How to integrate Citrix XenMobile with Azure AD for auto enrollment with AutoPilot or Azure AD Join

In my previous blog I took you through the steps to configure Windows AutoPilot in combination with Microsoft Intune. In this blog, I want to show you that it is also possible to use Windows AutoPilot or Azure AD Join with other MDM/EMM solutions, like in this case, Citrix XenMobile. In this scenario, after the Windows 10 out-of-box-experience (OOBE) setup, the Windows 10 device is automatically enrolled with Citrix XenMobile, ready to receive all the assigned policies and applications.

There are only a few steps to take to configure this integration. For this blog I assumed that the following requirements are already in place:

  • A Citrix XenMobile environment up and running;
  • An up and running Microsoft Azure AD tenant with an Azure AD Sync between the local domain and the Azure tenant;
  • Azure AD Premium P1 or P2 licenses assigned to the end users;
  • Windows AutoPilot pre-requirements configured (like Company Branding) as described in my previous blog;

In this blog

In this blog I show you step-by-step how to integrate Citrix XenMobile with Azure AD for auto enrollment via Azure AD Join or Windows AutoPilot. During these steps I will cover the following:

  1. Configure a Terms & Conditions policy within Citrix XenMobile
  2. Configure Azure AD “Mobility (MDM and MAM)” for Citrix XenMobile
  3. Configure the “Identity Provider (IDP)” for Azure AD in XenMobile
  4. Test the results

1. Configure a Terms & Conditions policy within Citrix XenMobile

Login to the Citrix XenMobile web console as an Administrator.

Navigate to: Configure > Device Policies and click Add

Click Terms & Conditions

Enter a Policy Name and a Description. For this blog I only apply a Terms & Conditions Policy for Windows 10 so I deselect all other platforms. Click Next

Upload a .txt file with your Terms and Conditions in it. For this test I use a .txt file with only one line as you can see in the screenshot above. Upload also a square logo in .png format (mine is 215 x 215 pixels in size). Click Next

Select the correct delivery group and click Save

2. Configure Azure AD “Mobility (MDM and MAM)” for Citrix XenMobile

The second step is to configure the Azure AD “Mobility (MDM and MAM)” part for Citrix XenMobile. During these steps we need to write down some information. This information is needed when configuring the IDP settings during step 3 of this blog. Open a Notepad application to temporarily store the information.

For the next steps login as Global Administrator to your Azure tenant.

Navigate to Azure Active Directory > Mobility (MDM and MAM). Click Add application

Click on On-premises MDM application (even if you are using Citrix XenMobile Cloud / Services).

Give the MDM application a name, in my case I name it XenMobile. Click Add.

After a few minutes the XenMobile MDM Application is created. Click on it to edit the properties.

For this MDM Application only users that are members of the “XenMobile Users” Delivery Group must be able to enroll their device with XenMobile. Therefore I add the same AD security group used for the XenMobile Delivery Group to the MDM user scope of this MDM Application. This is an optional step; you can also select All.

Fill in the following URLs:

MDM terms of use URL: https://<XenMobile MDM FQDN>:8443/zdm/wpe/tou (in my case: https://robinhobo.xm.citrix.com:8443/zdm/wpe/tou)

MDM discovery URL: https://<XenMobile MDM FQDN>:8443/zdm/wpe (in my case: https://robinhobo.xm.citrix.com:8443/zdm/wpe)

Click on On-premises MDM application settings

Click on Properties and copy the Application ID to the Notepad application.

The next step is to copy the App ID URI, but first we need to change this value. The default value is something like “https://<tenantname>.onmicrosoft.com/f18c84c6-e9cb-41ac-ad56-eb11a86754c1”. If we leave this value as it is, you get an error during the Azure AD Join of a Windows 10 device telling you that there is something wrong with the “Terms & Condition” settings. A pretty misleading message, which cost me a lot of troubleshooting time. Many thanks to Jeroen J.V Lebon for helping me out and fixing the problem when I had this in a customer tenant!

Change the App ID URI to the MDM FQDN with port 8443 at the end. In my case: https://robinhobo.xm.citrix.com:8443

Copy the correct App ID URI to the Notepad application. Optionally you can change the logo of this MDM application.

Click Save

Click on Keys and fill in the following information;

Description: XenMobile (or something else you like)
Expires: Never expires

Click Save

Copy the Key Value to the Notepad application (copy the key before closing this screen; it will not be visible again once the screen is closed)

Click Save

Navigate to: Azure Active Directory > Properties

Copy the Directory ID to your Notepad application.
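Before moving on to step 3, it is worth checking the values now sitting in Notepad against each other, because the App ID URI mistake described above only surfaces much later as a misleading error during Azure AD Join. The PowerShell function below is an added example and is not part of the original post or of Citrix/Microsoft tooling; it assumes the URL patterns stated above (port 8443, /zdm/wpe and /zdm/wpe/tou) and uses constructed placeholder values for the FQDN, IDs and key.

```powershell
# Added example (not from the original post): sanity-check the values collected in
# step 2 before typing them into the XenMobile IDP wizard in step 3.
function Test-XenMobileMdmSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MdmFqdn,        # XenMobile MDM FQDN, e.g. xm.example.com
        [Parameter(Mandatory)] [string] $TermsOfUseUrl,  # "MDM terms of use URL" in Azure AD
        [Parameter(Mandatory)] [string] $DiscoveryUrl,   # "MDM discovery URL" in Azure AD
        [Parameter(Mandatory)] [string] $AppIdUri,       # "App ID URI" of the MDM application
        [Parameter(Mandatory)] [string] $ApplicationId,  # "Application ID" -> XenMobile Client ID
        [Parameter(Mandatory)] [string] $TenantId,       # "Directory ID"   -> XenMobile Tenant ID
        [Parameter(Mandatory)] [string] $Key             # key value, only shown once in the portal
    )

    # Everything hangs off the MDM FQDN with port 8443
    $base     = "https://$($MdmFqdn):8443"
    $guid     = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($TermsOfUseUrl -ne "$base/zdm/wpe/tou") {
        $findings.Add("MDM terms of use URL should be $base/zdm/wpe/tou (got '$TermsOfUseUrl')")
    }
    if ($DiscoveryUrl -ne "$base/zdm/wpe") {
        $findings.Add("MDM discovery URL should be $base/zdm/wpe (got '$DiscoveryUrl')")
    }
    # The default App ID URI (https://<tenant>.onmicrosoft.com/<guid>) is what triggers the
    # misleading "Terms & Conditions" error during Azure AD Join; it must be the FQDN:8443.
    if ($AppIdUri -match '\.onmicrosoft\.com/') {
        $findings.Add("App ID URI is still the default value; change it to $base")
    } elseif ($AppIdUri.TrimEnd('/') -ne $base) {
        $findings.Add("App ID URI should be exactly $base (got '$AppIdUri')")
    }
    if ($ApplicationId -notmatch $guid) { $findings.Add("Application ID is not a GUID: '$ApplicationId'") }
    if ($TenantId -notmatch $guid)      { $findings.Add("Directory (tenant) ID is not a GUID: '$TenantId'") }
    if ([string]::IsNullOrWhiteSpace($Key)) {
        $findings.Add('Key value is empty; it can only be copied right after it is created')
    }

    [pscustomobject]@{
        Valid    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample input (placeholders, not real tenant values). Two of the values are
# deliberately wrong: the discovery URL is missing /wpe and the App ID URI is still default.
$result = Test-XenMobileMdmSettings `
    -MdmFqdn       'xm.example.com' `
    -TermsOfUseUrl 'https://xm.example.com:8443/zdm/wpe/tou' `
    -DiscoveryUrl  'https://xm.example.com:8443/zdm' `
    -AppIdUri      'https://contoso.onmicrosoft.com/00000000-0000-0000-0000-000000000000' `
    -ApplicationId '11111111-2222-3333-4444-555555555555' `
    -TenantId      '66666666-7777-8888-9999-000000000000' `
    -Key           'placeholder-key-value'

$result.Findings | ForEach-Object { Write-Warning $_ }
if ($result.Valid) { Write-Host 'All values look consistent; continue with step 3.' }
```

With the constructed input the function reports two findings (the discovery URL and the App ID URI); with correct values it returns Valid = True and an empty Findings array. Clear the Notepad file once the key has been entered in step 3, since the key value is a client secret.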

3. Configure the “Identity Provider (IDP)” for Azure AD in XenMobile

The final step is to configure the Identity Provider (IDP) for Azure AD in Citrix XenMobile. For the next steps login to the Citrix XenMobile console as an administrator.

Open the Settings page and click on Identity Provider (IDP)

Click the Add button

Enter an IDP Name, something like Azure AD. Select Azure Active Directory as IDP Type.

Copy the Directory ID from your Notepad application and paste it in the Tenant ID field. All other fields will be filled in automatically when hitting the Tab key.

Click Next

Copy the App ID URI to the App ID URI field.

Copy the Application ID from the Notepad application to Client ID field.

Copy the Key from the Notepad application to the Key field.

Click Next

Select your User Identifier type; in my case I have everything configured for userPrincipalName. The User Identifier String will be filled in automatically.

Click Next

Click Save

4. Test the results

In this final chapter I will show you the results of the configuration just made. I will do this with the enrollment of a new Windows 10 device. For this test I will use a Windows 10 virtual machine.

I will skip the first steps of the Windows 10 OOBE setup; if you want to see these steps, see my previous blog. After filling in your email address during the AutoPilot / Azure AD part, type in your password and hit Next

As you can see, the Terms of Use policy that was created in the first step of this blog is displayed. Click Accept

After a few minutes the Windows 10 device (or in this case virtual machine) is Azure AD Joined and also enrolled with Citrix XenMobile, fully automatically, and ready to be managed.
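Besides looking at the XenMobile console, you can confirm both halves of the result from the device itself. The snippet below is an added example, not part of the original post: it reads the Azure AD join state from the built-in dsregcmd tool and looks for an MDM enrollment whose discovery URL points at the XenMobile FQDN from step 2 (Windows records each MDM enrollment as a GUID subkey under HKLM\SOFTWARE\Microsoft\Enrollments with a DiscoveryServiceFullURL value). The FQDN is a constructed placeholder.

```powershell
# Added example (not from the original post): verify on the Windows 10 device that it is
# Azure AD joined and enrolled with the XenMobile MDM server. Run in an elevated prompt.
function Get-DeviceEnrollmentState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MdmFqdn   # XenMobile MDM FQDN used in step 2
    )

    # dsregcmd /status prints "AzureAdJoined : YES" once the device is Azure AD joined
    $dsreg  = dsregcmd /status
    $joined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

    # Each MDM enrollment lives in a GUID-named subkey; match on the discovery URL so a
    # stale or unrelated enrollment (for example a previous Intune test) is not counted.
    $enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DiscoveryServiceFullURL -like "https://$($MdmFqdn):8443/*" } |
        Select-Object -First 1

    [pscustomobject]@{
        AzureAdJoined     = $joined
        XenMobileEnrolled = [bool]$enrollment
        DiscoveryUrl      = $enrollment.DiscoveryServiceFullURL
        EnrollmentKey     = $enrollment.PSChildName
    }
}

# Constructed placeholder FQDN; use the one you entered in the Azure AD MDM application.
Get-DeviceEnrollmentState -MdmFqdn 'xm.example.com' | Format-List
```

If AzureAdJoined is True but XenMobileEnrolled is False, the join succeeded and the problem is on the MDM side (discovery URL, App ID URI or the user scope of the MDM application from step 2); if both are False, start with the AutoPilot / Azure AD Join prerequisites from the previous blog.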

About Robin Hobo


I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).
