Product Documentation

XenMobile Autodiscovery Service

Autodiscovery is an important part of many XenMobile deployments. Autodiscovery simplifies the enrollment process for users. They can use their network user names and Active Directory passwords to enroll their devices, rather than having to also enter details about the XenMobile server. Users enter their user name in user principal name (UPN) format; for example, user@mycompany.com. The XenMobile AutoDiscovery Service enables you to create or edit an autodiscovery record without assistance from Citrix support.

To access the XenMobile AutoDiscovery Service, navigate to https://xenmobiletools.citrix.com and then click Request Auto Discovery.

Image of the AutoDiscovery Service

Requesting AutoDiscovery

  1. On the AutoDiscovery Service page, you need to first claim a domain. Click Add Domain.

    Image of the Add Domain screen

  2. In the dialog box that opens, enter the domain name of your XenMobile environment and then click Next.

    Image of the Domain name field

  3. The next step provides instructions on verifying that you own the domain.

    • Copy the DNS token provided in the XenMobile Tools Portal.

    • Create a DNS TXT record in the zone file for your domain in your domain hosting provider portal.

      To create a DNS TXT record you need to log into the Domain Hosting Provider portal for the domain you have added in step 2 above. In the Domain Hosting portal you can edit your Domain Name Server Records and add a custom TXT record. An example below of a adding a DNS TXT entry in a hosting portal for sample domain domain.com.

    • Paste the Domain Token in your DNS TXT record and save your Domain name Server record.

    • Back in the XenMobile Tools Portal, click Done to start the DNS check.

    The system detects your DNS TXT record. Alternatively, you can click I’ll update later, and the record is saved. The DNS check won’t start until you select the Waiting record and click DNS Check.

    This check ideally takes about an hour, but it can take up to two days to return a response. In addition, you may need to leave the portal and return to see the status change.

    Image of Verify your Domain dialog box

  4. After you claim your domain, you can enter AutoDiscovery Service information. Right-click the domain record for which you want to request autodiscovery and then click Add ADS.

    If your domain already has an AutoDiscovery record, log a case with Citrix Technical Support to modify details as required.

    Image of the add ADS option

  5. Enter your XenMobile Server FQDN, NetScaler Gateway FQDN, and Instance Name and then click Next. If you are unsure, add a default instance of “zdm”.

    Image of XenMobile Info options

    Note: In the preceding screenshot, note that Worx Home is now called Secure Hub.

  6. Enter the following information for Secure Hub and then click Next.

    • User ID Type: Select the type of ID with which users sign on as either E-mail address or UPN.

      UPN is used when the user’s UPN (User Principal Name) is the same as their e-mail address. Both methods use the domain entered to find the server address. With E-mail address the user will be asked to enter their user name and password and with UPN, they will be asked to enter their password.

    • HTTPS Port: Enter the port used to access Secure Hub over HTTPS. Typically, this is port 443.

    • iOS Enrollment Port: Enter the port used to access Secure Hub for iOS enrollment. Typically, this is port 8443.

    • Required Trusted CA for XenMobile: Indicate whether a trusted certificate is required to access XenMobile or not. This option can be OFF or ON. Currently, the ability to upload a certificate for this feature does not exist. If you want to use this feature, you need to call Citrix Support, and have autodiscovery set up through them. To learn more about certificate pinning, see the section on certificate pinning in Secure Hub in the XenMobile Apps documentation. To read about the ports required for certificate pinning to work, see the support article on XenMobile Port Requirements for ADS Connectivity.

    Image of the Worx Home (Secure Hub) Info settings

    Note: In the preceding screenshot, note that Worx Home is now called Secure Hub.

  7. A summary page displays all the information you entered in the preceding steps. Verify that the data is correct then click Save.

    Image of the summary page

    Note: In the preceding screenshot, note that Worx Home is now called Secure Hub.

Enable autodiscovery

Autodiscovery simplifies the enrollment process for users. They can use their network user names and Active Directory passwords to enroll their devices, rather than having to also enter details about the XenMobile Server. Users enter their user name in user principal name (UPN) format; for example, user@mycompany.com.

To enable autodiscovery, you can access the Autodiscovery Service portal at https://xenmobiletools.citrix.com.

There may be some limited cases in which you need to contact Citrix Support to enable autodiscovery. To do so, you can follow the procedures below to communicate your deployment information and, in the case of Windows devices, an SSL certificate to the Citrix Technical Support team. After Citrix receives this information, when users enroll their devices, the domain information is extracted and mapped to a server address. This information is maintained in the XenMobile database, so that the information is always accessible and available when users enroll.

  1. If you are unable to enable autodiscovery by using the Autodiscovery Service portal at https://xenmobiletools.citrix.com, open a Technical Support case by using the Citrix Support portal and then provide the following information:

    • The domain containing the accounts with which users will enroll.
    • The XenMobile server fully qualified domain name (FQDN).
    • The XenMobile instance name. By default, the instance name is zdm and is case-sensitive.
    • User ID Type, which can be either UPN or Email. By default, the type is UPN.
    • The port used for iOS enrollment if you changed the port number from the default port 8443.
    • The port through which the XenMobile server accepts connections if you changed the port number from the default port 443.
    • Optionally, an email address for your XenMobile administrator.
  2. If you plan to enroll Windows devices, do the following:

    • Obtain a publicly signed, non-wildcard SSL certificate for enterpriseenrollment.mycompany.com, where mycompany.com is the domain containing the accounts with which users will enroll. Attach the SSL certificate in .pfx format and its password to your request.
    • Create a canonical name (CNAME) record in your DNS and map the address of your SSL certificate (enterpriseenrollment.mycompany.com) to autodisc.zc.zenprise.com. When a Windows device user enrolls using a UPN, in addition to providing the details of your XenMobile Server, the Citrix enrollment server instructs the device to request a valid certificate from the XenMobile Server.

    Your Technical Support case will be updated when your details and certificate, if applicable, have been added to the Citrix servers. At this point, users can start enrolling with autodiscovery.

    Note: You can also use a multi-domain certificate if you want to enroll using more than one domain. The multi-domain certificate should have the following structure:

    A SubjectDN with a CN that specifies the primary domain it serves (for example, enterpriseenrollment.mycompany1.com).

    The appropriate SANs for the remaining domains (for example, enterpriseenrollment.mycompany2.com, enterpriseenrollment.mycompany3.com, and so on).

XenMobile Autodiscovery Service