Integrate Citrix Endpoint Management with Citrix Workspace App



As we move away from cliché VDI debates and statements to a new end user computing era, secure unified digital workspace offerings become more relevant. This overall offering makes more business and technical sense to customers and partners alike enabling the real digitalization of businesses.

Mobile Device Management, Mobile Application Management, and Mobile Content Management are amongst the hottest terms in the Enterprise Mobility Management and Security space yet they do not, on their own, power users to completely conduct their work from any location using any device having the same experience as an office desk.

When combining the power of Desktop Virtualization, Application Virtualization, Mobility, Content Collaboration, Access Control, SaaS Apps and SSO, native 2FA and Analytics, all integrated and correlating with each other ,  we end up with a mobile and secure unified end-to-end workspace that can be fully utilized to conduct business in a more productive manner.

Citrix Workspace App is intended to be a unified secure digital workspace that allows users to access all of their services required to conduct business in a more productive and secure manner from a unified app. It is a work in progress and part of what’s still missing is full integration with Endpoint Management formerly known as XenMobile.

Citrix Endpoint Management uses an agent called Secure Hub which means when using full Citrix workspace services, one would need to have the Workspace App and the Secure hub agent installed which would defeat the term “unified”. More so, users would still be required to enroll to secure hub and install/open Citrix provided secure applications such as Secure Mail and Secure Web.

Recently, Citrix, utilizing the power of cloud and service integration/correlation, added some integration functionality between Endpoint Management and Workspace App, which allows published MAM applications to appear/open from the Workspace App which if un-enrolled would prompt the user to enroll using Secure Hub but that’s about it for now as still users need to see, interact and sign-in to Secure Hub independently which is essentially another application.

In the future, Secure Hub code would be moved into Workspace App which means all mobility functionality would be built-it and no additional applications such as Secure Hub would be required. For now, I will explore the current functionality of Workspace App integration with Endpoint Management and how users interact between both apps.

On a side note, my Citrix Cloud account was provisioned prior to Q3 2018 which meant that my cloud instance was still being hosted on AWS thus Endpoint Management service integration was not available. I have been working with Citrix Cloud support team for the last month and they have successfully migrated my instance to Azure and enabled the Endpoint Management Integration for the same. If you don’t find Endpoint Management in your service integrations tab that would be the issue so contact Citrix support for the same.


Step 1: Enable Endpoint Management service integration from Citrix Cloud – Workspace Configuration – Service Integrations.


Step 2: In order for applications to be part of Citrix Cloud and be able to assign users access to these applications from Library, navigate to Endpoint Management – Configure – Delivery Groups – Add. Make sure to choose In Citrix Cloud on the Users tab and add the required Applications to published/visible in Workspace App.




Step 3: Navigate to Library and add subscribers to the just recently created group which includes the added mobile applications.



Integration configuration is as simple as just three steps and that’s about it. Users will now have access to mobile applications visible from Workspace App. In the next section we will look into the user experience.

User Experience:

Notes to Citrix:

  • MAM only mode is not currently supported for this integration so using mobility apps from Workspace App will require full MDM/MAM enrollment. MAM-only enrollments needs to be done completely from Secure Hub.
  • Another really important feature missing from Citrix Workspace Service/App is email based enrollments which would make it easy for users to sign into the workspace URL without using the URL . It should be as easy as the one already available for Endpoint Management and the Workspace App actually asks to input email but Citrix support has assured me its not currently supported so that’s a bummer.
  • It would be cool for Workspace App to have the same concept as WorxPin which would also support biometric and face recognition technologies for login instead of AD password for all resources in the Workspace App. Top that with the coming TOTP feature coming soon to Citrix Cloud.

Scenario 1: Only Citrix Workspace App is installed and user vdi1 requires to open QuickEdit from Workspace App.


  • Some sections of the video are blacked-out by Secure Hub during mirroring to PC so those are just default Secure Hub enrollment procedures nothing special.
  • Enrollment did not ask for authentication when redirecting to Secure Hub. This is a new enrollment conducted from Workspace App.
  • Enrollment did not ask for MDM URL and was automatically injected into secure hub.
  • Secure Web application asked for credentials in Secure Hub. This can be controlled from the app setting “ App Passcode “. Enabling Worx Pin would make this pretty easy for end-users.
  • Worx Pin was not enabled when the above was performed.

Scenario 2: Only Secure Hub is installed and user vdi1 needs to enroll to Endpoint Management.

WhatsApp Image 2019-03-15 at 12.40.10 AM

WhatsApp Image 2019-03-15 at 12.40.09 AM

WhatsApp Image 2019-03-15 at 12.40.10 AM(1)

The same steps in the above video applies which I cannot show for the most since its inside Secure hub which is blacked-out, Secure Hub now forces you to install and configure Workspace App with Citrix Cloud URL before continuing manual enrollment. After enrollment is complete, secure hub does not display apps anymore and users are forwarded to Workspace App for the same.


  • Seems that Secure Hub will force new users to enroll using the Workspace App when using the cloud provided Endpoint Management URL. Disabling Endpoint Management service integration did not independent Secure Hub enrollment functionality.
  • Worx Pin was enabled and works fine for Endpoint management applications through Workspace App.
  • Apps are only accessible from Workspace App and Secure Hub does not show any applications except a tab “ Add Apps ” that forwards you to Workspace App.

Scenario 3: vdi1 user is already enrolled in MAM-only mode manually using the MAM URL.


WhatsApp Image 2019-03-15 at 12.51.37 AM

WhatsApp Image 2019-03-15 at 12.51.38 AM

WhatsApp Image 2019-03-15 at 12.57.01 AM


Unlike MDM mode, Applications are visible in both Secure Hub and Workspace App when enrolled in MAM-only mode which was done manually prior to installing and configuring Workspace App.


Integration has gone a far way and the SSO when enrolling to Endpoint management from Workspace App to Secure Hub is just amazing. I hope some of the notes I listed above are tackled and looking forward to having all Secure Hub code into Workspace App.

May the Peace, Mercy, and Blessing of God Be Upon You

Leave a Reply

Your email address will not be published. Required fields are marked *