Design Decision: Device Considerations
The main challenge with device management is enforcing policies at the device level. Device policies can be enforced through GPOs or through endpoint management software.
For instance, GPOs applied through domain membership are used to administer devices by setting policies such as screen saver timeouts to improve security. Azure AD does not support device-level management directly. However, GPOs for device management are available when Azure AD is used with an on-premises Active Directory or Azure AD DS.
Both Citrix and Microsoft provide solutions for managing mobile devices that can apply policies to iOS, Android and Windows 10 devices. Citrix provides the Endpoint Management service in Citrix Cloud while Microsoft offers Endpoint Manager, which includes Intune. Windows 10 includes modern features for managing devices and removes the legacy dependencies on Active Directory GPOs. You can choose your method of policy enforcement depending on how extensively device management is used within your organization. Here are the questions that you need to answer about Device Management:
Do I still need GPOs for my devices?
- If all of your user devices are running Windows 10 or later, GPOs may be replaced by Microsoft Intune policies
- If legacy applications require settings that cannot be deployed via Intune, then a traditional Active Directory DS is required
- Carefully review all existing GPOs in place; you may not need them any more
- Citrix VDA hosts still use GPOs
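A practical way to start the GPO review the list above calls for is to inventory every GPO with its link targets and the client-side extensions that actually carry settings, so that unlinked, disabled or empty GPOs are separated from the ones that still do work. The script below is an added example, not code from the original article or from Citrix; it assumes the GroupPolicy RSAT module is installed and that it is run from a domain-joined workstation by an account allowed to read all GPOs. The `ReviewFlag` values are labels chosen for this example, not Intune or AD terminology.

```powershell
# Added example (not from the original article): inventory all GPOs in the
# current domain to decide which ones still matter once devices move to Intune.
# Assumes the GroupPolicy RSAT module is available and the caller can read all GPOs.
Import-Module GroupPolicy

function Get-GpoReviewSummary {
    [CmdletBinding()]
    param()

    foreach ($gpo in Get-GPO -All) {
        # The XML report carries the link targets and the per-side extension data.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        $links       = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' })
        $computerExt = @($report.GPO.Computer.ExtensionData.Name)   # CSEs with computer settings
        $userExt     = @($report.GPO.User.ExtensionData.Name)       # CSEs with user settings

        # Candidates for retirement: unlinked, fully disabled, or carrying no settings at all.
        $flag = 'In use'
        if ($links.Count -eq 0) {
            $flag = 'Unlinked'
        } elseif ($gpo.GpoStatus -eq 'AllSettingsDisabled') {
            $flag = 'Disabled'
        } elseif ($computerExt.Count -eq 0 -and $userExt.Count -eq 0) {
            $flag = 'Empty'
        }

        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Status       = $gpo.GpoStatus
            Modified     = $gpo.ModificationTime
            EnabledLinks = $links.Count
            LinkedTo     = ($links.SOMPath -join '; ')
            ComputerCSEs = ($computerExt -join ', ')
            UserCSEs     = ($userExt -join ', ')
            ReviewFlag   = $flag
        }
    }
}

# Usage: show the likely-retirable GPOs first, then the ones still in use.
Get-GpoReviewSummary |
    Sort-Object ReviewFlag, Name |
    Format-Table Name, ReviewFlag, EnabledLinks, ComputerCSEs, UserCSEs -AutoSize
```

The `ComputerCSEs` and `UserCSEs` columns are the useful part of the output for the Intune decision: a GPO whose only extension is `Registry` or `Security` is usually a candidate for an Intune configuration or compliance policy, whereas GPOs carrying extensions Intune cannot reproduce (the legacy application case in the list above) are the ones that keep a traditional Active Directory DS in the design. VDA hosts keep their GPOs regardless, so filter those links out of the retirement list rather than the review.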
What are the requirements for Citrix Endpoint Management?
- Citrix Endpoint Management requires a Citrix Cloud Connector for directory synchronization
- Citrix Endpoint Management should be set to use the Citrix Identity provider through Secure Hub so that Endpoint Management can authenticate directly to Azure AD
- Citrix Endpoint Management integrates with Azure AD as long as the users are not using local accounts
- Citrix Endpoint Management integrates with Microsoft Endpoint Manager so you can wrap your own line-of-business (LOB) applications with Intune and provide a micro-VPN
- Citrix Endpoint Management requires that enrollment invitations use LDAP authentication instead of Azure AD
- Citrix Endpoint Management requires that user names, email addresses, and groups match between Active Directory DS and Azure AD
- Citrix Endpoint Management requires a Citrix Gateway (v12.1 or later) installed at your resource location for micro-VPN access, mobile productivity apps, or integration with Microsoft Endpoint Manager
- Citrix Endpoint Management requires a local StorageZone controller to support Citrix Files with private data storage
- Citrix Endpoint Management needs certificate-based authentication configured on the Citrix Gateway to provide a single sign-on experience
- Citrix Endpoint Management requires enrollment profiles for Android Enterprise and "Allow users to decline device management" set to off
- Citrix Endpoint Management supports using the Citrix Cloud service to authenticate managed devices on the following platforms:
  - Apple iOS
  - Android BYOD
  - Android Legacy Device Administration mode
- To manage the Citrix Cloud Endpoint Management Service, use the console found under My Services
What are the requirements for Microsoft Endpoint Manager?
- Microsoft Endpoint Manager supports both cloud and on-premises deployments
- Microsoft Intune requires Azure AD Global Administrator or Intune Service Administrator permissions to deploy
- Microsoft Intune does not have a hierarchy for applying settings to determine if one policy clearly has precedence. If two policies exist for the same setting within Intune, then a conflict results.
- Microsoft Endpoint Manager supports iOS, Android, Windows Mobile, and Windows 10
- Microsoft Intune can be licensed in one of three ways:
  - Standalone Azure service
  - Enterprise Mobility + Security (EMS)
  - Microsoft 365
- Azure AD Premium licenses are required for the following features:
  - Some AD join operations
  - Windows AutoPilot
  - MFA device settings
  - Conditional access
  - Dynamic device groups
- Manage Microsoft Intune through the Azure Intune console
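Because Intune has no precedence between policies, the conflict described in the list above is per setting: two policies that assign different values for the same setting to an overlapping set of devices or users leave that setting in a conflict state. The function below is an added example, not Intune code or an export from a real tenant; it models a policy as a name, a list of assignment group names, and a hashtable of settings, and reports every setting on which two overlapping policies disagree. Policy names, group names and setting names in the sample data are constructed for the example, and group overlap is judged by name only (nested group membership is not expanded).

```powershell
# Added example (not from the original article): find per-setting conflicts
# between policies before they are assigned. Policies are constructed sample
# objects, not data exported from an Intune tenant.

function Find-PolicyConflicts {
    param(
        # Each policy: Name, Assignments (group names), Settings (hashtable of setting -> value).
        [Parameter(Mandatory)] [object[]]$Policies
    )

    $conflicts = @()
    # Compare every pair of policies exactly once.
    for ($i = 0; $i -lt $Policies.Count; $i++) {
        for ($j = $i + 1; $j -lt $Policies.Count; $j++) {
            $a = $Policies[$i]
            $b = $Policies[$j]

            # Only policies that target at least one common group can collide.
            $shared = @($a.Assignments | Where-Object { $b.Assignments -contains $_ })
            if ($shared.Count -eq 0) { continue }

            foreach ($setting in $a.Settings.Keys) {
                if (-not $b.Settings.ContainsKey($setting)) { continue }
                # Same value in both policies is not a conflict; Intune only flags differing values.
                if ($a.Settings[$setting] -eq $b.Settings[$setting]) { continue }

                $conflicts += [pscustomobject]@{
                    Setting = $setting
                    PolicyA = $a.Name
                    ValueA  = $a.Settings[$setting]
                    PolicyB = $b.Name
                    ValueB  = $b.Settings[$setting]
                    Groups  = ($shared -join ', ')
                }
            }
        }
    }
    return $conflicts
}

# Constructed sample policies; names, groups and values are illustrative only.
$policies = @(
    @{ Name = 'Baseline-Win10';  Assignments = @('All-Workstations')
       Settings = @{ ScreenSaverTimeoutSeconds = 900;  RequireBitLocker = $true } }
    @{ Name = 'Kiosk-Lobby';     Assignments = @('All-Workstations', 'Kiosks')
       Settings = @{ ScreenSaverTimeoutSeconds = 3600; RequireBitLocker = $true } }
    @{ Name = 'Finance-Laptops'; Assignments = @('Finance')
       Settings = @{ ScreenSaverTimeoutSeconds = 300 } }
)

Find-PolicyConflicts -Policies $policies | Format-Table -AutoSize
```

The sample set is built so that two policies overlap on one group and disagree on the screen saver timeout while agreeing on BitLocker, and a third policy targets a group nobody else targets. Running the check on real policy exports before assignment is the design-time substitute for the precedence hierarchy that GPOs have and Intune does not.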