Citrix Endpoint Management in combination with Android Enterprise

Published by Jeroen Tielen on

Since Android Enterprise is the way forward, I decided to write up a complete walk-through of how to implement this in a Citrix Endpoint Management (XenMobile) environment. You can enable and use this in both the On-Premises and Cloud versions of CEM.

Note: Disable the User name + PIN enrollment, as this will not trigger a work profile creation.

Create a Google Account via https://accounts.google.com 

Choose: For myself

Nothing fancy, just a simple Google account. Remember the credentials though 😉

Now we can go to the Managed Google Play Store via: https://play.google.com/work

Search for an app you want to deploy via Android Enterprise. In this case I will deploy Citrix Secure Web.

Approve Citrix Secure Web

Choose the approval settings you like. You can also be notified when new permissions are required.

If you select: My managed apps, you see a list with the approved applications.

The Google part is done. Open the CEM management console and navigate to: Settings → Android Enterprise. From here the Cloud and On-Premises versions are different. In the Cloud version you just click: Connect → Log on with the created Google Account → Company name → EMM Provider (Citrix) → Complete Registration → Done. I will show the longer, on-premises, steps. 😉

Note: If you see something completely different here, scroll to the bottom of this blog post.

Click: Go to XenMobile Tools

Citrix has created a three-step wizard to register CEM as an EMM provider.

Click: Go to Google Play

The Google Play screen pops up and you need to log in with the created Google Account.

Click: Login

Sorry for the following Dutch screenshot 😉

Give your company name and click: Next

In the next screen you can add the Data Protection Officer. You can skip this by clicking Next, or fill in the correct names.

Click: Complete Registration

Now you return to the Management Tools page. To download the generated config file, provide a password and click Download.

Download config file

On the CEM management console click on: Upload File.

Click: Upload file

Note: The management console may have timed out in the meantime. In that case it redirects you to the login page and you need to upload the file once more.

Once connected, flip the switch to enable Android Enterprise.

Now the environment is connected and can be used. Please create a Passcode Policy for Android Enterprise that will require a passcode for the Work Profile.

Create passcode policy for Android Enterprise

When you enroll an Android device (enroll without user name + PIN), the Android device will create a work profile. In this profile you will see the Managed Play Store, Secure Hub and all applications that are deployed as mandatory. When users start the Managed Play Store, they will only see the approved applications.

The profiles are shown at the bottom

Note: In Android (tested on a Samsung A50) there is an option to use the same security code for the work profile as for the personal profile. This setting should be turned off so that the work profile is protected with its own security code. Unfortunately, there is no policy in CEM to force this setting.

To create a fully managed Android device (fully managed = no personal profile) follow these steps:

  1. Factory reset the device;
  2. When the device boots and asks for the Google account, fill in afw#xenmobile as the email address;
  3. This will download Secure Hub and you can enroll immediately into CEM.

The work profile has its own applications

Different Android Enterprise screen in CEM Console??

If you see this screen in the CEM console:

Android for Work V1

This means your environment is still using Android for Work V1 (the old version). Please navigate to Server Properties and remove the afw.accounts key.

Delete the key

Questions? Leave a comment 😉

