This article explains the MDM/MAM enrollment flow for Android devices in an on-cloud setup (where the XMS load balancer is in the cloud and NetScaler Gateway is on premises).
Instructions
This article explains the MDM/MAM enrollment flow for Android devices in an on-cloud setup where:
On premises: NetScaler Gateway.
On cloud: XMS load balancing and Content Switch vserver.
The steps below explain the MDM/MAM flow, which can be useful for troubleshooting.
1. The Android Secure Hub (SH) user first connects to the MDM URL (enrollment URL).
2. The request hits the cloud NetScaler on the MDM load balancing vserver listening on port 443.
3. The request reaches the XMS behind the MDM LB vserver. The user is authenticated against AD via XMS and enrolls successfully in MDM on the cloud.
4. XMS then provides the SH client with the NetScaler Gateway vserver URL (on premises) to connect back to for MAM (application access).
5. Secure Hub then connects to the NetScaler Gateway vserver on premises.
6. NetScaler Gateway validates the user again by authenticating against AD (single sign-on). SSO is seamless for the user, who will NOT be prompted for credentials again.
7. Once the user is authenticated, the NSG validates the SH client headers and provides the user with a session profile (PL_OS session policy on the NSG).
8. In the session profile, under Published Applications --> Account Services Address, you define the MAM vserver (the Content Switching vserver on port 8443 on the cloud NetScaler), which provides the user with application access from XMS. The request from the SH client specifically hits the default LB virtual server policy of the Content Switch vserver (on cloud).
9. The user is now successfully enrolled in both MDM and MAM.
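When enrollment stalls, it helps to know which of the three listeners in this flow is not answering. The following is an added example, not part of the original article or Citrix tooling: it probes the MDM LB vserver (443), the on-premises gateway (443) and the Content Switch vserver (8443) in flow order. Hostnames are placeholders, function names are hypothetical, and the probe only tests TCP/TLS from wherever it is run.

```python
import socket
import ssl

# (stage from the article, key into the hosts mapping, TCP port from the article)
FLOW = [
    ("steps 1-3: MDM enrollment via cloud MDM LB vserver", "mdm_lb", 443),
    ("steps 5-7: MAM logon at on-premises NetScaler Gateway", "gateway", 443),
    ("step 8: app access via cloud Content Switch vserver", "mam_cs", 8443),
]

def tls_probe(host, port, timeout=5.0):
    """Attempt a TCP connect plus verified TLS handshake; return (ok, detail)."""
    try:
        ctx = ssl.create_default_context()  # validates chain and hostname
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # DNS, refused, timeout, TLS and certificate errors
        return False, f"{type(exc).__name__}: {exc}"

def check_flow(hosts, probe=tls_probe):
    """Probe every listener in flow order; return a list of (stage, ok, detail)."""
    return [(stage, *probe(hosts[key], port)) for stage, key, port in FLOW]

def first_failure(results):
    """Return the earliest failing stage, or None when every listener answered."""
    for stage, ok, _detail in results:
        if not ok:
            return stage
    return None

if __name__ == "__main__":
    # Placeholder hostnames (reserved .example TLD); substitute your own.
    hosts = {"mdm_lb": "mdm.cloud.example", "gateway": "nsg.onprem.example",
             "mam_cs": "mdm.cloud.example"}
    results = check_flow(hosts)
    for stage, ok, detail in results:
        print(f"{'OK  ' if ok else 'FAIL'} {stage}: {detail}")
    print("first failing stage:", first_failure(results))
```

A failure at an early stage explains every later symptom, so read the output top to bottom; a certificate or hostname mismatch is reported in the detail column as a failure.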