Onboarding and resource setup

To sign up for a Citrix account and request an Endpoint Management trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears. Next to Endpoint Management, click Request Trial.

Cloud configuration screen

The button then changes to Trial Requested. After you request a trial, a Citrix Sales Engineer follows up on the trial request by completing a Podio form. The information that you must provide is included in the Onboarding Handbook under “Endpoint Management Trial Sales Engineer engagement.” You receive an email to notify you when your trial becomes available.

While waiting for the trial, prepare for your Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Endpoint Management solution, some communication and port requirements still apply. That setup connects the Endpoint Management infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for Endpoint Management changes to Manage, which opens a wizard. Each step in the wizard is optional, but the configurations are a good starting point. If you don’t configure any of the steps in the wizard, you can configure them later from the Endpoint Management console.

The wizard starts with Certificates. Some certificates are generated automatically. The only certificate you need to upload at this point is an APNs certificate, if you plan on deploying iOS devices. For more information about certificates, see Certificates and authentication.

Endpoint Management configuration screen

Configure NetScaler Gateway settings next. (NetScaler Gateway is now called Citrix Gateway, but it appears as NetScaler Gateway in some places in the UI.)

  • Before you click Export Configuration Script, complete the fields on the NetScaler Gateway and LDAP Configuration settings pages and save the configuration. The exported script is empty or incomplete unless you provide the information on both of those pages.
  • To export the script after you complete the wizard, go to Settings > NetScaler Gateway. For more information about how Citrix Gateway and Endpoint Management integrate, see Citrix Gateway and Endpoint Management.

Endpoint Management configuration screen

The remaining steps cover LDAP configuration, Notification server setup, and connecting your Android Enterprise account.

Endpoint Management configuration screen


After you complete the wizard, the Citrix Cloud Operations group integrates Endpoint Management on Citrix Cloud.

The following sections describe more setup to perform when you can access the Endpoint Management console.

Configure allowed URLs for resource locations

To specify the allowed URLs for a resource location, go to Settings > Cloud Connector Whitelist, click Add, and choose a Resource Location. Then, specify the Allowed/Whitelisted URLs for that location.

  • Allowed/Whitelisted URLs: Specify one URL per line. You can use the asterisk (*) or question mark (?) wildcards.

Cloud Connector configuration screen
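
Before you paste patterns into the Allowed/Whitelisted URLs field, it helps to check what each wildcard pattern actually admits. The following is an added example, not Citrix code: it assumes that * matches any run of characters, that ? matches exactly one character, and that a pattern must match the whole URL (the exact matching rules of the Cloud Connector are not stated on this page). The sample patterns and host names are constructed.

```python
import re

# Constructed sample allowlist, one pattern per line as the settings field expects.
SAMPLE_ALLOWLIST = """
https://*.corp.example.test/*
https://intranet.example.test*
https://app?.example.test/api/*
"""

def parse_allowlist(text):
    """Split the field contents into patterns, skipping blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def wildcard_to_regex(pattern):
    """Assumed semantics: * = any run of characters, ? = exactly one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def is_allowed(url, patterns):
    """True if any pattern matches the whole URL."""
    return any(wildcard_to_regex(p).match(url) for p in patterns)

def lint(pattern):
    """Return warnings for patterns that can match more hosts than intended."""
    warnings = []
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        rest = pattern
    if not sep or "*" in scheme or "?" in scheme:
        warnings.append("scheme not pinned")
    host = rest.split("/", 1)[0]
    if host.strip("*?") == "":
        warnings.append("host is entirely wildcard")
    elif host.endswith("*"):
        warnings.append("trailing * in host also matches longer, unrelated domains")
    elif host.startswith("*") and not host.startswith("*."):
        warnings.append("leading * is not anchored at a dot")
    return warnings

def audit(text):
    """Map each pattern that has warnings to its list of warnings."""
    return {p: w for p in parse_allowlist(text) if (w := lint(p))}
```

Under these assumptions, ending the host part with a slash before the wildcard (for example https://intranet.example.test/*) keeps the pattern tied to that one host.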

Configure Citrix Gateway use with Endpoint Management

When integrated with Endpoint Management, Citrix Gateway provides an authentication mechanism for remote device access to the internal network. Endpoint Management requires Citrix Gateway for the following scenarios:

  • You require a micro VPN for access to internal network resources for line of business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs Citrix Gateway to connect to internal back-end infrastructures.

  • You plan to use Endpoint Management to manage apps (MAM or MDM+MAM). Citrix Gateway isn’t required to manage devices only (MDM).
  • You plan to integrate Endpoint Management with Microsoft Intune/EMS.

Citrix offers both cloud-based and on-premises Citrix Gateway solutions.


After you configure a Citrix Gateway solution, switching to the other solution requires that you reenroll devices. If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative. For prerequisites, see To use Citrix Gateway service.

The following table summarizes the features supported by the cloud-based and on-premises Citrix Gateway solutions.

| Supported features | Citrix Gateway service | Citrix Gateway on-premises |
|---|---|---|
| Secure Mail (STA)* | yes | yes |
| Secure Browse (web single sign-on) | yes | yes |
| Full VPN | no | yes |
| Per-app VPN | no | yes |
| Mobile single sign-on (access control) | yes | no |
| High Availability | yes | yes** |
| Multi-POP deployment | yes | yes*** |
| Proxy support | yes | yes |
| Split-tunneling | no | yes |
| Split DNS | no | yes |

* Citrix Cloud Secure Ticket Authority (STA) service configuration

** On-premises configuration

*** Global Server Load Balancing configuration

Citrix Gateway service use cases (preview)

Citrix Gateway service is now in preview. For support during the preview, go to CGS and Mobile SSO Tech Preview Feedback.

Use the cloud-based Citrix Gateway service with Endpoint Management when:

  • You want a maintenance-free service that doesn’t require negotiating with network, security, and compliance teams before configuring your corporate network.

  • You want to use the unified authentication experience provided by Citrix Cloud. Citrix Gateway service uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account.

  • You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail or Secure Web. Citrix Gateway provides an on-demand application VPN connection that Secure Hub initiates on mobile devices to access corporate network sites or resources.

    This variation of a clientless VPN is also known as Secure Browse. Connections such as web traffic that tunnel to the internal network use Secure Browse. We recommend Secure Browse for connections that require single sign-on (SSO).

How Citrix Gateway service works

MDM and MAM control traffic goes directly to Citrix Endpoint Management, without going through Citrix Gateway service. All traffic sent to Citrix Gateway is directed to the on-premises Gateway Connector.

Citrix Gateway service isn’t used during device enrollment in Endpoint Management.

For Citrix mobile productivity apps:

  • Secure Hub uses a certificate for MAM control traffic.
  • Secure Mail uses the Citrix Cloud Secure Ticket Authority (STA) service.

    Citrix Gateway service uses the primary resource location.

  • Secure Web uses Secure Browse.

The following diagram provides an overview of Citrix Gateway service architecture.

Citrix Gateway service architecture overview

The on-premises Gateway Connector can reside outside of the DMZ. All Gateway Connector connections are outbound on SSL port 443. For more information, see Gateway Connector.

The following authentication types are supported for Citrix Gateway service integration with Endpoint Management:

  • Basic, Digest, NTLM
  • Kerberos Constrained Delegation (KCD) single sign-on
  • Form-based single sign-on
  • SAML single sign-on

To use Citrix Gateway service


  • Citrix Workspace experience enabled

    If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Support representative.

  • Citrix Gateway service subscription

  • Gateway Connector installed on-premises in a resource location

    For information, see Citrix Gateway Connector. If the connector isn’t available during Citrix Endpoint Management onboarding, you can install it after onboarding.

New Endpoint Management customers can configure Citrix Gateway service:

  • During onboarding in the Initial Configuration wizard.
  • After onboarding in Settings > NetScaler Gateway > Add Citrix Gateway service.

From either of those locations, choose Use Citrix Gateway service as the Type.

Citrix Gateway configuration screen

On-premises Citrix Gateway use cases

Use one or more on-premises Citrix Gateway appliances with Endpoint Management when:

  • You require per-app VPN capabilities.
  • You require full tunneling, split tunneling, reverse split tunneling, or split DNS. We recommend full VPN tunnel for connections that use client certificates or end-to-end SSL to a resource in the internal network.
  • You use Citrix Endpoint Management integration with Microsoft Intune/EMS.

Use of on-premises Citrix Gateway involves significant configuration and maintenance. For more information, see Configure on-premises Citrix Gateway for use with Endpoint Management.

Endpoint Management administration

Endpoint Management is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, Endpoint Management administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and Endpoint Management.

Citrix Cloud administrator accounts are created in Endpoint Management as follows:

  • Citrix Cloud administrators are Endpoint Management administrators by default.
  • However, a Citrix Cloud administrator created with custom access that excludes Endpoint Management isn’t created as an Endpoint Management administrator.

To change a role at any time, access the Endpoint Management console from the Citrix Cloud dashboard. For more information about adding and editing administrators, see:

  • Add, edit, or delete local user accounts for Endpoint Management

    In the Endpoint Management console, you can change only the role and membership of a user.

  • Add administrators for Citrix Cloud

    In the Citrix Cloud console, you can change user names or passwords, and delete or edit local users.

Endpoint Management Dashboard screen

If you had a Citrix Content Collaboration account before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the Citrix Content Collaboration account. When you’re ready to proceed, go to https://onboarding.cloud.com.

  1. After you log in, a screen similar to the following appears.

    Cloud configuration screen

  2. In the Citrix Content Collaboration tile, choose Link Account.

    Link Content Collaboration Account menu

    After we confirm your Citrix Content Collaboration account, the following page appears:

    Add Content Collaboration Account screen

  3. Click the Link Account tab to complete the process. You can immediately manage your Citrix Content Collaboration account from within Citrix Cloud.

Next steps

To ensure that everything is set up correctly, you can use the Endpoint Management Analyzer. From the Troubleshooting and Support page, click Endpoint Management Analyzer to access this tool. For more information on using the Endpoint Management Analyzer, see Endpoint Management Analyzer.

After you complete the onboarding and resource configuration described in this article, continue your configuration in the Endpoint Management console. For information about next steps, see Prepare to enroll devices and deliver resources.