Derived credentials for iOS

Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is a Personal Identity Verification (PIV) card.

The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.

XenMobile can use derived credentials for iOS device enrollment and authentication. If configured for derived credentials, XenMobile doesn’t support enrollment invitations or other enrollment modes for iOS devices. Citrix recommends that you don’t enroll Android devices on servers set up for derived credentials.


Requirements

  • One of the following derived credential solutions:
    • Intercede 3.14 or later. For information on the Intercede requirements, see Citrix has validated that XenMobile supports the Intercede derived credential solution. The app name in the Apple App Store is MyID for Citrix.

      Users must install MyID for Citrix on their devices before enrolling in XenMobile.

    • Other derived credential solutions

      While it’s likely that most other credential solutions are compatible with XenMobile, test the integration before deploying it to production.

  • XenMobile Server 10.6 (minimum version)
    • Configured for Enterprise (XME) mode
    • Must have the root certificate of the authority that issues certificates to the Credentials Provider server. That setup enables XenMobile to accept the digitally signed certificates during enrollment. For information about adding the certificates, see Certificates and authentication.
    • If the user email domain differs from the LDAP domain, include the email domain in the Domain alias setting in Settings > LDAP. For example, if the domain for email addresses is and the LDAP domain name is, set Domain alias to,
    • XenMobile doesn’t support the use of derived credentials with shared devices.
  • User identity certificates:
    • The user name in the Subject alternative name field must be formatted as the otherName, rfc822Name, or dNSName field of the SubjectAltName extension. Other fields are not supported. For more information about Subject alternative name, see the RFC,
    • User identity in the Subject field in either Email or CN isn’t supported.
  • NetScaler Gateway configured for certificate authentication or certificate plus security token authentication

    For information about PKI configuration, see PKI entities.

  • Secure Hub 10.8.15 (minimum version)
  • Secure Mail 10.8.20 (minimum version)
    • Use the same developer certificate to sign all apps in the Apple App Store.
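
An added example (not Citrix or Intercede code) for the user identity certificate requirement above: it uses the third-party Python cryptography package to list the identifiers a certificate carries in the supported SubjectAltName fields and to flag certificates whose identity sits only in the Subject CN or Email. The UPN object identifier used for otherName, the helper names and the sample certificates are assumptions constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: the otherName entry is a Microsoft userPrincipalName (UPN).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

def san_user_identifiers(cert):
    """Return (field, value) pairs found in otherName, rfc822Name or dNSName."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    found = []
    for name in san:
        if isinstance(name, x509.OtherName) and name.type_id == UPN_OID:
            der = name.value  # DER UTF8String: tag 0x0C, short-form length, bytes
            if len(der) >= 2 and der[0] == 0x0C and der[1] < 0x80:
                found.append(("otherName", der[2:2 + der[1]].decode("utf-8")))
        elif isinstance(name, x509.RFC822Name):
            found.append(("rfc822Name", name.value))
        elif isinstance(name, x509.DNSName):
            found.append(("dNSName", name.value))
    return found

def subject_only_identity(cert):
    """True when identity appears only in Subject CN/Email (unsupported per the page)."""
    oids = (NameOID.COMMON_NAME, NameOID.EMAIL_ADDRESS)
    in_subject = any(cert.subject.get_attributes_for_oid(o) for o in oids)
    return in_subject and not san_user_identifiers(cert)

def upn_other_name(upn):
    raw = upn.encode("utf-8")  # sample helper; assumes a UPN shorter than 128 bytes
    return x509.OtherName(UPN_OID, bytes([0x0C, len(raw)]) + raw)

def make_sample_cert(san_names):
    """Constructed self-signed test certificate, not a real derived credential."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample User")])
    now = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30)))
    if san_names:
        builder = builder.add_extension(x509.SubjectAlternativeName(san_names), critical=False)
    return builder.sign(key, hashes.SHA256())
```

To check a certificate issued by your credential provider, load it with x509.load_pem_x509_certificate and pass it to both functions before enrolling test devices.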


For enrollment, XenMobile Server connects to the components described in the preceding Requirements section, as shown in the following diagram.

Diagram of derived credentials enrollment architecture

  • During device enrollment, Secure Hub obtains certificates from the derived credentials app.
  • The derived credentials app communicates with the credential management server during enrollment.
  • You can use the same or different server for the credential management server and a third-party PKI provider.
  • XenMobile Server connects to your third-party PKI server to obtain certificates.

After enrollment, the components connect as shown in the following diagram.

Diagram of derived credentials post-enrollment architecture

The following sections describe how to configure XenMobile with a derived credentials provider, enable derived credentials for enrollment, and manage devices that use derived credentials.

Enable derived credentials

By default, the XenMobile console doesn’t include the Settings > Derived Credentials page. To enable the interface for derived credentials: Go to Settings > Server Properties, add the server property derived.credentials.enable, and set the property to true.

Image of Server Properties configuration screen

Configure derived credentials

These instructions assume that you have a working configuration for the derived credentials provider that you plan to integrate with XenMobile. You can then configure XenMobile to communicate with that server. You also choose a derived credentials CA certificate already added to XenMobile or import the certificate.

You can activate Online Certificate Status Protocol (OCSP) support for that CA certificate. For more information about OCSP, see “Discretionary CAs” in PKI entities.

  1. In the XenMobile console, go to Settings > Derived Credentials for iOS.

    Image of Derived Credentials configuration screen

  2. Under Provider:

    • Choose a derived credentials provider. Citrix validated that XenMobile supports Intercede. If you choose Other for the provider, test the integration before putting your server into production.

    • App URL (iOS): If you choose Intercede as the provider, XenMobile fills in the App URL. If you choose Other as the provider, obtain the App URL from your derived credentials provider.

      If a device can’t contact your provider, verify the App URL with the provider. You might need to change it.

    • Optional parameters: Some derived credential providers might require that you provide parameters for the connection. For example, a vendor might require that you specify the URLs of a back-end server. Click Add to provide parameters.

  3. Specify a certificate for derived credentials: If the certificate is already uploaded to XenMobile, choose that certificate from Issuer CA. Otherwise, click Import to add a certificate. The Import Certificate dialog box appears.

  4. In the Import Certificate dialog box, click Browse to navigate to the certificate. Then click Browse to navigate to the private key file.

    Image of Derived Credentials configuration screen

  5. If you choose Intercede as the provider, XenMobile fills in the User Identifier field and the User Identifier type. For Intercede, the User Identifier field is Subject alternative name, and the User Identifier type is userPrincipalName. Contact other derived credential providers for their information and configure the settings.

  6. You can optionally use an OCSP responder for certificate revocation checking. By default, OCSP checking is off. To activate OCSP support for the CA certificate:

    • Set OCSP check to ON.

    Image of Derived Credentials configuration screen

    • Choose an option for Use custom OCSP URL. By default, XenMobile extracts the OCSP URL from the certificate (the Use certificate definition for revocation option). To specify a responder URL, click Use custom and then type the URL.
    • Responder CA: From Responder CA, choose a certificate. Or, click Import and then use the Import Certificate dialog box to locate the certificate.
  7. Click Save. The Derived Credentials dialog box appears.

    Image of Derived Credentials configuration screen

    • To enable the derived credentials configuration, click Save. To use derived credentials, you must also configure enrollment settings.

    • To enable the derived credentials configuration and then go immediately to Settings > Enrollment, click Save and Go to Enrollment.

  8. To enable derived credentials for enrollment: On the Settings > Enrollment page, under Advanced Enrollment, select Derived Credentials (iOS only) and then click Enable.

    Image of Enrollment configuration screen

  9. A confirmation dialog box appears. To enable derived credentials, select the check box, and click Enable.

    Image of Enrollment configuration screen

  10. To edit options for derived credentials enrollment, go to Settings > Enrollment, select Derived Credentials (iOS only) and then click Edit.

After you enable derived credentials: In the Devices Enrollment report, the column Enrollment mode shows derived_credentials.

For enrollment steps when using derived credentials, see iOS devices that use derived credentials.


After completing these steps, you may need to restart your XenMobile Server.

Configure XenMobile Server for Secure Mail

In order for Secure Mail to work properly with derived credentials, add the LDAP Attributes client property.

Follow the steps to add a client property in the article Client properties. Use the following information:

  • Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

Image of Client Properties configuration screen


For an example of the enrollment process using derived credentials, see Enrolling devices by using derived credentials.