Recently I was involved in a XenMobile project were the customer asked for a more simple way to let users enroll their device. This environment only contains Apple iPhone and iPad devices. Since XenMobile 10 there are 2 enrollment types that can make the enrollment process more simple for the end-user. This is what Citrix calls “Bulk enrollment of iOS devices”. The enrollment types are:
- Device Enrollment Program (DEP)
- Apple Configurator Device Enrollment
This blogpost will explain how you can use Apple Configurator to make the enrollment process simpler. The Device Enrollment Program will be explained in another blogpost.
The following steps will be needed:
- Enable Bulk Enrollment
- Add Worx Home App
- Create a Delivery Group
- Configure Apple Configurator
- Create an organization
- Define the MDM Server
- Create a basic profile
- Create a Blueprint
- Prepare iOS Device settings in the blueprint
- Add the basic profile to the Blueprint
First of all this procedure can only be used on new Apple devices or on devices that got a factory reset.
Enable Bulk Enrollment
Enable iOS Bulk Enrollment for Apple Configurator via the XenMobile web GUI:
Make note of the MDM server URL, we need this URL later.
Add Worx Home App
Next we need to add Worx Home as a public app for iPad and iPhone:
Create a Delivery Group
We also need to create a Delivery Group to force a DEP inventory policy and push the Worx Home app installation:
As you can see XenMobile automatically configures a local DEP group as soon as you enable DEP:
Add tbe DEP Software Inventory policy (created by the system!):
Add the Worx Home public app as a required app to install:
Now XenMobile Server is ready to deploy devices.
Configure Apple Configurator
In this blogpost I make use of Apple Configurator 2.
Create an organization
We need to create an organization, this will be used later in a blueprint and show on the user device during enrollment:
Define the MDM Server
We need to device the XenMobile Server as a MDM server with Apple Configurator:
Here we have to specify the Enrollment URL that was shown during enabling “Apple Configurator Device Enrollment” in XenMobile Server:
Apple Configurator expect MDMServiceConfig, click next to ignore this error we will correct this URL later.
Click Next to finish the MDM Server configuration:
Click Edit to change the MDM Server and paste the XenMobile Server URL again to correct the issue:
The certificates will be downloaded from the URL automatically.
Create basic profile
Next we need to create a basic profile were we specify the Wireless network that the device needs to connect to during enrollment:
Create a Blueprint
In the Blueprint we define the basic profile, MDM server and organization:
Prepare iOS Device settings in the blueprint
We need to prepare iOS Devices to specify which settings are getting applied during enrollment setup:
Here we can link the MDM server we specified earlier:
If you want to supervice the device you need to select the following option:
Here we can assign the Organization we specified earlier, this will be shown during enrollment:
This is one of the most important steps, we can specify which steps needs to be configured during enrollment setup. By deselecting some components we can simplify the enrollment experience for the end-user. Deselecting those options doesn’t mean that they can’t configured anymore. Those steps are just skipped by the setup wizard:
All those prepare steps will be added to the Blueprint:
Add the basic profile to the Blueprint
We need to assign the basic profile to the Blueprint to add the Wireless network settings that might be needed during enrollment:
With this we have created the setup package for a new device.
Apply the Blueprint
We now need to apply the Blue print to each new or factory reset device by connecting them via USB to the Mac OSX machine where the Apple Configurator is installed.
As soon as we apply the profile to a device the device will be added to the XenMobile devices list:
User Experience
After we applied the Blueprint to the device we can supply the device to the user. If you choose to not apply the passcode setup phase you can already bootup the device one to run to the small wizard.
This is how the enrollment works after applying the Blueprint.
The WiFi settings that were supplied via the basic profile are choosen by default:
Now as a user we have the option to apply the Blueprint configuration or skip this Blueprint. If you skip the configuration no setup wizard is started, so no configuration at all, nor enrollement in XenMobile!
If we apply the configuration the Blueprint will get installed and activated:
Depending on the configuration a user in now promted with the applicable setup phases. If no setup phase were selected during the Blueprint prepare option the user will see the iOS Spingboard immediately.
If we look in the XenMobile console we will see a new device without a user assigned:
In a few seconds the XenMobile DEP policy kicks in and the user is prompted to install the Worx Home application by signing in to iTunes:
After Worx Home is installed a user can now enroll to XenMobile by starting the Worx Home app and sign in. The cool thing is that the user don’t need to supply the XenMobile MDM FQDN, UPN or E-mail address:
After the user supplied their credentials they are directly enrolled into XenMobile, no need to install the certificate profiles. Keep in mind to make users aware of this to avoid privacy discussions!
After the device is enrolled it showed up with the right user in the XenMobile console. Now other policies will get applied and in case of XenMobile MAM the user will get access to the Worx Store:
Caution!
Keep in mind that when applying a blueprint to the device you will also perfrom the profile installment on the device. This procedure will absolutely create a better user experience but keep in mind to inform users about the profile installment.
Summary
In this blogpost I showed you how to make the enrollment of iOS devices in XenMobile smoother via Apple Configurator. Thanks to my colleague Jan-Paul for sharing his experiences on this topic! The next blogpost will explain how to configure the Apple Device Enrollment Program (DEP) for Citrix XenMobile, Stay tuned
