Product Documentation

Defining Users and Groups

May 06, 2015
User account objects represent the users of the mobile devices managed by Device Manager. User accounts are associated to devices by Device Manager as part of the authentication process. Maintaining an accurate roster of users improves mobile device and service management. Groups are logical collections of users that serve as targets for management tasks, such as applying settings, implementing policies, and deploying software.
Note: Device Manager manages group of users, not individual user accounts.

User Account Information

Device Manager supports the following sources of user account information:

  • LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory to import groups, user accounts, and related properties.
    Note: Device Manager retains the source of user accounts. As a result, certain operations are not permitted on user accounts that you source from LDAP directories.
  • Manual entry. You can use group maintenance forms in Device Manager to quickly create user accounts.
  • Importing a provisioning file. You can develop a file outside of Device Manager containing user accounts and properties and then import the file. Device Manager automatically creates objects and sets properties values.

User accounts appear in the user table within the main display area of the Users tab. The table depicts each user account associated with the group that you select in the Group pane. The User toolbar provides available tasks to perform on user accounts. You can manipulate the table appearance.

The groups in which a user account is a member appear in the Groups column. Note that multiple groups appear as a multi-line entry. User accounts also appear in the Devices table. The user associated with a particular device appears in the User column. The user account shown in the User column represents the user that enrolled on that device.

Group Information

The group structure in Device Manager is flexible. Users may belong to multiple groups, groups may be nested inside of other groups, and the number of groups is not limited. You can create permanent or ad-hoc groups to suit any purpose. Device Manager supports the following sources of group information:

  • LDAP directory. You can configure Device Manager to read an LDAP-compliant directory, such as Active Directory to import groups, user accounts, and related properties.
  • Manual entry. You can use group maintenance forms in Device Manager to quickly create groups.

Groups appear in the Group pane, the area to the left on the Users tab. The pane depicts groups in a hierarchical arrangement with the number of members in each group given as a number in parenthesis after each group name. A default group is automatically created during Device Manager installation to serve as the top-level node for the group hierarchy; all other groups appear as children of this node. Groups imported from LDAP-compliant directories also appear in the group hierarchy, with the LDAP directory name as the primary node. The individual groups of the LDAP directory appear as children of the primary node.

Groups may be nested in the hierarchy without limit. Fully-qualified group names use periods as delimiters. For example, a group of name Corporate.Sales.SalesSupport.Admin implies a nesting model based on organizational structure.
Note: User accounts may exist at any level. Thus, on a parent node, the count of group members represents the user accounts associated with that discrete node, and not the sum of the accounts associated with the nodes children.

Groups also appear in the User table. The groups a user belongs to appear in the Groups column.

Creating an LDAP Connection to a User Directory

From the Options dialog box in Device Manager, you can perform the following actions for LDAP connections:

  • Create a new LDAP connection.
  • Edit an existing connection.
  • Set the default LDAP connection.
  • Activate or deactivate an LDAP connection.
  1. To create a new LDAP connection, click New.
  2. Select which type of directory (LDAP or LDAPS).
  3. If you chose an LDAPS connection, enter the required parameters and then click Import.
  4. After the SSL Certificate is successfully imported, click Next.
  5. Define the connection parameters.

    Make sure that the Search user Service Account has the following rights granted to it:

    Note: In the lockout limit field, the default is set to zero. However, Citrix recommends using a higher value, as well as a value that is slightly lower than the lockout limit set on your LDAP server. For example, if your LDAP server is configured to a limit of five attempts before lockout, Citrix suggests that you enter a 4 or a 3 in this field.
  6. Click Check to test the connection with the LDAP or LDAPS directory. If the connection check with the directory is successful, the following message appears: LDAP directory binding successful.
  7. Click OK and then click Next to map the directory attributes to the Device Manager Repository database. You can leave that step as it is and Device Manager will automatically bind the default fields.
  8. Click Next to define the mapping between the LDAP groups and Device Manager roles. To add a new group, press Add a group. Select a group and define the role you want to give to that LDAP group.
    Note: Unlike the process for creating groups within the web console in a standalone manner in which roles are given to users, here roles are given to an LDAP group.
  9. Specify which LDAP or LDAPS directory groups are imported in the Device Manager Repository database and then click Next. A window appears summarizing the directory connection configuration.
  10. Click Finish to save the parameters in the Device Manager database.

Adding, editing, or deleting user accounts

You manage user accounts in Device Manager User table toolbar or the context menu.

To add a user account

  1. In the group pane, select a group of which the user account will be a member.
  2. Click New user from the toolbar or context menu. The Create a new user window appears.
  3. Type a unique name for the user and a password.
  4. Select an entry from the Role drop-down list. For more information about roles, see User Accounts and Roles.
  5. Optionally, on the Properties tab, set user account attributes.

To edit a user account

  1. In the group pane, select the group of which the user account is a member.
  2. Click the user account to edit and the click Update. The Update a user window appears.
  3. Revise the user account data, then click Update to save the changes.
    Note: If you edit the properties of accounts that you source from an LDAP directory, you do not change data in the directory.

To delete a user account

  1. In the group pane, select the group of which the user account is a member.
  2. Click the user account to delete and click Delete on the toolbar and then click Yes to confirm the deletion.
    Important: You cannot undo this operation.
    Note: If you delete an account that you sourced from an LDAP directory, you only remove the account from the Device Manage database; you do not change the account information in the directory.

Adding or deleting groups

You manage groups from the Group pane toolbar or context menu. Device Manager does not have a group edit command, because the only accessible property of a group object is its name.

To add a group

  1. Select the parent node of the group.
  2. Click New group. The Create a new group window appears.
  3. Type a name for the group and then click Create. The group name must be unique relative to its peers in the group hierarchy. In addition, groups may not be added to group nodes that you import from LDAP-compliant directories.

To delete a group

Deleting a group has no affect on user accounts. You can only remove user accounts by using the Delete User command.

  1. Select the group to delete.
  2. Click Delete.
  3. Click Yes to confirm the operation and remove the group.
    Important: You cannot undo this operation.

User Accounts and Roles

You manage user accounts in Device Manager by using the following commands from the User table toolbar or context menu:
  • New user. Add a user account to Device Manager.
  • Update. Edit a user account.
  • Manage. Maintain a user account’s membership in Device Manager groups, subject to certain limitations.
  • Delete. Remove a user account from Device Manager.
  • Import. Read a provisioning file containing user accounts or properties to automatically create user account objects and update their attributes.
To search for a user account, on the Users tab, you use the Search tool. Type a search string into the Search field and then click the search icon.
Note: Searches are not case-sensitive; search results display matching user accounts in a separate table that does not include a "currently selected group" in the Group pane. (That is, no groups are selected.)

User Roles in Device Manager

Device Manager implements four default user roles to logically separate access to system functions, as shown in the following table. The columns represent the roles and the rows represent the system functions.

Citrix recommends that you assign the Support role to Help desk staff who require the ability to implement remote control sessions on mobile devices.

System function Administrator Support Provisioning User

Log into administration console



Use remote support application




Use device provisioning application





Use a mobile device





You can use role-based access control (RBAC) to create new user roles with permissions to access specific system functions beyond the functions defined by the default roles as shown in the preceding table. You can create new roles in Device Manager and then select specific features to which you want administrators to access. For example, you may want to create roles for the following purposes:

  • To prevent some administrators from viewing or wiping the devices of specific users.
  • To allow specific users to only run reports.
  • To enable super users to have access to everything, including the ability to create and limit other user roles.

You can view details about users and groups, such as the dates you created and modified a user or group on the Reporting tab.

Configuring Custom Roles with RBAC

You can use the Role-Based Access Control feature in Device Manager to do the following:

  • Create a new access control role (associate actions with roles)
  • Add groups to a role
  • Associate users with roles

To access the feature, in Device Manager, click Options in the upper-right corner, and then click Role Based Access Control.

To create a new access control role

You need to create an access control role in order to enable role-based access control in Device Manager.

  1. In the Role Based Access Control panel, click New.
  2. In the Create an admin role dialog box, enter a name for the role.
  3. Select the features you want to enable for the role and then click Create.

To add groups to a role

When you create a new role, you can also associate a user group with the role as part of the role definition.

  1. In the Role Based Access Control panel, select a role and then click Edit.
  2. In the Role dialog box, in the Permissions list, select the feature access you want to associate with a role.
  3. Under Restrict Group Access, select the group you want to have access to the role, and then click Save. The group you select and the users in the group users receive access to the features you choose.

To associate users with a role

After you create a new role, you can associate users with the role.

  1. In Device Manager, click the Users tab and then in the User table, double-click a user or click New User.
  2. In the New User dialog box, enter the user name and password.
  3. In the Role list, click the role you want to associate with a user and then click Create.

Role Based Access Controls (RBAC) Permissions

You can use role-based access control (RBAC) to create custom roles in Device Manager, beyond the default roles. Custom roles grant permissions to user accounts to target specific functionality within Device Manager.

For example, you can create roles to allow the following capabilities:

  • To give limited access to devices for administrators whom you want to only perform basic device operations and run reports. After the administrator logs on to Device Manager, only the Devices and Reports tabs appear. When a user only has Report rights, then the Device tab will not appear for that user, but the About tab will display, The About tab also will by default display for users who have no other rights at all.
  • To allow an administrator to view, add, locate, edit, and lock a device.

You can associate both user and groups with roles. For example, if you import Active Directory groups into Device Manager, you can apply fine-grained access control to the Active Directory groups.

The following table describes the list of features and accessibility you can associate with a role:

Role Functionality

Super Admin

Access to all functionality within Device Manager (all functionality listed in this table).

Authorised Access

Access to the Admin console and/or the Self Help Portal, as well as device access for remote support and remote support access:
  • Admin Console Access
  • Self Help Portal Access
  • Device Access (when Remote Support is enabled)
  • Remote Support


Access to view all of the Device Manager Dashboard and the ability to customize the Dashboard. In order to perform actions in the Dashboard, however, such as send notification, wipe/selective wipe, revoke, locate, and so on, a user must be granted those specific permissions. Also, if a user is restricted from viewing specific groups, the devices that belong to users in those blocked groups will not appear in the Dashboard.


Access to the Devices tab and the ability to perform general device management tasks, such as connecting to iOS devices, importing devices, editing device properties, locating, locking/unlocking, revoking, wiping, and selectively wiping a device. Specific permissions include:

  • Full wipe device
  • Selective wipe device
  • View locations - when selected, users can see location and locate/track device. Includes:
    • Locate device
    • Track device
  • Lock device
  • Unlock device
  • Deploy to a Device - allows you to push a deployment package to a device.
  • Edit device properties
  • Notification to a device - gives you the ability to select a notification template, send ad-hoc notifications to a device or group of devices from the devices tab using email, SMS, or agent push notifications.
  • Add/Delete device
  • Devices import
  • Revoke device
  • View Software Inventory - when selected, user is allowed to view a device software inventory.


Ability create users and groups. Includes the following permissions:
  • Add/delete groups
  • Add/delete users
  • Edit a user's property
  • Can manage admin users
  • Users import - ability to import list of users from a file


Access to the Options dialog all functionality related to enrollment, including setting default enrollment modes, configuring enrollment notification servers (SMTP/SMS Gateway), modifying and creating enrollment templates, and sending enrollment notifications. Includes the following permissions:
  • Edit enrollment
  • Notify user


Access to the Policies tab and all features related to defining and implementing policies, such as security and password policies, Exchange ActiveSync polies, app tunneling (Windows and Android), server groups, registry configurations (Windows), configurations, applications access (blacklist/whitelist), Sharepoint policies, and more. Includes the following permissions:
  • Add/delete policy
  • Edit policy
  • Download policies
  • Apply policies (deploy polices in a deployment package)


Access to the Files tab and adding, deleting, and downloading files. Includes the following permissions:
  • Add/delete files
  • Edit files
  • Download files
Applications Allows access to the Applications tab, where you can upload and define applications and create application categories to organize the apps you want to deploy to users' devices. Includes the following permissions:
  • Add/delete applications
  • Edit applications
  • Application download
  • Manage category (create custom app categories for organization)


Access to the Deployment tab and all functionality related to device deployment, such as the ability to create, edit, deploy, and delete packages. Includes the following permissions:
  • Add/delete package
  • Edit package
  • Deploy packages


Access to the Reporting tab and the ability to run and view Device Manager reports.


Access to the About tab features:
  • Edit and upload an APNS certificate
  • Edit XenMobile MDM license
  • Connections information - provides visibility into server related information, such as security parameters, JVM information, and system health.


The Options feature provides a user access to the Options dialog box and the following features in the Options dialog box:

  • Role-Based Access Control
  • LDAP
  • Mobile Service Provider
  • ActiveSync Gateway
  • Network Access Control
  • AppC WebServices API
  • GoToAssist
  • PKI Entity
  • Scheduling
  • Security
  • General service parameters
Note: If you want this role to have access to the Remote-Based Access Control feature, you need to specifically select the Remote-Based Access Control option in the dialog box.

Restrict Group Access

Allows you to associate groups with the current role. When a group is associated with a role, users in that group can only see devices associated with that group. If a user belongs to more than one group, and some of those groups provide a range or permissions, all permissions related to all groups are merged into the role.

Importing user accounts and properties from a file

You can import user accounts and properties from a specially developed file called a provisioning file, which you can create manually.
Note: If you are importing users from an LDAP directory, use the domain name along with the user name in the import file. For example, specify This syntax prevents additional lookups that will slow the import speed. If importing users to the Device Manager internal user directory, disable the default domain in order to speed up the import process. You can reenable the default domain after the import of internal users completes.

After a provisioning file is prepared, use the Import icon on the toolbar to read the file by following this procedure:

  1. From the Users tab toolbar, click Import. The Import a provisioning file window appears.
  2. In Provisioning file type, click Users or User Properties. If you click User Properties, you do not create an account.
  3. In Provisioning file location, browse to the location of the file and then click Import.

Provisioning File Formats

A provisioning file that you create manually and use to import user accounts and properties to Device Manager needs to have the following format:

For a user provisioning file of a .csv file type, the field separator is the ';'. The fields are the following:


Note: Because ';' is used as the separator character, it needs to be escaped if present in string values -> '\;'

An example of a user provisioning file content is as follows:


in which:

  • User: user01
  • Password: pwd;01
  • Role: USER
    Note: Role can only be one of the following: USER, ADMIN, SUPPORT, or DEVICE_PROVISIONING .
  • Groups:
    • myGroup.users02
    • myGroup.users02
    • myGroup.users.users01
      Note: The '.' character is used as a separator to create group hierarchy, and so this character is forbidden in the groups name.

An example of the file format to provision user attributes is as follows:


Note: Because ';' is used as the separator character, it needs to be escaped if present in string values -> '\;'

An example of a user attributes provisioning file is as follows:

user01;propertyN;propertyV\;test\;1\;2;prop 2;prop2 value

in which:

  • User: user01
  • Property 1:
    • name: propertyN
    • value: propertyV;test;1;2
      Note: Property attributes must be lower case. The database is case-sensitive
  • Property 2:
    • name: prop 2
    • value: prop2 value