SSO for Secure Mail

You can configure Endpoint Management to enroll users automatically in Secure Mail when they enroll in Secure Hub. Users don’t have to enter more information or take more steps to enroll in Secure Mail. For users who enroll in Secure Hub with email credentials, this feature requires that autodiscovery is enabled. If autodiscovery is not enabled, you can enable this feature for the following enrollment methods:

  • The Endpoint Management address is passed to Secure Mail from Secure Hub.
  • Users enter the Endpoint Management address when enrolling in Secure Hub.

To enable the automatic enrollment in Secure Mail

  1. In the Endpoint Management client properties, on the Settings page, do the following:

    a. Set the following values to true:

    • ENABLE_PASSCODE_AUTH
    • ENABLE_PASSWORD_CACHING
    • ENABLE_CREDENTIAL_STORE

    b. Add this configuration:

    • Display name: SEND_LDAP_ATTRIBUTES

    • Value: userPrincipalName=${user.userprincipalname},sAMAccountName=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

  2. On the Settings page, add this configuration to the server property:

    MAM_MACRO_SUPPORT set to true

  3. Configure these Secure Mail properties:

    • Set Initial Authentication Mechanism to User email address.
    • Set Initial Authentication Credentials to userPrincipalName.

  4. Configure email-based AutoDiscovery Service for the user’s Exchange Server mailbox. For support, reach out to your Microsoft Exchange administrator. This article assumes that you configure Autodiscovery Service by querying DNS for an SRV record.

To configure the Secure Mail app policy

Upload the Secure Mail app to Endpoint Management. Upload the .mdx file associated with the correct version of the Secure Mail app. Then, configure the following Secure Mail app settings:

  1. In Initial authentication mechanism, click User email address.

  2. In Initial authentication credentials, click userPrincipalName or sAMAccountName. Your selection is based on the authentication type configured against the user’s Exchange Mail Server.

  3. Leave the Secure Mail Exchange Server and Secure Mail user domain fields empty.

  4. Configure other policies of the Secure Mail app as required and make necessary delivery group assignments.

The end-to-end Secure Mail SSO user experience with automatic provisioning

Ensure that you meet the following prerequisites.

  1. Install Secure Hub from the Apple App Store (iOS) or the Google Play Store (Android).

  2. Open Secure Hub and enter an email address and password for enrolling in Endpoint Management.

  3. Install Secure Mail from the Apple App Store (iOS) or the Google Play Store (Android).

  4. Open Secure Mail and tap OK. This step allows Secure Hub to manage Secure Mail. Upon opening, Secure Mail is automatically configured.

The Exchange Server that corresponds to the user’s mailbox database is obtained from the Autodiscovery Service you configured. The DNS SRV Record query makes use of the user’s email address fetched from Secure Hub.

All the required details for account configuration, such as email address, userPrincipalName/sAMAccountName, and password are fetched from Secure Hub.
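As an added illustration (not Citrix code), the following Python helpers model the two pieces of data the flow above depends on: expanding the SEND_LDAP_ATTRIBUTES macros from step 1b against a constructed LDAP entry, and deriving the _autodiscover._tcp.<domain> SRV query name from the user's email address, then choosing a target from constructed SRV answers. The macro regex, the deterministic priority/weight choice and all sample values are assumptions of this example, useful when checking why an account did not auto-configure.

```python
"""Model the inputs behind Secure Mail auto-provisioning (constructed example)."""
import re
from email.utils import parseaddr

# Client property value from step 1b (macro form, as Endpoint Management expands it).
SEND_LDAP_ATTRIBUTES = ("userPrincipalName=${user.userprincipalname},"
                        "sAMAccountName=${user.samaccountname},"
                        "displayName=${user.displayName},mail=${user.mail}")

# Assumed macro syntax: ${user.<ldap attribute>}; whitespace inside braces tolerated.
MACRO = re.compile(r"\$\{\s*user\.(\w+)\s*\}")


def expand_ldap_attributes(template, ldap_entry):
    """Expand ${user.<attr>} macros against an LDAP entry and return a dict of
    attribute name -> value. LDAP attribute names are case-insensitive, so the
    lookup ignores case; a missing attribute expands to an empty string, which
    is the case to look for when an account silently fails to configure."""
    lower = {k.lower(): v for k, v in ldap_entry.items()}
    result = {}
    for pair in template.split(","):
        name, _, value = pair.partition("=")
        expanded = MACRO.sub(lambda m: lower.get(m.group(1).lower(), ""), value)
        result[name.strip()] = expanded.strip()
    return result


def autodiscover_srv_name(email):
    """Return the SRV record name Autodiscover queries for the user's mail domain,
    derived from the email address Secure Hub hands to Secure Mail."""
    _, addr = parseaddr(email)
    if "@" not in addr:
        raise ValueError("not an email address: %r" % (email,))
    return "_autodiscover._tcp." + addr.rsplit("@", 1)[1].lower()


def select_srv_target(records):
    """Pick the SRV target a client would use: lowest priority wins, and among
    equal priorities the highest weight (RFC 2782 uses weighted random here; a
    deterministic choice is enough for a check script).
    records: list of (priority, weight, port, target). Returns (host, port)."""
    if not records:
        return None  # no SRV answer: Autodiscover by SRV cannot succeed
    prio, weight, port, target = min(records, key=lambda r: (r[0], -r[1]))
    return target.rstrip("."), port
```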

When the account is configured, users can view details on the device in Secure Mail > Settings > Account.

Troubleshoot issues

If any issues occur with the SSO configuration, you can try the following steps.

  1. Ensure that the XenMobile Server version is 10.5 or later.

  2. Ensure that Endpoint Management is configured for AutoDiscovery Service and user enrollment is configured for use with an email address.

  3. Ensure that the Exchange Server domain is configured with autodiscovery. Make sure the query for the SRV record returns the expected mail server details for ActiveSync mail clients.

  4. In case of an issue with this functionality, collect the following information and contact Citrix Technical Support:

    • Download Endpoint Management Diagnostic Logs.
    • Collect Secure Mail Diagnostic Logs with the highest log level.
    • Collect IIS logs from the directory C:\inetpub\logs\LogFiles\W3SVC1 from the Exchange Server hosting the Autodiscovery Service. For more details on Microsoft Autodiscovery Service, see the Autodiscover service in Exchange Server.