Support for Citrix Endpoint Management

Citrix Gateway Service provides remote device access to your internal network and resources.

Use cases

Use the cloud-based Citrix Gateway Service with Endpoint Management when:

  • You want a maintenance-free service that doesn’t require negotiating with network, security, and compliance teams before configuring your corporate network.

  • You want to use the unified authentication experience provided by Citrix Cloud. Citrix Gateway Service uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account. For more information, see Identity and access management.

  • You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail or Secure Web. Citrix Gateway provides an on-demand application VPN connection. Secure Hub initiates that VPN connection on mobile devices to access corporate network sites or resources.

    This variation of a clientless VPN is also known as Tunneled – Web single sign-on (SSO). Connections such as web traffic that tunnel to the internal network use Tunneled – Web SSO. We recommend Tunneled – Web SSO for connections that require single sign-on. For more information, see App network access for Android and App network access for iOS.

Architecture and communication flow overview

The following diagram provides an overview of Citrix Gateway Service architecture when used with Endpoint Management.

Citrix Gateway Service integration with Endpoint Management

Citrix Gateway Service isn’t used during device enrollment in Endpoint Management. After enrollment, MDM control traffic goes directly to Citrix Endpoint Management, without going through Citrix Gateway Service. Only MAM VPN data traffic is sent to the Citrix Gateway Service.

The following authentication types are supported for Citrix Gateway Service integration with Endpoint Management:

  • Basic, Digest, NTLM
  • Kerberos Constrained Delegation (KCD) single sign-on
  • Form-based single sign-on
  • SAML single sign-on

The following diagram shows the Endpoint Management communication flow with Citrix Gateway Service.

Endpoint Management traffic flow with Citrix Gateway Service


  • Citrix Workspace experience enabled

    With Citrix Workspace enabled, user enrollment starts in the Workspace app. When Secure Hub detects the Workspace entitlement, Secure Hub completes enrollment. Secure Hub then opens Citrix Workspace where users can access their apps and other resources.

  • Citrix Gateway Service subscription

    • If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway Service, contact your Citrix Sales representative. Switching from on-premises Citrix Gateway to the Citrix Gateway Service requires that you reenroll devices.

    • New Endpoint Management customers: Select the Citrix Gateway Service during Endpoint Management onboarding.

To configure Citrix Gateway Service with Citrix Endpoint Management

A preview of the Citrix Gateway Service is available for Endpoint Management customers. For more information, see Configure Citrix Gateway use with Endpoint Management.

Support for Citrix Endpoint Management