Product Documentation

Defining Users and Groups

Oct 20, 2015
User account objects represent the users of the mobile devices managed by Device Manager. User accounts are associated to devices by Device Manager as part of the authentication process. Maintaining an accurate roster of users improves mobile device and service management. Groups are logical collections of users that serve as targets for management tasks, such as applying settings, implementing policies, and deploying software.
Note: Device Manager manages group of users, not individual user accounts.

User Account Information

Device Manager supports the following sources of user account information:

  • LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory to import groups, user accounts, and related properties.
    Note: Device Manager retains the source of user accounts. As a result, certain operations are not permitted on user accounts that you source from LDAP directories.
  • Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.
  • Importing a provisioning file. You can develop a file outside of Device Manager containing user accounts and properties and then import the file. Device Manager automatically creates objects and sets properties values.

User accounts appear in the user table within the main display area of the Users tab. The table depicts each user account associated with the group that you select in the Group pane. The User toolbar provides available tasks to perform on user accounts. You can manipulate the table appearance.

The groups in which a user account is a member appear in the Groups column. Note that multiple groups appear as a multi-line entry. User accounts also appear in the Devices table. The user associated with a particular device appears in the User column. The user account shown in the User column represents the user that enrolled on that device.

Group Information

The group structure in Device Manager is flexible. Users may belong to multiple groups, groups may be nested inside of other groups, and the number of groups is not limited. You can create permanent or ad-hoc groups to suit any purpose. Device Manager supports the following sources of group information:

  • LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory to import groups, user accounts, and related properties.
  • Manual entry. You can use group maintenance forms in Device Manager to quickly create groups.

Groups appear in the Group pane, the area to the left on the Users tab. The pane depicts groups in a hierarchical arrangement with the number of members in each group given as a number in parentheses after each group name. A default group is automatically created during Device Manager installation to serve as the top-level node for the group hierarchy; all other groups appear as children of this node. Groups imported from LDAP-compliant directories also appear in the group hierarchy, with the LDAP directory name as the primary node. The individual groups of the LDAP directory appear as children of the primary node.

Groups may be nested in the hierarchy without limit. Fully-qualified group names use periods as delimiters. For example, a group of name Corporate.Sales.SalesSupport.Admin implies a nesting model based on organizational structure.
Note: User accounts may exist at any level. Thus, on a parent node, the count of group members represents the user accounts associated with that discrete node, and not the sum of the accounts associated with the nodes children.

Groups also appear in the User table. The groups a user belongs to appear in the Groups column.

Creating an LDAP Connection to a User Directory

From the Options dialog box in Device Manager, you can perform the following actions for LDAP connections:

  • Create a new LDAP connection.
  • Edit an existing connection.
  • Set the default LDAP connection.
  • Activate or deactivate an LDAP connection.
  1. To create a new LDAP connection, click New.
  2. Select which type of directory (LDAP or LDAPS).
  3. If you chose an LDAPS connection, enter the required parameters and then click Import.
  4. After the SSL certificate is successfully imported, click Next.
  5. Define the connection parameters.

    Make sure that the Search user Service Account has the following rights granted to it:

    Note: In the lockout limit field, the default is set to zero. However, Citrix recommends using a higher value, as well as a value that is slightly lower than the lockout limit set on your LDAP server. For example, if your LDAP server is configured to a limit of five attempts before lockout, Citrix suggests that you enter a 4 or a 3 in this field.
  6. Click Check to test the connection with the LDAP or LDAPS directory. If the connection check with the directory is successful, the following message appears: LDAP directory binding successful.
  7. Click OK and then click Next to map the directory attributes to the Device Manager Repository database. You can leave that step as it is and Device Manager will automatically bind the default fields.
  8. Click Next to define the mapping between the LDAP groups and Device Manager roles. To add a new group, press Add a group. Select a group and define the role you want to give to that LDAP group.
    Note: Unlike the process for creating groups within the web console in a standalone manner in which roles are given to users; here roles are given to an LDAP group.
  9. Specify which LDAP or LDAPS directory groups are imported in the Device Manager Repository database and then click Next. A window appears summarizing the directory connection configuration.
  10. Click Finish to save the parameters in the Device Manager database.

To add, edit, or delete user accounts

You manage user accounts in on the Device Manager User table toolbar or the context menu.

To add a user account

  1. In the group pane, select a group of which the user account will be a member.
  2. Click New user from the toolbar or context menu. The Create a new user window appears.
  3. Type a unique name for the user and a password.
  4. Select an entry from the Role drop-down list. For more information about roles, see User Accounts and Roles.
  5. Optionally, on the Properties tab, set user account attributes.

To edit a user account

  1. In the group pane, select the group of which the user account is a member.
  2. Click the user account to edit and then click Update. The Update a user window appears.
  3. Revise the user account data and then click Update to save the changes.
    Note: If you edit the properties of accounts that you source from an LDAP directory, you do not change data in the directory.

To delete a user account

  1. In the group pane, select the group of which the user account is a member.
  2. Click the user account to delete, click Delete on the toolbar and then click Yes to confirm the deletion.
    Important: You cannot undo this operation.
    Note: If you delete an account that you sourced from an LDAP directory, you only remove the account from the Device Manager database; you do not change the account information in the directory.

To add or delete groups

You manage groups from the Group pane toolbar or context menu. Device Manager does not have a group edit command, because the only accessible property of a group object is its name.

To add a group

  1. Select the parent node of the group.
  2. Click New group. The Create a new group window appears.
  3. Type a name for the group and then click Create. The group name must be unique relative to its peers in the group hierarchy. In addition, groups may not be added to group nodes that you import from LDAP-compliant directories.

To delete a group

Deleting a group has no effect on user accounts. You can only remove user accounts by using the Delete User command.

  1. Select the group to delete.
  2. Click Delete.
  3. Click Yes to confirm the operation and remove the group.
    Important: You cannot undo this operation.

User Accounts and Roles

You manage user accounts by using the following commands on the Users tab and context menu in the Device Manager web console.

  • New user. Add a user account to Device Manager.
  • Update. Edit a user account.
  • Manage. Maintain a user account’s membership in Device Manager groups, subject to certain limitations.
  • Delete. Remove a user account from Device Manager.
  • Import. Read a provisioning file containing user accounts or properties to automatically create user account objects and update their attributes.

You can search for user accounts, using the Search tool on the Users tab. Note that searches are not case sensitive. Search results display matching user accounts in a separate table that does not include a "currently selected group" in the Group pane. That is, no groups are selected.

User Roles in Device Manager

Device Manager implements four default user roles to logically separate access to system functions, as shown in the following table. Citrix recommends that you assign the Support role to Help Desk staff who need the ability to implement remote control sessions on mobile devices.

System function Administrator Support Provisioning User

Log on to console



Start remote support sessions




Provision devices





Use managed device





You can use role-based access control (RBAC) to create new user roles with permissions to access specific system functions beyond the functions defined by the default roles. Create new roles in Device Manager and then select the specific features to which you want these roles to have access. For example, you may want to create custom roles to:

  • Prevent some administrators from viewing or wiping the devices of specific users.
  • Allow specific users to run reports without granting them any other permissions.
  • Enable super users to have full access, including the ability to create and limit other user roles.
  • Enroll shared devices. For details, see Shared Devices.

You can view details about users and groups, such as the dates you created and modified a user or group, on the Reporting tab of the console.

Configuring Custom Roles with Role-Based Access Control (RBAC)

You can use the role-based access control (RBAC) feature in Device Manager to do the following:

  • Create a new access control role (associate actions with roles).
  • Add groups to a role.
  • Associate users with roles.

To access the feature, in Device Manager, click Options in the upper-right corner and then click Role Based Access Control.

To create a new access control role

You need to create an access control role in order to enable RBAC in Device Manager.

  1. In the Role Based Access Control panel, click New.
  2. In the Create an admin role dialog box, enter a name for the role.
  3. Select the features you want to enable for the role and then click Create.

To add groups to a role

When you create a new role, you can also associate a user group with the role as part of the role definition.

  1. In the Role Based Access Control panel, select a role and then click Edit.
  2. In the Role dialog box, in the Permissions list, select the feature access you want to associate with a role.
  3. Under Restrict Group Access, select the group you want to have access to the role and then click Save. The group you select and the users in the group receive access to the features you choose.

To associate users with a role

After you create a new role, you can associate users with the role.

  1. In Device Manager, click the Users tab and then in the User table, double-click a user or click New User.
  2. In the New User dialog box, enter the user name and password.
  3. In the Role list, click the role you want to associate with a user and then click Create.

Role-Based Access Control (RBAC) Permissions

You can use role-based access control (RBAC) to create custom roles in Device Manager, beyond the default roles. Custom roles grant permissions to user accounts to target specific functionality. For example, you can create a role to grant limited access to devices to enable specific administrators to perform only basic device operations and run reports. When an administrator with this role logs on to the Device Manager web console, only the Devices and Reporting tabs appear. If the administrator has reporting rights only, the Device tab does not appear, but the About tab appears. The About tab appears by default for administrators who have no other rights.

You can associate both users and groups with roles. For example, if you import Microsoft Active Directory groups into Device Manager, you can apply fine-grained access control to those groups. The features and access you can associate with a role are described in the following table.

Role Functionality


Enables access to all functionality within Device Manager (all functionality listed in this table).

Authorised access

Enables access to the console and/or the Self Help Portal, plus device access for remote support and remote support access.

The Shared devices enroller permission is used to create a specific user account for enrolling shared devices. For details, see Shared Devices.


Grants permissions to view the entire Device Manager Dashboard and the ability to customize the Dashboard.

To perform actions in the Dashboard, such as sending notifications or wiping devices, administrators must be granted those specific permissions. If an administrator is prevented from viewing specific groups, the devices belonging to users in the blocked groups do not appear on the Dashboard.


Enables access to the Devices tab in the console and the ability to perform general device management tasks, such as editing device properties, locking and unlocking devices, and wiping devices.

The View locations permissions enable administrators to see device locations and to locate or track devices. Selecting the Deploy to device permission enables administrators to push deployment packages to devices. The Notification to device permission is used to select a notification template and send notifications to devices through email, SMS, or agent push notifications.


Grants permissions to create and manage users and groups.

The Users import permission enables administrators to import lists of users from a file.


Enables access to the Enrollment tab in the console, including all functionality related to enrollment (including setting default enrollment modes), configuring enrollment notification servers (SMTP and Secure Mobile Gateway), modifying and creating enrollment templates, and sending enrollment notifications.


Enables access to the Policies tab in the console and all features related to defining and implementing policies, such as security and password policies, Exchange ActiveSync policies, and application tunneling.

The Apply policy permission enables administrators to deploy policies in a deployment package.


Enables access to the Files tab in the console and the ability to add, delete, and download files.


Enables access to the Applications tab in the console, including the ability to upload and define applications, and to create custom categories to organize the applications you deploy to users' devices.


Enables access to the Deployment tab in the console and all functionality related to device deployment, such as the ability to create, edit, deploy, and delete packages.


Enables access to the Reporting tab in the console and the ability to run and view reports.


Enables access to the About tab in the console, including the ability to edit and upload an APNS certificate, and edit XenMobile MDM licenses.

The Connections Informations permission enables administrators to view server-related information, such as security parameters, Java Virtual Machine (JVM) information, and system health.


Enables access to the XenMobile Server Options dialog box in the console, including the ability to configure RBAC and to configure connections to LDAP servers.

Restrict group access

Enables you to associate groups with the current role. When a group is associated with a role, administrators in that group can only see devices associated with that group. If an administrator belongs to more than one group, all the permissions related to all the groups are merged into the role.

To import user accounts and properties from a provisioning file

You can import user accounts and properties from a file called a provisioning file, which you can create manually.
Note: If you are importing users from an LDAP directory, use the domain name along with the user name in the import file. For example, specify This syntax prevents additional lookups that will slow the import speed. If importing users to the Device Manager internal user directory, disable the default domain in order to speed up the import process. You can reenable the default domain after the import of internal users is completed.

After a provisioning file is prepared, use the Import icon on the toolbar to read the file by following this procedure:

  1. From the Users tab toolbar, click Import. The Import a provisioning file window appears.
  2. In Provisioning file type, click Users or User Properties. If you click User Properties, you do not create an account.
  3. In Provisioning file location, browse to the location of the file and then click Import.

Provisioning File Formats

A provisioning file that you create manually and use to import user accounts and properties to Device Manager needs to have the following format:

For a user provisioning file of a .csv file type, the field separator is the ';'. The fields are the following:


Note: Because ';' is used as the separator character, it needs to be escaped if present in string values -> '\;'

An example of a user provisioning file content is as follows:


in which:

  • User: user01
  • Password: pwd;01
  • Role: USER
    Note: Role can only be one of the following: USER, ADMIN, SUPPORT, or DEVICE_PROVISIONING
  • Groups:
    • myGroup.users02
    • myGroup.users02
    • myGroup.users.users01
      Note: The '.' character is used as a separator to create group hierarchy, and so this character is forbidden in the groups name.

An example of the file format to provision user attributes is as follows:


Note: Because ';' is used as the separator character, it needs to be escaped if present in string values -> '\;'

An example of a user attributes provisioning file is as follows:

user01;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value

in which:

  • User: user01
  • Property 1:
    • name: propertyN
    • value: propertyV;test;1;2
      Note: Property attributes must be lower case. The database is case sensitive.
  • Property 2:
    • name: prop 2
    • value: prop2 value