Onboarding and resource setup

To sign up for a Citrix account and request an Endpoint Management trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears. Next to Endpoint Management, click Request Trial.

Image of Cloud configuration screen

The button then changes to Trial Requested. After you request a trial, a Citrix Sales Engineer follows up on the trial request by completing a Podio form. The information that you must provide is included in the Onboarding Handbook under “Endpoint Management Trial Sales Engineer engagement.” You receive an email to notify you when your trial becomes available.

While waiting for the trial, be sure to prepare for your Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port requirements still apply. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for Endpoint Management changes to Manage, which opens a wizard. Follow the instructions in that wizard to configure your connection to Endpoint Management.

The following diagram shows the first screen that you see when starting a trial. The setup wizard first prompts you to configure details such as a site name and IP address range for the cloud-hosted components.

Image of Cloud configuration screen

After you set up resource locations in the setup wizard, the wizard guides you through the initial configuration of Endpoint Management, starting with LDAP.

Image of Endpoint Management configuration screen

After you complete the wizard, the Citrix Cloud Operations group integrates Endpoint Management on Citrix Cloud. Meanwhile, you can start the process of preparing to support Android, iOS, and Windows platforms. For more information, see “Mobile platform support” in Endpoint Management.

The following sections describe additional setup to perform when you can access the Endpoint Management console.

Configure allowed URLs for resource locations

To specify the allowed URLs for a resource location, go to Settings > Cloud Connector Whitelist, click Add, and choose a Resource Location. Then, specify the Allowed/Whitelisted URLs for that location.

  • Allowed/Whitelisted URLs: Specify one URL per line. You can use the asterisk (*) or question mark (?) wildcards.

Image of Cloud Connector configuration screen

Configure users and groups

A User type column appears on the Manage > Users page of the Endpoint Management console. That column indicates whether each user is a local, Active Directory, or cloud user.

For local users and AD users, you can perform all user management functions described in User accounts, roles, and enrollment.

A cloud user is a special user account that Citrix Cloud creates and manages on the Endpoint Management server. Citrix Cloud creates a cloud user account when an administrator is added to your Citrix Cloud customer account. A cloud user account uses the same user name as the administrator account. The cloud user account provides single sign-on and performs other administrative functions.

For cloud users:

  • You can change the roles and user properties of cloud users through the Endpoint Management console.
  • You cannot change cloud user passwords through the Endpoint Management console.
  • You can change a cloud user password from Identity and access management in Citrix Cloud.
  • You cannot delete cloud users.
  • You cannot give cloud users membership in a group.

Configure delivery groups

When you create a delivery group, you specify whether the user assignments are managed in Endpoint Management or in Citrix Cloud. You cannot change this specification after you create the delivery group.

If you plan to use the delivery group to deliver other services available through Citrix Cloud, specify that the user assignments are managed in Citrix Cloud. Other services include Citrix Virtual Apps and Desktops, Life Cycle Management, Citrix Content Collaboration, or Secure Browser Service. You can only add Active Directory users to these delivery groups.

If you only need mobility management for a delivery group of users and apps, set Manage user assignments to In Endpoint Management. Delivery groups with users managed in Endpoint Management are not visible in Citrix Cloud. Therefore, you cannot use delivery groups managed in Endpoint Management to deliver other services.

You can perform all Endpoint Management delivery group management functions through the Endpoint Management console, as described in Deploy Resources.

To add a delivery group and specify how its user assignments are managed:

  1. In the console, click Configure > Delivery Groups.

  2. From the Delivery Groups page, click Add. The Delivery Group Information page appears.

    Image of Delivery Groups configuration screen

  3. Enter a name and description for the delivery group and click Next.

  4. On the User Assignments page, specify how to manage the delivery group user assignments.

    • In Endpoint Management. Select this option if you plan to create a delivery group for users and apps that only need mobility management. Delivery groups whose user assignments are managed in Endpoint Management are not visible in Citrix Cloud and cannot be used to deliver other services.
    • In Citrix Cloud. Select this option if you plan to use the delivery group to deliver other services, such as Citrix Virtual Apps and Desktops or Citrix Content Collaboration.

    Image of Delivery Groups configuration screen

Important

You cannot change the Manage user assignments setting after the user group is created.

  5. Add users to the delivery group and click Next.

  6. Add optional resources to the delivery group, as described in Deploy Resources.

  7. Review the Summary page.

  8. Click Save to create the delivery group.

Configure resource locations for PKI entity connections

To use Cloud Connector for Microsoft Certificate Services entity connections, go to Settings > PKI Entities. When you add or edit a PKI entity, change Use Cloud Connector to ON. Then, specify a Resource Location and Allowed Relative Paths for those locations.

  • Resource Location: Choose from the resource locations defined in Citrix Cloud Connector.
  • Allowed Relative Paths: The relative paths allowed for the specified resource location. Specify one path per line. You can use the asterisk (*) wildcard.

Suppose that the resource location is https://www.ServiceRoot/certsrv. To provide access to all URLs in that path, enter * in Allowed Relative Paths.

Image of PKI configuration screen

Configure resource locations for Citrix Virtual Apps and Desktops connections

To use Cloud Connector for Virtual Apps and Desktops connections, go to Settings > XenApp/XenDesktop. Then, change Use Cloud Connector to ON and specify the following options for those locations.

  • Resource Location: Choose from the resource locations defined in Citrix Cloud Connector.
  • Allowed Relative Paths: The relative paths allowed for the specified resource location. Specify one path per line. You can use the asterisk (*) wildcard.

    Suppose that the resource location is https://storefront.company.com and you want to provide access to the following URLs:

    • https://storefront.company.com/Citrix/PNAgent/Config.xml
    • https://storefront.company.com/Citrix/PNAgent/enum.aspx
    • https://storefront.company.com/Citrix/PNAgent/launch.aspx

    To allow all requests with the URL https://storefront.company.com/Citrix/PNAgent/*, enter this path: /Citrix/PNAgent/*

    Endpoint Management blocks all other paths.

Image of XenApp and XenDesktop configuration screen
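
The wildcard rules described for Allowed/Whitelisted URLs and for Allowed Relative Paths can be reviewed offline before you save them. The following Python sketch is an added example, not Citrix code: it assumes that * matches any run of characters (including /) and that ? matches exactly one character, and it reports required URLs that no entry covers, entries that cover nothing you need, and entries that match every path. The function names, the example.test host, and the /Example/Other/* entry are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def to_regex(entry, qmark=False):
    # Assumed semantics (not taken from Citrix code): '*' is any run of characters,
    # including '/'; '?' is exactly one character, honoured only for allowed-URL entries.
    wild = {"*": ".*", "?": "." if qmark else r"\?"}
    body = "".join(wild.get(ch, re.escape(ch)) for ch in entry.strip())
    return re.compile(body, re.DOTALL)

def relative_path(resource_location, url):
    """Path of url relative to the resource location, or None if outside it."""
    base, target = urlsplit(resource_location), urlsplit(url)
    if (base.scheme, base.netloc.lower()) != (target.scheme, target.netloc.lower()):
        return None
    prefix = base.path.rstrip("/")
    if target.path != prefix and not target.path.startswith(prefix + "/"):
        return None
    return target.path[len(prefix):] or "/"

def is_allowed(resource_location, entries, url):
    """Allowed Relative Paths check: anything no entry matches is blocked."""
    rel = relative_path(resource_location, url)
    return rel is not None and any(to_regex(e).fullmatch(rel) for e in entries)

def url_allowed(entries, url):
    """Allowed/Whitelisted URLs check: full URLs, with '*' and '?' both active."""
    return any(to_regex(e, qmark=True).fullmatch(url) for e in entries)

def audit(resource_location, entries, required_urls):
    """Least-privilege review: what is missing, unused, or matches everything."""
    return {
        "uncovered": [u for u in required_urls
                      if not is_allowed(resource_location, entries, u)],
        "unused": [e for e in entries
                   if not any(is_allowed(resource_location, [e], u) for u in required_urls)],
        "catch_all": [e for e in entries if e.strip() and set(e.strip()) <= {"*", "/"}],
    }

# Resource location and required URLs taken from the StoreFront example above.
LOCATION = "https://storefront.company.com"
REQUIRED = [LOCATION + p for p in ("/Citrix/PNAgent/Config.xml",
            "/Citrix/PNAgent/enum.aspx", "/Citrix/PNAgent/launch.aspx")]

if __name__ == "__main__":
    print(audit(LOCATION, ["/Citrix/PNAgent/*"], REQUIRED))     # the entry from the page
    print(audit(LOCATION, ["*", "/Example/Other/*"], REQUIRED))  # constructed, too broad
```

An empty report for the first list means the single /Citrix/PNAgent/* entry covers the three required URLs and nothing in the list is redundant. In the second report, the bare * is listed under catch_all and the constructed entry under unused.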

Configure an on-premises Citrix Gateway for use with Endpoint Management

To configure an on-premises Citrix Gateway for use with Endpoint Management, you perform the following general steps, detailed in this section:

  1. Download a script and related files from the Endpoint Management console.
  2. Update the script for your environment.
  3. Run the script on NetScaler. You can use the script to configure multiple Citrix Gateways.

The script configures these Citrix Gateway settings required by Endpoint Management:

  • Citrix Gateway virtual servers needed for MDM and MAM
  • Session policies for the Citrix Gateway virtual servers
  • Endpoint Management server details
  • Proxy load balancer for certificate validation
  • LDAP server details (The script includes comments about the LDAP configuration details.)
  • Traffic actions and policies for the proxy server
  • Clientless access profile
  • Static local DNS record on NetScaler
  • Bindings: Service and traffic policy; CA certificate and service

The script doesn’t handle the following configuration:

  • Exchange load balancing
  • Citrix Content Collaboration load balancing
  • ICA Proxy configuration

The rest of this section describes these general steps for using the script. See the readme file provided with the script for the latest detailed instructions.

  1. Verify that your environment meets the prerequisites. For information, see System requirements.

  2. Download the script bundle, update the script placeholders with details from your environment, and then run the script.

  3. Test the configuration.

Download the script bundle and update the script for your environment

Note:

NetScaler Gateway is now renamed to Citrix Gateway. The old name is still shown in the console UI.

  1. To download the script bundle, go to the Settings > NetScaler Gateway page, select a gateway, click Export Configuration Script, and then click Download.

    Image of Citrix Gateway configuration screen

    The Export Configuration Script button also appears on the page where you add a Citrix Gateway.

    The script bundle includes a:

    • Readme file with detailed instructions
    • Script that contains the NetScaler CLI commands used to configure the required components in NetScaler
    • Public Root CA certificate and the Intermediate CA certificate
    • Script that contains the NetScaler CLI commands used to remove the NetScaler configuration
  2. Upload and install the certificate files (provided in the script bundle) on the NetScaler appliance in the /nsconfig/ssl/ directory.

    Image of Citrix Gateway configuration screen

    The following examples show how to install the root certificate.

    Image of Citrix Gateway configuration screen

    Image of Citrix Gateway configuration screen

    Image of Citrix Gateway configuration screen

    Image of Citrix Gateway configuration screen

    Ensure that you install both the root and intermediate certificates.

  3. Edit the script (OfflineNSGConfigtBundle_CREATESCRIPT) to replace all placeholders with details from your environment.

    Image of Citrix Gateway configuration screen

  4. Run your edited script in the NetScaler bash shell, as described in the readme file included in the script bundle. For example:

    /netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/OfflineNSGConfigtBundle_CREATESCRIPT.txt"

    Image of Citrix Gateway configuration screen

    When the script completes, the following lines appear.

    Image of Citrix Gateway success screen

Test the configuration

To validate the configuration:

  1. Validate that the Citrix Gateway Virtual Server shows a state of UP.

    Image of Citrix Gateway status screen

  2. Validate that the Proxy Load Balancing Virtual Server shows a state of UP.

    Image of Citrix Gateway status screen

  3. Open a web browser, connect to the Citrix Gateway URL, and attempt to authenticate. If the authentication succeeds, you are redirected to an “HTTP Status 404 - Not Found” message.

  4. Enroll a device and ensure it gets both MDM and MAM enrollment.

Endpoint Management administration

Endpoint Management is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, Endpoint Management administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and Endpoint Management.

All Citrix Cloud administrators are also created as Endpoint Management administrators by default unless those administrators were created with custom access that doesn’t include Endpoint Management. To change a role at any time, access the Endpoint Management console from the Citrix Cloud dashboard. For more information about adding and editing administrators, see Add, edit, or delete local user accounts for Endpoint Management and Add administrators for Citrix Cloud. You can change only the role and membership of a user. You cannot change user names or passwords, nor delete or edit local users, from the Endpoint Management console. Instead, make those changes within Citrix Cloud.

Image of Endpoint Management Dashboard screen

If you have a Citrix Content Collaboration account that existed before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the Citrix Content Collaboration account. When you’re ready to proceed, go to https://onboarding.cloud.com.

  1. After you log in, a screen similar to the following appears.

    Image of Cloud configuration screen

  2. In the Citrix Content Collaboration tile, choose Link Account.

    Image of Link Content Collaboration Account menu

    After we confirm your Citrix Content Collaboration account, the following page appears:

    Image of Add Content Collaboration Account screen

  3. Click the Link Account tab to complete the process. You can immediately manage your Citrix Content Collaboration account from within Citrix Cloud.

Next steps

After you complete the onboarding and resource setup described in this article, continue your configuration in the Endpoint Management console. For information about next steps, see Prepare to enroll devices and deliver resources.