Citrix Endpoint Management integration with Microsoft Intune/EMS

Endpoint Management integration with Microsoft Enterprise Mobility + Security (EMS)/Intune adds Endpoint Management micro VPN capabilities to Intune-aware apps, such as Microsoft Managed Browser.

Endpoint Management integration with EMS/Intune also allows enterprises to wrap their own line of business apps with Intune and Citrix to provide micro VPN capabilities inside an Intune mobile app management (MAM) container. Endpoint Management micro VPN enables those apps to reach on-premises resources. You can manage and deliver Office 365 apps, line of business apps, and Citrix Secure Mail in one container.

This release supports the following use cases:

  • Intune MAM
  • Intune MAM and Intune mobile device management (MDM)
  • Intune MAM with Endpoint Management MDM-only
  • Intune MAM with Endpoint Management MDM and MAM

    Important:

    Kerberos Constrained Delegation is not supported with this setup.

Getting Started Guide

This document is an easy-to-follow, graphical guide to setting up Endpoint Management integration with EMS/Intune.

System Requirements

  • NetScaler version 11.1.51.26 or later. You can download this version of NetScaler from the NetScaler download page.
  • A Windows desktop running Windows 7 or later (for Android app wrapping only)
  • A Mac running macOS 10.10 or later (for iOS or Android app wrapping)
  • Mobile platforms:
    • iOS 10.x, 11.x
    • Android 5.x, 6.x, 7.x, 8.x

Microsoft

  • Azure AD access (with Tenant Admin privileges)
  • Intune-enabled tenant

Firewall rule

  • Enable a firewall rule that allows DNS (port 53) and TLS (port 443) traffic from the NetScaler subnet IP (SNIP) to *.manage.microsoft.com, https://login.microsoftonline.com, and https://graph.windows.net. The rule is outbound only: NetScaler initiates these connections, so no inbound exception is needed.

Prerequisites

  • Intune environment: If you don’t have an Intune environment set up, follow the steps in the Microsoft documentation.
  • Intune app wrappers: Microsoft hosts the wrappers in a private GitHub repository that you need an invitation to access. After you receive an invitation, download the wrappers from the Citrix GitHub page.
  • Managed Browser: The Mobile Apps SDK is integrated within the Intune Managed Browser app for iOS and Android. For more information about the Managed Browser, see the Microsoft Managed Browser page.
  • Installations of the Android SDK and the Java JDK. Install these SDKs on the machine you use to wrap apps. For details about the Intune SDK, see the Microsoft Intune App SDK for Android developer guide.
  • JDK environment variable. Add the JDK bin directory to the PATH on the machine you use to wrap apps, adjusting the path to match your JDK version and install location. Example (PowerShell): $env:Path += ";C:\Program Files\Java\jdk1.8.0_121\bin"
  • Citrix Cloud account. To sign up for a Citrix account and request a Citrix Endpoint Management trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to https://onboarding.cloud.com. For more information on requesting a Citrix Cloud account, see Sign up for Citrix Cloud. Note: The email you supply must be an address that is not associated with Azure AD. You can use any free email service.
  • APNs certificates for iOS. Ensure that you configure APNs certificates for iOS. To learn more about setting up these certificates, see this Citrix blog post: Creating and Importing APNs Certificates.
  • Configure Google Play credentials. If you plan on using Android Public Store Apps, configure Google Play credentials. For more information about configuring the credentials, see Google Play credentials.
  • Azure AD Sync. Set up synchronization between Azure AD and on-premises Active Directory. Do not install the AD sync tool on the domain controller machine. For more information on setting up this sync, see the Microsoft documentation, Integrate your on-premises directories with Azure Active Directory.

Consenting to delegated permission prompts

For managed apps that require users to authenticate, the apps request delegated permissions exposed by Microsoft Graph. By consenting to these permission prompts, you allow the app to access the required resources and APIs. Some permissions require consent by the Azure AD global administrator. For these delegated permissions, the global administrator must grant Citrix Cloud permission to request tokens. The tokens then carry the following permissions. For more details, see the Microsoft Graph permissions reference.

  • Sign in and read user profile. This permission allows users to sign in and connect to Azure AD. Note that Citrix does not view user credentials.
  • Read all users’ basic profiles. The app reads profile properties on behalf of users in the organization. The properties include display name, first and last name, and email address and photo of users in the organization.
  • Read all groups. This permission enables Azure AD groups to be enumerated for app and policy assignment.
  • Access directory as the signed-in user. This permission verifies the Intune subscription and enables NetScaler and VPN configurations.
  • Read and write Microsoft Intune apps. The app can read and write Microsoft-managed properties, group assignments and the status of apps, app configurations, and app protection policies.

In addition, during the NetScaler configuration, the Azure AD global administrator must approve the Active Directory chosen for micro VPN. The global administrator must also generate a client secret that NetScaler uses to communicate with AAD and Intune.

The global administrator account must not also hold the Citrix administrator role. Instead, the Citrix administrator adds Azure AD accounts that have the appropriate Intune application admin privileges as Citrix Cloud administrators. That Intune administrator then acts as a Citrix Cloud admin to manage Intune from within Citrix Cloud.

Note:

The Intune global administrator enters the password only during setup, and only at the Microsoft sign-in page to which Citrix redirects the authentication. Citrix never receives or stores the password.
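As an added example (not Citrix or Microsoft code), the following Python inspects the delegated scopes carried in an Azure AD access token and compares them with the consent listed above. It assumes that the five consent prompts correspond to the Microsoft Graph permission identifiers named in REQUIRED_SCOPES; confirm those against the Graph permissions reference for your tenant. The token it builds is unsigned and constructed so the check runs offline.

```python
"""Audit the delegated scopes (scp claim) an Azure AD token carries."""
import base64
import json
from typing import Dict, List, Set

# ASSUMPTION: Graph permission identifiers behind the five consent prompts
# listed above. Verify against the Microsoft Graph permissions reference.
REQUIRED_SCOPES: Set[str] = {
    "User.Read",                           # Sign in and read user profile
    "User.ReadBasic.All",                  # Read all users' basic profiles
    "Group.Read.All",                      # Read all groups
    "Directory.AccessAsUser.All",          # Access directory as the signed-in user
    "DeviceManagementApps.ReadWrite.All",  # Read and write Microsoft Intune apps
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this inspects what a token carries so an
    admin can audit consent. Never use it to decide whether to accept a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def delegated_scopes(token: str) -> Set[str]:
    """Delegated permissions live in the space-separated 'scp' claim."""
    return set(token_claims(token).get("scp", "").split())


def audit_scopes(token: str, required: Set[str] = REQUIRED_SCOPES) -> Dict[str, List[str]]:
    """Compare granted scopes with the consent the integration needs.

    'missing': a consent prompt was not completed.
    'excess': the token carries more than the integration uses (review for least privilege).
    """
    granted = delegated_scopes(token)
    return {"missing": sorted(required - granted), "excess": sorted(granted - required)}


def make_unsigned_token(scopes: List[str],
                        tid: str = "00000000-0000-0000-0000-000000000000") -> str:
    """CONSTRUCTED test token with alg=none; Azure AD never issues these."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "tid": tid, "scp": " ".join(scopes)}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


if __name__ == "__main__":
    partial = make_unsigned_token(["User.Read", "Group.Read.All", "Mail.Read"])
    print(audit_scopes(partial))
```

An "excess" result is the least-privilege check: if the token carries scopes the integration never uses, consent was granted more broadly than this setup requires. Because the decode skips signature verification, use it only on tokens you obtained yourself for auditing, never as an authorization decision.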

To configure Endpoint Management integration with EMS/Intune

  1. Log on to the Citrix Cloud site and request a trial for Endpoint Management.

  2. A sales engineer schedules an onboarding meeting with you. Let them know that you want Endpoint Management integration with EMS/Intune. When your request is approved, click Manage.

    Image of the Citrix Cloud site

  3. Follow the link in the first step to the Identity and Access Management page.

    Image of the link for Identity and Access Management

  4. Do one of the following:

    • Click Connect to connect your Azure AD installation.
    • If you have already federated your Azure AD installation, click Upgrade.

    Image of the Identity and Access Management page

  5. Enter a unique logon URL that the Azure AD administrator uses to log on and then click Connect.

    Image of logon URL screen and Connect button

  6. Add an Azure AD global administrator account and then accept the permissions request.

    Image of the Use another account button

    Image of the Accept button

  7. Confirm that your Azure AD instance connects successfully. To indicate a successful connection, the Connect button changes to say Disconnect.

    Image of the Disconnect button

  8. Click the Administrators tab and then add your Azure AD Intune administrator as a Citrix Cloud administrator.

    As a result, the Azure AD Intune administrator receives an email invitation to create a password and sign in to Citrix Cloud. Before the administrator signs in, ensure that you sign out of all other accounts.

    The Azure AD Intune administrator must follow the remaining steps in this procedure.

    Image of the Azure AD Intune administrator Invite option

    Image of the confirmation screen

  9. After signing in with the new account, under Endpoint Management, click Manage. If everything is configured correctly, the page shows that the Azure AD administrator is signed in and that your Intune subscription is valid.

    Image of the Endpoint Management Manage option

Video help

Watch this video to see, step by step, how to connect Endpoint Management integration with Intune/EMS.

Video icon

To configure NetScaler Gateway for micro VPN

To use micro VPN with Intune, you must configure NetScaler Gateway to authenticate to Azure AD. You cannot reuse an existing NetScaler Gateway virtual server for this use case.

First, configure Azure AD to sync with the on-premises Active Directory. This step is necessary to ensure that authentication between Intune and NetScaler occurs properly.

Image of diagram of Active Directory synchronization

  1. From the Citrix Cloud console, under Endpoint Management, click Manage.

  2. Next to Micro VPN, click Configure Micro VPN.

    Image of Configure Micro VPN button

  3. Enter a name for the micro VPN service and the external URL for your NetScaler Gateway and then click Next.

    The script generated in the next step configures NetScaler to support Azure AD and the Intune apps.

    Image of NetScaler Gateway details page

  4. Click Download Script. The .zip file includes a readme with instructions for implementing the script. Even though you can Save and Exit from here, the Micro VPN is not set up until you run the script on your NetScaler installation.

    Image of Download Script button

    Note: When you finish the NetScaler configuration process, if you see an OAuth Status other than COMPLETE, see the Troubleshooting section.

To configure device management

If you want to manage devices in addition to apps, choose a method of device management. You can use Endpoint Management MDM or Intune MDM.

Note: By default, Intune MDM is selected for the console. To use Intune as your MDM provider, follow Microsoft documentation at Set the mobile device management authority.

  1. From the Citrix Cloud console, under Endpoint Management integration with EMS/Intune, click Manage. Next to Device Management - Optional, click Configure MDM.

    Image of Configure MDM screen

  2. Enter a unique site name, select the Cloud region closest to you and then click Request a Site. A prompt lets you know that you receive an email when your site is ready.

    Image of the unique site name page

    Image of the site request confirmation

  3. Click OK to close the prompt. Select an Active Directory Location to associate with your site or create a resource location and then click Next.

    Image of Active Directory location option

    Image of option to create a new resource location

  4. Click Download Cloud Connector and follow the instructions on screen to install the cloud connector. After installation, click Test Connection to verify the connection between Citrix Cloud and the Cloud Connector.

    Image of the download cloud connector option

    Image of the test connection option

  5. Click Save & Exit to finish. Your resource location appears. Clicking Finish takes you back to the settings screen.

    Image of the save and exit screen

  6. You can now access the Endpoint Management console from your site tile. From here, you can perform MDM management tasks and assign device policies. For more information on device policies, see Device Policies.

    Image of the Manage Site screen

Wrapping iOS apps

Microsoft has enhanced their Intune App Wrapping Tool to add the optional parameter “-citrix”. As a final step, this parameter invokes the MDX Toolkit command line interface (CLI) CGAppCLPrepTool to wrap the application. To wrap the app with Intune, follow the instructions at Prepare line of business apps for MAM.

Important: Ensure that you use the wrapping tool supplied for this release and not the one linked to from the article.

Several MDX options exist. See the list below for a description of each MDX Variant.

  • MDX network-only wrapper: Only Intune MDM, Intune MAM, or Endpoint Management MDM-only can manage this wrapper. Wrap the app by using the Intune App Wrapping Tool and specify the “-citrix” option. This wrapper is a minimal version of MDX that only has support for micro VPN without containment or encryption.
  • MDX Wrapper: Has support for other types of policies, including containment. Does not support encryption. Wrap the app with the Intune App Wrapping tool and then the MDX Toolkit.
  • Citrix Mobile Apps SDK: Use the Citrix Mobile Apps SDK when developing an app to access all MDX features, including encryption.

You can achieve the same result if, when building your iOS app, you link the Citrix Mobile Apps SDK framework and Intune SDK framework. For more information on the Citrix Mobile Apps SDK and Intune SDK, see MDX Developer Guide and Intune App SDK overview respectively.

iOS wrapping scenarios

Use case example | Intune | Citrix MDX
--- | --- | ---
Customer line of business apps that consume the Intune SDK and need containment or networking | Intune SDK | MDX network-only wrapper
Citrix mobile productivity apps or line of business apps that require containment and networking capabilities | Intune SDK | Citrix Mobile Apps SDK
Line of business apps for the network-only wrapper | Intune wrapper | MDX network-only wrapper
Use of the Microsoft Managed Browser | Intune SDK already embedded in the app | MDX network-only support already embedded in the app

Wrapping Android apps

Wrapping an Android app works similarly to iOS. The tool you use to wrap Android apps is the ManagedAppUtility.jar. You can use the ManagedAppUtility.jar to wrap apps with the full version of MDX or with the network-only version. To use the network-only wrapper, use the “-mVPN” parameter.

See the following table for examples of when to use each wrapping variant.

Android wrapping scenarios

Use case example | Intune | Citrix MDX
--- | --- | ---
Microsoft Managed Browser | Intune SDK | MDX network-only wrapper
Citrix mobile productivity apps | Intune SDK | MDX for Citrix mobile productivity apps
Line of business apps for the network-only wrapper | Intune wrapper | MDX network-only wrapper

To add apps to Endpoint Management integration with EMS/Intune console

To add Intune managed apps, follow these steps.

  1. From the Citrix Cloud console, click the menu icon and then click Library.

    Image of Citrix Cloud Library page

  2. Click the blue plus sign icon on the upper-right and then click Add a Mobile app.

    You may need to wait a minute for the options to populate the list.

    Image of Add a Mobile app option

  3. Select an app template to customize or click Add my own App to Templates. Citrix supplies the existing app templates, each of which comes with a set of preconfigured default policies. For apps that customers upload, the following policies apply:

    • MDX files: MDX-wrapped apps receive Intune app protection policies plus the default MDX policies contained in the package. Public store apps receive Intune app protection policies plus the default MDX policies that match the bundle ID or package ID.
    • IPA Files. Intune App protection policies.
    • APK Files. Intune app protection policies.

      Note: If the app is not wrapped with Intune, Intune app protection policies do not apply.

  4. Configure the following additional policies.

    Image of policies to configure

  5. If you clicked Add my own App to Templates, upload your .mdx or Intune wrapped file.

    Image of Upload own wrapped file screen

  6. Enter a name and description for the app, choose whether the app is featured or required and then click Next.

  7. Select whether you want to allow micro VPN or not. Allowing micro VPN enables the app to access on-premises resources.

  8. If you allow micro VPN, you can apply the recommended settings or select your own. The policies are as follows:

    • Micro-VPN Redirect Web Traffic with SSO: Select True if you want users to use Secure Browse.
    • Micro-VPN Session Required: Select True if you want to require an online session for the app to work.
    • Exclude Domains: Enter domains, separated by commas, that you want to be excluded from the micro VPN policies.
    • Disable TCP Redirect: Select Enable if you want Full VPN turned off.

    For more information on these policies, see MDX Policies.

    Image of Micro VPN policies screen

  9. Configure more policies for the app and then click Next. For a complete list of app policies, see MDX Policies at a Glance.

    Image of application policies

    Note: Not all of these policies are available.

  10. There are no deployment policies to configure. Click Next.

    Image of deployment policy section

  11. Review the summary of the app and then click Finish.

    This app configuration process may take a few minutes. When the process completes, a message indicates that the app has been published to the library.

    Image of Finish button

  12. To assign user groups to the app, click Assign Users.

    Image of Assign Users option

  13. From the Add Subscribers list, select your AAD instance. Then, in the search box, search for user groups and click to add them. You cannot add individual users.

    Image of Add Subscribers option

  14. Added groups show up as pending and then move to a ready status. When you have added all groups and they appear as ready, you can close the window by clicking the X.

    Image of pending status

    Image of the ready status

    You may encounter an error when adding user groups. This error occurs when the user group has not been synchronized to Local Active Directory.

MDX policies

When you wrap an app with MDX technology or you use the Citrix Mobile Apps SDK to build the app, Intune administrators can configure the MDX policies. These policies include a subset of Citrix MDX policies that do not require Secure Hub to manage the app. Citrix recommends that you use the following MDX policies.

The following set of Intune-specific network management policies control the network policy configuration for MDX (full or network only) when managed by Intune. Some of these policies correspond to existing Citrix MDX network containment policies. Others are specific to Intune configuration and control.

  • MvpnGatewayAddress. Publicly resolvable fully qualified domain name (FQDN) of the gateway that the app uses. Default value is empty. To enable tunneling through a specific enterprise gateway, set this parameter to the public-facing address of the gateway, in the form https://mygateway.domain.com. This address is also the resource ID and base URL used during the gateway app registration with Azure. This parameter must be set to enable network redirection. If left empty, micro VPN network redirection through the enterprise gateway is disabled.
  • MvpnRedirectWebTrafficWithSSO. Enables or disables HTTP/HTTPS interception with redirection through the NetScaler Gateway reverse web proxy endpoint, also known as Secure Browse. When True, Secure Browse is used for web traffic, and the gateway can respond to HTTP authentication challenges inline, which makes a single sign-on (SSO) experience possible. Default value is True. Apps that use client certificates for end-to-end SSL with mutual authentication require full-tunnel redirection, because a reverse proxy that terminates the TLS session cannot present the client's certificate to the back end. For those apps, set this option to False.
  • MvpnSessionRequired. If True, the SDK ensures that the configured gateway is reachable and that a valid micro VPN session is available before allowing the app to become active. If there is no network, the gateway is unreachable, or a logon session cannot be established, the app remains blocked until a working micro VPN session can be confirmed. If False, the app opens regardless of network condition, and a micro VPN session is initialized as needed when an app configured for tunneled access attempts to use one of the redirected network APIs. Default value is False.
  • MvpnExcludeDomains. Comma-separated list of host or domain names to be excluded from being routed through the NetScaler reverse web proxy. The host or domain names are excluded even though the split DNS settings configured on the gateway might otherwise select them.

    Note: This policy is only enforced for Secure Browse connections. If MvpnRedirectWebTrafficWithSSO is False, this policy is ignored.

  • MvpnDisableTcpRedirect. Enables or disables TCP-level network redirection through the NetScaler Gateway VPN tunneling endpoint. Under normal circumstances, leave TCP redirection enabled. However, troubleshooting web SSO issues is often easier when you prevent TCP-level interception of web traffic that the standard web interception functions do not catch.

For more information about these policies, see MDX Policies for iOS Apps.

Deploying policies for line of business apps

After you’ve uploaded your apps to Intune, follow this procedure to apply policies to those apps.

  1. Sign in to https://portal.azure.com/ and then navigate to Intune > Mobile apps.
  2. Under Manage, click App configuration policies.
  3. Click Add and then enter a name for the policy you want to create. For Enrollment Type, select Not Enrolled with Intune. This selection is a limitation of the current system.
  4. Click Associated App, select the apps to which you want to apply the policy and then click OK.
  5. Click Configuration Settings.
  6. In the Name field, enter the name of one of the policies noted in the following section in this article.
  7. In the Value field, enter the value you want to apply for that policy. Click off the field to add the policy to the list. You can add multiple policies.
  8. Click OK and then click Add. The policy is added to your list of policies.
  9. You can delete the policy. To do so, select the policy and then click Delete Policy on the right.

Line of business policies

The following table lists the policies you can deploy for line of business apps. In addition to these policies, you can also use the policies listed earlier in this article for MDX. For more information about these policies, see MDX Policies at a Glance.

Name (iOS/Android) | Description | Values
--- | --- | ---
AppLogLevel/DefaultLoggerLevel | Controls the default verbosity of the mobile productivity app diagnostic logging facility. Higher numbers include more detailed logging. | 1-5
AppLogTarget/DefaultLoggerOut | Determines which output media the mobile productivity app diagnostic logging facility uses by default. | File, Console, or Both
AppLogFileSize/MaxLogFileSize | Limits the size in MB of the log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 1 MB, maximum is 5 MB. | 1-5
AppLogFileCount/MaxLogFiles | Limits the number of log files retained by the mobile productivity app diagnostic logging facility before rolling over. Minimum is 2, maximum is 8. | 2-8
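As an added example (not Citrix or Microsoft code), the following Python lints the key/value pairs you would type into Configuration Settings in the procedure above, using the Mvpn* policies and the logging policies from the two tables. It assumes that an absent MvpnDisableTcpRedirect leaves TCP redirection on and that an absent MvpnRedirectWebTrafficWithSSO takes its documented default of True; the sample policies it checks are constructed.

```python
"""Lint an Intune app configuration policy for the MDX micro VPN and logging keys."""
import re
from typing import Dict, List

FQDN_URL = re.compile(r"^https://[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # https://host.domain, no path
HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")
BOOL_KEYS = ("MvpnRedirectWebTrafficWithSSO", "MvpnSessionRequired", "MvpnDisableTcpRedirect")
INT_RANGES = {  # iOS name and Android name share one allowed range (table above)
    "AppLogLevel": (1, 5), "DefaultLoggerLevel": (1, 5),
    "AppLogFileSize": (1, 5), "MaxLogFileSize": (1, 5),
    "AppLogFileCount": (2, 8), "MaxLogFiles": (2, 8),
}
LOG_TARGETS = {"File", "Console", "Both"}


def _is_true(policy: Dict[str, str], key: str, default: bool) -> bool:
    val = policy.get(key)
    return default if val is None else val.strip().lower() == "true"


def lint_policy(policy: Dict[str, str]) -> List[str]:
    """Return findings for one app configuration policy; an empty list means clean."""
    findings: List[str] = []

    gateway = policy.get("MvpnGatewayAddress", "").strip()
    if not gateway:
        findings.append("MvpnGatewayAddress is empty: micro VPN redirection stays disabled")
    elif not FQDN_URL.match(gateway):
        findings.append(f"MvpnGatewayAddress must be https://<public FQDN> with no path, got {gateway!r}")

    for key in BOOL_KEYS:
        val = policy.get(key)
        if val is not None and val.strip().lower() not in ("true", "false"):
            findings.append(f"{key} must be True or False, got {val!r}")

    sso = _is_true(policy, "MvpnRedirectWebTrafficWithSSO", True)     # documented default True
    tcp_disabled = _is_true(policy, "MvpnDisableTcpRedirect", False)  # ASSUMPTION: absent = redirect on
    if not sso and tcp_disabled:
        findings.append("Secure Browse off and TCP redirect disabled: no traffic is redirected to the gateway")

    excludes = policy.get("MvpnExcludeDomains", "")
    if excludes.strip():
        if not sso:
            findings.append("MvpnExcludeDomains is ignored because MvpnRedirectWebTrafficWithSSO is False")
        for item in excludes.split(","):
            item = item.strip()
            if not item or not HOSTNAME.match(item):
                findings.append(f"MvpnExcludeDomains entry {item!r} is not a host or domain name")

    for key, (low, high) in INT_RANGES.items():
        val = policy.get(key)
        if val is None:
            continue
        try:
            number = int(val)
        except ValueError:
            findings.append(f"{key} must be an integer, got {val!r}")
            continue
        if not low <= number <= high:
            findings.append(f"{key} must be between {low} and {high}, got {number}")

    for key in ("AppLogTarget", "DefaultLoggerOut"):
        val = policy.get(key)
        if val is not None and val not in LOG_TARGETS:
            findings.append(f"{key} must be one of {sorted(LOG_TARGETS)}, got {val!r}")

    return findings


# CONSTRUCTED sample policies: one clean, one with the mistakes the lint catches.
GOOD_POLICY = {
    "MvpnGatewayAddress": "https://mygateway.domain.com",
    "MvpnRedirectWebTrafficWithSSO": "True",
    "MvpnSessionRequired": "False",
    "MvpnExcludeDomains": "cdn.example.com, login.microsoftonline.com",
    "AppLogLevel": "3", "AppLogTarget": "File", "AppLogFileSize": "5", "AppLogFileCount": "2",
}
BAD_POLICY = {
    "MvpnGatewayAddress": "mygateway.domain.com/vpn",
    "MvpnRedirectWebTrafficWithSSO": "False",
    "MvpnDisableTcpRedirect": "True",
    "MvpnExcludeDomains": "cdn.example.com,",
    "AppLogFileCount": "9", "AppLogTarget": "Syslog",
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(policy) or "clean")
```

Run it against the exact strings you intend to paste into the Value field; the two combined checks (exclusions that are silently ignored, and a policy that disables both redirection paths) are the ones that otherwise only show up as apps that cannot reach internal resources.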

To configure Secure Mail

Secure Mail now supports various configurations. You can wrap Secure Mail in an Intune MAM container connecting to an on-premises Exchange Server. You can connect Secure Mail to hosted Exchange or Office 365 accounts. This release does not support certificate-based authentication, however, so use LDAP instead.

Secure Mail also automatically populates user names. To enable this feature, you must configure the following custom policies first.

  1. From your Endpoint Management console, go to Settings > Server Properties and then click Add.

  2. In the list, click Custom Key and then in the Key field, type xms.store.idpuser_attrs.

  3. Set the value to true and then in Display name, type xms.store.idpuser_attrs. Click Save.

  4. Click Client Properties and then click Add.

  5. Select Custom Key and then type SEND_LDAP_ATTRIBUTES in the Key field.

  6. Type userPrincipalName=${user.userprincipalname},email=${user.mail},displayname=${user.displayname},sAMAccountName=${user.samaccountname},aadupn=${user.id_token.upn},aadtid=${user.id_token.tid} in the Value field, enter a description and then click Save.

    The following steps only apply for iOS devices.

  7. Go to Configure > Device Policies, click Add, and then select the App Configuration policy.

  8. Enter a policy name and then click Next.

    In the Identifier list, click Add new. In the text box that appears, enter the bundle ID for your Secure Mail app.

  9. In the Dictionary content box, type the following text.

    <dict>
      <key>XenMobileUserAttributes</key>
      <dict>
        <key>userPrincipalName</key>
        <string>${user.userprincipalname}</string>
        <key>email</key>
        <string>${user.mail}</string>
        <key>displayname</key>
        <string>${user.displayname}</string>
        <key>sAMAccountName</key>
        <string>${user.samaccountname}</string>
        <key>aadupn</key>
        <string>${user.id_token.upn}</string>
        <key>aadtid</key>
        <string>${user.id_token.tid}</string>
      </dict>
      <key>IntuneMAMUPN</key>
      <string>${user.id_token.upn}</string>
    </dict>
    
  10. Clear the Windows Phone and Windows Desktop/Tablet check boxes and then click Next.

  11. Select the user groups to which you want the policy deployed and then click Save.
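The SEND_LDAP_ATTRIBUTES value in step 6 and the dictionary in step 9 are two encodings of the same attribute map, and a typo in either only surfaces as a Secure Mail account that fails to pre-populate. As an added example (not Citrix code), the following Python generates both from one map, round-trips the dictionary through plistlib to prove it is a well-formed plist, and previews what the macros expand to for one user. It assumes that Endpoint Management expands the ${user.…} macros server-side exactly as the procedure shows; the sample user record is constructed.

```python
"""Generate and validate the Secure Mail user-attribute configuration from one map."""
import plistlib
import re
from typing import Dict
from xml.sax.saxutils import escape

# Attribute name as Secure Mail expects it -> Endpoint Management macro (steps 6 and 9 above)
USER_ATTRIBUTES = {
    "userPrincipalName": "${user.userprincipalname}",
    "email": "${user.mail}",
    "displayname": "${user.displayname}",
    "sAMAccountName": "${user.samaccountname}",
    "aadupn": "${user.id_token.upn}",
    "aadtid": "${user.id_token.tid}",
}
MACRO = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

SAMPLE_USER = {  # CONSTRUCTED: what the macros would resolve to for one synced user
    "user.userprincipalname": "jdoe@corp.example",
    "user.mail": "jane.doe@corp.example",
    "user.displayname": "Jane Doe",
    "user.samaccountname": "jdoe",
    "user.id_token.upn": "jdoe@corp.example",
    "user.id_token.tid": "11111111-2222-3333-4444-555555555555",
}


def send_ldap_attributes_value(attrs: Dict[str, str] = USER_ATTRIBUTES) -> str:
    """Value for the SEND_LDAP_ATTRIBUTES client property (step 6)."""
    return ",".join(f"{name}={macro}" for name, macro in attrs.items())


def app_config_dictionary(attrs: Dict[str, str] = USER_ATTRIBUTES) -> str:
    """Dictionary content for the iOS App Configuration device policy (step 9)."""
    lines = ["<dict>", "  <key>XenMobileUserAttributes</key>", "  <dict>"]
    for name, macro in attrs.items():
        lines += [f"    <key>{escape(name)}</key>", f"    <string>{escape(macro)}</string>"]
    lines += ["  </dict>", "  <key>IntuneMAMUPN</key>",
              f"  <string>{escape(attrs['aadupn'])}</string>", "</dict>"]
    return "\n".join(lines)


def parse_dictionary(fragment: str) -> dict:
    """Round-trip the fragment through plistlib so a typo fails here, not on the device."""
    document = ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
                + fragment + "\n</plist>\n")
    parsed = plistlib.loads(document.encode("utf-8"))
    if not isinstance(parsed, dict):
        raise ValueError("top-level plist element must be a <dict>")
    return parsed


def expand_macros(text: str, user: Dict[str, str], xml: bool = False) -> str:
    """Preview what the server sends for one user. Unknown macros raise instead of going out empty."""
    def substitute(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in user:
            raise KeyError(f"no value for ${{{key}}}: is that attribute synced to Azure AD?")
        return escape(user[key]) if xml else user[key]  # escape when substituting into XML
    return MACRO.sub(substitute, text)


if __name__ == "__main__":
    print(send_ldap_attributes_value())
    print(app_config_dictionary())
    print(parse_dictionary(expand_macros(app_config_dictionary(), SAMPLE_USER, xml=True)))
```

The preview step is also the place to catch the failure mode of the last step: a group whose users are not synchronized to Azure AD yields macros with no value, which the expander reports as a KeyError instead of silently sending an empty attribute.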

Troubleshooting

General Issues

Issue: When opening an app, the following error message appears: App Policy Required.

Resolution: Add policies in the Microsoft Graph API.

Issue: You have policy conflicts.

Resolution: Only a single policy per app is allowed.

Issue: When wrapping an app, the following error appears:

Failed to package app.

com.microsoft.intune.mam.apppackager.utils.AppPackagerException: This app already has the MAM SDK integrated.

com.microsoft.intune.mam.apppackager.AppPackager.packageApp(AppPackager.java:113)

com.microsoft.intune.mam.apppackager.PackagerMain.mainInternal(PackagerMain.java:198)

com.microsoft.intune.mam.apppackager.PackagerMain.main(PackagerMain.java:56)

The application could not be wrapped.

Resolution: The app is integrated with the Intune SDK. You do not need to wrap the app with the Intune wrapper.

Issue: Your app can't connect to internal resources.

Resolution: Ensure that the correct firewall ports are open, that you used the correct tenant ID, and so on.

NetScaler Gateway issues

The following table lists common issues with NetScaler Gateway configurations and their solutions. For troubleshooting, enable more logs and check them by doing the following:

  1. In the command-line interface, run the following command: set audit syslogParams -logLevel ALL
  2. Check the logs from shell using tail -f /var/log/ns.log
Issue | Solution
--- | ---
The permissions required for the Gateway app on Azure are unavailable. | Check that a proper Intune license is available. Try the manage.windowsazure.com portal to see if the permission can be added. Contact Microsoft support if the issue persists.
NetScaler Gateway cannot reach login.microsoftonline.com and graph.windows.net. | From the NetScaler shell, check whether the Microsoft site is reachable: curl -v -k https://login.microsoftonline.com. The -k option skips certificate validation, so this proves reachability only; repeat the command without -k to confirm that the certificate chain validates. Then check that DNS is configured on NetScaler and that the firewall settings are correct, in case DNS requests are blocked.
An error appears in ns.log after you configure OAuthAction. | Check that Intune licensing is enabled and that the Azure Gateway app has the proper permissions set.
sh OAuthAction does not show the OAuth status as COMPLETE. | Check the DNS settings and the permissions configured on the Azure Gateway app.
The Android or iOS device does not show the dual authentication prompt. | Check that the Dual Factor Device ID logonSchema is bound to the authentication virtual server.

OAuth error condition and status

Status | Error condition
--- | ---
COMPLETE | Success
AADFORGRAPH | Invalid secret, URL not resolved, or connection timeout
MDMINFO | *.manage.microsoft.com is down or unreachable
GRAPH | Graph endpoint is down or unreachable
CERTFETCH | Cannot talk to the token endpoint https://login.microsoftonline.com because of a DNS error. To validate, go to the shell and run curl https://login.microsoftonline.com. This command must succeed.
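Most of the non-COMPLETE statuses above come down to DNS or TLS reachability of the three Microsoft endpoints named in the firewall rule earlier in this article. As an added example (not Citrix code), the following Python preflights that egress path: it resolves each host (the port 53 rule) and opens a verified TLS session on 443 (the port 443 rule), unlike curl -k, which skips certificate validation. It assumes you run it from a machine on the NetScaler subnet, passing the SNIP as source_ip where that host owns the address; the resolver and connector are injectable so the offline test below runs with fakes.

```python
"""Preflight DNS and TLS reachability of the Azure AD, Graph and Intune endpoints."""
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

REQUIRED_HOSTS = [
    "login.microsoftonline.com",  # token endpoint (CERTFETCH / AADFORGRAPH in the table above)
    "graph.windows.net",          # Graph endpoint (GRAPH)
    "manage.microsoft.com",       # Intune; the firewall rule allows *.manage.microsoft.com (MDMINFO)
]

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, str, Optional[str]], Tuple[bool, str]]


def resolve_host(host: str) -> List[str]:
    """DNS step: this is what the port 53 rule must allow."""
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tls_connect(host: str, ip: str, source_ip: Optional[str], timeout: float = 5.0) -> Tuple[bool, str]:
    """TLS step on 443 with certificate verification (curl -k skips that)."""
    context = ssl.create_default_context()
    source = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((ip, 443), timeout=timeout, source_address=source) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} to {ip}"
    except (OSError, ssl.SSLError) as exc:  # SSLError subclasses OSError; listed for clarity
        return False, f"{exc.__class__.__name__}: {exc}"


def preflight(hosts: List[str] = REQUIRED_HOSTS, source_ip: Optional[str] = None,
              resolve: Resolver = resolve_host, connect: Connector = tls_connect) -> Dict[str, dict]:
    """Resolve and TLS-connect to each host; returns a per-host report."""
    report: Dict[str, dict] = {}
    for host in hosts:
        entry = {"addresses": [], "tls_ok": False, "detail": ""}
        try:
            entry["addresses"] = resolve(host)
        except OSError as exc:
            entry["detail"] = f"DNS failure: {exc}"  # check NetScaler DNS and the port 53 rule
            report[host] = entry
            continue
        if not entry["addresses"]:
            entry["detail"] = "DNS failure: no addresses returned"
            report[host] = entry
            continue
        entry["tls_ok"], entry["detail"] = connect(host, entry["addresses"][0], source_ip)
        report[host] = entry
    return report


def failing_hosts(report: Dict[str, dict]) -> List[str]:
    """Hosts that did not complete a verified TLS handshake, in REQUIRED_HOSTS order."""
    return [host for host, entry in report.items() if not entry["tls_ok"]]


if __name__ == "__main__":
    for host, entry in preflight().items():
        print(host, "OK" if entry["tls_ok"] else "FAIL", entry["detail"])
```

A DNS failure on login.microsoftonline.com matches the CERTFETCH condition; a resolved address that never completes the handshake matches the timeout case of AADFORGRAPH, MDMINFO or GRAPH depending on the host. A clean preflight does not by itself mean COMPLETE, since an invalid client secret or missing Azure permissions fail later; confirm with sh OAuthAction after the network path is clean.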

Known issues

When you deploy apps with Citrix and Intune to support micro VPN: When users provide their user name and password to access digest sites, even though their credentials are valid, an error appears. [CXM-25227]

After changing Split tunnel from On to Off and waiting for the current gateway session to expire: External traffic passes directly on without going through NetScaler until the user launches an internal site in Full VPN mode. [CXM-34922]

After changing the Open-in policy from Managed apps only to All apps, users cannot open documents in unmanaged apps until they close and relaunch Secure Mail. [CXM-34990]

When split tunnel is On in Full VPN mode, and the split DNS changes from local to remote, internal sites fail to load. [CXM-35168]

Third-party known issues

On Secure Mail for Android, when a user taps Create New Event, the new event creation page does not display. [CXM-23917]

When you deploy Citrix Secure Mail for iOS with Citrix and Intune to support micro VPN: The app policy that obscures the Secure Mail screen when users move the app to the background is not enforced. [CXM-25032]

When users first run Secure Mail on Intune MDM+MAM, the setup takes users through a workflow to select Intune MAM/Endpoint Management. [CXM-31272]