Citrix Endpoint Management

SSO account device policy

The SSO account device policy lets ou create single sign-on (SSO) accounts in Citrix Endpoint Management. Those accounts let users sign on one-time only to access Citrix Endpoint Management and your internal company resources from various apps. Users do not need to store any credentials on the device. The SSO account enterprise user credentials are used across apps, including apps from the App Store. This policy is designed to work with a Kerberos authentication back-end.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

  • Account name: Enter the Kerberos SSO account name that appears on users’ devices. This field is required.
  • Kerberos principal name: Enter the Kerberos principal name. This field is required.
  • Identity credential (Keystore or PKI credential): Click an optional identity credential in the drop-down list that can be used to renew the Kerberos credential without user interaction.
  • Kerberos realm: Enter the Kerberos realm for this policy. This value is typically your domain name in all capital letters (for example, EXAMPLE.COM). This field is required.
  • Permitted URLs: For each URL for which you want to require SSO, click Add and then do the following:
    • Permitted URL: Enter a URL that you want to require SSO when a user visits the URL from the iOS device.

      For example, when a user tries to browse to a site and the website starts a Kerberos challenge: If that site isn’t in the URL list, the iOS device doesn’t attempt SSO by providing the Kerberos token that Kerberos might have cached on the device from a previous Kerberos logon. The match has to be exact on the host part of the URL. For example, https://shopping.apple.com is valid, but https://*.apple.com isn’t.

      Also, if Kerberos isn’t activated based on host matching, the URL still falls back to a standard HTTP call. This can mean almost anything including a standard password challenge or an HTTP error if the URL is only configured for SSO using Kerberos.

    • Click Add to add the URL or click Cancel to cancel adding the URL.

  • App Identifiers: For each app that is allowed to use this login, click Add and then do the following:
    • App Identifier: Enter an app identifier for an app that is allowed to use this login. If you do not add any app identifiers, this login matches all app identifiers.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.
SSO account device policy