Derived credentials for iOS
Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside on the mobile device instead of on the card. The smart card is a Personal Identity Verification (PIV) card.
The derived credentials are an enrollment certificate that contains the user identifier, such as a UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.
XenMobile can use derived credentials for iOS device enrollment and authentication. If configured for derived credentials, XenMobile doesn’t support enrollment invitations or other enrollment modes for iOS devices. Citrix recommends that you don’t enroll Android devices on servers set up for derived credentials.
Requirements
- One of the following derived credential solutions:
  - Intercede 3.14 or later. For information on the Intercede requirements, see https://www.intercede.com/solutions-derived-credentials. Citrix has validated that XenMobile supports the Intercede derived credential solution. The app name in the Apple App Store is MyID for Citrix. Users must install MyID for Citrix on their devices before enrolling in XenMobile.
  - Other derived credential solutions. While it’s likely that most other credential solutions are compatible with XenMobile, test the integration before deploying it to production.
- XenMobile Server 10.6 (minimum version)
- Configured for Enterprise (XME) mode
- Must have the root certificate of the authority that issues certificates to the Credentials Provider server. That setup enables XenMobile to accept the digitally signed certificates during enrollment. For information about adding the certificates, see Certificates and authentication.
- If the user email domain differs from the LDAP domain, include the email domain in the Domain alias setting in Settings > LDAP. For example, if the domain for email addresses is myID.com and the LDAP domain name is sample.com, set Domain alias to myID.com.
- XenMobile doesn’t support the use of derived credentials with shared devices.
- User identity certificates:
- The user name in the Subject alternative name field must be formatted as the otherName, rfc822Name, or dNSName field of the SubjectAltName extension. Other fields are not supported. For more information about Subject alternative name, see the RFC, https://www.ietf.org/rfc/rfc5280.txt.
- User identity in the Subject field in either Email or CN isn’t supported.
- NetScaler Gateway configured for certificate authentication or certificate plus security token authentication. For information about PKI configuration, see PKI entities.
- Secure Hub 10.8.15 (minimum version)
- Secure Mail 10.8.20 (minimum version)
- Use the same developer certificate to sign all apps in the Apple App Store.
For enrollment, XenMobile Server connects to the components described in the preceding Requirements section as follows:
- During device enrollment, Secure Hub obtains certificates from the derived credentials app.
- The derived credentials app communicates with the credential management server during enrollment.
- You can use the same or different server for the credential management server and a third-party PKI provider.
- XenMobile server connects to your third-party PKI server to obtain certificates.
After enrollment, the components connect as shown in the following diagram.
The following sections describe how to configure XenMobile with a derived credentials provider, enable derived credentials for enrollment, and manage devices that use derived credentials.
By default, the XenMobile console doesn’t include the Settings > Derived Credentials page. To enable the interface for derived credentials: Go to Settings > Server Properties, add the server property derived.credentials.enable, and set the property to true.
These instructions assume that you have a working configuration for the derived credentials provider that you plan to integrate with XenMobile. You then configure XenMobile to communicate with that server, and either choose a derived credentials CA certificate that is already added to XenMobile or import the certificate.
You can activate Online Certificate Status Protocol (OCSP) support for that CA certificate. For more information about OCSP, see “Discretionary CAs” in PKI entities.
In the XenMobile console, go to Settings > Derived Credentials for iOS.
Choose derived credentials provider. Citrix validated that XenMobile supports Intercede. If you choose Other for the provider, test the integration before putting your server into production.
App URL (iOS): If you choose Intercede as the provider, XenMobile fills in the App URL. If you choose Other as the provider, obtain the App URL from your derived credentials provider.
If a device can’t contact your provider, verify the App URL with the provider. You might need to change it.
Optional parameters: Some derived credential providers might require that you provide parameters for the connection. For example, a vendor might require that you specify the URLs of a back-end server. Click Add to provide parameters.
Specify a certificate for derived credentials: If the certificate is already uploaded to XenMobile, choose that certificate from Issuer CA. Otherwise, click Import to add a certificate. The Import Certificate dialog box appears.
In the Import Certificate dialog box, click Browse to navigate to the certificate. Then click Browse to navigate to the private key file.
If you choose Intercede as the provider, XenMobile fills in the User Identifier field and the User Identifier type. For Intercede, the User Identifier field is Subject alternative name, and the User Identifier type is userPrincipalName. Contact other derived credential providers for their information and configure the settings.
You can optionally use an OCSP responder for certificate revocation checking. By default, OCSP checking is off. To activate OCSP support for the CA certificate:
- Set OCSP check to ON.
- Choose an option for Use custom OCSP URL. By default, XenMobile extracts the OCSP URL from the certificate (the Use certificate definition for revocation option). To specify a responder URL, click Use custom and then type the URL.
- Responder CA: From Responder CA, choose a certificate. Or, click Import and then use the Import Certificate dialog box to locate the certificate.
Click Save. The Derived Credentials dialog box appears.
To enable the derived credentials configuration, click Save. To use derived credentials, you must also configure enrollment settings.
To enable the derived credentials configuration and then go immediately to Settings > Enrollment, click Save and Go to Enrollment.
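The two certificate-level points in the preceding Requirements and OCSP settings are easy to get wrong on the PKI side: the user identifier must be carried in the otherName (UPN), rfc822Name, or dNSName field of the SubjectAltName extension rather than in the Subject CN or emailAddress, and when Use certificate definition for revocation is selected the OCSP responder URL must be present in the certificate's Authority Information Access extension. The following script is an added example, not Citrix code or part of the XenMobile product; it assumes the Python `cryptography` package, builds its own self-signed test certificates (constructed input, not real PIV credentials), and reports the identifier type the way the console labels it (userPrincipalName for the Intercede layout). Run it against a real user identity certificate by passing its PEM bytes to `derived_credential_identity` and `ocsp_url_from_cert`.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtensionOID,
                                   NameOID)

# Microsoft User Principal Name otherName type (standard OID, used by PIV-derived certs).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def _der_utf8string(value: bytes) -> bytes:
    """DER-encode a UTF8String; short-form length is enough for a UPN."""
    assert len(value) < 128
    return bytes([0x0C, len(value)]) + value


def _decode_der_utf8string(der: bytes) -> str:
    """Decode the DER UTF8String carried inside a UPN otherName."""
    if not der or der[0] != 0x0C:
        raise ValueError("UPN otherName value is not a UTF8String")
    length, start = der[1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return der[start:start + length].decode("utf-8")


def upn_name(upn: str) -> x509.OtherName:
    """Build the otherName SAN entry the way a UPN is encoded on PIV certs."""
    return x509.OtherName(UPN_OID, _der_utf8string(upn.encode("utf-8")))


def make_test_cert(subject, san=(), ocsp_url=None) -> bytes:
    """Build a self-signed PEM certificate. Constructed test input only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName(list(san)), critical=False)
    if ocsp_url:  # AIA entry that "Use certificate definition for revocation" relies on
        aia = x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
        builder = builder.add_extension(aia, critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def derived_credential_identity(pem: bytes):
    """Return (User Identifier type, user identifier) from the SAN, or None.

    Only otherName/UPN, rfc822Name and dNSName are accepted; an identity that
    exists solely in the Subject CN or emailAddress attribute yields None.
    """
    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return ("userPrincipalName", _decode_der_utf8string(other.value))
    for kind, label in ((x509.RFC822Name, "rfc822Name"), (x509.DNSName, "dNSName")):
        values = san.get_values_for_type(kind)
        if values:
            return (label, values[0])
    return None


def ocsp_url_from_cert(pem: bytes):
    """Return the OCSP responder URL from the AIA extension, or None if absent."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return None
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    return None


def sample_certs():
    """Constructed certificates, one per identity placement (hypothetical names)."""
    return {
        # UPN in otherName plus rfc822Name, with an AIA OCSP URL: the supported layout.
        "san_upn": make_test_cert([(NameOID.COMMON_NAME, "Jane Doe")],
                                  san=[upn_name("jdoe@sample.com"),
                                       x509.RFC822Name("jdoe@myID.com")],
                                  ocsp_url="http://ocsp.sample.com/"),
        # Only rfc822Name: accepted, identifier type is rfc822Name.
        "san_email": make_test_cert([(NameOID.COMMON_NAME, "Jane Doe")],
                                    san=[x509.RFC822Name("jdoe@myID.com")]),
        # Identity only in Subject CN / emailAddress: not supported.
        "cn_only": make_test_cert([(NameOID.COMMON_NAME, "jdoe@sample.com"),
                                   (NameOID.EMAIL_ADDRESS, "jdoe@myID.com")]),
    }


if __name__ == "__main__":
    for label, pem in sample_certs().items():
        print(label, derived_credential_identity(pem), ocsp_url_from_cert(pem))
```

If `derived_credential_identity` returns None for a certificate the provider issues, fix the certificate template at the provider or PKI rather than the XenMobile settings; if `ocsp_url_from_cert` returns None while OCSP check is ON, switch to Use custom and enter the responder URL explicitly.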
To enable derived credentials for enrollment: On the Settings > Enrollment page, under Advanced Enrollment, select Derived Credentials (iOS only) and then click Enable.
A confirmation dialog box appears. To enable derived credentials, select the check box, and click Enable.
To edit options for derived credentials enrollment, go to Settings > Enrollment, select Derived Credentials (iOS only) and then click Edit.
After you enable derived credentials: In the Devices Enrollment report, the column Enrollment mode shows derived_credentials.
For enrollment steps when using derived credentials, see iOS devices that use derived credentials.
After completing these steps, you may need to restart your XenMobile Server.
In order for Secure Mail to work properly with derived credentials, add the LDAP Attributes client property.
Follow the steps to add a client property in the article Client properties. Use the following information:
- Key: SEND_LDAP_ATTRIBUTES
For an example of the enrollment process using derived credentials, see Enrolling devices by using derived credentials.