Onboarding and resource setup

If you are new to Citrix, Citrix Cloud, or to Endpoint Management, this article guides you through onboarding. Learn about workflow and the details you need to get started.

  • Where do I start?
  • Does the configuration order matter? This article follows a recommended configuration sequence. You can work in a different order. The Endpoint Management console lets you know if prerequisites are missing, through messages such as “Set up after provisioning”.

Provide us with your feedback for the new console experience in Endpoint Management using the Citrix Endpoint Management Console Feedback link.

For new Citrix customers

For Citrix Cloud customers new to Endpoint Management:

If you already purchased an Endpoint Management subscription, skip to When the Manage button is available.

If you already set up a Citrix Cloud account, but haven’t purchased Endpoint Management, request a service demo.

  1. Use your Citrix Cloud administrator credentials to sign in to your Citrix Cloud account. The Citrix Cloud home page appears.

    All Citrix Cloud administrator accounts are created as follows:

    • Citrix Cloud administrators are Endpoint Management administrators by default.
    • Citrix Cloud administrators created with customer access must have Endpoint Management selected for them to administrate Endpoint Management.
  2. On the Citrix Cloud home page, locate the Endpoint Management service tile and click Request Demo. A demo request page appears.

    Citrix Cloud demo request page

  3. Complete and submit the form. The button on the Endpoint Management services tile changes to Demo Requested.

If you click the Endpoint Management services tile before your request is handled, the following screen appears. We advise that you contact your representative or partner. A Citrix sales representative can provide more information and detail about the service.

Contact sales representative page

While waiting for the trial, be sure to prepare for your Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Endpoint Management solution, you must handle some communication and port requirements.

Continue with the next section.

When the Manage button is available

For a quick overview of the Endpoint Management onboarding process, watch this video.

When your Endpoint Management service is available, the button on the Endpoint Management services tile changes to Manage.

Endpoint Management Manage button

To start setup:

  1. Sign in to your Citrix Cloud account using your Citrix Cloud administrator credentials.
  2. Click Manage in the Endpoint Management tile.
  3. Type your site name and select a region.

Endpoint Management site details page

Note:

To request IP whitelisting, contact the Citrix Support representative.

The Endpoint Management console then opens with a provisioning status message.

Endpoint Management provisioning status message

  1. In the Welcome screen, click Start setup.
  2. Select the endpoints you want to manage. You can add or clear endpoints at any time to show or hide them in the console. Showing and hiding endpoints doesn’t affect your configuration.

Endpoint Management Add Endpoints page

Citrix sends you an email when provisioning completes.

During provisioning

While we provision Endpoint Management, you can get started with configuration.

Configure resource locations

You need resource locations before you can configure Lightweight Directory Access Protocol (LDAP) connections for Endpoint Management. Resource locations contain the resources required to deliver cloud services to your subscribers. You need one resource location per domain. For help, see the Citrix Cloud article, Resource Locations.

While waiting for the trial, be sure to prepare for your Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Endpoint Management solution, you must still meet some communication and port requirements. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory. The information that you must provide is included in the Onboarding Handbook under “Endpoint Management Trial Sales Engineer engagement.”

After you are authorized to access the trial, the button for Endpoint Management changes to Manage. Click Manage to open the Citrix Endpoint Management console.

Configure LDAP

After your site is provisioned, you can continue with configuration. We recommend that you start with the LDAP authentication to import groups, user accounts, and related properties. As a part of this process, you need to install at least one Cloud Connector.

For a quick overview, watch this video.

To set up LDAP:

  1. On the Settings page, scroll to the LDAP tile and then click Set Up.
  2. Follow the on-screen guidance to download and install a Cloud Connector. Cloud Connectors are required for enabling communication between Citrix Cloud and your resources. For help, see Citrix Cloud Connector.

After setting up LDAP, you can continue with the authentication configuration or set up a specific platform.

Configure Citrix Gateway

When integrated with Endpoint Management, Citrix Gateway provides remote device access to your internal network and resources.

Endpoint Management requires Citrix Gateway for the following scenarios:

  • You require a micro VPN for access to internal network resources for line of business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs Citrix Gateway to connect to internal back-end infrastructures.
  • You plan to use Endpoint Management to manage apps (MAM or MDM+MAM). Citrix Gateway isn’t required to manage devices only (MDM).
  • You plan to integrate Endpoint Management with Microsoft Intune/EMS. (Requires an on-premises Citrix Gateway.)

Citrix offers both cloud-based and on-premises Citrix Gateway solutions. However, only customers with the Citrix Gateway service entitlement can configure the cloud-based service.

For a quick overview, watch this video.

Important:

After you configure a Citrix Gateway solution, switching to another solution requires that you reenroll devices. If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Sales representative. For prerequisites, see To use Citrix Gateway service in this article.

The following table summarizes the features supported by the cloud-based and on-premises Citrix Gateway solutions.

Supported features                         Citrix Gateway service   Citrix Gateway on-premises
Secure Mail (STA)*                         yes                      yes
Tunneled - Web SSO (web single sign-on)    yes                      yes
Full VPN                                   no                       yes
Per-app VPN                                no                       yes
Mobile single sign-on (access control)     yes                      no
High Availability                          yes                      yes**
Multi-POP deployment                       yes                      yes***
Proxy support                              yes                      yes
Split-tunneling                            no                       yes
Split DNS                                  no                       yes

* Citrix Cloud Secure Ticket Authority (STA) service configuration

** On-premises configuration

*** Global Server Load Balancing configuration

Citrix Gateway service use cases (preview)

Citrix Gateway service is now in preview. For support during the preview, go to CGS and Mobile SSO Tech Preview Feedback.

Use the cloud-based Citrix Gateway service with Endpoint Management when:

  • You want to use the unified authentication experience provided by Citrix Cloud. Citrix Gateway service uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account.
  • You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail or Secure Web. Citrix Gateway provides an on-demand application VPN connection that Secure Hub initiates on mobile devices to access corporate network sites or resources.

This variation of a clientless VPN is also known as Tunneled - Web single sign-on (SSO). Connections such as web traffic that tunnel to the internal network use Tunneled - Web SSO. We recommend Tunneled - Web SSO for connections that require single sign-on.

How Citrix Gateway service works

MDM and MAM control traffic go directly to Citrix Endpoint Management, without going through Citrix Gateway service. All traffic sent to Citrix Gateway gets directed to the on-premises Gateway Connector.

Citrix Gateway service isn’t used during device enrollment in Endpoint Management. For Citrix mobile productivity apps:

  • Secure Hub uses a certificate for MAM control traffic.
  • Secure Mail uses the Citrix Cloud Secure Ticket Authority (STA) service.

    Note:

    Citrix Gateway service uses the primary resource location.

  • Citrix Gateway provides an on-demand application VPN connection. Secure Hub initiates that connection on mobile devices to access corporate network sites or resources.

Citrix Gateway service architecture overview

Citrix Gateway service isn’t used during device enrollment in Endpoint Management. After enrollment, MDM control traffic goes directly to Citrix Endpoint Management, without going through Citrix Gateway service. MAM control traffic goes through the Citrix Gateway service. All traffic sent to Citrix Gateway gets directed to the on-premises Gateway Connector.

For a more detailed diagram of the traffic flow, see Support for Citrix Endpoint Management. For Gateway Connector port requirements, see Gateway Connector.

The following authentication types are supported for Citrix Gateway service integration with Endpoint Management:

  • Basic, Digest, NTLM
  • Kerberos Constrained Delegation (KCD) single sign-on; form-based single sign-on
  • SAML single sign-on

To use Citrix Gateway service:

Prerequisites:

  • Citrix Workspace experience enabled

    • With Citrix Workspace enabled, user enrollment starts the Workspace app. When Secure Hub detects the Workspace entitlement, Secure Hub completes enrollment. Secure Hub then opens Citrix Workspace where users can access their apps and other resources.
  • Citrix Gateway service subscription

    • If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Sales representative. Switching from on-premises Citrix Gateway to the Citrix Gateway service requires that you reenroll devices.
    • New Endpoint Management customers: Select the Citrix Gateway service during Endpoint Management onboarding.
  • Gateway Connector installed on-premises in a resource location

    • Endpoint Management uses the resource location for Gateway Connector only for STA tickets for Secure Mail. Citrix Gateway sends STA traffic to the Gateway Connector in the resource location.
    • You can install one or more Gateway Connectors in any resource location. Endpoint Management doesn’t support Gateway Connectors installed in multiple resource locations.
    • You can install Gateway Connector in the same or a different resource location than Active Directory. The only role of Active Directory is to use Citrix Cloud authentication to authenticate users to Citrix Gateway service. Citrix Gateway service creates session connections to the Gateway Connector for authenticated users. You can have multiple Active Directories.
    • If the connector isn’t available during Citrix Endpoint Management onboarding, you can install it after onboarding.

    For more information, see Citrix Gateway Connector and System requirements.

Citrix recommends that new Endpoint Management customers configure Citrix Gateway service rather than on-premises Citrix Gateway.

To set up Citrix Gateway service:

  1. On the Settings page, scroll to the Citrix Gateway tile and then click Set Up.
  2. Choose Citrix Gateway service (cloud) as the type. Only customers with the Citrix Gateway service entitlement can view this setting.
  3. Follow the on-screen guidance. For information, see Configure on-premises Citrix Gateway for use with Endpoint Management.

On-premises Citrix Gateway use cases

Use one or more on-premises Citrix Gateway appliances with Endpoint Management when:

  • You require per-app VPN capabilities.
  • You require full tunneling, split tunneling, reverse split tunneling, or split DNS. We recommend full VPN tunnel for connections that use client certificates or end-to-end SSL to a resource in the internal network.
  • You use Citrix Endpoint Management integration with Microsoft Intune/EMS.

Using on-premises Citrix Gateway involves significant configuration and maintenance. After you configure LDAP and Citrix Gateway in the Endpoint Management console, you export a script from that console. You then run the script on the Citrix Gateway.

  1. On the Settings page, scroll to the Citrix Gateway tile and then click Set Up.
  2. Choose Citrix Gateway (on-premises) as the type.
  3. Follow the on-screen guidance. For information, see Configure on-premises Citrix Gateway for use with Endpoint Management.

Configure notification server

To send notifications, you must configure a gateway and a notification server. A notification server provides the connectivity that lets the administrator and end users communicate with each other. To set up a notification server in Endpoint Management, see Notifications.

Configure an Apple Push Notification service (APNs) certificate for Apple devices

Endpoint Management requires an Apple Push Notification service (APNs) certificate from Apple to enroll and manage Apple devices. Endpoint Management also requires an APNs certificate if you plan to use push notifications for Secure Mail for Apple. For information about Endpoint Management and APNs, see Push Notifications for Secure Mail for iOS.

Obtaining a certificate from Apple requires an Apple ID and a developer account. For details, see the Apple Developer Program website.

For a quick overview, watch this video.

To configure APNs with a Citrix Certificate Signing Request:

  1. On the Settings page, expand the Apple tile.
  2. On the APNs Certificate tile, click Set Up and then follow the on-screen guidance.

Configure Citrix CSR for APNs screen

For more information, see Certificates and authentication.

Configure Android Enterprise

Endpoint Management is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, Endpoint Management administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and Endpoint Management.

You can set up Android Enterprise for Endpoint Management with either Google Play or G Suite.

  1. If your organization does not use G Suite: You can use managed Google Play to register Citrix as your EMM provider. If you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use work apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

    Because this type of enterprise isn’t tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise. That setup enables you to use different enterprises to manage separate sets of devices and apps.

  2. If your organization already uses G Suite to provide users access to Google apps: You can use G Suite to register Citrix as your EMM. If your organization uses G Suite, it has an existing enterprise ID and existing Google Accounts for users. To use Endpoint Management with G Suite, you sync with your LDAP directory and retrieve Google Account information from Google using the Google Directory API.

    This type of enterprise is tied to an existing domain. Therefore, each domain can only create one enterprise. To enroll a device in Endpoint Management, each user must manually sign in with their existing Google Account. The account gives users access to managed Google Play and to other Google services through your G Suite plan.

For a quick overview, watch this video.

To get started:

  1. On the Settings page, expand the Android tile.
  2. On the Android Enterprise tile, click Set Up.
  3. Choose Google Play or G Suite, according to how you provide users access to Google applications. If you previously configured the Android Enterprise platform with Google Play, the UI takes you to the Google Play store to reenroll. Click the Re-enroll button, return to the CEM console, and refresh the page.
  4. Then follow the on-screen guidance.

Choose Google Play or G Suite for Android Enterprise screen

See:

  1. Managed Google Play or G Suite
  2. Create an Android Enterprise Account

Configure Firebase Cloud Messaging

Citrix recommends that you use Firebase Cloud Messaging (FCM) to control how and when Android devices connect to Endpoint Management. Endpoint Management sends connection notifications to Android devices that are enabled for FCM. Any security action or deploy command triggers a push notification to prompt the user to reconnect to the Endpoint Management server. See Firebase Cloud Messaging.

Integrate with Microsoft EMS/Intune

Endpoint Management integration with Microsoft Enterprise Mobility + Security (EMS)/Intune adds the value of Endpoint Management micro VPN to Microsoft Intune aware apps, such as Microsoft Managed Browser.

Endpoint Management integration with EMS/Intune also allows enterprises to wrap their own line of business apps with Intune and Citrix. The app wrapping provides micro VPN capabilities inside an Intune mobile app management (MAM) container. Endpoint Management micro VPN enables your apps to access on-premises resources. You can manage and deliver Office 365 apps, line of business apps, and Citrix Secure Mail in one container. A single container provides ultimate security and productivity.

In the Endpoint Management console, you can change only the role and membership of a user. To change a role at any time, access the Endpoint Management console from the Citrix Cloud dashboard. Go to the Manage tab and click Users. Select a specific user and click Edit to change the role. For more information, see Configure roles with RBAC.

To integrate with Microsoft EMS/Intune, see Citrix Endpoint Management integration with Microsoft Intune/EMS.

After you complete configuration in Citrix Cloud, return to the Endpoint Management console as follows: Go to the Citrix Cloud Home page and then click Manage on the Endpoint Management tile. Then you can verify whether you signed in to Endpoint Management with your Azure Active Directory account.

  1. On the Settings page, scroll to the Integrate with Microsoft EMS/Intune tile.
  2. Click See more. The UI indicates if you successfully enabled the connection.

Configure Microsoft EMS/Intune

In the Citrix Cloud console, you can also change user names or passwords, and delete or edit local users. See Identity and access management.

If you had a Citrix Content Collaboration account before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the Citrix Content Collaboration account. When you’re ready to proceed, go to https://onboarding.cloud.com.

  1. After you log in, a screen similar to the following appears.

    Cloud configuration screen

  2. In the Citrix Content Collaboration tile, choose Link Account.

    Link Content Collaboration Account menu

  3. After we confirm your Citrix Content Collaboration account, the following page appears:

    Add Content Collaboration Account screen

  4. Click the Link Account tab to complete the process. You can immediately manage your Citrix Content Collaboration account from within Citrix Cloud.

Next steps

To ensure that everything is set up correctly, you can use the Endpoint Management Analyzer. From the Troubleshooting and Support page, click Endpoint Management Analyzer to access this tool. For information on using the Endpoint Management Analyzer, see Endpoint Management Analyzer.

After you complete the onboarding and resource configuration described in this article, continue your configuration in the Endpoint Management console. For information about next steps, see Prepare to enroll devices and deliver resources.

Known issues

  • After configuring LDAP, support for nested groups is disabled. [CXM-73722]
  • If you set the use.afw.accounts server property as true after you enrolled in G Suite for Android Enterprise, the new console doesn’t provide you with an option to upgrade to Google Play. [CXM-73403]