Android OS

Note:

This article doesn’t apply to devices that are managed with Android Enterprise, Samsung KNOX, Samsung SAFE, or Samsung SEAMS. For information about those devices, see other articles in this section.

Endpoint Management also supports Android OS devices that aren’t managed through an Android or Samsung enterprise program. To control how and when Android devices connect to the Endpoint Management service, use Firebase Cloud Messaging (FCM). For information, see Firebase Cloud Messaging.

Endpoint Management enrolls Android devices into MDM+MAM or MDM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication types for Android devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, see https://support.citrix.com/article/CTX215200.

A general workflow for starting Android device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Android device policies.

  4. Enroll Android devices.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Android devices:

Method Supported
Bulk enrollment No
Manual enrollment Yes
Enrollment invitations Yes

Add an Android device manually

If you wamt to add an Android or iOS device manually, such as for testing purposes, follow these steps.

  1. In the Endpoint Management console, click Manage > Devices. The Devices page appears.

    Image of Devices page

  2. Click Add. The Add Device page appears.

    Image of Add Device page

  3. Configure these settings:

    • Select platform: Click Android.
    • Serial Number: Type the device serial number.
    • IMEI/MEID: Optionally, type the device IMEI/MEID information.
  4. Click Add. The Devices table appears with the device added to the bottom of the list. To view and confirm the device details: Choose the device you added and then, in the menu that appears, click Edit.

    Note:

    When you select the check box next to a device, the options menu appears above the device list. When you click anywhere else in the list, the options menu appears on the right side of the listing.

    • LDAP configured

    • If using local groups and local users:

      • One or more local groups.

      • Local users assigned to local groups.

      • Delivery groups are associated with local groups.

    • If using Active Directory:

      • Delivery groups are associated with Active Directory groups.

      Image of Device Details list

  5. The General page lists device Identifiers, such as the serial number and other information for the platform type. For Device Ownership, select Corporate or BYOD.

    The General page also lists device Security properties, such as Strong ID, Lock Device, Activation Lock Bypass, and other information for the platform type. The Full Wipe of Device field includes the user PIN code. The user must enter that code after the device is wiped. If the user forgets the code, you can look it up here.

  6. The Properties page lists the device properties that Endpoint Management is to provision. This list shows any device properties included in the provisioning file used to add the device. To add a property, click Add and then select a property from the list. For valid values for each property, see the PDF Device property names and values.

    When you add a property, it initially appears under the category where you added it. After you click Next and then return to the Properties page, the property appears in the appropriate list.

    To delete a property, hover over the listing and then click the X on the right side. Endpoint Management deletes the item immediately.

  7. The remaining Device Details sections contain summary information for the device.

    • User Properties: Displays RBAC roles, group memberships, VPP accounts, and properties for the user. You can retire a VPP account from this page.
    • Assigned Policies: Displays the number of assigned policies including the number of deployed, pending, and failed policies. Provides the policy name, type and last deployed information for each policy.
    • Apps: Displays, for the last inventory, the number of installed, pending, and failed app deployments. Provides the app name, identifier, type, and other information. For a description of iOS and macOS inventory keys, such as HasUpdateAvailable, see Mobile Device Management (MDM) Protocol.
    • Media: Displays, for the last inventory, the number of deployed, pending, and failed media deployments.
    • Actions: Displays the number of deployed, pending, and failed actions. Provides the action name and time of the last deployment.
    • Delivery Groups: Displays the number of successful, pending, and failed delivery groups. For each deployment, provides the delivery group name and deployment time. Select a delivery group to view more detailed information, including status, action, and channel or user.
    • iOS Profiles: Displays the last iOS profile inventory, including name, type, organization, and description.
    • iOS Provisioning Profiles: Displays enterprise distribution provisioning profile information, such as the UUID, expiration date, and managed status.
    • Certificates: Displays, for valid, expired, or revoked certificates, information such as the type, provider, issuer, serial number, and the number of remaining days before expiration.
    • Connections: Displays the first connection status and the last connection status. Provides for each connection, the user name, penultimate (next to last) authentication time, and last authentication time.
    • MDM Status: Displays information such as the MDM status, last push time, and last device reply time.

Configure Android device policies

Use these policies to configure how Endpoint Management interacts with devices running Android. This table lists all device policies available for Android devices.

     
APN App Access App Inventory
App Lock App Uninstall Credentials
Endpoint Management Options Endpoint Management Uninstall Exchange for Android HTC
Files Launcher Configuration Location
Passcode Restrictions Scheduling
Store Terms and Conditions Tunnel
VPN Webclip WiFi

Enroll Android devices

  1. Go to the Google Play store on your Android device, download the Citrix Secure Hub app, and then tap the app.
  2. When prompted to install the app, click Next and then click Install.
  3. After Secure Hub installs, tap Open.
  4. For devices running Android 6.0 and greater, accept the required permissions:

    • Allow Secure Hub to make and manage phone calls? (required)
    • Allow Secure Hub to access photos, media, and files on your device? (required)
    • Allow Secure Hub to access this devices’s location? (optional)
  5. Enter your corporate credentials, such as your Endpoint Management server name, User Principal Name (UPN), or email address. Then, click Next.
  6. For devices in MDM+MAM mode, choose how to enroll your device:

    • To enroll in MDM+MAM mode, tap Yes, enroll.
    • To enroll in MAM-only mode, tap No.
  7. In the Activate device administrator screen, tap Activate.
  8. Enter your corporate password and then tap Sign On.
  9. Depending on the way Endpoint Management is configured, you might be asked to create a Citrix PIN. You can use the PIN to sign on to Secure Hub and other Endpoint Management-enabled apps, such as Secure Mail and Citrix Files. You enter your Citrix PIN twice. On the Create Citrix PIN screen, enter a PIN.
  10. Reenter the PIN. Secure Hub opens. You can then access the app store to view the apps you can install on your Android device.
  11. If you configured Endpoint Management to push apps to devices automatically after enrollment, users are prompted to install the apps. In addition, policies that you configure in Endpoint Management are deployed to the device. Tap Install to install the apps.

To unenroll and reenroll an Android device

Users can unenroll from within Secure Hub. When users unenroll by using the following procedure, the device still appears in the device inventory in the Endpoint Management console. You cannot perform actions on the device, however. For example, you cannot track the device or monitor device compliance.

  1. Tap to open the Secure Hub app.

  2. Depending on whether you have a phone or a tablet, do the following:

    On a phone:

    • Swipe from the left of the screen to open a settings pane.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

    On a tablet:

    • Tap the arrow next to your email address on the upper-right corner.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

  3. In the Delete Account? window, tap Yes, delete. Secure Hub unenrolls your device. Follow the on-screen instructions to re-enroll your device.

Security actions

Android supports the following security actions. For a description of each security action, see Security actions.

     
App Lock App Wipe Certificate Renewal
Full Wipe Locate Lock
Lock and Reset Password Notify Revoke
Selective Wipe    

Note:

For devices running Android 6.0 and greater, the Locate security action requires the user to grant Location permission during enrollment. The user can opt not to grant Location permission. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permission when sending the Locate command.