Citrix Endpoint Management in combination with Android Enterprise
Update 21-01-2022: The working order is a bit different, so this blog post has been updated.
Since Android Enterprise is the way forward, I decided to write up a complete walk-through of how to implement this in a Citrix Endpoint Management (XenMobile) environment. You can enable and use this in the On-Premises and Cloud versions of CEM.
Note: Disable the User name + PIN enrollment, because enrolling this way does not trigger the creation of a work profile.
Create a Google Account via https://accounts.google.com
Nothing fancy, just a simple Google account. Remember the credentials though 😉
Open the CEM/XenMobile management console and navigate to: Settings → Android Enterprise. From here the Cloud and On-Premises versions are different. In the Cloud version you just click: Connect → Logon with the created Google Account → Company name → EMM Provider (Citrix) → Complete Registration → Done. I will show the longer, on-premises, steps. 😉
Note: If you see something completely different here, scroll to the bottom of this blog post.
Citrix has created a three-step wizard to register CEM as an EMM provider.
The Google Play screen pops up and you need to log in with the created Google Account.
Sorry for the following Dutch screenshot 😉
In the next screen you can add the Data Protection Officer. You can skip this by clicking next or fill in the correct names.
Now you return to the Management Tools page. To download the generated config file, provide a password and click download.
On the CEM management console click on: Upload File.
Note: The management console may have timed out in the meantime. In that case it will redirect you to the login page and you need to upload the file once more.
Now the environment is connected and can be used. Please create a Passcode Policy for Android Enterprise that will require a passcode for the Work Profile.
Approving the apps can be done directly from CEM/XenMobile. Just search for an Android Enterprise app and approve it (straightforward). You can also do this directly from the Managed Google Play Store via: https://play.google.com/work
Search for an app you want to deploy via Android Enterprise. In this case I will deploy Citrix Secure Web.
Choose the approval settings you like. You can also be notified when new permissions are required.
If you select: My managed apps, you see a list with the approved applications.
When you enroll an Android device (enroll without User name + PIN), the Android device will create a work profile. In this profile you will see the Managed Play Store, Secure Hub and all applications that are deployed as mandatory. When users start the Managed Play Store, they will only see the approved applications.
Note: In Android (tested on a Samsung A50) there is an option to use the same security code for the work profile as for the personal profile. This setting should be turned off so that the work profile is protected with its own security code. Unfortunately, there is no policy in CEM to force this setting.
To create a fully managed Android device (fully managed = no personal profile) follow these steps:
- Factory reset the device;
- When the device boots and asks for the Google account, fill in afw#xenmobile as the email address;
- This will download Secure Hub and you can enroll immediately into CEM.
Different Android Enterprise screen in CEM Console??
If you see this screen in the CEM console:
This means your environment is still using Android for Work V1 (the old version). Please navigate to Server Properties and remove the afw.accounts key.
Questions? Leave a comment 😉