
Configuring Device Manager Security Options

Dec 21, 2015

The security options dialog box allows you to customize the security features of the service. By default, when Secure Device is included in the license, it is automatically activated during installation, with a strong level of security. If you need to change those parameters, use this dialog box.

  • Enforce SSL. Forces devices to communicate by using an SSL transport. All HTTP (unsecure) requests from devices will be rejected.
  • Strong Authentication. Enables strong authentication by generating a Strong ID for devices that is then used as a second method of authentication during the enrollment process.
  • Strong ID Valid Once. Allows Strong ID passcodes to only be used once. When the Strong ID is used once to generate a device certificate, it cannot be reused. The device has to be revoked and re-authorized.
  • Certificate Renewal. Sets the renewal time for certificates used in Strong Authentication mode. A setting of zero disables the certificate renewal process.
  • Always Add Device. Registers devices automatically into Device Manager even when Secure Device is activated.
  • Block Rooted Android and iOS Enrollment. Enabling this function blocks rooted or jailbroken devices from enrolling.
  • 8 Char Strong ID. Enables a Strong ID character string that is limited to 8 characters.
  • Enable SHP Console for Users. Enables or disables the Self-Help Console for user management of devices.
  • XDM/SHP console max inactive interval. The time (in minutes) between client requests before the server invalidates a log on session. If you set the value to zero, log on sessions do not time out. For example, if the console max timeout value is set to 1 (one minute) and a user logs on and does not interact with the UI for over one minute, then the user is logged off. The console might still appear as if the user is logged on until the user attempts to interact with the UI, but then the console will be refreshed and the user will see the log on page.
  • iOS agent auto logout (minutes). Length of time before an iOS agent user is logged off due to inactivity.
  • Enable client cert authentication for iOS. If enabled, iOS enrollment agent uses certificate authentication. If disabled, iOS enrollment agent uses session-based authentication.

To enable Strong ID

Strong ID is a form of two-factor authentication used to provide an extra layer of security when enrolling a device. Devices cannot enroll until the device's serial number or IMEI is known. When you enable Strong ID, Citrix recommends enabling the character string to be 8 characters in length.

  1. In the Device Manager console, click Options > Security.
  2. You can add the devices manually or import the devices from the Devices tab by using the serial number or IMEI, which generates a Strong ID for the device.

When users are ready to enroll their device, users need to call support personnel and give the serial number or IMEI. Support personnel can then provide the Strong ID from the device properties.
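
The following added example models the Strong ID behavior described above: a code bound to a serial number or IMEI, redeemable once when Strong ID Valid Once is set, and reissued only after the device is revoked and re-authorized. It is an illustration, not Device Manager code; the class, method names, device identifier format and character set are assumptions.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed character set
CODE_LEN = 8  # mirrors the "8 Char Strong ID" option


class EnrollmentRegistry:
    """Hypothetical model of Strong ID issuance and one-time redemption."""

    def __init__(self, valid_once=True):
        self.valid_once = valid_once  # mirrors "Strong ID Valid Once"
        self._codes = {}              # serial number or IMEI -> live Strong ID
        self._enrolled = set()

    def authorize(self, device_id):
        """Admin adds or imports a device; a fresh Strong ID is generated."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._codes[device_id] = code
        self._enrolled.discard(device_id)
        return code

    def revoke(self, device_id):
        """Revoking drops both the code and the enrollment."""
        self._codes.pop(device_id, None)
        self._enrolled.discard(device_id)

    def enroll(self, device_id, presented):
        """Return True only for a known device presenting its live code."""
        expected = self._codes.get(device_id)
        if expected is None:
            return False  # unknown device, or code already consumed
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        if self.valid_once:
            del self._codes[device_id]  # spent: revoke and re-authorize to reuse
        self._enrolled.add(device_id)
        return True
```

With `valid_once=False` the same code keeps working for that device, which is the exposure the Strong ID Valid Once option removes.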