Auto-discovery simplifies the enrollment process for users by enabling them to enroll their devices using their corporate network user names and passwords rather than requiring them to enter details about the Device Manager server. User names must be entered in user principal name (UPN) format; for example,

Auto-discovery normally requires that you send the Citrix Technical Support team specific deployment information and, in the case of Windows devices, an SSL certificate. After Citrix receives this information, when users enroll their devices, the domain information is extracted and mapped to a server address so that the user has only to enter their Microsoft Active Directory password to enroll. This information is maintained in the Citrix XenMobile database so that it is always accessible and available when users enroll. More information about how to achive this with Citrix Cloud Ops:

But you can achive the same with your existing NetScaler and some additional policies and DNS changes. Here a short step by step guide:

  1. Add a SSL-LB-Vserver externally reachable over Port 443 or use an existing SSL-CS-Vserver and use a CS-policy to send traffic to the Host “” to a dedicated LB-Vserver.
  2. Bind the related certificate on the SSL-Vserver. When using CS-Vserver you need a wildcard certificate.
  3. Add a fake Server/Service to the LB-Vserver that the Vserver stays always up. We do not send traffic to the Server/Service configured.
  4. Add a DNS reccord to your official DNS-Servers for the Host “” pointing to the SSL-LB-Vserver or to the SSL-CS-Vserver IPon the NetScaler.
  5. Add 2 rewriting actions and the related policies. One for http request and one for http respond:Rewriting request policy and action:

    add rewrite action rw-action-enterpriseenrollment-request replace_all HTTP.REQ.URL “\”/zdm/wpe\”” -search “regex(re~.*~)”
    add rewrite policy ns-enterpriseenrollment-request true rw-action-enterpriseenrollment-requestRewriting response

    add rewrite action rw-action-enterpriseenrollment-respond replace_all “HTTP.RES.BODY(60000).SET_TEXT_MODE(IGNORECASE)” “\”\”” -search “text(\”\”)”
    add rewrite policy ns-enterpriseenrollment-respond true rw-action-enterpriseenrollment-respond
  6. Bind the 2 rewriting policies to the LB-Vserver created in step 1 or 2.
    bind lb vserver enterpriseenrollment -policyName ns-enterpriseenrollment-request -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver enterpriseenrollment -policyName ns-enterpriseenrollment-respond -priority 100 -gotoPriorityExpression END -type RESPONSE
  7. enroll your device with your email address