Citrix Endpoint Management

Android for Workspace

Android for Workspace uses the Android Management API (AMAPI) provided by Google to manage Android devices. With Android for Workspace, users no longer need to enroll their devices through Secure Hub. Users enroll through the Citrix Workspace app, and they access all apps and content through Workspace.

Android for Workspace is available for Citrix Workspace enabled cloud deployments only. The initial release of Android for Workspace supports the work profile enrollment method only. With this enrollment method, devices have a work profile and a personal profile to separate corporate data from personal data. Work profiles and personal profiles are separated at an OS level. For more details about work profiles, see the Google help topic, What is a work profile.

This platform is separate from the Android Enterprise platform. Existing configurations for Android Enterprise aren’t compatible with Android for Workspace. If you already have Android Enterprise configured, you must create new versions of the following:

  • Google account
  • Delivery groups
  • Enrollment profiles
  • Device and app policies

Also, Android Enterprise users enrolled in Endpoint Management must re-enroll using the Citrix Workspace app.

If you want to use Android Enterprise without the AMAPI features, see Android Enterprise.


Before you start using Android for Workspace, you need:

  • Citrix Gateway Service

  • Accounts and credentials:

    • To set up Android for Workspace with managed Google Play, a corporate Google account
    • To download the latest MDX files, a Citrix customer account
  • To use Android for Workspace, devices must have the following:

    • Android 7 or later
    • Citrix Workspace app version

Getting started with Android for Workspace

Getting started path

One-time setup

Follow these steps to perform the initial setup of the Android for Workspace platform.

  1. Create a Google account. If you already have Android Enterprise set up, you must use a Google account with a different email address.

    See Using managed Google Play with Endpoint Management and Requirements.

  2. Bind your Google account to Endpoint Management.

    See Connecting Endpoint Management to Google Play.

  3. Create and configure enrollment profiles.

    See Creating enrollment profiles.

  4. Prepare to deliver MDX-enabled apps.

    Use the MAM SDK to develop apps.

    See MAM SDK overview.

Configure devices

  1. Create delivery groups. Existing delivery groups for Android Enterprise don’t deliver resources to Android for Workspace devices.

    Control who gets what resources and when they get them. See Deploy resources.

  2. Add apps. You can approve the apps in Google Play directly from the Endpoint Management console.

  3. Create enrollment profiles.

    Specify device and app management enrollment options. See Creating enrollment profiles.

  4. Configure device and app policies.

    Balance enterprise security with user privacy and user experience. See Configure Android for Workspace device and app policies.

  5. Distribute apps.


    Apps published for Android for Workspace have no deployment rules. Endpoint Management pushes new apps and policies to Android for Workspace devices every 30 minutes.

  6. Configure security actions to monitor and ensure compliance.

    See Security actions.

Using managed Google Play with Endpoint Management

When you integrate Endpoint Management with managed Google Play to use Android for Workspace, you create an enterprise. Google defines an enterprise as a binding between the organization and your enterprise mobile management (EMM) solution. All the users and devices that the organization manages through your solution belong to its enterprise.

An enterprise for Android for Workspace has two components: an EMM solution and a Google enterprise app platform. When you integrate Endpoint Management with Android for Workspace, the complete solution has these components:

  • Citrix Endpoint Management: The Citrix EMM. Endpoint Management is the unified endpoint management for a secure digital workspace. Endpoint Management provides the means for IT administrators to manage devices and apps for their organizations.
  • Managed Google Play: A Google enterprise app platform that integrates with Endpoint Management. The Google Play EMM API sets app policies and distributes app.

When you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use the apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

Because this type of enterprise is not tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise. Using different enterprises lets you manage separate sets of devices and apps.

For Endpoint Management administrators, managed Google Play combines the user experience and app store features of Google Play with a set of management capabilities designed for enterprises. You use managed Google Play to add, buy, and approve apps for deployment to the Android for Workspace workspace on a device. You can use Google Play to deploy public apps, private apps, and third-party apps.

For users of managed devices, managed Google Play is the enterprise app store. Users can browse apps, view app details, and install them. Unlike the public version of Google Play, users can only install apps from managed Google Play that you make available for them.

Connecting Endpoint Management to Google Play

To set up Android for Workspace for your organization, register Citrix as your EMM provider through managed Google Play. That setup connects managed Google Play to Endpoint Management and creates an enterprise for Android for Workspace in Endpoint Management.

You need a corporate Google account to sign in to Google Play.

  1. In the Endpoint Management console, go to Settings > Android for Workspace.

  2. Click Connect. Google Play opens.

    Android for Workspace connects to Google Play

  3. Sign in to Google Play with your corporate Google account credentials. Enter your organization name and confirm Citrix is your EMM provider.

  4. An enterprise ID is added for Android for Workspace. Your Enterprise ID appears in the Endpoint Management console.

    Android for Workspace enterprise ID

Your environment is connected to Google and is ready to manage devices. You can now provide apps for users.

Endpoint Management can provide users with Citrix mobile productivity apps, MDX apps, public app store apps, web and SaaS apps, enterprise apps, and web links. For more information on these types of apps and providing them to users, see Add apps.

Creating enrollment profiles

Enrollment profiles control how Android devices enroll if Android for Workspace in enabled for your Endpoint Management deployment. Configure the enrollment profile to enroll new and factory reset devices as Android for Workspace work profile devices. You can also configure each of these enrollment profiles to enroll BYOD Android devices as work profile devices.

Citrix Workspace is an MDM+MAM solution only. When a user enrolls in Endpoint Management through the Workspace app, they must agree to device management and app management.

The authentication method for Android for Workspace devices defaults to the authentication method set up for the Citrix Workspace app. Configuring an authentication method in the Endpoint Management console has no effect on these devices. See Choose or change authentication methods.

When you create enrollment profiles, you assign delivery groups to them. If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups. For more information, see Enrollment profiles.

Add an enrollment profile for work profile devices

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Enable Enrollment through Workspace app. Endpoint Management enables BYOD work profile and Citrix MAM automatically.

    Enrollment Profiles configuration screen

  6. Select Assignment (optional). The Delivery Group Assignment screen appears.

  7. Choose the delivery group or delivery groups containing the administrators who enroll fully managed devices with a work profile. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Enrollment Profiles page

Provisioning Android for Workspace BYOD work profile devices

Android for Workspace BYOD work profile devices are enrolled in profile owner mode. These devices do not need to be new or factory reset. Users download Citrix Workspace from Google Play and enroll their devices.

By default, Endpoint Management disables the USB Debugging and Unknown Sources settings on a device when you enroll the device in Android for Workspace as a work profile device.

When enrolling devices in Android for Workspace as work profile devices, always go to Google Play. From there, enable Citrix Workspace to appear in the user’s personal profile.

Configure Android for Workspace device and app policies

For an overview of the policies controlled at both the device and app levels, see Supported device policies and MDX policies for Android Enterprise.

What to know about policies:

  • Device restrictions: Dozens of device restrictions let you control features such as:

    • Use of the device camera
    • Use of copy and paste between work and personal profiles
  • Per-app VPN: Use the Managed configurations device policy to configure VPN profiles for Android for Workspace.

Device policies

The following is a list of device policies available for Android for Workspace.

Security actions

Android for Workspace supports the following security actions. For a description of each security action, see Security actions.

  • Full Wipe
  • Locate
  • Lock
  • Notify (Ring)
  • Selective Wipe

The locate security action fails unless the Location device policy sets the location mode for the device to High Accuracy or Battery Saving. See Location device policy.

Unenroll an Android for Workspace enterprise

If you no longer want to use your Android for Workspace enterprise, you can unenroll the enterprise.


After you unenroll an enterprise, apps on devices already enrolled through the enterprise reset to their default states. Google no longer manages the devices. If you enroll into a new Android for Workspace enterprise, you must approve apps for the new organization from managed Google Play. You can then update the apps from the Endpoint Management console.

After you unenroll the Android for Workspace enterprise:

  • Devices and users enrolled through the enterprise have the apps reset to their default state. Managed Configurations policies previously applied no longer affect operations.
  • Endpoint Management manages devices enrolled through the enterprise. From the perspective of Google, those devices are unmanaged. You can’t add new apps. You can’t apply Managed configurations policies. You can apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
  • If you attempt to enroll devices in Android for Workspace, they are enrolled as Android devices, not Android for Workspace devices.

Unenroll an Android for Workspace enterprise using the Endpoint Management server console and Endpoint Management Tools.

When you perform this task, Endpoint Management opens a Tools popup window. Before you begin, ensure that your browser has permission to open popup windows. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the Endpoint Management site to the popup allow list.

To unenroll an Android for Workspace enterprise:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android for Workspace.

  3. Click Unenroll.

    Unenroll option

User experience

Users on the Android for Workspace platform enroll their devices through the Citrix Workspace app. Once users enroll, they access apps and corporate data through the Workspace app.

For information about setting up the Citrix Workspace app, see Citrix Workspace app for Android.

For information about enrollment and setting up the app on user devices, see About Citrix Workspace app for Android in the user help documentation.

Known limitations

  • Google doesn’t support the following features with Android for Workspace. Any policy that affects these features doesn’t apply to these devices and mobile productivity apps won’t allow users to access the functionality.
    • Calendar widget
    • Calendar synchronization with personal profile
    • Cross profile contacts
  • End users need to import certificate authority (CA) certificates manually. Endpoint Management doesn’t push the CA certificates to the device.
  • URLs inside Secure Mail don’t automatically open in Secure Web. Users need to choose Open-In App and select Secure Web.
  • All DNS servers configured in your Citrix Gateway connector must be able to resolve all fully qualified domain names (FQDN). If the DNS servers can’t resolve all FQDNs, URLs may fail to load in Secure Web.
  • Secure Web may show a blank screen when launched. If this happens, open the Citrix Workspace app, authenticate, and launch Secure Web again.
  • Intranet websites may fail to load in Secure Web. If this occurs, configure a Web SaaS app in the Citrix Cloud app library for that URL.
  • Apps prepared using the MAM SDK may not show as managed. If this occurs, launch the Citrix Workspace App and open the apps from there.