Citrix Endpoint Management

LDAP device policy

You create an LDAP policy for iOS devices in Citrix Endpoint Management to provide information about an LDAP server to use, including any necessary account information. The policy also provides a set of LDAP search policies to use when querying the LDAP server.

You need the LDAP host name before configuring this policy.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

  • Account description: Enter an optional account description.
  • Account user name: Enter an optional user name.
  • Account password: Enter an optional password. Use this field only with encrypted profiles.
  • LDAP host name: Enter the LDAP server host name. This field is required.
  • Use SSL: Select whether to use a Secure Sockets Layer (SSL) connection to the LDAP server. The default is On.
  • Search Settings: Add search settings to use when querying the LDAP server. You can enter as many search settings as you want, but you must add at least one search setting to make the account useful. Click Add and then do the following:
    • Description: Enter a description of the search setting. This field is required.
    • Scope: Choose Base, One level, or Subtree to define how deeply into the LDAP tree to search. The default is Base.
      • Base searches the node pointed to by Search base.
      • One level searches the Base node and one level below it.
      • Subtree searches the Base node, plus all its children, regardless of depth.
    • Search base: Enter the path to the node at which to start searching. For example, ou=people or o=example corp. This field is required.
    • Click Save to add the search setting or click Cancel to cancel adding the search setting.
    • Repeat these steps for each search setting that you want to add.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.

macOS settings

  • Account description: Enter an optional account description.
  • Account user name: Enter an optional user name.
  • Account password: Enter an optional password. Use this field only with encrypted profiles.
  • LDAP host name: Enter the LDAP server host name. This field is required.
  • Use SSL: Select whether to use a Secure Sockets Layer (SSL) connection to the LDAP server. The default is On.
  • Search Settings: Add search settings to use when querying the LDAP server. You can enter as many search settings as you want, but you must add at least one search setting to make the account useful. Click Add and then do the following:
    • Description: Enter a description of the search setting. This field is required.
    • Scope: Choose Base, One level, or Subtree to define how deeply into the LDAP tree to search. The default is Base.
      • Base searches the node pointed to by the Search base.
      • One level searches the Base node and one level below it.
      • Subtree searches the Base node, plus all its children, regardless of depth.
    • Search base: Enter the path to the node at which to start searching. For example, ou=people or o=example corp. This field is required.
    • Click Save to add the search setting or click Cancel to cancel adding the search setting.
    • Repeat these steps for each search setting that you want to add.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
    • Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on macOS 10.7 and later.
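
The following Python check is an added example, not Citrix code: it audits the LDAP payload of an exported Apple configuration profile against the iOS and macOS settings described above (Use SSL, Account password, Search Settings, Scope, Search base). It assumes the policy reaches the device as Apple's com.apple.ldap.account payload; the sample profile, host name and credentials are constructed, and the "top-level base" rule is a heuristic.

```python
import plistlib

# Constructed sample profile. Key names are Apple's com.apple.ldap.account
# payload keys; every value below is made up for illustration.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.ldap.account</string>
    <key>LDAPAccountDescription</key><string>Corp directory</string>
    <key>LDAPAccountHostName</key><string>ldap.example.com</string>
    <key>LDAPAccountUseSSL</key><false/>
    <key>LDAPAccountUserName</key><string>svc-lookup</string>
    <key>LDAPAccountPassword</key><string>constructed-secret</string>
    <key>LDAPSearchSettings</key><array><dict>
      <key>LDAPSearchSettingDescription</key><string>Everyone</string>
      <key>LDAPSearchSettingSearchBase</key><string>o=example corp</string>
      <key>LDAPSearchSettingScope</key><string>LDAPSearchSettingScopeSubtree</string>
    </dict></array>
  </dict></array>
</dict></plist>"""

def audit_ldap_payloads(profile_bytes, encrypted=False):
    """Return a list of findings for every LDAP payload in a profile."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.ldap.account":
            continue
        host = p.get("LDAPAccountHostName")
        if not host:
            findings.append("missing required LDAP host name")
        # Assumption: an absent key is treated as On, matching the policy default.
        if not p.get("LDAPAccountUseSSL", True):
            findings.append(f"{host}: Use SSL is off, LDAP connection is not SSL-protected")
        if p.get("LDAPAccountPassword") and not encrypted:
            findings.append(f"{host}: account password present in an unencrypted profile")
        searches = p.get("LDAPSearchSettings", [])
        if not searches:
            findings.append(f"{host}: no search settings, the account is not useful")
        for s in searches:
            base = s.get("LDAPSearchSettingSearchBase", "")
            scope = s.get("LDAPSearchSettingScope", "LDAPSearchSettingScopeBase")
            # Heuristic: Subtree from a single-component base walks everything under it.
            if scope.endswith("Subtree") and "," not in base:
                findings.append(f"{host}: Subtree search from top-level base '{base}'")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_payloads(SAMPLE_PROFILE):
        print(finding)
```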