Android Enterprise devices managed by Citrix Endpoint Management (CEM) – Notes from the field

This blog post does not describe the Android Enterprise functionality or the basic management. This post also will not describe how to enable Android Enterprise for Citrix Endpoint Management in great detail, at least not in a complete step by step guide.

The content of this post is based on a CEM instance hosted by Citrix Cloud, because it fully supports all Android Enterprise features. XenMobile Server (XMS) 10.13 seems to support more and more features, but it is not comparable at this point in time. If you have planned to migrate your on-premises XenMobile Server to the Citrix Cloud, follow my tips.

I will give you a short overview of the requirements and some interesting notes from the field: the stumbling blocks I have found, so that you do not stumble! Let’s start with the requirements.

Requirements for Android Enterprise Support

First of all, some requirements need to be met to manage Android Enterprise devices. An Android Google Play Store account is required, and the account should be exclusive to the CEM environment.

However, each Google Play Store account can be assigned to only one Mobile Device Management, which means you will need a new account for each migration project. These accounts are free and you should only be charged for the paid apps. It is similar to the Apple Volume Purchase Program. Also, this Google Play Store account is required to approve your enterprise apps for the managed enterprise store.

Citrix Cloud Endpoint Management Enable Android Enterprise

Furthermore, you need to enable Google Firebase Messaging for real-time notifications. To do this, you can use the same Google account as used for the Play Store. You need to create a new project, e.g. named CEM Notification, which creates a server key and a sender ID. These values must be copied and pasted into the CEM GUI (Settings > Google Firebase Messaging). More detailed information here!

Citrix Cloud Endpoint Management Google Firebase Cloud Messaging Settings

My personal recommendation is to use Citrix Cloud hosted CEM, but it seems that XenMobile Server 10.13 supports more Android Enterprise features than in previous firmware releases.

As a final requirement, the devices must run Android 7.0 or higher. Otherwise the devices can only be managed by the Android legacy administrator option.

Short summary of requirements:

  • Android Google Play Store Account for the business appstore and pairing with CEM instance
  • Google Firebase Messaging API ID for real-time notification, e.g. selective wipe or send a message
  • CEM hosted in Citrix Cloud or XMS 10.13 build and higher
  • Android devices with operating system version greater than Android 7.0

Notes from the field

Now, it’s time for some best practices and tips. I’ll give you some hints from the practice of my recent Android Enterprise projects with Citrix Endpoint Management (CEM). Later I will update this post if I encounter any new stumbling blocks.

Define an enrollment profile

What are enrollment profiles? These profiles define the enrollment mode for your mobile devices, so that you can configure BYOD or fully managed corporate devices as the Android Enterprise enrollment mode for different Active Directory user groups. This feature gives you more flexibility and can be configured for iOS and Android enrollment as well.

To support both the Android Legacy Device Administrator and Android Enterprise enrollment types, you must ensure that the global enrollment profile is set to “Android Legacy Mode”. Otherwise, older Android devices running a version lower than Android 7.0 may experience enrollment issues. Open the enrollment profiles and edit the global enrollment profile.

Citrix Cloud Endpoint Management Enrollment Profile Global

Select “Legacy device administration” as your global enrollment profile so that your environment will support Android devices that do not support Android Enterprise, such as mobile scanners or specialized industrial mobile devices.

Citrix Cloud Endpoint Management Enrollment Profile Global Android Legacy

To enable Android Enterprise, you need to create a new enrollment profile, for example, named “Android_Enterprise_Enabled”, and select “Android Enterprise” as the management mode together with your preferred device ownership mode. Company-owned devices have to be completely wiped before they can be enrolled. Fully managed with work profile can be used for both corporate and BYOD devices, which means your device will be split into a private and a business container.

Citrix Cloud Endpoint Management Enrollment Profile Global Android Enterprise

The next step is to create a new delivery group and bind the Android Enterprise enrollment profile to it. Remember that the delivery groups are processed alphabetically and the last group wins for the enrollment mode. With this in mind, the name of your delivery group must start with one of the last letters of the alphabet, for example “zAndroidEnterprise_Enabled”. That allows you to support both Android Legacy and Android Enterprise devices.

Citrix Cloud Endpoint Management Deliverygroup Android Enterprise

How to manage Android Enterprise Apps for Work

Android Enterprise Apps for Work are apps that your users need for their daily business. They are the same app builds as those for the end user: it is the same Play Store library, split into personal and business.

Every Android Enterprise app you want to manage via Mobile Device Management must be approved in the Google Play Store for Work. You can approve or upload apps directly via the link to the Google Play Store for Work: https://play.google.com/work?hl=en or via the Citrix Endpoint Management administration GUI by adding new public store apps.

Find the Android app you want to approve, and then confirm by accepting all the permissions the app requires from the devices. This is not difficult, but there is something to consider.

Citrix SecureWeb Apps on Android Enterprise GooglePlay Approved
Citrix SecureWeb Apps on Android Enterprise GooglePlay Approve

You need to decide what happens when the app requests new permissions. For example, an app version 1.0 only needs access to photos, but in app version 1.1 it needs more permissions to read contacts or check locations. If you keep the permission, the user can install the app as before, but it allows the app to use more device information than before.

This could violate company policies. I recommend enabling notifications when the app requests new permissions and then deciding app by app what to do.

Citrix SecureWeb Apps on Android Enterprise GooglePlay KeepPermissions

You can push the apps silently to the devices or provide them as optional apps in the Enterprise Store. In-house developed apps, APK apps that include the MAM SDK, and web links for the device home screen must be uploaded to the Google Play Store to work as well.

MyManaged Apps GooglePlay For Work

All Citrix Secure Apps are still available and only need to be approved for your account. One thing you have to do is upload the MDX files to your Endpoint Management and define your app settings, like your Microsoft Exchange server or browser bookmarks.

Device Policies & Apps Filtering

Citrix Endpoint Management gives you the opportunity to filter most objects, like device policies or apps. That feature is called “Deployment Rules” and allows you to create filter rules based on the device properties. What does it mean for Android Enterprise? It helps you to distinguish which policies or apps should be deployed to Android Legacy devices and which to Android Enterprise devices.

The following device properties are only available once an Android Enterprise device has been enrolled. So you have to enroll one Android Enterprise device first or create an Android dummy device with the following property values:

Citrix Cloud Endpoint Management Android Enterprise Devices Properties

You can use these values to filter your policies or apps. For example, if you don’t filter your apps, then the apps for both Android Legacy and Android Enterprise will appear in the Secure Hub Corporate Store.

Furthermore, it makes sense to filter the device policies as well. You find the deployment rules at the bottom of every policy or app. It’s a little bit hidden. Unfortunately, there are no global settings, which means that you have to define your rules manually for each object. Additionally, there are no API calls to automate these tasks.

How it looks in the administration console:

Citrix Cloud Endpoint Management Deployment Rules Android Legacy

If you want to assign your policies or apps only to Android legacy devices, you have to use this rule:

Limit by known device property name Android Enterprise Enabled Device? isn't equal to true

Otherwise use this rule for Android Enterprise:

Limit by known device property name Android Enterprise Enabled Device? is equal to true

In short, you can keep using your existing delivery groups and only need to extend your device policies and apps to support Android Enterprise. Do not forget to set the deployment rules.
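Because the rules have to be set by hand on every object, it helps to check a planned configuration offline before rollout. The following is an added example, not code from this post or from Citrix: it models the "last delivery group wins" ordering and the two deployment rules above. All group and object names are constructed, and case-insensitive name comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeliveryGroup:
    name: str
    enrollment_profile: str

@dataclass
class ManagedObject:  # a device policy or an app
    name: str
    # Rule on "Android Enterprise Enabled Device?":
    # True = "is equal to true", False = "isn't equal to true", None = no rule
    ae_rule: Optional[bool]

def effective_profile(groups):
    """Enrollment profile of the alphabetically last group (last group wins).
    Assumption: names are compared case-insensitively."""
    if not groups:
        return None
    return max(groups, key=lambda g: g.name.casefold()).enrollment_profile

def unfiltered(objects):
    """Objects with no deployment rule; they reach both device types."""
    return [o.name for o in objects if o.ae_rule is None]

def delivered_to(objects, device_is_ae):
    """Objects a device receives, given the value of its AE property."""
    return [o.name for o in objects if o.ae_rule in (None, device_is_ae)]

# Constructed inventory, typed in by hand from the console (hypothetical names)
LEGACY = DeliveryGroup("Field_Scanners", "Global (legacy device administration)")
AE_GOOD = DeliveryGroup("zAndroidEnterprise_Enabled", "Android_Enterprise_Enabled")
AE_BAD = DeliveryGroup("AndroidEnterprise_Enabled", "Android_Enterprise_Enabled")
OBJECTS = [
    ManagedObject("Passcode policy (legacy)", False),
    ManagedObject("Restriction policy (AE)", True),
    ManagedObject("Secure Mail (public store app)", None),  # rule forgotten
]

if __name__ == "__main__":
    print("z-prefixed group:", effective_profile([LEGACY, AE_GOOD]))
    print("unprefixed group:", effective_profile([LEGACY, AE_BAD]))
    print("objects without a rule:", unfiltered(OBJECTS))
    print("legacy device receives:", delivered_to(OBJECTS, False))
```

A user who is in both the legacy group and the unprefixed Android Enterprise group ends up with the legacy profile, which is the case the "z" prefix avoids.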

Android Enterprise Device Policies

There are different types of device policies, such as WLAN, passcode, credential or restriction policies. First, I will focus on the best restriction policies for Android Enterprise and then continue with some other interesting policies. Any existing device policy used for Android Legacy can be extended for Android Enterprise.

However, you must ensure that the filtering rules described above are defined. First, you need to specify which logon mode this policy should apply to, whether for BYOD with work profile or fully managed corporate devices.

Restriction Policy

Here are my best restriction policies for Android Enterprise that you should consider. There are so many more restrictions for every use-case.

| Restriction | Function |
|---|---|
| Allow screen capture | Enable this setting for screen recording/sharing such as Teamviewer Quicksupport or screenshots. |
| Allow VPN configuration | Enable this setting for PerAppVPN support, e.g. via Citrix SSO App & Citrix ADC, otherwise no VPN can be established. |
| Allow use of camera | This setting only allows using the camera from managed Android apps, which does not mean that the camera app is available. |
| Enable system apps | Activate this option and define the system apps which should be shown in the work profile or on the managed device. For example the camera app with app id “com.sec.android.app.camera”. See more app ids here. |
| Allow cross profile copy and paste | This function allows the transfer of data and clipboard between the private and business profile. I recommend disabling this function to prevent data transfer. |
| Allow user control of application settings | This setting allows users to uninstall apps, clear the app cache, force-stop an app process and perform any other app action. I would enable this feature because otherwise users will not be able to uninstall apps. |
| Allow work profile app widgets on home screen (BYOD work profile) | Allow this feature and define an app list to be displayed as a widget on the home screen. For example, the Citrix Secure Mail app, which you can select from the app list if it was added as a public store app. |
| Allow work profile contacts in device contacts (BYOD work profile) | This setting is important for incoming calls to display the caller ID of a business contact with BYOD work profile. Otherwise only the number would be displayed. |

How it looks in the CEM administration web GUI (Configure > Device Policy > Restriction > Android Enterprise):

Citrix Cloud Endpoint Management Android Enterprise Restriction Security Apps
Citrix Cloud Endpoint Management Android Enterprise Restriction App BYOD

Automatically Update Managed Apps Policy

Without an Automatically Update Managed Apps Policy, the users have to install app updates manually. But that doesn’t work because users don’t do it themselves. It’s very simple to define the auto update for managed apps.

Citrix Cloud Endpoint Management Android Enterprise Device Policy Auto Update Managed Apps

You create a new device policy of type “Automatically Update Managed Apps Policy” and select your preferred update behavior for your managed apps. The option “Always” also uses the cellular network, such as 4G or 5G, whereas “Only when device is connected to WiFi” saves cellular data usage.

Android System Apps

Here you can find a list of some default Android system apps:

com.android.mms
com.sec.android.app.myfiles
com.sec.android.widgetapp.easymodecontactswidget
com.sec.android.app.camera
com.sec.android.gallery3d
com.sec.android.app.voicenote
com.sec.android.app.popupcalculator
com.sec.android.app.clockpackage
com.sec.android.app.magnifier
com.sec.android.daemonapp
com.samsung.android.app.memo
com.samsung.android.messaging
com.samsung.android.calendar
com.samsung.android.app.notes
com.samsung.android.weather
com.samsung.android.app.galaxyfinder
com.samsung.android.app.reminder
com.samsung.android.lool
com.diotek.sec.lookup.dictionary
com.android.bluetooth
com.android.contacts
com.android.keychain
com.android.keyguard
com.android.launcher
com.android.nfc
com.android.phone
com.android.providers.downloads
com.android.settings
com.android.systemui
com.android.vending
com.google.android.apps.enterprise.dmagent
com.google.android.deskclock
com.google.android.dialer
com.google.android.gms
com.google.android.GoogleCamera
com.google.android.googlequicksearchbox
com.google.android.gsf
com.google.android.gsf.login
com.google.android.inputmethod.latin
com.google.android.nfcprovision
com.google.android.setupwizard
com.google.android.webview
com.samsung.android.contacts
com.samsung.android.phone
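
The list mixes vendor-specific ids (com.sec.*, com.samsung.*) with Google ones, so an id entered under "Enable system apps" may not exist on every device model. The following is an added example, not part of the original post: it compares the ids planned for the restriction policy with the system packages a test device reports via `adb shell pm list packages -s`. The sample output and the WANTED list are constructed.

```python
import subprocess

def parse_pm_list(output):
    """Parse `pm list packages` output, one 'package:<id>' entry per line."""
    ids = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            ids.add(line[len("package:"):])
    return ids

def check_system_apps(wanted, installed):
    """Split the planned app ids into (present, missing) for this device."""
    present = [a for a in wanted if a in installed]
    missing = [a for a in wanted if a not in installed]
    return present, missing

def device_system_packages():
    """Ask a USB-connected test device for its system packages (-s).
    Requires adb on the PATH and USB debugging enabled on the device."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-s"],
        capture_output=True, text=True, check=True)
    return parse_pm_list(result.stdout)

# Constructed sample output, shaped like that of a non-Samsung device
SAMPLE_OUTPUT = """\
package:com.android.phone
package:com.android.contacts
package:com.android.settings
package:com.google.android.GoogleCamera
package:com.google.android.dialer
"""

# Constructed list of ids planned for the "Enable system apps" restriction
WANTED = [
    "com.sec.android.app.camera",
    "com.android.contacts",
    "com.google.android.dialer",
]

if __name__ == "__main__":
    present, missing = check_system_apps(WANTED, parse_pm_list(SAMPLE_OUTPUT))
    print("present on device:", present)
    print("not on this device model:", missing)
```

To check a real device, replace `parse_pm_list(SAMPLE_OUTPUT)` with `device_system_packages()`.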

Summary

In conclusion, Android Enterprise integration is not too complicated, but you need to follow some practices so that your Citrix Endpoint Management supports both Android Legacy and Android Enterprise. Please remember to define deployment rules for both Android types and device restriction policies for your use cases. Good luck unlocking Android Enterprise for your Citrix Endpoint Management environment!

Last but not least, my credits go to Rory Monaghan and Anton van Pelt for reviewing and feedback.

If you need help or have any questions feel free to contact or follow me on Twitter.
Cheers,

Daniel Weppeler
