Design Decision: Device Considerations

The main challenge with device management is enforcing policies at the device level. Device policies can be enforced through GPOs or through endpoint management software.

For instance, GPOs applied through domain membership are used to administer devices by setting policies such as screen saver timeouts to improve security. Azure AD does not support device-level management directly. However, GPOs for device management are available when Azure AD is used with an on-premises Active Directory or Azure AD DS.

Both Citrix and Microsoft provide solutions for managing mobile devices that can apply policies to iOS, Android and Windows 10 devices. Citrix provides the Endpoint Management service in Citrix Cloud while Microsoft offers Endpoint Manager, which includes Intune. Windows 10 includes modern features for managing devices and removes the legacy dependencies on Active Directory GPOs. You can choose your method of policy enforcement depending on how extensively device management is used within your organization. Here are the questions that you need to answer about Device Management:

Do I still need GPOs for my devices?

  • If all of your user devices are running Windows 10 or later, GPOs may be replaced by Microsoft Intune policies

  • If legacy applications require settings that cannot be deployed via Intune, then a traditional Active Directory DS is required

  • Carefully review all existing GPOs that are in place; you may not need them any more

  • Citrix VDA hosts still use GPOs
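To support the GPO review above, the following PowerShell script (an added example, not part of the original article) inventories every GPO in the domain and flags those that are unlinked or have not been modified for a while, which are the usual candidates for retirement or migration to Intune. It assumes the GroupPolicy RSAT module on a domain-joined management host and a user who can read GPOs; the 365-day staleness threshold is an assumed default.

```powershell
# Added example: inventory domain GPOs for the "do I still need GPOs?" review.
# Requires the GroupPolicy module (RSAT) and a domain-joined host.
Import-Module GroupPolicy

function Get-GpoReviewInventory {
    param(
        # Assumption: GPOs untouched for this many days are flagged for review
        [int]$StaleAfterDays = 365
    )
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    foreach ($gpo in Get-GPO -All) {
        # The XML report carries the link targets (LinksTo) and whether each link is enabled
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links        = @($report.GPO.LinksTo | Where-Object { $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

        [pscustomobject]@{
            Name                = $gpo.DisplayName
            Id                  = $gpo.Id
            Status              = $gpo.GpoStatus   # AllSettingsEnabled, UserSettingsDisabled, ...
            LinkCount           = $links.Count
            EnabledLinks        = $enabledLinks.Count
            LinkedTo            = ($enabledLinks | ForEach-Object { $_.SOMPath }) -join '; '
            HasUserSettings     = [bool]$report.GPO.User.ExtensionData
            HasComputerSettings = [bool]$report.GPO.Computer.ExtensionData
            Modified            = $gpo.ModificationTime
            Unlinked            = ($enabledLinks.Count -eq 0)
            Stale               = ($gpo.ModificationTime -lt $cutoff)
        }
    }
}

# Candidates for removal or migration: GPOs with no enabled links, or not touched recently
Get-GpoReviewInventory |
    Where-Object { $_.Unlinked -or $_.Stale } |
    Sort-Object Modified |
    Format-Table Name, Status, EnabledLinks, LinkedTo, Modified, Unlinked, Stale -AutoSize
```

Run the full inventory (without the `Where-Object` filter) to see which GPOs carry only user settings, only computer settings, or both; that split matters because VDA hosts keep using computer-side GPOs even where user settings move to Intune.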

What are the requirements for Citrix Endpoint Management?

  • Citrix Endpoint Management requires a Citrix Cloud Connector for directory synchronization

  • Citrix Endpoint Management should be set to use the Citrix Identity provider through Secure Hub so Endpoint Management can authenticate directly to Azure AD

  • Citrix Endpoint Management integrates with Azure AD as long as the users are not using local accounts

  • Citrix Endpoint Management integrates with Microsoft Endpoint Manager so you can wrap your own line of business (LOB) applications with Intune and provide a micro-VPN

  • Citrix Endpoint Management requires that enrollment invitations use LDAP authentication instead of Azure AD

  • Citrix Endpoint Management requires user names, email addresses, and groups match between Active Directory DS and Azure AD

  • Citrix Endpoint Management requires a Citrix Gateway (v12.1 or later) installed at your resource location for micro-VPN access, mobile productivity apps, or integration with Microsoft Endpoint Manager

  • Citrix Endpoint Management requires a local StorageZone controller to support Citrix Files with private data storage

  • Citrix Endpoint Management needs certificate-based authentication configured on the Citrix Gateway to provide a single sign-on experience

  • Citrix Endpoint Management requires enrollment profiles for Android Enterprise and “Allow users to decline device management” set to off.

  • Citrix Endpoint Management supports using the Citrix Cloud service to authenticate managed devices on the following platforms:
    • Apple iOS
    • Android BYOD
    • Android Legacy Device Administration mode
  • To manage the Citrix Cloud Endpoint Management Service use the console found under My Services

What are the requirements for Microsoft Endpoint Manager?

  • Microsoft Endpoint Manager supports both cloud and on-premises deployments

  • Microsoft Intune requires Azure AD Global Administrator or Intune Service Administrator permissions to deploy

  • Microsoft Intune has no policy hierarchy that decides which policy takes precedence when two policies configure the same setting. If two Intune policies set the same setting to different values for the same device, the result is a conflict.

  • Microsoft Endpoint Manager supports iOS, Android, Windows Mobile, and Windows 10

  • Microsoft Intune can be licensed in one of three ways:
    • Standalone Azure service
    • Enterprise Mobility + Security (EMS)
    • Microsoft 365
  • Azure AD Premium licenses are required for the following features:
    • Some AD join operations
    • Windows AutoPilot
    • MFA device settings
    • Conditional access
    • Dynamic device groups
  • Manage Microsoft Intune through the Azure Intune console
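Because Intune resolves nothing by precedence, overlapping profiles are best caught before assignment. The PowerShell function below (an added example, not part of the original article or any Microsoft tool) takes a set of profile definitions, flattens their settings, and reports every setting that is configured to different values in more than one profile, together with the groups each profile is assigned to, so the administrator can check whether any device would receive both. The profile data is constructed for illustration, and the setting names are illustrative labels, not real Intune CSP paths.

```powershell
# Added example: pre-assignment check for Intune setting conflicts.
# Profiles and setting names below are constructed for illustration.
function Find-IntuneSettingConflicts {
    param([Parameter(Mandatory)][object[]]$Profiles)

    # Flatten every profile into (Profile, AssignedGroups, Setting, Value) rows
    $rows = foreach ($p in $Profiles) {
        foreach ($s in $p.Settings.GetEnumerator()) {
            [pscustomobject]@{
                Profile        = $p.Name
                AssignedGroups = ($p.AssignedGroups -join ', ')
                Setting        = $s.Key
                Value          = $s.Value
            }
        }
    }

    # A setting configured with more than one distinct value is a potential conflict
    $rows | Group-Object Setting | ForEach-Object {
        $distinct = @($_.Group.Value | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            [pscustomobject]@{
                Setting  = $_.Name
                Profiles = ($_.Group | ForEach-Object { "$($_.Profile) [$($_.AssignedGroups)] = $($_.Value)" }) -join '; '
                Values   = ($distinct -join ' vs ')
            }
        }
    }
}

# Constructed sample profiles (hypothetical names and settings)
$profiles = @(
    @{ Name = 'Baseline - All Windows'
       AssignedGroups = @('All-Windows-Devices')
       Settings = @{ 'ScreenSaverTimeoutSeconds' = 900; 'RequireBitLocker' = $true } },
    @{ Name = 'Kiosk devices'
       AssignedGroups = @('Kiosk-Devices')
       Settings = @{ 'ScreenSaverTimeoutSeconds' = 0;   'RequireBitLocker' = $true } }
)

Find-IntuneSettingConflicts -Profiles $profiles | Format-List
```

With the sample data, `RequireBitLocker` is identical in both profiles and is not reported, while `ScreenSaverTimeoutSeconds` is reported with both values. Whether that becomes a real conflict depends on whether any device is a member of both `All-Windows-Devices` and `Kiosk-Devices`; the report lists the assignment groups so that overlap can be checked before the profiles are deployed.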
