Device management

Citrix Endpoint Management can manage, secure, and inventory a broad range of device types within a single management console.

  • Use a common set of device policies to manage supported devices. For a quick look at the device policies available by platform:

    1. Go to the Endpoint Management console and navigate to Configure > Device Policies.
    2. Click Add and then select the platforms you want to view.

      For more information, see Filter the list of added device policies.

  • Protect business information with strict security for identity, corporate-owned and BYO devices, apps, data, and network. Specify the user identities to use to authenticate to devices. Configure how to keep enterprise and personal data separate on devices.

  • Deliver any app to end users, regardless of device or operating system. Protect your information at the app level and ensure enterprise-grade mobile application management.

  • Use provisioning and configuration controls to set up devices. Those controls include device enrollment, policy application, and access privileges.

  • Use security and compliance controls to create a customized security baseline with actionable triggers. For example, lock, wipe, or notify a device in violation of defined compliance standards.

  • Use OS update controls to prevent or enforce operating system updates. This feature is critical for data loss prevention against targeted operating system vulnerabilities.

To access articles about each supported platform, expand the “Device management” section in the contents list. Those articles provide details specific to each device platform. The rest of this article describes how to perform general device management tasks.

Device management workflows

The workflow diagrams in this section provide a suggested sequence for performing device management tasks.

  1. Recommended prerequisites for adding devices and apps: Performing the following setup in advance lets you configure devices and apps without interruption.

    Workflow diagram of recommended steps before adding devices and apps

    See:

    Configure users and groups

    Deploy resources

    Configure roles with RBAC

    Create and update notification templates

    Create and manage workflows

  2. Add devices:

    Workflow diagram of adding devices

    See:

    Prepare to enroll devices and deliver resources

    Device policies

    To deploy to delivery groups

    Automated actions

  3. Prepare enrollment invitations: Perform these tasks if you plan to use enrollment invitations.

    Workflow diagram of preparing enrollment invitations

    See:

    Configure enrollment modes

    Send a notification to devices

  4. Add apps:

    Workflow diagram of adding apps

    See:

    MDX Service

    Add apps

    Create app categories

    Create and manage workflows

    To deploy to delivery groups

  5. Perform ongoing device and app management: In addition to using the Endpoint Management dashboard, we encourage you to review the What’s new content for each release. What’s new provides information about any needed actions, such as configuring new device policies.

    Workflow diagram of app and device management

    See:

    Monitor and support

    Reports

    Security actions

    What’s new

    Device policies

Enrollment invitations

To manage user devices remotely and securely, you enroll user devices in Endpoint Management. The Endpoint Management client software is installed on the user device and the user identity is authenticated. Then, Endpoint Management and the user profile are installed. For enrollment details for supported device platforms, see the device articles under this section.

In the Endpoint Management console, you can send an enrollment invitation to users with iOS, macOS, and Android devices. You can also send an installation link to users with iOS or Android devices.

Enrollment invitations are sent as follows:

  • If the enrollment invitation is for one local or Active Directory user: The user receives the invitation from SMS at the phone number and carrier name you specify.

  • If the enrollment invitation is for a group: The users receive invitations from SMS. If Active Directory users have an email address and mobile phone number in Active Directory, they receive the invitation. Local users receive the invitation at the email and phone number specified in user properties.

After users enroll, their devices appear as managed on Manage > Devices. The status of the invitation URL is shown as Redeemed.

Prerequisites

  • LDAP configured
  • If using local groups and local users:

    • One or more local groups.

    • Local users assigned to local groups.

    • Delivery groups are associated with local groups.

  • If using Active Directory:

    • Delivery groups are associated with Active Directory groups.

Create an enrollment invitation

  1. In the Endpoint Management console, click Manage > Enrollment Invitations. The Enrollment Invitations page appears.

    Image of Endpoint Management console Enrollment Invitations page

  2. Click Add. A menu of enrollment options appears.

    Image of Add Invitation menu

    • To send an enrollment invitation to a user or group, click Add Invitation.
    • To send an enrollment installation link to a list of recipients over SMTP or SMS, click Send Installation Link.

    Sending enrollment invitations and installation links is described after these steps.

  3. Click Add Invitation. The Enrollment Invitation screen appears.

    Image of Enrollment Invitation screen

  4. Configure these settings:

    • Recipient: Choose Group or User.
    • Select a platform: If Recipient is Group, all platforms are selected. You can change the platform selection. If Recipient is User, no platforms are selected. Select a platform.
    • Device ownership: Select Corporate or Employee.

    Settings for users or groups appear, as described in the following sections.

To send an enrollment invitation to a user

Image of Enrollment Invitation settings

  1. Configure these User settings:

    • User name: Type a user name. The user must exist in the Endpoint Management server as a local user or as a user in Active Directory. If the user is local, set the email property of the user so you can send that user notifications. If the user is in Active Directory, ensure that LDAP is configured.
    • Device info: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Choose Serial number, UDID, or IMEI. After you choose an option, a field appears where you can type the corresponding value for the device.
    • Phone number: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Optionally, type the phone number of the user.
    • Carrier: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Choose a carrier to associate to the phone number of the user.
    • Enrollment mode: Choose how you want users to enroll. The default is User name + Password. Some of the following options aren’t available for all platforms:
      • User name + Password
      • High Security
      • Invitation URL
      • Invitation URL + PIN
      • Invitation URL + Password
      • Two Factor
      • User name + PIN

    Only the enrollment modes that are valid for each of the selected platforms appear. A PIN for enrollment is also called a one-time PIN. Such PINs are valid only when the user enrolls.

    Note:

    When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears. Click Enrollment PIN.

    • Template for agent download: Choose the download link template named Download link. That template is for all supported platforms.
    • Template for enrollment URL: Choose Enrollment Invitation.
    • Template for enrollment confirmation: Choose Enrollment Confirmation.
    • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see Configure enrollment modes.
    • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs.
    • Send invitation: Select ON to send the invitation immediately. Select OFF to add the invitation to the table on the Enrollment Invitations page, but not send it.
  2. Click Save and Send if you enabled Send invitation. Otherwise, click Save. The invitation appears in the table on the Enrollment Invitations page.

    Image of table on Enrollment Invitations page

To send an enrollment invitation to a group

The following figure shows the settings for configuring an enrollment invitation to a group.

Image of Enrollment invitation to group page

  1. Configure these settings:

    • Domain: Choose the domain of the group to receive the invitation.
    • Group: Choose the group to receive the invitation.
    • Enrollment mode: Choose how you want users in the group to enroll. The default is User name + Password. Some of the following options aren’t available for all platforms:
      • User name + Password
      • High Security
      • Invitation URL
      • Invitation URL + PIN
      • Invitation URL + Password
      • Two Factor
      • User name + PIN

    Only the enrollment modes that are valid for each of the selected platforms appear.

    Note:

    When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears. Click Enrollment PIN.

    • Template for agent download: Choose the download link template named Download link. That template is for all supported platforms.
    • Template for enrollment URL: Choose Enrollment Invitation.
    • Template for enrollment confirmation: Choose Enrollment Confirmation.
    • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see Configure enrollment modes.
    • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs.
    • Send invitation: Select ON to send the invitation immediately. Select OFF to add the invitation to the table on the Enrollment Invitations page, but not send it.
  2. Click Save and Send if you enabled Send invitation. Otherwise, click Save. The invitation appears in the table on the Enrollment Invitation page.

    Image of Enrollment Invitation table

To send an enrollment installation link

Before you can send an enrollment installation link, you must configure channels (SMTP or SMS) on the notification server from the Settings page. For details, see Notifications.

Image of Send Installation link page

  1. Configure these settings and then click Save.

    • Recipient: For each recipient that you want to add, click Add and then do the following:
      • Email: Type the email address of the recipient. This field is required.
      • Phone number: Type the phone number of the recipient. This field is required.

      Note:

      To delete a recipient, hover over the line containing the listing and then click the trash icon on the right side. A confirmation dialog box appears. Click Delete to delete the listing or click Cancel to keep the listing.

      To edit a recipient, hover over the line containing the listing and then click the pen icon on the right side. Update the listing and then click Save to save the changed listing or Cancel to leave the listing unchanged.

    • Channels: Select a channel to use for sending the enrollment installation link. You can send notifications over SMTP or SMS. These channels cannot be activated until you configure the server settings on the Settings page in Notification Server. For details, see Notifications.
    • SMTP: Configure these optional settings. If you do not type anything in these fields, the default values specified in the notification template configured for the platform you selected are used:
      • Sender: Type an optional sender.
      • Subject: Type an optional subject for the message. For example, “Enroll your device.”
      • Message: Type an optional message to be sent to the recipient. For example, “Enroll your device to gain access to organizational apps and email.”
    • SMS: Configure this setting. If you do not type anything in this field, the default value specified in the notification template configured for the platform you selected is used:
      • Message: Type a message to be sent to the recipients. This field is required for SMS-based notification.

        In North America, SMS messages that exceed 160 characters are delivered in multiple messages.

  2. Click Send.

    Note:

    If your environment uses sAMAccountName: After users receive the invitation and click the link, they must edit the user name to complete the authentication. The user name appears in the form of sAMAccountName@domainname.com. Users must remove the @domainname.com portion.

Device enrollment limit

Endpoint Management includes a default enrollment profile that allows users to enroll an unlimited number of devices. The default profile is named Global. Create enrollment profiles only if you want to limit the number of devices that users can enroll. You associate enrollment profiles with delivery groups.

The device enrollment limit applies to the ENT, MDM, and MAM server modes. This feature is available for iOS and Android devices only.

When your Endpoint Management deployment includes COSU devices, a single Endpoint Management administrator or small group of administrators enroll many COSU devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. For details, see Add a COSU enrollment profile in the Android Enterprise article.

  1. Go to Configure > Enrollment Profiles. The default Global profile appears.

    Image of the default Global profile

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile and then select the number of devices that members with this profile can enroll.

    Image of the Enrollment Info

  3. Click Next. The Delivery Group Assignment screen appears.

    Image of the Delivery Group Assignment screen

  4. Select the delivery groups for this enrollment profile and then click Save.

    The Delivery Groups page appears.

    Image of the Delivery Groups page

    To change the enrollment profiles associated with a delivery group, go to Configure > Delivery Groups and then click Enrollment Profiles.

    Image of the Enrollment Profiles page

User experience with a device enrollment limit

When you set the device enrollment limit and users try to enroll a new device, they follow these steps:

  1. Sign on to Secure Hub.

  2. Enter a server address to enroll.

  3. Enter the credentials.

  4. If the device limit is reached, an error message informs the user that they have exceeded the device registration limit.

    Image of the Secure Hub enrollment screen

    The Secure Hub enrollment screen appears again.

Security actions

You perform device and app security actions from the Manage > Devices page. Device actions include revoke, lock, unlock, and wipe. App security actions include app lock and app wipe.

  • Activation Lock Bypass: Removes the Activation Lock from supervised iOS devices before device activation. This command doesn’t require the personal Apple ID or password for a user.

  • App lock: Denies access to all apps on a device. On Android, after an app lock, users can’t sign in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.

  • App wipe: On Android, an app wipe deletes the user account from Endpoint Management. On iOS, deletes a user account in Secure Hub.

  • ASM DEP Activation Lock: Creates an Activation Lock bypass code for iOS devices enrolled in Apple School Manager DEP.

  • Certificate renewal: For supported iOS, macOS, and Android devices, the Certificate Renewal security action initiates certificate renewal. The next time that devices connect back to Endpoint Management, the Endpoint Management server issues new device certificates based on the new CA.

  • Clear restrictions: On supervised iOS devices, this command allows Endpoint Management to clear the restrictions password and restrictions settings configured by the user.

  • Enable/disable Lost Mode: Puts a supervised iOS device in Lost Mode and sends the device a message, phone number, and footnote to display. The second time that you send this command takes the device out of Lost Mode.

  • Full wipe: Immediately erases all data and apps from a device, including from any memory cards.

    • For Android devices, this request can also include the option to wipe memory cards.

    • For iOS, macOS, and tvOS devices, the wipe occurs immediately, even if the device is locked.

      For iOS 11 devices (minimum version): When you confirm the full wipe, you can choose to preserve the cellular data plan on the device.

      For iOS 11.3 devices (minimum version): When you confirm the full wipe, you can prevent iOS devices from performing proximity setup. When setting up a new iOS device, users can normally use an already configured iOS device to set up their own. You can disallow proximity setup on devices that are Endpoint Management managed and have been wiped.

    • For Windows Phone devices, a full wipe removes all Endpoint Management information and all user data. The user data removed includes personal content such as apps, emails, contacts, and media.

    • If the device user turns off the device before the memory card content is deleted, the user might still have access to device data.

    • You can cancel the wipe request until the request is sent to the device.

  • Locate: Locates a device and reports the device location, including a map, on the Manage > Devices page, under Device details > General.

  • Lock: Remotely locks a device, which is useful when you lose a device and don’t know if the device is stolen. Endpoint Management then generates a PIN code and sets it in the device. To access the device, the user types the PIN code. Use Cancel Lock to remove the lock from the Endpoint Management console.

  • Lock and Reset Password: Remotely locks a device and resets the password.

  • Notify (Ring): Plays a sound on Android devices.

  • Reboot: Restarts Windows 10 devices. For Windows Tablet and PCs, the message “System will reboot soon” appears and then the reboot occurs in five minutes. For Windows Phone, the reboot occurs after a few minutes, with no warning message to users.

  • Request/Stop AirPlay Mirroring: Starts and stops AirPlay mirroring on supervised iOS devices.

  • Restart/Shut Down: Immediately restarts or shuts down supervised devices. tvOS supports Restart but not Shut Down.

  • Revoke: Prohibits a device from connecting to Endpoint Management.

  • Revoke/Authorize (iOS, macOS, tvOS): Performs the same actions as a Selective Wipe. After revocation, you can reauthorize the device to reenroll it.

  • Ring: If the device is in Lost Mode, Ring plays a sound on a supervised iOS device. The sound plays until you remove the device from Lost Mode or the user disables the sound.

  • Selective wipe: Erases all corporate data and apps from a device, leaving personal data and apps in place. After a selective wipe, a user can reenroll the device.

    • Selectively wiping an Android device does not disconnect the device from Device Manager and the corporate network. To prevent the device from accessing Device Manager, you must also revoke the device certificates.
    • If the Samsung KNOX API is enabled, selectively wiping the device also removes the Samsung KNOX container.
    • For iOS and macOS devices, this command removes any profile installed through MDM.
    • A selective wipe on a Windows device also removes the contents of the profile folder for any currently signed on user. A selective wipe doesn’t remove any web clips that you deliver to users through a configuration. To remove web clips, users manually unenroll their devices. You can’t reenroll a selectively wiped device.
    • Selectively wiping a Windows Phone device removes the enterprise token that allows Endpoint Management to install apps on the device. The wipe also removes all Endpoint Management certificates and configurations deployed to the device. You can’t reenroll a selectively wiped Windows Phone device.
    • Selectively wiping an Android device also revokes the device. You can reenroll the device only after reauthorizing it or deleting it from the console.
  • Unlock: Clears the passcode sent to the device when it was locked. This command doesn’t unlock the device.

In Manage > Devices, the Device details page also lists device Security properties. Those properties include Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type. The Full Wipe of Device field includes the user PIN code. The user must enter that code after the device is wiped. If the user forgets the code, you can look it up here.

You can automate some actions. For more information, see Automated actions.

Remove a device from the Endpoint Management console

Important:

When you remove a device from the Endpoint Management console, managed apps and data remain on the device. To remove managed apps and data from the device, see “Delete a device” later in this article.

To remove a device from the Endpoint Management console, go to Manage > Devices, select a managed device, and then click Delete.

Image of the Delete option

Selectively wipe a device

  1. Go to Manage > Devices, select a managed device, and then click Secure.

  2. In Security Actions, click Selective wipe.

  3. For Android devices only, disconnect the device from the corporate network: After the device is wiped, in Security Actions, click Revoke.

    To withdraw a selective wipe request before the wipe occurs, in Security Actions, click Cancel selective wipe.

Delete a device

This procedure removes managed apps and data from the device and deletes the device from the Devices list in the Endpoint Management console.

  1. Go to Manage > Devices, select a managed device, and then click Secure.

  2. Click Selective Wipe. When prompted, click Perform Selective Wipe.

  3. To verify that the wipe command succeeded, refresh Manage > Devices. In the Mode column, the amber color for MDM and MAM indicates that the wipe command succeeded.

    Image of a successful wipe command

  4. On Manage > Devices, select the device, and then click Delete. When prompted, click Delete again.

Lock, unlock, wipe, or unwipe apps

  1. Go to Manage > Devices, select a managed device, and then click Secure.

  2. In Security Actions, click the app action.

    You can also use the Security Actions box to check the device status for a user whose account is disabled or deleted from Active Directory. The presence of the App Unlock or App Unwipe actions indicates apps that are locked or wiped.

Get information about devices

The Endpoint Management database stores a list of mobile devices. A unique serial number or International Mobile Station Equipment Identity (IMEI)/Mobile Equipment Identifier (MEID) uniquely defines each mobile device. To populate the Endpoint Management console with your devices, you can add the devices manually or you can import a list of devices from a file. For more information about device provisioning file formats, see Device provisioning file formats later in this article.

The Manage > Devices page in the Endpoint Management console lists each device and the following information:

  • Status: Icons indicate whether the device is jailbroken, is managed, whether ActiveSync Gateway is available, and the deployment state.
  • Mode: Indicates the device mode, such as MDM or MAM+MDM.
  • Other information about the device, such as User name, Device platform, Last access, and Inactivity days. Those headings are the defaults shown.

To customize the Devices table, click the down arrow on the last heading. Then, select the additional headings you want to see in the table or clear any headings to remove them.

Image of Devices table customization options

You can add devices manually, import devices from a device provisioning file, edit device details, perform security actions, and send notifications to devices. You can also export all device table data to a .csv file to create a custom report. The server exports all device attributes. If you apply filters, Endpoint Management uses the filters when creating the .csv file.

Import devices from a provisioning file

You can import a file supplied by mobile operators or device manufacturers, or you can create your own device provisioning file. For details, see Device provisioning file formats later in this article.

  1. Go to Manage > Devices and then click Import. The Import Provisioning File dialog box appears.

    Image of the Import Provisioning File dialog box

  2. Click Choose File and then navigate to the file you want to import.

  3. Click Import. The Devices table lists the imported file.

  4. To edit the device information, select it and then click Edit. For information about the Device details pages, see Get information about devices.

Send a notification to devices

You can send notifications to devices from the Devices page. For more information about notifications, see Notifications.

  1. On the Manage > Devices page, select the device or devices to which you want to send a notification.

  2. Click Notify. The Notification dialog box appears. The Recipients field lists all devices to receive the notification.

    Image of the Notification dialog box

  3. Configure these settings:

    • Templates: In the list, click the type of notification you want to send. For each template except for Ad Hoc, the Subject and Message fields show the text configured for the template that you choose.
    • Channels: Select how to send the message. The default is SMTP and SMS. Click the tabs to see the message format for each channel.
    • Sender: Enter an optional sender.
    • Subject: Enter a subject for an Ad Hoc message.
    • Message: Enter the message for an Ad Hoc message.
  4. Click Notify.

Export the Devices table

  1. Filter the Devices table according to what you want to appear in the export file.

  2. Click the Export button above the Devices table. Endpoint Management extracts the information in the filtered Devices table and converts it to a .csv file.

  3. When prompted, open or save the .csv file.

Tag user devices manually

You can manually tag a device in Endpoint Management in the following ways:

  • During the invitation-based enrollment process.
  • During the Self Help Portal enrollment process.
  • By adding device ownership as a device property.

You have the option of tagging the device as either corporate- or employee-owned. When using the Self Help Portal to self-enroll a device, you can tag the device as corporate- or employee-owned. You can also tag a device manually, as follows.

  1. Add a property to the device from the Devices tab in the Endpoint Management console.
  2. Add the property named Owned by and choose either Corporate or BYOD (employee-owned).

    Image of Owned by property settings

Search for devices

For fast searching, the default search scope includes the following device properties:

  • Serial Number
  • IMEI
  • Wifi MAC address
  • Bluetooth MAC address
  • Active Sync ID
  • User Name

You can configure the search scope through a server property, include.device.properties.during.search, which defaults to false. To include all device properties in a device search, go to Settings > Server Properties and change the setting to true.

Device provisioning file formats

Many mobile operators or device manufacturers provide lists of authorized mobile devices. You can use these lists to avoid having to enter a long list of mobile devices manually. Endpoint Management supports an import file format that is common to these supported device types: Android, iOS, and Windows.

A provisioning file that you create manually and use to import devices to Endpoint Management must be in the following format:

SerialNumber;IMEI;OperatingSystemFamily;propertyName1;propertyValue1;propertyName2;propertyValue2; … propertyNameN;propertyValueN

Keep in mind the following:

  • For valid values for each property, see the PDF Device property names and values.
  • Use the UTF-8 character set.
  • Use a semi-colon (;) to separate the fields within the provisioning file. If part of a field contains a semi-colon, escape it with a backslash character (\).

    For example, for this property:

    propertyV;test;1;2

    Escape it as follows:

    propertyV\;test\;1\;2

  • The serial number is required for iOS devices because the serial number is the iOS device identifier.
  • For other device platforms, you must include either the serial number or the IMEI.
  • Valid values for OperatingSystemFamily are WINDOWS, ANDROID, or iOS.

Example of a device provisioning file:

```
1050BF3F517301081610065510590391;15244201625379901;WINDOWS;propertyN;propertyV\;test\;1\;2;prop 2
2050BF3F517301081610065510590392;25244201625379902;ANDROID;propertyN;propertyV$*&&ééétest
3050BF3F517301081610065510590393;35244201625379903;iOS;test;
4050BF3F517301081610065510590393;;iOS;test;
;55244201625379903;ANDROID;test.testé;value;
```

Each line in the file describes a device. The first entry in that sample means the following:

  • SerialNumber: 1050BF3F517301081610065510590391
  • IMEI: 15244201625379901
  • OperatingSystemFamily: WINDOWS
  • PropertyName: propertyN
  • PropertyValue: propertyV\;test\;1\;2;prop 2
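The following parser applies the format rules above (three fixed fields, then name/value pairs, semicolons escaped with a backslash, UTF-8 encoding) and rejects records that break the identifier rules before they reach the console. It is an added example, not Citrix code; the serial numbers, IMEIs and property names in the sample file are constructed.

```python
"""Parse and validate an Endpoint Management device provisioning file.

Format (from the article): SerialNumber;IMEI;OperatingSystemFamily;name1;value1;...
This is an added example, not part of Citrix Endpoint Management.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VALID_OS_FAMILIES = {"WINDOWS", "ANDROID", "iOS"}


def split_fields(line: str) -> List[str]:
    """Split one record on unescaped semicolons; a '\\;' pair yields a literal ';'."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] == ";":
            current.append(";")   # escaped separator, keep it inside the field
            i += 2
            continue
        if ch == ";":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def escape_field(value: str) -> str:
    """Inverse of the escaping in split_fields, for writing a file."""
    return value.replace(";", "\\;")


@dataclass
class DeviceRecord:
    serial_number: str
    imei: str
    os_family: str
    properties: Dict[str, str] = field(default_factory=dict)


def parse_record(line: str) -> DeviceRecord:
    """Turn one line into a DeviceRecord; raises ValueError on a malformed line."""
    parts = split_fields(line.rstrip("\r\n"))
    if len(parts) < 3:
        raise ValueError(f"expected at least 3 fields, got {len(parts)}: {line!r}")
    serial, imei, os_family = (p.strip() for p in parts[:3])
    rest = parts[3:]
    # A trailing ';' produces one empty field with no name; drop it.
    if len(rest) % 2 == 1 and rest[-1] == "":
        rest = rest[:-1]
    if len(rest) % 2 == 1:
        raise ValueError(f"property {rest[-1]!r} has no value: {line!r}")
    props = {rest[i]: rest[i + 1] for i in range(0, len(rest), 2)}
    return DeviceRecord(serial, imei, os_family, props)


def validate_record(rec: DeviceRecord) -> List[str]:
    """Apply the identifier rules from the article; returns a list of problems."""
    problems: List[str] = []
    if rec.os_family not in VALID_OS_FAMILIES:
        problems.append(f"unknown OperatingSystemFamily {rec.os_family!r}")
    if rec.os_family == "iOS" and not rec.serial_number:
        problems.append("iOS devices require a serial number")
    if not rec.serial_number and not rec.imei:
        problems.append("either a serial number or an IMEI is required")
    return problems


def format_record(rec: DeviceRecord) -> str:
    """Serialise a record back to one provisioning-file line."""
    parts = [rec.serial_number, rec.imei, rec.os_family]
    for name, value in rec.properties.items():
        parts.extend([name, value])
    return ";".join(escape_field(p) for p in parts)


def load_provisioning_file(data: bytes) -> Tuple[List[DeviceRecord], List[Tuple[int, str]]]:
    """Decode as UTF-8 (the required character set), parse every non-empty line,
    and separate accepted records from (line number, reason) rejections."""
    text = data.decode("utf-8")  # strict decoding: a non-UTF-8 byte raises
    records: List[DeviceRecord] = []
    errors: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        problems = validate_record(rec)
        if problems:
            errors.append((lineno, "; ".join(problems)))
        else:
            records.append(rec)
    return records, errors


# Constructed sample file: identifiers and the "assetTag" property are made up.
SAMPLE_FILE = (
    "A1B2C3D4E5F6;490154203237518;WINDOWS;propertyN;propertyV\\;test\\;1\\;2\n"
    "B2C3D4E5F6A1;;iOS;assetTag;ops-ios-07;\n"
    ";490154203237519;ANDROID;test.testé;value;\n"
    ";;ANDROID;assetTag;missing-ids\n"            # neither identifier: rejected
    "C3D4E5F6A1B2;;MACOS;assetTag;bad-family\n"   # unsupported family: rejected
)

if __name__ == "__main__":
    accepted, rejected = load_provisioning_file(SAMPLE_FILE.encode("utf-8"))
    for rec in accepted:
        print("OK ", format_record(rec))
    for lineno, reason in rejected:
        print(f"REJECT line {lineno}: {reason}")
```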

Shared devices

Endpoint Management lets you configure devices that multiple users can share. The shared devices feature lets, for example, clinicians in hospitals use any nearby device to access apps and data rather than having to carry around a specific device. You might also want shift workers in fields like law enforcement, retail, and manufacturing to share devices to reduce equipment costs.

Key points about shared devices

You can use any of the supported iOS and Android devices as shared devices. For a list of supported devices, see Supported device operating systems.

MDM mode

  • Available on both iOS and Android tablets and phones. Basic device enrollment program (DEP) enrollment is not supported for an Endpoint Management Enterprise shared device. Use an authorized DEP to enroll a shared device in this mode.
  • Authentication types not supported: Client certificate authentication, Citrix PIN, Touch ID, User Entropy, and two-factor authentication.

MDM+MAM mode

  • Available only on iOS and Android tablets.
  • Only Active Directory user name and password authentication is supported.
  • Client certificate authentication, passcode for Secure Hub, Touch ID, User Entropy, and two-factor authentication are not supported.
  • MAM-only mode is not supported. The devices must enroll in MDM.
  • Only Secure Mail, Secure Web, and the Citrix Files mobile app are supported. HDX apps are not supported.
  • Active Directory users are the only supported users. Local users and groups are not supported.
  • Re-enrollment is required for existing MDM-only shared devices to update to MDM+MAM mode.
  • Users can share Citrix mobile productivity apps and MDX-wrapped apps only; they cannot share native apps on the devices.
  • Once downloaded during first-time enrollment, Citrix mobile productivity apps are not downloaded again each time a new user signs on to the device. The new user can pick up the device, sign on, and get going.
  • On Android, to isolate each user’s data for security purposes, enable the Disallow rooted devices policy in the Endpoint Management console.

Prerequisites for enrolling shared devices

Before you can enroll shared devices, you must do the following:

Prerequisites for MDM+MAM mode

  1. Create an Active Directory group named something like Shared Device Enrollers.
  2. Add to this group the Active Directory users who you want to enroll shared devices. If you want a new account for this purpose, create a new Active Directory user (for example, sdenroll) and add that user to the Active Directory group.
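    The two prerequisite steps above, carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the Citrix documentation. The group name Shared Device Enrollers and the account name sdenroll come from the steps above; the OU path, the citrix.lab domain, and the interactive password prompt are assumptions to adjust for your environment.

    ```powershell
    # Added example (not Citrix's own script): create the Active Directory group and
    # dedicated enrollment account described in the MDM+MAM prerequisites.
    # Assumptions: the ActiveDirectory module is installed, the session has rights to
    # create objects in the OU below, and that OU already exists.
    Import-Module ActiveDirectory

    $GroupName = 'Shared Device Enrollers'                # name used in the Citrix steps
    $UserName  = 'sdenroll'                               # example account from the Citrix steps
    $OU        = 'OU=ServiceAccounts,DC=citrix,DC=lab'    # assumed OU; change for your domain
    $Upn       = "$UserName@citrix.lab"                   # assumed domain

    # Step 1: create the group as a global security group, only if it is missing,
    # so the script can be re-run safely.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global `
            -Path $OU -Description 'Users allowed to enroll Endpoint Management shared devices'
    }

    # Step 2: create a dedicated enrollment account. The password is read at the
    # prompt as a SecureString so it is never stored in the script or in history.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
        $Password = Read-Host -Prompt "Password for $UserName" -AsSecureString
        New-ADUser -Name $UserName -SamAccountName $UserName -UserPrincipalName $Upn `
            -Path $OU -AccountPassword $Password -Enabled $true `
            -Description 'Endpoint Management shared device enrollment account'
    }

    # Add the account to the group, skipping the call if it is already a member.
    $Members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
    if ($Members -notcontains $UserName) {
        Add-ADGroupMember -Identity $GroupName -Members $UserName
    }

    # Check the result before assigning the RBAC role to this group in the console:
    # the list should contain only the accounts you intend to enroll shared devices.
    Get-ADGroupMember -Identity $GroupName | Select-Object Name, SamAccountName, objectClass
    ```

    Keeping a separate account such as sdenroll for enrollment, rather than an administrator's own account, means the Shared Device Enrollment User role created in the next section is the only permission that account carries, and a selective wipe later removes exactly what that account provisioned.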

Configuring a shared device

Follow these steps to configure a shared device.

  1. From the Endpoint Management console, click the gear in the upper-right corner. The Settings page appears.
  2. Click Role-Based Access Control, then click Add. The Add Role screen appears.
  3. Create a shared-device enrollment user role named Shared Device Enrollment User with Shared devices enroller permissions under Authorized Access. Be sure to expand Devices in Console features and then select Selective Wipe device. This setting ensures that the apps and policies provisioned through the shared devices enroller account are deleted through Secure Hub, when the device is unenrolled.

    For Apply Permissions, keep the default setting, To all user groups, or assign permissions to specific Active Directory user groups with the To specific user groups option.

    Image of the Apply Permissions options

    Click Next to move to the Assignment screen. Assign the shared-device enrollment role you created to the Active Directory group you created for shared device enrollment users. In the following image, citrix.lab is the Active Directory domain and Shared Device Enrollers is the Active Directory group.

    Image of the Assignment screen

  4. Create a delivery group that contains the base policies, apps, and actions that you want to apply to the device when a user is not signed on. Then, associate that delivery group with the shared device enrollment user Active Directory group.

    Image of the delivery group settings

  5. Install Secure Hub on the shared device and enroll it in Endpoint Management using the shared device enrollment user account. You can now view and manage the device through the Endpoint Management console.

  6. To apply different policies or to provide more apps for authenticated users, you must create a delivery group associated with those users and deployed to shared devices only. When creating the groups, configure deployment rules to ensure that the packages are deployed to shared devices. For more information, see Deploy Resources.

  7. To stop sharing the device, perform a selective wipe to remove the shared device enrollment user account from the device. The selective wipe also removes any apps and policies deployed to the device.

Shared device user experience

MDM mode

Users see only the resources available to them, and they have the same experience on every shared device. The shared device enrollment policies and apps always remain on the device. When a user who isn’t enrolled in shared devices signs on to Secure Hub, that person’s policies and apps are deployed to the device. When that user signs off, the policies and apps that differ from those of the shared device enrollment are removed. The shared-device enrollment resources remain intact.

MDM+MAM mode

Secure Mail and Secure Web are deployed to the device when enrolled by the shared device enrollment user. User data is maintained securely on the device. The data is not exposed to other users when they sign on to Secure Mail or Secure Web.

Only one user at a time can sign on to Secure Hub. The previous user must sign off before the next user can sign on. For security reasons, Secure Hub does not store user credentials on shared devices, so users must enter their credentials each time they sign on. To ensure that a new user cannot access resources intended for the previous user, Secure Hub does not allow new users to sign on while the policies, apps, and data associated with the previous user are being removed.

Shared device enrollment doesn’t change the process for upgrading apps. You can push upgrades to shared-device users as always, and shared-device users can upgrade apps right on their devices.

  • For the best Secure Mail performance, set Max sync period based on the number of users who share the device. Allowing unlimited sync is not recommended.

    Number of users sharing device    Recommended max sync period
    21–25                             1 week or less
    6–20                              2 weeks or less
    5 or fewer                        1 month or less

  • Block Enable contact export to avoid exposing a user’s contacts to other users who share the device.

  • On iOS, only the following settings can be set per user. All other settings are common across users who share the device:

    • Notifications
    • Signature
    • Out of Office
    • Sync Mail Period
    • S/MIME
    • Check Spelling