If you use Microsoft Intune/EMS, this article doesn’t apply to your setup. See Citrix Endpoint Management integration with Microsoft Intune/EMS.
Microsoft moved Windows Phone 8.1 devices to End of Support on July 11, 2017. Endpoint Management supports Windows Phone 8.1 devices for MDM enrollment only.
To manage Windows 10 Phone devices in Endpoint Management, you can configure the Citrix AutoDiscovery Service. See Prepare to enroll devices and deliver resources.
Endpoint Management enrolls Windows 10 Phone devices into MDM mode. Endpoint Management supports the following authentication types for Windows Phone devices in MDM+MAM mode. For information, see the articles in the section, Certificates and authentication.
- Domain plus security token
- Client certificate
- Client certificate plus domain
- Identity providers:
  - Azure Active Directory
  - Citrix Identity provider
A general workflow for starting Windows 10 Phone device management is as follows:
Choose and configure an enrollment method. See Supported enrollment methods.
Set up device and app security actions. See Security actions.
For supported operating systems, see Supported device operating systems.
Supported enrollment methods
The following table lists the enrollment methods that Endpoint Management supports for Windows Phone devices:
|Method|Supported|
|---|---|
|Azure Active Directory enrollment|Yes|
|Windows bulk enrollment|No|
Devices running Windows 10 Enterprise can enroll with Azure as a federated means of Active Directory authentication. This setup requires an Azure Active Directory Premium subscription.
You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:
- Enroll in MDM as part of Azure AD Join setup the first time the device is powered on.
- Enroll in MDM as part of Azure AD Join from the Windows Settings page after configuring the device.
- Enroll in MDM as part of Azure AD Join when you add a work account on a personal device.
Before Windows device users can enroll by using Azure, you must configure the Microsoft Azure server settings in Endpoint Management. For details, see Single sign in with Azure Active Directory.
Configure Windows Phone device policies
Use these policies to configure how Endpoint Management interacts with phone devices running Windows 10. This table lists all device policies available for Windows 10 Phone devices.
Enroll Windows Phone devices by using Azure Active Directory
Sign on to a Windows Enterprise edition computer. Open Settings > Accounts > Access work or school and then click Connect.
From Set up a work or school account, under Alternative actions, click Join this device to Azure Active Directory.
Provide your Azure Active Directory credentials and then click Sign in.
Accept the Terms and Conditions set by your organization.
Click Join to proceed with the enrollment process.
Click Done to complete the enrollment process.
Enroll Windows Phone devices
To enroll Windows Phone devices in Endpoint Management, users need their Active Directory or internal network email address, and password. If AutoDiscovery is not set up, users also need the server web address for the Endpoint Management server. Then, they follow this procedure on their devices to enroll.
If you plan to deploy apps through the Windows Phone company store: Before your users enroll, configure an Enterprise Hub device policy. In that policy, you upload a signing certificate from DigiCert and a signed Citrix Company Hub app.
On the main screen of the Windows phone, tap the Settings icon.
Depending on your version, either tap Accounts > Access work or school > Connect to work or school or tap Accounts > Work access > Enroll in to device management.
On the next screen, enter an email address and password and then tap sign in.
If AutoDiscovery is configured for your domain, the information requested in the next several steps is automatically populated. Proceed to the last step in this procedure.
If AutoDiscovery is not configured for your domain, continue with the next step. To enroll as a local user, enter a non-existent email address with the correct domain name (for example, email@example.com). Using a non-existent address permits you to bypass a known Microsoft limitation. In the Connecting to a service screen, enter the user name and password associated with the local user.
On the next screen, type the web address of the Endpoint Management server, such as:
https://<xenmobile_server_fqdn>:<enrollment_port>/<instance_name>/wpe. For example,
The port number must be the same port that you used for an iOS enrollment.
If authentication is validated through a user name and domain, type the user name and domain and then tap sign in.
If a message indicates a problem with the certificate, the error is the result of using a self-signed certificate. If the server is trusted, tap continue. Otherwise, tap Cancel.
To force a connection to the server, tap the refresh icon. If the device does not manually connect to the server, Endpoint Management attempts to reconnect.
Endpoint Management connects to the device every three minutes for five consecutive times, then every two hours afterward. You can change this connection rate with the Windows WNS Heartbeat Interval setting in Server properties.
Once enrollment is complete, Secure Hub enrolls in the background. No indicator appears when the installation is complete. Tap Secure Hub from the All Apps screen.
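The certificate step in the procedure above leaves it to the user to decide whether the server is trusted. The following is an added example, not Citrix code: a help desk check that validates the enrollment URL format shown above and compares the SHA-256 thumbprint of the certificate the server presents with one the administrator has published. The host name, port, instance name and all function names are constructed for illustration.

```python
import hashlib
import ssl
from urllib.parse import urlsplit

# Constructed sample values; substitute your own server, port and instance.
SAMPLE_URL = "https://mdm.example.com:8443/myinstance/wpe"


def parse_enrollment_url(url):
    """Split https://<fqdn>:<port>/<instance_name>/wpe into its parts."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("enrollment URL must use https")
    if parts.hostname is None or parts.port is None:
        raise ValueError("enrollment URL needs an explicit host and port")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[1] != "wpe":
        raise ValueError("path must be /<instance_name>/wpe")
    return parts.hostname, parts.port, segments[0]


def fingerprint(der_bytes):
    """SHA-256 thumbprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def matches_published(der_bytes, published):
    """Compare with the thumbprint the administrator published.

    Accepts 'AA:BB:..', 'aa bb ..' or plain hex.
    """
    wanted = published.replace(":", "").replace(" ", "").lower()
    return fingerprint(der_bytes) == wanted


def fetch_presented_cert(host, port):
    """Return the DER certificate the server presents.

    The chain is deliberately not validated here (a self-signed certificate
    would fail validation); trust comes only from the thumbprint comparison.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def server_is_expected(url, published):
    """True only if the URL is well formed and the thumbprint matches."""
    host, port, _instance = parse_enrollment_url(url)
    return matches_published(fetch_presented_cert(host, port), published)
```

The published thumbprint has to reach the help desk through a channel other than the connection being checked, otherwise the comparison proves nothing.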
Windows 10 Phone devices support the following security actions. For a description of each security action, see Security actions.
|Locate|Lock|Lock and Reset Password|