Prepare to enroll devices and deliver resources
Before proceeding, be sure to complete all the tasks described in Onboarding and resource setup.
Keep your users informed about upcoming changes. See Welcome to your Citrix Endpoint Management User Adoption Kit.
Endpoint Management supports various enrollment options. This article covers the basic setup required to enable all supported devices to enroll. The following diagram summarizes the basic setup.
For a list of supported devices, see Supported device operating systems.
Set up an Apple Push Notification service (APNs) certificate for iOS devices
Apple support for the APNs legacy binary protocol ends as of March 31, 2021. Apple recommends that you use the HTTP/2-based APNs provider API instead. As of release 20.1.0, Citrix Endpoint Management supports the HTTP/2-based API. For more information, see the news update, “Apple Push Notification Service Update” in https://developer.apple.com/. For help with checking connectivity to APNs, see Connectivity checks.
Endpoint Management requires an Apple Push Notification service (APNs) certificate from Apple to enroll and manage iOS devices. Endpoint Management also requires an APNs certificate for Secure Mail for iOS push notifications.
Obtaining a certificate from Apple requires an Apple ID and developer account. For details, see the Apple Developer Program website.
To obtain an APNs certificate and import it into Endpoint Management, see APNs certificates.
For more information about Endpoint Management and APNs, see Push Notifications for Secure Mail for iOS.
Set up Firebase Cloud Messaging (FCM) for Android devices
Firebase Cloud Messaging (FCM) controls how and when Android devices connect to the Endpoint Management service. Any security action or deployment command triggers a push notification. The notification prompts users to reconnect to Endpoint Management.
FCM setup requires that you configure your Google account. To create Google Play credentials, see Manage your developer account information. You also use Google Play to add, buy, and approve apps for deployment to the Android Enterprise workspace on a device. You can use Google Play to deploy your private Android apps, public apps, and third-party apps.
To set up FCM, see Firebase Cloud Messaging.
Set up Endpoint Management AutoDiscovery service
As of June 1, 2020, Citrix will change
ads.xm.cloud.com, for iOS and Android devices. For Windows Phone devices,
autodisc.xm.cloud.com as well. When those changes occur, you must update the related CNAME records.
Discovery is an important part of many Endpoint Management deployments. The AutoDiscovery service simplifies the enrollment process for users. Users:
- Can use their network user names and Active Directory passwords to enroll their devices.
- Can connect without typing details about Endpoint Management.
- Enter their user name in user principal name (UPN) format. For example,
The Endpoint Management AutoDiscovery service enables you to create or edit an AutoDiscovery record without assistance from Citrix support.
AutoDiscovery is recommended for high security environments. AutoDiscovery supports certificate pinning, which prevents man-in-the-middle attacks. Certificate pinning ensures that the certificate signed by your enterprise is used when Citrix clients communicate with Endpoint Management. For information about certificate pinning, see Certificate pinning.
On the AutoDiscovery service page, claim a domain. Click Add Domain.
In the dialog box that opens, enter the domain name of your Endpoint Management environment and then click Next.
The next screen provides instructions on verifying that you own the domain.
Copy the DNS token provided in the Endpoint Management Tools portal.
To create a DNS TXT record in the zone file for your domain in your domain hosting provider portal:
Log in to the domain hosting provider portal for the domain. You can edit your domain name server records and add a custom TXT record.
Paste the domain token in your DNS TXT record and save your domain name server record.
In the Endpoint Management Tools portal, click Done to start the DNS check.
The system detects your DNS TXT record. Alternatively, you can click I’ll update later to save the record. The DNS check doesn’t start until you select the record that has a status of “Waiting” and then click DNS Check.
This check generally takes about an hour. However, it can take up to two days to return a response. The status change might not reflect in the Tools portal until you log out and log in again.
After you claim your domain, you provide information about the AutoDiscovery service. Right-click the domain record for which you want to request AutoDiscovery and then click Add ADS.
Enter the requested information and then click Next. If you are unsure about your instance name, add the default instance of
Enter the following information for Secure Hub and then click Next.
User ID Type: Select the type of ID with which users sign on as either E-mail address or UPN.
To prompt users to enter their user name and password, choose E-mail address. To prompt users to enter their password, choose UPN. Use UPN when the User Principal Name matches the email address. Both methods use the domain entered to find the server address.
HTTPS Port: Enter the port used to access Secure Hub over HTTPS. Typically, the HTTPS port is 443.
iOS Enrollment Port: Enter the port used to access Secure Hub for iOS enrollment. Typically, this port is 8443.
Required Trusted CA for Endpoint Management: Indicate whether a trusted certificate is required to access Endpoint Management or not. This option can be Off or On. To use a trusted certificate, contact Citrix Support to upload the certificate. To learn more about certificate pinning, see the section on certificate pinning in Secure Hub. To read about the ports required for certificate pinning to work, see the support article on Endpoint Management Port Requirements for ADS Connectivity.
A summary page displays all the information you entered in the preceding steps. Verify that the data is correct and then click Save.
Request AutoDiscovery for Windows devices
If you plan to enroll Windows devices, do the following:
Contact Citrix Support and create a support request to enable Windows AutoDiscovery.
Obtain a publicly signed, non-wildcard SSL certificate for enterpriseenrollment.mycompany.com. The mycompany.com portion is the domain that contains the accounts that users use to enroll. Attach the SSL certificate in .pfx format and its password to the support request created in the previous step.
To use more than one domain to enroll Windows devices, you can also use a multi-domain certificate with the following structure:
- A SubjectDN with a CN that specifies the primary domain it serves (for example, enterpriseenrollment.mycompany1.com).
- The appropriate SANs for the remaining domains (for example, enterpriseenrollment.mycompany2.com, enterpriseenrollment.mycompany3.com, and so on).
Create a canonical name (CNAME) record in your DNS and map the address of your SSL certificate (enterpriseenrollment.mycompany.com) to autodisc.xm.cloud.com.
When a Windows device user enrolls using a UPN, the Citrix enrollment server:
- Provides the details of your Endpoint Management server.
- Instructs the device to request a valid certificate from Endpoint Management.
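The certificate and CNAME requirements in the preceding steps can be checked before you open the support request. The following is an added example, not Citrix code: the function name, its inputs, and the sample data are assumptions, and it assumes each enrollment domain gets its own enterpriseenrollment CNAME. Read the CN and SAN values from your certificate and the CNAME targets from public DNS, then pass them in.

```python
ADS_TARGET = "autodisc.xm.cloud.com"   # CNAME target named in the step above
HOST_PREFIX = "enterpriseenrollment."  # host label used in the page's examples

def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def preflight(enroll_domains, cert_cn, cert_sans, cnames):
    """Return a list of problems; an empty list means the inputs are consistent.

    enroll_domains: domains of the accounts users enroll with (primary first)
    cert_cn / cert_sans: subject CN and SAN DNS names read from the certificate
    cnames: {host: CNAME target} as resolved from public DNS (assumed input)
    """
    problems = []
    cn = _norm(cert_cn)
    covered = {cn} | {_norm(s) for s in cert_sans}
    required = [HOST_PREFIX + _norm(d) for d in enroll_domains]
    # The certificate must be non-wildcard.
    for name in sorted(covered):
        if "*" in name:
            problems.append(f"wildcard name in certificate: {name}")
    # The CN names the primary domain; the SANs cover the remaining domains.
    if required and cn != required[0]:
        problems.append(f"CN is {cn}, expected {required[0]}")
    resolved = {_norm(h): _norm(t) for h, t in cnames.items()}
    for host in required:
        if host not in covered:
            problems.append(f"certificate does not cover {host}")
        target = resolved.get(host)
        if target != ADS_TARGET:
            problems.append(f"CNAME for {host} is {target}, expected {ADS_TARGET}")
    return problems

# Constructed sample data, not taken from a real deployment.
SAMPLE_DOMAINS = ["mycompany1.com", "mycompany2.com", "mycompany3.com"]
SAMPLE_CN = "enterpriseenrollment.mycompany1.com"
SAMPLE_SANS = ["enterpriseenrollment.mycompany2.com", "*.mycompany3.com"]
SAMPLE_CNAMES = {
    "enterpriseenrollment.mycompany1.com": "autodisc.xm.cloud.com.",
    "enterpriseenrollment.mycompany2.com": "AutoDisc.xm.cloud.com",
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_DOMAINS, SAMPLE_CN, SAMPLE_SANS, SAMPLE_CNAMES):
        print(line)
```

With the sample data, the third domain is reported three times: the wildcard SAN, the missing host coverage, and the missing CNAME.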
At this point, you can enroll all supported devices. Proceed to the next section to prepare to deliver resources to devices.
Default device policies and mobile productivity apps
If you onboard starting with Endpoint Management 19.5.0 or later, we preconfigure a few device policies and mobile productivity apps. That configuration enables you to:
- Immediately deploy basic functionality to devices
- Start with the recommended baseline configurations for a secure workspace
For the Android, Android Enterprise, iOS, macOS, and Windows Desktop/Tablet platforms, your site contains these preconfigured device policies:
Passcode device policy: The Passcode device policy is On, with all default passcode settings enabled.
App inventory device policy: The App inventory device policy is On.
Restrictions device policy: The Restrictions device policy is On, with all default restrictions settings enabled.
Those policies are in the AllUsers delivery group, which contains all Active Directory and local users. We recommend that you use the AllUsers delivery group only for initial testing. Then, create your delivery groups and disable the AllUsers delivery group. You can reuse the preconfigured device policies and apps in your delivery groups.
All Endpoint Management device policies are documented under Device policies. That article includes information about how to use the console to edit device policies. For information about some commonly used device policies, see Device policies and Use Case Behavior.
For the iOS and Android platforms, your site contains these preconfigured mobile productivity apps:
- Secure Mail
- Secure Web
- Citrix Files
Those apps are in the AllUsers delivery group.
For more information, see About mobile productivity apps.
Continue your Endpoint Management configuration
After you complete the basic setup for device enrollment, how you configure Endpoint Management varies widely based on your use cases. For example:
- What are your security requirements and how do you want to balance those requirements with user experience?
- Which device platforms do you support?
- Do users own their devices or use corporate-owned devices?
- What device policies do you want to push to devices?
- What types of apps do you provide users?
This section helps you navigate through the many configuration choices by directing you to articles in this documentation set.
As you complete configuration in third-party sites, make note of the information and its location, for reference when you configure Endpoint Management console settings.
Security and authentication
Endpoint Management uses certificates to create secure connections and authenticate users. Citrix provides wildcard certificates for your Endpoint Management instance.
Recommended background reading:
For a discussion of authentication components and recommended configurations by security level, see the “Advanced concepts” article, Authentication.
See also, Security and user experience.
For an overview of the authentication components used during Endpoint Management operations, see Certificates and authentication.
You can choose from the following types of authentication. Configuring authentication includes tasks in the Endpoint Management and Citrix Gateway consoles.
- Domain or domain plus security token authentication
- Client certificate or certificate plus domain authentication
To deliver certificates to users, configure:
For other authentication options, see other articles under Certificates and authentication.
Device enrollment modes specify the credential types required for users to enroll their devices in Endpoint Management. Device enrollment modes have varying levels of security and determine the required user enrollment steps.
- For information about Endpoint Management enrollment options, see Configure enrollment modes.
Azure Active Directory enrollment is supported for iOS, Android, and Windows 10 devices. For information about configuring Azure as your identity provider (IdP), see Authenticate with Azure Active Directory through Citrix Cloud.
Other enrollment options:
- Deploy devices through Apple Deployment Program
- Bulk enrollment of Apple devices
- Create an Android Enterprise administrator account. For details, see Android Enterprise. Or, see Legacy Android Enterprise for G Suite Customers.
- Samsung Knox Bulk Enrollment
- Bulk enrollment of Windows devices
- Configure G Suite for Chrome OS device enrollment from your G Suite account. For details, see Chrome OS.
- Workspace hub device management
You can send notifications for enrollment. For information, see Notifications. You can also use notifications for automated actions and standard messages sent to users.
For more information about enrollment, see Device management and articles under that node.
Device policies and management
Device (MDM) policies
You can filter device policy lists in the Endpoint Management console. For example, filter by platform to see a list of policies most often used for that platform. See Device policies.
Prepare apps for deployment
For information about the apps supported by Endpoint Management, see Add apps.
You can manage iOS app licensing by using Apple volume purchase. For information, see Apple Volume Purchase.
You can use Endpoint Management to deploy iBooks that you obtain through Apple volume purchase. For information, see Add media.
You can connect Citrix Endpoint Management to the Microsoft Store for Business. For information, see Deploy Microsoft Store for Business apps from Endpoint Management.
Citrix provides mobile productivity apps, including Secure Mail and Secure Web. For information, see About mobile productivity apps.
As an alternative to Secure Mail, you can deliver native mail to devices. See:
Citrix Secure Mail, Citrix Secure Web, and Citrix Files offer the option of opening the MDX container. That option allows users to transfer docs and data to Microsoft Office 365 apps. You manage this capability for iOS and Android platforms through the open-in policies on the Endpoint Management console. See Allowing Secure Interaction with Office 365 Apps and Office device policy.
For general information about app policies, see App Policies and Use Case Scenario.
The MDX Service and MDX Toolkit are app wrapping technologies that prepare enterprise apps for secure deployment with Endpoint Management. The MAM SDK replaces the MDX Service and MDX Toolkit, which are scheduled to reach end of life (EOL) in September 2021.
For information about the MAM SDK, see MAM SDK Overview.
For more information about apps, see other articles under Add apps.
The Role-Based Access Control (RBAC) feature in Endpoint Management lets you assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions. For information, see Configure roles with RBAC.
You create automated actions in Endpoint Management to specify the action to take in reaction to events, certain settings, or the presence of apps on user devices. For information, see Automated actions.