Unable to establish VPN Connection with Citrix SSO app [Certificate based Auth] for Android Enterprise


Article ID: CTX277282


Description

This article explains the Certificate Alias field in the Android Enterprise Managed Configuration for the Citrix SSO app when certificate-based authentication is used.


Instructions

In a CEM environment, when the client certificate is deployed using a credential policy, a random alias is generated for the certificate. The same alias name should be used in the Certificate Alias field of the Managed Configurations for the Citrix SSO app, as shown in the following figure:



The Certificate Alias field is shown as optional; however, it is needed for certificate-based authentication. Without it, the VPN connection fails to establish.

The Certificate Alias can be captured using one of the following methods:

Method 1: On the enrolled Android device
The admin should first deploy the client certificate on a test device and make a note of the alias name shown when SecureHub asks to install the client certificate. Use that same alias in the Certificate Alias field under Managed configurations.




Method 2: Using Citrix SSO app logs
Another option is to get the certificate alias from the Citrix SSO app logs on the device (email them to yourself from the Citrix SSO Logs screen) and then look for the log statement shown below in the CtxLog_com.citrix.CitrixVPN*.csv files.

"Ignoring selected certificate alias [XXXXXX] because it does not match with required alias [YYYYYY]"

From this log line you can infer that the alias provisioned in the VPN profile is YYYYYY and the one actually installed on the device is XXXXXX. They must match for the VPN to work. Make sure to use the alias XXXXXX (the one selected by the user) in the VPN profile by updating the Certificate Alias field.

Method 3: From CEM debug logs
After deploying the client certificate, capture the CEM debug logs, look for the following log message, and update the Certificate Alias field in the Managed configurations accordingly.


2020-03-19T03:06:10.137+0000 |    |  INFO | http-nio-10080-exec-10 | EWSession | Create unknown in DB credential=XXXXXXXXXXXX certificate for 27cp1_20170407155318257
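
The log searches in Methods 2 and 3 can be scripted. The following is an added example, not Citrix code: it scans log files for the two message shapes quoted above and reports the aliases. The sample lines and alias values are constructed, the CSV column layout is an assumption (lines are matched as plain text), and treating the `credential=` value as the alias is an assumption based on Method 3.

```python
import glob
import re
import sys

# Message text quoted in the article for the Citrix SSO app logs (Method 2).
SSO_MISMATCH = re.compile(
    r"Ignoring selected certificate alias \[([^\]]*)\] "
    r"because it does not match with required alias \[([^\]]*)\]")
# Shape of the CEM debug log sample in the article (Method 3). Assumption:
# the credential= value is the alias to copy into the Certificate Alias field.
CEM_CREDENTIAL = re.compile(r"EWSession.*?credential=(\S+) certificate for")

# Constructed sample lines; the alias values are made up. The CSV column
# layout is an assumption, so lines are searched as text, not parsed as CSV.
SAMPLE = [
    '2020-03-19 03:01:02,INFO,"Ignoring selected certificate alias [alias-on-device] '
    'because it does not match with required alias [alias-in-profile]"',
    '2020-03-19 03:01:09,INFO,"Starting VPN service"',
    "2020-03-19T03:06:10.137+0000 |    |  INFO | http-nio-10080-exec-10 | EWSession | "
    "Create unknown in DB credential=alias-from-cem certificate for device-placeholder",
]


def find_aliases(lines):
    """Return (mismatches, cem_aliases): unique, in order of first appearance."""
    mismatches, cem_aliases = [], []
    for line in lines:
        m = SSO_MISMATCH.search(line)
        if m and m.groups() not in mismatches:
            mismatches.append(m.groups())  # (installed on device, required by profile)
        m = CEM_CREDENTIAL.search(line)
        if m and m.group(1) not in cem_aliases:
            cem_aliases.append(m.group(1))
    return mismatches, cem_aliases


def scan_files(patterns):
    """Scan every file matching the given glob patterns."""
    lines = []
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh)
    return find_aliases(lines)


if __name__ == "__main__":
    # With no arguments, run on the constructed sample above.
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else find_aliases(SAMPLE)
    for installed, required in found[0]:
        print(f"installed on device: {installed} | set in VPN profile: {required}")
    for alias in found[1]:
        print(f"CEM credential value: {alias}")
```

Pass one or more glob patterns, such as the CtxLog_com.citrix.CitrixVPN*.csv files, as arguments to scan real logs.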

Additional Information

The certificate alias is not specific to the user account. The alias is specific to the credential policy configured on the CEM server, not to the certificate pushed by the policy.