XenMobile

Shared devices

XenMobile lets you configure devices that multiple users can share. The shared devices feature lets, for example, clinicians in hospitals use any nearby device to access apps and data rather than having to carry around a specific device. You might also want to shift workers in fields like law enforcement, retail, and manufacturing to share devices to reduce equipment costs.

Key points about shared devices

You can use any of the supported iOS and Android devices as shared devices. For a list of supported devices, see Supported device operating systems.

MDM enrollment

  • Available on both iOS and Android tablets and phones. Doesn’t support the basic Apple Deployment Program enrollment for a XenMobile Enterprise shared device. Use an authorized Apple Deployment Program to enroll a shared device in this mode.
  • Doesn’t support client certificate authentication, Citrix PIN, Touch ID, User Entropy, and two-factor authentication.

MDM+MAM enrollment

  • Available only on iOS and Android devices.
  • Supports only Active Directory user name and password authentication.
  • Doesn’t support client certificate authentication, Secure Hub passcode, Touch ID, User Entropy, and two-factor authentication.
  • Doesn’t support MAM-only enrollment. The devices must enroll in MDM.
  • Supports only Secure Mail, Secure Web, and the ShareFile mobile apps. Doesn’t support HDX apps.
  • Supports only Active Directory users. Doesn’t support local users and groups.
  • To update to MDM+MAM, requires re-enrollment of existing MDM-only shared devices.
  • Users cannot share native apps on the devices.
  • Once downloaded during first-time enrollment, mobile productivity apps are not downloaded again during user sign-in.
  • On Android, to isolate each user’s data for security purposes, set the Disallow rooted devices policy in the XenMobile console to On.

Prerequisites for enrolling shared devices

Before you can enroll shared devices, you must do the following:

Prerequisites for MDM+MAM enrollment

  1. Create an Active Directory group. Give it a descriptive name, such as Shared Device Enrollers.
  2. Add to the group the Active Directory users who enroll shared devices. If you want a new account for this purpose, create a new Active Directory user (for example, sdenroll) and add that user to the Active Directory group.

Configuring a shared device

Follow these steps to configure a shared device.

  1. From the XenMobile console, click the gear in the upper-right corner. The Settings page appears.
  2. Click Role-Based Access Control, then click Add. The Add Role screen appears.
  3. Create a shared-device enrollment user role named Shared Device Enrollment User with Shared devices enroller permissions under Authorized Access. Be sure to expand Devices in Console features and then select Selective Wipe device. This setting ensures that the apps and policies provisioned through the shared devices enroller account are deleted through Secure Hub, when the device is unenrolled.

    For Apply Permissions, keep the default setting, To all user groups, or assign permissions to specific Active Directory user groups with the To specific user groups.

    Image of the Apply Permissions options

    Click Next to move to the Assignment screen. Assign the shared-device enrollment role to the Active Directory group for shared device enrollment users, created in Step 1 under Pre-requisites. In the following image, citrix.lab is the Active Directory domain and Shared Device Enrollers is the Active Directory group.

    Image of the Assignment screen

  4. Create a delivery group that contains the base policies, apps, and actions that you want to apply to the device when a user is not signed on. Then associate that delivery group with the Active Directory group of the shared device enrollment user.

    Image of the delivery group settings

  5. Install Secure Hub on the shared device and enroll it in XenMobile using the shared device enrollment user account. You can now view and manage the device through the XenMobile console. For more information, see Enroll devices.

  6. To apply different policies or to provide more apps for authenticated users, you must create a delivery group associated with those users and deployed to shared devices only. When creating the groups, configure deployment rules to ensure that the packages are deployed to shared devices. For more information, see Deploy resources.

  7. To stop sharing the device, perform a selective wipe to remove the shared device enrollment user account from the device. Remove any apps and policies deployed to the device.

Shared device user experience

MDM enrollment

Users see only the resources available to them, and they have the same experience on every shared device. The shared device enrollment policies and apps always remain on the device. When a user who isn’t enrolled in shared devices signs on to Secure Hub, that person’s policies and apps get deployed to the device. When that user signs off, any policies and apps that aren’t part of the shared device enrollment get removed. The shared-device enrollment resources remain intact.

MDM+MAM enrollment

Secure Mail and Secure Web are deployed to the device when enrolled by the shared device enrollment user. User data is maintained securely on the device. The data is not exposed to other users when they sign on to Secure Mail or Secure Web.

Only one user at a time can sign on to Secure Hub. The previous user must sign off before the next user can sign on. For security reasons, Secure Hub does not store user credentials on shared devices, so users must enter their credentials each time they sign on. Secure Hub blocks new sign-ons until it removes the policies, apps, and data associated with the previous user.

Shared device enrollment doesn’t change the process for upgrading apps. You can push upgrades to shared-device users as always, and shared-device users can upgrade apps right on their devices.

  • For the best Secure Mail performance, set Max sync period based on the number of users to share the device. Allowing unlimited sync is not recommended.
Number of users sharing device Recommended max sync period
21–25 1 week or less
6–20 2 weeks or less
5 or fewer 1 month or less
  • Block Enable contact export to avoid exposing a user’s contacts to other users who share the device.

  • On iOS, only the following settings can be set per user. All other settings are common across users who share the device:

    • Notifications
    • Signature
    • Out of Office
    • Sync Mail Period
    • S/MIME
    • Check Spelling
Shared devices