Configure roles with RBAC

Each predefined role-based access control (RBAC) role has certain associated access and feature permissions. This article describes what each of those permissions does. For a full list of default permissions for each built-in role, download Role-Based Access Control Defaults.

When you apply permissions, you are defining the user groups the RBAC role has the permission to manage. The default administrator cannot change the applied permission settings. By default, the applied permissions apply to all user groups.

When you make an assignment, you are assigning the RBAC role to a group, so that the group of users owns the RBAC administrator rights.

Admin Role

The following sections list the features that users with the predefined Admin role can and cannot access in Endpoint Management. By default, Authorized access (except Self-Help Portal), Console features, and Apply permissions are enabled.

Authorized access for administrators

  • Admin console access: Administrators have access to all features on the Endpoint Management console.
  • Self-Help Portal access: By default, administrators do not have Self-Help Portal access.
  • Shared devices enroller: By default, administrators do not have Shared devices enroller access. This feature is intended for users who require permission to enroll shared devices.
  • Public API access: Administrators have access to the public API to perform programmatically the actions that are available on the Endpoint Management console. The actions include administering certificates, apps, devices, delivery groups, and local users.
  • COSU devices enroller: By default, administrators do not have access to enroll COSU devices in your Endpoint Management deployment. This feature is intended for users who require permission to enroll COSU devices.

Console features for administrators

Administrators have unrestricted access to the Endpoint Management console.

  • Dashboard: The Dashboard is the first page that administrators see after logging on to the Endpoint Management console. The Dashboard shows basic information about notifications and devices.
  • Reporting: The Analyze > Reporting page provides pre-defined reports that let you analyze your app and device deployments.
  • Devices: The Manage > Devices page is where you manage user devices. You can add individual devices on the page or import a device provisioning file to add multiple devices at one time.
  • Local Users and Groups: The Manage > Users page is where you can add, edit, or delete local users and local user groups.
  • Enrollment: The Manage > Enrollment Invitations page is where you manage how users are invited to enroll their devices in Endpoint Management.
  • Policies: The Configure > Device Policies page is where you manage device policies, such as VPN and WiFi.
  • App: The Configure > Apps page is where you manage the various apps that users can install on their devices.
  • Media: The Configure > Media page is where you manage the various media that users can install on their devices.
  • Smart action: The Configure > Actions page is where you manage responses to trigger events.
  • Enrollment Profile: The Configure > Enrollment Profiles page is where you configure enrollment profiles (modes) to allow users to enroll their devices.
  • Delivery Group: The Configure > Delivery Groups page is where you manage delivery groups and the resources associated with them.
  • Settings: The Settings page is where you manage system settings, such as client and server properties, certificates, and credential providers.
  • Support: The Troubleshooting and Support page is where you perform troubleshooting activities such as running diagnostics and generating logs.

Device restrictions for administrators

Administrators access device features throughout the console by setting device restrictions, setting up and sending notifications to devices, administering apps on the devices, and so on.

  • Full Wipe device: Erase all data and apps from a device, including memory cards if the device has one.
  • Clear Restriction: Remove one or more device restrictions.
  • Selective Wipe device: Erase all corporate data and apps from a device, leaving personal data and apps in place.
  • View locations: See the location of and set geographic restrictions on a device. Includes: Locate device, Track device.
  • Lock device: Remotely lock a device so that users cannot use the device.
  • Unlock device: Remotely unlock a device so that users can use the device.
  • Lock container: Remotely lock the corporate container on a device.
  • Unlock container: Remotely unlock the corporate container on a device.
  • Reset container password: Reset the corporate container password.
  • Enable ASM DEP/Bypass activation lock: Store a bypass code on a supervised iOS device when Activation Lock is enabled. To erase the device, use this code to clear the Activation Lock automatically.
  • Get Resident Users: List the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Force a log out of the current user.
  • Delete Resident User: Delete the current session for a specific user. The user can sign in again.
  • Rings the device: Remotely ring a Windows device at full volume for 5 minutes.
  • Reboot the device: Restart Windows devices from the Endpoint Management console.
  • Deploy to device: Send apps, notifications, restrictions, and other resources to a device.
  • Edit device: Change settings on the device.
  • Notification to device: Send a notification to a device.
  • Add/Delete device: Add or remove devices from Endpoint Management.
  • Devices import: Import a group of devices from a file into Endpoint Management.
  • Export device table: Collect device information from the Device page and export it to a .csv file.
  • Revoke device: Prohibit a device from connecting to Endpoint Management.
  • App lock: Deny access to all apps on a device. On Android, this restriction prevents users from signing in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.
  • App wipe: On Android, this restriction deletes the user’s Endpoint Management account. On iOS, this restriction deletes the encryption key required for users to access Endpoint Management features.
  • View software inventory: See what software is installed on a device.
  • Request AirPlay mirroring: Request to start AirPlay streaming.
  • Stop AirPlay mirroring: Stop AirPlay streaming.
  • Enable lost mode: On the Manage > Devices page, you can put a supervised device in lost mode to block a supervised device on the lock screen. You can then locate the device when the device is lost or stolen.
  • Disable lost mode: On the Manage > Devices page, you can disable lost mode for a device that is set to lost mode.
  • OS Update device: You can deploy a Control OS Updates device policy to devices.
  • Shut down device: Shut down iOS devices from the Endpoint Management console.
  • Restart device: Restart iOS devices from the Endpoint Management console.

Local Users and Groups

Administrators manage local users and local user groups on the Manage > Users page in Endpoint Management.

  • Add/Delete Local Users
  • Edit Local Users
  • Import Local Users
  • Export Local Users
  • Local User Groups

Enrollment

Administrators can add and delete enrollment invitations, send notifications to users, and export the enrollment table to a .csv file.

  • Add/Delete enrollment: Add or remove an enrollment invitation for a user or a group of users.
  • Notify user: Send an enrollment invitation to a user or group of users.
  • Export enrollment invitation table: Collect enrollment information from the Enrollment page and export it to a .csv file.

Policies

  • Add/Delete policy: Add or remove a device or app policy.
  • Edit policy: Change a device or app policy.
  • Upload Policy: Upload a device or app policy.
  • Clone Policy: Copy a device or app policy.
  • Disable Policy: Disable an existing app policy.
  • Export Policy: Collect device policy information from the Device Policies page and export it to a .csv file.
  • Assign Policy: Assign a device policy to one or more delivery groups.

App

Administrators manage apps on the Configure > Apps page in Endpoint Management.

  • Add/Delete app store or enterprise app: Add or remove a public app store app or an app not wrapped with MDX.
  • Edit app store or enterprise app: Edit a public app store app or an app not wrapped with MDX.
  • Add/Delete MDX, Web, and SaaS app: Add or remove apps. A Web app is an app from your internal network. A SaaS app is an app from a public network (SaaS).
  • Edit MDX, Web, and SaaS app: Edit apps.
  • Add/Delete category: Add or delete a category in which apps can appear in the app store.
  • Assign public/enterprise app to delivery group: Assign a public app store app or an app not wrapped with MDX to a delivery group for deployment.
  • Assign MDX/WebLink/SaaS app to delivery group: Assign apps to a delivery group for deployment to user devices. A WebLink app is an app that does not require single sign-on.
  • Export app table: Collect app information from the App page and export it to a .csv file.

Media

Manage media obtained from a public app store or through a VPP license.

  • Add/Delete app store or enterprise books
  • Assign public/enterprise books to delivery group
  • Edit app store or enterprise books

Smart action

  • Add/delete smart action: Add or remove an action that is defined by a trigger (event, device or user property, or installed app name) and an associated response.
  • Edit smart action: Change an action that is defined by a trigger (event, device or user property, or installed app name) and an associated response.
  • Assign smart action to delivery group: Assign an action to a delivery group for deployment to user devices.
  • Export smart action: Collect action information from the Actions page and export it to a .csv file.

Delivery group

Administrators manage delivery groups from the Configure > Delivery Groups page.

  • Add/delete delivery group: Create or remove a delivery group, which adds specified users and optional policies, apps, and actions.
  • Edit delivery group: Change an existing delivery group, which modifies users and optional policies, apps, and actions.
  • Deploy delivery group: Make a delivery group available for use.
  • Export delivery group: Collect delivery group information from the Delivery group page and export it to a .csv file.

Enrollment profile

Manage enrollment profiles.

  • Add/delete enrollment profile
  • Edit enrollment profile
  • Assign enrollment profile to delivery group

Settings for administrators

Administrators configure various settings on the Settings pages.

  • RBAC: RBAC Assignment.
  • LDAP: Administer one or more LDAP-compliant directories, such as Active Directory, to import groups, user accounts, and related properties.
  • Enrollment: Enable enrollment modes for users and the Self-Help Portal.
  • Release Management: View the current installed release. Includes: Release Management Update.
  • Certificates: Edit APNS certificate.
  • Notification Templates: Create notification templates to use in automated actions, enrollment, and standard notification message delivery to users.
  • Workflows: Manage the creation, approval, and removal of user accounts for use with app configurations.
  • Credential Providers: Add one or more credential providers authorized to issue device certificates. The credential providers control the certificate format and the conditions for renewing or revoking the certificate.
  • PKI Entities: Manage public key infrastructure entities (generic, Microsoft Certificate Services, or discretionary CA).
  • Test PKI Connection: Use the Test Connection button on the Settings > PKI Entities page to ensure that the server is accessible.
  • Client Properties: Manage various properties on user devices, such as passcode type, strength, and expiration.
  • Client Support: Set the ways in which users can contact your support services (email, phone, or support ticket email).
  • Client Branding: Create a custom store name and default store views for the app store. Add a custom logo that appears in the app store or Secure Hub.
  • Carrier SMS Gateway: Set up carrier SMS gateways to configure notifications that Endpoint Management sends through carrier SMS gateways.
  • Notification Server: Set up an SMTP gateway server to send email to users.
  • ActiveSync Gateway: Manage user access to users and devices through rules and properties.
  • Google Play Credentials: Set up user name, password, and device ID to allow access to Google Play.
  • Google Chrome: Configure Endpoint Management to communicate with your G Suite account.
  • Apple Device Enrollment Program (DEP): Add an Apple DEP account to Endpoint Management.
  • Apple Configurator Device Enrollment: Configure Apple Configurator settings in Endpoint Management.
  • iOS/VPP Settings: Add Apple Volume Purchase Program accounts.
  • Mobile Service Provider: Use the Mobile Service Provider interface to query BlackBerry and other Exchange ActiveSync devices and to issue operations.
  • NetScaler Gateway: Configure NetScaler Gateway settings in Endpoint Management.
  • Network Access Control: Set the conditions that determine a device is non-compliant and therefore denied access to the network.
  • Samsung KNOX: Enable or disable Endpoint Management to query Samsung KNOX attestation server REST APIs.
  • Server Properties: Add or modify server properties. Requires restarting Endpoint Management on all nodes.
  • XenApp and XenDesktop: Allow users to add XenApp and XenDesktop through Secure Hub.
  • ShareFile: When using Endpoint Management with ShareFile Enterprise: Configure settings to connect to the ShareFile account and administrator service account to manage user accounts. Requires existing ShareFile domain and administrator credentials. When using Endpoint Management with StorageZone Connectors: Configure Endpoint Management to point to network shares and SharePoint locations defined in ShareFile StorageZones Connectors.
  • Android Enterprise: Configure Android Enterprise server settings.
  • Identity Provider (IdP): Configure an identity provider.
  • Derived Credentials: Configure derived credentials for iOS device enrollment.
  • Microsoft Store for Business: Configure Microsoft Store for Business settings in Endpoint Management.
  • Endpoint Management Tools: Access the Endpoint Management Tools page.
  • Windows Bulk Enrollment: Configure Windows bulk enrollment settings.

Support

Administrators can perform various support tasks.

  • NetScaler Gateway Connectivity Checks: Perform various connectivity checks for NetScaler Gateway by IP address. Requires a user name and password.
  • Endpoint Management Connectivity Checks: Perform connectivity checks for selected Endpoint Management features, such as database, DNS, and Google Play.
  • Citrix Product Documentation: Access the public Citrix Endpoint Management documentation site.
  • Citrix Knowledge Center: Access the Citrix Support site to search for knowledge base articles.
  • Logs: View and download log files.
  • Macros: Populate user or device property data within the text field of a profile, policy, notification, or enrollment template. Configure a single policy, deploy the policy to a large user base, and have user-specific values appear for each targeted user.
  • PKI Configuration: Import and export PKI configuration information.
  • APNS Signing Utility: Submit a request for Apple Push Network signing (APNs) certificates, or upload a Secure Mail APNs certificate for iOS.
  • Citrix Insight Services: Upload logs to Citrix Insight Services (CIS) for assistance with various issues.
  • Device Citrix Gateway connector for Exchange ActiveSync Status: Query Endpoint Management for the status of a device as sent to the connector for Exchange ActiveSync, based on the device ActiveSync ID.

Restrict Group Access

Admin users can apply permissions to all user groups.

Device Provisioning Role

Important:

The Device Provisioning Role applies only to Windows CE devices.

Users with the predefined Device Provisioning role have limited access to console features. By default, their permission is set to all user groups and they cannot change this setting.

Console features for device provisioning

Device provisioning users have the following restricted access to the Endpoint Management console. By default, each of the following features is enabled.

Device restrictions

  • Edit device: Change settings on the device.
  • Add/Delete device: Add or remove devices from Endpoint Management.

Settings for device provisioning

Device provisioning users can access the Settings page, but do not have the rights to configure the features.

User Role

Users with the User role have the following limited access to Endpoint Management.

Authorized access for users

  • Self-Help Portal: Provide users access only to the Self-Help Portal in Endpoint Management.

Console features for users

Users have the following restricted access to the Endpoint Management console.

Device restricted access for users

  • Full Wipe device: Erase all data and apps from a device, including memory cards if the device has one.
  • Selective Wipe device: Erase all corporate data and apps from a device, leaving personal data and apps in place.
  • View locations: See the location of and set geographic restrictions on a device. Includes: Locate device (see the location of a device) and Track device (track device location over time).
  • Lock device: Remotely lock a device so that it cannot be used.
  • Unlock device: Remotely unlock a device so that it can be used.
  • Lock container: Remotely lock the corporate container on a device.
  • Unlock container: Remotely unlock the corporate container on a device.
  • Reset container password: Reset the corporate container password.
  • Enable ASM DEP/Bypass activation lock: Store a bypass code on a supervised iOS device when Activation Lock is enabled. To erase the device, use this code to clear the Activation Lock automatically.
  • Get Resident Users: List the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Force a log out of the current user.
  • Delete Resident User: Delete the current session for a specific user. The user can sign in again.
  • Rings the device: Remotely ring a Windows device at full volume for 5 minutes.
  • Reboot the device: Restart a Windows device.
  • App lock: Deny access to all apps on a device. On Android, users can’t sign in to Endpoint Management. On iOS, users can sign in, but they can’t access apps.
  • App wipe: On Android, this restriction deletes the user’s Endpoint Management account. On iOS, this restriction deletes the encryption key required for users to access Endpoint Management features.
  • View software inventory: See what software is installed on a device.

Enrollment restrictions for users

  • Add/Delete enrollment: Add or remove an enrollment invitation for a user or a group of users.
  • Notify user: Send an enrollment invitation to a user or group of users.

Restrict Group Access for all roles

For all four default roles, this permission is set by default and can be applied to all user groups. You cannot edit the role.

To use the RBAC feature

The Role-Based Access Control (RBAC) feature in Endpoint Management lets you assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions.

Endpoint Management implements four default user roles to logically separate access to system functions:

  • Administrator: Grants full system access.
  • Device Provisioning: Grants access to basic device administration for Windows CE devices.
  • User: Used by users who can enroll devices and access the Self Help Portal.

You can also use the default roles as templates that you customize to create user roles. You can assign to those user roles permissions to access additional system functions.

You can assign roles to local users (at the user level) or to Active Directory groups (all users in that group have the same permissions). If a user belongs to several Active Directory groups, all the permissions merge together to define the permissions for that user. For example, if ADGroupA users can locate manager devices, and ADGroupB users can wipe employee devices: A user who belongs to both groups can locate and wipe devices of managers and employees.

Note:

Local users may have only one role assigned to them.
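The merge rule described above (a user in several Active Directory groups receives the union of the permissions, and of the managed user groups, of every role assigned to those groups) and the note that a local user carries a single role, as an added worked example. This is illustration code written for this page, not Citrix code and not the Endpoint Management API. The permission names "View locations" and "Full Wipe device" and the group names ADGroupA and ADGroupB come from the article; the role names LocateManagers and WipeEmployees, the Managers and Employees user groups, the sample users, and the "*" marker for "all user groups" are constructed for the example.

```python
"""Effective RBAC access for a user who belongs to several Active Directory groups.

Constructed illustration of the merge rule from the article; not product code.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL_USER_GROUPS = "*"  # stands for the article's default scope: all user groups


@dataclass(frozen=True)
class Role:
    """An RBAC role: the permissions it grants and the user groups it may manage."""
    name: str
    permissions: frozenset[str]
    applies_to: frozenset[str]


@dataclass(frozen=True)
class User:
    """A principal. Local users get one role directly; AD users inherit roles via groups."""
    name: str
    is_local: bool
    direct_role: str | None = None
    ad_groups: tuple[str, ...] = ()


# Constructed sample roles. The role names and the Managers/Employees groups are
# made up for the example; the permission names are the article's.
ROLES: dict[str, Role] = {
    "LocateManagers": Role("LocateManagers", frozenset({"View locations"}), frozenset({"Managers"})),
    "WipeEmployees": Role("WipeEmployees", frozenset({"Full Wipe device"}), frozenset({"Employees"})),
    "Admin": Role(
        "Admin",
        frozenset({"Admin console access", "View locations", "Full Wipe device"}),
        frozenset({ALL_USER_GROUPS}),
    ),
}

# Constructed sample assignment of roles to AD groups (the article's ADGroupA/ADGroupB).
GROUP_ASSIGNMENTS: dict[str, str] = {"ADGroupA": "LocateManagers", "ADGroupB": "WipeEmployees"}


def roles_for(user: User) -> list[Role]:
    """Every role the user reaches: the directly assigned one plus one per AD group."""
    if user.is_local and user.ad_groups:
        # Assumption of this model: a local user is assigned one role directly,
        # never through Active Directory groups.
        raise ValueError(f"local user {user.name} cannot inherit roles from AD groups")
    names = [user.direct_role] if user.direct_role else []
    names += [GROUP_ASSIGNMENTS[g] for g in user.ad_groups if g in GROUP_ASSIGNMENTS]
    return [ROLES[n] for n in names]


def effective_access(user: User) -> tuple[frozenset[str], frozenset[str]]:
    """The article's merge rule: union of permissions and union of managed user groups."""
    roles = roles_for(user)
    permissions = frozenset().union(*(r.permissions for r in roles))
    scope = frozenset().union(*(r.applies_to for r in roles))
    return permissions, scope


def can(user: User, permission: str, target_group: str) -> bool:
    """Whether the user may exercise `permission` on devices belonging to `target_group`."""
    permissions, scope = effective_access(user)
    return permission in permissions and (ALL_USER_GROUPS in scope or target_group in scope)


def widened_by_merge(user: User) -> set[tuple[str, str]]:
    """(permission, group) pairs the user holds only because roles merged.

    No single role grants these on its own. They are the combinations to review
    before assigning roles to overlapping groups.
    """
    roles = roles_for(user)
    permissions, scope = effective_access(user)
    per_role = {(p, g) for r in roles for p in r.permissions for g in r.applies_to}
    merged = {(p, g) for p in permissions for g in scope}
    return merged - per_role


if __name__ == "__main__":
    carol = User("carol", is_local=False, ad_groups=("ADGroupA", "ADGroupB"))
    print("effective access:", effective_access(carol))
    print("can wipe managers' devices:", can(carol, "Full Wipe device", "Managers"))
    print("granted only by the merge:", sorted(widened_by_merge(carol)))
```

Running the script for the constructed user in both groups reports that she can both locate and wipe devices of managers and employees, exactly as the article's example states, and `widened_by_merge` lists the two (permission, group) pairs that neither group's role grants by itself. That list is the review question to ask before assigning a role to a group that overlaps with another.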

You can use the RBAC feature in Endpoint Management to do the following:

  • Create a role.
  • Add groups to a role.
  • Associate local users to roles.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Click Role-Based Access Control. The Role-Based Access Control page appears, which displays the four default user roles, plus any roles you have previously added.

    If you click the plus sign (+) next to a role, the role expands to show all the permissions for that role.

    Image of Endpoint Management RBAC configuration

  3. Click Add to add a user role. Click the pen icon to the right of an existing role to edit the role. Or, click the trash can icon to the right of a role that you defined to delete the role. You cannot delete the default user roles.

    • When you click Add or the pen icon, the Add Role or the Edit Role page appears.
    • When you click the trash can icon, a confirmation dialog appears. Click Delete to remove the selected role.
  4. Enter the following information to create a user role or to edit a user role:

    • RBAC name: Enter a descriptive name for the new user role. You cannot change the name of an existing role.
    • RBAC template: Optionally, click a template as the starting point for the new role. When editing an existing role, you cannot select a template.

    RBAC templates are the default user roles. They define the access to system functions that users associated with that role have. After you select an RBAC template, you can see all of the permissions associated with that role in the Authorized Access and Console Features fields. Using a template is optional; you can directly select the options you want to assign to a role in the Authorized Access and Console Features fields.

  5. Click Apply to the right of the RBAC template field to populate the Authorized access and Console features check boxes. Endpoint Management fills those fields with the pre-defined access and feature permissions for the selected template.

    Image of Endpoint Management RBAC configuration

  6. Select and clear the check boxes in Authorized access and Console features to customize the role.

    If you click the triangle next to a Console feature, permissions specific to that feature appear that you can select and clear. Clicking the top-level check box prohibits access to that console part. Select individual options below the top level to enable those options.

  7. Apply permissions: Select the groups to which you want to apply the selected permissions. If you click To specific user groups, a list of groups appears from which you can select one or more groups.

    Image of Endpoint Management RBAC configuration

  8. Click Next. The Assignment page appears.

    Image of Endpoint Management RBAC configuration

  9. Enter the following information to assign the role to user groups.

    • Select domain: In the list, click a domain.
    • Include user groups: Click Search to see a list of all available groups. Or, type a full or partial group name to limit the list to only groups with that name.
    • In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.

    Image of Endpoint Management RBAC configuration

    Note:

    To remove a user group from the Selected user groups list, click the X next to the user group name.

  10. Click Save.
