Azure Active Directory as IDP
Configuring Azure Active Directory (AD) as your identity provider (IDP) lets users enroll in XenMobile using their Azure credentials.
iOS, Android, and Windows 10 devices are supported. iOS and Android devices enroll through Secure Hub.
You configure Azure as your IDP under Settings > Authentication > IDP. The IDP page is new to this version of XenMobile. In previous versions of XenMobile, you configured Azure under Settings > Microsoft Azure.
Versions and licenses
- To enroll iOS or Android devices, you need Secure Hub 10.5.5.
- To enroll Windows 10 devices, you need Microsoft Azure Premium licenses.
Directory services and authentication
- XenMobile Server must be configured for certificate-based authentication.
- If you are using NetScaler for authentication, NetScaler must be configured for certificate-based authentication.
- Secure Hub authentication uses Azure AD and honors the authentication mode defined on Azure AD.
- XenMobile Server must connect to Windows Active Directory (AD) using LDAP. Synchronize that on-premises directory with Azure AD so that the users who sign in through Azure also exist in the directory XenMobile queries over LDAP.
When a device enrolls through Secure Hub and XenMobile is configured to use Azure as its IDP:
1. Users enter a user name and password, on their device, in the Azure AD login screen shown in Secure Hub.
2. Azure AD validates the user and sends an ID token.
3. Secure Hub shares the ID token with XenMobile Server.
4. XenMobile validates the ID token and the user information present in the ID token. XenMobile returns a session ID.
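The ID token in step 2 is a signed JWT, and step 4 is where the security of the whole flow rests: if the server accepts a token it did not verify, anyone who can reach the enrollment endpoint can claim to be any user. The following is an added example, not Citrix code and not XenMobile's implementation, of the checks an MDM server must make before it trusts the user identity in such a token and issues a session ID: a pinned algorithm, the signature, the issuer and tenant, the audience (your Client ID), the validity window, and the userPrincipalName claim that XenMobile keys on. The tenant ID (taken from the page's example), client ID, user name and signing key are constructed values. Azure AD signs ID tokens with RS256 and publishes its verification keys at the tenant's JWKS endpoint; this offline demo uses HS256 with a shared key instead so that it needs no RSA library, and the claim checks are the same either way.

```python
"""Added example: validating the Azure AD ID token that Secure Hub hands to the MDM
server. Not Citrix code and not XenMobile's implementation. Standard library only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo (assumptions; real tenant and client IDs are GUIDs).
TENANT_ID = "abc213-abc123-abc123"            # the page's example tenant ID
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"  # Azure AD v1 issuer format
# Constructed shared key. Azure AD really uses RS256 with keys from its JWKS
# endpoint; HS256 stands in here only so the example runs offline.
SIGNING_KEY = b"constructed-demo-key-not-from-azure"
EXPECTED_ALG = "HS256"
CLOCK_SKEW = 60  # seconds of tolerance for exp / nbf


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Stand-in for the IDP: build a JWT from claims. alg="none" yields an unsigned token."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    """Raised for any reason the token must not be trusted."""


def validate_id_token(token: str, key: bytes = SIGNING_KEY,
                      now: Optional[float] = None,
                      expected_upn: Optional[str] = None) -> dict:
    """Return the verified claims, or raise TokenError. Order matters: reject
    anything unsigned or mis-signed before looking at the claims at all."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise TokenError(f"malformed token: {exc}")
    # 1. Pin the algorithm. The token must never choose ("alg": "none" or a downgrade).
    if header.get("alg") != EXPECTED_ALG:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # 3. Issuer and tenant must be ours; a valid token from another tenant is still foreign.
    if claims.get("iss") != ISSUER or claims.get("tid") != TENANT_ID:
        raise TokenError("token issued by another tenant")
    # 4. Audience must be this application's Client ID.
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise TokenError("token not intended for this application")
    # 5. Validity window with a small skew allowance.
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise TokenError("token expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise TokenError("token not yet valid")
    # 6. The identifier the server keys on (User Identifier type: userPrincipalName).
    #    Assumed extra check: the UPN must match the user who started enrollment.
    upn = claims.get("upn")
    if not upn:
        raise TokenError("no upn claim")
    if expected_upn and upn.lower() != expected_upn.lower():
        raise TokenError("upn does not match the enrolling user")
    # A production validator also checks the nonce it sent with the request.
    return claims


def rejection_reason(token: str, **kwargs) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    now = time.time()
    good = mint_id_token({"iss": ISSUER, "tid": TENANT_ID, "aud": CLIENT_ID,
                          "nbf": now, "exp": now + 600,
                          "upn": "alice@acmew.onmicrosoft.com"})
    print("accepted:", validate_id_token(good)["upn"])
    print("unsigned:", rejection_reason(mint_id_token({"upn": "x"}, alg="none")))
```

Running the module accepts the constructed token and refuses the unsigned one. The check order is deliberate: algorithm and signature first, so that claims from a token nobody signed are never parsed into decisions, then tenant and audience, so that a token Azure AD legitimately issued to some other application or tenant cannot be replayed against this server.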
To use Azure AD as your IDP, first log in to your Azure account and make these changes:
1. Register your custom domain and verify the domain. For details, see Add your own domain name to Azure Active Directory.
2. Extend your on-premises directory to Azure Active Directory using directory integration tools. For details, see Directory Integration.
To use Azure AD to enroll Windows 10 devices, make the following changes to your Azure account:
1. Make the MDM a relying party of Azure AD. To do so, click Azure Active Directory > Applications and then click Add.
2. Select Add an application from the gallery. Go to MOBILE DEVICE MANAGEMENT and then select on-premises MDM application. Save the settings.
   You choose on-premises application even if you signed up for Citrix XenMobile cloud. In Microsoft terminology, any non-multi-tenant application is an on-premises MDM application.
   The application asks for these two values:
   - MDM Discovery URL:
   - App ID URI: the URL for the server running XenMobile. You enter the same value later in the XenMobile console.
3. Select the on-premises MDM application that you created in step 2. Enable the option, Manage devices for these users, to enable MDM management for all users or any specific user group.
For more information about using Azure AD with Windows 10 devices, see the Microsoft article Azure Active Directory integration with MDM.
Locate or make note of the information you need from your Azure account:
- Tenant ID from the Azure application settings page.
- If you want to use Azure AD to enroll Windows 10 devices, you also need:
  - App ID URI: The URL for the server running XenMobile.
  - Client ID: The unique identifier for your app from the Azure Configure page.
  - Key: From the Azure application settings page.
1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.
2. Under Authentication, click Identity Provider (IDP). The Identity Provider page appears.
3. Click Add. The IDP configuration page appears.
4. Configure the following information about your IDP:
   - IDP Name: Type a name for the IDP connection you are creating.
   - IDP Type: Choose Azure Active Directory as your IDP type.
   - Tenant ID: Copy this value from the Azure application settings page. In the browser address bar, copy the section made up of numbers and letters. For example, in
     https://manage.windowsazure.com/acmew.onmicrosoft.com#workspaces/ActiveDirectoryExtension/Directory/abc213-abc123-abc123/onprem..., the tenant ID is abc213-abc123-abc123.
   The rest of the fields fill in automatically. When they are filled, click Next.
5. To configure XenMobile to enroll Windows 10 devices using Azure AD for MDM enrollment, configure the following settings. To skip this optional step, clear Win 10 MDM.
   - App ID URI: Type the URL for the XenMobile Server that you entered when you configured your Azure settings.
   - Client ID: Copy and paste this value from the Azure Configure page. The client ID is the unique identifier for your app.
   - Key: Copy this value from the Azure application settings page. Under Keys, select a duration in the list and then save the setting. You can then copy the key and paste it into this field. A key is required when apps read or write data in Microsoft Azure AD. The key is a secret that lets XenMobile act as this application against Azure AD, so copy it as soon as the portal shows it, store it as you would a password, and record the duration you chose: you must generate a new key and update this field before the old one expires.
6. Citrix has registered Secure Hub with Microsoft Azure and maintains the information. This screen shows the details used by Secure Hub to communicate with Azure Active Directory. This page will be used in the future if any of this information needs to change. Edit this page only if Citrix advises you to.
7. Configure the type of user identifier that your IDP provides. XenMobile uses this claim from the ID token to identify the enrolling user.
   - User Identifier type: Choose userPrincipalName from the list.
   - User Identifier string: This field is filled in automatically.
8. Review the Summary page and click Save.
1. Users start Secure Hub. Users then enter the XenMobile Server Fully Qualified Domain Name (FQDN), a User Principal Name (UPN), or email address.
2. Users then click Yes, Enroll.
3. Users log on by using their Azure AD credentials.
4. Users complete the enrollment steps in the same way as any other enrollment through Secure Hub.
XenMobile doesn't support authentication through Azure AD for enrollment invitations. If you send users an enrollment invitation containing an enrollment URL, users authenticate through LDAP instead of Azure AD, so the authentication mode you defined in Azure AD does not apply to those enrollments.