As I work, on a daily basis, with customers who are configuring their Citrix Endpoint Management environment for the first time, I’ve found that, often, decisions about management modes and enrollment options have not been given much consideration. Because of this, I’ve seen initial configurations and rollouts come to a screeching halt while organizations scramble to figure out which enrollment option and management modes are right for them.

In my previous post, “Cloud Guidepost: Citrix Endpoint Management – Enrolling your devices Pt. 1”, I covered the management modes available with Citrix Endpoint Management. This post, a continuation of the previous, will cover the four enrollment options. Your selected enrollment option will define the steps required for a user to enroll their BYOD or corporate-owned device.

Let’s review the four enrollment options:

Manual enrollment

Manual enrollment is the default enrollment option of a net-new Citrix Endpoint Management environment. There are two main ways to handle manual enrollment: (1) manual enrollment with auto-discovery and (2) manual enrollment without auto-discovery. Out of the box, without any additional configuration, manual enrollment will be completed without auto-discovery. In this case, we have a couple options. Admins can create a guide that details the enrollment process for users, distribute the guide to the users who will be enrolling their devices, and allow them to enroll the device themselves. Alternatively, users can bring their devices to the IT department to facilitate the enrollment process on behalf of the users.

At a high level, beginning the enrollment process for manual enrollment without auto-discovery looks like this:

  • Users will download the Secure Hub application from the Apple App Store or Google Play Store
  • Launch Secure Hub
  • Type in the MDM or MAM fully qualified domain name (FQDN) of the Citrix Endpoint Management environment, depending on the management mode.

This can be a bit cumbersome to end-users, as the FQDN may be quite long or difficult to remember. It’s recommended that this FQDN is included in the enrollment guide, should your organization decide to go that route.

The second option — manual enrollment with auto-discovery — follows a similar flow. The difference being, users will type their email address or user principal name into Secure Hub to begin the enrollment process instead of the Endpoint Management FQDN. This is a better user experience, as users will not have to remember or reference the FQDN to begin the enrollment process, they will just supply information they already know.

Enrollment invitation

Users can be invited to enroll their devices in Citrix Endpoint Management, enabling admins far more control over who is allowed to enroll devices and how users will authenticate. Enrollment invitations can be sent via email or SMS. Within the enrollment invitation option, there are seven enrollment modes which define the information end-users will provide for authentication:

  • User name + Password
  • Invitation URL
  • Invitation URL + PIN
  • Invitation URL + Password
  • Two Factor
  • User name + PIN
  • High Security

You may be wondering, “What does the high security option entail?” High security sends the user the following three emails:

  • An email with a download link that allows the user to download and install the Connect client app.
  • An email with an enrollment invitation web address, that allows the user to launch the client app and enroll the user’s device.
  • An email with a one-time PIN that the user must enter when enrolling the device, along with the user’s Active Directory (or local) user name and password.

When using the high security method, the user can only enroll by using the web address in the notification. If the user loses the notification invitation, the user cannot enroll with the sent invitation. You can, however, send another invitation.

Additional information on the configuration of enrollment modes with enrollment invitations can be found here. Furthermore, steps to create and send enrollment invitations can be found here. This method should be used when admins wish to configure selective enrollment by invite only.

Self-help portal

For organizations who wish to enable their end-users the ability to generate their own enrollment invitations, in an effort to mitigate the facilitation of enrollment by IT, Citrix Endpoint Management offers a self-help portal for device enrollment. End-users will be able to sign in to the self-help portal with their credentials and generate enrollment links or send themselves an enrollment invitation. This enrollment option will use username and password as the default authentication requirement but can be configured to use two factor, or username and PIN.


Finally, we have enterprise enrollment. This is the preferred enrollment option for organizations that will be issuing corporate-owned devices to their end-users. This enrollment option depends on Apple DEP and/or Android for Work programs. These programs allow organizations to purchase preconfigured devices, enabling automatic or guided enrollment of DEP or Android for Work devices, respectively, the moment they are powered on for the first time. Additional information regarding Apple DEP integration can be found here. Information regarding Android for Work integration can be found here.


My hope is that this post and the previous post have shed light on some of the options Citrix Endpoint Management offers for enrollment and which options and management modes are appropriate given certain use cases. Ultimately, I hope these posts will help drive the enrollment and management option conversations within your organization, making your rollout as seamless as possible!

JonnyLee Giard
Cloud Success Engineer