It’s a new way to manage Windows 10 in the cloud with Citrix XenMobile: identity, onboarding and connectivity management.
The week before last, we were recovering from Mobile World Congress (MWC) and the week before that, we were in Barcelona at MWC (enough said!) Analysis? Humans need sleep. That said…
Thanks to Jack Madden for the shout-out in his Friday notebook the week before MWC. To answer your question, “YES,” we’ve been quietly building an arsenal of Unified Endpoint Management (UEM) features across a variety of platforms (see What’s New). It’s chock full of functionality to manage a variety of platforms (Chrome OS, Raspberry Pi and Android Things, to name a few recent additions) and, of course, Windows 10 endpoints.
First, we’ll dive into the feature groups we’ve planned for the blog series. Toward the end, we want to share a summary of Windows 10 features that have been released over the past couple of quarters, along with a preview of what’s to come.
Modern Endpoint Management and Windows 10
To get back to the components of modern endpoint management (MEM) and the functionality Citrix XenMobile provides, we wanted to start with a framework that we’ll reference in the next several blog posts. The components we’ll discuss in this blog are identity, on-boarding and connectivity of Windows 10 endpoints.
Identity and Windows 10
There are two primary identity options for onboarding Windows 10 endpoints into the XenMobile UEM/MEM Service:
- Traditional user identity: Active Directory (AD). Not to be confused with domain join, AD can be used as the identity source to enroll the endpoint into Citrix XenMobile Service. AD, the traditional option, is usually hosted on-premises and is typically queried over Lightweight Directory Access Protocol (LDAP) for remote access.
- Cloud user identity: Azure Active Directory (AAD). Enrollment is the first step in the modern management of a device, and AAD is the Microsoft cloud identity service that works beyond the confines of the corporate domain, which makes it a natural fit for cloud-hosted enrollment.
Onboarding/Enrolling Windows 10 Endpoints into XenMobile
Onboarding of Windows 10 endpoints can be done in several ways. Some onboarding scenarios provide a better user experience than others.
- Manual enrollment: With manual enrollment the user has complete control of the Windows 10 endpoint and signs in with an account of their choosing, which may be a local or a domain account. The user opens Settings from the Start menu, goes to Accounts > Access work or school, and selects Enroll only in device management. When autodiscovery for Windows 10 is enabled for XenMobile, users can then enter their email address or UPN, and the Citrix Autodiscovery Service redirects them automatically to the XenMobile Service. See how manual enrollment and the XenMobile Autodiscovery Service work together in this brief video.
To enable management of Windows endpoints, Citrix recommends that you configure autodiscovery and the Windows discovery service.
- Azure Active Directory enrollment: Configuring AAD as your identity provider (IdP) lets users enroll in XenMobile with their Azure credentials. Windows 10 endpoints enroll into MDM through AAD, which federates authentication to your Active Directory, either out of the box the first time the device is powered on or from the Windows Settings page after the device is configured.
There are three main steps to integrate AAD with XenMobile so it can authenticate Windows 10 endpoints:
- Prepare AAD – you’ll need an AAD premium license and global admin login, then:
a. Add a custom domain
b. Sync AD with AAD
c. Add an “on-premises” MDM application in the AAD portal (Note: XenMobile Service is cloud hosted; “on-premises” is the term Microsoft’s docs use for this application type)
- Configure Azure AD as a XenMobile IDP
- Enroll Windows 10 Client using AAD synced domain credentials
Enhancing onboarding and enrollment of Windows 10 endpoints
When you want to onboard, enroll and manage a substantial number of Windows 10 endpoints, or make onboarding even easier for your end users, Windows Autopilot and Windows 10 bulk provisioning are good options. Both are supported by XenMobile.
Microsoft Windows Autopilot
Windows Autopilot is a collection of technologies used to set up and pre-configure new endpoints, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover endpoints. It lets an IT department achieve these things with little to no infrastructure to manage, through a process that is simple for the user. Citrix XenMobile Service has supported Windows Autopilot since the release of XenMobile Service 10.7.5.
Windows 10 Bulk Provisioning
XenMobile supports bulk enrollment of Windows 10 endpoints. With bulk enrollment, you can set up many endpoints for an MDM server to manage without having to reimage them, using a provisioning package built for Windows 10 desktop endpoints. Citrix XenMobile Service has supported Windows 10 bulk provisioning since the release of XenMobile Service 10.18.2.
See details on Windows 10 Bulk Provisioning, including the steps to set up and perform bulk enrollment.
Provision, Manage, and Secure Connectivity on Windows 10 Endpoints
Network access is an essential path for mobile endpoints to reach apps and data, and managing it is an essential layer in securing those apps and data. XenMobile can configure endpoint Wi-Fi and VPN connectivity to protect access to critical intranet assets.
Custom XML VPN
In a blog earlier this quarter, Jeroen explains how to configure a per-app VPN for Windows 10 endpoints protected by Windows Information Protection (WIP), using configuration service providers (CSPs) and the XenMobile custom XML feature.
See how to do a Win 10 per-app VPN with XenMobile in this brief video.
Custom XML Wi-Fi
Configuring Wi-Fi correctly and securely matters both for providing mobile device connectivity and for protecting the enterprise resources on the device. Here Jeroen shows how to configure Windows 10 Wi-Fi parameters such as SSID, encryption and authentication details. He uses the Wi-Fi configuration service provider (CSP) and the Wi-Fi Profile Manager to build custom XML that XenMobile can deploy to any Windows 10 endpoint.
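As an added example, not Citrix’s code and not the custom XML from Jeroen’s two posts, the Python below builds the two kinds of payload those posts describe: a WPA2-Enterprise Wi-Fi profile for the Wi-Fi CSP and a per-app VPN profile for the VPNv2 CSP. It wraps each in the SyncML Add block that the custom XML device policy takes, and audits the Wi-Fi profile for the weakness a rogue access point relies on: 802.1X that still lets the user accept an unknown RADIUS server. The SyncML shape, the OMA-URI paths and the trimmed EAP-TLS block are written from the CSP documentation rather than taken from this page, and CorpWiFi, CorpPerAppVPN, vpn.example.com, corp-radius.example.com and CrmClient.exe are placeholders.

```python
"""Build and audit the Windows 10 CSP payloads a XenMobile custom XML policy carries:
a SyncML <Add> whose <Data> holds an XML-escaped Wi-Fi (WLAN) or VPNv2 profile.
Added example, not Citrix's code; CorpWiFi, CorpPerAppVPN, vpn.example.com,
corp-radius.example.com and CrmClient.exe are placeholder names."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ALLOWED_AUTH = {"WPA2", "WPA2PSK"}  # open, WEP and WPA(1) are flagged by the audit

# Constructed 802.1X / EAP-TLS block, trimmed to the fields the audit below checks
# (no TrustedRootCA thumbprint); export the real one from a reference machine.
SAMPLE_ONEX = (
    '<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machineOrUser'
    '</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">'
    '<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>'
    '<Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>'
    '<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">'
    '<CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection>'
    '</CertificateStore></CredentialsSource><ServerValidation>'
    '<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>'
    '<ServerNames>corp-radius.example.com</ServerNames></ServerValidation>'
    '</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>'
)

def syncml_add(loc_uri, payload_xml, cmd_id=1):
    """Wrap a CSP node value in the SyncML <Add> the custom XML device policy takes;
    the profile is XML-escaped so it travels as the string (chr) value of the node."""
    return (f"<Add><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{escape(loc_uri)}</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">chr</Format><Type xmlns="syncml:metinf">text/plain</Type>'
            f"</Meta><Data>{escape(payload_xml)}</Data></Item></Add>")

def syncml_data(syncml):
    """Parse an <Add> back and return the node value (ElementTree unescapes it)."""
    return ET.fromstring(syncml).findtext("Item/Data")

def wlan_profile(ssid, onex_xml):
    """WPA2-Enterprise (AES + 802.1X) profile for ./Device/Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml;
    the EAP method and server validation settings come from onex_xml."""
    if "<OneX" not in onex_xml:
        raise ValueError("WPA2-Enterprise needs an <OneX> EAP block")
    return (f'<?xml version="1.0"?><WLANProfile xmlns="{WLAN_NS}"><name>{escape(ssid)}</name>'
            f"<SSIDConfig><SSID><name>{escape(ssid)}</name></SSID><nonBroadcast>false</nonBroadcast>"
            "</SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode>"
            "<MSM><security><authEncryption><authentication>WPA2</authentication>"
            f"<encryption>AES</encryption><useOneX>true</useOneX></authEncryption>{onex_xml}"
            "</security></MSM></WLANProfile>")

def _child_text(el, name):
    """Text of the first child whose local name is `name`, ignoring its namespace."""
    return next(((c.text or "").strip() for c in el if c.tag.rsplit("}", 1)[-1] == name), "")

def audit_wlan_xml(wlan_xml):
    """Findings for a WlanXml value: weak auth/encryption, or 802.1X that lets the user
    accept an unknown RADIUS server (what an evil-twin AP needs to harvest credentials)."""
    root = ET.fromstring(wlan_xml)
    ns = {"w": WLAN_NS}
    findings = []
    auth = root.findtext(".//w:authEncryption/w:authentication", namespaces=ns)
    enc = root.findtext(".//w:authEncryption/w:encryption", namespaces=ns)
    if auth not in ALLOWED_AUTH:
        findings.append(f"weak authentication: {auth}")
    if enc != "AES":
        findings.append(f"weak encryption: {enc}")
    if root.findtext(".//w:useOneX", namespaces=ns) == "true":
        # ServerValidation sits in the EAP method's own namespace (EAP-TLS, PEAP, ...)
        sv = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "ServerValidation"), None)
        if (sv is None or _child_text(sv, "DisableUserPromptForServerValidation") != "true"
                or not _child_text(sv, "ServerNames")):
            findings.append("802.1X without strict server validation")
    return findings

def vpn_profile(server, app_path):
    """VPNv2 ProfileXML for a per-app VPN: IKEv2 with machine certificate, split tunnel,
    brought up only when app_path starts, with a traffic filter so only that app's traffic
    can use it (AlwaysOn stays false, so this is not a device-wide tunnel)."""
    app = escape(app_path)
    return (f"<VPNProfile><NativeProfile><Servers>{escape(server)}</Servers>"
            "<NativeProtocolType>IKEv2</NativeProtocolType>"
            "<Authentication><MachineMethod>Certificate</MachineMethod></Authentication>"
            "<RoutingPolicyType>SplitTunnel</RoutingPolicyType></NativeProfile>"
            f"<AppTrigger><App><Id>{app}</Id></App></AppTrigger>"
            f"<TrafficFilter><App><Id>{app}</Id></App></TrafficFilter>"
            "<AlwaysOn>false</AlwaysOn><RememberCredentials>true</RememberCredentials></VPNProfile>")

def build_policies():
    """Both SyncML payloads as they would be pasted into a XenMobile custom XML policy."""
    wifi = wlan_profile("CorpWiFi", SAMPLE_ONEX)
    assert audit_wlan_xml(wifi) == [], audit_wlan_xml(wifi)
    vpn = vpn_profile("vpn.example.com", r"%ProgramFiles%\Contoso\CrmClient.exe")
    return {"wifi": syncml_add("./Device/Vendor/MSFT/WiFi/Profile/CorpWiFi/WlanXml", wifi, 1),
            "vpn": syncml_add("./Device/Vendor/MSFT/VPNv2/CorpPerAppVPN/ProfileXML", vpn, 2)}
```

For a real rollout, take the OneX block from a machine that already joins the SSID (netsh wlan export profile) rather than the trimmed sample, then run audit_wlan_xml on the result before pushing it: a profile that leaves DisableUserPromptForServerValidation false or ServerNames empty still connects fine, so the weakness never shows up as a deployment failure, only as a user who can be talked into accepting a fake RADIUS server. The VPN side is per-app by construction; if you want the tunnel tied to WIP-protected apps instead of one executable, that is the VPNv2 EdpModeId setting, which is not shown here.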
As promised here’s a summary of recent Windows 10 Modern Management features, many of which we’ll cover in upcoming blogs in the series.
- BitLocker – encrypt and manage the device disk to help protect sensitive data at rest
- ADMX App Configuration – import and set Microsoft Win10 ADMX-backed app policy templates
- Control OS Update – approve, select and deploy Win 10 updates to managed devices
- Defender – enable Windows Defender on managed Win10 devices to help guard against malware
- Device Guard – harden Win10 against malware by ensuring only known good code runs
- Firewall – anywhere, not just outside the DMZ, a host-based firewall adds another layer of security
- Microsoft Store for Business – distribute Microsoft business apps to managed devices
- Windows Information Protection – manage apps to protect against enterprise data leakage
- Windows Hello – set up Windows Hello sign-in (face recognition, fingerprint or PIN) to unlock Win10 devices
- Deploy Office 365 – push any or all Office 365 apps directly from Microsoft
- Kiosk Mode – restrict Win 10 devices to run a single app as a kiosk
- OS Update optimization – use Microsoft’s peer-to-peer client update service (Delivery Optimization)
- App Lock – blacklist / whitelist individual Win 10 apps
- Application Guard – isolate Microsoft Edge browser sessions for untrusted sites in a virtualized container
While this blog series focuses on Windows 10 modern management, XenMobile at the same time continues to expand its managed footprint with broad platform support, including iOS, Android, Windows 10, macOS, all Android Enterprise modes, Chrome Enterprise, tvOS, Citrix Workspace Hub and other endpoints; not to mention that XenMobile has the most comprehensive multi-container MAM solution in the industry and the best suite of productivity apps, providing comprehensive Unified Endpoint Management! Comment below, tweet Jeroen @jjvlebon or me @tweetmattbrooks, or meet us in person at Citrix Synergy 2018 in Anaheim, May 7-10! Stay tuned for our deep dive on the next set of XenMobile Windows 10 features!
Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.