How to enroll windows 10 devices
Article ID: CTX228501
Updated On:
Description
How to enroll Windows 10 in XenMobile
Instructions
Windows devices
Note
This section includes references to Windows Phone 8.1 devices, which Microsoft moved to End of Support on July 11, 2017. XenMobile currently supports Windows Phone 8.1 devices for MDM enrollment only.
Devices running Windows 10 enroll with Azure as a federated means of Active Directory authentication. You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:
- Enroll in MDM as part of Azure AD Join out-of-the-box the first time the device is powered on.
- Enroll in MDM as part of Azure AD Join from the Windows Settings page after the device is configured.
You can enroll devices in XenMobile that are running the following Windows operating systems:
- Windows 10 phone and tablet
- Windows Phone 8.1
Users can enroll directly through their devices.
Note for Windows 10 RS2 Phone and Tablet: During re-enrollment, a user isn't prompted for the Server URL. To work around this issue, restart the device. Or, on the email address screen, tap the X across from "Connecting to a service" to go to the Server URL page. This is a third-party issue.
You must configure autodiscovery and the Windows discovery service for user enrollment to enable the management of supported Windows devices.
Before Windows device users can enroll by using Azure, you must configure the Microsoft Azure server settings in XenMobile. For details, see Microsoft Azure Active Directory server settings.
Note
In order for Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails if you've uploaded a self-signed SSL certificate.
To enroll Windows devices with self-discovery
To enable management of Windows devices, Citrix recommends you configure autodiscovery and the Windows discovery service. For details, see Enable autodiscovery.
1. On the device, check for and install all available Windows Updates.
2. For Windows 10: In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school. For Windows 8.1 phones: Tap PC Settings > Network > Workplace.
3. Enter your corporate email address and then tap Continue on Windows 10 or tap Turn on device management on Windows 8.1. To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). This permits you to bypass a known Microsoft limitation where enrollment is performed by the built-in Device Management on Windows; in the Connecting to a service dialog box, enter the user name and password associated with the local user. The device automatically discovers a XenMobile Server and starts the enrollment process.4. Enter your password. Use the password associated with an account that is part of a user group in XenMobile.
5. For Windows 10: In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept. For Windows 8.1: In the Allow apps and services from IT admindialog box, indicate that you agree to have your device managed and then tap Turn on.
To enroll Windows devices without self-discovery
It is possible to enroll Windows devices without autodiscovery. Citrix, however, recommends that you configure autodiscovery. Enrollment without autodiscovery results in a call to port 80 before connecting to the desired URL, so it is not considered best practice for production deployment. Citrix recommends that you use this process only in test environments and proof of concept deployment.
1. On the device, check for and install all available Windows Updates.
2. For Windows 10: In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school. For Windows 8.1: Tap PC Settings > Network > Workplace.
3. Enter your corporate email address.
4. For Windows 10: If autodiscovery is not configured, an option appears where you can enter the server details, as described in step 5. For Windows 8.1: If Automatically detect server addressis set to on, tap to turn the option off.
5. For Windows 10: In the Enter server address field, type the address:
https://example.com:8443/zdm/xyz.
If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.
For Windows 8.1: Type the server address in the following format:
https://serverfqdn: 8443/serverInstance/Discovery.svc.
If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.
7. For Windows 10: In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept. For Windows 8.1: In the Allow apps and services from IT admindialog box, indicate that you agree to have your device managed and then tap Turn on.
To enroll Windows Phone devices
To enroll Windows Phone devices in XenMobile, users need their Active Directory or internal network email address, and password. If autodiscovery is not set up, users also need the server web address for the XenMobile Server. Then, they follow this procedure on their devices to enroll.
Note: If you plan to deploy apps through the Windows Phone company store, before your users enroll, ensure that you have configured an Enterprise Hub policy (with a signed Secure Hub, Windows Phone app for each platform you support).
1. On the main screen of the Windows phone, tap the Settings icon.
- For Windows 10: Depending on your version, either tap Accounts > Access work or school > Connect to work or school or tap Accounts > Work access > Enroll in to device management.
- For Windows 8.1: Tap PC Settings > Network > Workplace, and then tap Add Account.
2. On the next screen, enter an email address and password and then tap sign in.
If autodiscovery is configured for your domain, the information requested in the next several steps is automatically populated. Proceed to Step 8.
If autodiscovery is not configured for your domain, continue with the next step. To enroll as a local user, enter a non-existent email address with the correct domain name (for example, foo@mydomain.com). This permits you to bypass a known Microsoft limitation; in the Connecting to a service dialog box, enter the user name and password associated with the local user.
3. On the next screen, type the web address of the XenMobile Server, such as: https://<xenmobile_server>:<portnumber>/<instancename>/wpe. For example, https://mycompany.mdm.com:8443/zdm/wpe. Note: The port number has to be adapted to your implementation. It must be the same port that you used for an iOS enrollment.
4. Enter the user name and domain if authentication is validated through a user name and domain and then tap sign in.
5. If a screen appears noting a problem with the certificate, the error is the result of using a self-signed certificate. If the server is trusted, tap continue. Otherwise, tap Cancel.
6. On Windows Phone 8.1, when the account is added, you have the option of selecting Install company app. If your administrator has configured a Company App store, select this option and then tap done. If you clear this option, you will need to re-enroll your device to receive the Company app store.
7. On Windows Phone 8.1, on the Account Added screen, tap done.
8. To force a connection to the server, tap the refresh icon. If the device does not manually connect to the server, XenMobile attempts to reconnect. XenMobile connects to the device every 3 minutes 5 successive times, then every 2 hours afterward. You can alter this connection rate in the Windows WNS Heartbeat Interval located in Server properties. Once enrollment is complete, Secure Hub enrolls in the background. No indicator appears when the installation is complete. Tap Secure Hub from the All Apps screen
