This article explains the MDM/MAM enrollment flow for iOS devices in an on-premises setup.
Instructions
Question: What is the MDM/MAM enrollment flow for Secure Hub on iOS devices in an on-premises setup?
Answer: The steps below explain the MDM/MAM flow, which can be useful for troubleshooting purposes.
1. The iOS Secure Hub (SH) user first connects to the MDM URL (enrollment URL).
2. The request hits the NetScaler on the Load Balancing vserver listening on port 8443.
3. The request reaches the XMS behind the LB vserver. The user is authenticated to AD via XMS and enrolls successfully in MDM.
4. XMS now provides the SH client with the NetScaler Gateway vserver URL to connect back to for MAM (for application access).
5. Secure Hub then makes a connection to the NetScaler Gateway vserver.
6. NetScaler Gateway (NSG) then validates the user again by authenticating against AD (Single Sign On). SSO is seamless for the user, who WILL NOT be prompted for credentials again.
7. Once the user is authenticated, the NSG validates the SH client headers and provides the user with a Session profile (PL_OS Session policy on NSG).
8. The Session profile is where you define the internal MAM LB vserver on port 8443 for application management (which provides the user with the applications from XMS), under Published Applications --> Account Services address.
9. The user is now successfully enrolled in both MDM and MAM.