Product Documentation

Device enrollment

Feb 16, 2017

To manage user devices remotely and securely, user devices are enrolled in XenMobile. The XenMobile client software is installed on the user device and the user's identity is authenticated. Then, XenMobile and the user profile are installed. Next, in the XenMobile console, you can perform device management tasks. You can apply policies, deploy apps, push data to the device, and lock, wipe, and locate lost or stolen devices.

Note: Before you can enroll iOS device users, you must request an APNs certificate. For details, see Certificates.

To update configuration options for users and devices, go to the Manage > Enrollment page. For details, see Send an enrollment invitation in this article.

Android devices

  1. Go to the Google Play store on your Android device, download the Citrix Secure Hub app and then tap the app.
  2. When prompted to install the app, click Next and then click Install.
  3. After Secure Hub installs, tap Open.
  4. Enter your corporate credentials, such as the organization's XenMobile server name, User Principal Name (UPN), or email address and then click Next.
  5. In the Activate device administrator screen, tap Activate.
  6. Enter your corporate password and then tap Sign On.
  7. Depending on the way XenMobile is configured, you may be asked to create a Citrix PIN, which you can use to sign on to Secure Hub and other XenMobile-enabled apps, such as Secure Mail, Secure Web, ShareFile, and more. You will need to enter your Citrix PIN twice. On the Create Citrix PIN screen, enter a PIN.
  8. Reenter the PIN. Secure Hub opens. You can then access the XenMobile Store to view the apps you can install on your Android device.
  9. If you configured XenMobile to automatically push apps to users' devices after enrollment, messages appear prompting them to install the apps. In addition, policies that you configure in XenMobile are deployed to the device. Tap Install to install the apps.

To unenroll and reenroll an Android device

Users can unenroll from within Secure Hub. When users unenroll by using the following procedure, the device still appears in the device inventory in the XenMobile console. You cannot take action on the device, however. You cannot track the device, and you cannot monitor the device compliance.

1. Tap to open the Secure Hub app.

2. Depending on whether you have a phone or a tablet, do the following:

On a phone:

a. Swipe from the left of the screen to open a settings pane.

b. Tap Preferences, tap Accounts and then tap Delete Account.

On a tablet:

a. Tap the arrow next to your email address on the upper-right corner.

b. Tap Preferences, tap Accounts and then tap Delete Account.

3. Tap Re-Enroll. A message appears to confirm you want to reenroll your device.

4. Tap OK.

Your device is unenrolled.

5. Follow the on-screen instructions to reenroll your device.

iOS devices

1. Download the Secure Hub app from the Apple iTunes App Store on the device and then install the app on the device.

2. On the iOS device Home screen, tap the Secure Hub app.

3. When the Secure Hub app opens, enter the server address that your help desk provided.

(The screens presented might differ from these examples, depending on how XenMobile is configured.)


4. When prompted, enter your user name and password or PIN. Click Next.


5. When prompted to enroll, click Yes, Enroll and then enter your credentials when prompted.


6. Tap Install to install the Citrix Profile Services.


7. Tap Trust.


8. Tap Open and then enter your credentials.


Mac OS X and macOS devices

You can enroll Mac devices that are running OS X or macOS in XenMobile for MDM-only. Mac users enroll over the air, directly from their devices.

To enroll Mac devices, XenMobile administrators do the following:

1. Optionally, set up Mac device policies in the XenMobile console. For more information about device policies, see Device Policies. To find out which device policies you can configure for Mac devices, see XenMobile Device Policies by Platform.

2. Send the enrollment link to the user: https://<serverFQDN>:8443/zdm/macos/otae

  • serverFQDN is the fully qualified domain name (FQDN) of the server running XenMobile.
  • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
  • zdm is the default instance name used during server installation. If you configured a different instance name, use that instance name instead.

You can also send the link in an email invitation. For details, see Sending enrollment invitations.

3. Users install certificates as necessary. If you configured a publicly trusted SSL certificate and a publicly trusted digital signed certificate for iOS and macOS, users see the prompt to install certificates. For more information about certificates, see Certificates.

4. On the Mac device to be enrolled, users access the enrollment link using Safari.

Note: If users cannot access the link, they can clear browsing history and cache or use another browser.

5. By default, users see these prompts to install certificates.

a. Users click XenMobile root certificate.


b. Users click Continue to install the certificates.


Note: Installing the Root CA certificate of the XenMobile Server enables a trusted communication channel between the device and XenMobile.

c. Users click Install to install the XenMobile Profile installation.


d. Users type the device logon credentials when prompted.


e. This screen appears on successful installation of the XenMobile Certificates under Profiles. Users close this screen to proceed with the device enrollment.


6. At the macOS Over-the-Air Enrollment portal, users click Sign in.


7. Users type the user credentials in UPN or sAMAccountName format, as configured by the XenMobile administrator and then click Sign-in.


Note: XenMobile validates the user request and verifies the credentials against Active Directory.

8. If the logon is successful, the XenMobile Profile Service window appears. Users click Install to install the XenMobile Profile Service. Installing XenMobile Profile Service allows the XenMobile administrator to manage the Mac device remotely.


9. To install the MDM profile, users click Continue and then click Install.


10. When prompted, users type the device logon credentials.


11. When the MDM configuration profile has been installed successfully, the MDM Configuration screen appears.


12. The Mac device now appears in the Device tab of the XenMobile console. You can now start managing Mac devices using XenMobile in the same way you manage mobile devices.


Windows devices

You can enroll devices in XenMobile that are running the following Windows operating systems:

  • Windows 8.1 and Windows 10
  • Windows Phone 8.1 and 10

Windows and Windows Phone users enroll directly through their devices.

You must configure autodiscovery and the Windows discovery service for user enrollment to enable the management of Windows and Windows Phone devices.

Note

In order for Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails if you've uploaded a self-signed SSL certificate.

To enroll Windows devices with self-discovery

Users can enroll devices running Windows RT 8.1, both 32-bit and 64-bit versions of Windows 8.1 Pro and Windows 8.1 Enterprise, and Windows 10. To enable management of Windows devices, Citrix recommends you configure autodiscovery and the Windows discovery service. For details, see To enable autodiscovery in XenMobile for user enrollment.

1. On the device, check for and install all available Windows Updates. This step is particularly important when upgrading from Windows 8 to Windows 8.1, because users may not be automatically notified of all available updates.

2. In the charms menu, tap Settings and then:

  • For Windows 8.1, tap PC Settings > Network > Workplace.
  • For Windows 10, tap Accounts > Access work or school > Connect to work or school.
3. Enter your corporate email address and then tap Turn on device management on Windows 8.1 or Continue on Windows 10. To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). This permits you to bypass a known Microsoft limitation where enrollment is performed by the built-in Device Management on Windows; in the Connecting to a service dialog box, enter the user name and password associated with the local user. The device automatically discovers a XenMobile server and starts the enrollment process.
4. Enter your password. Use the password associated with an account that is part of a user group in XenMobile.
5. For Windows 8.1, in the Allow apps and services from IT admin dialog box, indicate that you agree to have your device managed and then tap Turn on. For Windows 10, in the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.

To enroll Windows devices without self-discovery

It is possible to enroll Windows devices without autodiscovery. Citrix, however, recommends that you configure autodiscovery. Enrollment without autodiscovery results in a call to port 80 before connecting to the desired URL, so it is not considered best practice for production deployments. Citrix recommends that you use this process only in test environments and proof-of-concept deployments.

1. On the device, check for and install all available Windows Updates. This step is particularly important when upgrading from Windows 8 to Windows 8.1, because users may not be automatically notified of all available updates.

2. In the charms menu, tap Settings, and then:

  • For Windows 8.1, tap PC Settings > Network > Workplace.
  • For Windows 10, tap Accounts > Access work or school > Connect to work or school.

3. Enter your corporate email address.

4. On Windows 10, if autodiscovery is not configured, an option appears where you can enter the server details, as described in step 5. On Windows 8.1, if Automatically detect server address is set to on, tap to turn the option off.

5. In the Enter server address field:

  • For Windows 8.1, type the server address in the following format: https://serverfqdn:8443/serverInstance/Discovery.svc. If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.
  • For Windows 10, use this address: https://beta.managedm.com:8443/zdm/wpe. If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.
6. Enter your password.

7. For Windows 8.1, in the Allow apps and services from IT admin dialog box, indicate that you agree to have your device managed and then tap Turn on. For Windows 10, in the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.

To enroll Windows Phone devices

To enroll Windows Phone devices in XenMobile, users need their Active Directory or internal network email address, and password. If autodiscovery is not set up, users also need the server web address for the XenMobile server. Then, they follow this procedure on their devices to enroll.

Note: If you plan to deploy apps through the Windows Phone company store, before your users enroll, make sure that you have configured an Enterprise Hub policy (with a signed Secure Hub, Windows Phone app for each platform you support).

1. On the main screen of the Windows phone, tap the Settings icon.

  • For a Windows 10 Phone, depending on your version, either tap Accounts > Access work or school > Connect to work or school or tap Accounts > Work access > Enroll in to device management.
  • For Windows Phone 8.1, tap PC Settings > Network > Workplace, and then tap Add Account.

2. On the next screen, enter an email address and password and then tap sign in.

If autodiscovery is configured for your domain, the information requested in the next several steps is automatically populated. Proceed to Step 8.

If autodiscovery is not configured for your domain, continue with the next step. To enroll as a local user, enter a non-existent email address with the correct domain name (for example, foo@mydomain.com). This permits you to bypass a known Microsoft limitation; in the Connecting to a service dialog box, enter the user name and password associated with the local user.

3. On the next screen, type the web address of the XenMobile server, such as: https://<xenmobile_server>:<portnumber>/<instancename>/wpe. For example, https://mycompany.mdm.com:8443/zdm/wpe. Note: The port number has to be adapted to your implementation, but should be the same port that you used for an iOS enrollment.

4. Enter the user name and domain if authentication is validated through a user name and domain and then tap sign in.

5. If a screen appears noting a problem with the certificate, the error is the result of using a self-signed certificate. If the server is trusted, tap continue. Otherwise, tap Cancel.

6. On Windows Phone 8.1, when the account is added, you have the option of selecting Install company app. If your administrator has configured a Company App store, select this option and then tap done. If you clear this option, you will need to re-enroll your device to receive the Company app store.

7. On Windows Phone 8.1, on the Account Added screen, tap done.

8. To force a connection to the server, tap the refresh icon. If the device does not manually connect to the server, XenMobile attempts to reconnect. XenMobile connects to the device every 3 minutes 5 successive times, then every 2 hours afterward. You can alter this connection rate in the Windows WNS Heartbeat Interval located in Server properties. Once enrollment is complete, Secure Hub enrolls in the background. No indicator appears when the installation is complete. Tap Secure Hub from the All Apps screen.
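An added example (not Citrix code): a Python check that a help desk could run on an enrollment link before forwarding it, confirming that it uses HTTPS, the expected server FQDN, port and instance name, and one of the address forms given in the macOS, Windows 8.1 and Windows Phone procedures above. The function names, the platform labels and the host mdm.example.com are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Path suffixes taken from the addresses on this page; the dictionary keys
# are labels chosen for this example.
ENROLL_PATHS = {
    "macos": "macos/otae",         # macOS over-the-air enrollment link
    "windows81": "Discovery.svc",  # Windows 8.1 server address
    "windows10_phone": "wpe",      # Windows 10 and Windows Phone address
}


def build_enrollment_url(server_fqdn, platform, port=8443, instance="zdm"):
    """Build the link to send, using the documented defaults (8443, zdm)."""
    return f"https://{server_fqdn}:{port}/{instance}/{ENROLL_PATHS[platform]}"


def check_enrollment_url(url, expected_fqdn, port=8443, instance="zdm"):
    """Return (platform, problems). An empty problems list means the link
    matches the expected server, port, instance and a documented path."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if "@" in parts.netloc:
        # user@host syntax can make a different host look like the real one
        problems.append("userinfo before the host name")
    if (parts.hostname or "").lower() != expected_fqdn.lower():
        problems.append(f"host {parts.hostname!r} is not {expected_fqdn!r}")
    try:
        actual_port = parts.port  # None when the link carries no port
    except ValueError:
        actual_port = None        # non-numeric or out-of-range port
    if actual_port != port:
        problems.append(f"port {actual_port!r} is not {port}")
    found_instance, _, suffix = parts.path.strip("/").partition("/")
    if found_instance != instance:
        problems.append(f"instance {found_instance!r} is not {instance!r}")
    platform = next((n for n, p in ENROLL_PATHS.items() if p == suffix), None)
    if platform is None:
        problems.append("path is not a documented enrollment path")
    return platform, problems


if __name__ == "__main__":
    # Constructed sample links for a server named mdm.example.com.
    samples = [
        build_enrollment_url("mdm.example.com", "macos"),
        "http://mdm.example.com:8443/zdm/wpe",
        "https://mdm.example.com.enroll.example.net:8443/zdm/macos/otae",
        "https://mdm.example.com@other.example.net:8443/zdm/wpe",
    ]
    for link in samples:
        platform, problems = check_enrollment_url(link, "mdm.example.com")
        print(link, platform, problems or "OK")
```

If the server uses a non-default port or instance name, pass the same values to both functions so the check follows the deployment rather than the defaults.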

Send an enrollment invitation

In the XenMobile console, you can send an enrollment invitation to users with iOS or Android devices. You can also send an installation link to users with iOS, Android, or Windows devices.

1. In the XenMobile console, click Manage > Enrollment. The Enrollment page appears.


2. Click Add. A menu appears listing enrollment options.

  • To send an enrollment invitation to a user or group, click Add Invitation and then see To send an invitation for the steps to configure this setting.
  • To send an enrollment installation link to a list of recipients over SMTP or SMS, click Send Installation Link and then see To send an installation link for the steps to configure this setting.

To send an invitation

1. Click Add Invitation. The Enrollment Invitation screen appears.


2. Configure these settings:

  • Select a platform: In the list, click iOS or Android.
  • Device ownership: In the list, click Corporate or Employee.
  • Recipient: In the list, click User or Group.

Depending on the recipient you select, you see more settings to configure. For User settings, see To send an enrollment invitation to a user; for Group settings, see To send an enrollment invitation to a group.

To send an enrollment invitation to a user


1. Configure these User settings:

  • User name: Type a user name. The user must exist in the XenMobile server as a local user or as a user in Active Directory. If the user is local, make sure the user's email property is set so you can send that user notifications. If the user is in Active Directory, make sure LDAP is configured.
  • Device info: In the list, click Serial number, UDID, or IMEI. After you choose an option, a field appears where you can type the corresponding value for the device.
  • Phone number: Optionally, type the user's phone number.
  • Carrier: In the list, click a carrier with which to associate the user's phone number.
  • Enrollment mode: In the list, click how you want users to enroll. The default is User name + Password. Possible options are:
    • High Security
    • Invitation URL
    • Invitation URL + PIN
    • Invitation URL + Password
    • Two Factor
    • User name + PIN

Note: When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears, where you click Enrollment PIN.

  • Template for agent download: In the list, click the template to use for enrollment invitation. The choices for this option are based on the platform type. For example, iOS Download Link appears as an option if you selected iOS as a platform.
  • Template for enrollment URL: In the list, click Enrollment Invitation.
  • Template for enrollment confirmation: In the list, click Enrollment Confirmation.
  • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see To configure enrollment modes.
  • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs. For more information about configuring enrollment modes, see To configure enrollment modes.
  • Send invitation: Select ON to send the invitation immediately, or click OFF to only add the invitation to the table on the Enrollment page.

2. Click Save and Send if you enabled Send invitation; otherwise, click Save. The invitation appears in the table on the Enrollment page.

To send an enrollment invitation to a group


1. Configure these settings:

  • Domain: In the list, click the domain from which to select the group.
  • Group: In the list, click the group to receive the invitation.
  • Enrollment mode: In the list, click how you want users in the group to enroll. The default is User name + Password. Possible options are:
    • High Security
    • Invitation URL
    • Invitation URL + PIN
    • Invitation URL + Password
    • Two Factor
    • User name + PIN

Note: When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears, where you click Enrollment PIN.

  • Template for agent download: In the list, click the template to use for enrollment invitation. The choices for this option are based on the platform type. For example, iOS Download Link appears as an option if you selected iOS as a platform.
  • Template for enrollment URL: In the list, click Enrollment Invitation.
  • Template for enrollment confirmation: In the list, click Enrollment Confirmation.
  • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see To configure enrollment modes.
  • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs. For more information about configuring enrollment modes, see To configure enrollment modes.
  • Send invitation: Select ON to send the invitation immediately, or click OFF to only add the invitation to the table on the Enrollment page.

2. Click Save and Send if you enabled Send invitation; otherwise, click Save. The invitation appears in the table on the Enrollment page.

To send an installation link


Before you can send an enrollment installation link, you must configure channels (SMTP or SMS) on the notification server from the Settings page. For details, see Notifications.

1. Configure these settings:

  • Recipient: For each recipient that you want to add, click Add and do the following:
    • Email: Type the recipient's email address. This field is required.
    • Phone number: Type the recipient's phone number. This field is required.
    • Click Save.

Note: To delete an existing recipient, hover over the line containing the listing and then click the trash can icon on the right-hand side. A confirmation dialog box appears. Click Delete to delete the listing or click Cancel to keep the listing.

To edit an existing recipient, hover over the line containing the listing and then click the pen icon on the right-hand side. Make any changes to the listing and then click Save to save the changed listing or Cancel to leave the listing unchanged.

  • Channels: Select a channel to use for sending the enrollment installation link. You can send notifications over SMTP or SMS. These channels cannot be activated until you configure the server settings on the Settings page in Notification Server. For details, see Notifications.
    • SMTP: Configure these optional settings. If you do not type anything in these fields, the default values specified in the notification template configured for the platform you selected are used:
      • Sender: Type an optional sender.
      • Subject: Type an optional subject for the message. For example, "Enroll your device."
      • Message: Type an optional message to be sent to the recipient. For example, "Enroll your device to gain access to organizational apps and email."
    • SMS: Configure this setting. If you do not type anything in this field, the default value specified in the notification template configured for the platform you selected is used:
      • Message: Type a message to be sent to the recipients. This field is required for SMS-based notification.

Note: In North America, SMS messages that exceed 160 characters are delivered in multiple messages.

2. Click Send.

Note

If your environment leverages SAMAccountName, after users receive the invitation and click the link, they must edit the user name to complete the authentication. For example, they need to remove domainname in SAMAccountName@domainname.com.