In my previous blog I took you through the steps to configure Windows AutoPilot in combination with Microsoft Intune. In this blog, I want to show you that it is also possible to use Windows AutoPilot or Azure AD Join with other MDM/EMM solutions, in this case Citrix XenMobile. In this scenario, after the Windows 10 out-of-box-experience (OOBE) setup, the Windows 10 device is automatically enrolled with Citrix XenMobile, ready to receive all the assigned policies and applications.
There are only a few steps to take to configure this integration. For this blog I assume that the following requirements are already in place:
- A Citrix XenMobile environment up and running;
- An up and running Microsoft Azure AD tenant with an Azure AD Sync between the local domain and the Azure tenant;
- Azure AD Premium P1 or P2 licenses assigned to the end users;
- Windows AutoPilot pre-requirements configured (like Company Branding) as described in my previous blog.
In this blog
In this blog I show you step-by-step how to integrate Citrix XenMobile with Azure AD for auto-enrollment via Azure AD Join or Windows AutoPilot. During these steps I will cover the following:
- Configure a Terms & Conditions policy within Citrix XenMobile
- Configure Azure AD “Mobility (MDM and MAM)” for Citrix XenMobile
- Configure the “Identity Provider (IDP)” for Azure AD in XenMobile
- Test the results
1. Configure a Terms & Conditions policy within Citrix XenMobile
Login to the Citrix XenMobile web console as an Administrator.
Navigate to: Configure > Device Policies and click Add
Click Terms & Conditions
Enter a Policy Name and a Description. For this blog I only apply a Terms & Conditions Policy for Windows 10 so I deselect all other platforms. Click Next
Upload a .txt file with your Terms and Conditions in it. For this test I use a .txt file with only one line, as you can see in the screenshot above. Also upload a square logo in .png format (mine is 215 x 215 pixels in size). Click Next
Select the correct delivery group and click Save
2. Configure Azure AD “Mobility (MDM and MAM)” for Citrix XenMobile
The second step is to configure the Azure AD “Mobility (MDM and MAM)” part for Citrix XenMobile. During these steps we need to write down some information, which is needed when configuring the IDP settings in step 3 of this blog. Open a Notepad application to temporarily store the information.
For the next steps login as Global Administrator to your Azure tenant.
Navigate to Azure Active Directory > Mobility (MDM and MAM). Click Add application
Click on On-premises MDM application (even if you are using Citrix XenMobile Cloud / Services).
Give the MDM application a name, in my case I name it XenMobile. Click Add.
After a few minutes the XenMobile MDM Application is created. Click on it to edit the properties.
For this MDM Application, only users that are members of the “XenMobile Users” Delivery Group must be able to enroll their device with XenMobile. Therefore I add the same AD security group used for the XenMobile Delivery Group to the MDM user scope of this MDM Application. This is an optional step; you can also select All.
Fill in the following URLs:
MDM discovery URL: https://<XenMobile MDM FQDN>:8443/zdm/wpe (in my case: https://robinhobo.xm.citrix.com:8443/zdm)
Click on On-premises MDM application settings
Click on Properties and copy the Application ID to the Notepad application.
The next step is to copy the App ID URI, but first we need to change this value. The default value is something like “https://<tenantname>.onmicrosoft.com/f18c84c6-e9cb-41ac-ad56-eb11a86754c1”. If we leave it at this value, you get an error during the Azure AD Join of a Windows 10 device telling you that there is something wrong with the “Terms & Condition” settings. A pretty misleading message, which cost me a lot of troubleshooting time. Many thanks to Jeroen J.V Lebon for helping me out and fixing the problem when I had this in a customer tenant!
Change the App ID URI to the MDM FQDN with port 8443 at the end. In my case: https://robinhobo.xm.citrix.com:8443
Copy the correct App ID URI to the Notepad application. Optionally you can change the logo of this MDM application.
Click on Keys and fill in the following information:
Description: XenMobile (or something else you like)
Expires: Never expires
Copy the Key Value to the Notepad application (do not close this screen before copying the code, it will not be visible anymore after closing this screen)
Navigate to: Azure Active Directory > Properties
Copy the Directory ID to your Notepad application.
3. Configure the “Identity Provider (IDP)” for Azure AD in XenMobile
The final step is to configure the Identity Provider (IDP) for Azure AD in Citrix XenMobile. For the next steps login to the Citrix XenMobile console as an administrator.
Open the Settings page and click on Identity Provider (IDP)
Click the Add button
Enter an IDP Name, something like Azure AD. Select Azure Active Directory as IDP Type.
Copy the Directory ID from your Notepad application and paste it in the Tenant ID field. All other fields will be filled in automatically when hitting the Tab key.
Copy the App ID URI to the App ID URI field.
Copy the Application ID from the Notepad application to Client ID field.
Copy the Key from the Notepad application to the Key field.
Select your User Identifier type; in my case I have everything configured for userPrincipalName. The User Identifier String will be filled in automatically.
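As an added pre-flight check (not part of the original post, and not Citrix or Microsoft code), the following Python validates the values written to Notepad in step 2 against what the IDP form in step 3 expects, in particular flagging an App ID URI that was left at its default onmicrosoft.com value, the cause of the misleading Terms & Conditions error during Azure AD Join. The host, GUIDs and key below are constructed sample values.

```python
"""Consistency check for the XenMobile / Azure AD IDP values (added example)."""
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DISCOVERY_PATH = "/zdm/wpe"  # path used for the MDM discovery URL
MDM_PORT = 8443


def check_idp_values(discovery_url, app_id_uri, application_id, tenant_id, key):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    disc = urlparse(discovery_url)
    if disc.scheme != "https":
        problems.append("MDM discovery URL must use https")
    if not disc.path.startswith(DISCOVERY_PATH):
        problems.append(f"MDM discovery URL path should start with {DISCOVERY_PATH}")
    if disc.port != MDM_PORT:
        problems.append(f"MDM discovery URL should use port {MDM_PORT}")
    app = urlparse(app_id_uri)
    # Default App ID URI (https://<tenant>.onmicrosoft.com/<guid>) triggers the
    # misleading "Terms & Conditions" error during Azure AD Join.
    if app.hostname and app.hostname.lower().endswith(".onmicrosoft.com"):
        problems.append("App ID URI still has the default onmicrosoft.com value; "
                        "set it to the MDM FQDN with port 8443")
    # App ID URI must be exactly https://<MDM FQDN>:8443 of the discovery URL.
    expected = f"https://{disc.hostname}:{MDM_PORT}"
    if app_id_uri.rstrip("/") != expected:
        problems.append(f"App ID URI should be {expected}")
    for label, value in (("Application ID (Client ID)", application_id),
                         ("Directory ID (Tenant ID)", tenant_id)):
        if not GUID_RE.match(value):
            problems.append(f"{label} is not a GUID")
    if not key.strip():
        problems.append("Key value is empty (copy it before closing the Keys screen)")
    return problems


# Constructed sample values mirroring the post's example host.
SAMPLE = {
    "discovery_url": "https://robinhobo.xm.citrix.com:8443/zdm/wpe",
    "app_id_uri": "https://robinhobo.xm.citrix.com:8443",
    "application_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "key": "constructed-sample-key-value",
}

if __name__ == "__main__":
    print(check_idp_values(**SAMPLE) or "all values consistent")
```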
4. Test the results
In this final chapter I will show you the results of the configuration just made. I will do this with the enrollment of a new Windows 10 device. For this test I will use a Windows 10 virtual machine.
I will skip the first steps of the Windows 10 OOBE setup; if you want to see these steps, see my previous blog. After filling in your email address during the AutoPilot / Azure AD part, type in your password and hit Next
After a few minutes the Windows 10 device (or in this case virtual machine) is Azure AD Joined and also enrolled with Citrix XenMobile, fully automatic, and ready to be managed.