Citrix Endpoint Management

Configure roles with RBAC

The role-based access control (RBAC) feature in Endpoint Management lets you assign roles to users and groups. Roles are sets of permissions that control the level of access users have to system functions.

Endpoint Management comes with the following default user roles. You can use the default roles as templates that you customize to create your own user roles.

  • Administrator: Grants full system access.
  • User: Allows users to enroll devices and access the Self-Help Portal.

You can use the RBAC feature in Endpoint Management to:

  • Create and edit user roles.
  • Assign local user groups and Active Directory groups to a role.
  • Assign local users to roles. Use Manage > Users in Endpoint Management to make this assignment.

For cloud administrators, you assign roles in Citrix Cloud. See Manage Citrix Cloud administrators.

Important:

Only new Endpoint Management customers onboarded after October 4, 2021 can assign RBAC roles to cloud administrators.

For details on the predefined Admin and User role permissions, see Predefined roles.

Use the RBAC feature

You can assign roles to local users, to cloud administrators (in Citrix Cloud), and to local user groups and Active Directory groups.

  • Local users: Assign roles to local users using Manage > Users. You can assign only one role to local users. To change the roles, you can manually edit the user account. Or, you can create a group for local users and assign a role to that group.
  • Cloud administrators: A cloud administrator is a special user account that Citrix Cloud creates when an administrator is added to your Citrix Cloud customer account. A cloud administrator account uses the same user name as the administrator account on Citrix Cloud.

    You can assign only one role to cloud administrators. You can’t add these users to a group. Change the roles and permissions of cloud administrators through the Citrix Cloud console. However, these users are listed in the Manage > Users tab in Endpoint Management.

  • Active Directory groups: All users in an Active Directory group have the same permissions. If a user belongs to several Active Directory groups, all the permissions merge to define the permissions for that user. For example, suppose ADGroupA users can locate manager devices and ADGroupB users can wipe employee devices. A user who belongs to both groups can locate and wipe the devices of managers and employees. If a user belongs to groups with conflicting permissions, the allowed permissions prevail.

    Note:

    You can modify the permissions of an Endpoint Management administrator only after the administrator has accepted an administrator invitation and clicked Manage on the Endpoint Management tile.

For more information, see About user accounts.

To add roles and assign them to user groups:

  1. In the Endpoint Management console, to access the Settings page, click the gear icon in the upper-right corner.

  2. Click Role-Based Access Control. The Role-Based Access Control page shows the default user roles and any roles that you added.

    Click the plus sign (+) next to a role to see all the permissions for that role.

  3. To add a role, click Add. Or, to edit a role, click the pen to the right of an existing role.

    Note:

    You can delete a role by clicking the trash can to the right of a role that you defined. You can’t delete the default user roles.

  4. On the Add Role page, enter the following information:

    • RBAC name: Enter a descriptive name for the new user role. You can’t change the name of an existing role.
    • RBAC template: Optionally, select a template as the starting point for the new role. (When editing a role, you can’t select or change templates.) RBAC templates are the default user roles that define the access to system functions.

  5. Click Apply to the right of the RBAC template field to populate the Authorized access and Console features check boxes. Endpoint Management fills those fields with the predefined access and feature permissions for the selected template.

  6. To customize the role, select or clear the check boxes in Authorized access and Console features.

    Click the triangle next to a console feature to select permissions specific to that feature. Clicking the top-level check box does not select the individual permissions. Select individual options after expanding the top-level permission.

  7. Apply permissions: Click To specific user groups to apply permissions to the groups you select.

    For example, if an RBAC administrator has permissions to the ActiveDirectory and MSP user groups:

    • The administrator can access information only for users who are in the ActiveDirectory group, the MSP group, or both of those groups.
    • The administrator can’t view any other local or AD users. The administrator can view users who are members of child groups of either of those groups.
    • The administrator can send invitations to:

      • The permission groups and their child groups
      • The users who are members of permission groups and their child groups

  8. To continue to the Assignment page, click Next.

  9. Enter the following information to assign the role to user groups.

    • Select domain: From the list, select a domain.
    • Include user groups: Click Search to see a list of all available groups. Type a full or partial group name to narrow the search.
    • In the list that appears, select the user groups you want to assign the role to. When you select a user group, the group appears in the Selected user groups list.

    Tip:

    To remove a user group from the Selected user groups list, click the X next to the user group name.

  10. Click Save.
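
The merge rule described under Active Directory groups above (a user in several groups gets the union of their permissions, and allowed permissions win) and the group-scoped permissions of step 7 (an administrator sees only the groups a role is applied to, plus their child groups) are easy to get wrong when auditing who can do what. The following Python is an added example written for this page; it is not Endpoint Management code and calls no Citrix API. The roles, directory groups, users and permission labels are constructed sample data. The model reads the page's ADGroupA/ADGroupB example as "merged permissions apply across the merged scope of all the user's roles", and it also reports which users end up holding the Settings > RBAC permission, which the page warns gives full access including the ability to assign one's own permissions.

```python
"""Model of RBAC permission merging and group scoping (added example, constructed data)."""
from __future__ import annotations

# ---- Constructed sample data; not taken from any real tenant ---------------
# Role -> the permissions it grants and the user groups it is applied to.
# A scope of None models "Apply permissions: to all user groups".
ROLES: dict[str, dict] = {
    "LocateManagers": {
        "permissions": {"Devices/View locations"},
        "scope": {"Managers"},
    },
    "WipeEmployees": {
        "permissions": {"Devices/Selective Wipe device"},
        "scope": {"Employees"},
    },
    "Administrator": {
        "permissions": {
            "Devices/View locations",
            "Devices/Selective Wipe device",
            "Settings/RBAC",
        },
        "scope": None,
    },
}

# Directory group -> the single role assigned to it.
ROLE_ASSIGNMENTS: dict[str, str] = {
    "ADGroupA": "LocateManagers",
    "ADGroupB": "WipeEmployees",
    "ITAdmins": "Administrator",
}

# Child group -> parent group, used for the "child groups are visible" rule.
GROUP_PARENTS: dict[str, str] = {
    "Managers-EMEA": "Managers",
    "Contractors": "Employees",
}

# User -> directory groups the user is a member of.
USER_GROUPS: dict[str, set[str]] = {
    "alice": {"ADGroupA", "ADGroupB"},
    "bob": {"ADGroupB"},
    "carol": {"ITAdmins"},
}


def descendants(group: str) -> set[str]:
    """Return a group together with every group nested below it."""
    result = {group}
    changed = True
    while changed:  # iterate until no new child groups are discovered
        changed = False
        for child, parent in GROUP_PARENTS.items():
            if parent in result and child not in result:
                result.add(child)
                changed = True
    return result


def roles_for(user: str) -> set[str]:
    """Roles reached through any of the user's directory groups."""
    return {ROLE_ASSIGNMENTS[g] for g in USER_GROUPS.get(user, set())
            if g in ROLE_ASSIGNMENTS}


def effective_permissions(user: str) -> set[str]:
    """Union of every role's permissions: conflicts resolve toward 'allowed'."""
    perms: set[str] = set()
    for role in roles_for(user):
        perms |= ROLES[role]["permissions"]
    return perms


def visible_groups(user: str) -> set[str] | None:
    """Groups the user may act on: each role's scope plus its child groups.
    None means unrestricted (some role applies to all user groups)."""
    groups: set[str] = set()
    for role in roles_for(user):
        scope = ROLES[role]["scope"]
        if scope is None:
            return None
        for g in scope:
            groups |= descendants(g)
    return groups


def can_act_on(user: str, permission: str, target_group: str) -> bool:
    """True when the user holds the permission and the target group is in scope."""
    if permission not in effective_permissions(user):
        return False
    visible = visible_groups(user)
    return visible is None or target_group in visible


def rbac_permission_holders() -> list[str]:
    """Audit: users who can edit RBAC and therefore assign their own permissions."""
    return sorted(u for u in USER_GROUPS
                  if "Settings/RBAC" in effective_permissions(u))


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, sorted(effective_permissions(user)), visible_groups(user))
    print("Can assign their own permissions:", rbac_permission_holders())
```

Running the script prints each user's effective permissions and visible groups. With alice in both ADGroupA and ADGroupB she can locate devices in the Employees group and its child Contractors even though only ADGroupB was ever applied to employees, which is exactly the merge the page describes; replacing the constructed dictionaries with an export of your own group membership and role assignments turns this into a quick check for who reaches the RBAC permission through group nesting.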

Predefined roles

Each predefined RBAC role has certain associated access and feature permissions. The tables that follow describe each of the permissions for the Admin role and for the User role. You can’t delete or edit the predefined roles.

Important:

Under the Settings permission, the RBAC permission gives Admin users full access, including the ability to assign their own permissions. Give this access only to users who you intend to give the ability to manipulate everything in the Endpoint Management system.

Admin role

The predefined Admin role provides specific access in Endpoint Management. By default, Authorized access (except Self-Help Portal), Console features, and Apply permissions are enabled.

You can change the role for local users who are assigned the Admin role by using Manage > Users. For cloud users who have the Admin role, use the Citrix Cloud console to change the role. By default, cloud and local users with the Admin role have Full access.

Authorized access for administrators

  • Admin console access: Administrators can access all features on the Endpoint Management console.
  • Self-Help Portal access: By default, administrators can’t access the Self-Help Portal. (Users with the User role can access only the Self-Help Portal.)
  • Remote Support access: Administrators can access the Remote Support feature.
  • Public API access: Administrators can access the public API to perform actions programmatically that are available on the Endpoint Management console. The actions include administering certificates, apps, devices, delivery groups, and local users.

Console features for administrators

Administrators have unrestricted access to the Endpoint Management console.

  • Dashboard: The Dashboard is the first page that administrators see after logging on to the Endpoint Management console. The Dashboard shows basic information about notifications and devices.
  • Reporting: The Analyze > Reporting page provides pre-defined reports that let you analyze your app and device deployments.
  • Devices: The Manage > Devices page is where you manage user devices. You can add individual devices on the page or import a device provisioning file to add multiple devices at one time.
  • Local Users and Groups: The Manage > Users page is where you can add, edit, or delete local users and local user groups.
  • Enrollment: The Manage > Enrollment Invitations page is where you manage how users are invited to enroll their devices in Endpoint Management.
  • Policies: The Configure > Device Policies page is where you manage device policies, such as VPN and network.
  • App: The Configure > Apps page is where you manage the various apps that users can install on their devices.
  • Media: The Configure > Media page is where you manage the various media that users can install on their devices.
  • Action: The Configure > Actions page is where you manage responses to trigger events.
  • Delivery Group: The Configure > Delivery Groups page is where you manage delivery groups and the resources associated with them.
  • Enrollment Profile: The Configure > Enrollment Profiles page is where you specify how users can enroll their devices.
  • Alexa for Business: The Settings page is where you manage your Alexa for Business profiles.
  • Settings: The Settings page is where you manage system settings, such as client and server properties, certificates, and credential providers. Important: These settings include the RBAC permission. The RBAC permission gives admins full access, including the ability to assign their own permissions. Give this access only to users who you intend to give the ability to manipulate everything in the Endpoint Management system.
  • Support: The Troubleshooting and Support page is where you perform troubleshooting activities such as running diagnostics and generating logs.

Device restrictions for administrators

Administrators access device features throughout the console by setting device restrictions, setting up and sending notifications to devices, administering apps on the devices, and so on.

  • Full Wipe device: Erase all data and apps from a device, including memory cards if the device has one.
  • Clear Restriction: Remove one or more device restrictions.
  • Selective Wipe device: Erase all corporate data and apps from a device, leaving personal data and apps in place.
  • View locations: See the location of and set geographic restrictions on a device. Includes: Locate device, Track device.
  • Lock device: Remotely lock a device so that users can’t use the device.
  • Unlock device: Remotely unlock a device so that users can use the device.
  • Lock container: Remotely lock the corporate container on a device.
  • Unlock container: Remotely unlock the corporate container on a device.
  • Reset container password: Reset the corporate container password.
  • Enable ASM/Bypass activation lock: Store a bypass code on a supervised iOS device when Activation Lock is enabled. To erase the device, use this code to clear the Activation Lock automatically.
  • Get Resident Users: List the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Force a log out of the current user.
  • Delete Resident User: Delete the current session for a specific user. The user can sign in again.
  • Rings the device: Remotely ring a Windows device at full volume for 5 minutes.
  • Reboot the device: Restart Windows devices from the Endpoint Management console.
  • Deploy to device: Send apps, notifications, restrictions, and other resources to a device.
  • Edit device: Change settings on the device.
  • Notification to device: Send a notification to a device.
  • Add/Delete device: Add or remove devices from Endpoint Management.
  • Devices import: Import a group of devices from a file into Endpoint Management.
  • Export device table: Collect device information from the Device page and export it to a .csv file.
  • Revoke device: Prohibit a device from connecting to Endpoint Management.
  • App lock: Deny access to all apps on a device. On Android, this restriction prevents users from signing in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.
  • App wipe: On Android, this restriction deletes the user’s Endpoint Management account. On iOS, this restriction deletes the encryption key required for users to access Endpoint Management features.
  • View software inventory: See what software is installed on a device.
  • Request AirPlay mirroring: Request to start AirPlay streaming.
  • Stop AirPlay mirroring: Stop AirPlay streaming.
  • Enable lost mode: On the Manage > Devices page, you can put a supervised device in lost mode to block a supervised device on the lock screen. You can then locate the device when the device is lost or stolen.
  • Disable lost mode: On the Manage > Devices page, you can disable lost mode for a device that is set to lost mode.
  • OS Update device: You can deploy an OS Update device policy to devices.
  • Shut down device: Shut down iOS devices from the Endpoint Management console.
  • Restart device: Restart iOS devices from the Endpoint Management console.
  • Renew Device Enrollment Certificate: Renew a device CA certificate.

Local Users and Groups

Administrators manage local users and local user groups on the Manage > Users page in Endpoint Management.

  • Add Local Users
  • Delete Local Users
  • Edit Local Users
  • Import Local Users
  • Export Local Users
  • Local User Groups
  • Get Local User Lock ID
  • Delete Local User Lock

Enrollment

Administrators can add and delete enrollment invitations, send notifications to users, and export the enrollment table to a .csv file.

  • Add/Delete enrollment: Add or remove an enrollment invitation to a user or a group of users.
  • Notify user: Send an enrollment invitation to a user or group of users.
  • Export enrollment invitation table: Collect enrollment information from the Enrollment page and export it to a .csv file.

Policies

  • Add/Delete policy: Add or remove a device or app policy.
  • Edit policy: Change a device or app policy.
  • Upload Policy: Upload a device or app policy.
  • Clone Policy: Copy a device or app policy.
  • Disable Policy: Disable an existing app policy.
  • Export Policy: Collect device policy information from the Device Policies page and export it to a .csv file.
  • Assign Policy: Assign a device policy to one or more delivery groups.

App

Administrators manage apps on the Configure > Apps page in Endpoint Management.

  • Add/Delete app store or enterprise app: Add or remove a public app store app or an enterprise app (not MDX-enabled).
  • Edit app store or enterprise app: Change a public app store app or an enterprise app (not MDX-enabled).
  • Add/Delete MDX, Web, and SaaS app: Add or remove an MDX-enabled app, an app from your internal network (Web app), or an app from a public network (SaaS) to Endpoint Management.
  • Edit MDX, Web, and SaaS app: Change an MDX-enabled app, an app from your internal network (Web app), or an app from a public network (SaaS) in Endpoint Management.
  • Add/Delete category: Add or delete a category in which apps can appear in the app store.
  • Assign public/enterprise app to delivery group: Assign a public app store app or an MDX-enabled app to a delivery group for deployment.
  • Assign MDX/WebLink/SaaS app to delivery group: Assign to a delivery group an app that is MDX-enabled, doesn’t require single sign-on (WebLink), or that’s from a public network (SaaS).
  • Export app table: Collect app information from the App page and export it to a .csv file.

Media

Manage media from a public app store or a volume purchase license.

  • Add/Delete app store or enterprise books
  • Assign public/enterprise books to delivery group
  • Edit app store or enterprise books

Action

  • Add/delete action: Add or remove an action defined by a trigger and associated response. A trigger is an event, device or user property, or installed app name.
  • Edit action: Change an action defined by a trigger and associated response. A trigger is an event, device or user property, or installed app name.
  • Assign action to delivery group: Assign an action to a delivery group for deployment to user devices.
  • Export action: Collect action information from the Actions page and export it to a .csv file.

Delivery group

Administrators manage delivery groups from the Configure > Delivery Groups page.

  • Add/delete delivery group: Create or remove a delivery group, which adds specified users and optional policies, apps, and actions.
  • Edit delivery group: Change an existing delivery group, which modifies users and optional policies, apps, and actions.
  • Deploy delivery group: Make the delivery group available for use.
  • Export delivery group: Collect delivery group information from the Delivery group page and export it to a .csv file.

Enrollment profile

Manage enrollment profiles.

  • Add/delete enrollment profile
  • Edit enrollment profile
  • Assign enrollment profile to delivery group

Alexa for Business

Manage Alexa for Business profiles.

  • Add/delete/edit Rooms
  • Add/delete/edit Room profiles
  • Add/delete/edit Skill groups

Settings for administrators

Administrators configure various settings on the Settings pages.

  • RBAC: RBAC Assignment. Important: This permission gives admins full access, including the ability to assign their own permissions. Give this access only to users who you intend to give the ability to manipulate everything in the Endpoint Management system.
  • LDAP: Administer one or more LDAP-compliant directories, such as Active Directory, to import groups, user accounts, and related properties.
  • Enrollment: Enable enrollment security modes for users and the Self-Help Portal.
  • Release Management: View the current installed release. Includes: Release Management Update.
  • Certificates: Edit APNS certificate.
  • Notification Templates: Create notification templates to use in automated actions, enrollment, and standard notification message delivery to users.
  • Workflows: Manage the creation, approval, and removal of user accounts for use with app configurations.
  • Credential Providers: Add one or more credential providers authorized to issue device certificates. The credential providers control the certificate format and the conditions for renewing or revoking the certificate.
  • PKI Entities: Manage public key infrastructure entities (generic, Microsoft Certificate Services, or discretionary CA).
  • Test PKI Connection: Use the Test Connection button on the Settings > PKI Entities page to make sure that the server is accessible.
  • Client Properties: Manage various properties on user devices, such as passcode type, strength, and expiration.
  • Client Support: Set the ways in which users can contact your support services (email, phone, or support ticket email).
  • Client Branding: Create a custom store name and default store views for the app store. Add a custom logo that appears in the app store or Secure Hub.
  • Carrier SMS Gateway: Set up carrier SMS gateways to configure notifications that Endpoint Management sends through carrier SMS gateways.
  • Notification Server: Set up an SMTP gateway server to send email to users.
  • ActiveSync Gateway: Manage access for users and devices through rules and properties.
  • Google Chrome: Configure Endpoint Management to communicate with your Google Workspace account.
  • Apple Deployment Program: Add an Apple Deployment Program account to Endpoint Management.
  • Apple Configurator Device Enrollment: Configure Apple Configurator settings in Endpoint Management.
  • iOS/volume purchase Settings: Add Apple volume purchase accounts.
  • Mobile Service Provider: Use the Mobile Service Provider interface to query BlackBerry and other Exchange ActiveSync devices and to issue operations.
  • NetScaler Gateway: Configure NetScaler Gateway (now renamed Citrix Gateway) settings in Endpoint Management.
  • Network Access Control: Set the conditions that determine a device is noncompliant so that it can’t access the network.
  • Samsung Knox: Enable or disable Endpoint Management to query Samsung Knox attestation server REST APIs.
  • Server Properties: Add or modify server properties. Requires restarting Endpoint Management on all nodes.
  • Virtual Apps and Desktops: Allow users to add Citrix Virtual Apps and Desktops through Citrix Workspace.
  • Citrix Files: When using Endpoint Management with Enterprise accounts: Configure settings to connect to the Content Collaboration and administrator service accounts for user account management. Requires existing Citrix Files domain and administrator credentials. When using Endpoint Management with storage zone connectors: Configure Endpoint Management to point to network shares and SharePoint locations defined in storage zone connectors.
  • Android Enterprise: Configure Android Enterprise server settings.
  • Identity Provider (IdP): Configure an identity provider.
  • Microsoft Store for Business: Configure Microsoft Store for Business settings in Endpoint Management.
  • Endpoint Management Tools: Access the Endpoint Management Tools page.
  • Windows Bulk Enrollment: Configure Windows bulk enrollment settings.

Support

Administrators can do various support tasks.

  • NetScaler Gateway Connectivity Checks: Perform various connectivity checks for NetScaler Gateway by IP address. Requires a user name and password.
  • Endpoint Management Connectivity Checks: Do connectivity checks for selected Endpoint Management features, such as database, DNS, and Google Plan.
  • Citrix Product Documentation: Access the public Citrix Endpoint Management documentation site.
  • Citrix Knowledge Center: Access the Citrix Support site to search for knowledge base articles.
  • Logs: View and download log files.
  • Macros: Populate user or device property data in the text field of a profile, policy, notification, or enrollment template. Configure a single policy, deploy the policy to a large user base, and have user-specific values appear for each targeted user.
  • PKI Configuration: Import and export PKI configuration information.
  • APNS Signing Utility: Submit a request for Apple Push Notification service (APNs) certificate signing, or upload a Secure Mail APNs certificate for iOS.
  • Citrix Insight Services: Upload logs to Citrix Insight Services (CIS) for assistance with various issues.
  • Device Citrix Gateway connector for Exchange ActiveSync Status: Query Endpoint Management for the status of a device sent to the connector for Exchange ActiveSync. The query is based on the device ActiveSync ID.

Restrict Group Access

Admin users can apply permissions to all user groups.

Console features for device provisioning

Device provisioning users have the following restricted access to the Endpoint Management console. By default, each of the following features is enabled.

Device restrictions

  • Edit device: Change settings on the device.
  • Add/Delete device: Add or remove devices from Endpoint Management.

Settings for device provisioning

Device provisioning users can access the Settings page, but do not have the rights to configure the features.

User role

Users with the User role have the following limited access to Endpoint Management.

Authorized access for users

  • Self-Help Portal: Provide users access only to the Self-Help Portal in Endpoint Management.

Console features for users

Users have the following restricted access to the Endpoint Management console.

Device restricted access for users

  • Full Wipe device: Erase all data and apps from a device, including memory cards if the device has one.
  • Selective Wipe device: Erase all corporate data and apps from a device, leaving personal data and apps in place.
  • View locations: See the location of and set geographic restrictions on a device. Includes: Locate device (see the location of a device) and Track device (track device location over time).
  • Lock device: Remotely lock a device so that it cannot be used.
  • Unlock device: Remotely unlock a device so that it can be used.
  • Lock container: Remotely lock the corporate container on a device.
  • Unlock container: Remotely unlock the corporate container on a device.
  • Reset container password: Reset the corporate container password.
  • Enable ASM/Bypass activation lock: Store a bypass code on a supervised iOS device when Activation Lock is enabled. To erase the device, use this code to clear the Activation Lock automatically.
  • Get Resident Users: List the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Force a log out of the current user.
  • Delete Resident User: Delete the current session for a specific user. The user can sign in again.
  • Rings the device: Remotely ring a Windows device at full volume for 5 minutes.
  • Reboot the device: Restart a Windows device.
  • App lock: Deny access to all apps on a device. On Android, users can’t sign in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.
  • App wipe: On Android, this restriction deletes the user’s Endpoint Management account. On iOS, this restriction deletes the encryption key required for users to access Endpoint Management features.
  • View software inventory: See what software is installed on a device.

Enrollment restrictions for users

  • Add/Delete enrollment: Add or remove an enrollment invitation to a user or a group of users.
  • Notify user: Send an enrollment invitation to a user or group of users.

Restrict Group Access for all roles

For the default roles, this permission is set by default and can be applied to all user groups. You can’t edit the role.