How to enroll Windows 10 devices

July 3, 2018

To manage user devices remotely and securely, you enroll user devices in XenMobile. The XenMobile client software is installed on the user device and the user identity is authenticated. Then, XenMobile and the user profile are installed. Next, in the XenMobile console, you can perform device management tasks. You can apply policies, deploy apps, push data to the device, and lock, wipe, and locate lost or stolen devices.

Azure Active Directory enrollment is supported for iOS, Android, and Windows 10 devices. For more information about configuring Azure as your identity provider (IDP), see XenMobile Integration with Azure Active Directory as IDP.

Note:

Before you can enroll iOS device users, you must request an APNs certificate. For details, see Certificates and authentication.

To update configuration options for users and devices, go to the Manage > Enrollment Invitations page. For details, see Send an enrollment invitation in this article.

Android devices

Note:

For information about enrolling Android for Work devices, see Android for Work.

  1. Go to the Google Play store on your Android device, download the Citrix Secure Hub app, and then tap the app.
  2. When prompted to install the app, click Next and then click Install.
  3. After Secure Hub installs, tap Open.
  4. Enter your corporate credentials, such as your XenMobile Server name, User Principal Name (UPN), or email address. Then, click Next.
  5. In the Activate device administrator screen, tap Activate.
  6. Enter your corporate password and then tap Sign On.
  7. Depending on the way XenMobile is configured, you may be asked to create a Citrix PIN. You can use the PIN to sign on to Secure Hub and other XenMobile-enabled apps, such as Secure Mail and ShareFile. You enter your Citrix PIN twice. On the Create Citrix PIN screen, enter a PIN.
  8. Reenter the PIN. Secure Hub opens. You can then access the XenMobile Store to view the apps you can install on your Android device.
  9. If you configured XenMobile to push apps to devices automatically after enrollment, users are prompted to install the apps. In addition, policies that you configure in XenMobile are deployed to the device. Tap Install to install the apps.

To unenroll and reenroll an Android device

Users can unenroll from within Secure Hub. When users unenroll by using the following procedure, the device still appears in the device inventory in the XenMobile console. You cannot perform actions on the device, however. You cannot track the device, and you cannot monitor the device compliance.

  1. Tap to open the Secure Hub app.

  2. Depending on whether you have a phone or a tablet, do the following:

    On a phone:

    • Swipe from the left of the screen to open a settings pane.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

    On a tablet:

    • Tap the arrow next to your email address on the upper-right corner.

    • Tap Preferences, tap Accounts, and then tap Delete Account.

  3. Tap Re-Enroll. A message appears to confirm you want to reenroll your device.

  4. Tap OK.

    Your device is unenrolled.

  5. Follow the on-screen instructions to reenroll your device.

iOS devices that use user-provided credentials

  1. Download the Secure Hub app from the Apple iTunes App Store on the device and then install the app on the device.

  2. On the iOS device Home screen, tap the Secure Hub app.

  3. When the Secure Hub app opens, enter the server address that your help desk provided.

    The screens presented might differ from these examples, depending on how XenMobile is configured.

    Image of Secure Hub with server address prompt

  4. When prompted, enter your user name and password or PIN. Click Next.

    Image of sign on screen

  5. When prompted to enroll, click Yes, Enroll and then enter your credentials when prompted.

    Image of Yes, Enroll button

  6. Tap Install to install the Citrix Profile Services.

    Image of Citrix Profile Services screen

  7. Tap Trust.

    Image of Remote Management trust screen

  8. Tap Open and then enter your credentials.

    Image of Secure Hub open prompt

    Image of credentials prompt

iOS devices that use derived credentials

Enrollment requires that users insert their smart card into a reader attached to their desktop.

  1. The user installs Secure Hub and the app from your derived credential provider.

    The identity provider app for Intercede is MyID for Citrix. The logo for that app follows.

    Image of Intercede logo

  2. The user starts Secure Hub. When prompted, the user types the XenMobile Server fully qualified domain name and then clicks Next. Enrollment in Secure Hub starts. If the XenMobile Server supports derived credentials, Secure Hub prompts the user to create a Citrix PIN.

    Image of Secure Hub enrollment screen

    Image of Yes, Enroll button

    Image of Citrix PIN screen

  3. The user follows the instructions to activate their smart credential. A splash screen appears, followed by a prompt to scan a QR code.

    Image of QR code scan screen

  4. The user inserts their card into the smart card reader that’s attached to their desktop. The desktop app then displays a QR code and prompts the user to scan the code using their mobile device.

    Image of identity confirmation screen

  5. The user enters their Secure Hub PIN when prompted.

    Image of PIN entry screen

  6. After authenticating the PIN, Secure Hub downloads the certificates. The user then follows the prompts to complete enrollment.

To view device information in the XenMobile console:

  • Go to Manage > Devices and then select a device to display a command box. Click Show more.

  • Go to Analyze > Dashboard.

macOS devices

XenMobile provides two methods to enroll devices that are running macOS. Both methods enable macOS users to enroll over the air, directly from their devices.

  • Send users an enrollment invitation: This enrollment method enables you to set any of the following enrollment modes for macOS devices:

    • User name + password

    • User name + PIN

    • Two Factor

    When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

  • Send users an installation link: This enrollment method for macOS devices sends users an enrollment link, which they can open in Safari or Chrome browsers. A user then enrolls by providing their user name and password.

    To prevent the use of an enrollment link for macOS devices, set the server property, Enable macOS OTAE to false. As a result, macOS users can enroll only by using an enrollment invitation.

Send users an enrollment invitation

  1. Optionally set up macOS device policies in the XenMobile console. For more information about device policies, see Device Policies.

  2. Add an invitation for macOS user enrollment. For more information, see Send an enrollment invitation in this article.

  3. After users receive the invitation and click the link, the following screen appears in the Safari browser. XenMobile fills in the user name. If you chose Two Factor for the enrollment mode, another field appears.

    Image of Safari browser root certificate message

  4. Users install certificates as necessary. Whether users see the prompt to install certificates depends on whether you configured the following for macOS: A publicly trusted SSL certificate and a publicly trusted digital signing certificate. For more information about certificates, see Certificates and authentication.

  5. Users provide the requested credentials.

    The Mac device policies install. You can now start managing Macs with XenMobile just as you manage mobile devices.

Send users an installation link

  1. Optionally set up macOS device policies in the XenMobile console. For more information about device policies, see Device Policies.

  2. Send the enrollment link https://serverFQDN:8443/instanceName/macos/otae, which users can open in Safari or Chrome browsers.

    • serverFQDN is the fully qualified domain name (FQDN) of the server running XenMobile.
    • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
    • The instanceName, often shown as zdm, is the name specified during server installation.

    For more information about sending installation links, see To send an installation link.

  3. Users install certificates as necessary. If you configured a publicly trusted SSL certificate and digital signing certificate for iOS and macOS, users see the prompt to install certificates. For more information about certificates, see Certificates and authentication.

  4. Users sign on to their Macs.

    The Mac device policies install. You can now start managing Macs with XenMobile just as you manage mobile devices.

Windows devices

Note:

This section includes references to Windows Phone 8.1 devices, which Microsoft moved to End of Support on July 11, 2017. XenMobile currently supports Windows Phone 8.1 devices for MDM enrollment only.

Devices running Windows 10 enroll with Azure as a federated means of Active Directory authentication. You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:

  • Enroll in MDM as part of Azure AD Join out-of-the-box the first time the device is powered on.
  • Enroll in MDM as part of Azure AD Join from the Windows Settings page after the device is configured.

You can enroll devices in XenMobile that are running the following Windows operating systems:

  • Windows 10 phone and tablet
  • Windows Phone 8.1

Users can enroll directly through their devices.

Note:

For Windows 10 RS2 Phone and Tablet, during re-enrollment, a user isn’t prompted for the Server URL. To work around this issue, restart the device. Or, on the email address screen, tap the X across from Connecting to a service to go to the Server URL page. This is a third-party issue.

You must configure autodiscovery and the Windows discovery service for user enrollment to enable the management of supported Windows devices.

Before Windows device users can enroll by using Azure, you must configure the Microsoft Azure server settings in XenMobile. For details, see Microsoft Azure Active Directory server settings.

Note:

In order for Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails if you’ve uploaded a self-signed SSL certificate.

To enroll Windows devices with self-discovery

To enable management of Windows devices, Citrix recommends you configure autodiscovery and the Windows discovery service. For details, see Enable autodiscovery.

  1. On the device, check for and install all available Windows Updates.

  2. For Windows 10: In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school. For Windows 8.1 phones: Tap PC Settings > Network > Workplace.

  3. Enter your corporate email address and then tap Continue on Windows 10 or tap Turn on device management on Windows 8.1. To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). This step works around a known Microsoft limitation in the built-in Device Management on Windows. In the Connecting to a service dialog box, enter the user name and password associated with the local user. The device automatically discovers a XenMobile Server and starts the enrollment process.

  4. Enter your password. Use the password associated with an account that is part of a user group in XenMobile.

  5. For Windows 10: In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept. For Windows 8.1: In the Allow apps and services from IT admin dialog box, indicate that you agree to have your device managed and then tap Turn on.

To enroll Windows devices without self-discovery

It is possible to enroll Windows devices without autodiscovery. Citrix, however, recommends that you configure autodiscovery. Enrollment without autodiscovery results in a call to port 80 before connecting to the desired URL, so it is not considered best practice for production deployment. Citrix recommends that you use this process only in test environments and proof of concept deployment.

  1. On the device, check for and install all available Windows Updates.

  2. For Windows 10: In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school. For Windows 8.1: Tap PC Settings > Network > Workplace.

  3. Enter your corporate email address.

  4. For Windows 10: If autodiscovery is not configured, an option appears where you can enter the server details, as described in step 5. For Windows 8.1: If Automatically detect server address is set to on, tap to turn the option off.

  5. For Windows 10, in the Enter server address field, type the address: https://serverfqdn:8443/serverInstance/wpe.

    If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.

    For Windows 8.1: Type the server address in the following format: https://serverfqdn:8443/serverInstance/Discovery.svc.

    If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.

  6. Type your password.

  7. For Windows 10: In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept. For Windows 8.1: In the Allow apps and services from IT admin dialog box, indicate that you agree to have your device managed and then tap Turn on.
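The enrollment addresses above (macOS https://serverFQDN:8443/instanceName/macos/otae, Windows 10 .../wpe, Windows Phone 8.1 .../Discovery.svc) and the earlier note that the SSL listener certificate must be publicly trusted are the two things an administrator most often gets wrong before a rollout. The following Python script is an added example, not Citrix code or part of the XenMobile product: it builds and checks an enrollment address in the documented form and performs the same TLS handshake against the listener that an enrolling device would, using the operating system trust store, so a self-signed or privately issued certificate is caught before users try to enroll. The function names, the port and code mappings for OpenSSL verification errors, and the host names used are assumptions or constructed values.

```python
"""Preflight checks for XenMobile enrollment addresses (added example, not Citrix code)."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Path suffixes documented for each enrollment link type (hypothetical helper table).
ENROLL_PATHS = {
    "macos-otae": "macos/otae",         # macOS installation link
    "windows10": "wpe",                 # Windows 10 server address
    "windowsphone81": "Discovery.svc",  # Windows Phone 8.1 discovery address
}

# OpenSSL X509 verification codes that explain the most common enrollment failures.
VERIFY_HINTS = {
    18: "self-signed leaf certificate: upload a publicly trusted SSL listener certificate",
    19: "self-signed CA in chain: the issuing CA is not publicly trusted",
    20: "issuer not found locally: the intermediate chain is missing or the CA is private",
    10: "certificate has expired",
    62: "host name mismatch: the certificate does not cover the server FQDN",
}


def enrollment_url(server_fqdn: str, instance: str, platform: str, port: int = 8443) -> str:
    """Build https://<serverFQDN>:<port>/<instanceName>/<suffix>, refusing inputs
    that would yield a malformed link (the instance name must be one path segment)."""
    if platform not in ENROLL_PATHS:
        raise ValueError(f"unknown platform {platform!r}")
    if not server_fqdn or "/" in server_fqdn or ":" in server_fqdn:
        raise ValueError("server_fqdn must be a bare host name")
    if not instance or not instance.replace("-", "").replace("_", "").isalnum():
        raise ValueError("instance name must be a single path segment")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"https://{server_fqdn}:{port}/{instance}/{ENROLL_PATHS[platform]}"


def parse_enrollment_url(url: str) -> dict:
    """Split an address a user was given into host, port, instance and platform.
    Anything that is not https or does not match a documented path is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("enrollment links must use https")
    segments = [s for s in parts.path.split("/") if s]
    for platform, suffix in ENROLL_PATHS.items():
        suffix_segs = suffix.split("/")
        if len(segments) == 1 + len(suffix_segs) and segments[1:] == suffix_segs:
            return {"host": parts.hostname, "port": parts.port or 443,
                    "instance": segments[0], "platform": platform}
    raise ValueError("path does not match a documented enrollment address")


def interpret_verify_error(verify_code: int, verify_message: str) -> str:
    """Turn an OpenSSL verification failure into an actionable reason."""
    hint = VERIFY_HINTS.get(verify_code, "chain not trusted by the system trust store")
    return f"{hint} (openssl: {verify_message})"


def check_listener_trust(host: str, port: int = 8443, timeout: float = 5.0) -> dict:
    """Handshake with the SSL listener using the default (system) trust store and
    host name verification, which is what an enrolling device must succeed at.
    Never raises on a verification failure; returns a result dict instead."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                flat = lambda name: dict(pair for rdn in cert[name] for pair in rdn)
                return {"trusted": True, "subject": flat("subject"),
                        "issuer": flat("issuer"), "not_after": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so catch first
        return {"trusted": False,
                "reason": interpret_verify_error(exc.verify_code, exc.verify_message)}
    except OSError as exc:  # includes other ssl.SSLError and socket errors
        return {"trusted": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    # Usage: python preflight.py xms.example.com zdm  (host and instance are constructed)
    fqdn, inst = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("xms.example.com", "zdm")
    url = enrollment_url(fqdn, inst, "windows10")
    print("Windows 10 address:", url)
    print("Listener trust:", check_listener_trust(parse_enrollment_url(url)["host"],
                                                  parse_enrollment_url(url)["port"]))
```

Run the script against the FQDN and instance name you intend to hand out; a result with trusted set to False and a self-signed reason is exactly the condition under which the page says Windows enrollment fails, and a host name mismatch points at an address that does not match the certificate's subject.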

To enroll Windows Phone devices

To enroll Windows Phone devices in XenMobile, users need their Active Directory or internal network email address, and password. If autodiscovery is not set up, users also need the server web address for the XenMobile Server. Then, they follow this procedure on their devices to enroll.

Note:

If you plan to deploy apps through the Windows Phone company store, before your users enroll, ensure that you have configured an Enterprise Hub policy (with a signed Secure Hub, Windows Phone app for each platform you support).

  1. On the main screen of the Windows phone, tap the Settings icon.

    • For Windows 10: Depending on your version, either tap Accounts > Access work or school > Connect to work or school or tap Accounts > Work access > Enroll in to device management.
    • For Windows 8.1: Tap PC Settings > Network > Workplace and then tap Add Account.
  2. On the next screen, enter an email address and password and then tap sign in.

    If autodiscovery is configured for your domain, the information requested in the next several steps is automatically populated. Proceed to Step 8.

    If autodiscovery is not configured for your domain, continue with the next step. To enroll as a local user, enter a non-existent email address with the correct domain name (for example, foo@mydomain.com). This permits you to bypass a known Microsoft limitation; in the Connecting to a service dialog box, enter the user name and password associated with the local user.

  3. On the next screen, type the web address of the XenMobile Server, such as: https://<xenmobile_server>:<portnumber>/<instancename>/wpe. For example, https://mycompany.mdm.com:8443/zdm/wpe.

    Note:

    The port number has to be adapted to your implementation. It must be the same port that you used for an iOS enrollment.

  4. Enter the user name and domain if authentication is validated through a user name and domain and then tap sign in.

  5. If a screen appears noting a problem with the certificate, the error is the result of using a self-signed certificate. If the server is trusted, tap continue. Otherwise, tap Cancel.

  6. On Windows Phone 8.1, when the account is added, you have the option of selecting Install company app. If your administrator has configured a Company App store, select this option and then tap done. If you clear this option, you will need to re-enroll your device to receive the Company app store.

  7. On Windows Phone 8.1, on the Account Added screen, tap done.

  8. To force a connection to the server, tap the refresh icon. If the device does not manually connect to the server, XenMobile attempts to reconnect. XenMobile connects to the device every 3 minutes 5 successive times, then every 2 hours afterward. You can alter this connection rate in the Windows WNS Heartbeat Interval located in Server properties. Once enrollment is complete, Secure Hub enrolls in the background. No indicator appears when the installation is complete. Tap Secure Hub from the All Apps screen.

Send an enrollment invitation

In the XenMobile console, you can send an enrollment invitation to users with iOS, macOS, and Android devices. You can also send an installation link to users with iOS or Android devices.

Enrollment invitations are sent as follows:

  • If the enrollment invitation is for one local or Active Directory user: The user receives the invitation from SMS at the phone number and carrier name you specify.

  • If the enrollment invitation is for a group: The users receive invitations from SMS. If Active Directory users have an email address and mobile phone number in Active Directory, they receive the invitation. Local users receive the invitation at the email and phone number specified in user properties.

After users enroll, their devices appear as managed on Manage > Devices. The status of the invitation URL is shown as Redeemed.

Prerequisites

  • XenMobile Server configured in Enterprise (XME) or MDM mode
  • LDAP configured
  • If using local groups and local users:

    • One or more local groups.

    • Local users assigned to local groups.

    • Delivery groups are associated with local groups.

  • If using Active Directory:

    • Delivery groups are associated with Active Directory groups.

Create an enrollment invitation

  1. In the XenMobile console, click Manage > Enrollment Invitations. The Enrollment Invitations page appears.

    Image of XenMobile console Enrollment Invitations page

  2. Click Add. A menu of enrollment options appears.

    Image of Add Invitation menu

    • To send an enrollment invitation to a user or group, click Add Invitation.
    • To send an enrollment installation link to a list of recipients over SMTP or SMS, click Send Installation Link.

    Sending enrollment invitations and installation links is described after these steps.

  3. Click Add Invitation. The Enrollment Invitation screen appears.

    Image of Enrollment Invitation screen

  4. Configure these settings:

    • Recipient: Choose Group or User.
    • Select a platform: If Recipient is Group, all platforms are selected. You can change the platform selection. If Recipient is User, no platforms are selected. Select a platform.
    • Device ownership: Select Corporate or Employee.

    Settings for users or groups appear, as described in the following sections.

To send an enrollment invitation to a user

Image of Enrollment Invitation settings

  1. Configure these User settings:

    • User name: Type a user name. The user must exist in the XenMobile Server as a local user or as a user in Active Directory. If the user is local, ensure that the email property of the user is set so you can send that user notifications. If the user is in Active Directory, ensure that LDAP is configured.
    • Device info: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Choose Serial number, UDID, or IMEI. After you choose an option, a field appears where you can type the corresponding value for the device.
    • Phone number: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Optionally, type the phone number of the user.
    • Carrier: This setting doesn’t appear if you select multiple platforms or if you select only macOS. Choose a carrier to associate to the phone number of the user.
    • Enrollment mode: Choose how you want users to enroll. The default is User name + Password. Some of the following options aren’t available for all platforms:
      • User name + Password
      • High Security
      • Invitation URL
      • Invitation URL + PIN
      • Invitation URL + Password
      • Two Factor
      • User name + PIN

    Only the enrollment modes that are valid for each of the selected platforms appear. A PIN for enrollment is also called a one-time PIN. Such PINs are valid only when the user enrolls.

    Note:

    When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears, where you click Enrollment PIN.

    • Template for agent download: Choose the download link template named Download link. That template is for all supported platforms.
    • Template for enrollment URL: Choose Enrollment Invitation.
    • Template for enrollment confirmation: Choose Enrollment Confirmation.
    • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see To configure enrollment modes.
    • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs. For more information about configuring enrollment modes, see To configure enrollment modes.
    • Send invitation: Select ON to send the invitation immediately. Select OFF to add the invitation to the table on the Enrollment Invitations page, but not send it.
  2. Click Save and Send if you enabled Send invitation. Otherwise, click Save. The invitation appears in the table on the Enrollment Invitations page.

    Image of table on Enrollment Invitations page

To send an enrollment invitation to a group

The following figure shows the settings for configuring an enrollment invitation to a group.

Image of Enrollment invitation to group page

  1. Configure these settings:

    • Domain: Choose the domain of the group to receive the invitation.
    • Group: Choose the group to receive the invitation.
    • Enrollment mode: Choose how you want users in the group to enroll. The default is User name + Password. Some of the following options aren’t available for all platforms:
      • User name + Password
      • High Security
      • Invitation URL
      • Invitation URL + PIN
      • Invitation URL + Password
      • Two Factor
      • User name + PIN

    Only the enrollment modes that are valid for each of the selected platforms appear.

    Note:

    When you select any enrollment mode that includes a PIN, the Template for enrollment PIN field appears, where you click Enrollment PIN.

    • Template for agent download: Choose the download link template named Download link. That template is for all supported platforms.
    • Template for enrollment URL: Choose Enrollment Invitation.
    • Template for enrollment confirmation: Choose Enrollment Confirmation.
    • Expire after: This field is set when you configure the Enrollment Mode and indicates when the enrollment expires. For more information about configuring enrollment modes, see To configure enrollment modes.
    • Maximum Attempts: This field is set when you configure the Enrollment Mode and indicates the maximum number of times the enrollment process occurs. For more information about configuring enrollment modes, see To configure enrollment modes.
    • Send invitation: Select ON to send the invitation immediately. Select OFF to add the invitation to the table on the Enrollment Invitations page, but not send it.
  2. Click Save and Send if you enabled Send invitation. Otherwise, click Save. The invitation appears in the table on the Enrollment Invitation page.

    Image of Enrollment Invitation table

To send an installation link

Before you can send an enrollment installation link, you must configure channels (SMTP or SMS) on the notification server from the Settings page. For details, see [Notifications](/en-us/xenmobile/server/users/notifications.html).

Image of Send Installation link page

  1. Configure these settings and then click Save.

    • Recipient: For each recipient that you want to add, click Add and then do the following:
      • Email: Type the email address of the recipient. This field is required.
      • Phone number: Type the phone number of the recipient. This field is required.

    Note:

    To delete an existing recipient, hover over the line containing the listing and then click the trash icon on the right side. A confirmation dialog box appears. Click Delete to delete the listing or click Cancel to keep the listing.

    To edit an existing recipient, hover over the line containing the listing and then click the pen icon on the right-hand side. Update the listing and then click Save to save the changed listing or Cancel to leave the listing unchanged.

    • Channels: Select a channel to use for sending the enrollment installation link. You can send notifications over SMTP or SMS. These channels cannot be activated until you configure the server settings on the Settings page in Notification Server. For details, see Notifications.
    • SMTP: Configure these optional settings. If you do not type anything in these fields, the default values specified in the notification template configured for the platform you selected are used:
      • Sender: Type an optional sender.
      • Subject: Type an optional subject for the message. For example, “Enroll your device.”
      • Message: Type an optional message to be sent to the recipient. For example, “Enroll your device to gain access to organizational apps and email.”
    • SMS: Configure this setting. If you do not type anything in this field, the default value specified in the notification template configured for the platform you selected is used:
      • Message: Type a message to be sent to the recipients. This field is required for SMS-based notification.

    Note: In North America, SMS messages that exceed 160 characters are delivered in multiple messages.

  2. Click Send.

    Note:

    If your environment uses sAMAccountName: After users receive the invitation and click the link, they must edit the user name to complete the authentication. The user name appears in the form of sAMAccountName@domainname.com. Users must remove the @domainname.com portion.
