User Enrollment Options
You can have users enroll their devices in XenMobile in a number of ways. Before considering the specifics, you must decide whether the devices in your environment will enroll in Enterprise mode (MDM+MAM), MDM mode, or MAM mode (also referred to as MAM-only mode). For more information about the management modes, see Management Modes.
At the highest level, there are four enrollment options:
- Enrollment Invitation: Send an enrollment invitation or invitation link to users.
- Self Help Portal: Set up a portal that users can visit to download Secure Hub and enroll their devices or send themselves an enrollment invitation.
- Manual Enrollment: Send out an email, handbook, or some other communication letting users know that the system is up and that they can enroll. Users then download Secure Hub and enroll their devices manually.
- Enterprise: Another option for device enrollment is through the Apple Device Enrollment Program (DEP) and Google Android for Work. Through each of these programs, you can purchase devices that are pre-configured and ready for employees to use. For more information, see Apple Device Enrollment Program (DEP) and Google Android for Work.
You can email an enrollment invitation to users with iOS, macOS, or Android devices. You can also send an installation link through SMTP or SMS to users with iOS, macOS, Android, or Windows devices. For more information, see Enroll devices.
If you choose the enrollment invitation method, you can choose from up to seven enrollment modes (depending on platform), and you can use any combination of the modes. You can enable or disable the modes from the XenMobile Settings page, and you can select a default from Username + Password, Two Factor, and Username + PIN. For information on each enrollment mode, see To configure enrollment modes.
If you choose certificate-based enrollment, consider excluding traditional Username + Password authentication from the allowed options: leaving it enabled gives users a weaker onboarding path into your environment and can undermine the level of security you require.
Invitations serve many purposes. The most common use of invitations is to notify users that the system is available, and that they can enroll. Invitation URLs are unique; once a user uses an invitation URL, the URL cannot be used again. You can use this property to limit the users or devices enrolling to your system.
You can set up XenMobile so that iOS users provide credentials during enrollment in one of the following ways:
- Users type their credentials during enrollment.
- Users insert a smart card from a derived credentials provider into a reader attached to their desktop. For information about derived credentials, see Derived credentials for iOS.
In the XenMobile console, you can also choose the option for Enrollment Profiles, through which you can control the number of devices specific users can enroll, based on Active Directory groups. For instance, if you want to allow your Finance division only one device per user, you can configure that scenario through enrollment profiles.
Be aware of the extra costs and pitfalls of certain enrollment options. If you want to send invitations using SMS, you need to set up an additional infrastructure. For more information on this option, see Notifications.
In addition, if you plan to send invitations by email, ensure that users have a way of accessing email outside of Secure Hub. You may use one-time password (OTP) enrollment modes as an alternative to Active Directory passwords for MDM enrollment. Note that OTP is available on iOS and Android devices only and is not currently available on Windows devices.
Users can request an enrollment invitation through the Self Help Portal. The default mode is Username + Password, but you can also change that requirement to Two Factor or Username + PIN. For information about setting up the Self Help Portal, see To configure enrollment modes.
With manual enrollment, users connect to XenMobile either through autodiscovery or by entering the server information. With autodiscovery, users log on to the server with only their email address or Active Directory credentials in User Principal Name format. Without autodiscovery, they must enter the server address and their Active Directory credentials. For more information about setting up autodiscovery, see XenMobile Autodiscovery Service.
You can facilitate manual enrollment in a number of ways. You can create a guide, distribute it to users, and have them enroll themselves. You can have your IT department manually enroll groups of users in certain time slots. You can use any similar method where users must enter their credentials and/or server information.
After you have your environment set up, you need to decide how to get users into your environment. An earlier section in this article discusses the specifics of user enrollment modes. This section discusses the way you reach out to users.
Open Enrollment vs. Selective Invitation
When onboarding users, you can allow enrollment through two basic methods. You can allow open enrollment, in which, by default, any user with LDAP credentials and the XenMobile environment information can enroll. Or, you can limit the number of users by allowing only users with invitations to enroll. You can also limit open enrollment by Active Directory group.
With the invitation method, you can also limit the number of devices a user can enroll. In most situations, open enrollment is acceptable, but there are a few things to consider:
- If you are rolling out a MAM environment, you can easily limit enrollment through Active Directory group membership.
- With an MDM environment, the only way to limit enrollment is to limit the number of devices that can enroll based on Active Directory group membership. If you only allow corporate devices in your environment, this shouldn’t be an issue. You may want to consider this method, however, in a BYOD workplace where you want to limit the number of devices in your environment.
- You also want to keep in mind whether you have user or device licenses. With user licenses, each user can have multiple devices and only one license is consumed. With device licenses, each device enrolled consumes one license.
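The three controls this section and the earlier invitation discussion describe (single-use invitation URLs, a per-Active-Directory-group device limit set through enrollment profiles, and user versus device license consumption) interact when a device enrolls. The following Python model is an added illustration of that interaction; it is not XenMobile code and does not use the XenMobile API. The group names, limits, license pool sizes, device identifiers and invitation tokens are constructed for the example.

```python
"""Illustrative enrollment gate (added example, not XenMobile code).

Models three policies from the article:
  1. invitation URLs are single-use,
  2. an Active Directory group can cap devices per user,
  3. a user license covers all of a user's devices, while a device license
     is consumed by every enrolled device.
All names, limits and identifiers below are constructed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class EnrollmentGate:
    license_model: str                       # "user" or "device"
    license_pool: int                        # total licenses available (constructed)
    device_limits: dict                      # AD group -> max devices per user (constructed)
    open_enrollment_groups: set = field(default_factory=set)  # groups allowed without an invitation
    _invites: dict = field(default_factory=dict)   # unused token -> user it was issued to
    _devices: dict = field(default_factory=dict)   # user -> set of enrolled device ids

    def issue_invitation(self, user: str) -> str:
        """Mint a high-entropy, single-use invitation token for one user."""
        token = secrets.token_urlsafe(32)
        self._invites[token] = user
        return token

    def licenses_used(self) -> int:
        if self.license_model == "device":
            return sum(len(d) for d in self._devices.values())
        # user model: one license per user who has at least one device
        return sum(1 for d in self._devices.values() if d)

    def enroll(self, user: str, group: str, device_id: str, token: str = None) -> tuple:
        """Return (accepted, reason) for one enrollment attempt."""
        # 1. Gate on either a valid, unused invitation or open enrollment for the group.
        if token is not None:
            if self._invites.get(token) != user:
                return False, "invalid or already-used invitation"
            del self._invites[token]          # burn the token: it cannot be reused
        elif group not in self.open_enrollment_groups:
            return False, "invitation required"

        # 2. Apply the per-group device limit for this user.
        owned = self._devices.setdefault(user, set())
        if device_id in owned:
            return True, "already enrolled"
        limit = self.device_limits.get(group)
        if limit is not None and len(owned) >= limit:
            return False, f"device limit {limit} reached for group {group}"

        # 3. Consume a license: every device under the device model,
        #    only the user's first device under the user model.
        needs_license = self.license_model == "device" or not owned
        if needs_license and self.licenses_used() >= self.license_pool:
            return False, f"{self.license_model} license pool exhausted"

        owned.add(device_id)
        return True, "enrolled"


def demo():
    """Walk through a mixed open/selective rollout with a pool of two user licenses."""
    gate = EnrollmentGate(license_model="user", license_pool=2,
                          device_limits={"Finance": 1, "Engineering": 3},
                          open_enrollment_groups={"Engineering"})
    tok = gate.issue_invitation("alice")
    r1 = gate.enroll("alice", "Finance", "ios-A1", token=tok)   # invited, enrolled
    r2 = gate.enroll("alice", "Finance", "ios-A2", token=tok)   # same token again: rejected
    r3 = gate.enroll("bob", "Engineering", "android-B1")        # open enrollment group
    r4 = gate.enroll("bob", "Engineering", "android-B2")        # second device, same user license
    r5 = gate.enroll("carol", "Engineering", "android-C1")      # third user, pool of two exhausted
    return [r[0] for r in (r1, r2, r3, r4, r5)], gate.licenses_used()


if __name__ == "__main__":
    print(demo())
```

The demo shows why the license model matters for a BYOD rollout: under the user model Bob's second device costs nothing, whereas under the device model each enrollment draws from the pool. Running the same scenario with `license_model="device"` reproduces the other case.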
Selective invitation is typically performed less often because it requires a bit more work than open enrollment. In order for users to enroll their devices in your environment, you must send an invitation unique to each user. For information on how to send an enrollment invite, see Sending an enrollment invitation.
You’ll need to send an invite for each user or group whom you want enrolled in your environment, which can take a long time depending on the size of your organization. It is possible to use Active Directory groups to create invitations in batches, but you must carry out this approach in waves.
When you have decided whether you want to use open enrollment or selective invitation and have set up those environments, you’ll need to make users aware of their enrollment options.
If you use the selective invitation method, email and SMS messages are a part of the process. You can send emails through the XenMobile console for open enrollment as well. For details, see Sending an enrollment invitation.
In either case, keep in mind that for email, you need an SMTP server. For text messages, you need an SMS server. These may be extra costs to consider when making your decision. In addition, before you select a method, consider how you expect new users to access information, like email. If you want all users to access their email through XenMobile, sending them an invitation email would be problematic.
You may also send communication by another means outside of XenMobile for an open enrollment environment, as long as you include all the relevant information, such as where users can get the Secure Hub app and what method they should use to enroll. If you have autodiscovery turned off, you need to tell them the XenMobile server address as well. To learn more about autodiscovery, see XenMobile Autodiscovery Service.