It’s a new way to manage Windows 10 in the cloud with Citrix XenMobile: Connectivity Management.
This is the first post in a blog series. Toward the end, we share a summary of Windows 10 features that have been released over the past couple of quarters, along with a preview of what’s to come.
Modern Endpoint Management and Windows 10
To get back to the components of modern endpoint management (MEM) and the functionality Citrix XenMobile provides, we wanted to start with a framework that we’ll reference in the next several blog posts. The components we’ll discuss in this blog are identity, on-boarding and connectivity of Windows 10 endpoints.
Identity and Windows 10
There are two primary options to onboard Windows 10 endpoints into the XenMobile UEM/MEM Service:
- Traditional User Identity: Active Directory (AD). Not to be confused with being domain joined, Active Directory can be used to enroll the endpoint into Citrix XenMobile Service. Active Directory, the traditional option, is usually hosted on-premises and is often accessed remotely via Lightweight Directory Access Protocol (LDAP).
- Cloud User Identity: Azure Active Directory (AAD), hosted in the cloud. Enrollment is the first step in the modern management of a device, and Azure Active Directory (AAD) is the Microsoft cloud service for identity management beyond the confines of the corporate domain.
Onboarding/Enrolling Windows 10 Endpoints into XenMobile
Onboarding of Windows 10 endpoints can be done in several ways. Some onboarding scenarios provide a better user experience than others.
- Manual Enrollment: With manual enrollment, the user has complete control of the Windows 10 endpoint and has decided to create or use an account, which may be a local or a domain account. The user therefore needs to open Settings from the Start menu, go to the account options, and select enroll only into device management. When you have autodiscovery for Windows 10 enabled for XenMobile, users can then enter their email addresses or UPNs, and automatic redirection to the XenMobile Service is handled by the Citrix Autodiscovery Service. See how manual enrollment with XenMobile and the Autodiscovery Service works together in this brief video.
To enable management of Windows endpoints, Citrix recommends that you configure autodiscovery and the Windows discovery service.
- Azure Active Directory Enrollment: Configuring AAD as your identity provider (IDP) lets users enroll in XenMobile using their Azure credentials. Endpoints running Windows 10 MDM enroll with Azure as a federated means of Active Directory authentication either out-of-the-box the first time the device is powered on, or from the Windows Settings page after the device is configured.
There are three main areas to integrate AAD with XenMobile to provide authentication for Windows 10 endpoints:
- Prepare AAD – you’ll need an AAD premium license and global admin login, then:
a. Add a custom domain
b. Sync AD with AAD
c. Add an “on-premises” MDM application in the AAD Portal (Note: XenMobile Service is cloud hosted; “on-premises” is defined by Microsoft docs)
- Configure Azure AD as a XenMobile IDP
- Enroll Windows 10 Client using AAD synced domain credentials
See how to do AAD enrollment with XenMobile all together in this brief video.
See details about AAD enrollment with XenMobile.
Enhancing your onboarding, enrollment of Windows 10 Endpoints
When you want to onboard, enroll and manage a substantial number of Windows 10 endpoints, or make the onboarding even easier for your end-users, then Microsoft Autopilot or Windows 10 Bulk Provisioning are good options. Both are supported by XenMobile.
Microsoft Windows AutoPilot
Windows AutoPilot is a collection of technologies used to set up and pre-configure new endpoints, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover endpoints. This solution enables an IT department to achieve these things with little to no infrastructure to manage, with a process that’s easy and simple. Citrix XenMobile Service has had support for Windows Autopilot since the release of XenMobile Service 10.7.5.
See how to implement Autopilot with XenMobile all together in this brief video.
See details on Windows AutoPilot.
Windows 10 Bulk Provisioning
XenMobile supports bulk enrollment of Windows 10 endpoints. With bulk enrollment, you can set up many endpoints for an MDM server to manage without the need to reimage endpoints. You can use the provisioning package for bulk enrollment for Windows 10 desktop endpoints. Follow these steps to set up and perform bulk enrollment. Citrix XenMobile Service has support for Windows Autopilot since the release of XenMobile Service 10.18.2.
See details on Windows 10 Bulk Provisioning.
Provision, Manage, and Secure Connectivity on Windows 10 Endpoints
Network access is an essential path for mobile endpoints to access apps and data, and managing it is an essential layer of securing those apps and data. XenMobile can configure endpoint WiFi and VPN connectivity to protect access to critical intranet assets.
Custom XML VPN
Unless you’re using Intune Managed browser, which seamlessly integrates with Citrix XenMobile microVPN, or Azure app proxy (if you don’t have too many apps to manage), you are likely in need of a per-app VPN solution.
In a blog earlier this quarter, Jeroen explains how to configure a Per-App VPN for WIP-protected Win10 Endpoints with CSPs using the XenMobile custom XML feature.
See how to do a Win 10 per-app VPN with XenMobile in this brief video.
Custom XML Wi-fi
Configuring Wi-fi correctly and securely is important to providing mobile device connectivity and protecting enterprise resources on the device. Here Jeroen shows how to configure Windows 10 Wi-fi parameters such as SSID, encryption and authentication details. He uses the Wi-Fi configuration service provider (CSP) and the Wi-Fi Profile Manager to build custom XML that XenMobile can deploy to any Windows 10 endpoint.
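As an added illustration (not code from this blog or from Citrix), the sketch below builds a WLAN profile, audits its authentication and encryption settings, and wraps it for the Wi-Fi CSP node ./Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml. The function names, the SSID and the passphrase are constructed for the example, and the SyncML Add wrapper is an assumed shape for the custom XML payload.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
WEAK_AUTH = {"open", "shared", "WPA", "WPAPSK"}  # no authentication or pre-WPA2
WEAK_ENC = {"none", "WEP", "TKIP"}               # anything other than AES

def make_profile(ssid, auth, enc, passphrase):
    """Build a personal-mode WLANProfile document (hypothetical helper)."""
    return (
        f'<WLANProfile xmlns="{NS["w"]}"><name>{escape(ssid)}</name>'
        f"<SSIDConfig><SSID><name>{escape(ssid)}</name></SSID></SSIDConfig>"
        "<connectionType>ESS</connectionType><connectionMode>auto</connectionMode>"
        f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
        f"<encryption>{enc}</encryption><useOneX>false</useOneX></authEncryption>"
        "<sharedKey><keyType>passPhrase</keyType><protected>false</protected>"
        f"<keyMaterial>{escape(passphrase)}</keyMaterial></sharedKey>"
        "</security></MSM></WLANProfile>"
    )

def audit_profile(xml_text):
    """Return findings for a WLANProfile before it is pushed to endpoints."""
    sec = ET.fromstring(xml_text).find("w:MSM/w:security", NS)
    if sec is None:
        return ["no MSM/security element"]
    findings = []
    auth = sec.findtext("w:authEncryption/w:authentication", "", NS)
    enc = sec.findtext("w:authEncryption/w:encryption", "", NS)
    if auth in WEAK_AUTH:
        findings.append(f"weak authentication: {auth}")
    if enc in WEAK_ENC:
        findings.append(f"weak encryption: {enc}")
    if sec.findtext("w:sharedKey/w:protected", "", NS) == "false":
        findings.append("note: pre-shared key is carried in cleartext in the profile")
    return findings

def to_syncml(xml_text, cmd_id=1):
    """Wrap the profile, XML-escaped, in a SyncML Add for the Wi-Fi CSP (assumed shape)."""
    ssid = ET.fromstring(xml_text).findtext("w:SSIDConfig/w:SSID/w:name", "", NS)
    loc = f"./Vendor/MSFT/WiFi/Profile/{escape(ssid)}/WlanXml"
    return (
        f"<Add><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{loc}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
        f"<Data>{escape(xml_text)}</Data></Item></Add>"
    )
```

Running audit_profile on every profile before calling to_syncml keeps WEP, TKIP or open networks out of the deployed policy; because a pre-shared key travels in cleartext inside the profile, access to the policy XML should be limited accordingly.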
Summary
As promised, here’s a summary of recent Windows 10 Modern Management features, many of which we’ll cover in upcoming blogs in the series.
- Bitlocker – encrypt and manage device disk to help protect sensitive data
- ADMX App Configuration – import/set Microsoft Win10 Admin app policy templates
- Control OS Update – approve/select and deploy Win 10 updates to managed devices
- Defender – enable defender on managed Win10 devices to help guard against malware
- Device Guard – harden Win10 against malware by ensuring only known good code runs
- Firewall – outside of the DMZ, anywhere, host based firewalls add another security
- Microsoft Store for Business – distribute Microsoft business apps to managed devices
- Windows Information Protection – manage apps to protect against enterprise data leakage
- Windows 10 Hello – set up face ID recognition to unlock Win10 devices
- Deploy Office 365 – push any or all Office 365 apps directly from Microsoft
- Kiosk Mode – restrict Win 10 devices to run a single app as a kiosk
- OS Update optimization – utilize Microsoft peer-to-peer client update service
- App Lock – blacklist / whitelist individual Win 10 apps
- Application Guard – virtualize Microsoft Edge browser sessions for non-trusted sites
While this blog series focuses on Windows 10 Modern Management, at the same time XenMobile continues to expand its managed footprint with broad platform support including iOS, Android, Windows 10, MacOS, all Android Enterprise modes, Chrome Enterprise, tvOS, Citrix’s Workspace Hub and other endpoints; not to mention XenMobile has the most comprehensive multi-container MAM solution in the industry, and the best suite of productivity apps, providing comprehensive Unified Endpoint Management! Comment below, tweet Jeroen @jjvlebon or me @tweetmattbrooks, or meet us in person at Citrix Synergy 2018 in Anaheim, May 7-10! Stay tuned for our deep dive on the next set of XenMobile Windows 10 features!