Last week I upgraded our production XenMobile environment to version 8.7, after which I wanted to enroll a Windows 8.1 RT. Unfortunately there is no Worx Home application in the Windows Store, nor does Citrix offer a WorxMail of WorxWeb client. The Windows 8.1 enroll process is slightly different than a iOS of Android device and can be found in the eDocs. Ok, let’s enroll a Windows 8.1 RT and let us see what we can do with it.

Click “Settings”                                                               Click “Change PC Settings”

XD87-016    XD87-017

Click “Network”                                                             Select “Workplace”

XD87-018   XD87-019

Ok so far so good, let’s enter my email address and hit “Turn On”. After several seconds I received a error “Confirm you are using the correct sign-in info, and that your workplace uses this feature”


I confess, didn’t read the whole eDocs myself. I thought no additional DNS Records / Zenprise databases had to be configured to enroll a Windows 8.1 RT, I was wrong. The eDocs stated:

If you plan to enroll Windows devices, obtain an SSL certificate for, where is the domain containing the accounts with which users will enroll. Attach the SSL certificate to your request. The Citrix Cloud Ops team will contact you to obtain the password for the certificate and provide you with the address of the Citrix enrollment server.

This raises a question, can we use a wildcard certificate? I contacted the Citrix Cloud Ops team and they confirmed it’s possible to use  a wilcard certificate. So I went ahead and emailed my wildcard certificate to Citrix, but I’m not quite happy with this. I know for sure several large companies we do business with won’t accept the fact we’ll have to distribute a certificate (with private key) to a third party. Keeps this in mind when u are consulting a customer about the Windows 8.1 Auto-Discovery enrollment.

Apparently the enrollment procedure isn’t very clear to the Citrix Cloud Ops team as well. At first they didn’t exactly know what to do with my certificate and forwarded my request the the Citrix Support Team. The Citrix Support Team was confused as well and weren’t aware of the enrollment procedure. The support engineer had to get his hands on a Windows 8.1 RT tablet, to test the enrollment himself. A week later the Citrix Support Team contacted me they figured it out.

  • Supply Citrix with a SSL Certificate for “enterpriseenrollment.<>”  (Or a wildcard certificate)
  • Citrix contacted me by phone for the certificate password
  • Create a CNAME DNS record “enterpriseenrollment.<>”  for “”

Now everything is settled we can enroll a Windows 8.1 RT based on your email address!

Enter your email address and password and select continue:


Select the “I Agree” box en click “Turn on”:


As u can see below the XenMobile Device Management function is now turned on. If u would like to unroll the device you are able to click “Turn Off”


After enrollment the devices show up in the Citrix XenMobile Device Manager:


I’m however a bit disappointed about the very limited support for Windows 8.1 RT. Very few policy settings are available to configure:


For now I don’t think these devices are very suitable for Citrix XenMobile Device Manager, they aren’t a real competitor for iOS and Android device! The lack of WorxWeb and WorxMail and the capability of running applications in a secure sandbox big disadvantage.

Post Navigation