Citrix Endpoint Management

Windows Phone


If you use Microsoft Endpoint Manager, this article doesn’t apply to your setup. See Citrix Endpoint Management integration with Microsoft Endpoint Manager.

Microsoft moved Windows Phone 8.1 devices to End of Support on July 11, 2017. Endpoint Management supports Windows Phone 8.1 devices for MDM enrollment only.

To manage Windows 10 Phone devices in Endpoint Management, configure the Citrix AutoDiscovery service. Request Citrix Technical Support for assistance. For more information, see Request AutoDiscovery for Windows devices.

Endpoint Management enrolls Windows 10 Phone devices into MDM. Endpoint Management supports the following authentication types for Windows Phone devices:

  • Domain-based authentication
    • Active Directory
    • Azure Active Directory
  • Identity providers:
    • Azure Active Directory
    • Citrix identity provider


A general workflow for starting Windows 10 Phone device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Windows Phone device policies.

  4. Enroll Windows Phone devices.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Windows Phone devices:

Method Supported
Azure Active Directory enrollment Yes
Windows bulk enrollment No
Manual enrollment Yes
Enrollment invitations No

Azure enrollment

Devices running Windows 10 Enterprise can enroll with Azure as a federated means of Active Directory authentication. This setup requires an Azure Active Directory Premium subscription.

You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:

  • Enroll in MDM as part of Azure AD Join setup the first time the device is powered on.
  • Enroll in MDM as part of Azure AD Join from the Windows Settings page after configuring the device.
  • Enroll in MDM as part of Azure AD Join when you add a work account on a personal device.

Before users can enroll, you must configure Azure Active Directory (AD) settings in Azure and then configure Endpoint Management. For details, see Connect Endpoint Management to Azure AD.

Configure Windows Phone device policies

Use these policies to configure how Endpoint Management interacts with phone devices running Windows 10. This table lists all device policies available for Windows 10 Phone devices.

App configuration App inventory App uninstall  
BitLocker Credentials Custom XML  
Device Health Attestation Enterprise Hub Exchange  
Maps Network Passcode  
Restrictions   Storage encryption Terms and Conditions
VPN Windows Hello for Business Windows Information Protection  

Enroll Windows Phone devices by using Azure Active Directory

  1. Sign on to a Windows Enterprise edition computer. Open Settings > Accounts > Access work or school and then click Connect.

  2. From Set up a work or school account, under Alternative actions, click Join this device to Azure Active Directory.

  3. Provide your Azure Active Directory credentials and then click Sign in.

  4. Accept the Terms and Conditions set by your organization.

  5. Click Join to proceed with the enrollment process.

  6. Click Done to complete the enrollment process.

Enroll Windows Phone devices

To enroll Windows Phone devices in Endpoint Management, users need their Active Directory or internal network email address, and password. If AutoDiscovery is not set up, users also need the server web address for the Endpoint Management server. Then, they follow this procedure on their devices to enroll.


If you plan to deploy apps through the Windows Phone company store: Before your users enroll, configure an Enterprise Hub device policy. In that policy, you upload a signing certificate from DigiCert and a signed Citrix Company Hub app.

  1. On the main screen of the Windows phone, tap the Settings icon.

  2. Depending on your version, either tap Accounts > Access work or school > Connect to work or school or tap Accounts > Work access > Enroll in to device management.

  3. On the next screen, enter an email address and password and then tap sign in.

    If AutoDiscovery is configured for your domain, the information requested in the next several steps is automatically populated. Proceed to the last step in this procedure.

    If AutoDiscovery is not configured for your domain, continue with the next step. To enroll as a local user, enter a non-existent email address with the correct domain name (for example, Using a non-existent address permits you to bypass a known Microsoft limitation. In the Connecting to a service screen, enter the user name and password associated with the local user.

  4. On the next screen, type the web address of the Endpoint Management server, such as: https://<xenmobile_server_fqdn>:<enrollment_port>/<instance_name>/wpe. For example,


    The port number must be the same port that you used for an iOS enrollment.

  5. If authentication is validated through a user name and domain, type the user name and domain and then tap sign in.

  6. If a message indicates a problem with the certificate, the error is the result of using a self-signed certificate. If the server is trusted, tap continue. Otherwise, tap Cancel.

  7. To force a connection to the server, tap the refresh icon. If the device does not manually connect to the server, Endpoint Management attempts to reconnect.

    Endpoint Management connects to the device every three minutes for five successive times, then every two hours afterward. You can alter this connection rate in the Windows WNS Heartbeat Interval located in Server properties.

    Once enrollment is complete, Secure Hub enrolls in the background. No indicator appears when the installation is complete. Tap Secure Hub from the All Apps screen.

Security actions

Windows 10 Phone devices support the following security actions. For a description of each security action, see Security actions.

Locate Lock Lock and Reset Password
Reboot Revoke Ring
Selective Wipe Wipe  
Windows Phone