Citrix Endpoint Management

Citrix Endpoint Management integration with Microsoft Endpoint Manager

Endpoint Management integration with Microsoft Endpoint Manager (MEM) adds the value of Endpoint Management micro VPN to Microsoft Intune aware apps, such as Microsoft Managed Browser.

To activate the integration, contact the Citrix Cloud Operations team.

This release supports the following use cases:

  • Intune MAM with Endpoint Management MDM+MAM.

    This article focuses on the Intune MAM + Endpoint Management MDM+MAM use case. After you add Citrix as your MDM provider, configure Intune managed apps for delivery to devices.

    Important:

    For this use case, Secure Mail doesn’t support integration with Intune. Secure Mail only works for devices enrolled in MDX mode.

  • Intune MAM and Endpoint Management MDM.
  • Intune MAM.
  • Intune MAM and Intune MDM. Secure Mail for iOS supports single sign-on for this use case.

Getting Started Guide

This document is an easy-to-follow, graphical guide to setting up Endpoint Management integration with MEM.

System requirements

MDX-enable

Microsoft

  • Azure AD access (with Tenant Admin privileges)
  • Intune-enabled tenant

Firewall rule

  • Enable a Firewall rule to allow DNS and SSL traffic from a Citrix Gateway subnet IP to *.manage.microsoft.com, https://login.microsoftonline.com, and https://graph.windows.net (port 53 and 443)

Prerequisites

  • Managed Browser: The Mobile Apps SDK is integrated within the Intune Managed Browser app for iOS and Android. For more information about the Managed Browser, see the Microsoft Managed Browser page.
  • Citrix Cloud account: To sign up for a Citrix account and request a Citrix Endpoint Management trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to https://onboarding.cloud.com. For more information on requesting a Citrix Cloud account, see Sign up for Citrix Cloud.

    Note:

    The email you supply must be an address that is not associated with Azure AD. You can use any free email service.

  • APNs certificates for iOS: Ensure that you configure APNs certificates for iOS. To learn more about setting up these certificates, see this Citrix blog post: Creating and Importing APNs Certificates.
  • Azure AD Sync: Set up synchronization between Azure AD and on-premises Active Directory. Do not install the AD sync tool on the domain controller machine. For more information on setting up this sync, see the Microsoft documentation on Azure Active Directory.

Configuring Citrix Gateway

If you are setting up a new Endpoint Management deployment, install one of these Citrix Gateway appliances:

  • NetScaler Gateway VPX 3000 series or greater
  • NetScaler Gateway MPX or dedicated SDX instance

To use Citrix Gateway with Endpoint Management integration with MEM:

  • Configure Citrix Gateway with a management interface and a subnet IP.
  • Use TLS 1.2 for all client to server communication. For information about configuring TLS 1.2 for Citrix Gateway, see CTX247095.

If you are using Endpoint Management integration with MEM with an Endpoint Management MDM+MAM deployment, configure two Citrix Gateways. MDX app traffic is routed through one Citrix Gateway. Intune app traffic is routed through the other Citrix Gateway. Configure:

  • Two public IPs.
  • Optionally, one network address translated IP.
  • Two DNS names. Example: https://mam.company.com.
  • Two public SSL certificates. Configure certificates that match the reserved public DNS name or use wildcard certificates.
  • A MAM load balancer with an internal non-routable RFC 1918 IP address.
  • An LDAP Active Directory service account.

Consenting to delegated permission prompts

Some managed apps require users to authenticate. For those apps, Microsoft Graph exposes the request application permissions. By consenting to the permission prompts, the app can access the required resources and APIs. Some apps require consent by the Azure AD global administrator for Microsoft Azure AD. For these delegated permissions, the global administrator must grant Citrix Cloud permission to request tokens. The tokens then enable the following permissions. See the Microsoft Graph permissions reference.

  • Sign in and read user profile: This permission allows users to sign in and connect to Azure AD. Citrix can’t view user credentials.
  • Read all users’ basic profiles: The app reads profile properties on behalf of users in the organization. The properties include the display name, first and last name, and email address and photo of users in the organization.
  • Read all groups: This permission enables Azure AD groups to be enumerated for app and policy assignment.
  • Access directory as the signed-in user: This permission verifies the Intune subscription and enables Citrix Gateway and VPN configurations.
  • Read and write Microsoft Intune apps: The app can read and write the following:

    • Microsoft-managed properties
    • Group assignments and the status of apps
    • App configurations
    • App protection policies

Also, during the Citrix Gateway configuration, the Azure AD global administrator must:

  • Approve the Active Directory chosen for micro VPN.
  • Generate a client secret that Citrix Gateway uses to communicate with Azure AD and Intune.

The global administrator must not have the role of Citrix administrator. Instead, the Citrix administrator assigns Azure AD accounts to users with appropriate Intune application admin privileges. The Intune administrator then serves the role of a Citrix Cloud admin to manage Intune from within Citrix Cloud.

Note:

Citrix only uses the Intune Global Administrator password during setup and redirects the authentication to Microsoft. Citrix can’t access the password.

To configure Endpoint Management integration with MEM

For a video summary of the integration, watch:

Video icon

  1. Log on to the Citrix Cloud site and request a trial for Endpoint Management.

  2. A sales engineer schedules an onboarding meeting with you. Let them know that you want Endpoint Management integration with MEM. When your request is approved, click Manage.

    The Citrix Cloud site

  3. From here you can click the cog in the upper right of your site or you can click Configure Site.

    The Citrix Cloud site

  4. Follow the link in the first step to the Identity and Access Management page.

    The link for Identity and Access Management

  5. Click Connect to connect your Azure AD installation.

    The Identity and Access Management page

  6. Enter a unique logon URL that the Azure AD administrator uses to log on and then click Confirm.

    Logon URL screen and Connect button

  7. Add an Azure AD global administrator account and then accept the permissions request.

    The Use another account button

    The Accept button

  8. Confirm that your Azure AD instance connects successfully. To indicate a successful connection, the Not Connected text changes to say Enabled.

    The Disconnect button

  9. Click the Administrators tab and then add your Azure AD Intune administrator as a Citrix Cloud administrator. Select Azure AD or Citrix Identity from the drop-down menu, and then search for the user name you want to add. Click Invite and then grant the user Full Access or Custom Access before clicking Send Invite.

    Note:

    Endpoint Management requires the following rules for Custom Access: Library and Citrix Endpoint Management.

    As a result, the Azure AD Intune administrator receives an email invitation to create a password and sign in to Citrix Cloud. Before the administrator signs in, ensure that you sign out of all other accounts.

    The Azure AD Intune administrator must follow the remaining steps in this procedure.

    The Azure AD Intune administrator Invite option

    The confirmation screen

  10. After signing in with the new account, under Endpoint Management, click Manage. If the configuration is correct, the page shows that the Azure AD administrator is signed in and the Intune subscription is valid.

    The Endpoint Management Manage option

To configure Citrix Gateway for micro VPN

To use micro VPN with Intune, you must configure Citrix Gateway to authenticate to Azure AD. An existing Citrix Gateway virtual server does not work for this use case.

First, configure Azure AD to sync with the on-premises Active Directory. This step is necessary to ensure that authentication between Intune and Citrix Gateway occurs properly.

Active Directory synchronization

  1. From the Citrix Cloud console, under Endpoint Management, click Manage.

  2. Next to Micro VPN, click Configure Micro VPN.

    Configure Micro VPN button

  3. Enter a name for the micro VPN service and the external URL for your Citrix Gateway and then click Next.

    This script configures Citrix Gateway to support Azure AD and the Intune apps.

    Citrix Gateway details page

  4. Click Download Script. The .zip file includes a readme with instructions for implementing the script. Even though you can Save and Exit from here, the Micro VPN is not set up until you run the script on your Citrix Gateway installation.

    Download Script button

    Note:

    When you finish the Citrix Gateway configuration process, if you see an OAuth Status other than COMPLETE, see the Troubleshooting section.

To configure device management

If you want to manage devices in addition to apps, choose a method of device management. You can use Endpoint Management MDM+MAM or Intune MDM.

Note:

By default, Intune MDM is selected for the console. To use Intune as your MDM provider, see the Microsoft Intune documentation.

  1. From the Citrix Cloud console, under Endpoint Management integration with MEM, click Manage. Next to Device Management - Optional, click Configure MDM.

    Configure MDM screen

  2. Enter a unique site name, select the Cloud region closest to you and then click Request a Site. A prompt lets you know that you receive an email when your site is ready.

    The unique site name page

    The site request confirmation

  3. Click OK to close the prompt. Select an Active Directory Location to associate with your site or create a resource location and then click Next.

    Active Directory location option

    Option to create a resource location

  4. Click Download Cloud Connector and follow the on-screen instructions to install the cloud connector. After installation, click Test Connection to verify the connection between Citrix Cloud and the Cloud Connector.

    The download cloud connector option

    The test connection option

  5. Click Save & Exit to finish. Your resource location appears. Clicking Finish takes you back to the settings screen.

    The save and exit screen

  6. You can now access the Endpoint Management console from your site tile. From here, you can perform MDM management tasks and assign device policies. For more information on device policies, see Device Policies.

    The Manage Site screen

Configure Intune managed apps for delivery to devices

To configure Intune managed apps for delivery:

  • Add the apps to the Citrix Cloud library
  • Create Endpoint Management device policies to control the flow of data
  • Create a delivery group for the apps and policies

Add Intune managed apps to the Citrix Cloud library

For each app you want to add:

  1. From the Citrix Cloud console, click the menu icon and then click Library.

    Citrix Cloud Library page

  2. Click the blue plus sign icon on the upper-right and then click Add a Mobile app.

    You might need to wait a minute for the options to populate the list.

    Add a Mobile app option

  3. Select an app template to customize or click Upload my own App.

    Policies to configure

    Citrix supplies the existing app templates, each of which comes with a set of preconfigured default policies. For apps that customers upload, the following policies apply:

    • MDX Files: Includes MAM SDK enabled apps or MDX-wrapped apps, such as:
      • Intune app protection policies and the default MDX policies contained in the package
      • Public store apps, such as Intune app protection policies and default MDX policies that match the bundle ID or package ID
    • IPA Files: Intune App protection policies.
    • APK Files: Intune app protection policies.

    Note:

    If the app is not wrapped with Intune, Intune app protection policies do not apply.

  4. Clicked Upload my own App and upload your .mdx or Intune wrapped file.

    Upload own wrapped file screen

  5. Enter a name and description for the app, choose whether the app is optional or required, and then click Next.

  6. Configure the application settings. The following configurations enable data Endpoint Management and Intune containers to transfer data to each other.

    • Allow apps to receive data from other apps: Select Policy managed apps.
    • Allow app to transfer data to other apps: Select All apps.
    • Restrict cut, copy, paste with other apps: Select Policy managed apps.
  7. Configure the storage repositories for saved data. For Select which storage services corporate data can be saved to, select LocalStorage.

  8. Optional: Set Data Relocation, Access, and PIN policies for the app. Click Next.

  9. Review the summary of the app and then click Finish.

    This app configuration process might take a few minutes. When the process completes, a message indicates that the app has been published to the library.

    Finish button

  10. To assign user groups to the app, click Assign Users.

    Assign Users option

  11. In the search box, search for user groups and click to add them. You cannot add individual users.

    Add Subscribers option

  12. When you have added all the groups, you can close the window by clicking the X.

    The ready status

    You might encounter an error when adding user groups. This error occurs when the user group has not been synchronized to your local Active Directory.

Control the type of data transferred between managed apps

Control the type of data can be transferred between managed apps within the Endpoint Management or Intune containers using Endpoint Management device policies. You can configure a Restrictions policy to allow only data tagged as “corporate”. Configure an App Configuration policy to tag the data.

To configure the Restrictions device policy:

  1. In the Endpoint Management console, click Configure > Device Policies.

  2. On the Device Policies page, click Add. The Add a New Policy page appears.

    Device Policies configuration screen

  3. To create a device policy for iOS apps, select iOS in the Platforms pane.

  4. Click Restrictions from the list of policies.

  5. On the Policy Information page, type a name and (optionally) a description for the policy. Click Next.

  6. Under Security - Allow, set Documents from managed apps in unmanaged apps to Off. The Off setting causes these settings to change to Off: Unmanaged apps read managed contacts and Managed apps write unmanaged contacts. Click Next.

  7. Click Next until the Save button appears. Click Save.

Configure the App Configuration device policy for each app:

  1. In the Endpoint Management console, click Configure > Device Policies.

  2. Click Add. The Add a New Policy page appears.

  3. To create a device policy for an iOS app, select iOS in the Platforms pane.

  4. On the Policy Information page, type a name and (optionally) a description for the policy. Click Next.

  5. Click App Configuration from the list of policies.

  6. Select the identifier for app to be configured.

  7. For iOS apps, add the following text to Dictionary content:

    <dict>
        <key>IntuneMAMUPN</key>
        <string>${user.userprincipalname}</string>
    </dict>
    
  8. Click Check Dictionary.

  9. Click Next.

  10. Click Save.

Configure delivery groups for the apps and device policies

  1. In the Endpoint Management console, click Configure > Delivery Groups.

  2. On the Delivery Groups page, click Add. The Delivery Group Information page appears.

  3. On the Delivery Group Information page, type a name and (optionally) a description for the delivery group. Click Next.

  4. On the Assignments page, specify how you want to deploy the delivery group: Choose In Endpoint Management or In Citrix Cloud.

    Delivery Groups configuration screen

  5. If you chose In Endpoint Management:

    • Select domain: From the list, select the domain from which to choose users.
    • Include user groups: Do one of the following:
      • In the list of user groups, click the groups you want to add. The selected groups appear in the Selected user groups list.
      • Click Search to see a list of all user groups in the selected domain.
      • Type a full or partial group name in the search box, and then click Search to limit the list of user groups.

      To remove a user group from the Selected user groups list, do one of the following:

      • In the Selected user groups list, click the X next to each of the groups you want to remove.
      • Click Search to see a list of all user groups in the selected domain. Scroll through the list and clear the check box of each of the groups you want to remove.
      • Type a full or partial group name in the search box, and then click Search to limit the list of user groups. Scroll through the list and clear the check box of each of the groups you want to remove.
  6. Click Next.

  7. In the Policies page, drag the Restrictions policy and the App Configuration policy you create from the left to right. Click Next.

  8. In the Apps page, drag the apps you want to deliver from the left side of the page to Required Apps or Optional Apps. Click Next.

  9. Optional, configure the settings on the Media page, Actions page, and Enrollments page. Or accept the defaults on each page and click Next.

  10. On the Summary page, review the delivery group settings and click Save to create the delivery group.

When publishing the app in the Intune console, select Force apps to be managed. Users on unsupervised devices are prompted to allow management of the app. If users accept the prompt, the app is managed on the device. If users decline the prompt, the app is not available on the device.

Configure Secure Mail

Secure Mail now supports various configurations. You can wrap Secure Mail in an Intune MAM container connecting to an on-premises Exchange Server. You can connect Secure Mail to hosted Exchange or Office 365 accounts. This release does not support certificate-based authentication, however, so use LDAP instead.

Important:

To use Secure Mail in MDX mode, you must use Citrix Endpoint Management MDM+MAM.

Secure Mail also automatically populates user names. To enable this feature, you must configure the following custom policies first.

  1. From your Endpoint Management console, go to Settings > Server Properties and then click Add.

  2. In the list, click Custom Key and then in the Key field, type xms.store.idpuser_attrs.

  3. Set the value to true and then in Display name, type xms.store.idpuser_attrs. Click Save.

  4. Click Client Properties and then click Add.

  5. Select Custom Key and then type SEND_LDAP_ATTRIBUTES in the Key field.

  6. Type userPrincipalName=${user.userprincipalname},email=${user.mail},displayname=${user.displayname},sAMAccountName=${user.samaccountname},aadupn=${user.id_token.upn},aadtid=${user.id_token.tid} in the Value field, enter a description and then click Save.

    The following steps only apply for iOS devices.

  7. Go to Configure > Device Policies, click Add, and then select the App Configuration policy.

  8. Enter a policy name and then click Next.

    In the Identifier list, click Add new. In the text box that appears, enter the bundle ID for your Secure Mail app.

  9. In the Dictionary content box, type the following text.

    <dict>
    
    <key>XenMobileUserAttributes</key>
    
    <dict>
    
    <key>userPrincipalName</key>
    
    <string>${user.userprincipalname}</string>
    
    <key>email</key>
    
    <string>${user.mail}</string>
    
    <key>displayname</key>
    
    <string>${user.displayname}</string>
    
    <key>sAMAccountName</key>
    
    <string>${user.samaccountname}</string>
    
    <key>aadupn</key>
    
    <string>${user.id_token.upn}</string>
    
    <key>aadtid</key>
    
    <string>${user.id_token.tid}</string>
    
    </dict>
    
    <key>IntuneMAMUPN</key>
    
    <string>${user.id_token.upn}</string>
    
    </dict>
    
  10. Clear the Windows Phone and Windows Desktop/Tablet check boxes and then click Next.

  11. Select the user groups to which you want the policy deployed and then click Save.

Troubleshooting

General issues

Issue: When opening an app, the following error message appears: App Policy Required.

Resolution: Add policies in the Microsoft Graph API.

Issue: You have policy conflicts.

Resolution: Only a single policy per app is allowed.

Issue: Your app can’t connect to internal resources.

Resolution: Ensure that the correct firewall ports are open, your tenant ID is correct, and so on.

Citrix Gateway issues

The following table lists common issues with Citrix Gateway configurations and their solutions. For troubleshooting, enable more logs and check them by doing the following:

  1. In the command-line interface, run the following command: set audit syslogParams -logLevel ALL
  2. Check the logs from a shell using tail -f /var/log/ns.log
Issue Solution
The permissions required to be configured for the Gateway App on Azure are unavailable. Check if a proper Intune license is available. Try using the manage.windowsazure.com portal to see if the permission can be added. Contact Microsoft support if the issue persists.
Citrix Gateway cannot reach login.microsoftonline.com and graph.windows.net. From NS Shell, check if you are able to reach the following Microsoft website: curl -v -k https://login.microsoftonline.com. Then, check whether DNS is configured on Citrix Gateway and that the firewall settings are correct (in case DNS requests are firewalled).
An error appears in ns.log after you configure OAuthAction. Check if Intune licensing is enabled and the Azure Gateway app has the proper permissions set.
Sh OAuthAction command does not show OAuth status as complete. Check the DNS settings and configured permissions on the Azure Gateway App.
The Android or iOS device does not show the dual authentication prompt. Check if the Dual Factor Device ID logonSchema is bound to the authentication virtual server.

OAuth error condition and status

Status Error Condition
COMPLETE Success
AADFORGRAPH Invalid secret, URL not resolved, connection timeout
MDMINFO *manage.microsoft.com is down or unreachable
GRAPH Graph endpoint is down unreachable
CERTFETCH Cannot talk to “Token Endpoint: https://login.microsoftonline.com because of a DNS error. To validate this configuration, go to shell and type curl https://login.microsoftonline.com. This command must validate.

Limitations

The following items describe some limitations of using MEM with Citrix Endpoint Management.

  • When you deploy apps with Citrix and Intune to support micro VPN: When users provide their user name and password to access digest sites, an error appears even if the credentials are valid. [CXM-25227]
  • After changing Split tunnel from On to Off and waiting for the current gateway session to expire: External traffic passes directly on without going through Citrix Gateway until the user starts an internal site in Full VPN mode. [CXM-34922]
  • After changing the Open-in policy from Managed apps only to All apps, users cannot open documents in unmanaged apps until they close and relaunch Secure Mail. [CXM-34990]
  • When split tunneling is On in Full VPN mode, and the split DNS changes from local to remote, internal sites fail to load. [CXM-35168]

Known issues

When the mVPN policy Enable http/https redirection (with SSO) is disabled, Secure Mail does not function. [CXM-58886]

Third-party known issues

On Secure Mail for Android, when a user taps Create New Event, the new event creation page does not display. [CXM-23917]

When you deploy Citrix Secure Mail for iOS with Citrix and Intune to support micro VPN: The app policy that obscures the Secure Mail screen when users move the app to the background is not enforced. [CXM-25032]

Citrix Endpoint Management integration with Microsoft Endpoint Manager