Contributed By: Vivekananthan Devaraj
Special Thanks To: David Egan, Chetan Thakker, Vikas Nambiar
Citrix Endpoint Management Overview
Citrix Endpoint Management simplifies device and app management with a comprehensive, unified endpoint management solution. It also enables anywhere, any-device access to everything people need to be productive - including intelligence features that guide and automate work. There are also cloud management options for Citrix Virtual Apps and Desktops. Citrix Endpoint Management is available as a service in Citrix Cloud that removes the need for the customer to manage infrastructure, allowing them to focus on the device policies and application management.
Citrix Endpoint Management has Mobile Device Management (MDM) and Mobile App Management (MAM) features. MDM features of Endpoint Management allow admins to deploy device policies and apps, retrieve asset inventories, and carry out actions on devices, such as a device wipe. MAM features of Endpoint Management allow securing the apps and data on Bring Your Own mobile devices, delivering mobile enterprise apps, locking apps, and wiping app data.
Refer to the Citrix documentation, which illustrates the reference architectures for the Endpoint Management deployment, formerly known as XenMobile. The deployment scenarios include MDM-only, MAM-only, and MDM+MAM as the core architectures.
Refer to the Product documentation, which illustrates the Endpoint Management components and comprehensive reference architecture diagrams with communication flow. It also covers the core reference architecture, integration with Citrix Virtual Apps and Desktops, Endpoint Management connector for Exchange ActiveSync, and Citrix Gateway Connector for Exchange ActiveSync.
Android Enterprise with Citrix Endpoint Management
Overview of Android Enterprise
Google announced device admin deprecation with its 2019 Android release. Device management using device admin permissions is considered a legacy management approach for Android devices. Android Enterprise is a modern management platform.
Android Enterprise is a set of tools and services provided by Google as an enterprise management solution for Android devices. The program offers APIs and other tools for developers to integrate support for Android into their Enterprise Mobility Management (EMM) solutions like Citrix Endpoint Management.
With Android Enterprise:
Customers can use Endpoint Management to manage company-owned Android devices and Bring Your Own (BYO) Android devices.
Customers can manage the entire device or a separate work profile on the device. The separate work profile isolates business accounts, apps, and data from personal accounts, apps, and data.
Customers can also manage devices dedicated to single-use, such as inventory management.
When Endpoint Management is integrated with managed Google Play to use Android Enterprise, the resulting binding for the organization is called an enterprise. Google defines an enterprise as a binding between the organization and the enterprise mobility management (EMM) solution. All the users and devices that the organization manages through the EMM solution belong to its enterprise. When Endpoint Management integrates with Android Enterprise, the complete solution has these components:
Citrix Endpoint Management: The Citrix Endpoint Management is the unified endpoint management for a secure digital workspace. Endpoint Management provides the means for IT administrators to manage devices and apps for their organizations.
Citrix Secure Hub: The Citrix DPC app. Secure Hub is the launchpad for Endpoint Management. Secure Hub enforces policies on the device.
Managed Google Play: A Google enterprise app platform that integrates with Citrix Endpoint Management; through its API, Endpoint Management sets app policies and distributes apps.
Benefits of Android Enterprise with Citrix Endpoint Management
Whether devices are corporate or employee-owned, Citrix Endpoint Management and Android Enterprise deliver the controls that organizations need to protect their information while enabling user productivity. Citrix Endpoint Management supports each of the Android Enterprise management modes, including BYOD (Android work profile) and the corporate profiles COPE (Company Owned/Personally Enabled), COBO (Company Owned/Business Only), and COSU (Corporate Owned, Single Use). For BYOD users, Android Enterprise managed by Citrix Endpoint Management gives users peace of mind and personal privacy while IT benefits from data security and compliance.
When administered by Citrix Endpoint Management, Android Enterprise provides flexibility in protecting company information. Apply the multiple layers of Android security, including hardened security and Google Play Protect, and extend them with the advanced device and app management controls from Citrix Endpoint Management.
For faster onboarding and enrollment, Citrix Endpoint Management supports the different provisioning options provided by Android Enterprise, including EMM token, zero-touch enrollment, NFC, and QR code. In addition to Android Enterprise managed by Citrix Endpoint Management, users get seamless access to their Android business apps through managed Google Play. When combined with Citrix Workspace, users also get access to all other apps, including virtual, SaaS, and web. Users also get more work done with Citrix mobile productivity apps, including Citrix Secure Mail and Citrix Content Collaboration with integrated workflows.
Impact of device administration deprecation
Google announced the deprecation of the following Device Administration APIs. These APIs won’t work on devices running Android Q after you upgrade Secure Hub to target the Android Q API level:
Disable camera: Controls access to device cameras.
Keyguard features: Control features that are related to the device lock, such as biometrics and patterns.
Expire password: Forces users to change their password after a configurable time.
Limit password: Sets restrictive password requirements.
The deprecated APIs have no impact on devices enrolled in Citrix MAM-only mode.
With the increased need for Android devices in the enterprise world and their growing use cases, Google introduced Android Enterprise with modern management modes – work profile, fully managed, and dedicated device. Refer to the Google developer documentation for more details about the use cases and profiles.
Reference Architecture for Android Enterprise with Citrix Endpoint Management
To enroll a new customer through the EMM console, you need to create an enterprise. In an Android Enterprise deployment, an enterprise maintains control over various aspects of user devices, such as isolating work-related information from users' personal data, pre-configuring approved apps for the environment, or disabling device capabilities (for example, the camera). Refer to the Google documentation.
On the Citrix Endpoint Management (CEM) server, you bind Citrix as your EMM partner for Android Enterprise (a 3-step process). CEM creates an Enterprise Service Account, which is used to manage data via the Google Play APIs. The Google Play infrastructure offers services that include a managed, private enterprise app delivery store.
Once the integration is set up, Citrix Endpoint Management and managed Google Play work seamlessly together to secure, configure, and manage organizations’ Android devices and the required public or corporate apps.
An admin uses the EMM console to perform a range of tasks, including configuring device settings and apps. The DPC Secure Hub creates and manages the work profile on the device on which it is installed. The work profile encrypts work-related information and keeps it separate from users' personal apps and data. Before creating the work profile, the DPC can also provision a managed Google Play Account for use on the device.
In Android Enterprise for work profile or fully managed devices, users receive their apps via the Managed Google Play Store. EMM Admins approve public apps for use and can also add private apps on the Managed Google Play Store. The OrgID binding with Citrix Endpoint Management controls visibility of the private apps, which are approved through the Managed Google Play store, for devices enrolled with that organization.
Secure Hub applies the device policies as set by an admin to meet an organization's requirements and constraints. For example, a security policy might require that the device lock after a certain number of failed password attempts. The DPC queries the EMM console for the current policies and then applies them.
Provisioning methods:
Fully Managed Device Provisioning Method
QR code — Android 9 devices and higher have a QR code reader built-in. For this method, the user simply turns on the device, taps the welcome screen six times, and scans the QR code, which automatically starts the enrollment-provisioning process by connecting to Google Play to access the management profile.
Android zero-touch — Using Android zero-touch enrollment, IT admins can create, edit, and delete UEM configurations. In doing so, devices or groups of devices can be shipped with the enrollment already complete. All the user needs to do is turn on the device, connect to Wi-Fi, and enter their password.
EMM token — With this method, a user’s IT department provides them with a token. For Citrix Endpoint Management, the token is afw#xenmobile. This token has to be entered after the new device turns on when the user is prompted for “Email or phone.” Entering the correct EMM token downloads the Citrix Endpoint Management device policy controller app so that the user can simply enter credentials to get set up.
NFC Bump — The NFC Bump method uses “Near Field Communication” to provision the device. Using NFC Bump, the new device must be within 4 centimeters of another device. Bulk enrollment of corporate-issued devices has always been a major headache for IT. With NFC Bump enrollment, IT enrolls a master device carrying the MDM server details and simply taps it against other unenrolled devices to start the automated enrollment process. Bulk enrollment made easy!
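The QR code method above works by encoding a JSON object of Android's public android.app.extra.PROVISIONING_* intent extras, which the setup wizard reads to locate, verify and install the DPC. The following validator is an added example and not Citrix code: it checks a payload for the settings a defender cares about (HTTPS download of the DPC, a well-formed signature checksum, encryption not skipped) and shows a weak payload beside a corrected one. The component name, URL and checksum values are constructed placeholders, not Secure Hub's real values.

```python
"""Validate an Android Enterprise QR-code provisioning payload (added example)."""
import base64
from urllib.parse import urlparse

EXTRA = "android.app.extra.PROVISIONING_"
REQUIRED = (EXTRA + "DEVICE_ADMIN_COMPONENT_NAME",
            EXTRA + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION",
            EXTRA + "DEVICE_ADMIN_SIGNATURE_CHECKSUM")


def _is_sha256_b64url(value):
    """Signature checksum must be unpadded base64url of a 32-byte SHA-256."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def validate_payload(payload):
    """Return a list of findings; an empty list means the payload looks sound."""
    findings = []
    for key in REQUIRED:
        if key not in payload:
            findings.append("missing " + key[len(EXTRA):])
    url = payload.get(EXTRA + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "")
    if url and urlparse(url).scheme != "https":
        findings.append("DPC download location is not HTTPS")
    checksum = payload.get(EXTRA + "DEVICE_ADMIN_SIGNATURE_CHECKSUM")
    if checksum is not None and not _is_sha256_b64url(checksum):
        findings.append("signature checksum is not a base64url SHA-256")
    if payload.get(EXTRA + "SKIP_ENCRYPTION") is True:
        findings.append("SKIP_ENCRYPTION is set; device will not be encrypted")
    if EXTRA + "WIFI_PASSWORD" in payload:
        findings.append("Wi-Fi password embedded in QR; treat the printout as a secret")
    return findings


# Constructed samples (placeholder package, URL and checksum): weak vs corrected.
WEAK = {
    EXTRA + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.dpc/.AdminReceiver",
    EXTRA + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "http://example.com/dpc.apk",
    EXTRA + "SKIP_ENCRYPTION": True,
}
GOOD = {
    EXTRA + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.dpc/.AdminReceiver",
    EXTRA + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://example.com/dpc.apk",
    EXTRA + "DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        base64.urlsafe_b64encode(b"\x11" * 32).rstrip(b"=").decode(),
}
```

Run validate_payload on the JSON you are about to print as a QR code; WEAK yields three findings and GOOD yields none.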
BYOD Provisioning Method
In addition to the Work Managed options above, the BYOD method is popular for workers using a personally owned device. With this method, IT manages the business data (the Android work profile), leaving all the personal data and applications private. In other words, IT only has visibility and control of the work applications and nothing else. With this method, there is no device management, only mobile application management (MAM).
Migrate from device administration to Android Enterprise
| Site Details | Default Enrollment Profile | Comments/Recommendation |
|---|---|---|
| New Site | Android Enterprise – Fully Managed/Work Profile | Any new site defaults to Android Enterprise (AE). Recommendation: Set up AE if not already set up and enroll devices in AE; Device Admin is a legacy mode. |
| Existing Site with Android Enterprise (AE) setup | Android Enterprise – Fully Managed/Work Profile | Any site with AE configured defaults to Android Enterprise. Recommendation: a) If the site is AE with no Device Admin enrollment, no change is required. b) If the site has Device Admin mode enrollments, make sure to update the Enrollment Profile for those devices to point to Legacy (device administrator). |
| Existing Site NOT set up with Android Enterprise | Legacy (device administrator) | Sites without an Android Enterprise setup default to Legacy (device administrator). Recommendation: Set up Android Enterprise and plan the migration. |
Android Enterprise includes support for fully managed and work profile device modes. The Google publication Android Enterprise Migration Bluebook explains in detail how legacy device administration and Android Enterprise differ. We recommend that you read the migration approach from Google. Also, refer to the Android Enterprise Solution Directory for a list of Android-recommended devices that meet the elevated enterprise requirements. For more information, visit Citrix’s Android Enterprise product page.
Sources
The goal of this reference architecture is to assist you with planning your own implementation. To make this job easier, we would like to provide you with source diagrams that you can adapt in your own detailed designs and implementation guides: reference-architectures_citrix-endpoint-management.pptx
References
Reference Architecture for On-Premises Deployments
Core Reference Architectures of CEM
CEM Product Document for EMS/Intune Integration
Get Started with Intune Integration
Android Enterprise Google Guide
Android Enterprise Migration Bluebook
Android Enterprise Solution Directory