Citrix Endpoint Management


To manage macOS devices in Citrix Endpoint Management, you set up an Apple Push Notification service (APNs) certificate from Apple. For information, see APNs certificates.

Citrix Endpoint Management enrolls macOS devices into MDM. Citrix Endpoint Management supports the following enrollment authentication types for macOS devices in MDM.

  • Domain
  • Domain plus one-time password
  • Invitation URL plus one-time password

Requirements for trusted certificates in macOS 15:

Apple has new requirements for TLS server certificates. Verify that all certificates follow the new Apple requirements. See the Apple publication, For help with managing certificates, see Upload certificates.

A general workflow for starting macOS device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure macOS device policies.

  4. Enroll macOS devices.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Apple host names that must remain open

Some Apple host names must be open to make sure proper operation of iOS, macOS, and Apple App Store. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see

Supported enrollment methods

The following table lists the enrollment methods that Citrix Endpoint Management supports for macOS devices:

Method Supported
Apple Deployment Program Yes
Apple School Manager Yes
Apple Configurator No
Manual enrollment Yes
Enrollment invitations Yes

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program to use the Apple Deployment Program for device enrollment and management in Citrix Endpoint Management. That program is for iOS, macOS, and Apple TV devices. See Deploy devices through Apple Deployment Program.

For education accounts, you create an Apple School Manager account. Apple School Manager unifies the Deployment Program and Volume Purchase. Apple School Manager is a type of Education Apple Deployment Program. See Integrate with Apple Education features.

You can use the Apple Deployment Program to bulkly enroll iOS, macOS, and Apple TV devices. You can buy those devices directly from Apple, a participating Apple Authorized Reseller, or a carrier.

Configure macOS device policies

Use these policies to configure how Citrix Endpoint Management interacts with devices running macOS. This table lists all device policies available for macOS devices.

AirPlay mirroring App inventory App uninstall
Calendar (CalDAV) Contacts (CardDAV) Credentials
Device name Exchange FileVault
Firewall Font Import iOS & macOS profile
LDAP Mail Network
OS update Passcode Profile removal
Restrictions SCEP VPN
Web clip    

Enroll macOS devices

Citrix Endpoint Management provides two methods to enroll devices that are running macOS. Both methods enable macOS users to enroll over the air, directly from their devices.

  • Send users an enrollment invitation: This enrollment method enables you to set any of the following enrollment security modes for macOS devices:

    • User name + password
    • User name + PIN
    • Two-factor authentication

    When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

  • Send users an enrollment link: This enrollment method for macOS devices sends users an enrollment link, which they can open in Safari or Chrome browsers. A user then enrolls by providing their user name and password.

    To prevent the use of an enrollment link for macOS devices, set the server property Enable macOS OTAE to false. As a result, macOS users can enroll only by using an enrollment invitation.

Send macOS users an enrollment invitation

  1. Add an invitation for macOS user enrollment. See Enrollment invitations.

  2. After users receive the invitation and click the link, the following screen appears in the Safari browser. Citrix Endpoint Management fills in the user name. If you chose Two Factor for the enrollment security mode, another field appears.

    Safari browser root certificate message

  3. Users install certificates as necessary. Whether users see the prompt to install certificates depends on whether you configured the following for macOS: A publicly trusted SSL certificate and a publicly trusted digital signing certificate. For information about certificates, see Certificates and authentication.

  4. Users provide the requested credentials.

    The Mac device policies install. You can now start managing macOS devices with Citrix Endpoint Management just as you manage mobile devices.

  1. Send the enrollment link https://serverFQDN:8443/instanceName/macos/otae, which users can open in Safari or Chrome browsers.

    • serverFQDN is the fully qualified domain name (FQDN) of the server running Citrix Endpoint Management.
    • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
    • The instanceName, often shown as zdm, is the name specified during server installation.

    For more information about sending installation links, see To send an installation link.

  2. Users install certificates as necessary. If you configured a publicly trusted SSL certificate and digital signing certificate for iOS and macOS, users see the prompt to install the certificates. For information about certificates, see Certificates and authentication.

  3. Users sign on to their Macs.

    The Mac device policies install. You can now start managing macOS devices with Citrix Endpoint Management just as you manage mobile devices.

Security actions

macOS supports the following security actions. For a description of each security action, see Security actions.

Revoke Lock Selective Wipe
Full Wipe Certificate renewal Rotate personal recovery key

Lock macOS devices

You can remotely lock a lost macOS device. Citrix Endpoint Management locks the device. It then generates a PIN code and sets it in the device. To access the device, the user types the PIN code. Use Cancel Lock to remove the lock from the Citrix Endpoint Management console.

You can use the Passcode device policy to configure more settings associated with the PIN code. For more information, see macOS settings.

  1. Click Manage > Devices. The Devices page appears.

    The Device page

  2. Select the macOS device that you want to lock.

    Select the checkbox next to a device to show the options menu above the device list. You can also click anywhere else on a listed item to show the options menu on the right side of the list.

    The options menu

    The options menu

  3. In the options menu, click Secure. The Security Actions dialog box appears.

    The Security Actions dialog box

  4. Click Lock. The Security Actions confirmation dialog box displays.

    The Security Actions confirmation

  5. Click Lock Device.


You can also specify a passcode instead of using the code that Citrix Endpoint Management generates. The lock action fails if the code specified does not meet the code requirements of the device or existing work profile.

Bootstrap token

A bootstrap token assists with granting the SecureToken macOS attribute to accounts when you sign on to a macOS device. SecureToken passes down from one trusted account to another. SecureToken-enabled accounts can do cryptographic operations on the device. Without the bootstrap token, you need to follow complex workflows to create accounts on that device before adding individual user accounts.

Citrix Endpoint Management supports escrowing bootstrap tokens for macOS devices that are enrolled through the Apple Deployment Program. You use the Apple Deployment Program to enroll macOS devices that you buy directly from Apple, a participating Apple Authorized Reseller, or a carrier. For information about enrolling in the Apple Deployment Program, see Deploy devices through Apple Deployment Program.

Bootstrap tokens are generated during the Setup Assistant workflow. Specifically, they are generated during local user account creation. The Setup Assistant runs the first time users start their devices. The tokens are saved in the Citrix Endpoint Management database and not visible to you and end users. Deleting the devices from your Citrix Endpoint Management site deletes the tokens. Doing a factory reset doesn’t delete them.


  • macOS 11.0 or later
  • macOS devices that have the Apple T2 Security Chip
  • macOS devices enrolled through Apple Deployment Program

One benefit of escrowing bootstrap tokens with Citrix Endpoint Management is that remote accounts can be enabled for FileVault and able to unlock the FileVault volume. For information about FileVault, see FileVault device policy.