Configure roles with RBAC

Feb 21, 2018

Each predefined role-based access control (RBAC) role has certain associated access and feature permissions. This article describes what each of those permissions does. For a full list of default permissions for each built-in role, download Role-Based Access Control Defaults.

When you apply permissions, you are defining the user groups the RBAC role has the permission to manage. Note that the default administrator cannot change the applied permission settings. By default, the applied permissions apply to all user groups.

When you make an assignment, you are assigning the RBAC role to a group, so that the group of users owns the RBAC administrator rights.

Admin Role

Users with the predefined Admin role have access or do not have access to the following features in XenMobile. By default, Authorized access (except Self-Help Portal), Console features, and Apply permissions are enabled.

Authorized access

   
Admin console access Administrators have access to all features on the XenMobile console.
Self-Help Portal access Administrators do not have Self-Help Portal access.
Shared devices enroller Administrators do not have Shared devices enroller access. This feature is intended for users who need to enroll shared devices.
Remote Support access Administrators own Remote Support access.*
Public API access Administrators have access to the public API to perform actions programmatically that are available on the XenMobile console. The actions include administering certificates, apps, devices, delivery groups, and local users.

* Remote support isn’t available to XenMobile Service customers. For on-premises XenMobile Server deployments: Remote support enables your help desk representatives to take remote control of managed Windows CE and Android mobile devices. Screen cast is supported on Samsung KNOX devices only. Remote support isn’t available for clustered on-premises XenMobile Server deployments.

Console features

Administrators have unrestricted access to the XenMobile console.

   
Dashboard The Dashboard is the first page that administrators see after logging on to the XenMobile console. The Dashboard shows basic information about notifications and devices.
Reporting The Analyze > Reporting page provides pre-defined reports that let you analyze your app and device deployments.
Devices The Manage > Devices page is where you manage user devices. You can add individual devices on the page or import a device provisioning file to add multiple devices at one time.
Local Users and Groups The Manage > Users page is where you can add, edit, or delete local users and local user groups.
Enrollment The Manage > Enrollment Invitations page is where you manage how users are invited to enroll their devices in XenMobile.
Policies The Configure > Device Policies page is where you manage device polices, such as VPN and WiFi.
Apps The Configure > Apps page is where you manage the various apps that users can install on their devices.
Media The Configure > Media page is where you manage the various media that users can install on their devices.
Smart action The Configure > Actions page is where you manage responses to trigger events.
Enrollment Profiles The Configure > Enrollment Profiles page is where you configure enrollment profiles (modes) to allow users to enroll their devices.
Delivery Groups The Configure > Delivery Groups page is where you manage delivery groups and the resources associated with them.
Settings The Settings page is where you manage system settings, such as client and server properties, certificates, and credential providers.
Support The Troubleshooting and Support page is where you perform troubleshooting activities such as running diagnostics and generating logs.

Devices

Administrators access device features throughout the console by setting device restrictions, setting up and sending notifications to devices, administering apps on the devices, and so on.

   
Full Wipe device Erase all data and apps from a device, including memory cards if the device has one.
Clear Restriction Remove one or more device restriction.
Selective Wipe device Erase all corporate data and apps from a device, leaving personal data and apps in place.
View locations See the location of and set geographic restrictions on a device. Includes: Locate device, See the location of a device, Track device, Track a device’s location over time.
Lock device Remotely lock a device so that users cannot use the device.
Unlock device Remotely unlock a device so that users can use the device.
Lock container Remotely lock the corporate container on a device.
Unlock container Remotely unlock the corporate container on a device.
Reset container password Reset the corporate container password.
Enable ASM DEP/Bypass activation lock Store a bypass code on a supervised iOS device when Activation Lock is enabled. If you need to erase the device, use this code to clear the Activation Lock automatically.
Rings the device Remotely ring a Windows device at full volume for 5 minutes.
Reboot the device Restart Windows devices from the XenMobile console.
Deploy to device Send apps, notifications, restrictions, and so on to a device.
Edit device Change settings on the device.
Notification to device Send a notification to a device.
Add/Delete device Add or remove devices from XenMobile.
Devices import Import a group of devices from a file into XenMobile.
Export device table Collect device information from the Device page and export it to a .csv file.
Revoke device Prohibit a device from connecting to XenMobile.
App lock Deny access to all apps on a device. On Android, users will not be able to log into XenMobile at all. On iOS, users will still be able to log in, but they will be unable to access apps.
App wipe On Android, this deletes the user’s XenMobile account. On iOS, this deletes the encryption key users need to be able to access XenMobile features.
View software inventory See what software is installed on a device.
Request AirPlay mirroring Request to start AirPlay streaming.
Stop AirPlay mirroring Stop AirPlay streaming.
Enable lost mode On the Manage page, in Devices, you can put a supervised device in lost mode to block a supervised device on the lock screen and locate the device when the device is lost or stolen.
Disable lost mode On the Manage page, in Devices, you can disable lost mode for a device that is set to lost mode.
OS Update device You can deploy a Control OS Updates device policy to devices.
Shut down device Shut down iOS devices from the XenMobile console.
Restart device Restart iOS devices from the XenMobile console.

Local Users and Groups

Administrators manage local users and local user groups on the Manage > Users page in XenMobile.

Add/Delete Local Users
Edit Local Users
Import Local Users
Export Local Users
Local User Groups

Enrollment

Administrators can add and delete enrollment invitations, send notifications to users, and export the enrollment table to a .csv file.

   
Add/Delete enrollment Add or remove an enrollment invitation to a user or a group of users.
Notify user Send and enrollment invitation to a user or group of users.
Export enrollment invitation table Collect enrollment information from the Enrollment page and export it to a .csv file.

Policies

   
Add/Delete policy Add or remove a device or app policy.
Edit policy Change a device or app policy.
Upload Policy Upload a device or app policy.
Clone Policy Copy a device or app policy.
Disable Policy Disable an existing app policy.
Export Policy Collect device policy information from the Device Policies page and export it to a .csv file.
Assign Policy Assign a device policy to one or more delivery groups.

App

Administrators manage apps on the Configure > Apps page in XenMobile.

   
Add/Delete app store or enterprise app Add or remove a public app store app or an app not wrapped with the MDX Toolkit.
Edit app store or enterprise app Make changes to a public app store app or an app not wrapped with the MDX Toolkit.
Add/Delete MDX, Web and SaaS app Add or remove an app wrapped with the MDX Toolkit (MDX app), an app from your internal network (Web app), or an app from a public network (SaaS) to XenMobile.
Edit MDX, Web and SaaS app Make changes to an app wrapped with the MDX Toolkit (MDX app), an app from your internal network (Web app), or an app from a public network (SaaS) to XenMobile.
Add/Delete category Add or delete a category in which apps can appear in the XenMobile Store.
Assign public/enterprise app to delivery group Assign a public app store app or an app not wrapped with the MDX Toolkit to a delivery group for deployment.
Assign MDX/WebLink/SaaS app to delivery group Assign an app wrapped with the MDX Toolkit (MDX app), an app that does not require single sign-on (WebLink), or an app from a public network (SaaS) to a delivery group for deployment to user devices.
Export app table Collect app information from the App page and export it to a .csv file.

Media

Manage media obtained from a public app store or through a VPP license.

Add/Delete app store or enterprise books
Assign public/enterprise books to delivery group
Edit app store or enterprise books

Smart action

   
Add/delete smart action Add or remove an action that is defined by a trigger (event, device or user property, or installed app name) and associated response.
Edit smart action Change an action that is defined by a trigger (event, device or user property, or installed app name) and associated response.
Assign smart action to delivery group Assign an action to a delivery group for deployment to user devices.
Export smart action Collect action information from the Actions page and export it to a .csv file.

Delivery group

Administrators manage delivery groups from the Configure > Delivery Groups page.

   
Add/delete delivery group Create or remove a delivery group, which adds specified users and optional policies, apps, and actions.
Edit delivery group Change an existing delivery group, which modifies users and optional policies, apps, and actions.
Deploy delivery group Make delivery group available for use.
Export delivery group Collect delivery group information from the Delivery group page and export it to a .csv file.

Enrollment profile

Manage enrollment profiles.

Add/delete enrollment profile
Edit enrollment profile
Assign enrollment profile to delivery group

Settings

Administrators configure various settings on the Settings pages.

   
RBAC RBAC Assignment, Assign roles
LDAP Administer one or more LDAP-compliant directory, such as Active Directory, to import groups, user accounts, and related properties.
License For on-premises XenMobile Server. Administer your Citrix licenses.
Enrollment Enable enrollment modes for users as well as the Self-Help Portal.
Release Management View the current installed release. Includes: Release Management Update
Certificates Edit APNS certificate, Certificates SSL Listener
Notification Templates Create notification templates to use in automated actions, enrollment, and standard notification message delivery to users.
Workflows Manage the creation, approval, and removal of user accounts for use with app configurations.
Credential Providers Add one or more credential providers authorized to issue device certificates. The credential providers control the certificate format and the conditions for renewing or revoking the certificate.
PKI Entities Manage public key infrastructure entities (generic, Microsoft Certificate Services, or discretionary CA).
Test PKI Connection Use the Test Connection button on the Settings > PKI Entities page to ensure that the server is accessible.
Client Properties Manage various properties on user devices, such as passcode type, strength, expiration, and so on.
Client Support Set the ways in which users can contact your support services (email, phone, or support ticket email).
Client Branding Create a custom store name and default store views for the XenMobile Store. Add a custom logo that appears on XenMobile Store or Secure Hub.
Carrier SMS Gateway Set up carrier SMS gateways to configure notifications that XenMobile sends through carrier SMS gateways.
Notification Server Set up a SMTP gateway server to send email to users.
ActiveSync Gateway Manage user access to users and devices through rules and properties.
Google Play Credentials Set up user name, password, and device ID to allow access to Google Play.
Apple Device Enrollment Program (DEP) Add an Apple DEP account to XenMobile.
Apple Configurator Device Enrollment Configure Apple Configurator settings in XenMobile.
iOS/VPP Settings Add Apple Volume Purchase Program accounts.
Mobile Service Provider Use the Mobile Service Provider interface to query BlackBerry and other Exchange ActiveSync devices and to issue operations.
NetScaler Gateway For on-premises XenMobile Server. Add a NetScaler Gateway. Choose whether to enable authentication and whether to push user certificate for authentication. Choose a credential provider.
Network Access Control Set the conditions that determine a device is non-compliant and therefore denied access to the network.
Samsung KNOX Enable or disable XenMobile to query Samsung KNOX attestation server REST APIs.
Server Properties Add or modify server properties. Requires restarting XenMobile on all nodes.
Syslog For on-premises XenMobile Server. Send log files to a system log (syslog) server using the server host name or IP address.
XenApp/XenDesktop Allow users to add XenApp and XenDesktop through Secure Hub.
ShareFile When using XenMobile with ShareFile Enterprise: Configure settings to connect to the ShareFile account and administrator service account to manage user accounts. Requires existing ShareFile domain and administrator credentials. When using XenMobile with StorageZone Connectors: Configure XenMobile to point to network shares and SharePoint locations defined in ShareFile StorageZones Connectors.
Experience Improvement Program For on-premises XenMobile Server. Opt into or out of sending anonymous statistics and usage information to Citrix.
Microsoft Azure For on-premises XenMobile Server. Integrate XenMobile with Microsoft Azure.
Android for Work Configure Android for Work server settings.
Identity Provider (IDP) Configure an identity provider.
Derived Credentials Configure derived credentials for iOS device enrollment.
XenMobile Tools Access XenMobile Tools page.
SNMP Configuration Enable SNMP for XenMobile Server nodes. Edit or add monitoring users, set up the SNMP manager where trap notifications appear, and configure trap intervals and thresholds.

Support

Administrators can perform various support tasks.

   
NetScaler Gateway Connectivity Checks Perform various connectivity checks for NetScaler Gateway by IP address. Requires a user name and password.
XenMobile Connectivity Checks Perform connectivity checks for selected XenMobile features, such as database, DNS, Google Plan, and so on.
Create Support Bundles For on-premises XenMobile Server. Create a file to send to Citrix Support for troubleshooting. Contains system information, logs, database information, core information, trace files, and the latest configuration information for XenMobile or NetScaler Gateway.
Citrix Product Documentation Access the public Citrix XenMobile documentation site.
Citrix Knowledge Center Access the Citrix Support site to search for knowledge base articles.
Logs Access and analyze log file details for debug, admin audit, and user audit.
Cluster Information For on-premises XenMobile Server. Access information about each of the nodes in a clustered environment.
Garbage Collection For on-premises XenMobile Server. Access information about memory objects no longer in use.
Java Memory Properties For on-premises XenMobile Server. Access a snapshot of Java memory usage, memory details, and memory pool details.
Macros Populate user or device property data within the text field of a profile, policy, notification, or enrollment template. Configure a single policy, deploy the policy to a large user base, and have user-specific values appear for each targeted user.
PKI Configuration Import and export PKI configuration information.
APNS Signing Utility Submit a request for Apple Push Network signing (APNs) certificates, or upload Secure Mail APNs certificate for iOS.
Citrix Insight Services Upload logs to Citrix Insight Services (CIS) for assistance with various issues.
Device NetScaler Connector Status Query XenMobile for the status of a device as sent to XenMobile NetScaler Connector based on the device ActiveSync ID.
Anonymization and de-anonymization For on-premises XenMobile Server. When you create support bundles in XenMobile, sensitive user, server, and network data is made anonymous by default. You can change this behavior on the Anonymization and De-anonymization page in Support under Advanced.
Log Settings Customize the log level or add a custom logger.

Restrict Group Access

Admin users can apply permissions to all user groups.

Device Provisioning Role

Important:

The Device Provisioning Role applies only to Windows CE devices.

Users with the predefined Device Provisioning role have limited access to console features; by default, their permission is set to all user groups and they cannot change this setting.

Console features

Device provisioning users have the following restricted access to the XenMobile console. By default, each of the following features is enabled.

Devices

   
Edit device Change settings on the device.
Add/Delete device Add or remove devices from XenMobile.

Settings

Device provisioning users can access the Settings page, but do not have the rights to configure the features.

Support Role

Users with the Support role have access to remote support; their permissions apply to all users by default and they cannot edit this setting.

User Role

Users with the User role have the following limited access to XenMobile.

Authorized access

   
Self-Help Portal Users have access only to the Self-Help Portal in XenMobile.

Console features

Users have the following restricted access to the XenMobile console.

Devices

   
Full Wipe device Erase all data and apps from a device, including memory cards if the device has one.
Selective Wipe device Erase all corporate data and apps from a device, leaving personal data and apps in place.
View locations See the location of and set geographic restrictions on a device. Included: Locate device, See the location of a device, Track device, Track device location over time
Lock device Remotely lock a device so that it cannot be used.
Unlock device Remotely unlock a device so that It can be used.
Lock container Remotely lock the corporate container on a device.
Unlock container Remotely unlock the corporate container on a device.
Reset container password Reset the corporate container password.
Enable ASM DEP/Bypass activation lock Store a bypass code on a supervised iOS device when Activation Lock is enabled. If you need to erase the device, use this code to clear the Activation Lock automatically.
Rings the device Remotely ring a Windows device at full volume for 5 minutes.
Reboot the device Restart a Windows device.
View software inventory See what software is installed on a device.

Enrollment

   
Add/Delete enrollment Add or remove an enrollment invitation to a user or a group of users.
Notify user Send and enrollment invitation to a user or group of users.

Restrict Group Access

For all four default roles, this permission is set by default and can be applied to all user groups. You cannot edit the role.

Configure roles with RBAC

The Role-Based Access Control (RBAC) feature in XenMobile lets you assign predefined roles, or sets of permissions, to users and groups. These permissions control the level of access users have to system functions.

XenMobile implements four default user roles to logically separate access to system functions:

  • Administrator: Grants full system access.
  • Device Provisioning: Grants access to basic device administration for Windows CE devices.
  • Support: Grants access to remote support.
  • User: Used by users who can enroll devices and access the Self Help Portal.

You can also use the default roles as templates that you customize to create new user roles with permissions to access specific system functions beyond the functions defined by the default roles.

Roles can be assigned to local users (at the user level) or to Active Directory groups (all users in that group have the same permissions). If a user belongs to several Active Directory groups, all the permissions are merged together to define the permissions for that user. For example, if ADGroupA users can locate manager devices, and ADGroupB users can wipe employee devices, then a user who belongs to both groups can locate and wipe devices of managers and employees.

Note:

Local users may have only one role assigned to them.
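The merge rule above is easy to get wrong when reviewing who can do what, so here is a small model of it as an added example (not Citrix code, and not XenMobile's API). It follows the page's ADGroupA/ADGroupB example literally: for a user in several Active Directory groups, the permissions of all matching roles are unioned, and so are the user groups those permissions apply to, so the user ends up with every merged permission over every merged target group. Local users get exactly one role. Role names, permission strings, and group names are constructed for illustration.

```python
"""Model of XenMobile's RBAC permission merge (added example, not Citrix code).

Role names, permission strings and group names below are constructed; the
only thing taken from the page is the merge rule itself.
"""
from dataclasses import dataclass

ALL_GROUPS = "*"  # stands for the default "Apply permissions: all user groups"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # console/device permissions the role grants
    apply_to: frozenset     # user groups the permissions apply to, or {ALL_GROUPS}


def merge_roles(user_ad_groups, group_roles):
    """Return (permissions, target_groups) for a directory user.

    group_roles maps an AD group name to the Role assigned to that group.
    Every role of every group the user belongs to contributes both its
    permissions and its target groups; the two sets are merged independently,
    which is why the result can be broader than any single role.
    """
    permissions, targets = set(), set()
    for group in user_ad_groups:
        role = group_roles.get(group)
        if role is None:
            continue
        permissions |= role.permissions
        targets |= role.apply_to
    return frozenset(permissions), frozenset(targets)


def local_user_permissions(roles):
    """Local users may hold only one role; anything else is a configuration error."""
    if len(roles) != 1:
        raise ValueError("a local user must have exactly one role")
    return roles[0].permissions, roles[0].apply_to


def is_allowed(permissions, targets, permission, target_group):
    """True if the merged permission set covers `permission` on `target_group`."""
    return permission in permissions and (ALL_GROUPS in targets or target_group in targets)


# Constructed roles mirroring the ADGroupA / ADGroupB example in the text.
LOCATOR = Role("Locator", frozenset({"View locations"}), frozenset({"Managers"}))
WIPER = Role("Wiper", frozenset({"Full Wipe device"}), frozenset({"Employees"}))
GROUP_ROLES = {"ADGroupA": LOCATOR, "ADGroupB": WIPER}


def demo():
    """Evaluate a user in both groups, and one in ADGroupA only."""
    perms, targets = merge_roles({"ADGroupA", "ADGroupB"}, GROUP_ROLES)
    a_perms, a_targets = merge_roles({"ADGroupA"}, GROUP_ROLES)
    return {
        "locate_managers": is_allowed(perms, targets, "View locations", "Managers"),
        "wipe_employees": is_allowed(perms, targets, "Full Wipe device", "Employees"),
        # Scope broadening: neither role alone allows wiping manager devices.
        "wipe_managers": is_allowed(perms, targets, "Full Wipe device", "Managers"),
        "group_a_only_wipe": is_allowed(a_perms, a_targets, "Full Wipe device", "Employees"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `wipe_managers` result is the point worth checking in a real deployment: because permissions and target groups merge separately, adding a user to a second directory group can extend a destructive permission such as Full Wipe to user groups that neither role covered on its own. When auditing role assignments, evaluate the merged result per user rather than reading each role in isolation.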

You can use the RBAC feature in XenMobile to do the following:

  • Create a new role.
  • Add groups to a role.
  • Associate local users to roles.

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Click Role-Based Access Control. The Role-Based Access Control page appears, which displays the four default user roles, plus any roles you have previously added.

    Image of XenMobile RBAC

    If you click the plus sign (+) next to a role, the role expands to show all the permissions for that role, as shown in the following figure.

    Image of XenMobile RBAC configuration

  3. Click Add to add a new user role, click the pen icon to the right of an existing role to edit the role, or click the trash can icon to the right of a role you previously defined to delete the role. You cannot delete the default user roles.

    • When you click Add or the pen icon, the Add Role or the Edit Role page appears.
    • When you click the trash can icon, a confirmation dialog appears. Click Delete to remove the selected role.

  4. Enter the following information to create a new user role or to edit an existing user role:

    • RBAC name: Enter a descriptive name for the new user role. You cannot change the name of an existing role.
    • RBAC template: Optionally, click a template as the starting point for the new role. You cannot select a template if you are editing an existing role.

    RBAC templates are the default user roles. They define the access to system functions that users associated with that role have. After you select an RBAC template, you can see all of the permissions associated with that role in the Authorized Access and Console Features fields. Using a template is optional; you can directly select the options you want to assign to a role in the Authorized Access and Console Features fields.

    Image of XenMobile RBAC configuration

  5. Click Apply to the right of the RBAC template field to populate the Authorized access and Console features check boxes with the pre-defined access and feature permissions for the selected template.

    Image of XenMobile RBAC configuration

  6. Select and clear the check boxes in Authorized access and Console features to customize the role.

    If you click the triangle next to a Console feature, permissions specific to that feature appear that you can select and clear. Clicking the top-level check box prohibits access to that console part; you must select individual options below the top level to enable those options. For example, in the following figure, the Full Wipe device and Clear Restrictions options do not appear on the console for users assigned to the role, but the checked options do appear.

    Image of XenMobile RBAC configuration

  7. Apply permissions: Select the groups to which you want to apply the selected permissions. If you click To specific user groups, a list of groups appears from which you can select one or more groups.

    Image of XenMobile RBAC configuration

  8. Click Next. The Assignment page appears.

    Image of XenMobile RBAC configuration

  9. Enter the following information to assign the role to user groups.

    • Select domain: In the list, click a domain.
    • Include user groups: Click Search to see a list of all available groups, or type a full or partial group name to limit the list to only groups with that name.
    • In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.

    Image of XenMobile RBAC configuration

    Note:

    To remove a user group from the Selected user groups list, click the X next to the user group name.

  10. Click Save.
