Setting up Android Enterprise in XenMobile (Android for Work)

I’ve recently had to configure Android enterprise in XenMobile and found Citrix documentation rather lacking in a few areas.

Configuring Android Enterprise (Android for Work)

  1. Create a Google account that you will use to setup Android Enterprise
  2. In your XenMobile server go into Settings - > Android for Work
  3. Under option 2 click on “Go to XenMobile Tools”

  1. Log into your Citrix account and Select Option 1 “Go to Google Play”

  1. Log into the Google account you’ve created in step 1 and click on “Get Started”

  1. Enter your organisation name and agree to terms and conditions then press confirm

  1. Press Complete Registration

  1. Create a passphrase for enterprise.config file and hit download

  1. Upload the enterprise.config into your XenMobile server under option 3

  2. The Android for Work configuration should be done

Preparing for Device Enrolment
Now that Android Enterprise (AfW) is setup you need to create some basic configuration and publish some applications.

Create an Android for Work passcode policy and publish it to the delivery group that will be deployed to your user

To prepare applications first you need log into with your Google account in step 1.
Search for the application you wish to make available in the work profile and hit approve.

All your approved applications should be visible under “My managed apps”

Now we need to make the application available to the user in XenMobile.
In your XenMobile console navigate to Configure -> Apps and add a new Public App Store app.

Select Android for Work and search for your app, if you cannot find it hit “Didn’t find the app you were looking for?” and enter the Play Store for Work URL i.e.

Publish the app to a delivery group your user will be a member of.

Device Enrolment
On the device install Secure Hub and proceed with enrolment, if using samaccountname for LDAP lookups enter domainname\username

You will be prompted to setup your Android Enterprise profile

Once setup and enrolment is complete (you’ve set a Secure Hub PIN if applicable etc) you should applications in “Work mode”

Going into Work Play Store will show you the applications that you’ve published to the user

More information is available here:
Citrix documentation -
Citrix blog -
Android Enterprise -


many thanks for this great documentation :slight_smile: I just have an issue while I’m registering my device… I correctly get the “Set up your work profile process” but after that Secure Hub close and I get a message “Your work profile was deleted”. And it doesn’t work… Have you ever experienced this kind of issue ?

Many thanks in advance

Is your authentication to XenMobile set to UPN or SamAccountName?


are those steps 3 and 4 possible in the on-prem solution or how do you configure it? Is it still possible to use the “Worx Provisioning Tool (Android for Work)” for adding devices?

Thank you!

Yes options 3 and 4 are possible in the on-prem solution, clicking on the setting in XMS will take you to Citrix XenMobile tools to complete setup.

What version of XenMobile are you running?

There are few possible provisioning methods for Device Owner:

  • QR code
  • afw# string
  • NFC bump

Functionality may vary depending on the version of Android that you are using/testing with


thank you for your answer!
I use 10.8.x (can not look it up now).
Are there any articles / instructions for all methods?
I got the impression that the are not a lot of articles about that.
Basically I`m looking for a way to deploy different Android devices in an MDM-only scenario.

  • No possibility to add a Google account
  • Whitelisting for apps (own app store and no play store on the device)
  • No AD authentication
  • Remove / hide unnecessary apps like all google apps or any bloatware

Would that be possible with Android for Work?

Yes it is possible with Android Enterprise (previously known as Android for work) using Work Managed Device method.

Your devices need to run Android 6 or above.

The setup steps are identical, the only differences are the enrolment.

  • You will “Approve” applications through Managed Play Store
  • These applications can be made available to users via the XMS console.
  • Users will only be able to install apps form the Managed Play Store.
  • Work Managed Device enrolment disables bloatware as part of enrolment.
  • This method does not require a Google Account
  • You still need an account to enrol your device into XM be it a local or AD account.

There are a few ways of enrolling a Work Managed device.

When setting up a new device (or factory reset device) enter afw#xenmobile instead of the Google account when prompted for a Google Account

You can also leverage a QR code or NFC bump setup, instructions can be found here:

More information on Android Enterprise:

1 Like


it’s UPN. It works some times on an Android 7 but it always failed on Android 8…


thank you for the answers! This helped a lot! I configured everything and tested it and I`m not amused. The method “afw#xenmobile” works but only with WiFi connection?!

  1. Do you really need WiFi for enrollment? Is there no way around this?

  2. Is it possible to use the “normal” Android policies for Android for work devices? I couldn`t block Chrome with an Android policy.

Do you have experience with the NFC tool of Citrix?

I cant get it to work. WiFi doesnt connect (different networks and always double checked the password).

Citrix is really lacking of usable tools. There are apps of other vendors that are easy to prepare and even create a QR code. I have seen a tool which stats that for Android 6 and newer it`s necessary to use SHA-256 instead of SHA-1.
Do I have to use SHA-256 in the Citrix tool?
Is the URL for the download the “externally hosted url” of the Jason file (like QR Code)?

I am testing with and old Nexus 5 with Android 6. By it`s not possible to hide everything (Chrome and Google Assistant are still there) and you can still login with a google account. Maybe the reason for this is that it is “primarily” a google device.

I’ve seen this issue before, it was device specific.

The device had to be factory reset and it started working correctly.

i.e. 2 same model devices 1 could enrol into AE the other one could not

You can enrol over mobile data, it sounds like you have connectivity issues in your environment.

What are you trying to achieve with your Android devices?

By the sounds of it you are trying to trying to setup a COSU device ( not a Work Managed Device.

Refer to

You may also want to look into the following programs for devices enrolment:
Android Zero Touch

Knox Managed Enrolment (KME)

Hello, thank you again!

Zero touch enrolment wont be possible because I have to manage legacy devices (Android 5 – 7). Unfortunately theres no way to add old devices like with Apple DEP.
A second bumper is that COSU wont be possible because Citrix doesnt support this for on-prem XMS right now or maybe never. I think COSU might be the better solution. But I can only go with work manged.

Maybe I cant enrol over mobile data because the device is the problem. I tested it with two different providers. With one SIM-card the connection is very fast (188 Mbps download and 34 Mbps upload). Nevertheless it only worked sometimes with mobile data. Often I get this error message (after downloading Secure Hub). This is very annoying because you have to do a full factory reset every time it doesnt work. If I got another device I`ll test it further.

I think Samsung Knox might be the best solution for supported devices. But you have to connect to WiFi:
“Only TIMA-enabled Samsung 2.4 devices are supported out of the box by the Samsung KNOX Mobile Enrollment tool. Also, for a device to successfully enroll in the enterprise, the device must connect to WiFi and users must agree to download and install Secure Hub.”
This isn`t true for all devices because Samsung supports OTA enrolment in Knox 2.6:

If you are using Samsung devices you can use Knox configure to achieve the outcome you are after.

Knox Configure allows you to heavily customise the devices remotely (beyond what you can do with MDM).

You need Knox 2.7.1 or above on the device.

This capability requires you to purchase Knox configure licenses.

Having some errors with the Xenmobile enrollment with AFE and Samsung KME. When continuing the enrollment failing and getting the error " The enrollment couldn’t be Finished" Please try again or contact the administrator.

Could this be AFE or XM?

Really depends in which part it fails, is it giving you this error after you installed Secure Hub and entered your credentials or…?