Citrix Endpoint Management

User communities

February 23, 2024

Contributed by:

K C

Every organization consists of diverse user communities that operate in different functional roles. These user communities do different tasks and office functions using various resources that you provide through user mobile devices. Users might work from home or in remote offices using mobile devices that you provide. Or, users might use personal mobile devices, which allow them to access tools that are subject to certain security compliance rules.

With more user communities using mobile devices, Enterprise Mobility Management (EMM) becomes critical to prevent a data leak and to enforce organizational security restrictions. For efficient and more sophisticated Mobile Device Management, you can categorize your user communities. Doing so simplifies the mapping of users to resources and makes sure that the right security policies apply to the right users.

Categorizing user communities can include the use of the following components:

Active Directory Organizational Units (OUs) and Groups

Users added to specific Active Directory security groups can receive policies and resources such as apps. Removing users from the Active Directory security groups removes access to previously allowed Citrix Endpoint Management resources.
Citrix Endpoint Management local users and groups

For users who don’t have an account in Active Directory, you can create the users as local Citrix Endpoint Management users. You can add local users to delivery groups and provision resources to them in the same manner as Active Directory users.
Citrix Endpoint Management delivery groups

If many groups of users with different levels of permissions are to consume a single app, you might want to create separate delivery groups. With separate delivery groups, you can deploy two separate versions of the same app. Citrix recommends creating delivery groups before you create device policies.
Delivery group and user group mapping

Delivery group to Active Directory group mappings can be either one-to-one, or one-to-many. Assign base policies and apps to a one-to-many delivery group mapping. Assign function-specific policies and apps to one-to-one delivery group mappings.
Delivery Group and Resource Mapping of Apps

Assign specific apps to each delivery group.
Delivery Group and Resource Mapping of MDM Resources

Assign apps and specific device management resources to each delivery group. For example, configure a delivery group with any mix of the following: Types of apps (public, HDX, and so on), specific apps per app type, and resources such as device policies and automated actions.

The following example illustrates how the user communities of a healthcare organization are classified for EMM.

Use case

This example healthcare organization provides technology resources and access to many users, including network and affiliate employees and volunteers. The organization has chosen to roll out the EMM solution to non-executive users only.

You can divide user roles and functions for this organization into subgroups including: clinical, non-clinical, and contractors. A selected set of users receives corporate mobile devices, while others can access limited company resources from their personal devices (BYOD). To enforce the appropriate level of security restrictions and prevent data leaks, the organization decided that corporate IT manages each enrolled device. Also, users can only enroll a single device.

The following sections provide an overview of the roles and functions of each subgroup.

Clinical

Nurses
Physicians (Doctors, Surgeons, and so on)
Specialists (Dieticians, anesthesiologists, radiologists, cardiologists, oncologists, and so on)
Outside physicians (Non-employee physicians and office workers that work from remote offices)
Home Health Services (Office and mobile workers doing physician services for patient home visits)
Research Specialist (Knowledge Workers and Power Users at six Research Institutes doing clinical research to find answers to issues in medicine)
Education and Training (Nurses, physicians, and specialists in education and training)

Non-clinical

Shared Services (Office workers doing various back-office functions including: HR, Payroll, Accounts Payable, Supply Chain Service, and so on)
Physician Services (Office workers doing various healthcare management, administrative services, and business process solutions to providers, including: Administrative Services, Analytics and Business Intelligence, Business Systems, Client Services, Finance, Managed Care Administration, Patient Access Solutions, Revenue Cycle Solutions, and so on)
Support Services (Office workers doing various non-clinical functions including: Benefits Administration, Clinical Integration, Communications, Compensation and Performance Management, Facility and Property Services, HR Technology Systems, Information Services, Internal Audit and Process Improvement, and so on.)
Philanthropic Programs (Office and mobile workers that do various functions in support of philanthropic programs)

Contractors

Manufacturer and vendor partners (Onsite and remotely connected via site-to-site VPN providing various non-clinical support functions)

Based on the preceding information, the organization created the following entities. For more information about delivery groups in Citrix Endpoint Management, see Deploy resources in the Citrix Endpoint Management product documentation.

Active Directory Organizational Units (OUs) and Groups

For OU = Citrix Endpoint Management Resources

OU = Clinical; Groups =
- XM-Nurses
- XM-Physicians
- XM-Specialists
- XM-Outside Physicians
- XM-Home Health Services
- XM-Research Specialist
- XM-Education and Training
OU = Non-Clinical; Groups =
- XM-Shared Services
- XM-Physician Services
- XM-Support Services
- XM-Philanthropic Programs

Citrix Endpoint Management Local Users and Groups

For Group= Contractors, Users =

Vendor1
Vendor2
Vendor 3
… Vendor 10

Citrix Endpoint Management Delivery Groups

Clinical-Nurses
Clinical-Physicians
Clinical-Specialists
Clinical-Outside Physicians
Clinical-Home Health Services
Clinical-Research Specialist
Clinical-Education and Training
Non-Clinical-Shared Services
Non-Clinical-Physician Services
Non-Clinical-Support Services
Non-Clinical-Philanthropic Programs

Delivery Group and User Group mapping

Active Directory Groups	Citrix Endpoint Management Delivery Groups
XM-Nurses	Clinical-Nurses
XM-Physicians	Clinical-Physicians
XM-Specialists	Clinical-Specialists
XM-Outside Physicians	Clinical-Outside Physicians
XM-Home Health Services	Clinical-Home Health Services
XM-Research Specialist	Clinical-Research Specialist
XM-Education and Training	Clinical-Education and Training
XM-Shared Services	Non-Clinical-Shared Services
XM-Physician Services	Non-Clinical-Physician Services
XM-Support Services	Non-Clinical-Support Services
XM-Philanthropic Programs	Non-Clinical-Philanthropic Programs

Delivery Group and Resource mapping of apps

	Secure Mail	Secure Web	Citrix Files	Workspace app	SalesForce1	EpicCare Haiku	Epic Hyperspace
Clinical-Nurses	X	X	X
Clinical-Physicians
Clinical-Specialists
Clinical-Outside Physicians	X		X
Clinical-Home Health Services	X		X
Clinical-Research Specialist	X		X
Clinical-Education and Training						X	X
Non-Clinical-Shared Services						X	X
Non-Clinical-Physician Services						X	X
Non-Clinical-Support Services	X		X			X	X
Non-Clinical-Philanthropic Programs	X		X			X	X
Contractors	X		X	X	X	X	X

Delivery Group and Resource mapping of MDM Resources

	MDM: Device Restrictions	MDM: Network policy
Clinical-Nurses		X
Clinical-Physicians	X
Clinical-Specialists
Clinical-Outside Physicians
Clinical-Home Health Services
Clinical-Research Specialist
Clinical-Education and Training
Non-Clinical-Shared Services
Non-Clinical-Physician Services
Non-Clinical-Support Services
Non-Clinical-Philanthropic Programs
Contractors		X

Notes and considerations

Citrix Endpoint Management creates a default delivery group named All Users during the initial configuration. If you do not disable this Delivery Group, all Active Directory users have the right to enroll into Citrix Endpoint Management.
Citrix Endpoint Management synchronizes Active Directory users and groups on demand using a dynamic connection to the LDAP server.
If a user is part of a group that is not mapped in Citrix Endpoint Management, that user cannot enroll. Likewise, if a user is a member of many groups, Citrix Endpoint Management only categorizes the user as being in the groups mapped to Citrix Endpoint Management.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

User communities

February 23, 2024

Contributed by:

K C

February 23, 2024

Contributed by:

K C

User communities

Use case

Clinical

Non-clinical

Contractors

Active Directory Organizational Units (OUs) and Groups

Citrix Endpoint Management Local Users and Groups

Citrix Endpoint Management Delivery Groups

Delivery Group and User Group mapping

Delivery Group and Resource mapping of apps

Delivery Group and Resource mapping of MDM Resources

Notes and considerations

In this article