User accounts, roles, and enrollment

Sep 06, 2017

You configure the following items in the XenMobile console on the Manage tab and the Settings page:

  • User accounts and groups
  • Roles for user accounts and groups
  • Enrollment mode and invitations

From the Manage tab, you can do the following:

You can also use workflows to manage the creation and removal of user accounts, as described later in this article in Create and manage workflows.

From the Settings page, you can do the following:

  • Click Role-Based Access Control to assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions. For details, see:
  • Click Notification Templates to use in automated actions, enrollment, and standard notification messages sent to users. You configure the notification templates to send messages over three different channels: Secure Hub, SMTP, or SMS. For details, see:

To add, edit, or delete local user accounts

You can add local user accounts to XenMobile manually or you can use a provisioning file to import the accounts. For the steps to import user accounts from a provisioning file, see To import user accounts by using a .csv provisioning file.

1. In the XenMobile console, click Manage > Users. The Users page appears.

2. Click Show filter to filter the list. 

To add a local user account

1. On the Users page, click Add Local User. The Add Local User page appears.

2. Configure these settings:

  • User name: Type the name, a required field. You can include spaces in names, as well as upper and lowercase letters.
  • Password: Type an optional user password.
  • Role: In the list, click the user role. For more information about roles, see Configuring Roles with RBAC. Possible options are:
    • ADMIN
    • DEVICE_PROVISIONING
    • SUPPORT
    • USER
  • Membership: In the list, click the group or groups to which to add the user.
  • User Properties: Add optional user properties. For each user property you want to add, click Add and do the following:
    • User Properties: In the list, click a property and then type the user property attribute in the field next to the property.
    • Click Done to save the user property or click Cancel.

Note: To delete an existing user property, hover over the line containing the property and then click the X on the right side. The property is deleted immediately.

To edit an existing user property, click the property and make changes. Click Done to save the changed listing or Cancel to leave the listing unchanged.

3. Click Save.

To edit a local user account

1. On the Users page, in the list of users, click to select a user and then click Edit. The Edit Local User page appears.

2. Change the following information as appropriate:

  • User name: You cannot change the user name.
  • Password: Change or add a user password.
  • Role: In the list, click the user role.
  • Membership: In the list, click the group or groups to which to add or edit the user account. To remove the user account from a group, clear the check box next to the group name.
  • User properties: Do one of the following:
    • For each user property you want to change, click the property and make changes. Click Done to save the changed listing or Cancel to leave the listing unchanged.
    • For each user property you want to add, click Add and do the following:
      • User Properties: In the list, click a property and then type the user property attribute in the field next to the property.
      • Click Done to save the user property or click Cancel.
    • For each existing user property you want to delete, hover over the line containing the property and then click the X on the right side. The property is deleted immediately.

3. Click Save to save your changes or click Cancel to leave the user unchanged.

To delete a local user account

1. On the Users page, in the list of user accounts, click to select a user account.

Note: You can select more than one user account to delete by selecting the check box next to each user account.

2. Click Delete. A confirmation dialog box appears.

3. Click Delete to delete the user account or click Cancel.

To delete Active Directory users

To delete one or more Active Directory users at a time, select the users and click Delete.

If a user that you delete has enrolled devices and you want to re-enroll those devices, delete the devices before re-enrolling them. To delete a device, go to Manage > Devices, select the device, and then click Delete.

Importing user accounts

You can import local user accounts and properties from a .csv file called a provisioning file, which you can create manually. For more information about formatting provisioning files, see Provisioning file formats.

Note:

  • For local users, use the domain name along with the user name in the import file. For example, specify username@domain. If the local user that you create or import is for a managed domain in XenMobile, the user cannot enroll by using the corresponding LDAP credentials.
  • If importing user accounts to the XenMobile internal user directory, disable the default domain to speed up the import process. Keep in mind that disabling the domain affects enrollments, so you should reenable the default domain after the import of internal users is complete.
  • Local users can be in User Principal Name (UPN) format. However, Citrix recommends that you do not use the managed domain. For example, if example.com is managed, do not create a local user with this UPN format: user@example.com.

After you prepare a provisioning file, follow these steps to import the file to XenMobile.

1. In the XenMobile console, click Manage > Users. The Users page appears.

2. Click Import Local Users. The Import Provisioning File dialog box appears.

3. Select either User or Property for the format of the provisioning file you are importing.

4. Select the provisioning file to use by clicking Browse and then navigating to the file location.

5. Click Import.

Provisioning file formats

A provisioning file that you create manually and use to import user accounts and properties to XenMobile must be in one of the following formats:

  • User provisioning file fields: user;password;role;group1;group2
  • User attribute provisioning file fields: user;propertyName1;propertyValue1;propertyName2;propertyValue2

Note:

  • Separate the fields within the provisioning file with a semi-colon (;). If part of a field contains a semi-colon, escape it with a backslash character (\). For example, type the property propertyV;test;1;2 as propertyV\;test\;1\;2 in the provisioning file.
  • Valid values for Role are the predefined roles USER, ADMIN, SUPPORT, and DEVICE_PROVISIONING, plus any other roles that you defined.
  • Use the period character (.) as a separator to create group hierarchy. Don't use a period in group names.
  • Use lowercase for property attributes in attribute provisioning files. The database is case sensitive.

Example of user provisioning content

This entry, user01;pwd\;o1;USER;myGroup.users01;myGroup.users02;myGroup.users.users01, means:

  • User: user01
  • Password: pwd;01
  • Role: USER
  • Groups:
    • myGroup.users01
    • myGroup.users02
    • myGroup.users.users.users01

As another example, AUser0;1.password;USER;ActiveDirectory.test.net, means:

  • User: AUser0
  • Password: 1.password
  • Role: USER
  • Group: ActiveDirectory.test.net

Example of user attribute provisioning content

This entry, user01;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value, means:

  • User: user01
  • Property 1
    • name: propertyN
    • value: propertyV;test;1;2
  • Property 2:
    • name: prop 2
    • value: prop2 value
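
The following Python example is added here and is not part of the Citrix documentation or product. It parses both provisioning file formats using the \; escape rule and reviews user lines before import (role validity, roles other than USER, local users created in a managed domain). The function names, the treatment of any other backslash as a literal character, and the ops@example.com sample line are assumptions made for illustration.

```python
PREDEFINED_ROLES = {"USER", "ADMIN", "SUPPORT", "DEVICE_PROVISIONING"}


def split_fields(line):
    """Split one provisioning line on ';', treating '\\;' as a literal ';'."""
    fields, current, i = [], [], 0
    while i < len(line):
        if line.startswith("\\;", i):      # escaped separator stays in the field
            current.append(";")
            i += 2
        elif line[i] == ";":               # unescaped separator ends the field
            fields.append("".join(current))
            current = []
            i += 1
        else:                              # assumption: any other backslash is literal
            current.append(line[i])
            i += 1
    fields.append("".join(current))
    return fields


def parse_user_line(line):
    """user;password;role;group1;group2 -> dict"""
    fields = split_fields(line.rstrip("\r\n"))
    if len(fields) < 3 or not fields[0]:
        raise ValueError("expected user;password;role[;group...]")
    user, password, role, *groups = fields
    return {"user": user, "password": password, "role": role, "groups": groups}


def parse_attribute_line(line):
    """user;name1;value1;name2;value2 -> (user, {name: value})"""
    user, *rest = split_fields(line.rstrip("\r\n"))
    if not user or len(rest) % 2:
        raise ValueError("expected user followed by name;value pairs")
    return user, dict(zip(rest[0::2], rest[1::2]))


def review_user_line(line, custom_roles=(), managed_domains=()):
    """Return review findings for one user line before it is imported."""
    rec = parse_user_line(line)
    findings = []
    if rec["role"] not in PREDEFINED_ROLES | set(custom_roles):
        findings.append("unknown role: " + rec["role"])
    elif rec["role"] != "USER":
        findings.append("role other than USER: " + rec["role"])
    domain = rec["user"].rpartition("@")[2].lower() if "@" in rec["user"] else ""
    if domain in {d.lower() for d in managed_domains}:
        findings.append("local user in managed domain: " + domain)
    return findings


if __name__ == "__main__":
    # Second line is constructed sample input; the first is the page's example.
    for sample in ("AUser0;1.password;USER;ActiveDirectory.test.net",
                   "ops@example.com;pw;ADMIN;staff.it"):
        print(sample, "->", review_user_line(sample, managed_domains=["example.com"]))
```

Because the user provisioning file carries passwords in clear text alongside role assignments, run a review like this on the file where it is prepared and restrict access to the file itself.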

To configure enrollment modes and enable the Self Help Portal

You configure device enrollment modes to allow users to enroll their devices in XenMobile. XenMobile offers seven modes, each with its own level of security and steps users must take to enroll their devices. You can make some modes available on the Self Help Portal. Users can log on to the portal and generate enrollment links that allow them to enroll their devices or choose to send themselves an enrollment invitation. You configure enrollment modes in the XenMobile console from the Settings > Enrollment page.

You send enrollment invitations from the Manage > Enrollment Invitations page. For information, see Send an enrollment invitation.

Note: If you plan to use custom notification templates, you must set up the templates before you configure enrollment modes. For more information about notification templates, see Creating or Updating Notification Templates.

1. On the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

2. Click Enrollment. The Enrollment page appears, containing a table of all available enrollment modes. By default, all enrollment modes are enabled.

3. Select any enrollment mode in the list to edit it. Then, set the mode as the default, disable the mode, or allow users access through the Self Help Portal.

Note: When you select the check box next to an enrollment mode, the options menu appears above the enrollment mode list. When you click anywhere else in the list, the options menu appears on the right side of the listing.

Choose from these enrollment modes:

  • User name + Password
  • High Security
  • Invitation URL
  • Invitation URL + PIN
  • Invitation URL + Password
  • Two Factor
  • User name + PIN

You can use enrollment invitations to restrict enrollment to users with an invitation only.

You can use one-time PIN (OTP) enrollment invitations as a two-factor solution. OTP enrollment invitations control the number of devices a user may enroll.

For environments with the highest security requirements, you can tie enrollment invitations to a device by SN/UDID/IMEI. A two-factor option is also available to require an Active Directory password and an OTP.

To edit an enrollment mode

1. In the Enrollment list, select an enrollment mode and then click Edit. The Edit Enrollment Mode page appears. Depending on the mode you select, you may see different options.

2. Change the following information as appropriate:

  • Expire after: Type an expiration deadline after which users cannot enroll their devices. This value appears in the user and group enrollment invitation configuration pages.

    Note: Type 0 to prevent the invitation from expiring.

  • Days: In the list, click Days or Hours to correspond to the expiration deadline you entered in Expire after.
  • Maximum attempts: Type the number of attempts to enroll that a user can make before being locked out of the enrollment process. This value appears in the user and group enrollment invitation configuration pages.

    Note: Type 0 to allow unlimited attempts.

  • PIN length: Type a numeral to set the length of the generated PIN.
  • Numeric: In the list, click Numeric or Alphanumeric for the PIN type.
  • Notification templates:
    • Template for enrollment URL: In the list, click a template to use for the enrollment URL. For example, the Enrollment invitation template sends users an email or SMS message, depending on how you configured the template, that lets them enroll their devices in XenMobile. For more information on notification templates, see Creating or updating Notification Templates.
    • Template for enrollment PIN: In the list, click a template to use for the enrollment PIN.
    • Template for enrollment confirmation: In the list, click a template to use to inform a user that they enrolled successfully.

3. Click Save.

To set an enrollment mode as default

When you set an enrollment mode as the default, the mode is used for all device enrollment requests unless you select a different enrollment mode. If no enrollment mode is set as the default, you must create a request for enrollment for each device enrollment.

Note: The only enrollment modes that you can use as a default are Username + Password, Two Factor, or Username + PIN.

1. Select the default enrollment mode, either Username + Password, Two Factor, or Username + PIN.

Note: To use a mode as the default, first enable it.

2. Click Default. The selected mode is now the default. If any other enrollment mode was set as the default, the mode is no longer the default.

To disable an enrollment mode

Disabling an enrollment mode makes it unavailable for use, both for group enrollment invitations and on the Self Help Portal. You may change how you allow users to enroll their devices by disabling one enrollment mode and enabling another.

1. Select an enrollment mode.

Note: You cannot disable the default enrollment mode. If you want to disable the default enrollment mode, you must first remove its default status.

2. Click Disable. The enrollment mode is no longer enabled.

To enable an enrollment mode on the Self Help Portal

Enabling an enrollment mode on the Self Help Portal lets users enroll their devices in XenMobile individually.

Note:

  • The enrollment mode must be enabled and bound to notification templates to be made available on the Self Help Portal.
  • You can only enable one enrollment mode on the Self Help Portal at a time.

1. Select an enrollment mode.

2. Click Self Help Portal. The enrollment mode you selected is now available to users on the Self Help Portal. Any mode already enabled on the Self Help Portal is no longer available to users.

Adding or removing groups

You manage groups in the Manage Groups dialog box in the XenMobile console on these pages: Users, Add Local User, or Edit Local User. There is no group edit command.

If you remove a group, keep in mind that removing the group has no effect on user accounts. Removing a group simply removes user association with that group. Users also lose access to apps or profiles provided by the Delivery Groups that are associated with that group; any other group associations, however, remain intact. If users are not associated with any other local groups, they are associated at the top level.

To add a local group

1. Do one of the following:

  • On the Users page, click Manage Local Groups.
  • On either the Add Local User page or the Edit Local User page, click Manage Groups.

The Manage Groups dialog box appears.

2. Below the group list, type a new group name and then click the plus sign (+). The user group is added to the list.

3. Click Close.

To remove a group

Note: Removing a group has no effect on user accounts. Removing a group simply removes the users' association with that group. Users also lose access to apps or profiles provided by the Delivery Groups that are associated with that group; any other group associations, however, remain intact. If users are not associated with any other local groups, they are associated at the top level.

1. Do one of the following:

  • On the Users page, click Manage Local Groups.
  • On either the Add Local User page or the Edit Local User page, click Manage Groups.

The Manage Groups dialog box appears.

2. On the Manage Groups dialog box, click the group you want to delete.

3. Click the trash can icon to the right of the group name. A confirmation dialog box appears.

4. Click Delete to confirm the operation and remove the group.

Important: You cannot undo this operation.

5. On the Manage Groups dialog box, click Close.

Create and manage workflows

You can use workflows to manage the creation and removal of user accounts. Before you can use a workflow, identify individuals in your organization who have the authority to approve user account requests. Then, you can use the workflow template to create and approve user account requests.

When you set up XenMobile for the first time, you configure workflow email settings, which must be set before you can use workflows. You can change workflow email settings at any time. These settings include the email server, port, email address, and whether the request to create the user account requires approval.

You can configure workflows in two places in XenMobile:

  • In the Workflows page in the XenMobile console. On the Workflows page, you can configure multiple workflows for use with app configurations. When you configure workflows on the Workflows page, you can select the workflow when you configure the app.
  • When you configure an application connector in the app, you provide a workflow name and then configure the individuals who can approve the user account request. See Adding Apps to XenMobile.

You can assign up to three levels for manager approval of user accounts. If you need other persons to approve the user account, you can search for and select them by using their name or email address. When XenMobile finds the person, you then add them to the workflow. All individuals in the workflow receive emails to approve or deny the new user account.

1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

2. Click Workflows. The Workflows page appears.

3. Click Add. The Add Workflow page appears.

4. Configure these settings:

  • Name: Type a unique name for the workflow.
  • Description: Optionally, type a description for the workflow.
  • Email Approval Templates: In the list, select the email approval template to be assigned. You create email templates in the Notification Templates section under Settings in the XenMobile console. When you click the eye icon to the right of this field, you see a preview of the template you are configuring.
  • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
    • Not Needed
    • 1 level
    • 2 levels
    • 3 levels
  • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
  • Find additional required approvers: Type a name in the search field and then click Search. Names originate in Active Directory.
  • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
    • To remove a name from the list, do one of the following:
      • Click Search to see a list of everyone in the selected domain.
      • Type a full or partial name in the search box, and then click Search to limit the search results.
      • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name that you want to remove.

5. Click Save. The created workflow appears on the Workflows page.

After you create the workflow, you can view the workflow details, view the apps associated with the workflow, or delete the workflow. You cannot edit a workflow after you create the workflow. If you need a workflow with different approval levels or approvers, create another workflow.

To view details and delete a workflow

1. On the Workflows page, in the list of existing workflows, select a specific workflow. To do that, click the row in the table or select the check box next to the workflow.

2. To delete a workflow, click Delete. A confirmation dialog box appears. Click Delete again.

Important: You cannot undo this operation.