Citrix Endpoint Management

Onboarding and resource setup

If you are new to Citrix, Citrix Cloud, or to Endpoint Management, this article guides you through onboarding. Learn about workflow and the details you need to get started.

  • Where do I start?
  • Does the configuration order matter? This article follows a recommended configuration sequence. You can work in a different order. The Endpoint Management console lets you know if prerequisites are missing, through messages such as “Set up after provisioning”.

  • What do I do after onboarding? After you complete the onboarding and resource configuration described in this article, continue your configuration in the Endpoint Management console. For information about next steps, see Prepare to enroll devices and deliver resources.

For new Citrix customers

For Citrix Cloud customers new to Endpoint Management:

If you already purchased an Endpoint Management subscription, skip to When the Manage button is available.

If you haven’t set up a Citrix Cloud account, see Sign up for Citrix Cloud.

If you already set up a Citrix Cloud account, but haven’t purchased Endpoint Management, request a service demo.

  1. Use your Citrix Cloud administrator credentials to sign in to your Citrix Cloud account. The Citrix Cloud home page appears.

    All Citrix Cloud administrator accounts are created as follows:

    • Citrix Cloud administrators are Endpoint Management administrators by default.
    • Citrix Cloud administrators created with customer access must have Endpoint Management selected for them to administrate Endpoint Management.
  2. On the Citrix Cloud home page, locate the Endpoint Management service tile and click Request Demo.

  3. Complete and submit the demo request form. The button on the Endpoint Management services tile changes to Demo Requested.

If you click the Endpoint Management services tile before your request is handled, a screen appears advising you to contact your representative or partner. A Citrix sales representative can provide more information and detail about the service.

While waiting for the trial, be sure to prepare for your Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Endpoint Management solution, you must handle some communication and port requirements.

Continue with the next section.

When the Manage button is available

When your Endpoint Management service is available, the button on the Endpoint Management services tile changes to Manage.


To start setup:

  1. Sign in to your Citrix Cloud account using your Citrix Cloud administrator credentials.
  2. Click Manage in the Endpoint Management tile to access the Endpoint Management console.
  3. Type your site name and select a region. Then select Save & Continue.

Site name and region


To request the IPs to allow, contact the Citrix Support representative.

The Endpoint Management console then opens with a message saying that we are provisioning your suite and that some Endpoint Management functions are locked during provisioning.

  1. In the Welcome screen, click Start setup.
  2. Select the endpoints you want to manage and click Save. You can add or clear endpoints at any time to show or hide them in the console. Showing and hiding endpoints doesn’t affect your configuration.

Endpoints to manage

We send you an email when provisioning completes.

Resource Center

Click the Resource Center icon to watch how-to videos without leaving the console.

During provisioning

While we provision Endpoint Management, you can get started with configuration.

Configure resource locations

You need resource locations before you can configure Lightweight Directory Access Protocol (LDAP) connections for Endpoint Management. Resource locations contain the resources required to deliver cloud services to your subscribers. You need one resource location per domain. For help, see the Citrix Cloud article, Resource Locations.

While waiting for the trial, be sure to prepare for your Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Endpoint Management solution, you must meet some communication and port requirements. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory. The information that you must provide is included in the Onboarding Handbook under “Endpoint Management Trial Sales Engineer engagement.”

After you are authorized to access the trial, the button for Endpoint Management changes to Manage. Click Manage to open the Citrix Endpoint Management console.

Configure authentication

After your site is provisioned, you can continue with configuration. We recommend that you set up a cloud-hosted identity provider (IdP) or Lightweight Directory Access Protocol (LDAP) to import groups, user accounts, and related properties.

To configure IdP

Endpoint Management supports authentication with identity providers, such as Azure Active Directory, Okta, and on-premises Citrix Gateway.

To configure an IdP in Citrix Cloud and set it up for Endpoint Management:

To configure LDAP

You can configure a connection in Endpoint Management to one or more LDAP-compliant directories for domain-based authentication. Endpoint Management supports groups that are nested in LDAP. Nested groups synchronize daily at 12 AM local time.

As a part of configuring LDAP, you must install at least one Cloud Connector.

To set up LDAP:

  1. On the Settings page, scroll to the LDAP tile and then click Set Up.
  2. Follow the on-screen guidance to download and install a Cloud Connector. Cloud Connectors are required for enabling communication between Citrix Cloud and your resources. For help, see Citrix Cloud Connector.

If you have the LDAP configuration and you add Azure AD or Okta as an identity provider, Endpoint Management synchronizes IdP-specific information for your Active Directory groups in the Endpoint Management database. This configuration doesn’t affect your existing delivery groups and user enrollments. However, you can’t add LDAP settings in Endpoint Management afterwards. For more information, see Identity provider authentication.

If you change the Domain alias or User search by settings after enrollment, users must re-enroll. For more information about LDAP configuration, see Domain or domain plus security token authentication.

After setting up LDAP, you can continue with the authentication configuration or set up a specific platform.

Configure Citrix Gateway

When integrated with Endpoint Management, Citrix Gateway provides remote device access to your internal network and resources.

Endpoint Management requires Citrix Gateway for the following scenarios:

  • You require a micro VPN for access to internal network resources for line-of-business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs Citrix Gateway to connect to internal back-end infrastructures.
  • You plan to use Endpoint Management to manage apps (MAM or MDM+MAM). Citrix Gateway isn’t required to manage devices only (MDM).
  • You plan to integrate Endpoint Management with Microsoft Endpoint Manager. (Requires an on-premises Citrix Gateway.)

The following table summarizes the features supported by the on-premises Citrix Gateway solutions.

Supported features | Citrix Gateway on-premises
Secure Mail (STA)* | yes
Tunneled - Web SSO (web single sign-on) | yes
Full VPN (not available for Citrix Mobile productivity apps for iOS) | yes
Per-app VPN | yes
Mobile single sign-on (access control) | no
High Availability | yes**
Multi-POP deployment | yes***
Proxy support | yes
Split-tunneling | yes
Split DNS | yes

* Citrix Cloud Secure Ticket Authority (STA) service configuration

** On-premises configuration

*** Global Server Load Balancing configuration

On-premises Citrix Gateway use cases

Use one or more on-premises Citrix Gateway appliances with Endpoint Management when:

  • You require per-app VPN capabilities.
  • You require full tunneling, split tunneling, reverse split tunneling, or split DNS. We recommend full VPN tunnel for connections that use client certificates or end-to-end SSL to a resource in the internal network.
  • You use Citrix Endpoint Management integration with Microsoft Endpoint Manager.

Using an on-premises Citrix Gateway involves significant configuration and maintenance. After you configure LDAP and Citrix Gateway in the Endpoint Management console, you export a script from that console. You then run the script on the Citrix Gateway.

  1. On the Settings page, scroll to the Citrix Gateway tile and then click Start setup.
  2. Select Citrix Gateway (on-premises) as the type.
  3. Follow the on-screen guidance. For information, see Configure on-premises Citrix Gateway for use with Endpoint Management.

Configure notification server

To send notifications, you must configure a gateway and a notification server. A notification server provides connectivity and enables communication between end users and the administrator. To set up a notification server in Endpoint Management, see Notifications.

Configure an Apple Push Notification service (APNs) certificate for Apple devices

Endpoint Management requires an Apple Push Notification service (APNs) certificate from Apple to enroll and manage Apple devices. Endpoint Management also requires an APNs certificate if you plan to use push notifications for Secure Mail for Apple. For information about Endpoint Management and APNs, see Push Notifications for Secure Mail for iOS.

Obtaining a certificate from Apple requires an Apple ID and developer account. For details, see the Apple Developer Program website.

To configure APNs with a Citrix Certificate Signing Request:

  1. On the Settings page, expand the Apple tile.
  2. On the APNs Certificate tile, click Set Up and then follow the on-screen guidance.

For more information, see Certificates and authentication.

Configure Android Enterprise

Endpoint Management is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, Endpoint Management administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and Endpoint Management.

You can set up Android Enterprise for Endpoint Management with either Google Play or Google Workspace.

  1. If your organization does not use Google Workspace: You can use managed Google Play to register Citrix as your EMM provider. If you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use work apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

    Because this type of enterprise isn’t tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise. That setup enables you to use different enterprises to manage separate sets of devices and apps.

  2. If your organization already uses Google Workspace to provide users access to Google apps: You can use Google Workspace to register Citrix as your EMM. If your organization uses Google Workspace, it has an existing enterprise ID and existing Google Accounts for users. To use Endpoint Management with Google Workspace, you sync with your LDAP directory and retrieve Google Account information from Google using the Google Directory API.

    This type of enterprise is tied to an existing domain. Therefore, each domain can only create one enterprise. To enroll a device in Endpoint Management, each user must manually sign in with their existing Google Account. The account gives users access to managed Google Play and to other Google services through your Google Workspace plan.

To get started:

  1. On the Settings page, expand the Android tile.
  2. On the Android Enterprise tile, click Set Up.
  3. Choose Google Play or G Suite, according to how you provide users access to Google applications. If you previously configured the Android Enterprise platform with Google Play, the UI takes you to the Google Play store to reenroll. Click Re-enroll, return to the CEM console, and refresh the page.
  4. Follow the on-screen guidance.


Configure Firebase Cloud Messaging

Citrix recommends that you use Firebase Cloud Messaging (FCM) to control how and when Android devices connect to Endpoint Management. Endpoint Management sends connection notifications to Android devices that are enabled for FCM. Any security action or deploy command triggers a push notification to prompt the user to reconnect to the Endpoint Management server. See Firebase Cloud Messaging.

Integrate with Microsoft Endpoint Manager

Endpoint Management integration with Microsoft Endpoint Manager adds the value of the Endpoint Management micro VPN to Microsoft Intune aware apps, such as Microsoft Edge browser.

Endpoint Management integration with MEM also allows enterprises to wrap their own line of business apps with Intune and Citrix. The app wrapping provides micro VPN capabilities inside an Intune mobile app management (MAM) container. Endpoint Management micro VPN enables your apps to access on-premises resources. You can manage and deliver Office 365 apps, line of business apps, and Citrix Secure Mail in one container. A single container provides ultimate security and productivity.

  • Citrix Cloud administrators are Endpoint Management administrators by default.
  • Citrix Cloud administrators created with customer access must have Endpoint Management selected for them to administrate Endpoint Management.

In the Endpoint Management console, you can change only the role and membership of a user. To change a role at any time, access the Endpoint Management console from the Citrix Cloud dashboard. Go to the Manage tab and click Users. Select a specific user and click Edit to change the role. For more information, see Configure roles with RBAC.

To integrate with MEM, see Citrix Endpoint Management integration with Microsoft Endpoint Manager.

After you complete configuration in Citrix Cloud, return to the Endpoint Management console as follows: Go to the Citrix Cloud Home page and then click Manage on the Endpoint Management tile. Then you can verify whether you signed in to Endpoint Management with your Azure Active Directory account.

  1. On the Settings page, scroll to the Integrate with Microsoft EMS/Intune tile.
  2. Click See more. The UI indicates if you successfully enabled the connection.

Configure Microsoft EMS/Intune

In the Citrix Cloud console, you can also change user names or passwords, and delete or edit local users. See Identity and access management.

If you had a Citrix Content Collaboration account before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the Citrix Content Collaboration account. When you’re ready to proceed, go to

  1. After you log in, a screen similar to the following appears.

    Cloud configuration screen

  2. In the Citrix Content Collaboration tile, choose Link Account.

    Link Content Collaboration Account menu

  3. After we confirm your Citrix Content Collaboration account, the following page appears:

    Add Content Collaboration Account screen

  4. Click the Link Account tab to complete the process. You can immediately manage your Citrix Content Collaboration account from Citrix Cloud.