Citrix Endpoint Management in combination with Android Enterprise

Update 21-01-2022: The working order is a bit different, so this blog post has been updated.

Since Android Enterprise is the way forward, I decided to write up a complete walk-through on how to implement this in a Citrix Endpoint Management (XenMobile) environment. You can enable and use this in both the On-Premises and Cloud versions of CEM.

Note: Disable the User name + PIN enrollment, as this will not trigger a work profile creation.

Create a Google Account via 

Choose: For myself

Nothing fancy, just a simple Google account. Remember the credentials though 😉

Open the CEM/XenMobile management console and navigate to: Settings → Android Enterprise. From here the Cloud and On-Premises versions are different. In the Cloud version you just click: Connect → Log on with the created Google Account → Company name → EMM Provider (Citrix) → Complete Registration → Done. I will show the longer, on-premises, steps. 😉

Note: If you see something completely different here, scroll to the bottom of this blog post.

Click: Go to XenMobile Tools

Citrix has created a three-step wizard to register CEM as an EMM provider.

Click: Go to Google Play

The Google Play screen pops up and you need to log in with the created Google Account.

Click: Login

Sorry for the following Dutch screenshot 😉

Give your company name and click: Next

In the next screen you can add the Data Protection Officer. You can skip this by clicking Next, or fill in the correct names.

Click: Complete Registration

Now you return to the Management Tools page. To download the generated config file, provide a password and click Download.

Download config file

On the CEM management console click on: Upload File.

Click: Upload file

Note: The management console may have timed out in the meantime. In that case it will redirect you to the login page and you need to upload the file once more.

Once connected, flip the switch to enable Android Enterprise.

Now the environment is connected and can be used. Please create a Passcode Policy for Android Enterprise that will require a passcode for the Work Profile.

Create passcode policy for Android Enterprise

Approving the apps can be done directly from CEM/XenMobile. Just search for an Android Enterprise app and approve it (straightforward). You can also do this directly from the Managed Google Play Store via:

Search for an app you want to deploy via Android Enterprise. In this case I will deploy Citrix Secure Web.

Approve Citrix Secure Web

Choose the approval settings you like. You can also be notified when new permissions are required.

If you select My managed apps, you see a list of the approved applications.

When you enroll an Android device (enroll without user name + PIN), the Android device will create a work profile. In this profile you will see the Managed Play Store, Secure Hub and all applications that are deployed as mandatory. When users start the Managed Play Store, they will only see the approved applications.

The profiles are shown at the bottom

Note: In Android (tested on a Samsung A50) there is an option to use the same security code for the work profile as for the personal profile. This setting should be turned off so that the work profile is protected with its own security code. Unfortunately, there is no policy in CEM to force this setting.

To create a fully managed Android device (fully managed = no personal profile) follow these steps:

  1. Factory reset the device;
  2. When the device boots and asks for the Google account, fill in afw#xenmobile as the email address;
  3. This will download Secure Hub and you can enroll immediately into CEM.

The work profile has its own applications

Different Android Enterprise screen in CEM Console??

If you see this screen in the CEM console:

Android for Work V1

This means your environment is still using Android for Work V1 (the old version). Navigate to Server Properties and remove the afw.accounts key.

Delete the key

Questions? Leave a comment 😉

6 thoughts on “Citrix Endpoint Management in combination with Android Enterprise”

  1. Thanks for the great guide, I just feel stupid to not find this in CEM

    Note: Disable the User name + PIN enrollment. As this will not trigger a work profile creation.

        1. Ahh got it. I misunderstood the question.

          In the CEM console go to Settings –> Enrollment

          Make sure “User name + password” is enabled and defaulted.

          Hope this will help you. Cheers, Jeroen.

  2. Hi Jeroen,

    I have an Android app (actually a Cordova/Angular app) on a device with Secure Hub, how can I get the username from within the Angular app? Is there a way to retrieve the username that is logged in on Secure Hub?

    1. Hi Dick,

      Sorry for the late reply. You can use macros like: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname}.
      But this will only work in apps which support this, and I assume Cordova/Angular will not.

