Android OS


This article doesn’t apply to devices that are managed with Android Enterprise, Samsung KNOX, Samsung SAFE, or Samsung SEAMS. For information about those devices, see other articles in this section.

Endpoint Management also supports Android OS devices that aren’t managed through an Android or Samsung enterprise program. To control how and when Android devices connect to the Endpoint Management service, use Firebase Cloud Messaging (FCM). For information, see Firebase Cloud Messaging.

Endpoint Management enrolls Android devices into MDM+MAM or MDM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication types for Android devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, see

A general workflow for starting Android device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Android device policies.

  4. Enroll Android devices.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Android devices:

Method Supported
Bulk enrollment No
Manual enrollment Yes
Enrollment invitations Yes

Configure Android device policies

Use these policies to configure how Endpoint Management interacts with devices running Android. This table lists all device policies available for Android devices.

APN App Access App Inventory
App Lock App Uninstall Credentials
Endpoint Management Options Endpoint Management Uninstall Exchange for Android HTC
Exchange for Android TouchDown Files Launcher Configuration
Location Passcode Restrictions
Scheduling Store Terms and Conditions
Tunnel VPN Webclip

Enroll Android devices

  1. Go to the Google Play store on your Android device, download the Citrix Secure Hub app, and then tap the app.
  2. When prompted to install the app, click Next and then click Install.
  3. After Secure Hub installs, tap Open.
  4. For devices running Android 6.0 and greater, accept the required permissions:

    • Allow Secure Hub to make and manage phone calls? (required)
    • Allow Secure Hub to access photos, media, and files on your device? (required)
    • Allow Secure Hub to access this devices’s location? (optional)
  5. Enter your corporate credentials, such as your Endpoint Management server name, User Principal Name (UPN), or email address. Then, click Next.
  6. For devices in MDM+MAM mode, choose how to enroll your device:

    • To enroll in MDM+MAM mode, tap Yes, enroll.
    • To enroll in MAM-only mode, tap No.
  7. In the Activate device administrator screen, tap Activate.
  8. Enter your corporate password and then tap Sign On.
  9. Depending on the way Endpoint Management is configured, you might be asked to create a Citrix PIN. You can use the PIN to sign on to Secure Hub and other Endpoint Management-enabled apps, such as Secure Mail and Citrix Files. You enter your Citrix PIN twice. On the Create Citrix PIN screen, enter a PIN.
  10. Reenter the PIN. Secure Hub opens. You can then access the app store to view the apps you can install on your Android device.
  11. If you configured Endpoint Management to push apps to devices automatically after enrollment, users are prompted to install the apps. In addition, policies that you configure in Endpoint Management are deployed to the device. Tap Install to install the apps.

To unenroll and reenroll an Android device

Users can unenroll from within Secure Hub. When users unenroll by using the following procedure, the device still appears in the device inventory in the Endpoint Management console. You cannot perform actions on the device, however. For example, you cannot track the device or monitor device compliance.

  1. Tap to open the Secure Hub app.

  2. Depending on whether you have a phone or a tablet, do the following:

    On a phone:

    • Swipe from the left of the screen to open a settings pane.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

    On a tablet:

    • Tap the arrow next to your email address on the upper-right corner.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

  3. In the Delete Account? window, tap Yes, delete. Secure Hub unenrolls your device. Follow the on-screen instructions to re-enroll your device.

Security actions

Android supports the following security actions. For a description of each security action, see Security actions.

App Lock App Wipe Certificate Renewal
Full Wipe Locate Lock
Lock and Reset Password Notify Revoke
Selective Wipe    


For devices running Android 6.0 and greater, the Locate security action requires the user to grant Location permission during enrollment. The user can opt not to grant Location permission. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permission when sending the Locate command.