Citrix Endpoint Management

Firebase Cloud Messaging

Note:

Firebase Cloud Messaging (FCM) was previously known as Google Cloud Messaging (GCM). Some Citrix Endpoint Management console labels and messages use the GCM terminology.

Citrix recommends that you use Firebase Cloud Messaging (FCM) to control how and when Android devices connect to Citrix Endpoint Management. Citrix Endpoint Management, when configured for FCM sends connection notifications to Android devices that are enabled for FCM. Any security action or deploy command triggers a push notification to prompt the user to reconnect to the Citrix Endpoint Management server.

After you complete the configuration steps in this article and a device checks in, the device registers with the FCM service in Citrix Endpoint Management. That connection enables near real-time communication from your Citrix Endpoint Management service to your device by using FCM. FCM registration works for new device enrollments and previously enrolled devices.

When Citrix Endpoint Management needs to start a connection to the device, it connects to the FCM service. Then, the FCM service notifies the device to connect. This type of connection is similar to what Apple uses for its Push Notification Service.

Prerequisites

  • Latest Citrix Secure Hub client
  • Google developer account credentials
  • Google Play services installed on FCM-enabled Android devices

Firewall ports

  • Open port 443 on Citrix Endpoint Management to fcm.googleapis.com and Google.com.
  • Open outgoing Internet communication for device Wi-Fi on ports 5228, 5229, and 5230.
  • To allow outgoing connections, FCM recommends adding ports 5228 through 5230 to an allow list, with no IP restrictions. However, if you require IP restrictions, FCM recommends adding all the IP addresses in the IPv4 and IPv6 blocks to an allow list. Those blocks are listed in the Google ASN of 15169. Update that list monthly.

For more information, see Port requirements.

Architecture

This diagram shows the communication flow for FCM in the external and internal network.

The FCM architecture

To configure your Google account for FCM

  1. Sign in to the following URL using your Google developer account credentials:

    https://console.firebase.google.com/

  2. Click Add project.

    The Create a project option

  3. After you create the project, click Project settings.

    The Project settings option

  4. Click the Cloud Messaging tab. Verify that the Firebase Cloud Messaging API is enabled and click Manage Service Accounts.

    The Cloud Messaging tab

  5. Copy the values from the Key and OAuth 2 Client ID fields. If you don’t have a key listed, click the ellipsis under Actions to add a key.

    Google Cloud service accounts

For steps to set up an FCM client app on Android, see this Google Developers Cloud Messaging article: https://firebase.google.com/docs/cloud-messaging/android/client.

To configure Citrix Endpoint Management for FCM

In the Citrix Endpoint Management console, go to Settings > Firebase Cloud Messaging.

  • Edit API key, and type the Firebase Cloud Messaging Key that you copied in the last step of the Firebase Cloud Messaging configuration.

  • Edit Sender ID, and type the OAuth 2 Client ID value you copied in the previous procedure.

The Sender ID value entry

To test your configuration

  1. Enroll an Android device.

  2. Leave the device idle for some time, so that it disconnects from Citrix Endpoint Management.

  3. From the Citrix Endpoint Management console, click Manage, select the Android device, and then click Secure.

    The Secure Android device option

  4. Under Device Actions, click Selective Wipe.

    The Selective Wipe option

    In a successful configuration, selective wipe occurs on the device.

Firebase Cloud Messaging