Citrix Virtual Apps and Desktops service for Citrix Service Providers

This article describes how Citrix Service Providers (CSP) can set up the Virtual Apps and Desktops service for tenant customers in Citrix Cloud. For an overview of the features available for Citrix Partners, see Citrix Cloud for Partners.

Requirements

Limitations and known issues

Limitations

  • Tenant name changes take up to 24 hours to apply across all interfaces.
  • When creating a new tenant, the email address must be unique.
  • Studio filtering by scope (similar to Monitor) is not available. To see the resources attached to a scope, select Administrators in the Studio navigation pane. On the Scopes tab, select the scope and then click Edit Scope in the Action pane.

Known issues

  • The customer scope name in Studio shows an internal ID rather than the customer name. You can change the scope name to a friendly name. Select Administrators in the Studio navigation pane. On the Scopes tab, select the scope and then click Edit Scope in the Action pane.
  • After scopes are assigned to a resource, you cannot use Studio to remove or unassign them. Those tasks are supported only through PowerShell.
  • Studio does not enforce scopes. You are responsible for selecting the appropriate scope when creating machine catalogs, Delivery Groups, and Application Groups.
  • When more than 15 scopes are created (auto-created and custom), the Citrix Cloud custom access information for an administrator (Identity and Access Management > Administrators) does not display correctly. Workaround: Limit scopes to 15 or fewer.
  • After adding the Citrix Virtual Apps and Desktops service to a customer:
    • You cannot remove it from a customer.
    • You cannot remove the link between the customer and the CSP.

Add a customer

  1. Sign in to Citrix Cloud with your CSP credentials. Click Customers in the upper left menu.
  2. From the Customer Dashboard, click Invite or Add. Provide the requested information.
  3. If the customer does not have a Citrix Cloud account, adding the customer creates a customer account. Adding the customer also automatically adds you as a full access administrator of that customer’s account.
  4. If the customer has a Citrix Cloud account:
    1. A Citrix Cloud URL displays, which you copy and send to the customer. For details of this process, see Inviting a customer to connect.
    2. The customer must add you as a full access administrator to their account. See Add administrators to a Citrix Cloud account.

You can add more administrators later and control which customers they can see on the Manage and Monitor dashboards.

Add the Citrix Virtual Apps and Desktops service to a customer

  1. Sign in to Citrix Cloud with your CSP credentials. Click Customers in the upper left menu.
  2. From the Customer Dashboard, in the ellipsis menu for the customer, select Add Service.
  3. In Select a Service to Add, click Virtual Apps and Desktops.
  4. Click Continue.

After you complete this procedure, the customer is onboarded to your Citrix Virtual Apps and Desktops service subscription.

When the onboarding completes, a new customer scope is created automatically in the Citrix Virtual Apps and Desktops service. The scope is visible in Studio. This scope is unique to that customer. You can rename the scope, but you cannot delete it.

Use this scope to tailor access for other administrators. For example, let’s say you have ten customers and two administrators. Using the unique scope, you can restrict one administrator’s access to only three of the customers, while the other administrator can access one of those three customers, plus two other customers. For details, see Control administrator access to customers.

Set up a resource location

A resource location holds the machines that deliver apps and desktops for your customers, as well as infrastructure components such as Citrix Cloud Connectors. For details, see Connect to Citrix Cloud.

Set up catalogs and groups to deliver apps and desktops

A catalog is a group of identical virtual machines. When you create a catalog, a master image is used (with other settings) as a template for creating the machines. For details, see Create machine catalogs.

A Delivery Group is a collection of machines selected from one or more machine catalogs. The Delivery Group specifies which users can use those machines, plus the applications and/or desktops available to those users. For details, see Create Delivery Groups.

Application Groups let you manage collections of applications. You can create Application Groups for applications shared across different Delivery Groups or used by a subset of users within Delivery Groups. For details, see Create Application Groups.

When configuring groups, be sure that:

  • The Delivery Group’s scope is a subset of the machine catalog’s scope. For example, assume the catalog’s scope is A and B. The Delivery Group’s scope can be either A or B, or A and B.
  • The Application Group’s scope is a subset of the Delivery Group’s scope. For example, assume the Delivery Groups associated with an Application Group have scope A and B. The Application Group’s scope can be either A or B, or A and B.

Federated domains

Federated domains enable customer users to use credentials from a domain attached to your resource location to sign in to their workspace. This allows you to provide dedicated workspaces to your customers that customer users can access using a custom workspace URL (for example, customer.cloud.com), while the resource location is still on your Citrix Cloud account. You can provide dedicated workspaces alongside the shared workspace that customers can access using your CSP workspace URL (for example, csppartner.cloud.com). To enable customers to access their dedicated workspace, you add them to the appropriate domains that you manage. After configuring the workspace through Workspace Configuration, customers’ users can sign in to their workspace and access the apps and desktops that you’ve made available.

Add a customer to a domain

  1. Sign in to Citrix Cloud with your CSP credentials. Click Customers in the upper left menu.
  2. From the Customer Dashboard, select Identity and Access Management in the upper left menu.
  3. On the Domains tab, select Manage Federated Domain in the domain’s ellipsis menu.
  4. On the Manage Federated Domain card, in the Available customers column, select a customer you want to add to the domain. Click the plus sign next to the customer name. The selected customer now appears in the Federated customers column. Repeat to add other customers. When you’re done, click Apply.

Remove a customer from a domain

When you remove a customer from a domain that you manage, the customer’s users can no longer access their workspaces using credentials from your domain.

  1. From the Citrix Cloud menu, select Identity and Access Management, then select Domains.
  2. Locate the domain you want to manage and click the ellipsis button. Select Manage Federated Domain.
  3. From the list of federated customers, locate or search for the customers you want to remove and click the X button. Click Remove all to remove all the customers in the list from the domain. The selected customers move to the list of available customers.
  4. Click Apply.
  5. Review the customers you selected and select Remove Customers.

Control administrator access to customers

You can control administrator access to customers by using the unique scope that was created when you added the Citrix Virtual Apps and Desktops service to the customer. You can configure access when you add an administrator or later.

To learn about restricting access using roles and scopes in the Citrix Virtual Apps and Desktops service, see Delegated administration.

Add an administrator with restricted access

  1. Sign in to Citrix Cloud with your CSP credentials. Click Customers in the upper left menu.
  2. From the Customer Dashboard, select Identity and Access Management in the upper left menu.
  3. On the Administrators tab, click Add Administrators From, and then select Citrix Identity.
  4. Type the email address of the person you’re adding as an administrator, and then click Invite.
  5. Configure the appropriate access permissions for the administrator. Citrix recommends selecting Custom access, unless you want the administrator to have management control of Citrix Cloud and all of the subscribed services.
  6. After selecting Custom access, select one or more role and scope pairs for the Virtual Apps and Desktops service, as needed. Be sure to enable only entries that contain the unique scope that was created for the customer.
  7. When you’re done selecting role and scope pairs, click Send Invite.

When the administrator accepts the invitation, they have the access that you assigned.

Edit delegated administration permissions for administrators

  1. Sign in to Citrix Cloud with your CSP credentials. Click Customers in the upper left menu.
  2. From the Customer dashboard, select Identity and Access Management in the upper left menu.
  3. On the Administrators tab, select Edit Access from the ellipsis menu for the administrator.
  4. Select and clear role and scope pairs for the Virtual Apps and Desktops service, as needed. Be sure to enable only entries that contain the unique scope that was created for the customer.
  5. Click Save.

View customer administrators and their assigned roles and scopes

  1. Sign in to Citrix Cloud with your CSP credentials. Click Customers in the upper left menu.
  2. From the Customer Dashboard, select My Services > Virtual Apps and Desktops in the upper left menu.
  3. In the Citrix Virtual Apps and Desktops service, click the Manage tab, if it isn’t already selected.
  4. Click Configuration > Administrators in the navigation pane.

Information is available on three tabs:

  • The Administrators tab lists the administrators that have been created, plus their roles and scopes.
  • The Roles tab lists all roles. To view role details, select the role in the middle pane. The lower portion of that pane lists the object types and associated permissions for the role. Click the Administrators tab in the lower pane to display a list of administrators who currently have this role.
  • The Scopes tab lists all the scopes, including those generated for customers of Citrix partners.

Configure workspaces

The customer has their own workspace with a unique customer.cloud.com URL. This is where the customer’s users access their published apps and desktops.

The workspace URL is displayed in two places:

  • From the Customer dashboard, select Workspace Configuration from the menu in the upper left menu.
  • From the Citrix Virtual Apps and Desktops service Welcome page (the Overview tab), the workspace URL appears at the bottom of the page.

You can change access and authentication to a workspace. You can also customize the workspace appearance and preferences. For details, see the following articles:

Monitor a customer’s service

The Monitor dashboard in a CSP environment is essentially the same as a non-CSP environment. See Monitor for details.

By default, the Monitor dashboard displays information about all customers. To display information about one customer, use Select Customer.

Keep in mind that the ability to see Monitor displays for a customer is controlled by the administrator’s configured access. The access must include a role and scope pair that includes the customer’s unique scope.

If you used built-in roles to configure access: The built-in roles control whether the administrator can see the Manage and Monitor displays. If you select only role and customer-scope pairs that do not include Monitor tab visibility, that administrator won’t see the Monitor tab for any selected customers. For example, if you give an administrator only Read Only Administrator,customerABC access, that administrator won’t see the Monitor tab for customer ABC, because read only administrators don’t have access to Monitor displays.