Citrix XenMobile Kiosk mode required for Android device (i.Safe Mobile tablet)

[Anandh Chandrabose1709158945]

Hi XenMobile Experts,

 

We have the requirement to restrict all the applications on user's device except the Citrix XenMobile applications. Our users are using Android tablet devices (i.safe Mobile model) .The user devices are shared devices. 

How can we enable restrict users to access all other applications on their device (except XenMobile apps).

 

Please share me your valuable suggestions.

[Ryan Tsamouris]

Hello there!

 

Welcome to the exciting and ever-frustrating world of kiosking devices. We have a great deal of experience with pushing restricted kiosks to mobile devices, as that's all we run in our hazardous environments, which if you're using i.Safe devices I assume these are going into C1D2 or D1 areas? I also know that i.Safe runs vanilla Android, and assuming they're the newer models they are running Android 9 correct? You may know everything below already, but in case someone else finds this I'm writing up the extra info to help:

 

First, get up to speed on Android Enterprise. Google is your best bet, but here are the basics:

• Android Legacy = Device Admin --> OLD method that Google wants to get rid of.
• Android Enterprise (AE) = Device Owner --> NEW method that you want to use. If you go with the old Device Admin mode then if you ever want to upgrade to AE you will have to first factory reset each device.
• Zero Touch = Vanilla Android automated out-of-box setup. I do not know if i.Safe supports this, but if they do, get with your Account rep to get it setup. Everything from here on assumes you're setting up these devices by hand. But if you can get Zero Touch working that would save you a lot of time.

Android Enterprise is the method and set of policies used to provision your devices. Citrix Endpoint Management (CEM) is the MDM that is used to enroll users and push AE policies, which includes a kiosk'd device that only runs the apps that you want. Screenshot of CEM AE policies:

 

 

Go read this and watch the first to YouTube videos in the blurb: https://www.citrix.com/blogs/2019/06/26/citrix-endpoint-management-and-android-enterprise-a-season-of-change/

 

To restrict access to the Citrix Secure apps only, you'll want to do the following:

1. In CEM, after AE is configured via Settings, you will want to add your approved AE apps via Configure > Apps > Add > Public App Store > Android Enterprise
2. You will add each Citrix app, which will be added to your private Google Play Store account (as registered by your Gmail account you created to setup the account earlier). Do not assign them to a Delivery Group yet.
3. Go configure your AE policies, including Restrictions, Wi-Fi, Location, etc. Once you get to the Kiosk policy, you will want to Whitelist the Citrix apps
   1. 
4. Now that you have your apps and policies configured, in CEM go to Configure > Delivery Groups, assign the policies and mark the apps as 'Required'. This will force those apps onto the device without user input (although the user will be able to download from your private Google Play Store as well).T

To give you the general process for setting up devices, if you are setting this up by hand (not Zero Touch), then the process would look like the following:

1. User/IT unboxes device. During first-time setup, on Google sign-in you input the EMM token afw#xenmobile (or QR code if you set that up)
2. After following prompts, Secure Hub is automatically installed
3. In Secure Hub, user signs in
4. AE policies are pushed to device, including app restrictions and your kiosk policy
5. Required apps are auto-installed (via CEM Delivery Groups), or user installs apps from private Google Play store (setup in CEM during AE setup process)

That should get you started. Let me know if you have any questions.

[Anandh Chandrabose1709158945]

Thanks a lot Ryan.