Role-Based Access Control and XenMobile Support

XenMobile uses role-based access control (RBAC) to restrict user and group access to XenMobile system functions, such as the XenMobile console, Remote Support, and public API. This article describes the roles built in to XenMobile and includes considerations for deciding on a support model for XenMobile that leverages RBAC.


Remote Support is no longer available for new customers as of January 1, 2019. Existing customers can continue to use the product, however Citrix won’t provide enhancements or fixes.

Built-In Roles

You can change the access granted to the following built-in roles and you can add roles. For the full set of access and feature permissions associated with each role and their default setting, download Role-Based Access Control Defaults from the XenMobile documentation. For a definition of each feature, see Configure roles with RBAC in the XenMobile documentation.

Admin role

Default access granted:

  • Full system access except to Remote Support.
  • By default, administrators can perform some support tasks, such as check connectivity and create support bundles.


  • Do some or all of your administrators need access to Remote Support? If so, you can edit the Admin role or add Admin roles.
  • To restrict access further for some administrators or administrator groups, add roles based on the Admin template and edit the permissions.


Default access granted:

  • Access to Remote Support.


  • For on-premises XenMobile Server deployments: Remote support enables your help desk representatives to take remote control of managed Android mobile devices. Screen cast is supported on Samsung KNOX devices only.
  • Remote support isn’t available for clustered on-premises XenMobile Server deployments.


Default access granted:

  • Restricted access to the XenMobile console: device features (such as wipe, lock/unlock device; lock/unlock container; see location and set geographic restrictions; ring the device; reset container password); add, remove, and send enrollment invitations.


  • The User role enables you to enable users to help themselves.
  • To support shared devices, create a user role for shared device enrollment.

Considerations for a XenMobile Support Model

The support models that you can adopt can vary widely and might involve third parties who handle level 1 and 2 support while employees handle level 3 and 4 support. Regardless of how you distribute the support load, keep in mind the considerations in this section specific to your XenMobile deployment and user base.

Do users have corporate-owned or BYO devices? The primary question that influences support is who owns the user devices in your XenMobile environment. If your users have corporate-owned devices, you might offer a lower level of support, as a way to lock down the devices. In that case, you might provide a help desk that assists users with device issues and how to use the devices. Depending on the types of devices you need to support, consider how you might use the RBAC Device Provisioning and Support roles for your help desk.

If your users have BYO devices, your organization might expect users to find their own sources for device support. In that case, the support your organization provides is more of an administrative role focused around XenMobile-specific issues.

What is your support model for desktops? Consider whether your support model for desktops is appropriate for other corporate-owned devices. Can you use the same support organization? What additional training will they need?

Do you want to give users access to the XenMobile Self-Help Portal? Use Settings > Enrollment to enable the Self-Help Portal for an enrollment security mode. From the Self-Help Portal users can generate enrollment links that let them enroll their devices or send themselves an enrollment invitation. See Configure enrollment security modes.

Role-Based Access Control and XenMobile Support