XenMobile

XenMobile AutoDiscovery Service

The AutoDiscovery service simplifies the enrollment process for users through email-based URL discovery. The AutoDiscovery service also provides features such as enrollment verification, certificate pinning, and other benefits for Citrix Workspace customers. The service, hosted in Citrix Cloud, is an important part of many XenMobile deployments.

With the AutoDiscovery service, users:

  • Can use their corporate network credentials to enroll their devices.
  • Don’t need to enter details about the XenMobile Server address.
  • Enter their user name in user principal name (UPN) format. For example, user@mycompany.com.

We recommend that you use the AutoDiscovery service for high-security environments. The AutoDiscovery service supports certificate pinning, which prevents man-in-the-middle attacks. Certificate pinning ensures that the certificate signed by your enterprise is used when Citrix clients communicate with XenMobile. To configure certificate pinning for your XenMobile sites, contact Citrix Support. For information about certificate pinning, see Certificate pinning.

To access the AutoDiscovery service, navigate to https://adsui.cloud.com (commercial) or https://adsui.cem.cloud.us (government).

Prerequisites

  • The new AutoDiscovery service in Citrix Cloud requires the latest version of Secure Hub:
    • For iOS, Secure Hub version 21.1.0 or later
    • For Android, Secure Hub version 21.2.1 or later

      Devices running on earlier versions of Secure Hub might experience interruptions in service.

  • To access the new AutoDiscovery service, you must have a Citrix Cloud administrator account with full access. The AutoDiscovery service doesn’t support administrator accounts with custom access. If you don’t have an account, see Sign up for Citrix Cloud.

    Citrix migrated all existing AutoDiscovery records to Citrix Cloud without a disruption in service. The migrated records don’t automatically appear in the new console. You must reclaim domains in the new AutoDiscovery service to prove ownership. For more information, see CTX312339.

  • Before starting using the AutoDiscovery service for your Endpoint Management deployments, verify and claim your domain. You can claim up to 10 domains. The claim associates the verified domain with the AutoDiscovery service. To claim more than 10 domains, open an SRE ticket or contact Citrix Technical Support.
  • Use the MAM Port setting instead of Citrix Gateway FQDN to direct MAM traffic to your data center. If you enter a fully qualified domain name along with the port of your Citrix Gateway, the client device uses the configuration from the MAM Port setting.
  • If an ad blocker prevents the site from opening, ensure that you disable the ad blocker for the entire website.

Claim a domain

  1. On the Claims > Domains tab, click Add Domain.

    Add a domain

  2. In the dialog box that appears, enter the domain name of your XenMobile environment and then click Confirm. Your domain appears in Claims > Domains.

    Claim a domain

  3. On the domain you added, click the ellipsis menu and select Verify Domain to start the verification process. The Verify your domain page appears.

    Start the verification

  4. On the Verify your domain page, follow the instructions to verify that you own the domain.

    Verify your domain

    1. Click Copy to copy the DNS token to the clipboard.

    2. Create a DNS TXT record in the zone file for your domain. To do so, go to your domain hosting provider portal and add the DNS token you copied.

      The following screenshot shows a domain hosting provider portal. Your portal may look different.

      Verify your domain

    3. In Citrix Cloud, on the Verify your domain page, click Start DNS Check to start detecting your DNS TXT record. If you want to verify the domain later, click Verify Domain Later.

    The verification process generally takes about an hour. However, it can take up to two days to return a response. It is OK for you to log out and log in again during the status check.

    After the configuration completes, the status of your domain changes from Pending to Verified.

  5. After you claim your domain, provide information about the AutoDiscovery service. Click the ellipsis menu on the domain you added and then click Add Endpoint Management Info. The AutoDiscovery Service Information page appears.

  6. Enter the following information and then click Save.

    • Endpoint Management Server FQDN: Enter the fully qualified domain name of the XenMobile Server. For example: example.xm.cloud.com. This setting is used for MDM and MAM control traffic.

    • Citrix Gateway FQDN: Enter the fully qualified domain name of Citrix Gateway, in the form FQDN or FQDN:port. For example: example.com. This setting is used to direct MAM traffic to your data center. For MDM-only deployments, leave this field blank.

      Note:

      Citrix recommends that you use the MAM Port setting instead of Citrix Gateway FQDN to control MAM traffic. If you enter a fully qualified domain name along with the port of your Citrix Gateway, the client device uses the configuration from the MAM Port setting.

    • Instance Name: Enter the instance name of the XenMobile Server you configured above. If you are unsure about your instance name, leave the default value, zdm.

    • MDM Port: Enter the port used for MDM control traffic and MDM enrollment. For cloud-based services, the default is 443.

    • MAM Port: Enter the port used for MAM control traffic, MAM enrollment, iOS enrollment, and app enumeration. For cloud-based services, the default is 8443.

Request AutoDiscovery for Windows devices

If you plan to enroll Windows devices, do the following:

  1. Contact Citrix Support and create a support request to enable Windows AutoDiscovery.

  2. Obtain a publicly signed, non-wildcard SSL certificate for enterpriseenrollment.mycompany.com. The mycompany.com portion is the domain that contains the accounts that users use to enroll. Attach the SSL certificate in .pfx format and its password to the support request created in the previous step.

    To use more than one domain to enroll Windows devices, you can also use a multi-domain certificate with the following structure:

    • A SubjectDN with a CN that specifies the primary domain it serves (for example, enterpriseenrollment.mycompany1.com).
    • The appropriate SANs for the remaining domains (for example, enterpriseenrollment.mycompany2.com, enterpriseenrollment.mycompany3.com, and so on).
  3. Create a canonical name (CNAME) record in your DNS and map the address of your SSL certificate (enterpriseenrollment.mycompany.com) to autodisc.xm.cloud.com.

    When a Windows device user enrolls using a UPN, the Citrix enrollment server:

    • Provides the details of your XenMobile Server.
    • Instructs the device to request a valid certificate from XenMobile.

At this point, you can enroll all supported devices. Proceed to the next section to prepare to deliver resources to devices.

XenMobile AutoDiscovery Service