Citrix Endpoint Management

SSO account device policy

March 7, 2024

Contributed by:

K K C

The SSO account device policy lets ou create single sign-on (SSO) accounts in Citrix Endpoint Management. Those accounts let users sign on one-time only to access Citrix Endpoint Management and your internal company resources from various apps. Users do not need to store any credentials on the device. The SSO account enterprise user credentials are used across apps, including apps from the App Store. This policy is designed to work with a Kerberos authentication back-end.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Account name: Enter the Kerberos SSO account name that appears on users’ devices. This field is required.
Kerberos principal name: Enter the Kerberos principal name. This field is required.
Identity credential (Keystore or PKI credential): Click an optional identity credential in the drop-down list that can be used to renew the Kerberos credential without user interaction.
Kerberos realm: Enter the Kerberos realm for this policy. This value is typically your domain name in all capital letters (for example, EXAMPLE.COM). This field is required.
Permitted URLs: For each URL for which you want to require SSO, click Add and then do the following:
- Permitted URL: Enter a URL that you want to require SSO when a user visits the URL from the iOS device.
  
  For example, when a user tries to browse to a site and the website starts a Kerberos challenge: If that site isn’t in the URL list, the iOS device doesn’t attempt SSO by providing the Kerberos token that Kerberos might have cached on the device from a previous Kerberos logon. The match has to be exact on the host part of the URL. For example, https://shopping.apple.com is valid, but https://*.apple.com isn’t.
  
  Also, if Kerberos isn’t activated based on host matching, the URL still falls back to a standard HTTP call. This can mean almost anything including a standard password challenge or an HTTP error if the URL is only configured for SSO using Kerberos.
- Click Add to add the URL or click Cancel to cancel adding the URL.
App Identifiers: For each app that is allowed to use this login, click Add and then do the following:
- App Identifier: Enter an app identifier for an app that is allowed to use this login. If you do not add any app identifiers, this login matches all app identifiers.
Policy settings
- Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
  - Select date: Click the calendar to select the specific date for removal.
  - Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

SSO account device policy

March 7, 2024

Contributed by:

K K C

March 7, 2024

Contributed by:

K K C

SSO account device policy

iOS settings

In this article