Integration with Citrix Endpoint Management (Formerly XenMobile)

Preparing UEM Platform for Integration

Citrix Endpoint Management deploys the Harmony Mobile Protect app on a device.

Prerequisites

  • Harmony Mobile service integrates with Citrix Endpoint Management through the existing API. To enable integration, you must first create a Citrix Endpoint Management API account.

    Harmony Mobile integrates with Citrix Endpoint Management (On-Premise) through API access, provided that Citrix Endpoint Management is version 10.7 or later. Harmony Mobile uses the API to synchronize the device records, to retrieve the device apps list, and to report the device risk level to Citrix Endpoint Management.

  • Citrix Endpoint Management must be configured with an Apple Push Certificate (APNS) and Google Play Credentials.

  • The MDX app files for Citrix Mail and Citrix Web Browser have been added to the App Catalog.

  • For Active Directory integration, users to be registered to Harmony Mobile must belong to the Security Group(s) that will be tied to Harmony Mobile. See "Creating a Delivery Group".

Citrix Endpoint Management Console (Example):

General Workflow

  1. Create a Delivery Group for Check Point Harmony Mobile. See Creating a Delivery Group.

  2. To enroll users into Citrix Endpoint Management, send enrollment invitations. See Sending Enrollment Invitations.

  3. For integration from Harmony Mobile to Endpoint Management, create a limited administrator account (optional). See Creating Limited Administrator Account (optional).

Creating a local users Group

To include the delivery group that will be created in the next step in our own group, we must first create a local group.

  1. Navigate to Manage > Users and click the Manage Local Groups tab.

  2. Enter a Local Group name as shown in the example below and click on the “+” sign to the right.

Creating a Delivery Group

To deploy policies, configurations, apps, etc. in Endpoint Management, you must create a delivery group that contains the users whose devices are registered to Harmony Mobile.

  1. Navigate to Configure > Delivery Group and click Add.

  2. On the Delivery Group Info tab, provide a unique name for the Delivery Group, such as in the example below.

  3. Click Next.

  4. On the Assignments tab, in the Manage user Assignment section, select whether it is In Endpoint Management or In Citrix Cloud.

  5. In the Select Domain section select whether this is an AD Domain user group or a local Citrix group.

    1. If an AD Domain group, select the domain, and then enter in a Security Group name to search the AD database for the group. Select the Security Group(s) to include.

    2. If a local group, select local from the Domain section and enter in a User Group if one exists. If a user group doesn’t exist, you can skip selecting a group.

    3. If a local group, select local from the Domain section and enter in a User Group that you’ve created in the previous section.

    4. Click Next.

    5. Click Next through the remaining tabs until the final Summary tab, and then click Save.

Sending Enrollment Invitations

This step is not strictly required, but it helps the workflow for user engagement and enrollment into Citrix Endpoint Management. When you send enrollment invitations, the users are emailed enrollment instructions and any required authentication information.

  1. Navigate to Manage > Enrollment Invitations, click Add, and select Add Invitation.

  2. On the Enrollment Invitation tab, select the following:

    1. Recipient Group

    2. Platform: Select Android and iOS

    3. Domain: local

    4. Group: Select the group you created in the previous step

    5. Enrollment mode: User name + Password

  3. Toggle the Send Invitation button to be ON.

  4. Click Save & Send.

Enrolling Devices to Citrix Endpoint Management

Visit this guide for details on device enrollment to Citrix Endpoint Management.

Creating Limited Administrator Account (optional)

For integration from Harmony Mobile to Endpoint Management, create an administrator role and account that limits the access of this admin to only those permissions necessary to provide integration.

Best Practice - It is a best practice to create such an admin account, but it is optional.

Create a New Administrator Role

  1. Navigate to Settings > Server tab, find Role-Based Access Control in the list, and click it.

  2. Click Add.

  3. On the Add Role window, enter in a Name and select the following Authorized Access for this new role:

    1. Admin console access

    2. Remote Support access

    3. Public API access

  4. In addition to the Authorized Access permissions, select the following Console features for this role by scrolling to the desired features and selecting the checkboxes listed below:

    1. Devices > Clear Restriction

    2. Devices > Edit device

    3. Devices > View software inventory

    4. Local Users and Groups > Edit Local User

    5. Local Users and Groups > Local User Groups

  5. Click Next.

  6. On the Assignment tab click Save.
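
The role built above is the least-privilege baseline for the integration account, so it is worth re-checking after later console changes. The following check is an added example, not part of the Check Point or Citrix documentation: it assumes the role's granted features are kept as a hand-maintained text list in "Category > Feature" form (an assumed format, not a Citrix export, with the three access types filed under an "Authorized Access" category), and it reports anything granted beyond, or missing from, the list above.

```python
# Added example: compare a role's granted features with the baseline from this page.
# The "Category > Feature" text format is an assumption, not a Citrix export format.
BASELINE = """
Authorized Access > Admin console access
Authorized Access > Remote Support access
Authorized Access > Public API access
Devices > Clear Restriction
Devices > Edit device
Devices > View software inventory
Local Users and Groups > Edit Local User
Local Users and Groups > Local User Groups
"""

def parse_permissions(text):
    """Return a set of (category, feature) pairs, normalised for case and spacing."""
    perms = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        category, sep, feature = line.partition(">")
        if not sep or not category.strip() or not feature.strip():
            raise ValueError(f"line {lineno}: expected 'Category > Feature', got {raw!r}")
        perms.add((" ".join(category.split()).lower(),
                   " ".join(feature.split()).lower()))
    return perms

def audit_role(granted_text, baseline_text=BASELINE):
    """Report over-privilege (excess) and gaps that would break integration (missing)."""
    granted = parse_permissions(granted_text)
    baseline = parse_permissions(baseline_text)
    return {"excess": sorted(granted - baseline),
            "missing": sorted(baseline - granted),
            "compliant": granted == baseline}

# Constructed sample: one extra feature granted, one baseline feature absent.
SAMPLE_GRANTED = """
Authorized Access > Admin console access
Authorized Access > Remote Support access
Authorized Access > Public API access
Devices > Clear Restriction
devices >  Edit Device
Devices > Full Wipe device     # constructed extra, not in the baseline
Local Users and Groups > Edit Local User
Local Users and Groups > Local User Groups
"""

if __name__ == "__main__":
    print(audit_role(SAMPLE_GRANTED))
```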

Create a New Administrator Account

  1. Navigate to Manage > Users, click Add Local User.

  2. In Add Local User screen, fill in all required (*) fields with appropriate information, such as in the example below:

    1. Enter a valid name and password.

    2. In the Role field select the Role we created in the previous step Creating Limited Administrator Account (optional).

    3. In the Membership field select the local users group we created in the section Creating a local users Group.

  3. Click Save.

Note - At this point, you have all the information you need to configure the Device Management integration settings in the Harmony Mobile Dashboard.

From Our Examples:

Server = https://cpmobile.xm.cloud.com:4443/

API Admin Username/Password = Admin_User/<hidden>

Organization Local Group = SBM_local_group

Organization AD Group(s) = Users_Group_SBM