Citrix Endpoint Management integration with Microsoft Intune/EMS

Endpoint Management integration with Microsoft Enterprise Mobility + Security (EMS)/Intune adds the Endpoint Management micro VPN capability to Microsoft Intune-aware apps, such as Microsoft Managed Browser.

Endpoint Management integration with EMS/Intune also allows enterprises to wrap their own line-of-business apps with Intune and Citrix. That wrapping provides micro VPN capabilities inside an Intune mobile app management (MAM) container. Endpoint Management micro VPN enables your apps to access on-premises resources. You can manage and deliver Office 365 apps, line of business apps, and Citrix Secure Mail in one container for ultimate security and productivity.

This release supports the following use cases:

  • Intune MAM
  • Intune MAM and Intune mobile device management (MDM). Secure Mail for iOS supports single sign-on for this use case.
  • Intune MAM with Endpoint Management MDM+MAM


    For this use case, Secure Mail only works for devices enrolled in MAM.

Getting Started Guide

This document is an easy-to-follow, graphical guide to setting up Endpoint Management integration with EMS/Intune.

System requirements

  • Citrix Gateway version 12.0.59.x or 12.1.50.x or later. You can download the latest version of Citrix Gateway from the Citrix Gateway download page.
  • A Windows desktop running Windows 7 or later (for Android app wrapping only)
  • A Mac running macOS 10.10 or later (for iOS or Android app wrapping)
  • Mobile platforms:
    • iOS 11.x
    • Android 6.x, 7.x, 8.x


  • Azure AD access (with Tenant Admin privileges)
  • Intune-enabled tenant

Firewall rule

  • Enable a Firewall rule to allow DNS and SSL traffic from a Citrix Gateway subnet IP to *,, and (port 53 and 443)


  • Intune environment: If you don’t have an Intune environment set up, follow the steps in the Microsoft Intune documentation.
  • Intune app wrappers: Microsoft hosts the wrappers in a private GitHub repository that you need an invitation to access. After you receive an invitation, download the wrappers from Microsoft. You can find links to download the wrappers from the Microsoft Intune App SDK documentation on the Microsoft Intune documentation site noted above.
  • Managed Browser: The Mobile Apps SDK is integrated within the Intune Managed Browser app for iOS and Android. For more information about the Managed Browser, see the Microsoft Managed Browser page.
  • Installations of the Android SDK and the Java JDK: Install these SDKs on the machine you use to wrap apps. For details about the Intune SDK, see the Microsoft Intune App SDK for Android developer guide.
  • JDK environment variable: Add the JDK bin directory to the Path environment variable, changing the path to match your JDK version and installed location. Example (PowerShell): $env:Path += ";C:\Program Files\Java\jdk1.8.0_121\bin"
  • Citrix Cloud account: To sign up for a Citrix account and request a Citrix Endpoint Management trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to For more information on requesting a Citrix Cloud account, see Sign up for Citrix Cloud.


    The email you supply must be an address that is not associated with Azure AD. You can use any free email service.

  • APNs certificates for iOS: Ensure that you configure APNs certificates for iOS. To learn more about setting up these certificates, see this Citrix blog post: Creating and Importing APNs Certificates.
  • Azure AD Sync: Set up synchronization between Azure AD and on-premises Active Directory. Do not install the AD sync tool on the domain controller machine. For more information on setting up this sync, see the Microsoft documentation on Azure Active Directory.

Configuring Citrix Gateway

If you are setting up a new Endpoint Management deployment, install one of these Citrix Gateway appliances:

  • NetScaler Gateway VPX 3000 series or greater
  • NetScaler Gateway MPX or dedicated SDX instance

To use Citrix Gateway with Endpoint Management integration with EMS/Intune:

  • Configure Citrix Gateway with a management interface and a subnet IP.
  • Use TLS 1.2 for all client to server communication. For information about configuring TLS 1.2 for Citrix Gateway, see CTX247095.

If you are using Endpoint Management integration with EMS/Intune with an Endpoint Management MDM+MAM deployment, configure two Citrix Gateways. MDX app traffic is routed through one Citrix Gateway. Intune app traffic is routed through the other Citrix Gateway. Configure:

  • Two public IPs.
  • Optionally, one network address translated IP.
  • Two DNS names. Example:
  • Two public SSL certificates. Configure certificates that match the reserved public DNS name or use wildcard certificates.
  • A MAM load balancer with an internal non-routable RFC 1918 IP address.
  • An LDAP Active Directory service account.

Consenting to delegated permission prompts

For managed apps that require users to authenticate, the apps request application permissions exposed by Microsoft Graph. By consenting to these permission prompts, the app can access required resources and APIs. Some apps require consent by the Azure AD global administrator for Microsoft Azure AD. For these delegated permissions, the global administrator must grant Citrix Cloud permission to request tokens. The tokens then enable the following permissions. For more details, see the Microsoft Graph permissions reference.

  • Sign in and read user profile: This permission allows users to sign in and connect to Azure AD. Citrix can’t view user credentials.
  • Read all users’ basic profiles: The app reads profile properties on behalf of users in the organization. The properties include the display name, first and last name, and email address and photo of users in the organization.
  • Read all groups: This permission enables Azure AD groups to be enumerated for app and policy assignment.
  • Access directory as the signed-in user: This permission verifies the Intune subscription and enables Citrix Gateway and VPN configurations.
  • Read and write Microsoft Intune apps: The app can read and write Microsoft-managed properties, group assignments and the status of apps, app configurations, and app protection policies.

In addition, during the Citrix Gateway configuration, the Azure AD global administrator must approve the Active Directory chosen for micro VPN. The global administrator must also generate a client secret that Citrix Gateway uses to communicate with AAD and Intune.

The global administrator must not have the role of Citrix administrator. Instead, the Citrix administrator assigns Azure AD accounts to users with appropriate Intune application admin privileges. The Intune administrator then serves the role of a Citrix Cloud admin to manage Intune from within Citrix Cloud.


Citrix only uses the Intune Global Administrator password during setup and redirects the authentication to Microsoft. Citrix can’t access the password.

To configure Endpoint Management integration with EMS/Intune

For a video summary of the integration, watch:

Video icon

  1. Log on to the Citrix Cloud site and request a trial for Endpoint Management.

  2. A sales engineer schedules an onboarding meeting with you. Let them know that you want Endpoint Management integration with EMS/Intune. When your request is approved, click Manage.

    The Citrix Cloud site

  3. From here you can click the cog in the upper right of your site or you can click Configure Site.

    The Citrix Cloud site

  4. Follow the link in the first step to the Identity and Access Management page.

    The link for Identity and Access Management

  5. Click Connect to connect your Azure AD installation.

    The Identity and Access Management page

  6. Enter a unique logon URL that the Azure AD administrator uses to log on and then click Confirm.

    Logon URL screen and Connect button

  7. Add an Azure AD global administrator account and then accept the permissions request.

    The Use another account button

    The Accept button

  8. Confirm that your Azure AD instance connects successfully. To indicate a successful connection, the Not Connected text changes to say Enabled.

    The Disconnect button

  9. Click the Administrators tab and then add your Azure AD Intune administrator as a Citrix Cloud administrator. Select Azure AD or Citrix Identity from the drop-down menu, and then search for the user name you want to add. Click Invite and then grant the user Full Access or Custom Access before clicking Send Invite.


    Endpoint Management requires the following rules for Custom Access: Library and Citrix Endpoint Management.

    As a result, the Azure AD Intune administrator receives an email invitation to create a password and sign in to Citrix Cloud. Before the administrator signs in, ensure that you sign out of all other accounts.

    The Azure AD Intune administrator must follow the remaining steps in this procedure.

    The Azure AD Intune administrator Invite option

    The confirmation screen

  10. After signing in with the new account, under Endpoint Management, click Manage. If everything is configured correctly, the page shows that the Azure AD administrator is signed in and that your Intune subscription is valid.

    The Endpoint Management Manage option

To configure Citrix Gateway for micro VPN

To use micro VPN with Intune, you must configure Citrix Gateway to authenticate to Azure AD. An existing Citrix Gateway virtual server does not work for this use case.

First, configure Azure AD to sync with the on-premises Active Directory. This step is necessary to ensure that authentication between Intune and Citrix Gateway occurs properly.

Active Directory synchronization

  1. From the Citrix Cloud console, under Endpoint Management, click Manage.

  2. Next to Micro VPN, click Configure Micro VPN.

    Configure Micro VPN button

  3. Enter a name for the micro VPN service and the external URL for your Citrix Gateway and then click Next.

    This script configures Citrix Gateway to support Azure AD and the Intune apps.

    Citrix Gateway details page

  4. Click Download Script. The .zip file includes a readme with instructions for implementing the script. Even though you can Save and Exit from here, the Micro VPN is not set up until you run the script on your Citrix Gateway installation.

    Download Script button


    When you finish the Citrix Gateway configuration process, if you see an OAuth Status other than COMPLETE, see the Troubleshooting section.

To configure device management

If you want to manage devices in addition to apps, choose a method of device management. You can use Endpoint Management MDM+MAM or Intune MDM.


By default, Intune MDM is selected for the console. To use Intune as your MDM provider, see the Microsoft Intune documentation.

  1. From the Citrix Cloud console, under Endpoint Management integration with EMS/Intune, click Manage. Next to Device Management - Optional, click Configure MDM.

    Configure MDM screen

  2. Enter a unique site name, select the Cloud region closest to you and then click Request a Site. A prompt lets you know that you receive an email when your site is ready.

    The unique site name page

    The site request confirmation

  3. Click OK to close the prompt. Select an Active Directory Location to associate with your site or create a resource location and then click Next.

    Active Directory location option

    Option to create a resource location

  4. Click Download Cloud Connector and follow the on-screen instructions to install the cloud connector. After installation, click Test Connection to verify the connection between Citrix Cloud and the Cloud Connector.

    The download cloud connector option

    The test connection option

  5. Click Save & Exit to finish. Your resource location appears. Clicking Finish takes you back to the settings screen.

    The save and exit screen

  6. You can now access the Endpoint Management console from your site tile. From here, you can perform MDM management tasks and assign device policies. For more information on device policies, see Device Policies.

    The Manage Site screen

Wrapping iOS apps

Microsoft has enhanced their Intune App Wrapping Tool to add the optional parameter “-citrix.” As a final step, this parameter invokes the MDX Toolkit command line interface (CLI) CGAppCLPrepTool to wrap the application. To wrap the app with Intune, follow the instructions at Prepare line of business apps for MAM.


Ensure that you use the wrapping tool supplied for this release and not the one linked to from the article.

Several MDX options exist. The following list describes each MDX variant.

  • MDX network-only wrapper: Only Intune MDM, Intune MAM, or Endpoint Management MDM+MAM can manage this wrapper. Wrap the app by using the Intune App Wrapping Tool and specify the “-citrix” option. This wrapper is a minimal version of MDX that only has support for micro VPN without containment or encryption.
  • MDX Wrapper: Has support for other types of policies, including containment. Does not support encryption. Wrap the app with the Intune App Wrapping tool and then the MDX Toolkit.
  • Citrix Mobile Apps SDK: Use the Citrix Mobile Apps SDK when developing an app to access all MDX features, including encryption.

You can achieve the same result if, when building your iOS app, you link the Citrix Mobile Apps SDK framework and Intune SDK framework. For more information on the Citrix Mobile Apps SDK and Intune SDK, see MDX Developer Guide and Intune App SDK overview respectively.

The following list shows, for each iOS use case, the Intune component and the Citrix MDX variant used. The use cases include customer line-of-business apps that consume the Intune SDK for containment or networking purposes.

  • Customer line-of-business app consuming the Intune SDK that needs containment or networking: Intune SDK; MDX network-only wrapper.
  • Citrix mobile productivity apps or line-of-business apps that require containment and networking capabilities: Intune SDK; Citrix Mobile Apps SDK.
  • Line-of-business apps using the network-only wrapper: Intune wrapper; MDX network-only wrapper.
  • Use of the Microsoft Managed Browser: Intune SDK already embedded in the app; MDX network-only support already embedded in the app.

Wrapping Android apps

Wrapping an Android app works similarly to iOS. The tool you use to wrap Android apps is the ManagedAppUtility.jar. You can use the ManagedAppUtility.jar to wrap apps with the full version of MDX or with the network-only version. To use the network-only wrapper, use the “-mVPN” parameter.

The following list shows, for each Android use case, the Intune component and the Citrix MDX variant used.

Android wrapping scenarios

  • Microsoft Managed Browser: Intune SDK; MDX network-only wrapper.
  • Citrix mobile productivity apps: Intune SDK; MDX for Citrix mobile productivity apps.
  • Line-of-business apps using the network-only wrapper: Intune wrapper; MDX network-only wrapper.

To add apps to Endpoint Management integration with EMS/Intune console

To add Intune managed apps, follow these steps.

  1. From the Citrix Cloud console, click the menu icon and then click Library.

    Citrix Cloud Library page

  2. Click the blue plus sign icon on the upper-right and then click Add a Mobile app.

    You might need to wait a minute for the options to populate the list.

    Add a Mobile app option

  3. Select an app template to customize or click Upload my own App.

    Policies to configure

    Citrix supplies the existing app templates, each of which comes with a set of preconfigured default policies. For apps that customers upload, the following policies apply:

    • MDX files (MDX-wrapped apps):
      • Intune app protection policies and the default MDX policies contained in the package
      • For public store apps, Intune app protection policies and the default MDX policies that match the bundle ID or package ID
    • IPA files: Intune app protection policies.
    • APK files: Intune app protection policies.


    If the app is not wrapped with Intune, Intune app protection policies do not apply.

  4. If you clicked Upload my own App, upload your .mdx or Intune wrapped file.

    Upload own wrapped file screen

  5. Enter a name and description for the app, choose whether the app is featured or required, and then click Next.

  6. Set the Network access policy to select whether and how to allow micro VPN access. Enabling micro VPN allows the app controlled access to on-premises resources.

    • Unrestricted: Disables micro VPN access. The app can access the network with no restrictions, without using the micro VPN. Unrestricted is the default setting.


      In version 18.12.0: If you configure unrestricted network access and set the micro VPN session required policy to Yes, the network is unavailable.

    • Tunneled - Full VPN: Enables micro VPN full tunnel (TCP level) redirection.
    • Tunneled - Web SSO: Enables HTTP/HTTPS redirection (with SSO) for micro VPN.
    • Tunneled - Full VPN and Web SSO: Enables both micro VPN full tunnel (TCP level) redirection and HTTP/HTTPS redirection (with SSO).

      This option allows automatic switching between full VPN and Web SSO modes as needed. If a network request fails due to an authentication request that cannot be handled in full VPN mode, the request is retried in the alternate mode. For example, the full VPN can accommodate server challenges for client certificates. Web SSO mode is more likely to service HTTP authentication challenges.

      This setting is the equivalent of the now deprecated policy, PermitVPNModeSwitching.

      Micro VPN policies screen

  7. If you enable micro VPN access, set the micro VPN session required policy to select whether to require an online session for the app to work. Select Yes to require an online session. The default is No.

  8. If you enable micro VPN access, you can specify an mVPN tunnel exclusion list. Enter domains, separated by commas, that you want to exclude from the micro VPN policies.

    For more information on these policies, see MDX Policies.

  9. Configure more policies for the app and then click Next. For a complete list of app policies, see MDX Policies at a Glance.

    Application policies


    Not all of these policies are available.

  10. Review the summary of the app and then click Finish.

    This app configuration process might take a few minutes. When the process completes, a message indicates that the app has been published to the library.

    Finish button

  11. To assign user groups to the app, click Assign Users.

    Assign Users option

  12. In the search box, search for user groups and click to add them. You cannot add individual users.

    Add Subscribers option

  13. When you have added all groups, you can close the window by clicking the X.

    The ready status

    You might encounter an error when adding user groups. This error occurs when the user group has not been synchronized to Local Active Directory.

MDX policies

When you wrap an app with MDX technology or you use the Citrix Mobile Apps SDK to build the app, Intune administrators can configure the MDX policies. These policies include a subset of Citrix MDX policies that do not require Secure Hub to manage the app. Citrix recommends that you use the following MDX policies.

The following set of Intune-specific network management policies controls the network policy configuration for MDX (full or network only) when managed by Intune. Some of these policies correspond to existing Citrix MDX network containment policies. Others are specific to Intune configuration and control.


The MDX Toolkit version 18.12.0 release included new policies that combined or replaced older policies. The Network Access policy combines Network access, Preferred VPN mode, and Permit VPN mode switching. The Exclusion list policy replaces Split tunnel exclusion list. The micro VPN session required policy replaces micro VPN session required. For details, see What’s new in the MDX Toolkit 18.12.0.

Tunneled - Web SSO is the name for Secure Browse in the settings. The behavior is the same.

  • Enable http/https redirection: Enables or disables HTTP/HTTPS redirection through the Citrix Gateway reverse web proxy endpoint, also known as Tunneled - Web SSO. When On, Tunneled - Web SSO is used for web traffic, and the gateway can respond to HTTP authentication challenges inline, providing a single sign-on (SSO) experience. To use Tunneled - Web SSO, set this policy to On. Apps that use client certificates for end-to-end SSL with mutual authentication require full-tunnel redirection; for those apps, set this policy to Off. Default value is On.
  • Disable mVPN full tunnel (TCP level) redirection: Enables or disables TCP-level network redirection through the Citrix Gateway VPN tunneling endpoint. Under normal circumstances, always leave this policy enabled. However, troubleshooting Web SSO issues is often easier when you prevent TCP-level interception of web traffic that the standard web interception functions do not catch. Default value is On.
  • mVPN session required: If On, the SDK ensures that the configured gateway is reachable and that a valid micro VPN session is available before allowing the app to become active. If there is no network, the gateway is unreachable, or a logon session cannot be established, the app remains blocked until a working micro VPN session can be confirmed. If Off, the app opens regardless of network condition, and a micro VPN session is initialized as needed when an app configured for tunneled access attempts to use one of the redirected network APIs. Default value is Off.
  • mVPN tunnel exclusion list: Comma-separated list of host or domain names to be excluded from routing through the Citrix Gateway reverse web proxy. These hosts or domains are excluded even if the gateway's split DNS settings would otherwise select them.


    This policy is only enforced for Tunneled - Web SSO connections. If Enable http/https redirection is Off, this policy is ignored.

For more information about these policies, see MDX Policies for iOS Apps.
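The interaction of the Network access, micro VPN session required, and exclusion list policies is easiest to see as a single decision function. The following Python model is an added illustration, not Citrix code: it encodes the routing rules stated on this page (Unrestricted combined with session required yields no network in 18.12.0, the exclusion list applies only to Tunneled - Web SSO traffic, and Full VPN and Web SSO falls back to full VPN when a client-certificate challenge cannot be served by Web SSO). The class and function names, the outcome labels direct, full-vpn, web-sso and blocked, and the treatment of non-HTTP traffic under Web SSO-only mode as not tunneled are assumptions made for the example.

```python
# Model of the micro VPN network access policy decision. Added illustration,
# not Citrix code; names, outcome labels and the non-HTTP handling under
# Web SSO-only mode are assumptions, the rules come from the policy text above.
from dataclasses import dataclass
from enum import Enum


class NetworkAccess(Enum):
    UNRESTRICTED = "Unrestricted"
    FULL_VPN = "Tunneled - Full VPN"
    WEB_SSO = "Tunneled - Web SSO"
    FULL_VPN_AND_WEB_SSO = "Tunneled - Full VPN and Web SSO"


@dataclass
class MicroVpnPolicy:
    network_access: NetworkAccess = NetworkAccess.UNRESTRICTED
    session_required: bool = False      # "micro VPN session required" policy
    exclusion_list: str = ""            # "mVPN tunnel exclusion list", comma separated

    def excluded_hosts(self):
        return [h.strip().lower() for h in self.exclusion_list.split(",") if h.strip()]


@dataclass
class Request:
    host: str
    is_http: bool                   # HTTP/HTTPS request vs. a raw TCP connection
    needs_client_cert: bool = False  # server challenges for a client certificate


def host_excluded(host, exclusions):
    """Match a host against the exclusion list, including subdomains of listed domains."""
    host = host.lower()
    return any(host == e or host.endswith("." + e) for e in exclusions)


def route_request(policy, request, gateway_reachable=True):
    """Return how the app's request is routed: blocked, direct, full-vpn or web-sso."""
    if policy.network_access is NetworkAccess.UNRESTRICTED:
        # 18.12.0 caveat on this page: Unrestricted plus session required = no network.
        return "blocked" if policy.session_required else "direct"

    # Tunneled modes: a required session must be confirmed before the app proceeds.
    if policy.session_required and not gateway_reachable:
        return "blocked"

    # The exclusion list is only enforced for Tunneled - Web SSO traffic.
    web_sso_enabled = policy.network_access in (
        NetworkAccess.WEB_SSO, NetworkAccess.FULL_VPN_AND_WEB_SSO)
    if request.is_http and web_sso_enabled and host_excluded(
            request.host, policy.excluded_hosts()):
        return "direct"

    if policy.network_access is NetworkAccess.FULL_VPN:
        return "full-vpn"  # TCP-level redirection carries all traffic
    if policy.network_access is NetworkAccess.WEB_SSO:
        # Assumption: Web SSO redirects only HTTP/HTTPS; other TCP traffic is not tunneled.
        return "web-sso" if request.is_http else "direct"

    # Full VPN and Web SSO: web traffic prefers Web SSO, but a client-certificate
    # challenge that Web SSO cannot satisfy is retried over the full VPN tunnel.
    if not request.is_http or request.needs_client_cert:
        return "full-vpn"
    return "web-sso"


if __name__ == "__main__":
    combined = MicroVpnPolicy(NetworkAccess.FULL_VPN_AND_WEB_SSO,
                              exclusion_list="cdn.example")
    for req in (Request("intranet.example", True),
                Request("img.cdn.example", True),
                Request("pki.example", True, needs_client_cert=True),
                Request("db.example", False)):
        print(req.host, "->", route_request(combined, req))
```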

Deploying policies for line of business apps

After you’ve uploaded your apps to Intune, follow this procedure to apply policies to those apps.

  1. Sign in to and then navigate to Intune > Mobile apps.
  2. Under Manage, click App configuration policies.
  3. Click Add and then enter a name for the policy you want to create. For Enrollment Type, select Not Enrolled with Intune. This selection is a limitation of the current system.
  4. Click Associated App, select the apps to which you want to apply the policy, and then click OK.
  5. Click Configuration Settings.
  6. In the Name field, enter the name of one of the policies noted in the following section in this article.
  7. In the Value field, enter the value you want to apply for that policy. Click off the field to add the policy to the list. You can add multiple policies.
  8. Click OK and then click Add. The policy is added to your list of policies.
  9. You can delete the policy. To do so, select the policy and then click Delete Policy on the right.

Line of business policies

The following table lists the policies you can deploy for line-of-business apps. In addition to these policies, you can also use the policies listed earlier in this article for MDX. For more information about these policies, see MDX Policies at a Glance.

Each entry gives the policy name (iOS name/Android name), its description, and the allowed values.

  • AppLogLevel/DefaultLoggerLevel: Controls the default verbosity of the mobile productivity app diagnostic logging facility. Higher numbers include more detailed logging. Values: 1–5.
  • AppLogTarget/DefaultLoggerOut: Determines which output media the mobile productivity app diagnostic logging facility uses by default. Values: File, Console, or Both.
  • AppLogFileSize/MaxLogFileSize: Limits the size in MB of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB. Maximum is 5 MB. Values: 1–5.
  • AppLogFileCount/MaxLogFiles: Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2. Maximum is 8. Values: 2–8.
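Because the Configuration Settings fields in the Intune portal accept free text, a typo in a name or an out-of-range value is only discovered once the policy reaches a device. The following Python validator is an added illustration, not Citrix or Microsoft code: the policy names, ranges and allowed values are taken from the list above, while the function names and the rule that one policy must not be entered twice (under both its iOS and Android names) are assumptions for the example.

```python
# Validator for line-of-business app configuration policy Name/Value pairs.
# Added illustration (not Citrix or Microsoft code): names, ranges and allowed
# values are taken from the policy list above; structure and duplicate rule assumed.

# Keyed by (iOS name, Android name) exactly as the policies are listed above.
POLICY_SPECS = {
    ("AppLogLevel", "DefaultLoggerLevel"): {"kind": "int", "min": 1, "max": 5},
    ("AppLogTarget", "DefaultLoggerOut"): {"kind": "enum", "values": ("File", "Console", "Both")},
    ("AppLogFileSize", "MaxLogFileSize"): {"kind": "int", "min": 1, "max": 5},
    ("AppLogFileCount", "MaxLogFiles"): {"kind": "int", "min": 2, "max": 8},
}


def canonical_name(name):
    """Map either platform's spelling to its (iOS, Android) pair, or None if unknown."""
    for pair in POLICY_SPECS:
        if name in pair:
            return pair
    return None


def validate_setting(name, value):
    """Check one Name/Value pair as typed into Configuration Settings.

    Values arrive as strings from the portal field. Returns an error message or None.
    """
    pair = canonical_name(name)
    if pair is None:
        return f"{name}: not one of the line-of-business policies"
    spec = POLICY_SPECS[pair]
    if spec["kind"] == "int":
        if not value.strip().lstrip("-").isdigit():
            return f"{name}: expected an integer {spec['min']}-{spec['max']}, got {value!r}"
        n = int(value)
        if not spec["min"] <= n <= spec["max"]:
            return f"{name}: {n} is outside the allowed range {spec['min']}-{spec['max']}"
        return None
    if value not in spec["values"]:
        return f"{name}: expected one of {', '.join(spec['values'])}, got {value!r}"
    return None


def validate_policy(settings):
    """Validate a whole policy given as [(name, value), ...]; returns a list of errors."""
    errors, seen = [], {}
    for name, value in settings:
        pair = canonical_name(name)
        if pair is not None:
            if pair in seen:
                errors.append(f"{name}: already set as {seen[pair]} (same policy)")
            else:
                seen[pair] = name
        err = validate_setting(name, value)
        if err:
            errors.append(err)
    return errors


# Constructed sample policies, not taken from a real tenant.
GOOD_POLICY = [("AppLogLevel", "3"), ("AppLogTarget", "Both"),
               ("MaxLogFileSize", "5"), ("AppLogFileCount", "2")]
BAD_POLICY = [("AppLogLevel", "9"), ("DefaultLoggerOut", "Syslog"),
              ("AppLogLevel", "2"), ("LogEverything", "1")]

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, validate_policy(policy) or "OK")
```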

To configure Secure Mail

Secure Mail now supports various configurations. You can wrap Secure Mail in an Intune MAM container connecting to an on-premises Exchange Server. You can connect Secure Mail to hosted Exchange or Office 365 accounts. This release does not support certificate-based authentication, however, so use LDAP instead.


To use Secure Mail in MDX mode, you must use Citrix Endpoint Management MDM+MAM.

Secure Mail also automatically populates user names. To enable this feature, you must configure the following custom policies first.

  1. From your Endpoint Management console, go to Settings > Server Properties and then click Add.

  2. In the list, click Custom Key and then in the Key field, type

  3. Set the value to true and then in Display name, type Click Save.

  4. Click Client Properties and then click Add.

  5. Select Custom Key and then type SEND_LDAP_ATTRIBUTES in the Key field.

  6. Type userPrincipalName=${user.userprincipalname},email=${user.mail},displayname=${user.displayname},sAMAccountName=${user.samaccountname},aadupn=${user.id_token.upn},aadtid=${user.id_token.tid} in the Value field, enter a description and then click Save.

    The following steps apply only to iOS devices.

  7. Go to Configure > Device Policies, click Add, and then select the App Configuration policy.

  8. Enter a policy name and then click Next.

    In the Identifier list, click Add new. In the text box that appears, enter the bundle ID for your Secure Mail app.

  9. In the Dictionary content box, type the following text.

  10. Clear the Windows Phone and Windows Desktop/Tablet check boxes and then click Next.

  11. Select the user groups to which you want the policy deployed and then click Save.
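The SEND_LDAP_ATTRIBUTES value in step 6 is a comma-separated list of name=${path} entries, where each path names a directory attribute or an Azure AD ID-token claim of the enrolling user. To see what a given user record resolves to before deploying the property, the following Python parser and expander can be used. It is an added illustration, not Citrix code: the attribute string is the one from step 6, the user record is constructed sample data, and the reading of each ${...} placeholder as a dotted path into a nested user record is an assumption for the example.

```python
# Parser/expander for the SEND_LDAP_ATTRIBUTES client property from step 6.
# Added illustration, not Citrix code: the dotted-path resolution and the sample
# user record are assumptions; the attribute string itself is the one on this page.
import re

SEND_LDAP_ATTRIBUTES = (
    "userPrincipalName=${user.userprincipalname},email=${user.mail},"
    "displayname=${user.displayname},sAMAccountName=${user.samaccountname},"
    "aadupn=${user.id_token.upn},aadtid=${user.id_token.tid}"
)

# A value must be exactly one ${dotted.path} placeholder.
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z0-9_.]+)\}$")


def parse_attribute_map(spec):
    """Turn 'name=${path},name=${path}' into [(name, path), ...].

    Raises ValueError for an entry that lacks '=' or whose value is not a placeholder,
    so a mistyped property is caught before it is saved.
    """
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        name, sep, template = item.partition("=")
        match = PLACEHOLDER.match(template.strip())
        if not sep or not name.strip() or match is None:
            raise ValueError(f"malformed SEND_LDAP_ATTRIBUTES entry: {item!r}")
        entries.append((name.strip(), match.group(1)))
    return entries


def resolve_path(data, path):
    """Follow a dotted path such as 'user.id_token.upn' through nested dicts; None if absent."""
    node = data
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def expand_attributes(spec, context):
    """Return {attribute name: resolved value}; attributes with no source value map to None."""
    return {name: resolve_path(context, path) for name, path in parse_attribute_map(spec)}


# Constructed sample: one synced user with AD attributes plus Azure AD ID-token claims.
SAMPLE_CONTEXT = {
    "user": {
        "userprincipalname": "jdoe@corp.example",
        "mail": "jane.doe@corp.example",
        "displayname": "Jane Doe",
        "samaccountname": "jdoe",
        "id_token": {
            "upn": "jdoe@corp.example",
            "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
        },
    }
}

if __name__ == "__main__":
    for attr, value in expand_attributes(SEND_LDAP_ATTRIBUTES, SAMPLE_CONTEXT).items():
        print(f"{attr} = {value}")
```

Any attribute that expands to None is one Secure Mail would not receive for that user; in practice that points at an attribute missing from the Azure AD sync or the ID token rather than at the property string.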


General issues

Issue: When opening an app, the following error message appears: App Policy Required.

Resolution: Add policies in the Microsoft Graph API.

Issue: You have policy conflicts.

Resolution: Only a single policy per app is allowed.

Issue: When wrapping an app, the following error appears:

Failed to package app. This app already has the MAM SDK integrated.

The application could not be wrapped.

Resolution: The app is integrated with the Intune SDK. You do not need to wrap the app with the Intune wrapper.

Issue: Your app can’t connect to internal resources.

Resolution: Ensure that the correct firewall ports are open, that you are using the correct tenant ID, and so on.

Citrix Gateway issues

The following list describes common issues with Citrix Gateway configurations and their solutions. For troubleshooting, enable more detailed logging and check the logs as follows:

  1. In the command-line interface, run the following command: set audit syslogParams -logLevel ALL
  2. Check the logs from the shell using tail -f /var/log/ns.log

Issue: The permissions required for the Gateway app on Azure are unavailable.

Solution: Check that a proper Intune license is available. Try using the portal to see if the permission can be added. Contact Microsoft support if the issue persists.

Issue: Citrix Gateway cannot reach and

Solution: From the NS shell, check whether you can reach the following Microsoft website: curl -v -k Then, check whether DNS is configured on Citrix Gateway and that the firewall settings are correct (in case DNS requests are firewalled).

Issue: An error appears in ns.log after you configure OAuthAction.

Solution: Check that Intune licensing is enabled and that the Azure Gateway app has the proper permissions set.

Issue: The sh OAuthAction command does not show the OAuth status as complete.

Solution: Check the DNS settings and the configured permissions on the Azure Gateway app.

Issue: The Android or iOS device does not show the dual authentication prompt.

Solution: Check whether the Dual Factor Device ID logonSchema is bound to the authentication virtual server.

OAuth error condition and status

The OAuth status values and the error conditions they indicate:

  • AADFORGRAPH: Invalid secret, URL not resolved, or connection timeout.
  • MDMINFO: * is down or unreachable.
  • GRAPH: Graph endpoint is down or unreachable.
  • CERTFETCH: Cannot talk to the “Token Endpoint” because of a DNS error. To validate this configuration, go to the shell and type curl This command must validate.


The following items describe some limitations of using Microsoft EMS/Intune with Citrix Endpoint Management.

  • When you deploy apps with Citrix and Intune to support micro VPN: When users provide their user name and password to access digest sites, even though their credentials are valid, an error appears. [CXM-25227]
  • After changing Split tunnel from On to Off and waiting for the current gateway session to expire: External traffic passes directly on without going through Citrix Gateway until the user launches an internal site in Full VPN mode. [CXM-34922]
  • After changing the Open-in policy from Managed apps only to All apps, users cannot open documents in unmanaged apps until they close and relaunch Secure Mail. [CXM-34990]
  • When split tunneling is On in Full VPN mode, and the split DNS changes from local to remote, internal sites fail to load. [CXM-35168]

Known issues

When the mVPN policy Enable http/https redirection (with SSO) is disabled, Secure Mail does not function. [CXM-58886]

Third-party known issues

On Secure Mail for Android, when a user taps Create New Event, the new event creation page does not display. [CXM-23917]

When you deploy Citrix Secure Mail for iOS with Citrix and Intune to support micro VPN: The app policy that obscures the Secure Mail screen when users move the app to the background is not enforced. [CXM-25032]