the device is un-enrolled.

    For Apply Permissions, keep the default setting, To all user groups, or select To specific user groups and assign permissions to specific Active Directory user groups.

    Image of the Apply Permissions options

    Click Next to move to the Assignment screen. Assign the shared-device enrollment role you just created to the Active Directory group you created for shared device enrollment users in Step 1 under Pre-requisites. In the image below, citrix.lab is the Active Directory domain and Shared Device Enrollers is the Active Directory group.

    Image of the Assignment screen

  4. Create a delivery group that contains the base policies, apps, and actions that you want to apply to the device when a user is not signed on, then associate that delivery group with the shared device enrollment user Active Directory group.

    Image of the delivery group settings

  5. Install Secure Hub on the shared device and enroll it in Endpoint Management using the shared device enrollment user account. You can now view and manage the device through the Endpoint Management console. For more information, see Enroll devices.

  6. To apply different policies or to provide additional apps for authenticated users, you must create a delivery group associated with those users and deployed to shared devices only. When creating the groups, configure deployment rules to ensure that the packages are deployed to shared devices. For more information, see Deploy Resources.

  7. To stop sharing the device, perform a selective wipe to remove the shared device enrollment user account from the device, along with any apps and policies deployed to it.

Shared device user experience

MDM mode

Users see only the resources available to them, and they have the same experience on every shared device. The shared device enrollment policies and apps always remain on the device. When a user who isn’t enrolled in shared devices signs on to Secure Hub, that person’s policies and apps are deployed to the device. When that user signs off, the policies and apps that differ from those of the shared device enrollment are removed, while the shared-device enrollment resources remain intact.

MDM+MAM mode

Secure Mail and Secure Web are deployed to the device when enrolled by the shared device enrollment user. User data is maintained securely on the device. The data is not exposed to other users when they sign on to Secure Mail or Secure Web.

Only one user at a time can sign on to Secure Hub. The previous user must sign off before the next user can sign on. For security reasons, Secure Hub does not store user credentials on shared devices, so users must enter their credentials each time they sign on. To ensure that a new user cannot access resources intended for the previous user, Secure Hub does not allow new users to sign on while the policies, apps, and data associated with the previous user are being removed.

Shared device enrollment doesn’t change the process for upgrading apps. You can push upgrades to shared-device users as always, and shared-device users can upgrade apps right on their devices.

  • For the best Secure Mail performance, set Max sync period based on the number of users that will share the device. Allowing unlimited sync is not recommended.

    | Number of users sharing device | Recommended max sync period |
    |---|---|
    | 21 to 25 | 1 week or less |
    | 6 to 20 | 2 weeks or less |
    | 5 or fewer | 1 month or less |

  • Block Enable contact export to avoid exposing a user’s contacts to other users who share the device.

  • On iOS, only the following settings can be set per user. All other settings will be common across users who share the device:

    • Notifications
    • Signature
    • Out of Office
    • Sync Mail Period
    • S/MIME
    • Check Spelling