Citrix Endpoint Management

Windows Desktop and Tablet

Endpoint Management enrolls Windows 10 devices in MDM. Endpoint Management supports the following authentication types for Windows 10 devices enrolled in MDM:

  • Domain-based authentication
    • Active Directory
    • Azure Active Directory
  • Identity providers:
    • Azure Active Directory
    • Citrix identity provider

For more information about the supported authentication types, see Certificates and authentication.

A general workflow for starting Windows 10 device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

    If you plan to enroll Windows devices using the AutoDiscovery service, you must configure the Citrix AutoDiscovery service. Request Citrix Technical Support for assistance. For more information, see Request AutoDiscovery for Windows devices.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Windows Desktop and Tablet device policies.

  4. Users enroll Windows 10 devices.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

You specify how to manage Windows 10 devices in enrollment profiles. Two options are available:

  • Fully managed (MDM enrollment)
  • Do not manage devices (no MDM enrollment)

To configure enrollment settings for Windows 10 devices, go to Configure > Enrollment Profiles > Windows. For more information about enrollment profiles, see Enrollment profiles.

Enrollment Profile page for Windows

The following table lists the enrollment methods that Endpoint Management supports for Windows 10 devices:

Method                              Supported
Azure Active Directory enrollment   Yes
Citrix Workspace app enrollment     Yes
AutoDiscovery service enrollment    Yes
Windows bulk enrollment             Yes
Manual enrollment                   Yes
Enrollment invitations              No

Note:

  • Manual enrollment requires users to enter a fully qualified domain name (FQDN) of the Endpoint Management server. We do not recommend using manual enrollment. Instead, use other methods to simplify the enrollment process for users.
  • You cannot send enrollment invitations to Windows devices. Windows users enroll directly through their devices.

Configure Windows Desktop and Tablet device policies

Use these policies to configure how Endpoint Management interacts with desktop and tablet devices running Windows 10. This table lists all device policies available for Windows desktop and tablet devices.

  • App Configuration
  • App Inventory
  • App Lock
  • App Uninstall
  • Application Guard
  • BitLocker
  • Control OS Update
  • Credentials
  • Custom XML
  • Defender
  • Device Guard
  • Device Health Attestation
  • Exchange
  • Firewall
  • Kiosk
  • Office
  • Passcode
  • Restrictions
  • Store
  • Terms and Conditions
  • VPN
  • Web clip
  • Wi-Fi
  • Windows Agent
  • Windows Hello for Business
  • Windows GPO configuration
  • Windows Information Protection

Enroll Windows 10 devices through Azure Active Directory

Important:

Before users can enroll, you must configure Azure Active Directory (AD) settings in Azure and then configure Endpoint Management. For details, see Connect Endpoint Management to Azure AD.

Windows 10 devices can enroll with Azure as a federated means of AD authentication. This enrollment requires an Azure AD Premium subscription. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/devices/overview#license-requirements.

You can join Windows 10 devices to Microsoft Azure AD by using any of the following methods:

Enroll in MDM when joining Azure AD after configuring devices

  1. On a device, from the Start menu, navigate to Settings > Accounts > Access work or school and click Connect.

  2. In the Set up a work or school account dialog box, under Alternate actions, click Join this device to Azure Active Directory.

  3. Enter Azure AD credentials and click Sign in.

  4. Accept the terms and conditions that the organization requires.

    • If users click Decline, the device neither joins Azure AD nor enrolls in Endpoint Management.
  5. Click Join to proceed with the enrollment process.

  6. Click Done to complete the enrollment process.

Enroll in MDM when registering to Azure AD

  1. On a device, from the Start menu, navigate to Settings > Accounts > Access work or school and click Connect.

  2. In the Set up a work or school account dialog box, enter Azure AD credentials and click Sign in.

  3. Accept the terms and conditions that the organization requires. The device is registered to Azure AD and enrolls in Endpoint Management.

    • If users click Decline, the device is registered to Azure AD but not enrolled into Endpoint Management. There is no Info button on the account.
  4. Click Join to proceed with the enrollment process.

  5. Click Done to complete the enrollment process.

Enroll Windows 10 devices through Citrix Workspace app (Preview)

Endpoint Management supports automatically enrolling Windows 10 devices through Citrix Workspace app, so users can enroll supported Windows 10 devices from within the app.

Prerequisites:

  • Cloud-based deployment
  • Citrix Workspace app 1911 or later
  • Citrix Endpoint Management 20.1.0 or later
  • Citrix Endpoint Management integrated with Citrix Workspace

    For information about Endpoint Management integration with Citrix Workspace, see Integration with Citrix Workspace experience. For information about enabling Workspace integration for Endpoint Management in Citrix Cloud, see Endpoint Management in the Citrix Workspace documentation.

The following enrollment prompt appears when users enter their credentials to add a store in Citrix Workspace app:

Enrollment prompt on Citrix Workspace app for Windows

The enrollment prompt appears only when the following conditions are met:

  • The device is not MDM-enrolled.

  • The user is a member of the local administrators group on the endpoint.

  • An enrollment profile is present for Windows 10 devices.

Enroll Windows devices by using the AutoDiscovery service

To configure the AutoDiscovery service for Windows devices, request Citrix Technical Support for assistance. For more information, see Request AutoDiscovery for Windows devices.

Note:

For Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails for self-signed SSL certificates.

Users perform the following steps to complete the enrollment:

  1. On a device, from the Start menu, navigate to Settings > Accounts > Access work or school and click Enroll only in device management.

  2. In the Set up a work or school account dialog box, enter a corporate email address and click Next.

    To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). That step works around a known Microsoft limitation that applies when the built-in Device Management on Windows performs the enrollment. In the Connecting to a service dialog box, enter the user name and password associated with the local user. The device then discovers an Endpoint Management server and starts the enrollment process.

  3. Enter the credential and click Continue.

  4. In the Terms of use dialog box, agree to have the device managed and then click Accept.

Enrolling domain-joined Windows devices through the AutoDiscovery service fails if the domain policy disables MDM enrollment. Users can use either of the following methods instead:

  • Remove the devices from the domain, enroll, and then rejoin them.
  • Enter the FQDN of the Endpoint Management server to proceed.

Windows bulk enrollment

With Windows bulk enrollment, you can set up many devices for an MDM server to manage without the need to reimage devices. You use a provisioning package for bulk enrollment for Windows 10 Desktop and Laptop devices. For information, see Bulk enrollment of Windows devices.

Security actions

Windows 10 devices support the following security actions. For a description of each security action, see Security actions.

  • Locate
  • Lock
  • Reboot
  • Revoke
  • Selective Wipe
  • Wipe

Connect Endpoint Management to Azure AD

Windows 10 devices can enroll with Azure. Users created in Azure AD can have access to the devices. Endpoint Management is deployed in Microsoft Azure as an MDM service. Connecting Endpoint Management to Azure AD enables users to automatically enroll their devices into Endpoint Management when they enroll the devices into Azure AD.

To connect Endpoint Management to Azure AD, perform the following steps:

  1. In the Azure portal, navigate to Azure Active Directory > Mobility (MDM and MAM) > Add application and click On-premises MDM application.

  2. Provide a name for the application and click Add.

  3. Select the application you created, configure the following, and then click Save.

    • MDM user scope. Select All.
    • MDM terms of use URL. Enter in the format https://<Endpoint Management Enrollment FQDN>:8443/zdm/wpe/tou.
    • MDM discovery URL. Enter in the format https://<Endpoint Management Enrollment FQDN>:8443/zdm/wpe.
  4. Click On-premises MDM application settings.

    • In the Properties pane, set APP ID URI in the format https://<Endpoint Management Enrollment FQDN>:8443. This App ID URI is a unique ID that you cannot use again in any other app.
    • In the Required permissions pane, select Microsoft Graph and Windows Azure Active Directory.
    • In the Keys pane, create the authentication key. Click Save to view the key value. The key value appears only once. Save the key for later use. You need the key in step 7.
  5. In the Endpoint Management console, go to Settings > Identity Provider (IDP) and then click Add.

  6. On the Discovery URL page, configure the following and click Next.

    • IDP Name. Enter a unique name to identify the IdP connection that you are creating.
    • IDP Type. Select Azure Active Directory.
    • Tenant ID. The Directory ID in Azure. You see it when you navigate to Azure Active Directory > Properties in Azure.
  7. On the Win 10 MDM Info page, configure the following and click Next.

    • App ID URI. The APP ID URI value you typed in Azure.
    • Client ID. The Application ID you see in the Properties pane in Azure.
    • Key. The key value you created and saved in step 4 above.
  8. On the IDP Claims Usage page, configure the following and click Next.

    • User Identifier type. Select userPrincipalName.
    • User Identifier string. Enter ${id_token}.upn.
  9. Click Save.

  10. Add an Azure AD user as a local user and assign it to a local user group.

  11. Create a terms and conditions device policy and a delivery group that includes that local user group.
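An added pre-enrollment check, not Citrix or Microsoft code, that ties together the URL formats in steps 3 and 4 above and the AutoDiscovery note that the SSL listener certificate must be a public certificate: given the enrollment FQDN (a placeholder you supply), it prints the three Azure AD values in the page's format and reports whether the certificate on port 8443 is self-signed or fails to chain to a trusted root.

```powershell
# Added example, not Citrix code: pre-enrollment check for the Endpoint Management
# enrollment listener. The FQDN and port are parameters you supply (mdm.example.com
# is a placeholder).
param(
    [Parameter(Mandatory = $true)][string]$EnrollmentFqdn,  # e.g. mdm.example.com
    [int]$Port = 8443
)

# The URL formats this page gives for the Azure AD on-premises MDM application.
$urls = [ordered]@{
    'MDM terms of use URL' = "https://${EnrollmentFqdn}:${Port}/zdm/wpe/tou"
    'MDM discovery URL'    = "https://${EnrollmentFqdn}:${Port}/zdm/wpe"
    'App ID URI'           = "https://${EnrollmentFqdn}:${Port}"
}
$urls.GetEnumerator() | ForEach-Object { '{0,-21} {1}' -f $_.Key, $_.Value }

# Grab the listener certificate with a bare TLS handshake; no enrollment traffic is sent.
$tcp = [System.Net.Sockets.TcpClient]::new($EnrollmentFqdn, $Port)
try {
    # The callback returns $true only so the handshake completes; the chain is judged below.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($EnrollmentFqdn)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $ssl.Dispose()
} finally {
    $tcp.Dispose()
}

# Windows enrollment requires a publicly trusted (not self-signed) listener certificate.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk    = $chain.Build($cert)
$selfSigned = ($cert.Subject -eq $cert.Issuer)   # heuristic: issuer equals subject

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotAfter    = $cert.NotAfter
    SelfSigned  = $selfSigned
    ChainValid  = $chainOk
    ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
if ($selfSigned -or -not $chainOk) {
    Write-Warning 'Listener certificate is not publicly trusted; Windows enrollment will fail.'
}
```

Run it from a workstation that can reach the listener before asking users to enroll; a ChainStatus of anything other than NoError points at the certificate problem the AutoDiscovery note warns about.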

Device management when integrated with Workspace Environment Management

With Workspace Environment Management (WEM) alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two, WEM can access MDM features and you can manage a wider spectrum of Windows operating systems through Endpoint Management. That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.

MDM management isn’t a requirement for WEM integration. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.

For a list of the devices supported, see Operating System requirements.

Devices that receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.

For more information, see Windows GPO Configuration device policy.

BitLocker recovery key

Encrypting disks using BitLocker is a useful security feature. However, unlocking devices can be a challenge if the user loses their BitLocker recovery key. Endpoint Management can now automatically and securely save BitLocker recovery keys for users. Users can find their BitLocker recovery key on the Self-Help Portal. To enable and find the BitLocker recovery key:

  1. In the Endpoint Management console, navigate to Settings > Server Properties.
  2. Search for shp and enable the shp.console.enable feature. Ensure that enable.new.shp remains disabled. For more information on enabling the Self-Help Portal, see Configure Enrollment Modes.
  3. Navigate to Configure > Device policies. Find your BitLocker policy or create one and enable the BitLocker Recovery backup to Endpoint Management setting.

When unlocking their device, end users see a message asking them to enter their key. The message displays the Recovery key ID as well.

BitLocker recovery message

To find their BitLocker recovery key, users navigate to the Self-Help Portal.

  1. Under the General details, see the BitLocker Recovery Data.
    • Recovery key ID: The identifier for the BitLocker recovery key used to encrypt the disk. This ID must match the key ID given in the previous message.
    • Recovery key: The key the user must enter to unlock their disk. Enter this key at the unlock prompt.

BitLocker Recovery Key on the Self-Help Portal

For more information about the BitLocker device policy, see BitLocker device policy.
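An added audit script, not Citrix code, for the recovery key workflow above: it lists, per BitLocker volume, the recovery-password protectors (the kind the policy backs up to Endpoint Management) with their IDs in the same form the unlock screen shows as Recovery key ID, and warns when an encrypted volume has no such protector, meaning there is nothing for Endpoint Management to back up. It uses Microsoft's BitLocker module and must run elevated on the Windows 10 device.

```powershell
# Added example, not Citrix code: inventory BitLocker recovery-password protectors so an
# admin can confirm each encrypted volume has one and can match its ID to the
# "Recovery key ID" on the unlock screen and on the Self-Help Portal.
function Get-RecoveryKeyInventory {
    foreach ($vol in Get-BitLockerVolume) {
        # RecoveryPassword protectors are the 48-digit keys a user types at the unlock prompt.
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        foreach ($kp in $recovery) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                ProtectionStatus = $vol.ProtectionStatus
                VolumeStatus     = $vol.VolumeStatus
                # Strip the braces so the GUID matches what the unlock screen displays.
                RecoveryKeyId    = $kp.KeyProtectorId.Trim('{}')
                # Never log the key itself; only record whether it is present.
                HasRecoveryKey   = -not [string]::IsNullOrEmpty($kp.RecoveryPassword)
            }
        }
        if ($recovery.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            Write-Warning ("{0}: encrypted but has no RecoveryPassword protector; " +
                "nothing for Endpoint Management to back up." -f $vol.MountPoint)
        }
    }
}

Get-RecoveryKeyInventory | Format-Table -AutoSize
```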