XenMobile Server Current Release

Android Enterprise

Android Enterprise is a set of tools and services provided by Google as an enterprise management solution for Android devices. With Android Enterprise:

  • You use XenMobile to manage company-owned Android devices and bring your own device (BYOD) Android devices.

  • You can manage the entire device or a separate profile on the device. The separate profile isolates business accounts, apps, and data from personal accounts, apps, and data.

  • You can also manage devices dedicated to a single use, such as inventory management. For an overview of Android Enterprise capabilities from Google, see Android Enterprise Management.

Resources:

When you integrate XenMobile with managed Google Play to use Android Enterprise, you create an enterprise. Google defines an enterprise as binding between the organization and your enterprise mobile management (EMM) solution. All the users and devices that the organization manages through your solution belong to its enterprise.

An enterprise for Android Enterprise has three components: an EMM solution, a device policy controller (DPC) app, and a Google enterprise app platform. When you integrate XenMobile with Android Enterprise, the complete solution has these components:

  • XenMobile: The Citrix EMM. XenMobile is the unified XenMobile solution for a secure digital workspace. XenMobile provides the means for IT administrators to manage devices and apps for their organizations.
  • Citrix Secure Hub: The Citrix DPC app. Secure Hub is the launchpad for XenMobile. Secure Hub enforces policies on the device.
  • Managed Google Play: A Google enterprise app platform that integrates with XenMobile. The Google Play EMM API sets app policies and distributes apps.

This illustration shows how administrators interact with these components and how the components interact with each other:

Image

Using managed Google Play with XenMobile

Note:

You can use either managed Google Play or Google Workspace to register Citrix as your EMM provider. This article discusses using Android Enterprise with managed Google Play. If your organization uses Google Workspace to provide access to apps, you can use it with Android Enterprise. See Legacy Android Enterprise for Google Workspace (formerly G-Suite) customers.

When you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use the apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

Because this type of enterprise is not tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise to manage separate sets of devices and apps.

For XenMobile administrators, managed Google Play combines the user experience and app store features of Google Play with a set of management capabilities designed for enterprises. You use managed Google Play to add, buy, and approve apps for deployment to the Android Enterprise workspace on a device. You can use Google Play to deploy public apps, private apps, and third-party apps.

For users of managed devices, managed Google Play is the enterprise app store. Users can browse apps, view app details, and install them. Unlike the public version of Google Play, users can only install apps from managed Google Play that you make available for them.

Device deployment scenarios and modes of operation

Device deployment scenario refers to who owns the devices you deploy and how you manage them. Device profiles refer to how the DPC manages and enforces policies on devices.

A work profile isolates business accounts, apps, and data from personal accounts, apps, and data. For more details about work profiles, see the Google Android Enterprise help topic, What is a work profile.

Important:

When Android Enterprise devices update to Android 11, Google migrates devices managed as “fully managed with a work profile” to a new security-enhanced work profile experience. For more information, see Changes ahead for Android Enterprise’s Fully Managed with Work Profile.

Device management Use cases Work profile Personal profile Notes
Company-owned devices (fully managed) Company-owned devices intended only for work use No Yes. The DPC can do device-wide actions, such as configure device-wide connectivity, configure global settings, and do a factory reset. For new or factory reset devices only.
Fully managed with a work profile Company-owned devices intended for work and personal use Yes Yes. Two copies of the DPC run on these devices: One manages the device in device owner mode and the other manages the work profile in profile owner mode. You can apply separate policies to the device and the work profile. Formerly known as corporate-owned personally enabled (COPE) devices.
Dedicated devices* Company-owned devices configured for a single use case, such as digital signage or ticket printing No Yes. You provide only the required apps and prevent users from adding other apps. Formerly known as corporate owned single use (COSU) devices.
BYOD work profile** Personal devices enrolled in work profile mode (also known as profile owner mode) Yes Yes. The DPC manages only the work profile, not the whole device. These devices don’t need to be new or factory reset.

* Users can share a dedicated device. When a user signs on to an app on a dedicated device, the state of their work is with the app, not the device.

** XenMobile does not support Zebra devices as in BYOD work profile mode. XenMobile supports Zebra devices as fully managed devices and in device legacy mode (also called device admin mode).

For information on migrating from legacy mode to device owner or profile owner mode, see Migrate from device administration to Android Enterprise.

Authentication methods

Enrollment profiles determine whether Android devices enroll in MAM, MDM, or MDM+MAM, with the option for users to opt out of MDM.

For information about specifying the level of security and required enrollment steps, see Configure enrollment security modes.

XenMobile supports the following authentication methods for Android devices enrolled in MDM+MAM. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, see https://support.citrix.com/article/CTX215200.

Requirements

Before you start using Android Enterprise, you need:

  • Accounts and credentials:

    • To set up Android Enterprise with managed Google Play, a corporate Google account
    • To download the latest MDX files, a Citrix customer account
    • To deploy private apps (optional), a Google developer account
  • Firebase Cloud Messaging (FCM) configured for XenMobile. See Firebase Cloud Messaging for instructions.

  • For Samsung Knox Mobile Enrollment (optional), Knox premium licenses.

Connecting XenMobile to Google Play

To set up Android Enterprise for your organization, register Citrix as your EMM provider through managed Google Play. That setup connects managed Google Play to XenMobile and creates an enterprise for Android Enterprise in XenMobile.

You need a corporate Google account to sign in to Google Play.

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Go to Settings > Android Enterprise.

Settings page with Android Enterprise highlighted

  1. Click Connect. Google Play opens.

Android Enterprise connects to Google Play

  1. Sign in to Google Play with your corporate Google account credentials. Enter your organization name and confirm that Citrix is your EMM provider.

  2. An enterprise ID is added for Android Enterprise. To enable Android Enterprise, slide Enable Android Enterprise to Yes.

    Enable Android Enterprise option

Your Enterprise ID appears in the XenMobile console.

Image

Your environment is connected to Google and is ready to manage the devices. You can now provide apps for users.

XenMobile can be used to provide users with Citrix mobile productivity apps, MDX apps, public app store apps, web and SaaS apps, enterprise apps, and web links. For more information on these types of apps and providing them to users, see Add apps.

The following section shows how to provide mobile productivity apps.

Providing Citrix mobile productivity apps to Android Enterprise users

Providing Citrix mobile productivity apps for Android Enterprise users requires these steps.

  1. Publish the apps as MDX apps. See Configure apps as MDX apps.

  2. Configure the rules for the security challenges that your users use to access the work profiles on their devices. See Configure security challenge policy.

The apps you publish are available to devices enrolled in your Android Enterprise enterprise.

Note:

When you deploy an Android Enterprise public app store app to an Android user, that user is automatically enrolled in Android Enterprise.

Configure apps as MDX apps

To configure a Citrix productivity app as an MDX app for Android Enterprise:

  1. In the XenMobile console, click Configure > Apps. The Apps page appears.

    Apps configuration screen

  2. Click Add. The Add App dialog box appears.

    Apps configuration screen

  3. Click MDX. The App Information page appears.

  4. On the left side of the page, select Android Enterprise as the platform.

  5. On the App Information page, type the following information:

    • Name: Type a descriptive name for the app. This name appears under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see About app categories.
  6. Click Next. The Android Enterprise MDX App page appears.

  7. Click Upload and navigate to the file location of the .mdx files for the app. Select the file and click Open.

  8. The UI notifies you if the attached application requires approval from the managed Google Play store. To approve the application without leaving the XenMobile console, click Yes.

    Add an MDX app

  9. When the managed Google Play store page opens, click Approve.

    Approve an MDX app

  10. Click Approve again.

  11. Select Keep approved when app requests new permissions. Click Save.

    Google play approval settings

  12. When the app is approved and saved, more settings appear on the page. Configure these settings:

    • File name: Type the file name associated with the app.
    • App Description: Type a description for the app.
    • Product track: Specify which product track you want to push to user devices. If you have a track designed for testing, you can select and assign it to your users. The default is Production.
    • App version: Optionally, type the app version number.
    • Package ID: The URL of the app in the Google Play store.
    • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
    • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  13. Configure the MDX Policies. For more information about app policies for MDX apps, see MDX Policies at a Glance and MAM SDK overview.

  14. Configure the deployment rules. For information, see Deploy resources.

  15. Expand Store Configuration. This setting doesn’t apply to Android Enterprise apps, which appear only in managed Google Play.

    Apps configuration screen

    Optionally, you can add an FAQ for the app or screen captures that appear in the app store. You can also set whether users can rate or comment on the app.

    • Configure these settings:
      • App FAQ: Add FAQ questions and answers for the app.
      • App screenshots: Add screen captures to help classify the app in the app store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
      • Allow app ratings: Select whether to allow a user to rate the app. The default is ON. Allow app comments: Select whether to allow users to comment about the selected app. The default is ON.
  16. Click Next. The Approvals page appears.

    Apps configuration screen

    You use workflows when you need approval when creating user accounts. If you don’t want to set up approval workflows, you can skip to Step 15.

    Configure these settings to assign or create a workflow:

    • Workflow to Use: In the list, click an existing workflow or click Create a new workflow. The default is None.
    • If you select Create a new workflow, configure these settings. For more information, see Apply workflows.
    • Name: Type a unique name for the workflow.
    • Description: Optionally, type a description for the workflow.
    • Email Approval Templates: In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in the Active Directory.
    • When the name appears in the field, select the checkbox next to the name. The name and email address appear in the Selected additional required approvers list.
      • To remove a person from the Selected additional required approvers list, do one of the following:
        • Click Search to see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then click Search to limit the search results.
        • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the checkbox next to each name you want to remove.
  17. Click Next. The Delivery Group Assignment page appears.

    Apps configuration screen

  18. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

  19. Expand Deployment Schedule and then configure the following settings:

    • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is set to ON.
    • Next to Deployment schedule, click Now or Later. The default option is set to Now.
    • If you click Later, click the calendar icon and then select the date and time for deployment.
    • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is set to On every connection.
    • Next to Deploy for always-on connection, make sure that OFF is selected. The default option is set to OFF. The always-on connections are not available for Android Enterprise if you began using XenMobile with version 10.18.19 or later. We don’t recommend the connections for customers who began using XenMobile before version 10.18.19.

      This option applies when you have configured the scheduling background deployment key in Settings > Server Properties.

      The deployment schedule that you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection.

  20. Click Save.

Repeat the steps to configure an MDX app for each mobile productivity app.

Configure security challenge policy

The XenMobile Passcode device policy configures the set of rules for the security challenges users to access their devices or the Android Enterprise work profiles on their devices. A security challenge can be a passcode or biometric recognition. For more information about the Passcode policy, see Passcode device policy.

  • If your Android Enterprise deployment includes BYOD devices, configure the passcode policy for the work profile.
  • If your deployment includes company-owned, fully managed devices, configure the passcode policy for the device itself.
  • If your deployment includes both types of devices, configure both types of passcode policy.

To configure the passcode policy:

  1. In the XenMobile console, go to Configure > Device Policies.

  2. Click Add.

  3. Click Show filter to show the Policy Platform pane. In the Policy Platform pane, select Android Enterprise.

  4. Click Passcode on the right pane.

Password security option

  1. Enter a Policy Name. Click Next.

    Password security name

  2. Configure the Passcode policy settings.
    • Set Device passcode required to On to see the settings available for security challenges for the device itself.
    • Set Work profile security challenge to On to see the settings available for work profile security challenges.
  3. Click Next.

  4. Assign the policy to one or more delivery groups.

  5. Click Save.

Creating enrollment profiles

Enrollment profiles control how Android devices are enrolled if Android Enterprise is enabled for your XenMobile deployment. When you create an enrollment profile to enroll Android Enterprise devices, you can configure the enrollment profile to enroll new and factory reset devices as:

  • Fully managed devices
  • Dedicated devices (COSU devices)
  • Fully managed devices with a work profile (COPE devices)

You can also configure each of these Android Enterprise enrollment profiles to enroll BYOD Android devices as work profile devices.

If Android Enterprise is enabled for your XenMobile deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices. By default, the Global enrollment profile enrolls new and factory reset Android devices as fully managed devices and enrolls BYOD Android devices as work profile devices.

When you create enrollment profiles, you assign delivery groups to them. If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. XenMobile selects the delivery group that appears last in an alphabetized list of delivery groups. For more information, see Enrollment profiles.

You can use enrollment profiles to combine multiple use cases such as MDM only, MDM+MAM, and MAM only. Your XenMobile Server license type, reflected in the server property, xms.server.mode, determines the settings available in Configure > Enrollment Profiles.

Add an enrollment profile for fully managed devices

The Global enrollment profile enrolls fully managed devices by default, but you can create more enrollment profiles to enroll fully managed devices.

  1. In the XenMobile console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Set Management to Android Enterprise.

  6. Set Device owner mode to Company owned device.

    Enrollment Profiles configuration screen

  7. BYOD work profile allows you to configure the enrollment profile to enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as fully managed devices.

    • Set BYOD work profile to On to allow enrollment of BYOD devices as work profile devices. The default is On.
    • Set BYOD work profile to Off to restrict enrollment to fully managed devices.
  8. Choose whether to enroll devices in Citrix MAM.

  9. If you set BYOD work profile to On, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, set Allow users to decline device management to On.

    If BYOD work profile is set to On, the default value of Allow users to decline device management is On. If BYOD work profile is set to Off, then Allow users to decline device management is disabled.

  10. Select Assignment (options). The Delivery Group Assignment screen appears.

  11. Choose the delivery group or delivery groups containing the administrators who enroll fully managed devices. Then click Save.

    The Enrollment Profile page appears with the profile that you added.

    Enrollment Profiles configuration screen

Add a dedicated device enrollment profile

When your XenMobile deployment includes dedicated devices, a single XenMobile administrator or small group of administrators enroll many dedicated devices. To make sure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user.

  1. In the XenMobile console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Make sure that the number of devices that members with this profile can enroll is set to unlimited.

  3. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  4. Set Management to Android Enterprise.

  5. Set Device owner mode to Dedicated device.

    Enrollment Profiles page

  6. BYOD work profile allows you to configure the enrollment profile to enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as dedicated devices. Set BYOD work profile to On to allow enrollment of BYOD devices as work profile devices. Set BYOD work profile to Off to restrict enrollment to company-owned devices. Default is On.

  7. Choose whether to enroll devices in Citrix MAM.

  8. If you set BYOD work profile to On, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, set Allow users to decline device management to On.

    If BYOD work profile is set to On, the default value of Allow users to decline device management is On. If BYOD work profile is set to Off, then Allow users to decline device management is disabled.

  9. Select Assignment (options). The Delivery Group Assignment screen appears.

  10. Choose the delivery group or delivery groups that has the administrators who enroll the dedicated devices. Then click Save.

    The Enrollment Profile page appears with the profile that you added.

    Enrollment Profiles configuration screen

Add an enrollment profile for fully managed devices with a work profile

  1. In the XenMobile console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Set Management to Android Enterprise. Set Device owner mode to Fully managed with work profile.

    Enrollment Profiles configuration screen

  6. BYOD work profile allows you to configure the enrollment profile to enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as fully managed devices with a work profile. Set BYOD work profile to On to allow enrollment of BYOD devices as work profile devices. Set BYOD work profile to Off to restrict enrollment to dedicated devices. Default is Off.

  7. Choose whether to enroll devices in Citrix MAM.

  8. If you set BYOD work profile to On, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, set Allow users to decline device management to On.

    If BYOD work profile is set to On, the default value of Allow users to decline device management is On. If BYOD work profile is set to Off, then Allow users to decline device management is disabled.

  9. Select Assignment (options). The Delivery Group Assignment screen appears.

  10. Choose the delivery group or delivery groups that has the administrators who enroll fully managed devices with a work profile. Then click Save.

    The Enrollment Profile page appears with the profile that you added.

    Enrollment Profiles page

Adding an enrollment profile for legacy devices

Google is deprecating the device administrator mode of device management. Google encourages customers to manage all Android devices in device owner mode or profile owner mode. (See Device admin deprecation in the Google Android Enterprise developer guides.)

To support this change:

  • Citrix makes Android Enterprise the default enrollment option for Android devices.
  • If Android Enterprise is enabled for your XenMobile deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

Your organization might not be ready to begin managing legacy Android devices using Android Enterprise. In that case, you can continue to manage them in device administrator mode. For devices already enrolled in device administrator mode, XenMobile continues to manage them in device administrator mode.

Create an enrollment profile for legacy devices to allow new Android device enrollments to use device administrator mode.

To create an enrollment profile for legacy devices:

  1. In the XenMobile console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Set Management to Legacy device administration (not recommended). Click Next.

    Enrollment Profiles configuration screen

  6. Choose whether to enroll devices in Citrix MAM.

  7. To allow users to decline device management when they enroll their devices, set Allow users to decline device management to On. Default is On.

  8. Select Assignment (options). The Delivery Group Assignment screen appears.

  9. Choose the delivery group or delivery groups that has the administrators who enroll the dedicated devices. Then click Save.

The Enrollment Profile page appears with the profile that you added.

Enrollment profile page

To continue managing a legacy device in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similar to work profile devices, by having users download the Secure Hub and providing an enrollment server URL.

Provisioning Android Enterprise work profile devices

Android Enterprise work profile devices are enrolled in profile owner mode. These devices do not need to be new or factory reset. BYOD devices are enrolled as work profile devices. The enrollment experience is similar to Android enrollment in XenMobile. Users download Secure Hub from Google Play and enroll their devices.

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android Enterprise as a work profile device.

When enrolling devices in Android Enterprise as work profile devices, always go to Google Play. From there, enable Secure Hub to appear in the user’s personal profile.

Provisioning Android Enterprise fully managed devices

You can enroll fully managed devices in the deployment you set up in the previous sections. Fully managed devices are company-owned devices and are enrolled in device owner mode. Only new or factory reset devices can be enrolled in device owner mode.

You can enroll devices in device owner mode using any of these enrollment methods:

  • DPC identifier token: With this enrollment method, users enter the characters afw#xenmobile when setting up the device. afw#xenmobile is the Citrix DPC identifier token. This token identifies the device as managed by XenMobile and downloads the Secure Hub from the Google Play store. See Enrolling devices using the Citrix DPC identifier token.
  • Near field communication (NFC) bump: The NFC bump enrollment method transfers data through between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a new or factory-reset device. NFC is the only communication protocol that the device can use in this state. See Enrolling devices with NFC bump.
  • QR code: QR code enrollment can be used to enroll a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method sets up and configures the device profile mode by scanning a QR code from the setup wizard. See Enrolling devices using a QR code.
  • Zero touch: Zero-touch enrollment allows you to configure devices to enroll automatically when they are first powered on. Zero-touch enrollment is supported on some Android devices running Android 9.0 or later. See Zero-touch enrollment.
  • Google Accounts: Users enter their Google Account credentials to start the provisioning process. This option is for enterprises using Google Workspace.

Enrolling devices using the Citrix DPC identifier token

Users enter afw#xenmobile when prompted to enter a Google account after powering on new or factory reset devices for initial setup. This action downloads and installs Secure Hub. Users then follow the Secure Hub set-up prompts to complete the enrollment.

In this enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the XenMobile Server.

System requirements

  • Supported on all Android devices running the Android OS.

To enroll the device

  1. Power on a new or factory reset device.

  2. The initial device setup loads and prompts for a Google account. If the device loads the home screen of the device, check the notification bar for a Finish Setup notification.

  3. Enter afw#xenmobile in the Email or phone field.

    Device set up text

  4. Tap Install on the Android Enterprise screen prompting to install Secure Hub.

  5. Tap Install on the Secure Hub installer screen.

  6. Tap Allow for all app permission requests.

  7. Tap Accept & Continue to install Secure Hub and allow it to manage the device.

  8. Secure Hub is now installed and on the default enrollment screen. In this example, AutoDiscovery is not set up. If it was, the user can enter their user name/email and a server can be found for them. Instead, enter the enrollment URL for the environment and tap Next.

    Secure Hub credentials

  9. The default configuration for XenMobile allows users to choose if they use MAM or MDM+MAM. If prompted in this way, tap Yes, Enroll to choose MDM+MAM.

  10. Enter the user name and password, then tap Next.

  11. The user is prompted to configure a device passcode. Tap Set and enter a passcode.

  12. The user is prompted to configure a work profile unlock method. For this example, tap Password, tap PIN, and enter a PIN.

    Passcode options

  13. The device is now on the Secure Hub My Apps landing screen. Tap Add apps from Store.

  14. To add Secure Web, tap Secure Web.

    Secure Hub store

  15. Tap Add.

  16. Secure Hub directs the user to the Google Play store to install Secure Web. Tap Install.

  17. After Secure Web is installed, tap Open. Enter a URL from an internal site in the address bar and verify that the page loads.

  18. Go to Settings > Accounts on the device. Observe that the Managed Account can’t be modified. The developer options for sharing screen or remote debugging are also blocked.

    Account modification

Enrolling devices with NFC bump

To enroll a device as a fully managed device using NFC bumps requires two devices: One that is reset to its factory settings and one running the XenMobile Provisioning Tool.

System requirements and prerequisites

  • Supported Android devices.
  • A new or factory-reset device, provisioned for Android Enterprise as a fully managed device. You can find steps to complete this prerequisite later in this article.
  • Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in the Secure Hub or on the Citrix downloads page.

Each device can have only one Android Enterprise profile, managed Secure Hub. Only one profile is allowed on each device. Trying to add a second DPC app removes the installed Secure Hub.

Data transferred through the NFC bump

Provisioning a factory-reset device requires you to send the following data through an NFC bump to initialize the Android Enterprise:

  • Package name of the DPC app that acts as device owner (in this case, Secure Hub).
  • Intranet/Internet location from which the device can download the DPC app.
  • SHA1 hash of the DPC app to verify if the download is successful.
  • Wi-Fi connection details so that a factory-reset device can connect and download the DPC app. Note: Android now does not support 802.1x Wi-Fi for this step.
  • Time zone for the device (optional).
  • Geographic location for the device (optional).

When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don’t enter time zone and location values, Android automatically configures the values on the new device.

Configuring the XenMobile Provisioning Tool

Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

The Provisioning Tool configuration

You can type data into the required fields or populate them using a text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn’t save information after you type it, so you might want to create a text file to keep the information for future use.

To configure the Provisioning Tool by using a text file

Name the file nfcprovisioning.txt and place the file in the /sdcard/ folder on the SD card of the device. The app can then read the text file and populate the values.

The text file must have the following data:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=<download_location>

This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=<SHA1 hash>

This line is the checksum of the EMM provider app. This checksum is used to verify that the download is successful. Steps to get the checksum are discussed later in this article.

android.app.extra.PROVISIONING_WIFI_SSID=<wifi ssid>

This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=<wifi security type>

Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_WIFI_PASSWORD=<wifi password>

If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_LOCALE=<locale>

Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, type en_US for English as spoken in the United States. If you don’t type any codes, the country and language are automatically populated.

android.app.extra.PROVISIONING_TIME_ZONE=<timezone>

The time zone in which the device is running. Type an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter a name, the time zone is automatically populated.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=<package name>

This data isn’t required, because the value is hardcoded into the app as Secure Hub. It’s mentioned here only for the sake of completion.

If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Protected_WiFi_Name

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA2

android.app.extra.PROVISIONING_WIFI_PASSWORD=wifiPasswordHere

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Unprotected_WiFi_Name

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

To get the checksum of Citrix Secure Hub

The checksum of Secure Hub is a constant value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM. To download an APK file for Secure Hub, use the following Google Play store link: https://play.google.com/managed/downloadManagingApp?identifier=xenmobile.

To get an app checksum

Prerequisites:

  • The apksigner tool from the Android SDK Build Tools
  • OpenSSL command line

To get the checksum of any app, follow these steps:

  1. Download the app’s APK file from the Google Play store.
  2. In the OpenSSL command line, navigate to the apksigner tool: android-sdk/build-tools/<version>/apksigner and type the following:

    apksigner verify -print-certs <apk_path> | perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}'  | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'
    <!--NeedCopy-->
    

    The command returns a valid checksum.

  3. To generate the QR code, enter the checksum in the PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM field. For example:
{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.zenprise/com.zenprise.configuration.AdminFunction",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=xenmobile",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
      "serverURL": "https://supportablility.xm.cloud.com"
   }
}
<!--NeedCopy-->

Libraries used

The Provisioning Tool uses the following libraries in its source code:

  • v7 appcompat library, Design support library, and v7 Palette library by Google under Apache license 2.0

    For information, see Support Library Features Guide.

  • Butter Knife by Jake Wharton under Apache license 2.0

Enrolling devices using a QR code

To enroll a fully managed device using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

System requirements

  • Supported on all Android devices running Android 9.0 and above.

Create a QR code from a JSON

Create a JSON with the following fields.

These fields are required:

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Value: com.zenprise/com.zenprise.configuration.AdminFunction

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

Value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Value: https://play.google.com/managed/downloadManagingApp?identifier=xenmobile

These fields are optional:

  • android.app.extra.PROVISIONING_LOCALE: Enter language and country codes.

    The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, enter en_US for English as spoken in the United States.

  • android.app.extra.PROVISIONING_TIME_ZONE: The time zone in which the device is running.

    Type an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter one, the time zone is automatically populated.

  • android.app.extra.PROVISIONING_LOCAL_TIME: Time in milliseconds since the Epoch.

    The Unix epoch (or Unix time, POSIX time, or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT). The time doesn’t include leap seconds (in ISO 8601: 1970-01-01T00:00:00Z).

  • android.app.extra.PROVISIONING_SKIP_ENCRYPTION: Set to true to skip encryption during profile creation. Set to false to force encryption during profile creation.

A typical JSON looks like the following:

A typical JSON

Validate the JSON that is created using any JSON validation tool, such as https://jsonlint.com. Convert that JSON string to a QR code using any online QR code generator, such as https://www.qr-code-generator.com.

This QR code gets scanned by a factory-reset device to enroll the device as a fully managed device.

To enroll the device

After powering up a new or factory reset device:

  1. Tap the screen six times on the welcome screen to launch the QR code enrollment flow.
  2. When prompted, connect to Wi-Fi. The download location for Secure Hub in the QR code (encoded in the JSON) is accessible over this Wi-Fi network.

    Once the device successfully connects to Wi-Fi, it downloads a QR code reader from Google and launches the camera.

  3. Point the camera to the QR code to scan the code.

    Android downloads Secure Hub from the download location in the QR code, validate the signing certificate signature, install Secure Hub and sets it as the device owner.

For more information, see this Google guide for Android EMM developers: https://developers.google.com/android/work/prov-devices#qr_code_method.

Zero-touch enrollment

Zero-touch enrollment lets you set up devices to provision themselves as fully managed devices when they are powered on for the first time.

Your device reseller creates an account for you on the Android zero-touch portal, an online tool that lets you apply configurations to devices. Using the Android zero-touch portal, you create one or more zero-touch enrollment configurations and apply the configurations to the devices assigned to your account. When your users power up these devices, the devices are automatically enrolled in XenMobile. The configuration assigned to the device defines its automatic enrollment process.

System requirements

  • Supported for zero-touch enrollment begins with Android 9.0.

Devices and account information from your reseller

  • Devices eligible for zero-touch enrollment are bought from an enterprise reseller or Google partner. For a list of Android Enterprise zero-touch partners, see the Android website.

  • An Android Enterprise zero-touch portal account, created by your reseller.

  • Android Enterprise zero-touch portal account login information, provided by your reseller.

Create a zero-touch configuration

When you create a zero-touch configuration, include a custom JSON to specify details of the configuration.

Use this JSON to configure the device to enroll on the XenMobile Server you specify. Substitute the URL of your server for ‘URL’ in this example.

      {
          "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
        {
              "serverURL":"URL",
         }
      }
<!--NeedCopy-->

You can use an optional JSON with more parameters to further customize your configuration. This example specifies the XenMobile Server and the user name and password that devices using this configuration use to log on to the server.

     {
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
          {
              "serverURL":"URL",
              "xm_username":"username",
              "xm_password":"password"
          }
            }
  <!--NeedCopy-->
  1. Go to the Android zero-touch portal at https://partner.android.com/zerotouch. Log in with the account information from your zero-touch device reseller.

  2. Click Configuration. the zero-touch portal

  3. Click + above the configuration table. the zero-touch portal

  4. Enter your configuration information in the configuration window that appears. the zero-touch portal
    • Configuration name: Type the name that you choose for this configuration.
    • EMM DPC: Choose Citrix Secure Hub.
    • DPC extras: Paste your custom JSON text in this field.
    • Company name: Type the name that you want to appear on your Android Enterprise zero-touch devices during device provisioning.
    • Support email address: Type an email address that your users can contact for help. This address appears on your Android Enterprise zero-touch devices before device provisioning.
    • Support phone number: Type a phone number that your users can contact for help. This phone number appears on your Android Enterprise zero-touch devices before device provisioning.
    • Custom Message: Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. This custom message appears on your Android Enterprise zero-touch devices before device provisioning.
  5. Click Add.

  6. To create more configurations, repeat steps 2 through 4.

  7. To apply a configuration to a device:

    1. In the Android zero-touch portal, click Devices.

    2. Find the device in the list of devices and choose the configuration you want to assign to it. the zero-touch portal

    3. Click Update.

You can apply a configuration to many devices using a CSV file.

For information on how to apply a configuration to many devices, see the Android Enterprise help topic Zero-touch enrollment for IT admins. This Android Enterprise help topic has more information on how to manage configurations and apply them to devices.

Provisioning dedicated Android Enterprise devices

Dedicated Android Enterprise devices are fully managed devices that are dedicated to fulfill a single use case. Dedicated devices are also known as corporate owned single use (COSU) devices. You restrict these devices to one app or small set of apps required to do the tasks needed for this use case. You also prevent users from enabling other apps or doing other actions on the device.

Enroll dedicated devices using any of the enrollment methods used for other fully managed devices, as described in Provisioning Android Enterprise fully managed devices. Provisioning dedicated devices require more setup before enrollment.

To provision dedicated devices:

  • Add an enrollment profile for XenMobile administrators that you allow to enroll dedicated devices to your XenMobile deployment. See Creating enrollment profiles.
  • Allow the apps that you want the dedicated device to access.
  • Optionally, set the allowed app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.
  • Enroll each device in the enrollment profile that you added.

System requirements

  • Support for enrolling dedicated devices begins with Android 6.0.

Allow apps and set lock task mode

The Kiosk device policy lets you allow apps and set lock task mode. By default, Secure Hub and Google Play services are allowed.

To add the Kiosk policy:

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add a New Policy dialog box appears.

  3. Expand More and then, under Security, click Kiosk. The Kiosk Policy page appears.

  4. Under Platforms, select Android Enterprise. Clear other platforms.

  5. In the Policy Information pane, type the Policy Name and an optional Description.

  6. Click Next and then click Add.

  7. To allow an app and allow or deny lock task mode for that app:

    Select the app that you want to allow from the list.

    Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. Default is Allow.

    Device Policies configuration screen

  8. Click Save.

  9. To allow another app and allow or deny lock task mode for that app, click Add.

  10. Configure deployment rules and choose delivery groups. For more information, see Device policies.

To enroll the device

  1. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  2. Set Management to Android Enterprise.

  3. Set Device owner mode to Company-owned device.

    Enrollment Profiles configuration screen

  4. Select Assignment (options). The Delivery Group Assignment screen appears.

  5. Choose the delivery group or delivery groups that has the administrators who enroll the dedicated devices. Then click Save.

If you enabled BYOD work profile in the enrollment profile, devices that are not new or factory reset are enrolled as work profile devices. See Provisioning Android Enterprise work profile devices.

Provision Android Enterprise fully managed devices with a work profile (COPE devices)

Fully managed devices with a work profile, formerly called COPE devices, are company-owned devices that are used for both work and personal purposes. Your organization manages the entire devices. You can apply one set of policies to the device and a separate set of policies to the work profile.

In the XenMobile console, fully managed devices with a work profile appear with these terms:

  • The device ownership is “Corporate”.

  • The device Android Enterprise install type is “Corporate Owner Personally Enabled”.

System requirements

  • Support for enrolling fully managed devices with work profiles begins from Android 9.0 to Android 10.x.

Add an enrollment profile for fully managed devices with work profiles

Create an enrollment profile for enrolling fully managed devices with work profiles. The administrators in the delivery groups assigned to this enrollment profile can enroll fully managed devices with work profiles. To make sure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. Assign this profile to a delivery group that has the administrators who enroll fully managed devices with work profiles.

  1. In the XenMobile console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Make sure that the number of devices that members with this profile can enroll is set to unlimited.

  3. Click Next or select Android Enterprise under Platforms. The Enrollment Configuration page appears.

  4. Set Enrollment Type to one of the following:
    • Fully managed/Work profile: New devices or factory reset devices enroll fully managed. BYOD devices enroll with only a work profile managed by you.
    • COPE/Work profile: New devices or factory reset devices enroll fully managed with a work profile. BYOD devices enroll with only a work profile managed by you.

    Enrollment Profiles configuration screen

  5. Select Assignment (optional) or click Next. The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups that has the administrators who enroll the dedicated devices. Then click Save.

    The Enrollment Profile page appears with the profile that you added.

    Enrollment Profiles configuration screen

If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. XenMobile selects the delivery group that appears last in an alphabetized list of delivery groups.

To enroll the device

New and factory reset devices enroll as fully managed devices with a work profile using the DPC identifier token, near field communication (NFC) bump, or QC code methods. See Enrolling devices using the Citrix DPC identifier token, Enrolling devices with NFC bump, or Enrolling devices using a QR code.

Devices that are not new or factory reset enroll as work profile devices as described in Provisioning Android Enterprise work profile devices.

Viewing Android Enterprise devices in the XenMobile console

  1. In the XenMobile console, go to Manage > Devices.

  2. Add the Android enterprise Enabled Device? column by clicking the menu on the right of the table on this page. Android Enterprise device list

  3. To view available security actions, select a fully managed device and click Secure. When the device is fully managed, the Full Wipe action is available but Selective Wipe is not. That difference is because the device only allows apps from the managed Google Play store. There is not an option for the user to install applications from the public store. Your organization managed all the content on the device.

    Security actions

Configure Android Enterprise device and app policies

For an overview of the policies controlled at both the device and app levels, see Supported device policies and MDX policies for Android Enterprise.

What to know about policies:

  • Data loss protection: The XenMobile MAM container technology secures apps with encryption and other mobile Data Loss Prevention (DLP) technologies. Use the Citrix MAM SDK or MDX Toolkit to MDX-enable apps.

  • Device restrictions: Dozens of device restrictions let you control features such as:

    • Use of the device camera
    • Use of copy and paste between work and personal profiles
  • Per-app VPN: Use the Managed configurations device policy to configure VPN profiles for Android Enterprise.

  • Email policy: We recommend using the Managed configurations device policy to configure apps.

This table lists all device policies available for Android Enterprise devices.

Important:

For devices that enroll in Android Enterprise and use MDX apps: You can control some settings through MDX and Android Enterprise. Use the least restrictive policy settings for MDX and control the policy through Android Enterprise.

     
Android Enterprise app permissions Managed configurations App Inventory
App Uninstall Automatically update managed apps Control OS Update
Credentials Custom XML Exchange
Files Keyguard management Kiosk
Location Passcode Restrictions
Samsung MDM license key Scheduling Wi-Fi
XenMobile options    

Device policies for fully managed devices with work profile (COPE devices)

For fully managed devices with work profiles (COPE devices), some device policies can be used to apply separate settings to the entire device and the work profile. You can use other device policies to apply settings only to the entire device or only to the work profile of fully managed devices with work profiles.

Policy Applies to
Android Enterprise app permissions Work profile
Managed configurations Work profile
App inventory Work profile
App uninstall Work profile
Automatically update managed apps Work profile
Control OS update N/A
Credentials Work profile
Custom XML N/A
Exchange N/A
Files Work profile
Keyguard management Device and work profile
Kiosk N/A
Location Device (location mode only)
Passcode Device and work profile
Restrictions Device and work profile (create separate policies for the device and the work profile)
Samsung MDM license key N/A
Scheduling Work profile
Wi-Fi Device
XenMobile options Work profile

See also, Supported device policies and MDX policies for Android Enterprise and MAM SDK overview.

Security actions

Android Enterprise supports the following security actions. For a description of each security action, see Security actions.

Security action Work profile Fully managed
Certificate Renewal Yes Yes
Full Wipe No Yes
Locate Yes Yes
Lock Yes Yes
Lock and Reset Password No Yes
Notify (Ring) Yes Yes
Revoke Yes Yes
Selective Wipe Yes No

Security action notes

  • The locate security action fails unless the Location device policy sets the location mode for the device to High Accuracy or Battery Saving. See Location device policy.

  • On work profile devices that are running versions of Android earlier than Android 9.0:

    • The lock and reset password action isn’t supported.
  • On work profile devices with Android 9.0 or greater:

    • The passcode sent locks the work profile. The device itself isn’t locked.
    • If no passcode is set on the work profile:
      • If no passcode is sent, or the passcode sent doesn’t meet passcode requirements: The device is locked.
    • If a passcode is set on the work profile:
      • If no passcode is sent, or the passcode sent doesn’t meet passcode requirements: The work profile is locked but the device itself isn’t locked.
  • On fully managed devices with work profiles (COPE devices):

    • You can apply the Lock security action separately to the device or the work profile

Unenroll an Android Enterprise enterprise

If you no longer want to use your Android Enterprise enterprise, you can unenroll the enterprise.

Warning:

After you unenroll an enterprise, Android Enterprise apps on devices already enrolled through it reset to their default states. Google no longer manages the devices. If you enroll into a new Android Enterprise enterprise, you must approve apps for the new organization from managed Google Play. You can then update the apps from the XenMobile console.

After the Android Enterprise enterprise is unenrolled:

  • Devices and users enrolled through the enterprise have the Android Enterprise apps reset to their default state. Managed Configurations policies previously applied no longer affect operations.
  • XenMobile manages devices enrolled through the enterprise. From the perspective of Google, those devices are unmanaged. You can’t add new Android Enterprise apps. You can’t apply Managed Configurations policies. You can apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
  • If you try to enroll devices in Android Enterprise, they are enrolled as Android devices, not Android Enterprise devices.

Unenroll an Android Enterprise enterprise using the XenMobile Server console and XenMobile Tools.

When you do this task, XenMobile opens a popup window for XenMobile Tools. Before you begin, make sure that XenMobile has permission to open popup windows in the browser you are using. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the XenMobile site to the popup block allow list.

To unenroll an Android Enterprise enterprise:

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android Enterprise.

  3. Click Unenroll.

    Unenroll option