Enable XenMobile Enrollment of iOS and Android Devices with Azure AD as Identity Provider

Enable XenMobile Enrollment of iOS and Android Devices with Azure AD as Identity Provider

book

Article ID: CTX223143

calendar_today

Updated On:

Description

With the latest version XenMobile server, you are provided with a new feature where an end user can use their Azure Active Directory credentials to enroll their Windows, iOS and Android devices to the XenMobile server. In this case Azure Active Directory will be the Identity provider and XenMobile server will act as a service provider.

 To achieve the above use case, you as an admin need to setup the following.

1.      Configure On perm MDM application in Azure Active Directory.

2.      Configure Azure Active Directory as an Identity Provider in the XenMobile Server.

Instructions

Pre-requisites

 
This document is prepared assuming that
 
·        You have Microsoft Azure Active Directory premium license.
·        You have XenMobile 10.5.2.x deployed.
·        You have both NetScaler and XenMobile server talking to same Active Directory.
·        You have Azure AD connector up and running, syncing the enterprise AD and Azure AD.
·        You have a XenMobile environment up and running enabled with Certificate only based authentication.
 
Note: All screenshots in this document are for representational purposes only.

Creating MDM App in Azure Active Directory

         1.           Login to Azure Portal.(https://portal.azure.com), post login click on Azure Active Directory à Mobility (MDM and MAM) and click Add.
 User-added image
         2.           From Add an application pane, click on On-Premise MDM application.
User-added image
Provide the Name of the application and click Add.
User-added image
         3.           Select the Application that you have created.
·        Under Configure pane, select the targeted MDM User group
·        Provide the MDM Terms of User URL as “https://<XMS Enrollment FQDN>:8443/zdm/wpe/tou”
·        Provide MDM Discovery URL as “https:// <XMS Enrollment FQDN>:8443/zdm/wpe” and then save the config.
Now click on “On-Premise MDM application settings”
User-added image
         4.           In the Properties pane, set the APP ID URL as “https:// <XMS Enrollment FQDN>:8443” and note the Application ID (which you will be using it as Client ID in XenMobile configuration)
Note: This App ID URI is a unique ID which you will not be allowed to used again in any other app.
User-added image
         5.           Click on the Keys tab to create an authentication key by providing the Description and Expiry, Save the configuration to view the key value.
Note: Key will be only be displayed once the config has been saved.
User-added image
         6.           Tenant ID can be found in the Help (?) à Show Dialogistic page
User-added image
Now Look for the Teant ID in the Pop up page.
User-added image

Configuring Azure AD as Identity Provider in XenMobile Server

 
         1.           Login to the XenMobile server using a browser.
Go to settings, Under Authentication Click on the Identity Provide (IDP).
 User-added image 
         2.           Now under Identity Provide (IDP), click Add.
User-added image
         3.                    1.         Provide the IDP Name (Enter a name of your choice)
         2.         Select the IDP Type as Azure Active Directory from the dropdown
         3.         Provide the Tenant Id that you have from the previous section
         4.         Scroll down and click Next.
 
Note: Other details are automatically pre-populated after you provide the Tenant ID.
 
User-added image
         5.           If you planning to manage Windows 10 devices, then provide App ID URI, Client ID and Key details which you have collected in the previous section.
 
Click Next
 User-added image
         6.           Under Secure Hub, all the details will be pre-populated, click Next to continue.
 User-added image
         7.           Under IDP Claims Usage section, select the User identifier type as UserPrincialName, the User Identifer String will be automatically pre-populated.
 
Click Next
 User-added image
         8.           Review the summary and then Save the configuration. 
User-added image

End User Enrollment Experience on iOS Device

         1.           On your iOS device download Secure Hub from App Store. Launch Secure Hub, provide the enrollment FQDN and click Next.
User-added image 
         3.           On “Enroll Your iPhone” popup, tap on Yes, Enroll
 User-added image
         4.           Secure Hub will now be redirected to the Microsoft Login screen.
Enter the Azure Active Directory credentials and click Sign in.
User-added image
         5.           On successful authentication, the Enrollment in progress status is displayed.
 User-added image
         6.           Certificate and profile are pushed down to the device.
The end user will have to install the Enrollment Certificate and Profile.
 User-added image 
         7.           Once the enrollment is completed, user will be asked to set a Citrix Pin for the Secure Hub.
 User-added image
         8.           After setting the Citrix Pin, user will be able to view/access the apps entitled.
 User-added image

Issue/Introduction

Enroll iOS and Android devices to XMS using Azure AD credentials.
Powered by Wolken Software