Citrix Endpoint Management

Enroll Apple devices in bulk

You can enroll large numbers of iOS, iPadOS, and macOS devices in Citrix Endpoint Management in two ways:

  • Use the Apple Deployment Programs (ADP) to enroll Apple devices that you buy directly from Apple or from a participating Apple Authorized Reseller or a carrier.

    For more information about deploying ADP-enabled devices, see Deploy devices through the Apple Deployment Programs. This article describes how users enroll ADP-enabled devices and how to reenroll the devices.

  • Use Apple Configurator 2 to enroll iOS devices regardless of whether you buy them directly from Apple.

This article describes how to deploy devices in bulk using Apple Configurator 2.

About bulk enrollment

The ADPs include Apple Business Manager (ABM) for business and Apple School Manager (ASM) for education. Bulk enrollment through the ADPs features the following:

  • You don’t have to touch or prepare the devices.
  • After you complete deployment settings in Citrix Endpoint Management, you can give the devices to users who can start using them right away.
  • You can simplify the setup process for users by eliminating some of the Setup Assistant steps.
  • For more information about setting up ABM and ASM, see the documentation available from Apple Business Manager and Apple School Manager.

Bulk enrollment through Apple Configurator 2 features the following:

  • You attach iOS devices to a Mac running macOS 10.7.2 or later and the Apple Configurator 2 app. You prepare the iOS devices and configure policies through Apple Configurator 2.
  • Devices automatically enroll in Citrix Endpoint Management during the setup process. Once setup is completed, Citrix Endpoint Management pushes policies, apps, and other resources to devices. You can then start managing the devices.
  • For more information about using Apple Configurator 2, see the Apple Configurator Help.

How users enroll ADP-enabled devices

Users enroll their devices in Citrix Endpoint Management as follows:

  1. Users start their device.

  2. Citrix Endpoint Management delivers the ADP settings that you configured on the Settings > Apple Deployment Programs page to the device.

  3. Users configure the initial settings on their device.

  4. The device automatically starts the Citrix Endpoint Management device enrollment process.

  5. If you integrate Citrix Endpoint Management with Citrix Workspace, the Deployment Program deployment package includes the Citrix Workspace app as a required app. In that case, Citrix Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Citrix Endpoint Management.

  6. Users continue to configure the other initial settings on their device.

  7. In the home screen, users might be prompted to sign in to the Apple App Store so that they can download Citrix Secure Hub.


    This step is optional if you configure Citrix Endpoint Management to deploy the Citrix Secure Hub app using the device-based volume purchase app assignment. In this case, you don’t need to create an Apple App Store account or use an existing account.

  8. Users open Citrix Secure Hub and type their credentials. If required by the policy, users might be prompted to create and verify a Citrix PIN.

    Citrix Endpoint Management deploys any remaining required apps to the device.

Reenroll the ADP-enabled devices

ADP-enabled devices enroll from a factory reset condition. To reenroll an ADP-enabled device, you must first complete a full wipe to unenroll the device. Detailed steps are as follows:

  1. On the Manage > Devices page, select the device.
  2. Click Security.
  3. Click Full Wipe to unenroll the device to the factory reset condition.
  4. Start the device.


Do not use Selective Wipe to unenroll an ADP-enabled device, because ADP enrollment requires the device to be in the factory reset condition.

Deploy devices using Apple Configurator 2

You can use Apple Configurator 2 to deploy large numbers of devices with settings, apps, and data and enroll these devices in Citrix Endpoint Management.

Step 1: Configure settings in Citrix Endpoint Management

  1. In the Citrix Endpoint Management console, go to Settings > Apple Configurator Device Enrollment.

  2. Set Enable Apple Configurator device enrollment to Yes.

  3. Copy the Enrollment URL to enter in Apple Configurator setting and paste this URL when you configure settings in Apple Configurator 2. This setting provides the URL for the Citrix Endpoint Management server that communicates with Apple. The enrollment URL is the Citrix Endpoint Management server fully qualified domain name (FQDN), such as, or the IP address.

  4. To prevent unknown devices from enrolling, set Require device registration before enrollment to Yes. Note: If this setting is Yes, you must add the configured devices to Manage > Devices in Citrix Endpoint Management manually or through a CSV file before enrollment.

  5. To require users of iOS devices to enter their credentials when enrolling, set Require credentials for device enrollment to Yes. The default is No.


    If the Citrix Endpoint Management server is using a trusted SSL certificate, skip this step. Click Export anchor certs and save the certchain.pem file to the macOS keychain (login or System).
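Before you add certchain.pem to a keychain, confirm what the exported file contains. The following script is an added example, not Citrix or Apple code: the function names and the pins file (one SHA-256 fingerprint per line, obtained from the server administrator out of band) are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: check an exported anchor bundle before trusting it in a keychain.

# Split a PEM bundle into one file per certificate in directory $2; print the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# SHA-256 fingerprint of one PEM certificate as lower-case hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if the bundle holds at least one certificate, no private key,
# nothing expired, and every fingerprint appears in the pins file ($2).
verify_chain() {
  bundle="$1"; pins="$2"; rc=0
  if grep -q 'PRIVATE KEY-----' "$bundle"; then
    echo "REJECT: bundle contains a private key" >&2; return 1
  fi
  tmp=$(mktemp -d) || return 1
  count=$(split_chain "$bundle" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "REJECT: no certificates found" >&2; rm -rf "$tmp"; return 1
  fi
  for f in "$tmp"/cert-*.pem; do
    fp=$(cert_fingerprint "$f")
    [ -n "$fp" ] || { echo "REJECT: unparsable certificate $f" >&2; rc=1; continue; }
    openssl x509 -in "$f" -noout -subject -enddate   # shown for human review
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null ||
      { echo "REJECT: expired certificate $fp" >&2; rc=1; }
    grep -qixF "$fp" "$pins" ||
      { echo "REJECT: fingerprint not pinned: $fp" >&2; rc=1; }
  done
  rm -rf "$tmp"
  return "$rc"
}

# Usage (file names are placeholders): verify_chain certchain.pem pinned-fingerprints.txt
```

Import the file into the login or System keychain only when the script exits with status 0 and the printed subjects match the Citrix Endpoint Management server you expect.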

Step 2: Configure settings in Apple Configurator 2

  1. Prepare a Mac that runs macOS 10.7.2 or later and has Apple Configurator 2 installed.

  2. Use a Dock Connector-to-USB cable to connect Apple devices to the Mac. You can configure up to 30 connected devices simultaneously. If you do not have a Dock Connector, use one or more powered USB 2.0 high-speed hubs to connect the devices.

  3. Start Apple Configurator 2. The configurator shows any devices that you can prepare for supervision.

  4. To prepare a device for supervision:

    • Select Supervise devices if you intend to maintain control of the device by reapplying a configuration regularly. Click Next.


      Placing a device into Supervised mode installs the selected version of iOS on the device, completely wiping the device of any previously stored user data or apps.

    • In iOS, click Latest for the latest version of iOS that you want to install.

  5. In Enroll in MDM Server, choose an MDM server. To add a server, click Next.

  6. In Define an MDM server, provide a name for the server and paste the MDM server URL from the Citrix Endpoint Management console.

  7. In Assign to organization, choose an organization to supervise the device.

    For more information on preparing devices with Apple Configurator 2, see the Apple Configurator help page, Prepare devices.

  8. As each device is prepared, turn it on to start the iOS Setup Assistant, which prepares the device for first-time use.

Add devices to ABM or ASM using Apple Configurator 2

You can add iPhone, iPad, and Apple TV devices to your ABM or ASM account using Apple Configurator 2 regardless of where the devices were bought. After you add devices, they appear in the Devices section. These devices no longer include enrollment settings assigned through Apple Configurator 2. For more information, see the Apple Business Manager User Guide or Apple School Manager User Guide.

Renew the ADP token

Citrix Endpoint Management displays a license expiration warning when your ADP token expires. Replace the token from ASM or ABM.

Step 1: Download a public key from your Citrix Endpoint Management server

  1. In the Citrix Endpoint Management console, go to Settings > Apple Deployment Program to download a new public key.

Step 2: Create and download a server token file from your Apple account

  1. Sign in to ABM to download the token.

  2. Open Settings and select the server from which you need a token. Click Edit.

  3. Under MDM Server Settings, upload the new public key you downloaded from Citrix Endpoint Management and save the changes.

  4. Click Download Token to download the new token.

Step 3: Upload a server token file in Citrix Endpoint Management

  1. In Citrix Endpoint Management, go to Settings > Apple Deployment Program.

  2. Select the Deployment Program account, click Edit, and upload your server token file.

  3. Click Next and save the changes.