XenMobile Server Current Release

Azure Active Directory as IdP

Configuring Azure Active Directory (AAD) as your identity provider (IdP) lets users enroll in XenMobile using their Azure credentials.

iOS, Android, and Windows 10 and Windows 11 devices are supported. iOS and Android devices enroll through Secure Hub. This authentication method is available only to users enrolling in MDM through Citrix Secure Hub. Devices enrolling in MAM can’t authenticate using AAD credentials. To use Secure Hub with MDM+MAM, configure XenMobile to use Citrix Gateway for MAM enrollment. For more information, see Citrix Gateway and XenMobile.

You configure Azure as your IdP under Settings > Authentication > IDP. The IDP page is new to this version of XenMobile. In previous versions of XenMobile, you configured Azure under Settings > Microsoft Azure.

Requirements

  • Versions and licenses

    • To enroll iOS or Android devices, you need Secure Hub 10.5.5.
    • To enroll Windows 10 and Windows 11 devices, you need Microsoft Azure Premium licenses.
  • Directory services and authentication

    • XenMobile Server must be configured for certificate-based authentication.
    • If you are using Citrix ADC for authentication, Citrix ADC must be configured for certificate-based authentication.
    • Secure Hub authentication uses Azure AD and honors the authentication mode defined on Azure AD.
    • XenMobile Server must connect to Windows Active Directory (AD) using LDAP. Configure your local LDAP server to sync with Azure AD.

Authentication flow

When the device enrolls through Secure Hub and XenMobile is configured to use Azure as its IdP:

  1. Users enter their Azure Active Directory user name and password, on their device, in the Azure AD login screen shown in Secure Hub.

  2. Azure AD validates the user and sends an ID token.

  3. Secure Hub shares the ID token with XenMobile Server.

  4. XenMobile validates the ID token and the user information present in the ID token. XenMobile returns a session ID.

Azure account setup

To use Azure AD as your IdP, first log in to your Azure account and make these changes:

  1. Register your custom domain and verify the domain. For details, see Add custom domain name to Azure Active Directory.

  2. Extend your on-premises directory to Azure Active Directory using directory integration tools. For details, see Directory Integration.

To use Azure AD to enroll Windows 10 and Windows 11 devices, make the following changes to your Azure account:

  1. Make the MDM a reliable party of Azure AD. To do so, click Azure Active Directory > Applications and then click Add.

  2. Select Add an application from the gallery. Go to MOBILE DEVICE MANAGEMENT and then select on-premises MDM application. Save the settings.

    You choose an on-premises application even if you signed up for Citrix XenMobile cloud. In Microsoft terminology, any non-multi-tenant application is an on-premises MDM application.

  3. In the application, configure XenMobile Server discovery, terms of use endpoints, and APP ID URI:
    • MDM Discovery URL: https://<FQDN>:8443/<instanceName>/wpe
    • MDM Terms of Use URL: https://<FQDN>:8443/<instanceName>/wpe/tou
    • APP ID URI: https://<FQDN>:8443/
  4. Select the on-premises MDM application that you created in step 2. Enable the option Manage devices for these users to enable MDM management for all users or any specific user group.

    For more information about using Azure AD with Windows 10 and Windows 11 devices, see the Microsoft article Azure Active Directory integration with MDM.

Configure Azure AD as your IdP

  1. Locate or make note of the information you need from your Azure account:

    • Tenant ID from the Azure application settings page.
    • If you want to use Azure AD to enroll Windows 10 and Windows 11 devices, you also need:
      • App ID URI: The URL for the server running XenMobile.
      • Client ID: The unique identifier for your app from the Azure Configure page.
      • Key: From the Azure application settings page.
  2. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  3. Under Authentication, click Identity Provider (IDP). The Identity Provider page appears.

    Image of Identity Provider configuration screen

  4. Click Add. The IDP configuration page appears.

  5. Configure the following information about your IdP:

    • IDP Name: Type a name for the IdP connection that you are creating.
    • IDP Type: Choose Azure Active Directory as your IdP type.
    • Tenant ID: Copy this value from the Azure application settings page. In the browser address bar, copy the section made up of numbers and letters.

    For example, in https://manage.windowszaure.com/acmew.onmicrosoft.com#workspaces/ActiveDirectoryExtensin/Directory/abc213-abc123-abc123/onprem..., the tenant ID is: abc123-abc123-abc123.

    Image of Identity Provider configuration screen

  6. The rest of the fields automatically fill. When they are filled, click Next.

  7. To configure XenMobile to enroll Windows 10 and Windows 11 devices using Azure AD for MDM enrollment, configure the following settings. To skip this optional step, clear Windows MDM.

    • App ID URI: Type the URL for the XenMobile Server that you entered when you configured your Azure settings.
    • Client ID: Copy and paste this value from the Azure Configure page. The client ID is the unique identifier for your app.
    • Key: Copy this value from the Azure application settings page. Under keys, select a duration in the list and then save the setting. You can then copy the key and paste it into this field. A key is required when apps read or write data in Microsoft Azure AD.

    Image of Identity Provider configuration screen

  8. Click Next.

    Citrix has registered Secure Hub with Microsoft Azure and maintains the information. This screen shows the details used by Secure Hub to communicate with Azure Active Directory. This page will be used in the future if any of this information needs a change. Edit this page only if Citrix advises you to.

  9. Click Next.

    Image of Identity Provider configuration screen

  10. Configure the type of user identifier that your IdP provides:

    • User Identifier type: Choose userPrincipalName from the list.
    • User Identifier string: This field is automatically filled.
  11. Click Next.

    Image of Identity Provider configuration screen

  12. Review the Summary page and click Save.

    Image of Identity Provider configuration screen

What users experience

  1. Users start Secure Hub. Users then enter the XenMobile Server Fully Qualified Domain Name (FQDN), a User Principle Name (UPN), or email address.

    Image of Secure Hub screen

  2. Users then click Yes, Enroll.

    Image of Secure Hub screen

  3. Users log on by using their Azure AD credentials.

    Image of Secure Hub screen

    Image of Secure Hub screen

    Image of Secure Hub screen

  4. Users complete the enrollment steps in the same way as any other enrollment through Secure Hub.

    Note:

    XenMobile doesn’t support authentication through Azure AD for enrollment invitations. If you send users an enrollment invitation that has an enrollment URL, users authenticate through LDAP instead of Azure AD.

Azure Active Directory as IdP