Certificates and authentication

Several components play a role in authentication during Endpoint Management operations:

  • Endpoint Management: The Endpoint Management server is where you define enrollment security and the enrollment experience. Options for onboarding users include:
    • Whether to make the enrollment open for all or by invitation only.
    • Whether to require two-factor authentication or three-factor authentication. Endpoint Management client properties allow you to enable Citrix PIN authentication and configure the PIN complexity and expiration.
  • Citrix Gateway: Citrix Gateway provides termination for micro VPN SSL sessions. Citrix Gateway also provides network in-transit security, and lets you define the authentication experience used each time a user accesses an app.
  • Secure Hub: Secure Hub and Endpoint Management work together in enrollment operations. Secure Hub is the entity on a device that talks to Citrix Gateway: When a session expires, Secure Hub gets an authentication ticket from Citrix Gateway and passes the ticket to the MDX apps. Citrix recommends certificate pinning, which prevents man-in-the-middle attacks. For more information, see this section in the Secure Hub article: Certificate pinning.

    Secure Hub also facilitates the MDX security container: Secure Hub pushes policies, creates a session with Citrix Gateway when an app times out, and defines the MDX timeout and authentication experience. Secure Hub is also responsible for jailbreak detection, geolocation checks, and any policies you apply.

  • MDX policies: MDX policies create the data vault on the device. MDX policies direct micro VPN connections back to Citrix Gateway, enforce offline mode restrictions, and enforce client policies, such as time-outs.

Citrix Endpoint Management authenticates users to their resources using the following authentication methods:

  • Mobile device management (MDM)
    • Cloud-hosted identity providers (IdPs)
    • Lightweight Directory Access Protocol (LDAP)
      • Invitation URL + Pin
      • Two-factor authentication
  • Mobile application management (MAM)
    • LDAP
    • Certificate
    • Security token

    MAM authentication requires Citrix Gateway.

For other configuration details, see the following articles:

Certificates

Endpoint Management generates a self-signed Secure Sockets Layer (SSL) certificate during installation to secure the communication flows to the server. Replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority.

For client certificates, Endpoint Management either uses its own Public Key Infrastructure (PKI) service or obtains the certificates from your CA. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or SAN certificates.

Client certificate authentication provides an extra layer of security for mobile apps and lets users seamlessly access HDX Apps. When client certificate authentication is configured, users type their Citrix PIN for single sign-on (SSO) access to Endpoint Management-enabled apps. Citrix PIN also simplifies the user authentication experience. Citrix PIN is used to secure a client certificate or save Active Directory credentials locally on the device.

To enroll and manage iOS devices with Endpoint Management, set up and create an Apple Push Notification Service (APNs) certificate from Apple. For steps, see APNs certificates.

The following table shows the certificate format and type for each Endpoint Management component:

  • Citrix Gateway
    • Certificate format: PEM (BASE64), PFX (PKCS #12)
    • Required certificate type: SSL, Root (Citrix Gateway converts PFX to PEM automatically.)
  • Endpoint Management
    • Certificate format: .p12 (.pfx on Windows-based computers)
    • Required certificate type: SSL, SAML, APNs (Endpoint Management also generates a full PKI during the installation process.)

    Important: Endpoint Management doesn’t support certificates with a .pem extension. To use a .pem certificate, split the .pem file into a certificate and key and import each into Endpoint Management.

  • StoreFront
    • Certificate format: PFX (PKCS #12)
    • Required certificate type: SSL, Root

Endpoint Management supports client certificates with bit lengths of 4096 and 2048.
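As an added example (not Citrix code and not part of the original article), the Python below performs the split described in the table note, separating the certificate and key blocks of a combined .pem file, and then checks each key's RSA modulus against the supported 2048- and 4096-bit sizes; it uses only the standard library in place of an openssl one-liner, and the bundle it inspects is a constructed placeholder, not a real certificate or key.

```python
import base64
import re
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n.*?-----END (?P=label)-----", re.DOTALL)

def split_pem(bundle):
    """Sort the PEM blocks of a combined .pem file into certificates and private keys."""
    parts = {"certificates": [], "keys": []}
    for m in PEM_BLOCK.finditer(bundle):
        kind = "certificates" if m["label"].endswith("CERTIFICATE") else "keys"
        parts[kind].append(m.group(0) + "\n")
    return parts

def _tlv(buf, pos):                    # decode one DER tag/length -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _modulus_bits(der):
    _, pos, _ = _tlv(der, 0)           # outer SEQUENCE (RSAPrivateKey or PrivateKeyInfo)
    _, _, pos = _tlv(der, pos)         # INTEGER version
    tag, start, end = _tlv(der, pos)
    if tag == 0x30:                    # PKCS#8: AlgorithmIdentifier, then an OCTET
        _, start, end = _tlv(der, end) # STRING wrapping the PKCS#1 RSAPrivateKey
        return _modulus_bits(der[start:end])
    return int.from_bytes(der[start:end], "big").bit_length()  # INTEGER modulus n

def rsa_modulus_bits(key_pem):         # size of an unencrypted PKCS#1 or PKCS#8 RSA key (PEM)
    return _modulus_bits(base64.b64decode("".join(key_pem.strip().splitlines()[1:-1])))

def check_bundle(bundle):
    """Split the bundle and report whether every key is 2048 or 4096 bits (the supported sizes)."""
    parts = split_pem(bundle)
    bits = [rsa_modulus_bits(k) for k in parts["keys"]]
    return {"certificates": len(parts["certificates"]), "keys": len(parts["keys"]),
            "bits": bits, "supported": bool(bits) and all(b in (2048, 4096) for b in bits)}

def _der(tag, value):                  # tiny DER encoder, only for the constructed sample
    n = len(value)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + value

def sample_bundle(bits=2048):
    """Constructed sample, not a real key: placeholder cert + PKCS#1-shaped key (version, modulus)."""
    modulus = b"\x00" + (1 << (bits - 1)).to_bytes(bits // 8, "big")
    b64 = base64.b64encode(_der(0x30, _der(0x02, b"\x00") + _der(0x02, modulus))).decode()
    key = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\nTUlJ\n-----END CERTIFICATE-----\n" + key
```

Write each entry of `split_pem(...)["certificates"]` and `["keys"]` to its own file before importing; a real key must of course come from your CA, never from the placeholder generator.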

For Citrix Gateway and Endpoint Management, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the Citrix Gateway or the Endpoint Management configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on Citrix Gateway or Endpoint Management.

Important:

Requirements for trusted certificates in iOS, iPadOS, and macOS

Apple has new requirements for TLS server certificates. Verify that all certificates follow the Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176.

Apple is reducing the maximum allowed lifetime of TLS server certificates. This change affects only server certificates issued after September 2020. See the Apple publication, https://support.apple.com/en-us/HT211025.

LDAP authentication

Endpoint Management supports domain-based authentication for one or more directories that are compliant with the Lightweight Directory Access Protocol (LDAP). LDAP is a software protocol that provides access to information about groups, user accounts, and related properties. For more information, see Domain or domain plus security token authentication.

Identity provider authentication

You can configure an identity provider (IdP) through Citrix Cloud to enroll and manage user devices.

Supported use cases for IdPs:

  • Azure Active Directory through Citrix Cloud
    • Workspace integration is optional
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • iOS and macOS for Apple Business Manager enrollments
    • Legacy Android (DA)

    Auto enrollment features such as the Apple School Manager are currently not supported.

  • Okta through Citrix Cloud
    • Workspace integration is optional
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • iOS and macOS for Apple Business Manager enrollments
    • Legacy Android (DA)

    Auto enrollment features such as the Apple School Manager are currently not supported.

  • On-premises Citrix Gateway through Citrix Cloud
    • Citrix Gateway configured for certificate-based authentication
    • Android Enterprise (Preview. Supports BYOD, fully managed devices, and enhanced enrollment profiles)
    • iOS for MDM+MAM and MDM enrollments
    • Legacy Android (DA)

    Auto enrollment features such as the Apple Deployment Program are currently not supported.
