This blog post was co-written by XenMobile team members Sameer Mehta, Robin Manke-Cassidy, and Shaunak Mistry.

Security and ease of use are the top drivers for organizations today when choosing solutions for their end-users. These choices are the key building blocks to enable the Future of Work experience. To help our customers embrace this experience, XenMobile, along with our partner Intercede, have introduced the derived credentials solution. Though the capabilities will continue to roll out over the rest of this year, we wanted to give you introduction to the derived credentials feature in XenMobile 10.6.

The enrollment for users with smart card technology has been a very laborious proposition. It required special hardware that transformed a slick device into a cumbersome process for end users and it is costly to maintain and procure for organizations. Prior to XenMobile Server 10.6, customers had many choices in methods for enrollment, such as the list below; however, for smart card users, the options were limited.


The release of XenMobile 10.6 introduced the option to enroll with the new virtual smart card (derived credential technology) with iOS MDM enrollment.


Derived credential technology with XenMobile and Intercede provides a unique value to this once high security but difficult user experience, which resulted from the implementation of smart card technology. Customers can now enforce high security that meets the latest U.S. government mobile security standards, but provide with a better end-user experience by:

  • Eliminating dependency on an Active Directory user-id or password, either during enrollment or through subsequent Active Directory password changes.
  • Provide compliance with NIST specifications where the private key never leaves the device while being protected within a secure vault.

Let’s walk through the derived credential technology. First, these are the components required to run derived credentials enrollment:

Second, let’s look at the high-level topology. You can see that Secure Hub is the initiator of the derived credential process.


  1. User installs the application MyID for Citrix and Secure Hub from the Apple App Store. By launching Secure Hub, the secure communication channel is initiated that manages the iOS MDM enrollment by deriving the credential from the MyID for Citrixcongratulations-to-citrix-2017-crn-women-of-the-channel-3
  2. Additionally, XenMobile server enhances the security by validating the derived credential through OCSP check during enrollment. Thus, preventing rogue derived credentials from impersonating a user identity.
  3. Upon successful enrollment, additional Secure Apps and digital workspace components can be deployed to the device.
  4. Secure Mail can be further secured to accept S/MIME for signing and email encryption.

At Citrix Synergy, our team presented a deep-dive session on the Derived Credentials solution.

Be on the lookout as we will continue to inform you about the exciting developments as we extend our Derived Credentials capabilities and empower you to embrace the Future of Work.

EMM banner