Citrix Endpoint Management

Onboarding and resource setup

If you are new to Citrix, Citrix Cloud, or to Citrix Endpoint Management, this article guides you through onboarding. Learn about workflow and the details that you need to get started.

  • Where do I start?
  • Does the configuration order matter? This article follows a recommended configuration sequence. You can work in a different order. The Citrix Endpoint Management console lets you know if prerequisites are missing, through messages such as “Set up after provisioning”.

  • What do I do after onboarding? After you complete the onboarding and resource configuration described in this article, continue your configuration in the Citrix Endpoint Management console. For information about the next steps, see Prepare to enroll devices and deliver resources.

For new Citrix customers

For Citrix Cloud customers new to Citrix Endpoint Management:

If you already bought a Citrix Endpoint Management subscription, skip to When the Manage button is available.

If you haven’t set up a Citrix Cloud account, see Sign-up for Citrix Cloud.

If you already set up a Citrix Cloud account, but haven’t bought Citrix Endpoint Management, request a service demo.

  1. Use your Citrix Cloud administrator credentials to sign in to your Citrix Cloud account. The Citrix Cloud home page appears.

    All Citrix Cloud administrator accounts are created as follows:

    • Citrix Cloud administrators are Citrix Endpoint Management administrators by default.
    • Citrix Cloud administrators created with customer access must have Citrix Endpoint Management selected for them to administrate Citrix Endpoint Management.
  2. On the Citrix Cloud home page, locate the Citrix Endpoint Management service tile and click Request Demo.

  3. Complete and submit the demo request form. The button on the Citrix Endpoint Management services tile changes to Demo Requested.

If you click the Citrix Endpoint Management services tile before your request is handled, a screen appears advising you to contact your representative or partner. A Citrix sales representative can provide more information and details about the service.

While waiting for the trial, be sure to prepare for your Citrix Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Citrix Endpoint Management solution, you must handle some communication and port requirements.

Continue with the next section.

When the Manage button is available

When your Citrix Endpoint Management service is available, the button on the Citrix Endpoint Management services tile changes to Manage.

Manage

To start setup:

  1. Sign in to your Citrix Cloud account using your Citrix Cloud administrator credentials.
  2. Click Manage in the Citrix Endpoint Management tile to access the Citrix Endpoint Management console.
  3. Type your site name and select a region. Then select Save & Continue.

Site name and region

Note:

To request the IPs to allow, contact the Citrix Support representative.

The Citrix Endpoint Management console then opens with a message saying that we are provisioning your suite and that some Citrix Endpoint Management functions are locked during provisioning.

  1. In the Welcome screen, click Start setup.
  2. Select the endpoints that you want to manage and click Save. You can add or clear endpoints at any time to show or hide them in the console. Showing and hiding endpoints doesn’t affect your configuration.

Endpoints to manage

We send you an email when provisioning completes.

Resource Center

Click the Resource Center icon to watch how-to videos without leaving the console.

During provisioning

While we provision Citrix Endpoint Management, you can get started with configuration.

Configure resource locations

You need resource locations before you can configure Lightweight Directory Access Protocol (LDAP) connections for Citrix Endpoint Management. Resource locations have the resources required to deliver cloud services to your subscribers. You need one resource location per domain. For help, see the Citrix Cloud article, Resource Locations.

While waiting for the trial, be sure to prepare for your Citrix Endpoint Management deployment by reviewing System requirements. Although Citrix hosts and delivers your Citrix Endpoint Management solution, you must handle some communication and port requirements. That setup connects the Citrix Endpoint Management infrastructure to corporate services, such as Active Directory. The information that you must provide is included in the Onboarding Handbook under “Citrix Endpoint Management Trial Sales Engineer engagement.”

After you are authorized to access the trial, the button for Citrix Endpoint Management changes to Manage. Click Manage to open the Citrix Endpoint Management console.

Configure authentication

After your site is provisioned, you can continue with the configuration. We recommend that you set up a cloud-hosted identity provider (IdP) or Lightweight Directory Access Protocol (LDAP) to import groups, user accounts, and related properties.

To configure IdP

Citrix Endpoint Management supports authentication with identity providers, such as Azure Active Directory, Okta, and on-premises NetScaler Gateway.

To configure an IdP in Citrix Cloud and set it up for Citrix Endpoint Management:

To configure LDAP

You can configure a connection in Citrix Endpoint Management to one or more LDAP-compliant directories for domain-based authentication. Citrix Endpoint Management supports groups that are nested in LDAP. Nested groups synchronize daily at 12 AM local time.

As a part of configuring LDAP, you must install at least one Cloud Connector.

To set up LDAP:

  1. On the Settings page, scroll to the LDAP tile and then click Set Up.
  2. Follow the on-screen guidance to download and install a Cloud Connector. Cloud Connectors are required for enabling communication between Citrix Cloud and your resources. For help, see Citrix Cloud Connector.

If you already have an LDAP configuration and you add Azure AD or Okta as an identity provider, Citrix Endpoint Management synchronizes IdP-specific information for your Active Directory groups in the Citrix Endpoint Management database. This configuration doesn’t affect your existing delivery groups and user enrollments. However, you can’t add LDAP settings in Citrix Endpoint Management afterward. For more information, see Identity provider authentication.

If you change the Domain alias or User search by settings after enrollment, users must re-enroll. For more information about LDAP configuration, see Domain or domain plus security token authentication.

After setting up LDAP, you can continue with the authentication configuration or set up a specific platform.

Configure NetScaler Gateway

When integrated with Citrix Endpoint Management, NetScaler Gateway provides remote device access to your internal network and resources.

Citrix Endpoint Management requires NetScaler Gateway for the following scenarios:

  • You require a micro VPN for access to internal network resources for line-of-business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs NetScaler Gateway to connect to internal back-end infrastructures.
  • You plan to use Citrix Endpoint Management to manage apps (MAM or MDM+MAM). NetScaler Gateway isn’t required to manage devices only (MDM).
  • You plan to integrate Citrix Endpoint Management with Microsoft Endpoint Manager. (Requires an on-premises NetScaler Gateway.)

The following table summarizes the features supported by the on-premises NetScaler Gateway solutions.

Supported features                                                    NetScaler Gateway on-premises
Citrix Secure Mail (STA)*                                             yes
Tunneled - Web SSO (web single sign-on)                               yes
Full VPN (not available for Citrix mobile productivity apps for iOS)  yes
Per-app VPN                                                           yes
Mobile single sign-on (access control)                                no
High Availability                                                     yes**
Multi-POP deployment                                                  yes***
Proxy support                                                         yes
Split-tunneling                                                       yes
Split DNS                                                             yes

* Citrix Cloud Secure Ticket Authority (STA) service configuration

** On-premises configuration

*** Global Server Load Balancing configuration

On-premises NetScaler Gateway use cases

Use one or more on-premises NetScaler Gateway appliances with Citrix Endpoint Management when:

  • You require per-app VPN capabilities.
  • You require full tunneling, split tunneling, reverse split tunneling, or split DNS. We recommend a full VPN tunnel for connections that use client certificates or end-to-end SSL to a resource in the internal network.
  • You use the Citrix Endpoint Management integration with Microsoft Endpoint Manager.

Using an on-premises NetScaler Gateway involves significant configuration and maintenance. After you configure LDAP and NetScaler Gateway in the Citrix Endpoint Management console, you export a script from that console. You then run the script on the NetScaler Gateway.

  1. On the Settings page, scroll to the NetScaler Gateway tile and then click Start setup.
  2. Select NetScaler Gateway (on-premises) as the type.
  3. Follow the on-screen guidance. For information, see Configure on-premises NetScaler Gateway for use with Citrix Endpoint Management.

Configure notification server

To send notifications, you must configure a gateway and a notification server. A notification server ensures connectivity and communication between end users and the administrator. To set up a notification server in Citrix Endpoint Management, see Notifications.

Configure an Apple Push Notification service (APNs) certificate for Apple devices

Citrix Endpoint Management requires an Apple Push Notification service (APNs) certificate from Apple to enroll and manage Apple devices. Citrix Endpoint Management also requires an APNs certificate if you plan to use push notifications for Citrix Secure Mail for Apple. For information about Citrix Endpoint Management and APNs, see Push Notifications for Citrix Secure Mail for iOS.

Getting a certificate from Apple requires an Apple ID and a developer account. For details, see the Apple Developer Program website.

To configure APNs with a Citrix Certificate Signing Request:

  1. On the Settings page, expand the Apple tile.
  2. On the APNs Certificate tile, click Set Up and then follow the on-screen guidance.

For more information, see Certificates and authentication.

Configure Android Enterprise

Citrix Endpoint Management is fully configured after you create delivery groups and assign users to the delivery groups through the Cloud Library. From this point on, Citrix Endpoint Management administration takes place within Citrix Cloud. The combined interface simplifies switching between Citrix Cloud and Citrix Endpoint Management.

You can set up Android Enterprise for Citrix Endpoint Management with either Google Play or Google Workspace.

  1. If your organization does not use Google Workspace: You can use managed Google Play to register Citrix as your EMM provider. If you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use the work apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

    Because this type of enterprise isn’t tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise. That setup enables you to use different enterprises to manage separate sets of devices and apps.

  2. If your organization already uses Google Workspace to provide users access to Google apps: You can use Google Workspace to register Citrix as your EMM. If your organization uses Google Workspace, it has an existing enterprise ID and existing Google Accounts for users. To use Citrix Endpoint Management with Google Workspace, you sync with your LDAP directory and retrieve Google Account information from Google using the Google Directory API.

    This type of enterprise is tied to an existing domain. So, each domain can only create one enterprise. To enroll a device in Citrix Endpoint Management, each user must manually sign in with their existing Google Account. The account gives users access to managed Google Play and to other Google services through your Google Workspace plan.

To get started:

  1. On the Settings page, expand the Android tile.
  2. On the Android Enterprise tile, click Set Up.
  3. Choose Google Play or G Suite, according to how you provide users access to Google applications. If you previously configured the Android Enterprise platform with Google Play, the UI takes you to the Google Play store to reenroll. Click Re-enroll, return to the CEM console, and refresh the page.
  4. Follow the on-screen guidance.

See:

Configure Firebase Cloud Messaging

Citrix recommends that you use Firebase Cloud Messaging (FCM) to control how and when Android devices connect to Citrix Endpoint Management. Citrix Endpoint Management sends connection notifications to Android devices that are enabled for FCM. Any security action or deploy command triggers a push notification to prompt the user to reconnect to the Citrix Endpoint Management server. See Firebase Cloud Messaging.

Integrate with Microsoft Endpoint Manager

Citrix Endpoint Management integration with Microsoft Endpoint Manager adds the value of the Citrix Endpoint Management micro VPN to Microsoft Intune aware apps, such as the Microsoft Edge browser.

Citrix Endpoint Management integration with MEM also allows enterprises to wrap their own line of business apps with Intune and Citrix. The app wrapping provides micro VPN capabilities inside an Intune mobile app management (MAM) container. Citrix Endpoint Management micro VPN enables your apps to access on-premises resources. You can manage and deliver Office 365 apps, line of business apps, and Citrix Secure Mail in one container. A single container provides ultimate security and productivity.

  • Citrix Cloud administrators are Citrix Endpoint Management administrators by default.
  • Citrix Cloud administrators created with customer access must have Citrix Endpoint Management selected for them to administrate Citrix Endpoint Management.

In the Citrix Endpoint Management console, you can change only the role and membership of a user. To change a role at any time, access the Citrix Endpoint Management console from the Citrix Cloud dashboard. Go to the Manage tab and click Users. Select a specific user and click Edit to change the role. For more information, see Configure roles with RBAC.

To integrate with MEM, see Citrix Endpoint Management integration with Microsoft Endpoint Manager.

After you complete the configuration in Citrix Cloud, return to the Citrix Endpoint Management console as follows: Go to the Citrix Cloud Home page and then click Manage on the Citrix Endpoint Management tile. Then you can verify whether you signed in to Citrix Endpoint Management with your Azure Active Directory account.

  1. On the Settings page, scroll to the Integrate with Microsoft EMS/Intune tile.
  2. Click See more. The UI indicates if you successfully enabled the connection.

Configure Microsoft EMS/Intune

In the Citrix Cloud console, you can also change user names or passwords, and delete or edit local users. See Identity and access management.

If you had a ShareFile account before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the ShareFile account. When you’re ready to continue, go to https://onboarding.cloud.com.

  1. After you log in, a screen similar to the following appears.

    Cloud configuration screen

  2. In the ShareFile tile, choose Link Account.

    Link ShareFile Account menu

  3. After we confirm your ShareFile account, the following page appears:

    Add ShareFile Account screen

  4. Click the Link Account tab to complete the process. You can immediately manage your ShareFile account from Citrix Cloud.