Single sign in with Azure Active Directory
XenMobile Service supports single sign-in with Azure Active Directory credentials for the following scenarios:
- User enrollment through Citrix Secure Hub (Android or iOS)
- For the RBAC User role, authentication to the XenMobile Self Help Portal
- Administrator authentication to the XenMobile console
- For XenMobile Service, administrator authentication to the XenMobile Public API for REST Services by using a token retrieved through the Citrix Cloud API.
- For more information, see section 3.3.2, Login (Cloud Credentials), in the XenMobile Public API for REST Services PDF.
XenMobile Service uses the Citrix Cloud service, Citrix Identity Platform, to federate with Azure Active Directory. Citrix Identity Platform is an identity provider (IDP) service.
To set up this service, you configure Citrix Cloud to use Azure Active Directory as your Identity Provider. Then, configure Citrix Identity Platform as the IDP type for XenMobile Server. Users can then log on to Secure Hub with their Azure Active Directory credentials. Secure Hub uses client certificate authentication for MAM devices.
Citrix recommends that you use Citrix Identity Platform instead of a direct connection to Azure Active Directory.
This configuration requires the following:
- XenMobile Server, configured in MDM, MAM-only, or Enterprise mode
- NetScaler Gateway, configured for certificate-based authentication
- Secure Hub 10.7.20 (minimum version)
- Azure Active Directory user credentials
To configure Azure Active Directory in Citrix Cloud:
Go to https://citrix.cloud.com and sign in to your Citrix Cloud account.
From the Citrix Cloud menu, go to the Identity and Access Management page and connect to Azure Active Directory.
Type your administrator sign-in URL and then click Connect.
After you sign in, your Azure Active Directory account connects to Citrix Cloud. The Identity and Access Management > Authentication page shows which accounts to use to sign in to your Citrix Cloud and Azure AD accounts.
After you configure Azure Active Directory in Citrix Cloud, configure XenMobile Server as follows.
In the XenMobile console, go to Settings > Identity Provider (IDP) and then click Add.
In the Identity Provider (IDP) page, configure the following:
- IDP Name: Type a unique name to identify the IDP connection that you are creating.
- IDP Type: Choose Citrix Identity Platform.
- Auth Domain: Choose the Citrix Cloud domain. If you aren’t sure which one to choose, your domain appears on the Citrix Cloud Identity and Access Management > Authentication page.
Click Next. In the IDP Claims Usage page, configure the following:
- User Identifier type: This field is set to userPrincipalName.
- User Identifier string: This field is automatically filled.
Click Next, review the Summary page, and then click Save.
Secure Hub users, XenMobile console users, and Self Help Portal users can now sign in with their Azure Active Directory credentials.
The sign-in screen for the XenMobile console and the XenMobile Self Help Portal includes the link Sign in with my company credentials.
Click that link to enter your Azure Active Directory credentials. After you authenticate successfully, XenMobile doesn’t prompt you to sign in again on later visits.
If you sign in to the XenMobile console or Self Help Portal from a domain-joined device and click the Sign in with my company credentials link, XenMobile provides a single sign-on experience: no authentication prompt appears.
With XenMobile configured to use Citrix Identity Platform as its IDP, the Secure Hub authentication flow is as follows for a device enrolled through Secure Hub:
- A user starts Secure Hub.
- Secure Hub passes the authentication request to Citrix Identity Platform, which passes the request to Azure Active Directory.
- The user types their user name and password.
- Azure Active Directory validates the user and sends a code to Citrix Identity Platform.
- Citrix Identity Platform sends the code to Secure Hub, which sends the code to XenMobile Server.
- XenMobile Server redeems the code, together with its client secret, for an ID token, validates the user information in the ID token, and then returns a session ID to Secure Hub.
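The last two steps are an OpenID Connect authorization-code exchange, and the security of the whole flow rests on what the relying party checks before it trusts the identity in the ID token. The following is an added example, not Citrix or Azure AD code: a stand-in identity provider issues a single-use code and redeems it for an HS256-signed ID token keyed with the client secret, and the relying party (the XenMobile Server role) verifies signature, algorithm, issuer, audience, lifetime, and nonce before extracting the userPrincipalName it uses as the User Identifier. The issuer URL, client ID, secret, and user names are hypothetical.

```python
"""Model of the code-for-ID-token step in the Secure Hub flow above.

Constructed example. A stand-in identity provider (the Citrix Identity
Platform / Azure AD role) authenticates a user and returns a one-time code;
the relying party (the XenMobile Server role) redeems the code with its client
secret and validates the resulting ID token before it issues a session.
The issuer, client ID, secret and user names are hypothetical values.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://idp.example.test"        # hypothetical IDP issuer
CLIENT_ID = "xenmobile-example"            # hypothetical relying-party client ID
CLIENT_SECRET = b"example-client-secret"   # constructed; never hard-code a real one


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _jwt_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Serialize and sign a compact JWT with HMAC-SHA256."""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class FakeIdentityPlatform:
    """Stand-in IDP: validates the user, hands out a code, redeems it once."""

    def __init__(self):
        self._codes = {}

    def authenticate(self, upn: str, nonce: str) -> str:
        # In the real flow the user typed their credentials at Azure AD here.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (upn, nonce)
        return code

    def redeem(self, code: str, client_id: str, client_secret: bytes, now: int) -> str:
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("bad client secret")
        upn, nonce = self._codes.pop(code)   # single use: a replayed code raises KeyError
        claims = {"iss": ISSUER, "aud": client_id, "iat": now, "exp": now + 300,
                  "nonce": nonce, "upn": upn}
        return _jwt_hs256({"alg": "HS256", "typ": "JWT"}, claims, CLIENT_SECRET)


def validate_id_token(token: str, expected_nonce: str, now: int) -> str:
    """Relying-party checks. Returns the userPrincipalName claim on success."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{head_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(claims_b64))
    if c.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if c.get("aud") != CLIENT_ID:             # a token for another client must not log anyone in
        raise ValueError("token not issued for this client")
    if not (c["iat"] - 60 <= now < c["exp"]): # small clock-skew allowance
        raise ValueError("token expired or not yet valid")
    if c.get("nonce") != expected_nonce:      # binds the token to this enrollment attempt
        raise ValueError("nonce mismatch")
    return c["upn"]


def enroll(idp: FakeIdentityPlatform, upn: str, now: int) -> dict:
    """One Secure Hub enrollment: nonce, code, redemption, validation, session ID."""
    nonce = secrets.token_urlsafe(16)
    code = idp.authenticate(upn, nonce)
    token = idp.redeem(code, CLIENT_ID, CLIENT_SECRET, now)
    user = validate_id_token(token, nonce, now)
    return {"user": user, "session_id": secrets.token_urlsafe(24)}


if __name__ == "__main__":
    print(enroll(FakeIdentityPlatform(), "alice@example.test", 1_700_000_000))
```

The checks that matter operationally are the audience and nonce tests: an ID token that verifies cryptographically but was minted for a different client, or for an earlier enrollment attempt, must still be refused, and the code itself must be redeemable only once.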
Users of domain-joined devices can use their Azure Active Directory credentials for a single sign-on experience. For XenMobile local accounts, single sign-on isn’t available.